Solved

Best Practice for Hyper-V Hosts in domains

Posted on 2013-06-07
Last Modified: 2014-11-12
I have 3 Hyper-V host servers that I recently upgraded to Windows Server 2012. These hosts run the majority of my domain servers as VMs. I have a primary DC in a separate physical box that also provides my DHCP. The 2nd DC is a VM.

Each Hyper-V host server has 2 NICs. Originally, I set up the Hyper-V host servers with the Management NIC on a private subnet that was isolated from the domain and on each virtual switch, I unchecked the "Allow management operating system to share this network adapter". My understanding was that it was best practice to keep the Hyper-V hosts isolated from the domain for security purposes.

Now, I am reading many posts where the Hyper-V host servers are actually joined to the same domain that the hosted VMs are in. As I understand it, this is done to facilitate easier Hyper-V host management.

Which is the current best practice approach?

I would like the Hyper-V hosts on the domain so that I could manage them from the same workstation that I use to manage the server VMs and other domain resources. I could also team the two network adapters in each Hyper-V server for better network performance/resilience.

Thanks,

Dave
Question by:dcadler
4 Comments
 

Accepted Solution

by:
Philip Elder earned 250 total points
ID: 39229130
Have more than 2 NICs available for one.
Team them for another and then attach the vSwitch leaving the host OS access so that they both share the teamed NICs.

Our preference is for a minimum of 4 NICs, preferably with two h/w setups, and Intel only.

For standalone situations where there is only one host we leave them workgroup and use HVRemote to configure both the host and a management system.
EDIT: Forgot the link: http://bit.ly/13pOYph

We've seen enough issues when the only DC is offline when trying to manage the host.

In your case, where there are two DCs on separate hosts you can indeed join the domain and then use RSAT on a Windows desktop OS machine to manage.

AzMan can be used to further fine tune permissions for folks that can manage say one VM but not the whole host.
http://bit.ly/14FlSzO

Philip
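The teamed-NIC layout with a vSwitch shared with the host OS, as described in the answer above, sketched in PowerShell for Windows Server 2012. This is an added example, not part of the original post; the adapter, team and switch names are placeholders, and beyond the answer it also reports domain membership and which vSwitches expose the management OS so the result can be checked against the intended design.

```powershell
# Added example. NIC1/NIC2, HostTeam and External-Shared are placeholder names.
param(
    [string[]]$TeamMembers = @('NIC1', 'NIC2'),
    [string]$TeamName      = 'HostTeam',
    [string]$SwitchName    = 'External-Shared',
    [switch]$Apply          # without -Apply the script only reports current state
)

if ($Apply) {
    # Fail early on a wrong adapter name instead of building a one-member team.
    $missing = $TeamMembers | Where-Object {
        -not (Get-NetAdapter -Name $_ -ErrorAction SilentlyContinue)
    }
    if ($missing) { throw "Adapter(s) not found: $($missing -join ', ')" }

    # Switch-independent teaming needs no configuration on the physical switch.
    New-NetLbfoTeam -Name $TeamName -TeamMembers $TeamMembers `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort `
        -Confirm:$false | Out-Null

    # -AllowManagementOS $true corresponds to the GUI checkbox
    # "Allow management operating system to share this network adapter".
    New-VMSwitch -Name $SwitchName -NetAdapterName $TeamName `
        -AllowManagementOS $true | Out-Null
}

# Report: is the host domain-joined or workgroup?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    Host              = $cs.Name
    DomainJoined      = $cs.PartOfDomain
    DomainOrWorkgroup = $(if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup })
}

# Report: team health. A degraded team means one member link is down.
Get-NetLbfoTeam |
    Select-Object Name, TeamingMode, LoadBalancingAlgorithm, Status, Members

# Report: every vSwitch where the host OS shares the uplink with VM traffic.
Get-VMSwitch |
    Select-Object Name, SwitchType, AllowManagementOS, NetAdapterInterfaceDescription

# Report: the host-side virtual NICs created by that sharing.
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName, MacAddress
```

Run from an elevated prompt on the host; on a design like the question's, where management sits on its own isolated NIC, `AllowManagementOS` should read `False` for every VM-facing switch.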

Assisted Solution

by:Svet Paperov
Svet Paperov earned 250 total points
ID: 39231608
From a security point of view I would say that your design is the better one. The main advantage is that you can control who can access the server, and from where, via ACL on the router; you could even block any Internet access from that server and leave it without an anti-virus.

For remote management you could set up HVRemote http://code.msdn.microsoft.com/windowsdesktop/Hyper-V-Remote-Management-26d127c6 

If, on the other hand, you had a big Hyper-V shop with many servers, then yes, it would be wise to set a dedicated domain for Hyper-V Management.

Expert Comment

by:McKnife
ID: 39233585
Hi.

"isolated from the domain for security purposes" - now what should that mean in detail? Please link that statement you read. What should get more secure because it's not on the domain and why?
Author Closing Comment

by:dcadler
ID: 39244475
I decided to add teaming to the server NICs and to keep the Hyper-V hosts on a separate VLAN as standalone rather than domain connected. I also teamed the adapters on that VLAN to allow me to more easily move VMs from one server to another as needed. Thanks for all of your help.