Solved

SBS 2011 Virtualized on Hyper-V host that is a member of the same domain

Posted on 2014-11-12
166 Views
Last Modified: 2014-12-09
Hi people,

Look, I know this has been asked a million times before, and the literature is abundantly clear that:

Having a Hyper-V 2008 R2 host machine as a domain member of a domain which has its only domain controller installed as a guest VM of said machine can create an issue when a failure occurs on the DC and prevents logging into the Hyper-V host. This is the so-called failure loop, caused by the fact that the logon server can't be accessed because it's one of the affected VMs.

I was wondering, though: wouldn't just having access to a local administrator account for the Hyper-V host prevent all of this cacophony?

The reason I ask is that it's quite handy having the 2008 R2 Hyper-V host as a domain member of the SBS 2011-hosted domain, as that way you can access update and security status etc. from the SBS Console.

Could somebody also please confirm that in Hyper-V for 2012 and 2012 R2 this 'loop' issue has now been resolved entirely?

Kind Regards, Paul
Question by: Paul

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 166 total points
ID: 40437383
Having a local account is fine. But one of the problems is that the domain is not available as the Hyper-V system is booting up. That means domain policies can never be fully applied.
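
The two points raised so far (a break-glass local account against the failure loop in the question, and computer Group Policy failing at boot because the only DC is a guest on the same host) can be checked from the host itself. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes a hypothetical DC guest named 'SBS2011', the built-in 'Administrator' as the local break-glass account, and a Hyper-V PowerShell module from 2012 or later. Run it elevated on the host.

```powershell
# Added example (not from the thread): pre-flight check for a domain-joined
# Hyper-V host whose only DC runs as a guest on that same host.
# Hypothetical names: DC guest 'SBS2011', break-glass account 'Administrator'.
$DcVmName        = 'SBS2011'
$LocalBreakGlass = 'Administrator'

# 1. The break-glass local account must exist and be enabled. Without it, a
#    DC outage locks you out of the host: the "failure loop" in the question.
#    ADSI is used instead of Get-LocalUser so this also runs on 2012 R2.
$acct = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalBreakGlass,user"
if ([bool]$acct.AccountDisabled) {
    Write-Warning "$LocalBreakGlass is disabled; enable it before you need it."
}

# 2. The DC guest should auto-start with no delay so a DC becomes reachable
#    as early as possible after a host reboot; other guests start behind it
#    (120 s is an arbitrary example delay, adjust to the DC's boot time).
$dc = Get-VM -Name $DcVmName
if ($dc.AutomaticStartAction -ne 'Start' -or $dc.AutomaticStartDelay -ne 0) {
    Set-VM -VM $dc -AutomaticStartAction Start -AutomaticStartDelay 0
}
Get-VM |
    Where-Object { $_.Name -ne $DcVmName -and
                   $_.AutomaticStartAction -eq 'Start' -and
                   $_.AutomaticStartDelay -lt 120 } |
    ForEach-Object { Set-VM -VM $_ -AutomaticStartDelay 120 }

# 3. Report whether computer Group Policy failed since the last boot because
#    no DC was reachable (event 1129: no DC connectivity; 1055: the DC name
#    could not be resolved). This is the effect Lee W describes above.
$lastBoot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$gpFailures = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 1129, 1055
    StartTime = $lastBoot
}
if ($gpFailures) {
    Write-Warning ("Group Policy failed {0} time(s) since boot at {1}; last at {2}" -f
        $gpFailures.Count, $lastBoot, $gpFailures[0].TimeCreated)
}

# 4. Once the DC guest is running and the host's secure channel to it works,
#    re-apply computer policy. Settings that only apply at startup (startup
#    scripts, some security settings) still need a reboot with the DC up.
$dc        = Get-VM -Name $DcVmName
$channelOk = $(try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false })
if ($dc.State -eq 'Running' -and $channelOk) {
    gpupdate.exe /target:computer /force
} else {
    Write-Warning 'DC guest not running or secure channel broken; policy not refreshed.'
}
```

Step 3 is the check to run after any host reboot: a 1129 event at every boot is the symptom of the boot-order dependency, and step 4 is the cheapest fix for everything that is not startup-only.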
Accepted Solution

by: VB ITS
VB ITS earned 168 total points
ID: 40437388
It hasn't exactly been resolved with 2012; the loop issue is still there. The only way around this is to set up another DC on a separate machine, be it a VM or a physical host.

There's lots of literature out there, but there's no real definitive answer. Just go with what you're most comfortable with. I personally always join the Hyper-V host to the domain.

Microsoft's PFE team also recommend joining the host to the domain in their Hyper-V 2012/2012 R2 Best Practices article: http://blogs.technet.com/b/askpfeplat/archive/2013/03/10/windows-server-2012-hyper-v-best-practices-in-easy-checklist-form.aspx
Assisted Solution

by:Philip Elder
Philip Elder earned 166 total points
ID: 40437747
It is our preference after working with virtualization platforms since "Longhorn" (Windows Server 2008) to keep standalone Hyper-V servers in workgroup mode.

We then use John Howard's HVRemote to configure the RSAT machine and the Hyper-V host to allow for remote management.

Permissions become a bit of a rat's nest when a domain is involved and can cause problems if the domain admin account has not logged into the server, thus no credentials would be cached. BTDT.
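
For a standalone host kept in a workgroup as described above, the remote-management trust has to be set up by hand because there is no Kerberos. The block below is an added example, not the thread's or John Howard's code, and it does not use HVRemote; it shows the built-in WinRM route on 2012 R2 or later, which is enough for PowerShell-based management and for the firewall side of Hyper-V Manager. The host name 'HVHOST01', its local admin 'hvadmin' and the management subnet 10.0.0.0/24 are hypothetical.

```powershell
# Added example (not from the thread): remote management of a workgroup
# Hyper-V host over WinRM with an explicit local credential, no HVRemote.
# Hypothetical names: host HVHOST01, local admin hvadmin, mgmt net 10.0.0.0/24.

# --- On the Hyper-V host (run once, elevated) ---
# Creates the WinRM listener and its firewall rule. Add -SkipNetworkProfileCheck
# if the host's NIC is on a "Public" profile, otherwise this call refuses to run.
Enable-PSRemoting -Force
# RPC/WMI rules that the Hyper-V Manager MMC needs in addition to WinRM.
Enable-NetFirewallRule -DisplayGroup 'Hyper-V'
# Limit who may talk to WinRM at all: the management subnet only, not "any".
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress '10.0.0.0/24'

# --- On the RSAT workstation (elevated) ---
# No Kerberos in a workgroup, so the client must explicitly trust the host
# name for NTLM over WinRM. -Concatenate keeps any existing entries.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'HVHOST01' -Concatenate -Force
# Cache the host's local credential so MMC tools can connect without prompting.
# (/pass with no value prompts for the password instead of putting it in history.)
cmdkey.exe /add:HVHOST01 /user:HVHOST01\hvadmin /pass

# PowerShell management uses the same local account in an explicit session.
$cred    = Get-Credential -UserName 'HVHOST01\hvadmin' -Message 'Hyper-V host local admin'
$session = New-PSSession -ComputerName 'HVHOST01' -Credential $cred
Invoke-Command -Session $session -ScriptBlock {
    Get-VM | Select-Object Name, State, Uptime, AutomaticStartAction
}
Remove-PSSession $session
```

The trade-off to be aware of: TrustedHosts disables mutual authentication for that name, so a spoofed HVHOST01 could collect the NTLM exchange. Pinning the firewall to the management subnet, or adding an HTTPS WinRM listener with a certificate the workstation trusts, is the usual mitigation.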
Author Comment

by:Paul
ID: 40446125
Hi people,

Thanks for the feedback. Just to clarify: even if the domain admin has no cached credentials, doesn't the local admin account have all the full and necessary privileges required to do what needs to be done to bring the VMs back online?
Expert Comment

by:VB ITS
ID: 40446149
That's correct. The main reason you would join the host to the domain is really only for management purposes.
Author Comment

by:Paul
ID: 40446171
Thanks VB ITS.

Philip Elder, do you have anything to add to this that provides an example whereby there was something critical you couldn't get done with a local admin account when trying to bring a Hyper-V host online that had been joined to an uncontactable domain?

Kind regards, Paul
Expert Comment

by:Philip Elder
ID: 40446565
We had an on-site that liked to tinker. In the process of tinkering we lost DNS on a standalone with DAS. It was joined to the domain. For some reason, while logged in as local admin we were not able to make the necessary changes to the VM and local NIC setup without domain admin. No DNS = no domain, thus no domain admin, as the credentials were not cached.

Making changes to the VM sometimes refuses to take without domain admin while a domain member. Local admin: no go.

Permissions on the VHDX folder can get muddled when managing via local versus domain admin.

Those are just some of the experiences we've had where having the server in a domain caused us grief.
Author Closing Comment

by:Paul
ID: 40488339
Thanks for coming guys!

I understand from these responses that there are several issues involved with Hyper-V hosts being joined or not joined to the domain. There is also the matter of conflicting Microsoft documentation on best practices.

Lee W points out that even when you do join the Hyper-V host to the domain, the effectiveness of certain policies that require a restart to be applied may be compromised by the lack of an external DC to fetch them from at boot time.

Philip Elder's position on permissions issues that can be encountered in certain circumstances is also clearly valid. However, I can't understand why, when logged in to a local admin account on 2008 or later, you couldn't forcibly take ownership of the problematic VHD or Hyper-V .bin files. Worst-case scenario, I would have thought you rebuild the Hyper-V machine from scratch (providing you know the correct or approximate settings) and attach the VHD you just took ownership of.

I confess to not being able to confirm nor deny the above, and I have no good way to recreate the situation (it appears to be an exception to the rule).

I tried to award you all 500 points, but I doubt it will allow it! As such, unless somebody (or Phil himself) can explain why the above workaround to Philip's issue is incorrect, I have awarded VB ITS's answer of "do what you feel comfortable with" as the best answer.

Thanks for all your valued input, and I am sorry for the delay in my return to the thread. I had some long-deserved time off.

Kind Regards, Paul
Expert Comment

by:Philip Elder
ID: 40488956
Paul,

Permission sets exist for users, services, and the machine itself. There are a number of posts/KBs/TechNet references out there on reclaiming ACLs to get an idea of just how complicated they can be for Hyper-V. Domain-joined or not also impacts these permission sets.

We always set up an OS logical disk/partition/LUN for the host at 75 GB with the balance going to VHDX and configuration file storage (we change both defaults on the host to the second partition). In the 2012 era, if the host OS gets hosed one can reload and configure in very short order.

We keep a bootable flash drive with OS install files on it and an iDRAC Enterprise, iLO Advanced, or Intel RMM in the box for this very reason.

Once the reload and configuration steps are done, one need only run the Import Wizard in the Hyper-V console to be right back in business.
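
The two recovery paths discussed in the thread, Paul's "take ownership as local admin and re-attach the VHD" and Philip's "reload the host OS and run the Import Wizard", come together in the script below. It is an added example written for this page, not the thread's or Microsoft's code, and it assumes the layout Philip describes: a small OS partition and a data partition, here hypothetically D:\Hyper-V, holding the 'Virtual Machines' and 'Virtual Hard Disks' folders. It needs the Hyper-V PowerShell module (2012 or later; 2008 R2 has no Import-VM cmdlet) and runs under a local administrator with no domain account involved. The permission it repairs is the one Hyper-V itself requires: each VM runs as the virtual service SID "NT VIRTUAL MACHINE\<VM GUID>", and a VHDX that SID cannot read fails the VM with an access-denied error; this is the ACL "rat's nest" from the earlier comments.

```powershell
# Added example (not from the thread): after reloading the host OS, re-register
# the guests in place from the data partition and repair the per-VM ACL on
# each VHDX. Hypothetical layout: D:\Hyper-V\{Virtual Machines,Virtual Hard Disks}.
$VmRoot = 'D:\Hyper-V'

# 1. Point the rebuilt host's defaults at the data partition again.
Set-VMHost -VirtualMachinePath $VmRoot `
           -VirtualHardDiskPath (Join-Path $VmRoot 'Virtual Hard Disks')

# 2. Register each VM from its existing configuration file without copying it.
#    2012/2012 R2 write .xml configs, 2016 and later write .vmcx.
$configs = Get-ChildItem -Path (Join-Path $VmRoot 'Virtual Machines') `
                         -Recurse -Include *.xml, *.vmcx
foreach ($cfg in $configs) {
    try {
        $vm = Import-VM -Path $cfg.FullName -Register -ErrorAction Stop
        Write-Host "Registered $($vm.Name) from $($cfg.Name)"
    } catch {
        Write-Warning "Import of $($cfg.FullName) failed: $($_.Exception.Message)"
    }
}

# 3. Grant the VM's own service SID Full Control on every attached VHDX where
#    it is missing. takeown as the local Administrators group first, so a disk
#    whose ACL is unreadable (owner gone with the old OS install) can be fixed.
function Repair-VmDiskAcl {
    param([Parameter(Mandatory = $true)][string]$VmName)

    $vm       = Get-VM -Name $VmName
    $identity = "NT VIRTUAL MACHINE\$($vm.Id)"
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
        $path = $disk.Path
        $ok   = $false
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
            $ok  = [bool]($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $identity -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            })
        } catch {
            Write-Warning "Cannot read ACL on ${path}: $($_.Exception.Message)"
        }
        if ($ok) { continue }

        Write-Host "Repairing ACL on $path for $identity"
        takeown.exe /F $path /A | Out-Null                 # owner -> Administrators
        icacls.exe  $path /grant "${identity}:(F)" | Out-Null
    }
}

Get-VM | ForEach-Object { Repair-VmDiskAcl -VmName $_.Name }
```

Import-VM with -Register normally sets that SID on the files it knows about, so step 3 mostly matters for disks that were moved or re-attached by hand, which is exactly the "attach the VHD you just took ownership of" case. Because the VM SID is local to the host, none of this depends on the domain being reachable.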