SBS 2011 Virtualized on Hyper-V host that is member of same domain

Hi people,

Look, I know this has been asked a million times before, and the literature is abundantly clear that:

Having a Hyper-V 2008 R2 Host machine as a domain member of a domain which has its only domain controller installed as a guest VM of said machine can create an issue when failure occurs to the DC and prevents logging into the Hyper-V host. This is the so-called failure loop, caused by the fact that the login server can't be accessed because it's one of the affected VMs.

I was wondering though, wouldn't just having access to a local administrator account for the Hyper-V host prevent all of this cacophony?

The reason I ask is that it's quite handy having the 2008 R2 Hyper-V host as a domain member of the SBS 2011 hosted domain, as that way you can access update and security status, etc., from the SBS Console.

Could somebody also please confirm that in Hyper-V for 2012 and 2012 R2 this 'loop' issue has been resolved entirely now?

Kind Regards, Paul

Lee W, MVP, Technology and Business Process Advisor, commented:
Having a local account is fine. But one of the problems is the domain is not available as the Hyper-V system is booting up. That means domain policies can never be fully applied.
VB ITS, Specialist Consultant, commented:
It hasn't exactly been resolved with 2012; the loop issue is still there. The only way around this is to set up another DC on a separate machine, be it a VM or a physical host.

There's lots of literature out there but there's no real one definitive answer. Just go with what you're most comfortable with. I personally always join the Hyper-V host to the domain.

Microsoft's PFE team also recommend joining the host to the domain in their Hyper-V 2012/2012 R2 Best Practices article:

Philip Elder, Technical Architect - HA/Compute/Storage, commented:
It is our preference after working with virtualization platforms since "Longhorn" (Windows Server 2008) to keep standalone Hyper-V servers in workgroup mode.

We then use John Howard's HVRemote to configure the RSAT machine and the Hyper-V host to allow for remote management.

Permissions become a bit of a rat's nest when a domain is involved and can cause problems if the domain admin account has not logged into the server, so no credentials would be cached. BTDT.

Paul (Author) commented:
Hi people,

Thanks for the feedback. Just to clarify, even if the domain admin has no cached credentials, doesn't the local admin account have all the full and necessary privileges required to do what needs to be done to bring the VMs back online?
VB ITS, Specialist Consultant, commented:
That's correct. The main reason you would join the host to the domain is really only for management purposes.
Paul (Author) commented:
Thanks VB ITS.

Philip Elder, do you have anything to add to this that provides an example whereby there was something critical you couldn't get done with a local admin account when trying to bring a Hyper-V host online that had been joined to an uncontactable domain?

Kind regards, Paul
Philip Elder, Technical Architect - HA/Compute/Storage, commented:
We had an on-site that liked to tinker. In the process of tinkering we lost DNS on a standalone with DAS. It was joined to the domain. For some reason while logged in as local admin we were not able to make the necessary changes to the VM and local NIC setup without domain admin. No DNS = no domain thus no domain admin as the credentials were not cached.

Making changes to the VM sometimes refuses to take without domain admin while a domain member. Local Admin no go.

Permissions on the VHDX folder can get muddled when managing via local versus domain admin.

Those are just some of the experiences we've had where having the server in a domain caused us grief.
Paul (Author) commented:
Thanks for coming guys!

I understand from these responses that there are several issues involved with Hyper-V hosts being joined or not joined to the domain. There is also the matter of conflicting Microsoft documentation on Best Practices.

Lee W points out that even when you do join the Hyper-V host to the domain, the effectiveness of certain policies that require a restart to be applied may be compromised by the lack of an external DC to fetch them from at time of boot.

Philip Elder's position on permissions issues that can be encountered in certain circumstances is also clearly valid. However, I can't understand why, when logged in to a local admin account on 2008 or later, you couldn't force take ownership of the problematic VHD or Hyper-V bin files. Worst case scenario, I would have thought you rebuild the Hyper-V machine from scratch (providing you know the correct or approximate settings) and attach the VHD you just took ownership of.

I confess to not being able to confirm nor deny the above, and to having no good way to recreate the situation (it appears to be an exception to the rule).

I tried to award you all 500 points but I doubt it will allow it! As such, unless somebody (or Phil himself) can explain why the above workaround to Philip's issue is incorrect, I have awarded VBS's answer of "do what you feel comfortable with" as the best answer.

Thanks for all your valued input, and I am sorry for the delay in my return to the thread. I had some long deserved time off.

Kind Regards, Paul
Philip Elder, Technical Architect - HA/Compute/Storage, commented:

Permission sets run for users, services, and the machine itself. There are a number of posts/KBs/TechNet references out there on reclaiming ACLs to get an idea of just how complicated they can be for Hyper-V. Domain joined or not also impacts these permission sets.

We always set up an OS Logical Disk/partition/LUN for the host at 75GB with the balance going to VHDX and configuration file storage (we change both on the host to the second partition). In the 2012 era if the host OS gets hosed one can reload and configure in very short order.

We keep a bootable flash drive with OS install files on it and an iDRAC Enterprise, iLO Advanced, or Intel RMM in the box for this very reason.

Once the reload and configuration steps are done one need only run the Import Wizard in the Hyper-V console to be right back in business.
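The host-rebuild procedure described in the last few posts (second partition for VM storage, reload the host OS, re-import the VMs, then sort out the VHDX permissions) as an added PowerShell example. This is not code from the thread or from any of the posters; it assumes Windows Server 2012 R2 or later with the Hyper-V PowerShell module, is run as a local administrator on the host, and the drive letter `D:` and folder names are constructed for illustration. It also shows, for the ACL question raised above, how to audit that each VHDX still carries an ACE for its own VM identity (`NT VIRTUAL MACHINE\<VMId>`), which is what an in-place `Import-VM` restores.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes Server 2012 R2+ with the Hyper-V module.
# D: and the folder layout below are assumptions; adjust to the host's second partition.
Import-Module Hyper-V

$DataVolume = 'D:'
$VhdPath    = Join-Path $DataVolume 'Hyper-V\Virtual Hard Disks'
$VmPath     = Join-Path $DataVolume 'Hyper-V'

# 1. Record the host's domain state. The "no DC, so no domain admin" situation from
#    the thread only arises when PartOfDomain is True.
function Get-HostDomainState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ Host = $cs.Name; PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }
}

# 2. Point the host's default VM and VHDX locations at the data volume so a host OS
#    rebuild never touches the VM files (the "second partition" practice above).
function Set-VMDataPaths {
    param([string]$VhdRoot = $VhdPath, [string]$VmRoot = $VmPath)
    foreach ($p in $VhdRoot, $VmRoot) {
        if (-not (Test-Path -Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
    }
    Set-VMHost -VirtualHardDiskPath $VhdRoot -VirtualMachinePath $VmRoot
}

# 3. After a reload, re-register any VM whose configuration file is on the data volume
#    but which is not yet known to this host (the Import Wizard step). Importing in
#    place, without -Copy, re-grants the VM's own identity access to its VHDX files.
function Restore-VMsFromConfig {
    param([string]$VmRoot = $VmPath)
    $registered = @(Get-VM | ForEach-Object { $_.Id.ToString() })
    $configDir  = Join-Path $VmRoot 'Virtual Machines'
    # Config files are named <VMId>.vmcx (2016+) or <VMId>.xml (2012/2012 R2).
    Get-ChildItem -Path $configDir -Include *.vmcx, *.xml -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $registered -notcontains $_.BaseName } |
        ForEach-Object {
            $vm = Import-VM -Path $_.FullName -ErrorAction Stop
            [pscustomobject]@{ Imported = $vm.Name; Id = $vm.Id; Config = $_.FullName }
        }
}

# 4. Audit each attached VHDX: the file should carry an ACE for NT VIRTUAL MACHINE\<VMId>.
#    VmAceOk = False is the signature of the "muddled permissions" problem described above,
#    typically after disks were moved or re-ACLed by hand under a different account.
function Test-VhdxAccess {
    param([Parameter(Mandatory)][string]$VMName)
    $vm         = Get-VM -Name $VMName
    $vmIdentity = "NT VIRTUAL MACHINE\$($vm.Id)"
    foreach ($disk in Get-VMHardDiskDrive -VMName $VMName) {
        $acl    = Get-Acl -Path $disk.Path
        $hasAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $vmIdentity }
        [pscustomobject]@{
            VM      = $VMName
            Path    = $disk.Path
            Owner   = $acl.Owner
            VmAceOk = [bool]$hasAce
        }
    }
}

# Example run on a host that has just been reloaded.
Get-HostDomainState | Format-List
Set-VMDataPaths
Restore-VMsFromConfig | Format-Table -AutoSize
Get-VM | ForEach-Object { Test-VhdxAccess -VMName $_.Name } | Format-Table -AutoSize
```

Everything here runs under the host's local administrator account with no domain contact, which is the scenario the thread is about. If `Test-VhdxAccess` reports `VmAceOk = False` for a disk, removing and re-attaching that disk with `Remove-VMHardDiskDrive`/`Add-VMHardDiskDrive` makes Hyper-V re-stamp the VM's own ACE, which is usually cleaner than taking ownership and rewriting the ACL by hand.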