Solved

SBS 2011 Virtualized on Hyper-V host that is a member of the same domain

Posted on 2014-11-12
9
177 Views
Last Modified: 2014-12-09
Hi people,

Look, I know this has been asked a million times before, and the literature is abundantly clear that:

Having a Hyper-V 2008 R2 host machine as a domain member of a domain which has its only domain controller installed as a guest VM of said machine can create an issue when failure occurs to the DC and prevents logging into the Hyper-V host. So-called failure loop caused by the fact that the login server can't be accessed because it's one of the affected VMs.

I was wondering though, wouldn't just having access to a local administrator account for the Hyper-V host prevent all of this cacophony?

The reason I ask is that it's quite handy having the 2008 R2 Hyper-V host as a domain member of the SBS 2011 hosted domain, as that way you can access update and security status etc. from the SBS Console.

Could somebody also please confirm that in Hyper-V for 2012 and 2012 R2 this 'loop' issue has been resolved entirely now?

Kind Regards, Paul
0
Comment
Question by:Paul
9 Comments
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 166 total points
ID: 40437383
Having a local account is fine.  But one of the problems is the domain is not available as the Hyper-V system is booting up. That means domain policies can never be fully applied.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 168 total points
ID: 40437388
It hasn't exactly been resolved with 2012; the loop issue is still there. The only way around this is to set up another DC on a separate machine, be it a VM or a physical host.

There's lots of literature out there but there's no one definitive answer. Just go with what you're most comfortable with. I personally always join the Hyper-V host to the domain.

Microsoft's PFE team also recommend joining the host to the domain in their Hyper-V 2012/2012 R2 Best Practices article: http://blogs.technet.com/b/askpfeplat/archive/2013/03/10/windows-server-2012-hyper-v-best-practices-in-easy-checklist-form.aspx
0
 
LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 166 total points
ID: 40437747
It is our preference after working with virtualization platforms since "Longhorn" (Windows Server 2008) to keep standalone Hyper-V servers in workgroup mode.

We then use John Howard's HVRemote to configure the RSAT machine and the Hyper-V host to allow for remote management.

Permissions become a bit of a rat's nest when a domain is involved and can cause problems if the domain admin account has not logged into the server thus no credentials would be cached. BTDT.
0
 
LVL 1

Author Comment

by:Paul
ID: 40446125
Hi people,

Thanks for the feedback. Just to clarify, even if the domain admin has no cached credentials, doesn't the local admin account have all the full and necessary privileges required to do what needs to be done to bring the VMs back online?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40446149
That's correct. The main reason you would join the host to the domain is really only for management purposes.
0
 
LVL 1

Author Comment

by:Paul
ID: 40446171
Thanks VB ITS.

Philip Elder, do you have anything to add to this that provides an example whereby there was something critical you couldn't get done with a local admin account when trying to bring a Hyper-V host online that had been joined to an uncontactable domain?

Kind regards, Paul
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40446565
We had an on-site that liked to tinker. In the process of tinkering we lost DNS on a standalone with DAS. It was joined to the domain. For some reason while logged in as local admin we were not able to make the necessary changes to the VM and local NIC setup without domain admin. No DNS = no domain thus no domain admin as the credentials were not cached.

Making changes to the VM sometimes refuses to take without domain admin while a domain member. Local Admin no go.

Permissions on the VHDX folder can get muddled when managing via local versus domain admin.

Those are just some of the experiences we've had where having the server in a domain caused us grief.
0
 
LVL 1

Author Closing Comment

by:Paul
ID: 40488339
Thanks for coming guys!

I understand from these responses that there are several issues involved with Hyper-V hosts being joined or not joined to the domain. There is also the matter of conflicting Microsoft documentation on Best Practices.

Lee W points out that even when you do join the hyper-v host to the domain, the effectiveness of certain policies that require restart to be applied may be compromised by the lack of external DC controller to fetch them from at time of boot.

Philip Elder's position on permissions issues that can be encountered in certain circumstances is also clearly valid. However, I can't understand why, when logged in to a local admin account on 2008 or later, you couldn't force take ownership of the problematic VHD or Hyper-V bin files. Worst case scenario, I would have thought you rebuild the Hyper-V machine from scratch (providing you know the correct or approximate settings) and attach the VHD you just took ownership of.

I confess to not being able to confirm nor deny the above, and no good way to recreate the situation (it appears to be an exception to rule).

I tried to award you all 500 points but I doubt it will allow it! As such, unless somebody (or Phil himself) can explain why the above workaround to Philip's issue is incorrect, I have awarded VB ITS's answer of "do what you feel comfortable with" as the best answer.

Thanks for all your valued input, and I am sorry for the delay in my return to the thread. I had some long deserved time off.

Kind Regards, Paul
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 40488956
Paul,

Permission sets run for users, services, and the machine itself. There are a number of posts/KBs/TechNet references out there on reclaiming ACLs to get an idea of just how complicated they can be for Hyper-V. Domain joined or not also impacts these permission sets.

We always set up an OS Logical Disk/partition/LUN for the host at 75GB with the balance going to VHDX and configuration file storage (we change both on the host to the second partition). In the 2012 era if the host OS gets hosed one can reload and configure in very short order.

We keep a bootable flash drive with OS install files on it and an iDRAC Enterprise, iLO Advanced, or Intel RMM in the box for this very reason.

Once the reload and configuration steps are done one need only run the Import Wizard in the Hyper-V console to be right back in business.
0
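The recovery path the last two comments describe (reclaim the ACLs on the VHDX/configuration tree as local admin, point a reloaded host at the storage partition, then re-register the VMs) as one elevated PowerShell session. This is an added illustration, not a script from the thread or from any of the participants; the `D:\Hyper-V` store path is an assumption, and the `Set-VMHost`/`Import-VM` cmdlets assume a 2012 or 2012 R2 host (on 2008 R2 only the `takeown`/`icacls` steps apply and the Import Wizard in the console does the rest).

```powershell
# Added example (not from the thread): bring VMs back on a domain-joined
# Hyper-V host while logged on as a LOCAL administrator with the DC guest down.
# Assumptions: elevated PowerShell on Server 2012/2012 R2 with the Hyper-V
# module installed; VM storage lives on the second partition at D:\Hyper-V.

$VmStore     = 'D:\Hyper-V'               # assumed storage partition
$LocalAdmins = 'BUILTIN\Administrators'   # local group that survives a lost domain

# 1. Reclaim ownership and rights on the whole store. Domain SIDs already in the
#    ACLs cannot be resolved while the DC is unreachable, so full control is
#    granted explicitly to the built-in Administrators group instead.
takeown.exe /F $VmStore /A /R /D Y | Out-Null
icacls.exe  $VmStore /grant "$($LocalAdmins):(OI)(CI)F" /T /C | Out-Null

# 2. On a reloaded host, point default paths at the storage partition so that
#    nothing lands on the small OS partition.
Set-VMHost -VirtualHardDiskPath "$VmStore\Virtual Hard Disks" `
           -VirtualMachinePath  $VmStore

# 3. Re-register each VM configuration found under the store in place.
#    -Register keeps the files where they are; use -Copy when importing from
#    an export on another volume.
Get-ChildItem -Path $VmStore -Recurse -Include *.xml, *.vmcx |
    Where-Object { $_.DirectoryName -like '*Virtual Machines*' } |
    ForEach-Object {
        $cfg = $_.FullName
        try {
            Import-VM -Path $cfg -Register -ErrorAction Stop |
                Select-Object Name, State
        } catch {
            Write-Warning "Import failed for ${cfg}: $($_.Exception.Message)"
        }
    }

# 4. Confirm what is registered, then (once the DC guest is running again)
#    check that the host's own machine account can reach the domain. Until
#    that returns $true, only local accounts and cached domain credentials work.
Get-VM | Select-Object Name, State, Path
Test-ComputerSecureChannel
```

Step 1 is the part that answers Paul's question directly: a local administrator can always take ownership, because ownership and the Administrators group are local concepts that do not depend on the domain. What it cannot do is make the existing domain-SID ACL entries resolvable again, which is why the thread's advice is to grant the local group explicitly rather than try to repair the original ACL.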
