Join Hyper-V host to guest domain?

According to the Microsoft article below, Microsoft recommends joining the Hyper-V host (with GUI) to the same domain as the guest VMs. If I am running 1 or 2 guest VMs on the Hyper-V host, is that the recommended method? If not, why?

https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/best-practices-analyzer/domain-membership-is-recommended-for-servers-running-hyper-v

Many thanks.
Bruce R. Asked:

Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
I have two very thorough EE articles on all things Hyper-V:

Some Hyper-V Hardware and Software Best Practices
Practical Hyper-V Performance Expectations

Suffice it to say, we don't join standalone hosts to the guest's domain.

It provides a barrier between the ongoing production network for one. This can be absolutely critical for protecting the host. The following outlines how we do that:

Protecting a Backup Repository from Malware and Ransomware
Bruce R. (Author) Commented:
Thank you Philip,
What you wrote makes sense, but since I read a lot about putting the host on the domain, are there any real advantages to putting the host on the domain?
What about backing up the host? I will be using ShadowProtect and ImageManager to back up the guest VMs to a BDR and then to the Cloud, BUT what about the HOST? Should it even be backed up, or should I use a simpler solution such as Windows Backup to an onsite USB drive?
Thanks.
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
Simplicity of management. RSAT can be set up to connect to the Hyper-V host via any domain joined system running as a Standard User. Right click, Run As Admin, and Credential then good to go.

Make sure to keep a record of the local admin account. If there is a chicken-and-egg event, that could be the only way in to the host.

We don't back up the host.

This is what we do: Disaster Preparedness: KVM/IP + USB Flash = Recovery. Here’s a Guide
Bruce R. (Author) Commented:
Philip, thanks for your replies. I'm weighing the (convenience) advantages of putting the host on the domain versus the disadvantages you mentioned. Is the only advantage of keeping the host independent and off the domain in protecting it from a malware infection? Are there other advantages in performance, etc.? If not, is the protection from malware enough of an advantage, since you're not even backing up the host, and I assume you can rebuild the host fairly quickly/easily?
Thanks.
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
The chicken and the egg dilemma is also one of the possibilities with a domain joined host. That is, no access if the guest DC is offline. Technically, one should be able to use the local admin to log on but that's not always the case. BTDT

Malware is another.

Having the host standalone means that it is not accessible to most, if not all, users on the guest domain. While we make a point of documenting everything for all of our clients and keeping their password files up to date, no one should have any access to the host for any reason short of something blowing up. That's how we operate. A workgroup host makes that a simpler process.
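
An added example, not part of the original thread or any poster's own script: a PowerShell check, run locally on the Hyper-V host, of the three points raised above (domain membership, who holds privileged access on the host, and whether an enabled local administrator exists for the chicken-and-egg case). It assumes Windows Server 2016 or later with Windows PowerShell 5.1; the function name `Get-HostIsolationReport` is hypothetical.

```powershell
function Get-HostIsolationReport {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Well-known SIDs: BUILTIN\Administrators and BUILTIN\Hyper-V Administrators.
    $groups = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-578' = 'Hyper-V Administrators' }

    # Everyone who can administer the host or its VMs, tagged with where the account lives.
    $members = foreach ($sid in $groups.Keys) {
        Get-LocalGroupMember -SID $sid -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Group  = $groups[$sid]
                Name   = $_.Name
                Class  = $_.ObjectClass
                Source = $_.PrincipalSource
                SID    = $_.SID
            }
        }
    }

    # Enabled local accounts in Administrators: the way in when no DC is reachable.
    $breakGlass = @($members |
        Where-Object { $_.Group -eq 'Administrators' -and $_.Class -eq 'User' -and $_.Source -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object Enabled)

    $findings = @()
    if ($cs.PartOfDomain) {
        $findings += "Host is joined to '$($cs.Domain)': domain logons depend on a reachable DC."
    }
    foreach ($m in @($members | Where-Object { $_.Source -eq 'ActiveDirectory' })) {
        $findings += "Domain principal $($m.Name) is a member of $($m.Group)."
    }
    if ($breakGlass.Count -eq 0) {
        $findings += 'No enabled local administrator: no way in to the host if the DC is offline.'
    }

    [pscustomobject]@{
        Computer           = $cs.Name
        PartOfDomain       = $cs.PartOfDomain
        DomainOrWorkgroup  = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
        PrivilegedMembers  = $members
        EnabledLocalAdmins = $breakGlass.Name
        Findings           = $findings
    }
}

Get-HostIsolationReport | Format-List
```

On a workgroup host with one documented local administrator, `Findings` comes back empty; on a domain-joined host it lists each domain principal that can reach the host.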
Bruce R. (Author) Commented:
Thank you!
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
You're welcome. :)