I have a Windows Server 2019 server, which is running some services itself, and Hyper-V virtual machines with Windows and Linux guests.

To centralize user and machine management, I have set up Active Directory Domain Services, DNS, and File and Storage services on the host system. I have joined the various virtual machines to the AD domain, and control users and (virtual) machine policies from a single point.

This is working fine, in an isolated view.

The bigger picture is that all services (AD DS, DNS, File and Storage) are binding to everything (any interface). I realized it quickly, and disabled (or changed) the firewall rules for the services to match only the internal interface I want the services on.

However, after the nightly restart (installing patches, etc.), some/most of the firewall rules added by AD DS, DNS, and File and Storage were re-enabled and changed to their default state (any interface).

How do I configure AD DS, DNS, and File and Storage services to bind only to a specified internal interface, or how do I force my firewall rule changes so "they" (the services) don't override it after every server restart?

burnersk
    You should not have multiple interfaces on a Domain Controller. It should not be multi-homed. Build a new VM for the DC with a single internal interface ONLY. – Semicolon Jan 30 '20 at 15:55

1 Answer

Don't mix AD, Hyper-V and File Server in one Windows Server instance. Just install Hyper-V on bare metal and deploy separate Windows VMs for the AD and File Server roles. Virtual Switches allow you to segregate network interfaces for each role.

Here is an explanation regarding combining Hyper-V and the AD role on the same server: https://www.hyper-v.io/combining-hyper-v-dc-role-server-bad-idea/

batistuta09
    AD and File Services go together like peas in a pod. It is actually REQUIRED that a DC be a file server (think SYSVOL/NETLOGON). Though, aside from those shares, if it can be avoided - do so. – Semicolon Jan 30 '20 at 15:53
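
The drift described in the question (role firewall rules returning to "any interface" after a restart, and services listening on every address) can be checked after each reboot with an audit script. This is an added example, not code from the thread; the interface alias `Internal` and the three display-group names are assumptions to adjust for the actual server.

```powershell
# Added example (not from the original thread): detect firewall-rule drift
# and wildcard listeners on a multi-homed host after a restart.
param(
    # Hypothetical alias of the internal interface; list real ones with Get-NetAdapter.
    [string]$InternalAlias = 'Internal',
    # Assumed display-group names; confirm with:
    #   Get-NetFirewallRule | Select-Object DisplayGroup -Unique
    [string[]]$Groups = @('Active Directory Domain Services', 'DNS Service', 'File and Printer Sharing')
)

# 1. Enabled inbound allow rules in the watched groups that match any
#    interface other than the internal one ('Any' means no restriction).
$driftedRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    if ($rule.DisplayGroup -notin $Groups) { continue }
    $aliases    = @(($rule | Get-NetFirewallInterfaceFilter).InterfaceAlias)
    $unexpected = @($aliases | Where-Object { $_ -ne $InternalAlias })
    if ($unexpected.Count -gt 0) {
        [pscustomobject]@{
            Rule       = $rule.DisplayName
            Group      = $rule.DisplayGroup
            Interfaces = $aliases -join ','
        }
    }
}

# 2. TCP listeners bound to the wildcard address, i.e. reachable on every
#    interface unless a firewall rule blocks them.
$wildcardListeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        [pscustomobject]@{
            Port    = $_.LocalPort
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }

$driftedRules      | Format-Table -AutoSize
$wildcardListeners | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent flag the drift.
if ($driftedRules) {
    Write-Warning "$(@($driftedRules).Count) rule(s) are not restricted to '$InternalAlias'."
    exit 1
}
```

Run it from an elevated session, for example as a scheduled task triggered at startup, so a reverted rule is noticed before the next maintenance window.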