I have a Hyper-V 2012 host running a Win 2012 ADS domain controller. The question is: should I make the Hyper-V host partition part of the domain?

Problems occur as the VM Host boots because the domain controller virtual machine is, of course, not running at that time.

It would be convenient to have the VM Host as part of the domain because that would allow file shares going into the VM to use domain users and groups. It also allows WSUS to provide updates to the VM Host.

How does everyone else deal with this issue?

NickC
  • Coming from the VMware world, I tend to isolate the majority of the hypervisors from the virtual machines as much as I can for security reasons; not sure what's the best practice for Hyper-V. – gravyface Nov 18 '12 at 14:04

1 Answer

I don't think MS has a best practice for this. It is up to you but a couple of things here.

  1. You should consider having more than one DC. Stick another one running on a separate server (or Hyper-V host).

  2. Placing the Hyper-V host on the domain will allow you to manage it with domain credentials, and it will allow for failover clustering (not really needed in your environment, but still).

The problems you are referring to during boot can be solved by doing #1 above.

TheCleaner
  • At the moment this is in an experimental development environment so don't really want the overhead of another server as in option 1. Beginning to think that although it might be nice to have the VM host on the domain, the problems caused are probably just not worth the grief. For the moment have decided to remove the VM host from the domain. As gravyface commented, this is also better for security reasons. – NickC Nov 18 '12 at 14:54
  • It's different in VMware though. But yes, it doesn't matter overall if you have the Hyper-V host on the domain or not. #2 above lists some pros to doing so, but it isn't necessary. Typically users do put them on the domain, but typically that is to allow for ease of management. – TheCleaner Nov 18 '12 at 15:25
  • One of the problems with VMHost not being part of the domain is authentication of shares on VMHost being used in the Domain Controller VM; see my other post here: http://serverfault.com/questions/449894/wsus-setup-on-ads-domain-controller-vm – NickC Nov 18 '12 at 17:24