
I will be setting up a single piece of hardware to be colocated in a data center to host several Hyper-V guests, all of which will have Windows Server 2012 installed as the operating system. I will be managing and monitoring the applications and VMs from my office, where I only have two PCs running Windows 8.

Right now, I don't have any Active Directory domains installed in the office, since it doesn't make any sense for two computers. But having almost 10 remote servers to manage makes me think about the advantages of having AD DS and joining my VMs to it for easier and safer management and monitoring.

Generally, my question is how and where should I deploy the domain controller. I can't have a very fast and reliable connection between my office and the data center, so I want the server to keep working when my office can't connect. I will be using VPN to connect to the server from my office (no IPv6 available for DirectAccess). So my logic tells me that I should (at least) have a DC on the colocated server.

Several specific questions come to my mind:

  1. Should I deploy the AD DS on the Host or on a VM? I would really like the Host to ONLY serve the Hyper-V role for isolation and manageability purposes.
  2. Should I join the Host OS to the domain? Isn't it risky if for some reason the VM with the AD DS role doesn't start?
  3. What about the AD DS redundancy? Does it make sense to have a SECOND VM act as backup domain controller?!
  4. I know joining my office PCs to the remote Domain Controller will cause some issues because of the connectivity, so should I leave office PCs as a work group, or deploy a local DC which replicates the original one?

I should note that I will be able to get physical access to my server machine with a 2- or 3-hour trip in case it is needed at any time during its operation.

Iravanchi
  • 320
  • 3
  • 11

1 Answer

3

Should I deploy the AD DS on the Host or on a VM? I would really like the Host to ONLY serve the Hyper-V role for isolation and manageability purposes.

Without a doubt, your host should not be running AD DS. Definitely create a virtual Domain Controller.

Should I join the Host OS to the domain? Isn't it risky if for some reason the VM with the AD DS role doesn't start?

Personally, I wouldn't. With a single host, I don't think you're going to get any advantages, and because of your lack of AD redundancy, you are creating a dangerous single point of failure, as you point out. This answer changes when you begin scaling out and have a decent AD infrastructure. Also, ensure your Host is configured with a static IP and DNS.

What about the AD DS redundancy? Does it make sense to have a SECOND VM act as backup domain controller?!

Yes, but what makes a lot more sense is to have a secondary domain controller on a different host, or have a separate physical domain controller. I'm guessing you don't have the luxury so a second VM is better than nothing, but be aware that a host or storage failure could leave you in a bad place. Ensure your backup strategy is spot on.

I'm not going to sit and say "YOU SHOULDN'T DO THIS", but you need to be aware of how fragile everything will be sitting on one host.

Should I leave office PCs as a work group, or deploy a local DC which replicates the original one?

This is really up to you - the latter is a perfectly acceptable solution if you configure your Sites properly so that AD knows that there is a WAN in between. But you don't really say what relationship the servers in the DC have to you. If you're not going to get any real benefit from it then you may just be creating work for yourself.

Although, this would serve to be a redundant physical DC which would be nice.

Dan
  • 15,280
  • 1
  • 35
  • 67
  • Thanks a lot. I know having a single host is too fragile, but that's all I can afford now. (I'll be using RAID 6 for the disks, and trying to create a decent backup plan) I have a top priority to buy another host as soon as I can (I have cheap hardware to spare for the second DC, but can't put it in the Data Center). Thanks for pointing out the dangers. – Iravanchi Dec 13 '12 at 12:15
  • @Iravanchi No problems, good luck! – Dan Dec 13 '12 at 12:17
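The answer above makes three practical recommendations: keep the DC in a guest and make sure that guest comes up with the host, give the host a static IP and DNS, and define AD Sites so replication knows about the slow WAN link if a replica DC is ever placed in the office. The following PowerShell is an added example written for this thread, not something posted by either participant. It assumes a DC guest named DC1, a host NIC alias of Ethernet, and constructed subnets 10.20.0.0/24 (data center) and 10.10.0.0/24 (office); change these to match the real environment. Section 1 runs on the Hyper-V host, section 2 on a domain controller with the ActiveDirectory module.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread; DC1, 'Ethernet' and both subnets are assumed placeholders.

# --- 1. Host side (run on the Hyper-V host, which stays out of the domain) ---

$DcVmName = 'DC1'        # assumed name of the domain controller guest
$HostNic  = 'Ethernet'   # assumed alias of the host's management NIC

# The DC guest should start automatically with the host and shut down cleanly
# with it, so a host reboot never leaves the other guests without a DC.
Set-VM -Name $DcVmName -AutomaticStartAction Start -AutomaticStartDelay 0 `
       -AutomaticStopAction ShutDown

# The host itself must not depend on DHCP or on an empty resolver list.
$ipv4 = Get-NetIPInterface -InterfaceAlias $HostNic -AddressFamily IPv4
if ($ipv4.Dhcp -eq 'Enabled') {
    Write-Warning "Host NIC '$HostNic' is on DHCP; assign a static IPv4 address."
}
$dns = (Get-DnsClientServerAddress -InterfaceAlias $HostNic -AddressFamily IPv4).ServerAddresses
if (-not $dns) {
    Write-Warning "Host NIC '$HostNic' has no DNS servers configured."
} else {
    Write-Host "Host DNS servers: $($dns -join ', ')"
}

# --- 2. Site topology (run on a DC) so AD knows there is a WAN in between ---

Import-Module ActiveDirectory

$Sites = @{
    'Datacenter' = '10.20.0.0/24'   # constructed placeholder subnet
    'Office'     = '10.10.0.0/24'   # constructed placeholder subnet
}

foreach ($site in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    $subnet = $Sites[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }
}

# A single IP site link with a high cost and a long interval, so replication
# tolerates the office VPN dropping instead of retrying constantly across it.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'Office-Datacenter'")) {
    New-ADReplicationSiteLink -Name 'Office-Datacenter' `
        -SitesIncluded 'Office', 'Datacenter' `
        -Cost 200 -ReplicationFrequencyInMinutes 60 `
        -InterSiteTransportProtocol IP
}

# The first DC is created in Default-First-Site-Name; move it to the site
# that matches its subnet so clients and replication partners pick it correctly.
Move-ADDirectoryServer -Identity $DcVmName -Site 'Datacenter'

# Verify: each DC should report the site it actually sits in.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog
```

The host checks only warn rather than change the network configuration, because the right static address is a decision for the person racking the box. If a second DC is later built in the office, as the answer suggests, it is promoted into the Office site and the site link already defined here governs how often the two replicate over the VPN.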