2

Server 2012 R2 host running all VM servers to support a small IDE

After collating guidance regarding SCEP I've decided to go ahead and install SCCM even though I only initially need SCEP. (I figure I'll start a slow learning process to get up to speed on SCCM.)

But in the meantime, I need to install it somewhere. I figured wiser heads might advise what to do and what to avoid.

While the following post addressed some other issues, the discussion seemed pretty absolute about not having the host be a DC. So I'm guessing that means it is not advisable to put SCCM on the host either.

Should I still have a physical DC, even post-Server 2012?

So if SCCM is going to be on one of my VMs, is it OK to have it on the VM DC? Or is there some overriding reason that it should be on its own VM? Are there startup timing issues, or the like? I have a small system, just the one host, and I don't want to use up licenses too quickly.

Thanks.

Alan
  • This is really late but I hope you didn't do this... please tell me you didn't. –  May 06 '15 at 16:51
  • I'm assuming your 'hope you didn't do this' is in relation to the SCCM install, and no, I didn't install it yet. And even though I indicated I was installing SCCM, in the interim I actually did just install SCEP and was happy with how that turned out. But before I install SCCM, I'm actually waiting for someone to offer guidance/input on this. I haven't actually created the VM servers yet but was intending one of them to be solely dedicated as the DC. Should SCCM be on a server by itself? I really only have the one physical machine at this time for all my servers. – Alan May 06 '15 at 19:59

1 Answer

2

OK. It sounds like you are working with a pretty small environment. You might want to reconsider whether or not SCCM is an appropriately sized toolset. Take a look at my answer to Is SCCM overkill for medium-sized organizations? and give it some thought. You might be happier with Windows Intune or a smaller, less complex, less featureful endpoint management system.

> I'm guessing that means it is not advisable to put SCCM on the host either.

Correctomundo! See the below reasoning which I pulled directly from the Windows Server 2012 Hyper-V Best Practices which I recommend you review along with Aidan Finn's Recommended Practices For Hyper-V.


> Do not install any other Roles on a host besides the Hyper-V role and the Remote Desktop Services roles (if VDI will be used on the host).
>
> When the Hyper-V role is installed, the host OS becomes the "Parent Partition" (a quasi-virtual machine), and the Hypervisor partition is placed between the parent partition and the hardware. As a result, it is not recommended to install additional (non-Hyper-V and/or VDI related) roles.


You want your Hyper-V Host to be as clean and as simply configured as possible. It is highly recommended to not install other applications or roles onto your Hyper-V host, especially one as complex as ConfigMgr.


> is it OK to have [SCCM] on the VM DC?

Nope! SCCM is a complex and somewhat fidgety application. In order to install it you will need a whole bunch of prerequisites, not limited to IIS, Reporting Services, MS SQL, and WSUS. For such a small Site you would co-mingle these services and Site Roles on a single server, your Domain Controller, which also happens to run a complex and somewhat fidgety application. I highly recommend you do not do this.

Take a look at can domain controllers also serve other functions?. It used to be fairly common to deploy a single physical server that had ADDS, DNS, DHCP, File and Print Roles all co-mingled. However, with the prevalence and low cost of virtualization in the Microsoft ecosystem it is becoming more common to deploy your domain controllers in single-purpose virtual machines to avoid problems and isolate them if they occur.

As an aside, note I said "domain controllers". You will want at least two Domain Controllers, one of which is a physical standalone machine if you plan on clustering your Hyper-V hosts. You should always have two domain controllers (see: Risks of having only one domain controller?). Furthermore you should pay particular attention to the caveats of running virtualized domain controllers, especially things like cloning and time synchronization.

> I don't want to use up licenses too quickly

Yep. I understand that, but please consider some of the technical limitations and dangers you might find yourself in down the road. A datacenter license of Windows Server looks mighty affordable if SCCM has exploded your site's only domain controller.

  • Terrific answer, great reference links - thanks! Confirms the bits and pieces I've been reading elsewhere. Also helps me save some time investing a lot of effort just right now in SCCM; will pick that up much later. My big need was SCEP and I was able to get that accomplished. The steps I followed are at this [link](https://social.msdn.microsoft.com/Forums/en-US/67f3fd85-0486-41af-b0ea-76e0ee0c5e39/what-might-be-my-best-approach-for-a-very-small-business-to-install-malware-protection-on-server?forum=winserversecurity) - see the last entry. – Alan May 07 '15 at 01:19
  • @Alan Glad I could help. I don't mean to dissuade you but SCCM can be a bit of a beast. Maybe [BigHomie](https://serverfault.com/users/154913/bighomie) would be willing to do some consulting for you. –  May 07 '15 at 16:10
  • When I get to it, consulting makes sense, but based on what you've indicated, I won't be getting to it anytime soon. ;-) BTW, regarding the theory/practice of running nothing but the Hyper-V role on the host; I noticed as I was installing the Hyper-V role the standard install includes the File Server role. Is it OK to leave that there, or should that be removed? (assuming it can be removed for the new configuration) – Alan May 07 '15 at 20:03
  • @Alan - If the wizard selected it then keep it. –  May 07 '15 at 21:18
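
The role-separation advice in this thread can be checked mechanically. The following is an added example, not part of the original posts: it compares a server's installed top-level roles against an allowlist, once for the Hyper-V host and once for a single-purpose DC VM. The function name `Get-UnexpectedRole`, both allowlists (including DNS on the DC and File and Storage Services on the host) and the sample inventories are assumptions made for illustration.

```powershell
# Added example. Allowlists are assumptions drawn from the thread:
# host  = Hyper-V, RDS (VDI only), plus File and Storage Services left by the wizard
# DC VM = AD DS plus DNS (assumed companion role) and the default storage role
$HostAllowed = 'Hyper-V', 'Remote-Desktop-Services', 'FileAndStorage-Services'
$DcAllowed   = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'

function Get-UnexpectedRole {
    param(
        # Objects shaped like Get-WindowsFeature output (Name, FeatureType, Installed)
        [Parameter(Mandatory)] [object[]] $Feature,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    # Compare top-level roles only; role services and features are ignored.
    $Feature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $Allowed -notcontains $_.Name } |
        Select-Object -ExpandProperty Name
}

# Constructed sample inventories (not taken from a real server).
$hostSample = @(
    [pscustomobject]@{ Name = 'Hyper-V';                 FeatureType = 'Role';         Installed = $true }
    [pscustomobject]@{ Name = 'FileAndStorage-Services'; FeatureType = 'Role';         Installed = $true }
    [pscustomobject]@{ Name = 'Storage-Services';        FeatureType = 'Role Service'; Installed = $true }
    [pscustomobject]@{ Name = 'AD-Domain-Services';      FeatureType = 'Role';         Installed = $true }
)
$dcSample = @(
    [pscustomobject]@{ Name = 'AD-Domain-Services'; FeatureType = 'Role'; Installed = $true }
    [pscustomobject]@{ Name = 'DNS';                FeatureType = 'Role'; Installed = $true }
    [pscustomobject]@{ Name = 'Web-Server';         FeatureType = 'Role'; Installed = $true }  # IIS, an SCCM prerequisite
    [pscustomobject]@{ Name = 'UpdateServices';     FeatureType = 'Role'; Installed = $true }  # WSUS, an SCCM prerequisite
)

foreach ($check in @(
        @{ Label = 'Hyper-V host'; Feature = $hostSample; Allowed = $HostAllowed },
        @{ Label = 'DC VM';        Feature = $dcSample;   Allowed = $DcAllowed })) {
    $extra = @(Get-UnexpectedRole -Feature $check.Feature -Allowed $check.Allowed)
    if ($extra.Count) { "$($check.Label): move to a separate VM -> $($extra -join ', ')" }
    else              { "$($check.Label): only allowlisted roles installed" }
}

# On a real Server 2012 R2 machine, feed live data instead of the samples:
#   Get-UnexpectedRole -Feature (Get-WindowsFeature | Where-Object Installed) -Allowed $HostAllowed
#   (Get-CimInstance Win32_ComputerSystem).DomainRole   # 4 or 5 means this machine is a domain controller
```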