RESET Forums (homeservershow.com)

VM server in domain with Domain controller as VM - chicken/egg scenario


adsboel

Hi guys,

 

Is there a problem running Hyper-V in a domain and having the controller as a VM on the same server?

 

If everything goes pear-shaped I can still boot the Hyper-V host and connect to individual VMs with previously used credentials.

 

Any comments?


In theory, yes, you 'should' be able to connect to the host and any other VMs using cached credentials, but best practice is to have the host running in a workgroup of its own (so that you log in locally to it) and not be dependent on any of the child VMs on it.

 

Imagine the case of a host server starting up - like any domain member, the first thing Windows is going to do is look for the domain controller and DNS server (domain members really should have their DNS pointing to the domain controller), neither of which it is going to find, as the VM won't have started up yet.

 

As you say, a classic chicken-and-egg situation.

 

Eventually the host will realise that it can't find its DC and start up anyway, but it will be massively delayed and the event logs will be full of errors.

 

I always have the hosts running in their own workgroup.

 

 

John 


Well, if you take this argument to its extreme, you shouldn't have DHCP and DNS under the host either. The DNS I solved by adding my router as secondary DNS in the DHCP setup, so in a fail scenario all clients on the network will skip the DNS and go to the router (which is a DNS proxy for the DNS server), keeping internet open for clients.

 

Mind you this is just for my homelab and that's about it.

 

Working a bit towards getting Hyper-V shared VHD running on a shared something... so I need to grant the VM access to the shared storage on the domain. Hmmm, should actually be possible without being part of the domain.


The idea of running DCs in VMs has come up in the forums before. The general consensus was that it wasn't a good idea. Same goes for DHCP and DNS ('course, if you follow best practice and have DHCP and DNS on the DC, they won't be in a VM either). As you say, DHCP needs to be configured so it hands out your router as the secondary DNS (it also has to be configured to hand out your router as the default gateway).


I have DC/DHCP/DNS set up on a VM and am fairly happy with it after I realised the secondary DNS trick. My girlfriend stopped asking why the internet was down every time I was tinkering on the main box.

 

Maybe a safe option is to move the DC VM to my old N36L as physical and keep that alive as DC. I was planning to keep it up as a pure Windows NAS, as it's all hooked up with activated Windows to support this project. This way I would get both Hyper-V servers (located on the Gen8) into the same domain and thus be able to share resources left, right and center without any cross-domain issues.

 

Essentially I am looking to enable shared volumes, so copies between VMs use I/O instead of the network.

 

Brian


There is absolutely no problem with running your domain controller, DNS and DHCP servers as virtual machines. The important bit is that the host server is NOT a member of the domain itself and that it has a static IP configuration. As it is not a domain member, its DNS can be pointed to anything, i.e. your router (assuming that is a DNS proxy) or any public DNS servers.

 

The golden rule with virtualisation is that the host machine should be doing as little as possible other than running the VMs - make it as simple as you possibly can: static addresses, workgroup mode. Which is why I prefer to have my hosts just running MS Hyper-V Server, which is completely stripped down and just does the one thing very efficiently indeed.

 

If on the other hand you were in an enterprise situation with multiple hosts and each of them had virtualised DCs, DNS servers and DHCP servers, then it is acceptable (indeed advantageous) to have the hosts as domain members to make management a bit easier and take advantage of domain level security and group policies.

 

Brian, what are you currently running on the N36L? If possible, it may well be a good idea to promote it to be another DC and also install the DNS role on it. That way you will have better redundancy and also you can play around with Active Directory replication (don't worry, it sounds worse than it actually is - and is almost completely automatic) and DNS zone transfers.

 

John 

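A concrete form of John's advice (workgroup host with static addressing, DNS pointed at the router) and Brian's secondary-DNS trick on the DHCP scope, as an added PowerShell example that is not from this thread. The 192.168.1.x addresses and the interface alias 'Ethernet' are constructed assumptions; adjust them to your own LAN.

```powershell
# Added example, not from the thread. Constructed placeholder addresses:
#   LAN 192.168.1.0/24, router 192.168.1.1 (DNS proxy), DC VM 192.168.1.10, host 192.168.1.5.
# Interface alias 'Ethernet' is an assumption; check yours with Get-NetAdapter.

# ----- Part 1: run on the Hyper-V host (freshly built, before any VMs exist) -----

# Guard: the host must not be a domain member, otherwise its logon depends on the DC VM it hosts.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "Host '$($cs.Name)' is joined to '$($cs.Domain)'. Leave the domain first (workgroup host)."
}

# Weak setting the thread warns against: DHCP-assigned address with DNS pointing at the DC VM,
# which has not started when the host boots. Replace it with a static address and router DNS.
Set-NetIPInterface -InterfaceAlias 'Ethernet' -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias 'Ethernet' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress   -InterfaceAlias 'Ethernet' -IPAddress '192.168.1.5' -PrefixLength 24 `
                   -DefaultGateway '192.168.1.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.1.1'

# Verify: the host should now resolve names even while every VM is powered off.
Resolve-DnsName -Name 'www.example.com' -Server '192.168.1.1' -Type A | Select-Object Name, IPAddress

# ----- Part 2: run on the DC VM that holds the DHCP server role -----

# Hand out the DC as primary DNS and the router as secondary DNS (option 6), and the router as
# default gateway (option 3). When the DC VM is down, clients fall through to the router and keep
# internet access; AD-specific lookups still go to the DC when it is up.
Set-DhcpServerv4OptionValue -ScopeId '192.168.1.0' `
                            -DnsServer '192.168.1.10', '192.168.1.1' `
                            -Router    '192.168.1.1'

# Verify the scope options that were set (3 = Router, 6 = DNS Servers).
Get-DhcpServerv4OptionValue -ScopeId '192.168.1.0' |
    Where-Object OptionId -In 3, 6 |
    Select-Object OptionId, Name, Value
```

Clients renew their leases before the new options take effect; `ipconfig /renew` on a client forces it.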

I actually have a fully functional physical 2008 R2 on the N36L - I need to replace a RAID disc but it's storage and that's it :)


Best practices:

 

Run DCs in a VM... but run two separate hosts, and a DC in each. That way, at any given time, one of them is online and able to connect to a DC.

 

However, at home, this is impractical, and will probably end up with you in the doghouse.... or a VERY high power bill.

 

 

But in a home environment... use both roles on the host... (like in Server 2012R2 Essentials.....), and licensing be damned....


Agreed. Duplicating a corporate AD environment at home doesn't seem the best way to go, for most people at least. I'm sure there are some who could justify it.


In any good enterprise environment, you would have as many physical DCs as you would virtual DCs. It's just a good practice.
