Domain Controller as Hyper-V host

    Question

  • Hello, we currently use Virtual Iron (Oracle killed it) at our Hot Backup site. I have already converted our production virtual environment to Hyper-V and am now about to convert the hot backup site. I want to make the Hyper-V host Windows Server 2008 R2 as the Domain Controller and Hyper-V host. I would like to do this because there is only one physical server at the hot backup site (very small requirements and beefy server). Are there any concerns with making the physical Hyper-V host server a domain controller as well?

    I read somewhere that you take a performance hit if the drive where AD is installed also contains the Hyper-V Virtual Servers, but I would place those on separate physical drives.

    Remember this is for a hot backup site that would only be used in the event of total loss of our HQ building and would only be needed to limp along for a few weeks for business continuity with skeleton crew.

    Thanks.

    Wednesday, November 18, 2009 5:25 PM

Answers

  • I'm supposed to say something about best practices. Don't enable any other roles in the parent partition (i.e., the physical Hyper-V server), don't run any applications in the parent partition, have a second physical server for AD, etc.

    Using separate physical drives like you are planning to do is a great idea.

    I usually tell people to hold back 2 GB of RAM for the Hyper-V server. In other words, if you have 32 GB of RAM, make sure that you don't allocate more than 30 GB of RAM to the running virtual machines. In your case, you need to hold back more than 2 GB of RAM. Find the amount of RAM used by a physical domain controller and add 2 GB to that to come up with your custom hold back amount.
    Wednesday, November 18, 2009 6:07 PM
  • Hi,

    Yes, as John mentioned, generally speaking, we don’t recommend that you combine Domain Controller and Hyper-V host on the same physical computer, especially in a production environment.

    Best Regards,

    Vincent Hu

    Thursday, November 19, 2009 9:19 AM

All replies

  • My $0.02 will follow right in line with John and Vincent.

    In the end you will be better served by placing AD in its own VM.
    Yes, there is the recommendation, but there have also been experiences that point to this being a better solution (beyond best practice).  I will use the phrasing "you will have a better experience by doing it this way"

    On a side note - Do you have a compelling reason to have the DC installed in the parent partition?

    Oh, and if you run the DC in a VM - be sure to disable the Hyper-V time synchronization service in the AD VM and set it to sync with a very reliable NTP source.  Then you can avoid a time drift issue that folks have reported but has not been resolved yet.

    Brian Ehlert (hopefully you have found this useful)
    Thursday, November 19, 2009 3:52 PM
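
The time-source advice in the reply above, as an added example that is not part of the original thread: it is run inside the DC guest to stop it taking time from the Hyper-V host, point it at an NTP peer, and verify the result (Kerberos rejects tickets once clocks drift past its default 5-minute tolerance). The peer name `ntp.example.org` is a placeholder, and the in-guest registry switch is used here as an assumption in place of the Integration Services checkbox in the VM settings.

```powershell
# Added example: run in an elevated PowerShell prompt inside the domain controller VM.
# Placeholder peer; replace with the reliable NTP source you actually use.
$peer = 'ntp.example.org'

# 1. Disable the Hyper-V time provider inside the guest so Windows Time
#    no longer accepts time from the host's integration service.
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
if (Test-Path $vmic) {
    Set-ItemProperty -Path $vmic -Name Enabled -Value 0
}

# 2. Sync from the manual peer only. /reliable:yes advertises this DC as a
#    reliable time source, which suits the DC holding the PDC emulator role.
w32tm /config "/manualpeerlist:$peer" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# 3. Verify which source the service ended up using.
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'VM IC Time Synchronization Provider') {
    Write-Warning "Still syncing from the Hyper-V host: $source"
}
elseif ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "Not syncing from any peer yet: $source"
}
else {
    Write-Output "Time source: $source"
}
```

`w32tm /query /status` shows the last successful sync time and the current offset if the source check alone is not enough.
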
  • Thank you all for your responses. I do have DC in our production env that is a Hyper-V guest so I will disable the Time Sync. Thanks for the tip.

    As far as why, it is because this is a hot backup location and not a production location. We only have one physical server at the site and I am thinking it would be better to have the DC boot up first before the virtual guests. I guess I could install the DC as a guest OS and put the other ones on a delayed start to wait for the DC to boot.

    I definitely would not do this in a production env. We had a physical server as the main FSMO - DNS - DHCP DC.

    Thanks again.
    Thursday, November 19, 2009 4:04 PM
  • Hello,

    I've had OK experiences with configurations similar to yours.  As you mentioned, definitely have a DC (preferably 2) off of the Hyper-V server in the production environment.  I would avoid putting the domain controller role on the host OS.

    Have a good day.
    Friday, November 20, 2009 5:13 AM
  • I have a single box for our in-house server running Hyper-V with SBS 2008 as guest DC. I set the SBS VM to start automatically. The 2008 R2 Hyper-V core does not belong to the domain. I used John Howard's scripts to enable DCOM, WinRM etc. on the workstation we use to manage Hyper-V. It's still tricky to manage the Hyper-V if the DC isn't running.

    One poster here mentioned that their Hyper-V server belongs to the domain where DC is guest. Most of these types of arrangements are probably like ours: we're a partner that sells SBS and Dynamics CRM. I'm getting up to speed on Hyper-V because some customers should virtualize and it allows flexibility for our testing.
    Monday, February 15, 2010 11:29 PM
  • I'm now using 5nine Hyper-V manager on Hyper-V Server Core which eliminates the headache of getting a domain joined workstation able to run Microsoft's Hyper-V manager for a non domain joined Hyper-V 2008 R2 SP1 Server Core. That way I can get the guest servers up and running quickly.

    Later I set up a domain joined workstation to run Microsoft's Hyper-V manager first by installing the Hyper-V Remote Management (now for SP1)

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

    Go into Programs and Features > Turn Windows Features on/off and check the Hyper-V checkbox under Remote Server Administration Tools > Role Administration Tools > Hyper-V Tools and then I run John Howard's hvremote.wsf as follows:

    Client domain, Server workgroup

    Server: Create a local account (eg "john")
        Use net user /? or Computer Management

    Server: Grant the user access
        cscript hvremote.wsf /add:accountname ***

    Client: Allow Anonymous Logon remote DCOM access
        cscript hvremote.wsf /anondcom:grant

    Client: Set credentials for local account
        Use cmdkey /add:servername /user:servername\accountname /pass

    Client: Set firewall exception
        cscript hvremote.wsf /mmc:enable

    Both: Verify configuration for errors
        cscript hvremote.wsf /show /target:othercomputername

    Posted this because it's hard to pull this together when first working on it.


    Doug Steinschneider DCS Group
    Monday, May 30, 2011 3:53 PM
  • Hi Nathan,

    Just to clarify your post, when you say "off of the Hyper-V server" you do mean running as guest servers under it?


    Doug Steinschneider DCS Group
    Monday, May 30, 2011 3:58 PM