How do you configure DNS/AD in a Hyper-V environment so you can still access the internet?

    Question

  • Is there a "Best Practise" to configure a "fake" VM domain on the fringe of the real internet?

    My goal is to have a Hyper-V based "Data Centre" test system running in my home environment, i.e. a VM for AD (DNS and/or DHCP), another as an AD mirror, then any others I need to spin up for testing SQL, SharePoint, Team Server etc.

    • I'd like the VM servers to be able to see each other & also the internet.
    • I'd like other PCs in the house to interact with the Virtual Environment.
    • If possible, I'd like the AD in the VM to authenticate my home accounts & register my home machines as part of that domain.

    Currently my home machines use a cheap Netgear router for DHCP, Gateway & DNS. It's necessary for internet access as my ISP only provides one dynamic IP address per household. My ISP doesn't provide static IP addresses to domestic accounts.

    1st problem: AD needed an FQDN & I don't have one. I'd like to invent one & use it. But I don't know how to get the VM's DNS to play nice with the real internet DNS service. It complains that there is no entry for the FQDN in my router's DNS. (Understandable; I don't really want a bogus domain name escaping into the internet.)

    It also complains that the DNS server shouldn't have a loopback address as its first entry.

    Ideally I'd like the boundary to my "Fake" domain to be at the ISP router, as opposed to a Virtual network on the host.

    Do I need to put all VMs on a "Private" Virtual network & then create an ISA server VM to connect the private network to the "External" netcard? Or do I give each VM 2 networks; one internal & the other external?

    Is there some way to keep DNS happy by using Conditional Forwarders, or should I be changing the IPv4 protocol with an Alternate Configuration?

    In short: is there some way that all my virtual servers & physical PCs can see the Active Directory in the VM, & also see the rest of the internet, but not let my fake domain collide with the real world?

    thx 

    Saturday, March 10, 2012 8:55 AM

Answers

  • Whether it is on physical or virtual machines does not matter. Basically your DHCP server must hand out the static address of the AD server as the primary DNS server address so clients can find the DC. Then put the ISP's DNS addresses in the forward lookup of your DNS server so clients can find the internet. Also make sure your server has a static IP address outside of the DHCP scope. 127.0.0.1 is OK, but the AD/DNS server should have its own address first in the DNS list.


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    • Proposed as answer by Tiger Li Tuesday, March 13, 2012 6:29 AM
    • Marked as answer by Tiger Li Thursday, March 15, 2012 12:48 AM
    Saturday, March 10, 2012 2:23 PM
  • I find the best way is to set up AD on a private virtual network with its own private subnet. To give it Internet access run one VM as a NAT router (or TMG) with its public NIC connected to the LAN.

      You can then proceed just as you would for a physical network behind a NAT router. Run DHCP on the DC and not on the NAT router. Give the clients the NAT router for a gateway but the DC for DNS. (AD works best with no other DNS addresses, even as secondaries.) Modify the local DNS to forward to a public DNS service (your ISP or 4.2.2.2) to resolve foreign URLs.

      If you want physical machines on your LAN to be in the domain as well you would use an external virtual network rather than private (so that the VMs and the physicals are in the same network; this would need to be a different NIC from the one connecting the host to the DSL router). I would not join the host machine to the domain. Leave the host as a "black box" powering your VMs and the host/DSL link as a pseudo DMZ.

      So you need two NICs in the host. One connects to your DSL router. Only the host and the public side of your NAT router VM use this network and this IP subnet. The other NIC connects to a switch to which all your physical machines (except the VM host) connect. This network is behind your NAT router and is your domain network containing all your physical and virtual servers and workstations (except the VM host). The "boundary" of your domain will be the NAT router.


    Bill


    • Edited by Bill Grant Saturday, March 10, 2012 11:48 PM typo
    • Proposed as answer by Tiger Li Tuesday, March 13, 2012 6:29 AM
    • Marked as answer by Tiger Li Thursday, March 15, 2012 12:48 AM
    Saturday, March 10, 2012 11:47 PM
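    The DC-side configuration that Dave Patrick's and Bill Grant's answers describe (DC static address outside the DHCP pool, its own address first in its resolver list, forwarders to a public resolver, DHCP on the DC handing out DC-for-DNS and NAT-router-for-gateway), as an added Windows Server 2012+ PowerShell example that is not from the thread. It assumes the private virtual switch and the NAT router VM already exist, that the DC is already promoted, and uses constructed values for the subnet, addresses, domain name and adapter alias.

```powershell
# Added example, not from the thread: run ON the DC/DNS/DHCP VM to realise the
# design in Dave Patrick's and Bill Grant's answers. Every address, name and the
# adapter alias below is a constructed assumption; substitute your own.
$LabDomain   = 'corp.lab.example'   # made-up forest FQDN (forest already promoted)
$LabNet      = '192.168.50.0'       # private lab subnet behind the NAT router VM
$DcIp        = '192.168.50.10'      # the DC's static address
$NatRouterIp = '192.168.50.1'       # inside address of the NAT router VM (gateway)
$Nic         = 'Ethernet'           # adapter alias inside the DC VM
$IspDns      = @('4.2.2.2')         # public resolver Bill names; your ISP's works too

# 1. Static IP outside the DHCP pool; the DC's OWN address comes first in its
#    resolver list, with loopback only as the secondary entry (Dave's point).
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $DcIp -PrefixLength 24 `
    -DefaultGateway $NatRouterIp
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($DcIp, '127.0.0.1')

# 2. Forwarders: the DC is authoritative for the made-up zone and forwards every
#    other name to the public resolver, so the fake zone never leaves the lab and
#    the home router's DNS is never asked about it.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# 3. DHCP on the DC, not on the NAT router: one scope for the lab subnet, the
#    static range excluded, clients told "DC for DNS, NAT router for gateway".
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerv4Scope -Name 'Lab' -StartRange 192.168.50.1 -EndRange 192.168.50.254 `
    -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $LabNet -StartRange 192.168.50.1 -EndRange 192.168.50.20
Set-DhcpServerv4OptionValue -ScopeId $LabNet -DnsServer $DcIp -Router $NatRouterIp `
    -DnsDomain $LabDomain
Add-DhcpServerInDC   # authorise this DHCP server in AD

# 4. Checks before joining any machine: the SRV record clients use to locate the
#    DC answers locally, and a public name resolves through the forwarder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$LabDomain" -Type SRV -Server $DcIp
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server $DcIp
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
```

    Clients (virtual or physical, on the lab switch) should then be left on DHCP with no other DNS server configured, which is what keeps the fake zone inside the NAT boundary.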
  • Hi David,

    Thanks for posting here.

    >•I'd like the VM servers to be able to see each other & also the internet.
    >•I'd like other PC's in the house to interact with the Virtual Environment.
    >•If possible, I'd like the AD in the VM to authenticate my Home accounts & register my home machines as part of that domain.

    We can have the physical NIC on the host attached directly to each VM, meaning they can share a "real" NIC at the same time. After that we can run a VPN service on the edge router and create a connection to this Hyper-V datacenter network from home over the internet, in order to access it from the remote home network.

    VMs---(physical NIC)----Internet edge Router------(VPN over Internet)------Home

    How does basic networking work in Hyper-V?
    http://blogs.technet.com/b/jhoward/archive/2008/06/16/how-does-basic-networking-work-in-hyper-v.aspx

    Hyper-V: Virtual Networking Survival Guide
    http://social.technet.microsoft.com/wiki/contents/articles/151.hyper-v-virtual-networking-survival-guide.aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    • Marked as answer by Tiger Li Thursday, March 15, 2012 12:48 AM
    Tuesday, March 13, 2012 6:29 AM
