Most of the time, I get my inspiration from the forums, where interesting people ask interesting questions. Today, there was a thread about Hyper-V on a separate domain, and what our recommendation was.
You may think it is good practice to make your Hyper-V hosts members of an AD DS domain. Yes, it is. AD DS centralizes access rights to the servers and supports delegation of administration, and Failover Clustering in particular requires the Hyper-V nodes to be members of an Active Directory domain. (Important: you can of course run your Hyper-V hosts in a workgroup (not domain joined) and still have VMs that belong to the domain, but you can't use Failover Clustering with that configuration. Windows Server 2016 added workgroup clusters, but those give up the Kerberos-based authentication a domain provides, so the recommendation stands.)
But sometimes you want to go one step further and separate the Hyper-V hosts from the rest of your environment: create a 'Utility Directory', a dedicated management domain or forest that contains only the Hyper-V hosts (and the servers that manage them). The security and identity context for the networked services in your production domain stays exactly as it was, while the security context for your Hyper-V hosts becomes an independent directory. The point is trust: whoever administers a Hyper-V host controls every VM running on it, including any domain controllers you have virtualized, so a compromised account or a careless delegation in the production domain should not be able to reach the hosts.
But when is this necessary?
It depends. It is really a question of security, policy, and the size of your network. Remember that you would need additional servers to run this domain (at least two domain controllers, plus whatever management tooling the hosts need) and possibly a trust relationship, depending on how you want to administer the hosts. This configuration ensures that end users do not live or operate in the same security context as your Hyper-V hosts.
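As an added example (not code from the original post), the following PowerShell script checks a Hyper-V host against the design described above: it reports whether the host is joined to the utility directory rather than the production domain, whether any production-domain principals sit in the host's local Administrators group (which would hand them every VM on the host), and how many VMs are at stake. The domain names `corp.example.com` / `CORP` and `fabric.example.com` are assumptions; replace them with your own.

```powershell
# Added example for this post; not code from the original author.
# Assumed names: the production domain is 'corp.example.com' (NetBIOS 'CORP')
# and the utility directory is 'fabric.example.com'. Adjust both for your site.
$ProductionDnsName = 'corp.example.com'
$ProductionNetbios = 'CORP'
$UtilityDnsName    = 'fabric.example.com'

function Get-LocalAdminMember {
    # Enumerate the local Administrators group through the ADSI WinNT provider.
    # Returns entries such as 'CORP/Domain Admins' or 'HV01/Administrator'.
    # (Get-LocalGroupMember would be simpler but only exists on Server 2016 and later.)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''
    }
}

function Test-HyperVHostIsolation {
    # Reports whether this Hyper-V host lives in the utility directory rather than
    # the production domain, and whether production-domain principals can administer it.
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $cs.PartOfDomain) {
        $findings.Add('Host is in a workgroup: its VMs may be domain members, but the host cannot join a domain-based failover cluster.')
    }
    elseif ($cs.Domain -ieq $ProductionDnsName) {
        $findings.Add("Host is joined to the production domain '$($cs.Domain)' instead of '$UtilityDnsName'.")
    }

    # Any production-domain principal in the local Administrators group effectively
    # owns every VM on this host, which defeats the purpose of the separate directory.
    foreach ($member in (Get-LocalAdminMember | Where-Object { $_ -like "$ProductionNetbios/*" })) {
        $findings.Add("Production-domain principal '$member' is a local Administrator on this host.")
    }

    # Count the VMs at stake, if the Hyper-V module is available on this host.
    $vmCount = 0
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        $vmCount = @(Get-VM).Count
    }

    $domainName = if ($cs.PartOfDomain) { $cs.Domain } else { 'WORKGROUP' }

    [pscustomobject]@{
        ComputerName           = $cs.Name
        Domain                 = $domainName
        VirtualMachines        = $vmCount
        IsolatedFromProduction = ($cs.PartOfDomain -and ($cs.Domain -ieq $UtilityDnsName) -and ($findings.Count -eq 0))
        Findings               = $findings.ToArray()
    }
}

# Run locally on each host, or push it to all hosts at once, e.g.:
#   Invoke-Command -ComputerName HV01, HV02 -FilePath .\Test-HyperVHostIsolation.ps1
Test-HyperVHostIsolation | Format-List
```

A host that passes shows `IsolatedFromProduction : True` with no findings. The local-group check matters even when the host is correctly joined to the utility directory, because a trust between the two domains makes it easy for someone to add `CORP\Domain Admins` back into the hosts' Administrators group and quietly collapse the separation.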