Wednesday, December 22, 2010

Hyper-V and separate Active Directory Domain

Most of the time, I get my inspiration from the forums, where some interesting people asks a interesting question. Today, there was a thread about Hyper-V on separate domain, and what our recommendation was.

You may think that there is a good practice to make your Hyper-V host part of an AD DS directory. Yes, it is. AD DS centralize all access rights to servers and support the delegation of administration services. Especially when it comes to Failover Cluster, the Hyper-V nodes require an Active Directory domain. (Important: You can off course run your Hyper-V hosts in a workgroup (not domain joined) and have VMs that belongs to the domain. But you can`t use Failover Clustering with this configuration).
But sometimes you want to live in an ideal world and separate the Hyper-V hosts with the rest of your domain and create a ‘Utility Directory’ which contains only the Hyper-V hosts. The security and identity context for the networked services in your production domain would remain the same as it was, but the security context for your Hyper-V hosts becomes an independent directory.

But when is this necessary?

It depends. It`s really a question about security, policy, and the size of your network. Remember that you would need additional servers as well to manage this domain. This configuration ensures that end users not lives or operates in the same security context as your Hyper-V hosts.

Any thoughts?


Anonymous said...


Thanks for the article. However, I wonder if I decide to go for clustering which I need to have hyperv on the domain, which is my production domain (not utility domain as you suggested), but some of the hyperv guest is replication of my production AD - how is that? can it be done?

Kristian Nese said...

It`s very common that you put your Hyper-V Clusters in the same AD domain as the rest of your servers and infrastructure, especially in small and medium large businesses.
If I understand your question correct, you`re planning to run virtualized domain controllers in this Hyper-V cluster as well? This it also quite common, but be sure that you have available domain controllers outside your Hyper-V cluster too. If not, you will have serious problems to start your cluster after an entire shutdown.
1. Either have available domain controllers outside the cluster (physical domain controllers)
2. Have your virtulized domain controllers located directly on your DAS on one or more hyper-v hosts (located outside the CSV or on a dedicated LUN).