Hyper-V - Domain or Workgroup? - Full or Core?

wedge1988 Member Posts: 434
Hi All,

I've come to the point of setting up Server 2008 Hyper-V. I have 2 "kind of" questions for those who have done this.

Should I join the Hyper-V host to a domain? In doing this I'm sure if it got compromised it would be bad for the network (in some way).

Or should it run as a standalone workgroup? (Only downfall to this is the extra permissions that need configuring.)

Also...

Who thinks the Core version is better than the full version? Bearing in mind that the Core version is cmd only (not a problem, as I'd say with the net I don't find setting up cmd-based things hard).

The full version on a domain is my ideal situation, but who thinks the core version on a workgroup is better?

Opinions please people!
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese

Comments

  • Hyper-Me Banned Posts: 2,059
    Is this for a lab or for production?

    Hyper-V works easiest when joined to a domain, for the management purposes. If it's a full install of Server 08 then it matters less that it's on a domain, because you can manage it from that box.

    If it's a core install, you can't manage it from that box and will need a workstation that has Hyper-V Manager installed. It's tricky to get this set up in a workgroup. It's cake in a domain.

    In my home lab I have a headless box with 2008 R2 and I just RDP into it. It's on a workgroup, but I do the actual VM management on that machine through RDP from my regular desktop.
  • RobertKaucher Member Posts: 4,299
    Really, the suggestions you will get here all come down to this being a lab or production environment.

    If this is prod, you probably don't want people RDPing into the system. It will take up resources and there are security concerns around it. I don't know how many servers I have come across that end up having Flash installed or Acrobat when they just don't need them. I would suggest core for most production situations.

    Do a full if you are working in a lab environment.
  • wedge1988 Member Posts: 434
    I have really considered doing what you have done, Hyper-Me, but with the exception that I add my domain user account to the local administrators group.

    I came across this: Hyper-V Remote Management Configuration Utility. It is a script that can be used to set permissions easily with the Hyper-V server for a Domain client > Workgroup Server. Requires modifications to the COM permissions on the workgroup server and a local username and group. Simple to set up :)

    The only difference between the core and full I can come up with is that the full install requires about 300mb more memory. It's actually easier to manage (let's face it, Windows is a GUI OS) and for 300mb extra I can justify it. On the services side I'll just lock it down with SCW.

    :)

    Anybody else have anything?

    PS it's production.
  • wedge1988 Member Posts: 434
    OK, so I got the core bit up and running. Now recommendations, people!

    WORKGROUP or DOMAIN?

    I'd prefer Workgroup because of security, but what's your experience with this?
  • astorrs Member Posts: 3,139
    Server Core with only the Hyper-V role in a Domain.

    With SCVMM you can only manage Hyper-V hosts that are in a workgroup as perimeter hosts, more steps and you'll lose some functionality. You mention security as your primary concern - if you don't trust your AD environment, don't you already have bigger problems to worry about? ;)
  • wedge1988 Member Posts: 434
    "Server Core with only the Hyper-V role in a Domain"

    What do you mean by this? That the virtual machines shouldn't be joined to the domain?

    "if you don't trust your AD environment, don't you already have bigger problems to worry about."

    I do trust it, I just prefer knowing the more secure something is the less people can break it. (If you get me)

    LOL.
  • RobertKaucher Member Posts: 4,299
    wedge1988 wrote: »
    What do you mean by this? That the virtual machines shouldn't be joined to the domain?

    I do trust it, I just prefer knowing the more secure something is the less people can break it. (If you get me)

    LOL.

    He means only that role installed on the server and not a bunch of other junk.

    I don't see not joining a system to the domain as making it more secure, only harder to manage.

    Just create a group called VMManagers or something like that and only allow them the right to log on. Then you can still apply GPOs, etc, as you normally would.
  • pwjohnston Member Posts: 441
    wedge1988 wrote: »
    WORKGROUP or DOMAIN?

    I'd prefer Workgroup because of security, but what's your experience with this?

    If security is an issue then none of your servers should be accessible by your client base and you should have your servers separated by at least a VLAN or Firewall.

    The issue of Workgroup or Domain is not one of security, but manageability within the size of your network. If it's still on the same subnet and RDP is enabled you're a lost password away from being compromised. It's wrong to believe that not being on the domain is going to make you more secure. Besides, if your domain is set up correctly, end users shouldn't have permissions on your domain servers in the first place.
  • Hyper-Me Banned Posts: 2,059
    Production?

    Core, on a domain. If you have more than a handful get SCVMM.
  • wedge1988 Member Posts: 434
    OK cool. (Thanks Hyper-Me) :D