No...

If there is an exploit in one of the services which allows me to more easily
own the box, then having that service running on the host rather than the
VM makes for a bigger exploit, since access to all hosts would be granted,
not just a vulnerable VM.


*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*


On Thu, Aug 25, 2011 at 11:38 AM, Crawford, Scott <[email protected]> wrote:

> Isn’t the attack surface already there if there’s a DC at all? I suppose
> there could be some vulnerability that’s introduced by the combination of
> Hyper-V and AD, but that doesn’t seem any more likely to me than a
> vulnerability being introduced by having a DC run _*under*_ a hypervisor.
> So, in that sense, I think it’s a wash.
>
> I would think you’d want your DCs up and running first anyway so in that
> sense, booting a host that’s running AD should take less time than booting a
> host that’s not running AD and _*then*_ booting a guest that is running
> AD.
>
> Maybe my imagination is lacking, but it seems like it would only simplify
> DR, especially the datacenter reboot.
>
> Yeah, good point. Care would definitely be required, especially regarding
> NICs.
>
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Sent:* Thursday, August 25, 2011 9:16 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: [Microsoft support] Is it me...
>
>
> Re: #1 - Fair point.
>
> Re: #2 - It adds attack surface area, beyond just services that need to be
> patched.
>
> Re: #3 - Again, fair enough point, but it does take longer to start up a
> DC, and this has an impact on when other services get started up. It
> probably complicates a few DR scenarios as well. :) And you have to pay
> more attention to how the DC is configured, as such a system will likely be
> multi-homed.
>
> I do it at home today, but would caution that care be taken in going this
> route -- not a rejection, but not an endorsement either.
>
> *ASB*
>
> *http://XeeMe.com/AndrewBaker*
>
> *Harnessing the Advantages of Technology for the SMB market…*
>
>
> On Thu, Aug 25, 2011 at 9:40 AM, Crawford, Scott <[email protected]>
> wrote:
>
> I’m curious why not. The more I think about it, the more it seems like a
> good idea.
>
> 1. It completely negates the issue of virtualizing a DC or having a
> separate physical DC
>
> 2. Second, a potential problem with running services on the host is
> that it could starve the guests for resources, but if any service NEEDS
> resources, what better than AD?
>
> 3. If you have virtualized DCs, the hosts should be the most
> protected servers in your environment since a compromise there can easily
> lead to a compromise of any guest – including a DC. So, if that host is
> already well protected, since it is in fact as critical as a DC, why not run
> AD on it?
>
> One possible reason against running extra services on the host is the
> possibility for needing more reboots due to patching, but it should be a
> fairly insignificant difference, especially if running Server Core.
>
>
> *From:* Sean Rector [mailto:[email protected]]
> *Sent:* Thursday, August 25, 2011 8:27 AM
> *To:* NT System Admin Issues
> *Subject:* RE: [Microsoft support] Is it me...
>
> I thought it was a no-no.
>
> Sean Rector, MCSE
>
>
> *From:* Brian Desmond [mailto:[email protected]]
> *Sent:* Wednesday, August 24, 2011 6:11 PM
> *To:* NT System Admin Issues
> *Subject:* RE: [Microsoft support] Is it me...
>
> *Right – I’m missing what’s not best practice about it.*
>
> *Thanks,*
>
> *Brian Desmond*
>
> *[email protected]* <[email protected]>
>
> *c – 312.731.3132*
>
>
> *From:* Sean Rector [mailto:[email protected]]
> *Sent:* Wednesday, August 24, 2011 1:33 PM
> *To:* NT System Admin Issues
> *Subject:* RE: [Microsoft support] Is it me...
>
> In my environment – nothing. It’s working like a champ.
>
> Sean Rector, MCSE
>
>
> *From:* Brian Desmond [mailto:[email protected]]
> *Sent:* Wednesday, August 24, 2011 1:29 PM
> *To:* NT System Admin Issues
> *Subject:* RE: [Microsoft support] Is it me...
>
> *What’s wrong with that?*
>
> *Thanks,*
>
> *Brian Desmond*
>
> *[email protected]* <[email protected]>
>
> *c – 312.731.3132*
>
>
> *From:* Sean Rector [mailto:[email protected]]
> *Sent:* Wednesday, August 24, 2011 6:14 AM
> *To:* NT System Admin Issues
> *Subject:* RE: [Microsoft support] Is it me...
>
> I *know* I'm not following best practice, but my Hyper-V hosts are running
> Datacenter Ed. and *are* my DCs.
>
> Sean Rector, MCSE
>
> Information Technology Manager
>
> Virginia Opera Association
>
> E-Mail: [email protected]
>
> Phone: (757) 213-4548 (direct line)
>
>  ------------------------------
>
> *From:* Michael B. Smith [mailto:[email protected]]
> *Sent:* Tue 8/23/2011 7:29 PM
> *To:* NT System Admin Issues
> *Subject:* RE: [Microsoft support] Is it me...
>
> If you are down, you call them and tell them you are down and that it is a
> “business critical” event. I don’t know what the fee for that is, but you
> are supposed to get a callback in 30 minutes 24x7x365.
>
> Regards,
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
> *From:* David Lum [mailto:[email protected]]
> *Sent:* Tuesday, August 23, 2011 7:20 PM
> *To:* NT System Admin Issues
> *Subject:* [Microsoft support] Is it me...
>
> ...or is there no 24x7 pay per incident number for support on Microsoft
> Servers? I keep getting to this page (2008 R2) and choosing “Virtualization”
> and “Other” I get support times of 6a-6pm.
>
> https://support.microsoft.com/oas/default.aspx?st=1&as=1&iid=1059&iguid=d535992c-b4dd-49a7-b4a8-2b14e5649525_1_1&x=10&y=17&c1=508&sd=gn&c=SMC&ln=en-us&prid=13020&gsaid=582847
>
> I had a situation the other night where I thought I was going to have to
> call them because I uh…have a Hyper-V host that’s a domain member and it was
> requiring connection to a DC to start a guest VM, and the guest VM was the
> DC it needed to talk to!
>
> Invoking some DR steps I got back in business, but still…do you need to
> have some kind of support contract to have them available 24x7?
>
> *David Lum*
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
