I believe they are referring to the fact that you have increased the attack surface by adding AD to the Hyper-V host. I have always tried to maintain "one server, one task", with the exception of the AD/DNS/DHCP combo on one machine. That is me and what I learned back with Win 2000. KISS works most of the time for me.

Jon

On Thu, Aug 25, 2011 at 11:38 AM, Crawford, Scott <[email protected]> wrote:

> Isn't the attack surface already there if there's a DC at all? I suppose there could be some vulnerability that's introduced by the combination of Hyper-V and AD, but that doesn't seem any more likely to me than a vulnerability being introduced by having a DC run _under_ a hypervisor. So, in that sense, I think it's a wash.
>
> I would think you'd want your DCs up and running first anyway, so in that sense, booting a host that's running AD should take less time than booting a host that's not running AD and _then_ booting a guest that is running AD.
>
> Maybe my imagination is lacking, but it seems like it would only simplify DR, especially the datacenter reboot.
>
> Yeah, good point. Care would definitely be required, especially regarding NICs.
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Thursday, August 25, 2011 9:16 AM
> To: NT System Admin Issues
> Subject: Re: [Microsoft support] Is it me...
>
> Re: #1 - Fair point.
>
> Re: #2 - It adds attack surface area, beyond just services that need to be patched.
>
> Re: #3 - Again, fair enough point, but it does take longer to start up a DC, and this has an impact on when other services get started up. It probably complicates a few DR scenarios as well. :) And you have to pay more attention to how the DC is configured, as such a system will likely be multi-homed.
>
> I do it at home today, but would caution that care be taken in going this route -- not a rejection, but not an endorsement either.
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
> On Thu, Aug 25, 2011 at 9:40 AM, Crawford, Scott <[email protected]> wrote:
>
> I'm curious why not. The more I think about it, the more it seems like a good idea.
>
> 1. It completely negates the issue of virtualizing a DC or having a separate physical DC.
>
> 2. Second, a potential problem with running services on the host is that it could starve the guests for resources, but if any service NEEDS resources, what better than AD?
>
> 3. If you have virtualized DCs, the hosts should be the most protected servers in your environment, since a compromise there can easily lead to a compromise of any guest – including a DC. So, if that host is already well protected, since it is in fact as critical as a DC, why not run AD on it?
>
> One possible reason against running extra services on the host is the possibility of needing more reboots due to patching, but it should be a fairly insignificant difference, especially if running Server Core.
>
> From: Sean Rector [mailto:[email protected]]
> Sent: Thursday, August 25, 2011 8:27 AM
> To: NT System Admin Issues
> Subject: RE: [Microsoft support] Is it me...
>
> I thought it was a no-no.
>
> Sean Rector, MCSE
>
> From: Brian Desmond [mailto:[email protected]]
> Sent: Wednesday, August 24, 2011 6:11 PM
> To: NT System Admin Issues
> Subject: RE: [Microsoft support] Is it me...
>
> Right – I'm missing what's not best practice about it.
>
> Thanks,
> Brian Desmond
> [email protected]
> c – 312.731.3132
>
> From: Sean Rector [mailto:[email protected]]
> Sent: Wednesday, August 24, 2011 1:33 PM
> To: NT System Admin Issues
> Subject: RE: [Microsoft support] Is it me...
>
> In my environment – nothing. It's working like a champ.
>
> Sean Rector, MCSE
>
> From: Brian Desmond [mailto:[email protected]]
> Sent: Wednesday, August 24, 2011 1:29 PM
> To: NT System Admin Issues
> Subject: RE: [Microsoft support] Is it me...
>
> What's wrong with that?
>
> Thanks,
> Brian Desmond
> [email protected]
> c – 312.731.3132
>
> From: Sean Rector [mailto:[email protected]]
> Sent: Wednesday, August 24, 2011 6:14 AM
> To: NT System Admin Issues
> Subject: RE: [Microsoft support] Is it me...
>
> I *know* I'm not following best practice, but my Hyper-V hosts are running Datacenter Ed. and *are* my DCs.
>
> Sean Rector, MCSE
> Information Technology Manager
> Virginia Opera Association
> E-Mail: [email protected]
> Phone: (757) 213-4548 (direct line)
>
> ------------------------------
>
> From: Michael B. Smith [mailto:[email protected]]
> Sent: Tue 8/23/2011 7:29 PM
> To: NT System Admin Issues
> Subject: RE: [Microsoft support] Is it me...
>
> If you are down, you call them and tell them you are down and that it is a "business critical" event. I don't know what the fee for that is, but you are supposed to get a callback in 30 minutes 24x7x365.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> From: David Lum [mailto:[email protected]]
> Sent: Tuesday, August 23, 2011 7:20 PM
> To: NT System Admin Issues
> Subject: [Microsoft support] Is it me...
>
> ..or is there no 24x7 pay-per-incident number for support on Microsoft Servers? I keep getting to this page (2008 R2) and choosing "Virtualization" and "Other", and I get support times of 6am-6pm.
>
> https://support.microsoft.com/oas/default.aspx?st=1&as=1&iid=1059&iguid=d535992c-b4dd-49a7-b4a8-2b14e5649525_1_1&x=10&y=17&c1=508&sd=gn&c=SMC&ln=en-us&prid=13020&gsaid=582847
>
> I had a situation the other night where I thought I was going to have to call them because I uh…have a Hyper-V host that's a domain member and it was requiring connection to a DC to start a guest VM, and the guest VM was the DC it needed to talk to!
>
> Invoking some DR steps I got back in business, but still…do you need to have some kind of support contract to have them available 24x7?
>
> David Lum
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
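The start-up dependency David Lum ran into (a domain-joined Hyper-V host that needs a DC before it will start a guest, while its only DC is one of its own guests) and Andrew Baker's point about DCs starting late are both things a host audit can flag before a cold boot exposes them. The script below is an added example and is not code from the thread or from any of its participants; it assumes the Hyper-V and ActiveDirectory PowerShell modules are installed on the host (Windows Server 2012 or later, so not the 2008 R2 hosts discussed here), that it runs as a local administrator, and that guest VM names match the guest computer names.

```powershell
# Added example, not from the thread. Audit a domain-joined Hyper-V host for
# DC start-up dependencies: (a) every DC for the domain is a guest of this host,
# so a cold boot has no DC to talk to, and (b) DC guests that will not auto-start.
# Assumptions: Hyper-V and ActiveDirectory modules present (Server 2012+),
# VM names equal guest computer names (adjust the match for other conventions).
Import-Module Hyper-V
Import-Module ActiveDirectory

$hostName = $env:COMPUTERNAME
$domain   = (Get-ADDomain).DNSRoot

# Short host names of every DC in this domain.
$dcNames = (Get-ADDomainController -Filter *).Name

# Is this host itself a DC (the configuration debated in the thread)?
$hostIsDc = $dcNames -contains $hostName

# Guests on this host whose VM name matches a DC name.
$dcGuests = Get-VM | Where-Object { $dcNames -contains $_.Name }

# DCs that are neither this host nor one of its guests, i.e. reachable at host boot.
$externalDcs = $dcNames | Where-Object {
    $_ -ne $hostName -and ($dcGuests.Name -notcontains $_)
}

"Host: $hostName   Domain: $domain   Host is a DC: $hostIsDc"
"DC guests on this host: $($dcGuests.Name -join ', ')"
"DCs outside this host:  $($externalDcs -join ', ')"

# Case (a): the chicken-and-egg reboot, every DC lives inside this host.
if (-not $hostIsDc -and $externalDcs.Count -eq 0 -and $dcGuests.Count -gt 0) {
    Write-Warning ("Every DC for {0} runs as a guest of this host; a cold boot of " +
                   "the host depends on those guests starting without any DC reachable.") -f $domain
}

# Case (b): DC guests must come up on their own after a host reboot.
foreach ($vm in $dcGuests) {
    if ($vm.AutomaticStartAction -eq 'Nothing') {
        Write-Warning "DC guest '$($vm.Name)' has AutomaticStartAction = Nothing; it will not start after a host reboot."
    }
    if ($vm.State -ne 'Running') {
        Write-Warning "DC guest '$($vm.Name)' is currently $($vm.State)."
    }
}
```

The two checks separate the two risks the thread mixes together: the first is a dependency problem (no DC outside the host to authenticate against at boot), the second is plain configuration drift (a DC guest left at AutomaticStartAction = Nothing after maintenance). Neither warning says whether AD on the host is a good idea; they only make the failure mode visible before the datacenter reboot does.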
