stevekelly4
February 28, 2024, 10:54am
1
Hi all,
I know this has probably been asked a million times but I can’t quite find the answer I’m looking for…
We have a single server running Hyper V Core 2019, this is running a Server Essentials 2016 VM.
We’re in the process of upgrading, new drives, new RAIDs, fresh install of Hyper V Core, but wanted to know the following:
Should the Hyper V Core server really be joined to the domain in this setup? If we had multi servers/DCs I can totally understand this. As one could authenticate with secondary DCs etc.
As Server Essentials is the only DC, the way I’m thinking (please correct me if I’m wrong). If the Hyper V is domain joined, unless it can see the DC (Server Essentials 2016) it won’t be able to authenticate and thus we won’t be able to log in. So, if the Essentials VM doesn’t boot for whatever reason, the Hyper V won’t be able to authenticate with the DC.
I’m thinking if the Hyper V Core is purely set in a workgroup, it won’t matter if the DC doesn’t boot or not and we’ll still be able to log in on it to manage via Windows Admin Center/Hyper V Manager. Does that make sense?
Does anyone have any best practices/tips/comments for this kind of environment?
6 Spice ups
adrian_ych
(adrian_ych)
February 28, 2024, 1:20pm
2
I think you might have misunderstood, as there are 3 different OSes and/or hypervisors you are mentioning:
Hyper-V 2019, which is the “hardened” hypervisor much like VMware ESXi, which receives or has patches only once every 3-6 months. This is no longer being offered after Hyper-V 2019
Server 2019 “core” with Hyper-V role, which is a full Server 2019 without the GUI; it still has the functionality of Server 2019 Std with updates etc. but requires only cmd lines
Server 2019 “GUI” with Hyper-V role
If I read the min hardware requirements between core vs GUI is like CPU 300MHz and 1.5GB of RAM, it makes no sense not to use the GUI with its ease of usage and troubleshooting, especially with event viewer etc.?
stevekelly4
February 28, 2024, 1:43pm
3
Hi Adrian,
Thanks for the reply. It’s Microsoft Hyper-V Server 2019. My apologies.
Reason being is costs. Microsoft Hyper-V Server 2019 is free and my boss likes “free”
kevinhsieh
(kevinmhsieh)
February 28, 2024, 1:59pm
4
Single Hyper-V host is safer in a workgroup, as an attacker that has domain credentials or Kerberos tickets couldn’t directly leverage them against the host.
Managing a host in a workgroup is a little harder to get going.
It isn’t true that you wouldn’t be able to log in to the host if the domain controller was down. You would still have local accounts available, which is exactly how you would log in to a workgroup host.
3 Spice ups
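A way to check both points from the post above on an existing host, as an added example that is not part of the original thread: it reports whether the host is domain joined, which domain principals hold management rights on it, and whether an enabled local administrator exists for logging in while the only DC is offline. It assumes an elevated Windows PowerShell session on the Hyper-V host itself; the variable names are illustrative.

```powershell
# Added example (not from the thread). Run locally on the Hyper-V host, elevated.
# Well-known SIDs are used instead of group names so the check is locale-independent.
$groups = [ordered]@{
    'Administrators'         = 'S-1-5-32-544'
    'Hyper-V Administrators' = 'S-1-5-32-578'
}

# 1. Domain joined or workgroup?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "Host is joined to domain '$($cs.Domain)'"
} else {
    "Host is in workgroup '$($cs.Workgroup)'"
}

# 2. Who holds management rights on the host, and where does each principal come from?
$members = foreach ($g in $groups.GetEnumerator()) {
    Get-LocalGroupMember -SID $g.Value -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g.Key } }, Name, ObjectClass, PrincipalSource, SID
}
$members | Format-Table Group, Name, ObjectClass, PrincipalSource -AutoSize

# Domain principals listed here are the accounts whose credentials or
# Kerberos tickets can be used against the host.
$domainPrincipals = @($members | Where-Object PrincipalSource -eq 'ActiveDirectory')

# 3. Enabled local accounts in Administrators: what still works when the DC is down.
$localAdmins = @(
    $members |
        Where-Object {
            $_.Group -eq 'Administrators' -and
            $_.PrincipalSource -eq 'Local' -and
            $_.ObjectClass -eq 'User'
        } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object Enabled
)

"Domain principals with rights on this host: $($domainPrincipals.Count)"
"Enabled local administrators (usable with the DC offline): $($localAdmins.Count)"
if ($localAdmins.Count -eq 0) {
    Write-Warning 'No enabled local administrator account found on this host.'
}
```

On a workgroup host the domain principal count is expected to be 0; on a domain-joined host, each entry is an account to review.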
kevinhsieh
(kevinmhsieh)
February 28, 2024, 2:00pm
5
I am making no distinction between Hyper-V Server and Windows with Hyper-V role, because from the authentication and security perspective around workgroup and domain joined there is no difference.
2 Spice ups
adrian_ych
(adrian_ych)
February 28, 2024, 2:49pm
6
All 3 are “free” as long as you do not have other roles and features enabled (other than hyper-v) or applications installed on the server 20xx with hyper-v role.
The only drawback is that Hyper-V Server, like ESXi, has much fewer updates and patches, unlike Server 20xx with Hyper-V role that can have monthly CU & feature updates etc. and has to reboot the host.
Being in a domain can be easier to control as you can start using domain users or assign to domain groups for VM management. But depending on your org sector, it can also mean if it gets attacked or compromised, the intruder can get access to domain data…
1 Spice up
pkrupicka
(pkrupicka)
February 28, 2024, 9:15pm
7
I never add hypervisors and backup infrastructure to the same domain as users. They are usually in the workgroup.
Yes, they are a bit harder to manage but also better protected.
1 Spice up