Hyper-V servers: Workgroup or Domain?

A common misconception when implementing server virtualization is that the hypervisors should be isolated from directory services. The reason is that we have accepted the fact that VMware ESX hosts do not run Windows and therefore cannot be part of, let’s say, Active Directory. Even this is not entirely true: VMware is quite capable of authenticating users against Active Directory, see this article

Back to my specialism, Hyper-V… As a general statement it is safe to say that Hyper-V hosts should be members of the Active Directory. Why? Well, why did we have Active Directory in the first place? It was to increase business efficiency and IT operations throughout the enterprise. Since Hyper-V servers benefit from GPOs, secure single sign-on and security policies, it is logical to make them domain members.

There are however a few side notes:

  • At least one domain controller should be a physical host, or at least one domain controller should not be part of your Hyper-V infrastructure
  • If Hyper-V is implemented within the DMZ, domain membership is not desired

By implementing only virtual, Hyper-V based domain controllers we would actually create a mutual dependency, or as we say in Holland, ‘a chicken-and-egg situation’, which is not a good idea: the hosts would need a domain controller that only exists on those same hosts. So at least one domain controller needs to be isolated from your Hyper-V environment.
But… doesn’t that result in decreased efficiency within the environment? Well, one must keep in mind that virtualizing your server infrastructure isn’t the ultimate goal; reducing costs and gaining flexibility is. The business case for implementing server virtualization should be based on the servers hosting your business applications, not on the infrastructure servers. By virtualizing infrastructure related servers you reduce the operational costs of the IT department, but it will not enhance your business processes. Virtualization of the mission critical servers, on the contrary, will instantly open a window of opportunity concerning matters such as flexibility, high availability and business continuity.
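An added check for the two side notes above (example script, not from the original post): it confirms the local Hyper-V host is domain-joined and reports which domain controllers are themselves Hyper-V guests, so you can see whether at least one lives outside the Hyper-V infrastructure. It assumes the RSAT ActiveDirectory module is installed and that the caller can query each DC over CIM/WinRM.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and CIM/WinRM access to every domain controller.
Import-Module ActiveDirectory

# Side note 2 reversed: outside the DMZ the Hyper-V host should be a domain member.
$local = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $local.PartOfDomain) {
    Write-Warning "$($local.Name) is a workgroup member; expected a domain-joined Hyper-V host."
}

# A Hyper-V guest reports Manufacturer 'Microsoft Corporation' and Model 'Virtual Machine'.
function Test-IsHyperVGuest {
    param([string]$ComputerName)
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
        return ($cs.Manufacturer -eq 'Microsoft Corporation' -and $cs.Model -eq 'Virtual Machine')
    } catch {
        Write-Warning "Could not query $ComputerName ($_); result unknown."
        return $null   # unreachable DCs are neither counted as inside nor outside
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        IsHyperVGuest    = Test-IsHyperVGuest -ComputerName $dc.HostName
    }
}
$report | Format-Table -AutoSize

# Side note 1: at least one DC must not be part of the Hyper-V infrastructure.
$outside = @($report | Where-Object { $_.IsHyperVGuest -eq $false })
if ($outside.Count -eq 0) {
    Write-Warning "Every reachable domain controller is a Hyper-V guest: the hosts depend on the VMs they run (chicken-and-egg)."
} else {
    Write-Output "OK: $($outside.Count) domain controller(s) run outside Hyper-V: $($outside.DomainController -join ', ')"
}
```

A DC hosted on a different hypervisor also shows up as "outside Hyper-V", which matches the post's wording but may still deserve a second look in your own design.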

What to do with servers within the DMZ?

A couple of years ago the DMZ consisted of very few servers. With the increasing adoption of telecommuting and online services, the DMZ started to grow to levels that match or even exceed the corporate server estate, leaving the choice of keeping those servers workgroup based or actually withdrawing them from the DMZ so that they can be added to the Active Directory.

As for DMZ based servers, I strongly encourage customers to implement Active Directory Lightweight Directory Services (AD LDS, formerly ADAM). AD LDS makes it possible to centrally manage your DMZ whilst maintaining a secure environment, a typical compromise between security and functionality.