But, we're talking about owning a DC. If you own my DC, I'm not too concerned with what else you already own, since you can choose to own any of them at any time. Assuming, of course, that all the guests are part of the same forest.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, August 25, 2011 11:03 AM
To: NT System Admin Issues
Subject: Re: [Microsoft support] Is it me...

No... If there is an exploit in one of the services which allows me to more easily own the box, then having that service running on the host rather than the VM makes for a bigger exploit, since access to all hosts would be granted, not just a vulnerable VM.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Thu, Aug 25, 2011 at 11:38 AM, Crawford, Scott <crawfo...@evangel.edu> wrote:

Isn't the attack surface already there if there's a DC at all? I suppose there could be some vulnerability that's introduced by the combination of Hyper-V and AD, but that doesn't seem any more likely to me than a vulnerability being introduced by having a DC run _under_ a hypervisor. So, in that sense, I think it's a wash.

I would think you'd want your DCs up and running first anyway, so in that sense, booting a host that's running AD should take less time than booting a host that's not running AD and _then_ booting a guest that is running AD. Maybe my imagination is lacking, but it seems like it would only simplify DR, especially the datacenter reboot.

Yeah, good point. Care would definitely be required, especially regarding NICs.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, August 25, 2011 9:16 AM
To: NT System Admin Issues
Subject: Re: [Microsoft support] Is it me...

Re: #1 - Fair point.
Re: #2 - It adds attack surface area, beyond just services that need to be patched.
Re: #3 - Again, fair enough point, but it does take longer to start up a DC, and this has an impact on when other services get started up. It probably complicates a few DR scenarios as well. :) And you have to pay more attention to how the DC is configured, as such a system will likely be multi-homed.

I do it at home today, but would caution that care be taken in going this route -- not a rejection, but not an endorsement either.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Thu, Aug 25, 2011 at 9:40 AM, Crawford, Scott <crawfo...@evangel.edu> wrote:

I'm curious why not. The more I think about it, the more it seems like a good idea.

1. It completely negates the issue of virtualizing a DC or having a separate physical DC.
2. Second, a potential problem with running services on the host is that it could starve the guests for resources, but if any service NEEDS resources, what better than AD?
3. If you have virtualized DCs, the hosts should be the most protected servers in your environment, since a compromise there can easily lead to a compromise of any guest - including a DC. So, if that host is already well protected, since it is in fact as critical as a DC, why not run AD on it?

One possible reason against running extra services on the host is the possibility of needing more reboots due to patching, but it should be a fairly insignificant difference, especially if running Server Core.

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Thursday, August 25, 2011 8:27 AM
To: NT System Admin Issues
Subject: RE: [Microsoft support] Is it me...

I thought it was a no-no.

Sean Rector, MCSE

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Wednesday, August 24, 2011 6:11 PM
To: NT System Admin Issues
Subject: RE: [Microsoft support] Is it me...

Right - I'm missing what's not best practice about it.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Wednesday, August 24, 2011 1:33 PM
To: NT System Admin Issues
Subject: RE: [Microsoft support] Is it me...

In my environment - nothing. It's working like a champ.

Sean Rector, MCSE

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Wednesday, August 24, 2011 1:29 PM
To: NT System Admin Issues
Subject: RE: [Microsoft support] Is it me...

What's wrong with that?

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Wednesday, August 24, 2011 6:14 AM
To: NT System Admin Issues
Subject: RE: [Microsoft support] Is it me...

I know I'm not following best practice, but my Hyper-V hosts are running Datacenter Ed. and are my DCs.

Sean Rector, MCSE
Information Technology Manager
Virginia Opera Association
E-Mail: sean.rec...@vaopera.org
Phone: (757) 213-4548 (direct line)

________________________________

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tue 8/23/2011 7:29 PM
To: NT System Admin Issues
Subject: RE: [Microsoft support] Is it me...

If you are down, you call them and tell them you are down and that it is a "business critical" event. I don't know what the fee for that is, but you are supposed to get a callback in 30 minutes 24x7x365.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, August 23, 2011 7:20 PM
To: NT System Admin Issues
Subject: [Microsoft support] Is it me...

...or is there no 24x7 pay-per-incident number for support on Microsoft Servers? I keep getting to this page (2008 R2), and choosing "Virtualization" and "Other" I get support times of 6am-6pm.

https://support.microsoft.com/oas/default.aspx?st=1&as=1&iid=1059&iguid=d535992c-b4dd-49a7-b4a8-2b14e5649525_1_1&x=10&y=17&c1=508&sd=gn&c=SMC&ln=en-us&prid=13020&gsaid=582847

I had a situation the other night where I thought I was going to have to call them because I, uh... have a Hyper-V host that's a domain member and it was requiring connection to a DC to start a guest VM, and the guest VM was the DC it needed to talk to! Invoking some DR steps I got back in business, but still... do you need to have some kind of support contract to have them available 24x7?

David Lum
Systems Engineer // NWEA
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
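The circular dependency David Lum ran into above (a domain-joined Hyper-V host whose only reachable DC is one of its own guests) is cheaper to find before a datacenter reboot than after one. The PowerShell script below is an added example and is not from anyone on this thread. Run on a Hyper-V host, it resolves the domain's DC SRV records from DNS, compares them against the names of the VMs on the host, and warns when every DC for the host's domain lives on this host; for those DC guests it reports whether they are set to auto-start with no delay and, with the `-Fix` switch (a name chosen for this example), sets them that way. It assumes the Hyper-V PowerShell module is installed, that DC short hostnames match the VM names on the host, and that DNS answers at the time you run it. It does not diagnose why the host needed a DC to start a VM; it only surfaces the dependency.

```powershell
#Requires -Modules Hyper-V
<#
  Added example (not from the thread): detect the "my only DC is my own guest"
  dependency on a domain-joined Hyper-V host and optionally make the DC guests
  start first. Run elevated on the host.
  Assumptions: DC short hostnames equal VM names on this host; DNS works now.
#>
[CmdletBinding()]
param(
    [switch]$Fix   # hypothetical switch name chosen for this example
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Host "Host is not domain-joined; no DC dependency to check."
    return
}
$domain = $cs.Domain

# Every DC registers an _ldap._tcp.dc._msdcs.<domain> SRV record; the
# additional A records in the answer are filtered out by QueryType.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$dcHosts = $dcRecords |
    Where-Object { $_.QueryType -eq 'SRV' } |
    ForEach-Object { ($_.NameTarget -split '\.')[0].ToLowerInvariant() } |
    Sort-Object -Unique

$vms     = Get-VM
$vmNames = @($vms | ForEach-Object { $_.Name.ToLowerInvariant() })

$dcGuests    = @($dcHosts | Where-Object { $vmNames -contains $_ })
$dcElsewhere = @($dcHosts | Where-Object { $vmNames -notcontains $_ })

Write-Host "Domain               : $domain"
Write-Host "DCs (from DNS)       : $($dcHosts -join ', ')"
Write-Host "DCs hosted here      : $($dcGuests -join ', ')"
Write-Host "DCs hosted elsewhere : $($dcElsewhere -join ', ')"

if (@($dcHosts).Count -gt 0 -and $dcElsewhere.Count -eq 0) {
    Write-Warning "Every DC for $domain is a guest on this host. After a cold boot this host has no DC to talk to until one of its own guests is up."
}

# A DC guest should come up first: AutomaticStartAction=Start with no delay.
foreach ($name in $dcGuests) {
    $vm = $vms | Where-Object { $_.Name.ToLowerInvariant() -eq $name }
    $ok = ($vm.AutomaticStartAction -eq 'Start') -and ($vm.AutomaticStartDelay -eq 0)
    $status = if ($ok) { 'OK' } else { '<- should start first' }
    Write-Host ("  {0}: AutomaticStartAction={1} Delay={2}s {3}" -f `
        $vm.Name, $vm.AutomaticStartAction, $vm.AutomaticStartDelay, $status)
    if ($Fix -and -not $ok) {
        Set-VM -VM $vm -AutomaticStartAction Start -AutomaticStartDelay 0
        Write-Host "    fixed"
    }
}
```

Save it as, say, `Check-DcDependency.ps1` (any name works), run it once to see the report, then `.\Check-DcDependency.ps1 -Fix` to set the DC guests to start first. Auto-start only helps for a clean reboot; it does nothing for the case where the host itself refuses to start a VM without a DC, which is the reason the thread is weighing a physical DC, a DC on the host, or a documented DR procedure.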