Managing Hyper-V
-
@bigbear said in Managing Hyper-V:
@JaredBusch in the case of the domain being down can you still log in locally?
Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.
Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.
-
@Tim_G said in Managing Hyper-V:
@bigbear said in Managing Hyper-V:
@JaredBusch in the case of the domain being down can you still log in locally?
Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.
Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.
Ransomware. I've seen cryto attack that encrypted all the VMs
-
@John-Nicholson said in Managing Hyper-V:
@Tim_G said in Managing Hyper-V:
@bigbear said in Managing Hyper-V:
@JaredBusch in the case of the domain being down can you still log in locally?
Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.
Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.
Ransomware. I've seen cryto attack that encrypted all the VMs
I'm not sure how much more likely this is in a domain joined situation that non domained joined. If a computer that's used by an admin of VMs gets infected, it can possibly be used as an attack vector to the rest.
Hopefully you don't have anything open you don't need, like fileshares.
If you're talking about vulnerabilities in SMB, then domain joined or not didn't matter to those.
-
@John-Nicholson said in Managing Hyper-V:
@Tim_G said in Managing Hyper-V:
@bigbear said in Managing Hyper-V:
@JaredBusch in the case of the domain being down can you still log in locally?
Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.
Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.
Ransomware. I've seen cryto attack that encrypted all the VMs
That's not an issue of being on a domain. That's an issue caused by bad IT administration.
I have hypervisors on the domain and they haven't been encrypted.
Other companies had ransomware with hypervisors on the domain, and the VMs themself haven't been encrypted... maybe files inside the VM, but that part is hypervisor agnostic.
-
@Tim_G While you're investigating have you taken a look at xCat? Seems like it may be something that can manage KVM.
-
@coliver said in Managing Hyper-V:
@Tim_G While you're investigating have you taken a look at xCat? Seems like it may be something that can manage KVM.
Seems like no console access but might be convenient for provisioning VM's and maintenance
-
Has anyone tested this?
http://hv-manager.org/#home -
@dbeato said in Managing Hyper-V:
Has anyone tested this?
http://hv-manager.org/#homeNo, is it free? Any idea how active it is? Maybe make a thread for testing it?
-
@scottalanmiller YEah, it is free. I will start the testing.
-
@dbeato said in Managing Hyper-V:
@scottalanmiller YEah, it is free. I will start the testing.
Cool, make a thread for it. And lots of screen shots
-
@dbeato said in Managing Hyper-V:
@scottalanmiller YEah, it is free. I will start the testing.
In my crude testing it appears that one can start, stop, pause, reset a VM.
One cannot modify its settings, access the console, nor create/destroy.It does provide some basic guest details such as cpu, memory, network configuration, replication status, etc.
It is a little slower than I'd like.
-
@manxam said in Managing Hyper-V:
@dbeato said in Managing Hyper-V:
@scottalanmiller YEah, it is free. I will start the testing.
In my crude testing it appears that one can start, stop, pause, reset a VM.
One cannot modify its settings, access the console, nor create/destroy.It does provide some basic guest details such as cpu, memory, network configuration, replication status, etc.
It is a little slower than I'd like.
Limited, but not completely useless.
-
@scottalanmiller Another thing that can be done is PowerShell Web Access
https://technet.microsoft.com/en-us/library/hh831611(v=ws.11).aspx
Found about that today -
Late to the party....but just my two cents...haven't found a situation in which I'd want to join my hosts to a domain. The only consideration I could see here is if you're configuring failover clustering, but I'm fairly certain that applies to pre-2016. Generally when we're talking about Hyper-V Hosts and management pc's I have a dedicated workstation/laptop that's off domain and then create a mirrored Administrator account on the Hyper-V Hosts that's also off domain.
-
@r3dpand4 said in Managing Hyper-V:
Late to the party....but just my two cents...haven't found a situation in which I'd want to join my hosts to a domain. The only consideration I could see here is if you're configuring failover clustering, but I'm fairly certain that applies to pre-2016. Generally when we're talking about Hyper-V Hosts and management pc's I have a dedicated workstation/laptop that's off domain and then create a mirrored Administrator account on the Hyper-V Hosts that's also off domain.
Why go through all this work if you have a domain already? Just join it and be done.
It certainly does not have to be, but if you have a domain already it also certainly does not hurt.
-
@jaredbusch Because I have never needed the very thing supporting my infrastructure to be dependent on one of the vms inside of it. Also I'm not sure why you're saying this like it's a lot of work, it's literally no more or less work than creating a user account for management in AD and joining members to a domain. I wasn't arguing that it would hurt anything, it's just personal preference in all honesty, wasn't trying to be confrontational I just like having my management separated from the rest of the environment. I can imagine the headache that would come from a Host dropping Trust.
-
@r3dpand4 said in Managing Hyper-V:
@jaredbusch Because I have never needed the very thing supporting my infrastructure to be dependent on one of the vms inside of it. Also I'm not sure why you're saying this like it's a lot of work, it's literally no more or less work than creating a user account for management in AD and joining members to a domain. I wasn't arguing that it would hurt anything, it's just personal preference in all honesty, wasn't trying to be confrontational I just like having my management separated from the rest of the environment. I can imagine the headache that would come from a Host dropping Trust.
I thought this whole thread was about how much of a PITA non domain joined Hyper-V and control stations where to use? That would be the reason to join everything to a domain.
Have you some way that makes passing authentication from your non domain joined PC to the non domain joined Hyper-V work easily? Though many would probably argue that you having to maintain yet another PC that is soley for this use, it's pretty expensive.
-
@dashrender Again I am late to the party so I haven't read all 270+ posts, but just from my own experience it's nowhere near as difficult as people make it out to be. As long as you're launching Hyper-V manager on the management PC with a mirrored Administrator credential from the Host then you're good to go. I generally have one mirrored Administrator account for my hosts, if you have multiple domains across different Hosts then you're able to manage them still from one PC and one account. Maintaining a PC is neither expensive nor difficult, Win10 comes with almost all of the Management Tools you would ever need.
-
The following might read as an attack, or that I'm angry - I am neither, and instead am simply trying to understand how you're controlling your environment.
@r3dpand4 said in Managing Hyper-V:
@dashrender Again I am late to the party so I haven't read all 270+ posts, but just from my own experience it's nowhere near as difficult as people make it out to be. As long as you're launching Hyper-V manager on the management PC with a mirrored Administrator credential from the Host then you're good to go.
Sure, so this means logging out of the domain and logging into the PC as a local user with the same username/password as you have setup on the Hyper-V host - what a PITA.
I generally have one mirrored Administrator account for my hosts,
OK sure, see above
if you have multiple domains across different Hosts then you're able to manage them still from one PC and one account.
Why do you have multiple domains, and how would you manage them all from a single PC if the domains aren't trusted, etc?
Maintaining a PC is neither expensive nor difficult, Win10 comes with almost all of the Management Tools you would ever need.
Of course, managing a single machine for an admin shouldn't be hard. But I'm clearly not understanding how you are accomplishing this in any type of easy manner.
For example, I have a Windows 10 Pro machine joined to my domain, it manages my Domain easily through the use RSAT and the right click run as admin ability I use for those tools.
But I can't easily manage a non domain joined Hyper-V host because my PC user account is a domain account, and Hyper-V isn't on the domain. I suppose I could build an account on the Hyper-V host that has the same creds as my user account on my PC, but damn, each time I change my password on my domain account (granted not frequent) I'd have to change it on the Hyper-V host.
Plus, if my PC is compromised, the now compromised PC has unfettered access to the Hyper-V host - that's not good.
-
@r3dpand4 said in Managing Hyper-V:
@jaredbusch Because I have never needed the very thing supporting my infrastructure to be dependent on one of the vms inside of it.
Joining it to the domain does not mean that a local login no longer exists. Why would you think that it requires the guest VM with AD to be running? First your credentials are cached, so you will likely be able to log in anyway. Second, if they are not, you only have to log in with the local account and do whatever you need to reboot the AD VM to regain AD auth.
