Managing Hyper-V

bigbear

@Dashrender said in Managing Hyper-V:

I know Scott has argued for not putting the Hyper-V hosts into the domain at all, it's one less point of failure for the Hyper-V hosts.

But, if you do that, making connections to other domain connected file servers are challenging at least, and impossible at best - when being managed remotely due to delegation of authentication being passed from the management PC through the Hyper-V host to the domain connected resources.

We haven't actually tested this setup yet, so we don't know that it's impossible, but we do know it will be a challenge at the least.

I have been out of the hypervisor world for a minute but I never want that layer joined to a domain. However I have no experience managing larger deployments. Just seems like added stress.

JaredBusch

@bigbear said in Managing Hyper-V:

@Dashrender said in Managing Hyper-V:

I know Scott has argued for not putting the Hyper-V hosts into the domain at all, it's one less point of failure for the Hyper-V hosts.

But, if you do that, making connections to other domain connected file servers are challenging at least, and impossible at best - when being managed remotely due to delegation of authentication being passed from the management PC through the Hyper-V host to the domain connected resources.

We haven't actually tested this setup yet, so we don't know that it's impossible, but we do know it will be a challenge at the least.

I have been out of the hypervisor world for a minute but I never want that layer joined to a domain. However I have no experience managing larger deployments. Just seems like added stress.

All of my Hyper-V deployments are currently on Windows AD based networks so I always join the Hyper-V to the domain for simpler connectivity. There is no downside to it any more than any other server that is domain joined.

matteo nunziati

@FATeknollogee said in Managing Hyper-V:

@Tim_G said in Managing Hyper-V:

Turns out, WebVirtMgr was too good to be true. I couldn't get it working on Fedora 26 or Fedora 25. Hours wasted.

Tried installing WebVirtMgr too...I also gave up

I looked at Proxmox, but that's a Debian "appliance". I'm not using Debian in enterprise and don't want to. No time wasted, didn't bother.

oVirt wouldn't even install on Fedora 26 or 25. Apparently it's built for Fedora 24, I'm not going there. Even then, it doesn't seem like it would install. Time wasted trying to get it working. Packages were updated as of yesterday, so I was thinking they would work. I was wrong.

oVirt does work but you need to use the oVirt installer iso (it's based on CentOS 7.x)

What paid options for managing KVM have you found (the interesting looking ones)?

Webvirtman runs in a virtualenv. Never got issues with it. But it doenst fit me.

black3dynamite

@bigbear said in Managing Hyper-V:

@Dashrender said in Managing Hyper-V:

I know Scott has argued for not putting the Hyper-V hosts into the domain at all, it's one less point of failure for the Hyper-V hosts.

But, if you do that, making connections to other domain connected file servers are challenging at least, and impossible at best - when being managed remotely due to delegation of authentication being passed from the management PC through the Hyper-V host to the domain connected resources.

We haven't actually tested this setup yet, so we don't know that it's impossible, but we do know it will be a challenge at the least.

I have been out of the hypervisor world for a minute but I never want that layer joined to a domain. However I have no experience managing larger deployments. Just seems like added stress.

If you have an domain in placed, you minds well take advantage of having the hypervisor joined too.

Now with Hyper-V 2016 and Windows 10 it is a lot easier to setup in a workgroup compare to 2012 r2.

black3dynamite

@Tim_G My annoyance with Proxmox is the need to change the repo from enterprise to the no subscription repo.

I don't really have an issue with them using Debian because majority of time is spent on the
webui.

I do wonder why they don't use Fedora unless they are more familiar with Debian.

bigbear

@JaredBusch in the case of the domain being down can you still log in locally?

matteo nunziati

@bigbear ad credentials cached afaik

Obsolesce

@bigbear said in Managing Hyper-V:

@JaredBusch in the case of the domain being down can you still log in locally?

Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.

Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.

StorageNinja

@Tim_G said in Managing Hyper-V:

@bigbear said in Managing Hyper-V:

@JaredBusch in the case of the domain being down can you still log in locally?

Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.

Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.

Ransomware. I've seen cryto attack that encrypted all the VMs

Dashrender

@John-Nicholson said in Managing Hyper-V:

@Tim_G said in Managing Hyper-V:

@bigbear said in Managing Hyper-V:

@JaredBusch in the case of the domain being down can you still log in locally?

Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.

Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.

Ransomware. I've seen cryto attack that encrypted all the VMs

I'm not sure how much more likely this is in a domain joined situation that non domained joined. If a computer that's used by an admin of VMs gets infected, it can possibly be used as an attack vector to the rest.

Hopefully you don't have anything open you don't need, like fileshares.

If you're talking about vulnerabilities in SMB, then domain joined or not didn't matter to those.

Obsolesce

@John-Nicholson said in Managing Hyper-V:

@Tim_G said in Managing Hyper-V:

@bigbear said in Managing Hyper-V:

@JaredBusch in the case of the domain being down can you still log in locally?

Same as any Windows server. There's domain logon and local user logon. Also, as matteo said, cached credentials.

Not to mention "other" ways if you have physical access to the server, or remote with iDrac/ilo.

Ransomware. I've seen cryto attack that encrypted all the VMs

That's not an issue of being on a domain. That's an issue caused by bad IT administration.

I have hypervisors on the domain and they haven't been encrypted.

Other companies had ransomware with hypervisors on the domain, and the VMs themself haven't been encrypted... maybe files inside the VM, but that part is hypervisor agnostic.

coliver

@Tim_G While you're investigating have you taken a look at xCat? Seems like it may be something that can manage KVM.

wirestyle22

@coliver said in Managing Hyper-V:

@Tim_G While you're investigating have you taken a look at xCat? Seems like it may be something that can manage KVM.

Seems like no console access but might be convenient for provisioning VM's and maintenance

dbeato

Has anyone tested this?
http://hv-manager.org/#home

scottalanmiller

@dbeato said in Managing Hyper-V:

Has anyone tested this?
http://hv-manager.org/#home

No, is it free? Any idea how active it is? Maybe make a thread for testing it?

dbeato

@scottalanmiller YEah, it is free. I will start the testing.

scottalanmiller

@dbeato said in Managing Hyper-V:

@scottalanmiller YEah, it is free. I will start the testing.

Cool, make a thread for it. And lots of screen shots

manxam

@dbeato said in Managing Hyper-V:

@scottalanmiller YEah, it is free. I will start the testing.

In my crude testing it appears that one can start, stop, pause, reset a VM.
One cannot modify its settings, access the console, nor create/destroy.

It does provide some basic guest details such as cpu, memory, network configuration, replication status, etc.

It is a little slower than I'd like.

scottalanmiller

@manxam said in Managing Hyper-V:

@dbeato said in Managing Hyper-V:

@scottalanmiller YEah, it is free. I will start the testing.

In my crude testing it appears that one can start, stop, pause, reset a VM.
One cannot modify its settings, access the console, nor create/destroy.

It does provide some basic guest details such as cpu, memory, network configuration, replication status, etc.

It is a little slower than I'd like.

Limited, but not completely useless.

dbeato

@scottalanmiller Another thing that can be done is PowerShell Web Access
https://technet.microsoft.com/en-us/library/hh831611(v=ws.11).aspx
Found about that today