Managing Hyper-V



  • Well - as a fellow member has recently discovered, remotely managing Hyper-V can be a bit of a challenge.

    In a multi-domain setup, according to this article, Windows 8.1 [Hyper-V] can't be managed from a computer on a different domain.

    [image: zfIAY8R.png]

    I'll admit I'm making an assumption that this also includes Hyper-V 2012 R2 (or whatever the full and correct name is) or older.

    On a related note - managing a Hyper-V 2016 VM Host on another domain from your control workstation requires a few setup steps to make it function (see article link above).
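The kind of setup the post refers to, written out as an added example (this is not the linked article's procedure or anything posted in the thread): making a Hyper-V host that sits in a workgroup or another domain reachable from a Windows 10 management workstation running Hyper-V Manager and the Hyper-V PowerShell module. The host name `hv01.example.com` and the host-local admin account `hv01\hvadmin` are assumed placeholders.

```powershell
# Added example, not from the thread or the linked article.
# Assumed placeholders: Hyper-V host 'hv01.example.com', host-local admin 'hv01\hvadmin'.
# Both sides need WinRM, and the host must resolve by the exact name used below.

# ---- Run on the Hyper-V host (local console, iLO/DRAC, or the sconfig shell) ----
Enable-PSRemoting -Force                 # WinRM listener plus firewall rule
Enable-WSManCredSSP -Role Server -Force  # lets Hyper-V Manager connect "as another user"

# ---- Run on the management workstation (elevated) ----
$HvHost = 'hv01.example.com'

# Trust this one host by name. TrustedHosts switches off mutual authentication for
# the names listed, so a wildcard ('*') would let any machine answering to a spoofed
# name collect whatever credentials you send.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $HvHost -Force

# CredSSP hands the host a reusable copy of your password; that is the credential
# delegation the thread is worried about, so delegate only to the hosts you manage.
Enable-WSManCredSSP -Role Client -DelegateComputer $HvHost -Force

# Store the host-local admin credential so Hyper-V Manager and PS remoting can use it
# from a domain-joined login. '/pass' with no value prompts, keeping the password
# out of the command history.
cmdkey /add:$HvHost /user:hv01\hvadmin /pass

# ---- Checks ----
$cred = Get-Credential -UserName 'hv01\hvadmin' -Message 'Hyper-V host local admin'

# 1. WinRM reachable and the credential accepted?
Test-WSMan -ComputerName $HvHost -Authentication Negotiate -Credential $cred

# 2. Remote Hyper-V cmdlets working? (needs the local Hyper-V PowerShell module:
#    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell)
Get-VM -ComputerName $HvHost -Credential $cred | Select-Object Name, State, Uptime

# 3. Confirm the trust list stayed narrow (should print only the host name).
Get-Item -Path WSMan:\localhost\Client\TrustedHosts | Select-Object -ExpandProperty Value
```

For the Hyper-V Manager GUI itself, Microsoft's write-up of this configuration additionally requires allowing delegation of fresh credentials with NTLM-only server authentication (a local group policy setting) before "Connect as another user" works against a workgroup host. The checks at the end are worth keeping as a script: if TrustedHosts ever ends up as `*`, every host you manage from that workstation is exposed to credential capture by anyone who can answer DNS for its name.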



  • Now we come to my question.

    Is there any reason to not put all the Hyper-V Hosts into a single domain to ease management?



  • I know Scott has argued for not putting the Hyper-V hosts into the domain at all, it's one less point of failure for the Hyper-V hosts.

    But, if you do that, making connections to other domain connected file servers is challenging at least, and impossible at best - when being managed remotely due to delegation of authentication being passed from the management PC through the Hyper-V host to the domain connected resources.

    We haven't actually tested this setup yet, so we don't know that it's impossible, but we do know it will be a challenge at the least.



  • In part of my strategy to prevent CryptoLocker or a bad actor from taking out my backups if a computer/server gets infected, I'm not domain joining my hosts now. I realized that even with a share on the network that used a service account, if a hacker elevates privileges and gets domain admin, they can reset the password on the backup service account and then wipe out my backups. If the backup target is not domain joined, they can't do that. Same idea with the host.

    I'm curious as to what others are thinking. We love disk to disk backups, but it's really hard to air gap them without physical interaction.



  • @Mike-Davis said in Managing Hyper-V:

    In part of my strategy to prevent CryptoLocker or a bad actor from taking out my backups if a computer/server gets infected, I'm not domain joining my hosts now. I realized that even with a share on the network that used a service account, if a hacker elevates privileges and gets domain admin, they can reset the password on the backup service account and then wipe out my backups. If the backup target is not domain joined, they can't do that. Same idea with the host.

    I'm curious as to what others are thinking. We love disk to disk backups, but it's really hard to air gap them without physical interaction.

    How are you managing your non-domain connected hyper-v hosts?



  • I'm in the camp of not joining your hypervisors to the domain.

    If you get locked out of your hypervisors (because of domain controls) then you're SOL, along with the domain functions.



  • @wirestyle22 said in Managing Hyper-V:

    How are you managing your non-domain connected hyper-v hosts?

    5nine manager. I first had to use it to manage a Hyper-V 2016 box on a network where I didn't have any Windows 10 machines. It seems to work well.



  • @Mike-Davis said in Managing Hyper-V:

    In part of my strategy to prevent CryptoLocker or a bad actor from taking out my backups if a computer/server gets infected, I'm not domain joining my hosts now. I realized that even with a share on the network that used a service account, if a hacker elevates privileges and gets domain admin, they can reset the password on the backup service account and then wipe out my backups. If the backup target is not domain joined, they can't do that. Same idea with the host.

    I'm curious as to what others are thinking. We love disk to disk backups, but it's really hard to air gap them without physical interaction.

    OK I can see this. As long as you don't really cripple remote/any admin of the system, I suppose this is doable.

    But in the case of Hyper-V manager, your control workstation just becomes the major target in your scenario. They infect that, then they keylog your passwords for managing the Hyper-V hosts, and it's still over. If they can get as far as your AD that they are changing passwords there, then it's pretty likely they will get on your workstation as well, and do the same.

    Question - is your admin workstation part of the domain? If yes, then it definitely suffers all the issues you're trying to solve by not having the Hyper-V hosts as part of the domain.



  • @Mike-Davis said in Managing Hyper-V:

    @wirestyle22 said in Managing Hyper-V:

    How are you managing your non-domain connected hyper-v hosts?

    5nine manager. I first had to use it to manage a Hyper-V 2016 box on a network where I didn't have any Windows 10 machines. It seems to work well.

    5nine Hyper-V Manager isn't really an option for me as the only thing that is available now is the 30 day trial of the datacenter edition. The free edition no longer exists as of a week ago.



  • @DustinB3403 said in Managing Hyper-V:

    I'm in the camp of not joining your hypervisors to the domain.

    If you get locked out of your hypervisors (because of domain controls) then you're SOL, along with the domain functions.

    We all had 5Nine for free till a few days ago.



    Not something that I've looked into yet. But if you use PowerShell to manage Hyper-V, is there any way to get console access without another tool? Like can PS be used to activate an RDP session to a VM console redirect?





  • @scottalanmiller said in Managing Hyper-V:

    Not something that I've looked into yet. But if you use PowerShell to manage Hyper-V, is there any way to get console access without another tool? Like can PS be used to activate an RDP session to a VM console redirect?

    I've been able to install ScreenConnect on it and manage it that way.



    The issue with that is my lack of PowerShell knowledge.



  • @wirestyle22 said in Managing Hyper-V:

    The issue with that is my lack of PowerShell knowledge.

    Base knowledge needed to work on Windows. Just how it is.



  • @Mike-Davis said in Managing Hyper-V:

    @scottalanmiller said in Managing Hyper-V:

    Not something that I've looked into yet. But if you use PowerShell to manage Hyper-V, is there any way to get console access without another tool? Like can PS be used to activate an RDP session to a VM console redirect?

    I've been able to install ScreenConnect on it and manage it that way.

    How do you get SC onto a fresh install of Windows? You need to make the base image somewhere with a console.



  • @scottalanmiller said in Managing Hyper-V:

    @wirestyle22 said in Managing Hyper-V:

    The issue with that is my lack of PowerShell knowledge.

    Base knowledge needed to work on Windows. Just how it is.

    Directly conflicts with me wanting to turn myself into a proper Linux systems administrator.



  • @wirestyle22 said in Managing Hyper-V:

    @scottalanmiller said in Managing Hyper-V:

    @wirestyle22 said in Managing Hyper-V:

    The issue with that is my lack of PowerShell knowledge.

    Base knowledge needed to work on Windows. Just how it is.

    Directly conflicts with me wanting to turn myself into a proper Linux systems administrator.

    Not really. Good practices on Windows are good practices on Linux. They are not as different as people think.



  • @scottalanmiller said in Managing Hyper-V:

    @wirestyle22 said in Managing Hyper-V:

    @scottalanmiller said in Managing Hyper-V:

    @wirestyle22 said in Managing Hyper-V:

    The issue with that is my lack of PowerShell knowledge.

    Base knowledge needed to work on Windows. Just how it is.

    Directly conflicts with me wanting to turn myself into a proper Linux systems administrator.

    Not really. Good practices on Windows are good practices on Linux. They are not as different as people think.

    I just mean I have extremely limited time and I have been using it to read about Red Hat and the Linux Command Line. The prospect of also studying for PowerShell is off-putting 😞



    I prefer them on a domain if possible. As soon as the Hyper-V group policies hit, remote management is automatic and guaranteed (with the exception of Nano Server, for which I run a script).



  • @scottalanmiller said in Managing Hyper-V:

    @Mike-Davis said in Managing Hyper-V:

    @scottalanmiller said in Managing Hyper-V:

    Not something that I've looked into yet. But if you use PowerShell to manage Hyper-V, is there any way to get console access without another tool? Like can PS be used to activate an RDP session to a VM console redirect?

    I've been able to install ScreenConnect on it and manage it that way.

    How do you get SC onto a fresh install of Windows? You need to make the base image somewhere with a console.

    Download the .msi installer and use the command line msiexec /i to install it, the same way you install the OpenManage tools. In ScreenConnect it's like you're sitting at the console:
    [image: 0_1498230085374_sc.png]



  • @wirestyle22 said in Managing Hyper-V:

    The issue with that is my lack of PowerShell knowledge.

    How often are you creating new VMs and all that? Just google it and you're good to go. The day to day stuff is pretty much menu driven:
    [image: 0_1498230418313_host2.png]



  • @Mike-Davis said in Managing Hyper-V:

    @wirestyle22 said in Managing Hyper-V:

    The issue with that is my lack of PowerShell knowledge.

    How often are you creating new VMs and all that? Just google it and you're good to go. The day to day stuff is pretty much menu driven:
    [image: 0_1498230418313_host2.png]

    The installation of Hyper-V is easy. I have not been able to figure out how to manage a non-domain connected host from a domain connected workstation via Hyper-V Manager. If PowerShell management is the only option then I have a problem.



  • @Mike-Davis said in Managing Hyper-V:

    @scottalanmiller said in Managing Hyper-V:

    @Mike-Davis said in Managing Hyper-V:

    @scottalanmiller said in Managing Hyper-V:

    Not something that I've looked into yet. But if you use PowerShell to manage Hyper-V, is there any way to get console access without another tool? Like can PS be used to activate an RDP session to a VM console redirect?

    I've been able to install ScreenConnect on it and manage it that way.

    How do you get SC onto a fresh install of Windows? You need to make the base image somewhere with a console.

    Download the .msi installer and use the command line msiexec /i to install it, the same way you install the OpenManage tools. In ScreenConnect it's like you're sitting at the console:
    [image: 0_1498230085374_sc.png]

    What's your method for installing and configuring the base OS to get to that point?



  • I know that you can use Hyper-V on Windows 10, make a base image, and then deploy via image. Is that just what people do? Make the starting images via a different process then just use command line PS or similar to manage them once they are deployed? This is how AWS and Azure work, so it isn't crazy. But it's not ideally convenient either, and those systems lose console access which can be a pain and there isn't any reason to have to lose that with Hyper-V.
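The image-then-PowerShell workflow described in the post above, carried through as an added example that is not part of the thread: a VM is stamped out from a base disk that was prepared elsewhere, started over PowerShell remoting, and its console is opened with vmconnect.exe, the console program that ships with the Hyper-V Manager tools, so no third-party agent is needed for console access. Host name `hv01`, account `hv01\hvadmin`, the base image path and the switch name `External` are assumed placeholders; the host must already be reachable as in the TrustedHosts/CredSSP setup discussed earlier in the thread.

```powershell
# Added example, not from the thread. Assumed placeholders: host 'hv01', host-local
# admin 'hv01\hvadmin', a sysprepped base image at C:\Images\ws2016-base.vhdx on the
# host, and a virtual switch named 'External'. Run from a workstation that has the
# Hyper-V PowerShell module and the Hyper-V Manager tools installed.

$HvHost   = 'hv01'
$VmName   = 'app01'
$Cred     = Get-Credential -UserName 'hv01\hvadmin' -Message 'Hyper-V host admin'
$BasePath = 'C:\Images\ws2016-base.vhdx'        # path as the host sees it
$VmDisk   = "C:\VMs\$VmName\$VmName.vhdx"

# 1. Give the VM its own full copy of the base disk on the host. A full copy (rather
#    than a differencing disk) means the VM keeps working if the master image moves.
Invoke-Command -ComputerName $HvHost -Credential $Cred -ScriptBlock {
    param($src, $dst)
    New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
    Copy-Item -Path $src -Destination $dst
} -ArgumentList $BasePath, $VmDisk

# 2. Create the VM against that disk, size it, and start it.
New-VM -ComputerName $HvHost -Credential $Cred -Name $VmName -Generation 2 `
       -MemoryStartupBytes 4GB -VHDPath $VmDisk -SwitchName 'External' | Out-Null
Set-VM -ComputerName $HvHost -Credential $Cred -Name $VmName -ProcessorCount 2
Start-VM -ComputerName $HvHost -Credential $Cred -Name $VmName

# 3. Console access with no extra tooling: vmconnect.exe takes the host name and the
#    VM name and opens the same console window Hyper-V Manager uses.
Start-Process -FilePath "$env:windir\System32\vmconnect.exe" -ArgumentList $HvHost, $VmName

# 4. When you are logged on to the host itself (Server 2016 / Windows 10 hosts),
#    PowerShell Direct reaches the guest over the VMBus with no network path at all.
#    This line runs ON the host, not from the workstation:
#    Enter-PSSession -VMName $VmName -Credential (Get-Credential)

# Verify from the workstation that the VM exists and is running.
Get-VM -ComputerName $HvHost -Credential $Cred -Name $VmName |
    Select-Object Name, State, ProcessorCount, MemoryAssigned
```

The console step is the part the thread was missing: Hyper-V Manager and vmconnect.exe share the same connection path, so once a non-domain host is reachable from the workstation, VM consoles are too, and nothing has to be installed inside the guest to get at them.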



  • @scottalanmiller

    What's your method for installing and configuring the base OS to get to that point?

    It's a new physical host, so I'm physically in front of the server or using iLO/DRAC. Attach the Hyper-V .iso, install, and then map a drive to a share on my laptop to get ScreenConnect and/or OpenManage, etc.



  • @Mike-Davis said in Managing Hyper-V:

    @scottalanmiller

    What's your method for installing and configuring the base OS to get to that point?

    It's a new physical host, so I'm physically in front of the server or using iLO/DRAC. Attach the Hyper-V .iso, install, and then map a drive to a share on my laptop to get ScreenConnect and/or OpenManage, etc.

    How does that help, though? We want console access to the VMs, not to the Hyper-V host. What does a connection to the Hyper-V host buy us?



    Sounding more and more like Hyper-V is a disaster without these kinds of tools.



  • @DustinB3403 said in Managing Hyper-V:

    Sounding more and more like Hyper-V is a disaster without these kinds of tools.

    It seems very frustrating to me, but a lot of people use it and are happy with it, so I chalked it up to my own inexperience, which it still may be.



  • @scottalanmiller said in Managing Hyper-V:

    @Mike-Davis said in Managing Hyper-V:

    @scottalanmiller

    What's your method for installing and configuring the base OS to get to that point?

    It's a new physical host, so I'm physically in front of the server or using iLO/DRAC. Attach the Hyper-V .iso, install, and then map a drive to a share on my laptop to get ScreenConnect and/or OpenManage, etc.

    How does that help, though? We want console access to the VMs, not to the Hyper-V host. What does a connection to the Hyper-V host buy us?

    VM creation?