Tuesday, March 18, 2014

Domain Controller on top of Hyper-V - Firewall problem

The problem:


I have:

1. A single physical server which is a Hyper-V host running Windows Server 2012 R2.
2. A single Windows Server 2012 R2 Essentials Guest VM running on top and acting as a domain controller.

Now I have researched a lot whether I should join the host to the domain running on top of it or leave it in a separate workgroup. There is no best practice but many sources confirm that this is possible and joining the domain offers many management benefits, e.g. here see Option #4:
http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx

Now the problem is that after having joined the host to the domain sometimes everything works fine and the host manages to join the domain on startup but sometimes this seems to fail - I think that the join process times out as the DC in the Guest VM does not start up in time. In this case the firewall tells me that the host is connected to a "public network" instead of the "domain network" and I cannot connect to the server via remote desktop as this is not allowed by default. If I disable and reenable the network adapter the "domain network" is recognized fine but this has to be done manually.

The solution:

In the meantime I am pretty sure that I solved the problem:

On my host I had entered two DNS servers: The first was the IP of the Server Essentials Guest VM and the second was Google's DNS server (8.8.8.8); my idea was to have access to the internet even if my Guest VM DNS does not run.

Now I am pretty sure that this second DNS server confused the firewall configuration on startup - it could not detect the primary DNS because the Guest still has not started up, but then saw this second DNS server and fell back to "public network" instead of the desired "domain network" mode. After removing Google's DNS server from the IP v4 configuration now the host seems to start up fine and always ends up in the "domain network".

Delayed domain join?

I really like the idea to delay domain joining on start up but I have not found a way to do this. I only found how to add longer timeouts but this is not really solving all problems:

http://superuser.com/questions/328739/how-to-delay-windows-7-autologon-so-that-the-domain-will-be-available

Any hints on completely delaying domain join on startup are welcome.

Anguel

2 comments:

  1. That’s a nice blog , this blog helps you, please check this url and solve your windows 7 related problem.
    windows firewall error 1068 windows 7
    Thanks
    Aalia lyon

    ReplyDelete
  2. Nice Post, thank you very much for sharing.

    ReplyDelete