4 Reasons Your Hyper-V Host Should Only Run the Hyper-V Role

As IT Pros we’re often told to “Be flexible” and to “Do more with less”. Nothing is more true than when we’re talking about hardware, software licensing and the placement of network-critical services.

While I agree with the above phrases, and Hyper-V allows us to do both with relative ease, there are still some guidelines that need to be followed to keep us from shooting ourselves in the proverbial foot.

Picture the following situation:

You’re an IT administrator for the XYZ corp. The company has a stand alone Hyper-V host with two VMs, One a DC, and the the other an Exchange Server. Bob from accounting shows up and asks that their new application be installed and served up to the network. Your junior admin, being the nice guy he is, decides to take the task upon himself and installs said application on the Hyper-V host, as it has the most resources available of all the company’s servers. Makes sense right?  Sadly your junior admin doesn’t know what he just got himself into.

A couple weeks go by. The web app functions properly for the most part, but one day the memory leak you didn’t know the application had causes the host to run short on memory. Fixing said memory leak may, or may not require a reboot of the host, which would then require a reboot of the VMs running on top of it as well and once the issue is resolved you contact the vendor for support to find out what the heck happened.

Mr. Vendor goes on to explain that “Yeah…  that’s a known issue in that version of the code and to prevent the issue from occurring again you’ll need to install patch blah blah….”

You download the patch and install it to prevent an angry mob from forming outside your office and lo and behold it requires a reboot for the changes to take affect. Now you have to reboot your host AND the associated VMs a second time and either schedule downtime, or disrupt production work if the patch is urgently needed.

It’s not a good situation to be in and could have been entirely preventable. Your Junior admin has effectively eliminated the flexibility benefits of Hyper-V.

The above is just a simple example of what can happen when you don’t let your host be just a host. In addition, there are other concerns as well besides patching and stability. You need to be able to insure the security of the host system, and be able to maintain full resource control as well.

Let’s look at each item in turn

1. Ease of Patching

As Hyper-V is designed to serve up scalable and dynamic workloads, uptime is of paramount importance. Therefore, the less time we spend applying patches, the more time we have for running our production workload and keeping end-users happy. Installing extra software on the host that “should” get installed elsewhere adds to the amount of stuff that needs to be patched and maintained on the host.

Not only does this concept apply to 3rd party software, but it also applies to Windows Server roles and features as well. Microsoft has come to understand this reality and has created Windows Server Core to assist in situations such as this.

For those that don’t know, Windows Server Core is a stripped-down-GUI version of the server OS that contains a minimal toolset and only the core files and services needed to serve up primary production workloads such as AD, DNS, Hyper-V…etc…etc.

As you can see below, the main Windows UI is not present and is instead replaced by a command prompt window and a couple tools, such as Notepad, Powershell and Task Manager. If you’re interested in more information on Server Core, I’ve got a couple posts on my personal blog regarding this topic.

Server Core UI

The default view after login to a server core box.

By removing most parts of the UI, Microsoft has essentially stripped all the bloat out of the OS. Running the host OS in this mode and keeping un-needed 3rd party software and Windows Server roles/features off the host means less time required for you to apply patches and more time serving up the company’s production workload.

2. Stability

Stability is always important, and if things are un-expectantly going offline/running slow, your liable to have a mutiny on your hands. Hyper-V is inherently quite stable, but the more software we add, the more things there are present in the system to potentially cause stability issues.

In short, only install what you absolutely NEED on your Hyper-V hosts and put the rest elsewhere.

3. Security

It has become an everyday reality that IT pros need to be thinking about security in all facets of our jobs. This is doubly true for Hyper-V hosts for one quite obvious reason.

If your Hyper-V host is compromised, all VMs running on said host are potentially compromised as well.

With that said, great care should be given to insure that these critical systems are secure. This can be best achieved by running the hosts in Server Core mode with only the roles needed to do the job.  When a server is running in core mode, most of the items that are typically vulnerable to attack are no longer present in the system, such as IE, Java….etc…etc.

Another area of concern is Anti-Virus. There is some debate in the community as to whether you should run AV on Hyper-V hosts or not. That decision will depend mostly on your workload and whether you have any industry regulations to adhere to.

If you find yourself needing to run AV on your hosts, please take note of the necessary AV exceptions listed here. The article applies to Hyper-V 2008/2008 R2, but it serves as a good baseline for 2012 Hyper-V.

If you’re interested in more regarding security and Hyper-V, check out Eric Siron’s recent post here.

4. Resource Control

In the XYZ Corp. example above, the application needed by accounting experienced memory issues which, in turn, affected all running VMs due to the application being installed in the host partition.

Had this application been installed inside a guest VM, only that VM would have been affected. This is one of the advantages of the proper use of virtualization.

In addition, what happens when the application requires more memory? Yes, most Hyper-V hosts will have quite a bit of memory, but what if it didn’t have enough? You’d have to down the host (again) to install new physical memory. Something that would be easily achievable with no downtime if the application had been running in a VM with Dynamic Memory enabled. This is true for CPU, storage and networking as well.

Not being bound to changes or needs at the hardware level allows Hyper-V to easily scale based on the needs of the business and helps us to not get stuck into one configuration or another.

Summary

Keep these things in mind when setting up your hosts. If you’re already in a situation where some of the above suggestions are not being followed, take the time and effort to make these best practice changes. Your life will be made simpler as a result.

As a wise man once said  “An ounce of prevention is worth a pound of cure”

Thanks for reading all!

 

Altaro Hyper-V Backup
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

14 thoughts on "4 Reasons Your Hyper-V Host Should Only Run the Hyper-V Role"

  • Randy Hudson says:

    I couldn’t agree more, which leads to one question. Why was Altero Backup for Hyper-V designed so that it must be installed on the Hyper-V Host? Could it not have been installed elsewhere?

  • Aaron Studer says:

    Even better yet, I suggest running the using the stand-alone product Hyper-V Server 2012 R2.

    Hyper-V Server is a dedicated stand-alone product that contains the hypervisor, Windows Server driver model, virtualization capabilities, and supporting components such as failover clustering, but does not contain the robust set of features and roles as the Windows Server operating system. As a result, Hyper-V Server produces a small footprint and requires minimal overhead. Organizations consolidating servers where no new Windows Server licenses are required or where the servers being consolidated are running an alternative OS may want to consider Hyper-V Server.

  • Aaron Studer says:

    Even better yet, I suggest running the using the stand-alone product Hyper-V Server 2012 R2.

    Hyper-V Server is a dedicated stand-alone product that contains the hypervisor, Windows Server driver model, virtualization capabilities, and supporting components such as failover clustering, but does not contain the robust set of features and roles as the Windows Server operating system. As a result, Hyper-V Server produces a small footprint and requires minimal overhead. Organizations consolidating servers where no new Windows Server licenses are required or where the servers being consolidated are running an alternative OS may want to consider Hyper-V Server.

    • Andrew Syrewicze says:

      Indeed! Thank you for the link Aaron!

      Hyper-V Server is a great alternative, and functionally it has the same feature set as Windows Server 2012 (R2) Standard/Datacenter running in core mode!

      The main difference being, you get no licensing rights with it. So if you’re going to run Hyper-V server, you need to have existing licensing already, or you’re not running an OS that requires licensing, such as a Linux Distro.

    • Andrew Syrewicze says:

      Indeed! Thank you for the link Aaron!

      Hyper-V Server is a great alternative, and functionally it has the same feature set as Windows Server 2012 (R2) Standard/Datacenter running in core mode!

      The main difference being, you get no licensing rights with it. So if you’re going to run Hyper-V server, you need to have existing licensing already, or you’re not running an OS that requires licensing, such as a Linux Distro.

  • Will Barrows says:

    I totally agree, now that I have read this article. I wanted to try developing apps for Windows Phone, so I got VS Express for Windows Phone. Then I found out that to test my app I needed a virtual machine running under Hyper-V. I checked and double-checked that my desktop i7 PC with 16Gb of RAM could run Hyper-V. It could, so I upgraded to Windows 8.1 Pro. It worked, I was able to debug Windows Phone apps on my desktop PC. However, something has changed, and now Hyper-V doesn’t work. The PC has lots of other stuff on it as well. I’m getting to the point where I either abandon Win Phone app development, or reset the machine to factory settings and re-install Win 8.1 Pro. There’s no guarantee it will work, and it would not be simple so I think I’ll just abandon Windows Phone app development.

    • Will,

      My apologies for the issues your having.

      While in production scenarios, it’s best practices to keep as much as possible off the Hyper-V host, on a client workstation running Hyper-V, it’s completely ok to have other software installed for test/dev workloads. Windows Phone Development would be a perfect use case for Client Hyper-V installed on Windows 8.1

      I’ve not seen many issues associated with running Hyper-V, let alone one that stops it from working all together! Can you provide a bit more info? Does the Guest VM not even start? Was there a change to your system that prompted the breakage?

      See the following post for more info on Client Hyper-V: http://www.altaro.com/hyper-v/introduction-client-hyper-v/

      Cheers!

  • laurent says:

    Thanks for your blog,

    I have a strange question,

    if i use free hyperv free edition, desinstall hyperv and use the core for install a free software. in fact, I want a strip down windows.

    This is compliant with the licence ?

    Thanks,

    Laurent

    • Eric Siron says:

      This is an overt violation of the license agreement. You must use Windows Server, preferably Standard Edition from your description, and install it in Core mode.
      If you’re just trying things out, I recommend taking advantage of Microsoft’s generous evaluation terms.

  • laurent says:

    Thanks for your blog,

    I have a strange question,

    if i use free hyperv free edition, desinstall hyperv and use the core for install a free software. in fact, I want a strip down windows.

    This is compliant with the licence ?

    Thanks,

    Laurent

Leave a comment or ask a question

Your email address will not be published. Required fields are marked *

Your email address will not be published. Required fields are marked *

Notify me of follow-up replies via email

Yes, I would like to receive new blog posts by email

What is the color of grass?

Please note: If you’re not already a member on the Dojo Forums you will create a new account and receive an activation email.