Hyper-V Management Mistakes You’ll Never Make Again – Part 2
In our last article, we wrote about the eight most common mistakes that administrators struggle with in their day-to-day operations with hyper-v management. We continue here with eight more common mistakes, and suggest additional remedies and optimization techniques to help you significantly improve your Hyper-V environment.
Mistake 9 — Not Leveraging Dynamic Memory
Too many authors frighten people away from using Dynamic Memory on SQL and Exchange servers. Don’t shy away from it, since you can adjust Dynamic Memory at any time. We recommend setting a good minimum and maximum sizes—but be a bit conservative with each setting. While you can reduce the minimum and increase the maximum dynamic memory any time you want, you can’t modify fixed memory while the guest is running.
Mistake 10 — Blindly Accepting VM Configuration Defaults
Remember, you only get a single vCPU when you use the wizard to create a VM. However, if your guest OS is newer than XP/Server 2003—then you really want at least 2 vCPUs. When you enable Dynamic Memory, its maximum is set to 1 TB. You probably don’t want this, if only because you don’t have 1 TB in physical memory to support it.
As we wrote above: you can increase the maximum at any time, but you’ll need to turn off the guest to reduce memory. If you accept the insanely high default value, you’re vulnerable to an unnecessarily greedy or memory-leaking app that might cause one of the guests to grossly imbalance how the host adjusts its allocation to the other guests.
Mistake 11 — Overloading the Management Operating System
The management OS should only run VMs, backup software, and anti-malware tools. That should be all that resides on the management box. If it’s not a VM, doesn’t backup VMs, or protect VMs, then it should run within one of the VMs. Period. This not only improves performance, but it helps you organize and troubleshoot well.
Mistake 12 — Not Joining a Domain (Leaving the Management OS in Workgroup mode)
Unless you have some very special reason, a Hyper-V host should not be in a DMZ. If you have a domain available, then join the host to it. Don’t leave it in workgroup mode. Think about it: a workgroup can be compromised, and a compromised workgroup is no better than a breach in a domain. Any attacker that penetrates the host will gain read-only access to all VHDX guest files. If any of them reside in the domain, it doesn’t matter if the host is a domain member or not.
Mistake 13 — Lack of Testing
Lack of adequate testing is a highly lamentable, widespread failure of too many IT shops. It is often a bad assumption that known hardware and a familiar configuration will always work well together. We can’t stress it enough: plan well, then deploy carefully, test extensively then go live and perform verification testing. Omitting any of these steps is to portend at least one significant problem in your future.
Mistake 14 — Avoiding PowerShell
We get it: PowerShell is yet one more tool to learn. Trouble is, there is much Hyper-V functionality that is only accessible by using PowerShell. The same is true for much of the functionality in most Microsoft server products. So, go on. Give it a try. There is much power and flexibility to there. Once you automate something that has been a tedious, repetitive, manual task, you won’t go back.
Mistake 15 — Not Figuring Out Licensing in Advance
It’s become incredibly difficult to win any battle on licensing ignorance. While we agree entirely that Microsoft should publish better licensing guidelines, they haven’t—and probably won’t. It’s likely that you know for sure that you have to purchase licenses, and you have a good idea of the authorized Microsoft reseller(s) from which you’ll make those purchases. Don’t waste time trying to find loopholes: pick up the phone and call that vendor. Someone on their staff can ask a few qualifying questions and tell you exactly what you need.
It’s very, very important. If you are found to be non-compliant in an audit (only one phone call is necessary to trigger an audit), you’re likely to face stiff fines. Don’t risk it. A phone call is free, and it takes very little time to get a direct answer.
Mistake 16 — Not Following Anti-Virus Best Practices
Some admins think that running Windows Server in Core mode with careful access control on the management OS is sufficient to keep the host quite safe. While this is an adequate disposition for some companies, many organization are bound by industry constraints or regulations that make it a rigid requirement to implement anti-virus protection on all endpoints—including virtualization hosts. Of course, you can run AV on any Hyper-V host, but it can negatively impact performance and possibly bring down VM services when improperly configured. Ensure that you take special care to properly configure anti-virus if you enable it on your Hyper-V hosts.