Server 2008 NAT and VM adapters

Ok, so I'm a bit of a newbie, but I've gotten pretty far in setting up
our church network. What we got: Windows Server 2008 Enterprise.
I've installed Server Core with Hyper-V as the host machine on the
physical box, and created 3 VM's. VM1 is the primary DC; VM2 is the
backup DC and file server; VM3 has RRAS and NAT on it (w/ print
services following later). The physical server has 2 NIC's: one
connected to the cable modem (Internet) and one connected to the
network switch (LAN).

VM3 has two virtual network adapters, each piggybacking on the
physical adapters. VM3 is acting as the gateway for clients (also
connected to the switch) to the Internet. This was for security
purposes, to isolate the Internet from the LAN. Now, my issue is two
parts:

1. Internet access is pretty slow, much slower than when the gateway
for the clients was the modem. Not quite dial-up slow, but pretty
close. Sometimes connections even time out. Not that internal access
is quite fast.

2. When I create VM's it seems I HAVE to use the legacy adapters.
Here is the weird thing: I originally installed the full version (not
Core) of Enterprise as the host machine to fool around (I later wiped
it and installed Core), and created VM's. I could have sworn that
when I created the VM's, I did not have to use the legacy adapter
option when creating the virtual adapters. Now that I'm using Core,
is there something else I need to do, to not have to use the legacy
adapters? I am wondering if the legacy adapters are making the
Internet access slow for clients?

Bonus question: is it absolutely necessary to isolate the switch from
the Internet to maximize security? Or should I just go ahead and plug
the switch into the modem and have the clients' gateways be the
modem? How would this affect VPN capabilities I'd like to have later?

Your help is much appreciated,
Tom

Hello Tom,

I suggest that you better post this to:
http://social.technet.microsoft.com/...yperv/threads/

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Ok, so I'm a bit of a newbie, but I've gotten pretty far in setting up
> our church network. What we got: Windows Server 2008 Enterprise.
> I've installed Server Core with Hyper-V as the host machine on the
> physical box, and created 3 VM's. VM1 is the primary DC; VM2 is the
> backup DC and file server; VM3 has RRAS and NAT on it (w/ print
> services following later). The physical server has 2 NIC's: one
> connected to the cable modem (Internet) and one connected to the
> network switch (LAN).
> VM3 has two virtual network adapters, each piggybacking on the
> physical adapters. VM3 is acting as the gateway for clients (also
> connected to the switch) to the Internet. This was for security
> purposes, to isolate the Internet from the LAN. Now, my issue is two
> parts:
>
> 1. Internet access is pretty slow, much slower than when the gateway
> for the clients was the modem. Not quite dial-up slow, but pretty
> close. Sometimes connections even time out. Not that internal access
> is quite fast.
>
> 2. When I create VM's it seems I HAVE to use the legacy adapters. Here
> is the weird thing: I originally installed the full version (not Core)
> of Enterprise as the host machine to fool around (I later wiped it and
> installed Core), and created VM's. I could have sworn that when I
> created the VM's, I did not have to use the legacy adapter option when
> creating the virtual adapters. Now that I'm using Core, is there
> something else I need to do, to not have to use the legacy adapters?
> I am wondering if the legacy adapters are making the Internet access
> slow for clients?
>
> Bonus question: is it absolutely necessary to isolate the switch from
> the Internet to maximize security? Or should I just go ahead and plug
> the switch into the modem and have the clients' gateways be the
> modem? How would this affect VPN capabilities I'd like to have later?
> Your help is much appreciated,
> To

"Tom M" <(E-Mail Removed)> wrote in message
news:5323696c-db58-408c-85b9-(E-Mail Removed)...
> Ok, so I'm a bit of a newbie, but I've gotten pretty far in setting up
> our church network. What we got: Windows Server 2008 Enterprise.
> I've installed Server Core with Hyper-V as the host machine on the
> physical box, and created 3 VM's. VM1 is the primary DC; VM2 is the
> backup DC and file server; VM3 has RRAS and NAT on it (w/ print
> services following later). The physical server has 2 NIC's: one
> connected to the cable modem (Internet) and one connected to the
> network switch (LAN).
>
> VM3 has two virtual network adapters, each piggybacking on the
> physical adapters. VM3 is acting as the gateway for clients (also
> connected to the switch) to the Internet. This was for security
> purposes, to isolate the Internet from the LAN. Now, my issue is two
> parts:
>
> 1. Internet access is pretty slow, much slower than when the gateway
> for the clients was the modem. Not quite dial-up slow, but pretty
> close. Sometimes connections even time out. Not that internal access
> is quite fast.
>
> 2. When I create VM's it seems I HAVE to use the legacy adapters.
> Here is the weird thing: I originally installed the full version (not
> Core) of Enterprise as the host machine to fool around (I later wiped
> it and installed Core), and created VM's. I could have sworn that
> when I created the VM's, I did not have to use the legacy adapter
> option when creating the virtual adapters. Now that I'm using Core,
> is there something else I need to do, to not have to use the legacy
> adapters? I am wondering if the legacy adapters are making the
> Internet access slow for clients?
>
> Bonus question: is it absolutely necessary to isolate the switch from
> the Internet to maximize security? Or should I just go ahead and plug
> the switch into the modem and have the clients' gateways be the
> modem? How would this affect VPN capabilities I'd like to have later?
>
> Tom


Meinolf is correct. The hyper-v forum would be a better place to post
this.

If it turns up there I will probably answer it anyway, so here are a few
pointers.

1. If you are not an experienced sysadmin proficient at running
installations from the command line, Server Core is a bad decision. You
really need the GUI screens.

2. Core will not be the problem with the synthetic NICs. The drivers for
the synthetic NICs are loaded when you install the integration components
(vmguest.iso).

3. Running RRAS/NAT in a vm is not a problem and you should not notice any
slowdown. (I have a system running that way). However, I cannot see any
reason to do it in your case. It is only sensible if you want to isolate the
machines on the virtual network from the LAN machines. As I see it, your LAN
machines are clients of the DCs running in the vms.

4. Make sure that you have the latest version of Hyper-V. This should be
there already if you have automatic updates configured.

I would go back to a full install, not core. I would install a simple
hardware NAT router between the cable modem and the switch. Configure the
Hyper-V server to have only one NIC associated with a virtual switch (ie
configure the virtual switch so that it is simply an extension of the
physical LAN). Install the integration components on the vms.

Configure the DHCP server on the NAT router to hand out its own IP as
gateway but the DC for DNS. If it cannot do that, disable DHCP here and run
DHCP on your DC.

Configure the DNS server on the DC to forward to a public DNS server.

You now have a much simpler network that looks like this.

Internet
|
cable connection
NAT router
192.168.21.1 (or whatever)
|
client machines
192.168.21.x dg 192.168.21.1 dns 192.168.21.11
|
DC vm
192.168.21.11 dg 192.168.21.1 dns 192.168.21.11