We are in the middle of trying to virtualize our domain controller with Windows 2012. We have a host running ESXi 5.0. We have other guests running that are production and in our domain. We want to bring this new 2012 server up as a domain controller, but in a test environment. If I give it a separate NIC and vSwitch, it should be isolated from our production environment. Our Windows admin wants to mimic production as much as possible to test probable pitfalls. In this scenario, is there a chance of this test server interfering with our production? Is the separate vSwitch enough to keep it isolated?
Thank you
Edsel
You can isolate even further by creating an internal-only network using a vSwitch with 0 physical NICs. This will allow you to create a network that is completely isolated. The downside is that the Windows admin will have to access the test environment through the vSphere client. With this configuration there is no way it will interact with your production configuration.
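The internal-only vSwitch described above, as an added PowerCLI example that is not part of this thread; it assumes an existing Connect-VIServer session, and the host, switch, port group and VM names are placeholders:

```powershell
# Added example (not from the thread): build a vSwitch with zero uplinks, put a port group
# on it, move the test DC's NIC there, then verify nothing can leave the host.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
$hostName   = "esxi-host-01"          # placeholder
$switchName = "vSwitch-IsolatedTest"  # constructed name
$pgName     = "TestDC-Isolated"       # constructed name
$vmName     = "DC2012-TEST"           # placeholder

$vmHost = Get-VMHost -Name $hostName

# Omitting -Nic is the whole point: no vmnic means frames cannot reach the physical network.
$vs = New-VirtualSwitch -VMHost $vmHost -Name $switchName
$pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $pgName

# Attach every adapter of the test VM to the isolated port group.
Get-VM -Name $vmName | Get-NetworkAdapter |
    Set-NetworkAdapter -NetworkName $pgName -Confirm:$false

# Verification: list each standard vSwitch on the host with its uplink count.
# The test switch must report UplinkCount 0; if someone later adds a vmnic to it,
# the isolation is gone, so this check belongs in routine review.
Get-VirtualSwitch -VMHost $vmHost | ForEach-Object {
    [pscustomobject]@{
        Switch      = $_.Name
        UplinkCount = @($_.Nic).Count
        Uplinks     = (@($_.Nic) -join ",")
        Isolated    = (@($_.Nic).Count -eq 0)
    }
} | Format-Table -AutoSize

# Second check: the VM must have no adapter left on a production port group.
$stray = Get-VM -Name $vmName | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -ne $pgName }
if ($stray) {
    Write-Warning "Adapters outside the isolated port group: $(($stray | ForEach-Object NetworkName) -join ',')"
}
```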
Hi Edsel,
yes, you can isolate the VM network traffic either at physical network level or virtual (using VLAN). If you are using the physical method you would end up dedicating a physical network only for DC VM traffic which may not be the optimized way. Today isolation for most of the traffic can be done using VLANs unless you are dealing with some high security data.
Again, if you have ample physical NICs, like 6-8, or you are not using iSCSI or NFS and don't need dedicated traffic for IP storage, then you may choose to isolate the network at the physical layer; however, if you don't have sufficient NICs, then you may suggest using VLANs for DC traffic.
-f10
http://highoncloud.blogspot.in/
About VMware Virtualization on NetApp
Be careful with just adding another VLAN to your environment. If you don't have control over inter-VLAN traffic, enabling every VLAN to talk to every other VLAN, you'll be creating the very problem you're trying to avoid. One solution is to get with your Network Admins and create at least one but possibly a set of VLANs that can only talk to each other and are protected from the production environment by a firewall. That way, your test environment can exist on all your hosts, have "normal" network access, but be isolated.
Firewall rules could be allowed for administrator access, RDP, and Internet access.
All the best,
Mike
-----------------------------------------
Please consider marking this answer "correct" or "helpful" if you found it useful.
Mike Brown
VMware, Cisco Data Center, and NetApp dude
Consulting Engineer
Twitter: @VirtuallyMikeB
Blog: http://VirtuallyMikeBrown.com
LinkedIn: http://LinkedIn.com/in/michaelbbrown