
March 16th, 2012 11:00

Advice on Configuring Hyper-V Environment

Windows Server 2008 Enterprise R2.

My hardware is as follows:

Dell PowerEdge 2900
Quad Intel Xeon 5130 @2.00 GHz Processors
20 GB of Memory
146GB System Disk and 400 GB Data Disk

I am setting up a host and Hyper-V virtuals and would appreciate some expert advice/observations on how to proceed. I currently have the host (GNHostF) running the Hyper-V role and doing the Symantec Backup Exec backups. I have one virtual machine (GNFinance) on which I run the network financial software, host the financial shared files, and run SQL Server 2008 R2 for the financial databases. I have allotted 8GB of the 20GB total memory to GNFinance. I still need to put two more functions on this box:

  1. I need to have an AD domain controller (DNS, etc.) somewhere on this box.
  2. I need to host a minimal single web service (under IIS 7) used to interface to our financial databases from the outside.

My questions are:

  1. Should I create another virtual machine(s) to handle the above functions?
  2. If so, how much of the remaining 16 GB of memory should be allotted to the virtual(s)?
  3. Or how would you arrange the virtual(s) on this machine with these resources to accomplish the functions I require?

Thanks for your help.

11 Posts

March 20th, 2012 12:00

I would definitely suggest keeping the AD DC in its own VM. Don't combine it with any other functions other than DNS. You will almost have to have DNS functions with it. Mine is running fine with only 2GB of memory and two virtual cores, but it's only supporting a test lab environment. You may need more, depending on how many machines authenticate to it. 2GB and dual cores should be able to handle upward of 100 machines, though.

For a web server, depending on the user load, 2GB and dual cores should suffice for <25 users.  Add 1GB of memory per 50 users beyond that.  

Of course, I don't really deal with loads that high, and I could be off.  Thank goodness virtual machines are able to be reconfigured easily.  Try those settings out.  If they work, great.  If you find they're too little or too much, reconfigure as needed.

11 Posts

March 20th, 2012 13:00

Oh, and I forgot to mention this.  You may know it already, but do NOT make the host a member of the domain.  That will lead to some...  unfortunate...  consequences.  Let's just say it gets really ugly.  

11 Posts

March 20th, 2012 14:00

Most servers don't get rebooted very often, but upon reboot, they log into the domain with the domain controller. If the domain controller isn't up yet because it is a virtual machine, it may cause authentication problems logging into it. If the domain controller is on the machine and isn't set to automatically start up, it can cause you to be unable to log into the machine to start it up, putting you in a vicious loop, unable to do anything. You can possibly avoid it by making the DC an auto startup VM, but even that can fail under certain circumstances.

Also, if the machine account gets corrupted or the password out of sync, (I've had this happen several times before) the host would be unable to log into the domain, causing you to be unable to authenticate, and then you'd be unable to get into the host to do any management.

In all, the best way would be to remove the host from the domain before trouble hits.
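The two failure modes described in this reply (a DC VM that is not running when the domain-joined host boots, and a host machine-account password that has drifted out of sync) both have a scripted mitigation. The following is an added example, not code from anyone in this thread; it assumes the Hyper-V PowerShell module (shipped with Windows Server 2012 and later, not with the 2008 R2 hosts discussed here) and a DC VM named GNDC, which is a hypothetical name.

```powershell
# Added example (not from the thread). Assumes the Hyper-V PowerShell module
# (Windows Server 2012 or later) and a DC VM named 'GNDC' (hypothetical name).
$dcVm = 'GNDC'

# Start the DC with the host and before every other VM, so a domain-joined
# host has a DC and DNS to reach after a cold boot such as a power outage.
Set-VM -Name $dcVm -AutomaticStartAction Start -AutomaticStartDelay 0

# Every other VM that was running at shutdown waits 300 seconds, which gives
# AD DS and DNS inside the DC time to finish starting first.
Get-VM | Where-Object { $_.Name -ne $dcVm } |
    Set-VM -AutomaticStartAction StartIfRunning -AutomaticStartDelay 300

# Show the resulting start order for review.
Get-VM | Select-Object Name, State, AutomaticStartAction, AutomaticStartDelay |
    Format-Table -AutoSize

# Detect the 'machine account password out of sync' condition and repair the
# secure channel in place instead of leaving and rejoining the domain.
# The repair needs a reachable DC and a domain account allowed to reset the
# computer object; 'CONTOSO\admin' is a placeholder.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "$env:COMPUTERNAME secure channel is broken; repairing"
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CONTOSO\admin')
}
```

The secure-channel repair only works while some DC is reachable, so it does not cover the cold-boot case on its own; that is what the start order handles. If the host is still unreachable through domain logon, the local Administrator account (or a domain account with cached credentials) is the remaining way in, which is why the later replies suggest keeping that account documented.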

March 20th, 2012 14:00

I understand. That had been explained to me before. The reason there should be no problem is that I will always have another domain controller running on another box. At present there will be two DCs on two separate boxes (VMs on different boxes). I may add a third just for safe-keeping. Does this scenario sound okay to you?

March 20th, 2012 14:00

I did not already know that. The host IS a member of the domain. I also have another box the host of which is a member of the domain. I have not encountered any problems at all. Why should I expect problems? Please educate me here. Thank you.

11 Posts

March 20th, 2012 15:00

Yeah, that should prevent those troubles. You didn't mention other DCs, so I assumed. You know what they say about assumptions. :)

March 21st, 2012 05:00

I thought about this for a while last night and have another question. If I add the DC (DNS, etc.) role to a VM on this machine my network will then have two DCs, but both being on virtual machines. From your cautions it sounds like I ought to have a DC that is NOT a VM in the case that I have to bring both servers up after, say, a power outage. I would be in trouble in this instance as there would be no DC but those on VMs.

I have been told to not put anything (roles) on a host but Symantec Backup Exec and antivirus. But I feel like I should put the DC role on at least one of my hosts so that in the event of an outage, I can bring the server with the DC on the host up first, then bring my other server that has the DC on a VM up next. Otherwise, there is no DC to get things rolling. Your thoughts?

11 Posts

March 21st, 2012 05:00

I wouldn't recommend it. For security and performance reasons, best practice for Hyper-V hosts is to only have the Hyper-V role, and nothing else. Even anti-virus software is not needed if you're completely locking down the hosts otherwise. AV can be a major sap for VM performance. The machines I use to host my DNS servers in my lab have remote desktop disabled. The only way to manage the VMs is through iDRAC or a direct console. I set that up specifically to keep them ultimately secure. They still have basic access to the internet, so I can patch them, but the firewall is hard locked down.

11 Posts

March 21st, 2012 06:00

Then it goes back to the original advice: take them off the domain.  The simplest answer is many times the best.

March 21st, 2012 06:00

I use Symantec Endpoint Protection (SEP).  Symantec had me configure the hosts with firewall completely disabled.  SEP handles all the security.

But if I do not put DC on a host, what will I do if and when (and it WILL happen) I have to power down both boxes and bring them back up after a power outage?  There will be no DC other than the two on VMs.  And as you pointed out earlier, this causes some very bad problems as there is no DC for the hosts (which are part of the domain) to boot into.

March 21st, 2012 08:00

Thanks dgingeri for all the help. If I could burden you with some related questions... What are the benefits (if any) of having the hosts as members of the domain? What are the drawbacks (if any) of having the hosts off the domain? I have never run a system that is physically connected to our LAN but that is not part of the domain. I assume then they are in a workgroup? Any instructions on the proper way to remove the hosts from the domain and to add them to a workgroup? Again, thank you for the help.

11 Posts

March 21st, 2012 16:00

The advantages would be two things: GPO enforcement and common login.  However, those are also the main downsides.  Sure, you can use just one common login and only have to memorize one password, but the authentication is also the weak point, as I pointed out above.  GPOs can be useful in setting and enforcing certain security settings, but those security settings can get you in trouble with Hyper-V as well.  

As for removing them from the domain, I just use the old "windows key - pause" shortcut.  I would advise renaming the administrator account as well, to keep anyone who might want to get into it without authorization guessing, but make sure you document it in a safe place so if, as my manager puts it, you get hit by a bus, your coworkers don't get left with a system they can't manage.  
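The procedure in this reply (rename the built-in Administrator, record the new name off the box, then move the host from the domain into a workgroup) can be done from an elevated PowerShell prompt instead of the System properties dialog. This is an added example, not code from the poster; it assumes a domain named CONTOSO, a workgroup named HYPERV and a documentation share path, all hypothetical, and the LocalAccounts cmdlets that ship with PowerShell 5.1, which the 2008 R2 hosts in this thread do not have.

```powershell
# Added example (not from the thread). Run elevated on the Hyper-V host.
# Domain 'CONTOSO', workgroup 'HYPERV' and the share path are placeholders.
# Get-LocalUser / Rename-LocalUser need PowerShell 5.1 or later.

# 1. Locate the built-in Administrator by its well-known RID 500 rather than
#    by display name, so the script still works if it was renamed earlier.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$newAdminName = 'HostMgr'
if ($builtinAdmin.Name -ne $newAdminName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $newAdminName
}

# 2. Document the rename somewhere other than the host itself, so a
#    colleague can still manage the box later. Done while still domain-joined,
#    because the share is reached with domain credentials.
$record = "{0} {1}: built-in local admin renamed to {2}" -f (Get-Date -Format s), $env:COMPUTERNAME, $newAdminName
$record | Out-File -Append -FilePath '\\fileserver\itdocs\hyperv-hosts.txt'   # placeholder path

# 3. Leave the domain and join the workgroup. The domain credential lets
#    Windows disable the computer object in AD on the way out; the reboot
#    completes the change.
Remove-Computer -UnjoinDomainCredential (Get-Credential 'CONTOSO\admin') `
                -WorkgroupName 'HYPERV' -Force -Restart
```

Once the host is in a workgroup, domain accounts no longer sign in to it, so confirm the new local administrator password works before the reboot, and expect remote Hyper-V Manager connections from domain-joined workstations to need extra setup (the host added to the client's WinRM TrustedHosts and explicit credentials) rather than working through the common domain login the reply mentions.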

March 22nd, 2012 17:00

I asked Symantec if there is any problem taking the hosts (which run Symantec Backup Exec 2010 R3 to back up hosts and VMs) off the domain. Basically they said "YES!" that is not a good configuration and will cause issues with the backup. The "workaround" should I take one of the hosts off the domain is nightmarish and sounds iffy. I return to the scenario where I think I simply must put AD and DC on one of my hosts. What the heck else can I do? It seems to be a "Catch 22."
