Part 1 – Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’


Update 14th Nov 2008. I’ve just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to all parts in the series: 1, 2, 3, 4 and 5

After the many emails I’ve had about this, it seemed only appropriate to write up a detailed post (or two actually) about how to resolve this.

You will hit this problem when using the Hyper-V Vista management tools connecting to a remote Windows Server 2008 machine with the Hyper-V role enabled, and where both machines are in a workgroup (or in a domain environment where you genuinely don’t have access – but that’s another blog entry).

There are several additional configuration steps you need to complete to make remote management work in a workgroup environment.

Step 1 (On Client and Server)

Make sure you are using a username and password which matches between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience).


Step 2A (On Server core installations)

See part 3 of this series

Step 2B (On Server full installations)

Enable the firewall rules on the server for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Make sure the command is successful and responds Updated 4 rules(s). Ok.


Note: The string in quotes must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what group name this is.

If you now open “Windows Firewall with Advanced Security” from Administrative Tools on the start menu, you will notice that four rules (three inbound and one outbound) have been enabled. (It helps to sort by Group.)


Step 3 (On Server)

This step grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. Depending on your circumstances, you can add the individual users (they must obviously have an account already on the server), a group, or you can allow all users by selecting the “Authenticated Users” group.

Open Component Services by typing “dcomcnfg” in the box on the start menu, and expand the menu so that “My Computer” is selected under Component Services\Computers.


Right-Click on My Computer, select Properties and select the “COM Security” tab.

In the above dialog, click Edit Limits in the “Launch and Activation Permissions” area (not to be confused with the Edit Limits in the “Access Permissions” area).


Click “Add…” and enter the users (or groups including “Authenticated Users” as appropriate)


Click OK, then select the added user or group

In the Allow column, select Remote Launch and Remote Activation, then click OK.


Close Component Services

Step 4 (On Server)

This step grants appropriate WMI permissions to the user(s) who are remotely connecting. You need to grant access to two namespaces, and, as in step 3, you can add individual users, group(s) or the “Authenticated Users” group.

Open Computer Management under Start/Administrative Tools, expanding the tree down through Services and Applications\WMI Control. Select WMI Control


Right-click on WMI Control and select properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.


IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the Security button. If the appropriate user or group does not already appear, use “Add…” as you did in Step 3 above to add them.


Now select the user and click the Advanced button below the “Permissions for <user>” area.


Again, make sure the user/group is selected and click Edit


You need to make three changes here:

  • In the “Apply to:” drop-down, select “This namespace and subnamespaces”
  • In the Allow column, select Remote Enable
  • Check “Apply these permissions to objects and/or containers within this container only”

The screen should look like below. If so, click OK through the open dialogs.


Repeat for the Root\virtualization namespace


Click OK as appropriate to confirm all open dialogs and close Computer Management.
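
A read-only check of what Steps 3 and 4 granted, added here as an example; it is not part of the original post or of HVRemote. It assumes PowerShell 2.0 or later in an elevated prompt on the server, and the function names are hypothetical. It lists every trustee holding the remote DCOM and WMI rights and flags broad groups such as “Authenticated Users” by SID, so it also works on non-English servers.

```powershell
# Added example: audit the DCOM launch limits (Step 3) and the WMI namespace
# security (Step 4). Reads configuration only; changes nothing.

# Well-known SIDs of broad groups. SIDs are language-independent,
# unlike the display names shown in the dialogs.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Resolve-SidName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # orphaned or unresolvable SID: report it raw
    }
}

function New-AuditRow([string]$Scope, [string]$Sid, [string]$Rights) {
    New-Object PSObject -Property @{
        Scope   = $Scope
        Trustee = (Resolve-SidName $Sid)
        Sid     = $Sid
        Rights  = $Rights
        Broad   = $BroadSids.ContainsKey($Sid)
    }
}

function Get-DcomRemoteLaunchAce {
    # Step 3: machine-wide "Launch and Activation Permissions" limits,
    # stored as a binary security descriptor in the registry.
    $COM_EXECUTE_REMOTE  = 0x4    # Remote Launch
    $COM_ACTIVATE_REMOTE = 0x10   # Remote Activation

    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').MachineLaunchRestriction
    if (-not $bytes) { return }   # value absent: system defaults apply

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $rights = @()
        if ($ace.AccessMask -band $COM_EXECUTE_REMOTE)  { $rights += 'Remote Launch' }
        if ($ace.AccessMask -band $COM_ACTIVATE_REMOTE) { $rights += 'Remote Activation' }
        if ($rights.Count -eq 0) { continue }
        New-AuditRow 'DCOM launch limits' $ace.SecurityIdentifier.Value ($rights -join ', ')
    }
}

function Get-WmiRemoteEnableAce([string]$Namespace) {
    # Step 4: the namespace ACL shown on the WMI Control "Security" tab.
    $WBEM_REMOTE_ACCESS = 0x20   # Remote Enable
    $CONTAINER_INHERIT  = 0x2    # ACE flag: also applies to subnamespaces

    $out = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace returned $($out.ReturnValue)"
    }
    foreach ($ace in $out.Descriptor.DACL) {
        if ($ace.AceType -ne 0) { continue }                               # 0 = access allowed
        if (-not ($ace.AccessMask -band $WBEM_REMOTE_ACCESS)) { continue }
        $rights = 'Remote Enable'
        if ($ace.AceFlags -band $CONTAINER_INHERIT) { $rights += ' (incl. subnamespaces)' }
        New-AuditRow "WMI $Namespace" $ace.Trustee.SIDString $rights
    }
}

# Collect both steps into one report.
$report = @(Get-DcomRemoteLaunchAce)
foreach ($ns in 'root\cimv2', 'root\virtualization') {
    $report += @(Get-WmiRemoteEnableAce $ns)
}

$report | Sort-Object Scope, Trustee |
    Format-Table Scope, Trustee, Rights, Broad -AutoSize

# Call out grants to broad groups so they can be reviewed deliberately.
$report | Where-Object { $_.Broad } | ForEach-Object {
    Write-Warning "$($_.Scope): $($BroadSids[$_.Sid]) holds $($_.Rights)"
}
```

The account added in the walkthrough should appear once under the DCOM scope and once under each of the two namespaces; any row flagged as broad extends remote access to every account in that group.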

Step 5 (On Server)

This step configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. I am assuming in this walkthrough, you are using the in-box default policy and have not re-configured anything at this stage.

Open Authorization Manager by typing “azman.msc” in the box on the start menu.


Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.


Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the system drive and select InitialStore.xml, then click OK.


I’m going to keep this walkthrough as simple (!) as possible, and make my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.

In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.


Add the appropriate users or groups (here you can see the “john” account)

Close the Authorization Manager MMC.

IMPORTANT. You must now reboot your server for the above changes to take effect.

In part 2, I’ll walk through the client configuration steps.

Cheers,
John.

Comments (149)

  1. Anonymous says:

    Hyper-V Monitor Gadget for Windows Sidebar

  2. Anonymous says:

    As I mentioned in my previous post , last month I built out a new virtual environment using Hyper-V on

  3. Anonymous says:

    So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

  4. Anonymous says:

    The full version of my article published in the June issue of TechNet Magazin. With a few more pictures. Special

  5. Anonymous says:

    It is time to update everyone on the issues our support engineers have been seeing for Hyper-V for the

  6. Anonymous says:

    Apologies for a lack of a new post on the WMI scripts, look for a new double part post Wednesday morning.

  7. Anonymous says:

    Announcing "HVRemote"…., a tool to "automagically" configure Hyper-V Remote Management

  8. Anonymous says:

    In the Hyper-V shiproom, we have signed off on Hyper-V RTM (Release To Manufacturing). The build and

  9. Anonymous says:

    With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit

  10. Anonymous says:

    Source: Microsoft Virtualization Team Blog Apologies for a lack of a new post on the WMI scripts, look

  11. Anonymous says:

    Well you might not be as Vista gadget crazy as I am but this is still very cool! I am a firm believer

  12. Anonymous says:

    I am feeling lazy today – but thankfully my colleagues have been working hard :-) Mike Kolitz has done

  13. Anonymous says:

    This is the one you have been waiting for, get it, install it. Enjoy :) Windows Server 2008 x64

  14. Anonymous says:

    In the course of my Hyper-V activities I keep finding very interesting articles on the net, which I

  15. Anonymous says:

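    No special configuration is needed to use Hyper-V Server in a domain environment, but in a workgroup you unfortunately have to adjust a number of settings. First, there are required settings on both the server side and the client side. I will explain the server settings first, as they involve comparatively few changes.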

  16. Anonymous says:

    More for my own reference, as I keep having to search the Internet for this document and never bookmark

  17. Anonymous says:

    You may have seen from a recent post that I received a new laptop that was capable of running Hyper-V.

  18. Anonymous says:

    Well I just want to introduce you to a new writer who is gonna come along and help giving you great content

  19. Anonymous says:

    It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I’ve come

  20. Anonymous says:

    Soon, I promise, I will be publishing part 3 which is the workgroup server-core version of “Hyper-V

  21. Anonymous says:

    [Weekly Issue] Hyper-V Core and remote control

  22. Anonymous says:

    Tore Lervik: I've created a sidebar gadget so I can see what the Hyper-V server is doing from my

  23. Anonymous says:

    Amir – just to follow up due to other emails I had, I’ve also seen this problem reported now after 3rd party AV and firewall  application have been installed on the client machine.

    Thanks,

    John

  24. Anonymous says:

    I've created a sidebar gadget so I can see what the Hyper-V server is doing from my workstation

  25. Anonymous says:

    Kent – there’s nothing I can spot wrong with the configuration – the length of the computer name should not matter. Are you *sure* you have the right password set in cmdkey on the client for the account "mhyper\kmorstain" on the server, and that the password is not null (blank). If you have a blank password, you need to set a password on the server, and recreate the cmdkey entry.

    You can verify access to the server by running wbemtest from the client and hitting connect, entering \\mhyper\root\cimv2 in the namespace, and entering the credentials mhyper\kmorstain in the user, plus the password of the kmorstain account on the *server*. Does this connect OK? If so, hit the "query" button and enter (no quotes) "select * from win32_computersystem" then apply. Do you get one record returned? (Win32_computerSystem.Name="mhyper").

    Thanks,

    John.

  26. Anonymous says:

    Yesterday I finally got around to installing SCVMM 2008 beta onto a virtual machine (mainly to help us

  27. Anonymous says:

    Source: Mindre.net Tore Lervik has created a very cool Hyper-V Monitor Gadget for Windows Sidebar. The

  28. Anonymous says:

    @Alberto. Just finishing off the write up. Hopefully I’ll have the finished post ready tomorrow.

    Thanks,

    John.

  29. Anonymous says:

    Tore Lervik: I've created a sidebar gadget so I can see what the Hyper-V server is doing from my

  30. Anonymous says:

    Hyper-V Monitor Gadget for Windows Sidebar

  31. Anonymous says:

    Mike – I’m not sure I understand your point. Hyper-V server is like Windows Server 2008 server core installation – there is no GUI. You have to manage both remotely if you want to use GUI tools which is what this (and the other 4 posts) are about. I recommend though you use HVRemote (link at top) as that makes the process much simpler.

    Thanks,

    John.

  32. Anonymous says:

    It is time to update everyone on the types of issues our support engineers have been seeing for Hyper-V.

  33. Anonymous says:

    People have started actively installing and using Hyper-V virtualization, especially the free Microsoft

  34. Anonymous says:

    Hyper-V Management Console on Vista x64

  35. Anonymous says:

    Today, two tools for Hyper-V. Not brand new, but extremely useful. The first will serve you

  36. Anonymous says:

    If you manage (or are thinking of managing :) ) several Hyper-V servers from a Windows Vista SP1 machine, this

  37. Anonymous says:

    Improvements Over Hyper-V RC0 In addition to bug fixes and stability improvements, Microsoft also made

  38. Anonymous says:

    Hyper-V Server First Impressions

  39. Anonymous says:

    Shiva – I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces. General RDP clients will not be able to connect over RDP using port 2179 – although VMConnect uses the RDP protocol, the connection establishment is not quite the same.

    If you need to deploy directly to the Internet, I would recommend you look at building out a Terminal Service Web Access/Gateway protected behind an ISA server (I have previously run through configuring exactly this on my blog, last year IIRC). It would be far more secure.

    Thanks,

    John.

  40. Anonymous says:

    I got home from San Francisco on Friday afternoon. I had one thing in mind (this is going to be

  41. Anonymous says:

    So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

  42. Anonymous says:

    Hyper-V Beta released as part Windows Server 2008. The final release of Hyper-V happened shortly after

  43. Anonymous says:

    Good evening to all the

  44. Anonymous says:

    Alex – I replied to the other comment you left.

    Thanks,

    John.

  45. Anonymous says:

    This is about the error below (↓) that appears in Japanese. 「このタスクを完了するために必要なアクセス許可がありません。このコンピュータ ‘xxxxxxx’ の承認ポリシーの管理者に問い合わせてください。」

  46. Anonymous says:

    Top Issues for Microsoft Support for Windows Server 2008 Hyper-V Hyper-V Beta released as part

  47. Anonymous says:

    Ron – are you sure you’re navigating to programdata on the remote box rather than the local Vista client (ie \<serverprogramdata…..)?

    Thanks,

    John.

  48. Anonymous says:

    Pieter – did you copy or type the command in? If you copied, I believe the quotes are in "word" format and won’t be recognised.

    Thanks,

    John.

  49. Anonymous says:

    Jörn – are you logging on with a smartcard? What happens if you go into Hyper-V Manager, and uncheck use default credentials under the user credentials node?

    Thanks,

    John.

  50. Anonymous says:

    Exhotic Hadron – to the best of my knowledge, there was no issue on M3 builds running both Hyper-V and the Management client together on a single box. Unfortunately though, I don’t have any boxes around any more still running M3 (we’ve moved way past that) to verify.

    Thanks,

    John.

  51. Anonymous says:

    Kent – please can you provide the output with /target:computername rather than /targetcomputer.

    Thanks,

    John.

  52. Anonymous says:

    Kent – please post back the output from both client and server of hvremote /show /target:othercomputername. Please first though follow the troubleshooting steps (particularly the client) if it fails from steps 3 onwards.

    Thanks,

    John.

  53. Anonymous says:

    Hello. An essential tool for configuring servers with Hyper-V so that they can be managed

  54. Anonymous says:

    Please.

    I have a windows Hyper-V Server Edition, and is only core mode.

    How do I configure security options to enable remote management?

  55. Anonymous says:

    NL – No, that isn’t actually necessary.

    Thanks,

    John.

  56. Anonymous says:

    I have gone through these steps twice now for my Win 2008 R2 datacenter cluster. I created a local and domain user of the same name and password as the local user on my Win 7 workstation (workgroup).

    I also destroyed the cluster and tried again, same error.  Seems there is some additional permission or policy that needs to be changed.  Has anyone been successful with 2008 R2?

  57. Anonymous says:

    Siavash – unfortunately this is not possible in Hyper-V today.

    Thanks,

    John.

  58. Anonymous says:

    Ryan – what changed from working to now getting the error – in particular, you mention about passwords being in sync, so could this be tied to that and there’s been a typo on syncing the passwords, especially as you indicate you are getting MMC failures too? It doesn’t sound like it’s Hyper-V specific, in other words. Are you using cmdkey to set credentials on the client to authenticate to the server?

    Do all users fail now?

    Thanks,

    John.

  59. Anonymous says:

    Lduval – I’ll add it to a list, but I should be up front and say it may be some time off yet. However, you should still be able to run from the command prompt in Hyper-V server net localgroup "Distributed COM Users" <username> /add to solve this.

    Thanks,

    John.

  60. Anonymous says:

    Jerrold – unfortunately you’ve pasted the client bit into the server output….

    Thanks,

    John.

  61. Anonymous says:

    David – there is no difference in terms of remote management configuration between "v1" and Windows Server 2008 R2/Hyper-V Server R2.

    Thanks,

    John.

  62. Anonymous says:

    Scott – it would be helpful for diagnosis or ease of configuration (unless you really want to do the steps manually) to use HVRemote instead. The link is at the top of the page. Follow that, take a look at the documentation and if you still have problems, please post back the output of hvremote /show on both the client and the server.

    Cheers,

    John

  63. Anonymous says:

    FrankM – please post the output of hvremote /show /target:otherboxname from both boxes. (Obviously correct any suggestions it makes if you see errors first).

    Thanks,

    John.

  64. Anonymous says:

    Thanks John, very useful.

  65. Anonymous says:

    Shva – sorry, I’m not sure what you mean by "consume". What is the goal you are trying to achieve?

    Thanks,

    John.

  66. Anonymous says:

    Fábio & Impactro – please use HVRemote (link at top of article), or see other parts of this series which explain how to perform the steps manually on core. However, I strongly recommend you use HVRemote.

    Thanks,

    John.

  67. Anonymous says:

    Hi Christopher – that's a good one too.

    Cheers,

    John.

  68. Anonymous says:

    Mike – that directory is hidden. Navigate to it using the address bar in Windows explorer by typing c:\programdata….. replacing c: with your system drive.

    Thanks,

    John.

  69. Anonymous says:

    Olexandr – You don’t need that rule enabled on the server firewall. Can you post the full output of hvremote /show /target:othercomputername from both boxes?

    Thanks,

    John.

  70. Anonymous says:

    @Sebastien – actually, no that is not correct. This does work on server core with a few variations. Give me a couple of days – I’m documenting the exact steps and will be posting it up soon. (And part 3 really IS a valiant effort. You’ll see why when you see it!!!)

    Thanks,

    John.

  71. Anonymous says:

    Shiva – no this is not possible in Hyper-V through VMConnect. To the best of my knowledge, it is not possible in RDP, but that’s outside of my area of authoritative expertise. You may want to ask that question on one of the Technet Windows Server forums.

    Thanks,

    John.

  72. Anonymous says:

    Hi Jerrold – unfortunately, you missed the bit I needed :)

    Can you run hvremote /show on both the server and the client? You shouldn’t need to add the /debug – I’ll almost certainly get everything I need from just the /show with the v0.3 version you’re running.

    Can you also confirm you are running from an elevated command prompt?

    Thanks,

    John.

  73. Anonymous says:

    This is failing because you have incorrect stored credentials from the client to authenticate to the server. From the client output:

    ——————————————————————————-

    Stored Credentials

    ——————————————————————————-

    Currently stored credentials:

      Target: morstainhyperv

      Type: Domain Password

      User: morstainhyperv\account

    The server output indicates that you have created and granted an account "morstainhyperv\kmorstain" access. On the client use cmdkey to remove the currently stored credentials and replace them with morstainhyperv\kmortain.

    Cheers,

    John.

  74. Anonymous says:

    Matthew – yes, I wrote these articles a few months before RTM came out. You want http://support.microsoft.com/kb/952627 for Vista SP1. The RTM links are on the far right of the blog page.

    Thanks,

    John

  75. Anonymous says:

    Tim – Just so I understand your scenario. You have a box running Hyper-V which is a full install (as opposed to server core). You are using a TS session (mstsc) to log on to the server and/or using a KVM as-if you were sitting in front of the server console to log on to it. From there, you’re running Hyper-V Manager and getting the permission error.

    Are you an administrator on the machine, or if not, have you granted your account the appropriate permissions in AZMan?

    Thanks,

    John.

  76. Anonymous says:

    Yes, this is expected. Saved states are not compatible between 2008 and 2008 R2. You need to cleanly shut down the machines in 2008 before export. You should also merge any online snapshots as these have an implicit saved state in them too.

    Thanks,

    John.

  77. Anonymous says:

    Mike – can you check that the VMMS service is actually running on the target server? (sc query vmms). If you find it is stopping, I’d be interested to see if there’s something in the event logs.

    Thanks,

    John.

  78. Anonymous says:

    Kent – please post back the output from both client and server of hvremote /show /target:othercomputername. Please first though follow the troubleshooting steps (particularly the client) if it fails from steps 3 onwards.

    Thanks,

    John.

  79. Anonymous says:

    Jerrold

    You’re logged on to client as zeus\vmcmd, but there’s several bits missing from the server side. Client looks good.

    You should simply need to run hvremote /add:vmcmd on the server and reboot (possibly) both sides, depending on whether there are active connections outstanding. You also need to make sure the vmcmd user password is the same on both sides as this is a workgroup.

    Thanks,

    John.

  80. Anonymous says:

    Franck – this is part of our Authorization Manager (AZMan) infrastructure. More information on this will be available in the official documentation very soon. It’s also something that my colleague Ben (http://blogs.msdn.com/virtual_pc_guy) was looking to provide some unofficial (ie blog) information on soon.

    Thanks,

    John.

  81. Anonymous says:

    Amir – see part two for the client firewall settings. Essentially you need to run

    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

    netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

    Also see part 5 for the domain client to workgroup server configuration.

    Thanks,

    John.

  82. Anonymous says:

    Asshen – yes, point well taken, but similar steps are necessary for any form of remote WMI/DCOM – it’s not strictly specific to Hyper-V. We’re looking to see how we can get this improved.

    Thanks,

    John.

  83. Anonymous says:

    Mike (Brown) – are you using SCVMM or the in-box UI? I’m wondering this due to some of the terminology you are using. Currently SCVMM is incompatible with Hyper-V RC1, so that could be the cause of the issue. If you are using the inbox UI, please let me know and I’ll assist you working out what’s wrong.

    Thanks,

    John.

  84. Anonymous says:

    John,

    You rock! thanks a lot for this ‘patch’

  85. Anonymous says:

    Mohsen – no, it's not going anywhere.

    Cheers,

    John.

  86. Anonymous says:

    Shiva – wow, I thought I’d heard every question there possibly could be relating to remote management of Hyper-V. But you’ve stunned me with this one!

    Does this happen every time? When you say restart – as in blue screen, or graceful reboot? In either case, is there anything in the event logs? If a blue-screen, do you have a memory dump file we could analyse? Have you seen the server exhibit similar behaviour at any other time, or is only when using VMConnect?

    Hardware specs would be useful too.

    Thanks,

    John.

  87. Alberto says:

    This is really tricky John.

    What if i have Hyper-v installed on a core based install?

  88. Sebastien Lambla says:

    This cannot work on a core install, because you need to generate the OLE registry key yourself and replace it, as dcomcnfg is not available.

    I’ve been playing around with this for two days and resorted to creating a new AD forest. Quicker and more reliable.

    I wish I found your articles sooner, as they would’ve confirmed my suspicions much earlier and save me a day of procmon and experimenting with security settings! Thanks for the valiant effort though.

    Seb

  89. A. Kevin B. says:

    This article saved me several days of work!  Thanks, Thanks, Thanks!!!

  90. Mike Gibbs says:

    I followed this as far as step 5 but I don’t have a directory

    ProgramData\Microsoft\Windows\Hyper-V on my W2K8 Server

    I cannot find a file called InitialStore.xml

  91. Pieter says:

    Step 2B fails on US English W2K8:

    "Group cannot be specified along with other identification conditions."

    Looking at the firewall rules, there are three inbound rules and one outbound rule, resembling the name, neither an exact match:

    "Windows Management Instrumentation (ASync-In)"

    "Windows Management Instrumentation (DCOM-In)"

    "Windows Management Instrumentation (WMI-In)"

    "Windows Management Instrumentation (WMI-Out)"

    I really feel spoiled by how simple it is to use VMWare Server, no need for a 5 part series on how to get the remote functionality to work.

    Will RTM automate this manual configuration process to allow "seamless" remote management?

  92. Ron says:

    I’m stuck on step 5.

    I navigate to ProgramData\Microsoft\Windows but there is no Hyper-V folder.

    Hyper-V is running on core and I’m trying to access it through Vista SP1.

  93. Tore Lervik says:

    I see PingBack isn’t a very good feature in most blogs.

    Sorry about the spam John, feel free to remove the comments above! :)

  94. Franck says:

    and if I need to delegate one user administer one VM, not the entire Hyper-V machine…

    How should I do ?

  95. Alfred says:

    Thank you for spending the 2+ hours to capture this for us. It really made my life so much easier: I would not have figured this out myself this side of Christmas!

    Thank you!!!

  96. NL says:

    Hi,

    Great write up! Just one question…do I need to reboot the server everytime I add a new hyper-v user in azman? Or is the reboot required only for initial setup of the remote management?

    Thanks!

  97. Amir says:

    John, Great detailed information and walk-through! Thank you for your time and sharing it.

    However, I have not been able to connect and I am getting the same "WMI:Access Denied" issue as Derek mentioned above with the difference that I am running Vista on my physical laptop.

    My laptop is joined to the domain of business corporation and the Windows Server 2008 is part of a workgroup at my home.  I have followed all the steps to the letter.  The Remote Server Administration Tools for the Hyper-V Tool is also enabled and properly allowed through firewall extensions.  I can Remote Desktop to the server just fine and as extra caution I have added the server IP address to my "hosts" file as well.  When I try to connect to the server from Vista Hyper-V Manager, after a few seconds, I get "the operation on computer ‘<the server IP address>’ failed".

    Any idea, what is missing?

    BTW, I initially posted this comment by mistake to Part 3 which is for Core installation.  I have full WIN2K8 installation.

    Thanks,

    Amir

  98. Amir says:

    John, further to my note above, I learned that possibly the firewall setting on my laptop is blocking the inbound communication. These firewall settings are controlled by the firewall rules in the  Local Security Policy.  I even cannot ping my laptop from the WIN2K8 server and get timed out while on the other hand I can do remote desktop to the server from my laptop.

    Do you know what inbound or outbound firewall rules I need to enable in order to get Hyper-V Manager on my Vista laptop (joined to a domain) communicate with my WIN2K8 server (on a local work group)?

    Thanks for any tips.

    Amir

  99. Asshen says:

    Is it just me, or did Microsoft make this much too complicated ???

  100. Tim Chen says:

    Hey John just wanted to say thanks for the help but now I have run into some real problems.

    I am not using remote management tool, but am instead going into RDP and have tried KVM to get Hyper V to work.

    I have failed miserably and no matter what I try I can’t create VMs and cannot do anything except "remove server"

    I am hopelessly lost with a "you might not have permission to perform this task error"

    Help ! =)

    Troubled Tim-

  101. zvzvz says:

    ow after 3rd party AV and firewall  application have been installed on the client machine.

    Thanks,

  102. Joe says:

    You keep posting "You do not have the "requested" permission to complete this task. "

    However the error actually reads:

    "You do not have the REQUIRED permission to complete this task".

    It was difficult to find this page because the correct search string in Google was not found.

  103. Chandru says:

    Hi John,

    I have installed Hyper-V on Windows Server 2008 Core. I have installed the Hyper-V Manager in my Windows Vista Client

    The Server and Vista are connected in a domain, also I have administrator rights on both boxes.

    My Windows Firewall is turned off in Vista box, I am able to connect to the core server using Hyper-V Manager, but it always says "The Operation on Computer ‘servername’ Failed". I see all the options active but I am unable to create a new Virtual Machine on the server or configure VM Switch

    I went through all five of your series and followed all the steps and am still getting the same error.

    When I tried to approach KB950050 and KB966589 patches, it says it does not apply to the system.

    Please point me how to fix this issue and where I am going wrong

    thanks,

    Chandru

  104. Lduval says:

    Hi John,

    Could you please write a similar guide for "Hyper-V Server 2008" (Baremetal). I can’t apply this one to connect with Vista on an Hyper-V in Workgroup BECAUSE there is nothing like DCOMCNFG in  "Hyper-V Server 2008" (which is not a real Core Server).

  105. Mathew says:

    Those links to the management tools don’t work, and I can’t find the tools anywhere. Any ideas?

  106. jerrold Morris says:

    John,

    I’m still trying to run hyper-v on Vista to manage server core.

    Thanks for the great tool.  I downloaded it and have the debug info attached below.

    My problem is "WMI: Access Denied."  From your reply to Amir above – when I enter the command

    ‘netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console" ‘

    Thanks,

    Jerrold

    Client Debug:

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.3 20th Nov 2008

    INFO: Computername is ZEUS

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is zeus\vmcmd

    INFO: Assuming /mode:client as the Hyper-V role is not installed

    DEBUG:    Client or Server Mode (1=Client)        1

    DEBUG:    Show mode?                              False

    DEBUG: S: AZMan Update          (1=Yes)           1

    DEBUG: S: Add or Remove User    (1=Add)           0

    DEBUG: S: Add/Remove User/Group                  

    DEBUG: S: Add/Remove Domain                      

    DEBUG: S: Doing DCOM update or display?           1

    DEBUG: S: Domain AZMan update or display          1

    DEBUG: S: Namespaces (1=Cimv2;2=Virtualizaiton)   3

    DEBUG: S: Update FW WMI Remote Mgmt (1=Yes)       0

    DEBUG: S: Update FW Hyper-V (1=Yes)               0

    DEBUG: S: Role Assignment                         Administrator

    DEBUG: C: Update FW Hyper-V Rmt Mgmt Clnt (1=yes) 0

    DEBUG: C: Update FW MMC Exception (1=yes)         0

    DEBUG: C: Update Anon DCOM      (1=Grant)         0

    DEBUG: **START HVREMOTE VERSION**

    TAG Version=0.3

    TAG Date=19th November 2008

    TAG URL=http://code.msdn.microsoft.com/HVRemote/url

    TAG BlogURL=http://blogs.technet.com/jhoward/blah-blah-something-like-this_blah.aspx

    **END HVREMOTE VERSION**

    INFO: Are running the latest version

    ——————————————————

    Server Debug:

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.3 20th Nov 2008

    INFO: Computername is JMSERVER

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is JMSERVERAdministrator

    INFO: Assuming /mode:server as the role is installed

    DEBUG:    Client or Server Mode (1=Client)        2

    DEBUG:    Show mode?                              False

    DEBUG: S: AZMan Update          (1=Yes)           1

    DEBUG: S: Add or Remove User    (1=Add)           0

    DEBUG: S: Add/Remove User/Group                  

    DEBUG: S: Add/Remove Domain                      

    DEBUG: S: Doing DCOM update or display?           1

    DEBUG: S: Domain AZMan update or display          1

    DEBUG: S: Namespaces (1=Cimv2;2=Virtualizaiton)   3

    DEBUG: S: Update FW WMI Remote Mgmt (1=Yes)       0

    DEBUG: S: Update FW Hyper-V (1=Yes)               0

    DEBUG: S: Role Assignment                         Administrator

    DEBUG: C: Update FW Hyper-V Rmt Mgmt Clnt (1=yes) 0

    DEBUG: C: Update FW MMC Exception (1=yes)         0

    DEBUG: C: Update Anon DCOM      (1=Grant)         0

    INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

    DEBUG: Need to connect to virtualization namespace

    DEBUG: ConnectNameSpace Entry: Namespace=rootvirtualization

    DEBUG: ConnectNameSpace Connected to rootvirtualization namespace

    DEBUG: ConnectNameSpace Exit: Namespace=rootvirtualization, RC=0

    DEBUG: Need to get the security desciptor for the CIMv2 namespace

    DEBUG: GetWin32SD(): Get __SystemSecurity

    DEBUG: Current SecurityDescriptor Details:

    DEBUG: GetWin32SD(): Exit RC=0

    DEBUG: Need to get the security desciptor for the virtualization namespace

    DEBUG: GetWin32SD(): Get __SystemSecurity

    DEBUG: Current SecurityDescriptor Details:

    DEBUG: GetWin32SD(): Exit RC=0

    DEBUG: Opening the AZMan policy store

    DEBUG: OpenAuthorizationStore: Enter

    DEBUG: OpenAuthorizationStore: Instantiate StdRegProv

    DEBUG: OpenAuthorizationStore: GetStringValue

    DEBUG: OpenAuthorizationStore: GetStringValue

    DEBUG: Getting localized group name for Distributed COM Users

    DEBUG: GetGroupNameForSID: S-1-5-32-562

    DEBUG: GetGroupNameForSID: RC=0 GroupName=Distributed COM Users

    DEBUG: Distributed COM Users group name (localized) is ‘Distributed COM Users’

    DEBUG: Failed to send

  107. Jerrold Morris says:

    John,

    In the previous message I left out the response I got when I ran on the server :  

    ‘netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console" ‘

    The response is: "The following command was not found …"

    Below is the client response (ran at elevated prompt) and server response (ran as administrator) to hvremote /show.

    Thanks again,

    Jerrold

    Client response:

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.3 20th Nov 2008

    INFO: Computername is ZEUS

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is zeusvmcmd

    INFO: Assuming /mode:client as the Hyper-V role is not installed

    ——————————————————————————-

    DACL for COM Security Access Permissions

    ——————————————————————————-

    Everyone    (S-1-1-0)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTINPerformance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTINDistributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch (7)

    NT AUTHORITYANONYMOUS LOGON    (S-1-5-7)

        Allow: LocalLaunch RemoteLaunch (7)

    ——————————————————————————-

    ANONYMOUS LOGON Machine DCOM Access

    ——————————————————————————-

    WARN: ANONYMOUS LOGON does have remote access

     This setting should only be enabled if required as security on this

     machine has been lowered. It is needed if you need to manage Hyper-V

     on a remote server which is either in an an untrusted domain from this

     machine, or both machines are in a workgroup.

     Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

    ——————————————————————————-

    Firewall Settings for Hyper-V Management Clients

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Hyper-V Management Clients – WMI (Async-In)

      Enabled:  Hyper-V Management Clients – WMI (TCP-Out)

      Enabled:  Hyper-V Management Clients – WMI (TCP-In)

      Enabled:  Hyper-V Management Clients – WMI (DCOM-In)

    ——————————————————————————-

    Windows Firewall exception rule(s) for mmc.exe

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Microsoft Management Console (UDP)

      Enabled:  Microsoft Management Console (TCP)

    INFO: Are running the latest version

    —————————————————————

    Server response:

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.3 20th Nov 2008

    INFO: Computername is ZEUS

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is zeusvmcmd

    INFO: Assuming /mode:client as the Hyper-V role is not installed

    ——————————————————————————-

    DACL for COM Security Access Permissions

    ——————————————————————————-

    Everyone    (S-1-1-0)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTINPerformance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTINDistributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch (7)

    NT AUTHORITYANONYMOUS LOGON    (S-1-5-7)

        Allow: LocalLaunch RemoteLaunch (7)

    ——————————————————————————-

    ANONYMOUS LOGON Machine DCOM Access

    ——————————————————————————-

    WARN: ANONYMOUS LOGON does have remote access

     This setting should only be enabled if required as security on this

     machine has been lowered. It is needed if you need to manage Hyper-V

     on a remote server which is either in an an untrusted domain from this

     machine, or both machines are in a workgroup.

     Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

    ——————————————————————————-

    Firewall Settings for Hyper-V Management Clients

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Hyper-V Management Clients – WMI (Async-In)

      Enabled:  Hyper-V Management Clients – WMI (TCP-Out)

      Enabled:  Hyper-V Management Clients – WMI (TCP-In)

      Enabled:  Hyper-V Management Clients – WMI (DCOM-In)

    ——————————————————————————-

    Windows Firewall exception rule(s) for mmc.exe

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Microsoft Management Console (UDP)

      Enabled:  Microsoft Management Console (TCP)

    INFO: Are running the latest version

  108. Jerrold Morris says:

    John,

    I’m sorry for the mistake.  Here’s the client response:

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.3 20th Nov 2008

    INFO: Computername is JMSERVER

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is JMSERVERAdministrator

    INFO: Assuming /mode:server as the role is installed

    INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

    ——————————————————————————-

    DACL for WMI Namespace rootcimv2

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    BUILTINAdministrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITYNETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITYLOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITYAuthenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    DACL for WMI Namespace rootvirtualization

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    BUILTINAdministrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITYNETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITYLOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITYAuthenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    Contents of Authorization Store Policy

    ——————————————————————————-

    Hyper-V Registry configuration:

    – Store: msxml://C:ProgramDataMicrosoftWindowsHyper-VInitialStore.xml

    – Service Application: Hyper-V services

    Application Name: Hyper-V services

    Operation Count: 33

       100 – Read Service Configuration

       105 – Reconfigure Service

       200 – Create Virtual Switch

       205 – Delete Virtual Switch

       210 – Create Virtual Switch Port

       215 – Delete Virtual Switch Port

       220 – Connect Virtual Switch Port

       225 – Disconnect Virtual Switch Port

       230 – Create Internal Ethernet Port

       235 – Delete Internal Ethernet Port

       240 – Bind External Ethernet Port

       245 – Unbind External Ethernet Port

       250 – Change VLAN Configuration on Port

       255 – Modify Switch Settings

       260 – Modify Switch Port Settings

       265 – View Switches

       270 – View Switch Ports

       275 – View External Ethernet Ports

       280 – View Internal Ethernet Ports

       285 – View VLAN Settings

       290 – View LAN Endpoints

       295 – View Virtual Switch Management Service

       300 – Create Virtual Machine

       305 – Delete Virtual Machine

       310 – Change Virtual Machine Authorization Scope

       315 – Start Virtual Machine

       320 – Stop Virtual Machine

       325 – Pause and Restart Virtual Machine

       330 – Reconfigure Virtual Machine

       335 – View Virtual Machine Configuration

       340 – Allow Input to Virtual Machine

       345 – Allow Output from Virtual Machine

       350 – Modify Internal Ethernet Port

    1 role assignment(s) were located

    Role Assignment ‘Administrator’ (Targetted Role Assignment)

      – All Hyper-V operations are selected

      – There are 1 member(s) for this role assignment

      – BUILTINAdministrators (S-1-5-32-544)

    ——————————————————————————-

    Contents of Group Distributed COM Users

    ——————————————————————————-

    2 member(s) are in Distributed COM Users

      – JMSERVERdev1

      – JMSERVERvmcmd

    ——————————————————————————-

    DACL for COM Security Launch and Activation Permissions

    ——————————————————————————-

    BUILTINAdministrators    (S-1-5-32-544)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    Everyone    (S-1-1-0)

        Allow: LocalLaunch LocalActivation (11)

    BUILTINDistributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    BUILTINPerformance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    ——————————————————————————-

    Firewall Settings for Hyper-V

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Hyper-V (SPL-TCP-In)

      Enabled:  Hyper-V (RPC)

      Enabled:  Hyper-V (RPC-EPMAP)

      Enabled:  Hyper-V – WMI (Async-In)

      Enabled:  Hyper-V – WMI (TCP-Out)

      Enabled:  Hyper-V – WMI (TCP-In)

      Enabled:  Hyper-V – WMI (DCOM-In)

    ——————————————————————————-

    Firewall Settings for Windows Management Instrumentation (WMI)

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Windows Management Instrumentation (ASync-In)

      Enabled:  Windows Management Instrumentation (WMI-Out)

      Enabled:  Windows Management Instrumentation (WMI-In)

      Enabled:  Windows Management Instrumentation (DCOM-In)

    Note: Above firewall settings are not required for Hyper-V Remote Management

    Thanks,

    Jerrold
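The `/show` output above prints each WMI namespace ACE as a list of labels plus a number, and states that remote management needs Allow, EnabAct and RemEnab. The following is an added example (not part of HVRemote or of any comment here) that parses text in that shape, decodes the masks with the documented WBEM access-right values, and reports which required rights a given set of token SIDs lacks. The sample DACL text is constructed from values shown in the thread, the `vmcmd` user SID is a placeholder, and only `Allow:` entries are handled.

```python
import re

# WMI namespace access-right bits (documented WBEM values), keyed by the
# short labels that the HVRemote /show output prints.
ACCESS_BITS = {
    "EnabAct": 0x1,      # WBEM_ENABLE
    "Exec":    0x2,      # WBEM_METHOD_EXECUTE
    "FullWrt": 0x4,      # WBEM_FULL_WRITE_REP
    "PartWrt": 0x8,      # WBEM_PARTIAL_WRITE_REP
    "ProvWrt": 0x10,     # WBEM_WRITE_PROVIDER
    "RemEnab": 0x20,     # WBEM_REMOTE_ACCESS
    "RdSec":   0x20000,  # READ_CONTROL
    "EdSec":   0x40000,  # WRITE_DAC
}
REQUIRED = ("EnabAct", "RemEnab")  # per the "Required for ..." line in the output

TRUSTEE_RE = re.compile(r"^\s*(?P<trustee>\S.*?)\s+\((?P<sid>S-1-[0-9-]+)\)\s*$")
ALLOW_RE = re.compile(r"^\s*Allow:.*\((?P<mask>\d+)\)\s*$")
FLAGS_RE = re.compile(r"^\s*Flags:.*\((?P<flags>\d+)\)\s*$")

# Constructed samples in the shape of the /show output.
DACL_ADMINS_ONLY = r"""
BUILTIN\Administrators    (S-1-5-32-544)
    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)
    Flags: InheritAce InheritedAce ValidInheritFlags  (18)
NT AUTHORITY\Authenticated Users    (S-1-5-11)
    Allow: Exec ProvWrt EnabAct (19)
    Flags: InheritAce InheritedAce ValidInheritFlags  (18)
"""
DACL_WITH_USER_ACE = r"""
MORSTAINHYPERV\kmorstain    (S-1-5-21-486983877-1426526351-2331221960-1001)
    Allow: EnabAct RemEnab (33)
    Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)
""" + DACL_ADMINS_ONLY


def decode(mask):
    """Return the labels set in an access mask; unknown bits come back as hex."""
    names = [name for name, bit in ACCESS_BITS.items() if mask & bit]
    leftover = mask & ~sum(ACCESS_BITS.values())
    if leftover:
        names.append(hex(leftover))
    return names


def parse_dacl(text):
    """Parse trustee / Allow / Flags triples into a list of ACE dicts."""
    aces, current = [], None
    for line in text.splitlines():
        m = TRUSTEE_RE.match(line)
        if m:
            if current and "mask" in current:
                aces.append(current)
            current = {"trustee": m["trustee"], "sid": m["sid"], "flags": 0}
            continue
        if current is None:
            continue
        m = ALLOW_RE.match(line)
        if m:
            current["mask"] = int(m["mask"])
            continue
        m = FLAGS_RE.match(line)
        if m:
            current["flags"] = int(m["flags"])
    if current and "mask" in current:
        aces.append(current)
    return aces


def effective_mask(aces, token_sids):
    """Allow ACEs accumulate: union the masks of every ACE matching the token."""
    mask = 0
    for ace in aces:
        if ace["sid"] in token_sids:
            mask |= ace["mask"]
    return mask


def missing_rights(aces, token_sids):
    """Required rights the token does not hold; an empty list means it has them."""
    have = effective_mask(aces, token_sids)
    return [name for name in REQUIRED if not have & ACCESS_BITS[name]]


# Token of a non-administrator local user: own SID (placeholder), Everyone,
# Authenticated Users and Distributed COM Users.
NONADMIN_TOKEN = {"S-1-5-21-0-0-0-1001", "S-1-1-0", "S-1-5-11", "S-1-5-32-562"}
USER_ACE_TOKEN = {"S-1-5-21-486983877-1426526351-2331221960-1001",
                  "S-1-1-0", "S-1-5-11"}

if __name__ == "__main__":
    for ace in parse_dacl(DACL_WITH_USER_ACE):
        print(f'{ace["trustee"]:<40} {decode(ace["mask"])}')
    print("non-admin, admins-only DACL, missing:",
          missing_rights(parse_dacl(DACL_ADMINS_ONLY), NONADMIN_TOKEN))
    print("user with own ACE, missing:",
          missing_rights(parse_dacl(DACL_WITH_USER_ACE), USER_ACE_TOKEN))
```

Membership of Distributed COM Users covers the DCOM launch and activation DACL only; it appears in no namespace ACE here, so it adds nothing to the WMI mask.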

  109. Exhotic Hadron says:

    John,

    I am having these problems connecting to vmms (Virtual Machine Management) service on server! I am running the Hyper-V Manager snap-in under the default Administrator account which is as always a member of BUILTIN\Administrators group.

    But when I select in the Hyper-V Manager, I get the snap-in connecting to the service and then the notorious "You might not have permission to perform this task". (No message to contact administrator or whoever it might be)

    This is observed on PDC build of Windows Server 2008 R2 (Windows Server 7). Any clue?

    I checked all the permissions for WMI and DCOM and they are all FULL CONTROL for BUILTIN\Administrators.

    I installed both the Hyper-V role AND the RSAT-Hyper-V feature. Could it be that I should NOT install RSAT on the same computer where I am running the Hyper-V role?

    Quite interesting, I was unable to install Hyper-V role using the Server Manager snap-in. I was getting errors from UI reported by CLR debugger.

    I was lucky to install the role only after I tried ServerManagerCMD.exe -install Hyper-V -allSubFeatures -restart

    Any clue how to get this working?

    BTW, this is what I get in Event Viewer

    Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin

    Source:        Microsoft-Windows-Hyper-V-VMMS

    Date:          11/30/2008 7:32:59 AM

    Event ID:      14098

    Task Category: None

    Level:         Error

    Keywords:      

    User:          SYSTEM

    Computer:      Server7

    Description:

    One or more driver required by the Virtual Machine Management service is not installed or is disabled. Try reinstalling the Hyper-V role.

    and right after that I get

    Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin

    Source:        Microsoft-Windows-Hyper-V-VMMS

    Date:          11/30/2008 7:32:59 AM

    Event ID:      14096

    Task Category: None

    Level:         Error

    Keywords:      

    User:          SYSTEM

    Computer:      Server7

    Description:

    Virtual Machine Management service failed to start.

  110. Mike S. says:

    Ran through it a couple times and get the error:

    The Virtual Machine Management service is not available.

    when trying to run the Hyper-V Manager on the client.

    I can start the Hyper-V Manager on the server with no problem

    workgroup environment, no firewalls, host entries used to ensure name resolution, passwords verified to be the same, user an admin on both server and workstation.

    I can use the edit disk option to "view" disks on the server… just not connect to the management service.

    Very strange. Any ideas anyone?

  111. Jerrold says:

    John,

    I’m running!!! Thanks so much for the help and the great tool!

    If you’re free we’d love to have you this year (late Oct.) at Tulsa TechFest where you could present to about 500 people.  Just let us know if you should have the time (another vacation maybe ;<) ) to be here.

    Thanks again,

    Jerrold

  112. Scott says:

    Does anyone know about the standalone install of Hyper-V server? I have installed it and read everything I can, but I can not connect. I have the Hyper-V server installed, configured the name and IP (non domain) set the user and on my Vista SP1 computer with Hyper-V server tried to connect (same user name as server). I can not ping the HV server, but the HV server can ping my laptop.  I have tried the commands on these pages but my Hyper-V server does not recognise most of the commands, such as netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

    Any help would be muchly appreciated.

    Thanks

  113. Mike says:

    This won’t work in a Hyper-V server since it has no GUI, so what good is this??????????????????????????????????

  114. Jörn Sierwald says:

    I followed the instructions and I am able to remotely configure Hyper-V from a Vista machine that is in the same domain as the server. I can create, start and stop VMs. However, I cannot connect to one, the server asks me for username and password and rejects everything I try, even admin account. What privilege is required to _connect_ to a VM?

  115. I dont understand says:

    All other solutions I’ve tested use the same principle. You install the server then you connect against the server using the current server IP. When asked you enter credentials and voila.

    I can’t for my life understand how MS can release a free tool like Hyper-V and then make it impossible (or just very difficult) to use at home or in a closed testing environment where you most often don’t sit on DNS and DOMAIN servers.

  116. cslim says:

    I wonder why we can’t create an icon "enable remote access" or "allow <login name>" to access this Hyper-V. I agree this Hyper-V is helpful, but when it comes to "remote administrative" tasks: nightmare!!!

  117. Siavash says:

    I just wanted to know how I can restrict "clipboard sharing" in vmconnect for a standard user

    It’s not in operations in AZman.msc

    please help me

    THX

  118. David says:

    Hi John

    Just trying out the new Hyper V r2 RC with Windows 7 and the RSAT tools. I get the same error as mentioned originally for the Hyper V (Release 1). The requirement to do enabled and follow all the instructions above shouldn’t be required should it?

    If so using this product in a DMZ environment will be very very painful, let alone an internal network.

    Cheers

  119. Shiva says:

    Hi John,

     We are facing a situation in VM Connect. We have a HyperV Server hosting VM’s and this Host Server is available over the internet. Therefore any client machine with RDP Client will be able to connect to a VM via port 2179. The question is if the client machine is behind a firewall, is it required that the firewall has to open port 2179? Also if the server is behind a firewall, are there any specific settings to be taken care of? If you have any information related to this please share with us as this will be of great help to us.

    Thanks and Regards

    Sivakumar

  120. Shiva says:

    Hi John,

     We were trying to make a VMConnect from a Windows Server 2008 (A) to a Hyper-V VM hosted on another Windows Server 2008 box(B).  When we close the application, Windows Server 2008 (A) system restarts!! Please let me know if you have any thoughts on the same.

    Thanks

    Shiva

  121. Axel Dahmen says:

    Hi, John, to Shiva you wrote: "I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces."

    Er, this is exactly what I want to do with Hyper-V… Use it as the core of my three (virtual) web servers.

    I thought it was a common scenario to maintain them all using SCVMM/SCOM?

  122. Ryan says:

    Hi John,

    In our environment we are using a work group server and domain connected clients.  We have 2 people who use a Vista client to remotely manage a server core.  Everything was working.  We now both get "You do not have the required permission to complete this task. " The passwords are kept up to date from our laptops to our server.  We can not only not manage Hyper-V but we cannot use any remote management MMCs.  This was originally set up using your guide and I have since tried to confirm settings using your hvremote.wsf routine on server and workstation.  I have not gotten a chance to restart the server to see if this solves the issue as there are production VMs on the system.  Any suggestions?

  123. Kent says:

    All this is great if you have a gui.  In standalone there is no gui.  I have followed and followed again the steps for HVRemote in a workgroup with no success.  

    I get the dreaded "You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’"

    Everything I find seems to point back to GUI.

    Please help.

    Kent

  124. Kent says:

    Client Show:kmorstain-pc

    C:UserskmorstainDownloads>cscript hvremote.wsf /show /targetcomputer:morstain

    hyperv

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Hyper-V Team, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.7 7th August 2009

    INFO: Computername is KMORSTAIN-PC

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is kmorstain-PCkmorstain

    INFO: Assuming /mode:client as the Hyper-V role is not installed

    INFO: Build 6001.18226.x86fre.vistasp1_gdr.090302-1506

    INFO: This machine has Hyper-V Management Client installed (KB952627)

    ——————————————————————————-

    DACL for COM Security Access Permissions

    ——————————————————————————-

    Everyone    (S-1-1-0)

        Allow: LocalLaunch RemoteLaunch (7)

    NT AUTHORITYANONYMOUS LOGON    (S-1-5-7)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTINDistributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTINPerformance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch (7)

    ——————————————————————————-

    ANONYMOUS LOGON Machine DCOM Access

    ——————————————————————————-

    ANONYMOUS LOGON has remote access

    ——————————————————————————-

    Firewall Settings for Hyper-V Management Clients

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Hyper-V Management Clients – WMI (Async-In)

      Enabled:  Hyper-V Management Clients – WMI (TCP-Out)

      Enabled:  Hyper-V Management Clients – WMI (TCP-In)

      Enabled:  Hyper-V Management Clients – WMI (DCOM-In)

    ——————————————————————————-

    Windows Firewall exception rule(s) for mmc.exe

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Microsoft Management Console (UDP)

      Enabled:  Microsoft Management Console (TCP)

    ——————————————————————————-

    IP Configuration

    ——————————————————————————-

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : kmorstain-PC

      Primary Dns Suffix  . . . . . . . :

      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : No

      WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

      Physical Address. . . . . . . . . : 00-0C-29-6E-5A-10

      DHCP Enabled. . . . . . . . . . . : Yes

      Autoconfiguration Enabled . . . . : Yes

      Link-local IPv6 Address . . . . . : fe80::388e:3839:3775:f77%8(Preferred)

      IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Lease Obtained. . . . . . . . . . : Friday, August 21, 2009 11:16:39 AM

      Lease Expires . . . . . . . . . . : Saturday, August 22, 2009 11:16:39 AM

      Default Gateway . . . . . . . . . : 192.168.1.1

      DHCP Server . . . . . . . . . . . : 192.168.1.1

      DNS Servers . . . . . . . . . . . : 192.168.1.1

      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

      Media State . . . . . . . . . . . : Media disconnected

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : isatap.{B24A0310-B9E9-4D63-8D92-FCB2E587D

    567}

      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

      Physical Address. . . . . . . . . : 02-00-54-55-4E-01

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

      IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:3cf2:2228:3f57:fefb(Pref

    erred)

      Link-local IPv6 Address . . . . . : fe80::3cf2:2228:3f57:fefb%10(Preferred)

      Default Gateway . . . . . . . . . : ::

      NetBIOS over Tcpip. . . . . . . . : Disabled

    ——————————————————————————-

    Stored Credentials

    ——————————————————————————-

    Currently stored credentials:

       Target: morstainhyperv

       Type: Domain Password

       User: morstainhypervaccount

    INFO: Are running the latest version

    ——————————————————————————-

    Did you know…. HVRemote can help diagnose common errors?

    Instead of running HVRemote /show, run HVRemote /show /target:servername.

    This runs a series of tests against the server to verify connectivity.

    Note that there is documentation on the HVRemote site to assist with the

    most commonly asked questions. Please consult that before asking for

    assistance.

    ——————————————————————————-

    Server Show morstainhyperv

    C:hvremote>cscript hvremote.wsf /show /targetcomputer:kmorstain-pc

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Hyper-V Team, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.7 7th August 2009

    INFO: Computername is MORSTAINHYPERV

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is MORSTAINHYPERVAdministrator

    INFO: Assuming /mode:server as the role is installed

    INFO: Build 6002.18005.amd64fre.lh_sp2rtm.090410-1830

    ——————————————————————————-

    DACL for WMI Namespace rootcimv2

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    MORSTAINHYPERV\Administrator    (S-1-5-21-486983877-1426526351-2331221960-500)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    MORSTAINHYPERV\kmorstain    (S-1-5-21-486983877-1426526351-2331221960-1001)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    DACL for WMI Namespace root\virtualization

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    MORSTAINHYPERV\Administrator    (S-1-5-21-486983877-1426526351-2331221960-500)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    MORSTAINHYPERV\kmorstain    (S-1-5-21-486983877-1426526351-2331221960-1001)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    Contents of Authorization Store Policy

    ——————————————————————————-

    Hyper-V Registry configuration:

    – Store: msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

    – Service Application: Hyper-V services

    Application Name: Hyper-V services

    Operation Count: 33

       100 – Read Service Configuration

       105 – Reconfigure Service

       200 – Create Virtual Switch

       205 – Delete Virtual Switch

       210 – Create Virtual Switch Port

       215 – Delete Virtual Switch Port

       220 – Connect Virtual Switch Port

       225 – Disconnect Virtual Switch Port

       230 – Create Internal Ethernet Port

       235 – Delete Internal Ethernet Port

       240 – Bind External Ethernet Port

       245 – Unbind External Ethernet Port

       250 – Change VLAN Configuration on Port

       255 – Modify Switch Settings

       260 – Modify Switch Port Settings

       265 – View Switches

       270 – View Switch Ports

       275 – View External Ethernet Ports

       280 – View Internal Ethernet Ports

       285 – View VLAN Settings

       290 – View LAN Endpoints

       295 – View Virtual Switch Management Service

       300 – Create Virtual Machine

       305 – Delete Virtual Machine

       310 – Change Virtual Machine Authorization Scope

       315 – Start Virtual Machine

       320 – Stop Virtual Machine

       325 – Pause and Restart Virtual Machine

       330 – Reconfigure Virtual Machine

       335 – View Virtual Machine Configuration

       340 – Allow Input to Virtual Machine

       345 – Allow Output from Virtual Machine

       350 – Modify Internal Ethernet Port

    1 role assignment(s) were located

    Role Assignment ‘Administrator’ (Targetted Role Assignment)

      – All Hyper-V operations are selected

      – There are 3 member(s) for this role assignment

      – BUILTIN\Administrators (S-1-5-32-544)

      – MORSTAINHYPERV\Administrator (S-1-5-21-486983877-1426526351-2331221960-500)

      – MORSTAINHYPERV\kmorstain (S-1-5-21-486983877-1426526351-2331221960-1001)

    ——————————————————————————-

    Contents of Group Distributed COM Users

    ——————————————————————————-

    2 member(s) are in Distributed COM Users

      – MORSTAINHYPERV\Administrator

      – MORSTAINHYPERV\kmorstain

    ——————————————————————————-

    DACL for COM Security Launch and Activation Permissions

    ——————————————————————————-

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    Everyone    (S-1-1-0)

        Allow: LocalLaunch LocalActivation (11)

    BUILTIN\Distributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    BUILTIN\Performance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    ——————————————————————————-

    Firewall Settings for Hyper-V

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Hyper-V (SPL-TCP-In)

      Enabled:  Hyper-V (RPC)

      Enabled:  Hyper-V (RPC-EPMAP)

      Enabled:  Hyper-V – WMI (Async-In)

      Enabled:  Hyper-V – WMI (TCP-Out)

      Enabled:  Hyper-V – WMI (TCP-In)

      Enabled:  Hyper-V – WMI (DCOM-In)

    ——————————————————————————-

    Firewall Settings for Windows Management Instrumentation (WMI)

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Windows Management Instrumentation (ASync-In)

      Enabled:  Windows Management Instrumentation (WMI-Out)

      Enabled:  Windows Management Instrumentation (WMI-In)

      Enabled:  Windows Management Instrumentation (DCOM-In)

    Note: Above firewall settings are not required for Hyper-V Remote Management

    ——————————————————————————-

    IP Configuration

    ——————————————————————————-

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : MorstainHyperV

      Primary Dns Suffix  . . . . . . . :

      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : No

      WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E

    GBE NIC

      Physical Address. . . . . . . . . : 00-24-21-32-08-12

      DHCP Enabled. . . . . . . . . . . : Yes

      Autoconfiguration Enabled . . . . : Yes

      Link-local IPv6 Address . . . . . : fe80::60d6:7bf:526e:88ac%3(Preferred)

      IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Lease Obtained. . . . . . . . . . : Friday, August 21, 2009 10:48:06 AM

      Lease Expires . . . . . . . . . . : Monday, September 27, 2145 6:50:21 PM

      Default Gateway . . . . . . . . . : 192.168.1.1

      DHCP Server . . . . . . . . . . . : 192.168.1.1

      DHCPv6 IAID . . . . . . . . . . . : 50340897

      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-18-14-3C-00-24-21-32-08-12

      DNS Servers . . . . . . . . . . . : 192.168.1.1

      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection*:

      Media State . . . . . . . . . . . : Media disconnected

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : isatap.{7B8AC60A-FB1B-4DEB-B054-063DC6EDA

    300}

      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 2:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

      Physical Address. . . . . . . . . : 02-00-54-55-4E-01

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

      IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:38bb:384b:3f57:fefa(Pref

    erred)

      Link-local IPv6 Address . . . . . : fe80::38bb:384b:3f57:fefa%5(Preferred)

      Default Gateway . . . . . . . . . : ::

      NetBIOS over Tcpip. . . . . . . . : Disabled

    INFO: Are running the latest version

    ——————————————————————————-

    Did you know…. HVRemote can help diagnose common errors?

    Instead of running HVRemote /show, run HVRemote /show /target:clientname.

    This runs tests against the client to verify potential connectivity issues.

    Note that there is documentation on the HVRemote site to assist with the

    most commonly asked questions. Please consult that before asking for

    assistance.

    ——————————————————————————-

  125. Kent says:

    The client's hvremote show has an error:

    Failed to connect to root\cimv2

    Error: -2147024891

    So I tried the first step on the server to add user.

    When I try and run hvremote /add:kmorstain I get access denied on the server.

    I did add it as a net user and that worked.  I guess they are not the same.

    Suggestions?

    Kent

  126. Kent says:

    John, sorry about that:  Please see below.

    Thanks in advance,

    Kent

    Client

    C:\Users\kmorstain\Downloads>cscript hvremote.wsf /show /target:morstainhyperv

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Hyper-V Team, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.7 7th August 2009

    INFO: Computername is KMORSTAIN-PC

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is kmorstain-PC\kmorstain

    INFO: Assuming /mode:client as the Hyper-V role is not installed

    INFO: Build 6001.18226.x86fre.vistasp1_gdr.090302-1506

    INFO: This machine has Hyper-V Management Client installed (KB952627)

    ——————————————————————————-

    DACL for COM Security Access Permissions

    ——————————————————————————-

    Everyone    (S-1-1-0)

        Allow: LocalLaunch RemoteLaunch (7)

    NT AUTHORITY\ANONYMOUS LOGON    (S-1-5-7)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTIN\Distributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTIN\Performance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch (7)

    ——————————————————————————-

    ANONYMOUS LOGON Machine DCOM Access

    ——————————————————————————-

    ANONYMOUS LOGON has remote access

    ——————————————————————————-

    Firewall Settings for Hyper-V Management Clients

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Hyper-V Management Clients – WMI (Async-In)

      Enabled:  Hyper-V Management Clients – WMI (TCP-Out)

      Enabled:  Hyper-V Management Clients – WMI (TCP-In)

      Enabled:  Hyper-V Management Clients – WMI (DCOM-In)

    ——————————————————————————-

    Windows Firewall exception rule(s) for mmc.exe

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Microsoft Management Console (UDP)

      Enabled:  Microsoft Management Console (TCP)

    ——————————————————————————-

    IP Configuration

    ——————————————————————————-

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : kmorstain-PC

      Primary Dns Suffix  . . . . . . . :

      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : No

      WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

      Physical Address. . . . . . . . . : 00-0C-29-6E-5A-10

      DHCP Enabled. . . . . . . . . . . : Yes

      Autoconfiguration Enabled . . . . : Yes

      Link-local IPv6 Address . . . . . : fe80::388e:3839:3775:f77%8(Preferred)

      IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Lease Obtained. . . . . . . . . . : Friday, August 21, 2009 11:16:39 AM

      Lease Expires . . . . . . . . . . : Saturday, August 22, 2009 11:16:38 AM

      Default Gateway . . . . . . . . . : 192.168.1.1

      DHCP Server . . . . . . . . . . . : 192.168.1.1

      DNS Servers . . . . . . . . . . . : 192.168.1.1

      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

      Media State . . . . . . . . . . . : Media disconnected

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : isatap.{B24A0310-B9E9-4D63-8D92-FCB2E587D

    567}

      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

      Physical Address. . . . . . . . . : 02-00-54-55-4E-01

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

      IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:3cf2:2228:3f57:fefb(Pref

    erred)

      Link-local IPv6 Address . . . . . : fe80::3cf2:2228:3f57:fefb%10(Preferred)

      Default Gateway . . . . . . . . . : ::

      NetBIOS over Tcpip. . . . . . . . : Disabled

    ——————————————————————————-

    Stored Credentials

    ——————————————————————————-

    Currently stored credentials:

       Target: morstainhyperv

       Type: Domain Password

       User: morstainhyperv\account

    ——————————————————————————-

    Testing connectivity to server:morstainhyperv

    ——————————————————————————-

    1: – nslookup for DNS verification.

        Note that failure is OK if you don’t have a DNS infrastructure

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Server:  UnKnown

    Address:  192.168.1.1

    *** UnKnown can’t find morstainhyperv: Non-existent domain

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    2: – ping attempt (ping -4 -n -1 morstainhyperv)

        Note the ping may timeout – that is OK. However, if you get an

        error that morstainhyperv could not be found, you need to fix DNS

        or add an entry to the hosts file. Test 3 will fail and provide more

        guidance.

        This may take a second or two…

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Pinging morstainhyperv [192.168.1.5] with 32 bytes of data:

    Reply from 192.168.1.5: bytes=32 time=7ms TTL=128

    Ping statistics for 192.168.1.5:

       Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

       Minimum = 7ms, Maximum = 7ms, Average = 7ms

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    3: – Connect to root\cimv2 WMI namespace

    ***** Failed to connect to root\cimv2

    ***** Error:     -2147024891 Access is denied.

    ***** Namespace: root\cimv2

        FAIL – Was unable to connect. Diagnosis steps:

        – Have you run hvremote /add:user or hvremote /add:domain\user

          on morstainhyperv to grant access?

        – Are you sure the server name ‘morstainhyperv’ is correct?

        – Did you use cmdkey if needed? More information higher up.

        – Did you restart morstainhyperv after running hvremote /add for

          the very first time? (Subsequent adds, no restart needed.)

        – Is DNS operating correctly and was morstainhyperv found?

          Look at the output of tests 1 and 2 above to verify that the

          IPv4 address matches the output of ‘ipconfig /all’ when run on

          morstainhyperv. If you do not have a DNS infrastructure,

          edit windows\system32\drivers\etc on KMORSTAIN-PC

          to add an entry for morstainhyperv.

    INFO: Are running the latest version

    ——————————————————————————-

    1 warning(s) or error(s) were found in the configuration. Review the

    detailed output above to determine whether you need to take further action.

    Summary is below.

    1: Cannot connect to root\cimv2 on morstainhyperv

    ——————————————————————————-

    C:\Users\kmorstain\Downloads>

    Server:

    DACL for WMI Namespace root\cimv2

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    MORSTAINHYPERV\Administrator    (S-1-5-21-486983877-1426526351-2331221960-500)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    MORSTAINHYPERV\kmorstain    (S-1-5-21-486983877-1426526351-2331221960-1001)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    DACL for WMI Namespace root\virtualization

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    MORSTAINHYPERV\Administrator    (S-1-5-21-486983877-1426526351-2331221960-500)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    MORSTAINHYPERV\kmorstain    (S-1-5-21-486983877-1426526351-2331221960-1001)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    Contents of Authorization Store Policy

    ——————————————————————————-

    Hyper-V Registry configuration:

    – Store: msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

    – Service Application: Hyper-V services

    Application Name: Hyper-V services

    Operation Count: 33

       100 – Read Service Configuration

       105 – Reconfigure Service

       200 – Create Virtual Switch

       205 – Delete Virtual Switch

       210 – Create Virtual Switch Port

       215 – Delete Virtual Switch Port

       220 – Connect Virtual Switch Port

       225 – Disconnect Virtual Switch Port

       230 – Create Internal Ethernet Port

       235 – Delete Internal Ethernet Port

       240 – Bind External Ethernet Port

       245 – Unbind External Ethernet Port

       250 – Change VLAN Configuration on Port

       255 – Modify Switch Settings

       260 – Modify Switch Port Settings

       265 – View Switches

       270 – View Switch Ports

       275 – View External Ethernet Ports

       280 – View Internal Ethernet Ports

       285 – View VLAN Settings

       290 – View LAN Endpoints

       295 – View Virtual Switch Management Service

       300 – Create Virtual Machine

       305 – Delete Virtual Machine

       310 – Change Virtual Machine Authorization Scope

       315 – Start Virtual Machine

       320 – Stop Virtual Machine

       325 – Pause and Restart Virtual Machine

       330 – Reconfigure Virtual Machine

       335 – View Virtual Machine Configuration

       340 – Allow Input to Virtual Machine

       345 – Allow Output from Virtual Machine

       350 – Modify Internal Ethernet Port

    1 role assignment(s) were located

    Role Assignment ‘Administrator’ (Targetted Role Assignment)

      – All Hyper-V operations are selected

      – There are 3 member(s) for this role assignment

      – BUILTIN\Administrators (S-1-5-32-544)

      – MORSTAINHYPERV\Administrator (S-1-5-21-486983877-1426526351-2331221960-500)

      – MORSTAINHYPERV\kmorstain (S-1-5-21-486983877-1426526351-2331221960-1001)

    ——————————————————————————-

    Contents of Group Distributed COM Users

    ——————————————————————————-

    2 member(s) are in Distributed COM Users

      – MORSTAINHYPERV\Administrator

      – MORSTAINHYPERV\kmorstain

    ——————————————————————————-

    DACL for COM Security Launch and Activation Permissions

    ——————————————————————————-

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    Everyone    (S-1-1-0)

        Allow: LocalLaunch LocalActivation (11)

    BUILTIN\Distributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    BUILTIN\Performance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    ——————————————————————————-

    Firewall Settings for Hyper-V

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Hyper-V (SPL-TCP-In)

      Enabled:  Hyper-V (RPC)

      Enabled:  Hyper-V (RPC-EPMAP)

      Enabled:  Hyper-V – WMI (Async-In)

      Enabled:  Hyper-V – WMI (TCP-Out)

      Enabled:  Hyper-V – WMI (TCP-In)

      Enabled:  Hyper-V – WMI (DCOM-In)

    ——————————————————————————-

    Firewall Settings for Windows Management Instrumentation (WMI)

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Windows Management Instrumentation (ASync-In)

      Enabled:  Windows Management Instrumentation (WMI-Out)

      Enabled:  Windows Management Instrumentation (WMI-In)

      Enabled:  Windows Management Instrumentation (DCOM-In)

    Note: Above firewall settings are not required for Hyper-V Remote Management

    ——————————————————————————-

    IP Configuration

    ——————————————————————————-

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : MorstainHyperV

      Primary Dns Suffix  . . . . . . . :

      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : No

      WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E

    GBE NIC

      Physical Address. . . . . . . . . : 00-24-21-32-08-12

      DHCP Enabled. . . . . . . . . . . : Yes

      Autoconfiguration Enabled . . . . : Yes

      Link-local IPv6 Address . . . . . : fe80::60d6:7bf:526e:88ac%3(Preferred)

      IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Lease Obtained. . . . . . . . . . : Friday, August 21, 2009 10:48:06 AM

      Lease Expires . . . . . . . . . . : Monday, September 27, 2145 9:22:16 PM

      Default Gateway . . . . . . . . . : 192.168.1.1

      DHCP Server . . . . . . . . . . . : 192.168.1.1

      DHCPv6 IAID . . . . . . . . . . . : 50340897

      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-18-14-3C-00-24-21-32-08-12

      DNS Servers . . . . . . . . . . . : 192.168.1.1

      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection*:

      Media State . . . . . . . . . . . : Media disconnected

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : isatap.{7B8AC60A-FB1B-4DEB-B054-063DC6EDA

    300}

      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 2:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

      Physical Address. . . . . . . . . : 02-00-54-55-4E-01

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

      IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:38bb:384b:3f57:fefa(Pref

    erred)

      Link-local IPv6 Address . . . . . : fe80::38bb:384b:3f57:fefa%5(Preferred)

      Default Gateway . . . . . . . . . : ::

      NetBIOS over Tcpip. . . . . . . . : Disabled

    ——————————————————————————-

    Testing connectivity to client: kmorstain-pc (2 tests in total)

    ——————————————————————————-

    Test 1

    ——

       This test verifies your DNS infrastructure. For Hyper-V remote management,

       MORSTAINHYPERV must be able to resolve the IP address of kmorstain-pc.

       If you do not have a DNS infrastructure, test 1 may legitimately fail.

       However, you will have to edit windows\system32\drivers\etc\hosts on this

       computer to add an entry for kmorstain-pc.

       If you have a DNS infrastructure and test 1 fails, this is a strong

       indication that Hyper-V remote management will not work.

           a) Verify that kmorstain-pc is the correct client name

           b) On MORSTAINHYPERV, run ipconfig /flushdns

           c) On kmorstain-pc, run ipconfig /registerDNS

       If you have a DNS infrastructure and test 1 succeeds, verify the IPv4

       address returned matches the IPv4 address of kmorstain-pc. This can be

       found by running ipconfig /all on kmorstain-pc.

       If you find the incorrect IP address is returned, follow steps a) to c)

       described above, plus step d) below.

           d) Check the hosts file on MORSTAINHYPERV for incorrect entries.

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Server:  UnKnown

    Address:  192.168.1.1

    *** UnKnown can’t find kmorstain-pc: Non-existent domain

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Test 2

    ——

       This test attempts to ping kmorstain-pc. Like test 1, the aim is to

       verify name resolution. Examine the output to ensure the IP address is

       that of kmorstain-pc.

       If an incorrect IP address is shown, follow resolution steps a)

       through d) listed above.

       A ping timeout is OK. It is likely the firewall on the client machine

       is blocking inbound pings. No action need be taken.

       If the ping cannot locate kmorstain-pc, you may need to add an entry

       in windows\system32\drivers\etc (described above). If you have a DNS

       infrastructure, follow steps a) through c).

       This test may take a second or two…

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Pinging kmorstain-pc [192.168.1.4] with 32 bytes of data:

    Reply from 192.168.1.4: bytes=32 time=1ms TTL=128

    Ping statistics for 192.168.1.4:

       Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

       Minimum = 1ms, Maximum = 1ms, Average = 1ms

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    INFO: Are running the latest version

    C:\hvremote>

  127. Kent says:

    John,

    I made the change and still no joy. I thought the server name might be too long, so I changed it to mhyper and that did not work either.

    I have included below the client and server show #2.

    thanks,

    Kent

    Client:      

    C:\Users\kmorstain\Downloads>cscript hvremote.wsf /show /target:mhyper

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Hyper-V Team, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.7 7th August 2009

    INFO: Computername is KMORSTAIN-PC

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is kmorstain-PC\kmorstain

    INFO: Assuming /mode:client as the Hyper-V role is not installed

    INFO: Build 6001.18226.x86fre.vistasp1_gdr.090302-1506

    INFO: This machine has Hyper-V Management Client installed (KB952627)

    ——————————————————————————-

    DACL for COM Security Access Permissions

    ——————————————————————————-

    Everyone    (S-1-1-0)

        Allow: LocalLaunch RemoteLaunch (7)

    NT AUTHORITY\ANONYMOUS LOGON    (S-1-5-7)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTIN\Distributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTIN\Performance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch (7)

    ——————————————————————————-

    ANONYMOUS LOGON Machine DCOM Access

    ——————————————————————————-

    ANONYMOUS LOGON has remote access

    ——————————————————————————-

    Firewall Settings for Hyper-V Management Clients

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Hyper-V Management Clients – WMI (Async-In)

      Enabled:  Hyper-V Management Clients – WMI (TCP-Out)

      Enabled:  Hyper-V Management Clients – WMI (TCP-In)

      Enabled:  Hyper-V Management Clients – WMI (DCOM-In)

    ——————————————————————————-

    Windows Firewall exception rule(s) for mmc.exe

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Microsoft Management Console (UDP)

      Enabled:  Microsoft Management Console (TCP)

    ——————————————————————————-

    IP Configuration

    ——————————————————————————-

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : kmorstain-PC

      Primary Dns Suffix  . . . . . . . :

      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : No

      WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

      Physical Address. . . . . . . . . : 00-0C-29-6E-5A-10

      DHCP Enabled. . . . . . . . . . . : Yes

      Autoconfiguration Enabled . . . . : Yes

      IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Lease Obtained. . . . . . . . . . : Friday, August 21, 2009 7:27:43 PM

      Lease Expires . . . . . . . . . . : Saturday, August 22, 2009 11:16:36 AM

      Default Gateway . . . . . . . . . : 192.168.1.1

      DHCP Server . . . . . . . . . . . : 192.168.1.1

      DNS Servers . . . . . . . . . . . : 192.168.1.1

      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

      Media State . . . . . . . . . . . : Media disconnected

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : isatap.{B24A0310-B9E9-4D63-8D92-FCB2E587D

    567}

      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

      Physical Address. . . . . . . . . : 02-00-54-55-4E-01

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

      IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:c9c:369b:3f57:fefb(Prefe

    rred)

      Link-local IPv6 Address . . . . . : fe80::c9c:369b:3f57:fefb%10(Preferred)

      Default Gateway . . . . . . . . . : ::

      NetBIOS over Tcpip. . . . . . . . : Disabled

    ——————————————————————————-

    Stored Credentials

    ——————————————————————————-

    Currently stored credentials:

       Target: mhyper

       Type: Domain Password

       User: mhyper\kmorstain

    ——————————————————————————-

    Testing connectivity to server:mhyper

    ——————————————————————————-

    1: – nslookup for DNS verification.

        Note that failure is OK if you don’t have a DNS infrastructure

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Server:  UnKnown

    Address:  192.168.1.1

    *** UnKnown can’t find mhyper: Non-existent domain

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    2: – ping attempt (ping -4 -n -1 mhyper)

        Note the ping may timeout – that is OK. However, if you get an

        error that mhyper could not be found, you need to fix DNS

        or add an entry to the hosts file. Test 3 will fail and provide more

        guidance.

        This may take a second or two…

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Pinging mhyper [192.168.1.5] with 32 bytes of data:

    Reply from 192.168.1.5: bytes=32 time=57ms TTL=128

    Ping statistics for 192.168.1.5:

       Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

       Minimum = 57ms, Maximum = 57ms, Average = 57ms

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    3: – Connect to root\cimv2 WMI namespace

    ***** Failed to connect to root\cimv2

    ***** Error:     -2147024891 Access is denied.

    ***** Namespace: root\cimv2

        FAIL – Was unable to connect. Diagnosis steps:

        – Have you run hvremote /add:user or hvremote /add:domainuser

          on mhyper to grant access?

        – Are you sure the server name ‘mhyper’ is correct?

        – Did you use cmdkey if needed? More information higher up.

        – Did you restart mhyper after running hvremote /add for

          the very first time? (Subsequent adds, no restart needed.)

        – Is DNS operating correctly and was mhyper found?

          Look at the output of tests 1 and 2 above to verify that the

          IPv4 address matches the output of ‘ipconfig /all’ when run on

          mhyper. If you do not have a DNS infrastructure,

          edit windows\system32\drivers\etc on KMORSTAIN-PC

          to add an entry for mhyper.

    INFO: Are running the latest version

    ——————————————————————————-

    1 warning(s) or error(s) were found in the configuration. Review the

    detailed output above to determine whether you need to take further action.

    Summary is below.

    1: Cannot connect to root\cimv2 on mhyper

    ——————————————————————————-

    C:\Users\kmorstain\Downloads>

    Server:

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

       (S-1-5-21-486983877-1426526351-2331221960-1001)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    MHYPER\kmorstain    (S-1-5-21-486983877-1426526351-2331221960-1005)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    DACL for WMI Namespace root\virtualization

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    MHYPER\Administrator    (S-1-5-21-486983877-1426526351-2331221960-500)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

       (S-1-5-21-486983877-1426526351-2331221960-1001)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    MHYPER\kmorstain    (S-1-5-21-486983877-1426526351-2331221960-1005)

        Allow: EnabAct RemEnab (33)

        Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    Contents of Authorization Store Policy

    ——————————————————————————-

    Hyper-V Registry configuration:

    – Store: msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

    – Service Application: Hyper-V services

    Application Name: Hyper-V services

    Operation Count: 33

       100 – Read Service Configuration

       105 – Reconfigure Service

       200 – Create Virtual Switch

       205 – Delete Virtual Switch

       210 – Create Virtual Switch Port

       215 – Delete Virtual Switch Port

       220 – Connect Virtual Switch Port

       225 – Disconnect Virtual Switch Port

       230 – Create Internal Ethernet Port

       235 – Delete Internal Ethernet Port

       240 – Bind External Ethernet Port

       245 – Unbind External Ethernet Port

       250 – Change VLAN Configuration on Port

       255 – Modify Switch Settings

       260 – Modify Switch Port Settings

       265 – View Switches

       270 – View Switch Ports

       275 – View External Ethernet Ports

       280 – View Internal Ethernet Ports

       285 – View VLAN Settings

       290 – View LAN Endpoints

       295 – View Virtual Switch Management Service

       300 – Create Virtual Machine

       305 – Delete Virtual Machine

       310 – Change Virtual Machine Authorization Scope

       315 – Start Virtual Machine

       320 – Stop Virtual Machine

       325 – Pause and Restart Virtual Machine

       330 – Reconfigure Virtual Machine

       335 – View Virtual Machine Configuration

       340 – Allow Input to Virtual Machine

       345 – Allow Output from Virtual Machine

       350 – Modify Internal Ethernet Port

    1 role assignment(s) were located

    Role Assignment ‘Administrator’ (Targetted Role Assignment)

      – All Hyper-V operations are selected

      – There are 4 member(s) for this role assignment

      – BUILTIN\Administrators (S-1-5-32-544)

      – MHYPER\Administrator (S-1-5-21-486983877-1426526351-2331221960-500)

      – S-1-5-21-486983877-1426526351-2331221960-1001 (S-1-5-21-486983877-142652635

    1-2331221960-1001)

      – MHYPER\kmorstain (S-1-5-21-486983877-1426526351-2331221960-1005)

    ——————————————————————————-

    Contents of Group Distributed COM Users

    ——————————————————————————-

    2 member(s) are in Distributed COM Users

      – MHYPER\Administrator

      – MHYPER\kmorstain

    ——————————————————————————-

    DACL for COM Security Launch and Activation Permissions

    ——————————————————————————-

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    Everyone    (S-1-1-0)

        Allow: LocalLaunch LocalActivation (11)

    BUILTIN\Distributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    BUILTIN\Performance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    ——————————————————————————-

    Firewall Settings for Hyper-V

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Hyper-V (SPL-TCP-In)

      Enabled:  Hyper-V (RPC)

      Enabled:  Hyper-V (RPC-EPMAP)

      Enabled:  Hyper-V – WMI (Async-In)

      Enabled:  Hyper-V – WMI (TCP-Out)

      Enabled:  Hyper-V – WMI (TCP-In)

      Enabled:  Hyper-V – WMI (DCOM-In)

    ——————————————————————————-

    Firewall Settings for Windows Management Instrumentation (WMI)

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Windows Management Instrumentation (ASync-In)

      Enabled:  Windows Management Instrumentation (WMI-Out)

      Enabled:  Windows Management Instrumentation (WMI-In)

      Enabled:  Windows Management Instrumentation (DCOM-In)

    Note: Above firewall settings are not required for Hyper-V Remote Management

    ——————————————————————————-

    IP Configuration

    ——————————————————————————-

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : mhyper

      Primary Dns Suffix  . . . . . . . :

      Node Type . . . . . . . . . . . . : Hybrid

      IP Routing Enabled. . . . . . . . : No

      WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E

    GBE NIC

      Physical Address. . . . . . . . . : 00-24-21-32-08-12

      DHCP Enabled. . . . . . . . . . . : Yes

      Autoconfiguration Enabled . . . . : Yes

      Link-local IPv6 Address . . . . . : fe80::60d6:7bf:526e:88ac%3(Preferred)

      IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Lease Obtained. . . . . . . . . . : Friday, August 21, 2009 7:04:30 PM

      Lease Expires . . . . . . . . . . : Tuesday, September 28, 2145 1:56:00 AM

      Default Gateway . . . . . . . . . : 192.168.1.1

      DHCP Server . . . . . . . . . . . : 192.168.1.1

      DHCPv6 IAID . . . . . . . . . . . : 50340897

      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-18-14-3C-00-24-21-32-08-12

      DNS Servers . . . . . . . . . . . : 192.168.1.1

      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection*:

      Media State . . . . . . . . . . . : Media disconnected

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : isatap.{7B8AC60A-FB1B-4DEB-B054-063DC6EDA

    300}

      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 2:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

      Physical Address. . . . . . . . . : 02-00-54-55-4E-01

      DHCP Enabled. . . . . . . . . . . : No

      Autoconfiguration Enabled . . . . : Yes

      IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:1cb2:11ec:3f57:fefa(Pref

    erred)

      Link-local IPv6 Address . . . . . : fe80::1cb2:11ec:3f57:fefa%5(Preferred)

      Default Gateway . . . . . . . . . : ::

      NetBIOS over Tcpip. . . . . . . . : Disabled

    ——————————————————————————-

    Testing connectivity to client: kmorstain-pc (2 tests in total)

    ——————————————————————————-

    Test 1

    ——

       This test verifies your DNS infrastructure. For Hyper-V remote management,

       MHYPER must be able to resolve the IP address of kmorstain-pc.

       If you do not have a DNS infrastructure, test 1 may legitimately fail.

       However, you will have to edit windows\system32\drivers\etc\hosts on this

       computer to add an entry for kmorstain-pc.

       If you have a DNS infrastructure and test 1 fails, this is a strong

       indication that Hyper-V remote management will not work.

           a) Verify that kmorstain-pc is the correct client name

           b) On MHYPER, run ipconfig /flushdns

           c) On kmorstain-pc, run ipconfig /registerDNS

       If you have a DNS infrastructure and test 1 succeeds, verify the IPv4

       address returned matches the IPv4 address of kmorstain-pc. This can be

       found by running ipconfig /all on kmorstain-pc.

       If you find the incorrect IP address is returned, follow steps a) to c)

       described above, plus step d) below.

           d) Check the hosts file on MHYPER for incorrect entries.

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Server:  UnKnown

    Address:  192.168.1.1

    *** UnKnown can’t find kmorstain-pc: Non-existent domain

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Test 2

    ——

       This test attempts to ping kmorstain-pc. Like test 1, the aim is to

       verify name resolution. Examine the output to ensure the IP address is

       that of kmorstain-pc.

       If an incorrect IP address is shown, follow resolution steps a)

       through d) listed above.

       A ping timeout is OK. It is likely the firewall on the client machine

       is blocking inbound pings. No action need be taken.

       If the ping cannot locate kmorstain-pc, you may need to add an entry

       in windows\system32\drivers\etc (described above). If you have a DNS

       infrastructure, follow steps a) through c).

       This test may take a second or two…

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    Pinging kmorstain-pc [192.168.1.4] with 32 bytes of data:

    Request timed out.

    Ping statistics for 192.168.1.4:

       Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

    ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

    INFO: Are running the latest version

    C:\hvremote>cd hvremote
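
The DACL listings in the HVRemote output pasted above print every ACE as a list of right names followed by the numeric mask. As an added example (not part of the comment and not HVRemote's own code), this Python sketch decodes those masks and lists which principals hold the EnabAct and RemEnab rights the listing names as required, noting entries whose SID printed without an account name. The bit values are the documented WMI namespace access constants; the sample listing, function names and review notes are constructed for illustration.

```python
import re

# Short right names as HVRemote prints them, mapped to the documented WMI
# namespace access bits (WBEM_ENABLE ... WBEM_REMOTE_ACCESS, READ_CONTROL, WRITE_DAC).
WMI_RIGHTS = {"EnabAct": 0x1, "Exec": 0x2, "FullWrt": 0x4, "PartWrt": 0x8,
              "ProvWrt": 0x10, "RemEnab": 0x20, "RdSec": 0x20000, "EdSec": 0x40000}
# The listing itself states that remote management needs EnabAct and RemEnab.
REQUIRED = WMI_RIGHTS["EnabAct"] | WMI_RIGHTS["RemEnab"]
ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators, expected to hold full rights

ACE_HEAD = re.compile(r"^\s*(?P<name>.*?)\s*\((?P<sid>S-1-[\d-]+)\)\s*$")
ACE_MASK = re.compile(
    r"^\s*(?P<kind>Allow|Deny):\s*(?P<names>.*?)\s*\((?P<mask>\d+)\)\s*$")

def decode(mask):
    """Return the short right names set in a numeric access mask."""
    return [name for name, bit in WMI_RIGHTS.items() if mask & bit]

def parse_dacl(text):
    """Collect allow/deny masks per SID from an HVRemote-style DACL listing."""
    aces, current = {}, None
    for line in text.splitlines():
        head = ACE_HEAD.match(line)
        if head:
            current = aces.setdefault(
                head["sid"], {"name": head["name"], "allow": 0, "deny": 0})
            continue
        ace = ACE_MASK.match(line)
        if ace and current is not None:
            value = int(ace["mask"])
            # Printed names and number must agree; if not, the paste is damaged.
            if sorted(ace["names"].split()) != sorted(decode(value)):
                raise ValueError(f"names do not match mask: {line.strip()}")
            current[ace["kind"].lower()] |= value
    return aces

def remote_principals(text):
    """List principals with remote access to the namespace, plus review notes."""
    report = []
    for sid, ace in parse_dacl(text).items():
        effective = ace["allow"] & ~ace["deny"]  # simplification: deny always wins
        if (effective & REQUIRED) != REQUIRED:
            continue
        notes = []
        if not ace["name"]:
            notes.append("SID did not resolve to an account name")
        if (effective & ~REQUIRED) and sid != ADMINS_SID:
            notes.append("holds more than EnabAct+RemEnab")
        report.append({"sid": sid, "name": ace["name"] or sid,
                       "rights": decode(effective), "notes": notes})
    return report

# Constructed sample in the layout of the listing (SIDs and names are made up).
SAMPLE = r"""
SERVER\Administrator    (S-1-5-21-1111111111-2222222222-3333333333-500)
    Allow: EnabAct RemEnab (33)
    Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)
   (S-1-5-21-1111111111-2222222222-3333333333-1001)
    Allow: EnabAct RemEnab (33)
BUILTIN\Administrators    (S-1-5-32-544)
    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)
NT AUTHORITY\Authenticated Users    (S-1-5-11)
    Allow: Exec ProvWrt EnabAct (19)
"""

if __name__ == "__main__":
    for entry in remote_principals(SAMPLE):
        print(entry["name"], entry["rights"], entry["notes"])
```
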

  128. Shiva says:

    Hi John,

    In VMRC connections to Virtual server based VM’s, multiple connections to the same virtual machine are possible. Is there a similar feature in RDP Connectivity to Hyper-V based VM’s? Please let me know if you have any information on the same.

    Thanks

    Shiva

  129. Shiva says:

    Hi,

     We are trying to Export Virtual machines in a saved state from Windows Server 2008 Enterprise Edition Service Pack 1-Hyper-V Manager Version: 6.0.6001.18016 to Windows Server 2008 R2 Hyper-V Manager Version: 6.1.7600.16385. We are facing a problem while trying to start the imported machine. (Error: Saved State file version is incompatible). Is this  expected? Is there a solution to this problem?

    Thanks

    Shiva

  130. Olexandr A. Bilyk says:

    I’ve constantly received error at step – 5: – Simple query to root\cimv2 WMI namespace – prior I’ve enabled "File and Printer Sharing (Echo Request – ICMPv4-In)" firewall rule on server side (Workgroup member, Microsoft Hyper-V Server 2008 R2)

  131. Phil Haselden says:

    Re Saved State incompatibility issues of 2008 and 2008 R2, Fabien Duchene’s (MSFT) comment elsewhere on the nets helped me:

    Just apply your snapshot. Then right-click the VM and "delete saved state". And then you are now able to start the VM.

  132. Shiva says:

    Hi John,

     Are there any explicit WMI to consume the Saved State files while creating a VM programmatically?

    Thanks,

    Shiva

  133. Hector says:

    Hi John,

    Are you still assisting with Hyper-V Manager connectivity issues?

    I have since day one been able to use Hyper-V Manager to connect, but I (lately) have been attempting to use a different desktop (Vista) other than my laptop, but have failed in every attempt. I get the dreadful "RPC server unavailable. Unable to establish communication between ‘Hyper-V Server’ and ‘MyClient’."

    Please note that my laptop continues to function, thank God!.

    Please let me know what I can do to facilitate some assistance with this issue?

    thx,

    Hector

  134. Hector says:

    Never Mind Solved it… wow, I had completely forgotten about enabling the firewall on my "CLIENT" side (Vista).

    fyi, the documentation everywhere shares about enabling the firewall on the server (Hyper-V) but little and small if any is there mention of enabling the firewall on the "CLIENT" side.

    I enabled:

    Start –> All Programs –> Administrative Tools –> Windows Firewall with Advanced Security –> Inbound Rules –> Remote Service Management (RPC)

    Note: I enabled Remote Service Management (RPC) for "Domain" only

    thx John…..

    Hector

  135. Chris says:

    I got the ‘WMI access denied’ error, and then followed all the steps as described in this wonderful article, however I never managed to fix the problem with everything given in this article/comments…

    The error I got when running:

    netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

    Was: IMPORTANT: "netsh firewall" is deprecated

    A simple fix for this was:

    netsh advfirewall firewall add rule program=%windir%\system32\mmc.exe action=allow dir=in name="Microsoft Management Console"

    That single firewall rule solved all my problems!

    Chris

  136. FrankM says:

    I followed everything in multiple iterations, but couldn't make remote management of HyperV server work from another Windows 2008 R2 with HyperV role. The only way it can work is if I disable the firewall on HyperV Server completely. I set the WMI permissions, firewall rules and what not.

  137. Fábio Ferreira says:

    How to configure these security items in Server Core by command line?

  138. Mohsen Almassud says:

    this is a very detailed and great article. is it going to be removed after some time or is it staying?

    because if it's going to be removed, then I'll need to copy the information to a word document for future use if that's ok with you.

  139. Christopher J. Roberts says:

    One other quick-and-dirty method you can use if you need to connect to a Hyper-V server is to create a RunAs script on the machine that has your Hyper-V management console.

    Assuming you named your new Hyper-V server MyServer, and your msc is stored in the directory mine is (I'd use something better than progra~1 for a path, though):

    runas /netonly /user:MyServer\administrator "%windir%\system32\mmc.exe c:\progra~1\Hyper-V\virtmgmt.msc"

    This will allow you to connect to the hyper-v box if you start the management console with a batch file with this command and enter the administrator's valid password.

  140. Willy Drucker says:

    Holy Crap Chris that worked for me!!!  I've been troubleshooting this for awhile now, thanks!!!

  141. Michael Faklis <Michael_Faklis@EvolSwSys.net> says:

    Chris:  I first used the manual approach, then went back and used hvremote, but I can't get it to work.

    My client is Win 7 Ultimate x64 which is a domain member.  My domain is SBS 2011-based running as a hyper-V guest on a Server 2008 R2 host, in a workgroup.

    I fear the problem is that my Win7 client uses Norton Internet Security, which disables the MS firewall.

  142. Seeberg says:

    Hi, very helpful! It also works for Windows 7 SP1 Hyper-V Client for Windows Server 2012. After the settings the VMs are in "Saved" mode and did not start. More details see here: support.microsoft.com/…/2249906

  143. Luiz Felipe Stangarlin says:

    Thank you so much. I was struggling with this for 4 hours. I was thinking my PowerShell script was bugged with a problem with WMI, or that my DCOM security was wrong. I was in ignorance of Hyper-V authorization. It worked like a charm!

  144. Joy says:

    Hi John,

    Thanks for the blog. It is really helpful. But I have one more question: Does it still work with Clients behind the NAT? Both Hyper-V Server and Client are located in the workgroup.

    Looking forward to your reply. Thanks in advance.

    Regards,

    Joy

  145. Paul says:

    This is a whole lot of struggling and tweaking even before this thing has been installed. With VMware, all we did was install and go – no hassles and no problems out of the gate like this product.

  146. bhrugesh mehta says:

    this worked ;-))))
    basically my domain server is 2008 does not contain hyper -v and hyper v server are 2012 , so simply apply using remote file and hyper v xml file change component services settings

    it's worked

    thank you