Part 3 – Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’


Update 14th Nov 2008. I’ve just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to all parts in the series: 1, 2, 3, 4 and 5

Although I thought I’d finished at part two, after even more emails and comments on part one and two, it quickly became obvious to me that I need to round off the series by answering “But what if my server is a server core installation”. In server core, you have none of the “niceties” of most of the user interface.

This blog post is an alternate to part one, covering the case where the server is server core. Before going any further, make sure you have followed the steps in my previous post to enable the Hyper-V role on server core and enable remote management. Remote management is important for this walkthrough – you’ll need it to complete the steps. 

Step 10 (On Client and Server)

This mirrors step 1 in part one. Make sure you are using a username and password which matches between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience). Enter the following command.

net user john * /add

Step 11 (On Server)

This step mirrors step 2 in part one. Enable the firewall rules on the server for WMI (Windows Management Instrumentation). Enter the following command:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Make sure the command is successful and responds with “Updated 4 rule(s). Ok.”

Note: What you enter in quotes is just a name, but it must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what this group name is.

Step 12 (On Server)

This step mirrors step 3 in part one. It grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. In a full install of Windows Server 2008, this is (relatively) easy using dcomcnfg. Unfortunately, this is not available on server core. However, there is a built-in user group you can use which does the job just as well (in fact, although I haven’t tested it, this should work equally well on a full installation of Windows Server 2008).

You need to add the user account(s) or groups to the “Distributed COM Users” group. In my example, the server is named jhoward-hp2 and the local user account is john.

net localgroup "Distributed COM Users" /add jhoward-hp2\john

Step 12B (On the remote management console/client)

[Edited 16th May 2008. This was step 15, but moved to before step 13]
Follow steps 5, 6 and 7 in part two. These are identical and must be done on the client machine. 

Step 13 (On Remote Management Machine)

This step mirrors step 4 in part one and grants appropriate WMI permissions to the user(s) who are remotely connecting. You need to grant access to two namespaces, and, as in step 3, you can add individual users, group(s) or the “Authenticated Users” group.

This is a little more challenging on server core as there is no computer management MMC. However, as I’ve already enabled remote management, I can do this from my remote management (Vista SP1) workstation. On that machine, I’m logged on with administrator credentials matching an account on the server machine.

Open Computer Management under Start/Administrative Tools. Right-click on the top most node, “Computer Management (Local Computer)”, and click “Connect to another computer …”

In the select computer dialog, enter the name of the remote server core machine and click OK. In my case, this is jhoward-hp2 (jhoward-hpu was the full installation). Then expand the tree down through Services and Applications\WMI Control and select WMI Control.

Right-click on WMI Control and select properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.

IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the Security button. If the appropriate user or group does not already appear, use “Add…” to add them. Note that when doing this remotely, you will be prompted for credentials. Make sure you enter the username as server\username, as the default domain will be that of the client management machine.

Now select the user and click the Advanced button below the “Permissions for <user>” area.

Make sure the user/group is selected and click Edit.

You need to make three changes here.

  • In the “Apply to:” drop-down, select “This namespace and subnamespaces”
  • In the Allow column, select Remote Enable
  • Check “Apply these permissions to objects and/or containers within this container only”

The screen should look like this. If so, click OK through the open dialogs.

Repeat for the Root\virtualization namespace.

Click OK as appropriate to confirm all open dialogs and close Computer Management.

Step 14 (On Remote Management Machine)

This step mirrors step 5 in part one and configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. I am assuming in this walkthrough, you are using the in-box default policy and have not re-configured anything at this stage.

To make life a little easier, I’m first going to map a network drive on the remote management machine to the system drive on the machine running server core. In my case, the system drive is G.  At an elevated command prompt on the client, type the following (replacing G and jhoward-hp2 as appropriate)

net use * \\jhoward-hp2\g$

Open Authorization Manager by typing “azman.msc” in the box on the start menu.

Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.

Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the mapped drive, select InitialStore.xml, then click OK.

I’m going to keep this walkthrough as simple (!) as possible, and make my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.

In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.

Note that you are prompted for appropriate administrative credentials. Make sure you enter the username as server\administrativeaccount again, to ensure the domain name is that of the server.

At this point, I would say to add the appropriate users or groups like I did in the full installation option. However, I hit a snag. For some reason, AZMan running remotely did not seem able to find the “john” account (or any other user account I created on the core installation) even though it was definitely there as you can see using Computer Management on the remote machine targeting the server.

The answer (I thought) was to create a new user group and add the “john” account to that group. However, that also failed. All was not lost. First thing to do was to report a bug. Next was to come up with a backup plan. Now at this point, I apologise in advance – it’s a really horrible workaround, and involves hand-editing InitialStore.xml.

Let’s take a look at InitialStore.xml on the full installation I made in part one, particularly the section with “Name=Administrator”. In the first screenshot taken using Internet Explorer to open the XML file, you can see that the “john” account has been added, the second screenshot being without “john” being an administrator.

So it is just a question of finding and adding the appropriate user/group SID as a member. How hard can that be? (OK, don’t answer that quite yet!) Thanks to the scripting guy, it didn’t take long to get the answer. I created the script below, test.vbs, and ran it on the remote management machine using "cscript test.vbs". (Replace jhoward-hp2 in both places with your server name, and john with the appropriate user name. Also make sure there is no space between 'john', and Domain= in the penultimate line.)

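' Connect to WMI on the server and print the SID of the local "john" account.
strComputer = "."
Set objWMIService = _
   GetObject("winmgmts:\\jhoward-hp2\root\cimv2")
' The key uses straight single quotes, with no space after the comma.
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name='john',Domain='jhoward-hp2'")
Wscript.Echo objAccount.SID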

So now I had the account SID for the "john" account, I could use notepad to edit InitialStore.xml appropriately. I still had my network drive mapped. IMPORTANT: Take a backup copy of InitialStore.xml now!

Unfortunately, notepad is not the easiest editor to use for XML files. There are plenty of freeware XML editors out there, but I stuck with notepad, if for no more reason than to prove that this whole walkthrough can be done using inbox components. Here you can see I’ve added a new member tag on the bottom line – everything from <Member>S-1-5-21-602….. to the following </Member>

Just to make sure I hadn’t made a huge editing error, I used IE again to confirm.

And yes, you can now close the Authorization Manager MMC if it is still open on the remote management machine!

Important. You must reboot your server for the above changes to take effect.
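
The hand edit in step 14 (take a backup, add one <Member> SID under the Administrator role, re-check the file) can also be scripted. This is an added example, not part of the original post or of HVRemote. It assumes the role assignment is an AzRole element with a Name attribute and Member children, and the sample store, GUIDs and SID in it are constructed.

```python
import re
import shutil
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the shape the post describes: a role entry with
# Name="Administrator" whose <Member> children are SIDs. The AzRole element
# name and the GUIDs are assumptions for illustration, not a real store.
SAMPLE_STORE = """<?xml version="1.0" encoding="utf-8"?>
<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Guid="00000000-0000-0000-0000-000000000001" Name="Hyper-V services">
    <AzRole Guid="00000000-0000-0000-0000-000000000002" Name="Administrator">
      <Member>S-1-5-32-544</Member>
    </AzRole>
  </AzApplication>
</AzAdminManager>
"""

# Constructed SID standing in for the value printed by test.vbs.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

# Textual SID: S-1-<authority> followed by 1 to 15 numeric sub-authorities.
SID_RE = re.compile(r"S-1-\d{1,15}(?:-\d{1,10}){1,15}")


def _find_role(root, role):
    """Return the single role-assignment element named `role`."""
    matches = [r for r in root.iter("AzRole") if r.get("Name") == role]
    if len(matches) != 1:
        raise ValueError(f"expected one role named {role!r}, found {len(matches)}")
    return matches[0]


def _members(role_el):
    return [m.text.strip() for m in role_el.findall("Member") if m.text]


def role_members(store_path, role="Administrator"):
    """List the SIDs assigned to `role` (the check the post does by eye in IE)."""
    return _members(_find_role(ET.parse(store_path).getroot(), role))


def add_role_member(store_path, sid, role="Administrator"):
    """Add `sid` to `role`. Returns True if the store changed, False if the
    SID was already a member. Raises before touching the file on bad input."""
    store_path = Path(store_path)
    sid = sid.strip()
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a well-formed SID: {sid!r}")

    tree = ET.parse(store_path)  # ParseError here means the store is already damaged
    role_el = _find_role(tree.getroot(), role)
    if sid in _members(role_el):
        return False

    prev = role_el[-1] if len(role_el) else None
    member = ET.SubElement(role_el, "Member")
    member.text = sid
    if prev is not None:  # keep the existing indentation
        member.tail, prev.tail = prev.tail, role_el.text

    # Backup first, as the post insists; timestamped so it is never overwritten.
    backup = f"{store_path}.bak-{time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copy2(store_path, backup)

    # Write beside the original, re-parse to prove it is well-formed, then swap.
    # Note: ElementTree does not keep XML comments from the original file.
    candidate = Path(f"{store_path}.new")
    tree.write(str(candidate), encoding="utf-8", xml_declaration=True)
    ET.parse(candidate)
    candidate.replace(store_path)
    return True


def demo():
    """Run the edit twice on a temporary copy of the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "InitialStore.xml"
        store.write_text(SAMPLE_STORE, encoding="utf-8")
        first = add_role_member(store, SAMPLE_SID)
        second = add_role_member(store, SAMPLE_SID)  # no duplicate, no new backup
        files = sorted(p.name for p in Path(tmp).iterdir())
        return first, second, role_members(store), files


if __name__ == "__main__":
    print(demo())
```

Run from the management workstation against InitialStore.xml on the mapped drive, add_role_member takes the SID printed by test.vbs; the reboot noted above still applies.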

Step 15 (On the remote management console/client)
[Edited 16th May 2008. Moved this step to earlier as step 12B. Ignore step 15 if you did it earlier]

Follow steps 5, 6 and 7 in part two. These are identical and must be done on the client machine.

Step 16 (Away from the keyboard)

This mirrors step 8 in part two. Take a very deep breath and congratulate yourself. Open beer, have a party, whatever takes your fancy. To have got this far, you deserve it. Make sure you have followed all the steps to the letter, especially the bit about restarting the server.

Step 17 (On the client)

Log on as the account you have given permissions to (“john” in my walkthrough) on the client.

Start Hyper-V Manager from Administrative Tools on the Control Panel. Enter appropriate administrative credentials if UAC is enabled and the account is not an administrator on the client.

Click Connect to Server and enter the name of the remote machine, accepting the EULA if this is a pre-release version of Hyper-V.

Watch in even more awe than you did in part 2 as you get a screen like below 😉 Here I’m managing jhoward-hpu which is the full installation, and jhoward-hp2 which is the server core installation. Wow! I need some time off!

Cheers,
John.

Comments (130)

  1. Anonymous says:

    Hyper-V Management Console on Vista x64

  2. Anonymous says:

    Hyper-V Monitor Gadget for Windows Sidebar

  3. Anonymous says:

    Hello. An essential tool for configuring servers with Hyper-V so that they can be managed

  4. Anonymous says:

    Stu – hvremote reveals all. Honestly, it’s the best way to understand what is and what isn’t configured. Output of hvremote /show on both the client and the server, plus a ping attempt in each direction will give 99% of everything needed for diagnosis.

    Thanks,

    John.

  5. Anonymous says:

    So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

  6. Anonymous says:

    Paul – Glad you got it working.

    For 1) I don’t have a good answer  – in a general sense, I would recommend you don’t run anything but the Hyper-V role itself on the parent partition. However, not knowing what you’re referring to about the HD SCSI optimizer, if it’s a necessary OEM supplied driver for accessing the local DAS, then obviously you need it. But I suspect it’s more than that – do you actually see a perf gain using it on other servers? Is it essentially doing a background defrag or something?

    For question two – I assume you are referring to running a DC inside a virtual machine. For the same reason as for one, I would not recommend running any other workload on the parent partition except for Hyper-V itself. You should certainly read http://support.microsoft.com/kb/888794 for some guidance.

    Thanks,

    John.

  7. Anonymous says:

    Evan – thanks for the feedback :)

    Glad you got it going. We’re still investigating and can’t currently repro the problem in-house but working with a couple of people who have given us some great information to work on. I’ll post up more info when we have a workaround and understand the problem.

    Cheers,

    John.

  8. Anonymous says:

    M.Salah

    Please can you

    – run hvremote /show on both the server and the client

    –  ipconfig /all on both the server and the client

    –  verify that a ping of the server from the client, and ping from the client to the server hits the correct address as shown in ipconfig /all

    – Verify that the username and password you are using (if workgroup) is exactly the same on both sides.

    – Verify that you did try restarting both client and server (with the firewall enabled)

    – That you don’t have any alternate firewall software installed either side (eg OneCare etc)

    If you can post the results back, that will give me what I need to diagnose.

    Thanks,

    John.

  9. Anonymous says:

    George – did you reboot the server after applying the AZMan changes?

    Thanks,

    John.

  10. Anonymous says:

    David – stand alone being workgroup, not domain. Correct? If so, unless you really feel the need to follow the steps manually, I would very strongly recommend you use HVRemote to complete the configuration. Of course though, I’ll assist if you want to go the long route (especially in workgroup).

    Thanks,

    John.

  11. Anonymous says:

    Peter/Lance – finally got a chance to update it.

    Thanks,

    John.

  12. Anonymous says:

    A noob/freshman – There are so many things wrong here. First, we do not support Hyper-V running as a nested Hypervisor. You should run it on bare metal. As for the namespace not being present, the most likely cause is you have not enabled the Hyper-V role. How are you determining it was successfully installed? (And you go on to say physical computer, yet you say Hyper-V on 2008 is running in a VM. I'm confused what is what).  Why are you running Server 2008, not 2008 R2, 2012 or even 2012 R2 Preview for Hyper-V? And finally…. why are you doing the configuration manually? It would be FAR easier to use HVRemote – code.msdn.microsoft.com/HVRemote

    Thx, John.

  13. Anonymous says:

    Peter – Hyper-V manager and the server components use IP, not NetBIOS. DNS has to be right for it to work. Yes, there is a problem with 0.5 HVRemote if you run it on a 2K8 box which only has the management components. Take a look at the response to Patrick in the HVRemote thread: http://blogs.technet.com/jhoward/archive/2008/11/14/configure-hyper-v-remote-management-in-seconds.aspx. That will give you a workaround for now. Working on a fix (I have it ready, but not quite ready to publish).

    Thanks,

    John.

  14. Anonymous says:

    Today, two tools for Hyper-V. Not brand new, but extremely useful. The first will help you

  15. Anonymous says:

    In my last post on installing Hyper-V for my home setup I said I had a number of issues. One was

  16. Anonymous says:

    Well guys … if anyone has already tried Hyper V … let's discuss this .. I was trying to install Hyper

  17. Anonymous says:

    Announcing "HVRemote"…., a tool to "automagically" configure Hyper-V Remote Management

  18. Anonymous says:

    This build (7100.0.winmain_win7rc.090421-1700) was compiled last Tuesday and apparently has already started being distributed to OEM partners.

  19. Anonymous says:

    Timbo – I’m pretty sure you’ll see this error if you have older bits on the management computer. Are you sure you’re running RTM bits on both server and client (950050 for server and 952627 for vista sp1 client).

    Thanks,

    John.

  20. Anonymous says:

    @PBaldwin

    In my experience, you typically see things like this due to time synchronisation in a domain not operating correctly. Is there a difference of more than a minute or so between the server core machine and the management client?

    Thanks,

    John.

  21. Anonymous says:

    In my last post on installing Hyper-V for my home setup I said I had a number of issues. One was

  22. Anonymous says:

    Toby – HVRemote only deals with Hyper-V management, not other administrative capabilities such as the ones you list. The best way to diagnose is if you run the latest (0.7) version of hvremote with the /target:otherboxname parameter on both boxes (client and server) to diagnose.

    Thanks,

    John.

  23. Anonymous says:

    Anthony – are you sure you followed step 2B in part 1, and noticed I updated the above post for 12B immediately before step 13.

    That all said, I really strongly recommend that unless you have a need to perform the steps manually, the use of hvremote will save you a lot of pain.

    Thanks,

    John.

  24. Anonymous says:

    dock-levy – you would need to contact Lenovo/IBM to verify. I don’t have one of those machines available. Have you checked you do have the latest BIOS on your machine? There is no registry setting – this is under control of the OEM. If VPC can recognize it, it will be turned on though – can’t think of any reason why not. Anything in the Hypervisor or system event logs when you attempt to start a virtual machine under Hyper-V? What about DEP? Could that be the cause and it isn’t correctly set in the BIOS?

    Thanks,

    John.

  25. Anonymous says:

    Tim – 18004 is RC1 (IIRC). RTM release is 18016. Apply the KB articles I mentioned above to both sides, and the problem should go away.

    Thanks,

    John.

  26. Anonymous says:

    Going through step 14 above – the ProgramData directory (as part of the path to the InitialStore.xml) is apparently a Hidden directory as it isn’t directly browsable.  I did a search and then copied the path; however, you can simply cut and paste the path from Step 14 instructions or type it out.

  27. Anonymous says:

    Paul – you really do not need to turn off the firewall to make Hyper-V remote management work, and I strongly recommend you do not take that approach. The output from hvremote /show on both server and client would go a long way to diagnosing a problem.

    For Win7, it depends which build of Win7 you are using. Sure, there are some bugs in build 7000 (beta), but it should work. If you can clarify which build you are running, what you are doing when it crashes and get that hvremote /show output, I could take a look.

    Thanks,

    John.

  28. Anonymous says:

    Michael – can you post the full output of hvremote /show /target:othercomputername from both boxes. Also info of whether you have firewalls/routers between the client and server, or whether there is any 3rd party AV or firewall software installed on either box.

    Thanks,

    John.

  29. Anonymous says:

    It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I’ve come

  30. Anonymous says:

    For those that cannot expand the "root" node, in Tony’s case, this was resolved by not having followed the instructions on the Vista machine to enable anonymous logon remote access in DCOM Security (step 15 above).

    Thanks,

    John.

  31. Anonymous says:

    Dillon – is it possible that you’re running on a non-English locale system (the group names are localized).

    Can you save the following as group.vbs and run it using "cscript group.vbs" from a command prompt. That should list the actual localgroups on your machine.

    Set cGroups = GetObject("WinNT://localhost")

    cGroups.Filter = Array("group")

    For Each oGroup In cGroups

       wscript.echo oGroup.Name

    Next

    Thanks,

    John.

  32. Anonymous says:

    Simone – can you post up the output of hvremote /show on both boxes, plus the output of a "ping -4 otherboxname" to try to diagnose.

    Thanks,

    John.

  33. Anonymous says:

    @Well…. can you try using HVRemote. This is much simpler than trying to follow the steps manually.

    John.

  34. Anonymous says:

    I can successfully remotely manage my Hyper-V Server 2012 Core in a workgroup environment. I can also remotely manage the disks on the Hyper-V server.

    I wrote a quick 12-step tutorial (article and video) showing exactly what I did to get this working.

    pc-addicts.com/12-steps-to-remotely-manage-hyper-v-server-2012-core

    Hopefully this can help others who found this to be a very frustrating task.

    -Chris

    http://PC-Addicts.com

  35. Anonymous says:

    Thanks Derek for the update.

    What you are seeing is by design and a result of the beta version of Hyper-V being present on the Windows Server 2008 media and the beta integration services which run in a VM including the drivers to support networking are not compatible with Hyper-V RTM. The easiest solution is simply to insert vmguest.iso into the virtual CD drive of the virtual machine by selecting Actions/Insert Integration Services setup disk in virtual machine connection, and running setup in the VM.

    Alternately:

    – Slipstream KB950050 into the media/WDS image (as you mention)

    – Add a legacy network adapter which is supported in-box in Windows Server 2008 to allow you to get to download KB950050 (but remember to go back to a "synthetic" NIC afterwards for the performance gains)

    – Have the update on an ISO using a third party tool – but in reality, as it’s already present on vmguest.iso, a little redundant.

    Thanks,

    John.

  36. Anonymous says:

    Hi Thomas

    My apologies. Was giving a "lazy" answer :)

    BTW – I did cover this in http://blogs.technet.com/jhoward/archive/2008/03/29/how-to-add-the-hyper-v-role-to-a-windows-server-2008-server-core-machine.aspx and it was also mentioned right at the top of this article:  

    << Before going any further, make sure you have followed the steps in my previous post to enable the Hyper-V role on server core and enable remote management. Remote management is important for this walkthrough – you’ll need it to complete the steps. >>

    :)

    Thanks,

    John.

  37. Anonymous says:

    Ralph – Unless you have a separate DC physically somewhere, you run into the chicken and egg problem. I would strongly recommend that you do not only run a single virtual DC on a Hyper-V machine and have the Hyper-V machine itself joined to that domain. While it technically can be done (with some caveats), it is not a supported scenario.

    Thanks,

    John.

  38. Anonymous says:

    @Ryan – no I have a test environment up and running, I’ll try this and get back to you.

    @Dale – am investigating. I saw this once too, but was not able to reproduce it or get a list of steps to make it happen.

    @Alberto – Curry would be nicer :) (Although "American" curry takes a lot of getting used to after my "British" Indian cuisine up-bringing). Glad you got it going.

    Thanks,

    John

  39. Anonymous says:

    Tom – difficult to diagnose based on the info above. Do you want to email me using the link at the top with some more information on the specifics of the error you’re hitting, maybe some ipconfig /all output from a working and non-working machine plus the server, a simple ping test, and info about what domain/workgroup each machine is in.

    Thanks,

    John.

  40. Anonymous says:

    Wesley

    You should be able to log on with a cached domain account, or a local administrator to remove the box from the domain. Then you just treat it as a workgroup to workgroup scenario. Alternately, create a matching local account on the domain joined server to the account on the client, passwords matching. Then again it should still be WG to WG configuration without any need for the server to contact the domain.

    Thanks,

    John.

  41. Anonymous says:

    No, 0.7 does not support WS2012 (it works somewhat by accident, but I strongly recommend you do not use it). I will be releasing a version which supports Windows 8/WS2012 (and Hyper-V Server 2012, and for R2/Win7 and 2008/Vista) before GA. It's being tested now, but not ready to be made public.

    Windows 7 can communicate to 2012 using the v1 WMI namespace, however, it is not recommended. Any of the new capabilities in 2012 will not be available unless you use a Windows 8 client with the newer Hyper-V Manager which uses the v2 namespace.

    John.

  42. Anonymous says:

    So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

  43. Anonymous says:

    Remote management of Server Core installations helps you. It prevents you from having to struggle with

  44. Anonymous says:

    Ryan/Tony  (Hilton – already sent you an email).

    Can both of you email me using the link at the top. This is not something we can reproduce in house, so I’d like to understand a bit more about the configuration.

    – Verification of domain client to domain server (same domain), or combination of workgroup/domain, or workgroup-workgroup (same workgroup)

    – x86 vs x64 client

    – Whether the client was RTM Vista then upgraded to SP1 or a "slipstream" install.

    – SKU (Business/Enterprise/Ultimate)

    – Whether UAC is enabled (Server and client)

    – Whether user is a local administrator (Server and client)

    – Whether windows firewall is turned off or on (server and client)

    – Whether there’s any additional software installed on server or client (eg Antivirus)

    – If domain joined, whether there could be group policy being pushed down to the firewall settings

    If the firewall is currently on, one suggestion from a colleague to also try:

    >>Can you try add

    >> %windir%\System32\wbem\unsecapp.exe

    >> into Firewall.cpl to unlock the app.

    >> Then reconnect in the UI, it should work.

    Thanks,

    John.

  45. Anonymous says:

    Stu – thanks. Yes, you’re correct, RTM is required (I believe if memory serves correctly we fixed it in RC0, but beta – ie on the Windows Server 2008 RTM media – does not work). Unfortunately, I’m 99% certain that in Windows Server 2008, neither of those management tools work remotely. Devcon.exe and diskpart are your friends….

    Cheers,

    John.

  46. Anonymous says:

    Derek – have you enabled remote management on the server? It also depends if you are domain joined or in a workgroup. If you are workgroup, do you have matching usernames and passwords both sides?

    There should be no issue running the remote management machine under Virtual PC.

    Thanks,

    John.

  47. Anonymous says:

    David – I confess, I’m completely stumped. Do you get this for all groups and all users using net localgroup, or just the Distributed COM Users group?

    Thanks,

    John.

  48. Anonymous says:

    Hi Ryan. I’m in the process of setting up a private domain outside of the Microsoft corporate network to work through the same steps in a controlled domain scenario – the fairly complex corpnet enforced policies and IPSec make it difficult to track down issues without a private domain. It’s unlikely I’ll get my private network walkthrough finished before the end of the week, but I’ll post up my results as soon as I can – I guess parts one two AND three weren’t enough. I don’t have any suggestions currently. Sorry!

    Cheers,

    John.

  49. Anonymous says:

    Donald – I would have to defer to WMI under-the-covers networking experts (and I assure you I am not – Hyper-V utilizes WMI rather than us dealing with WMI internals), but I believe this will probably be due to some firewalling or routing issue. WMI is not "firewall friendly". A workaround many people use in this situation is for a VPN or a Terminal Server publishing the application. That is significantly more secure for Internet access.

    Thanks,

    John.

  50. Anonymous says:

    ecscomp – this is most likely a DNS issue. Rather than ping (as the firewall will probably block you in a default installation), try an nslookup on each machine of the other machine. It must work both ways. If it doesn’t, run an ipconfig /all on each machine and then add the IP address to windows\system32\drivers\etc\hosts as a workaround to DNS to verify if that is indeed the cause.

    Thanks,

    John.

  51. Anonymous says:

    Thomas

    On the server, run hvremote /add:thomas

    As you are in a workgroup, on the client, run hvremote /anondcom:grant

    Reboot both boxes (to be sure – it may work, but just in case) and you should be good to go.

    You’ve checked the passwords are the same, great. Only other thing you should check is pinging by name rather than IP does indeed hit the other box, in both directions. I guess you have done that already though as you mention about editing the hosts file.

    Thanks,

    John.

  52. Anonymous says:

    George – if you can connect in the first place, then it sounds like you didn’t setup the AZMan bit correctly. Can you run the script on the server core machine and confirm that under IE on the remote machine, the correct SID is in the administrator part like in the screenshot above.

    Thanks,

    John.

  53. Anonymous says:

    I too have experienced a difference between the first run of the Hyper-V mmc UI from my Vista management and the subsequent runs.  Specifically I need to change the path to where the Virtual Hard Drives are to be stored and located; however, I’m unable and am getting a message:

    —————————

    Remote File Browser

    —————————

    You may not browse the local file system when connecting to a remote Hyper-V server.

    —————————

    OK  

    ————————-

  54. Ryan says:

    John,

    Thank you for all the great information, however, I am still having problems. I am running Hyper-V on Server Core and I am trying to access it from a workstation running Vista SP1 with the Hyper-V console installed. Both computers are added to the same domain and both computers have my domain username added as a member of the local administrators group. I applied the Hyper-V RC0 update to the install.wim file, I then installed server core using the updated wim. I am getting the "don’t have requested permission" error on my workstation. What is interesting is that the first time I opened the management console, it worked and I was able to configure my virtual switches. Now it won’t let me change any settings. Any ideas?

    Thanks,

    Ryan Lenkersdorfer

  55. Alberto says:

    Thanks John. I now have a Windows Server 2008 Core DC, a Windows server 2008 NAP, a windows Server 2003 exchange 2007 sp1 server all in the same Core Hyper-v black box.

    A complete network for testing and funny.

    I do hope these issues are RC0 related, though. I’ll stay tuned to your blog.

    You deserve a good Italian pizza! :)

  56. HiltonT says:

    Hi John,

    I get to step 13 fine, however when I connect to the WMI Control, it connects fine, but the "Security" tab contains only the "Root" and no namespaces below this.

    Any ideas why?

    (Server is WS2K8 Ent Core with Hyper-V RC0 and guest is Vista x86 SP1 with RSAT and Hyper-V Management tools loaded.)

  57. George says:

    Thanks for the lesson. Everything you showed worked fine for me as far as you went, but when I go to add my first virtual machine I get an error that the Wizard cannot load because I do not have permission. Did I miss a step?

    Actually I can move the error message box to one side and navigate the wizard, but when I hit finish it throws another permissions error and I am forced to acknowledge and close the wizard. Any thoughts?

    Thanks again for getting me this far.

  58. George says:

    As a matter of fact I ran the vbs script on the server in the first place.

    After I edited the initial store XML file, I reimported it into AZMan (deleting the previous initial store entry).

    When I look in AZMan at the "Administrator" role assignment I see my specified domain\username listed as a "user" type right under the "Administrators(BUILTIN\Administrators)" group.

    I am connected to the hyperv server and see the "No virtual machines were found…" message. It just seems I am missing whatever permission is needed to create new VMs.

  59. Tony says:

    I have the same problem as HiltonT above, where I open the WMI Control Properties Security Tab and expanding the "Root" node displays nothing.  The "plus" sign button goes away and no child of "Root" ever appears.

    All the steps leading up to that point were fine and I can connect via RDC and I can browse to the administrative shares in the file explorer.  I just can’t seem to get any of the "root" children.

    Any ideas?  

  60. evan says:

    Any update on nothing displayed below the root node?  I also am running into this.

  61. evan says:

    Since I also had the issue where only Root would show I just followed step 13 and applied it only to Root.  Was able to get it working! Not sure of the security implication, but I’m running it all privately anyway.   Thanks for the great info John.  Figuring out a problem like this wouldn’t have been possible a few years back.  You guys at Microsoft are doing a good job opening everything up.

  62. peter says:

    You might want to reorder the guide so step 15 is before step 13 if that’s the fix to the empty root issue.

    I followed step 15 and then the root wasn’t empty but it also wouldn’t expand so I just applied the right to the root as mentioned above.

    Working great now thanks for the Guide!

    Peter

  63. Lance Fisher says:

    Thanks!!!!

    I would also suggest putting step 15 before step 13 in your guide :)

  64. Rob Prideaux says:

    Christopher!

    Then sacrifice a goat at the dark of the moon!!!

    Your explanations are tremendous John – but it is a tortuous process, is it not??? :)

  65. Taylor H says:

    I verified Windows Management Instrumentation (WMI) group is enabled:

    –Inbound Rules–

    Windows Management Instrumentation (ASync-In)

    Windows Management Instrumentation (DCOM-In)

    Windows Management Instrumentation (WMI-In)

    –Outbound Rules–

    Windows Management Instrumentation (WMI-Out)

    Yet, I cannot connect with the Hyper-V Manager unless I disable the firewall on the Server Core Install.  

    What did I miss?

  66. AndrewL says:

    This guide is worth its weight in Gold, If it were printed on paper 100 times. Thanks a lot.

  67. Mads Nissen says:

    Hi!

    I also had the empty WMI root node issue. For me it was due to my client machine firewall settings. Had Norton running and it didn’t ask (as it usually does) about the ports being used for WMI. Turned it off and the WMI tree appeared.

  68. Tom Lantz says:

    Hi John! Thanks for the great information. I have a strange problem. I cannot connect to server running Hyper-V from my laptop running Vista SP1 but I can connect from other workstations running Vista SP1. Seems like the problem is on my machine but I am not sure where to look. Any thoughts would be helpful.

  69. PBaldwin says:

    Hello John – Followed your guide but couldn’t get the Hyper-V Manager to connect so went back to the beginning. I get to the WMI edits, attempt to add a user and rather than be prompted for username/password I get "The program cannot open the required dialog box because it cannot determine whether the computer named … is joined to a domain". Press close and I get the "RPC Server Unavailable". It worked a few hours ago!

  70. PBaldwin says:

    Hi John – Nope, times were alright.

    Tried "netsh firewall set service fileandprint enable": Humm, I’ll review the hole this makes later, but it got by the WMI hurdle mentioned above.

    Couldn’t then add a user/group to WMI Security (just like you describe for AZMan) so edited the Authenticated User entry. Nope, still can’t connect Hyper-V Manager to server (I’m still running as Administrator on client – same password on server).

    So try "CMDKEY" as per your Part 5: The Hyper-V Manager springs to life with connection to server! Whipee! (And I can again add users to WMI Security and the "Local Users and Groups" snap-in is now functional as a bonus!).

    Now I logon as my ordinary user on the client and again use CMDKEY. Damn, Hyper-V Manager doesn’t give me the previous error box but instead says "the Virtual Machine Management service is not available".

    Almost there: Any suggestions?

    Thanks

    Paul

  71. PBaldwin says:

    Update: In replacing the Authenticated User WMI Security entry with "Hyper-V Administrators" I’d neglected a tick for "enable account". I also found that my XML edits for AZMan had gone (don’t think I should have renamed the server after editing it). BTW running CMDKEY didn’t get me out of hand-editing this file!

    On reboot everything is just rosy.

    Don’t know why I needed CMDKEY to make this work. Might help others struggling with this. But thanks for this article because there is no way I’d have got this far without it!

    Paul

  72. Timbo says:

    John – Thanks for the great guide.. never thought trying to setup a system without a domain would cause so much trouble.

    I’m Having the same problem as GEORGE stated previously.  Followed everything to the tee… and all worked as expected until attempting to run the New -> Virtual Machine… which yields an error "Loading Wizard Page Failed. You might not have permissions to perform this task"

    You can move the pop-up away, but after you finish entering details it gives another error "The server encountered an error while configuring hard disk on <machinename>. You might not have the permission to perform this task."

    Looking at the location it has created two folders "Virtual Machines" and "Snapshots", so it doesn’t appear to be a disk permissions issue.  I was able to finish the Wizard without attaching a disk.

    When trying to add a Hard Disk after the Virtual Server is "The Server encountered an error trying to create the virtual hard disk.  You might not have permissions to perform this task".

    So I got everything else but a disk?  Any ideas.

  73. Tim says:

    Hyper-V Manager Client:   6.0.6001.18004

    Not sure how to tell on the server side.

  74. Tim says:

    John – Thanks Again, worked like a charm.

    Just for others to note…

    wmic qfe list    (to get a list of installed patches)

    Wusa.exe Windows6.0-KB950050-x64.msu /quiet    (to install on core)

    Cheers!  

  75. Jason says:

    Great Walkthrough!!  Thanks for the help.  I couldn’t connect after running through the tutorial, though.  I configured server core with Automatic Updates and trusted it to install the latest update needed for Hyper-V.  So I went through this tutorial thinking I was good-to-go.  It took me almost a full day to find the problem.  Save yourself some time and make sure you download the newest update (KB950050) and manually install it on the server!

  76. Derek Davis says:

    Great Information, but I do have an issue getting to the WMI Permissions.  When I use Computer Management MMC to attach to my Server Core machine, I navigate to the WMI Control and Right-Click on "Properties", I get

    Failed to connect to \\servername because "WMI:Access Denied"

    KB950050 is installed on Server Core, and 952627 for vista sp1 client installed on Vista 32 Bit.

    The Vista Machine is running as a virtual PC on my laptop.  Don’t know if this could cause any craziness?

  77. Amir says:

    John, Great detailed information and walk-through! Thank you for your time and sharing it.

    However, I have not been able to connect and I am getting the same "WMI:Access Denied" issue as Derek mentioned above with the difference that I am running Vista on my physical laptop.

    My laptop is joined to the domain of business corporation and the Windows Server 2008 is part of a workgroup at my home.  I have followed all the steps to the letter.  The Remote Server Administration Tools for the Hyper-V Tool is also enabled and the properly allowed through firewall extensions.  I can Remote Desktop to the server just fine and as extra caution I have added the server IP address to my "hosts" file as well.  When I try to connect to the server from Vista Hyper-V Manager, after few seconds, I get "the operation on computer ‘<the server IP address>’ failed."

    Any idea, what is missing?

    Thanks,

    Amir

  78. Derek Davis says:

    john,

    I joined my Vista machine (Actually a Vista Virtual SP1 PC on my laptop) to the domain and it worked.  I can connect to the server fine now.

    My question now is – When I installed a Virtual Server on top of the Server Core, it would not install the Network, nor the HID Miniport.  (I assume this is the mouse).

    I did not have Hyper-V slipstreamed when I installed 2K8 onto the virtual machine… so I am wondering if that might help?  Or, is there a way to update the installation of 2K8 so that KB950050 is included.  (Remember, there isn’t a network installed on the VM)

    Thanks!

  79. wminkjan says:

    Be aware of the fact that by default the user account on the ws08 server will expire. When this happens you will get the "RPC service unavailable" error.

  80. Donald Roy Airey says:

    John,

      Great post.  I’ve got a strange error.  I’m able to run Hyper-V Manager just fine when my laptop is connected to the same subnet as the Hyper-V host.  But when I take my laptop out of the data center and try to connect in over the internet, I get the RPC Error.  Everything else is the same.  Any ideas why changing from a subnet to the Internet might cause it to choke?

  81. Greg Brail says:

    Thanks so much for this blog — I was rather shocked when, after installing Hyper-V Server 2008 on a little-used PC with no domain or anything, that there was no easy way to bring up a VM on it without going through all this! But the product looks good now that I can actually use it.

    Anyway, after following these instructions, I was running in to a few problems:

    — Remote "Computer Management" works fine, but when I click on "Disk Management" the process blocks for a minute or two and displays an "RPC service unavailable" error

    — When right-clicking on the "WMI Control" part of "Computer Management" to set security policies, I was unable to expand the "Root" folder the way that the instructions described. Instead, the process blocked for a minute or two

    — Hyper-V Manager comes up fine and connects to the server, but after a minute or two it displays the "RPC service unavailable" message

    These three problems are all the same — the server cannot make callbacks to the management client using DCOM.

    In my case, the root cause was that my firewall — Windows OneCare — was blocking all incoming traffic to port 135 (the RPC service "endpoint mapper" port).

    Once I enabled incoming access to port 135, all these things worked fine.

    I should point out that first of all, I have no domains anywhere, so things might work differently in that case. And second of all, port 135 has been associated with many security holes over the years, so I told OneCare to only allow connections from my local subnet, which at least helps avoid some of them.

  82. George says:

    Microsoft is NOT ready for this solution. This is only sentence I can say.

  83. Dillon Griffiths says:

    Any thoughts why I would get this error when following step 12:

    C:\Users\administrator>net localgroup "Distributed COM Users" /add tpa01vh01\dillon

    System error 1376 has occurred.

    The specified local group does not exist.

    Thank you!

  84. Nick Ou says:

    John, Thank you very much. I did out of this issue per your walkthrough.  I used the same account administrator both on the hyper-v server and hyper-v manager (remote management client).  At step 14, I added the "authenticated user". After reboot the hyper-v server, hyper-v manager working. :) Thanks again!

    Nick

  85. David says:

    Hello John,

    I am having the same trouble as Dillon G.  I am just running the Hyper-V Server 2008 on my system.  So I have tried to run the "group.vbs" script but I am having some difficulty in creating the script on the system.

    I run the command "net localgroup" and get the following…

    C:\>net localgroup

    Aliases for \\[MyServerName]

    ———————————–

    *Administrators

    *Backup Operators

    *Certificate Service DCOM Access

    *Cryptographic Operators

    *Distributed COM Users

    *Event Log Readers

    *Guests

    *IIS_IUSRS

    *Network Configuration Operators

    *Performance Log Users

    *Performance Monitor Users

    *Power Users

    *Print Operators

    *Remote Desktop Users

    *Replicator

    *Users

    The command completed successfully.

    So I see the "*Distributed COM Users" group.  

    Any suggestions?

    Thanks,

    David

  86. Adam says:

    I had the same problem as Dillon and David, running the script showed that I indeed had the DCOM Users group, all I did to fix it was copy and paste the group from the net localgroup command into the command to add the user to the group and it worked fine – even though I could not see any notable difference between the command here, and the command I entered… Go figure…

  87. Bryan Oser says:

    Did all steps and I’m experiencing the same as David

  88. Martin says:

    I got the same error when I tried to add my user to the "Distributed COM Users group". For me it was the quotation marks that messed it up. If I just copied the command and then pasted it in to the command prompt it wouldn’t work, but when I typed the command it worked.

  89. ecscomp says:

    John,

    Question, more like questions; My Hyper-v server 2008 test scenario is on a workgroup with a vista client Remote Management. I have gone through most of the steps that I am able to perform. OKay! I am able to RDP the Hyper-v server, but not able to Hyper-V manage. I can ping the Vista RM computer from the Hyper-v server, but not able to ping the Hyper-v server from the Vista RM computer. My goal is to create 3 VM to play with EBS 2008, however it seems like I can’t pass Vista RM to create and manage the VM machines.

  90. Elbaramouny says:

    David’s problem is due to double quote format. Just remove them and retype them again in the shell

  91. M.Salah says:

    Dear Mr. John

    thank you very much

    I tried your script, but I have the same error

    "I verified Windows Management Instrumentation (WMI) group is enabled:

    –Inbound Rules–

    Windows Management Instrumentation (ASync-In)

    Windows Management Instrumentation (DCOM-In)

    Windows Management Instrumentation (WMI-In)

    –Outbound Rules–

    Windows Management Instrumentation (WMI-Out)

    Yet, I cannot connect with the Hyper-V Manager unless I disable the firewall on the Server Core Install.  

    What did I miss?"

    like Mr. Taylor

    :(

  92. Maurizio says:

    Solution for add user in "Distributed COM Users group" (STEP 12), type: net localgroup "Distributed COM Users" /add "jhoward-hp2\john". Bye!!!
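
Added example (not part of any comment above, and not the blog author's code): comments 83 to 92 trace "System error 1376" to typographic quotation marks picked up when the Step 12 command is pasted from a web page. The Python sketch below flags such characters in a pasted command and, using a simplified argument splitter that honours only the ASCII double quote, shows why the group name breaks apart; the account `HOST\john` and all function names are assumptions.

```python
import unicodedata

# Typographic characters that blog engines and word processors substitute
# for the ASCII ones a Windows command line expects.
LOOKALIKES = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",                  # curly single quotes
    "\u2013": "-", "\u2014": "-", "\u2212": "-",   # en dash, em dash, minus
    "\u00a0": " ",                                 # non-breaking space
}


def find_lookalikes(command):
    """Return (index, unicode_name, ascii_replacement) for each suspect char."""
    return [
        (i, unicodedata.name(ch, "UNKNOWN"), LOOKALIKES[ch])
        for i, ch in enumerate(command)
        if ch in LOOKALIKES
    ]


def normalize(command):
    """Replace every known look-alike with its ASCII equivalent."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in command)


def split_args(command):
    """Simplified model of argument splitting: only ASCII '"' groups words."""
    args, current, in_quotes, started = [], [], False, False
    for ch in command:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(current))
            current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        args.append("".join(current))
    return args


def review(command):
    """Summarise what a pasted command would really pass to the program."""
    hits = find_lookalikes(command)
    return {
        "safe_to_run": not hits,
        "hits": hits,
        "args_as_pasted": split_args(command),
        "args_after_fix": split_args(normalize(command)),
    }


# Constructed input: the Step 12 command as it looks after a web page has
# turned the quotes into U+201C / U+201D. HOST\john is a placeholder account.
PASTED = "net localgroup \u201cDistributed COM Users\u201d /add HOST\\john"

if __name__ == "__main__":
    report = review(PASTED)
    for index, name, repl in report["hits"]:
        print("col %d: %s (expected %r)" % (index, name, repl))
    print("as pasted :", report["args_as_pasted"])
    print("after fix :", report["args_after_fix"])
```

As pasted, the group name arrives as three separate arguments, the first of which still carries the curly quote, so no local group of that name can be found.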

  93. TMcLeod says:

    John,

    Thanks for the effort in writing (and maintaining) this blog.

    There is quite a bit of good information here. However, after following the directions exactly, I still cannot connect to Hyper-V Server 2008 from Vista SP1 in a workgroup without disabling the server firewall.

    The process is failing at step 13, because I cannot connect to the Hyper-V Server with the Computer Management mmc.  The error popup says "Computer \\VT-HYPER-V cannot be managed. (null) ‘Chose another computer’ from the Action menu to manage a different computer." Oh, so helpful.

    When I disable the firewall on the server, I can connect, albeit to only some of the management functions.

    Following your instructions above, (to M. Salah)  I have verified that both machines can ping each other at their correct (IP4) addresses and that the logon names and passwords are exactly the same. (It was necessary to use the hosts file on the client).

    Here is the output from HVRemote /show on the client:

    C:\Windows\system32>cscript \Users\Thomas\Desktop\HVRemote.wsf /show

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.3 20th Nov 2008

    INFO: Computername is DEV-PRECM70

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is Dev-PrecM70\Thomas

    INFO: Assuming /mode:client as the Hyper-V role is not installed

    ——————————————————————————-

    DACL for COM Security Access Permissions

    ——————————————————————————-

    Everyone    (S-1-1-0)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTIN\Performance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch (7)

    BUILTIN\Distributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch (7)

    NT AUTHORITY\ANONYMOUS LOGON    (S-1-5-7)

        Allow: LocalLaunch RemoteLaunch (7)

    ——————————————————————————-

    ANONYMOUS LOGON Machine DCOM Access

    ——————————————————————————-

    WARN: ANONYMOUS LOGON does have remote access

     This setting should only be enabled if required as security on this

     machine has been lowered. It is needed if you need to manage Hyper-V

     on a remote server which is either in an an untrusted domain from this

     machine, or both machines are in a workgroup.

     Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

    ——————————————————————————-

    Firewall Settings for Hyper-V Management Clients

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Hyper-V Management Clients – WMI (Async-In)

      Enabled:  Hyper-V Management Clients – WMI (TCP-Out)

      Enabled:  Hyper-V Management Clients – WMI (TCP-In)

      Enabled:  Hyper-V Management Clients – WMI (DCOM-In)

    ——————————————————————————-

    Windows Firewall exception rule(s) for mmc.exe

    ——————————————————————————-

    Private Firewall Profile is active

      Enabled:  Microsoft Management Console (UDP)

      Enabled:  Microsoft Management Console (TCP)

    INFO: Are running the latest version

    and on the server with the firewall enabled:

    Microsoft (R) Windows Script Host Version 5.7

    Copyright (C) Microsoft Corporation. All rights reserved.

    Hyper-V Remote Management Configuration & Checkup Utility

    John Howard, Microsoft Corporation.

    http://blogs.technet.com/jhoward

    Version 0.3 20th Nov 2008

    INFO: Computername is VT-HYPER-V

    INFO: Computer is in workgroup WORKGROUP

    INFO: Current user is VT-HYPER-V\Administrator

    INFO: Assuming /mode:server as the role is installed

    INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

    ——————————————————————————-

    DACL for WMI Namespace root\cimv2

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    DACL for WMI Namespace root\virtualization

    Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

    HVRemote also sets NoPropInheritAce and ValidInheritFlags

    ——————————————————————————-

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    NT AUTHORITY\Authenticated Users    (S-1-5-11)

        Allow: Exec ProvWrt EnabAct (19)

        Flags: InheritAce InheritedAce ValidInheritFlags  (18)

    ——————————————————————————-

    Contents of Authorization Store Policy

    ——————————————————————————-

    Hyper-V Registry configuration:

    – Store: msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

    – Service Application: Hyper-V services

    Application Name: Hyper-V services

    Operation Count: 33

       100 – Read Service Configuration

       105 – Reconfigure Service

       200 – Create Virtual Switch

       205 – Delete Virtual Switch

       210 – Create Virtual Switch Port

       215 – Delete Virtual Switch Port

       220 – Connect Virtual Switch Port

       225 – Disconnect Virtual Switch Port

       230 – Create Internal Ethernet Port

       235 – Delete Internal Ethernet Port

       240 – Bind External Ethernet Port

       245 – Unbind External Ethernet Port

       250 – Change VLAN Configuration on Port

       255 – Modify Switch Settings

       260 – Modify Switch Port Settings

       265 – View Switches

       270 – View Switch Ports

       275 – View External Ethernet Ports

       280 – View Internal Ethernet Ports

       285 – View VLAN Settings

       290 – View LAN Endpoints

       295 – View Virtual Switch Management Service

       300 – Create Virtual Machine

       305 – Delete Virtual Machine

       310 – Change Virtual Machine Authorization Scope

       315 – Start Virtual Machine

       320 – Stop Virtual Machine

       325 – Pause and Restart Virtual Machine

       330 – Reconfigure Virtual Machine

       335 – View Virtual Machine Configuration

       340 – Allow Input to Virtual Machine

       345 – Allow Output from Virtual Machine

       350 – Modify Internal Ethernet Port

    1 role assignment(s) were located

    Role Assignment ‘Administrator’ (Targetted Role Assignment)

      – All Hyper-V operations are selected

      – There are 1 member(s) for this role assignment

      – BUILTIN\Administrators (S-1-5-32-544)

    ——————————————————————————-

    Contents of Group Distributed COM Users

    ——————————————————————————-

    1 member(s) are in Distributed COM Users

      – VT-HYPER-V\Thomas

    ——————————————————————————-

    DACL for COM Security Launch and Activation Permissions

    ——————————————————————————-

    BUILTIN\Administrators    (S-1-5-32-544)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    Everyone    (S-1-1-0)

        Allow: LocalLaunch LocalActivation (11)

    BUILTIN\Distributed COM Users    (S-1-5-32-562)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    BUILTIN\Performance Log Users    (S-1-5-32-559)

        Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

    ——————————————————————————-

    Firewall Settings for Hyper-V

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Hyper-V (SPL-TCP-In)

      Enabled:  Hyper-V (RPC)

      Enabled:  Hyper-V (RPC-EPMAP)

      Enabled:  Hyper-V – WMI (Async-In)

      Enabled:  Hyper-V – WMI (TCP-Out)

      Enabled:  Hyper-V – WMI (TCP-In)

      Enabled:  Hyper-V – WMI (DCOM-In)

    ——————————————————————————-

    Firewall Settings for Windows Management Instrumentation (WMI)

    ——————————————————————————-

    Public Firewall Profile is active

      Enabled:  Windows Management Instrumentation (ASync-In)

      Enabled:  Windows Management Instrumentation (WMI-Out)

      Enabled:  Windows Management Instrumentation (WMI-In)

      Enabled:  Windows Management Instrumentation (DCOM-In)

    Note: Above firewall settings are not required for Hyper-V Remote Management

    INFO: Are running the latest version
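
Added example (not part of TMcLeod's comment and not HVRemote code): the access masks in the `/show` output above can be decoded and checked against its "Required for Hyper-V remote management" line. The Python below parses the WMI namespace DACL sections and lists which principals hold both EnabAct and RemEnab; the sample is a constructed excerpt modelled on that output, and the `HOST\hvadmin` entry and all function names are assumptions.

```python
import re

# WMI namespace access-right bits, listed in the order HVRemote prints them.
WMI_RIGHTS = [
    (0x00002, "Exec"),     # WBEM_METHOD_EXECUTE
    (0x00004, "FullWrt"),  # WBEM_FULL_WRITE_REP
    (0x00008, "PartWrt"),  # WBEM_PARTIAL_WRITE_REP
    (0x00010, "ProvWrt"),  # WBEM_WRITE_PROVIDER
    (0x00001, "EnabAct"),  # WBEM_ENABLE
    (0x00020, "RemEnab"),  # WBEM_REMOTE_ACCESS
    (0x20000, "RdSec"),    # READ_CONTROL
    (0x40000, "EdSec"),    # WRITE_DAC
]
REQUIRED = 0x01 | 0x20     # EnabAct + RemEnab, per the tool's "Required" line

# Separator rows; em/en dashes are accepted because web pages mangle hyphens.
SEP = re.compile(r"^[ \t]*[-\u2013\u2014]{10,}[ \t]*$", re.M)
TITLE = re.compile(r"DACL for WMI Namespace\s+(\S+)")
PRINCIPAL = re.compile(r"^\s*(\S.*?)\s+\((S-1-[\d-]+)\)\s*$")
ACE = re.compile(r"^\s*(Allow|Deny):\s*(.*?)\s*\((\d+)\)\s*$")


def decode_mask(mask):
    """Turn a numeric WMI access mask into HVRemote-style right names."""
    names = [name for bit, name in WMI_RIGHTS if mask & bit]
    unknown = mask & ~sum(bit for bit, _ in WMI_RIGHTS)
    if unknown:
        names.append("Unknown(0x%X)" % unknown)
    return names


def parse_wmi_dacls(text):
    """Return {namespace: [ACE dict, ...]} for every WMI namespace section."""
    chunks = SEP.split(text)
    result = {}
    # Layout is: preamble, then alternating title block / body block.
    for title, body in zip(chunks[1::2], chunks[2::2]):
        m = TITLE.search(title)
        if not m:
            continue
        aces, who = [], None
        for line in body.splitlines():
            p = PRINCIPAL.match(line)
            if p:
                who = (p.group(1), p.group(2))
                continue
            a = ACE.match(line)
            if a and who:
                aces.append({"principal": who[0], "sid": who[1],
                             "type": a.group(1), "mask": int(a.group(3)),
                             "printed": a.group(2).split()})
        result[m.group(1)] = aces
    return result


def audit(text):
    """Per namespace, list principals whose Allow ACE grants remote access.

    Simplified: Deny ACEs and group membership are not evaluated.
    """
    return {
        ns: [a["principal"] for a in aces
             if a["type"] == "Allow" and a["mask"] & REQUIRED == REQUIRED]
        for ns, aces in parse_wmi_dacls(text).items()
    }


def mismatches(text):
    """ACEs whose printed right names disagree with the numeric mask."""
    return [(ns, a["principal"], a["mask"])
            for ns, aces in parse_wmi_dacls(text).items() for a in aces
            if set(a["printed"]) != set(decode_mask(a["mask"]))]


# Constructed excerpt modelled on the output above. HOST\hvadmin is a
# hypothetical account added to show an ACE that meets the requirement.
SAMPLE = r"""
INFO: Assuming /mode:server as the role is installed
-------------------------------------------------------------------------------
DACL for WMI Namespace root\cimv2
Required for Hyper-V remote management: Allow, EnabAct, RemEnab, InheritAce
-------------------------------------------------------------------------------
BUILTIN\Administrators    (S-1-5-32-544)
    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)
    Flags: InheritAce InheritedAce ValidInheritFlags  (18)
NT AUTHORITY\Authenticated Users    (S-1-5-11)
    Allow: Exec ProvWrt EnabAct (19)
    Flags: InheritAce InheritedAce ValidInheritFlags  (18)
-------------------------------------------------------------------------------
DACL for WMI Namespace root\virtualization
Required for Hyper-V remote management: Allow, EnabAct, RemEnab, InheritAce
-------------------------------------------------------------------------------
BUILTIN\Administrators    (S-1-5-32-544)
    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)
NT AUTHORITY\Authenticated Users    (S-1-5-11)
    Allow: Exec ProvWrt EnabAct (19)
HOST\hvadmin    (S-1-5-21-1-2-3-1001)
    Allow: EnabAct RemEnab (33)
-------------------------------------------------------------------------------
Contents of Group Distributed COM Users
-------------------------------------------------------------------------------
1 member(s) are in Distributed COM Users
"""

if __name__ == "__main__":
    for ns, principals in audit(SAMPLE).items():
        print(ns, "->", principals)
```

On the constructed sample, `Authenticated Users` (mask 19) has EnabAct but not RemEnab (0x20), so only `BUILTIN\Administrators` and the added `HOST\hvadmin` entry are listed.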

  94. TMcLeod says:

    John,

    Thanks for the feedback.

    Some of us do configuration manually where we can, so that we have an understanding of the process for future reference. That’s why I was attempting to follow your manual instructions.

    For all those who are doing the same and are unable to connect with Computer Management (step 13, above) to a remote Hyper-V Server 2008, you need to know that Remote Administration is blocked by the firewall on Hyper-V Server 2008 by default. To fix, execute the following on command line on the Hyper-V Server 2008:

    Netsh advfirewall firewall set rule group="remote administration" new enable=yes

    For more info see:

    http://blogs.technet.com/server_core/archive/2008/01/02/configuring-the-firewall-on-server-core-for-remote-management.aspx

    Thomas

  95. Eric says:

    Client: Vista 64bit sp1

    server: 2008 core – hyper-v

    Followed your notes…after launching computer management I was not able to manage the 2008 core/hyper-v server.  It looked like a problem with WMI..

    This left me stuck at step 12/13

    Looking around the -net I found instructions to disable all firewall functions on the 2008 core server.  As soon as I did that I could run the ‘computer management’ and the hyper-v MMC functions.

    After going through your notes numerous times..either I’m missing something obvious or it’s a 64Bit issue?  

    Thoughts?

    Many thanks for your instructions, notes and willingness to work to improve all of our lives!

    later,

    eric

  96. eric says:

    Sorry!  I missed the post from December 5, 2008 about the extra blog.

    amazing how we ask a question and then immediately find the answer…

    Thanks,

    eric

  97. Roger Lipscombe says:

    On the "You may not browse the local file system when connecting to a remote Hyper-V server." error (although I get "browse the local file system when connecting to a remote Hyper-V server."):

    I suspect that it’s because the browser remembers which directory you last browsed to. I removed that directory, so it failed. But it couldn’t figure out what actually happened, so it gave me this error. Twice.

    If you type directly into the edit box, the autocomplete works fine, so it’s definitely talking to the remote filesystem.

  98. David says:

    Can you tell me how to proceed from Step 14 on a Hyper-V Server 2008 stand-alone box? How do I access the authorization manager? Also, I can remote into and even connect to computer in computer management from my Windows 2008 Enterprise Server box to my Hyper-V stand-alone box but when I ping the IP address from either side I never get a response and it always times out. Is that going to be a problem when I try to remote into Hyper-V standalone using Hyper-V Manager on my 2008 Enterprise box?

  99. dock-levy says:

    hey john

    first thank u for this article… helped me a lot!.

    i have a lenovo 3000 with intel T7250 (has intel VT)

    my bios for some reason does not have Enable VT option.

    when i use vista and virtual pc it recognize the VT and use it… but Win2K8 Hyper V does not for some reason…

    can i use the registry to enable??

  100. William Powley says:

    John,

    Everything in the manual process worked great.

    Vista x64 SP1 -> Windows 2008 Server Core

    After 3 days of searching various sites, yours covered all the areas I needed to fill in.

    Cheers!

  101. Peter Klavins says:

    Can the "RPC problem" be related to netbios not knowing the hostname? I was setting up a 2008 Core server from a 2008 Full client, and since the 2008 Full client never resolved the server name to the IP address, I was always using the IP address whenever specifying the server in your instructions. I gave up yesterday with Hyper-V Manager on the client only once out of many attempts succeeding in connecting to the server, but then showing an RPC error in the "Virtual Machines" central panel. Today, I succumbed and entered the server/ip equivalence into etc/hosts, and, cross fingers, so far Hyper-V Manager is working. The reason I hadn’t done this before is that both the client and the server are on a home DHCP network. Can your instructions include setting up the server turning on netbios broadcast (or whatever it’s called :-)) so the client computer can resolve it? There is also something wrong with HVRemote.wsf if running on a 2008 Full client, it tells me I need to install KB952627 when in fact this is not available for 2008.

    Despite these problems, thanks for your web pages and tool, without them I would be far worse off!

  102. stu says:

    hey john,

    fantastic work on the core post – youre a life saver! i think youre covered it in a consequent blog post but i found that kb950050 is absolutely necessary on the hyper-v boxes in order to use remote management tools elsewhere.

    just need to find a way to get the remote disk and device management tools up and running now :)

    cheers,

    -stu

  103. stu says:

    im working with the release by the way and still found the kb was required, even with the firewalls disabled.

    i managed to get disk management working correctly. you need to modify a gpo to allow remote pnp connectivity. alas im working on machines in a workgroup for security reasons and so had to apply a hard registry hack:

    reg add hklm\software\policies\microsoft\windows\deviceinstall\settings /v AllowRemoteRPC  /t reg_dword /d 0x1 /f

    same difference really. im having a hell of a time working out all of the different server and client side windows firewall changes that need to be applied just to allow snapin access. i guess i’ll be knocking up some internal IP for that at some stage … unless of course you happen to know whether MS have a handy reference guide? :)

    -stu

  104. stu says:

    hi again,

    working back through my build guide doc im getting stuck on step 13 unless i disable the firewall completely on the remote server. ive run through it a second time and its just not happening. fwiw the fw policy updates im applying server side are the following:

    netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

    netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

    netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

    netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

    netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes

    client side the firewall is enabled but as i say the issue only occurs when the firewall is activated on the server. i noted some feedback you made above and so applied the following to the server also:

    netsh firewall add allowedprogram program=%windir%\System32\wbem\unsecapp.exe name="WMI Control Component"

    alas that hasnt helped and ive removed it.

    obviously i can proceed with a couple of extra steps (disable fw …. run through step 13 … enable fw) but that wont be possible with a production machine so it would be good to understand how to avoid this.

    cheers,

    -stu
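An added example, not part of the comment above or of the blog author's script: rather than switching the server firewall off to get past step 13, capture the output of `netsh advfirewall firewall show rule name=all` on the server and check which of the six rule groups listed in that comment are actually effective for the active profile. The sample listing is constructed, and the field layout (`Rule Name`, `Enabled`, `Direction`, `Profiles`, `Grouping`) is assumed to match what the server prints.

```python
# The six rule groups enabled with netsh in the comment above.
REQUIRED_GROUPS = (
    "Remote Administration", "Remote Desktop", "Remote Volume Management",
    "Windows Firewall Remote Management", "Windows Remote Management",
    "Windows Management Instrumentation (WMI)")

# Constructed, abridged sample of `netsh advfirewall firewall show rule name=all`.
SAMPLE = """\
Rule Name:                            Windows Management Instrumentation (WMI-In)
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:                             Windows Management Instrumentation (WMI)

Rule Name:                            Remote Desktop (TCP-In)
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
"""

def parse_rules(text):
    """Split the listing into one dict per rule (field name -> value)."""
    rules = []
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep or not value:
            continue  # blank lines and separator rows of dashes
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def find_gaps(text, active_profile, groups=REQUIRED_GROUPS):
    """Return {group: [(rule name, reason), ...]} for groups not fully effective."""
    gaps = {g: [] for g in groups}
    seen = set()
    for r in parse_rules(text):
        g = r.get("Grouping")
        if g not in gaps or r.get("Direction") != "In":
            continue
        seen.add(g)
        if r.get("Enabled") != "Yes":
            gaps[g].append((r["Rule Name"], "disabled"))
        elif active_profile not in r.get("Profiles", "").split(","):
            gaps[g].append((r["Rule Name"], "not applied to " + active_profile))
    for g in set(groups) - seen:
        gaps[g].append((None, "no inbound rule found with this group name"))
    return {g: v for g, v in gaps.items() if v}
```

`netsh advfirewall show currentprofile` reports which profile to pass as `active_profile`. A "no inbound rule found" result on a non-English server usually means the group name is localised, as the note under step 11 points out.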

  105. stu says:

    just an fyi – i checked the isos i was provided and sure enough it wasnt the final release of windows! guess that explains it!

  106. stu says:

    ok, ive rebuilt all over again with two clients – one with the firewall enabled (as defined in my earlier post) and one without.

    with the firewall enabled i receive rpc errors and can confirm that tcp/135 is definitely open (as per greg brails post) on both.

    in addition when the server has its firewall enabled i cant connect at all from either server. its all very odd! every box is only in a workgroup and this issue occurs both for local admins and for local users accounts configured in the steps youve defined.

    is there any way of identifying the gap?

  107. Paul Kayadoe says:

    Hi john,

    Thank you for your effort, it helped me a lot.

    My problem was that the manager could not connect.

    I tried all of the above, the one thing that helped was turn off the firewall on the core.

    After I did all you suggested.

    I'll figure out later what went wrong.

    Does the manager run on Windows 7, cause it crashed 😉

    Could be because of all the fiddling.

    10x man, keep it up, its blogs like this that make IT work. 😉

  108. Paul Kayadoe says:

    Hi John,

    I’ve been very busy on other projects, and could not respond sooner.

    I’m running Windows 7 Build 7077, on virtual PC, on a local machine.

    And 2008 Core (on a server platform).

    I have solved most of my problems, reading up on your web site.

    One of them, I could connect to the core via the manager but got "RPC server connection error", with the firewall off.

    I could connect and do things but no VHD’s showed up after I created them.

    Then I read that WMI could not pass NAT, I thought, hmm I’m not using NAT right so…

    Went back to square 1 and rechecked everything.

    Including the Virtual pc, and guess what it was running thru NAT on the network adapter, called myself a dumbass, changed it and like magic all works great.

    So now I’m going to reinstall everything and do it all over again, this time the proper way.

    With all firewalls in place.

    Move it from the lab to the test environment and see what’s what.

    About the manager crashing, I have not fully looked in to it yet, but it comes right after the RPC connection error, it’s there, don’t have it any more since I can connect properly now 😉

    Could be because of the virtual environment but I’m not sure, MMC plugins are sometimes unloading slowly too but not crashing.

    I do have two questions though,

    Question one: I’m running Core, HD SCSI optimizers/drivers and such on my current servers.

    Already tried a core optimizer, and it installed ok, no errors during boot and such.

    Would it be advised to run this on the Core?

    Question two: Do you have any information on running a DC on the core?

    Already found some stuff about high availability, but do you have any other "must" read info on this?

    Well that’s it; I’ll be picking up this project again soon.

    I like it :)

    Thank you for taking the time and maintaining this site.

    Best regards

    Paul Kayadoe.

  109. Simone Meggiato says:

    Hi John,

    I have a WORKGROUP Hyper-V (English) server and a WORKGROUP Vista Client (Italian).

    I followed your instruction but I cannot connect the Hyper-V console to the server (it says that it can not connect to the RPC service) except when I disable the firewall on the server side. Disabling the firewall on the server, the client connects fine.

    Using /show with HVRemote confirms that all firewall rules for Hyper-V and WMI are enabled.

    Any idea?

    Thank you,

    Simone

  110. Antony Jordan says:

    I keep getting stuck at step 13, and cannot get any further.

    When i right click on WMI Control/properties/security there is nothing in the box at all, not even root

    In the general tab i get "Failed to connect to \\WT-HYPERV because "Win32 Access is denied."

    I have no idea how to get around this, I’ve been sitting here for 4 hours trying to get this thing to work.

  111. Toby Groves says:

    Hi,

    Having a major problem getting this working and wonder if you can help.  Basically I have a Hyper-V Server installed from a fresh ISO download taken yesterday and have allowed it to patch itself up via Windows Update.

    Connecting to this is a Win7 RC (7100) box, logged in with a duplicate username/pass.

    Have run all the script commands according to the 10-second guide and, whilst I can administer pretty much everything on the server, such as services, event logs, users, groups & disk management, trying to access Hyper-V blocks for 5-10 secs with "Connecting to Virtual Machine Management service…", then fails with the message "You might not have permission to perform this task".

    Now I’ve noted that this message is subtly different to the usual "you do not have required permission to complete this task" so I’m not quite sure what’s going on.  What could prevent the Hyper-V manager from connecting to the VMM service when all other administrative functions are working fine?

    The /show command with your script gives no issues at either end and I’ve tried completely disabling both firewalls (it’s just a test setup anyway so no great problem with that) but to no avail.

    I’ve even read through some of your old "pre-script" guides to check that elements such as the authorization manager are configured correctly and they appear to be.

    At a total loss here, any advice appreciated :)

  112. Michael Price says:

    Been through the script.  still get make sure virtual management service is running.  must have been the fine print I missed.

    can rdp and everything else except hyper v console on windows 7.  all features enabled.

  113. Felipe says:

    John,

    I wanted to thank you. Having used the other popular Hypervisor software for some time, I decided to see how things were in the Microsoft pond in regards to Hyper-V.

    After reading up a good deal on configuring Server Core, I decided that I would give Hyper-V a shot running on Windows Core.

    Knowing the task at hand would prove to be a learning experience I kept an open mind (and an open browser!).

    After struggling with Server Manager and Disk management – still not resolved – I fired up the Hyper-V console and tried to connect to my Server. I was exasperated to see the “You are not authorized” message.

    After a couple minutes of poking around I Bing’d the problem and found your site.

    I read a little more and downloaded your script. Within minutes I was installing my first VM on Hyper-V.

    Thank you so much for going above and beyond to help the Hyper-V community with your script.  

  114. Ralph Hendriks says:

    John,

    Thanks for all your hard work! I thought I would share my issues along the way, maybe it’ll help someone.

    I used two boxes, one Vista SP2 (client) and one Hyper-V Server 2008. Both are configured as being in a workgroup.

    After running your 10s I still had to do following:

    – run updates 941314, 952627, 970203 on the client

    – update the Hosts file on both sides

    – enable my Onecare firewall on the client to allow inbound traffic on port 135. (Thanks to Greg, this was one of those ‘d*mn, I knew that!’ problems.)

    As I’m configuring this network for home and small office, I’d appreciate your take on this: I’d like to run a domain controller VM that also does DHCP, DNS and perhaps some filesharing for my network. Obviously I would love to add all boxes to the domain, including the Hyper-V server. Is this wise? (I had previously thought – because my AD would be extremely empty – that I’d be able to run it on the Hyper-V Server itself, but saw you advise against this..) Thanks in advance.

    Regards,

    Ralph.

  115. Wesley says:

    Hey John, this is a great article but I am stuck.  I have a dev Hyper-V box that was unplugged from the domain and shipped to me without being removed from the domain.  Now it is in my Dev lab with no connectivity to the domain.  When I try to add the account from my lab workgroup to the DCOM Users I get a "The trust relationship between this workstation and the primary domain failed."  

    How do I get around this?

  116. mogyi says:

    I’m in the finish line, and the last step is driving me crazy.

    I was trying to edit InitialStore.xml at the server (Win2008 R2) by invoking notepad in an administrator level command prompt.

    When I’m trying to save the updated file it says : "Access denied!"

    This message is the true symbolic meaning to Microsoft’s virtualization strategy. "It’s free but You can’t use it."

    I spent so much time to get this working, that I wont stop near the finish line.  Using Win2008 R2 Hyper-V and Vista SP2.

    Your script warns about "Cannot connect to root\cimv2 on server"

    Thanks for hvremote.wsf !

    Istvan

  117. Steve says:

    great work but why is it so difficult to remote manage a Hyper V server. The time I have spent messing around trying to get this working is a bit of a joke. Both Microsoft's main rivals have a product that installs and is manageable without any fuss ? please please sort this out

  118. Alex (RG2Q TEAM) says:

    Hey Guys, I cannot add my User to some group in Core Hyper-V server, but after run in "cmd.exe" powershell and try in there type command to add user… All works.. Thanks All, sorry for my bad English….

  119. Neil says:

    Wow! I’m so unimpressed with how difficult it is to setup remote management of core Hyper-V. I currently use VMware ESX and wanted to see how Hyper-V compares. When I first used ESX & vSphere, I had it up and running in around 20 minutes with full remote management from any Windows box I choose. I had a VM running Windows in 30 minutes. After 3 hours mucking around with core Hyper-V I’m getting a little frustrated. :-( Fortunately I do have a Windows Server 2008 R2 Enterprise license, so I will see if that’s any better.

  120. Joshua Klingbeil says:

    You forgot to repeatedly remind me to make sure my passwords were the same on client and server …. shame on you … 😉

  121. Scott says:

    “Wow! I need some time off! ” said the author of the blog, a gentleman who seemingly sports the title:

    “Senior Program Manager in the Hyper-V team at Microsoft”

    This is perhaps the richest definition of irony I’ve ever seen.  The hyper-v manager DOESN’T WORK without some major tweaking.  And when, after much trial and tribulation one does get the tool to connect, the virtual disk creator hangs – until you kill it manually.  Perhaps this forum is not the time/place to plug for a vacation given the hardship your release is causing.

  122. René Hézser says:

    Thank you for this guide.

    After I removed that d….. stored password, I could connect via Hyper-V Manager.

  123. Need A. new Virtual platform says:

    This is ridiculous… all this to get a virtual platform working?  ESX requires 'certain' hardware also, so that's a no go!  I think someone needs to re-write the VM platform book, and create a 'one size fits all'

  124. Well.... says:

    thanks for the effort, but even though it got me a small step further, I still can't create VMs. Now at least the Hyper-V-Manager will connect to the core server without error, but still I get the same error message when I try to finish a VM creation. I'm very frustrated… all this tweaking and still no success. For what seems to be the simple first step. It's kind of ridiculous, really.

  126. hyper-v server 2012 says:

    Thanks for HVRemote.

    Question is this tool supports Hyper-v server 2012

    Could it be used for connection windows7  -> hyper-v server 2012

  127. hyper-v server 2012 says:

    Thank you very much for answers.

  128. A noob / freshman says:

    Hello John!

    First of all, I'm an absolute and complete beginner in Hyper-V, who has no experience in this field, and I have tried to follow the steps, which are mentioned on this page.

    Here's my (short) story: I'm currently running Hyper-V Manager as a client (with administrative rights / required permissions of course) on my (physical) machine (OS: Windows 7 Professional x86/32bit) and I've also installed Hyper-V on a virtual machine (OS: Windows Server 2008 SP1 Core x64), that is being used as a server. This "virtual server" is hosted on a PC/machine running "VMware vSphere Hypervisor (ESXi) 5.1 Update 1". (VMware vSphere Client is working well on Windows 7 Prof. 32bit and I can also log into the "Windows Server 2008 core Virtual Machine" with no hassles. I can log into the virtual machine via a "Remote Desktop Connection" with ease.) My issue is that in the properties window of "WMI Control" in the Security-tab, I don't have a namespace called "Root\virtualization" despite the fact that Hyper-V was successfully installed on my physical computer. According to the Windows Powershell, "Root\virtualization" is even considered an invalid WMI query. Is there a "rookie-friendly" way to easily create/restore this "virtualization" namespace, so I can add the appropriate permission(s)?

    Thank you in advance!

    Yours sincerely

    A freshman to Hyper-V

  129. Bruun says:

    Why doesn't Microsoft release something like vmware did with their client?