Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote
Quick links to the all parts in the series: 1, 2, 3, 4 and 5
After the many emails I’ve had about this, it seemed only appropriate to write up a detailed post (or two actually) about how to resolve this.
You will hit this problem when using the Hyper-V Vista management tools connecting to a remote Windows Server 2008 machine with the Hyper-V role enabled, and where both machines are in a workgroup (or in a domain environment where you genuinely don’t have access - but that's another blog entry).
There are several additional configuration steps you need to complete to make remote management work in a workgroup environment.
Step 1 (On Client and Server)
Make sure you are using a username and password which matches between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience).
Step 2A (On Server core installations)
See part 3 of this series
Step 2B (On Server full installations) Enable the firewall rules on the server for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
Make sure the command is successful and responds Updated 4 rules(s). Ok.
Note: The string in quotes must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what group name this is. If you now open “Windows Firewall with Advanced Security” from Administrative Tools on the start menu, you will notice four rules, three inbound and one outbound have been enabled. (It helps to sort by Group)
Step 3 (On Server) This step grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. Depending on your circumstances, you can add the individual users (they must obviously have an account already on the server), a group, or you can allow all users by select the “Authenticated Users” group. Open Component Services by typing “dcomcnfg” in the box on the start menu, and expand the menu so that “My Computer” is selected under Component Services\Computers.
Right-Click on My Computer, select Properties and select the “COM Security” tab. In the above dialog, click Edit Limits in the “Launch and Activation Permissions” area (not to be confused with the Edit Limits in the “Access Permissions” area). Click “Add…” and enter the users (or groups including “Authenticated Users” as appropriate) Click OK, then select the added user or group In the Allow column, select Remote Launch and Remote Activation, then click OK. Close Component Services
Step 4 (On Server)
Open Computer Management under Start/Administrative Tools, expanding the tree down through Services and Applications\WMI Control. Select WMI Control
Right-click on WMI Control and select properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node. IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.
Click the Security button. If the appropriate user or group does not already appear, use “Add…” as you did in Step 3 above to add them. Now select the user and click the Advanced button below the “Permissions for <user>” area. Again, make sure the user/group is selected and click Edit You need to make three changes here:
The screen should look like below. If so, click OK through the open dialogs. Repeat for the Root\virtualization namespace Click OK as appropriate to confirm all open dialogs and close Computer Management. Step 5 (On Server) This step configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. I am assuming in this walkthrough, you are using the in-box default policy and have not re-configured anything at this stage. Open Authorization Manager by typing “azman.msc” in the box on the start menu.
Right-click on the Authorization Manager and choose Open Authorization Store from the context menu. Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the system drive and select InitialStore.xml, then click OK. I’m going to keep this walkthrough as simple (!) as possible, and making my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator. In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”. Add the appropriate users or groups (here you can see the “john” account) Close the Authorization Manager MMC. IMPORTANT. You must now reboot your server for the above changes to take effect.
In part 2, I'll walk through the client configuration steps.
I followed this as far as step 5 but I don't have a directory
\ProgramData\Microsoft\Windows\Hyper-V on my W2K8 Server
I cannot find a file called InitialStore.xml
Step 2B fails on US English W2K8:
"Group cannot be specified along with other identification conditions."
Looking at the firewall rules, there are three inbound rules and one outbound rule, resembling the name, neither an exact match:
"Windows Management Instrumentation (ASync-In)"
"Windows Management Instrumentation (DCOM-In)"
"Windows Management Instrumentation (WMI-In)"
"Windows Management Instrumentation (WMI-Out)"
I really feel spoiled by how simple is is to use VMWare Server, no need for a 5 part series on how to get the remote functionality to work.
Will RTM make automate this manual configuration process to allow "seamless" remote management?
Pieter - did you copy or type the command in? If you copied, I believe the quotes are in "word" format and won't be recognised.
Mike - that directory is hidden. Navigate to it using the address bar in Windows explorer by typing c:\programdata\..... replacing c: with your system drive.
Mike (Brown) - are you using SCVMM or the in-box UI? I'm wondering this due to some of the terminology you are using. Currently SCVMM is incompatible with Hyper-V RC1, so that could be the cause of the issue. If you are using the inbox UI, please let me know and I'll assist you working out what's wrong.
I'm stuck on step 5.
I navigate to \ProgramData\Microsoft\Windows but there is no Hyper-V folder.
Hyper-V is running on core and I'm trying to access it through VIsta SP1.
Ron - are you sure you're navigating to \programdata on the remote box rather than the local Vista client (ie \\<server\programdata\.....)?
Hyper-V Monitor Gadget for Windows Sidebar
I see PingBack is't a very good feature in most blogs.
Sorry about the spam John, feel free to remove the comments above! :)
With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit
So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary
Se gestite (o pensate di gestire :) ) diversi server Hyper-V da una macchina Windows Vista SP1, questo
In the Hyper-V shiproom, we have signed off on Hyper-V RTM (Release To Manufacturing). The build and
and if I need to delegate one user administer one VM, not the entire Hyper-V machine...
How should I do ?