John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.

Part 4. Domain joined environment: Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’


Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to all the parts in the series: 1, 2, 3, 4 and 5

So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary to perform Hyper-V remote administration in a domain joined environment.

For reference:

  • Part one is the server configuration for a full server installation in a workgroup environment
  • Part two is the client configuration for parts one and three
  • Part three is the server configuration for a server core installation in a workgroup environment
  • Part four, this post, contains the relevant bits from parts two and three as applicable to deploying remote management of Hyper-V in a domain environment
  • Setting up and the pre-requisites for Hyper-V on server core are in this post.
  • More information on server core commands is here

Follow the same steps for setting up the server core box itself as before, but remember to join the machine to the domain by using netdom join <computername> /domain:<domainname> /userd:<domain user> /passwordd:*. Don't forget to enable remote administration.


Let’s first logon as domain administrator on the Vista machine and connect to the remote machine using Hyper-V Manager. As you can see, that works fine.


Obviously running as domain administrator isn’t a practical option in anything but a contrived lab environment. So I’ve created a standard user account in the domain called “domainuser” who is not an administrator in the domain, on the server core box with the Hyper-V role enabled, or on the Vista machine. Let’s see what happens when I start Hyper-V Manager on the Vista machine targeting the remote server core box. As you can see in the screenshot below, it indicates that I am unauthorized. This is expected at this stage.


Step 1 Authorization Manager configuration

I need to authorize the domain user account for operations on the Hyper-V server, the same as I did in the workgroup environment. This is easier if I use an administrative account on the remote server core machine. For simplicity, I’m going to log back on to the Vista machine as domain administrator and configure the Hyper-V authorization policy. (Note that in the real world you don't need domain administrator; this is for simplicity in the walkthrough only.)

Log on to the Vista machine as Domain Admin, click Start/Run and enter AZMan.msc.

Now open InitialStore.xml from the %systemdrive%\programdata\microsoft\windows\Hyper-V directory on the remote server machine. Right click on Open Authorization Manager and select Open Authorization Store…


Select XML and enter the path to InitialStore.xml (or browse to it, noting that the programdata directory is hidden).


Expand the tree through Hyper-V services\Role Assignments\Administrator and select “Administrator”. Note that I’m making this walkthrough as simple as possible by making the domain user an administrator in the context of being able to perform all operations on the machine running the Hyper-V role. This does not however mean that the domain user becomes, or needs to be a local administrator on the Hyper-V machine (or on the Vista machine).


In the right-hand side of the window, right click and select Assign Users and Groups then From Windows and Active Directory….


Select the domain user account and click OK.


You can now close Authorization Manager.

Step 2 DCOM Configuration

Again, this is similar to the configuration steps necessary in the workgroup environment. You need to grant the appropriate users access rights to remote DCOM on the server. Use the same steps as in the workgroup configuration and add those users to the Distributed COM Users group.

On the Vista machine logged on with an account with administrative rights on the server core machine, click start/control panel/administrative tools/computer management.


Remember in the server core configuration steps, I allowed remote management to enable this to work. If you get an error - go back to the server core configuration steps (links at top of this post). Right Click on the top of the tree on the “Computer Management (Local Computer)” node and click Connect to another computer…


Enter the name of the remote server (jhoward-hp2 in my walkthrough)


Expand the tree down through Computer Management/System Tools/Local Users and Groups/Groups and select Distributed COM Users on the right hand side.


Double click on "Distributed COM Users", click Add… and select the appropriate users (domainuser in my walkthrough), and click OK.


Step 3. Remote WMI

This step is the same as the configuration steps necessary in the workgroup environment. You need to allow the domain user account access to the Root\CIMV2 and Root\virtualization namespaces. While Computer Management is still open from Step 2, expand out Services and Applications and select WMI Control.


Right click on WMI Control and select properties. Then switch to the "Security" tab. Expand the tree and select the "Root\CIMV2" namespace node.


IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the "Security" button. If the appropriate user or group does not already appear, use “Add…” as you did in Step 2 above to add them.



Now select the user and click the Advanced button below the “Permissions for <user>” area.


Again, make sure the user/group is selected and click Edit.


You need to make three changes here:

  • In the “Apply to:” drop-down, select “This namespace and subnamespaces”
  • In the Allow column, select Remote Enable
  • Check “Apply these permissions to objects and/or containers within this container only”

The screen should look like below. If so, click OK through the open dialogs.


Repeat for the Root\virtualization namespace


Click OK as appropriate to confirm all open dialogs and close Computer Management.

After completing this step, reboot your server for the changes you made in step 2 to take effect.
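
The grants made in Steps 2 and 3 can be read back from the client to confirm exactly what the account was given. The following Windows PowerShell script is an added example, not part of the original walkthrough or of HVRemote; the server name HYPERV-HOST is a placeholder, and the check only sees entries that name the account directly, not rights it holds through a group.

```powershell
# Added example: read back the Step 2 (DCOM) and Step 3 (WMI) grants for one
# account. Run from Windows PowerShell as a user with admin rights on $Server.
param(
    [string]$Server  = 'HYPERV-HOST',   # placeholder: your Hyper-V server
    [string]$Account = 'domainuser'     # account name used in the walkthrough
)

$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable" in the WMI security dialog
$CONTAINER_INHERIT  = 0x02   # ACE also applies to subnamespaces
$ACCESS_ALLOWED     = 0      # AceType of an Allow entry

# Step 2: list the server's local "Distributed COM Users" group via ADSI.
$group   = [ADSI]"WinNT://$Server/Distributed COM Users,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
'Distributed COM Users contains {0}: {1}' -f $Account, ($members -contains $Account)

# Step 3: fetch each namespace's security descriptor and look for an Allow
# ACE for the account that carries Remote Enable and inherits downwards.
foreach ($ns in 'root\cimv2', 'root\virtualization') {
    $result = Invoke-WmiMethod -ComputerName $Server -Namespace $ns `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        Write-Warning "${ns}: GetSecurityDescriptor failed ($($result.ReturnValue))"
        continue
    }
    $granted = @($result.Descriptor.DACL | Where-Object {
        $_.Trustee.Name -eq $Account -and
        $_.AceType -eq $ACCESS_ALLOWED -and
        ($_.AccessMask -band $WBEM_REMOTE_ACCESS) -and
        ($_.AceFlags -band $CONTAINER_INHERIT)
    })
    '{0}: Remote Enable for {1} on namespace and subnamespaces: {2}' -f `
        $ns, $Account, ($granted.Count -gt 0)
}
```

Running the same check against accounts that should not have remote access is a quick way to confirm that only the intended users were added.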

Step 4. Test it out

I logged back onto the Vista machine using the test domain user account. I started Hyper-V Manager and targeted jhoward-hp2, the remote server core machine. I then created a new virtual machine with all default settings, except selecting to add a virtual hard disk later. I started the virtual machine and connected to it. And as you can see in the screenshot below, the virtual machine is up and running (the boot failure message is expected as there’s no bootable media in the virtual machine).

Cool!


Cheers,
John.


Comments
  • Hilton - so your environment is different to the walkthrough I'm describing. I have not validated this scenario, but you will probably need to enable anonymous callbacks to make this work in your setup. Using dcomcnfg you will need to allow remote access to "ANONYMOUS LOGON". See step 7 in part two. I'm still tracking down why WMI namespace enumeration is failing in the clean environment described above in Ryan's case - as you have a mixmatch of domain and non-domain machines, it is possible you are hitting a different problem.

    I see a part 5 coming....

    Thanks,
    John.

  • Ryan - I'm running short of ideas to be honest short of me rebuilding my environment with the domain at Windows 2000 functional level.... Is there any chance you could run a network monitor trace on the vista box, or see if there's anything obvious can be seen?

    Thanks,
    John.

  • Very Interesting development here, I went ahead and removed Server Core and installed a full version of Server 2008 Datacenter with the Hyper-V RC0 update applied to it. I got it all configured and back on the domain with the exact same user permissions. I went through the above steps and applied them to the system, including the WMI Control. I am still not able to connect to the server through the Hyper-V Manager installed on my Vista SP1 box. I was able to use the Hyper-V Manager installed on the Server and was able to create and run a VM. When it booted I made sure that it said "Microsoft Hyper-V Release Candidate 0"

    Just on a side thing, I went ahead and tried to manage the WMI security remotely from my Vista SP1 box again. It had the same error as before.

    The next thing I am going to try is setting up a 2K8 domain and put both computers in there. I also found out that my previous information about my domain setup was incorrect, it is actually a native 2K3 domain. If I can get a hold of Vista Enterprise media with SP1 (I have a license for it, just not the media) then I am also going to try and see if that works.

    It really seems like it is something on my end that is messed up. If none of the above tests fix this, I think I am just going to have to stick with Hyper-V beta until Hyper-V RTM. I again want to thank you for all your help, but I don't want to waste any more of your time either. I will report back here with the results of my tests when I get them done, which might be a couple of days.

    Thanks,
    Ryan Lenkersdorfer

  • Hi John,

    My scenario is more akin to Part 3 than Part 4, the only reason I moved into here was that I am seeing the exact same authentication/WMI Control issues as Ryan.

    So, I basically have a Core box not on the domain with a CoreAdmin local administrator account, a Vista SP1 laptop not on a domain with a CoreAdmin local administrative user and a domain-joined desktop PC with Vista SP1 with a CoreAdmin limited user account (on the domain).

    With all of the above, I see the same issues that Ryan sees.

    I say, bring along part 5! :)

  • John,

    Thanks for the help (so far). I too have a mixed domain issue. My case is typical for a classroom environment. The HV host contains a unique 2k8 domain controller (Full 2008, not core). Students will connect using laptops they provide and are clearly not in this domain. I want to give them access to the Hyper-V manager from machines that are not in the domain. It is looking like I will have to give them remote logon access from where they can start it from within the domain. I have followed your instructions, but attempting to provide all permissions to 'everyone'. Still, ultimately, the wbemtest will fail to connect unless I provide a domain account.

    It is looking to me like the remote Hyper-V Manager needs to allow specification of alternate credentials so it can pass them along in the WMI calls, but there does not seem to be a way to do that.

    I thought I would pass this on and I am hoping you might find a "part 5" solution!

  • I have setup a VM running Vista Enterprise SP1 x86 and joined it to my existing domain. I was able to point it at my Hyper-V RC0 server and it was able to connect and manage Hyper-V with no additional configuration! Why I am still having problems on my Vista Business SP1 x64 box is a mystery to me. Perhaps it doesn't like Business or maybe it doesn't like 64-bit. If I can, I will try Vista Enterprise SP1 x64 and see what happens.

    Thanks again for all your help!

    -Ryan

  • So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

  • I was getting the same problem. It appears that the new management client for 2008 Hyper-V on x64 cannot connect to the Hyper-V Beta. I just installed this patch "http://www.microsoft.com/downloads/details.aspx?FamilyID=ddd94dda-9d31-4e6d-88a0-1939de3e9898&DisplayLang=en" and it fixed it for me. Hope this helps.

  • Eric - yes, absolutely correct. Remote management does not work on Hyper-V beta. This series is specific to our RC release.

    Thanks,
    John.

  • Any idea how to make this work when the hyper-v server is also a DC without a local dcom user group? Client is Vista Ultimate x64.

  • Mr. Mott - Follow part one of this series where I configure DCOM in a workgroup without using the Distributed COM Users Group, but add a domain user account instead of a workgroup account. It should work, but I haven't tried it.

    But please note - our recommendation will *always* be to run the Hyper-V role without any other roles installed, ideally on server core as well. Just in case you weren't aware.

    Cheers,
    John.

  • Excuse me for my very poor English))) I'm install s2k8 Enterprise Full + Hyper-V. My Vista x86 box with SP1 have Hyper-V manager. I perform all steps from Part 4. I connect to my Hyper-V server, with no errors. But when I attempt create new machine, I receive message "Loading Wizard page failed. You might not have permission to perform this task". My domain user account is member of Administrators groups both in my Vista box and Hyper-V server. In Authentication manager for my domain user account assigned Administrator role. Help me please to resolve my problem.

  • Oleg - I have seen this when there are incompatible versions between the management client and the server. Remote management does not work in Beta from a Vista client - I suspect that you have not applied the RC0 update to your server (KB949219). That should resolve the problem.

    Thanks,
    John.

  • I have hyper-v running on a core 2008 install in a 2k8 domain. I used your walkthrough and was able to get everything working correctly, with one exception. After I create a VM, I am unable to connect to it to install the OS. I simply get an error stating "Cannot connect to the virtual machine. Try to connect again. If the problem persists, contact your system administrator." Also at the bottom of the MMC, the heartbeat is reporting as no contact, if that helps. Hyper-V is running RC0, and the MMC is running on a 2k8 DC (for testing purposes only). Any help would be appreciated. Thanks.

  • Kyle - Can you verify a few things to start narrowing this down.

    - The "No Heartbeat" is because the Integration Services aren't installed inside the virtual machine. However, if you can't connect to the virtual machine to be able to do this, that explains that one, so it's probably not relevant.

    - On the Domain Controller, did you install KB949219 as well to get the RC0 version of the management tools installed as well?

    - Is it possible to verify if there is a firewall issue here by disabling the firewall on both the computer running the MMC and the server core installation of Hyper-V? (netsh firewall set opmode disable).

    Thanks,
    John.
