Recently we came across a case where Windows Server 2008 and Windows Server 2008 R2 servers running under Hyper-V were all failing to start one of the (five) Integration Services offered by the host.
The services created by the Integration Services are: Hyper-V Data Exchange Service Hyper-V Guest Shutdown Service Hyper-V Heartbeat Service Hyper-V Time Synchronization Service Hyper-V Volume Shadow Copy Requestor
It was the Hyper-V Data Exchange Service (vmickvpexchange) that was failing to start, and an attempt to start it manually resulted in the error: ”Windows could not start the Hyper-V Data Exchange Service service on Local Computer. Error 87: The parameter is incorrect.”
Through trial & error the problem was isolated to a group policy affecting all of the servers, and specifically the setting controlling the startup and security of the TermService service:
Computer Configuration / Policies / Windows Settings / Security Settings / System Services / Terminal Services
(Note that the display name on W2K8 is “Terminal Services” where on W2K8R2 it is “Remote Desktop Services” – but the underlying service name is consistent so the policy will correctly apply to both versions of the OS.)
Enabling this setting and even leaving it at the default of Automatic as the startup type will cause vmickvpexchange to fail in this way – the reason is because TermService is running under the context of Network Service, whereas vmickvpexchange is running under Local Service.
vmickvpexchange needs to be able to verify the state of TermService (but it does not need start/stop control), and by default the Security of the service is set to: SYSTEM (Allow: Full Control) Administrators (Allow: Full Control) INTERACTIVE (Allow: Read)
The simple workaround is to add Local Service with (Allow: Read) permission in the group policy setting’s Security list for Terminal Services / Remote Desktop Services.
Brilliant!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I've been scratching my head for a while over this one :)