SC VMM 2012 RC: Understanding the Hyper-V host addition operation if Window Remote Management (WinRM) is configured using Group Policy (GPO) settings

SC VMM 2012 RC: Understanding the Hyper-V host addition operation if Window Remote Management (WinRM) is configured using Group Policy (GPO) settings

  • Comments 1
  • Likes

 

One of the  very first operational steps when using System Center Virtual Machine Manager (VMM) 2012 or an earlier version of VMM is adding a host. In VMM 2012 , this can be a Hyper-V, VMware ESX or a Citrix XenServer host. This article applies to only Hyper-V host addition.

As part of Hyper-V host addition, VMM installs an agent on the host machine. This agent communicates with the host using Windows Remote Management (WinRM) transport. We configure a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address. There can be three types of Hyper-V hosts:

1. Trusted: There is a two-way trust between the VMM management server domain and the domain that the host is in. We use HTTP over WinRM’s default port 5985 for WinRM communication.

2. Non-Trusted: There is no two-way trust between the VMM management server domain and the domain of the host. We use HTTPS over WinRM’s default port 5986 for WinRM communication.

3. Perimeter network (or DMZ): These are non-domain-joined machines. We use HTTPS over WinRM’s default port 5986 for WinRM communication.

Note:  Earlier versions of VMM used HTTP over port 80.

If you are adding a host in a domain that has WinRM-related domain-wide Group Policy (GPO) settings enabled, the WinRM listener is already configured by the GPO settings. The listener created by Group Policy might conflict with the listener SCVMM host agent created during the agent installation. In previous versions of VMM, the agent installation would fail due to a Group Policy error (details below). In VMM 2012 we have started to support some of the Group Policy configurations as described later in this article. Note that since you cannot change anything at the local level (without domain admin permissions) with a Group Policy Object (GPO)-controlled policy setting. Our current recommendation to customers is to, if possible, disable the GPO for WinRM for the domain. Another reason for this recommendation is that any change to the WinRM GPO, after the hosts have been added, can disrupt the VMM management server-to-host communication. Further below, this article provides more detailed information about what is supported and how to troubleshoot it.

 

How can you check if WinRM is configured using a GPO in your host computer’s domain?

Open the Local Group Policy Editor on the host computer or the Group Policy Management Console (GPMC). The WinRM policy settings are located under the “Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service” node. Check if any of the following policies are configured:

1. Allow automatic configuration of listeners

2. Turn on Compatibility HTTP Listener

3. Turn on Compatibility HTTPS Listener

image

 

Sometimes the policy settings might not appear in the Local Group Policy Editor. You can enumerate the WinRM listeners on the host computer to find this information. To do this, open an elevated command prompt on the host computer, and then do the following:

a) For “Automatic configuration of listeners” type “winrm e winrm/config/listener”, and then press ENTER.

image

a) For “Turn on Compatibility HTTP Listener” type “winrm get winrm/config”, and then press ENTER.

clip_image001

Supported Configurations

We only support some Group Policy configurations. If it is possible, we recommended to fully or partially (only for the hosts OU) disable the GPO that contains WinRM policy settings. To partially disable a GPO, you can exclude the host OU or host computers from the GPO. Following are the currently supported configurations:

 

Group Policy setting enabled

Allow automatic configuration of listeners

(IPv4 and IPv6 filter should be set to *)

Turn on Compatibility HTTP Listener

Turn on Compatibility HTTPS listener

Adding a trusted Hyper-V host

Host can be added successfully.

Keep in mind that if the host is added while this Group policy setting is configured, the host agent will rely on the WinRM listeners created by the policy setting. The policy settings should not be changed after you add the host. Otherwise, communication with the host will be disrupted and the host can go into a “Needs attention” state.

Host can be added successfully.

Host can be added successfully.

Adding an un-trusted Hyper-V host

Host can be added successfully.

Host can be added successfully.

Host can be added successfully.

Error

clip_image001[6]

If the host addition operation fails due to a conflict with a GPO, you will see the following error:

Error (421)

Agent installation failed on host1.contoso.com because of a WS-Management configuration error.

Recommended Action

Ensure that the Windows Remote Management service is enabled and running on the server host1.contoso.com. Additionally, in the Local Group Policy Editor (gpedit.msc), navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM), and then ensure that there are no policy settings configured for WinRM Client or WinRM Service.

Note: This error can potentially happen due to multiple other reasons and not necessarily Group Policy settings.

Additional items

Additional items to keep in mind are the following:

1. If “Automatic configuration of listeners” is enabled, it’s important that the IPv4 and IPv6 filter is set to *.

clip_image003

2. In addition to the host addition operation, the information in this article also applies to the host upgrade operation.

3. The information in this article applies to only VMM 2012 RC and later. In previous versions of VMM, host addition fails if a WinRM service-related domain-wide GPO is enabled.

Wrapping Up

I hope that you found this post helpful. Please feel free to submit feedback through the Connect site and ask questions on the VMM forums. Also, make sure to visit the VMM 2012 TechNet Library!

 

Thanks,

Radhika Gupta [MSFT]

System Center Virtual Machine Manager Development

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment