28 March 2008

Part 2 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’

Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to all parts in the series: 1, 2, 3, 4 and 5

The second part of the extra-long blog post contains the steps necessary on the client machine. Part one concentrated on the server side configuration.

Step 5 (On the client)

Step 5 mirrors step 2 in the first part of this blog post, but on the client. Note also (again for convenience more than anything else), my Vista SP1 machine is actually itself a virtual machine running on the same physical machine as the server. You’ve got to love it when you can have a somewhat recursive technology ;)
 
Enable the firewall rules on the client for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Make sure the command is successful and responds: Updated 8 rules(s). Ok.


If you now open “Windows Firewall with Advanced Security” from Control Panel/Administrative Tools on the start menu, you will notice eight rules, six inbound and two outbound have been enabled. (It helps to sort by Group)


Step 6 (On the client)

This step creates a firewall exception for the Microsoft Management Console application (mmc.exe). From an elevated command prompt, enter the following:

Netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

Make sure the command is successful and responds “Ok.”


You can verify that you succeeded in the above step by looking in the “other” Windows Firewall application. (No, I have no idea why there are two either….). Open "Network and Sharing Center" on the control panel, and click Windows firewall in the bottom left corner, then click "Allow a program through Windows Firewall" where you’ll see a new entry with the name “Microsoft Management Console”



Step 7 (On the client)

IMPORTANT!!!! You need to do this step in the following scenarios:

  • Client and server are both in a workgroup
  • Client is in a workgroup and server is in a domain
  • Client is in a domain and server is in a workgroup
  • Both client and server are in domains, but there is NO TRUST between them.  

You DO NOT NEED TO DO THIS STEP if the client and server are in either the same or trusted domains. Go to step 8.

WMI makes calls back from the server to the client. This is entirely expected (and is not Hyper-V specific). When a server is in a workgroup, the DCOM connection from the server back to the client is "anonymous". This step therefore grants the appropriate permission.

On the start menu box (yes, well spotted, I need to apply updates), type dcomcnfg and hit enter to open Component Services. If UAC is enabled, click allow when prompted or enter appropriate administrative credentials.


Expand the tree down through Component Services\Computers\My Computer, select My Computer, right-click, choose properties and select the COM Security tab.


Click Edit Limits in the Access Permissions area (do not confuse with Edit Limits in the Launch and Activation Permissions area). Select “ANONYMOUS LOGON” from the list of users, and make sure Remote Access/Allow is checked in the permissions area. Your screen should look like below.

Click OK and OK again, and close Component Services.
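
An added audit example for Step 7, not part of the original post or of HVRemote: it decodes the machine-wide DCOM access limits (the dcomcnfg "Edit Limits" list under Access Permissions, stored in the MachineAccessRestriction value under HKLM\SOFTWARE\Microsoft\Ole) and reports whether ANONYMOUS LOGON holds Remote Access. The function names and the two SDDL samples are constructed for illustration.

```powershell
# Added example, not from the original post or from HVRemote.
# Reports the machine-wide DCOM access limits that Step 7 edits in dcomcnfg
# and says whether ANONYMOUS LOGON currently holds Remote Access.

$AnonymousLogonSid = 'S-1-5-7'   # NT AUTHORITY\ANONYMOUS LOGON
$ComLocalAccess    = 0x2         # COM_RIGHTS_EXECUTE_LOCAL
$ComRemoteAccess   = 0x4         # COM_RIGHTS_EXECUTE_REMOTE

function Get-DcomAccessLimit {
    # Lists each ACE in the DACL with the Local/Remote Access bits decoded.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.RawSecurityDescriptor] $SecurityDescriptor
    )
    foreach ($ace in $SecurityDescriptor.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID that does not resolve: show it raw
        [pscustomobject]@{
            Principal    = $name
            Sid          = $sid.Value
            Type         = $ace.AceQualifier   # AccessAllowed or AccessDenied
            LocalAccess  = [bool]($ace.AccessMask -band $ComLocalAccess)
            RemoteAccess = [bool]($ace.AccessMask -band $ComRemoteAccess)
            Mask         = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

function Test-AnonymousRemoteDcomAccess {
    # True when an Allow ACE naming ANONYMOUS LOGON carries Remote Access and
    # no Deny ACE naming ANONYMOUS LOGON removes it. Only ACEs that name the
    # anonymous SID directly are considered.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.RawSecurityDescriptor] $SecurityDescriptor
    )
    $hits = @(Get-DcomAccessLimit -SecurityDescriptor $SecurityDescriptor |
              Where-Object { $_.Sid -eq $AnonymousLogonSid -and $_.RemoteAccess })
    $allowed = @($hits | Where-Object { $_.Type -eq 'AccessAllowed' }).Count -gt 0
    $denied  = @($hits | Where-Object { $_.Type -eq 'AccessDenied'  }).Count -gt 0
    return ($allowed -and -not $denied)
}

# Constructed samples in SDDL, not captured from a real machine.
# Rights: CC = 0x1, DC = 0x2 (Local Access), LC = 0x4 (Remote Access).
# Trustees: WD = Everyone, AN = ANONYMOUS LOGON.
$samples = [ordered]@{
    'Remote Access unchecked for ANONYMOUS LOGON' = 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)'
    'Remote Access checked for ANONYMOUS LOGON'   = 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;AN)'
}
foreach ($label in $samples.Keys) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $samples[$label]
    '{0}: anonymous remote access = {1}' -f $label, (Test-AnonymousRemoteDcomAccess $sd)
}

# Live check against the local registry (read-only).
$ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$bytes = $ole.MachineAccessRestriction
if ($bytes) {
    $live = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$bytes), 0
    Get-DcomAccessLimit -SecurityDescriptor $live | Format-Table -AutoSize
    'This machine: anonymous remote access = {0}' -f (Test-AnonymousRemoteDcomAccess $live)
} else {
    'MachineAccessRestriction is not present; the system default limits apply.'
}
```

On a client in the same or a trusted domain as the server, where Step 7 is not needed, a result of True for the live check means the grant was made anyway and can be reviewed.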

Step 8 (Away from the keyboard)

Take a deep breath and pat yourself on the back. Now do that again. A third time if you like. Then double-check to make sure you followed the above steps and those in part one to the letter. You did remember the step about restarting the server, didn't you?

Step 9 (On the client)

Log on as the account you have granted permissions to (“john” in my walkthrough) on the client.

Start Hyper-V Manager from Administrative Tools on the Control Panel. Enter appropriate administrative credentials if UAC is enabled and the account is not an administrator on the client.

Click Connect to Server and enter the name of the remote machine.

Watch in awe as you get a screen like below. You can also see, it took me 2 hours, 24 minutes and 19 seconds to do this walk-through documenting it step-by-step. It should take you much less time!


Cheers,
John.


Comments

# John Howard : Part 1 - Hyper-V Remote Management: You do not have the requested permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’ said:

PingBack from http://blogs.technet.com/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx

28 March 08 at 11:13 PM
# Virtual PC Guy's WebLog said:

I am feeling lazy today - but thankfully my colleagues have been working hard :-) Mike Kolitz has done

29 March 08 at 3:01 AM
# John Howard said:

More for my own reference, as I keep having to search the Internet for this document and never bookmark

29 March 08 at 6:08 PM
# Mike P said:

I use Windows One Care on my Vista PC. The settings above do not work as the Windows FW is turned off.

Can you post the specific programs, ports etc... to accomplish the same thing as listed above.

If I turn off the firewall on the Vista PC all works as advertised.

Thanks in advance

30 March 08 at 12:29 PM
# John Howard said:

Although I thought I’d finished at part two, after even more emails and comments on part one and two

30 March 08 at 8:58 PM
# John Howard said:

So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

04 April 08 at 10:49 PM
# Ivan Versluis said:

Hi John, thank you. It took me around 15 minutes to configure this remote management Hyper-V MMC console in a workgroup scenario. It works fine for me, but I had a couple of problems with copy and paste of the netsh scripts in your post and enabled the rules manually using control panel. Kind regards, Ivan Versluis

07 April 08 at 7:08 AM
# Tore said:

I have a weird problem.

I got 2 computers (main and laptop) both running vista ultimate in workgroup mode.

I have the same user\password on both but only the main one can access the hyper-v server.

The only difference I've found is that the main one uses x64 while the laptop uses Vista x86.

Any idea why one should fail when the other works perfectly?

10 April 08 at 2:41 PM
# jhoward said:

Tore -  I got your email and have just replied.

Thanks,

John.

11 April 08 at 12:50 PM
# Andrew Somervell said:

Brand new Vista x64 install, I'm getting a "Group cannot be specified along with other identification conditions" error when I enter the "netsh advfirewall firewall set rule group=”Windows Management Instrumentation (WMI)” new enable=yes" command. Any clues?

Regards,

andrew (at) somervell dot com

17 April 08 at 6:58 AM
# jhoward said:

Andrew - were you copying and pasting by any chance from above? I had exactly this error when copying and pasting when setting up another box. Have you tried typing it manually? (And no, I really can't explain why)!

Thanks,

John.

17 April 08 at 3:47 PM
# robr said:

I was pointed here after trying to connect and getting the error "Cannot connect to the RPC service, make sure your RPC service is running".

I followed all the instructions, with the exception of the firewalls steps as Windows Firewall is disabled on both computers.

My client PC is here at the office behind a firewall.  I log into a domain here at work from the PC, so it's not a workgroup config on the client side.

The server is located remotely at a data center, no firewall in front of it, windows firewall disabled, and is a standalone server.  Because of this setup, I need to get this working so I can have mouse control of the remote VMs.

Could my error be a firewall issue here at work related to RPC?  Thanks for all the work and well documented instructions.

17 April 08 at 3:48 PM
# jhoward said:

Rob - there's a couple of things here. Make sure you cover the steps in part 5 which covers a domain joined client to a workgroup server. Similar to this, but a couple of nuances.

However, what's most likely blocking this working is the external firewall you are describing. WMI/DCOM are not particularly "external firewall friendly" due to the number of ports you need to open, so I would not recommend the scenario you are trying to achieve. I'm not sure the exact list of ports you need for this - haven't tried it myself, but as I understand it the default ports are

135

49152-65535  

2179

There's a couple of articles about this you may want to read: http://msdn2.microsoft.com/en-us/library/ms809327.aspx

http://support.microsoft.com/kb/217351

If you're also behind a NAT router, I don't believe remote DCOM calls would work.

I'm not sure of your exact topology, but I would look towards a TSGateway which you can remote Hyper-V manager through and use mouse (once the integration services are installed - I have an entry a short while ago describing how to use the keyboard to drive the installation of that without mouse), or use TS directly to the server and run Hyper-V Manager on the server (unless it is Server Core).

Hope that helps.

Thanks,

John.

17 April 08 at 8:11 PM
# robr said:

Thanks very much John, I'll take a look at some of your other suggestions.  I'm running some Linux VMs, so I'm not certain integration services (in the case of SLES 10 which does have integration services installed, but I also have a Fedora VM) will solve all my mouse related issues.  I've installed them remotely without a mouse and just ssh in, but it would be nice to have access to the GNOME desktop.  

So far, Hyper-V has been absolutely brilliant, but this ONE issue just makes everything they've done so right seem tarnished.  I have to imagine a great majority of people will be running production Hyper-V servers remotely.

18 April 08 at 8:24 AM
# jhoward said:

Robr - I was thinking about this some more. With the caveat that I have never tried this, it may be possible to tunnel DCOM over HTTP using the RPC over HTTP proxy mechanism. When I get a chance, I'll build up a lab environment to see whether it's possible. There's some interesting information here: http://msdn2.microsoft.com/en-us/library/ms809302.aspx

You will still need port 2179 for the VMConnect video RDP connection though.

Thanks,

John.

18 April 08 at 4:02 PM
# robr said:

I'd absolutely love to see if you can get this working in your copious free time :).   I have previously played around with RPC over HTTP trying to get Outlook clients on the outside of our network to connect to the Exchange server behind our NATted firewall and failed miserably :).

18 April 08 at 4:18 PM
# Michael Sainz said:

John- I'm experiencing the same problem as Robr, but my topology is different. Instead of going through firewalls, mine is being routed by firewalls. I use ISA 2004 at two points to create a site to site VPN tunnel. Other MMC consoles seem to work, but this Hyper-V one does not. Again, it's not going through NAT, but in a routed environment.

I would like to be kept up to date also if you could.

-Michael

michaelsainz@(takemeout)sunsetpres.org

18 April 08 at 8:18 PM
# Andrew Somervell said:

Hahaha, you wouldn't believe how much I danced around when it worked John, you were right I had to type it in. Thank you.

So when's this all become less of a pain in the.... ? :P

A

22 April 08 at 4:10 AM
# Rhynier said:

Thank you very much! I would never have thought it would be so difficult to get Hyper-V Manager running with a remote connection. Two comments below.

1) I installed the RC0 for Hyper-V and found both on the server and my Vista SP1 client that some new firewall rules had been added which looked very much like the WMI rules (same ports, etc.), but starting with "Hyper-V". I disabled the WMI firewall rules from your steps and everything still worked.

2) The reason you can't copy and paste the firewall rules from the blog post is that the open and closing quotes are not the same ASCII character as the one on the keyboard :). I've seen this many times using Word as it replaces the quote character with fancy open and close quotes that the command prompt does not recognize.

24 April 08 at 8:08 PM
# mmcaulay said:

I couldn't get this to work until I explicitly added my user name to the appropriate steps in the server portion of this guide.  Even though that user was a member of the Administrators group on the server.  This was not enough to allow the connection. The user had to be added separately. At least on my setup. Running Server 2008 Full x64 with a client running Vista Business x86 SP1.

26 April 08 at 3:12 PM
# Greg said:

The reason the shell commands don't work if you cut and paste them is because the inverted commas - ie " " don't come across right - they must be some kind of unicode character I imagine - if you paste the command into a command prompt box, then just go back and re-type the " over the existing ones, they'll work.

02 May 08 at 10:23 PM
# Darin said:

What about if Hyper-V server and Client Vista are in different domains? Do I need to create the two identical users in both domains?

16 May 08 at 4:51 AM
# jhoward said:

Darin - untrusted domains or part of the same forest? If the latter, then part 4 should work. Untrusted domains has separate challenges which I'm still working through for a future part.

Cheers,

John.

16 May 08 at 1:14 PM
# evan said:

robr, I ran into this error message.  Not sure if my issue is the same but it ended up being that the user account I was connecting with through Hyper-v remote management tools had an expired password.  Odd error message but that is what it ended up being for me.

27 May 08 at 6:44 PM
# Tom Ace said:

I'm in!  Thanks so much.  There's no way I would've figured any of that out.

10 June 08 at 4:59 AM
# Thomas Goddard said:

Hey it works!!!  I  hope this issue is somehow resolved in the next release.  Would be great if the setup did this for us!

11 June 08 at 6:05 PM
# iWalker said:

John,

thanks a lot for this post, it is very useful.

But, in scenarios with Windows Live OneCare this solution doesn't work due to OneCare firewall restrictions :(

Only one solution turn off firewall at all... :(

15 June 08 at 6:12 AM
# Ask the Core Team said:

With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit

25 June 08 at 7:43 AM
# John Howard said:

So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

25 June 08 at 5:48 PM
# Christian said:

YOU ROCK!!!

thanks john, great walkthrough!!!

/Chris

27 June 08 at 8:39 PM
# John Howard - Hyper-V and virtualization blog said:

Soon, I promise, I will be publishing part 3 which is the workgroup server-core version of “ Hyper-V

29 June 08 at 7:49 PM
# uddhav regmi said:

I did all the way as mentioned in this article.

I have windows 2008 in vmware workstation installed as bare metal

Vista Ultimate is also in same box, as virtual.

I did all the way in vista as well as in 2008

Now, while loading Hyper V manager and connecting, I get this error exactly

Hyper-V Manager

An error occured while attempting to connect to server 10.10.10.100, check that the virtual machine management service is running and that you are authorized to connect to server

02 July 08 at 4:19 PM
# jhoward said:

I'm not sure I understand your configuration: Are you saying that Windows Server 2008 is in the virtual machine under VMWare workstation? Have you enabled the Hyper-V role (which I don't believe will succeed when the OS instance is running in a VM - never actually tried)?

Thanks,

John.

03 July 08 at 1:13 PM
# Oliver Schroeder said:

Thank you, thank you, thank you!

Regards from Germany.

Oliver

07 July 08 at 6:00 AM
# Gottfried Auer said:

Thank you - from Austria

Gottfried

22 July 08 at 4:18 PM
# Roshan said:

Thank you John for such a detailed post.

After connecting to the core server from my W2k8 full server I see the following message under Virtual Machines "You might not have permission to perform this task".

I have a windows 2008 full installation server and a core server. I did the following on the core server

assign Hostname, IP, DNS, WINS.

Enabled remote management and remote desktop

applied patches and enabled hyper-V role

Just to make things simpler I used the administrator username and gave the same password to both the machines.

Then on W2k8 full and core servers I

enabled firewall rules for WMI

Since I used the administrator account I did not have to do any changes for DCOM etc.

I rebooted the server and from the full installation server opened Hyper-V manager. I was able to connect to the core server and it displayed correctly under hyper-V manager.

But on the middle pane under Virtual Machines I got the following messages in this order

"Connecting to virtual machine management service" followed by

"You might not have permission to perform this task"

Please help

Thanks

24 July 08 at 1:19 PM
# NguyenIvan said:

I also get "Cannot connect to RPC service on 'servername' Make sure RPC Service is running" error when trying to bring up Hyper-V manager.

The issue definitely has something to do with DNS server (If you point the client and Hyper-V server dns to dns server on active directory, the problem goes away). Will figure out a way to resolve NetBIOS and DNS right.

27 July 08 at 11:44 AM
# ScottW said:

Brilliant walkthrough, and quite disappointing that it actually needs to be this complicated!

One observation and one question:

Observation: You don't need to restart the server after making the changes for it to work. Just restart the "Windows Management Instrumentation" service, which will in turn restart Hyper-V for you. Much easier than a whole reboot!

Question: What security issues are there now that you have enabled anonymous logon remote wmi to the admin workstations?

29 July 08 at 3:54 AM
# jhoward said:

Scott - correct. I was being over cautious in saying reboot. Restarting the Hyper-V services which are dependent on winmgmt is sufficient - it was just easier to say "reboot".

Obviously allowing anonymous callbacks has a security implication, but I don't know the specifics. The closest information I could find published was at http://technet2.microsoft.com/windowsserver/en/library/4c9a2873-2010-4dbb-b9dd-6a7d1e275f0f1033.mspx?mfr=true.

However, please note that you do not need to enable anonymous callbacks if both machines are in trusted domains. This is something I keep meaning to add to the walkthrough, but haven't got  round to quite yet.....

Thanks,

John.

30 July 08 at 5:04 PM
# jhoward said:

Roshan - if this is a workgroup environment, you still need to enable anonymous DCOM callbacks to the client machine (ie the Windows Server 2008 full machine in your configuration).

Thanks,

John.

07 August 08 at 1:50 PM
# Jonathan Gray said:

Great read and I can see this one is commented all over the web now..

But I followed it and it did progress me further but I now get

"Cannot connect to RPC service on 'servername'

I get this on my Vista SP1 Desktop and I have been through all stages. This is on domain (server/client).. I have all the firewall entries in but still if I disable firewall on the vista desktop  it works first time.. as soon as I enable firewall it kills it off with that message.

I am using Onecare on Vista which is the only difference I can see.

13 August 08 at 10:39 AM
# jhoward said:

Hi Jonathan - Yes, I've seen reports of OneCare which (as I understand it - never have used it) has its own firewall which blocks part of remote management. Let me see if I can get hold of a copy to install and see what the problem is to find the solution. Stay tuned...

Thanks,

John.

15 August 08 at 10:30 PM
# Jonathan Gray said:

Hi John, For those with Onecare I cracked it for me, rather than cover it here I covered it with screenshots below

http://itreallyisfun.spaces.live.com/

This is NOT replacing Johns info but dealing specifically with Onecare..

16 August 08 at 3:33 AM
# Jonathan Gray said:

Hi again John,

To update the previous blog link I sent which goes direct

http://itreallyisfun.spaces.live.com/blog/cns!34EB0BCD9D9A2686!1355.entry

That way they just get the article and not the blog entries totally unrelated.

16 August 08 at 3:44 AM
# Hiroshi Okunushi's Blog ☆ミ said:

日本語だと↓なエラーが出る件です。 「このタスクを完了するために必要なアクセス許可がありません。このコンピュータ ‘xxxxxxx’ の承認ポリシーの管理者に問い合わせてください。」

20 August 08 at 2:42 PM
# Kim said:

Brilliant! Thanks a lot! You saved my day!!!!!!!!!!! You're the hero of the month!!

27 August 08 at 8:18 AM
# JohnFF said:

With ESXi, you just download and install the VI Client and it works. Why is this so HARD???

02 October 08 at 5:25 PM
# Paul said:

JohnFF, you are so correct. The problem is that ESXi crashes when I try to install Windows Server 2008 and it doesn't read my SATA card on my other computer.

11 October 08 at 8:30 PM
# Robin said:

Thanks great walk through worked perfectly.

04 November 08 at 11:22 AM
# Geek Noise said:

Hyper-V Management Console on Vista x64

04 November 08 at 6:34 PM
# Tomohawk said:

John, thank you very much, the steps are crystal and worked like a charm

06 November 08 at 9:51 PM
# joel said:

Hello John:

I'm on my 2nd try with your directions, no joy.  Workgroup setting, Hyper-V standalone (downloaded fresh today!) with a Vista client.

All goes well until I go to use Hyper-V manager to connect. I get this error:

>>>

[Window Title]

Hyper-V Manager

[Main Instruction]

An error occurred while attempting to connect to server "VIRTUALSERVER". Check that the Virtual Machine Management service is running and that you are authorized to connect to the server.

[Content]

The computer 'VIRTUALSERVER' could not be resolved. Make sure you typed the machine name correctly and that you have network access.

[Close]

>>>>

I can RDP into the server fine.

I can ping from the SERVER to the CLIENT

I can NOT ping from the CLIENT to the SERVER (via name or IP).

Any suggestions?

Thanks in advance.

joel*

09 November 08 at 11:59 PM
# jhoward said:

Joel - first off, try and resolve the ping issue. Pings by default are disabled on Server, so try temporarily disabling the firewall and trying again. That should work by IP address at least. If name does not work, then it's a DNS issue. You can verify that by temporarily putting an entry in \windows\system32\drivers\etc on the client machine for the name and IP address of the server.

I have a stack of subsequent troubleshooting steps, but let's get the ping and DNS issue sorted out first - it's often a common cause.

Thanks,

John.

10 November 08 at 10:48 PM
# John Howard - Hyper-V and virtualization blog said:

It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I've come

14 November 08 at 8:44 PM
# Dave said:

John,

I am receiving the same "exact" error as what "Joel" has stated (above).

Error:

"An error occurred while attempting to connect to server "VIRTUALSERVER". Check that the Virtual Machine Management service is running and that you are authorized to connect to the server"

If I disable the firewall on the Hyper-V server, then my Vista client connects remotely just fine (via Hyper-V Manager).

BTW: The new "HVRemote" you uploaded last night is pretty slick!

Here is a piped text file from HVRemote of my configuration on my Hyper-V server:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation. http://blogs.technet.com/jhoward

Version 0.2 14th Nov 2008

INFO: Computername is SVSS2K8PM1

INFO: Computer is in workgroup WORKGROUP

INFO: Assuming /mode:server as the role is installed

INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

-------------------------------------------------------------------------------

Discretionary Access for WMI Namespace root\cimv2

-------------------------------------------------------------------------------

Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

HVRemote also sets NoPropInheritAce and ValidInheritFlags

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\Authenticated Users    (S-1-5-11)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

-------------------------------------------------------------------------------

Discretionary Access for WMI Namespace root\virtualization

-------------------------------------------------------------------------------

Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

HVRemote also sets NoPropInheritAce and ValidInheritFlags

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\Authenticated Users    (S-1-5-11)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

-------------------------------------------------------------------------------

Contents of Authorization Store Policy

-------------------------------------------------------------------------------

Hyper-V Registry configuration:

- Store: msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

- Service Application: Hyper-V services

Application Name: Hyper-V services

Operation Count: 33

   100 - Read Service Configuration

   105 - Reconfigure Service

   200 - Create Virtual Switch

   205 - Delete Virtual Switch

   210 - Create Virtual Switch Port

   215 - Delete Virtual Switch Port

   220 - Connect Virtual Switch Port

   225 - Disconnect Virtual Switch Port

   230 - Create Internal Ethernet Port

   235 - Delete Internal Ethernet Port

   240 - Bind External Ethernet Port

   245 - Unbind External Ethernet Port

   250 - Change VLAN Configuration on Port

   255 - Modify Switch Settings

   260 - Modify Switch Port Settings

   265 - View Switches

   270 - View Switch Ports

   275 - View External Ethernet Ports

   280 - View Internal Ethernet Ports

   285 - View VLAN Settings

   290 - View LAN Endpoints

   295 - View Virtual Switch Management Service

   300 - Create Virtual Machine

   305 - Delete Virtual Machine

   310 - Change Virtual Machine Authorization Scope

   315 - Start Virtual Machine

   320 - Stop Virtual Machine

   325 - Pause and Restart Virtual Machine

   330 - Reconfigure Virtual Machine

   335 - View Virtual Machine Configuration

   340 - Allow Input to Virtual Machine

   345 - Allow Output from Virtual Machine

   350 - Modify Internal Ethernet Port

1 role assignment(s) were located

Role Assignment 'Administrator' (Targetted Role Assignment)

  - All Hyper-V operations are selected

  - There are 1 member(s) for this role assignment

  - BUILTIN\Administrators (S-1-5-32-544)

-------------------------------------------------------------------------------

Contents of Group Distributed COM Users

-------------------------------------------------------------------------------

There are no members in Distributed COM Users

-------------------------------------------------------------------------------

Firewall Settings for Hyper-V

-------------------------------------------------------------------------------

Public Firewall Profile is active

  Enabled:  Hyper-V (SPL-TCP-In)

  Enabled:  Hyper-V (RPC)

  Enabled:  Hyper-V (RPC-EPMAP)

  Enabled:  Hyper-V - WMI (Async-In)

  Enabled:  Hyper-V - WMI (TCP-Out)

  Enabled:  Hyper-V - WMI (TCP-In)

  Enabled:  Hyper-V - WMI (DCOM-In)

-------------------------------------------------------------------------------

Firewall Settings for Windows Management Instrumentation (WMI)

-------------------------------------------------------------------------------

Public Firewall Profile is active

  Enabled:  Windows Management Instrumentation (ASync-In)

  Enabled:  Windows Management Instrumentation (WMI-Out)

  Enabled:  Windows Management Instrumentation (WMI-In)

  Enabled:  Windows Management Instrumentation (DCOM-In)

Note: Above firewall settings are not required for Hyper-V Remote Management

Thanks, Dave

15 November 08 at 9:41 PM
# jhoward said:

Dave - That's really odd if disabling the firewall on the *SERVER* makes connections start working. Can you try turning it back on again and creating a separate user account - I'm assuming you're using "Administrator" here: On server net user <username> /add *, type the password. Do same on client and make sure the passwords are the same. Then run hvremote /add:username on server. If the client is workgroup, please also run hvremote /anondcom:grant. Also remember to run hvremote /mmc:enable on the client. Try that, when logged on as the new user. If that still fails, and also fails after a reboot, please can you re-post the hvremote /show on both the client AND the server.

Thanks,

John.

15 November 08 at 10:05 PM
# Dave said:

John,

Before I setup a new user and try it, I wanted to confirm that "yes" I am using the Administrator account on both the client and server and am using the same password on both platforms.

Also, (to be more accurate in my setup), I'm actually using the Administrator group, instead of the built-in Administrator account.

Also, both platforms are in a workgroup called "WORKGROUP".

Thanks, Dave

15 November 08 at 10:37 PM
# jhoward said:

Dave - in which case, you should get the same result as creating a new user by simply running "hvremote /add:yourusername" on the server. You still need to verify the client settings though (mmc and anondcom) as this is a workgroup. It *should* work then :) I hope, anyway!

Cheers,

John.

15 November 08 at 10:55 PM
# Dave said:

John,

Disable "File and Printer Sharing" on your Hyper-V server (via Windows Firewall - Exceptions) and then try using your Vista client to connect to your Hyper-V server.

Do you get the following error after doing this?

Error:

"An error occurred while attempting to connect to server "VIRTUALSERVER". Check that the Virtual Machine Management service is running and that you are authorized to connect to the server"

If you do receive this error, then I have a question that you may be able to answer:

Why does Hyper-V Manager (on the Vista client) require the enabling of "File and Printer Sharing" on the Hyper-V server?

Thanks, Dave

16 November 08 at 2:42 PM
# jhoward said:

Dave - I'm not sure is the simple answer - I'll need to verify in my "test lab" which is all setup in my office at work (quicker than trying to set it up on my home servers) and run some network traces to work that out. Let me check tomorrow. If that is the case, as you seem to be saying, then I'll add that to HVRemote to report on in the /show and to have the ability to change in the next version....

That having been said, now you mention it, this does ring some distant bells. I'll have to have a dig through my archives in the office. Out of interest, did you deliberately change any of the firewall rules on the server before running the tool? When I was doing my testing, I used a vanilla install and only ran the tool for the configuration, so I never tried it with other combinations.

Thanks,

John.

16 November 08 at 3:13 PM
# HyperVoria said:

Announcing "HVRemote"...., a tool to "automagically" configure Hyper-V Remote Management

17 November 08 at 4:34 PM
# Dave said:

John,

I also noticed the following:

HVRemote commands do not work on the Hyper-V server unless you are the "Built-in" Administrator. If you use another "Administrator" account or "User" account, you will receive a "Failed to call GetSecurity Descriptor" and will stop at the "Cimv2 Namespace".

All HVRemote commands work fine on the Vista client.

Thanks, Dave

17 November 08 at 5:14 PM
# jhoward said:

Dave - I should have made it a bit clearer in the post (and I can make a check in the code if I can work out how). You must run the script as an administrator from an elevated command prompt. Without elevation, or running it as a standard user will give exactly that error. It should work when elevated by any account that is a local administrator.

Thanks,

John.

17 November 08 at 5:23 PM
# jhoward said:

Dave - regarding your earlier question about file and printer sharing, I can't repro this. I have a Hyper-V Server (rather than 2008) and ran "netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no", even restarted the server and connected from a vista box successfully. Is it possible you have other firewall software running on the server?

Thanks,

John.

17 November 08 at 5:44 PM
# Dave said:

Hi John,

I have Windows 2008 DataCenter Edition with the Hyper-V role installed. Do you have the standalone Hyper-V Server version that does not include additional roles (other than the Hyper-V role)? Does it boot up to a blue configuration box? on top of a WinPE (green background)?

BTW: I haven't changed any of the Windows Firewall settings.

Thanks, Dave

17 November 08 at 8:16 PM
# Dave said:

How come HVRemote operates in Windows Vista without having to elevate the command prompt? HVRemote runs as a standard "User" or "Administrator" without having to run in an elevated command prompt.

Do the settings (ex: "Cimv2 Namespace, etc") that HVRemote needs to configure require elevated privileges to set them up properly?

Thanks, Dave

17 November 08 at 8:25 PM
# jhoward said:

Dave - actually not quite true. You can /show the settings as an administrator from an unelevated command prompt on a Vista client, but not change the /mmc or /anondcom settings - you will hit permission denied.

Similarly on the server, you cannot read the security permission for a WMI namespace unless you are elevated. I'm pretty sure this is related (for WMI) to UAC token filtering as described http://msdn.microsoft.com/en-us/library/aa826699(VS.85).aspx. However, in both client and server cases, this is really a question for those who developed the security model rather than for myself who's trying to manipulate it :)

So nutshell.... you still need to be elevated on both client and server to do anything useful.

Thanks,

John.

17 November 08 at 8:57 PM
# jhoward said:

re "I have Windows 2008 DataCenter Edition with the Hyper-V role installed. Do you have the standalone Hyper-V Server version that does not include additional roles (other than the Hyper..." question. Not sure I understand the question, but I've tried this on full and Hyper-V Server with no repro.

Microsoft Hyper-V Server is not based on WinPE - it should have a black background with a default install, so not sure where green comes into this.

Realistically, if you're still having problems here, please run hvremote /show /debug:verbose on the server and the client and let's see if there's some other clue in there. Email link is at the top.

Thanks,

John.

17 November 08 at 9:02 PM
# Microsoft, su tecnología y yo said:

Hello. An essential tool for configuring servers with Hyper-V so that they can be manage

18 November 08 at 3:49 PM
# David Overton's Blog said:

In my last post on installing Hyper-V for my home setup I said I had a number of issues. One was

22 November 08 at 8:45 PM
# Zoltan said:

Hello

We tested it brutally.) Turned off the firewall also on the Vista and also on the server. Nothing, the same RPC error. As I plug back the Vista to the local network, everything works fine. So? Any idea?

I can ping the server by name from client and back.

But I can not nslookup it, but I really don't understand why it is needed?

24 November 08 at 10:48 AM
# jhoward said:

Zoltan - I answered your other comment on the HVRemote article. Please follow up on that one.

Thanks,

John.

24 November 08 at 11:14 AM
# Kyle said:

I'm completely stumped... I have three systems, one Hyper-V server 2k8 (server core install w/ hyper-v role), a windows server 2008 standard edition install and the last being my Vista SP1 workstation.

I am trying to connect to the Hyper-V role on the server-core install via remote management on my Vista box and I am getting the authorization policy error that has been posted a million times. I have run hvremote on both my client machine and the remote server-core instance.

It is important to note that I can connect to the hyper-v role on the server-core instance from my win2k8 standard edition box that also has the hyper-v role installed and configured. So I can remotely manage the hyper-v role on the server-core system from the 2k8 server but not my vista box.

I do not have the firewall enabled on the server-core or my vista box. All systems are in the same domain and are in the same subnet with no ACLs between them. The fact that I can remotely manage it from another server instance but I can't from my vista box tells me that it is a problem with my workstation's security. Also important to note that I cannot remotely connect to the hyper-v role on the windows server 2008 standard box either.

I have done everything multiple times and followed instructions to the letter. I have also gone out and turned off UAC on my vista box. Still nothing works...

Any ideas?

02 December 08 at 1:39 PM
# David Overton's Blog said:

In my last post on installing Hyper-V for my home setup I said I had a number of issues. One was

02 December 08 at 8:04 PM
# jhoward said:

Kyle - there really shouldn't be any need to turn off the firewall or UAC, so there's probably something really simple making this not work in your case.

Can you run hvremote /show on both the server and the vista box and send it to me using the email option at the top of my blog, or post it back as another comment?

It would be helpful also if you can verify you have the RTM management tools installed on the Vista box, rather than pre-release. RTM is KB952627.

If you can also include the output of ipconfig on both machines, and an attempt to ping by name the server from the client and the client from the server (just to verify there isn't a DNS issue as well).

Thanks,

John.

08 December 08 at 8:38 PM
# Clive said:

When copying and pasting

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

from the web page it uses the "wrong sort" of double-quotes. If you copy into Notepad, change the quotes and then copy/paste from Notepad it will work.

10 December 08 at 5:50 PM
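
The copy/paste problem Clive describes, as an added example that is not part of the original post or of HVRemote: a PowerShell helper that reports which typographic characters a pasted command contains and returns an ASCII-safe version without running it. The function name Repair-PastedCommand and the sample string are constructed here, and the mapping goes slightly beyond quotes to cover dashes and no-break spaces, which break pasted commands in the same way.

```powershell
# Typographic code points that web pages substitute, mapped to the ASCII
# character that cmd.exe and netsh expect. Keys are integer code points so
# this script file itself stays pure ASCII.
$TypographicMap = @{
    0x201C = '"'   # left double quotation mark
    0x201D = '"'   # right double quotation mark
    0x201E = '"'   # double low-9 quotation mark
    0x2018 = "'"   # left single quotation mark
    0x2019 = "'"   # right single quotation mark
    0x2013 = '-'   # en dash
    0x2014 = '-'   # em dash
    0x00A0 = ' '   # no-break space
}

function Repair-PastedCommand {
    # Hypothetical helper: returns the repaired text plus a list of findings.
    # It never executes the command.
    param([Parameter(Mandatory = $true)][string]$Command)

    $fixed    = New-Object System.Text.StringBuilder
    $findings = @()
    for ($i = 0; $i -lt $Command.Length; $i++) {
        $code = [int]($Command[$i])
        if ($TypographicMap.ContainsKey($code)) {
            # Record where the character was and what replaced it.
            $findings += [pscustomobject]@{
                Position   = $i
                CodePoint  = 'U+{0:X4}' -f $code
                ReplacedBy = $TypographicMap[$code]
            }
            [void]$fixed.Append($TypographicMap[$code])
        } else {
            [void]$fixed.Append($Command[$i])
        }
    }
    [pscustomobject]@{ Command = $fixed.ToString(); Findings = $findings }
}

# Constructed sample: the netsh command from this thread as it arrives
# after copy/paste, with curly quotes around the rule group name.
$lq = [char]0x201C; $rq = [char]0x201D
$pasted = "netsh advfirewall firewall set rule group=${lq}Windows Management Instrumentation (WMI)${rq} new enable=yes"

$result = Repair-PastedCommand -Command $pasted
$result.Findings | Format-Table -AutoSize   # list each replaced character
$result.Command                             # repaired text, ready to review and paste
```

Review the repaired text before pasting it into an elevated prompt; the helper only rewrites characters and does not validate the command itself.
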
# Dave said:

Hi John,

I run the following command on my Hyper-V server:

cscript hvremote.wsf /mode:server /show

...and receive the following error:

***** Failed to call GetSecurityDescriptor

***** Giving up as not able to get the security descriptor for the cimv2 namespace

This error is happening because I am not running the hvremote.wsf script in elevated mode.

Could you put some error checking in the code when a user is not running an elevated command prompt (like you did with the client side)?

The client-side message that you created in v0.3 was something like this:

“All client operations which change the configuration must be run from an elevated command prompt.”

Thanks, Dave

18 December 08 at 12:58 AM
# jhoward said:

Dave - I thought I *HAD* put this check into v0.3 for both client *AND* server. Are you sure you are running 0.3 on the server as well? If you are, please can you drop me an email using the option at the top of the blog.

Thanks,

John.

18 December 08 at 1:02 AM
# Dave said:

Hi John,

I'm tired tonight.

I had v0.2 on this server. I thought I had copied v0.3 on each of my Hyper-V hosts. Forgot one...I guess :+)

Thanks, Dave

18 December 08 at 1:14 AM
# Dave said:

What's this message at the bottom of the /show results:

INFO: Are running the latest version

Is the script checking its version?

Thanks, Dave

18 December 08 at 1:20 AM
# jhoward said:

Dave. Yes. See the documentation for more info.

Thanks,

John.

18 December 08 at 1:46 AM
# pascals.blog said:

Today, two tools for Hyper-V. Not brand new, but extremely useful. The first will serve you

29 December 08 at 4:50 AM
# Brett said:

I think it's pathetic it's this difficult to admin a Hyperv box. Wasn't there ever a "Man, we can't release this to the public" statement made at MS headquarters? I'm kicking myself for deciding to go this route--should have gone with VMWare.

30 December 08 at 9:10 PM
# Jacques said:

Hi, I wonder if everyone can help me. I have this same error message, but only it is on Server 2008 Standard edition with the Hyper-V role installed, but we use terminal sessions to connect to this server! Please, if anyone can help me!!

Thank you very much!

26 January 09 at 8:37 AM
# jhoward said:

Jacques - what do you mean by terminal sessions? Do you mean you are using mstsc to log on to the hyper-v server and then running the Hyper-V management client locally on the server that is being targeted?

Who is connecting? Standard users, administrators, both?

What happens if you log on to the console of the Hyper-V machine and start Hyper-V Manager? Does it connect and work correctly? In the out of box configuration, as a local administrator, this should work with no configuration needed. For users to access, you need to update authorization manager as the access denied is an expected valid denial - you haven't granted them access.

Thanks,

John.

26 January 09 at 10:00 PM
# rloureiro said:

John,

Excellent guide, it worked perfectly for me.

Thanks!

Rafael

05 February 09 at 1:36 PM
# Fabrice said:

Maybe one step is missing in the post (which is handled by the script), at least for Microsoft Hyper-V Server 2008.

For this release, no configuration seems needed on server side, all setup has to be done on Vista.

The missing step could be the cmdkey command in case of a workgroup scenario. On Vista : cmdkey /add:<server-name> /user:<admin-user-on-server> /pass:<admin-user-password>

19 February 09 at 3:25 AM
# jhoward said:

Fabrice - it depends entirely on whether you are using "The Administrator" account, and whether you are in a workgroup or domain. Generally, as "The administrator", you don't need any configuration on the server. See part 5 of the series for a scenario where you do need to use cmdkey for Hyper-V remote management.

Thanks,

John.

19 February 09 at 8:50 AM
# Evandro Reis said:

John, first of all congratulations for the great HVRemote tool. It rocks. Also, your articles are of great value. Thank you for putting them together. I have a weird situation here. I have two machines running on the same WORKGROUP and inside the same network segment (same IP class/net mask for both - 192.168.1.25 server and 192.168.1.7 client). I am able to connect to the server and change its configurations via Remote Management running on Vista SP1. But in the Virtual Machines group I get the message "RPC Server unavailable". And when I try to create new vms, HVRM creates the VHD file but crashes in the middle with the error above. In summary, I can change Hyper-V Server configuration (like default folders and virtual networks), but when I try to manage VMs (create, for instance) I get the RPC error.

Any thoughts?

Thanks again.

22 April 09 at 9:41 PM
# Evandro Reis said:

One additional comment: after getting the "RPC unavailable" error and clicking on "Refresh" Hyper-V Manager sits idle with the message: "Loading virtual machines..." and nothing happens. I am running Hyper-V as a role of a Windows 2008 Server Core.

22 April 09 at 9:49 PM
# jhoward said:

Evandro - can you post up the output of hvremote /show, plus a ping by name in each direction?

Thanks,

John.

23 April 09 at 8:55 PM
# Eric said:

Thanks John for taking the time to put this together!  I didn't use your HVRemote because I wanted to see what was involved to configure Hyper-V Manager.

You did an excellent job!  Thanks Again!

11 May 09 at 11:27 PM
# dbinfl said:

Wow!  I just followed these instructions, and indeed got this working.  So, hats off to you for taking the time to document and post this; I sure appreciate it.

Now, as to MS, maybe they could make this a little harder, but why bother since they've pretty much aced this in the PITA department (including a reboot -- wouldn't be complete without a reboot).

Thanks for this and all the other helpful posts I've found here.

cheers

22 May 09 at 11:12 PM
# Larry said:

John, you are definitely a legend!! We need guys like you around. :)

Cheers

30 June 09 at 12:01 PM
# Greg L said:

Thanks for such detailed work. I've followed the examples to a "T" but this problem persists for me: Once I've connected to the Hyper-V server from the client (Vista Ent 64, SP2), I get an RPC error. After refreshing, the detail pane simply says "loading virtual machines" but nothing ever comes up. I can manage the server settings, and have even created a VM, but I cannot see them. I disabled the firewall on both server and client and the same thing happens. Any ideas? Thanks!

09 July 09 at 12:17 PM
# Greg L said:

Ok, at the last moment, I found the source of my problem. The network adapter in my Vista client, running as a VM in Sun VirtualBox, was configured with NAT. Once I switched it to bridged, all worked fine. Thanks, sorry for the false alarm.

09 July 09 at 12:25 PM
# jhoward said:

Greg - glad you resolved it :)

Cheers,

John.

09 July 09 at 12:28 PM
# jpavly said:

Thanks a lot, that totally worked!

25 September 09 at 5:24 AM
