Comments

# Ryan said:

Again, I can't thank you enough for taking the time to find a solution for this problem. However, it is still not working for me. I got through steps one and two without any problems and then hit a snag at step three. When I go to the WMI Control Security Tab all I can see it the Root namespace, nothing below it, not even after I expand it. This shouldn't really matter because my domain user is part of the Local Administrators group on my Server Core install and that group is given full control over all of WMI by default. I am really at a complete loss here, it should be working just fine. I haven't been able to see if I can manage it from a full Server 08 install using its Hyper-V Manager so that is what I am going to have to try next.

Thanks,

Ryan Lenkersdorfer

01 April 08 at 11:01 PM

# jhoward said:

Ryan - you have enabled remote management on the server core box? I suspect that is the most likely cause.

Thanks,

John.

01 April 08 at 11:14 PM

# Ryan said:

I am able to remotely manage everything else but Hyper-V. I have enabled all the firewall rules that exist for WMI and remote administration in general on both the client and the server, still nothing. Is there some specific command that you had in mind?

Thanks,

Ryan

01 April 08 at 11:29 PM

# jhoward said:

Ryan - yes, these two specifically:

netsh advfirewall firewall set rule group=”Windows Management Instrumentation (WMI)” new enable=yes

and

netsh advfirewall firewall set rule group=”Remote Administration” new enable=yes

It's also possible that you're getting domain policy being pushed down for the firewall. Of that though, I can't comment on what's present, but it is possible you are being blocked by it.

Thanks,

John.

01 April 08 at 11:39 PM

# Ryan said:

I ran both commands, I am pretty sure I have ran them in the past as well, but it said it updated a few rules. I also went though our Group Policies and removed all policies regarding the firewall config on the server. I then ran a gpupdate on the server and restarted it. I then ran gpresult to make sure it wasn't applying anything else and tested it. Nothing. I am not sure what in the world could be wrong now. Clean install of Server 2008 Datacenter Server Core x64 with nothing else running on it. Clean install of Vista Business SP1 x64. Both on the same domain (Windows 2000 level domain if that matters), both have my domain user added to their Local Admin groups. I also get the same error if I point the Management Console at another server running Hyper-V Beta. Disabling the firewall on both client and server does nothing. It just doesn't make any sense.

Thanks,

Ryan

02 April 08 at 12:36 AM

# jhoward said:

Ryan.  Hmmmm. This seems a little odd. So first off, I'd rule out pointing a Vista SP1 RC0 Hyper-V management box at a beta Hyper-V server. That is destined for failure as there are several WMI changes between Beta and RC0. The firewall disabling similarly I can probably rule out as this is WMI/DCOM permissions most likely. I could believe there could be discrepancy between Business and Enterprise Vista (I know of one issue, but that should have been resolved in RC0) - I was using Enterprise.

There is one clear difference - my test domain is at 2K8 functional level, with only a single 2K8 DC in the picture.

So you are saying that when you go into Start/COntrol Panel/Administrative Tools/Computer Management and target the remote Hyper-V RC0 box, you can, for example, add local users in System Tools\Local Users and Groups, or view the event log, or stop/start services under Services and Applications\services just cannot get to enumerate the WMI namespaces under Services and Applications\WMI Control?

It makes no sense that _just_ WMI Control would not be working remotely (at least no sense that I can make of it). Can you confirm you have access remotely to the other examples?

Thanks for your patience!

Cheers,

John.

02 April 08 at 12:51 AM

# Ryan said:

I have just verified that I can remotely manage anything but WMI security using Computer Management on my Hyper-V RC0 box. When I open the security tab in WMI Control I see Root with a plus sign next to it. When I click on the plus sign to expand root it waits a second and then the plus sign disappears, nothing else happens. I have left it open like this for a good 5 min now and still nothing. I also know that there is a command line tool available in server core to manage WMI. It is a very complex tool and I have been unable to find good documentation on it so far. I am going to try to find out how to make the WMI security changes using that tool so I can bypass this remote WMI control problem since it is not my primary problem right now.

Thanks,

Ryan

02 April 08 at 1:12 AM

# Ryan said:

I am sorry, I forgot to mention that the WMI command line tool is wmic.exe.

Thanks,

Ryan

02 April 08 at 1:13 AM

# HiltonT said:

HI John,

Although I don't have a domain-joined Core+Hyper-V setup, I have the exact same issue - I can start and stop services via Computer Management on my Vista SP0 machine, yet I have no namespaces under Root in WMI Control.  (I also posted this, or similar, at the end of Part 3, but since Ryan's issue above is almost identical to my issue, I thought it only sensible to tag along in here instead.  :)

02 April 08 at 10:11 AM

# jhoward said:

Ryan/Hilton - can you both please confirm the details of the account you are running step 3 in. If you have the opportunity, can you confirm if you can expand the namespaces when logged on as "the" domain admin. If that is not possible, please confirm you are running this as a _domain_ user account which has local administrative rights on both the vista and remote server core machines, and not a local account.

One other interesting thing would be to run wbemtest on the Vista machine and attempt to connect to \\remoteserver\root\cimv2 and \\remoteserver\root\virtualization. Does that succeed, or do you get an access denied error?

Thanks,

John.

02 April 08 at 4:10 PM

# HiltonT said:

Hi John,

OK.  To test this, since the Core+Hyper-V in my network is not and will never be domain-joined (no sense if one of the guests is the AD controller), I created a CoreAdmin account on a laptop running Vista SP1+RSAT+Hyper-V Management Tool which is a local admin, the same as on the Core box (CoreAdmin is a local admin).  This is the laptop I take with me to onsites and use for tech work.

I can successfully connect via RDP to the Hyper-V machine and I can successfully connect to it using "net use \\qrk01hyperdev", so I know the username and password are identical on both machines.

When I try to connect to Computer Management via the laptop, I get "Error 5: Access is denied" if I try to look at the Hyper-V server's services and in WMI Control it reports that it Failed to connect to \\qrk01hyperdev because "Win32: Access is denied."'

So, this is getting curioser and curioser - why can I *almost* connect using my desktop with Vista SP1 + RSAT + Hyper-V Management Tool but I cannot even get that close using my laptop with Vista SP1 + RSAT + Hyper-V Management Tool?

This maketh absolutely no sense to me!

02 April 08 at 5:10 PM

# HiltonT said:

... and as to the wbemtest test, I can connect to both cimv2 and virtualization without errors, but past that, I'd not know what to do to know that these have actually connected properly.

So, as for not getting errors saying access is denied, it seems that this works fine.

02 April 08 at 5:40 PM

# Ryan said:

Okay, I have verified that I am running a true domain user and that the user has been added to the local administrators group on both the Vista machine and the remote server core machine. I do not have the ability to log in as 'the' domain admin but I have verified the above information.

I also used wbemtest and was able to connect to both namespaces without issues.

Thanks again for you help!

-Ryan

02 April 08 at 5:41 PM

# Ryan said:

Here are the results of "net localgroup Administrators" ran on both machines:

Remote Server Core Machine:

C:\Users\scs!admin>net localgroup Administrators

Alias name     Administrators

Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------

AD\Domain Admins

AD\rdlenk

Administrator

The command completed successfully.

Vista Workstation:

C:\Users\rdlenk>net localgroup Administrators

Alias name     Administrators

Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------

AD\Domain Admins

AD\rdlenk

Administrator

The command completed successfully.

02 April 08 at 5:48 PM

# Ryan said:

Our domain here is "AD" and both computers are joined to it. My domain username is AD\rdlenk, so it is defiantly added to both admin groups and it is defiantly a domain account.

Thanks,

Ryan

02 April 08 at 5:50 PM

# jhoward said:

Hilton - so your environment is different to the walkthrough I'm describing. I have not validate this scenario, but you will probably need to enable anonymous callbacks to make this work in your setup. Using dcomcnfg you will need to allow remote access to "ANONYMOUS LOGON". See step 7 in part two. I'm still tracking down why WMI namespace enumeration is failing in the clean environment described above in Ryans case - as you have a mixmatch of domain and non-domain machines, it is possible you are hitting a different problem.

I see a part 5 coming....

Thanks,

John.

02 April 08 at 7:20 PM

# jhoward said:

Ryan - I'm running short of ideas to be honest short of me rebuilding my environment with the domain at Windows 2000 functional level.... Is there any chance you could run a network monitor trace on the vista box, or see if there's anything obvious can be seen?

Thanks,

John.

02 April 08 at 7:31 PM

# Ryan said:

Very Interesting development here, I went ahead and removed Server Core and installed a full version of Server 2008 Datacenter with the Hyper-V RC0 update applied to it. I got it all configured and back on the domain with the exact same user permissions. I went through the above steps and applied them to the system, including the WMI Control. I am still not able to connect to the server through the Hyper-V Manager installed on my Vista SP1 box. I was able to use the Hyper-V Manager installed on the Server and was able to create and run a VM. When it booted I made sure that it said "Microsoft Hyper-V Release Candidate 0"

Just on a side thing, I went ahead and tried to manage the WMI security remotely from my Vista SP1 box again. It had the same error as before.

The next thing I am going to try is setting up a 2K8 domain and put both computers in there. I also found out that my previous information about my domain setup was incorrect, it is actually a native 2K3 domain. If I can get a hold of Vista Enterprise media with SP1 (I have a license for it, just not the media) then I am also going to try and see if that works.

It really seems like it something on my end that is messed up. If none of the above tests fix this, I think I am just going to have to stick with Hyper-V beta until Hyper-V RTM. I again want to thank you for all your help, but I don't want to waste any more of your time either. I will report back here with the results of my tests when I get them done, which might be a couple of days.

Thanks,

Ryan Lenkersdorfer

02 April 08 at 7:43 PM

# HiltonT said:

Hi John,

My scenario is more akin to Part 3 than Part 4, the only reason I moved into here was that I am seeing the exact same authentication/WMI Control issues as Ryan.

So, I basically have a Core box not on the domain with a CoreAdmin local administrator account, a Vista SP1 laptop not on a domain with a CoreAdmin local administrative user and a domain-joined desktop PC with Vista SP1 with a CoreAdmin limited user account (on the domain).

With all of the above, I see the same issues that Ryan sees.

I say, bring along part 5!  :)

02 April 08 at 10:42 PM

# Tim said:

John,

Thanks for the help (so far).  I too have a mixed domain issue.  My case is typical for a classroom environment.  The HV host contains a unique 2k8 domain controller (Full 2008, not core).  Students will connect using laptops they provide and are clearly not in this domain.  I want to give them access to the Hyper-V manager from machines that are not in the domain.  It is looking like I will have to give them remote logon access from where they can start it from within the domain.  I have followed your instructions, but attempting to provide all permissions to 'everyone'.  Still, ultimately, the wbemtest will fail to connect unless I provide a domain account.

It is looking to me like the remote Hyper-V Manager needs to allow specification of alternate credentials so it can pass them along in the WMI calls, but there does not seem to be a way to do that.

I thought I would pass this on and I am hoping you might find a "part 5" solution!

03 April 08 at 10:14 AM

# Ryan said:

I have setup a VM running Vista Enterprise SP1 x86 and joined it to my existing domain. I was able to point it at my Hyper-V RC0 server and it was able to connect and manage Hyper-V with no additional configuration! Why I am still having problems on my Vista Business SP1 x64 box is a mystery to me. Perhaps it doesn't like Business or maybe it doesn't like 64-bit. If I can, I will try Vista Enterprise SP1 x64 and see what happens.

Thanks again for all your help!

-Ryan

04 April 08 at 6:07 PM

# John Howard said:

So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

04 April 08 at 10:49 PM

# Eric Liddon said:

I was getting the same problem.  It appears that the new management client for 2008 Hyper-V on x64 cannot connect to the Hyper-V Beta.  I just installed this patch "http://www.microsoft.com/downloads/details.aspx?FamilyID=ddd94dda-9d31-4e6d-88a0-1939de3e9898&DisplayLang=en" and it fixed it for me.  Hope this helps.

09 April 08 at 2:59 PM

# jhoward said:

Eric - yes, absolutely correct. Remote management does not work on Hyper-V beta. This series is specific to our RC release.

Thanks,

John.

09 April 08 at 3:04 PM

# Mr. Mott said:

Any idea how to make this work when the hyper-v server is also a DC without a local dcom user group?  Client is Vista Ultimate x64.

15 April 08 at 9:32 PM

# jhoward said:

Mr. Mott - Follow part one of this series where I configure DCOM in a workgroup without using the Distributed COM Users Group, but add a domain user account instead of a workgroup account. It should work, but I haven't tried it.

But please note - our recommendation will *always* be to run the Hyper-V role without any other roles installed, ideally on server core as well. Just in case you weren't aware.

Cheers,

John.

15 April 08 at 10:32 PM

# Oleg Krylov (Russia) said:

Excuse me for my very poor English))) I'm install s2k8 Enterprise Full + Hyper-V. My Vista x86 box with SP1 have Hyper-V manager. I perform all steps from Part 4. I connect to my Hiper-V server, with no errors. But when i attempt create new machine, I recive message " Loading Wizard page failed. You might not have permission to perform this task". My domain user account is memmber of Administrators groups both in my Vista box and Hyper-V server. In Authetication manager for my domayn user account assigned Administrator role. Help me please to resolve my problem.

18 April 08 at 4:19 AM

# jhoward said:

Oleg - I have seen this when there are incompatible versions between the management client and the server. Remote management does not work in Beta from a Vista client - I suspect that you have not applied the RC0 update to your server (KB949219). That should resolve the problem.

Thanks,

John.

21 April 08 at 10:44 PM

# Kyle said:

I have hyper-v running on a core 2008 install in a 2k8 domain.  I used your walkthrough and was able to get everything working correctly, with one exception.  After I create a VM, I am unable to connect to it to install the OS.  I simply get an error stating "Cannot connect to the virtual machine. Try to connect again. If the problem persists, contact your system administrator."  Also at the bottom of the MMC, the heartbeat is reporting as no contact, if that helps.  Hyper-V is running RC0, and the MMC is running on a 2k8 DC (for testing purposes only).  Any help would be appreciated.  Thanks.

07 May 08 at 8:37 AM

# jhoward said:

Kyle - Can you verify a few things to start narrowing this down.

- The "No Heartbeat" is because the Integration Services aren't installed inside the virtual machine. However, if you can't connect to the virtual machine to be able to do this, that explains that one, so it's probably not relevant.

- On the Domain Controller, did you installed KB949219 as well to get the RC0 version of the management tools installed as well?

- Is it possible to verify if there is a firewall issue here by disabling the firewall on both the computer running the MMC and the server core installation of Hyper-V? (netsh firewall set opmode disable).

Thanks,

John.

07 May 08 at 9:04 PM

# Kyle said:

John,  Thanks for the quick reply.  I have verified that KB949219 has been installed on the DC.  After I disabled the firewall on both servers, I was able to connect.  I double checked my firewall policy to ensure that I did have the inbound rule set to allow "Hyper-V Management Clients - WMI (Async-In, DCOM-In, and TCP-In)" on the DC.  Is there another rule that I have overlooked?  Thanks,

Kyle

08 May 08 at 10:32 AM

Leave a Comment

Comment Policy: No HTML allowed. URIs and line breaks are converted automatically. Your e–mail address will not show up on any public page.

Name (required) 

Your URL (optional)

Comments (required) 

Remember Me?