14 November 2008

Configure Hyper-V Remote Management in seconds

Update 19th Nov - v0.3 now released! 

It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I've come up with something worth waiting for. Announcing "HVRemote", a tool to "automagically" configure Hyper-V Remote Management. (Amazing what can be done with a few days' vacation to kill before you lose them at the end of the year.)

I'm not going into the gory detail here as I've created a PDF containing the documentation, and a site at http://code.msdn.microsoft.com/HVRemote where you can download the tool and the documentation. All I ask is that if you find the tool useful, drop me an email or a comment. Thanks!

What does the tool do? It reduces the manual configuration steps needed for Hyper-V Remote Management, which I blogged about back in March this year (parts 1, 2, 3, 4 and 5), down to one or two commands.

  • It can configure Full installations and Server Core Installations of Windows Server 2008 with the Hyper-V role enabled, plus configure Microsoft Hyper-V Server. It runs across all locales (I've tested English and Japanese) and it doesn't matter if the server is domain or workgroup joined.
  • It can configure Vista SP1 and Server 2008 configured with the Hyper-V Remote Management tools. Again, doesn't matter if the client is domain or workgroup joined.

Quick how-to:

1. Server: To give or remove a user access permissions:

       hvremote /add:domain\user                  or
       hvremote /remove:domain\user


2. Server & Client: Display current settings (server or client): (Screenshot is client side)

       hvremote /show


The other useful options are:

3. Find out all the command line options: hvremote /help or hvremote /?


and a couple of client side options:

4. Client: Add firewall exception for MMC: hvremote /mmc:enable
5. Client: Allow anonymous access to Distributed COM: hvremote /AnonDCOM:grant

I've tried this out with a lot of test "guinea pigs" internally at Microsoft, and using the script literally dropped their remote configuration time down to seconds. Hopefully it will do the same for you.

But I must also point you to the disclaimer on my blog, the disclaimer in the documentation, and the license conditions at http://code.msdn.microsoft.com/HVRemote before use:

HVRemote and the associated documentation are provided "as-is". You bear the risk of using it. No express warranties, guarantees or conditions are provided. It is not supported or endorsed by Microsoft Corporation and should be used at your own risk.

Cheers,
John.


Comments

# John Howard - Hyper-V and virtualization blog : Part 1 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer 'COMPUTERNAME' said:

PingBack from http://blogs.technet.com/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx

14 November 08 at 8:53 PM
# Paul said:

Josh,

Great tool.  

I've been playing around with Hyper-V Server 2008 in a workgroup configuration for over a week now, and I can not figure out, for the life of me, how to configure 'Local Security Policies', including User Rights!!!   When I launch a Group Policy Object Editor MMC remotely, it provides access to the Administrative Templates, etc, but not local policies.

Now, the reason I need access to local policies in the first place is that I'm trying to figure out how to configure Hyper-V to run under a different user-account (...other than local system).  The reason being is that I have several NAS devices on my network setup with SMB shares, hosting all of the necessary ISOs for use with Hyper-V.  Rather than having to copy them all locally over to the Hyper-V Server, I want to be able to mount ISOs from the SMB shares on the NAS devices from all of my VMs.  I figure by creating an identical user account on the NAS devices to the one which the Hyper-V service(s) run as, this should provide a nice solution to my problem.

As of now, I've created a user called 'HyperVService', and added the user to the Administrators, and Remote Com Users security groups; however, when I attempt to start Hyper-V Machine Management service using this account, it errors out, claiming that the account lacks privileges.  ha.... Unfortunately, I can't begin assigning rights to the account using security policy until I can somehow gain access to it.   As a side note, I've already granted the 'HyperVService' user all authorization rights / privileges in Authorization Manager (as specified in your article).

I apologize for the extent of this comment, but if you can help in any way, it would be much appreciated.

15 November 08 at 5:17 AM
# jhoward said:

Paul, thanks.

Kudos for your experimentation, but I think it is futile. Sorry to say! :) You're heading in a direction which is well into the realms of unsupported and untested. Changing the account under which the service runs may cause all sorts of side effects (I can think of at least one).

In a domain environment, to access a network ISO, you need to add the machine account to the share for read permissions (ie domain\machinename$). On top of that, if you are remotely administering the Hyper-V server, you need to setup constrained delegation. However, I'm 99.8% sure that you will not be able to get ISOs on a network share to work in a workgroup setting, and to the best of my knowledge, there isn't a workaround for this apart from copying the ISO locally. Sorry!

Cheers,

John.

15 November 08 at 10:01 AM
# TONYSO said:

Hyper-V How to: Configure Hyper-V Remote Management in seconds John's blog post describes his HVRemote

15 November 08 at 6:42 PM
# Paul said:

I appreciate such a quick response.   I searched TechNet forums, and someone was able to get it to work... ...unfortunately they did not leave enough detail in the post.  Also, their installation was a full-install of 2K8, not Core, so they had direct access to local security policy for assigning account rights.  Either way, until Microsoft officially addresses this issue in a supported manner, I'm not going to attempt an unsupported work-around in any sort of production environment, so I guess there is no point looking into this further.

On that note, what about local user rights... ...as in editing local policy on Server Core or Hyper-V Server in a workgroup environment?  Does Microsoft provide a supported method for editing these policies?  

Thanks again.

16 November 08 at 5:23 AM
# jhoward said:

Paul

Secedit and generating the policy from another machine are your answer. Take a look at these two posts:

http://blogs.msdn.com/neilhut/archive/2007/11/06/managing-local-policy-on-a-windows-server-core-installation-set-to-workgroup-config.aspx

http://social.technet.microsoft.com/forums/en-US/winservercore/thread/cedf320b-cbf5-4f32-b37c-5d44706181dc

Thanks,

John.

16 November 08 at 1:32 PM
# Hans Vredevoort said:

Hi John,

You mentioned that your tool should not be used if Virtual Machine Manager 2008 is used for managing Hyper-V hosts. It does not explain why. Can you elaborate on that?

Thankx,

Hans Vredevoort

16 November 08 at 2:19 PM
# jhoward said:

Hi Hans - sure. Apart from the "I haven't done any testing with SCVMM in the picture" answer, there is at least one very good reason. SCVMM replaces the default authorization store with one which they maintain. Any changes made by this tool made to their store would (as I understand it, but I'm not on the SCVMM team) be overridden regardless by their agent (or a combination of the SCVMM server pushing policy down through their agent). For this reason on my list for v0.3 is a hard block if it is detected that the server is being managed by SCVMM.

Thanks,

John.

16 November 08 at 2:35 PM
# Hans Vredevoort said:

Thanks John,

That's the explanation I was looking for. As a VMM2008 user, I would appreciate a check on this as azman stores might get mixed up. I appreciate your work as I have tried all the steps in your blog and know how easy it was to forget one step, make a spelling error or some other mistake. So now you have a nice and clean solution for remote Hyper-V management from Vista and Windows Server 2008 computers.

16 November 08 at 2:53 PM
# robtheailean said:

Dear John,

Firstly - you should have more vacation time!

I basically gave up on HyperV some months back - as try as I may, I could not get the remote mgmt working - on a core install. Also, for the life of me, could not see why you would run Hyper V on a "Full" install - may as well use VS 2007/VMW's free server product!

This is a tremendous tool~ it seems to address all the "overlooked/missing" functionality in the Core/HyperV scenario.

I lost track of the hours I wasted on this previously - and as a small shop, time is never in any real abundance...

Many thanks for a great piece of work

Rob

16 November 08 at 3:31 PM
# Paul said:

Hey John,

I had already seen both of those links.  Unfortunately, neither work.  Enabling PnP interface is great for enabling Remote Disk Management, but I'm not sure what it has to do with being able to edit local policy.  I think another user points that out on the response to the post.

As for secedit, it doesn't work... ...at least not for me.  Another user on the forum had the same experience as I did... ...secedit command seems to function as expected, but no real result / policy change.   Plus, this is so inconvenient, especially when you need to enable / disable a policy one at a time while testing something until you get it to work.  Using this method, I would have to export / import a policy again and again if attempting to troubleshoot some form of security issue or rights management issue.  True, I could set up another machine using a full version of Windows 2008, but editing local policy shouldn't be as complicated as requiring multiple 2K8 servers.  What about small businesses, or other users that either cannot afford a second license, or do not have a second server / machine available to install Win2K8 Full?   lol... Does Microsoft even think of these things when releasing their products?  

Anyway, as always, I sincerely appreciated the quick responses, feedback, and solutions.

I know this is a little bit off topic, but I wanted to address one other issue that no TechNet forum and / or deployment guide has seemed to address... ...best practices for storage on the host hypervisor server.   I currently have set my host server to store VHD files of the VMs on separate physical RAID arrays, snapshots on another dedicated physical RAID array (snapshots for all machines stored on a single dedicated array), and VM configuration files on the system / OS array.  However, I've noticed that the system / OS array gets hammered, and impacts the VM system performance.  Originally, I was under the assumption that once the XML files were loaded into memory, the configuration file was no longer needed / used by the system.  Obviously, my assumption was ignorant and now I'm paying for it.   Basically, my question is:  Where should VM configuration files / data be stored in relation to VHD files?  Should they be stored together?  Should I create a separate dedicated RAID10 array for configuration files (for all machines), or does each VM require a dedicated disk per VM configuration file?  There doesn't seem to be any "best practices" guide that addresses any of these questions (other than the recommendation to stored VHDs on separate disks).

Thanks in advance.

16 November 08 at 3:59 PM
# ReubenC said:

Hi John,

Excellent post, tool, etc.  Your original post helped me a great deal connecting to a server core install I'd setup earlier in the year from a WS2008 laptop... remote mgmt worked a treat until I rebuilt the server with Hyper-V Server (same name, same IP) and now for the love of christ I can't connect... 'You do not have permission....'  same network, same creds, same name.. (different SID & GUID's of course..), slowly losing the will to live and went on a VMware seminar only last week... Vi3 looks good ;-)

16 November 08 at 5:00 PM
# jhoward said:

ReubenC - If it's still not working, can you post

- the output of hvremote /show from both the server and the client machine,

- the output of ipconfig /all on both machines

- username you are using.

- contents of /windows/system32/drivers/etc/hosts on both machines

I'm assuming the usernames and passwords are the same on both machines.....  

I assume also you're in a workgroup(?) rather than domain and have run hvremote /add:user on the server, plus the hvremote /mmc:enable and hvremote /anondcom:grant on the client machine?

Any other info about your setup would be useful. With the tool, should be pretty easy to diagnose :)

Thanks,

John.

16 November 08 at 5:25 PM
# matthew said:

Note for anyone experiencing the 'RPC server unavailable' error. If you've disabled the Windows Firewall service, this will give this error!

Not sure why, but enabling it, starting, and running the script to add the firewall rule fixed the problem.

16 November 08 at 5:53 PM
# Luke Edson said:

John, you've outdone yourself! I do have to ask you though if you understand the concept of "vacation" though! Ha! Here's a drink to you!

17 November 08 at 5:01 PM
# Hilton Travis said:

Hi John,

I'm back again with the same issues that we were discussing the last time we spoke (a few months back).  :(

If you recall, I have a non domain connected Hyper-V Server that I'm trying to connect to from a non-domain connected laptop running Vista SP1 and the Hyper-V Management tool (and using HVRemote).

The Hyper-V Server will not be a part of a domain because in the SMB world, with generally only one physical server, having the Hyper-V Server a member of a single DC domain which is a guest under the Hyper-V Server is not a good move.

Also, the laptop will never be a part of the same domain that is hosted on the Hyper-V Server as the laptop belongs to our techs and the Hyper-V Server and its hosted SBS 2003|8 Server belongs to our client.

Now, what I've done is as follows:

Laptop

======

1. Vista SP1, latest fixes/updates

2. KB952627 Hyper-V Management Tool

3. Add Local Administrative user: Hyper-V

4. Local Hyper-V Password: "Password 123"

Server

======

1. Hyper-V Server 080912, Name = HyperVServer, Manual Windows Update, configure Region, Date and Time

2. Enable RDP (more secure clients only)

3. Add Local User: Hyper-V

4. Local Hyper-V Password: "Password 123"

I've downloaded, extracted and copied (via USB Key) HVRemote.wsf to the C:\HVRemote folder on both the laptop and the Hyper-V Server.

I've followed the documentation in your PDF and performed the following actions:

Server

======

1. cscript hvremote.wsf /mode:server /add:Hyper-V

1a. Result: successful (all reports = OK)

2. Reboot Hyper-V Server

Laptop

======

1. cscript hvremote.wsf /mode:client /AnonDCOM:grant

1a. Seemed to be successful

2. cscript hvremote /mode:client /FirewallHyperVClient:Enable

2a. Made no changes as this was already the setting

3. Rebooted the laptop.

4. Opened Hyper-V Manager and connected to HyperVServer

4a. Failed: The Computer 'TechLaptop' failed to perform the requested operation.

Also, as a side note, unless I run "netsh firewall set service remoteadmin enable" on the server, I cannot connect to it via "Computer Management" and even after I've run this, Computer Management makes a connection but fails to allow me to connect to WMI Control with the following error: 'Failed to connect to \\HyperVServer because "WMI: Access denied"'.

This error was exactly what we were talking about a few months back when I was unable to connect to the Hyper-V Server (that time running under WS2K8 Ent Core, this time running Hyper-V Server), so there still seems to be something wrong with the instructions/operation of HVRemote, or something major that I'm unable to see and am totally missing here.

I'd *like* to be able to actually add guests to my Hyper-V Server and to be able to manage them, it would be a nice use of a Hyper-V Server.  ;)

(PS, The "Windows Malicious Software Tool x64 - November 2008" was shown as needed when I ran the initial WU scan, yet it failed to install.  On subsequent attempts, it also fails to install.  Any idea why this is failing to install on a brand spanking new Hyper-V Server install?)

17 November 08 at 8:36 PM
# jhoward said:

Hilton - you also need to run hvremote /mmc:enable on the client as well (if it wasn't enabled)

I think the best way to try to solve this is if you can email me (preferred) using the link at the top or post up

- the output of hvremote /show /debug:verbose on both the client and the server

- ipconfig /all from the server AND the client

- output of ping <server> from client (will fail, but I want to check the IP addresses are correct and there's not a DNS issue)

- output of ping <client> from the server

- Verify through wbemtest: On the client start/run wbemtest; hit connect and enter \\servername\root\cimv2. Also try using IP address ie \\ip.dotted.add.ress\root\cimv2 of the server. Does that connect?

(TBH - I've no idea about the WU update. There's nothing unique to Hyper-V Server in terms of how updates are applied. Let's get the remote management working first - I'll see who I can find to help with WU separately).

Thanks,

John.

17 November 08 at 9:11 PM
# Hilton Travis said:

Hi John,

I ran the /mmc:Enable switch on the client - same issue after running this.  There's no DNS issues here, but I'll email all of the info you asked for.  The WMI Tester seems to connect (at least all boxes show as selectable), so I assume that means it is working.

The WU was just an additional query as an extra because I noticed it.  If you can find someone who can answer it, it would be good, though - definitely not as important as not being able to see the Hyper-V Server to manage it, tho!  :)

17 November 08 at 9:39 PM
# jhoward said:

(To followup for others...) I got the information from Hilton and a TS session onto the boxes. In this case, the laptop was domain joined rather than non-domain as mentioned above, and the server was in a workgroup. The missing piece was needing to run cmdkey on the client in this scenario.

Cheers,

John.

18 November 08 at 2:27 PM
# IT-Professional Community Blog said:

My previous blog post about installing Microsoft's Hyper-V Server 2008 was a slab of text with pictures

18 November 08 at 4:55 PM
# Virtual PC Guy's WebLog said:

Just the other day my colleague - John Howard - made a new tool available to the world. HVRemote

19 November 08 at 1:27 AM
# Размышления ИТ-психолога said:

John Howard of Microsoft, who is a Senior Program Manager in the Hyper-V development group,...

19 November 08 at 3:26 AM
# John Howard - Hyper-V and virtualization blog said:

While working on the next version of HVRemote yesterday evening, one of the things I wanted to address

19 November 08 at 3:35 PM
# Daniel Anderson said:

G'day John

Just wanted to put my 2 bobs worth in and thank you like many have already, for the GREAT Tool. I just tested it here and it worked a treat.

Cheers

Daniel

19 November 08 at 8:44 PM
# Daniel McCay said:

Thank you for producing this tool.

Is the management tool safe to use over WAN? ie. To manage a host in a datacentre?

As I understand it I would be sending unencrypted mmc packets across the internet. Is that risky?

20 November 08 at 4:47 AM
# x(perts)64 said:

I've seen folks disabling the Windows Firewall on Hyper-V Server and on Windows Server Core in order

20 November 08 at 10:25 AM
# jhoward said:

Daniel - my recommendation if you need to manage a secure environment over an insecure network such as the Internet would be to publish the management tools over a TS Gateway such as http://blogs.technet.com/jhoward/archive/2008/02/09/terminal-services-gateway-and-terminal-services-web-access-using-hyper-v-part-1.aspx (part 2 also), or to have a secured RDP session to the server using something like ISA protecting it. However, you may have captured mouse mode if Integration Services are not installed on guests.

I'm not sure that the credentials are passed unencrypted (I'll have to verify that, but don't think so), it's more the range of ports you need open also.

Another alternative is to use SCVMM where they tunnel management commands using WSMan rather than native WMI.

Thanks,

John

20 November 08 at 10:52 AM
# Igor Shastitko Technical Blog said:

People have started actively installing and using Hyper-V virtualization, especially the free Microsoft

20 November 08 at 11:40 AM
# crai hackman said:

I had same problem, i.e. unable to ping and run hyper-v manager from client. As there is no gui on hyper-v server I ran RDP to server (after enabling on server of course) and from the cmd prompt disabled firewall on hyper-v server with:-

"netsh firewall set opmode disable"

once that was done I could ping and run hyper-v manager remotely.

Shame Hyper-V server doesn't have Hyper-V manager for XP clients.

21 November 08 at 9:22 AM
# jhoward said:

Crai - you should not need to disable the firewall on the Hyper-V Server, and I would absolutely not recommend that you do. I'd be very interested in finding out what's going on in your configuration - if you have time to re-enable the firewall, verify it doesn't work and run hvremote /show on both the client and the server and post back (or email me using the link at the top) the results, it will give me a much better idea and whether there's something else I need to add to hvremote. It would also be helpful if you could run an ipconfig /all on both boxes and verify that DNS is operating correctly in both directions by trying to ping the client from the server and the server from the client to verify that the IP addresses that the ping is trying to hit matches that shown in the ipconfig.

I suspect strongly though that this is an IP address mismatch from the server to the client.

Thanks,

John.

21 November 08 at 12:28 PM
# ReubenC said:

Hi John,

Apologies for the delay in reply, have been a week of SCCM & SCOM 2007 training & exams (passed :-)).

I've resolved the issue, although it appears to be a strange one am afraid, is password history related...

During the time of rebuilding my VM host from a server core to a hyper-v server deployment I decided it was time to strengthen the Administrator password account from a standard one I've used for some time (we never worried too much about the Administrator as until WS2008 we have always disabled the Administrator account, but now not so simple for WS2008 :-( but that’s another post! ;-), I also changed the password of the WS2008 laptop connecting to the Hyper-V server (both workgroup).

I knew the laptop could connect as configured, as it was working with the previous server core deployment.  Even before using your most excellent HVremote tool I was pretty confident I'd opened everything up as needed on the Hyper-V server (I'd written up and blogged the server core commands inc. Hyper-V back in March/April when involved in the UK Hyper-V RDP - http://reubenjcook.wordpress.com/2008/04/21/windows-server-2008-server-core-setup-scripts-common-commands/).

This morning after much banging of the keyboard, and my head! (we celebrated hard after passing the exams ;-), it came to me... try the old password... I changed both sides and instantly it worked!

I almost cried with relief as getting this working was a pre-req to reinstating my virtualised home server with dual passthrough disks containing all of our music, video, recorded tv, and..... family photos!!! (the wife would have killed me am sure you appreciate!).

I've since tested by changing the password again, and it immediately breaks Hyper-V management, change it back and voila, straight away you’re back connected.

..now to work on my Hyper-V guest VM being a DHCP server issue (yep 2nd NIC for mgmt), although I think that might be another blogpost! ;-)

btw, am happy to provide further info on this offline, if I've found an issue worth investigating....

Very best regards, Reuben

22 November 08 at 12:49 PM
# jhoward said:

Hi Reuben, glad you got the remote management issue resolved. By all means, drop me a line using the contact me option at the top if you're having problems with a child partition running DHCP. It does work - have done it many times.

Thanks,

John.

22 November 08 at 2:43 PM
# David Overton's Blog said:

In my last post on installing Hyper-V for my home setup I said I had a number of issues. One was

22 November 08 at 8:45 PM
# Zoltan said:

Hello

I tried to run the hvremote on the server (core ed.), it says access denied. I logged in the admin account.

The server is configured and works ok, except the hyper-v management from outside of the local network. Any idea? It says the wellknown rpc error.

24 November 08 at 8:11 AM
# Matt Barrett said:

Hi John

I've followed along with your 5 part series, but never managed to get remote management of my Hyper V Server working.

I've now just run through the process of setting up the server (from a fresh install) and the client, but I'm not having any luck, and am getting an error that I've not seen before.

HVRemote works as expected on both client/server. I've also performed the cmdkey operation as the Hyper V server is in a workgroup, and I am trying to perform remote management from my local machine that is in a domain.

When I try to add the remote server (via IP address), the Hyper V Manager pops up an error dialog saying, "An error occurred while attempting to connect to server "<ip address>". Check that Virtual Machine Management service is running and that you are authorized to connect to the server.

The computer '<ip address>' could not be resolved. Make sure you typed the machine name correctly and that you have network access.'

The username and password is the same on both boxes - I'm not sure what else to try. Any help you could give would be greatly appreciated.

We are trying to use Hyper V Server in our integration/testing labs, and those machines are not typically joined to a domain. Would I see less problems if I tried managing from a machine not on a domain, too?

24 November 08 at 11:11 AM
# jhoward said:

Zoltan - what are you getting access denied to? Can you provide the output you are getting? (hvremote /show) Are you sure you are running from an *elevated* command prompt (ie one that says "Administrator:" in the title bar), not just as an admin?

You get RPC errors 99% of the time when there is a DNS issue. Try pinging server from client and other way around. Verify that the IP address each is pinging matches the output of ipconfig on the other box. It will probably be the server not having the client's IP address. See my article on managing Hyper-V over VPN where I went into a lot of detail over this.

Thanks,

John.

24 November 08 at 11:12 AM
# jhoward said:

Matt - this sounds like a networking DNS issue rather than Hyper-V config. Remote management works fine from a domain client to a workgroup if configured correctly. I do it all the time.... :)

Can you verify by posting back:

- Output of ipconfig /all on both client and server

- Output of hvremote /show on both client and server

- Output of an attempt to ping by *name* client from server and server from client

- Output of an attempt to ping by *ip* client from server and server from client.

One other question: Do you have IPSec policy being applied to the domain joined machine, or any other additional firewall software installed?

Thanks,

John.

24 November 08 at 11:18 AM
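
The check requested in the reply above (compare the address each machine's ping resolves a name to against the other machine's `ipconfig /all`), as an added example that is not part of the original thread or of HVRemote. It assumes English-locale command output; the sample text, the addresses and the function names are constructed for illustration, and it goes one step beyond the stated check by also flagging a name that resolves to an interface on a subnet the pinging machine does not share.

```python
import ipaddress
import re

# Constructed sample output (English locale); addresses are made up.
SERVER_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HyperVServer

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:

   IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

CLIENT_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : TechLaptop

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Constructed ping output; only the first line matters, replies may time out.
PING_OK = "Pinging HyperVServer [192.168.1.10] with 32 bytes of data:\nRequest timed out.\n"
PING_OTHER_NIC = "Pinging HyperVServer [10.10.10.5] with 32 bytes of data:\nRequest timed out.\n"
PING_STALE = "Pinging TechLaptop [192.168.1.77] with 32 bytes of data:\nRequest timed out.\n"
PING_UNRESOLVED = "Ping request could not find host TechLaptop. Please check the name and try again.\n"

FIELD_RE = re.compile(r"\s*(IPv4 Address|IP Address|Subnet Mask)[ .]*:\s*([\d.]+)")
PING_RE = re.compile(r"Pinging (?:\S+ \[)?(\d+\.\d+\.\d+\.\d+)\]? with")


def interfaces(ipconfig_text):
    """Return the IPv4 interfaces (address plus mask) listed in ipconfig output."""
    found, pending = [], None
    for line in ipconfig_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, value = m.groups()
        if label == "Subnet Mask":
            if pending is not None:
                found.append(ipaddress.ip_interface(f"{pending}/{value}"))
                pending = None
        else:
            pending = value  # address line; the mask follows on a later line
    return found


def resolved_address(ping_text):
    """Return the address ping is trying to reach, or None if the name did not resolve."""
    m = PING_RE.search(ping_text)
    return ipaddress.ip_address(m.group(1)) if m else None


def check_direction(ping_text, target_ipconfig, source_ipconfig):
    """Classify one direction (source pinging target) of the resolution check."""
    addr = resolved_address(ping_text)
    if addr is None:
        return "unresolved"            # no DNS/hosts/NetBIOS answer at all
    if addr not in [i.ip for i in interfaces(target_ipconfig)]:
        return "mismatch"              # name points at an address the target does not own
    # Heuristic: a routed network may still reach the address, so treat this as a hint.
    shared = any(addr in s.network for s in interfaces(source_ipconfig))
    return "ok" if shared else "no-shared-subnet"


if __name__ == "__main__":
    cases = [
        ("client -> server", PING_OK, SERVER_IPCONFIG, CLIENT_IPCONFIG),
        ("client -> server", PING_OTHER_NIC, SERVER_IPCONFIG, CLIENT_IPCONFIG),
        ("server -> client", PING_STALE, CLIENT_IPCONFIG, SERVER_IPCONFIG),
        ("server -> client", PING_UNRESOLVED, CLIENT_IPCONFIG, SERVER_IPCONFIG),
    ]
    for label, ping, target, source in cases:
        print(f"{label}: {check_direction(ping, target, source)}")
```

Any result other than "ok" points at name resolution (DNS or the hosts file) rather than at the firewall.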
# Patrick said:

I am having the same issues as Zoltan, I am running an administrator command prompt.  I run hvremote /show and get access denied.  I am logged in as the local admin account.

24 November 08 at 12:02 PM
# jhoward said:

Patrick

Same as for my response to Zoltan: what are you getting access denied to? Can you provide the output you are getting? (hvremote /show) Are you sure you are running from an *elevated* command prompt (ie one that says "Administrator:" in the title bar), not just as an admin?

BTW - if you use v0.3, it will tell you if you are not running elevated as well (not sure if you're using 0.2).

Thanks,

John.

24 November 08 at 12:44 PM
# Patrick said:

I guess I was unclear, but I am running hvremote /show

The only output is access denied.  The command prompt says Administrator so I assume it is elevated.  The script is placed on c:\ and run from that location.  Logged into server as local admin account.

Thanks for your help.

24 November 08 at 1:48 PM
# jhoward said:

Patrick - it sounds like either you don't have permissions to the hvremote.wsf file itself, or possibly a policy blocking execution of scripts?

Does running icacls hvremote.wsf indicate you have access to it? Can you "notepad" it. What about if you do type hvremote.wsf > test.wsf and run cscript test.wsf instead (assuming you have read access to the file).

Thanks,

John.

24 November 08 at 3:39 PM
# Chris D said:

Hi John, I can connect to Hyper-V Core Server with Hyper-V Manager (both in a Domain) and created VMs but I cannot access the VMs. I see the thumbnail there waiting for my input but when I click on it, I get the error that your administrator does not allow you to connect to this computer. But the thing is I have changed the local policy on the Core server to allow default Credentials with NTLM-only Server authentication. I have even put * to allow any server to connect to it. Also I put the IP address of the Hyper-V manager server as well TERMSRV/*, for good measure. I have used the hvremote tool to create a user on the Core server then logged on the Hyper-V Manager server with that account, but still it will not allow me to connect. I have enabled any Remote client to connect and added my hvremote user to the remote desktop group on the Core server.

But what I have discovered that is really odd is that when I use Remote Desktop client from XP Pro I cannot connect to the Core server.  I get errors that the server is not on the network. But if I try and connect via the Hyper-V Manager server Remote Desktop but hold off putting in the username and password, I can actually connect via my XP Pro Remote Desktop. XP Pro Remote Desktop can now find the Core server and allow me to logon. Somehow I think this is connected to the problem I have above.

Regards

Chris

24 November 08 at 5:17 PM
# Patrick said:

Thanks for your responses John.  I had checked permissions before and they looked ok, I just noticed that in the general tab there was a button for unblock, I clicked it and now it is working.

Thanks.

24 November 08 at 6:14 PM
# Pål Røtnes said:

This is a great tool! A wonderful help for someone who is tired of backtracking through your (also excellent) blog post to figure out which little thing is not done just right.

However: And why does not MS officially develop and support a tool like this? It seems to me this is essentially what thousands of IT personnel need to get Core+Hyper-V working in a good and time-efficient way.

Windows Core Server is a very good idea, but without a few tools like HVRemote and CoreConfigurator it would be a lot more of a hassle to set up and manage. And honestly it seems a bit rushed by the total lack of tools, when the management is so bothersome.

Some tools like these should be built in, or at least downloadable/optional in the setup. IT people would love it and I can't see how these tools which are basically only menus that use existing commands in the OS can have an adverse effect on security.

25 November 08 at 3:52 AM
# Matt Barrett said:

Hi John,

Thanks for the pointer! I went back over all the settings, and found an issue when resolving the hostname from the client. It was resolving to an IP address that was bound to an interface on the server that couldn't be reached from the client.

Simple!

With that fixed, everything is working - thanks for your help, and all your blog posts and the HVRemote script. We're rolling this out much more heavily, due mainly to the fact we can get other departments up and running without a lot of hand holding.

25 November 08 at 4:47 AM
# Matt Barrett said:

Patrick and John,

I had that same problem, too. The download process is setting a don't execute bit on the binary - I needed to unset it on the client (with the GUI) then copy it across to Server Core again.

Cheers

25 November 08 at 5:43 AM
# jhoward said:

Pål - Thanks. I wish I had a better answer for you, but I don't, except the age-old answer of a balance of time and resources.

Thanks,

John.

25 November 08 at 10:49 AM
# jhoward said:

Chris - To be honest, I don't know the answer. Let me do some digging and see what I can find. Can you confirm you can connect if you don't change that policy? Do you have any additional firewall software installed on the client that might be blocking port 2179 for VMConnect (or 3389 for RDP on the XP box)?

Thanks,

John.

25 November 08 at 10:54 AM
# jhoward said:

Matt - good news. Glad it's sorted :)

Cheers,

John.

25 November 08 at 10:56 AM
# jhoward said:

Matt & Patrick - re this setting on the general tab. Any chance you can send me a screenshot?? On a Vista SP1 box, I don't see that setting. Where are you downloading the file to - a local drive, a network share,..... ? And from what OS? If I can repro it, I'll add it to the list of FAQ in the documentation.

Thanks,

John.

25 November 08 at 10:58 AM
# Chris D said:

Hi David,

I only implemented the "only default Credentials with NTLM-only Server authentication" policy when I received the error "your administrator does not allow you to connect". As for firewall blocking, the firewalls on the XP box and on the Hyper-V Management server are disabled, the Core server is the only one using its firewall.

Regards

Chris

26 November 08 at 11:00 PM
# Tim said:

John,

Thanks for the tool.  Like others, I have failed - basically out of time - but want to provide additional feedback on what I noticed.  Hyper-V Server is installed on a workgroup laptop.  The remote management tools on a domain joined machine.  Did all the HVRemote commands and cmdkey stuff.  Did the AnonDCOM thing too.

In my situation, I have partial RPC connectivity.   While the HV Manager reports RPC issues, I find that I can right click on the machine and perform actions such as setting up the networking and creating a VM.  I can even see the empty VHD in the folder on the Hyper-V Server.  But from the Manager I can't see the new VM thanks to RPC.

Differences in my environment.

1) I was using different user accounts.  I switched to working with the same user name but different passwords.  

2) My DNS is funny.  This is at a home office.  DNS and DHCP come from an ISP router.  Normally I modify a machine to pick up DNS from this box and my domain controller.  I don't seem to be able to do this in Hyper-V server.   So I opted to use the hosts file on both machines, adding both the vista machine and ADDS machine to the Hyper-V Server, and the HV Server to the Vista machine.  In working with netdom on the hyper-v server (in a failed attempt to join the domain), I determined that while machine names help significantly, only operations from the HV Server that allow me to specify the ADDS Server work.   It seems that the HV server was able to resolve that the domain exists in the environment, but not to locate the machine itself.

Quite frankly, I had great hope for HV-Server, but it does not meet my needs.  The bottom line is that the lack of a manager in the host partition to run and access VMs just makes it a non-starter.

29 November 08 at 11:02 AM
# jhoward said:

Tim

This should be straightforward to get working with the HVRemote tool in your configuration. Trust me :) It honestly sounds though like you have DNS issues as the primary culprit, _especially_ if you are unable to join the Hyper-V Server to your domain - that really should be the first thing you should resolve - it should "just work" and has nothing to do with remote management configuration. If DNS is wonky, you'll get all sorts of other errors. dcdiag /test:dns is your first point of call on the DC.

If you want me to assist once you have DNS straight, can you use the email option at the top of this page and send me

- the output of hvremote /show on both the client and the server;

- the output of a ping attempt from the client to the server and vice versa;

- the contents of the hosts files as you have modified them.

- ipconfig /all on your DC and the Hyper-V Server

- results of netdom on the Hyper-V Server when attempting to join the domain.

A screenshot of the RPC error you are getting would be really useful too.

Thanks,

John.

29 November 08 at 4:21 PM
# Chris D said:

Hi John,

I have to agree with Tim, without a host management to run and access VMs on the host partition, managing Hyper-V core server is an issue. So far I have spent over two weeks trying to connect to the Hyper-V core server and manage the VM I created. If I include the time of installing and reinstalling Hyper-V, setting up, rebooting and trying to get Hyper-V manager to connect, I would have had the free version of VMware working and VMs online.  The documentation you provide is wonderful, but one gets the feeling its purpose is to compensate for a lack of Hyper-V Core documentation. It is odd that when Microsoft wants one to do something, it is easy, but when Microsoft doesn’t want one to do something, they make it not so easy. For example when installing System Center Virtual Machine Manager (which I could not connect to Hyper-V Core) it was easy to turn on automatic updates, it required one single click. But if one wanted to turn off sending information back to Microsoft, there was a whole list of instructions on how to do this, no single click of “opt in” or “opt out”. I get the feeling that the Hyper-V Core Server is the same, if Microsoft wanted one to use it, there would be a user friendly management interface that would allow one to create and manage the VMs on the Hyper-V Core server locally. Such management options could still be in keeping with the theme of simplicity of the Hyper-V Core. However when one considers the difficulties one experiences setting up and managing Hyper-V Core Server, it makes one wonder, why is this so, why is this not so easy.

When I made the decision to virtualise all our College servers, being an MSCE I decided to go down the Hyper-V instead of VMware track. But the difficulties I have experienced have made me turn back to VMware free version.

Thank you for your help.

Regards

Chris

30 November 08 at 6:24 PM
# David Overton's Blog said:

In my last post on installing Hyper-V for my home setup I said I had a number of issues. One was

02 December 08 at 8:04 PM
# Andrej Gregoric said:

I had the same problem with hvremote - access is denied.

The problem is I guess Vista Explorer download, that sets some kind of attribute for script, that suggests that this script comes from another computer.

When you open properties of this script, you also get the message on the bottom, that says: this file came from another computer and might be blocked to help protect this computer.

and you have radio button Unblock beside it.

I did it on a client (Vista64 SP1), copied it to server and it is working.

I still do not know, how to reset this attribute on server core or Hyper-V server.

Hope this helps somebody else.

Regards

03 December 08 at 3:14 AM
# g_malusardi said:

Very useful.

Thanks John!

Giorgio

04 December 08 at 5:04 AM
# Taylor Brown's Blog said:

I have been getting people asking where I’ve been and why I haven’t been posting very often (or very

10 December 08 at 11:17 PM
# Lawrence Hsu said:

Thanks for the script.

Spent three hours before your script and 3 minutes after the script.

hyper-v server with 64 bit vista business( workgroup) is now connected.

good job!

11 December 08 at 4:22 AM
# Rod Trent at myITforum.com said:

HVRemote: Configure Hyper-V Remote Management in seconds Feed: System Center Guide Posted on: Wednesday

17 December 08 at 1:51 PM
# Jerrold Morris said:

John,

Thanks to your help I connected to and set up virtual machines on server core from my Vista machine.  However I recently did an apparently dumb thing, I clicked on the option in hyper-v add hardware to add connectivity between the host machine and vm, I think as I can't get to it now.  It was the 3rd and bottom option in the networking of vm's.  What's the purpose of that option?

Now I can't connect to server core with an error of "cannot connect to RPC service on server, make sure service is running".  When I check on the server RpcSs is running.

When I do ipconfig on both machines the default gateway is different (192.168.1.1 on server, 192.168.1.254 on client) also.

The output from hvremote is below.

Do you have suggestions on how to fix this?

Thanks,

Jerrold

Client:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is ZEUS

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is zeus\vmcmd

INFO: Assuming /mode:client as the Hyper-V role is not installed

DEBUG:    Client or Server Mode (1=Client)        1

DEBUG:    Show mode?                              False

DEBUG: S: AZMan Update          (1=Yes)           1

DEBUG: S: Add or Remove User    (1=Add)           0

DEBUG: S: Add/Remove User/Group                  

DEBUG: S: Add/Remove Domain                      

DEBUG: S: Doing DCOM update or display?           1

DEBUG: S: Domain AZMan update or display          1

DEBUG: S: Namespaces (1=Cimv2;2=Virtualizaiton)   3

DEBUG: S: Update FW WMI Remote Mgmt (1=Yes)       0

DEBUG: S: Update FW Hyper-V (1=Yes)               0

DEBUG: S: Role Assignment                         Administrator

DEBUG: C: Update FW Hyper-V Rmt Mgmt Clnt (1=yes) 0

DEBUG: C: Update FW MMC Exception (1=yes)         0

DEBUG: C: Update Anon DCOM      (1=Grant)         0

DEBUG: **START HVREMOTE VERSION**

TAG Version=0.3

TAG Date=19th November 2008

TAG URL=http://code.msdn.microsoft.com/HVRemote/url

TAG BlogURL=http://blogs.technet.com/jhoward/blah-blah-something-like-this_blah.aspx

**END HVREMOTE VERSION**

INFO: Are running the latest version

Server:

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is JMSERVER

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is JMSERVER\Administrator

INFO: Assuming /mode:server as the role is installed

DEBUG:    Client or Server Mode (1=Client)        2

DEBUG:    Show mode?                              False

DEBUG: S: AZMan Update          (1=Yes)           1

DEBUG: S: Add or Remove User    (1=Add)           0

DEBUG: S: Add/Remove User/Group                  

DEBUG: S: Add/Remove Domain                      

DEBUG: S: Doing DCOM update or display?           1

DEBUG: S: Domain AZMan update or display          1

DEBUG: S: Namespaces (1=Cimv2;2=Virtualizaiton)   3

DEBUG: S: Update FW WMI Remote Mgmt (1=Yes)       0

DEBUG: S: Update FW Hyper-V (1=Yes)               0

DEBUG: S: Role Assignment                         Administrator

DEBUG: C: Update FW Hyper-V Rmt Mgmt Clnt (1=yes) 0

DEBUG: C: Update FW MMC Exception (1=yes)         0

DEBUG: C: Update Anon DCOM      (1=Grant)         0

INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

DEBUG: Need to connect to virtualization namespace

DEBUG: ConnectNameSpace Entry: Namespace=root\virtualization

DEBUG: ConnectNameSpace Connected to root\virtualization namespace

DEBUG: ConnectNameSpace Exit: Namespace=root\virtualization, RC=0

DEBUG: Need to get the security desciptor for the CIMv2 namespace

DEBUG: GetWin32SD(): Get __SystemSecurity

DEBUG: Current SecurityDescriptor Details:

instance of __SecurityDescriptor

{

ControlFlags = 32772;

DACL = {

instance of __ACE

{

AccessMask = 33;

AceFlags = 6;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "JMSERVER";

Name = "vmcmd";

SID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 76, 123, 219, 156, 85, 61, 160, 98, 39, 162, 84, 45, 235, 3, 0, 0};

SidLength = 28;

SIDString = "S-1-5-21-2631629644-1654668629-760521255-1003";

};

},

instance of __ACE

{

AccessMask = 393279;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "NETWORK SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-20";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "LOCAL SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-19";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "Authenticated Users";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 11, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-11";

};

}};

Group =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

Owner =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

SACL = NULL;

};

DEBUG: GetWin32SD(): Exit RC=0

DEBUG: Need to get the security desciptor for the virtualization namespace

DEBUG: GetWin32SD(): Get __SystemSecurity

DEBUG: Current SecurityDescriptor Details:

instance of __SecurityDescriptor

{

ControlFlags = 32772;

DACL = {

instance of __ACE

{

AccessMask = 33;

AceFlags = 6;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "JMSERVER";

Name = "vmcmd";

SID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 76, 123, 219, 156, 85, 61, 160, 98, 39, 162, 84, 45, 235, 3, 0, 0};

SidLength = 28;

SIDString = "S-1-5-21-2631629644-1654668629-760521255-1003";

};

},

instance of __ACE

{

AccessMask = 393279;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "NETWORK SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-20";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "LOCAL SERVICE";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-19";

};

},

instance of __ACE

{

AccessMask = 19;

AceFlags = 18;

AceType = 0;

Trustee =

instance of __Trustee

{

Domain = "NT AUTHORITY";

Name = "Authenticated Users";

SID = {1, 1, 0, 0, 0, 0, 0, 5, 11, 0, 0, 0};

SidLength = 12;

SIDString = "S-1-5-11";

};

}};

Group =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

Owner =

instance of __Trustee

{

Domain = "BUILTIN";

Name = "Administrators";

SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};

SidLength = 16;

SIDString = "S-1-5-32-544";

};

SACL = NULL;

};

DEBUG: GetWin32SD(): Exit RC=0

DEBUG: Opening the AZMan policy store

DEBUG: OpenAuthorizationStore: Enter

DEBUG: OpenAuthorizationStore: Instantiate StdRegProv

DEBUG: OpenAuthorizationStore: GetStringValue

DEBUG: OpenAuthorizationStore: GetStringValue

DEBUG: Getting localized group name for Distributed COM Users

DEBUG: GetGroupNameForSID: S-1-5-32-562

DEBUG: GetGroupNameForSID: RC=0 GroupName=Distributed COM Users

DEBUG: Distributed COM Users group name (localized) is 'Distributed COM Users'

DEBUG: Failed to send

20 December 08 at 5:13 PM
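The `__SecurityDescriptor` dump in the comment above is the access list on a WMI namespace, so it can be read to see who has remote access. The following Python is an added example, not part of the original comment or of HVRemote: it decodes the binary SIDs, `AccessMask` and `AceFlags` values from that dump format and lists non-administrator trustees holding Remote Enable. The function names are assumptions made for this example; the bit values are the standard WMI namespace rights and Windows ACE flags.

```python
import re

# WMI namespace rights keyed by AccessMask bit (names as shown in the WMI Control dialog).
WMI_RIGHTS = {0x1: "Enable Account", 0x2: "Execute Methods", 0x4: "Full Write",
              0x8: "Partial Write", 0x10: "Provider Write", 0x20: "Remote Enable",
              0x20000: "Read Security", 0x40000: "Edit Security"}
# Standard Windows ACE inheritance flags keyed by AceFlags bit.
ACE_FLAGS = {0x1: "OBJECT_INHERIT", 0x2: "CONTAINER_INHERIT",
             0x4: "NO_PROPAGATE_INHERIT", 0x8: "INHERIT_ONLY", 0x10: "INHERITED"}
REMOTE_ENABLE = 0x20
ADMINISTRATORS = "S-1-5-32-544"
QUOTED = r'"([^"]*)"'
# An ACE body runs from its opening brace to the trustee's closing "};" and the ACE's "}".
ACE_RE = re.compile(r"instance of __ACE\s*\{(.*?)\};\s*\}", re.S)

# First two ACEs of the DACL dump posted in the comment above, blank lines removed.
SAMPLE = """
DACL = {
instance of __ACE
{
AccessMask = 33;
AceFlags = 6;
AceType = 0;
Trustee =
instance of __Trustee
{
Domain = "JMSERVER";
Name = "vmcmd";
SID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 76, 123, 219, 156, 85, 61, 160, 98, 39, 162, 84, 45, 235, 3, 0, 0};
SidLength = 28;
SIDString = "S-1-5-21-2631629644-1654668629-760521255-1003";
};
},
instance of __ACE
{
AccessMask = 393279;
AceFlags = 18;
AceType = 0;
Trustee =
instance of __Trustee
{
Domain = "BUILTIN";
Name = "Administrators";
SID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
SidLength = 16;
SIDString = "S-1-5-32-544";
};
}};
"""

def sid_from_bytes(raw):
    """Convert a binary SID (list of byte values) to its S-R-A-S... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(bytes(raw[2:8]), "big")       # 48-bit, big-endian
    subs = [int.from_bytes(bytes(raw[i:i + 4]), "little")    # 32-bit, little-endian
            for i in range(8, len(raw), 4)]
    return "-".join(str(p) for p in ["S", revision, authority, *subs])

def decode_bits(value, table):
    """Name every known bit set in value; append any unknown remainder as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    return names + ([hex(unknown)] if unknown else [])

def field(body, key, pattern=r"(\d+)"):
    """Return the value of 'key = value;' inside one ACE body."""
    match = re.search(rf"\b{key}\s*=\s*{pattern};", body)
    if match is None:
        raise ValueError(f"{key} missing from ACE")
    return match.group(1)

def parse_aces(dump):
    """Parse every __ACE instance in a dump into a decoded dictionary."""
    aces = []
    for body in ACE_RE.findall(dump):
        raw = [int(b) for b in field(body, "SID", r"\{([^}]*)\}").split(",")]
        sid, mask = sid_from_bytes(raw), int(field(body, "AccessMask"))
        aces.append({
            "trustee": field(body, "Domain", QUOTED) + "\\" + field(body, "Name", QUOTED),
            "sid": sid,
            "sid_matches_string": sid == field(body, "SIDString", QUOTED),
            "allow": int(field(body, "AceType")) == 0,   # AceType 0 = access allowed
            "mask": mask,
            "rights": decode_bits(mask, WMI_RIGHTS),
            "flags": decode_bits(int(field(body, "AceFlags")), ACE_FLAGS),
        })
    return aces

def remote_non_admin(aces):
    """Trustees other than BUILTIN\\Administrators that are allowed Remote Enable."""
    return [a["trustee"] for a in aces
            if a["allow"] and a["mask"] & REMOTE_ENABLE and a["sid"] != ADMINISTRATORS]

if __name__ == "__main__":
    for ace in parse_aces(SAMPLE):
        print(ace["trustee"], ace["sid"], ace["rights"], ace["flags"])
    print("Remote Enable outside Administrators:", remote_non_admin(parse_aces(SAMPLE)))
```

Read this way, the mask of 19 on the NETWORK SERVICE, LOCAL SERVICE and Authenticated Users entries in the same dump decodes to Enable Account, Execute Methods and Provider Write, with no Remote Enable.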
# ericv said:

I cannot connect with HyperV Manager in the case of domain user and workgroup HyperV server.

The domain is a SBS2008 child with HyperV as the parent.

The client is a member of the domain. I used your instructions and also the HVRemote tool without luck.

Sometimes I get the impression that domain user connected to workgroup server is no problem. Sometimes there is a comment that this combination is not possible. For example with HVRemote /add:domainname\user  executed on the server , I get the response "if domainname is a domain you need to be connected to the domain to make this work". I.e the workgroup server should be joined to the domain, Correct?

However Microsoft recommends that a HyperV parent should not be part of a SBS2008 child domain, So I am hesitant to join the HyperV server to the domain.

Any advice is appreciated. -Eric

22 December 08 at 1:05 PM
# jhoward said:

Eric - this scenario does work with a limitation which is a bug in Windows Server 2008 WMI (fixed in SP2) which means you may have to hit refresh in the Hyper-V MMC as state change notifications for VMs (running/stopped etc) are not received. However, it sounds like you're not even close to that far yet. That warning message I put in is for the case of a domain client pointing at a workgroup server so isn't relevant here.

What is the exact error you get in Hyper-V manager. What does the output of hvremote /show on both the client and server show? Can you ping *BOTH* ways *BY NAME* and hit the right ipv4 address (even if the firewall blocks the ping itself) to verify DNS? Do you have other firewalls which might be getting in the way? Have you checked the troubleshooting section of the hvremote document?

(Please note I'm on vacation so may be slow to respond....)

Thanks,

John.

22 December 08 at 1:17 PM
# ericv said:

John - thanks for your quick response.

Seems I'm halfway!

Updated the host file to force name/IPv4@ resolution and used cmdkey (again).

Then invoke Hyper-V Manager.

My error is now "Access denied. Unable to establish communication between WSHYPERV and ERIC-PC".

The names are OK for server and client.

Good news is that I get the actions pane and I can look at the remote Hyper-V settings, virtual network manager.

But if I hit the Refresh link, the message "loading Virtual machines"  is displayed and does not finish and locks the window more or less.

I use OneCare as firewall at the client - I turned it off  - no luck.

Will use the troubleshooting list further.

Enjoy your vacation! -Eric

23 December 08 at 4:37 AM
# JB said:

Hey John,

Great tool. I've followed all of your directions to a T for setting up the connection between two machines. I am not able to get a connection though. I get an error on the remote machine when I try to connect that says to make sure that Virtual Machine Management service is running.

Well I go to my service manager browser and find there is no VMM service at all. Help?

Remote machine is Running Vista Ultimate x64 SP1

23 December 08 at 12:16 PM
# jhoward said:

Eric - Glad you got further. Sounds like you didn't reboot possibly? If you're still stuck, send me the hvremote info. That will probably provide the missing answer.

Thanks,

John.

23 December 08 at 12:57 PM
# jhoward said:

Eric - the VMMS service runs on the Hyper-V Machine -  it sounds like you are checking the vista client rather than the server? Even "sc query vmms" on the server gives nothing back? If you're still stuck, please post back

ipconfig /all on both client and server

Attempt to ping by name client from server and server from client

Output of hvremote /show on both server and client

Result of sc query vmms on server (just in case)

Thanks,

John.

23 December 08 at 1:00 PM
# ericv said:

John - got it working now!

Thanks for your advice.

After all attempts I can only summarize what I did not  completely understand initially in your .PDF doc. and what (I think) caused my breakthrough. Hope this helps for other readers.

ENVIRONMENT:  a domain client (Vista SP1) and a WORKGROUP WS2008 server with Hyper-V role enabled (parent).

My Hyper-V server has a static IP address 192.168.1.1

Not relevant but  I have additionally SBS2008 as a child with DHCP server (sbs2008 does not like any other dhcp servers in its subnet).

1. follow the instructions in the HVRemote .PDF document for client and server

2. on the server, invoke: HVREMOTE /add:userID to grant "userID"  access. "userID" is a local server user that has been defined on the server thru Control Panel/add user. I made userID an administrator (not sure if this is required)

3. on the client update the hosts file (/windows/system32/drivers/etc/hosts) as 192.168.1.1 SERVERname

4. on the client, in a cmd-window, issue: cmdkey /add:SERVERname /user:SERVERname\userID /pass where userID is exactly the same as on the server. You are then prompted for the password of userID.

5. Definitely re-boot both client and server

6. Start Hyper-V Manager.

Then you should see the much anticipated virtual machine panel.

Hope these additional comments are useful.

Happy Holidays, -Eric

24 December 08 at 6:21 AM
# Simon Dean said:

I too received the following error when I tried to run the HVRemote.wsf script on Hyper-V Server:

C:\HVRemote>HVRemote.wsf /show

Access is denied.  

I found the solution was to prefix the command with "cscript ".  E.g.:

C:\HVRemote>cscript HVRemote.wsf /show

Microsoft (R) Windows Script Host Version 5.7 ...

I guess this has something to do with file associations for the "wsf" file extension on Hyper-V Service.  

Whilst I remember, there's a typo in one of the bits of the output of the client part of the script.  It asks you to run "hvremote.wsf /Mode:Client /MMC:Enable" when it should ask you to run "hvremote.wsf /mode:client /MMC:Enable" - the "C" of "Client" has to be in lower case.  

Thanks for the script John.  Hopefully it's going to save me a lot of time and confusion (I've not yet finished using the script to know whether it works for me!).  

PS Could you pass on a message to the Hyper-V Manager MMC Snap-in developers to say that it doesn't seem possible to connect to an Hyper-V server IP address using the snap-in if the local machine cannot resolve the machine name of the IP address.  Instead you get the rather cryptic message:

"An error occurred while attempting to connect to server "10.8.2.3".  Check that the Virtual Machine Management service is running and that you are authorized to connect to the server.  

The computer "10.8.2.3" could not be resolved.  Make sure you typed the machine name correctly and that you have network access."  

Obviously the IP address "10.8.2.3" is just an example.  The clue seems to be in the bit "The computer "10.8.2.3" could not be resolved" - there should be no need to "resolve" the IP address and in fact that would be impossible - IP addresses can't be resolved into IP addresses.  I had to work around this issue by adding an entry to my "C:\Windows\System32\drivers\etc\hosts" file - adding a DNS server to my network would have been too much trouble.  

Not being able to use pure IP addresses kind of runs contrary to the parts of the MS document "Hyper-V Server Configuration Tool Guide v 1.2.docx" that ask you to "enter the name or the IP address of the server".  

Thanks again

Simon

27 December 08 at 7:52 PM
# jhoward said:

Simon - That's good feedback, thanks. If you open the properties of hvremote.wsf, there's a security checkbox somewhere on one of the tabs (I have a screenshot somewhere but not to hand) which basically says that you can't execute it as it originated from another computer. So far, the only people I've found who have downloaded it who have that checkbox checked is people using Firefox, but I'm not sure why - I haven't had a chance to dig. Would that be the case for you too?

As for IP address, unfortunately, DNS or a name resolution is needed and sure, I'll follow up on the documentation (and file a bug to get it working by IP - no promises though on the resolution of it.)

Cheers,

John.

27 December 08 at 10:57 PM
# Jan van Zeggelaar said:

Hello John,

your tool worked like a breeze. I had been stuck for a long time and this fixed it. Only now the MMC just shows "Loading Virtual Machines" and then nothing ... but I'll try to fix this myself first.

One small issue though: When I tried to configure the client, I forgot one step. The output of the hvremote command supplied the exact command I forgot so the lazy person I am just copied and pasted. This resulted in an error since the command parameters seem to be case sensitive. When I changed all capitals in "hvremote.wsf /Mode:Client /MMC:Enable" to lower case, the command executed successfully.

But thanks a lot. I may be able to meet my goal this year (three hours left and two meetings ... well probably not).

Jan

31 December 08 at 6:06 AM
# Colin Bruce said:

Dear John,

Thanks for making this available. Sadly I still can't get remote access working. I have the same problem as several others: That is it partly works but then the Hyper-V manager gives the error which others have had i.e. "RPC server unavailable. Unable to establish communication between 'TDVS01' and "WL101-1"." The server and the client are both in the same workgroup.

In my scenario TDVS01 is the server running the GUI version  of Windows 2008 with the Hyper-V role and WL101-1 is a PC running Vista (64 bit).

I have tried all the fixes that others have used to get their systems working but none work for me. I know from other replies that DNS issues are a common cause so I've carefully checked. "Nslookup TDVS01" on the client returns 10.255.249.1 which is the correct address. Similarly "nslookup WL101-1" on the server returns the correct address for the client. Although ping is blocked I've checked that and it too is returning the correct address in each direction. I've rebooted the server and the client many times but it still doesn't work. I've done the cmdkey instruction as described by ericv but to no avail.

One other thing that may or may not be related. I am using the username ccx004 on both the client and the server. If I create a group on the server called "Remote Hyper-V Users", put ccx004 in it and then do HVREMOTE /add:"Remote Hyper-V Users" it all seems to work. However, after rebooting both the client and the server I get "Permission denied" when I run the manager on the client. However, if I use the same username but add it directly with HVREMOTE /add:ccx004 it works to some extent. At least I don't get the "permission denied" error. The group is set up correctly with the user in it. HVREMOTE /show lists it in all the correct places but it doesn't work.

I would be happy to send output from HVREMOTE /show if you have time to have a look.

Best wishes....

Colin

02 January 09 at 7:28 PM
# jhoward said:

Colin

Yes, let's start with the output of hvremote /show on both the client and the server. Are you on a VPN or a routed subnet different between the client and server - firewalls in between, or even a different firewall on the client?

I would still strongly suspect DNS, so if you can also post up ipconfig on both machines and the attempt of the ping client from server and server from client, it would give me peace of mind to see the output.

Thanks,

John.

03 January 09 at 12:11 AM
# Dipam Patel said:

I am trying to setup a server with Hyper-V server. I have been at this for several days now.. without success. I am not quite sure how to run the HVRemote script. I copied into a directory on the Hyper-V server and then ran "cscript hvremote.wsf". I did the same on the client machine (Vista SP1). But I still get "permission denied". I then tried to follow the steps in Part 5 of John's blog. However, at the AZMan section, I cannot see the ProgramData folder in my mapped drive as it is a hidden folder. If anyone can assist me in this I would greatly appreciate it.

03 January 09 at 4:07 PM
# jhoward said:

Dipam - for the access denied, see my reply to Simon 2 or 3 entries up.

Although hidden, ProgramData is still accessible through a mapped drive if you type it in to the address bar such as \\server\SystemDrive$\ProgramData\....

Thanks,

John.

05 January 09 at 9:36 PM
# Colin Bruce said:

Dear John,

Thanks for the reply and sorry not to reply sooner - I had a couple of days of flu. At least that's one virus that can't be transmitted across a network. Anyway here is the information you asked for.

I am on a routed network.

First for the client.

Windows IP Configuration

  Host Name . . . . . . . . . . . . : wl101-1

  Primary Dns Suffix  . . . . . . . :

  Node Type . . . . . . . . . . . . : Hybrid

  IP Routing Enabled. . . . . . . . : No

  WINS Proxy Enabled. . . . . . . . : No

  DNS Suffix Search List. . . . . . : coventry.ac.uk

                                      services.coventry.ac.uk

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : coventry.ac.uk

  Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet

  Physical Address. . . . . . . . . : 00-19-BB-46-68-56

  DHCP Enabled. . . . . . . . . . . : Yes

  Autoconfiguration Enabled . . . . : Yes

  IPv4 Address. . . . . . . . . . . : 10.16.42.3(Preferred)

  Subnet Mask . . . . . . . . . . . : 255.255.255.0

  Lease Obtained. . . . . . . . . . : 06 January 2009 10:28:49

  Lease Expires . . . . . . . . . . : 14 January 2009 10:28:47

  Default Gateway . . . . . . . . . : 10.16.42.252

  DHCP Server . . . . . . . . . . . : 192.168.64.6

  DNS Servers . . . . . . . . . . . : 192.168.64.1

                                      192.168.64.2

                                      192.168.64.3

                                      192.168.64.4

                                      192.168.64.5

                                      192.168.64.6

  NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

  Media State . . . . . . . . . . . : Media disconnected

  Connection-specific DNS Suffix  . : coventry.ac.uk

  Description . . . . . . . . . . . : isatap.coventry.ac.uk

  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

  DHCP Enabled. . . . . . . . . . . : No

  Autoconfiguration Enabled . . . . : Yes

Pinging TDVS01.coventry.ac.uk [10.255.249.1] with 32 bytes of data:

Request timed out.

Ping statistics for 10.255.249.1:

   Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Control-C

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is WL101-1

INFO: Computer is in workgroup T&D

INFO: Current user is wl101-1\ccx004

INFO: Assuming /mode:client as the Hyper-V role is not installed

-------------------------------------------------------------------------------

DACL for COM Security Access Permissions

-------------------------------------------------------------------------------

\Everyone    (S-1-1-0)

    Allow: LocalLaunch RemoteLaunch (7)

NT AUTHORITY\ANONYMOUS LOGON    (S-1-5-7)

    Allow: LocalLaunch RemoteLaunch (7)

BUILTIN\Distributed COM Users    (S-1-5-32-562)

    Allow: LocalLaunch RemoteLaunch (7)

BUILTIN\Performance Log Users    (S-1-5-32-559)

    Allow: LocalLaunch RemoteLaunch (7)

-------------------------------------------------------------------------------

ANONYMOUS LOGON Machine DCOM Access

-------------------------------------------------------------------------------

WARN: ANONYMOUS LOGON does have remote access

 This setting should only be enabled if required as security on this

 machine has been lowered. It is needed if you need to manage Hyper-V

 on a remote server which is either in an an untrusted domain from this

 machine, or both machines are in a workgroup.

 Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off

-------------------------------------------------------------------------------

Firewall Settings for Hyper-V Management Clients

-------------------------------------------------------------------------------

Private Firewall Profile is active

  Enabled:  Hyper-V Management Clients - WMI (Async-In)

  Enabled:  Hyper-V Management Clients - WMI (TCP-Out)

  Enabled:  Hyper-V Management Clients - WMI (TCP-In)

  Enabled:  Hyper-V Management Clients - WMI (DCOM-In)

-------------------------------------------------------------------------------

Windows Firewall exception rule(s) for mmc.exe

-------------------------------------------------------------------------------

Private Firewall Profile is active

  Enabled:  Microsoft Management Console (HVRemote.wsf Created) (UDP)

  Enabled:  Microsoft Management Console (HVRemote.wsf Created) (TCP)

INFO: Are running the latest version

and now the server

Windows IP Configuration

  Host Name . . . . . . . . . . . . : TDVS01

  Primary Dns Suffix  . . . . . . . : coventry.ac.uk

  Node Type . . . . . . . . . . . . : Hybrid

  IP Routing Enabled. . . . . . . . : No

  WINS Proxy Enabled. . . . . . . . : No

  DNS Suffix Search List. . . . . . : coventry.ac.uk

                                      ac.uk

Ethernet adapter Local Area Connection 2:

  Connection-specific DNS Suffix  . :

  Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter - Virtual Network

  Physical Address. . . . . . . . . : 00-21-5A-AC-F5-9C

  DHCP Enabled. . . . . . . . . . . : No

  Autoconfiguration Enabled . . . . : Yes

  IPv4 Address. . . . . . . . . . . : 10.255.5.1(Preferred)

  Subnet Mask . . . . . . . . . . . : 255.255.255.0

  Default Gateway . . . . . . . . . :

  NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Management Network:

  Connection-specific DNS Suffix  . :

  Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter #2

  Physical Address. . . . . . . . . : 00-21-5A-AC-F5-9A

  DHCP Enabled. . . . . . . . . . . : No

  Autoconfiguration Enabled . . . . : Yes

  IPv4 Address. . . . . . . . . . . : 10.255.249.1(Preferred)

  Subnet Mask . . . . . . . . . . . : 255.255.255.0

  Default Gateway . . . . . . . . . : 10.255.249.252

  DNS Servers . . . . . . . . . . . : 192.168.64.1

                                      192.168.64.2

  NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

  Media State . . . . . . . . . . . : Media disconnected

  Connection-specific DNS Suffix  . :

  Description . . . . . . . . . . . : isatap.{204F4A7F-DF88-41BF-8964-AF1D0217B502}

  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

  DHCP Enabled. . . . . . . . . . . : No

  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

  Media State . . . . . . . . . . . : Media disconnected

  Connection-specific DNS Suffix  . :

  Description . . . . . . . . . . . : isatap.{538DC963-83B4-4B1C-8537-ACAD477B9F3C}

  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

  DHCP Enabled. . . . . . . . . . . : No

  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

  Media State . . . . . . . . . . . : Media disconnected

  Connection-specific DNS Suffix  . :

  Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

  Physical Address. . . . . . . . . : 02-00-54-55-4E-01

  DHCP Enabled. . . . . . . . . . . : No

  Autoconfiguration Enabled . . . . : Yes

Pinging wl101-1.coventry.ac.uk [10.16.42.3] with 32 bytes of data:

Request timed out.

Ping statistics for 10.16.42.3:

   Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.3 20th Nov 2008

INFO: Computername is TDVS01

INFO: Computer is in workgroup T&D

INFO: Current user is TDVS01\Administrator

INFO: Assuming /mode:server as the role is installed

INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

-------------------------------------------------------------------------------

DACL for WMI Namespace root\cimv2

Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

HVRemote also sets NoPropInheritAce and ValidInheritFlags

-------------------------------------------------------------------------------

BUILTIN\Distributed COM Users    (S-1-5-32-562)

    Allow: EnabAct RemEnab (33)

    Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

TDVS01\ccx004    (S-1-5-21-1256379756-912478012-384010367-1003)

    Allow: EnabAct RemEnab (33)

    Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\Authenticated Users    (S-1-5-11)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

-------------------------------------------------------------------------------

DACL for WMI Namespace root\virtualization

Required for Hyper-V remote mangement: Allow, EnabAct, RemEnab, InheritAce

HVRemote also sets NoPropInheritAce and ValidInheritFlags

-------------------------------------------------------------------------------

TDVS01\ccx004    (S-1-5-21-1256379756-912478012-384010367-1003)

    Allow: EnabAct RemEnab (33)

    Flags: InheritAce NoPropInheritAce ValidInheritFlags  (6)

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: Exec FullWrt PartWrt ProvWrt EnabAct RemEnab RdSec EdSec (393279)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\NETWORK SERVICE    (S-1-5-20)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\LOCAL SERVICE    (S-1-5-19)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

NT AUTHORITY\Authenticated Users    (S-1-5-11)

    Allow: Exec ProvWrt EnabAct (19)

    Flags: InheritAce InheritedAce ValidInheritFlags  (18)

-------------------------------------------------------------------------------

Contents of Authorization Store Policy

-------------------------------------------------------------------------------

Hyper-V Registry configuration:

- Store: msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

- Service Application: Hyper-V services

Application Name: Hyper-V services

Operation Count: 33

   100 - Read Service Configuration

   105 - Reconfigure Service

   200 - Create Virtual Switch

   205 - Delete Virtual Switch

   210 - Create Virtual Switch Port

   215 - Delete Virtual Switch Port

   220 - Connect Virtual Switch Port

   225 - Disconnect Virtual Switch Port

   230 - Create Internal Ethernet Port

   235 - Delete Internal Ethernet Port

   240 - Bind External Ethernet Port

   245 - Unbind External Ethernet Port

   250 - Change VLAN Configuration on Port

   255 - Modify Switch Settings

   260 - Modify Switch Port Settings

   265 - View Switches

   270 - View Switch Ports

   275 - View External Ethernet Ports

   280 - View Internal Ethernet Ports

   285 - View VLAN Settings

   290 - View LAN Endpoints

   295 - View Virtual Switch Management Service

   300 - Create Virtual Machine

   305 - Delete Virtual Machine

   310 - Change Virtual Machine Authorization Scope

   315 - Start Virtual Machine

   320 - Stop Virtual Machine

   325 - Pause and Restart Virtual Machine

   330 - Reconfigure Virtual Machine

   335 - View Virtual Machine Configuration

   340 - Allow Input to Virtual Machine

   345 - Allow Output from Virtual Machine

   350 - Modify Internal Ethernet Port

1 role assignment(s) were located

Role Assignment 'Administrator' (Targetted Role Assignment)

  - All Hyper-V operations are selected

  - There are 2 member(s) for this role assignment

  - BUILTIN\Administrators (S-1-5-32-544)

  - TDVS01\ccx004 (S-1-5-21-1256379756-912478012-384010367-1003)

-------------------------------------------------------------------------------

Contents of Group Distributed COM Users

-------------------------------------------------------------------------------

1 member(s) are in Distributed COM Users

  - TDVS01\ccx004

-------------------------------------------------------------------------------

DACL for COM Security Launch and Activation Permissions

-------------------------------------------------------------------------------

BUILTIN\Administrators    (S-1-5-32-544)

    Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

\Everyone    (S-1-1-0)

    Allow: LocalLaunch LocalActivation (11)

BUILTIN\Distributed COM Users    (S-1-5-32-562)

    Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

BUILTIN\Performance Log Users    (S-1-5-32-559)

    Allow: LocalLaunch RemoteLaunch LocalActivation RemoteActivation (31)

-------------------------------------------------------------------------------

Firewall Settings for Hyper-V

-------------------------------------------------------------------------------

Public Firewall Profile is active

  Enabled:  Hyper-V (SPL-TCP-In)

  Enabled:  Hyper-V (RPC)

  Enabled:  Hyper-V (RPC-EPMAP)

  Enabled:  Hyper-V - WMI (Async-In)

  Enabled:  Hyper-V - WMI (TCP-Out)

  Enabled:  Hyper-V - WMI (TCP-In)

  Enabled:  Hyper-V - WMI (DCOM-In)

-------------------------------------------------------------------------------

Firewall Settings for Windows Management Instrumentation (WMI)

-------------------------------------------------------------------------------

Public Firewall Profile is active

  Enabled:  Windows Management Instrumentation (DCOM-In)

  Enabled:  Windows Management Instrumentation (WMI-In)

  Enabled:  Windows Management Instrumentation (ASync-In)

  Enabled:  Windows Management Instrumentation (WMI-Out)

Note: Above firewall settings are not required for Hyper-V Remote Management

INFO: Are running the latest version

It will probably turn out to be something stupid I've done but hopefully you will spot it.

Best wishes....

Colin

06 January 09 at 1:32 PM
# jhoward said:

Colin

Can you verify you are using the same password for user ccx004 on both the client and the server. It may also be worth checking whether or not you have a set of cached old credentials for that user stored in cmdkey (use /list). The other thing I noted is that the server has two IP addresses: It also has 10.255.5.1. Can you try disabling that adapter in case traffic is going through a wonky route causing the problems.

Otherwise, it all looks OK. Could it be possible that there is a firewall also between the two machines on your network blocking some traffic? Let's cross that bridge after you verify the first set above.

Thanks,

John.

06 January 09 at 2:52 PM
# Colin Bruce said:

Dear John,

Thanks for the reply and help. I checked the password and it is the same on both client and server and I also did a cmdkey/list and then it struck me that perhaps the password there was incorrect. I re-added ccx004 to that very carefully as my typing is often erratic. Sadly I still get the same error message. I also disabled the second network card on the server but no go after that either. Perhaps there is a block between the two networks. Sadly I can't check that just now as I will need the help of my colleagues in networks but I can ask them tomorrow. Do you know the relevant port numbers by any chance?

06 January 09 at 8:17 PM
# jhoward said:

Colin - the range of ports is relatively large due to WMI and DCOM not being particularly firewall friendly. I confess though, I don't have the list of default ports easily to hand. However, if there really is a firewall in between these two boxes, that will almost certainly be a problem for remote management - to the best of my knowledge, most firewalls cannot pass RPC/DCOM/WMI traffic cleanly through them. Let's see what your network folks say first.

Thanks,

John.

06 January 09 at 8:43 PM
# Blog TechNet Brasil said:

Recently the Hyper-V Senior Program Manager (John Howards) released a command-line tool

08 January 09 at 3:35 PM
# Colin Bruce said:

Dear John,

As I expected my networking colleagues did the usual "not a network problem"  :-) However, on further questioning they said that there is a firewall between my PC and the server but that it isn't doing anything. By that they mean they have only recently installed it so it is currently allowing all traffic through in either direction. I suspect what they really mean is that it has the "out of the box" installation on it and although that allows most traffic through it blocks or mangles some by default. I think I'll carry MY PC downstairs and plug it directly into the same network as the server and see if that works. I'll let you know how I get on.

Best wishes....

Colin

08 January 09 at 6:07 PM
# Orpheustic said:

Very nice.  I have our AD and Exchange environment all running on a few hyper-v boxes across a vpn.  The Hyper-V boxes are not joined to any domain and this util proved to be quite worthy.  I ran it on my vista box and now I can manage everything, even across the vpn.  I remember looking for an easy way to do this last year but couldn't find anything as worthy as this.  Thanks!

09 January 09 at 9:02 PM
# virtualboy. said:

After my post a few days back, talking about the availability of both Windows 7 Client, and Windows Server

10 January 09 at 9:44 AM
# chrisouth said:

Great tool John. Worked a treat.

I've got a Vista laptop in a domain (offline though) and a Hyper-V Core in a workgroup. The only issue I had was not being able to connect to the server once I used the tool after rebooting (ICMP traffic blocked). I disabled the firewall on the server and all good now. Would the tool inevitably apply strengthen firewall policies?

Thank you :)

13 January 09 at 11:39 PM
# Patrick said:

Dear John

You write "It can configure Vista SP1 and Server 2008 configured with the Hyper-V Remote Management tools".

My client is Windows Server 2008 with installed Hyper-V remote management feature.

After typing "cscript hvremote.wsf /mode:client /show" I have this message:

*****

***** You need to install KB952627 for Hyper-V Remote Management from Vista

***** http://support.microsoft.com/kb/952627

Remember, that the OS is not Vista.

Have you got an idea?

Thanks,

Patrick

15 January 09 at 4:37 PM
# jhoward said:

Patrick - Yes, I think you've hit what a couple of other folks have also hit - a bug in my script :)

Try installing KB950050 on the "client" server (Hyper-V RTM update) and retrying.

Thanks,

John.

15 January 09 at 4:44 PM
# jhoward said:

Patrick - actually, I just installed a machine with Windows Server 2008 (ie with Hyper-V beta) and enabled the role/management tools, tried this and could not reproduce, so I'm a little stumped now. Can you post the entire output of hvremote /show, and confirm which version of HVRemote you are using.

Thanks,

John

16 January 09 at 12:31 AM
# Patrick said:

Dear John

My Hyper-V KB950050 cannot be a beta: Since I am not able to uninstall it, I simply tried to install the version I just downloaded over the existing one: "The update is not for your system". I promise you, I didn't try to install the x64 version on my 32bit Windows Server 2008.

For the moment this Windows version is a Trial (but not beta) edition, which trial period was extended (slmgr.vbs –rearm). Tell me, if you think, that this is the problem.

I downloaded the hvremote version yesterday (1/15/2009). It is the version 0.4 of 7th Jan 2009.

The output is like this:

C:\hvremote>cscript hvremote.wsf /mode:client /show

Microsoft (R) Windows Script Host, Version 5.7

Copyright (C) Microsoft Corporation 1996-2001. Alle Rechte vorbehalten.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.4 7th Jan 2009

INFO: Computername is CTWS1

INFO: Computer is in domain test.local

INFO: Current user is TEST\testuser

WARN: The Windows firewall is not active in one or more active profiles.

     Not all functionality of HVRemote will be available.

     Use 'netsh firewall set opmode enable' to turn it on!

*****

***** You need to install KB952627 for Hyper-V Remote Management from Vista

***** http://support.microsoft.com/kb/952627

The good part of the story:

With "cscript hvremote.wsf /mode:server /add:Administrator" on the machine with Windows Server 2008 x64 Core everything was ok.

Thanks,

Patrick

16 January 09 at 4:42 AM
# Patrick said:

John,

now I installed a virtualized version of Windows Server 2008 onto the Server Core (with Hyper-V role). The virtualized Windows Server 2008 should be the client. After installing KB950050 and rolling out Hyper-V remote management feature I did "cscript hvremote.wsf /mode:client /show" again and I still have the message, that I need to install this Vista update.

This brand new installation was just updated with windows update and I did nothing else than preparing the OS for remote management.

Does this statement help you?

Patrick

16 January 09 at 5:19 PM
# Colin Bowern said:

Great tool John!  Just used it to get Hyper-V 2008 R2 beta setup on my new home server box.  Saved a lot of time messing around in the command line.

17 January 09 at 8:12 PM
# jhoward said:

Patrick

Yes, I think I know the issue (looking at the code only - haven't had a chance to 100% verify, but I'm 99% sure). Quickest fix for you would be to make a small manual edit to the script in notepad. The real fix is a little more involved though....

Remove the following block of code and that will bypass the Vista client check and get you moving forward. I'll fix it properly in the next release.

>>Start delete

   ' Do Vista checks
   if (NO_ERROR = lReturn) and _
      (glClientServerMode = HVREMOTE_MODE_CLIENT) and _
      (gbRunningOnWin7 = False) Then
       lReturn = DoVistaChecks(oWbemServicesCIMv2)
   end if

>>End delete

Let me know how you get on.

Thanks,

John.

17 January 09 at 10:16 PM
# jhoward said:

Chrisouth

It is not necessary to disable the firewall to connect (I assume by connect, you mean connect using Hyper-V Manager, which does not BTW need ICMP Ping to operate).

What did you mean by "connect"? I would strongly recommend you turn the firewall back on in the meantime.

If "connect" meant for example, to be able to TS/RDP to it, the instructions for that are in the server core guide: http://blogs.technet.com/jhoward/archive/2008/03/29/idiots-guide-to-server-core-aka-server-core-installation-option-of-windows-server-2008-step-by-step-guide.aspx. I deliberately avoided putting "features" into HVRemote which were not specifically for Hyper-V remote management (although I did fail in one case).

Thanks,

John.

18 January 09 at 12:08 AM
# jhoward said:

Jan - glad the tool was useful and hope you hit your deadline :) (Or at least have it working by now, 2 and a half weeks later!)

Apologies though - I totally missed your comment and only just now noticed. Yes, I fixed the capitalization issue in the latest releases.

Thanks,

John.

18 January 09 at 12:13 AM
# John said:

After an hour I realised there were steps 4 and 5, :)

Note to self :RTFM

Very nice tool by the way.

Thank you

18 January 09 at 7:49 PM
# Patrick said:

Yes John,

after deleting this part of code, the command "cscript hvremote.wsf /mode:client /show" on Windows Server 2008 works fine.

Thanks a lot for helping me.

Patrick

19 January 09 at 10:47 AM
# David said:

Hello Just letting u know i have installed Hyper V server R2 and tried to run the script u made and i got this message when i run it with any commands

C:\Scripts>hvremote /?

Access is denied.

any ideas

20 January 09 at 9:02 AM
# jhoward said:

David - take a look at the response to Simon further up the comments.

Thanks,

John.

20 January 09 at 1:21 PM
# Ron Jones said:

I have 2 computers:

One running Hyper-V Server 2008

One running Vista

The Vista PC has Hyper-V Manager installed and I use this to manage the Hyper-V machine. This works great in the current config:

- Vista PC in the workgroup "WORKGROUP"

- Hyper-V machine in the workgroup "WORKGROUP"

- Both computers on the same network/switch

- I used the Hyper-V Remote Management Configuration Utility to finalize the security setup

Now, here's where the problem comes in. If I try this configuration, EXCEPT that the Vista PC is now on an entirely different network, in Hyper-V Manager I get:

"Cannot connect to the RPC service on computer "HYPER1". Make sure your RPC service is running:

So, I guess my question is, is "remote location" management possible with Hyper-V Server (without a VPN)? The remote Vista PC is behind a router on a cable-modem network. So I don't know if it's possible to map certain ports, add appropriate entries to both HOSTS files, and then get this working? Or is this just a futile attempt, and both PCs need to be on the same physical network?

Thanks for any assistance.

22 January 09 at 11:47 PM
# jhoward said:

Ron - unfortunately this is not possible. It's inherent in the way in which WMI traffic is unable to pass through a routed network in that manner (at least that's what I'm told by the WMI/DCOM team - we rely on their technology under the covers). The two solutions I recommend are either a VPN as you state, or to publish the Hyper-V management applications on a Terminal Server gateway.

Thanks,

John.

26 January 09 at 5:13 PM
# TONYSO said:

Performance Tuning Guidelines for Windows Server 2008 Hyper-V Release Notes Planning for Hyper-V Security

30 January 09 at 3:42 PM
# HyperVoria said:

Performance Tuning Guidelines for Windows Server 2008 Hyper-V Release Notes Planning for Hyper-V Security

01 February 09 at 10:17 AM
# Hiroshi Okunushi's Blog ☆ミ said:

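This is a follow-up to the post I wrote on 8/21 last year. "You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer 'xxxxxxx'." for Workgroup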

08 February 09 at 5:12 PM
# Patrick said:

John,

I left my test-equipment to finally install my production-solution. Hyper-V Role is on W2k8 Core, in Workgroup. Remote-Management Server is W2k8 in the same Workgroup. Usernames and passwords are the same on both machines. I used the latest hvremote-version. Everything was ok with hvremote on both servers.

With addition of

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

and

netsh advfirewall set currentprofile settings remotemanagement enable

on Hyper-V core I am even able to remotely  manage computer-management, firewall, etc. via mmc. The connection is only possible with the IP (192.168.x.x.) but not with the computername.

And I cannot connect at all with Hyper-V Manager on Remote-Management Server to my hyper-v core server.

How do I find out the blocking element here? Remember, that I am able to remotely manage the firewall. Is there an element in the firewall which might block the connection?

Thanks a lot.

Patrick

10 February 09 at 10:30 AM
# Patrick said:

John, I needed to add the server-name with IP-address to the hosts file. Now it works fine: I can manage the core server via mmc and the hyper-v manager can remotely connect now.

Patrick

11 February 09 at 4:19 AM
# jhoward said:

Patrick - Glad you got it resolved. Yes, you are correct about DNS being key to this working.

Thanks,

John.

12 February 09 at 1:46 PM
# Off Campus said:

Got this question twice this week so I’d say it is blog worthy. How to configure a Hyper-V server

13 February 09 at 12:30 PM
# Jay D. Carter said:

Hi John,

  I had your tool working well on a Hyper-V server, now something has changed and I get the error:

***** Failed to call GetSecurityDescriptor

DEBUG: GetWin32SD(): Exit RC=-1

***** Giving up as not able to get the security descriptor for the cimv2 namespace

***** Are you running as an admin from an *ELEVATED* prompt???

...this happens when executing the /show option from the server console, when logged in as {localmachine}\Administrator .

The command prompt IS an elevated command prompt when logged in as administrator correct?

Any suggestions?

I am able to access the server, etc. but i am wondering if this indicates some kind of problem (it is about to go 'live').

Thanks,

JDC

16 February 09 at 11:47 AM
# jhoward said:

Jay - this isn't an error I've seen before. If you are the local admin running elevated, it sounds like somehow the security permissions have got wacked somehow on the namespace to local admins. If this is a full install of Windows Server, can you put local admins back following the manual steps for remote management configuration. Is there anything which you can think of which would have changed? (Domain membership, for example?). I'm kind of stumped on this at the moment.

Thanks,

John.

16 February 09 at 12:10 PM
# Jay D. Carter said:

This problem is on Hyper-V server, not Win2k8 with the Hyper-V role.

Actually, I just removed it from the domain, rebooted, and re-added it to the domain thinking this might have an impact on the problem, but I am still getting the same issue.

I am also having the problem of  being unable to connect a virtual network to a physical NIC: "setup switch failed. The switch could not bind to {physical NIC} because it is already bound to another switch." It is not bound to anything I can see in the management interface. How can I change/check the bindings? NCPA.CPL does not seem to exist in Hyper-V server.

Thanks,

JDC

16 February 09 at 2:10 PM
# jhoward said:

Jay - several hours of investigation and after talking to the WMI team here - it turns out there is a bug in Windows which HVRemote is exposing. (If you're interested.... GetSecurityDescriptor fails for WMI namespace operations when there is an unknown SID in an ACE contained in the DACL. You get an unknown SID in there if, for example, you have a domain joined machine, add a domain account access through HVRemote, and then move the machine to a workgroup, or an alternate untrusted domain. The SID in the ACE can't be resolved as the original domain is unavailable and GetSecurityDescriptor fails).

But the good news is, I have a fix for it. I haven't done exhaustive testing, but it seems to work in a repro scenario I contrived. I'm not ready to release 0.6, but if you want to use the contact me option at the top of my blog, I can send you an early copy of HVRemote 0.6 with the workaround in it.

Thanks,

John.

17 February 09 at 1:34 PM
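
The condition John describes above, an ACE in a WMI namespace DACL whose SID no longer resolves, can be looked for directly. The following PowerShell is an added example, not HVRemote's code and not the 0.6 workaround: it fetches the DACL as raw bytes with the `__SystemSecurity` `GetSD` method and reports, per ACE, the SID, the decoded rights and whether the SID still translates to an account. The function name `Get-WmiNamespaceAce` and the output property names are choices made here; the short right names are borrowed from the `hvremote /show` output posted earlier in the comments.

```powershell
# Added example, not part of HVRemote. Read-only: it changes no permissions.
# Run from an elevated Windows PowerShell prompt (3.0 or later).

function Get-WmiNamespaceAce {
    param(
        [Parameter(Mandatory)][string]$Namespace
    )

    # WMI namespace access-mask bits. Keys are the short names that
    # hvremote /show prints; the comment gives the SDK constant.
    $rights = [ordered]@{
        EnabAct = 0x1      # WBEM_ENABLE
        Exec    = 0x2      # WBEM_METHOD_EXECUTE
        FullWrt = 0x4      # WBEM_FULL_WRITE_REP
        PartWrt = 0x8      # WBEM_PARTIAL_WRITE_REP
        ProvWrt = 0x10     # WBEM_WRITE_PROVIDER
        RemEnab = 0x20     # WBEM_REMOTE_ACCESS
        RdSec   = 0x20000  # READ_CONTROL
        EdSec   = 0x40000  # WRITE_DAC
    }

    # GetSD returns the security descriptor as a byte array (self-relative form).
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSD
    if ($result.ReturnValue -ne 0) {
        throw "GetSD on $Namespace failed with code $($result.ReturnValue)"
    }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
        -ArgumentList ([byte[]]$result.SD), 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Plain allow/deny ACEs are CommonAce; skip anything else.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

        $sid     = $ace.SecurityIdentifier
        $account = $null
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status  = 'Resolved'
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No account maps to this SID from where the machine sits now,
            # e.g. a domain account left behind after a move to a workgroup.
            $status = 'Unresolved'
        }
        catch {
            # Lookup itself failed (domain unreachable, broken trust, ...).
            $status = 'LookupError'
        }

        $granted = foreach ($name in $rights.Keys) {
            if ($ace.AccessMask -band $rights[$name]) { $name }
        }

        [pscustomobject]@{
            Namespace = $Namespace
            Sid       = $sid.Value
            Account   = $account
            Status    = $status
            AceType   = $ace.AceType
            Rights    = ($granted -join ' ')
            Mask      = $ace.AccessMask
            Inherited = $ace.IsInherited
        }
    }
}

# The two namespaces HVRemote reports on in the /show output above.
'root\cimv2', 'root\virtualization' |
    ForEach-Object { Get-WmiNamespaceAce -Namespace $_ } |
    Where-Object { $_.Status -ne 'Resolved' } |
    Format-Table Namespace, Sid, Status, Rights -AutoSize
```

An empty table means every ACE in both DACLs still maps to an account. Any row listed is an entry to review after a domain or workgroup change, since it grants the listed rights to a SID the machine can no longer name.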
# Joel said:

When running the script on a new Win 2k8 DC Core and attempting to add my domain account, I get an error.  The server is joined to a domain, and DNS at least appears to be working correctly (nslookups work from the server).

C:\Users\Administrator\HyperV>cscript HVRemote.wsf /add:ent\bennettj

Microsoft (R) Windows Script Host Version 5.7

Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility

John Howard, Microsoft Corporation.

http://blogs.technet.com/jhoward

Version 0.6 2nd Mar 2009

INFO: Computername is ENTHYPEV01

INFO: Computer is in domain ent.co.ventura.ca.us

INFO: Current user is ENTHYPEV01\Administrator

INFO: Assuming /mode:server as the role is installed

INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

***** GetTrustee Failed: ent\bennettj not found

***** If ent is a domain, you need to be connected to the domain for this to work

06 March 09 at 11:08 AM
# jhoward said:

Joel - this will be because your local administrator account cannot resolve domain accounts as it has no authority in the domain. There are three workarounds.

1. Logon to the core box with a domain account which is also a local administrator on the box (hence ensuring you can get an elevated command prompt).

2. Continue logging on as local admin, but enter runas /user:domain\user cmd where user is also a local admin on the core box to get an elevated command prompt.

3. (Need to confirm) If the local administrator account has the same password as domain\administrator, it should work as-is.

Thanks,

John.

06 March 09 at 12:13 PM
# James said:

Thank you John for the scripts.  However, after running the latest scripts (downloaded March 09, 2008) and following your quick instructions within the pdf documentation, I was still unable to remotely manage my freshly installed Hyper-V Server 2008 installation from Vista (running in a workgroup).

I could ping my Vista client from the Hyper-V console, but couldn't ping the server.  After a little frustration (thinking all I had to do was run the scripts per the quick guide), and seeing how ICMP was still being blocked by the Hyper-V server, I searched and found the command to open the firewall on the Hyper-V server.  Tada!  That did it for me!

Perhaps I ran through your documentation too quickly (I certainly wouldn't put it past me) but I don't remember seeing this step within your quick guide nor surrounding that section in the pdf docs.  Did I miss it, or would this be something that would be great to add into your script and quick guide documentation?

I really do thank you!  You did end up saving me much time!  Perhaps you have some influence with the team at Microsoft to simplify the process in future iterations?  I've seen Hyper-V getting beat up quite a bit over all these elusive steps needed to setup Hyper-V (especially from VMware users and employees.  I wouldn't mind seeing some of their bragging rights disappear!).

Thank you,

James

09 March 09 at 8:23 PM
# jhoward said:

Hi James - glad you got it resolved, but I believe you've fixed it the "wrong" way.... HVRemote only opens the firewall ports needed for Hyper-V Remote management, not for other traffic such as ping. I'm wondering whether you ended up turning the firewall off on the server? I'd be interested if you could undo that command, and if remote management still fails, send me the output of hvremote /show on both the server and the client, plus the ping attempts by name of server from client and client from server (ignore the failure - I'm more interested in validating the correct IP addresses).

Yes, I work on the Hyper-V engineering team, so have plenty of influence, but this will still be almost identical in configuration steps for Windows Server 2008 R2. I'm also working on a new version of HVRemote which will make this configuration even easier - more will follow on my blog soon, I hope.

Thanks,

John.

09 March 09 at 8:36 PM
# Chandra said:

hello John,

We are planning to deploy a lab and share it with our peers as part of our learning process. We are using Hyper-V to deploy the labs.

I am able to access the VM remotely. But when another user tries connecting to it, I get the following message, which I would like to disable.

"Another user is connected to <vm>. If you continue they will be disconnected. Would you like to connect to <vm>?."

1. Is there a way that I can disable this prompt and always have the first user continue accessing it?

2. This brings a scenario, where we need to timeout idle sessions, something like we had in Virtual server. Can we achieve these in Hyper-V?

11 March 09 at 8:58 AM
# jhoward said:

Chandra - unfortunately neither of these are possible in Hyper-V. 1 can be somewhat mitigated through using scopes in AZMan if the restriction of one user per VM is an option.

Thanks,

John.

11 March 09 at 4:28 PM
# Shan said:

Hi John,

First of all thank you for maintaining your blog; to be honest it has helped me several times when I was lost in Hyper-V.

We’re planning to go live with two W2K8 Hyper-V boxes in our production environment during the next QTR, but I’m facing a challenge in my Proof of Concept network when accessing the Virtual Machine Connection via Hyper-V consoles. I believe you are the right person who can help me.

I have installed two Hyper-V servers in a Windows 2003 Domain environment (namely VM-04 & VM-05). When I try to execute the VMC in the VMs that are in their respective hosts, I have no challenge, everything works perfectly as described in the build guides. But when I try to access the Virtual Machines which are hosted in VM-04 from VM-05 Hyper-V console (or the other way round), the system prompts a window to type the password for the local Administrator account of the server. In the “Windows Security” windows it says “Your credentials did not work. The credentials that were used to connect to VM-04.domain.local did not work. Please enter new credentials”. What I can’t understand is I’m using my Domain Admin account, but Hyper-V doesn’t like accept it to open the VMC. If I type the local Administrator credentials, then it’ll show the screens to the Virtual Machines properly. But I don’t want to do that every time.

I used your HVREMOTE tool to modify the access rights on the “Initialstore.xml” file to grant the permission to my Domain Admin account. But unfortunately I can’t see any progress here.  

Occasionally I can see the following error appearing in the Hyper-V event log too.

Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin

Source:        Microsoft-Windows-Hyper-V-VMMS

Date:          11/03/2009 12:47:17

Event ID:      17030

Task Category: None

Level:         Warning

Keywords:      

User:          SYSTEM

Computer:      VM-04.domain.local

Description:

Virtual machine 'TEST-05' is assigned to an authorization scope that is not defined in the policy store: 'd6f6318b-79d1-4f72-a9b4-baa2701d3e4e'. The virtual machine will be reassigned to the default authorization scope. (Virtual machine ID E28AEE78-6616-4FED-BEAB-EF6F3EE69694)

Any advice on this would be really appreciated,

Thank you in advance.

12 March 09 at 1:01 AM
# jhoward said:

Shan

I'm a little confused by the explanation of your configuration. Could you post back on a failing setup: hvremote /show from the server; hvremote /show from the client; ping attempt by name from the server to the client and vice versa. That will tell me what I need to know.

However, there is something interesting in the output above which has nothing to do with HVRemote. Has the server at some point been managed by SCVMM (or currently is being managed by SCVMM)? HVRemote doesn't put VMs into scopes, whereas SCVMM does. I think the event log is a red-herring especially now it indicates the VM has been placed back in the default scope.

Thanks,

John.

16 March 09 at 1:29 PM
# Simon said:

Hi,

Great script. I second what Simon Dean said earlier -- not being able to work by IP is a nuisance. I suspect this will be an RPC cannot fix though so a feature request for the next version of the script instead please:

Attempt to do a dns lookup / reverse dns lookup on a server name / IP address passed into the script. Even better, after the lookup, do the reverse and cross-check the results.

Took me an age to figure out the problem but probably not helped by looking at it at 2am and not finding the comments above until afterwards. Ho hum.

Thanks,

Simon

16 March 09 at 4:45 PM
# Prahalad said:

****  I posted this on MSDN Code gallery. I don't know if you frequent that or not so I thought I will post here as well *****-

Hi,

I am trying to connect from one Win 2008 Standard machine in a domain to a non domain Hyper-V server core and getting a " Access denied. Unable to establish communication between"SERVER CORE" and "Client". While trying to debug this issue I noticed the hvremote /show gives the following error when executing as a domain user with domain admin right. I double checked that they can ping each other using names because I added appropriate host entries. I did configure both the server and client as described in the documentation

DEBUG: Opening the AZMan policy store

DEBUG: OpenAuthorizationStore: Enter

DEBUG: OpenAuthorizationStore: Instantiate StdRegProv

DEBUG: OpenAuthorizationStore: GetStringValue

                           * OpenAuthorizationStore failed: Failed to query registry

                           * 0

                           * Giving up as could not open the authorization store

But if I logoff and login to a local account the same command completes successfully. Any ideas on why the difference in behaviour and/or suggestions on moving forward? Any help is greatly appreciated.

Prahalad

25 March 09 at 6:52 PM
# jhoward said:

Prahalad - Not something I've had reported before.

To be clear, you're hitting this on the "client" machine which is a domain joined 2K8 box (as opposed to on the workgroup server core machine or "server" machine).

Do you have the Hyper-V role enabled on the "client" machine as well? It sounds like you must have as it would only go down the path to this output if it determined that the role was enabled (or of course, I have a bug ;) ).

Have you tried adding /mode:client when running hvremote /show on the "client" machine?

Do you only get this if you are a domain user with domain admin rights? You mentioned it works OK with a local account, but what about a domain account which does not have domain admin rights?

Is this also using HVRemote v0.6?

Thanks,

John.

25 March 09 at 7:56 PM
# Prahalad said:

John,

  First off thanks for the quick reply. You do not know how much it is appreciated.

The answers first.

1> I have enabled the hyper-v role on the client machine.

2> I have used the /mode:client option with /show. It ends normally.

3> When I mentioned that "it works" I meant the /show command works. But I still cannot connect to my server core either with a local account or a domain account

4> I have not tried it with a non domain admin account. But will try that next.

5> Yes it is the HVRemote v0.6

Now to throw another kink into the situation, I just tried the command and connecting to server core from another win 2008 machine(lets call it client2) in the domain with the same domain ID that failed earlier and it worked. The /show command completes without an error and I am able to connect and list the VM on my server core. There are some  differences between these clients. I will try to list everything that comes to my mind. This list might not cover each and every difference.

   1> Client2 was actually in a test domain which I changed to my production domain and client1 was always in my production domain.

   2> Client2 is an Enterprise edition and Client1 is Standard edition.

   3> Client2 has less roles than client1. client1 has IIS and App server role as well as other roles

   4> Client1 has lot more software installed on it (SQLServer 2000 & 2005, VS 2003, VS2005, VS2008, Office2007 etc) as I am using it as my workstation.

Prahalad

PS: By the way I forgot to thank you for such a neat utility. It is really a godsend while I am working on my Server virtualization project.

25 March 09 at 10:05 PM
# jhoward said:

Prahalad

If your "client" is a 2K8 box with the Hyper-V role added, you will need to add /mode:client to all client commands to HVRemote as it will assume it's the server if it detects the role. That's probably why it worked with client2 - nothing in HVRemote or remote management configuration should be affected by what's installed on the client machine.

So if a client is domain joined and the server is workgroup, you need to treat this the same as you would a workgroup to workgroup scenario. But you can still use a domain account on the client machine rather than a local account which matches the account name on the server if you use cmdkey.

That means:

- Local account on the server

- On server hvremote /add:localaccountname

On client

- Login as the domain user you want to grant access. From an elevated prompt:

- hvremote /mmc:enable    (plus /mode:client as above)

- hvremote /anondcom:grant (plus /mode:client)

---note anondcom:grant is required as server is workgroup

- cmdkey /add:servername /user:servername\serveraccount /pass

That should be everything.

Glad you found HVRemote useful :)

Cheers,

John.

25 March 09 at 10:33 PM
# Prahalad said:

John,

  I think I fixed the problem but I am not really sure how.

  I compared all the services between non working client and a working client and found that WSRM was turned off. I turned it back on and the /show worked and I was able to issue a /anondcom:grant successfully and after a reboot I was able to connect to my server core and list the VM's in the hyper-v manager. Here is the "I think" part. To duplicate the error I stopped WSRM but I was unable to duplicate the error. Now /show as well as connection to server core works with the WSRM service stopped. I don't have a real good explanation why it is working now.  Maybe you have a better explanation.

Thanks for lending me a helpful ear. And once again thank you so much for the script.

Prahalad

25 March 09 at 10:35 PM
# jhoward said:

Prahalad - nope, can't explain that one, sorry. WSRM shouldn't affect Hyper-V remote management. I suspect the reboot is the more likely cause - the output of HVRemote after you /add (it's a bit clearer in the docs) says that you may need to reboot both machines if it's the very first, and generally only the very first time - something I haven't dug into to understand fully why that is the case though. It's a curious problem, but time to investigate eludes me.......

Glad you got it working.

Cheers,

John.

25 March 09 at 10:50 PM
# Aaron said:

If I wanted to do this much manual configuration, I would have learned Linux.

31 March 09 at 12:36 AM
# Libis Bueno said:

John, best tool ever.. Thank you. I kind of automated the process a bit more...

http://code.msdn.microsoft.com/Hvautomated

Thanks for the hard work and for sharing this tool with the community.

01 April 09 at 6:16 PM
# jhoward said:

Thanks Libis - looks good. Can I ask though that you do not package hvremote.wsf in your distro though and point people to the master download site instead?

Thanks,

John.

01 April 09 at 6:33 PM
# Craig Fisher said:

The Access denied message keeps coming up for the hvremote script on a Hyper V server  and I have tried everything with no luck.  I have two servers loaded remotely in a hosting facility with a database server (2008) and a hyper V server. I have tried connection from the database server and a remote Windows Vista machine. I have got the hvremote working on both the database server and vista machines and made sure everything is good. When I run it on the remote Hyper V server I get access denied message. I have had connection to the hyper V from the database server before it was sent off for hosting but this was spasmodic. Any ideas.

03 April 09 at 11:56 PM
# jhoward said:

Craig - when you say in a hosting facility - you mean as in somewhere out on the Internet with firewalls and routers and stuff in between it and the client machines, correct?

Hyper-V remote management is built on WMI and DCOM which don't generally traverse those types of networks as you would have to have the Internet facing servers with many many ports open which is not a good thing. In those scenarios, the best solutions are to limit the number of ports open on the servers and manage if possible through an RDP connection to the server, or publish Hyper-V Manager and VMConnect through a TS gateway.

Thanks,

John.

06 April 09 at 12:12 PM
# James Senecal said:

John:

Great tool.  It worked great on my Vista x64, but on Windows 7 x64 build 7057 & 7068 there seems to be an issue.  The Hyper-V Manager connects to the remote server, but when I try to connect to a VM I get the error "Your remote desktop connection failed because the remote computer cannot be authenticated".

I am using the same credentials, and I have installed the certificate from my Hyper-V server with no luck.  (It used to work great with the 7000 build.)  Any suggestions?

Thanks,

James

06 April 09 at 1:24 PM
# jhoward said:

James - I'm guessing (?) you're an MVP if you have access to 7057 and 7068, or part of a TAP program? What I suspect you're hitting is actually something quite different and a different bug which affected several winmain builds post 7000 (I'd need to verify, but believe 7068 was the last build before the fix made its way into winmain). I'm assuming you're in a workgroup - the bug was not present in domain to domain configurations. There is a horrible workaround, far too long to type up. Realistically, you need to wait for a later build though..... sorry.

Cheers,

John.

06 April 09 at 1:41 PM
# James Senecal said:

John:

Thanks for the quick response.  Yes, I am part of a TAP, and yes, both boxes are in a workgroup.  I wasn't able to find anything specific about the issue anywhere, so I hoped you could help.

Thanks again, and I'll keep my eyes peeled for the next build or even the RC.

Cheers.

James

06 April 09 at 1:46 PM
# Bob said:

I found your script helpful but I'm still unable to remotely manage a Hyper-V server remotely. I have 2 computers in the same workgroup. One computer is running W2K8 X64 Enterprise SP1 (Full Installation). The second computer is running W2K8 X64 Enterprise SP1 (ServerCore Installation). I'm using the computer running Hyper-V Manager to remotely manage the Hyper-V server running on the ServerCore computer. The Hyper-V Server Role was installed on the ServerCore computer. I've used the HVRemote.wsf script to help me debug and configure the environments on each computer. KB950050 is installed on the computer being remotely managed. The error "'Msvm_VirtualSystemManagementService' object was not found" is reported by the Hyper-V Manager while trying to connect to the remote Hyper-V server. Do you have any suggestions? Thanks.

09 April 09 at 1:20 PM
# jhoward said:

Bob - do you have KB950050 installed on the server machine acting as the client too?

Thanks,

John.

09 April 09 at 2:16 PM
# John W. said:

John,

I've got Windows Vista Business SP1 with KB95952627 installed.  Hyper-V 2008 installed on the server.  Both in a workgroup called TEST.  When I run hvremote /add:user1 from the server I get an error about not being able to generate a trusted list...so not able to add a user and connect remotely.

Thanks,

John W.

14 April 09 at 2:52 PM
# jhoward said:

John W - can you give me the exact command and exact error you're hitting? If it is a GetTrustee Failed type message, it's possible you're hitting a bug in HVRemote which was fixed in 0.6

Thanks,

John.

14 April 09 at 3:02 PM
# John W said:

I was getting the GetTrustee Failed message.  Downloaded and used HVRemote 0.6.  Was able to add user1 on server.  Passwords synced between Hyper-V server and Vista Business SP1 laptop.  Added user1 to local administrator's group on server.  Still not able to connect with Hyper-V Manager using user1.  Reformatting drives and installing VMWare...

Thanks anyway,

John W.

15 April 09 at 12:12 PM
# jhoward said:

John W - it would have been a lot more useful if you could have provided the output of hvremote /show on both boxes....

Thanks,

John.

15 April 09 at 12:21 PM
# NMelnik said:

First off, Thank you John for this script.  It really helps with our lab deployments.

I had an odd quirk with the .6 script and wanted to share my results. I needed to check the connectivity to some of our lab servers and went through the manual process on two of our servers to check (one working, one non).  

The non-working was failing with "You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer xxxx”, even though the output from "hvremote /add" reported no errors.  /show came up with an odd difference between the two, however.  The two users we add with the script were reported as role admins with the working server, but not on the other.  I fully expected to find those two groups missing in the auth manager msc, but they were added.  The server had been rebooted a few times since the script was first ran, so I wasn't expecting that to be the cause here.  Instead, I found through the comments that a reboot was not required when adding role admins, so I deleted and restored the two groups, then attempted to connect via HyperV man on a Vista SP1 client.  After one or two failed attempts, it connected.  

Here's the final oddity:  the /show output only changed on one of the now-working servers and still reports the default users as role admins on the rest.  They are both listed as dcom group users, btw.  

In any case, it's all good now, so again, thank you for the effort you put into this script.

04 May 09 at 2:23 PM
# NoClue said:

Hi!

Have a problem. I do not have a domain server, and I do not have a dns server. I do not want any of them on my local test network either, since it's totally unnecessary.

How do I administer a plain hyper-v server install by ipconnection or whatever?

07 May 09 at 8:23 PM
# jhoward said:

NoClue - the easiest way is to assign static IP addresses and edit the \windows\system32\drivers\etc\hosts file to ensure each machine can resolve each other by name.

Thanks,

John.

08 May 09 at 12:17 PM
# Stuart said:

In response to James Senecal's message, I scratched my head for some time and finally got a fix going for the latest RC of Windows 7 (build 7100) and Hyper-V Manager. Thought I'd share it in case others were having the same. Basically I couldn't connect to the virtual machine via the manager despite RDP working fine. Always got the "Your remote desktop connection failed because the remote computer cannot be authenticated" error. So basically I went ahead and installed the cert from our Core Server 2008 (it prompts you to install this the first time you try to connect anyway). Once done, I fired up MMC and added the Certificates Snap In for User Account. I then found the cert I just added from the Core box, and exported it (right click). Then I removed the snap in, and re-added the same snap-in but this time for Computer Account Certs. Then you right click on "Trusted Root Certification Authorities" and import the cert we just exported.  Job done, you can now connect. I know it's a hack but hey it works for now.

Finally for all those struggling to connect to Hyper-V server full stop, I just added the line in the HOSTS file like John suggested on the client machine and it worked for me (Workgroup environ).

09 May 09 at 6:06 PM
# Christopher Lohman said:

Thanks very much.  I just installed from the Hyper-V Server 2008 R2 iso and this script worked flawlessly.  After reading the manual steps I sure am glad I didn't have to figure that out.

Now that we can download a hyperv iso instead of enabling it from a server core install, perhaps you can recommend to someone that these necessary settings be included as part of the installer.   In fact, since the sconfig.cmd launches automagically upon login, they should just plug your script in as part of the server config.

14 May 09 at 2:44 PM
# Brian Q said:

John

Have everything working thanks to your directions and I belatedly found the script. I'm using the RSAT from a Win 7 client, but it seems the RPC regularly goes to sleep if I'm not using it (get that same message "Cannot connect to RPC service") then I can't reconnect. Have to completely reboot then it's back on.

Any ideas why it drops out?

Brian

15 May 09 at 1:39 AM
# Jeff H. said:

John,

Great script and great documentation. As feedback, it seems that the script doesn't perform the firewall exception steps (on the server) for RemoteAdmin or Remote Volume Management. Are these not necessary steps in all cases?

Also, for documentation purposes, which steps of your manual process does the script automate? I wasn't completely sure if it was all of the steps, or just a subset.

20 May 09 at 3:51 PM
# jhoward said:

Thanks Jeff

For the firewall side, the script manipulates the Hyper-V rules on the server. In addition, it can manipulate the server side WMI management, but that isn't strictly necessary (I should remove it probably). It doesn't change any other firewall groups as they are not needed for Hyper-V Remote Management itself.

Client-side, it manipulates the firewall for the MMC exception, and for the built-in Hyper-V rules.

Other than that - the steps it does are

- Add/remove users to Distributed COM Users group; AZMan (as an administrator); The two WMI namespaces. This is server side

- Allows config of remote DCOM access on the client (optional depending on workgroup-ness)

To all intents and purposes, the script implements everything needed for remote management. You should not need to perform any additional steps unless you start needing more granular AZMan settings.

Cheers,

John.

20 May 09 at 4:04 PM
# Jeff H. said:

John,

I think I understand where I got confused.  For one thing, I performed the cardinal sin of changing multiple things at a time, so I'm not sure which fix ended up being the solution.

After doing your script, I tried using remote Computer Management, without success. I ran netsh firewall for both RemoteAdmin and Remote Volume Management.  At the same time, I also noticed your comment in the Troubleshooting section about "It is vitally important that the client can locate the server by name *and* that the server can locate the client by name." I had considered the former, but not the latter.  Good move, me.

Of course, remote Computer Management was not at all necessary at that point, so I may have been trying to fix a non-issue.

Also, in the troubleshooting, you recommend using nslookup or ping to see if the machines can communicate. If you're using a local host file (in my experience), nslookup will fail. Also, by default, ping doesn't return when pinging 2008. I would think most of your readers would know to see if ping knows who to contact, rather than for a return, but it's still a caveat.

I have another question, but for sake of sanity I'm going to make it in a second comment post, to keep them separate.

20 May 09 at 4:49 PM
# Jeff H. said:

In your manual steps, you emphasized that the same username/password needs to have access to both machines, and be an Admin on the server.

In my case, my client is Windows Server 2008 (full) 32-bit. Whether this is by design of 2008 or something another admin changed, UAC seems to be gone and every command prompt I can find is the elevated command prompt.

I log in as 'user1', let's say. But when I go to the elevated command prompt, a 'whoami' returns WIN-alphanumeric\administrator. Which user do I need to grant privileges on the Hyper-V server?

20 May 09 at 4:52 PM
# gamerboys said:

Thank you very much.

My Hyper-v has blocked 4 days, then your tool helped me just before.

Cheers too,

21 May 09 at 3:36 AM
# Derek Davis said:

john,

I've had much success with Hyper-V in the past, but am now trying to use the Hyper-V Manager in a workgroup with a new server loaded with the Hyper-V Server 2008.

When I try to add a new user on the server (to match the user ID on my laptop) I get a message after entering command:

cscript hvremote.wsf /add:derek

INFO: Computername is B2B-HOST

INFO: Computer is in workgroup WORKGROUP

INFO: Current user is B2B-HOST\Administrator

INFO: Assuming /mode:server as the role is installed

INFO: This machine has the Hyper-V (v1) QFE installed (KB950050)

***** GetTrustee Failed: B2B-HOST\derek not found

***** If B2B-HOST is a domain, you need to be connected to the domain for this to work

any idea why this command would do this?

Many thanks!

21 May 09 at 2:25 PM
# jhoward said:

Derek - have you already created the account "derek" on the server itself? HVRemote doesn't create user accounts, the /add option adds a pre-existing account access to the necessary configuration items to allow Hyper-V remote management to work.

Thanks,

John.

21 May 09 at 2:33 PM
# Derek Davis said:

Ok - that was easy enough.

Have you ever seen a Hyper-V Server in Workgroup that could not be discovered by the network?  ie - browse the network and the machine doesn't appear.  Can't ping it by name.  (pinging by IP address works fine)

When I try the hyper-v manager, after following the steps in your HVREMOTE document, I still get "The computer '10.0.0.176' could not be resolved."

If I try it by computer name, It can't find it.

Is there another firewall setting somewhere that I need to set to allow the vista machine (or any machine) to see it by name?

21 May 09 at 5:36 PM
# jhoward said:

@Christopher - unfortunately, it's not quite that simple.... (as you can probably imagine!), but thanks for the feedback.

Cheers,

John.

21 May 09 at 5:40 PM
# jhoward said:

@Brian Q - you get the RPC error most commonly when there is a problem with DNS/name resolution. When it's in a failed state, verify that a ping by name in *both* directions is attempting to hit the correct IP address. Are you on a network where IP addresses are changing frequently?

(I'm assuming that by "sleep" you just mean you get the cannot connect message after a period of time, nothing to do with putting the client itself to sleep.)

Thanks,

John.

21 May 09 at 5:43 PM
# Derek Davis said:

John,

Have you ever seen a Hyper-V Install that you could not PING by name ... but doing a Ping by IP Address is fine?

This is a Hyper-V Server in WORKGROUP... I've tried static and dynamic IP Addresses, but I still can't get to the server by name.

22 May 09 at 3:11 PM
# jhoward said:

Jeff H. Yes, I probably over emphasised the point of matching user names/passwords as you can overcome that using cmdkey as I used in the last part. As for being an administrator on the server - to do the server configuration steps you have to run elevated.

It sounds like either you're logged in as the local administrator, or domain administrator in which case on Server 2008 command prompts are normally elevated. If that isn't the case, UAC could have been turned off either through domain policy or from the Control Panel/User Accounts applet.

For the last part though, I'm truly stumped as to why you log in as one user but whoami returns a different account. I've never heard of this one before. The account you use on the client (particularly in a workgroup) is orthogonal to the account you add on the server - and I guess you are in a workgroup here due to the ability to use cmdkey. For WG, you should create a standard user on the server who does not have admin rights and when logged on as an administrator on the server, add the newly created user accounts the rights. (Note: Make sure a password is set for the new account). Then on the client, either have a matching username and password and it will "just work", or logon with a different username and use cmdkey to authenticate to the server using the credentials of the new user account you created there.

Hope that makes sense!

Cheers,

John.

22 May 09 at 4:29 PM
# Brent said:

I kept receiving RPC error when trying to get workgroup client (w2k08 R2) accessing workgroup hyper-v Server (w2k08 R2 Hyper-v Server).

I was adding the server using the IP address. As soon as I changed to the servername everything worked.

24 May 09 at 7:41 AM
# Julian said:

Thank you, John !  

Now, after 24 hours struggling,  I am able to work remotely in a workgroup.  Unfortunately I didn't notice the 2 commands to issue on the client.

Now, one last thing ... what account is required on the Hyper-V 2008 server ? I defined lots of accounts on the server, and, now it is working correctly, I am scared to delete some of these  !! (copy of my current account, copy of the local UAC-required account, and so on).

Cheers,

Julian

25 May 09 at 5:53 AM
# jhoward said:

Julian - it depends. In some ways, if it is only you accessing the remote server, then you could use cmdkey to use the built in administrator account to authenticate from the client to the server. However, for best practice, I would probably recommend you just create a single non-admin account on the server (which can optionally match username/password to the client in which case cmdkey is not needed) and configure the client cmdkey option to authenticate as that user.

Thanks,

John.

25 May 09 at 9:35 PM
# jhoward said:

Derek - apologies, didn't spot your comment until now. I'm no expert in workgroup name resolution by any means. I would recommend you configure static IP addresses and ensure the host files are correctly configured on both (or all) systems. You would need to enter an entry for the server on the client, and the client on the server.

Thanks,

John.

25 May 09 at 9:41 PM
# Jeff H. said:

@Derek: Sadly, that's a common thing in a workgroup environment. As John said, look at your host file configurations on the machines in question.

In my experience though, even local HOSTS files won't always fix that. If you have a DNS server, Windows will sometimes insist on skipping the HOSTS file, so it will never resolve by name. At least that's the case with nslookup. Can't recall off hand if that also affects ping.

@John: According to my teammates, the user in question was created as part of the normal Server 2008 setup, when it asks for a username/password combination before initial login. My personal suspicion is that the elevated command prompt is what is returning 'administrator'.

To make matters more confusing, it appears that Administrator/"User1's Password" is what is needed on the Hyper-V machine.

It's a non-issue now, as I've got it all working (thanks for your help!), but that intrigues me. Perhaps the elevated command prompt is simply using (and therefore returning) the privileges of the local administrator.

26 May 09 at 4:34 PM
# Jason said:

@STUART

Regarding your hack for the Certificates issue... worked perfectly for me on my Win 7 7100 build.  Thanks!

06 June 09 at 12:32 PM
# TomH said:

John,

First thanks for all of your hard work. I used your HVRemote script and got the Hyper-V Remote Management working on the first try.... after days of frustration before HVRemote.

Now, a question. I'm using this in a small development domain and I have one issue that, apparently, was caused during the install of the Hyper-V Remote Management tools or HVRemote. I have SQL Server Express installed on the same server that runs Hyper-V and the DC. Client computers can no longer find the SQL instance since I installed the tools and ran HVRemote.

If I turn off the firewall in a client I can see the SQL Server so it probably has to do with the fact that my SQL Server is still using dynamic ports. I thought the issue was in the client firewall or something the remote management software modified but I tested from another client that does not have any Remoting software and runs a plain-vanilla firewall, in fact the whole system is plain-vanilla. It also can no longer find the SQL Instance. They can both still connect to an instance on another server (also dynamic ports) over a VPN.

I've gone through your (excellent) write-up on what HVRemote changes but I don't see anything that triggers an ah-ha.

Any idea on where to start?

03 July 09 at 1:30 PM
# jhoward said:

TomH - I'm not even sure where to start with this one - I can't think of anything HVRemote would change to affect SQL operations. I've asked around internally, but TBH, I don't know many SQL experts to ask where to begin diagnosing it. If you reverse the changes made by HVRemote (ie /remove rather than /add), does SQL start operating normally again?

Thanks,

John.

14 July 09 at 3:54 PM
# Pieter said:

John,

Does hvremote also work on Hyper-V server 2008 R2?

03 August 09 at 8:23 AM
# jhoward said:

Pieter - yes, it does.

Cheers,

John.

03 August 09 at 12:47 PM
# David said:

Thanks a lot for this. Works a treat!

05 August 09 at 9:36 AM
# Pedro Moreira said:

There seem to be situations where MachineAccessRestriction under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Instrumentation does not exist (in fact the whole key did not exist).

In these circumstances the script fails.

One has to go to Component Services and manually grant anonymous access.

Once this is done, the referred keys are added and the script works as expected.

08 August 09 at 2:08 PM
# jhoward said:

Pedro - interesting, I've not had this reported before or come across a situation where that is the case. Can you provide any more information about under what circumstances you have hit this - what version of Windows Server (or Hyper-V server), whether you have a reliable repro of this to diagnose, any other software installed on the machine, anything unusual in any way etc. The key should be present as part of a base Windows install which is why I'm really surprised if it wasn't present.

Thanks,

John.

09 August 09 at 1:05 AM
# True Playa said:

John you are my Hero, good work man.

Greez from switzerland at 01:00 am !

Thanx so much

16 September 09 at 7:05 PM
# Blackie said:

Hi John, running Windows 7 Enterprise and Windows Hyper-V Server R2 in workgroup mode. Your HVRemote tool worked perfectly first time. You are a top man.

22 September 09 at 1:43 PM
# Patrick said:

Hi John

Is it possible that the installation of KB967723, KB971961, KB972036 on W2k8 (management server) could be the reason why I lost the ability to remotely manage W2K8 Server Core (with Hyper-V)?

In fact, I am almost sure that shortly after installing the above updates the connection was broken. Then I uninstalled these updates. Without success. Later Windows re-installed them automatically "by accident", and now it works again.

Is this a known or rather an exceptional case?

remark: Beside this case the configuration with your hvremote-guide works on EVERY single day since February 2009. Congratulations!

Patrick

26 September 09 at 3:29 PM
# doug said:

Thanks for this info. I seem to have everything working except I cannot connect to the virtual machines using the Virtual machine connection application because I get a certificate is not from a trusted certifying authority. I added it to the trusted root certificate authorities using View Certificate and install and selecting the specific trusted root etc. But I still cannot get past that point.

When I run the hvremote show command I get no errors on my WIN7 build 7100 machine.  On the 2008 sp2 server I added my system to the hosts file because I have no public dns address for it since everything is workgroup.  But I have DNS.  PING is successful but DNS resolution does fail on server side.

HELP  maybe?

08 October 09 at 9:30 PM
# jhoward said:

Doug - you are probably hitting a known issue in Win7 pre-release. It certainly affected RC client builds connecting to some server builds (can't recall specific numbers though). At this point with Win7 having hit RTM a while back and GA very soon (and available on Technet/MSDN), you really need to re-install with Win7 RTM where the bug has been fixed.

Thanks,

John.

09 October 09 at 1:27 PM
# jhoward said:

Patrick - we had someone here verify that those KBs didn't break remote management, and I can't think of a reason looking at those updates why it would impact it in any way. If you have a broken system again, posting up hvremote /show /target:othercomputername from each box would go a long way to determining what the issue could be.

Thanks,

John.

09 October 09 at 2:32 PM
# Eric said:

John -- thanks for putting this out there. Made smooth migration to Windows 7 box as main workstation managing other W2K8 HV VM's.  Happy words - 7,7,7!

20 October 09 at 11:22 AM
# Stefan said:

Worked. Thanks for putting this together. Was able to install, configure HyperV Server 2008 R2 and boot my first VM in a couple of hours. Windows 7 as client, workgroup setting.

Was using the sample commands at the http://code.msdn.microsoft.com/HVRemote page.

Only thing that slowed me down was that I was not running them in elevated privileges CMD. Once I did that, all was OK.

01 November 09 at 4:16 PM
# Chaz Beck said:

John, I've tried running your tool and it passes when I do a /show /target:servername

But when I use the Hyper-V manager on my client, I get the error "Cannot connect to the RPC service". Both client and server are on the same workgroup.

I've also tried doing it by hand but I get the same error

03 November 09 at 2:57 PM
# Chaz Beck said:

Fixed my own problem. Before starting this process, I renamed my admin account on the server to the name of my client. Then I ran the script, restarted computer, etc.

Fix:

I changed the admin name back and created a new user with my client's name on the server and ran the script again, restarted, and it now works great!!

Thanks for the tool and the info on your site!

03 November 09 at 3:09 PM
