Hyper-V Remote Management Configuration Utility

I have a question I have been trying to use your guides to setup a hyper-v server but I keep facing an issue where I receive this message. "The Security Database on the server does not have a computer account for this workstation" It appears to join our domain fine I reboot and receive this error. It does appear in our AD structure. I can log in as local admin and then add a domain group to the admin group fine. I then try to login with a domain account again and receive the same thing. I found something similar to this for Vista but nothing that definitively helped me correct this. Thanks

Sounds like http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3117915&SiteID=17
Thanks, John.

Great tool. Resolved my problem in connecting from Vista SP1 to Hyper-V running on a core installation. Too bad I didn't know about it when I began my current project.

John, I have used this on my client, and no matter what I can not connect from my Vista machine to the HyperV server. I keep getting RPC Server Unavailable. Unable to Establish Communication between "HyperVServerName" and "MyComputersName". Any ideas? I have added Anonymous DCOM access and the firewall exception is in place.

This has been a nightmare. Basic remote management from a Windows 2008 server fails. How about just a simple auth prompt to allow access. This is a metaphor for how convoluted Microsoft technology can be. I have given up on my project with HyperV and will now revert to VMware ESXi for my project. Come on this basic functionality we are talking about. DCOM remote object permissions? The fact you had to right a program to get simple connectivity and remote management to work speaks volumes. I am disappointed.

Got to say I am disappointed too. Can you get the tech writer to add your tool to the release note for the free Hyper-V download? All the documents there make it look like you install it, install the remote management tool and connect. Nothing at all about firewall stuff!!

Great tool John, worked good for me. Much thanks for all your effort behind it.

Too complicated for dummies like I am. I have a fresh hyper-v server installation (stand alone) and spent half a day serching for clear instructions on how to enable remote connections. Why don't you guys add option to allow remote connections to the hvconfig.cmd? This would ease life of tens of thousands admins.
As for your guide, a few words how to get to the elevated prompt would be helpfull.
Anyway thanks for listening and have a great holidays!

@LE2Strat - This will almost certainly be DNS related. Take a look at the troubleshooting section of the PDF documentation.
Thanks,
John.

To second Vitaly-K's question; How do you open an elevated command prompt in Server Core??? The usual Vista/Server 2008 options are not available. I tried various runas tricks but they didn't seem to work. I keep getting Access Denied errors when I try to run hvremote on the server. Can't find anything in the KnowledgeBase or on Google either or in my MS Server Core book.....

P.S. - I have installed a generic Hyper-V Server install right off of the DVD and then I logged in as administrator. Curiously when I do a "runas /showtrustlevels" I get

C:\Users\administrator>runas /showtrustlevels
The following trust levels are available on your system:
0x20000 (Basic User)
C:\Users\administrator>

Looks like something is missing in the base install....?!?!??

This thing's great. Saved me a ton of time. Thanks!

This is a great script! Saved me an as* full of time in trying to figure out how to get HyperV to do what I need! Thanks John!

@jhoward

I can perform NSlookups from both sides and the names resolve perfectly, both fowward and reserve.
Adding my clients name to the host file on the server, and adding the servers name to my clients host file didn't help at all. I still get the same error. (Also, we will have serveral people wanting to remote manage our HyperV servers...we don't want ot keep track of editing host files, it should just work!) Any other ideas?

@LEStrat

Can you email me through my blog (blogs.technet.com/jhoward) the results of ipconfig /all on server and client, the ping results in each direction, and the output of hvremote /show on both client and server. Any additional information about third party firewalls or "unusual" network configuration would be useful if there is anything to report.
Thx
John.

I'm not sure what I'm doing wrong, but I'm trying to remotely manage Hyper-V Server 2008. Both the server and my workstation on on a workgroup. I've followed the instructions, but when I run hvremote /show it tells me, "1: Found an account with an expired password"

If I scroll up, the error is in the "Contents of Group Distributed COM Users" it shows: "****WARN: This account has an expired password"

I created the account using this command: "net user lance * /expires:never" I can even log in fine as lance, but when I log back in as admin and run the program, I still get the error.

I appreciate all your hard work on blogging and building this tool, John, but I have been pretty disappointed with remote management of Hyper-V. It should be much easier than this to get it working.

@Lance - yes, I found this bug on Friday and am working on getting a 0.5 out there any day. My bad, sorry. Ignore that message. The script was *supposed* to check for expired passwords, but actually doesn't. What that message means is that the password is set to expire at some point in the future and you can safely ignored.
Thanks,
John.

Great tool, but I have 1 problem with it...

On a newly installed Hyper-V 2008 machine (only Hyper-V on Server Core), I get this message:

When joined a domain:
***** GetTrustee Failed: DOMAINNAME\USERNAME not found
***** If DOMAINNAME is a domain, you need to be connected to the domain for this to work

When joined a workgroup:
***** GetTrustee Failed: SERVERNAME\USERNAME not found
***** If SERVERNAME is a domain, you need to be connected to the domain for this to work

Can anyone please help me?

@Caveman85 - I've not seen this before. It would imply that connectivity to the domain is not available (in the domain case), but that wouldn't explain the workgroup case. Has there been anything which would indicate a problem joining the domain? (And I assume you did have connectivity to the domain - net view works for example). Have you double and triple checked that the username does in fact exist in the domain (or locally in the workgroup case).
Feel free to email me direct through the email option on my blog at blogs.technet.com/jhoward. Would be helpful if you added output of hvremote /show and any other info you can think of.
Thanks,
John.

@jhoward - Hello John, I've send you an email with the settings applied to the server. I hope you can give me some advice. Thanks in advance

Great tool but I am having an issue or running into a limitation...
I am also having the above mentioned:
***** GetTrustee Failed: DOMAINNAME\USERNAME not found
***** If DOMAINNAME is a domain, you need to be connected to the domain for this to work
error. In my case it works for the domain that the Hyper-V Server belongs to but when I try to add an account from another domain (trust is established) then I get the error.
Thanks in advance for any help

Just an update on my above mentioned problem. In one of my domains the two domain controllers (both with DNS) were not pointed at each other. After fixing this I was able to add users from the trusted domain...not sure why this happened because the trust itself was working fine. After fixing this I ran into the 'Cannot connect to the RPC service on computer' problem when trying to administer the Hyper-V server from a workstation in the other trusted domain using the Hyper-V Manager. It seems that the Hyper-V Manager is not using the FQDN since after adding the workstationX in domain X to the DNS zone of domain Y they were able to find each other. I should add that this is traversing a Linux firewall using Shorewall from the local network to a lab environment. One more tip for those using the Core Server in domain it is easy enough to add the Computer Management snap in for remote server and manage the users in the Management Console using MMC.

Jasbo - sorry for not replying sooner. I don't tend to check comments added here very often - through my blog goes straight to my inbox (although also filtered as it's not my full time job.... :) ). There is a good chance that Shorewall does the same as most firewalls - they are unable to pass WMI traffic as a general rule (at least that is the case for ISA, and although I'm no ISA expert, that's my general understanding at least) unless they are completely open and able to pass RPC traffic across, effectively acting as a router.... which somewhat defeats the point of having a firewall in the first place. Are you able to confirm that without the FW in between, you do not get any error?

I have everything running now... On Shorewall I opened up ports 135, 2179, and 49152:65535. This is a lab environment and is not open to the internet so it is not a problem for us. The lab has it's own zone separate from our local network for testing purposes. When we need access from outside of the firewall we use VPN. I have another problem now with some VM's rebooting but I think that is a problem for a different forum :) Thanks

I agree with those who find this totally confusing especially for those trying virtualisation for the first time. I have just spent a most frustrating Saturday trying to connect my Vista laptop to my Hyper-V server. I am now so confused I am not sure what questions to ask! This seems to me to be a simple job made unnecessarily difficult by code freaks who revel in convoluted commands and processes.

All I want to do is connect my Vista laptop to my Hyper-V server and get some work done!

Rant over!!

As far as I can tell I have implemented the two updates 950050 and 952627 but cannot get a sensible response out of HVRemote. I have been trying to do the stuff shown on page 9 of the document “Hyper-V Remote Management Configuration Script” but cannot get a sensible response; is there a command line buried in the screen dumps somewhere?

Running hvremote /firewallwmimgmt:enable and hvremote /firewallhpervmgmt:enable just produces error messages.

Trying to connect using Hyper-V Manager from the Vista laptop produces nothing.

Can anyone help, preferably using words of one syllable?

Tagglet - It would be far more beneficial if you could post the exact error than saying "just produces error messages". It's impossible to even hazard a guess as to what you're running into. You then say "...from the Vista laptop produces nothing.". I've never seen "nothing" - does it hang, does it give an error? To be honest, the best way forward would be for you to **THROUGH MY BLOG** at http://blogs.technet.com/jhoward use the email option at the top to post back the following five items which will allow diagnosis.

hvremote /show (on the server)
hvremote /show (on the client)
ping server-name -4 (from the client)
ping client-name -4 (from the server)
The message you get in Hyper-V Manager when you attempt to connect to the server.

I am having some trouble connecting my Windows 7 Machine to the hyper-v server. I get a RPC service unavailable error. I have run your script on the server and my client. I am in the MSHOME workgroup on both computers. The username and password are the same on both machines. i installed only one update for the hyper-v tools for windows 7. any ideas please??

Killervette - RPC errors (regardless of Win7 or VistaSP1 against R2 or 2008) are almost always DNS related (or secondary that you have a firewall inbetween the client and server). You have to be able to ping *BY NAME* in both directions - from client to server and server to client. Run ipconfig /all on each box, note the IP v4 address. Then try to ping on each box the other box by name (ping <otherbox> -4) and verify it's hitting the right IPv4 address. If not, either edit the hosts file, or fix DNS. More information in the docs for HVRemote (troubleshooting section).

Caveman85- to follow up, I think I now know the problem and have a fix in 0.6, but it's not ready for general consumption. Turns out to be a bug in Windows exposed by HVRemote. Drop me an email through my blog and I'll send you an early version of HVRemote 0.6 which works around the problem, if you need it. Thanks.

Hi John, thanks for the tool. I am in the process of using it to get my test system working.

I have to echo the comments above though, it is truly ridiculous that you had to create this at all! Why does the documentation not show all the extra steps we have to take to make this work? Why is this not in the config menu system already? Come ON microsoft guys, get a grip will you and either update the documents with a step by step guide or make it so we can connect in an easy simple way to configure the server!

John, thanks for your response. I am new to Windows Server 2008, Windows Vista and to Virtualisation in any form and so I am on an almost vertical learning curve but I do perceive expertise in these areas as fundamental to my future livelihood. There again I always was a glutton for punishment. I tell you this so you have some idea why I may be asking stupid questions or doing stupid things.

I have completely reinstalled the server using the Microsoft Hyper-V Server 2008 download. At a considerable expense to the environment I have printed off your blogs Parts 1-5 (double sided!) and the “How to add the Hyper-V role to Windows Server 2008 Server core machine” and worked through it bit by bit (or byte by byte!). I hope to notice that I am trying desperately to retain a sense of humour in a, to me, very stressed situation.

The environment comprises the server, running Hyper-V Server 2008 fully patched and client running Windows Vista fully patched. Both are in a workgroup called workgroup and are the only machines in that workgroup. Both are on a physically independent network connected to the Internet through a WatchGuard firewall, router, and ADSL modem and both can connect to the Internet. The username Tegglet has been added to the server with the same password as the Vista client. Tegglet already existed on the Client. Tegglet has administrative rights on both machines.

I did not use the hvremote.wsi script as sometimes you learn more doing it the hard way!

As far as I can tell I have done everything to the letter except that at step 12
net localgroup “Distributed COM users” /add TVN-HV01\Tegglet
did not work, I had to type
net localgroup “Distributed COM users” /add Tegglet.
I presume because I am in a workgroup rather than a domain.

When I run “hvremote show” everything corresponds with your screen dumps except the last one on page 9 which is three lines starting “ADMINISTRATOR1\user (S-1-5-21-1233540721 …

This I cannot identify nor can I work out what command is required to do whatever has to be done to create this entry. It appears to relate to permissions so is probably relevant.

When I run Hyper-V Manager on the Vista Client and try to connect to the server I cannot find it using the browse button but I do get some form of connection by typing the name of the server in the box. The server name is displayed in the left hand pane and the message “You might not have permission to perform this task” is displayed in the central pane. If I shut down the server the icon in the LH pane changes to indicate the connection has been lost.

I cannot ping the machines from each other but can ping the workstation from the server if I turn off the windows firewall.

I can find no trace of the “Virtual Machine Management Service” anywhere. I have changed the locale to UK which some say can affect this service although it did run in the first attempt to get all this working.

Sorry this is so long but I have tried to include all relevant information.

I look forward to you response.

John - I have just realised had not finished! I am finding the instructions a bit of a jigsaw puzzle; having jumped back from Part 3 Step 12B to Part 2 Steps 5,6, and 7 I forgot to jump forward again!

Implementing step 13 results in the error message “Failed to connect to \\TVN-HV01 because “Win32: the RPC Server is unavailable”. I can connect remotely to \\TVN-HV01 services alright and can see that the RPC service is running on the server. On the client machine the RPC service was also running but the RPC Locator service was not running. I started the Locator service to see if this helped; it did not.

John - Rebooting the server then the client seems to have got me a bit further but when I get to the security tab and select Root\CIMV2 the error message “The program cannot open the required dialog box because it cannot determine whether the computer named “TVN-HV01” is joined to a domain. Close this message and try again.” Closing the message gets another dialog box displaying the message “Unable to display the user selection dialog. The RPC Server is unavailable”

The server claims that the RPC service is running.

Tegglet - to the best of my knowledge, they key in why this is not working is almost certainly your statement that the client and the server are on physically independent networks. WMI and DCOM are not suitable for use through this type of configuration unless you effectively have no firewall and router in between them which would be a very bad security practice for a public facing network. My recommendation in this configuration would be publish the server on the Internet through a TS gateway for access to RDP, or publishing VMConnect and Hyper-V Manager of a TSWeb front end.

John - We have a misunderstanding here. Both machines are on the same network (192.168.250.11 and 192.168.250.51) that is physically independant of any other network in the office.

Tegglet - fair enough. However, by far the easiest way to allow diagnosis would be for you run run hvremote /show and the ping commands I mentioned earlier and post them to me in an email by using the email option on my blog (rather than this site which truncates long output). These will tell me what I need to know, whether you choose to do manual configuration or configuration through HVRemote.wsf.

John - I have finally beaten it into submission!!! Being a newbie I found the need to pick ‘n’ mix from the articles a bit confusing and I suspect I have been missing a vital element each time I tried. This time I made up some batch files to run the commands so once included a step was not forgotten the next time.

The worst bit is doing what azman.mmc should do although I thought this was done by running the command:
net localgroup administrators Tegglet /add
from the server.
Did I do it twice or is this something else?

Anyway the virtual machine is now installing and with luck will run to completion.

One more comment from VERY VERY VERY frustrated user. This is not my first aproach (see my previous post earlier in this list) to master Hyper-V server (standalone in workgroup environment). I got lost in multiple branching of your blog posts, it is completely unrealistic to go through all of them! I couldn't get elevated prompt on the server as well as many other points.
Is it really that hard to embed another menu point in the Hyper-V configuration on the server to simply enable remote hyper-v console connections???
Sory John, your script is useles for me.

Vitaly_K - To be up front, it frustrates me more than anyone (and believe me, I feel your pain) that the steps to configure this are difficult. However, it is what it is, and nothing is changing in Windows Server 2008 or R2 (applies equally to Hyper-V server). This is exactly why I've spent literally several hundred near-thankless hours trying to put something together which makes this so much easier without needing to follow those guide. (Those hours don't even include another few hundred working on a seriously revamped version which I haven't yet released to make the entry point to access as close to zero as I can make it. That's for another day though).

My best suggestion would be to persevere - with HVRemote, it really is straight forward and I will provide whatever help anyone asks. Forget the detailed posts - you really don't need to know what HVRemote is doing or how to do it manually unless you want to go through the steps manually.

If you log on with an account which is local administrator on a server core box, you will get an elevated command prompt. It's that simple. I'm guessing you are in a workgroup. Once you log on with a local administrator account, cscript hvremote /add:username will be the first thing you need to do assuming username has already been created as an account on the machine.

I can't help more unless you provide more info on where else you are getting stuck.

Vitaly_K - I understand your frustration and have gone through the same process. I wanted to do a manual configuration so I had a better idea of what was involved and found it easier to create batch files containing the commands. This ensured that the same process was used for each attempt and nothing was forgotton. Hyper-V Server 2008 as downloaded from the Microsoft site is so quick and easy to install that I just reinstalled and started again after making whatever corrections or additions to the batch files that were required. One thing I did find was that for a Workgtoup environment an entry in the Host file is required! How's that for a rave from the grave! To me this was not clear from the articles but as soon as I added the entry everything lept into life.
Hope this helps.

Yesterday received my new test server after one frustrating day I searched and found John's hvremote script and exelent documentation, tanx. HyperV server and Vista remote management client works fine in a workgroup on my new test server. I had also like Tegglet to add the server name in the hosts file on the client and on the HyperV server command prompt I added a user name (net user "name" *) (password must include 1 capital and 1 digit?) that is the same on the client and server. Tip : Don't make any mistakes and don't forget to reboot the client and server after the changes, this took me 2 hours extra time.

Great Tool!! I am able to RDP Connect to a VM hosted on a Hyper-V Server with a user other than Administrator

Tegglet
Would you be willing to share your batch files?

John, I just want to say thank you for this tool... I just wished I had founded sooner... but, I tried it and it worked just fine...The only issue I ran was modifying the host file.. in Vista or Win08 you can't modified the hosts file. one has to first edit the file and save it somewhere else then copy the file to the correct path (%systemroot%\system32\drivers\etc).. So, I automated the process a bit more. How can I post my script so that others can use it? I automate the client and Server process...

Thanks

John, I just created a new post http://code.msdn.microsoft.com/Hvautomated for those that want to take a look at the script I created.

thanks
LBueno

For those still having problems, here's one more thing for you to try: Make sure you can ping the unqualified name of the server; the fully-qualified name wasn't good enough, at least not in my case.

I was trying to connect to vmserver.otherdomain.com from a computer on mydomain.com, and kept getting RPC errors. Eventually, I ended up adding an A record to mydomain.com's DNS server for "vmserver" (i.e., vmserver.mydomain.com would now resolve to the same IP as vmserver.otherdomain.com). This allowed me to successfully ping "vmserver" using the unqualified server name. Once I did that, I was able to connect using the unqualified server name in the management tool.

And thanks for the excellent tool John! It was definitely helpful.

I have a bit of a problem, since I just installed the free version of Hyper-V, and, I could not find any UI options for installing my first virtual machine. I am also planning to install Virtual Server 2005 R2 and load some existing virtual machines, although I'm aware that the performance may not be optimal for these machines.

So how do I get that screen where I can install virtual machines? Remotely? Locally?

I mainly use WinXP but I also have a Vista machine around, although I tried to install KB952627 unsuccessfully because Vista rejected it.

jon80 - the remote management tools are only available for Vista SP1 (you have the right KB) or a full install of Windows Server 2008. For the rejection case on Vista, which SKU of Vista are you running, and are you sure you are attempting to install the update for the correct architecture and have SP1 installed?
Thanks,
John.

Great tool, thanks!

I've logged into my server core 2008 server both as the domain administrator and as the local administrator. When I try the script, I still get the "Must run from an elevated command prompt for all sever operations" message. My understanding is that all command prompts in server core are already elevated. I have no idea how to get an elevated command prompt from a nonelevated one.

I just wanted to say that I figured out my problem mention (just above). There is at least one time you don't have elevated command prompts in server core. If the server has UAC turned on, then the prompts are no longer elevated. This was happening to me because I joined the server core installation to a windows domain that had a group policy enabling UAC on all devices. Hope this saves someone some trouble - it sure caused me a great deal...

Script works fine for me now. I appreciate all the work that was put into it. I just wish it wasn't necessary...

dlsteelejr - that's good to know, thanks. I was asking around here, and was still trying to find out why that would have been the case. Certainly something I should include in the documentation some time (or enhance the error message).
Cheers,
John.

thanks a lot !
1. great for workgroup(client)->workgroup(server) by hrremote;
2. upset for domain(client)->workgroup(server) by hrremote, there's no firewall on the gateway, still cannot connect, error: "You do not have the required permission to complete this task. ...", i read the part 5 of your blog. Finnally, i used "netsh advfirewall set allprofiles state off" to disable completely the firewall on the Hyper-V R2 server, it passed, but once i shift to "state on", the same error retruned.

So problem about the firewall on Hyper-V R2?
(my client is windows server 2008 standard with SP2)

How can i install hvremote on a core install???
When i setup hyper-v everything worked great!
I was able to use hyper-v manager from home to configure my server.

Then i took the server to a colo facility.
In Server 2008 R2 core i setup the IP address that the colo gave me.
I went home.
I have RDP access to the core. Its a cmd line and some options to change the ip.

But when i try to connect with Hyper-V manager on my desktop i get the error cannot connect to the RPC service on computer "computer name" make sure RPC service is running.

I need to get Hyper-V manager to run so i can configure my VHD's with appropritate IP addresses.

I cannot get HV remote installed on the core.
How can i download it form command prompt?

download hvremote to your admin station, map with explorer the partition on your hyper-v where you want to place hvremote into ( for example: \\<ip-of-hyper-v>\c$ - with the host admin credentials) and copy the file.
then you can start hvremote via the remote desktop (you have to activate rdp on the hyper-v prior to that)
It works fine for me.

a worthy hint: the remote management via the hyper-v mmc-snap-in work only if you enter the dns-name of the hyper-v host in the connection dialog. The IP doent' work (for me), so be sure, that yout client can resolve the name of the hostor put the name in the host file.

Wont run for me. I get "Access is denied" When attempting to run hvremote.wsf from the Hyper-v server even when logged in as a domain admin.

I have to tell you, this is an EPIC FAIL For Hyper-V. I've already spent 2 DAYS! trying to simply manage the hyper-v server. I took 3 minutes for me to install XenCenter and manager Xen! ON XP!. EPIC FRICKING FAIL!!!!!!!!!!!!!! M$

mesdrg - In the documentation, troubleshooting section, point 1 pasted below:

"“Access Denied” when running HVRemote. This is a Windows security mechanism. On the machine where you downloaded HVRemote, in Windows Explorer, right-click on the file and select properties. On the general tab at the bottom of the page, there will be a message saying “Security: This file came from another computer and might be blocked to help protect this computer”. To the right of that is an Unblock button. You need to click that to allow HVRemote to work."

Thanks,
John.

I agree with mesdrg sentiment. John has done great work with this script, but he should not have had to create a script at all. MS neglected administrative niceties in their rush to market.

Almost there...I agree though..it's been quite frustrating so far...I can ping from the HyperV server but cannot ping to the Hyper V server from my win2k8r2 workstaion running hyperv manager so essentially i cannot connect to it!!!!
I've gone though all the steps without any errors so i cannot see it being a firewall issue and as I can ping from the hyper v standalone i'm guessing it's not a dns problem...Unless i can figure it out today I'll be reverting back to esxi...so much easier and faster...Just wanted to try MS effort though.

okay i'm now guessing it is a firewall issue although I've gone through all the steps outlined in this forum and also the following too: http://msmvps.com/blogs/xperts64/archive/2008/10/22/configuring-hyper-v-server-for-remote-management.aspx#comments

with no errors but on trying to connect to the server form the management console I've typed in the ip address where it asks for the admin credentials then i click ok twice then after 5 seconds a popup tells me that i do not have the required permission to complete this task???? so do i try a reinstall and go throught this again?

Try with the host-name, not the IP. If you can't use DNS, put the host-name in the local hosts file of your admin station. I've had the same issue: with IP doesn't work, with name resolution it worked perfectly.

Call me a Hyper-V convert from VMWare now that I'll finally be able to import my VMs! Thanks John, this tool rocks! Found that last 'issue', thank you very much due to being dual-boot with another IP registering the hostname in DNS. Your tool pointed that out - along, with the DCOM, cmdkey add credentials, WMI perms, and on and on - compared to VMWare!

Anyway, I was up and running in 10 minutes once I found your tool which took me about 2 days...

OMG!! i'm at my wit's end. after 3 days of f**ing around with this, i thought i had it all working. vista's mmc could see the server finally (without ha ving to disable the server firewall). so, i try to create a new virtual machine. everything seems to be going well, then i click finish and..."blah, bla h, you don't have rights to open this ISO file...".
makes no sense. i can traverse thru the network, find an iso to install the vm, and select it. then when its trying to make the vm, hyper-v spazzes out o n me. FRAK!!!
what do i do now? i'm using hyper-v server 2008 r2 (not the core or full installation). & vista sp2.
PS. I tried to install RSAT (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d) on win7 RC and the .msu
said it wasn't "right" for my system. what gives? yes, i used the 32bit sw on my 32bit os.
thanks for any help :)

mastapat11: Where is the ISO located? Locally on the server, or on a network share (from the servers perspective). If you are in a workgroup, you will not be able to manage a VMs configuration to add an ISO on a network share. This is because the server where the ISO is located needs to have permissions for the machine account of the Hyper-V box added (machine$), but in a workgroup, the server hosting the ISO will not know anything about the machine account of the Hyper-V box.

If you are in a domain, again you need to add the machine account (domain\machine$) with permissions to the share. If you are managing *locally* on the Hyper-V box (which would have to be through script), you can add the ISO to the configuration. If you are managing *remotely* from the Hyper-V box, you need to configurre constrained delegation in AD too.

RSAT on the download site will only install on Windows 7 RTM, not on any pre-release versions.
Thanks,
John.

, but it can be done locally on the server.

Hello,

I have some thoughts to share, and am also asking for help.
First, the hvremote script seems to succeed on both the client and the server, as follows:

On the windows 7 client:

C:\Users\aaronbarrus.AARONBA-VM7-LT\Downloads>cscript hvremote.wsf /show /target:win2k-vmhost

1: fails, I don't have it in DNS. But I put it in the hosts file, and I can ping it (see below)

2: - ping attempt (ping -4 -n -1 win2k-vmhost)

Pinging win2k-vmhost [10.1.4.219] with 32 bytes of data:
Request timed out.

Ping statistics for 10.1.4.219:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~


3: - Connect to root\cimv2 WMI namespace
PASS - Connection established

4: - Connect to root\virtualization WMI namespace
PASS - Connection established

5: - Simple query to root\cimv2 WMI namespace
PASS - Simple query succeeded

6: - Simple query to root\virtualization WMI namespace
PASS - Simple query succeeded
- 1 computer system(s) located

7: - Async notification query to root\virtualization WMI namespace
PASS - Async notification query succeeded

INFO: Are running the latest version

on the windows hyper-v 2008 R2 server

Test 2
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Pinging aaronba-vm7-lt [10.1.4.128] with 32 bytes of data:
Reply from 10.1.4.128: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.4.128:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
INFO: Are running the latest version

Again, no DNS for test 1, but it's in the hosts file for test2.

I have been able to map drives back and forth between both machines (which is how I got hvremote.wsf onto the 2k8 hyper-v box). they both resolve each other for pings. and all tests succeed between both machines.

On my win7 box with rsat and hyper-v mmc installed, both of those tools fail. server manager says "Server Manager cannot connect to win2k-vmhost. Click Retry to try to connect again.", then it goes on to tell me to use WinRM blah blah blah. Hyper-V Manager actually lets me connect, but if I try to create a virtual machine, it fails and tells me: "Cannot connect to the RPC service on computer '10.1.4.219'. Make sure your RPC service is running."

I am familiar with authentication protocols that MS uses, and run a DC at work, and even at home for my household network (because I can and its fun). All ports are open between these boxes, and they're on the same subnet, in the same workgroup, using the same account and same password. Both machines can perform authentication to each other for file & print. But nothing I can find will convince the MMC snapins to talk to the win2k hyper-v server.

I have used VMWare Server and VMWare ESX for years, and they work (sort-of). VMWare Server has angered me lately by not releasing patches on time and not responding to major outages experienced by large customer bases. I have a few servers that I planned to set up as hosts, and thought I might try hyper-v. But I've spent an entire day reading all documentation I can find (is there any, other than marketing?!), and have found sketchy information at best. How does the rest of the world actually use this product? Is there a customer base? I've found little-to-no information on the entire product-line. This is an R2--shouldn't there be official documentation downloadable from MS somewhere? The two-page deployment guide is a joke. The quick-setup guide is a regurgitation of the onscreen instructions when you install it. I already had networking configured, users added, RDP established, and the snapins installed on my win7 before I ventured to find instructions. I never found anything that went beyond what i've already done. Not only that, but there is absolutely no documentation anywhere saying that users need to be added to roles or permissions on the hyper-v server in order to be allowed to respond to remote management requests by clients. I only guessed at that by reading your code. My best "documentation" so far is the actual code in your .wsf file, which I read thoroughly as best I could, but still have no idea where to proceed.

Am I missing the 200+ page manual entitled "Setup and Deployment Guide for Hyper-V Server 2008 R2"? Is the entire world missing it? Is there an actual customer who is actually using this product in a real-life deployed scenario? Or is this product just slideshows and presentations and ROI calculators and advertisements for how cool it would be if we told people how to use it?

As much as I was hoping for something more cool, and as excited as i was to run the virtualization on bare-metal, I'm headed back to vmware to continue that fight on redhat. I guess I have to run unpatched servers with outdated kernels to keep it compatible with vmware's products. At least they're straight-forward and work out-of-the-box. I don't want my virtualization environment to require me to depend on all sorts of haphazard authentication mechanisms full of what if's and exceptions and logs that go nowhere and toolkits and snapins that GPF or fail without saying why. The idea of running virtualization on bare metal is that it's simple--where nothing can go wrong. Creating a virtualized environment really doesn't require a lot of options and management. But it seems that this has gone in the wrong direction. If I actually got this working, I'm not sure I would trust it in a production environment. Since when did remotely administering a virtual machine running busybox or centos or anything else in the world require me to authenticate to a DC? What if I actually had a server down, and had to submit one tiny little command to bring it back up, but I had changed my password an hour earlier on a DC that hadn't replicated yet? What do I say when the president is screaming about our ecommerce system being down, or our VOIP server not transferring calls? should I say: "I'm not sure why I can't talk to the server... maybe it's down? maybe it's bluescreened? maybe it's busy replicating? Maybe I'll wait fifteen minutes and try again? Maybe I'll open a ticket with microsoft? Maybe we'll be back up in about twenty-four hours? Yeah, go ahead and send the production team home, I have no idea what's wrong, so i have no idea how long it'll take to fix..."

I must be missing something, right?

Thanks for the tool AND "michaelvirture", I was using ip address!!

"Try with the host-name, not the IP. If you can't use DNS, put the host-name in the local hosts file of your admin station. I've had the same issue: with IP doesn't work, with name resolution it worked perfectly"

GOT PWNED IN TEST3!
I hope you can assist me on this, since even your documentation says you haven't encounter that before. -.-
This remote management crap is depressing. Btw, I'm using Hyper-V Server Core & Win7.

KvChaos - and the specifics of the problem I haven't encountered before are......?

Failing test 3? -.-
My simple query failed. Using Hyper-V(domain) and Win7 (standalone).

KvChaos - and the *FULL* output from *BOTH* machines ie hvremote /show /othermachinename? Impossible to diagnose from what you've provided... I will be away though until next year.

Anybody knows 100% for sure if upgrading the 1.0 Schema on the Server's(W2008r2) Authorization Manager to 2.0 Schema still/or is compatible to Vista's RSAT ?

"c:\programdata\microsoft\windows\hyper-v\initialstore.xml" lists under the .xml properties from the Authorization manager. On that properties window there's an upgrade button and a beware text saying that the upgrade is a one-way operation. Any reply greatly appreciated, thanks..

Thanks for the tool and everyone's comments. I was trying the lightest of installs to test the Windows 2008 Server R2 evaluation Virtual hard Disk, so all I wanted was a Hyper-V only server and a Windows 7 laptop for remote admin. I only had two main problems....
1) The MSU update that provides the Hyper-V Manager for Windows 7 Professional *won't install* on the Windows 7 Release Candidate. I needed a commercial version.
2) When only following the instructions in the Hyper-V download's instructions I gor the 'RPC' errors described above. Resolved by using the HVRemore.wsf tool and adding IP address for both client and server to the local HOSTS files on the client and server.
That's all. It seems to work.
Thanks
Paul G

I have run this app against both my server and client but still can't create a virtual hard disk properly if I'm not running the MMC snap-in on the client as the local administrator account for the server. I want to be able to use active directory domain accounts to create and manage my Hyper-Vs but when I try this, the New Virtual Machine Wizard hangs on the "Creating disk..." step. I see the VHD file is created but the process still hangs with the status bar showing activity but it won't continue on. I run into the same issue when creating a VHD file using the New->Hard Disk option. Any issues?

I also can't connect to any of my running VMs in the Hyper-V manager without Windows Security prompting me for a user name and password; only the local admin account for the server will work - not my domain account, which is part of a domain security group assigned to the Administrators group on the server.

Anyone have any idea how to fix this? Using the /show option from the HVRemote script doesn't identify any issues.

Based on my above comment, I found these articles that show other people are having the same issues. I've tried several of these steps, especially from the second thread, with no solution:

http://social.technet.microsoft.com/Forums/en-ZA/windowsserver2008r2virtualization/thread/46f79bd7-b42f-4049-9ea7-955f246d5bc6
http://social.technet.microsoft.com/Forums/en/virtualmachinemanager/thread/9306a338-48ca-4fad-9a04-1818ddcf6f60

I have a Workgroup Hyper-V server and a client that is on a domain. I want to manage the Workgroup Hyper-v via the Domain client. In your 10 second guide I see a command for the client:
Client Set credentials for local account Use cmdkey /add:servername /user:servername\accountname /pass. Where do I enter the /add:servername....etc string? I dont know what is meant by cmdkey.

This took me two full days.....

cmdkey is a command line tool to cache credentials.

The weird thing is that you have to specify the servername as a fqdn even if the server is not member of a domain nor has a dns suffix specified:

cmdkey /add:hypervserver.domain.local /user:hypervserver\myname /pass

where domain.local is the domain your workstation is member of.

FYI for everyone. I was struggling to get a Windows 7 box to remotely manage a Hyper-V Server 2008 R2 server. Turns out that Symantec Endpoint clients that have Network Threat Protection enabled blocks access. Once I disabled, it worked like charm after following the documentation for HVRemote.

Got a strange one with my attempt at setting up Hyper-V server 2008 R2 in workgroup. Followed the 10 second guide, got everything working fine, hvremote tests pass but I just get a hang when trying to create a virtual hard drive on the server. Just sits at the creating prompt and never finishes. I can do everything else , so I wonder if it is a permissions issue ? . Could do with some input from an experienced source :)

While I have to agree with others that this should be a LOT simpler than this, I just managed to configure everything on my domain joined laptop (win7) connecting to Windows Server 2008 R2 Server Core. Saved me hours of pain and suffering - thanks much!

Hyper-V Core 2008 R2 server in a non-domain workgroup environment and a Windows 7 Professional client. From client, trying to run Hyper-V Manager, when attempting to connect to Hyper-V server by *IP Address*, I kept getting:

Cannot connect to the RPC service on computer '192.168.144.101'. Make sure your RPC service is running.

It turns you cannot use IP address. The fix for me (since I'm not using DNS) was to add an entry in the hosts file on the client computer for the Hyper-V server.

Upon further review of this thread, others have mentioned this, too; I added this comment for emphasis.

Just want to share how to fix "Cannot connect to the RPC service on computer 'IpAddress or ServerName'. Make sure your RPC service is running" issue on HyperV.

I've been running Hyperv since beta, and I think HyperV works very well. I am now running Hyperv 2008R2, after installing R2, from some odd reason,a few weeks later I started having a problem connecting to the server via HyperV-manager. I kept getting error message, "Cannot connect to the RPC service on computer 'IpAddress or ServerName'. Make sure your RPC service is running". Nothing was changed on the server nor I had made any changes on the PC. I began to troubleshoot the issues, by performing the basic network troubleshooting steps.

My network settings:

Server: Dell powerEdge, 32GB, 2NIC, HyperV 2008 R2
PC: Windows 7 Ultimate.

1st I made sure I was able to ping and connect to the server via RDP, but not via HypervManager.
2nd I made sure that the local PC account existed on the server (hyperv) by login inot hyperv and running net users.

I search on Google and on this forum and all the steps mentioned on articles I came across I tried but no luck, at this point I was ready to just backup the server and reinstall R2, but I dont' give up that easy.

So, I began to dive deeper into the issues by doing the following:

1) I made sure that my Hostfile had an entry for the server iP maping to the server, that was oK.
2) I ran the hvremote to verify that the PC was able to connect to the server. it seems fine except the was a reference communicating to the server.
3) I ran the cdkey command and added the user from my PC to server. That did not work. At this point this was driving me creazy.
4) So, I logged in to the hyperv server via RDP
5) I removed the user from my PC on the server.
6) I restarted the server.
7) I added the PC user to the local administrator group on the server,
8) I ran the cmdkey /add:HyperV-SRV /user:UserName /pass:Password at the computer.
9) Launched HyperV Manager and it worked. Some how the user account from my pc got corrupted on the server.

So you may want to try this before, re-installing the OS or making more drastic changes on the server, this saved me a lot of time. Hope this helps.

Thanks,

Libis Bueno

First wanted to thank John for developing this tool, as well as explaining in pretty good details the various steps.

However, I do want to express my dismay for the need of such a tool and the increasingly complex procedures needed and the deeper and deeper microsoft seems to be digging a hole into an endless interaction of disjointed components coupled with very poor documentation and real-world scenarios.

In any event, I wanted to mention a couple of tips for anyone who might have struggled a little bit as I did getting this set up.

My particular scenario was trying to get this authentication working between my Windows 7 Professional workstation that is joined to DOMAINA and a 2008 Hyper-V R2 server that was standalone (workgroup).

Using the HVRemote tools and the '10 Second Guide' above, I followed the steps under the "Client domain, Server workgroup" section - as this was what my scenario was.
After configuration I kept getting an "access denied" message in Hyper-V manager as well as the following messages when running "cscript hvremote.wsf /show /target:servername" from my workstation:

--------------------------------------------------------------------------------
7: - Async notification query to root\virtualization WMI namespace
FAIL - Notification query failed Access is denied.
....
4: Cannot perform async query against root\virtualization
Please see resolution steps above.
--------------------------------------------------------------------------------

It turns out that the additional step of " cscript hvremote.wsf /anondcom:grant" is necessary on the client.

The '10 second guide' leaves this step out, but John does seem to indicate that you do need to do this in his Part #2 on client configuration (step 7) where he states: "IMPORTANT!!!! You need to do this step in the following scenarios: ... Client is in a domain and server is in a workgroup." So, I believe the step was just left out of the '10 second guide' but you will probably need to be sure to perform it.

Also, I found out I actually needed to do much less configuration if you plan to use the build in Administrator account from 2008 Hyper-V R2. On my brand new 2008 Hyper-V R2 install, the only steps I needed to perform were the following:

1) CLIENT: use cmdkey to set up credentials to the server using the administrator account
e.g.: cmdkey /add:servername /user:servername\administrator /pass

2) CLIENT: cscript hvremote.wsf /anondcom:grant
(as discussed above)

With only these two steps I was able to access the workgroup H-V server from my Domain workstation. Strangely enough, the steps i followed were ALL client based! I actually didn't need to do anything at all on the server (other than set the administrator password during setup). I didn't even need to allow MMC access via sconfig (hvconfig) to allow the Hyper-V Manager console to connect.

Should you want to use an account other than the local administrator account on the server, you should still follow the two server steps on "Client domain, Server workgroup" above.

Also, it would seem that all the firewall configuration on the client may not be necessary in all scenarios... I'm still experimenting with that, but I have some tests where everything seems to work with the MMC rule off and the Hyper-V group rules disabled as well.

@bhendin

Thanks for the feedback. I have corrected the omission from the 10-second guide. Absolutely, in that scenario, anonymous DCOM access is required on the client. I'm pretty sure HVRemote gives a "additional configuration *may* be required warning" as well.

You are correct about not needing as much configuration if using the administrator (in fact any local administrator) account on the server. I would recommend you don't use an admin account unless absolutely necessary though - security best practices 101 etc. The HVRemote documentation and guide is primarily intended to grant access to non-admin users.

The firewall comment though is an interesting one. If the firewall is enabled, the rule groups *should* need to be enabled in order for Hyper-V Manager and VMConnect to connect. Is there a third party firewall somewhere involved here?
Thanks,
John.

I was having trouble with the "Connect to root\cimv2 WMI namespace" test. As it turns out I had a password with a special character (/) and the password wasn't stored correctly in the cmdkey utility. I changed the password on the Hyperv server and on the client to something else and everything worked fine.

hi

I am curious. Is there a way to back out all these changes? Like an "Undo" cscript or something? I am not that impressed with HyperV... even in R2 and will go back to ESXi. I just don't like registry changes, hacks, and firewall rules all having to be updated on my desktop client in order to connect to it. ESXi is far easier and doesn't require all this jazz to setup.

I haven't seen anything, but if you know of anything- please send something

I got the same issue as Xanexman. Szenario: Client Workgroup, Server Domain. All HVREMOTE tests pass, except that the firewall is turned off on both, server and client side - which shouldn't be a problem thought. However: i'm able to login using hyper v manager, on the client, but i'm unable to create new virual drives (in both, create new machine and create new virtual drive). the process starts and the bar keeps going FOREVER. so i would say its a permissions problem. checked server permissions myself, the user i'm logging in using hyper v manager is within the administrators group and the distributed com-user group.

whats the matter?

@stephen560 - all hvremote commands which change things have an associated undo - for example, opposite to /add is /remove, opposite to /mmc:enable is /mmc:disabled. All this is in the PDF documentation. John.

Hi, I use 2008R2 and Win7 both in domain. At first I didn't open client firewall for mmc, but it seemed working well. Is there any harmful effect not to allow mmc in domain environment? When "/show /target:2008R2", it shows warning about mmc firewall.

Hi! I am using Hyper-V Manager from a Windows 7 Client (in domain) to a Hyper-V Server 2008 R2 (in Workgroup and different physical subnet). After a installed Hyper-V Manager on Windows 7. I configured Client and Server using HVRemote and i put a DNS record about server name in hosts file (otherwise i had a problem with RPC service when running hyper-v manager), and now i get a message «You might not have permission to perform this task”. (same username and password are used in client and server) Any ideas?????

@AlexandrosG - have you used /add on the server? Otherwise, I would need the output of /show /target:otherboxname from both boxes after you've gone through the advice it gives.

Ooops! My mistake! :-( The dns record in hosts was wrong! It worked now! Thanks, anyway!!!!

My configuration is that my hyperv server is in a workgroup in the DMZ and my Win7 machine is a client on our corporate internal domain. While I was configuring the server I had it on the internal network (and attached to the domain) this was a 192.168.1.0 network. During that time the HYPERV management console worked like a champ. So today I moved it to the DMZ and reassigned it's final static real world IP and followed your directions for the Client in Domain and Server in Workgroup above.

Right now I can RDP to the server from my workstation and I can ping it as well. But I can not ping from the server back to my workstation. I added an entry in the HOSTS file as directed and i does displays the correct internal address during the test.

I ran the tests and on the workstation and server everything seemed to pass except for the following:

7: - Async notification query to root\virtualization WMI namespace
FAIL - Notification query failed The RPC server is unavailable.

I tried the recommended solution but it does not seem to resolve the issue. Right now when I open the HYPERV Manager on my workstation it looks like it is partially connecting and returning some data. For example, I can click the hyper-v settings link and it appears to know how I configured the drives for the server (unless this is somehow left over from previous connections yesterday) But it keeps returning no virtual machines found. I know this is incorrect because I had 3 of them running before I moved the server.

Now what?

@bschriver - this will almost certainly be your firewall between your DMZ and your 'safe' network blocking the async callback made for instance modification events. Hyper-V uses WMI for management which uses a large range of ports which means your firewall would have to be far more open than I would recommend to make this work. However, it should be possible depending on your firewall to allow communication to a single management box on corpnet. One more secure solution in this scenario would be a dedidated management workstation in the DMZ which you remote to. In either case, you should have a seperate NIC for management, not expose the management interfaces to the Internet.

John,

thanks for the script and for your work on it. After progressing through your manual steps, I ended up a bit stuck and thankfully found your script. However, it wasn't until I realised that I needed to run the script on my client Vista machine that I fixed the anon dcom issue and it finally all came together.
:)

Great John !!! Thanks for your works

really great tool! thank you very much john~

John, thanks a lot for your work! But I have one problem. I'm trying to connect to virtual machine on workgroup server from hyper-v manager on domain computer. Error: An authentication error has occurred. The token supplied to this function is invalid. Remote computer: name. All other management tools works fine.

I've got a scenario that makes things hard for me. My client is on a domain and the server is in a workgroup. I've farted around with this silly thing for HOURS. Finally, I came across this page. Your tool made it all work for me. For that, I thank you. For being a PM in the Hyper-V group, I grumble at you for not building a little bit more friendly way of getting this to work into the product. :-)

Jamie

John,

I appreciate your efforts but I have to say trying to manage a Hyper-V Server in a Workgroup from a workstation in a domain is just not working for me. Followed you instructions, have hosts file entries AND DNS working yet it fails. Here is the error.

***** Failed to connect to root\cimv2
***** Error: -2147023174 The RPC server is unavailable.
***** Namespace: root\cimv2
FAIL - Was unable to connect. Diagnosis steps:

I went through all of the diagnosis steps and still can't connect. I would have loved to use Hyper-V Server 2008 R2 for this client but at this point I am spinning my wheels and may have to look at alternatives. Have you seen those errors before? Do you have any ideas? I wish this were easier.

Works perfectly. Thanks guys.

John,

Please remove the word "Use" in the "Client Set credentials for local account Use cmdkey /add:servername /user:servername\accountname /pass " command for client(domain) server(workgroup).

Thanks,

Philip

Brilliant! It worked!! Nicely done. it's also insane that it takes these steps to do, but without this tool you'd be dead in the water. nice job.

Very nice utility, I can learn some from the used scripting.
But i have a problem with the script. there is a BUG in the "Net localgroup" commandline utility. Net.exe cannot work with groupnames > 20 characters!!!! That is a bug in net.exe since the oldest Windows NT versions. since your script uses the net.exe utiliy to add the group to the "distributed COM users" localgroup, the script errors when granting an AD group name excessing 20 chars.
(the 'bug' is documented in MS KB article 324639, http://support.microsoft.com/kb/324639 along with some vbscript code to work around. you may use that code...)

Nice work.

Thanks,
Bart

I had been getting "You might not have permission to perform this task” -- found the cause to be that I had not enabled "Virtualization Technology" in the BIOS.
Even after enabling VT; still getting the error until I reinstalled Hyper-V Server 2008 R2. Perhaps you could just remove & replace the role; but I don't know how to do that on the 'skinny OS' of Hyper-V Server.

Thanks for the script!!

I've found a solution for the following problem:
....
***** Failed to connect to root\cimv2
***** Error: -2147023174 The RPC server is unavailable.
***** Namespace: root\cimv2
FAIL - Was unable to connect. Diagnosis steps:
....


Go on the PC where hyperv manager is running and type the following:
cmdkey /delete:<hypervservername>

That worked for me.
Bye

I'm seeking for help, for more information please go to my created discussion
http://archive.msdn.microsoft.com/HVRemote/Thread/View.aspx?ThreadId=5235
I'd really appericate if anyone could help me.

This is great, but I can't configure Failovercluster-Manager in the Windows 7 Client remotely. It says, that I have to be logged in with a Domain-User account. So I can't create a Failover-Cluster without DC? Because I have only 2 Hyper-V 2008 R2 CORE Servers. Please help, I really don't know how to realize the Failover via Remote-MMC when the servers are in a Workgroup.