Part 3 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’

Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to the all parts in the series: 1, 2, 3, 4 and 5 

Although I thought I’d finished at part two, after even more emails and comments on part one and two, it quickly became obvious to me that I need to round off the series by answering “But what if my server is a server core installation”. In server core, you have none of the “niceties” of most of the user interface.

This blog post is an alternate to part one, covering the case where the server is server core. Before going any further, make sure you have followed the steps in my previous post to enable the Hyper-V role on server core and enable remote management. Remote management is important for this walkthrough - you'll need it to complete the steps.  

Step 10 (On Client and Server)

This mirrors step 1 in part one. Make sure you are using a username and password which matches between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience). Enter the following command.

net user john * /add

Step 11 (On Server)
This step mirrors step 2 in part one. Enable the firewall rules on the server for WMI (Windows Management Instrumentation). Enter the following command:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Make sure the command it successful and responds with Updated 4 rules(s). Ok.

Note: What you enter in quotes is just a name must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what group name this is.

Step 12 (On Server)

This step mirrors step 3 in part one. It grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. In a full install of Windows Server 2008, this is (relatively) easy using dcomcnfg. Unfortunately, this is not available on server core. However, there is a built-in user group you can use which does the job just as well (in fact, although I haven’t tested it, this should work equally well on a full installation of Windows Server 2008).

You need to add the user account(s) or groups to the “Distributed COM Users” group. In my example, the server is named jhoward-hp2 and the local user account is john.

net localgroup “Distributed COM Users” /add jhoward-hp2\john

Step 12B (On the remote management console/client)
[Edited 16th May 2008. This was step 15, but moved to before step 13]
Follow steps 5, 6 and 7 in part two. These are identical and must be done on the client machine.

Step 13 (On Remote Management Machine)

This step mirrors 4 in part one and grants appropriate WMI permissions to the user(s) who are remotely connecting. You need grant access to two namespaces, and, as in step 3, you can add individual users, group(s) or the “Authenticated Users” group.

This is a little more challenging on server core as there is no computer management MMC. However, as I’ve already enabled remote management, I can do this from my remote management (Vista SP1) workstation. On that machine, I’m logged on with administrator credentials matching an account on the server machine.

Open Computer Management under Start/Administrative Tools. Right-click on the top most node, “Computer Management (Local Computer)”, and click “Connect to another computer …”

In the select computer dialog, enter the name of the remote server core machine and click OK. In my case, this is jhoward-hp2 (jhoward-hpu was the full installation). Then expand the tree down through Services and Applications\WMI Control and select WMI Control

Right-click on WMI Control and select properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.

IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the Security button. If the appropriate user or group does not already appear, use “Add…” to add them. Note that when doing this remotely, you will be prompted for credentials. Make sure you entere the username as server\username as the default domain will be that of the client management machine

Now select the user and click the Advanced button below the “Permissions for <user>” area.

Make sure the user/group is selected and click Edit

You need to make three changes here.

• In the “Apply to:” drop-down, select “This namespace and subnamespaces”
• In the Allow column, select Remote Enable
• Check “Apply these permissions to objects and/or containers within this container only”

The screen should look like this. If so, click OK through the open dialogs.

Repeat for the Root\virtualization namespace

Click OK as appropriate to confirm all open dialogs and close Computer Management.

Step 14 (On Remote Management Machine)

This step mirrors step 5 in part one and configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. I am assuming in this walkthrough, you are using the in-box default policy and have not re-configured anything at this stage.

To make life a little easier, I’m first going to map a network drive on the remote management machine to the system drive on the machine running server core. In my case, the system drive is G.  At an elevated command prompt on the client, type the following (replacing G and jhoward-hp2 as appropriate)

net use * \\jhoward-hp2\g$

Open Authorization Manager by typing “azman.msc” in the box on the start menu.

Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.

Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the mapped drive, select InitialStore.xml, then click OK.

I’m going to keep this walkthrough as simple (!) as possible, and making my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.

In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.

Note that you are prompted for appropriate administrative credentials. Make sure you enter the username as server\administrativeaccount again, to ensure the domain name is that of the server.

At this point, I would say to add the appropriate users or groups like I did in the full installation option. However, I hit a snag. For some reason, AZMan running remotely did not seem able to find the “john” account (or any other user account I created on the core installation) even though it was definitely there as you can see using Computer Management on the remote machine targeting the server.

The answer (I thought) was to create a new user group and add the “john” account to that group. However, that also failed. All was not lost. First thing to do was to report a bug. Next, was to come up with a backup plan. Now at this point, I apologise in advance - it's a really horrible workaround, and involves hand-editing InitialStore.xml

Let’s take a look at InitialStore.xml on the full installation I made in part one, particularly the section with “Name=Administrator”. In the first screenshot taken using Internet Explorer to open the XML file, you can see that the “john” account has been added, the second screenshot being without “john” being an administrator.

So it just is a question of finding and adding the appropriate user/group sid as member. How hard can that be? (OK, don't answer that quite yet!) Thanks to the scripting guy, it didn’t take long to get the answer. I created the script below, test.vbs, and ran it on the remote management machine using "cscript test.vbs". (Replace jhoward-hp2 in both places with your server name, and john with the appropriate user name. Also make sure there is no space between 'john', and Domain= in the penultimate line.)

strComputer = "."
Set objWMIService = _
   GetObject("winmgmts:\\jhoward-hp2\root\cimv2")
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name='john',Domain='jhoward-hp2'")
Wscript.Echo objAccount.SID

So now I had the account SID for the "john" account, I could use notepad to edit InitialStore.xml appropriately. I still had my network drive mapped.
IMPORTANT: Take a backup copy of InitialStore.xml now!

Unfortunately, notepad is not the most easy to use editor for XML files. There are plenty of freeware XML editor out there, but I stuck with notepad, if for no more reason than to prove that this whole walkthrough can be done using inbox components. Here you can see I’ve added a new member tag on the bottom line – everything from <Member>S-1-5-21-602….. to the following </Member>

 
Just to make sure I hadn’t made a huge editing error, I used IE again to confirm

And yes, you can now close the Authorization Manager MMC if it is still open on the remote management machine!

Important. You must reboot your server for the above changes to take effect.
Step 15 (On the remote management console/client)
[Edited 16th May 2008. Moved this step to earlier as step 12B. Ignore step 15 if you did it earlier]

Follow steps 5, 6 and 7 in part two. These are identical and must be done on the client machine.

Step 16 (Away from the keyboard)
This mirrors step 8 in part two. Take a very deep breath and congratulate yourself. Open beer, have a party, whatever takes your fancy. To have got this far, you deserve it. Make sure you have followed all the steps to the letter, especially the bit about restarting the server.

Step 17 (On the client)

Logon as the account you have given permissions to (“john” in my walkthrough) on the client.

Start Hyper-V Manager from Administrative Tools on the Control Panel. Enter appropriate administrative credentials if UAC is enabled and the account is not an administrator on the client.

Click Connect to Server and enter the name of the remote machine, accepting the EULA if this is a pre-release version of Hyper-V.

Watch in even more awe than you did in part 2 as you get a screen like below ;) Here I’m managing jhoward-hpu which is the full installation, and jhoward-hp2 which is the server core installation. Wow! I need some time off!

Cheers,
John.

Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote

Comments

• Anonymous
  January 01, 2003
  Hyper-V Management Console on Vista x64

• Anonymous
  January 01, 2003
  Hyper-V Monitor Gadget for Windows Sidebar

• Anonymous
  January 01, 2003
  Hola Una herramienta imprescindible para configurar los servidores con Hyper-V para que se puedan administra

• Anonymous
  January 01, 2003
  Stu - hvremote reveals all. Honestly, it's the best way to understand what is and what isn't configured. Output of hvremote /show on both the client and the server, plus a ping attempt in each direction will give 99% of everything needed for diagnosis. Thanks, John.

• Anonymous
  January 01, 2003
  So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

• Anonymous
  January 01, 2003
  Paul - Glad you got it working. For 1) I don't have a good answer  - in a general sense, I would recommend you don't run anything but the Hyper-V role itself on the parent partition. However, not knowing what you're referring to about the HD SCSI optimizer, if it's a necessary OEM supplied driver for accessing the local DAS, then obviuosly you need it. But I suspect it's more than that - do you actually see a perf gain using it on other servers? Is it essentially doing a background defrag or something? For question two - I assume you are referring to running a DC inside a virtual machine. For the same reason as for one, I would not recommend running any other workload on the parent partition except for Hyper-V itself. You should certainly read http://support.microsoft.com/kb/888794 for some guidance. Thanks, John.

• Anonymous
  January 01, 2003
  Evan - thanks for the feedback :) Glad you got it going. We're still investigating and can't currently repro the problem in-house but working with a couple of people who have given us some great information to work on. I'll post up more info when we have a workaround and understand the problem. Cheers, John.

• Anonymous
  January 01, 2003
  M.Salah Please can you

• run hvremote /show on both the server and the client
•  ipconfig /all on both the server and the client
•  verify that a ping of the server from the client, and ping from the client to the server hits the correct address as shown in ipconfig /all
• Verify that the username and password you are using (if workgroup) is exactly the same on both sides.
• Verify that you did try restarting both client and server (with the firewall enabled)
• That you don't have any alternate firewall software installed either side (eg OneCare etc) If you can post the results back, that will give me what I need to diagnose. Thanks, John.

• Anonymous
  January 01, 2003
  George - did you reboot the server after applying the AZMan changes? Thanks, John.

• Anonymous
  January 01, 2003
  David - stand alone being workgroup, not domain. Correct? If so, unless you really feel the need to follow the steps manually, I would very strongly recommend you use HVRemote to complete the configuration. Of course though, I'll assist if you want to go the long route (especially in workgroup). Thanks, John.

• Anonymous
  January 01, 2003
  Peter/Lance - finally got a chance to update it. Thanks, John.

• Anonymous
  January 01, 2003
  A noob/freshman - There are so many things wrong here. First, we do not support Hyper-V running as a nested Hypervisor. You should run it on bare metal. As for the namespace not being present, the most likely cause is you have not enabled the Hyper-V role. How are you determining it was successfully installed? (And you go on to say physical computer, yet you say Hyper-V on 2008 is running in a VM. I'm confused what is what).  Why are you running Server 2008, not 2008 R2, 2012 or even 2012 R2 Preview for Hyper-V? And finally.... why are you doing the configuration manually? It would be FAR easier to use HVRemote - code.msdn.microsoft.com/HVRemote Thx, John.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Aujourd'hui deux outils pour Hyper-V. Pas tout neufs, mais extrêmement utiles. Le premier vous servira

• Anonymous
  January 01, 2003
  In my last post on installing Hyper-V for my home setup I said I had a number of issues.&#160; One was

• Anonymous
  January 01, 2003
  Well guys ... kalo dah ada yang coba Hyper V ... let&#39;s disccuss this .. i was trying to install Hyper

• Anonymous
  January 01, 2003
  Announcing &quot;HVRemote&quot;...., a tool to &quot;automagically&quot; configure Hyper-V Remote Management

• Anonymous
  January 01, 2003
  Esta build (7100. 0. winmain_ win7rc. 090421- 1700) foi compilada na passada Terça- Feira e ao que parece já começou a ser distribuída a parceiros OEM.

• Anonymous
  January 01, 2003
  Timbo - I'm pretty sure you'll see this error if you have older bits on the management computer. Are you sure you're running RTM bits on both server and client (950050 for server and 952627 for vista sp1 client). Thanks, John.

• Anonymous
  January 01, 2003
  @PBaldwin In my experience, you typically see things like this due to time synchronisation in a domain not operating correctly. Is there a difference of more than a minute or so between the server core machine and the management client? Thanks, John.

• Anonymous
  January 01, 2003
  In my last post on installing Hyper-V for my home setup I said I had a number of issues.&#160; One was

• Anonymous
  January 01, 2003
  PingBack from http://blogs.technet.com/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx

• Anonymous
  January 01, 2003
  Toby - HVRemote only deals with Hyper-V management, not other administrative capabilities such as the ones you list. The best way to diagnose is if you run the latest (0.7) version of hvremote with the /target:otherboxname parameter on both boxes (client and server) to diagnose. Thanks, John.

• Anonymous
  January 01, 2003
  Anthony - are you sure you followed step 2B in part 1, and noticed I updated the above post for 12B immediately before step 13. That all said, I really strongly recommend that unless you have a need to perform the steps manually, the use of hvremote will save you a lot of pain. Thanks, John.

• Anonymous
  January 01, 2003
  dock-levy - you would need to contact Lenovo/IBM to verify. I don't have one of those machines available. Have you checked you do have the latest BIOS on your machine? There is no registry setting - this is under control of the OEM. If VPC can recognize it, it will be turned on though - can't think of any reason why not. Anything in the Hypervisor or system event logs when you attempt to start a virtual machine under Hyper-V? What about DEP? Could that be the cause and it isn't correctly set in the BIOS? Thanks, John.

• Anonymous
  January 01, 2003
  Tim - 18004 is RC1 (IIRC). RTM release is 18016. Apply the KB articles I mentioned above to both sides, and the problem should go away. Thanks, John.

• Anonymous
  January 01, 2003
  going through step 14 above - the ProgramData directory (as part of the path to the InitialStore.xml) is apparently a Hidden directory as it isn't directly browsable.  I did a search and then copied the path; however, you can simple cut and paste the path from Step 14 instructions or type it out.

• Anonymous
  January 01, 2003
  Paul - you really do not need to turn off the firewall to make Hyper-V remote management work, and I strongly recommend you do not take that approach. The output from hvremote /show on both server and client would go a long way to diagnosing a problem. For Win7, it depends which build of Win7 you are using. Sure, there are some bugs in build 7000 (beta), but it should work. If you can clarify which build you are running, what you are doing when it crashes and get that hvremote /show output, I could take a look. Thanks, John.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I've come

• Anonymous
  January 01, 2003
  For those that cannot expand the "root" note, in Tony's case, this was resolved by not having followed the instructions on the Vista machine to enable anonymous logon remote access in DCOM Security (step 15 above). Thanks, John.

• Anonymous
  January 01, 2003
  Dillon - is it possible that you're running on a non-English locale system (the group names are localized). Can you save the following as group.vbs and run it using "cscript group.vbs" from a command prompt. That should list the actual localgroups on your machine. Set cGroups = GetObject("WinNT://localhost") cGroups.Filter = Array("group") For Each oGroup In cGroups    wscript.echo oGroup.Name Next Thanks, John.

• Anonymous
  January 01, 2003
  Simone - can you post up the output of hvremote /show on both boxes, plus the output of a "ping -4 otherboxname" to try to diagnose. Thanks, John.

• Anonymous
  January 01, 2003
  @Well.... can you try using HVRemote. This is much simpler than trying to follow the steps manually. John.

• Anonymous
  January 01, 2003
  I can successfully remotely manage my Hyper-V Server 2012 Core in a workgroup environment. I can also remotely manage the disks on the Hyper-V server. I wrote a quick 12-step tutorial (article and video) showing exactly what I did to get this working. pc-addicts.com/12-steps-to-remotely-manage-hyper-v-server-2012-core Hopefully this can help others who found this to be a very frustrating task. -Chris http://PC-Addicts.com

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Hi Thomas My apologies. Was giving a "lazy" answer :) BTW - I did cover this in http://blogs.technet.com/jhoward/archive/2008/03/29/how-to-add-the-hyper-v-role-to-a-windows-server-2008-server-core-machine.aspx and it was also mentioned right at the top of this article:   << Before going any further, make sure you have followed the steps in my previous post to enable the Hyper-V role on server core and enable remote management. Remote management is important for this walkthrough - you'll need it to complete the steps. >> :) Thanks, John.

• Anonymous
  January 01, 2003
  Ralph - Unless you have a seperate DC physically somewhere, you run into the chicken and egg problem. I would strongly recommend that you do not only run a single virtual DC on a Hyper-V machine and have the Hyper-V machine itself joined to that domain. While it technically can be done (with some caveats), it is not a supported scenario. Thanks, John.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Tom - difficult to diagnose based on the info above. Do you want to email me using the link at the top with some more information on the specifics of the error you're hitting, maybe some ipconfig /all output from a working and non-working machine plus the server, a simple ping test, and info about what domain/workgroup each machine is in. Thanks, John.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  No, 0.7 does not support WS2012 (it works somewhat by accident, but I strongly recommend you do not use it). I will be releasing a version which support Windows 8/WS2012 (and Hyper-V Server 2012, and for R2/Win7 and 2008/Vista) before GA. It's being tested now, but not ready to be made public. Windows 7 can communicate to 2012 using the v1 WMI namespace, however, it is not recommended. Any of the new capabilities in 2012 will not be available unless you use a Windows 8 client with the newer Hyper-V Manager which uses the v2 namespace. John.

• Anonymous
  January 01, 2003
  So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remote

• Anonymous
  January 01, 2003
  Remote management of Server Core installations helps you. It prevents you from having to struggle with

• Anonymous
  January 01, 2003
  Ryan/Tony  (Hilton - already sent you an email). Can both of you email me using the link at the top. This is not something we can reproduce in house, so I'd like to understand a bit more about the configuration.

• Verification of domain vlient to domain server (same domain), or combination of workgroup/domain, or workgroup-workgroup (same workgroup)
• x86 vs x64 client
• Whether the client was RTM Vista then upgraded to SP1 or a "slipstream" install.
• SKU (Business/Enterprise/Ultimate)
• Whether UAC is enabled (Server and client)
• Whether user is a local administrator (Server and client)
• Whether windows firewall is turned off or on (server and client)
• Whether there's any additional software installed on server or client (eg Antivirus)
• If domain joined, whether there could be group policy being pushed down to the firewall settings If the firewall is currently on, one suggestion from a colleage to also try: >>Can you try add >> %windir%System32wbemunsecapp.exe >> into Firewall.cpl to unlock the app. >> Then reconnect in the UI, it should work. Thanks, John.

• Anonymous
  January 01, 2003
  Stu - thanks. Yes, you're correct, RTM is required (I believe if memory serves correctly we fixed it in RC0, but beta - ie on the Windows Server 2008 RTM media - does not work). Unfortunately, I'm 99% certain that in Windows Server 2008, neither of those management tools work remotely. Devcon.exe and diskpart are your friends.... Cheers, John.

• Anonymous
  January 01, 2003
  Derek - have you enabled remote management on the server? It also depends if you are domain joined or in a workgroup. If you are workgroup, do you have matching usernames and passwords both sides? There should be no issue running the remote management machine under Virtual PC. Thanks, John.

• Anonymous
  January 01, 2003
  David - I confess, I'm completely stumped. Do you get this for all groups and all users using net localgroup, or just the Distributed COM Users group? Thanks, John.

• Anonymous
  January 01, 2003
  Hi Ryan. I'm in the process of setting up a private domain outside of the Microsoft corporate network to work through the same steps in a controlled domain scenario - the fairly complex corpnet enforced policies and IPSec make it difficult to track down issues without a private domain. It's unlikely I'll get my private network walkthrough finished before the end of the week, but I'll post up my results as soon as I can - I guess parts one two AND three weren't enough. I don't have any suggestions currently. Sorry! Cheers, John.

• Anonymous
  January 01, 2003
  Donald - I would have to defer to WMI under-the-covers networking experts (and I assure you I am not - Hyper-V utilizes WMI rather than us dealing with WMI internals), but I believe this will probably be due to some firewalling or routing issue. WMI is not "firewall friendly". A workaround many people use in this situation is for a VPN or a Temrinal Server publishing the application. That is significantly more secure for Internet access. Thanks, John.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  George - if you can connect in the first place, then it sounds like you didn't setup the AZMan bit correctly. Can you run the script on the server core machine and confirm that under IE on the remote machine, the correct SID is in the administrator part like in the screenshot above. Thanks, John.

• Anonymous
  January 01, 2003
  I too have experienced a difference between the first run of the Hyper-V mmc UI from my Vista managment and the subsequent runs.  Specifically I need to change the path to where the Virtual Hard Drives are to be stored and located; howver, I'm unable and am getting a message:

Remote File Browser

You may not browse the local file system when connecting to a remote Hyper-V server.

OK  

• Anonymous
  March 31, 2008
  John, Thank you for all the great information, however, I am still having problems. I am running Hyper-V on Server Core and I am trying to access it from a workstation running Vista SP1 with the Hyper-V console installed. Both computers are added to the same domain and both computer have my domain username added as a member of the local administrators group. I applied the Hyper-V RC0 update to the install.wim file, I then installed server core using the updated wim. I am getting the "don't have requested permission" error on my workstation. What is interesting is that the first time I opened the management console, it worked and I was able to configure my virtual switches. Now it won't let me change any settings. Any ideas? Thanks, Ryan Lenkersdorfer

• Anonymous
  April 01, 2008
  The comment has been removed

• Anonymous
  April 02, 2008
  Hi John, I get to step 13 fine, however when I connect to the WMI Control, it connects fine, but the "Security" tab contains only the "Root" and no namespaces below this. Any ideas why? (Server is WS2K8 Ent Core with Hyper-V RC0 and guest is Vista x86 SP1 with RSAT and Hyper-V Management tools loaded.)

• Anonymous
  April 02, 2008
  The comment has been removed

• Anonymous
  April 03, 2008
  As a matter of fact I ran the vbs script on the server in the first place. After I edited the initial store XML file, I reimported it into AZMan (deleting the previous initial store entry). When I look in AZMan at the "Administrator" role assignment I see my specified domainusername listed as a "user" type right under the "Administrators(BUILTINAdministrators)" group. I am conected to the hyperv server and see the "No virtual machines were found..." message. It just seems I am missing whatever permission is needed to create new VMs.

• Anonymous
  April 11, 2008
  I have the same problem as HiltonT above, where I open the WMI Control Properties Security Tab and expanding the "Root" node displays nothing.  The "plus" sign button goes away and no child of "Root" ever appears. All the steps leading up to that point were fine and I can connect via RDC and I can browse to the administrative shares in the file explorer.  I just can;t seem to get any of the "root" children. Any ideas?  

• Anonymous
  April 15, 2008
  Any update on nothing displayed below the root node?  I also am running into this.

• Anonymous
  April 15, 2008
  Since I also had the issue where only Root would show I just followed step 13 and applied it only to Root.  Was able to get it working! Not sure of the security implication, but I'm running it all privately anyway.   Thanks for the great info John.  Figuring out a problem like this wouldn't t have been possible a few years back.  You guys at Microsoft are doing a good job opening everything up.

• Anonymous
  April 26, 2008
  You might want to reoder the guide so step 15 is before step 13 if thats the fix to the empty root issue. I followed step 15 and then the root wasn't empty but it also wouldn't expand so I just applied the right to the root as mentioned above. Working great now thanks for the Guide! Peter

• Anonymous
  May 14, 2008
  Thanks!!!! I would also suggest putting step 15 before step 13 in your guide :)

• Anonymous
  June 05, 2008
  Christopher! Then sacrifice a goat at the dark of the moon!!! Your explanantions are tremendous John - but it is a tortuous process, is it not??? :)

• Anonymous
  June 21, 2008
  I verified Windows Management Instrumentation (WMI) group is enabled: --Inbound Rules-- Windows Management Instrumentation (ASync-In) Windows Management Instrumentation (DCOM-In) Windows Management Instrumentation (WMI-In) --Outbound Rules-- Windows Management Instrumentation (WMI-Out) Yet, I cannot connect with the Hyper-V Manager unless I disable the firewall on the Server Core Install.   What did I miss?

• Anonymous
  June 26, 2008
  This guide is worth its weight in Gold, If it were printed on paper 100 times. Thanks a lot.

• Anonymous
  July 04, 2008
  Hi! I also had the empty WMI root node issue. For me it was due to my clientmachine firewall settings. Had norton running and it didn't ask (as it usually do) about the ports beeing used for WMI. Turned it off and the wmi tree appeared.

• Anonymous
  July 11, 2008
  Hi John! Thanks for the great information. I have a strange problem. I cannot connect to server running Hyper-V from my laptop running Vista SP1 but I can connect from other workstations running Vista SP1. Seem like the problem is on my machine but I am not sure where to look. Any thought would be helpful.

• Anonymous
  July 16, 2008
  The comment has been removed

• Anonymous
  July 17, 2008
  The comment has been removed

• Anonymous
  July 17, 2008
  Update: In replacing the Authenticated User WMI Security entry with "Hyper-V Administrators" I'd neglected a tick for "enable account". I also found that my XML edits for AZMan had gone (don't think I should have renamed the server after editing it). BTW running CMDKEY didn't get me out of hand-editing this file! On reboot everything is just rosey. Don't know why I needed CMDKEY to make this work. Might help others struggling with this. But thanks for this article because there is no way I'd have got this far without it! Paul

• Anonymous
  July 18, 2008
  John - Thanks for the great guide.. never thought trying to setup a system without a domain would cause so much trouble. I'm Having the same problem as GEORGE stated previously.  Followed everything to the tee... and all worked as expected until attempting to run the New -> Virtual Machine... which yields an error "Loading Wizard Page Failed. You might not have permissions to perform this task" You can move the pop-up away, but after you finish entering details it gives another error "The server encountered an error while configuring hard disk on <machinename>. You might not have the permission to perform this task. Looking at the location it has created two folders "Virtual Machines" and "Snapshots", so it doesn't appear to be a disk permisisons issue.  I was able to finish the Wizard without attaching a disk. When trying to add a Hard Disk after the Virtual Server is "The Server encountered an error trying to create the virtual hard disk.  You might not have permissions to perform this task". So I got everything else but a disk?  Any ideas.

• Anonymous
  July 18, 2008
  Hyper-V Manager Client:   6.0.6001.18004 Not sure how to tell on the server side.

• Anonymous
  July 18, 2008
  The comment has been removed

• Anonymous
  July 31, 2008
  Great Walthrough!!  Thanks for the help.  I couldn't connect after running through the tutorial, though.  I configured server core with Automatic Updates and trusted it to install the latest update needed for Hyper-V.  So I went through this tutorial thinking I was good-to-go.  It took me almost a full day to find the problem.  Save yourself some time and make sure you download the newest update (KB950050) and manually install it on the server!

• Anonymous
  August 12, 2008
  Great Information, but I do have an issue getting to the WMI Permissions.  When I use Computer Management MMC to attach to my Server Core machine, I navigate to the WMI Control and Right-Click on "Properties", I get Failed to connect to \servername because "WMI:Access Denied" KB950050 is installed on Server Core, and 952627 for vista sp1 client installed on Vista 32 Bit. The Vista Machine is running as a virtual PC on my laptop.  Don't know if this could cause any craziness?

• Anonymous
  August 12, 2008
  John, Great detailed information and walk-through! Thank you for your time and sharing it. However, I have not been able to connect and I am getting the same "WMI:Access Denied" issue as Derek mentioned above with the difference that I am running Vista on my physical laptop. My laptop is joined to the domain of business coorporation and the Windows Server 2008 is part of a workgroup at my home.  I have followed allthe steps to the letter.  The Remote Server Administration Tools for the Hyper-V Tool is also enabled and the properly allowed through firewall extensions.  I can Remote Desktop to the server just fine and as extra caution I have added the server IP address to my "hosts" file as well.  when i try to connect to the server from Vista Hyper-V Manager, after few seconds, I get "the operation on computer '<the server IP address>' failed. Any idea, what is missing? Thanks, Amir

• Anonymous
  August 13, 2008
  john, I joined my Vista machine (Actually a Vista Virtual SP1 PC on my laptop) to the domain and it worked.  I can connect to the server fine now. My question now is - When I installed a Virtual Server on top of the Server Core, it would not install the Network, nor the HID Miniport.  (I assume this is the mouse). I did not have Hyper-V slipstreamed when I installed 2K8 onto the virtual machine... so I am wondering if that might help?  Or, is there a way to update the installation of 2K8 so that KB950050 is included.  (Remember, there isn't a network installed on the VM) Thanks!

• Anonymous
  September 07, 2008
  Be aware of the fact that by default the user account on thews08 server will expire. When this happens you will get the "RPC service unavailable"error.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 13, 2008
  Thanks so much for this blog -- I was rather shocked when, after installing Hyper-V Server 2008 on a little-used PC with no domain or anything, that there was no easy way to bring up a VM on it without going through all this! But the product looks good now that I can actually use it. Anyway, after following these instructions, I was running in to a few problems: -- Remote "Computer Management" works fine, but when I click on "Disk Management" the process blocks for a minute or two and displays an "RPC service unavailable" error -- When right-clicking on the "WMI Control" part of "Computer Management" to set security policies, I was unable to expand the "Root" folder the way that the instructions described. Instead, the process blocked for a minute or two -- Hyper-V Manager comes up fine and connects to the server, but after a minute or two it displays the "RPC service unavailable" message These three problems are all the same -- the server cannot make callbacks to the management client using DCOM. In my case, the root cause was that my firewall -- Windows OneCare -- was blocking all incoming traffic to port 135 (the RPC service "endpoint mapper" port). Once I enabled incoming access to port 135, all these things worked fine. I should point out that first of all, I have no domains anywhere, so things might work differently in that case. And second of all, port 135 has been associated with many seucurity holes over th years, so I told OneCare to only allow connections from my local subnet, which at least helps avoid some of them.

• Anonymous
  October 19, 2008
  Microsoft is NOT ready for this solution. This is only sentence I can say.

• Anonymous
  October 21, 2008
  Any thoughts why I would get this error when following step 12: C:Usersadministrator>net localgroup "Distributed COM Users" /add tpa01vh01dillon System error 1376 has occurred. The specified local group does not exist. Thank you!

• Anonymous
  October 29, 2008
  John, Thank you very much. I did out of this issue per your walkthrough.  I used the same account administrator both on the hyper-v server and hyper-v manager(remote management clinet).  at step 14, i added the "authenticated user". after reboot the hyper-v server, hyper-v manger working. :) Thanks again! Nick

• Anonymous
  November 01, 2008
  Hello John, I am having the same trouble as Dillon G.  I am just running the Hyper-V Server 2008 on my system.  So I have tried to run the "group.vbs" script but I am have some difficulity in creating the script on the system. I run the command "net localgroup" and get the following... C:>net localgroup Aliases for [MyServerName]

*Administrators *Backup Operators *Certificate Service DCOM Access *Cryptographic Operators *Distributed COM Users *Event Log Readers *Guests *IIS_IUSRS *Network Configuration Operators *Performance Log Users *Performance Monitor Users *Power Users *Print Operators *Remote Desktop Users *Replicator *Users The command completed successfully. So I see the "*Distributed COM Users" group.   Any suggestions? Thanks, David

• Anonymous
  November 04, 2008
  I had the same problem as Dillon and David, running the script showed that I indeed had the DCOM Users group, all I did to fix it was copy and paste the group from the net localgroup command into the command to add the user to the group and it worked fine - even though I could not see any notable difference between the command here, and the command I entered... Go figure...

• Anonymous
  November 04, 2008
  Did all steps and I'm expriencing the same as David

• Anonymous
  November 05, 2008
  I got the same error when I tried to add my user to the "Distributed COM Users group". For me it was the quotation marks that messed it up. If I just copied the command and then pasted it in to the command prompt it wouldn't work, but when I typed the command it worked.

• Anonymous
  November 07, 2008
  John, Question, more like questions; My Hyper-v server 2008 test scenario is on a workgroup with a vista client Remote Management. I have went most of the steps that I am able to perform. OKay! I am able to RDP the Hyper-v server, but not able to Hyper-V manage. I can ping the Vista RM computer from the Hyper-v server, but not able to ping the Hyper-v server from the Vista RM computer. My goal is to create 3 VM to play with EBS 2008, however is seems like I can't pass Vista RM to create and manage the VM machines.

• Anonymous
  November 17, 2008
  David's problem is due to double quote formate. Just remove them and retype them again in the shell

• Anonymous
  November 22, 2008
  Dear Mr. Jhon thank you very much i tried your script, but i have the same error "I verified Windows Management Instrumentation (WMI) group is enabled: --Inbound Rules-- Windows Management Instrumentation (ASync-In) Windows Management Instrumentation (DCOM-In) Windows Management Instrumentation (WMI-In) --Outbound Rules-- Windows Management Instrumentation (WMI-Out) Yet, I cannot connect with the Hyper-V Manager unless I disable the firewall on the Server Core Install.   What did I miss?" like Mr. taylor :(

• Anonymous
  November 26, 2008
  Solution for add user in "Distributed COM Users group" (STEP 12), type: net localgroup “Distributed COM Users” /add "jhoward-hp2john". Bye!!!

• Anonymous
  December 03, 2008
  The comment has been removed

• Anonymous
  December 05, 2008
  The comment has been removed

• Anonymous
  January 12, 2009
  Client: Vista 64bit sp1 server: 2008 core - hyper-v Followed your notes...after launching computer management I was not able to manage the 2008 core/hyper-v server.  It looked like a problem with WMI.. This left me stuck at step 12/13 Looking around the -net I found instructions to disable all firewall functions on the 2008 core server.  As soon as I did that I could run the 'computer management' and the hyper-v MMC functions. After going through your notes numerous times..either I'm missing something obvious or it's a 64Bit issue?   Thoughts? Many thanks for your instructions, notes and willingness to work to improve all of our lives! later, eric

• Anonymous
  January 12, 2009
  Sorry!  I missed the post from December 5, 2008 about the extra blog. amazing how we ask a question and then immediately find the answer... Thanks, eric

• Anonymous
  January 26, 2009
  The comment has been removed

• Anonymous
  January 28, 2009
  The comment has been removed

• Anonymous
  January 31, 2009
  hey john first thank u for this article... helped me a lot!. i have a lenovo 3000 with intel T7250 (has intel VT) my bios for some reason does not have Enable VT option. when i use vista and virtual pc it recognize the VT and use it... but Win2K8 Hyper V does not for some reason... can i use the registry to enable??

• Anonymous
  February 12, 2009
  John, Everything in the manual process worked great. Vista x64 SP1 -> Windows 2008 Server Core After 3 days of searching various sites, your's covered all the areas I needed to fill in. Cheers!

• Anonymous
  February 15, 2009
  Can the "RPC problem" be related to netbios not knowing the hostname? I was setting up a 2008 Core server from a 2008 Full client, and since the 2008 Full client never resolved the server name to the IP address, I was always using the IP address whenever specifying the server in your instructions. I gave up yesterday with Hyper-V Manager on the client only once out of many attempts succeeding in connecting to the server, but then showing an RPC error in the "Virtual Machines" central panel. Today, I succumbed and entered the server/ip equivalence into etc/hosts, and, cross fingers, so far Hyper-V Manager is working. The reason I hadn't done this before is that both the client and the server are on a home DHCP network. Can your instructions include setting up the server turning on netbios broadcast (or whatever it's called :-)) so the client computer can resolve it? There is also something wrong with HVRemote.wsf if running on a 2008 Full client, it tells me I need to install KB952627 when in fact this is not available for 2008. Despite these problems, thanks for your web pages and tool, without them I would be far worse off!

• Anonymous
  February 19, 2009
  hey john, fantastic work on the core post - youre a life saver! i think youre covered it in a consequent blog post but i found that kb950050 is absolutely necessary on the hyper-v boxes in order to use remote management tools elsewhere. just need to find a way to get the remote disk and device management tools up and running now :) cheers, -stu

• Anonymous
  February 25, 2009
  The comment has been removed

• Anonymous
  February 25, 2009
  The comment has been removed

• Anonymous
  February 26, 2009
  just an fyi - i checked the isos i was provided and sure enough it wasnt the final release of windows! guess that explains it!

• Anonymous
  March 12, 2009
  The comment has been removed

• Anonymous
  April 09, 2009
  Hi john, Thank you for you efford, it helped me a lot. My problem was that the manager could not connect. I tried all of the above, the one thing that helped was turn off the firewall on the core. After I did all you sugested. Ill figure out later what when wrong. Does the manger run on Windows 7, cause it crashed ;) Could be because of all the fiddeling. 10x man, keep it up, its blogs like this that make IT work. ;)

• Anonymous
  April 21, 2009
  The comment has been removed

• Anonymous
  July 10, 2009
  Hi John, I have a WORKGROUP Hyper-V (English) server and a WORKGROUP Vista Client (Italian). I followed your instruction but I cannot connect the Hyper-V console to the server (it says that it can not connect to the RPC service) except when I disable the firewall on the server side. Disabling the firewall on the server, the client connects fine. Using /show with HVRemote confirms that all firewall rules for Hyper-V and WMI are enabled. Any idea? Thank you, Simone

• Anonymous
  July 29, 2009
  The comment has been removed

• Anonymous
  August 16, 2009
  The comment has been removed

• Anonymous
  October 20, 2009
  Been through the script.  still get make sure virtual management service is running.  must have been the fine printI I missed. can rdp and everything else except hyper v console on windws 7.  all features enabled.

• Anonymous
  November 01, 2009
  John, I wanted to thank you. Having used the other popular Hypervisor software for some time, I decided to see how things were in the Microsoft pond in regards to Hyper-V. After reading up a good deal on configuring Server Core, I decided that I would give Hyper-V a shot running on Windows Core. Knowing the task at hand would prove to be a learning experience I kept an open mind (and an open browser!). After struggling with Server Manager and Disk management - still not resolved - I fired up the Hyper-V console and tried to connect to my Server. I was exasperated to see the "You are no authorized" message. After a couple minutes of poking around I Bing'd the problem and found your site. I read a little more and downloaded your script. Within minutes I was installing my first VM on Hyper-V. Thank you so much for going above and beyond to help the Hyper-V community with your script.  

• Anonymous
  November 26, 2009
  The comment has been removed

• Anonymous
  December 01, 2009
  The comment has been removed

• Anonymous
  December 07, 2009
  The comment has been removed

• Anonymous
  December 08, 2009
  great work but why is it so difficult to remote manage a Hyper V server. The time I have spent messing around trying to get this working is a bit of a joke. Both Microsofts main rivals have a product that instals and is manageable without any fuss ? please please sort this out

• Anonymous
  December 15, 2009
  Hey Guys, I cannt add my User to some group in Core Hyper-V server, but after run in "cmd.exe" powershell and try in there type command to add user... All works.. Thanks All, sorry for my bad English....

• Anonymous
  December 16, 2009
  The comment has been removed

• Anonymous
  January 19, 2010
  You forgot to repeatedly remind me to make sure my passwords were the same on client and server .... shame on you ... ;-)

• Anonymous
  February 15, 2010
  The comment has been removed

• Anonymous
  March 07, 2010
  Thank you for this guide. After I removed that d..... stored password, I could connect via Hyper-V Manager.

• Anonymous
  June 24, 2011
  This is rediculous... all this to get a virtual platform working?  ESX requires 'certain' hardware also, so that's a no go!  I think someone needs to re-write the VM platform book, and create a 'one size fits all'

• Anonymous
  May 14, 2012
  thanks for the effort, but even though it got me a small step further, I still can't create VMs. Now at least the Hyper-V-Manager will connect to the core server without error, but still I get the same error message when I try to finish a VM creation. I'm very frustrated... all this tweaking and still no success. For what seems to be the simpe first step. It's kind of ridiculous, really.

• Anonymous
  May 14, 2012
  thanks for the effort, but even though it got me a small step further, I still can't create VMs. Now at least the Hyper-V-Manager will connect to the core server without error, but still I get the same error message when I try to finish a VM creation. I'm very frustrated... all this tweaking and still no success. For what seems to be the simpe first step. It's kind of ridiculous, really.

• Anonymous
  August 17, 2012
  Thanks for HVRemote. Question is this tool supports Hyper-v server 2012 Could it be used foc connection windows7  -> hyper-v server 2012

• Anonymous
  August 17, 2012
  Thank you very much for answers.

• Anonymous
  July 05, 2013
  The comment has been removed

• Anonymous
  January 28, 2014
  Why doesn't Microsoft release something like vmware did with their client?