I'm trying to configure our Hyper-V server so that a user on our domain has administrative control. Our Hyper-V server is on the domain running 2008 R2 (named SERVER85 below), and the client is on Win 7 Ent x64 (named DEV03 below, username accuraty\jkessel).
In the output below you can see that it appears we might have a problem with this user's access to the WMI path root\CIMv2, but if I pull up the advanced security settings for that node in WMI, I see:
Name: Justin Kessel (jkessel@accuraty.local)
Apply to: This namespace and subnamespaces
Permissions allowed: "Enable Account" and "Remote Enable" (no others, no denies).
IMHO, the server, the desktop, and user are all fairly "vanilla" with nothing unusual going on. Maybe one thing worth noting: our Small Business Server 2008 (i.e. domain controller) is running as a VPS on SERVER85, so SERVER85 never boots with the domain controller on. This hasn't ever caused problems except that the machine always thinks its firewall should be in the "work" configuration instead of the "domain" configuration. I tested running the HVRemote script while the SERVER85 firewall was turned off, and I get exactly the same results below.
One more note: this user currently can log on through RDP to SERVER85 and administer Hyper-V just fine. This user is *not* a domain admin or an admin on that server - I've simply provided him with the right permissions to be able to RDP and admin Hyper-V only.
We used HVRemote and it output this info when run on the client:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Hyper-V Remote Management Configuration & Checkup Utility
John Howard, Hyper-V Team, Microsoft Corporation.
http://blogs.technet.com/jhoward
Version 0.7 7th August 2009
INFO: Computername is DEV03
INFO: Computer is in domain accuraty.local
INFO: Current user is ACCURATY\JKessel
INFO: Assuming /mode:client as the Hyper-V role is not installed
INFO: Build 7600.16617.amd64fre.win7_gdr.100618-1621
INFO: Detected Windows 7/Windows Server 2008 R2 OS
INFO: Remote Server Administration Tools are installed
INFO: Hyper-V Tools Windows feature is enabled
-------------------------------------------------------------------------------
DACL for COM Security Access Permissions
-------------------------------------------------------------------------------
\Everyone (S-1-1-0)
Allow: LocalLaunch RemoteLaunch (7)
NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7)
Allow: LocalLaunch (3)
BUILTIN\Distributed COM Users (S-1-5-32-562)
Allow: LocalLaunch RemoteLaunch (7)
BUILTIN\Performance Log Users (S-1-5-32-559)
Allow: LocalLaunch RemoteLaunch (7)
-------------------------------------------------------------------------------
ANONYMOUS LOGON Machine DCOM Access
-------------------------------------------------------------------------------
ANONYMOUS LOGON does not have remote access
This setting should only be enabled if required as security on this
machine will be lowered. This computer is in a domain. It is not
required if the server(s) being managed are in the same or trusted
domains.
Use hvremote /mode:client /anondcom:enable to turn on
-------------------------------------------------------------------------------
Firewall Settings for Hyper-V Management Clients
-------------------------------------------------------------------------------
Domain Firewall Profile is active
Enabled: Hyper-V Management Clients - WMI (Async-In)
Enabled: Hyper-V Management Clients - WMI (TCP-Out)
Enabled: Hyper-V Management Clients - WMI (TCP-In)
Enabled: Hyper-V Management Clients - WMI (DCOM-In)
-------------------------------------------------------------------------------
Windows Firewall exception rule(s) for mmc.exe
-------------------------------------------------------------------------------
Domain Firewall Profile is active
Enabled: Microsoft Management Console (UDP)
Enabled: Microsoft Management Console (TCP)
-------------------------------------------------------------------------------
Additional configuration may be necessary
-------------------------------------------------------------------------------
This computer is in a domain. If the target server is in a workgroup,
you may need to set credentials for the server for Hyper-V Remote
Management to operate correctly. This step should not be necssary if
the target server is in the same or trusted domain as this computer.
If necessary, from a *NON* elevated command prompt, enter:
cmdkey /add:ServerComputerName /user:ServerComputerName\UserName /pass
Note that you MUST enter ServerComputerName to BOTH parameters.
You will be prompted for a password after entering the command.
-------------------------------------------------------------------------------
IP Configuration
-------------------------------------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : DEV03
Primary Dns Suffix . . . . . . . : accuraty.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : accuraty.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : accuraty.local
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-19-D1-05-57-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4406:b48c:dea3:de50%11(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.48.185(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, November 10, 2010 3:19:23 AM
Lease Expires . . . . . . . . . . : Monday, December 20, 2010 9:39:25 AM
Default Gateway . . . . . . . . . : 172.16.48.1
DHCP Server . . . . . . . . . . . : 172.16.48.210
DHCPv6 IAID . . . . . . . . . . . : 234887633
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-62-35-81-00-19-D1-05-57-01
DNS Servers . . . . . . . . . . . : 172.16.48.210
66.209.192.5
8.8.8.8
66.209.192.15
8.8.4.4
4.2.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.accuraty.local:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
-------------------------------------------------------------------------------
Stored Credentials
-------------------------------------------------------------------------------
Currently stored credentials:
Target: WindowsLive:name=jkessel@accuraty.com
Type: Generic
User: jkessel@accuraty.com
Local machine persistence
Target: LegacyGeneric:target=WindowsLive:(token):name=jkessel@accuraty.com;serviceuri=contacts.msn.com
Type: Generic
User: jkessel@accuraty.com
Local machine persistence
Target: Domain:target=TERMSRV/server85
Type: Domain Password
User: ACCURATY\jkessel
Local machine persistence
Target: WindowsLive:target=virtualapp/didlogical
Type: Generic
User: 02mybhosqazs
Local machine persistence
-------------------------------------------------------------------------------
Testing connectivity to server:server85
-------------------------------------------------------------------------------
1: - nslookup for DNS verification.
Note that failure is OK if you don't have a DNS infrastructure
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Server: sbs01.accuraty.local
Address: 172.16.48.210
Name: server85.accuraty.local
Address: 172.16.48.201
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
2: - ping attempt (ping -4 -n -1 server85)
Note the ping may timeout - that is OK. However, if you get an
error that server85 could not be found, you need to fix DNS
or add an entry to the hosts file. Test 3 will fail and provide more
guidance.
This may take a second or two...
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Pinging server85.accuraty.local [172.16.48.201] with 32 bytes of data:
Reply from 172.16.48.201: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.48.201:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
3: - Connect to root\cimv2 WMI namespace
***** Failed to connect to root\cimv2
***** Error: -2147024891 Access is denied.
***** Namespace: root\cimv2
FAIL - Was unable to connect. Diagnosis steps:
- Have you run hvremote /add:user or hvremote /add:domain\user
on server85 to grant access?
- Are you sure the server name 'server85' is correct?
- Did you use cmdkey if needed? More information higher up.
- Did you restart server85 after running hvremote /add for
the very first time? (Subsequent adds, no restart needed.)
- Is DNS operating correctly and was server85 found?
Look at the output of tests 1 and 2 above to verify that the
IPv4 address matches the output of 'ipconfig /all' when run on
server85. If you do not have a DNS infrastructure,
edit \windows\system32\drivers\etc on DEV03
to add an entry for server85.
INFO: Are running the latest version
-------------------------------------------------------------------------------
3 warning(s) or error(s) were found in the configuration. Review the
detailed output above to determine whether you need to take further action.
Summary is below.
1: Anonymous Logon does not have remote access (may be ok)
2: You *may* need to set credentials for access to the server
3: Cannot connect to root\cimv2 on server85
-------------------------------------------------------------------------------
I'd greatly appreciate some help!
Thanks!
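
The namespace ACL described in the post can also be read from the command line on the server, which shows every ACE (including denies and inheritance flags) in one place. This is an added example, not part of the original post and not HVRemote code; it assumes an elevated PowerShell prompt on SERVER85, and the parameter names are illustrative.

```powershell
# Added example (not from the post, not HVRemote code).
# Run from an elevated PowerShell prompt on the Hyper-V server.
param(
    [string]$Namespace = 'root\cimv2',
    [string]$Account   = 'ACCURATY\jkessel'   # account named in the post
)

# WMI namespace access-mask bits with the labels the WMI Control GUI shows.
$Rights = @{
    0x1     = 'Enable Account'; 0x2     = 'Execute Methods'
    0x4     = 'Full Write';     0x8     = 'Partial Write'
    0x10    = 'Provider Write'; 0x20    = 'Remote Enable'
    0x20000 = 'Read Security';  0x40000 = 'Edit Security'
}
$Required = 0x21   # Enable Account + Remote Enable, the two rights listed in the post

$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor on $Namespace returned $($result.ReturnValue)"
}

$aces = foreach ($ace in $result.Descriptor.DACL) {
    $mask  = [int64]$ace.AccessMask
    $names = $Rights.Keys | Sort-Object | Where-Object { $mask -band $_ } | ForEach-Object { $Rights[$_] }
    $type  = 'Allow'; if ($ace.AceType -eq 1) { $type = 'Deny' }
    New-Object PSObject -Property @{
        Trustee       = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        Type          = $type
        Mask          = $mask
        Rights        = $names -join ', '
        Subnamespaces = [bool]($ace.AceFlags -band 0x2)    # CONTAINER_INHERIT_ACE
        Inherited     = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
    }
}
$aces | Format-Table Trustee, Type, Rights, Subnamespaces, Inherited -AutoSize

# Direct ACEs for the account only: a deny bit removes the matching allow bit.
$allowed = 0; $denied = 0
foreach ($a in @($aces | Where-Object { $_.Trustee -eq $Account })) {
    if ($a.Type -eq 'Deny') { $denied = $denied -bor $a.Mask }
    else                    { $allowed = $allowed -bor $a.Mask }
}
$effective = $allowed -band (-bnot $denied)
if (($effective -band $Required) -eq $Required) {
    "$Account has Enable Account and Remote Enable on $Namespace through a direct ACE"
} else {
    "$Account lacks a direct ACE granting both rights on $Namespace (mask 0x{0:X})" -f $effective
}
```

Rights granted through a group appear in the table under the group's name, so the final line only reports on ACEs that name the account itself.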