Monday, 2 April 2012

Access Denied Error Attempting to Manage a Remote Hyper-V Server in a Workgroup Environment




Overview

When you use the Hyper-V management tools on a Windows Vista or Windows 7 computer to connect to a remote Windows Server 2008 R2 machine with the Hyper-V role enabled, and both machines are in a workgroup, you will get a nasty error:
You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer `IP address`
I will not go into details on why this happens. The reasons are well documented in the official Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc794756.aspx.

How to enable remote management of Hyper-V

Many steps need to be taken in order to make it work. The process is long: part of it is done on the server side, part on the client side, and part on both ends. Because of that and all the complication involved, it's quite easy to make errors that will prevent you from successfully completing the necessary steps.
However, and here is the nice part, John Howard also has a solution for us: a tool he wrote, called HVRemote, which was developed in order to avoid the manual steps required for remote configuration.


By using this command line tool and running a bunch of simple commands, you will be able to easily enable remote management of Hyper-V. Let's see what needs to be done:
Note: If your server is being managed by System Center Virtual Machine Manager 2008, you should not use this script.
After downloading the tool, copy HVRemote.wsf to a location on both target machines: the server and the client. It is recommended to create a new sub-directory such as C:\HVRemote in which to store the script.
  1. Open a command prompt window and point it to that folder. It's recommended that you open it as an administrator (right-click and choose "Run As Administrator").
  2. On the Hyper-V server: Add user rights to remotely access Hyper-V.
     cscript hvremote.wsf /add:domain\user (if machine is in a domain)
     or
     cscript hvremote.wsf /add:user (if machine is in a workgroup)
  3. On the client, if using a Vista or Windows 7 client (not needed on Windows Server 2008 or Windows Server 2008 R2): Add a firewall exception for the Microsoft Management Console.
     cscript hvremote.wsf /mmc:enable
  4. On the client (if the client and server are both in workgroups, or the client and server are in untrusted domains): Allow anonymous DCOM access.
     cscript hvremote.wsf /anondcom:grant
  5. Reboot both Hyper-V server and client.
  6. Optional - On the client: Display current configuration and verify common configuration problems.
     cscript hvremote.wsf /show /target:servercomputername
  7. Optional - On the server: Display current configuration and verify common configuration problems.
     cscript hvremote.wsf /show /target:clientcomputername
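
The conditions in the steps above, written as a planning helper that prints only the HVRemote commands this machine needs, so the anonymous DCOM grant and the firewall exception are not applied where the steps say they are unnecessary. This is an added example, not part of the original post or of HVRemote; the function name Get-HVRemotePlan, its parameters and the default script path are assumptions.

```powershell
# Added example (hypothetical helper): print the HVRemote commands that apply
# to THIS machine, following the conditions in the steps above. It prints
# commands only; paste them into the elevated command prompt yourself.
function Get-HVRemotePlan {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Server','Client')][string]$Role,
        [string]$User,               # account to authorise (Server role only)
        [string]$Peer,               # name of the other machine, for /show /target
        [switch]$ServerInWorkgroup,  # Client role: the Hyper-V server is in a workgroup
        [switch]$UntrustedDomains,   # client and server are in untrusted domains
        [string]$ScriptPath = 'C:\HVRemote\hvremote.wsf'   # assumed location
    )
    $cs = Get-WmiObject Win32_ComputerSystem
    $os = Get-WmiObject Win32_OperatingSystem
    $inDomain   = [bool]$cs.PartOfDomain
    $isClientOS = ($os.ProductType -eq 1)    # 1 = workstation (Vista / Windows 7)

    $plan = @()
    if ($Role -eq 'Server') {
        if (-not $User) { throw 'The Server role needs -User.' }
        # Domain machine: /add:domain\user. Workgroup machine: /add:user.
        if ($inDomain -and $User -notmatch '\\') {
            throw 'This machine is in a domain: pass -User as domain\user.'
        }
        if (-not $inDomain -and $User -match '\\') {
            throw 'This machine is in a workgroup: pass -User without a domain.'
        }
        $plan += "/add:$User"
    }
    else {
        # Firewall exception for MMC: Vista / Windows 7 clients only.
        if ($isClientOS) { $plan += '/mmc:enable' }
        # Anonymous DCOM: only for workgroup-to-workgroup or untrusted domains.
        if ((-not $inDomain -and $ServerInWorkgroup) -or $UntrustedDomains) {
            $plan += '/anondcom:grant'
        }
    }
    $plan | ForEach-Object { "cscript `"$ScriptPath`" $_" }
    'rem Reboot both the Hyper-V server and the client before continuing.'
    if ($Peer) { "cscript `"$ScriptPath`" /show /target:$Peer" }
}

# Constructed sample calls; 'hvadmin', 'HVSERVER01' and 'WIN7CLIENT' are placeholders.
# Get-HVRemotePlan -Role Server -User hvadmin -Peer WIN7CLIENT
# Get-HVRemotePlan -Role Client -ServerInWorkgroup -Peer HVSERVER01
```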


Now you can add the remote Hyper-V server to the Windows 7 Hyper-V management console.
[Screenshots: Connect to Hyper-V Server; Add Computer; Successfully connect to remote Windows Server 2008 from Vista or Windows 7 machine.]

Summary

So there you have it! By default, connecting to Windows Server 2008 R2 from a Vista or Windows 7 machine while using Hyper-V management tools leads to an annoying denial error. Fortunately, the workaround for this is pretty straightforward.
