Run Hyper-V in an Active Directory Environment

Hyper-V in an Active Directory Environment

Running Hyper-V in an Active Directory environment is by far the best implementation of Hyper-V. Microsoft has truly shined with the ability to remotely manage a server. Because the Hyper-V server can be managed remotely, it can be installed on a Core installation of Windows, freeing up valuable system resources for use within the VMs. When this is combined with an Active Directory Domain Controller, you can manage all your Hyper-V servers from a single Hyper-V Manager running on any 2008 or Vista computer that is connected to the Domain.

Requirements

  • A 64-bit Windows 2008 Datacenter server running Hyper-V (Full or Core installation of the OS)
  • A global group on the Domain that will be used to manage Hyper-V (The group named Hyper-V will be used from this point forward in the documentation)
  • Domain Admin access to enable changes to be made on the Hyper-V server from the computer you are working from.

Configuring the Hyper-V Server

  1. Open a management connection to the Hyper-V server.
  2. Add Hyper-V group to the Distributed COM Users group
  3. Add Hyper-V group to the CIMV2 and Virtualization namespaces.
  4. Add Hyper-V group to the Authorization store for Hyper-V on the Hyper-V server.
  5. Provide the Hyper-V group permissions to the Hyper-V Directory on the Hyper-V server.

Remote Management Connection

The following information assumes you are logged into a computer on the domain with Domain Admin privileges.

  1. Open the Control panel -> Administrative Tools -> Computer Management.
  2. From the Action menu, select Connect to another computer.
  3. Provide the server name or IP and click ok.

Distributed COM Users Group

We first need to add the Hyper-V group to the Distributed COM Users group on the Hyper-V server.

  1. Select System Tools -> Local Users and Groups -> Groups -> Distributed COM Users -> Add to Group.
  2. Click Add and enter the group name for the Hyper-V group and click ok.

CIMV2 and Virtualization Namespaces

Update the permissions for remote access to the server for the Virtualization and CIMV2 namespaces.

  1. Return to the Computer Management window that is already open.
  2. Select Services and Applications -> WMI Control.
  3. Right Click and select Properties.
  4. Security -> Root -> CIMV2 and then click the Security button.
  5. Add the Hyper-V group, select it and click advanced.
  6. Ensure the new group is selected and click edit.
  7. Change the Apply to: option to The namespace and all subnamespaces
  8. Ensure Allow is checked for Enable Account and Remote enable.
  9. Check the box for Apply these permissions to objects and/or containers within this container only
  10. Click Ok.
  11. Repeat steps 4 through 10 for Virtualization.

Update Authorization Store

The Authorization Store for Hyper-V is the final component that will actually allow the domain group to access Hyper-V.

  1. Open the Authorization Manager by running the command azman.msc from the run menu or a command prompt.
  2. From the Action menu select Open Authorization Store.
  3. Ensure XML is selected. From here you will need to remotely access the InitialStore.xml file on the Hyper-V server.
    • Use the following path: \\HOSTNAME\c$\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
  4. From that InitialStore.xml select Hyper-V services -> Role Assignments -> Administrator
  5. From the Action Menu select Assign Users and Groups -> From Windows and Active Directory
  6. Add the Hyper-V group.

Folder Permissions

Now that the Hyper-V group has complete permissions to manage Hyper-V remotely, it needs to have permissions to write to the C:\Users\Public\Documents\Hyper-V folder.

  1. Open My Computer and go to the following address:
    • \\HOSTNAME\c$\Users\Public\Documents
  2. Select Hyper-V -> Properties -> Security
  3. Add the Hyper-V group and ensure that it has the ability to Read, Write and Execute files within that directory. In general, it is easier to just give Full control, which also allows members of the group to change the folder's permissions and take ownership.

Finalize Configuration

All configuration changes have now been made. To finalize the configuration, you will need to reboot the Hyper-V server. Once the server is back online, connect to it from your local Hyper-V Manager. At this point, you should have full access to manage all VMs and the Hyper-V service itself.
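To confirm what was delegated, the following PowerShell script reads back three of the settings made above (Distributed COM Users membership, the Administrator role assignment in InitialStore.xml, and the folder ACL) from a domain-joined workstation. It is an added example, not part of the original procedure; `HOSTNAME` and the group name `Hyper-V` are the placeholders used in this document, and it assumes the account running it can reach the server's `c$` share.

```powershell
# Added example: read back the Hyper-V delegation from an admin workstation.
# $HostName and $Group are placeholders (assumptions); supply your own values.
param(
    [string]$HostName = 'HOSTNAME',
    [string]$Group    = 'Hyper-V'
)

# 1. Members of the local "Distributed COM Users" group on the Hyper-V server,
#    read through the ADSI WinNT provider (returns account names without the domain).
$dcom = [ADSI]"WinNT://$HostName/Distributed COM Users,group"
$dcomMembers = @($dcom.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# 2. Members of the Administrator role assignment in the Hyper-V authorization
#    store, opened through the same AzMan COM API that azman.msc uses.
$storePath = '\\{0}\c$\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml' -f $HostName
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")
$role = $store.OpenApplication('Hyper-V services').OpenRole('Administrator')
$roleMembers = @($role.MembersName)          # e.g. DOMAIN\Hyper-V

# 3. Access control entries for the group on the Hyper-V documents folder.
$folder = '\\{0}\c$\Users\Public\Documents\Hyper-V' -f $HostName
$folderAces = (Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$Group" }

# Summary: one object showing whether each setting is in place, what rights the
# group holds on the folder, and which other principals hold the Administrator role.
New-Object PSObject -Property @{
    Server                = $HostName
    InDistributedComUsers = ($dcomMembers -contains $Group)
    InAzManAdministrator  = [bool]($roleMembers | Where-Object { $_ -like "*\$Group" })
    FolderRights          = ($folderAces | ForEach-Object {
                                "$($_.AccessControlType): $($_.FileSystemRights)"
                            }) -join '; '
    OtherAzManAdmins      = ($roleMembers | Where-Object { $_ -notlike "*\$Group" }) -join '; '
}
```

The `OtherAzManAdmins` and `FolderRights` fields are the ones to review periodically, since they show who else can administer Hyper-V and whether the group holds more than Read, Write and Execute on the folder.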