It's possible to configure a Hyper-V host running core to be fully managed remotely. I have read various suggestions on the web saying it’s better and more secure to leave the Hyper-V host in a workgroup, but the effort required when doing that just doesn’t make it worth it in my opinion. And we actually want 1st and 2nd line technicians to be able to do as much troubleshooting as possible before escalating, rather than adding complexity.
If you haven’t already run the following on the core server, do it now:
|
Enable-PSRemoting
|
If you don’t know the hostname, run the following command now.
|
hostname
|
All being well, that should be the last time we need to run commands locally on the core server. The machine you use to administer the core server must have the required Remote Server Administration Tools installed and, for ease of access, be a member of the domain.
So let’s connect to the host (obviously switch “oobehostname” for whatever the hostname of your machine is).
|
Enter-PSSession <oobehostname>
|
Next, rename it, specifying your credentials:
|
Rename-Computer -NewName "contosohv012" -DomainCredential contoso\admdel.griffith -Restart
|
Once the server has restarted, reconnect. Then you can either do
|
Enter-PSSession contosohv012
Install-WindowsFeature -Name Hyper-V -Restart
|
Or to execute the command remotely
|
Install-WindowsFeature -Name Hyper-V -ComputerName "contosohv012" -Restart
|
If you aren’t sure whether Hyper-V is installed or not, you can run
|
Get-WindowsFeature -Name Hyper-V -ComputerName "contosohv012"
|
Next come the firewall settings. This Microsoft document explains that to enable remote management of a 2016 core server you should run:
|
Enable-NetFirewallRule -DisplayGroup "Remote Administration"
|
But this group was removed starting with Windows Server 2012. So instead I ran:
|
Get-NetFirewallRule | select-object -expand DisplayGroup
|
to find the names of the services I needed.
To allow access for each, follow these steps:
Windows Firewall with Advanced Security (I preferred just setting this on the Domain profile so I edited the rule first)
|
Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Profile Domain
Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management"
|
Services
|
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
|
Event Viewer
|
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"
|
Shared Folders
|
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
|
Performance Logs and Alerts
There are rules on each of the different profiles, so just the regular -DisplayGroup won’t cut the mustard here.
|
Get-NetFirewallRule | Where {$_.DisplayGroup -eq "Performance Logs and Alerts" -and $_.Profile -eq "Domain"} | Enable-NetFirewallRule
|
Disk Management
Disk Management is also a little more complicated. First run this on the remote machine:
|
Enable-NetFirewallRule -DisplayGroup "Remote Volume Management"
|
Then run the same command on the local machine. Next, we need to start the virtual disk service.
|
Set-Service -Name vds -StartupType Automatic
Set-Service -Name vds -Status Running -PassThru
|
Now you should be able to connect Computer Management, and all other required MMC consoles, by right-clicking and choosing “Connect to another computer”.
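The firewall steps above can also be applied and then audited in one pass from the admin workstation. The script below is an added example, not part of the original walkthrough: it assumes the host name contosohv012 used above and that PowerShell remoting is already enabled, enables only the rules in each group that apply to the Domain profile, and then lists which enabled rules also apply outside the Domain profile so they can be narrowed.

```powershell
# Added example: host name and display groups are the ones used in the steps above.
$HvHost = 'contosohv012'
$Groups = @(
    'Windows Firewall Remote Management',
    'Remote Service Management',
    'Remote Event Log Management',
    'File and Printer Sharing',
    'Performance Logs and Alerts',
    'Remote Volume Management'
)

Invoke-Command -ComputerName $HvHost -ArgumentList (,$Groups) -ScriptBlock {
    param([string[]]$Groups)

    foreach ($group in $Groups) {
        # A group name that does not exist on this OS version returns an error, so report it and move on.
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            Write-Warning "No firewall rules found for display group '$group'"
            continue
        }

        # Profile is a flags value ("Domain", "Domain, Private", "Any", ...).
        # Enable only rules that cover the Domain profile; leave Private/Public-only rules off.
        $rules |
            Where-Object { "$($_.Profile)" -match 'Domain|Any' } |
            Enable-NetFirewallRule
    }

    # Audit: every enabled inbound rule in these groups, flagging any that also
    # apply to the Private or Public profile (or to Any).
    Get-NetFirewallRule -Enabled True -Direction Inbound |
        Where-Object { $Groups -contains $_.DisplayGroup } |
        Select-Object DisplayGroup, DisplayName,
            @{ Name = 'Profile'; Expression = { "$($_.Profile)" } },
            @{ Name = 'BeyondDomain'; Expression = { "$($_.Profile)" -match 'Any|Private|Public' } } |
        Sort-Object DisplayGroup, DisplayName
} | Format-Table DisplayGroup, DisplayName, Profile, BeyondDomain -AutoSize
```

Rules reported with BeyondDomain set to True can be restricted the same way as the Windows Firewall Remote Management group above, with Set-NetFirewallRule -Profile Domain.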