Thursday, 28 June 2018

How to install and configure Hyper-V Host (core) for remote administration

 

 

It's possible to configure a Hyper-V host running Server Core to be fully managed remotely. I have read various suggestions on the web saying it’s better and more secure to leave the Hyper-V host in a workgroup, but the effort required when doing that just doesn’t make it worth it in my opinion.

And we actually want 1st and 2nd line technicians to be able to do as much troubleshooting as possible before escalating, rather than adding complexity.

 

OK, if you haven’t already run the following on the core server, do it now:

 

 

Enable-PSRemoting

 

 

If you don’t know the hostname, run the following command now:

 

 

hostname

 

 

All being well, that should be the last time we need to run commands locally on the core server. The machine you use to administer the core server must have the required Remote Server Administration Tools installed and, for ease of access, be a member of the domain.

 

So let’s connect to the host (obviously switch <oobehostname> for whatever the hostname of your core server is):

 

 

Enter-PSSession <oobehostname>

 

 

Next, rename it, specifying your domain credentials:

 

 

Rename-Computer -NewName "contosohv012" -DomainCredential contoso\admdel.griffith -Restart

 

 

Once the server has restarted, you can either reconnect and install Hyper-V from within the session:

 

 

Enter-PSSession contosohv012

Install-WindowsFeature -Name Hyper-V -Restart

 

 

Or execute the command remotely from your administration machine:

 

 

Install-WindowsFeature -Name Hyper-V -ComputerName "contosohv012" -Restart

 

 

If you aren’t sure whether Hyper-V is installed or not, you can run:

 

 

Get-WindowsFeature -Name Hyper-V -ComputerName "contosohv012"

 

 

Next come the firewall settings. This Microsoft document explains that to enable remote management of a 2016 core server you should run:

 

 

Enable-NetFirewallRule -DisplayGroup "Remote Administration"

 

 

But this group was removed starting with Windows Server 2012.  So instead I ran:

 

 

Get-NetFirewallRule | select-object -expand DisplayGroup

 

 

to find the names of the services I needed.

 

To allow access for each, follow these steps:

 

Windows Firewall with Advanced Security (I preferred just setting this on the Domain profile so I edited the rule first)

 

 

Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Profile Domain

Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management"

 

 

Services

 

 

Enable-NetFirewallRule -DisplayGroup "Remote Service Management"

 

 

Event Viewer

 

 

Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"

 

 

Shared Folders

 

 

Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

 

 

Performance Logs and Alerts

There are rules on each of the different profiles, so just the regular -DisplayGroup won’t cut the mustard here. Filter on the profile as well:

 

 

Get-NetFirewallRule | Where {$_.DisplayGroup -eq "Performance Logs and Alerts" -and $_.Profile -eq "Domain"} | Enable-NetFirewallRule

 

 

Disk Management

Disk Management is also a little more complicated. First run this on the remote machine:

 

 

Enable-NetFirewallRule -DisplayGroup "Remote Volume Management"

 

 

Then run the same command on the local machine. Next, we need to start the Virtual Disk service:

 

 

Set-Service -Name vds -StartupType Automatic

Set-Service -Name vds -Status Running -PassThru

 

 

Now you should be able to connect Computer Management, and all other required MMC consoles, by right-clicking and choosing “Connect to another computer”.
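Only two of the groups above were explicitly limited to the Domain profile, so it is worth checking what the others opened. The following read-only audit is an added example, not part of the original post: it lists enabled inbound rules in the display groups used above whose profile is anything other than Domain only. The function name Get-NonDomainMgmtRule is hypothetical, and it assumes you run it from the domain-joined administration machine against contosohv012.

```powershell
# Added example, not from the original post. Read-only: it changes no rules.
# Display groups enabled in the steps above.
$MgmtGroups = @(
    'Windows Firewall Remote Management'
    'Remote Service Management'
    'Remote Event Log Management'
    'File and Printer Sharing'
    'Performance Logs and Alerts'
    'Remote Volume Management'
)

function Get-NonDomainMgmtRule {
    # Hypothetical helper name. Returns enabled inbound rules in the given
    # display groups whose profile is anything other than Domain only
    # (for example Any, Private, Public, or "Domain, Private").
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string[]] $DisplayGroup = $MgmtGroups
    )
    foreach ($group in $DisplayGroup) {
        # A group with no matching rules raises a non-terminating error; skip it.
        Get-NetFirewallRule -DisplayGroup $group -CimSession $ComputerName -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Enabled -eq 'True' -and
                $_.Direction -eq 'Inbound' -and
                $_.Profile -ne 'Domain'
            } |
            Select-Object DisplayGroup, DisplayName, Profile
    }
}

$exposed = Get-NonDomainMgmtRule -ComputerName 'contosohv012'
if ($exposed) {
    $exposed | Sort-Object DisplayGroup, DisplayName | Format-Table -AutoSize
    Write-Warning "$(@($exposed).Count) management rule(s) are enabled outside the Domain profile."
} else {
    Write-Output 'All enabled management rules are scoped to the Domain profile.'
}

# To narrow a flagged group, apply the same change the post makes to
# "Windows Firewall Remote Management":
#   Set-NetFirewallRule -DisplayGroup '<group>' -Profile Domain
# or turn off an individual flagged rule with Disable-NetFirewallRule.
```

Run it again after any later firewall change or feature install, since newly added rules in these groups may arrive enabled on other profiles.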

 

 

 
