In-Depth
Configuring Workgroup Connectivity to a Hyper-V Host with PowerShell
Here's how to get Hyper-V's management tools configured to manage connections in five steps.
Active Directory (AD) is one of those products that seems ubiquitous. It's something that's taken for granted and is just assumed to be around. However, for those computers that are not part of AD group, you'll find out just how handy having AD around is. One situation where it's much more difficult to not have AD is when configuring remote connectivity to a Hyper-V host in a workgroup.
When working with a Hyper-V host, you're probably not going to work directly on the box and there's a good chance that this machine is in a workgroup because, afterall, it's supposed to host machines not actually be one that's managed a lot. This means in order to get the Hyper-V Remote Management MMC and also to perform management to it via PowerShell, you're required to perform some additional configuration in order to get this working well.
This configuration roughly consists of X different activities:
- Adding the remote host to the local hosts file
- Adding the remote host to PowerShell's trusted hosts
- Enabling PowerShell Remoting on the remote host
- Enabling some firewall rules on the remote and localhost
- Enabling anonymous DCOM access to both the local and remote host
Now see what I mean when you were taking AD for granted? Let's see how we can make short work of these requirements. To do most of the work, we'll use PowerShell.
Adding the Remote Host to the Local Host File
This step requires opening up your local hosts file at C:\Windows\System32\Drivers\Etc\Hosts and adding a line that looks like this assuming the hostname of your Hyper-V host is HYPERVHOST and it's IP address is 192.168.1.2. This is done since they Hyper-V host assuming that your Hyper-V host will not be in DNS. If so, skip this step.
HYPERVHOSTHERE 192.168.1.2
Adding the Remote Host to PowerShell's Trusted Hosts
Next, we'll add the remote hose to PowerShell's trusted host. Since the Hyper-V host isn't in AD, we'll have to tell PowerShell it's OK to connect to it. Here's a few lines you can add the host with.
$TrustedHosts = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$TrustedHosts = ($TrustedHosts -split ',') + 'HYPERVHOST'
Set-Item -Path wsman:\localhost\Client\TrustedHosts -Value ($TrustedHosts -join ',') -Force
Enabling PowerShell Remoting on the Remote Host
Let's now enable PowerShell remoting on the remote host. Because we'ce go ta chicken and egg thing going on here, we'd normally do something like this with PowerShell Remoting. Since that's obviously not available yet, we can use WMI to remotely invoke it.
$wmiParams = @{
'ComputerName' = 'HYPERVHOST'
'Credential' = (Get-Credential)
'Class' = 'Win32_Process'
'Name' = 'Create'
'Args' = 'c:\windows\system32\winrm.cmd quickconfig -quiet'
}
$process = Invoke-WmiMethod @wmiParams
Enabling Firewall Rules
Since, by default, the Windows firewall does not allow this communication on both the local and remote hosts, we must open up some ports. This can also easily be done with a few lines of PowerShell. These lines should be executed both on the local and remote hosts.
$scriptBlock = {
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
Enable-NetFirewallRule -DisplayGroup 'Remote Volume Management'
}
## Run locally
& $scriptBlock
## Run remotely
Invoke-Command -ComputerName HYPERVHOST -Credential (Get-Credential) -ScriptBlock $scriptBlock
Enable Anonymous DCOM Access to Both the Local and Remote Host
Finally, in order to get the Hyper-V management MMC working correctly, we'll need to relax the DCOM permissions a little bit. To do this, we'll add the ANONYMOUS LOGON user to the Distributed COM Users groups both locally and remotely. To prevent a lot of clicking around, we can also get this done with PowerShell using a few lines.
$scriptBlock = {
$group = [ADSI]"WinNT://./Distributed COM Users"
$members = @($group.Invoke("Members")) | foreach {
$_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($members -notcontains 'ANONYMOUS LOGON')
{
$group = [ADSI]"WinNT://./Distributed COM Users,group"
$group.add("WinNT://./NT AUTHORITY\ANONYMOUS LOGON")
}
}
## Run locally
& $sb
## Run remotely
Invoke-Command -ComputerName HYPERVHOST -Credential (Get-Credential) -ScriptBlock $scriptBlock
If each of these code snippets runs successfully, you should now be able to both use the Hyper-V management tools MMC snapin as well as all of the Hyper-V PowerShell cmdlets as well.
About the Author
Boe Prox is a Microsoft MVP in Windows PowerShell and a Senior Windows System Administrator. He has worked in the IT field since 2003, and he supports a variety of different platforms. He is a contributing author in PowerShell Deep Dives with chapters about WSUS and TCP communication. He is a moderator on the Hey, Scripting Guy! forum, and he has been a judge for the Scripting Games. He has presented talks on the topics of WSUS and PowerShell as well as runspaces to PowerShell user groups. He is an Honorary Scripting Guy, and he has submitted a number of posts as a to Microsoft's Hey, Scripting Guy! He also has a number of open source projects available on Codeplex and GitHub. His personal blog is at http://learn-powershell.net.