在 Active Directory 域和平面网络环境中,以相同的管理用户帐户运行 Hyper-V 管理器:
- 在至少 2 台 Windows 10 电脑上并尝试连接到:
1a。10 个 Hyper-V Server 2012 R2 服务器中的任何一个都出现错误RPC server unavailable. Unable to establish communication between '<Hyper-V server FQDN>' and '<client PC hostname>'.
1b。2 个 Hyper-V Server 2016 服务器中的任何一个都成功。 - 在 Windows Server 2012 R2 域控制器服务器上(我知道,我知道),并尝试连接到:
1a。10 个 Hyper-V Server 2012 R2 服务器中的任何一个都成功。
1b。2 个 Hyper-V Server 2016 服务器中的任何一个都成功。
因此,根本原因似乎是受影响的客户端和服务器之间的连接。
提升的命令cscript "<path>\hvremote.wsf" /show /target:%affectedServer% /override
输出以下(匿名):
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
Hyper-V Remote Management Configuration & Checkup Utility
John Howard, Hyper-V Team, Microsoft Corporation.
http://blogs.technet.com/jhoward
Version 1.08 9th Sept 2013
INFO: Computername is %affectedClient%
INFO: Computer is in domain %ADDNSDomainName%
INFO: Current user is %ADNetBIOSDomainName%\ben.hooper
INFO: OS is 10.0.16299 64-bit Microsoft Windows 10 Enterprise
INFO: Assuming /mode:client as the Hyper-V role is not installed
WARN: User override to assume Windows 8.1/Windows Server 2012 R2 behaviour
INFO: Hyper-V Tools are enabled
-------------------------------------------------------------------------------
DACL for COM Security Access Permissions
-------------------------------------------------------------------------------
\Everyone (S-1-1-0)
Allow: LocalLaunch RemoteLaunch (7)
NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7)
Allow: LocalLaunch (3)
BUILTIN\Distributed COM Users (S-1-5-32-562)
Allow: LocalLaunch RemoteLaunch (7)
BUILTIN\Performance Log Users (S-1-5-32-559)
Allow: LocalLaunch RemoteLaunch (7)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES (S-1-15-2-1)
Allow: LocalLaunch (3)
\ (S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256)
Allow: LocalLaunch (3)
-------------------------------------------------------------------------------
ANONYMOUS LOGON Machine DCOM Access
-------------------------------------------------------------------------------
ANONYMOUS LOGON does not have remote access
This setting should only be enabled if required as security on this
machine will be lowered. This computer is in a domain. It is not
required if the server(s) being managed are in the same or trusted
domains.
Use hvremote /mode:client /anondcom:grant to turn on if required
Both computers are in domain %ADDNSDomainName%
-------------------------------------------------------------------------------
Firewall Settings for Hyper-V Management Clients
-------------------------------------------------------------------------------
Domain Firewall Profile is active
Public Firewall Profile is active
-------------------------------------------------------------------------------
IP Configuration
-------------------------------------------------------------------------------
%IPConfig%
-------------------------------------------------------------------------------
Stored Credentials
-------------------------------------------------------------------------------
%storedCredentials%
-------------------------------------------------------------------------------
Testing connectivity to server:%affectedServer%
-------------------------------------------------------------------------------
1: - Remote computer network configuration
PASS - Found one or more network adapters
Network adapter 1 of 1
- Hyper-V Virtual Ethernet Adapter #2
- Host Name:%affectedServer%
- IP Addresses: 172.16.100.111 fe80::3cb0:1dda:7e90:c948
- IP Subnets: 255.255.255.0 64
2: - Remote computer general information
PASS - Queries succeeded
- Name: %affectedServer%
- Domain: %ADDNSDomainName%
- OS: 6.3.9600 64-bit Microsoft Hyper-V Server 2012 R2
- OS Type: Server
3: - Ping and resolve name of remote computer
PASS - Server found
- Protocol Address: 172.16.100.111
- Protocol Address resolved: 172.16.100.111
The name could not be resolved using WMI. A regular ping will be done
to see if name resolution is working. This is not a sign of an issue.
4: - Ping %affectedServer% using IPv4
A timeout is OK, but if you get an error that %affectedServer%
could not be found, you need to fix DNS or edit
\windows\system32\drivers\etc\hosts.
>
> Pinging %affectedServer%.%ADDNSDomainName% [172.16.100.111] with 32 bytes of data:
> Reply from 172.16.100.111: bytes=32 time=2ms TTL=128
>
> Ping statistics for 172.16.100.111:
> Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 2ms, Maximum = 2ms, Average = 2ms
>
5: - Ping %affectedServer% using IPv6
A timeout is OK, but if you get an error that %affectedServer%
could not be found, you need to fix DNS or edit
\windows\system32\drivers\etc\hosts.
> Ping request could not find host %affectedServer%. Please check the name and try again.
>
6: - Connect to root\cimv2 WMI namespace
PASS - Connection established
7: - Connect to root\virtualization\v2 WMI namespace
PASS - Connection established
8: - Simple query to root\cimv2 WMI namespace
PASS - Simple query succeeded
9: - Simple query to root\virtualization\v2 WMI namespace
PASS - Simple query succeeded
- 3 computer system(s) located
10: - Async notification query to root\virtualization\v2 WMI namespace
FAIL - Notification query failed The RPC server is unavailable.
There may be a DNS issue and the server cannot locate this machine.
You should check this by performing a ping test from the server to
this machine verifying that the IP address the server is trying to
reach matches the IP address of this machine shown in the output above.
Note that it does not matter if the ping succeeds or fails, just that
the IP address is correct.
Run on %affectedServer%: ping -4 %affectedClient%
Note that if you do not have DNS in your infrastructure, you can edit
the \windows\system32\drivers\etc\hosts file on the server to add an
entry for %affectedClient%
If you do have DNS in your infrastructure, you may want to try flushing
the DNS cache on the server, and re-registering against DNS on the client
Run on %affectedServer%: ipconfig /flushdns
Run on %affectedClient%: ipconfig /registerdns
If you are connected over a VPN, see %StackExchange-bannedURL% for
information about another likely cause.
If the server is in an untrusted domain to this client, you need to
enable anonymous logon access to DCOM on this machine:
Run 'hvremote.wsf /mode:client /anondcom:grant' and retry.
If this machine has IPSec policy enforced on it, and the server is in a
workgroup or untrusted domain from this computer, inbound connections
to the client may be blocked by your administrator. You may be able to
temporarily work around this by running net stop bfe on this machine,
but you may lose access to some network services while that service
is stopped. However, this may be against the policy of your administrator.
If the server is behind a router/firewall from the client, WMI/DCOM
calls may be being blocked. This will likely be the case if the server
is, for example, on a public IP directly to the Internet. In this
situation, some solutions to consider are:
- VPN to tunnel traffic
- Publish Hyper-V Manager through a TS/RD Gateway
- Access the server through RDP and perform 'local' management
- Run a management machine (physical or virtual) and RDP to that
There have been several instances of third party firewalls and/or
anti-virus software having adverse effects on remote management.
In some cases, disabling that software has not been sufficient to
resolve the issue, and it has been necessary to completely remove
the program.
INFO: Are running the latest version
-------------------------------------------------------------------------------
3 warnings or errors were found in the configuration. Review the
detailed output above to determine whether you need to take further action.
Summary is below.
1: Running on a later OS than tested on. User override given
2: Cannot perform async WMI query. See detailed resolution steps above.
3: Some tests were not run due to prior failures
-------------------------------------------------------------------------------
INFO: HVRemote complete
我已经彻底研究过这个错误,没有人有这个确切的问题/环境,但无论如何,没有推荐的修复(验证域信任关系是否健康,验证 DNS 在两端正常工作,验证本地管理权限,验证本地允许 ICMPv4 重定向等)已经奏效,因此这篇文章。
重要说明:
- 这在 Cyber Essentials Plus 相关更改之前一直有效。
- Hyper-V 2012 R2 和 2016 服务器的计算机对象位于同一个 OU 中,因此应用了相同的 GPO。
更新时间:2017/12/22 08:47:
- 由 Windows 10 v1709 引起。这与我所看到的相符。
- 可以通过在 Hyper-V 服务器的 Windows 防火墙中允许 WMI 入站连接来解决。我还没有能够测试这个,但我会在有的时候更新它。
更新时间:2017/12/27 14:15:
我创建了一个 GPO 来重新配置 Windows 防火墙创建规则以允许入站 WMI 连接,并通过以下方式验证它是否成功应用:
- 执行
gpresult /v
和检查输出。 - 连接
regedit
并检查注册表项HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules
。
但是,即使在所有配置文件上完全禁用服务器的 Windows 防火墙后,问题仍然存在。
PC上的 Windows 防火墙需要允许 WMI 入站连接,而不是 Hyper-V 服务器。