The purpose of this post is to document the steps I had to follow to get my Hyper-V Server 2016 (the free hypervisor) manageable on my Windows Server 2016 GUI server via Server Manager. Both servers are in a workgroup, which means you need to do a number of things to get this working. The same steps would also apply to a Windows Server 2016 Core installation.

The GUI server is my production Hyper-V host, and I wanted to use Server Manager to keep an eye on the lab server. There are many, many guides on this out there. However, what I found since the last time I did this was that something is always missing from my notes or the posts I am trying to follow. For example, I had the server showing up and populated correctly in Server Manager, but I was unable to view the storage.

First off, I'll assume you have completed the installation of the operating system. Once logged in, you will see the SConfig tool. Here, our goal is to configure Windows Remote Management (WinRM) to work over HTTPS. First, we have to enable Remote Desktop.

Choose option 7 (Remote Desktop) and then press E to enable it.

SConfig menu on Server Core

When asked which authentication method to enable, choose option 1.

SConfig menu option 7

You should then see a message box indicating it has enabled Remote Desktop.

SConfig menu enabling Remote Desktop

Now you can Remote Desktop to your Core server if you wish.

Once logged in, select the cmd window floating in the background. Enter this command:

winrm e winrm/config/listener

This will show you the current listeners configured by WinRM.

Check WinRM listener

You can see we just have one listener enabled using the default HTTP.

Type PowerShell and press Enter.

Run this command:

get-childitem cert:\localmachine\my

Check local certificates

You should receive no output for this, and this means you have no certificates installed on the machine.

Using this post as a guide, we can set up a self-signed certificate and assign it to a WinRM listener.

New-SelfSignedCertificate -DnsName hyper-v-host.sbs.local -CertStoreLocation cert:\localmachine\my

New-SelfSignedCertificate

Now this certificate is self-signed, so our GUI server won't trust it. We will need to install this certificate on our GUI server. Make a note of the thumbprint from your new certificate, as we will need that in our next command.

First, we can store our certificate in a variable.

$cert = get-childitem cert:\localmachine\my | where { $_.ThumbPrint -eq "E941D147E708A1EA04EEA8E48B7A88328B5AC47D" }

We need to protect our certificate with a password, which we need to store as a secure string.

$password = ConvertTo-SecureString P@ssw0rd -AsPlainText -Force

Now we can export our certificate.

$cert | Export-PfxCertificate -FilePath c:\hyper-v-host.pfx -Password $password

Export certificate

We can collect that file later and then install it on our GUI server.

Now we need to set up our WinRM HTTPS listener. Switch back to cmd.

The command we need to enter is quite long and needs two pieces of information: your server's fully qualified domain name (FQDN) and the thumbprint of the certificate we just generated.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="hyper-v-host.sbs.local"; CertificateThumbprint="E941D147E708A1EA04EEA8E48B7A88328B5AC47D"}

New HTTPS listener

Now we can run our first WinRM command and make sure our listener is enabled.

winrm e winrm/config/listener

We can see here we now have two listeners enabled.

Show HTTPS listeners
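
The certificate and listener steps above as a single PowerShell script, added here as an example and not taken from the original post. It keeps the thumbprint in a variable instead of copying it by hand and exports only the public certificate (a .cer file without the private key) for the managing server to trust; the firewall rule name and the C:\hyper-v-host.cer path are assumptions.

```powershell
# Added example: run in an elevated PowerShell prompt on the Core server.
$fqdn = 'hyper-v-host.sbs.local'     # the article's lab FQDN

# Stop if an HTTPS listener already exists, so we never end up with a
# listener bound to a stale certificate.
$existing = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($existing) { throw "An HTTPS listener already exists: $($existing.Name)" }

# Create the self-signed certificate and keep the returned object.
$cert = New-SelfSignedCertificate -DnsName $fqdn `
    -CertStoreLocation Cert:\LocalMachine\My

# Bind the certificate to a new HTTPS listener (default port 5986).
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Assumption: no existing firewall rule allows inbound TCP 5986.
# The rule name is made up for this example.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (example rule)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# Export the public certificate only. The private key stays on this server,
# so no password-protected PFX has to leave the machine.
Export-Certificate -Cert $cert -FilePath C:\hyper-v-host.cer | Out-Null

# Show both listeners with the certificate each one uses.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint
```

On the managing server, `Import-Certificate -FilePath <path to the .cer> -CertStoreLocation Cert:\LocalMachine\Root` places that public certificate in the trusted root store.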

Moving over to our GUI server, we need to configure some things before we can connect to the Core server.

We need to store the password for the Core server's built-in Administrator account in the credential store.

Open a PowerShell window and enter the following:

cmdkey /add:hyper-v-host /user:administrator /pass:P@ssw0rd
cmdkey /add:hyper-v-host.sbs.local /user:administrator /pass:P@ssw0rd

Save credentials

Notice we have saved the credential for the hostname and the FQDN.

Next we can add the Core server as a trusted host.

set-item wsman:\localhost\client\trustedhosts -Value hyper-v-host -Concatenate
set-item wsman:\localhost\client\trustedhosts -Value hyper-v-host.sbs.local -Concatenate

Add trusted host

Again we add both the hostname and the FQDN.

We can now use PowerShell remoting to connect to our Core server, which is lucky since we need to do a couple of other bits. We need to configure the firewall for file and print sharing, allow remote access for local accounts, and enable remote firewall management.

Enter-PSSession HYPER-V-HOST
New-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWORD
netsh advfirewall set currentprofile settings remotemanagement enable
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Edit the registry

We can now browse the folders on our Core server.

If we open the c$ share, we can get our certificate and install it.

Right-click the PFX file and follow the Certificate Import Wizard to install the certificate into the Trusted Root Certification Authorities store for the local machine.

Import PFX

Trusted Root Certification Authorities store

We should now have done enough to get Server Manager able to manage our Core server remotely.

Open Server Manager and choose option 3 to add other servers.

Server Manager

Choose the DNS tab and enter the name of your Core server.

Use the arrow to add it to the list of selected computers and click OK. Server Manager will add the server.

Adding a server

Move to All Servers and we can see our server listed.

Server online
You should see Online in the Manageability column, and that's all there is to it.
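
Creating the HTTPS listener does not by itself make a client use it: Enter-PSSession and the other WinRM clients connect over HTTP on port 5985 unless -UseSSL is given. The following check, added here as an example and not part of the original post, confirms from the GUI server that the certificate is trusted and that a session really runs over HTTPS; the machine\user account format is an assumption.

```powershell
# Added example: run in an elevated PowerShell prompt on the GUI server.
$target = 'hyper-v-host.sbs.local'   # article's lab FQDN, must match the certificate's DnsName
$user   = 'hyper-v-host\Administrator'   # assumption: machine\user format
$cred   = Get-Credential -UserName $user -Message "Administrator on $target"

# 1. The certificate must be in the local machine's trusted root store.
#    HasPrivateKey = True means the PFX import also copied the server's
#    private key to this machine.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq "CN=$target" }
if (-not $root) { throw "No certificate for CN=$target in LocalMachine\Root" }
$root | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey

# 2. TLS handshake and certificate validation against the HTTPS listener.
#    This fails if the name does not match or the certificate is untrusted.
Test-WSMan -ComputerName $target -UseSSL |
    Select-Object ProductVendor, ProductVersion

# 3. List the server's listeners, queried over HTTPS.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate `
    -ComputerName $target -UseSSL -Credential $cred |
    Select-Object Transport, Port, Hostname, CertificateThumbprint

# 4. Open a session with -UseSSL and confirm what it actually uses.
$session = New-PSSession -ComputerName $target -UseSSL -Credential $cred
try {
    $info = $session.Runspace.ConnectionInfo
    if ($info.Scheme -ne 'https') { throw "Session uses $($info.Scheme), not https" }
    $info | Select-Object ComputerName, Scheme, Port

    # Same check on the wire: look for an established connection to 5986.
    Get-NetTCPConnection -RemotePort 5986 -State Established `
        -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort, OwningProcess

    Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
}
finally {
    Remove-PSSession $session
}
```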

 

4 Comments
  1. Michael Bast 5 years ago

    Hi Robert, this is a great how to. I am dealing with a similar setup now. I followed your how to. I am not sure if there are any HTTPS secured connections in the end. You are creating the HTTPS-Listener on Port 5986. If I netstat the connections while running Server Manager, Hyper-V Manager or a PS Session there is no traffic to port 5986 – only to 5985. If I do a “Enter-PSSession HYPER-V-HOST -UseSsl” I can see a connection to 5986. So for PS Session there is a switch to force HTTPS (in my opinion this is missing in your how-to). Since I could not find any equivalent HTTPS-/UseSsl-option in Server Manager and Hyper-V Manager I think there is no possibility to secure those connections with HTTPS. What do you think? Am I missing something?

    Another thing is that in my opinion you do not need to export the private key to the connection machine. The private key is only necessary on the machine with the HTTPS-listener.

    Greetings

    Michael

    • John 4 years ago

      Exactly Michael! Just adding the HTTPS Listener won't make it use it. You can easily test it if you remove the HTTP Listener, Server Manager won't work.

      winrm delete winrm/config/Listener?Address=*+Transport=HTTP

      Of course, to be able to delete it you need to remove the "Allow remote server management through WinRM" Policy.

      I've tried to run exclusively on HTTPS and this works with the switch -usessl for WinRS/WinRM/PS, and WEF works fine with only an HTTPS Listener. Ex:

      winrs -r:<some computer> -usessl ipconfig /all

      winrm invoke stopservice wmicimv2/Win32_Service?name=w32time -r:<some computer> -usessl

      But, as said here https://docs.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#windows-remote-management-winrm-listener-settings

      Server Manager relies on default WinRM listener settings on the remote servers that you want to manage. If the default authentication mechanism or the WinRM listener port number on a remote server has been changed from default settings, Server Manager cannot communicate with the remote server.

  2. John Sofilos 4 years ago

    Hello Robert and thanks for this guide. While tedious as a task it was quite fun getting to the end (almost got it).

    Some remarks:
    1. C:\Users\Administrator.TESTDOM>winrm e winrm:config:listener
    WSManFault

    To make it work I had to replace the colons with the backslash.

    C:\Users\Administrator.TESTDOM>winrm e winrm/config/listener
    Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.19.120.131, ::1, fe80::5efe:172.19.120.131%3, fe80::e91b:de5b:80db:af16%2

    2. While I had the local administrator credentials correctly stored into the remote machine I couldn’t initiate the remote PSS. It was strange I had to put the user in machine\user format to make it work.
    *I don’t know if it matters I was logged on as a domain admin while working on core server.
    So what worked for me was:
    PS C:\Users\Administrator> Enter-PSSession -ComputerName core2016 -Credential core2016\Administrator

    Now I can connect to the core server via Windows Server Manager BUT… in Manageability I get:
    Online – Access Denied

    So close 🙂

    Checked the LocalAccountTokenFilterPolicy it was created just fine. Using the domain admin account it connected just fine.

  3. Guy 3 years ago

    Hi!

    Seriously, a great guide for any newcomer, like me, to the "core" business…

    Like you, I spent days looking around for working guides to be able to manage my 2019 core server entirely remotely from Win10's server manager apps. With your help, I was able to manage my disks, network cards and use a certificate with other servers on the LAN. I have found only one typo (or maybe it happens only with WS2019?). I was never able to run this command:

    netsh advfirewall set rule group="File and Printer Sharing" new enable=Yes

    I had to add "firewall" to make it work:

    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

    Hope it might help someone!

    thanks!

    Guy

© 4sysops 2006 - 2023
