Error Creating New Virtual Machine

  • Question

  • I am running a two node Windows Server 2008 Datacenter Edition Failover Cluster with Cluster Shared Volumes. Things were swell until I began configuring Group Policy Objects, now I get the following errors and cannot seem to find the correct answer. I tried adding NT Virtual Machine\Virtual Machines to the GptTmpl.inf file as suggested at http://blogs.msdn.com/b/robertvi/archive/2010/06/08/error-message-the-server-encountered-an-error-while-creating-name-of-the-vm.aspx The setting now appears in Group Policy Management but following a gpupdate on the Hyper-V hosts, they are not being applied.

    The server encountered an error while creating <NEW VIRTUAL MACHINE>.

    The operation failed.

    Failed to create external configuration store at 'C:\ClusterStorage\Volume1\Hyper-V\Virtual Machines\<NEW VIRTUAL MACHINE>': A required privilege is not held by the client. (Virtual machine ID 0x080070522)

    The operation failed.

    User '<REDACTED>' failed to create external configuration store at 'C:\ClusterStorage\Volume1\Hyper-V\Virtual Machines\<NEW VIRTUAL MACHINE>': A required privilege is not held by the client. (Virtual machine ID 0x080070522).

    The redacted user account above is the same user account I have been using all along with domain admin privileges. As I said, this only became an issue after I started implementing GP.

    Suggestions, please.

    Thanks,

    Vint



    Tuesday, September 25, 2012 2:43 PM

All replies

  • Using Group Policy Management, I granted the domain admin account above the 'Create Symbolic Links' privilege under 'User Rights Assignment'. This did not work and I could not create a new VM. After granting 'Everyone' the same permission, it worked and I was able to create a new VM.

    The VHD file was a copy (cut and paste) of a "base image" that I had previously prepared. The error seems to be generated when trying to create a link to the settings file (xml, aka the external configuration store), which has as its name and owner the SID, or global logical identifier if you are reading the xml file, for the virtual machine. AFAIK, it is not possible to know in advance what the SID of a new VM might be, and it would be a major pain in the buttocks to manage something like this every time I want to create a new VM.

    So, what are the security implications of giving 'Everyone'  the 'Create Symbolic Links' privilege? What is the Best Practice?


    Thanks, Vint

    • Proposed as answer by Zankalewa Wednesday, May 8, 2013 7:00 PM
    Tuesday, September 25, 2012 6:52 PM
  • BTW, at no time during this process did I reboot the VM host servers or restart any services, I was afraid to at that point in time. I don't know if that may have allowed me to use the domain admin account, though I doubt it because as soon as I added Everyone and ran gpupdate it worked.

    My concerns still remain: What are the security implications and Best Practices?


    Thanks, Vint

    Tuesday, September 25, 2012 6:57 PM
  • Hi,

    If you change the default setting for “Create Symbolic Link” on a Hyper-V Server you can get this error.  This is due to the Virtual machines needing this right in order to link to the VHA storage areas.  By default, when you install the Hyper-V role, a special group called "virtual machines" is created and given the “Create Symbolic Link” right.  If you change this right with say a GPO, you will not be able to create virtual machines and will get the above error.  This group contains all the virtual machine Service SIDs.

    Look here for more info; http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/storage-management/hyper-v-file-storage-permissions.html

    A similar thread for you to refer to:

    Hyper-V Failed to create a new virtual machine A required privilege is not held by the client        

    http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/b810795c-a078-49a8-b584-9ac1e1b896d1

    Regards,

    Yan Li

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.



    • Marked as answer by Yan Li_ Wednesday, October 3, 2012 1:56 AM
    Thursday, September 27, 2012 5:58 AM
  • Hi,

    Any update about the issue?

    Regards,

    Yan Li


    Monday, October 1, 2012 1:45 AM
  • Yes, yes. I already read and know this. My concerns, as stated earlier are, what are the security implications of giving 'Everyone'  the 'Create Symbolic Links' privilege? What is the Best Practice?


    Thanks, Vint

    Wednesday, October 3, 2012 12:53 PM
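
A way to check what the thread describes, as an added example that is not part of the original posts: the script below audits the `SeCreateSymbolicLinkPrivilege` line of a security template (a GPO's GptTmpl.inf, or a `secedit /export` of the host's effective rights) for the Virtual Machines group mentioned in Yan Li's reply and for the 'Everyone' grant the question asks about. The function names and the sample template are constructed for illustration, and it assumes the well-known SIDs S-1-5-83-0 (NT VIRTUAL MACHINE\Virtual Machines) and S-1-1-0 (Everyone).

```powershell
# Added example, not code from the thread. Input is the text of a security
# template: a GPO's GptTmpl.inf, or the host's effective rights exported with
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
$VmGroup  = @('S-1-5-83-0', 'NT VIRTUAL MACHINE\Virtual Machines')  # assumed well-known SID / name
$Everyone = @('S-1-1-0', 'Everyone')                                # assumed well-known SID / name

function Get-SymlinkRightHolders {          # hypothetical helper name
    param([string[]]$InfLines)
    # Emits each principal on the privilege line; the '*' prefix marks a SID.
    foreach ($line in $InfLines) {
        if ($line -match '^\s*SeCreateSymbolicLinkPrivilege\s*=\s*(.*)$') {
            $Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ -ne '' }
        }
    }
}

function Test-SymlinkRight {                # hypothetical helper name
    param([string[]]$InfLines)
    $holders = @(Get-SymlinkRightHolders $InfLines)
    if ($holders.Count -eq 0) {
        return 'NOT DEFINED: template does not set SeCreateSymbolicLinkPrivilege'
    }
    # -contains is case-insensitive, so names typed by hand still match.
    if (-not ($VmGroup | Where-Object { $holders -contains $_ })) {
        'MISSING: Virtual Machines group lacks the right; VM creation fails as in the thread'
    }
    if ($Everyone | Where-Object { $holders -contains $_ }) {
        'BROAD: Everyone holds the right; narrow it to the Virtual Machines group'
    }
    'HOLDERS: ' + ($holders -join ', ')
}

# Constructed sample: a template that grants Administrators and Everyone only.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-1-0
[Version]
signature="$CHINESE$"
Revision=1
'@ -split "`r?`n"

Test-SymlinkRight $sample
# To audit a real export instead:  Test-SymlinkRight (Get-Content C:\Temp\rights.inf)
```

Running it against an export taken on the Hyper-V host after `gpupdate` shows whether the GPO change actually reached the host, which is the step the original question reports as failing.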