A Guide to Managing Hyper-V Host from a Non-Domain Windows Client

Microsoft allows you to manage Hyper-V hosts remotely. The most widely used method for managing Hyper-V Server remotely is by connecting from Hyper-V Manager of a client machine to Hyper-V Server. If both Hyper-V Server and client are members of an Active Directory domain, a connection is established without any issues. However, a common situation is when users or administrators connect to Hyper-V Server from a Windows machine that is not a domain member and belongs to a Workgroup. This type of connection to Hyper-V Server is possible but requires additional configuration. This blog post explains how to connect to a remote Hyper-V Server by using Hyper-V Manager of a client Windows machine.

Configuration Used in This Blog Post

First of all, let me explain the machine configurations used in this tutorial on how to configure a Hyper-V Server and client. The Hyper-V Server role is installed on a Windows Server 2019 machine that is a member of a domain. Windows 10 20H2 is installed on a client machine that is in Workgroup.

The Active Directory domain name: id.test

The hostname of the Hyper-V Server: win-dc2019

The fully qualified domain name of the Hyper-V Server: win-dc2019.id.test

The IP address of the Hyper-V Server: 192.168.101.209

The IP address of the Windows 10 machine: 192.168.101.210

The hostname of the Windows 10 machine: HOME-PC

The user account used to configure the Hyper-V Server is Administrator.

The user account used to configure the Windows 10 machine is user1. The account has local administrator permissions on the Windows 10 machine.

Note: Don’t install the Hyper-V role on a domain controller. Configure another Windows Server as a domain member and then install the Hyper-V role on that server. Read these blog posts to learn how to install Hyper-V on Windows Server and Windows 10. It is recommended that you use a custom user account with appropriate permissions in a domain rather than the account of a domain administrator. If a domain machine running Windows Server and Hyper-V is updated, and the latest updates are installed, you may need to update your Windows 10 machine to have all latest patches, fix possible errors, and avoid compatibility issues.

Make sure that all Hyper-V features are installed on your Hyper-V client machine before you begin. When you install Hyper-V for Windows 10, you need Hyper-V Manager and PowerShell management tools to be installed on the client Windows 10 machine.

Enable Hyper-V Windows 10

Explanation of the Error

Let’s try to connect to our Hyper-V host running on Windows Server 2019 that is a domain member from our Windows 10 machine that is in Workgroup. Open Hyper-V Manager on the Windows 10 machine, and click Connect to Server. In the Select Computer window, select Another Computer, and type the hostname or IP address of your Hyper-V Server. In my case, I’ll enter win-dc2019 or 192.168.101.209 in the Another Computer field. Hit OK to connect.

Connecting to Hyper-V Server 2019 from Hyper-V for Windows 10

The following error message is displayed, and the connection is not established:

An error occurred while attempting to connect to server "192.168.101.209". Check that the Virtual Machine Management service is running and that you are authorized to connect to the server.

Hyper-V for Windows 10 in Workgroup displays an error

This error is displayed because the connection requires an appropriate security configuration and authentication scheme, which a non-domain client does not have by default. This issue is encountered by users who want to manage Hyper-V Server 2019 remotely from non-domain Windows machines.

Hostname Resolving Configuration

To access a Hyper-V host that is a member of a domain by using the hostname of this server, DNS names must be resolved to IP addresses. An Active Directory domain controller operates as a DNS server in a local area network to resolve hostnames. If a computer is not a member of a domain, issues may occur when you need to resolve a hostname in a domain (especially when it comes to fully qualified domain names). If your Windows 10 operating system cannot resolve a hostname by using a DNS server defined in the network configuration, the operating system reads the hosts file. The hosts file is a plain text file located in the system directory of Windows.

Make sure that the hostname of your Hyper-V Server is resolved on your Windows 10 client machine, and check the configuration in the hosts file. If a Hyper-V Server name is not resolved, add a record to the hosts file on a non-domain Windows machine.

C:\Windows\System32\drivers\etc\hosts is the location of the hosts file in Windows.

You can check the contents of the hosts file manually by opening this file in Notepad, or view records of this file in PowerShell with the command:

Get-Content -Path "C:\Windows\System32\drivers\etc\hosts"

Editing the hosts file in PowerShell of the Windows client machine

Add the records to resolve the DNS name of your Hyper-V Server (a hostname and fully qualified domain name). We use PowerShell for this purpose in our tutorial:

Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "192.168.101.209 win-dc2019"

Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "192.168.101.209 win-dc2019.id.test"

Check whether the records have been added correctly:

Get-Content -Path "C:\Windows\System32\drivers\etc\hosts"

Editing the hosts file in PowerShell

As you can see in the PowerShell output on the screenshot above, changes have been saved successfully to the hosts file.

Try to ping your Hyper-V host from your Windows 10 machine by using a server name.

ping win-dc2019

ping win-dc2019.id.test

Name resolution should work fine now.

The Firewall Network Profile

Firewall configuration of a non-domain Windows 10 machine matters when you need to connect to a Hyper-V host that is a member of a domain. You don’t need to create new firewall rules manually, but you need to check the network connection profile selected in the firewall. The Private connection profile must be set in the Windows firewall.

Check the current network profile on your Windows 10 client machine in PowerShell:

Get-NetConnectionProfile

If the Public network profile is selected (on the client machine), the needed connections are blocked, and PowerShell remoting commands fail.

Checking the Windows firewall network profile

If the profile is Public, change the network profile to Private in PowerShell with the command:

Set-NetConnectionProfile -InterfaceAlias "Ethernet" -NetworkCategory Private

Then check the network profile again:

Get-NetConnectionProfile

The Windows firewall network profile is changed to Private

The firewall profile is now set to Private in Windows 10, and the required connections are now allowed for Hyper-V (see the NetworkCategory string).

On the machine that is a member of a domain, the Domain (DomainAuthenticated) profile is used.

The Domain profile of the firewall is used on Windows machines in a domain

Enable PowerShell Remoting and CredSSP

PowerShell Remoting is a feature used to run PowerShell commands on remote Windows machines and manage remote Windows hosts in PowerShell by getting access to full PowerShell sessions. PowerShell Remoting is disabled by default, and you have to enable this feature on the host that you want to manage remotely (enable PowerShell Remoting on your Hyper-V Server that is a member of a domain). You need your Hyper-V Server to accept remote connections.

Run the command on the Hyper-V host to enable PowerShell Remoting in the elevated PowerShell console:

Enable-PSRemoting

Enable CredSSP on the Hyper-V host. CredSSP (Credential Security Support Provider) is an authentication method that delegates the user's credentials from the client to the remote machine, which can then use them for authentication. CredSSP is a security support provider exposed through the Win32 security API, and it provides an encrypted channel by using Transport Layer Security (TLS).

Enable CredSSP

You should enable firewall rules for WinRM and CredSSP and allow remote access to public zones.

Enable-WSManCredSSP -Role server

Hit Y to enable CredSSP authentication when prompted.

Enabling PowerShell Remoting on a Hyper-V Server

If you see the error message:

The machine is not configured to allow delegating fresh credentials

run the following command on the client machine:

Enable-WSManCredSSP -Role Client -DelegateComputer "*.id.test"

where id.test is the domain name.

You can check whether the delegation is configured properly with the command:

Get-WSManCredSSP

Enable the WinRM service on the Hyper-V host:

winrm quickconfig

Enabling the WinRM service on Hyper-V Server 2019 or Windows Server 2019

Add Your Hyper-V Server to Trusted Hosts

Trusted Hosts is a security feature in PowerShell used to specify the computers to which PowerShell Remoting is allowed to connect if conditions are met. As the Windows client machine is not in the domain, you must manually add each host that you want to manage to the list of trusted hosts on the client. Then the non-domain client can connect to the trusted domain host.

Check the list of trusted hosts with the Get-Item cmdlet:

Get-Item -Path WSMan:\localhost\Client\TrustedHosts

Checking the list of trusted hosts in PowerShell

If you see the error:

Cannot find path 'WSMan:\localhost\Client\TrustedHosts' because it does not exist

run these commands in Windows 10:

Enable-PSRemoting

Enable-PSRemoting -Force

Note: You may need to start the WinRM service temporarily, add a Hyper-V Server to the list of trusted hosts, and then stop the service on the Windows 10 client machine:

Start-Service -Name winrm

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "win-dc2019.id.test"

Stop-Service -Name winrm

Add your Hyper-V Server running on Windows Server 2019 to the list of trusted hosts on your Windows client machine. I’ll add all hosts of our id.test domain to the list of trusted hosts.

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "*.id.test"

Then verify that the value was added:

Get-Item -Path WSMan:\localhost\Client\TrustedHosts

Editing the list of trusted hosts in PowerShell
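
Set-Item without -Concatenate replaces the whole TrustedHosts value, and a wildcard such as "*.id.test" trusts every name in the domain. The following added example (not from the original post) appends only the single Hyper-V host and keeps existing entries; Add-TrustedHostEntry is a hypothetical helper name, and the host name is the one used in this tutorial.

```powershell
# Added example, not part of the original post. Add-TrustedHostEntry is a
# hypothetical helper name. Run it elevated on the workgroup client while the
# WinRM service is running (the WSMan: drive is unavailable otherwise).
function Add-TrustedHostEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$HostName)

    $path = 'WSMan:\localhost\Client\TrustedHosts'
    # TrustedHosts is one comma-separated string; empty means no entries.
    $current = @((Get-Item -Path $path).Value -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($current -contains '*') {
        Write-Warning "TrustedHosts is '*': every remote host is trusted without authentication."
    }
    # Entries may be wildcard patterns, so test coverage with -like.
    $coveredBy = $current | Where-Object { $HostName -like $_ } |
        Select-Object -First 1
    if ($coveredBy) {
        Write-Verbose "$HostName is already covered by '$coveredBy'."
    }
    elseif ($PSCmdlet.ShouldProcess($path, "Append $HostName")) {
        # -Concatenate appends to the list; a plain Set-Item replaces it.
        Set-Item -Path $path -Value $HostName -Concatenate -Force
    }
    # Return the resulting list so the caller can review it.
    @((Get-Item -Path $path).Value -split ',' | Where-Object { $_ })
}

Add-TrustedHostEntry -HostName 'win-dc2019.id.test' -Verbose
```

Run it with -WhatIf first to see the change without applying it.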

Configuring Credentials for the Connection Manager

Now you need to add Hyper-V connection credentials to the Credential Manager. This is because your Windows 10 host is not in the domain. When a client Hyper-V machine is in the domain, Kerberos authentication works seamlessly for you. If a machine is in Workgroup, you should manually specify the credentials and save them as cached credentials. When the cached credentials are saved, the client Hyper-V can connect to the Hyper-V Server with the connection manager.

Add the cache credentials for the Hyper-V host running on Windows Server 2019 domain machine. Run this command on the Windows 10 machine where client Hyper-V is installed.

cmdkey /add:win-dc2019.id.test /user:Administrator /pass:Password

where:

win-dc2019.id.test is the fully qualified domain name (FQDN) of the Hyper-V host

Administrator is the user name used for authentication on Hyper-V host

Password is the password of the specified user (Administrator in this case)

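Define the appropriate username and password according to your configuration. A password typed after /pass: is visible on the screen and can end up in the console's command history; if you specify /pass without a value, cmdkey prompts for the password instead.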

Verify that the connection credentials for your Hyper-V host have been added to cache credentials:

cmdkey /list

Adding credentials of Hyper-V Server to cache credentials

Connecting to Hyper-V Server with Hyper-V Manager

Open Hyper-V Manager on your non-domain Windows 10 machine. Click Hyper-V Manager, then click Action > Connect to Server.

In the Select Computer window, select Another computer, type the name of your Hyper-V Server running on the Windows Server 2019 machine in the domain. In our case win-dc2019.id.test is the name of the Hyper-V Server. Hit OK to proceed.

Connecting to the remote Hyper-V Server

If you have configured everything correctly, the connection to the remote Hyper-V host should be established successfully. In the navigation pane of Hyper-V Manager, you should see the name of the remote Hyper-V host running in the domain, and virtual machines residing on the remote Hyper-V host are displayed in the Virtual Machines section of the main window. Select virtual machines and other items available on the remote host in Hyper-V Manager, and configure everything you need just as you do when managing a local Hyper-V host.

Connection to the remote Hyper-V Server is established successfully

In order to check whether you can establish the remote session and connect to the Hyper-V host in PowerShell, use the Invoke-Command cmdlet, and run this command, for example:

Invoke-Command -ComputerName win-dc2019.id.test -ScriptBlock {whoami; hostname}

This command executes the whoami and hostname command line utilities on the remote Hyper-V Server and returns the output in your PowerShell console on the Windows 10 client.

Checking connection to the remote Windows machine in PowerShell

As you see on the screenshot above, commands are executed, and the correct output is displayed in PowerShell.
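
The steps above leave three security-relevant settings on the workgroup client: entries in TrustedHosts, the CredSSP client role with its delegation targets, and a stored credential. The following added example (not from the original post) reports each of them together with the command that reverts it; Get-HyperVClientExposure is a hypothetical helper name, and the default target is the FQDN used in this tutorial.

```powershell
# Added example, not from the original post. Get-HyperVClientExposure is a
# hypothetical name. Run elevated on the workgroup client with WinRM running.
function Get-HyperVClientExposure {
    param([string]$Target = 'win-dc2019.id.test')   # FQDN used in this post

    $wsman = 'WSMan:\localhost\Client'
    # TrustedHosts is one comma-separated string; empty means no entries.
    $trusted = @((Get-Item -Path "$wsman\TrustedHosts").Value -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $credSsp = [string](Get-Item -Path "$wsman\Auth\CredSSP").Value -eq 'true'
    # Get-WSManCredSSP reports the delegation targets as text lines.
    $delegation = (Get-WSManCredSSP) -join ' '
    # cmdkey prints a "Target: ..." line for every stored credential.
    $stored = @(cmdkey /list | Select-String -SimpleMatch $Target |
        ForEach-Object { $_.Line.Trim() })

    [pscustomobject]@{
        Check   = 'TrustedHosts contains a wildcard'
        Flagged = [bool]($trusted -match '\*')
        Detail  = $trusted -join ', '
        Revert  = "Clear-Item -Path $wsman\TrustedHosts"
    }
    [pscustomobject]@{
        Check   = 'CredSSP client role enabled'
        Flagged = $credSsp
        Detail  = $delegation
        Revert  = 'Disable-WSManCredSSP -Role Client'
    }
    [pscustomobject]@{
        Check   = "Stored credential for $Target"
        Flagged = $stored.Count -gt 0
        Detail  = $stored -join '; '
        Revert  = "cmdkey /delete:$Target"
    }
}

Get-HyperVClientExposure | Format-List
```

The Revert column only lists the commands; run them when remote management from this client is no longer needed.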

Conclusion

This blog post has explained how to connect to Hyper-V Server running in the Active Directory domain from the client Hyper-V running on the non-domain Windows 10 machine. Configuration on both machines can be done in PowerShell. You have to configure hostname resolution and the Windows firewall profile, enable PowerShell Remoting and CredSSP, add the Hyper-V host to trusted hosts, and configure cached credentials on the appropriate machines. After configuring a Hyper-V host running in a domain and the Windows client machine properly, you can manage the remote Hyper-V host conveniently without joining your Windows machine to the domain. When using Hyper-V in domain and non-domain environments, don’t forget to protect your Hyper-V VMs to avoid data loss. Use NAKIVO Backup & Replication, which is a universal data protection solution that supports backup and replication of Hyper-V virtual machines. Download the Free Edition of NAKIVO Backup & Replication on the NAKIVO website and try the product for Hyper-V backup in your environment.
