Mat’s Techblog

Microsoft Data Protection Manager (DPM) 2007 and 2010 allow online backups of Hyper-V guests, providing the guests and the Hyper-V server meet the necessary requirements as follows: -

http://technet.microsoft.com/en-us/library/dd347840.aspx

http://technet.microsoft.com/en-us/library/dd637102.aspx

There is another condition that I’ve encountered that causes a Hyper-V guest to report as “Backup Using Saved State” rather than “Backup Using Child Partition Snapshot”, where disks are marked as read-only.

In order to correct this, use diskpart to select the applicable disk and run “attrib disk clear readonly”, and then check that the Hyper-V guest reports as “Backup Using Child Partition Snapshot”.

Recently I had to replace a hard drive in one of my servers running Microsoft Hyper-V 2008 R2 which contained the virtual machine configuration and VHD files. I used robocopy to copy the data from the server drive, to a temporary drive, then replaced the drive before copying the data on to it.

Unfortunately, I forgot to copy the ACL’s as well, which caused issues when trying to start the virtual machines again. I use System Center Virtual Machine Manager, so when I tried to start my virtual machines again, I got the following error logged in the Jobs log: -

Error (12700)
VMM cannot complete the Hyper-V operation on the server.domain server because of the error: ‘Unnamed VM’ could not initialize. (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)

‘Unnamed VM’ could not read or update the virtual machine configuration because access was denied: General access denied error (0×80070005). Check the security settings on the folder in which the virtual machine is stored. (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)
 (Unknown error (0×8001))

Recommended Action
Resolve the issue in Hyper-V and then try the operation again.

In Hyper-V Manager, the following error is displayed when trying to start the same machine: -

‘SERVER’ failed to start.

Microsoft Emulated IDE Controller (Instance ID {598AFA1B-1726-44B7-8435-E00B2ACAF2B5}): Failed to Power on with Error ‘General access denied error’

IDE/ATAPI Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’

 Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’

[Expanded Information]
‘SERVER’ failed to start. (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)

‘SERVER’ Microsoft Emulated IDE Controller (Instance ID {598AFA1B-1726-44B7-8435-E00B2ACAF2B5}): Failed to Power on with Error ‘General access denied error’ (0×80070005). (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)

‘SERVER’: IDE/ATAPI Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’ (0×80070005). (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)

‘SERVER’:  Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’ (0×80070005). (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)

The issue is of course, that because the ACL’s weren’t preserved, Hyper-V can’t read the virtual machine files. Unfortunately, it’s not as simple as just adding the SYSTEM account to the root and applying permissions down, as Hyper-V R2 has it’s own security “namespace” (referred to in Microsoft documentation as the Service SID) called “NT VIRTUAL MACHINE” which contains the GUID’s for all registered virtual machines.

The easiest way to add permissions back to your virtual machines, in order to have them accessible via Hyper-V, is to use the following process on each machine (this is assuming you’re using System Center Virtual Machine Manager): -

• Open the directory that stores your virtual machine
• Open the “Virtual Machines” subdirectory under your virtual machine directory
• Record the GUID as per the file name of the .xml file in this directory
• Run icacls “<virtualmachinefolder>” /grant “NT VIRTUAL MACHINE\<virtualmachineguid>”:F /T (for example icacls “D:\Virtual Server\Virtual Machines\Server” /grant “NT VIRTUAL MACHINE\598AFA1B-1726-44B7-8435-E00B2ACAF2B5″:F /T

Now you should be able to start your virtual machine.

I came across a problem when I was installing SCCM 2007 on my Windows 2008 R2 server, where my Management Point was reporting this critical error: -

SMS Site Component Manager faild to install component SMS_MP_CONTROL_MANAGER on server myserver.

The WebDAV server extension is either not installed or not configured properly.
Solution: Make sure WebDAV is installed and enabled. Make sure there is an authoring rule that allow “All users” read access to “All content”. Make sure the WebDAV settings “Allow anonymous property queries” and “Allow property queries with infinite depth” are set to “true” and “Allow Custom Properties” is set to false.

Fair enough. I loaded the IIS management console, connected to the local server and opened the “WebDAV Authoring Rules” option. Here, I added a new authoring rule as the error message suggested, and altered the WebDAV settings to specify the advanced properties.

I had made another change that required a restart, so I restarted my server at this stage intending to re-test the management point when it restarted, however the error persisted. I re-checked the authoring rules and properties, and confirmed that they were correct, yet SCCM was still reporting this critical error.

I tracked down the configuration file for WebDAV under “C:\Windows\System32\inetsrv\config\schema\WebDAV_schema.xml” and compared this to the properties I had set via the IIS management console – They didn’t match!

The following section doesn’t line up with what I specified via the IIS management console: -

<attribute name=”allowAnonymousPropfind” type=”bool” defaultValue=”false” />
<attribute name=”allowInfinitePropfindDepth” type=”bool” defaultValue=”false” />
<attribute name=”allowCustomProperties” type=”bool” defaultValue=”true” />

These values should be “true”, “true”, “false”.

I wasn’t able to make any changes to this file without first taking ownership, due to the default ACL’s, but after I did that, I modified the values and re-saved the file (and also reverted the permissions back to the default).

After a restart of the “World Wide Web Publishing Service” and the “SMS_SITE_COMPONENT_MANAGER” service, everything started working correctly.