Recently I had to replace a hard drive in one of my servers running Microsoft Hyper-V 2008 R2 which contained the virtual machine configuration and VHD files. I used robocopy to copy the data from the server drive, to a temporary drive, then replaced the drive before copying the data on to it.
Unfortunately, I forgot to copy the ACL’s as well, which caused issues when trying to start the virtual machines again. I use System Center Virtual Machine Manager, so when I tried to start my virtual machines again, I got the following error logged in the Jobs log: -
Error (12700)
VMM cannot complete the Hyper-V operation on the server.domain server because of the error: ‘Unnamed VM’ could not initialize. (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)‘Unnamed VM’ could not read or update the virtual machine configuration because access was denied: General access denied error (0×80070005). Check the security settings on the folder in which the virtual machine is stored. (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)
(Unknown error (0×8001))Recommended Action
Resolve the issue in Hyper-V and then try the operation again.
In Hyper-V Manager, the following error is displayed when trying to start the same machine: -
‘SERVER’ failed to start.
Microsoft Emulated IDE Controller (Instance ID {598AFA1B-1726-44B7-8435-E00B2ACAF2B5}): Failed to Power on with Error ‘General access denied error’
IDE/ATAPI Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’
Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’
[Expanded Information]
‘SERVER’ failed to start. (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)‘SERVER’ Microsoft Emulated IDE Controller (Instance ID {598AFA1B-1726-44B7-8435-E00B2ACAF2B5}): Failed to Power on with Error ‘General access denied error’ (0×80070005). (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)
‘SERVER’: IDE/ATAPI Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’ (0×80070005). (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)
‘SERVER’: Account does not have sufficient privilege to open attachment ‘D:\Virtual Server\Virtual Machines\server\system.vhd’. Error: ‘General access denied error’ (0×80070005). (Virtual machine ID 598AFA1B-1726-44B7-8435-E00B2ACAF2B5)
The issue is of course, that because the ACL’s weren’t preserved, Hyper-V can’t read the virtual machine files. Unfortunately, it’s not as simple as just adding the SYSTEM account to the root and applying permissions down, as Hyper-V R2 has it’s own security “namespace” (referred to in Microsoft documentation as the Service SID) called “NT VIRTUAL MACHINE” which contains the GUID’s for all registered virtual machines.
The easiest way to add permissions back to your virtual machines, in order to have them accessible via Hyper-V, is to use the following process on each machine (this is assuming you’re using System Center Virtual Machine Manager): -
- Open the directory that stores your virtual machine
- Open the “Virtual Machines” subdirectory under your virtual machine directory
- Record the GUID as per the file name of the .xml file in this directory
- Run icacls “<virtualmachinefolder>” /grant “NT VIRTUAL MACHINE\<virtualmachineguid>”:F /T (for example icacls “D:\Virtual Server\Virtual Machines\Server” /grant “NT VIRTUAL MACHINE\598AFA1B-1726-44B7-8435-E00B2ACAF2B5″:F /T
Now you should be able to start your virtual machine.
Great post!! Thx for this!
Bert
This Post is exactly my Problem… but i have a German Version installed and procedure comes up with the Error that the Account was not found…. i think it is talking about the NT Virtual Machines account. Where can i find the german name? What about a solution without System Center ?
Thanks for the post anyway… now i am on the right road.
Best Regards
jojo
Hi jojo,
I recommend reading this article, which will help you identify the correct account name for your virtual machine – http://www.virtualizationteam.com/microsoft/hyper-v/hyper-v-a-new-breed-of-sid.html
You sir are awesome! I thought for sure we had lost one of our virtual machines and the fix above worked. Thank you so much.
Awesome! Thank you. I wanted to add that if you have multiple vhd files in the same folder, you need to sort out with GUID you need to use, from the Virtual Machines folder, and specify the vhd file to apply it to.
THANKS Mat! You… almost solved my problem.
Made the exact same mistake with two VMs. Unfortunately the first was made with SCVMM so all files where indeed in the same place, but the second was created by Hyper-V console. I had to manually do the same process on each file/folder/vhd/avhd to make that second machine start.
Unfortunately I crashed on a second problem. Although my VM starts, the second VHD shows as unformatted. Probably some file corruption while copying the disks back (“copying back” if I am lucky – “copying” if I am not).
Thanks anyway, you helped me greatly.
Excellent. This little gem will save me hours in the future. Thank you for posting the tip!
Thanks NLS and MDrysea for your comments.
[...] to this post for helping my find the [...]
I found that Hyper-V Manager will add the correct GUID by detaching and reattaching the VHD to the proper VM.
Thanks
Thanks John. That worked a lot easier by just detaching and reattaching.