Deploy Hyper-V Management from Azure

In this post, I’m going to explain how to deploy the Azure Server Management Tools solution (which is in preview at the time of writing) so that you can manage your on-premises Windows Server 2016 (WS2016) Hyper-V hosts securely from anywhere, and from pre-Windows 10 PCs, Macs, and non-Windows tablets.




The Solution

The Server Management Tools solution will provide us with an Azure-hosted web interface for managing Hyper-V hosts that are running on-premises. We need to deploy two items:

  • Gateway: A gateway object in Azure will connect to a small management proxy that we will deploy to an on-premises server. All management traffic will flow through this single installation.
  • Connection: Each host that we want to manage will be configured as a connection in Azure. We will require either a DNS name or an IPv4/IPv6 address and administrative credentials for each host.
Overview of Azure Server Management Tools architecture [Image Credit: Microsoft]

Deploy the First Connection and the Gateway

We will start by deploying a new connection; this might seem a bit backward, but this process allows us to create a new gateway.

Note that the service was still in preview when this article was written, so:

  • Exact names are likely to change over time.
  • I didn’t find a way to deploy the gateway from the portal via the Marketplace without also creating a connection.

Log into the Azure Console, click New and search for Server Management Tools. Select Server Management Tools from the list of results and click Create.

Enter the computer name; this can be a fully qualified domain name (FQDN or DNS name that is valid on your LAN), or an IPv4 or IPv6 address. My demo lab for this post is a workgroup, so I used an IPv4 address.

Select the subscription, if you have more than one subscription, and use an existing resource group or create a new one.

You will then have the option to create a gateway. You only need one gateway. Enter the name of the object that you want to create in Azure; this does not have to match the name of the server that will be your on-premises gateway server.

Creating a Server Management Tools connection and the gateway [Image Credit: Aidan Finn]
Click the Create button at the bottom of the blade when you have double-checked the entered information. You will have your gateway and connection objects in Azure after a few seconds.

Configure the Gateway

The new connection will not work. You will be told that:

Gateway not detected. Click here to configure the gateway.

We need to deploy a gateway on the local network where the Hyper-V host is located. Follow the link; it’s the quickest path to completing the setup of your gateway.

A new blade called Gateway Configuration will appear. We are told that the desired on-premises gateway server must meet the following requirements:

  • Must be running Windows Server 2012 (WS2012), Windows Server 2012 R2 (WS2012 R2), or Windows Server 2016 (WS2016).
  • If the gateway server is running WS2012 or WS2012 R2, then Windows Management Framework (WMF) 5.0 must be installed.
  • The gateway server must have outbound Internet access.
  • It must be possible for the gateway server to make WinRM connections to the Hyper-V hosts.

There are two things that we must do in the Gateway Configuration Blade:

  1. Decide if the Server Management Tools gateway software will be automatically or manually updated (I recommend automatic updates because of the rate of change seen in hybrid cloud software).
  2. Generate a unique download link to retrieve the gateway installer. Click Generate A Pack Link and copy the link. Download the software (zip file) and copy it to your on-premises gateway server.

Configure the Server Management Tools gateway [Image Credit: Aidan Finn]
Extract the zip file on the on-premises gateway server and run the installation.

Note: The zip file contains an MSI installer and a JSON file; it is the JSON file that creates a unique connection between your on-premises gateway and your Server Management Tools gateway object in Azure.

The installation is a simple affair. You will be prompted to either use a self-signed certificate or use one that was previously deployed; I opt for the self-signed option because I do not have a PKI deployed on the network. The installation will complete in a few seconds.

Not long after the installation, the status of the gateway should be updated to show a connection.

The status of an Azure Server Management Tools gateway [Image Credit: Aidan Finn]

Enter Connection Credentials

The connection (that is, the ability to manage your host) will not function until you enter local or domain credentials that have local administrative rights on the server.

Open the connection. You are told that:

Click the Manage as command to enter administrative credentials.

So the obvious thing to do is click Manage as. Enter the administrative credentials and decide if you want Azure to save them or not.

Enter the on-premises server administrative credentials [Image Credit: Aidan Finn]
Click Refresh in the connection object to force a connection attempt. If all is OK, then Azure will connect to your on-premises server and enable management from the Azure Portal. If you get a failure, then you either need to revisit the above prerequisites (especially WinRM and the Windows Firewall) or change the supplied credentials.

Once your host is shown as connected you can start to manage Hyper-V using the Hyper-V toolset in Server Management Tools.

Managing Workgroup Servers

Workgroup servers are a nightmare to manage in all ways. Server Management Tools will require the following additional steps:

You need to add the server that will be managed to Trusted Hosts on the gateway server:

winrm set winrm/config/client '@{TrustedHosts=""}'

You are going to be using a local administrator for the Azure connection’s credentials. This requires the following registry update to be run at the command prompt on the host that will be managed:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

If the host and the gateway are on different subnets, then you need to modify the Windows Firewall on the host:
NETSH advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
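The three workgroup steps above, plus the WMF 5.0 and WinRM checks from the Gateway Configuration section, collected into one PowerShell script as an added example (not from the original post): the gateway-side function appends to TrustedHosts instead of overwriting the list as winrm set does, the host-side function scopes the WinRM firewall rule to the gateway's address rather than any source, and the prerequisite check reports each requirement as a true/false value. The host and gateway addresses are constructed placeholders and the Azure endpoint used for the outbound test is an assumption.

```powershell
# Added example. Run Add-SmtTrustedHost and Test-SmtGatewayPrerequisites on the on-premises
# gateway server, and Enable-SmtManagedHostAccess on the workgroup Hyper-V host (elevated).
# Addresses are constructed placeholders; replace them with your own.
$ManagedHost    = '192.0.2.10'   # Hyper-V host to manage (IP or DNS name)
$GatewayAddress = '192.0.2.20'   # on-premises Server Management Tools gateway server

function Test-SmtGatewayPrerequisites {
    param([string]$HostName)
    # WS2012/WS2012 R2 need WMF 5.0; PowerShell 5.x is what WMF 5.0 installs
    $wmfOk = $PSVersionTable.PSVersion.Major -ge 5
    # Outbound HTTPS to Azure (endpoint chosen for the check is an assumption, not from the post)
    $internetOk = Test-NetConnection -ComputerName 'management.azure.com' -Port 443 -InformationLevel Quiet
    # WinRM reachability from the gateway to the host (Identify request, no credentials needed)
    $winrmOk = $false
    try { Test-WSMan -ComputerName $HostName -ErrorAction Stop | Out-Null; $winrmOk = $true } catch {}
    [pscustomobject]@{ WMF5 = $wmfOk; OutboundInternet = $internetOk; WinRMToHost = $winrmOk }
}

function Add-SmtTrustedHost {
    param([string]$HostName)
    # -Concatenate appends to the existing list; 'winrm set' replaces it. Never use '*' here.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $HostName -Concatenate -Force
    (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
}

function Enable-SmtManagedHostAccess {
    param([string]$GatewayAddress)
    # Let a local administrator receive a full token over the network (needed for workgroup management).
    # This relaxes UAC's remote token filtering, so keep that local admin password unique and strong.
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
    # Allow WinRM only from the gateway; the netsh rule in the post accepts any source address.
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM 5985' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM 5985' -Direction Inbound -Protocol TCP `
            -LocalPort 5985 -RemoteAddress $GatewayAddress -Action Allow | Out-Null
    }
}

# On the managed host:
# Enable-SmtManagedHostAccess -GatewayAddress $GatewayAddress
# On the gateway server:
# Add-SmtTrustedHost -HostName $ManagedHost
# Test-SmtGatewayPrerequisites -HostName $ManagedHost
```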


Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.