Browsed by
Category: Hyper-V

Configure Hyper-V NAT Virtual Switch and NAT Forwarding

Configure Hyper-V NAT Virtual Switch and NAT Forwarding

Windows Server 2016 and Windows 10 adds the native ability for a NAT forwarding Hyper-V switch. This is really handful software-defined networking (SDN) or even lab environment. By default, there is no inbound access from the LAN to the virtual machines that are connected to an NAT-enabled (Internal) virtual switch. And you might want to access isolated virtual machines in your lab through RDP with your laptop. Actually, the old way was to create a specific virtual machine in this lab to act as a gateway. You can find more information in Microsoft documentation.

To create a new NAT switch using subnet on your Hyper-V host, use these PowerShell commands:

Of course, you will need to map your virtual machine network adapter to the right virtual switch and assign an IP in this subnet to your virtual machine and set address as the default gateway. Then if you want to access this virtual machine through RDP for example, run this PowerShell command:

With this configuration, you will be able to connect to your isolated lab virtual machine (IP: through your host “public” IP and the port 50000 using RDP without additional VM to configure.

You will need to configure the firewall of the Hyper-V host (and even maybe your router if pointing to a public address) accordingly to the NAT mapping rule.
Multiple NAT networks are not supported.
Windows Server 2016 Hyper-V Checkpoints

Windows Server 2016 Hyper-V Checkpoints

Checkpoints enable you to capture point-in-time snapshots of a VM. This gives you an easy method of quickly restoring to a known working configuration, making them useful before installing or updating an application. When a checkpoint is created, the original VHD becomes read-only, and all changes are captured in an AVHD file. Conversely, when a checkpoint is deleted, the contents of the AVHD are merged with the original disk, which becomes the primary writable file.

Prior to Windows Server 2016, the only checkpoint type available was the standard checkpoint, which takes a snapshot of both the disk and the memory state at the time that the checkpoint is taken. But Windows Server 2016 introduces production checkpoints, with uses the Volume Shadows Copy Service on Windows guests or File System Freeze on Linux guests. This enables you to take a consistent snapshot of a VM without the running memory.

Production checkpoints are used by default on Windows Server 2016. And if taking production checkpoint fails, by default the host attempts to create a standard checkpoint.

You can configure the type of checkpoint a VM uses by using the Set-VM cmdlet.

To set the VM to only use production checkpoints, without the ability to fall back to a standard checkpoint, replace the Production option with ProductionOnly.

Checkpoints can also be configured from Hyper-V Manager by editing the settings of a VM.

Perform Remote Management of Hyper-V Hosts

Perform Remote Management of Hyper-V Hosts

Performing remote management of Hyper-V hosts within the same domain simply requires the permissions or delegation discussed in this previous article. However, managing a Hyper-V server that is in a Workgroup is slightly more complicated.

First, the Hyper-V server must have PowerShell remoting enabled. This is easily accomplished by running the Enable-PSRemoting cmdlet.

The network provided on the server must be set to Private. Otherwise, you also need to specify the -SkipNetworkProfileCheck parameter.

The second task on the Hyper-V host is to enable the WSMan credential role as a server. To accomplish this, run the following command:

The more complicated steps occur on the computer from which you plan to manage the Hyper-V. First, you must trust the Hyper-V server from the remote client. If the Hyper-V host is named LAB01, run the following command:

Then still on the remote client, you must also enable the WSMan credential role as a client, and specify the server to manage remotely through this command:

Finally, you will also need to configure the local policy (or a Group policy if you plan to have multiple remote management points on your domain) to allow credentials to be passed.


For each of the client settings, TrustedHosts, Delegate Computer, and WSMan, you can use a wildcard mask (*) as a substitute for specifying multiple Hyper-V hosts.

Beginning with Windows 10 and Windows Server 2016, you also have the option to specify different credentials to manage Hyper-V host from Hyper-V Manager. But the above steps must still be taken if the remote host is in a workgroup.

Enable Nested Virtualization on Hyper-V and Windows Server 2016

Enable Nested Virtualization on Hyper-V and Windows Server 2016

As you should know, through the latest version of Hyper-V coming with Windows Server 2016 & Windows 10 you can enable Nested Virtualization, which means you can install Hyper-V role on a Hyper-V virtual machine.

But in order to activate this functionality you need to meet some requirements, otherwise you will face this kind of error.

  • Dynamic Memory must be disabled on the virtual machine containing the nested instance of Hyper-V
  • VM must have more than 1 vCPU
  • MAC address Spoofing must be enabled on the NIC attached to the virtual machine. This setting can be found in the advanced settings under the NIC in the virtual machine’s properties.
  • Virtual Machine version must be 8.0
  • Virtualization Extensions need to be exposed to the VM as seen below.

By default the virtualization extensions setting is disabled. To enable this setting, you have to use this command:

You need to power off the virtual machine to apply most of these settings.

Once all these settings have been applied, you can now install Hyper-V role and features on your virtual machine.

Virtual machines that are being used with nested virtualization no longer support these features:

  • Runtime memory size
  • Dynamic memory
  • Checkpoints
  • Live migration
Manage Virtual Machines Using Windows PowerShell Direct

Manage Virtual Machines Using Windows PowerShell Direct

Coming with Windows Server 2016, PowerShell Direct is a new feature which gives you a way to run Windows PowerShell commands in a VM from the host. Windows PowerShell Direct runs between the host and the VM. This means it doesn’t require networking or firewall requirements, and it works regardless of your remote management configuration.

Windows PowerShell Direct works much like remote Windows PowerShell except that you do not need network connectivity. To connect to the VM from a host, use the Enter-PSSession cmdlet.

You will be prompted for credentials and then you can manage the VM from this PSSession. The Invoke-Command cmdlet has been updated to perform similar tasks; for example, you can execute a script from the host against the VM.

To enter into a PowerShell direct session, you must be logged onto the host as a Hyper-V administrator. The VM must be running locally and already booted to the OS.


Delegate Virtual Machine Management in Hyper-V

Delegate Virtual Machine Management in Hyper-V

The most simple and effective method of enabling others to manage Hyper-V and virtual machines is to add them to the Hyper-V Administrators local security group for each of the Hyper-V hosts to which you plan to delegate management. However, this might not be the most secure method because doing so gives the new administrators permissions to change virtual switch and host settings in addition to VMs.

To delegate access to individual VMs, you need to modify the Hyper-V Authorization Manager store. This enables you to create task and role definitions to which you can delegate access. Find below the general steps to modifying the Hyper-V services authorization.

In order to accomplish this, launch an MMC (Microsoft Management Console) session, and add the Authorization Manager to the console.

Then right-click the Authorization Manager, and click Open Authorization Sore. In the window, ensure that XML File is selected and browse to %systemroot%\ProgramData\Microsoft\Windows\Hyper-V\ to select InitialStore.xml.

Expand Authorization Manager, Initial Store, Hyper-V services, Role Assignments. Note that by default, the only role assignment is an Administrator. To create new role assignment, expand Definitions and then right-click Task Definitions. Select New Task Definition.

Name the task definition “VM Operator” for example. And select operations that you would want the custom role to do.

Now that you have created a group of tasks, you can create the role that can use these tasks. For this, right-click Role Definitions, and then select New Role Definition. Name the Role Definition such as VM Operator role, and then click OK. There are now two role definitions.

Next, you can create the Role Assignment, which is what user accounts are linked to for the permissions. Right-click Role Assignments, and click New Role Assignment. Select the VM Operator Role, and then click OK.

Right-click the new role assignment, select Assign Users and Groups, and then click From Windows and Active Directory. Select a user or group that you plan to delegate the permissions to, and then click OK.

Error: Failed while creating virtual Ethernet switch

Error: Failed while creating virtual Ethernet switch

If you encounter the error Failed while creating virtual Ethernet switch with Invalid class string as an explanation, it means that you need to repair some DLL on your OS.

To resolve this issue you will have to use System File Check tool that is built into the Operating System to look for system file corruption. (Keep in mind it is always a good idea to have a backup of your data). Follow these steps to launch the repair process:

  • Start a CMD as Administrator
  • If you want to verify and repair the OS type : sfc /scannow
  • If you want to check (verify only) the OS type : sfc /verifyonly (no changes will be made and it will generate a report)
  • Reboot your system when the repair is successful
  • Try to create again your virtual switch in Hyper-V
Install Hyper-V role on an Hyper-V VM

Install Hyper-V role on an Hyper-V VM

In order to avoid the error message when you try to install Hyper-V role on a Hyper-V VM through GUI, you will have to run several Powershell commands:

  • First, you need to change your Powershell execution policy script to at least Remote Signed: Set-ExecutionPolicy RemoteSigned
  • Then you will have to install Hyper-V role: Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
  • This step is to install Hyper-V management tools: Install-WindowsFeature RSAT-Hyper-V-Tools -IncludeAllSubFeature
  • (Optional) Finally, you can also install Failover Cluster and MPIO feature: Install-WindowsFeature RSAT-Clustering,Multipath-IO -IncludeAllSubFeature

Then you will just need to reboot your VM to complete the installation process. But don’t forget, you will be able to create an Hyper-V failover cluster and create highly available VM but you will not be able to start them.