Thursday, June 03, 2010

Using SCVMM Console on a foreign Domain

Microsoft designed Windows AD domains to put security boundaries around organisations and to enable structured administration of them. There are times when you wish your machine could be a member of more than one domain, but that is just not possible without setting up AD domain trusts etc.

My home lab is a good example - My laptop is on my employer's domain where other people in other countries are the administrators, and my virtual machines are on another where I am the evil overlord.

While it would be cool to link them all together, it's far too complicated and frankly I don't want my employer's IT department tinkering with my lab machines, and they won't be setting up any employer-employee domain trusts anytime soon.

I wanted to manage my virtual machines from my laptop without changing its existing configuration. Here's how I got it working for System Center Virtual Machine Manager and the Hyper-V administration tools:

My lab looks like this:

SCVMM R2 on a Hyper-V VM Win2k8 box, in its own domain (it's actually a DC as well, but that doesn't matter), and a laptop client running Win7 x64 in a different domain (no relationship between them).

• Log in to the client PC as your normal domain user account.
• Install the SCVMM console from media as usual.
• Create an account on the SCVMM server's domain with the same username and password as your client account, and make yourself a domain admin for good measure (you may not need this step, but all home labs need lots of domain admins!).
• Make SCVMMDomain\youraccount an SCVMM admin in the SCVMM console on the server.
• Get hold of John Howard's HVRemote script and run it on both client and server to enable anonymous DCOM (cscript hvremote.wsf /AnonDCOM:grant). WARNING: You are opening up your DCOM security here; be aware of this and read up if you are concerned.

• Each time, just before you launch the console on the client, establish a secure connection from client to server (non-admin command prompt on the client):

net use \\scvmmserver\ipc$ /user:scvmmdomain\youruser

(Note that if you've set everything up correctly you shouldn't be asked for a password.)

Now launch the SCVMM console and connect to the server.

Boom.

(Worked for me, your mileage may vary. If you cannot get this to work, follow John's blog details for remote Hyper-V admin console access from your client to the server - I had this working first, then added the SCVMM console afterwards.) I seem to get remote consoles and everything to my VMs as well, with the occasional disconnect - but hey.

BTW, unless an app is coded specifically to close all sessions and re-authenticate against the server, or to 'get' the domain it's connecting to from the client (e.g. AD domain tools), this trick should work for most apps like this that 'assume' (quite rightly) that everything is on the same AD domain, or a trusted domain.
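The per-launch step above (net use to IPC$, then start the console), wrapped so the session is removed again when the console closes. This is an added example, not part of the original post; the server and account defaults are the placeholder names from the net use line, and the console path is a parameter you supply for your own install.

```powershell
# Added example (not from the original post).
# -Server and -Account default to the placeholder names used in the post.
# -Console is the full path to the SCVMM console executable on this client.
param(
    [string]$Server  = 'scvmmserver',
    [string]$Account = 'scvmmdomain\youruser',
    [Parameter(Mandatory = $true)]
    [string]$Console
)

# Backtick keeps the trailing $ of "ipc$" literal inside the string.
$share = "\\$Server\ipc`$"

if (-not (Test-Path -LiteralPath $Console)) {
    throw "Console executable not found: $Console"
}

# Same command as in the post. With a matching username and password on
# both sides, net use should not prompt.
& net.exe use $share "/user:$Account"
if ($LASTEXITCODE -ne 0) {
    throw "net use failed with exit code $LASTEXITCODE"
}

try {
    # Block until the console is closed so the cleanup below runs afterwards.
    Start-Process -FilePath $Console -Wait
}
finally {
    # Remove the IPC$ session so the lab-domain connection does not stay
    # attached to this logon session once the console has exited.
    & net.exe use $share /delete /y
}
```

Run it from a non-admin PowerShell prompt on the client, in place of typing the net use command by hand.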

2 comments:

Jared H said...

Any idea on how to use SCVMM without the server being part of a domain? i.e. I don't want to set up a domain on the server just to use the software...

mart said...

Hi Jared - I think you'll struggle with that one. Unfortunately the SCCM product is built around having a domain, as it uses AD to store some attributes related to machine management etc. Why not make your SCCM VM (or server) a DC, that will probably work?