Skip navigation
Menu

Q. What permissions do I need to set on the file system and share to host Hyper-V virtual machines on a SMB 2.2 file share with Windows Server 2012?

A: Windows Server 2012 (formerly code-named Windows Server 8) introduces the ability for virtual machines (VMs) to be stored on a file share that supports SMB 2.2 (Windows Server 8 file server). The computer accounts (computer$) need Full Control of both the folder and the share.

Also, the administrator creating the VMs also needs Full Control on the file system and share. The easiest way to do this is from the command prompt.

Run the commands below to create the folder and set the NTFS permissions for Hyper-V servers ServA and ServB plus the domain admins: 

 md C:\HVShare
ICACLS C:\HVShare /Inheritance:R
ICACLS C:\HVShare /Grant "domainname\domain admins:(CI)(OI)F"
ICACLS C:\HVShare /Grant domainname\serva$:(CI)(OI)F
ICACLS C:\HVShare /Grant domainname\servb$:(CI)(OI)F

Next run the Windows PowerShell cmdlet below to create the share with the same Full Control permissions (run within PowerShell window): 

New-SmbShare -Name HVShare -Path C:\HVShare –FullAccess "domainname\domain admins:(CI)(OI)F", domainname\serva$, domainname\servb$

An example execution in my environment with 3 Hyper-V servers can be seen below. C:\>md C:\HVShare

C:\>ICACLS C:\HVShare /Inheritance:R
processed file: C:\HVShare
Successfully processed 1 files; Failed processing 0 files

C:\>ICACLS C:\HVShare /Grant "savilltech\domain admins:(CI)(OI)F"
processed file: C:\HVShare
Successfully processed 1 files; Failed processing 0 files

C:\>ICACLS C:\HVShare /Grant savilltech\savdalbfs08$:(CI)(OI)F
processed file: C:\HVShare
Successfully processed 1 files; Failed processing 0 files

C:\>ICACLS C:\HVShare /Grant savilltech\savdalscs01$:(CI)(OI)F
processed file: C:\HVShare
Successfully processed 1 files; Failed processing 0 files

C:\>ICACLS C:\HVShare /Grant savilltech\savdalscl08$:(CI)(OI)F
processed file: C:\HVShare
Successfully processed 1 files; Failed processing 0 files


PS C:\> New-SmbShare -Name HVShare -Path C:\HVShare –FullAccess "savilltech\domain admins", savilltech\savdalbfs08$, savilltech\savdalscs01$, savilltech\savdalscl08$

Name ScopeName Path Description
---- --------- ---- -----------
HVShare * C:\HVShare

 

If you use the graphical interface, make sure you select Computers as an object type when adding the security or it won't find the names of your Hyper-V servers.(See screen shot below.)

Win8VMonSMBSetup
Win8VMonSMBSetup

Permissions can be checked with the ICACLS.EXE /T command and Get-SmbShareAccess PowerShell cmdlet.

Below are the outputs from mine, respectively.

C:\>ICACLS.EXE C:\HVShare /T
C:\HVShare SAVILLTECH\domain admins:(OI)(CI)(F)
SAVILLTECH\savdalscl08$:(OI)(CI)(F)
SAVILLTECH\savdalscs01$:(OI)(CI)(F)
SAVILLTECH\savdalbfs08$:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files


PS C:\> Get-SmbShareAccess HVShare

Name ScopeName AccountName AccessControlType AccessRight
---- --------- ----------- ----------------- -----------
HVShare * SAVILLTECH\domain ad... Allow Full
HVShare * SAVILLTECH\savdalbfs08$ Allow Full
HVShare * SAVILLTECH\savdalscs01$ Allow Full
HVShare * SAVILLTECH\savdalscl08$ Allow Full

After writing this I found a great MSDN blog post "Windows Server 2012 Beta - Test cases for Hyper-V over SMB (includes PowerShell examples)," which I would recommend reading as it covers lots of scenarios using SMB and Hyper-V. 

 

See FAQs on Windows, virtualization, systems management, and all things Microsoft, at John Savill's FAQs.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish