Error Message: The server encountered an error while creating “Name of the VM”

Recently, I worked on the below issue and thought this might be worth blogging about:

On a Hyper-V Server, existing VMs were running just fine; however, we could not create new VMs. The error at the final stage of the Wizard was:

The server encountered an error while creating “Name of the VM”
The operation failed
Failed to create external configuration store at <Path to the VM>: A required privilege is not held by the client. (Virtual machine ID 0x80070522)

As it turned out, the Virtual Machine Management Server was not able to create a symbolic link for the machine at "%systemdrive%\programdata\Microsoft\Windows\Hyper-V\Virtual Machines".

By default, the local User Right “Create Symbolic links” is assigned to the Administrators group. Once you install Hyper-V, an extension is installed on this machine that allows Service SIDs to be used, and the Service SID “Virtual Machines” is allowed to “Create Symbolic links”.

Now, you might have the requirement to configure the User Right “Create Symbolic links” with a Domain GPO. Once configured it replaces the local assignment, and for Hyper-V Hosts you'd need to add the “Virtual Machines” Service SID. The Domain Controller is most likely not a Hyper-V Host, and does not have the necessary Hyper-V extension. Also the GPO Admin tools will not allow you to browse the Service SID namespace. Simply adding the string “Virtual Machines” does not help either as it needs to have the Hyper-V Service SID Prefix “NT VIRTUAL MACHINES”.

To get the necessary Service SID added, you need to edit the GptTmpl.inf that is associated with the GPO directly on the Sysvol. [You need to locate the correct GptTmpl.inf by the GPO's Unique ID]

Example with Administrators and added “Virtual Machines”

….
[Privilege Rights]
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544, NT Virtual Machine\Virtual Machines

 

Cheers

Robert
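
A check for the condition described in the post, as an added example that is not part of the original post: it reads the lines of a GptTmpl.inf (or of a `secedit /export` user-rights export taken on the host) and reports whether SeCreateSymbolicLinkPrivilege is defined without the Hyper-V principal. The function name, the constructed sample lines and the SID spelling `*S-1-5-83-0` are assumptions that do not come from the post.

```powershell
# Added example, not the blog author's code.
# Accepted spellings of the Hyper-V principal: the name used in the post's
# GptTmpl.inf example, and the well-known SID form (assumption, not in the post).
$VmPrincipals = @('NT Virtual Machine\Virtual Machines', '*S-1-5-83-0')

function Test-SymlinkRightForHyperV {
    param([Parameter(Mandatory)][string[]]$InfLines)

    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user-right assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $text -match '^SeCreateSymbolicLinkPrivilege\s*=\s*(.*)$') {
            $members = @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $hasVm = @($members | Where-Object { $VmPrincipals -contains $_ }).Count -gt 0
            return [pscustomobject]@{
                Defined    = $true      # the policy sets the right, replacing the local list
                Members    = $members
                HyperVSafe = $hasVm     # false: VM creation fails as in the post
            }
        }
    }
    # Right not defined in this file: the local assignment stays in effect.
    [pscustomobject]@{ Defined = $false; Members = @(); HyperVSafe = $true }
}

# Constructed sample input: a GPO that lists only Administrators ...
$gpoBroken = @('[Unicode]', 'Unicode=yes', '[Privilege Rights]',
               'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544')
# ... and the same GPO after the edit shown in the post.
$gpoFixed  = @('[Privilege Rights]',
               'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544, NT Virtual Machine\Virtual Machines')

Test-SymlinkRightForHyperV -InfLines $gpoBroken
Test-SymlinkRightForHyperV -InfLines $gpoFixed

# Real input: Get-Content on the GPO's GptTmpl.inf, or on the file written by
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
```
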

Comments

  • Anonymous
    January 05, 2011
    That's all and well, except that this privilege can't be applied via Group Policy (the resultant setting is "Virtual Machines" instead of "NT Virtual Machine\Virtual Machines" - i.e. the Group Policy extension does not understand the "NT Virtual Machine" authority).

  • Anonymous
    January 28, 2011
    Is there any way to edit that in the Local Security Policy? On a Hyper-V host, I granted someone the Create Symbolic Links user right, which destroyed the Virtual Machines SID from that user right, and now that host is broken in Hyper-V sense.

  • Anonymous
    February 23, 2011
    I don't get this to work. VMM says the same error.

  • Anonymous
    August 21, 2014
    You're the man! Editing the .ini within SYSVOL policy location was the trick! Would have spent a little bit of time on this one, Thanks!

  • Anonymous
    October 08, 2014
    Worked for me. Since you spell the prefix ending with an 'S' in the paragraph above, I'll add that the correct format is how you have it listed in the example: NT Virtual Machine\Virtual Machines. From the below blog, it sounds as though Server 2012 handles this a little differently. Server 2008r2 uses the Network Service acct to do some things like start a VM (but apparently not for VM creation), but Server 2012 uses the Virtual Machine's SID for everything. Here is an important excerpt: "To ensure members of the NT VIRTUAL MACHINE\Virtual Machines security group maintain the rights they need, VMMS registers with Group Policy in order to update the local security policy whenever Group Policy is refreshed." So they learned from this problem with 2008r2 and built in necessary communication in 2012 to make sure the VM services didn't lose the rights they needed. blogs.technet.com/.../logon-failures-involving-virtual-machines-in-windows-server-2012.aspx