Windows – “RPC server unavailable” trying to access Hyper-V server from Hyper-V Manager on Windows 8.1 client

hyper-vnetworkingrpcwindows 8.1windows-server-2012-r2

The problem

After searching for uses for my old laptop, I've decided to turn the Wyvern into a virtualization server running Microsoft Hyper-V Server 2012 R2 (freely available, essentially a heavily stripped-down Windows Server 2012 R2 with just the hypervisor features). However, I'm having some trouble connecting to it from my Windows 8.1 Pro client, the Dragon. I'm getting the following error message from Hyper-V Manager on the client:

RPC server unavailable. Unable to establish connection between WYVERN and DRAGON.

If I disable Windows Firewall on the server altogether (with net stop MpsSvc), I get the following:

Cannot connect to the RPC service on computer WYVERN. Make sure your RPC service is running.

In both cases, Hyper-V Manager displays "Loading virtual machines…" before displaying the error message, indicating that the client is otherwise able to connect to the server.

Note: While the community at Server Fault is probably better able to address this problem, it is technically off-topic there as this is in a home environment (but see this Meta Server Fault question for a relevant debate). As a result, I'm posting this question here.

Networking information

The computers are connected over a LAN and joined to the same workgroup (not a domain). Both computers are able to resolve the other computer's name to the correct IP address, can ping each other successfully, and are able to access the Internet.

Oddly enough, it works when the server is directly connected to the client via an Ethernet cable, with Internet Connection Sharing to the Ethernet adapter on the client and DHCP enabled on the server. This might provide a clue as to the exact cause of the problem.

Steps taken

I've done extensive research into this issue and have taken the following steps:

Client side

  • I've added the Wyvern into the hosts file on the client.
  • I've configured the firewall to allow all communication between the two computers. (Disabling the firewall altogether does not help.)
  • I've set DCOM permissions on the client to allow ANONYMOUS LOGON remote access.
  • I've set up authentication credentials so that it always logs into the server with the correct username (Administrator) and password (so no "Access is denied" errors).

Server side

  • I've installed all Windows Updates at the server.
  • I've rebooted the server several times.
  • I've assigned the server a static IP address, which is listed in the client's hosts file.
  • I've added the Administrator user to the "Distributed COM Users" group: net localgroup "Distributed COM Users" /add Administrator
  • I've run the PowerShell command Enable-NetFirewallRule -DisplayGroup "Windows Remote Management", as well as netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes, to ensure that the firewall on the server side is not blocking remote management access.
  • I've run Enable-NetFirewallRule -DisplayGroup "Network Discovery" to perform the equivalent of what is described in this blog post.

I'm at my wit's end as to what the problem is. Any ideas?

Best Answer

Running HVRemote helped to elucidate the cause, and it turns out the firewall on the client was misconfigured.

The Dragon is protected by Norton Internet Security. While I had a firewall rule explicitly granting access to the server, it was placed at the bottom of the list of rules, so it did not have the intended effect and DCOM communication was blocked by the firewall anyway. After moving the rule to the top of the list, I am able to reach the server through Hyper-V Manager without any issues.

To clarify the issue, here's what the online documentation for Norton Internet Security says:

The Smart Firewall processes Traffic rules before it processes Program rules. For example, when there is a Program rule that allows Internet Explorer to access Internet using port 80 with TCP protocol and a Traffic rule that blocks TCP communication through port 80 for all applications. The Internet Explorer application cannot access the Internet as Norton Internet Security gives precedence to Traffic rules over the Program rules.

Within the list of Traffic rules, rules are processed in order of appearance, from top to bottom. Program Rules entries are not processed in order. The rules within each Program Rules entry, however, are processed in order of appearance, from top to bottom.

For example, you have a Program rule for the Symantec pcAnywhere application that blocks the use of the application with any other computer. You add another rule for the same application that allows its use with a specific computer. You then move the new rule before the original rule in the program rule list. Norton Internet Security processes the new rule first and lets you use Symantec pcAnywhere with that specific computer. It then processes the original rule and prevents its use with any other computer.

As a happy ending, here's the openSUSE installer running on a VM hosted on the Wyvern and displayed on the Dragon:

Remote virtual machine displayed on desktop

Related Question