Cloudtidings.com

Hi

Thanks to Dan Boldo (MSFT) and Ben Armstrong (MS Virtualisation PM), here are an explanation and the fix for the error.

Notes:

• This error only affects VMConnect and does not affect remote desktop connections.
•  Though this error may occur, the Hyper-V service will continue to operate.   Neither the Hyper-V host nor the running virtual machines will go offline.
• Microsoft Virtualization Team also confirmed that this issue also affects  Windows 2008 R2 Hyper-V.
• For Configuring Certificates for Virtual Machine Connection, please read http://technet.microsoft.com/en-us/library/ff935311(WS.10).aspx

The Error

 
Hyper-V Manager

[Main Instruction]
An error occurred while attempting to change the state of virtual machine ‘VMxxx’.

[Content]
‘VMxxx’ failed to initialize.

Could not initialize machine remoting system. Error: ‘Unspecified error’ (0x80004005).

Could not find a usable certificate. Error: ‘Unspecified error’ (0x80004005).

[Expanded Information]
‘VMxxx’ failed to initialize. (Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

‘VMxxx’ could not initialize machine remoting system. Error: ‘Unspecified error'(0x80004005).(Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

‘VMxxx’ could not find a usable certificate. Error: ‘Unspecified error’ (0x80004005). (Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

The Explanation

This error is basicaly cause when the certificate expired, users couldn’t connect or start a VM and then VMMS raise an error. If you try connecting again, this will generate the same message because the certificate was still in an expired state.

The Solutions

Initial one

For Windows 2008, Microsoft introduced a fix (http://support.microsoft.com/kb/KB967902) which auto-generated a new certificate and sent the VMMS to grab it. 

The idea was to have certificates that lasted for one year and then auto-renew.

But, this fix let to another issue : “After a new Hyper-V VMMS certificate is generated, there are mouse and screen resolution issues when managing a virtual machine using the Hyper-V Manager Console”, described  in this KB http://support.microsoft.com/kb/2413735  :

• When in one year, self-signed certificate expirees, the VMMS grabs a new one but the certificate refresh process is flawed.
• During the refresh the user loses control of their mouse and their connection resolution drops back to default.

This problem is due the certificate refresh triggers a reset in the VMConnect RDPEncoder. It then initializes a method which puts the mouse in PS2 mode and it change the display settings to RdpEncoderDefaultxxx.

Workaround for this second issue:

•  
  • Place the virtual machines in a saved state and then resume the virtual machines.
  • Restart the virtual machines.

Important Notes : 

• This will restart the VMMS and affect all running VMs on that host.
• Save as ps1
• Make sure you have MakeCert on the host
• For more information on how to obtain Makecert.exe, please visit the following Microsoft web site: http://msdn.microsoft.com/en-us/library/aa386968(VS.85).aspx

 

The Script :

#######################################################################
# Dan Boldo (MSFT)
#

#
#define exception behavior
trap
{
  trap { continue }
  write-host -ForegroundColor Red “Unexpected Exception!`n`r”
  write-host -ForegroundColor White ($_.invocationinfo.positionmessage -replace “`n”)
  0..100 | foreach { write-host -ForegroundColor White   ((gv -ErrorAction SilentlyContinue -scope $_ myinvocation).value.positionmessage -replace “`n”) }
  write-host -ForegroundColor Red “$($_.Exception)”
  exit 1
}
$hostname = “$((gwmi win32_computersystem).dnshostname).$((gwmi win32_computersystem).domain)”
write-host “Host name found:” $hostname
function CreateCert()
{
    write-host “Creating a new certificate using makecert.exe”
    .\makecert.exe -r -pe -n “CN=$hostname” -b 01/01/2005 -e 01/01/2050 -sr LocalMachine -ss My -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1
}
function FindCert()
{
    $t = new-object System.DateTime(2049,1,1,1,10,10)
    $certs = @(dir cert:\LocalMachine\My -recurse | ?{$_.subject -eq “CN=$hostname”} | ? { $_.NotAfter.CompareTo($t) -eq 1 })
    if($certs[0] -eq $null)
    {
        return $null;
    }
    if($certs.Length -ne 1)
    {
        write-warning “More than one certificate is found in store. Please don’t run makecert.exe multiple times.”
    }
    $certs[0];
}

#Find the certificate of interest
$cert = FindCert
if($cert -eq $null)
{
    CreateCert
    $cert = FindCert;
    if($cert -eq $null)
    {
        throw “Certificate Not Found error. Check if makecert.exe is successful or not”
    }
}
write-host “Found certificate of interest:”
write-host $cert | select NotBefore, NotAfter

#tweak system settings to let VMMS use the certificate of interest.
$thumbprint = $cert.Thumbprint 
$location = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$folderlocation = gc env:ALLUSERSPROFILE
$folderlocation = $folderlocation + “\Microsoft\Crypto\RSA\MachineKeys\”
$filelocation = $folderlocation + $location
icacls $filelocation /grant “*S-1-5-83-0:(R)”
$thumbprint = $cert.Thumbprint
reg add “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization” /v “AuthCertificateHash” /f /t REG_BINARY /d $thumbprint

#fix loopback case.
$store = new-object System.Security.Cryptography.X509Certificates.X509Store(“Root”,”LocalMachine”)  
$store.open(“MaxAllowed”)   
$store.add($cert)   
$store.close()   

#restart vmms
net stop vmms
net start vmms

# Wait for job completion
function WaitForResult($ret)
{
  if($ret.ReturnValue -eq 0) { return; }
  if($ret.ReturnValue -ne 4096)
  {
    Throw “Error was returned from WMI call: $($ret.ReturnValue)”;
  }
  $timeout = 300; # 5 minute timeout
  while($true)
  {
    $job = [wmi]$ret.job
    if($job.JobState -eq 7) { return; }
    if($job.JobState -gt 7) { throw “Error while processing WMI job! $($job | fl * | out-string)” }

    if($timeout -le 0) { throw “Timeout while processing WMI job! $($job | fl * | out-string)” }

    $timeout -= 5;
    Sleep 5
  }
}

# get all VMs in Running state.
$vms = gwmi -n root\virtualization msvm_computersystem
$vms = $vms | where {$_.Name -ne $env:computername}
$vms = $vms | where {$_.EnabledState -eq 2}

#Save/Restore for all running VMs
foreach($vm in $vms)
{
    if($vm -ne $null)
    {
     Write-Host “Doing Save/Restore for VM:” $vm.ElementName
     WaitForResult  $vm.RequestStateChange(32769)
     WaitForResult  $vm.RequestStateChange(2)
    }
}