Symbolic link creation for SMB Share | Hyper V

New users might want to migrate their existing Hyper-V VMs to the Nutanix platform. One challenge arises if the existing customer environment is using traditional storage (CSV or a SCSI disk) for the VHDX virtual disk.

Symlink Path 

  • On W2k12R2 “C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines”
  • On W2k16 “C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines Cache”

I need to validate the symlink configuration process on 2016 servers; the specified steps seem not to be applicable.

The import feature doesn’t work with SMB shares from the GUI, but Import-VM from PowerShell can be used.

The challenge comes in if the customer wants these SMB shares to be accessible as local mount points. This can vary from customer to customer, depending on their requirements; for instance, there are backup applications which require a local reparse point. So a customer may come up with the requirement that they want to access the SMB share as a local folder, and it should be accessible remotely when queried via SCVMM or the nodes (like a normal SMB share accessed via a UNC path, \\XXX\c\______ ). There is a chance that they may require the VHDX paths to be available locally. The core idea behind this KB is how we can ensure that our SMB datastore stays available on the Hyper-V hosts as a local directory.

For instance, this is the SMB path which we want to access on a Windows server as a local directory: \\stooge-smb\stooge\test\import

In a nutshell, these are the steps which need to be performed. We can use the same mechanism to map the SMB container to a Windows-based server: by creating a symbolic link, it appears as a local folder and applications can use it without any restriction.

1. Add the IP which will access the share to the Nutanix File system whitelist.
2. Create a symbolic link using mklink /D on the server to create a local folder which maps to the SMB path.

The simplest way to ensure that an SMB share is accessible to the host as a local folder is to create a permanent symbolic link, which can be achieved using mklink. In our case I created a symbolic link for the SMB path \\stooge-smb\stooge\test\import, and it’s mapped to a local directory named Mylink.

For instance, in order to map it as a local directory, the following command needs to be executed:

mklink /D Mylink \\stooge-smb\stooge\test\import
Symbolic link created for Mylink <<===>> \\stooge-smb\stooge\test\import

This symlink now appears as a directory if we browse the local directory on the server:

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 5853-2EA6

 Directory of C:\

01/08/2015  08:42 AM             1,920 dshb_metro.ps1
10/01/2014  11:44 AM    <DIR>          Java
09/17/2015  11:48 PM    <SYMLINKD>     Mylink [\\stooge-smb\stooge\test\import]
08/07/2014  03:10 PM    <DIR>          NutanixUtils

However, if you query the same location from the network, you do not see this Mylink folder. To make sure the Mylink folder behaves as a local folder when queried remotely, we need to ensure that each machine which will query this symbolic link has symlinkevaluation enabled for remote (R2L, L2R & R2R) files, which is disabled by default.

fsutil behavior set symlinkevaluation R2L:1 R2R:1

C:\>fsutil behavior query symlinkevaluation
Local to local symbolic links are enabled.
Local to remote symbolic links are enabled.
Remote to local symbolic links are enabled.
Remote to remote symbolic links are enabled.

For Hyper-V

On each Hyper-V host, under “%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\virtual machine files”, you will find symlinks to the VM configuration files; each one points to the actual location of the XML file.

If you are not sure which VM a symlink exists for, look at the properties of the symlink: you’ll see the path to the XML file and you should be able to identify the VM it’s supporting. Alternatively, you can use the following command.

fsutil reparsepoint query "%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\virtual machine files\<./symlink>"
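To check every link in the folder at once, the following PowerShell script (an added example, not part of the original post) lists each GUID.xml symlink with its target, whether that target is reachable, and whether the link still carries the ACE for NT VIRTUAL MACHINE\<GUID> that is discussed further down. It assumes Windows PowerShell 5.0 or later and an elevated session; the function name and the default folder are assumptions.

```powershell
# Added example: audit the Hyper-V configuration symlinks on one host.
# Assumes Windows PowerShell 5.0+ (for the Target property) and an elevated session.
param(
    # Folder holding the GUID.xml symlinks (assumed default; adjust to your host)
    [string]$LinkDir = "$env:SystemDrive\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines"
)

function Get-VmConfigLinkStatus {   # hypothetical helper name
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.xml -Force | ForEach-Object {
        $isLink = $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
        $target = if ($isLink) { @($_.Target)[0] } else { $null }
        # Some PowerShell versions report UNC targets as "UNC\server\share\..."
        if ($target -like 'UNC\*') { $target = '\\' + $target.Substring(4) }
        $vmId = $_.BaseName          # the file is named <GUID>.xml
        # /L makes icacls read the ACL of the link itself, not of its target
        $acl = & icacls.exe $_.FullName /L 2>&1 | Out-String
        [pscustomobject]@{
            VmId         = $vmId
            IsSymlink    = $isLink
            Target       = $target
            TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
            HasVmSidAce  = $acl -match [regex]::Escape("NT VIRTUAL MACHINE\$vmId")
        }
    }
}

# Broken links and links without the service SID ACE sort to the top
Get-VmConfigLinkStatus -Path $LinkDir |
    Sort-Object TargetExists, HasVmSidAce |
    Format-Table -AutoSize
```

A row with IsSymlink False is a regular file where a link was expected, and a Target outside the expected storage container deserves a closer look before the link is trusted.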


There can be scenarios where the symbolic link is broken. Normally VMWP should be able to recreate it automatically, but in certain situations it may fail to do so, for instance if AV is causing issues.

Let’s say, in one of my cases, the symlink was getting deleted because the AV engine was scanning the files and treating it as a virus.
Once you are sure the symlink is actually broken and you see the following error,

Log Name: System
Source: Microsoft-Windows-Hyper-V-High-Availability
Date:
Event ID: 21502
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer:
Description:
‘Virtual Machine Configuration XX-XX-XX-XX’ failed to register the virtual machine with the virtual machine management service

You can proceed with the following steps to fix this.

1) On the Hyper-V host, go to the following location, where the symlinks are stored:

“%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\virtual machine files”

2) You need to know the location of the virtual machine configuration file.

Let’s say in my case it is \\Server\Container\Hyper-V\TestVMFolder\GUID.xml

C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines>mklink GUID.xml "\\Server\Container\Hyper-V\TestVMFolder\GUID.xml"

symbolic link created for GUID.xml <<===>> "\\Server\Container\Hyper-V\TestVMFolder\GUID.xml"

When we create a VM, Hyper-V creates a security entry (ACE) on this symbolic link for the SID of the worker process for the VM. Unfortunately, this ACE isn’t re-created when you recreate the symbolic link using mklink as detailed above, so the VM may fail to initialize. We need to add the service SID to this symbolic link so that Hyper-V is allowed to access it.

Service SID access

icacls "C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines\<GUID>.xml" /grant "NT VIRTUAL MACHINE\<GUID>":(F) /L
icacls \\Server\Container\Hyper-V\TestVMFolder /T /grant "NT VIRTUAL MACHINE\GUID":(F)

(This is just a good practice, to give the Service SID access to all files of our VM)

The /L parameter indicates that the operation is performed on the symbolic link itself rather than on its target.

If your machine had snapshots, we also need to create another symbolic link.
The snapshot itself has yet another guid.xml, found in the snapshots folder.

 
C:\>mklink "%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\snapshot_guid.xml" "\\Server\Container\Hyper-V\TestVMFolder\snapshot\snapshot_GUID.xml"

Service SID access here too:

 
C:\>icacls "%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\snapshot_guid.xml" /grant "NT VIRTUAL MACHINE\snapshot_guid":(F) /L

This has to be done for each individual snapshot.
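The repair steps above, collected into one PowerShell script as an added example (not code from the original post). The parameter names are hypothetical, and the script checks that the link name, the target file and the service SID all carry the same GUID before it grants anything.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V host.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$')]
    [string]$VmId,                # VM (or snapshot) GUID, i.e. the GUID in GUID.xml
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath,          # real file, e.g. \\Server\Container\Hyper-V\TestVMFolder\GUID.xml
    [string]$LinkDir = "$env:SystemDrive\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines",
    [switch]$GrantTargetFolder    # also run the optional /T grant on the VM folder
)
$ErrorActionPreference = 'Stop'

# Link name, target file name and service SID must all carry the same GUID; otherwise
# one VM's worker process would get Full control over another VM's configuration.
if ((Split-Path $ConfigPath -Leaf) -ne "$VmId.xml") {
    throw "Target file name does not match $VmId.xml"
}
# The path is handed to cmd.exe below, so refuse shell metacharacters
if ($ConfigPath -match '[&|<>^%"]') { throw 'Unexpected character in target path' }
if (-not (Test-Path -LiteralPath $ConfigPath -PathType Leaf)) {
    throw "Target not reachable: $ConfigPath"
}

$link = Join-Path $LinkDir "$VmId.xml"
$sid  = "NT VIRTUAL MACHINE\$VmId"

# mklink is a cmd.exe built-in; it exits non-zero if the link name already exists
& cmd.exe /c mklink $link $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "mklink failed for $link" }

# /L applies the grant to the symbolic link itself, not to the file it points to
& icacls.exe $link /grant "${sid}:(F)" /L
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $link" }

if ($GrantTargetFolder) {
    & icacls.exe (Split-Path $ConfigPath -Parent) /T /grant "${sid}:(F)"
    if ($LASTEXITCODE -ne 0) { throw 'icacls failed on the target folder' }
}

# Print the resulting reparse data and ACL for a manual check
& fsutil.exe reparsepoint query $link
& icacls.exe $link /L
```

For a snapshot, run it again with the snapshot's GUID, the snapshot XML as -ConfigPath, and -LinkDir pointing at the Snapshots folder.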
