TOTD: Non-administrators access in Hyper-V, AzMan, FAQ

What is AzMan and why should I know about it?

AzMan (azman.msc) is the Windows Authorization Manager. AzMan was the preferred method to provide granular access to the Hyper-V functions to non-administrators .

Unfortunately, it was deprecated in Windows Server 2012 and it doesn’t work in Windows Server 2012 R2.

How to use AzMan?

Enter to Hyper-V host, win+r and type AzMan.msc  -> open configuration store (C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml)

Then create new scope (optionally), role and tasks definition and then assign user to this role. That’s it.


Err..What about Server 2012 R2?

You may notice AzMan.msc and InitialStore.xml are still existed in 2012 R2. But…it doesn’t really work. In Server 2012 R2 Hyper-V uses simple authorization. It’s just a group “Hyper-V Administrators”.


So , if you want to provide Full Access  to Hyper-V you simply add users/groups to this built-in group. There is no RBAC (Role-Based Access Control).100% RBAC is available only in VMM.

TOTD: DC is not advertising as a time server

#Hello, guys! 
#Here is a new tip of the day (TOTD). 
#Today we discuss how to fix the most common warning which you may receive on DCs

#You run dcdiag on your DC and receives warning " not advertising as a time server"

dcdiag /q
Warning: nameofdc is not advertising as a time server.
......................... nameofdc failed test Advertising

#The main time source in domain is DC with PDC role . Run the following command to query FSMO owners:

netdom query fsmo

#On your PDC you have to set up w32tm with external (generally) or internal time source. for example,

w32tm /config / /syncfromflags:manual /reliable:yes /update

#On your additional DCs run
w32tm /config /syncfromflags:domhier /update

#Restart w32time service on each DC
net stop w32time
net start w32time

#Update w32tm config
w32tm /config /update

#Resync time
w32tm /resync

#Re-run dcdiag
dcdiag /q /s:yourDCname

Time Synchronization in an AD DS Hierarchy