Q. What permissions do I need to set on the file system and share to host Hyper-V virtual machines on a SMB 2.2 file share with Windows Server 2012?

A:Windows Server 2012 (formerly code-named Windows Server 8) introduces the ability for virtual machines (VMs) to be stored on a file share that supports SMB2.2 (Windows Server 8 file server). The computer accounts (computer$) need Full Control of both the folder and the share.

Also, the administrator creatingthe VMs also needs Full Control on the file system and share. The easiest way to do this is from the command prompt.

Run the commands below to create thefolder and set the NTFS permissions for Hyper-V servers ServA and ServB plus the domain admins:

 md C:HVShareICACLS C:HVShare /Inheritance:RICACLS C:HVShare /Grant "domainnamedomain admins:(CI)(OI)F"ICACLS C:HVShare /Grant domainnameserva$:(CI)(OI)FICACLS C:HVShare /Grant domainnameservb$:(CI)(OI)F

Next run the Windows PowerShell cmdlet below to create the share with the same Full Control permissions (run within PowerShell window):

New-SmbShare -Name HVShare -Path C:HVShare –FullAccess "domainnamedomain admins:(CI)(OI)F", domainnameserva$, domainnameservb$

An example execution in my environment with 3 Hyper-V servers can be seen below.C:>md C:HVShare

C:>ICACLS C:HVShare /Inheritance:R
processed file: C:HVShare
Successfully processed 1 files; Failed processing 0 files

C:>ICACLS C:HVShare /Grant "savilltechdomain admins:(CI)(OI)F"
processed file: C:HVShare
Successfully processed 1 files; Failed processing 0 files

C:>ICACLS C:HVShare /Grant savilltechsavdalbfs08$:(CI)(OI)F
processed file: C:HVShare
Successfully processed 1 files; Failed processing 0 files

C:>ICACLS C:HVShare /Grant savilltechsavdalscs01$:(CI)(OI)F
processed file: C:HVShare
Successfully processed 1 files; Failed processing 0 files

C:>ICACLS C:HVShare /Grant savilltechsavdalscl08$:(CI)(OI)F
processed file: C:HVShare
Successfully processed 1 files; Failed processing 0 files


PS C:> New-SmbShare -Name HVShare -Path C:HVShare –FullAccess "savilltechdomain admins", savilltechsavdalbfs08$, savilltechsavdalscs01$, savilltechsavdalscl08$

Name ScopeName Path Description
---- --------- ---- -----------
HVShare * C:HVShare

If you use the graphical interface, make sure you select Computers as an object type when adding the security or it won't find the names of your Hyper-V servers.(See screen shot below.)

Win8VMonSMBSetup

Permissions can be checked with the ICACLS.EXE /T command and Get-SmbShareAccess PowerShell cmdlet.

Below are the outputs from mine, respectively.

C:>ICACLS.EXE C:HVShare /T
C:HVShare SAVILLTECHdomain admins:(OI)(CI)(F)
SAVILLTECHsavdalscl08$:(OI)(CI)(F)
SAVILLTECHsavdalscs01$:(OI)(CI)(F)
SAVILLTECHsavdalbfs08$:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files


PS C:> Get-SmbShareAccess HVShare

Name ScopeName AccountName AccessControlType AccessRight
---- --------- ----------- ----------------- -----------
HVShare * SAVILLTECHdomain ad... Allow Full
HVShare * SAVILLTECHsavdalbfs08$ Allow Full
HVShare * SAVILLTECHsavdalscs01$ Allow Full
HVShare * SAVILLTECHsavdalscl08$ Allow Full

After writing this I found a great MSDN blog post "Windows Server 2012 Beta - Test cases for Hyper-V over SMB (includes PowerShell examples)," which I would recommend reading as it covers lots of scenarios using SMB and Hyper-V. 

See FAQs on Windows, virtualization, systems management, and all things Microsoft, at John Savill's FAQs.