Hyper-V Guest OS unable to connect to Microsoft

Weirdest thing I've seen.  Brand new W2K8 R2 Enterprise server, hypervisor install went fine.  Built a new VM (also W2K8 R2), went to register Windows and got timeout error 0x80072EE2.  Windows update failed with 8024402F.  The hypervisor can hit microsoft.com, register, update and the like with no problems.  Guest OS can hit google in a browser with no problem.  Can ping other sites by name or IP with no error, but a ping attempt at MS does a DNS resolution and times out on the ping.

Basically the OS will just NOT communicate with MS anything.  Kind of sounds like virus in the hosts file type behavior...but isn't.  It's a brand new build.  Haven't even added roles, RDP, shares, or anything.  Disabled the on-system firewall and still no luck.  Filtering not happening via our perimeter routing/firewall system either.

Blew away the VM, and started from scratch.  Same behavior on the second and third attempts.

Not sure if this is significant, but it's an HP OEM version of the OS.

Completely at a loss for what could be causing this.

Thanks in advance for any pointers,


Svet PaperovIT ManagerCommented:
This thread says that both errors are connection-related: http://support.microsoft.com/default.aspx?scid=kb;en-us;836941

Do you have an external firewall between the Virtual machine and your DNS server? Some hardware firewalls could cause timeouts with Windows Server 2008 DNS requests, Cisco ASA is one of them.

Check if Background Intelligent Transfer Service is running on the VM. It has to be Automatic (delayed start) startup type.

The OEM DVD should not cause a problem but you need to use the serial number for virtual machines. However, you could download the evaluation version of WS 2008 R2 and install it on a VM to rule out the installation media.
fuatsAuthor Commented:
Turns out MS has disabled ICMP.  Didn't think to check ping from other machines.  Still no connection with Win Update, Registration, or web.  Turned IE Enhanced Security Configuration to off for Admin and users (temporarily) and same results.

BITS is active (starts auto when Windows Update begins, even though it was set to "Manual" initially.)  I set it to Auto (Delayed Start) and fired it off again.  Still no-go.

We do have a firewall, but it's not blocking anything related to this.  That, and the host OS is hitting everything fine.  Also put the problematic guest OS on the domain with no issues.

I've tried most of the steps on that link a few times already, but in no particular order.  I think I'm going to stop, clear my head, and go through it step-by-step again in an orderly fashion - because sometimes in my haste I miss little things.
Svet PaperovIT ManagerCommented:
I would check the firewall for a DNS inspection as well, especially if this is the first WS 2008 that has been installed on the network. I don't know about the other firewalls, but the DNS inspection engine on Cisco ASA limits DNS UDP packets to 512 bytes by default. WS 2008 uses larger DNS UDP packets and that could cause domain name related timeouts.

fuatsAuthor Commented:
I don't think our firewalling system has that limitation, but at this point I'll check anything.  It will save me hair-loss.

This is the second 2008 system, kind of; if you count the hypervisor that it's running on.  That machine is working fine, which is the frustration for me.  If one didn't work initially, and the second failed too - that's expected, but the non VM install went pretty slick and worked out of box.  Same media, same OS, same physical hardware, same NICs, and firewalling.

Another just-found situation that sucks, but is good in that it's a second data-point, is that my AV install isn't getting to the external update server, but the host system can.  I'm leaning toward something getting lost between the VM and host.
Svet PaperovIT ManagerCommented:
Is this AV host also a virtual machine? If yes, it makes sense.

Did you rule out any hardware problem, like cables, switch ports, etc.? I presume your server has multiple network ports and, I also presume, you have separated the management traffic to the Hyper-V host from the data traffic of the virtual machines on different network ports. Maybe you could try to create another virtual switch from a different network adapter on the Hyper-V host and plug the VMs there.

What does the Windows Update log say? You should be able to find much more information about the error there. Obviously, all those problems are related; I just think that the update issue will be easier to troubleshoot. It's located in %windir%\Windowsupdate.log.
fuatsAuthor Commented:
AV Server it's set to pull updates from is on the internet.  Update log file didn't have a lot of extra information, unfortunately.  Nothing jumped out at me.

Odd twist though.  I went to update.microsoft.com and it spooled for a second and then started its redirection.  Ended up loading the "Use your Start menu to check for updates" page - so I'm thinking there's some kind of security settings somewhere that is blocking it from connecting.  No idea why the hypervisor is not doing this.  I've tuned IE down (I have also turned off Certificate Revocation, as per: http://support.microsoft.com/kb/816897) and still getting nowhere.

The fact that it's going to the rerouted page on microsoft is promising though.  I have a request up on tech net too.  So, if I get a solution, I'll be sure to repost.

I just got wire and ends (lending out cable bit me in the butt this time), so I'm going to put it in different switch ports and switches - just in case.  I don't think it will help, but it certainly can't hurt.
Svet PaperovIT ManagerCommented:
If it is a fresh installation of WS 2008 there is no security setting that will prevent a local/domain administrator from activating Windows or executing Windows Update. It works without any special configurations.

Did you try to install WS2008 from an evaluation DVD on a new VM, to rule out the OEM? Do you have the same problems with it or other VMs (besides the one with AV)? Do you have other services installed on the Hyper-V host, like anti-virus for example?
fuatsAuthor Commented:
Two more VMs added, and same symptoms.  I'm going to start looking at settings on the hypervisor itself to see if it's doing something goofy to the connections the VMs are using...even though I made sure to isolate the NICs from the host OS.
Svet PaperovIT ManagerCommented:
It seems more like a connection problem. You could test the DNS using nslookup. Try the following commands:
nslookup update.microsoft.com


> server
> update.microsoft.com


The first will test the local dns server for Microsoft update web site. The second will test one of the biggest DNS servers at

Then you could set different DNS server addresses for your servers and try again.

You can also run a constant ping command against

ping -t  


fuatsAuthor Commented:
nslookup resolved the address, and the ping works to (and a myriad of other sites), and of course the ping to the resolved MS update address ( times out because they have ICMP reply turned off on their end.

I'm really starting to think there's something on the hypervisor that is blocking the VMs from connecting to ActiveX, or sites with anything short of plain HTML.  Well, that's the theory so far.  I have a feeling I'm going to have to pony up the dough and call MS tomorrow.

(Appreciate all the help, BTW!)
Svet PaperovIT ManagerCommented:
There is nothing on the hypervisor that could block something in the VMs. The only way the host communicates with the virtual machines is through its integration services.

I would check the external firewall again. You could also bypass it if it is possible. It won’t hurt just for several minutes; Windows 2008 has very good integrated firewall that blocks everything when it is set to public network profile.

Did you try an evaluation version of Windows 2008 or even Windows 7?
fuatsAuthor Commented:
Finally got around to getting an eval copy up and running.  

Same thing.

Time to start drinking and calling Redmond...
fuatsAuthor Commented:
90 minutes with Microsoft, and the conclusion was...

... tier-2 time.  (More as situation develops.)
fuatsAuthor Commented:
Over 20 hours of phone/email work and MS still has no answer...

...but in my fiddling around with it, I noticed something weird.

I deleted ALL the virtual net connections, and created just one.  The hypervisor uses NIC#2 w/ static address.  

I set the single Virtual Switch to use NIC#1.  Hypervisor works fine.  

I select "Allow management operating system to share this network adapter" and now the hypervisor starts exhibiting the same symptoms.

I am using IPTABLES for firewalling.  It's not blocking this MAC, IP, etc.  Right now that's the direction the tech at MS wants to go.  Going to run back to them with this new information.
Svet PaperovIT ManagerCommented:
As I pointed out in a previous post, it seems more likely a firewall problem outside of the Hyper-V host and the VMs. Is there any way to bypass your firewall and plug it directly into the Internet router? Windows 2008 has a pretty good firewall and you won't be exposed if the server is connected directly to the Internet for several minutes. Even better, if you have a cheap home router, you could use it for NAT.
fuatsAuthor Commented:
Cracked it!

I had to disable offloading.  It's an HP NIC, but from what I can see...it's basically a Broadcom board branded HP.  There have been problems with Broadcom Teaming with VMs.

I'm going to slowly enable Large Send Offload 1 & 2, TCP and UDP Checksum Offload, and Large Receive Offload on the NICs and see which ones cause the problem.  I'm suspecting LRO is the only one that needs to be disabled, but since it's working, I'm going to slowly back it up to a non-working point.

I wonder if we still get billed from MS for the "fix"?  :p

Some of the places I found information:




Svet PaperovIT ManagerCommented:
Good news! Did you tell MS that you have teamed NICs? They officially do not support teaming with Hyper-V.
fuatsAuthor Commented:
Ultimately did not turn out to be any problem external to the VM and HP (Broadcom) NIC.  Firewall and network were performing as expected.
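The one-feature-at-a-time offload test described in the accepted answer above, written out as an added PowerShell example (not code from the thread). It assumes the NetAdapter module of Windows Server 2012 or later rather than the 2008 R2 driver property tabs used in the thread, is run elevated on the Hyper-V host, and the adapter name is a placeholder; Windows exposes Large Receive Offload as Receive Segment Coalescing (RSC).

```powershell
# Added example: find which NIC offload feature breaks guest/host connectivity.
# Assumes the NetAdapter module (Windows Server 2012+) and an elevated prompt.
# 'Ethernet 1' is a placeholder; use the NIC bound to the Hyper-V virtual switch.
$Adapter = 'Ethernet 1'
$Target  = 'update.microsoft.com'

function Test-UpdateReachable {
    # TCP 443 connect test; ICMP is useless here because Microsoft drops it (see thread).
    $r = Test-NetConnection -ComputerName $Target -Port 443 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

# The offload features the thread toggled, each with its enable/disable command.
$Features = @(
    @{ Name = 'Large Send Offload v2 (IPv4/IPv6)';
       On  = { Enable-NetAdapterLso  -Name $Adapter -IPv4 -IPv6 };
       Off = { Disable-NetAdapterLso -Name $Adapter -IPv4 -IPv6 } },
    @{ Name = 'TCP/UDP checksum offload';
       On  = { Enable-NetAdapterChecksumOffload  -Name $Adapter -TcpIPv4 -TcpIPv6 -UdpIPv4 -UdpIPv6 };
       Off = { Disable-NetAdapterChecksumOffload -Name $Adapter -TcpIPv4 -TcpIPv6 -UdpIPv4 -UdpIPv6 } },
    @{ Name = 'Receive Segment Coalescing (LRO)';
       On  = { Enable-NetAdapterRsc  -Name $Adapter };
       Off = { Disable-NetAdapterRsc -Name $Adapter } }
)

# Start from the known-good state the thread reached: everything off, target reachable.
foreach ($f in $Features) { & $f.Off }
Start-Sleep -Seconds 5
if (-not (Test-UpdateReachable)) {
    throw 'Baseline failed with all offloads disabled; the fault is not an offload feature.'
}

# Re-enable one feature at a time; any feature whose enabling fails the test is a culprit
# and is switched back off before the next one is tried, so each result is independent.
$Culprits = @()
foreach ($f in $Features) {
    & $f.On
    Start-Sleep -Seconds 5
    $ok = Test-UpdateReachable
    '{0,-40} reachable={1}' -f $f.Name, $ok
    if (-not $ok) { $Culprits += $f.Name; & $f.Off }
}
'Offload features that broke connectivity: ' + $(if ($Culprits) { $Culprits -join ', ' } else { 'none' })
```

Changing offload settings briefly resets the adapter, so run it from a console session or the management NIC, not over the adapter being tested.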