Ins and Outs of Virtual Server 2005 Administration and IIS

A very common belief about Virtual Server 2005 administration is that it requires IIS to be installed, either on the host machine itself or on the remote admin machine.

My day job has me spending lots of time testing and working with the internals of IIS, and I am also an avid user of Virtual Server 2005 since its internal pre-release beta days. So, I decided to investigate the details of this common belief and shine some light on what is going on beneath the covers.

Bottom Line

  • You DO NOT need to install nor use IIS to administer Virtual Server 2005
  • You DO NOT need to be at the Virtual Server 2005 machine to administer it
  • You DO NOT even need to be a local system administrator to be able to administer Virtual Server 2005 or its Virtual Machines

Yes, Virtual Server is highly flexible when it comes to administration possibilities, even if the currently shipping administration tool does not provide it. Virtual Server administration can be decentralized, delegated, and does not even require a web server for remote access. I know because I wrote a commandline tool that does this. 🙂


Virtual Server introduces a COM based Administration API that is accessible by Windows Script Host, native code, and managed code.

The API exposes everything related to Virtual Server such as:

  • Create/Manipulate/Delete Virtual Machine (VMC files)
  • Create/Manipulate/Delete Virtual Network (VNC files)
  • Create/Manipulate Virtual Harddrives (VHD files)
  • Create/Manipulate other virtual hardware/peripherals like RAM, Floppy, DVDROM, IDE/SCSI Bus, SCSI Controller, COM ports, Parallel ports
  • Transition Virtual Machine state (start/save/pause/resume/off)
  • Assign Virtual Server Security
  • Lots of other miscellaneous features like CPU throttling per VM, virtual keyboard/mice, async event callbacks, etc for the type A admin

Helpful Reference

I found this great diagram inside of Virtual Server documentation (Virtual Server Technical Reference\How Virtual Server Works\Architecture\Virtual Server architecture) that gives a high-level glance at the logical pieces and connection protocols. The diagram's URL is:


Virtual Server 2005 ships with a native code EXE program named VSWebApp.exe which calls the native COM based API. VSWebApp.exe implements CGI/1.1 to read/parse input and provide HTML as output, so it naturally runs as a CGI executable on IIS to provide a web-based administration interface.

VSWebApp.exe is very nicely abstracted into logical layers and has no IIS-specific dependencies that I could find (the IO layer is pure CGI and abstracts the underlying platform away such that higher-level parts of the CGI do not worry about HTTP concepts like reading/writing entity body, retrieving/setting form parameters, HTML/HTTP encoding, etc).

Although I have not tried, VSWebApp.exe should run unmodified as a CGI on Apache for Windows. But, as I have alluded to earlier, you do not need a web server to administer Virtual Server. So, changing web servers is merely a exercise left to the reader. We can do one better by not needing the web server at all.

Virtual Server 2005 supports DCOM Remoting for its COM based API, and this support is registered within vssrvc.exe. This allows you to perform the aforementioned administration tasks against a remote Virtual Server by merely instantiating the COM object differently. In fact, VSWebApp.exe liberally uses this feature to "tunnel" and allow you to administer against a remote Virtual Server which does not have IIS installed.

Virtual Server 2005 introduces a simple internal security model. At a server-wide scope, you declare allow or deny ACL for a given user identity and the specified list of privileges, which include:

  • Modify - gives access to add Virtual Machine and Virtual Network configuration
  • Remove - gives accees to delete Virtual Machine and Virtual Network configuration
  • View - gives access to read Virtual Server and Virtual Machine configuration as well as view the Virtual Machine with VMRC
  • Change - gives ability to change these privileges in Virtual
  • Control - gives access to the COM interface itself. You cannot administer Virtual Server without it
  • Special - currently, I do not know what it does. It is available to be set via the administration API, but I have not found a way to make it persist.

Basically, you give "Control" access to allow someone to be able to use/administer Virtual Server, "Change" to give someone the admin bit, and the others are the usual Read/Modify/Delete permissions securing Virtual Machine and Virtual Networks. And since Virtual Machines are just files, you can also apply NTFS ACLs on the files to get more interesting and granular combinations.

For example, you can give a user "View" privileges, so they can theoretically view any Virtual Machine registered on the system... but you can set NTFS ACLs on the VMC, VNC, and VHD files such that they can only see and run certain Virtual Machines.


By now, what I stated earlier should be clear.

  • You DO NOT need to install nor use IIS to administer Virtual Server 2005. Administration of Virtual Server requires you to manipulate its COM based API somehow, either via native code, managed code, or Windows Script Host. The product provides a web-based administration tool by default, but it does not preclude other administration forms. For example, I know of GUI and control panels using managed code being developed. Personally, I implemented a lightweight commandline VS administration tool using Windows Script Host in about 3,000 lines of code where I can create a newly configured Virtual Machine with a single commandline and about 8 switches.
  • You DO NOT need to be at the Virtual Server 2005 machine to administer it. Virtual Server supports DCOM remoting so that you can use the same COM based API but targetted at Virtual Server on a different machine. VSWebApp.exe also allows a HTTP-based front end (to hop across firewalls, for example) before using DCOM on that server to target another remote Virtual Server.
  • You DO NOT even need to be a local system administrator to be able to administer Virtual Server 2005 or its Virtual Machines. You just need to give the user identity Control and View privileges in Virtual Server as well as Read/Write privileges to the NTFS filesystem where the Virtual Machine / Virtual Network is stored.

For example, I exclusively run as non-administrator (i.e. just plain normal User) on all of my machines. I use my administrator account to install Virtual Server 2005, add my non-administrator user to Virtual Server with all privileges except Change, and then as non-administrator I can create/delete/view any Virtual Machine that my user identity has read/write access to the physical files that make up the Virtual Machine.


Comments (27)

  1. Nektar says:

    The other day I was trying to administer or just author web page running as non-admin for FrontPage 2002 Server Extentions. It was impossible for me to achieve this. When running as local admin everything worked but when running as a normal user I would get the logon dialog and whatever password I would enter it would not log me into FrontPage Server. I got so frastrated that I remove FP 2002 Server Extentions.

  2. Matt says:

    Can you share your commandline VS admin tool written in WMI?

  3. David.Wang says:

    I do not have a WMI-based commandline VS admin tool to share.

    If you have specific questions about how to script Virtual Server Administration, I can try and answer that.


  4. Dmitry Polyakovsky says:

    I installed Virtual Server 2005 Standard edition Win XP Pro SP2 and keep

    getting this error when I browse to

    http://localhost/VirtualServer/VSWebApp.exe?view=1 .

    I am logged in as Administrator.

    I uninstalled and re-installed but no luck.

    Virtual Server virtual web directory is located under Default WebSite in

    IIS. The virtual web folder points to C:Program FilesMicrosoft Virtual

    ServerWebSiteVirtualServer where VSWebApp.exe is present.

    The page cannot be found

    The page you are looking for might have been removed, had its name

    changed, or is temporarily unavailable.


    Please try the following:

    a.. If you typed the page address in the Address bar, make sure that

    it is spelled correctly.

    b.. Open the localhost home page, and then look for links to the

    information you want.

    c.. Click the Back button to try another link.

    HTTP 404 – File not found

    Internet Information Services


    Technical Information (for support personnel)

    a.. More information:

    Microsoft Support

  5. cognitivecharm says:

    Hi there …

    i have a problem like i am not able access com api from vb6 … or more specifically none of the function supported by IVMVirtualServer works …

    i have included the refrence required that i needed to refer com api thru vb …

    the error i get (say findvirtualmachine) is

    Run-Time Error -214703550 (80070542):

    Method FindVirtualMachine of object IVMVirtualMachine failed

    even i get the same error in python com

    am i missing something like initiating the server …

    i dont know what it is .. and even the com api doc at msdn isn’t much helping

    one more thing … these thing with vbscript works absolutely fine …

    i hope u can sort out my prob or may build me a way to tackle the problem

  6. David Wang says:

    cognitivecharm – 0x80070542 translates into:

    1. an error – the highest order bit in the first number is 1 (0x8 = 0b1000)

    2. in Win32 – that is what the 0x007 means

    3. of 0x0542 = 1346 decimal.

    NET HELPMSG 1346 gives:

    "Either a required impersonation level was not provided, or the provided impersonation level is invalid."

    Documentation on MSDN is not going to help much because it is documentation on how to use technology, not how to troubleshoot it. In other words, MSDN documentation assumes you got things working.

    At this point, you say that the COM interface from VBScript works perfectly fine, so it does not look like anything is wrong from the COM nor Virtual Server side of things. I do not know the syntax to import COM TLB into VB6 nor whether there are special requirements to having it work in VB…

    Sorry, I really can’t help much further other than to say it definitely works in JScript/VBScript, VB.Net, and C/C++.


  7. Biffer says:

    I’m also having trouble under Python com, and it’s really irritating the hell out of me. I’ve got jscript and vbscript working fine. So I thought I’d be clever, and invoke a dispatch interface to the script control (from Python), and feed the lines one-by-one to the jscript interpretter. Bam! this blows up too… Doh!

    It seems you can get an object instance, but the moment you call any methods on it you get a COM exception (-2147352567)

    If the same problem happens in VB6 this is interesting, implying it’s not simply a problem with pythoncom as I’d suspected.

  8. Mahokka says:

    Hi everybody 🙂

    This message is for Dmitry Polyakovsky: I don’t know if it’s too late or not (somehow) and if you’ve already gotten the answer to your problem, but I had the same one and to resolve it, I wrote the loopback address ( in the url instead of "localhost". For me it worked so much better like that ;-).

  9. Barney says:

    re the 0x80070542 err – if you get this from a remote machine, its because your default dcom is set at identity – to verify – component services/Computers/My Computer – Properties/Default Properties/Default Impersonate = Impersonate … and try again

  10. Benjamin says:

    Sharing files with host on Virtual server 2005.

    I would like to be able to share files with the host operating system. Just normal textfiles which i need to transfer between virtual server and the host.

    I installed the loopback adapter and used this as network adapter for a virtual network. When running the virtual server i am still not able to acces the host file system. I am not even able to ping the host from the virtual server and vice versa.

    I am not able to browse whe opening IE

    Any suggestions on what to do?

  11. David.Wang says:

    Benjamin – In general, I suggest reading and following the Virtual Server documentation on how to setup the loopback adapter and general networking documentation.

    One of the most common mistakes (after not creating a Virtual Network bound to the Loopback and configuring the Guest to use a Virtual NIC bound to this Virtual Network) is to fail to have the Loopback adapter on the Host and Virtual NIC in the Guest on the same TCP/IP Segment – i.e. basic networking 101.

    In other words:

    – set up the Loopback Adapter on the Host to have the following Static IP:

    – set up the Virtual NIC inside the Guest to have the following Static IP:

    And you should now be able to communicate from Host to Guest via and Guest to Host with

    As for ability to browse the Internet with IE from the Guest – that is a separate network routing issue.

    I suggest visiting the Virtual Server Newsgroup because these are frequently asked questions and full-answers exist – use either NNTP reader like Outlook Express or Web-based reader:


  12. Carrie McLeish says:

    My company is deploying exchange server 2003 Enterprise on six different virtual servers for six different forests.  What are some of the pitfalls when doing this?  I have read documentation supporting and not supporting exchange on VS 2005.  What are your thoughts?


    Carrie McLeish

  13. David.Wang says:

    Carrie – since Exchange is heavily disk IO intensive and Virtual Machines do not help disk IO, I am not certain of the rationale to deploy Exchange on Virtual Machine.

    I believe Exchange 2003 SP1 is supported on Virtual Server 2005. This stuff is all documented on website, and you can also query microsoft.public.virtualserver newsgroup/community.


  14. NickB says:

    This article answered my question perfectly in all respects but one – How to install without IIS.  Clearly you do not need to use IIS to adminsister virutal server, but the tool you decribe – VSWebApp.exe – is contained within the executable download and you do not seem to be able to extract it without running the install.  Here’s the Gotcha – the install won’t run unless you have IIS running.

    Seems to me that means I need to install IIS in order to extract the file I want to use to run against my Apache server… no?

    Any workaround greatly appreciated. NickB

  15. David.Wang says:

    NickB – Ah, I see. Then, your comment is really just a complaint about the requirements of installing the VSWebApp.exe component.

    Virtual Server installs without IIS. Just don’t check the WebApp component on installation and IIS is not required. I install Virtual Server like this all the time.

    To avoid the requirements of the VSWebApp component, I wrote my own VS admin script which depends only on JScript and VS2005, so I can install and administer VS2005 perfectly without IIS installed anywhere at any time.

    Of course, if you *want* to use VSWebApp.exe, then you obviously need to install the WebApp component and meet its requirements.

    Since that component ties the file VSWebApp.exe with the configuration of IIS, it is impossible to install/extract it without IIS running. Personally, I see no problems with this requirement since it is what is tested and supported.

    Even if it is possible, running VSWebApp.exe on Apache is not a supported scenario, so even if you have to do something contorted like first install IIS, then install VS to extract VSWebApp.exe, then uninstall IIS, and finally configure VSWebApp.exe on Apache, that seems fine to me — it comes with the territory of being "unsupported".

    Because if Apache or commandline support support was intended, VS2005 Setup would probably be changed into :

    + Administration

    +-+ Install VSWebApp.exe

       +- Add IIS Configuration

       +- Add Apache Configuration

    So that you can pick to install VSWebApp.exe as-is, without IIS installed. That is the meaning of "supported" and "by-design".

    Of course, if you know how to tweak MSI, you can author what I just described into the existing VS2005 MSI, and then you CAN just extract VSWebApp.exe without everything else. But that advanced discussion is for another time…


  16. NickB says:

    Errr… Thanks, I think.  I suspect your underlying assumption is that I was hoping for a quick and easy solution.  And you would be right.  I do not like the bundling approach which is taken in this instance, and as I am already running Apache on Wintel for a number of other reasons I guess I am just going to have to put some effort in. C’est la Vie!  Thanks again. NickB

  17. David Wang says:

    I started typing this as a response to this blog entry and then decided that I was investing a little…

  18. David.Wang says:

    My response started to get a bit too long, so I made it a blog entry.


  19. Eviltesdall says:

    if you wish to install the VS without having IIS running just do not do a complete install do a CUSTOM install and remove the IIS portion.

  20. Tony Ko says:

    please help me, i have deleted the default site on iis and now when i install virtual server it wont add itself to iis. ive added a new site and by right clicking it, ive added virtualserver as an new application.. now when i go to my link it just downloads the exe instead of running it.. i cant access web admin now. how do i get it to work?

  21. Tony Ko says:

    ive also tried installing it after ive made the new site, but it still wont work >< help!

  22. David.Wang says:

    Tony – If the issue is with downloading vs running an EXE, then this is your misconfiguration:

    If you want to how to duplicate what VS Setup does for IIS admin website configuration, then I suggest asking the microsoft.public.virtualserver newsgroup:


  23. mitthu says:

    I want to customize the Microsoft virtual server, what i want is the admin gui page it shows I want to customize that like I want to create 4 VirtualMachine at a time by running a VB script ,can u provide that script to me which take input  for creating many VMs at atime.

    please provide me the script. thanks

  24. Yo don’t need it, but it makes your life easier

  25. Peter Gu says:

    Thanks to Barney, I solved the 0x80070542 problem by running dcomcnfg and change the default impersonate configuration. Thanks!

Skip to main content