

Enabling Hyper-V Remote Management - Configuring Constrained Delegation For Non-Clustered Live Migration

In Windows Server 8 we added the ability to live migrate virtual machines without requiring a cluster, i.e. standalone live migration. For this feature to work, the storage the virtual machine is using must be available to both Hyper-V servers, which implies that it’s hosted on an SMB share. We can also perform a live storage migration in concert with the virtual machine live migration in Windows Server 8, but I’ll get to that later. If you read my last post, Enabling Hyper-V Remote Management - Configuring Constrained Delegation For SMB and Highly Available SMB, which discusses configuring the Hyper-V servers to delegate credentials to the SMB server, this process is similar to that one, and the SMB delegation configuration is a prerequisite for this post.


Going back to the example from my last post, let’s take an environment similar to this: we have a two-node Windows Server 8 Scale-Out file server cluster, two standalone Hyper-V servers and a remote management workstation. In the last post we configured constrained delegation between the two Hyper-V servers and the SMB server, which allowed us to create a new virtual machine on one of the Hyper-V servers with the virtual machine’s storage residing on the SMB share. Now we want to live migrate that virtual machine to the second Hyper-V server. To accomplish this we must again enable constrained delegation.


Overview of Process

  1. Configure Constrained Delegation Between the two Hyper-V Servers
  2. Enable Live Migration on Both Hyper-V Servers
  3. Live Migrate The Virtual Machine

Configure Constrained Delegation Between the two Hyper-V Servers

For Each Hyper-V Server…

  1. Using The Active Directory Users and Computers Dialog Open The Properties Dialog On The Computer Account and Select The Delegation Tab 
  2. “Trust this computer for delegation to specified services only” and “Use any authentication protocol” should already be selected (correction: “Use Kerberos only” works), and the CIFS service should already be enabled for the SMB server.
  3. Select “Add” and Provide the Name Of The Other Hyper-V Server(s) (37-4611K2717L in my example)
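
The same delegation change made with the ActiveDirectory PowerShell module, followed by an audit of what each Hyper-V computer account may delegate to. This is an added example, not code from the original post. The host names `HV1`/`HV2` and the domain `contoso.example` are placeholders, and `Microsoft Virtual System Migration Service` is the service class Hyper-V registers for live migration.

```powershell
# Added example: host names and domain are placeholders, not values from the post.
Import-Module ActiveDirectory            # RSAT Active Directory module

$hyperVHosts = 'HV1', 'HV2'              # hypothetical standalone Hyper-V servers
$domain      = 'contoso.example'         # hypothetical AD DNS domain
$migration   = 'Microsoft Virtual System Migration Service'
$allowed     = 'cifs', $migration        # service classes this setup expects

# 1. On each host's computer account, allow delegation to the migration
#    service on the *other* host(s), by short name and by FQDN.
foreach ($hvHost in $hyperVHosts) {
    $spns = foreach ($peer in ($hyperVHosts | Where-Object { $_ -ne $hvHost })) {
        "$migration/$peer"
        "$migration/${peer}.${domain}"
    }
    Set-ADComputer -Identity $hvHost -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$spns }
}

# 2. Audit the result: delegation must stay constrained, and only to the
#    expected service classes.
foreach ($hvHost in $hyperVHosts) {
    $account = Get-ADComputer -Identity $hvHost -Properties `
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    if ($account.TrustedForDelegation) {
        Write-Warning "$hvHost is trusted for UNCONSTRAINED delegation"
    }
    foreach ($spn in $account.'msDS-AllowedToDelegateTo') {
        $serviceClass = ($spn -split '/')[0]
        $status = if ($allowed -contains $serviceClass) { 'expected' } else { 'REVIEW' }
        [pscustomobject]@{
            Host               = $hvHost
            DelegatesTo        = $spn
            ProtocolTransition = $account.TrustedToAuthForDelegation
            Status             = $status
        }
    }
}
```

Any row marked `REVIEW` is a delegation target outside the SMB and live migration services this setup needs.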

Enable Live Migration on Both Hyper-V Servers

For each Hyper-V server you need to enable live migration. This is disabled by default as a security precaution, because not every server may want to allow migrations to and from it.

  1. From the Hyper-V Manager UI open the Hyper-V Settings
  2. Select the Live Migration node
  3. Check the “Enable incoming and outgoing live migrations” option
  4. Select “Use Kerberos” as the authentication protocol. If you don’t select this, you will get an error when you try to live migrate using a remote UI (here’s the error message so Bing will find it when someone forgets this step :)
    “Virtual machine migration failed at migration source. Failed to establish a connection with host <destination> The credentials supplied to the package where not recognized (0x8009030D). Failed to authenticate the connection at the source host: no suitable credentials available.”
  5. Optionally you can specify the networks that allow live migrations over them – this is recommended to prevent live migrations (which are unencrypted) from going over public networks.

Live Migrate The Virtual Machine

We are now ready to live migrate the virtual machine.

  1. From the Hyper-V Manager Right Click on The Virtual Machine and Select Move
  2. Select “Move the virtual machine” to specify a live migration
  3. From the Move Options Page Select “Move only the virtual machine” as the VHD and configuration are already on our SMB server
  4. Select Finish To Start the Live Migration
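
The host settings and the move from the two sections above, scripted with the Hyper-V PowerShell module and checked before the migration starts. This is an added example, not code from the original post; the host names, the subnet and the VM name are placeholders.

```powershell
# Added example: host names, subnet and VM name are placeholders.
$hyperVHosts  = 'HV1', 'HV2'             # hypothetical Hyper-V servers
$migrationNet = '192.168.10.0/24'        # hypothetical private migration subnet
$vmName       = 'VM01'                   # hypothetical VM stored on the SMB share

foreach ($hvHost in $hyperVHosts) {
    # Enable incoming and outgoing live migrations (off by default).
    Enable-VMMigration -ComputerName $hvHost

    # Kerberos authentication, and only the listed networks may carry
    # the (unencrypted) migration traffic.
    Set-VMHost -ComputerName $hvHost `
        -VirtualMachineMigrationAuthenticationType Kerberos `
        -UseAnyNetworkForMigration $false

    $present = Get-VMMigrationNetwork -ComputerName $hvHost |
        Where-Object { $_.Subnet -eq $migrationNet }
    if (-not $present) {
        Add-VMMigrationNetwork -ComputerName $hvHost -Subnet $migrationNet
    }
}

# Verify both hosts before moving anything: migration enabled, Kerberos
# selected, and "use any network" switched off.
$misconfigured = foreach ($hvHost in $hyperVHosts) {
    $settings = Get-VMHost -ComputerName $hvHost
    if (-not $settings.VirtualMachineMigrationEnabled -or
        $settings.VirtualMachineMigrationAuthenticationType -ne 'Kerberos' -or
        $settings.UseAnyNetworkForMigration) {
        $hvHost
    }
}
if ($misconfigured) {
    throw "Live migration settings not as expected on: $($misconfigured -join ', ')"
}

# "Move only the virtual machine": the VHD and configuration stay on the SMB share.
Move-VM -ComputerName 'HV1' -Name $vmName -DestinationHost 'HV2'
```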

Done…

 

Taylor Brown
Hyper-V Enterprise Deployment Team
taylorb@microsoft.com
https://blogs.msdn.com/taylorb


Comments

  • Anonymous
    May 30, 2012
    Hello, what if my two Hyper-V servers are out of any AD domains? Thanks

  • Anonymous
    September 28, 2012
    Why can't you use CREDSSP?

  • Anonymous
    November 06, 2012
    See my new post blogs.msdn.com/.../remote-administration-without-constrained-delegation-using-principalsallowedtodelegatetoaccount.aspx

  • Anonymous
    July 22, 2013
    I had a small query that as per the article technet.microsoft.com/.../jj134187.aspx "In Windows Server 2012, you can now use SMB 3.0 file shares as shared storage for Hyper-V. With this new capability, Hyper-V can store virtual machine files, which includes configuration, virtual hard disk (VHD) files, and snapshots, on SMB file shares. " I tried to save the Hyper-v configuration & VHD files on 2008 r2 servers & I did not get any errors. Any ideas why?

  • Anonymous
    July 22, 2013
    Generally SMB 2.0 (which is what Windows Server 2008 R2 speaks) will work however it has almost no tolerance to any faults (i.e. network glitches) and there are a number of scenarios we knew just didn’t work well.  So we wrote SMB 3.0 to fix all of those.

  • Anonymous
    November 23, 2013
    Your screen shots could have a little more resolution - it is really hard to make out the names of the services and the server names. Also, please clarify which server should be listed in the delegation tab and the name of the services.

  • Anonymous
    April 21, 2015
    Hi! Can I ask where I can find the error this permission issue causes? I set up everything just as this article suggested, but I still can't import remotely, from a fileshare...