11

I am trying to do my first live migration with Windows Server 2012 Hyper-V 3.0. I have two servers joined to a domain.local domain, and both are hypervisors with constrained delegation set up. Each server has the CIFS and Microsoft virtual service delegated with Kerberos. Both hypervisors have Kerberos only set up for the live migration.

Replica works great, but when I try to do a live migration (not a VM that is being replicated either) I get this when trying to select a destination computer, even though I have all firewalls turned off (the servers and the domain are private no internet access only):

An error occurred while attempting to contact the Virtual Machine Management service on destination computer "blah". Verify that the service is running and that you are authorized to connect to the destination computer. You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer "blah".

Anyone have an idea? I'm fairly new to AD-DS, but I believe the domain controller was set up with the correct constrained delegation.

Could it be some sort of super user I need to set up, or do I need to log in as a particular user on the hypervisor? I feel like I am just missing something rather simple here, but I have spent a good deal of time looking online and haven't quite found anything that relevant to my problem.

Bryan
Matt Wall
  • Are the VMs stored on local disk on the hyper-v servers or on an SMB share? Is the user account attempting the migration a domain account that has rights on both hyper-v computers? – Steven Murawski Dec 13 '12 at 14:23
  • Is the user account that initiated the live migration a member of the local Hyper-V Administrators group on both machines? And possibly try to set it up as a member of local Administrators on both machines. – Muhammad Dec 26 '12 at 06:08
  • And did you reboot the machine after you modified the computer object in ADUC (after adding the cifs and mvs delegation using Kerberos)? You need to do that before doing the live migration. – Muhammad Dec 26 '12 at 06:11
  • 1
    The account that initiates the live migration needs to be a member of the domain administrator group. More details here: http://technet.microsoft.com/en-us/library/jj134199.aspx – Muhammad Dec 26 '12 at 06:22
  • actually no, the live migration account does not need to be, only the constrained delegation configuration account. Reread the page linked: The account you use to configure live migration and to perform the live migrations must be a member of the local Hyper-V Administrators group or the Administrators group on both the source and destination computers. – MikeBaz - MSFT Feb 27 '13 at 17:31

3 Answers

1

You didn't mention which services are delegated to. You should have the following on each Hyper-V host:

  • Microsoft Virtual System Migration Service/COMPUTER
  • Microsoft Virtual System Migration Service/COMPUTER.FQDN
  • cifs/COMPUTER
  • cifs/COMPUTER.FQDN

Have you tried (as a test) allowing all services to be delegated?

leftcase
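A check for the delegation entries listed in the answer above, as an added example that is not part of the original answer. It assumes the ActiveDirectory module (RSAT) is available, and the host names `HV01` and `HV02` are placeholders for your two Hyper-V hosts.

```powershell
# Added example: confirm that each Hyper-V host's computer object lists the
# constrained-delegation entries for the *other* host (short name and FQDN).
# Assumptions: ActiveDirectory module installed; HV01/HV02 are placeholder names.
Import-Module ActiveDirectory

$hvHosts  = 'HV01', 'HV02'
$services = 'Microsoft Virtual System Migration Service', 'cifs'

foreach ($source in $hvHosts) {
    $computer = Get-ADComputer -Identity $source -Properties `
        'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'

    # Entries currently present on the Delegation tab of this computer object
    $allowed = @($computer.'msDS-AllowedToDelegateTo')

    # Delegation mode: unconstrained delegation left on after an
    # "allow all services" test should be switched back to the constrained list.
    [pscustomobject]@{
        Host                       = $source
        UnconstrainedDelegation    = $computer.TrustedForDelegation
        AnyAuthProtocol            = $computer.TrustedToAuthForDelegation
        ConstrainedEntryCount      = $allowed.Count
    }

    foreach ($target in ($hvHosts | Where-Object { $_ -ne $source })) {
        $targetFqdn = (Get-ADComputer -Identity $target -Properties DNSHostName).DNSHostName

        foreach ($service in $services) {
            foreach ($name in $target, $targetFqdn) {
                $entry = "$service/$name"
                [pscustomobject]@{
                    DelegatingHost = $source
                    RequiredEntry  = $entry
                    Present        = $allowed -contains $entry   # case-insensitive match
                }
            }
        }
    }
}
```

Any row with `Present` set to `False` is an entry missing from that host's delegation list.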
1

An answer to this old question. It's a bug. You have to start the migration from the source server and not from the destination server or the Hyper-V GUI installed on another machine.

If you're doing this on Server Core or Hyper-V Server 2012, you need to log into the source server and initiate the migration from the PowerShell console. If you're using the GUI, again, you must launch it from the destination machine.

Try this and migrations should work properly.

HTH

leftcase
-1

The following article should get you going

http://blogs.technet.com/b/uspartner_ts2team/archive/2012/07/23/shared-nothing-live-migration-on-windows-server-2012.aspx

Flowcom
  • 4
    Hi, while the link you posted might solve the problem, it is better if you include relevant information in your answer from the article. – Jacob Apr 05 '13 at 21:08
  • @Jacob agreed. If this is the answer, it should be updated to include the relevant parts. – john Jul 22 '13 at 09:43