Mar 21, 2017

Hyper-V Live Migration and Constrained Delegation

Cavlin Yeh


With Microsoft’s continued enhancements to Hyper-V, the number of companies leveraging Hyper-V as the platform for their enterprise solutions continues to grow. Building a highly available Hyper-V cluster requires time and attention to detail, and testing and validation are a key step in this process. One of the first critical tests of a Hyper-V cluster is a Live Migration, which moves an existing virtual machine (VM) from one host to another.

But what do you do when you try to migrate a VM and encounter the dreaded “There was an error during move operation”? This error is a showstopper. You won’t be able to do a Live Migration, and no VMs will be moved during a failover scenario if the current host is down.

The error is seen below:

[Screenshot of the error message]

There are two action items that stand out to me in the error message:

  1. Ensure the operation is initiated on the source host of the migration.

  2. Verify the source host is configured to use Kerberos for the authentication of migration connections and Constrained Delegation is enabled for the host in Active Directory.

To tackle number one, you could log into the source host where the VM is currently running and initiate a move. However, that’s not very efficient, and still would not address what would happen in a disaster recovery scenario if that host is down. This leads you to number two. Now, we’ll look at the specific steps to configure Constrained Delegation.

Step 1

Go to Hyper-V Settings for the host machines and enable Kerberos authentication. The setting is in the Live Migrations section, under Advanced Features. Select “Use Kerberos” and, under Performance Options, select “Compression.” Remember, this needs to be done on all hosts in the cluster.


Step 2

Go to Active Directory Users and Computers and find each host’s computer object in its organizational unit. Right-click the object, go to Properties, then open the Delegation tab. Select the radio button that says “Trust this computer for delegation to specified services only” and the nested radio button “Use Kerberos only.” Click “Add” and select only these two services: “cifs” and “Microsoft Virtual System Migration Service” for all the servers you want to be able to migrate to/from. In this case, we are on HYPER-VDR4’s properties, so this step must be repeated on the computer account properties of every other cluster node.


Step 3

A reboot of all the hosts is recommended.

Test Live Migrations and failover and your VMs should be able to live migrate without issue now!
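As an added example (not part of the original post), the PowerShell function below audits the result of Step 2: it checks that each host account uses constrained, Kerberos-only delegation and delegates only “cifs” and “Microsoft Virtual System Migration Service” to the other cluster nodes. The function name, the second node HYPER-VDR5, the domain corp.example, and the sample objects are assumptions constructed for illustration.

```powershell
# Added example, not from the original post. Sample data is constructed so the
# check runs without a domain. For real input, pass objects from:
#   Get-ADComputer -Identity <node> -Properties msDS-AllowedToDelegateTo,TrustedForDelegation,TrustedToAuthForDelegation
function Test-MigrationDelegation {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,  # objects shaped like Get-ADComputer output
        [Parameter(Mandatory)] [string[]] $Node       # short names of every cluster node
    )
    $allowed = 'cifs', 'Microsoft Virtual System Migration Service'
    foreach ($c in $Computer) {
        $issues = @()
        $seen = @()
        if ($c.TrustedForDelegation) { $issues += 'unconstrained delegation is enabled' }
        if ($c.TrustedToAuthForDelegation) { $issues += 'any authentication protocol allowed (not "Use Kerberos only")' }
        foreach ($spn in @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })) {
            $svc, $target = $spn -split '/', 2
            $short = ($target -split '\.')[0]          # accept NetBIOS or FQDN targets
            if ($svc -notin $allowed) { $issues += "unexpected service: $spn" }
            elseif ($short -notin $Node) { $issues += "target is not a cluster node: $spn" }
            else { $seen += "$svc/$short" }
        }
        # Every other node must be a delegation target for both services.
        foreach ($peer in ($Node | Where-Object { $_ -ne $c.Name })) {
            foreach ($required in $allowed) {
                if ("$required/$peer" -notin $seen) { $issues += "missing: $required/$peer" }
            }
        }
        [pscustomobject]@{ Host = $c.Name; Compliant = ($issues.Count -eq 0); Issues = $issues }
    }
}

$nodes = 'HYPER-VDR4', 'HYPER-VDR5'   # HYPER-VDR5 is hypothetical
$sample = @(
    [pscustomobject]@{                 # constructed: configured as in Step 2
        Name = 'HYPER-VDR4'; TrustedForDelegation = $false; TrustedToAuthForDelegation = $false
        'msDS-AllowedToDelegateTo' = 'cifs/HYPER-VDR5', 'cifs/HYPER-VDR5.corp.example',
            'Microsoft Virtual System Migration Service/HYPER-VDR5',
            'Microsoft Virtual System Migration Service/HYPER-VDR5.corp.example'
    }
    [pscustomobject]@{                 # constructed: over-privileged and incomplete
        Name = 'HYPER-VDR5'; TrustedForDelegation = $true; TrustedToAuthForDelegation = $false
        'msDS-AllowedToDelegateTo' = 'cifs/HYPER-VDR4', 'ldap/DC01.corp.example'
    }
)
Test-MigrationDelegation -Computer $sample -Node $nodes | Format-List
```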

Hyper-V has been steadily improving and adding new features, and it is a great way to easily add scalable and resilient capacity to your infrastructure. Do you want to explore options for virtualizing your infrastructure on Hyper-V? Credera has extensive experience in designing, planning, and implementing virtualization solutions. If you have questions about this blog post, points of view, or IT infrastructure, please leave a comment below, tweet us @CrederaIT, or contact us online.
