Layout
| | Forest A | Forest B |
| --- | --- | --- |
| Forest | ForestA | ForestB |
| Domain | DomainA | DomainB |
| Computers | ComputerA1, ComputerA2 | (none) |
| User | UserA | UserB |
Administration
ForestA trusts ForestB
ForestB trusts ForestA
UserA is an administrator of ComputerA1 and ComputerA2
UserB is an administrator of ComputerA1 and ComputerA2
Moving VMs with Hyper-V
I have Hyper-V running on ComputerA1 and ComputerA2. I have Hyper-V live migration configured so that users can move VMs between the two computers. Users can use the PowerShell cmdlet Move-VM to move a VM from ComputerA2 to ComputerA2. This cmdlet can be run from either ComputerA1 or ComputerA2. If running from ComputerA1 ("remotely"), the -ComputerName argument must be provided.
Moving VM from ComputerA2 to ComputerA1 (locally from ComputerA2)
Move-VM -Name "VMNAME" -DestinationHost "ComputerA1" -IncludeStorage -DestinationStoragePath "c:\VMNAME"
Moving VM from ComputerA2 to ComputerA1 (remotely from ComputerA1)
Move-VM -Name "VMNAME" -DestinationHost "ComputerA2" -IncludeStorage -DestinationStoragePath "c:\VMNAME" -ComputerName ComputerA1 (note use of the -ComputerName argument)
Users
UserA or UserB could issue the commands above. But in my environment, UserB can only "locally" move the VM. When UserB tries to invoke Move-VM with the -ComputerName "remote" option, UserB gets this error:
Move-VM : Virtual machine migration operation failed at migration source.
Failed to establish a connection with host 'ComputerA1': No credentials are available in the security package (0x8009030E).
The virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: no suitable credentials available. Make sure the operation is initiated on the source host of the migration, or the source host is configured to use Kerberos for the authentication of migration connections and Constrained Delegation is enabled for the host in Active Directory.
Virtual machine migration operation for 'VMNAME' failed at migration source 'ComputerA2'.
The Virtual Machine Management Service failed to establish a connection for a Virtual Machine migration with host `ComputerA1`: No credentials are available in the security package (0x8009030E).
Failed to authenticate the connection at the source host: no suitable credentials available.
Results
| | UserA | UserB |
| --- | --- | --- |
| Move-VM from ComputerA2 without -ComputerName | OK | OK |
| Move-VM from ComputerA1 with -ComputerName | OK | FAIL |
Question
Q: Why does UserB get the error above when passing -ComputerName to the Move-VM cmdlet?
Non-Answers
UserB is not a domain admin of DomainA
If this were a problem, UserB would also FAIL when trying to use Move-VM without -ComputerName
You did not set up forest trust correctly
If this were true, UserB would also FAIL when trying to use Move-VM without -ComputerName
You didn't set up Constrained Delegation or Live Migrations properly
If this were true, no user would be able to move VMs.
Your CredSSP Kerberos SPN name is invalid because NETBIOS didn't update the forest trust token before the tombstone lifetime expired on the PDCe
Well, maybe it's that.
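
The error text quoted in the question names two settings: the migration authentication type on the source host and constrained delegation on its Active Directory computer account. The following is an added example, not part of the original post, that reports both for ComputerA1 and ComputerA2. It assumes the Hyper-V and ActiveDirectory PowerShell modules are installed, and the list of delegated service classes is an assumption because the post does not say which were configured.

```powershell
# Added example (not from the original post). Run as an account that can query
# both Hyper-V hosts and read computer objects in DomainA, for instance UserA.
Import-Module Hyper-V, ActiveDirectory

$hostNames = 'ComputerA1', 'ComputerA2'   # host names taken from the post

# Assumption: service classes usually delegated for live migration with storage.
$serviceClasses = 'Microsoft Virtual System Migration Service', 'cifs'

function Get-MigrationAuthReport {
    param([string[]]$HostNames, [string[]]$ServiceClasses)

    foreach ($source in $HostNames) {
        # Host-side setting: CredSSP or Kerberos for incoming/outgoing migrations.
        $vmHost = Get-VMHost -ComputerName $source

        # Directory-side setting: SPNs this computer account may delegate to.
        $account = Get-ADComputer -Identity $source `
            -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
        $spns = @($account.'msDS-AllowedToDelegateTo')

        foreach ($target in ($HostNames | Where-Object { $_ -ne $source })) {
            foreach ($svc in $ServiceClasses) {
                # Matches "cifs/ComputerA1" and "cifs/ComputerA1.<dns suffix>".
                $pattern = '^{0}/{1}(\.|$)' -f [regex]::Escape($svc), [regex]::Escape($target)

                [pscustomobject]@{
                    Source           = $source
                    Target           = $target
                    Service          = $svc
                    MigrationEnabled = $vmHost.VirtualMachineMigrationEnabled
                    AuthType         = $vmHost.VirtualMachineMigrationAuthenticationType
                    Delegated        = [bool]($spns -match $pattern)
                    AnyAuthProtocol  = $account.TrustedToAuthForDelegation
                }
            }
        }
    }
}

Get-MigrationAuthReport -HostNames $hostNames -ServiceClasses $serviceClasses |
    Format-Table -AutoSize
```

A row with AuthType other than Kerberos, or with Delegated set to False, corresponds to one of the two conditions the error message asks to verify.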