Layout
|
Forest A |
Forest B |
Forest |
ForestA |
ForestB |
Domain |
DomainA |
DomainB |
Computers |
ComputerA1 , ComputerA2 |
(none) |
User |
UserA |
UserB |
Administration
ForestA
trusts ForestB
ForestB
trusts ForestA
UserA
is an administrator of ComputerA1
and ComputerA2
UserB
is an administrator of ComputerA1
and ComputerA2
Moving VMs with Hyper-V
I have Hyper-V running on ComputerA1
and ComputerA2
. I have Hyper-V live migration configured so that users move VMs between the two computers. Users can use PowerShell cmdlet Move-VM
to move a VM from ComputerA2
to ComputerA2
. This cmdlet can be run from either ComputerA1
or ComputerA2
. If running from ComputerA1
("remotely") the -ComputerName
argument must be provided.
Moving VM from ComputerA2
to ComputerA1
(locally from ComputerA2
)
Move-VM -Name "VMNAME" -DestinationHost "ComputerA1" -IncludeStorage -DestinationStoragePath "c:\VMNAME"
Moving VM from ComputerA2
to ComputerA1
(remotely from ComputerA1
)
Move-VM -Name "VMNAME" -DestinationHost "ComputerA2" -IncludeStorage -DestinationStoragePath "c:\VMNAME" -ComputerName ComputerA1
(note use of the -ComputerName
argument)
Users
UserA
or UserB
could issue the commands above. But in my environment, UserB
can only "locally" move the VM. When UserB
tries to invoke Move-VM
with the -ComputerName
"remote" option, UserB
gets this error:
Move-VM : Virtual machine migration operation failed at migration source.
Failed to establish a connection with host 'ComputerA1': No credentials are available in the security package (0x8009030E).
The virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: no suitable credentials available. Make sure the operation is initiated on the source host of the migration, or the source host is configured to use Kerberos for the authentication o fmigration connections and Constrained Delegation is enabled for the host in Active Directory.
Virtual machine migration operation for 'VMNAME' failed at migration source 'ComputerA2'.
The Virtual Machine Management Service failed to establish a connection for a Virtual Machine migration with host `ComputerA1`: No credentials are available in the security package (0x8009030E).
Failed to authenticate the connection at the source host: no suitable credentials available.
Results
|
UserA |
UserB |
Move-VM from ComputerA2 without -ComputerName |
OK |
OK |
Move-VM from ComputerA1 with -ComputerName |
OK |
FAIL |
Question
Q: Why does UserB
get the error above when passing -ComputerName
to the Move-VM
cmdlet?
Non-Answers
UserB
is not a domain admin of DomainA
If this were a problem, UserB
would also FAIL when trying to use Move-VM
without -ComputerName
You did not set up forest trust correctly
If this were true, UserB
would also FAIL when trying to use Move-VM
without -ComputerName
You didn't setup Constrained Delegation or Live Migrations properly
If this were true, no user would be able to move VMs.
Your CredSSP kerberos SPN name is invalid because NETBIOS didn't update the forest trust token before the tombstone lifetime expired on the PDCe
Well, maybe it's that.