Server 2012 (8 beta) Hyper-V live migration via SMB problem
-
quinta-feira, 7 de junho de 2012 00:18
I have 2 Hyper-V servers both joined to a domain and I can do live migration between them using local storage - works great. I wanted to try with an SMB share. So I created a share on one of the 2 HyperV servers (servers are 10.10.10.5 and 10.10.10.15) The share is located at \\10.10.10.15\smbshare - so on each server i mapped the Z drive to this. So yes, one hyper-V server has an SMB share and a drive mapped to intself. The VM is installed on 10.10.10.5 and was installed using drive as the install location. VM starts and runs fine, but when i go to migrate just the VM - I get an error:
'': account does not have permission required to open attachment '\\10.10.10.15\smbshare\Win8Beta\Virtual Hard Disks\Win8Beta.vhdx'. Error: 'General access denied error' (0x80070005). (Virtual machine ID )
Both machine accounts have full permissions on the share; Delegation for all protocols via Kerberos is set. Could this be due to my "loopback" share? I don't remember this in past versions of windows, but i think i confirmed it as i can't even create a new VM using the VHDX when i use this loopback share.
Anyone know of a workaround? I Just have 2 physical servers for testing - I would never do this in production.
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
Microsoft.Virtualization.Client.Management.ObjectNotFoundException: Hyper-V encountered an error trying to access an object on computer 'rdvh1' because the object was not found. The object might have been deleted, or you might not have permission to perform the task. Verify that the Virtual Machine Management service on the computer is running. If the service is running, try to perform the task again by using Run as Administrator.
at Microsoft.Virtualization.Client.Management.View.GetRelatedObject[T](Association association, Boolean throwIfNotFound)
at Microsoft.Virtualization.Client.Management.VMComputerSystemBaseView.get_Setting()
at Microsoft.Virtualization.Client.Wizards.VMMove.MoveWizard.WizardActionFailed(Exception exception)
at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
Microsoft.ManagementConsole
Assembly Version: 3.0.0.0
Win32 Version: 6.2.8250.0
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.ManagementConsole/3.0.0.0__31bf3856ad364e35/Microsoft.ManagementConsole.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
MMCFxCommon
Assembly Version: 3.0.0.0
Win32 Version: 6.2.8250.0
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/MMCFxCommon/3.0.0.0__31bf3856ad364e35/MMCFxCommon.dll
----------------------------------------
System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
Microsoft.Virtualization.Client.VMBrowser
Assembly Version: 6.2.0.0
Win32 Version: 6.2.8250.0
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.VMBrowser/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.VMBrowser.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
Microsoft.Virtualization.Client.Management
Assembly Version: 6.2.0.0
Win32 Version: 6.2.8250.0
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.Management/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.Management.dll
----------------------------------------
Microsoft.Virtualization.Client
Assembly Version: 6.2.0.0
Win32 Version: 6.2.8250.0 (winmain_win8beta.120217-1520)
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.dll
----------------------------------------
System.Management
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Management/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Management.dll
----------------------------------------
Microsoft.Virtualization.Client.Wizards
Assembly Version: 6.2.0.0
Win32 Version: 6.2.8250.0
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.Wizards/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.Wizards.dll
----------------------------------------
Microsoft.Virtualization.Client.Settings
Assembly Version: 6.2.0.0
Win32 Version: 6.2.8250.0
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.Settings/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.Settings.dll
----------------------------------------
Accessibility
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.17379 built by: FXBETAREL
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------
************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.
For example:
<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>
When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
- Movido Vincent HuModerator quinta-feira, 7 de junho de 2012 01:42 (From:Hyper-V)
Todas as Respostas
-
quinta-feira, 7 de junho de 2012 15:08
Drive mappings exist in the User Security space, not the machine / computer security space.
If the VM is running on the machine where the SMB share is - are the drive mapping configured as an UNC path? They should be.
Jose from teh Windows Storage team has lots of blogs posts about setting up the permissions for Hyper-V and an SMB share. This all applies even if your VM is looping back to a share on the host where it runs - you need to think of this as still a remote share.
And Ben talks about how it actually works:
Also big overall of the SMB share here:
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.
Disclaimer: Attempting change is of your own free will. -
quarta-feira, 20 de junho de 2012 20:26Thanks for the response... I rebuilt my lab with the latest version of server 2012 and will be trying again. I know past apps and functions behaved funny when trying to use a locally mapped UNC path - now I have a central share on a 3rd server and the RC version of 2012 - so I am able remove many of the variables i had before.
-
quinta-feira, 21 de junho de 2012 15:26
OK, so new architecture but still having some permission issue that i can't figure out... already looked at test case link which has permissions to apply - nothing magic there - but I still get an error trying to move a VM from hyperv-1 to hyperv-2 when VM is on SMB share.
3 physical machines - DC with an smb share, 2 physical Hyper-V servers that are member servers. Trying to move VM (running or not) from Hyperv-1 to HyperV-2 i get the following error:
Virtual Machine migration operation failed at migration destination. Failed to create planned Virtual Machine at migration destination. Failed to create external configuration store at '\\dc1\test': General access deined error. (0x80070005).
The error is repeated for the name of the VM and for the domain admin. Permissions on share and folder are full control for everyone, and the machine accounts.
Anyone have any ideas? Live migration between machines works fine on local storage.
- Marcado como Resposta ChromeDome00 sábado, 23 de junho de 2012 11:34
- Não Marcado como Resposta ChromeDome00 sábado, 23 de junho de 2012 11:34
-
sábado, 23 de junho de 2012 11:36
OK, I solved the problem. Hopefully this will help someone else:
Need to add the computer account with the share as a delegate for the 2 hyper-v machines in ADUC - just as was done to allow live migration between machines. Once DC1 was added - all worked.
- Marcado como Resposta ChromeDome00 sábado, 23 de junho de 2012 11:36
-
quinta-feira, 5 de julho de 2012 16:51
Hi Chrome,
Please can you give us more details how did you made the delegation ?
Thanks
Regards, Samir Farhat Infrastructure Consultant
-
segunda-feira, 15 de outubro de 2012 22:07
I think this is what was done:
http://technet.microsoft.com/en-us/library/jj134187.aspx#BKMK_Step1
Using constrained delegation
When using Hyper-V Manager from a computer running Windows Server 2012 to manage virtual machines on another computer running Windows Server 2012, you may experience an error that says access to an SMB file share is denied. Typically, this is because you need delegation rights to use your credentials to access the remote share on another computer. This is a security feature that prevents a user from gaining access to a computer in your network for the purpose of performing actions on other computers in your network. To address this issue, you have two choices:
Option 1: Use Remote Desktop. Use Remote Desktop to access the computer and run Hyper-V Manager directly on that computer.
Option 2: Configure constrained delegation. You can change the properties of the computer account in Active Directory Users and Computers to allow delegation. When enabled, constrained delegation gives you the ability to use a specific SMB remote file share without requiring you to perform an action on any computer. Constrained delegation tells Active Directory Users and Computers that between two computers, (in this case, the Hyper-V server and the SMB file server), and for specific services, (in this case, SMB), it is allowed to re-issue access to the resources.
To configure constrained delegation, for each server running Hyper-V, perform the following procedure:
-
In Active Directory Users and Computers, click to open Properties for the computer account, and then click to open the Delegation tab.
-
Select both Trust this computer for delegation to the specified services only and Use Kerberos only.
-
Click Add, and provide the name of the SMB file server (or the Cluster Access Point for a Scale-Out File Server).
-
Select the CIFS service. Note that Common Internet File System (CIFS) is the previous name for SMB.
-
On the SMB file share created for virtual machines, add Full Control permissions for the Hyper-V Administrators.
Cheers, Patrick McMahon
-
.png)
