none
Server 2012 (8 beta) Hyper-V live migration via SMB problem

    Question

  • I have 2 Hyper-V servers both joined to a domain and I can do live migration between them using local storage - works great. I wanted to try with an SMB share. So I created a share on one of the 2 HyperV servers (servers are 10.10.10.5 and 10.10.10.15) The share is located at \\10.10.10.15\smbshare - so on each server i mapped the Z drive to this. So yes, one hyper-V server has an SMB share and a drive mapped to intself. The VM is installed on 10.10.10.5 and was installed using drive  as the install location. VM starts and runs fine, but when i go to migrate just the VM - I get an error:

    '':  account does not have permission required to open attachment '\\10.10.10.15\smbshare\Win8Beta\Virtual Hard Disks\Win8Beta.vhdx'. Error: 'General access denied error' (0x80070005). (Virtual machine ID )

    Both machine accounts have full permissions on the share; Delegation for all protocols via Kerberos is set. Could this be due to my "loopback" share? I don't remember this in past versions of windows, but i think i confirmed it as i can't even create a new VM using the VHDX when i use this loopback share.

    Anyone know of a workaround? I Just have 2 physical servers for testing - I would never do this in production.

    See the end of this message for details on invoking
    just-in-time (JIT) debugging instead of this dialog box.

    ************** Exception Text **************
    Microsoft.Virtualization.Client.Management.ObjectNotFoundException: Hyper-V encountered an error trying to access an object on computer 'rdvh1' because the object was not found. The object might have been deleted, or you might not have permission to perform the task. Verify that the Virtual Machine Management service on the computer is running. If the service is running, try to perform the task again by using Run as Administrator.
       at Microsoft.Virtualization.Client.Management.View.GetRelatedObject[T](Association association, Boolean throwIfNotFound)
       at Microsoft.Virtualization.Client.Management.VMComputerSystemBaseView.get_Setting()
       at Microsoft.Virtualization.Client.Wizards.VMMove.MoveWizard.WizardActionFailed(Exception exception)
       at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
       at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


    ************** Loaded Assemblies **************
    mscorlib
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
    ----------------------------------------
    Microsoft.ManagementConsole
        Assembly Version: 3.0.0.0
        Win32 Version: 6.2.8250.0
        CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.ManagementConsole/3.0.0.0__31bf3856ad364e35/Microsoft.ManagementConsole.dll
    ----------------------------------------
    System
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
    ----------------------------------------
    MMCFxCommon
        Assembly Version: 3.0.0.0
        Win32 Version: 6.2.8250.0
        CodeBase: file:///C:/Windows/assembly/GAC_MSIL/MMCFxCommon/3.0.0.0__31bf3856ad364e35/MMCFxCommon.dll
    ----------------------------------------
    System.Configuration
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
    ----------------------------------------
    System.Xml
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
    ----------------------------------------
    System.Windows.Forms
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
    ----------------------------------------
    System.Drawing
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
    ----------------------------------------
    Microsoft.Virtualization.Client.VMBrowser
        Assembly Version: 6.2.0.0
        Win32 Version: 6.2.8250.0
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.VMBrowser/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.VMBrowser.dll
    ----------------------------------------
    System.Core
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
    ----------------------------------------
    Microsoft.Virtualization.Client.Management
        Assembly Version: 6.2.0.0
        Win32 Version: 6.2.8250.0
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.Management/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.Management.dll
    ----------------------------------------
    Microsoft.Virtualization.Client
        Assembly Version: 6.2.0.0
        Win32 Version: 6.2.8250.0 (winmain_win8beta.120217-1520)
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.dll
    ----------------------------------------
    System.Management
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Management/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Management.dll
    ----------------------------------------
    Microsoft.Virtualization.Client.Wizards
        Assembly Version: 6.2.0.0
        Win32 Version: 6.2.8250.0
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.Wizards/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.Wizards.dll
    ----------------------------------------
    Microsoft.Virtualization.Client.Settings
        Assembly Version: 6.2.0.0
        Win32 Version: 6.2.8250.0
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Microsoft.Virtualization.Client.Settings/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.Virtualization.Client.Settings.dll
    ----------------------------------------
    Accessibility
        Assembly Version: 4.0.0.0
        Win32 Version: 4.0.30319.17379 built by: FXBETAREL
        CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
    ----------------------------------------

    ************** JIT Debugging **************
    To enable just-in-time (JIT) debugging, the .config file for this
    application or computer (machine.config) must have the
    jitDebugging value set in the system.windows.forms section.
    The application must also be compiled with debugging
    enabled.

    For example:

    <configuration>
        <system.windows.forms jitDebugging="true" />
    </configuration>

    When JIT debugging is enabled, any unhandled exception
    will be sent to the JIT debugger registered on the computer
    rather than be handled by this dialog box.

    Thursday, June 07, 2012 12:18 AM

Answers

  • OK, I solved the problem. Hopefully this will help someone else:

    Need to add the computer account with the share as a delegate for the 2 hyper-v machines in ADUC - just as was done to allow live migration between machines. Once DC1 was added - all worked.

    • Marked as answer by ChromeDome00 Saturday, June 23, 2012 11:36 AM
    Saturday, June 23, 2012 11:36 AM

All replies

  • Drive mappings exist in the User Security space, not the machine / computer security space.

    If the VM is running on the machine where the SMB share is - are the drive mapping configured as an UNC path?  They should be.

    Jose from teh Windows Storage team has lots of blogs posts about setting up the permissions for Hyper-V and an SMB share.  This all applies even if your VM is looping back to a share on the host where it runs - you need to think of this as still a remote share.

    http://blogs.technet.com/b/josebda/archive/2012/03/06/windows-server-quot-8-quot-beta-test-cases-for-hyper-v-over-smb.aspx

    And Ben talks about how it actually works:

    http://blogs.msdn.com/b/virtual_pc_guy/archive/2012/03/14/how-does-storage-migration-actually-work.aspx

    Also big overall of the SMB share here:

    http://blogs.technet.com/b/josebda/archive/2012/05/18/updated-links-on-windows-server-2012-file-server-and-smb-3-0.aspx


    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

    Thursday, June 07, 2012 3:08 PM
  • Thanks for the response... I rebuilt my lab with the latest version of server 2012 and will be trying again.  I know past apps and functions behaved funny when trying to use a locally mapped UNC path - now I have a central share on a 3rd server and the RC version of 2012 - so I am able remove many of the variables i had before.
    Wednesday, June 20, 2012 8:26 PM
  • OK, so new architecture but still having some permission issue that i can't figure out... already looked at test case link which has permissions to apply - nothing magic there - but I still get an error trying to move a VM from hyperv-1 to hyperv-2 when VM is on SMB share.

    3 physical machines - DC with an smb share, 2 physical Hyper-V servers that are member servers. Trying to move VM (running or not) from Hyperv-1 to HyperV-2 i get the following error:

    Virtual Machine migration operation failed at migration destination. Failed to create planned Virtual Machine at migration destination. Failed to create external configuration store at '\\dc1\test': General access deined error. (0x80070005).

    The error is repeated for the name of the VM and for the domain admin. Permissions on share and folder are full control for everyone, and the machine accounts.

    Anyone have any ideas? Live migration between machines works fine on local storage.

    • Marked as answer by ChromeDome00 Saturday, June 23, 2012 11:34 AM
    • Unmarked as answer by ChromeDome00 Saturday, June 23, 2012 11:34 AM
    Thursday, June 21, 2012 3:26 PM
  • OK, I solved the problem. Hopefully this will help someone else:

    Need to add the computer account with the share as a delegate for the 2 hyper-v machines in ADUC - just as was done to allow live migration between machines. Once DC1 was added - all worked.

    • Marked as answer by ChromeDome00 Saturday, June 23, 2012 11:36 AM
    Saturday, June 23, 2012 11:36 AM
  • Hi Chrome,

    Please can you give us more details how did you made the delegation ?

    Thanks


    Regards, Samir Farhat Infrastructure Consultant

    Thursday, July 05, 2012 4:51 PM
  • I think this is what was done:

    http://technet.microsoft.com/en-us/library/jj134187.aspx#BKMK_Step1 

    Using constrained delegation

    When using Hyper-V Manager from a computer running Windows Server 2012 to manage virtual machines on another computer running Windows Server 2012, you may experience an error that says access to an SMB file share is denied. Typically, this is because you need delegation rights to use your credentials to access the remote share on another computer. This is a security feature that prevents a user from gaining access to a computer in your network for the purpose of performing actions on other computers in your network. To address this issue, you have two choices:

    Option 1: Use Remote Desktop. Use Remote Desktop to access the computer and run Hyper-V Manager directly on that computer.

    Option 2: Configure constrained delegation. You can change the properties of the computer account in Active Directory Users and Computers to allow delegation. When enabled, constrained delegation gives you the ability to use a specific SMB remote file share without requiring you to perform an action on any computer. Constrained delegation tells Active Directory Users and Computers that between two computers, (in this case, the Hyper-V server and the SMB file server), and for specific services, (in this case, SMB), it is allowed to re-issue access to the resources.

    To configure constrained delegation, for each server running Hyper-V, perform the following procedure:

    1. In Active Directory Users and Computers, click to open Properties for the computer account, and then click to open the Delegation tab.

    2. Select both Trust this computer for delegation to the specified services only and Use Kerberos only.

    3. Click Add, and provide the name of the SMB file server (or the Cluster Access Point for a Scale-Out File Server).

    4. Select the CIFS service. Note that Common Internet File System (CIFS) is the previous name for SMB.

    5. On the SMB file share created for virtual machines, add Full Control permissions for the Hyper-V Administrators.


    Cheers, Patrick McMahon

    Monday, October 15, 2012 10:07 PM