sglee

asked on

Enabling replication failed in Hyper-V

Hi,
I have two Hyper-V servers, W2012 (running Windows Server 2012, 192.168.1.139) and W2016 (running Windows Server 2016, 192.168.1.145), on the same network. When I select the VM on W2012 and go through replication, I get an error.
(1) I can ping W2016 from W2012 and ping W2012 from W2016.
(2) Both Hyper-V servers are "Enabled as a Replica server" using "Kerberos port 80", and I chose "Allow replication from any authenticated server".
(3) I tried to replicate the VM in W2016 onto W2012, but it failed because I could not replicate a 2016 VM to an older version of Hyper-V.
(4) So I tried to replicate the VM in W2012 onto W2016, but I am getting this error. (Please see the screenshot.)
(5) On both Hyper-V servers, I enabled "Hyper-V Replicate HTTP and HTTPS Listeners" and rebooted the servers.
(6) Both Hyper-V servers have the same administrator password.


What can I do?
ASKER CERTIFIED SOLUTION
Ravi Kumar Atrey
This solution is only available to members.
Can you please also share the event logs in detail?
sglee

ASKER

Currently both servers are not domain-joined. If that is a requirement, then I will join them to existing domain and try again.
I will report back.
"If that is a requirement, then I will join them to existing domain and try again." - I suppose so, too. However, since you have an alternative, why use Kerberos at all? Use HTTPS - even better, since the data in transit will be encrypted. You will need a certificate for both replication partners that needs to be trusted at the other end. These certificates can be self-signed.
Yes, it's the requirement because it uses Kerberos authentication.
SOLUTION
Hi McKnife,

Yes, it's true. You can either use Kerberos or use a certificate, but the easiest way is to go with Kerberos, as the "Windows" security system works primarily on Kerberos, where the user must be authenticated and authorized on the network to perform the activity on the second server. Check the last summary in your given link:

Windows defaults we granted "Authenticated Users" group the following user right "Access this computer from the network." to both machines which resolved issue!

Even when replica starts, it carries the authentication token of the current user who is logged in or the user who has the Hyper-V administrator rights and with that token it tries to perform the replication on replica server.

Even when this error occurs, if you check the event logs on the replica server, you will find the log below:

The user has not been granted the requested logon type at this machine

Now, as to the question of having both nodes in a domain or not: it is always recommended to be in an AD domain, but if you don't want to put them there, then the only way is to create users on both nodes with the same user ID and password, log in with that user and perform the replication. Even this way, "Kerberos" performs the action in the background.
Please acknowledge: if you don't want to use unencrypted traffic, you cannot use Kerberos!
sglee

ASKER

@Ravi
Yes, it works now after (1) joining both servers to the domain and (2) logging in as a domain admin on both servers.

Thank you.
I will repeat once more: for secure replication traffic, we need encryption. If you use Kerberos, the replication traffic is not secured. If you want that, just say, but don't leave it uncommented.
SOLUTION
sglee

ASKER

@Philip,
When I clicked "this blog post", I see an "All content was migrated to GitHub" clickable link. When I clicked that link, it goes to https://github.com/vfedenko with no relevant information.
I'll update my link and here is the page via GitHub.
Before I quit: could you please confirm that encryption does not matter for your scenario?
sglee

ASKER

@McKnife
"encryption does not matter for your scenario?" --> Since both Hyper-V servers are on the same network in the same room, I do not believe it is necessary to use encryption.
Having said that, I think it is a good idea to use the HTTPS method because it is more secure. I will try to replicate one VM using HTTPS to see how it works.
I will report back.
Hm... I don't know what to make of that. WHY do you on one hand believe https is more secure and on the other you say you don't need encryption? So why would https be more secure if it wasn't for the encryption?
That's good news.
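
Added example, not part of the thread or any participant's post: a PowerShell audit for the point debated above, that Kerberos replication runs over HTTP (port 80 in this setup) without encryption, while certificate-based replication uses HTTPS. The function name `Test-ReplicaTransport`, the finding text and the sample objects are constructed for illustration; the property names are assumed to match what `Get-VMReplicationServer` and `Get-VMReplication` return.

```powershell
# Added example: flag Hyper-V Replica settings that send replication data unencrypted.
# Test-ReplicaTransport is a hypothetical helper, not a Hyper-V module cmdlet.
function Test-ReplicaTransport {
    param(
        [Parameter(Mandatory)] $ServerConfig,   # object from Get-VMReplicationServer
        [object[]] $Relationships = @()         # objects from Get-VMReplication
    )
    $findings = @()
    if ($ServerConfig.ReplicationEnabled) {
        # 'Kerberos' and 'CertificateAndKerberos' both keep the HTTP listener open.
        if ("$($ServerConfig.AllowedAuthenticationType)" -match 'Kerberos') {
            $findings += "Replica server accepts Kerberos over HTTP port " +
                "$($ServerConfig.KerberosAuthenticationPort): data in transit is not encrypted"
        }
        # Corresponds to 'Allow replication from any authenticated server' in the GUI.
        if ($ServerConfig.ReplicationAllowedFromAnyServer) {
            $findings += 'Replica server allows replication from any authenticated server'
        }
    }
    foreach ($r in $Relationships) {
        # Per-VM relationships that were enabled with Kerberos authentication.
        if ("$($r.AuthenticationType)" -eq 'Kerberos') {
            $findings += "VM '$($r.VMName)' replicates to " +
                "$($r.ReplicaServerName):$($r.ReplicaServerPort) over Kerberos/HTTP"
        }
    }
    $findings
}

# Constructed sample objects mirroring the setup described in the question.
$sampleServer = [pscustomobject]@{
    ReplicationEnabled              = $true
    AllowedAuthenticationType       = 'Kerberos'
    KerberosAuthenticationPort      = 80
    ReplicationAllowedFromAnyServer = $true
}
$sampleRelationship = [pscustomobject]@{
    VMName             = 'VM1'      # constructed VM name
    ReplicaServerName  = 'W2016'
    ReplicaServerPort  = 80
    AuthenticationType = 'Kerberos'
}
Test-ReplicaTransport -ServerConfig $sampleServer -Relationships $sampleRelationship

# On a Hyper-V host, audit the live configuration instead:
# Test-ReplicaTransport -ServerConfig (Get-VMReplicationServer) -Relationships (Get-VMReplication)
```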