Enabling replication failed in Hyper-V

Replication ErrorReplication ConfigurationFirewall Inbound RulesHi,
 I have two Hyper-V servers - W2012 (running Windows Server 2012, & W2016 (running Windows Server 2016, on the same network.  When I select the VM on W2012 and go thru replication, I get an error.
(1) I can ping W2016 from W2012 and ping W2012 from W2016.
(2) Both Hyper-V servers are "Enabled as a Replica server" using "Kerberos port 80" and chose "Allow replication from any authenticated server".
(3) I tried to replicate the VM in W2016 onto W2012, but it failed because I could not replicate 2016 VM to older version of HyperV.
(4) so I tried to replicate the VM in W2012 onto W2016, but I am getting this error. (please see the screenshot).
(5) On both Hyper-V servers, I enabled "Hyper-V Replicate HTTP and HTTPS Listeners" and rebooted the servers.
(6) Both Hyper-V servers have the same administrator password.

What can I do?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ravi Kumar AtreyCloud Specialist- AzureCommented:

I hope both servers are a member of AD domain and replication should be done with a domain admin account which should have local administrator permissions.

This issue more over looks like kerberos permission issue.

Please check and confirm.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ravi Kumar AtreyCloud Specialist- AzureCommented:
can you please also share the event logs in detail?
sgleeAuthor Commented:
Currently both servers are not domain-joined. If that is a requirement, then I will join them to existing domain and try again.
I will report back.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

"If that is a requirement, then I will join them to existing domain and try again." - I suppose so, too. However, since you have an alternative, why use kerberos at all, use https. - even better, since the data in transit will be encrypted. You will need a certificate for both replication partners that needs to be trusted at the other end. These certificates can be self-signed.
Ravi Kumar AtreyCloud Specialist- AzureCommented:
Yes, its the requirement because it uses the Kerberos authentication.
I wouldn't be that sure that domain membership is required for kerberos, since kerberos does work without being a domain member.

1 there is an alternative
2 the alternative (https) is better, because it's encrypted
3 kerberos auth. can be a pain to setup (see https://blogs.technet.microsoft.com/davguents_blog/2013/02/06/the-case-of-the-unexplained-windows-server-2012-replica-kerberos-error-0x8009030c-0x00002efe/ )
Ravi Kumar AtreyCloud Specialist- AzureCommented:
Hi McKnife,

Yes its true. Either you can use kerberos or use certificate but the easiest way to go with kerberos as "Windows" security system works primarily on Kerberos where user must be authenticated and authorized on network to perform the activity on second server. Check the last summary in your given link:

Windows defaults we granted "Authenticated Users" group the following user right "Access this computer from the network." to both machines which resolved issue!

Even when replica starts, it carries the authentication token of the current user who is logged in or the user who has the Hyper-V administrator rights and with that token it tries to perform the replication on replica server.

Even with this error occurred if you check the even logs on replica server, you will find below log:

The user has not been granted the requested logon type at this machine

Now question of having both nodes in domain or not then it is always recommended to be in AD domain but if you don't want to put them then the only way to create users on both nodes with same user id and password and login with that user and perofrm the replication. Even with this way, in background "Kerberos" perform the action.
Please acknowledge: if you don't want to use unencrypted traffic, you cannot use kerberos!
sgleeAuthor Commented:
Yes it works now after (1)  joining both servers to the domain and (2) logging in a domain admin on both server.

Thank you.
I will repeat once more: for secure replication traffic, we need encryption. If you use kerberos, the replication traffic is not secured. If you want that, just say, but don't leave it uncommented.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Kerberos does indeed require the replica partners be domain joined and Constrained Delegation set up to make things easier to implement.

Since all of our standalone hosts are never joined to the guest domain we always use HTTPS with self-issued certificates.

Use this blog post to get that going as it outlines some of the "hidden gems" the documentation seemed to miss the last time we had to do this.
sgleeAuthor Commented:
 When I clicked "this blog post", I see "All content was migrated to GitHub" clickable link. What I clicked that link, it goes to https://github.com/vfedenko with no relevant information.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
I'll update my link and here is the page via GitHub.
Before I quit: could you please confirm that encryption does not matter for your scenario?
sgleeAuthor Commented:
"encryption does not matter for your scenario?" --> Since both Hyper-V servers are on the same network in the same room, I do not believe it is necessary to use encryption.
Having said that, I think it is ga ood idea to use HTTPS method because it is more secure. I will try to replicate one VM using HTTPS to see how it works.
I will report back.
Hm... I don't know what to make of that. WHY do you on one hand believe https is more secure and on the other you say you don't need encryption? So why would https be more secure if it wasn't for the encryption?
Ravi Kumar AtreyCloud Specialist- AzureCommented:
That's good news.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.