sglee
 asked on

Enabling replication failed in Hyper-V

[Screenshots: Replication Error; Replication Configuration; Firewall Inbound Rules]

Hi,
 I have two Hyper-V servers - W2012 (running Windows Server 2012, 192.168.1.139) & W2016 (running Windows Server 2016, 192.168.1.145) on the same network.  When I select the VM on W2012 and go through replication, I get an error.
(1) I can ping W2016 from W2012 and ping W2012 from W2016.
(2) Both Hyper-V servers are "Enabled as a Replica server" using "Kerberos port 80" and chose "Allow replication from any authenticated server".
(3) I tried to replicate the VM in W2016 onto W2012, but it failed because I could not replicate 2016 VM to older version of HyperV.
(4) So I tried to replicate the VM in W2012 onto W2016, but I am getting this error. (please see the screenshot).
(5) On both Hyper-V servers, I enabled "Hyper-V Replicate HTTP and HTTPS Listeners" and rebooted the servers.
(6) Both Hyper-V servers have the same administrator password.


What can I do?
Windows 10, Hyper-V, Azure, Windows Server 2012, Windows Server 2016

Last Comment
Ravi Kumar Atrey

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Ravi Kumar Atrey

Ravi Kumar Atrey

Can you please also share the event logs in detail?
sglee

ASKER
Currently both servers are not domain-joined. If that is a requirement, then I will join them to existing domain and try again.
I will report back.
McKnife

"If that is a requirement, then I will join them to existing domain and try again." - I suppose so, too. However, since you have an alternative, why use Kerberos at all? Use HTTPS - even better, since the data in transit will be encrypted. You will need a certificate for both replication partners that needs to be trusted at the other end. These certificates can be self-signed.
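
The HTTPS setup described in the comment above, as an added PowerShell example that is not part of the original thread. The host FQDNs, VM name, file paths and storage location are placeholders, and the function names are hypothetical.

```powershell
# Added example; host names and paths are placeholders, not values from the thread.
$Replica = 'w2016.example.local'   # assumed FQDN of the W2016 replica host

# Run on EACH host: create a self-signed certificate for the host's own FQDN
# and export its public part so it can be trusted on both hosts.
function New-ReplicaCert([string]$Fqdn, [string]$OutFile) {
    $cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My
    Export-Certificate -Cert $cert -FilePath $OutFile | Out-Null
    return $cert.Thumbprint
}

# Run on EACH host, once per .cer file (the partner's and the host's own),
# so that both certificates chain to a trusted root on both ends.
function Add-ReplicaTrust([string]$CerFile) {
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Run on the replica host: accept only certificate-authenticated replication on 443.
function Enable-HttpsReplica([string]$Thumbprint, [string]$StoragePath) {
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate `
        -CertificateAuthenticationPort 443 -CertificateThumbprint $Thumbprint `
        -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation $StoragePath
}

# Run on the primary host: replicate one VM over HTTPS using the primary's own certificate.
function Start-HttpsReplication([string]$VMName, [string]$Thumbprint) {
    Enable-VMReplication -VMName $VMName -ReplicaServerName $Replica -ReplicaServerPort 443 `
        -AuthenticationType Certificate -CertificateThumbprint $Thumbprint
    Start-VMInitialReplication -VMName $VMName
}

# Check on either host: VMs still listed as Kerberos replicate over plain HTTP.
function Get-UnencryptedReplication {
    Get-VMReplication | Where-Object { $_.AuthenticationType -eq 'Kerberos' } |
        Select-Object VMName, ReplicaServerName, AuthenticationType
}
```

Self-signed certificates carry no revocation information, so Hyper-V may refuse them until that is addressed; certificates issued by an internal CA that both hosts trust avoid the problem.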
Ravi Kumar Atrey

Yes, it's the requirement because it uses the Kerberos authentication.
SOLUTION
McKnife

Ravi Kumar Atrey

Hi McKnife,

Yes, it's true. You can use either Kerberos or a certificate, but the easiest way is to go with Kerberos, as the "Windows" security system works primarily on Kerberos, where the user must be authenticated and authorized on the network to perform the activity on the second server. Check the last summary in your given link:

Windows defaults we granted "Authenticated Users" group the following user right "Access this computer from the network." to both machines which resolved issue!

Even when replica starts, it carries the authentication token of the current user who is logged in or the user who has the Hyper-V administrator rights and with that token it tries to perform the replication on replica server.

Even with this error, if you check the event logs on the replica server, you will find the log below:

The user has not been granted the requested logon type at this machine

Now, on the question of having both nodes in a domain or not: it is always recommended to be in an AD domain, but if you don't want to put them in one, then the only way is to create users on both nodes with the same user ID and password, log in with that user and perform the replication. Even this way, "Kerberos" performs the action in the background.
McKnife

Please acknowledge: if you don't want to use unencrypted traffic, you cannot use kerberos!
sglee

ASKER
@Ravi
Yes, it works now after (1) joining both servers to the domain and (2) logging in as a domain admin on both servers.

Thank you.
McKnife

I will repeat once more: for secure replication traffic, we need encryption. If you use kerberos, the replication traffic is not secured. If you want that, just say, but don't leave it uncommented.
sglee

ASKER
@Philip,
 When I clicked "this blog post", I see "All content was migrated to GitHub" clickable link. When I clicked that link, it goes to https://github.com/vfedenko with no relevant information.
Philip Elder

I'll update my link and here is the page via GitHub.
McKnife

Before I quit: could you please confirm that encryption does not matter for your scenario?
sglee

ASKER
@McKnife
"encryption does not matter for your scenario?" --> Since both Hyper-V servers are on the same network in the same room, I do not believe it is necessary to use encryption.
Having said that, I think it is a good idea to use HTTPS method because it is more secure. I will try to replicate one VM using HTTPS to see how it works.
I will report back.
McKnife

Hm... I don't know what to make of that. WHY do you on one hand believe https is more secure and on the other you say you don't need encryption? So why would https be more secure if it wasn't for the encryption?
Ravi Kumar Atrey

That's good news.