Enabling replication failed in Hyper-V

sglee
Hi,
I have two Hyper-V servers - W2012 (running Windows Server 2012, 192.168.1.139) & W2016 (running Windows Server 2016, 192.168.1.145) on the same network. When I select the VM on W2012 and go through replication, I get an error.
(1) I can ping W2016 from W2012 and ping W2012 from W2016.
(2) Both Hyper-V servers are "Enabled as a Replica server" using "Kerberos port 80" and chose "Allow replication from any authenticated server".
(3) I tried to replicate the VM in W2016 onto W2012, but it failed because I could not replicate a 2016 VM to an older version of Hyper-V.
(4) So I tried to replicate the VM in W2012 onto W2016, but I am getting this error (please see the screenshot).
(5) On both Hyper-V servers, I enabled "Hyper-V Replicate HTTP and HTTPS Listeners" and rebooted the servers.
(6) Both Hyper-V servers have the same administrator password.


What can I do?
Cloud Specialist - Azure
Commented:
Hi,

I hope both servers are members of an AD domain, and replication should be done with a domain admin account which should have local administrator permissions.

This issue moreover looks like a Kerberos permission issue.

Please check and confirm.
Ravi Kumar Atrey, Cloud Specialist - Azure

Commented:
can you please also share the event logs in detail?

Author

Commented:
Currently both servers are not domain-joined. If that is a requirement, then I will join them to existing domain and try again.
I will report back.

Distinguished Expert 2018

Commented:
"If that is a requirement, then I will join them to existing domain and try again." - I suppose so, too. However, since you have an alternative, why use kerberos at all, use https. - even better, since the data in transit will be encrypted. You will need a certificate for both replication partners that needs to be trusted at the other end. These certificates can be self-signed.
Ravi Kumar Atrey, Cloud Specialist - Azure

Commented:
Yes, it's the requirement because it uses the Kerberos authentication.
Distinguished Expert 2018
Commented:
I wouldn't be that sure that domain membership is required for kerberos, since kerberos does work without being a domain member.
Anyway:

1 there is an alternative
2 the alternative (https) is better, because it's encrypted
3 kerberos auth. can be a pain to setup (see https://blogs.technet.microsoft.com/davguents_blog/2013/02/06/the-case-of-the-unexplained-windows-server-2012-replica-kerberos-error-0x8009030c-0x00002efe/ )
Ravi Kumar Atrey, Cloud Specialist - Azure

Commented:
Hi McKnife,

Yes, it's true. Either you can use Kerberos or use a certificate, but the easiest way is to go with Kerberos, as the "Windows" security system works primarily on Kerberos, where the user must be authenticated and authorized on the network to perform the activity on the second server. Check the last summary in your given link:

Windows defaults we granted "Authenticated Users" group the following user right "Access this computer from the network." to both machines which resolved issue!

Even when replica starts, it carries the authentication token of the current user who is logged in or the user who has the Hyper-V administrator rights and with that token it tries to perform the replication on replica server.

Even when this error occurred, if you check the event logs on the replica server, you will find the below log:

The user has not been granted the requested logon type at this machine

Now, on the question of having both nodes in the domain or not: it is always recommended to be in an AD domain, but if you don't want to put them in, then the only way is to create users on both nodes with the same user id and password, log in with that user and perform the replication. Even this way, in the background "Kerberos" performs the action.
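The checks Ravi describes (the "requested logon type" denial in the replica's event logs and the "Access this computer from the network" user right) can be run from an elevated PowerShell on the replica server. The script below is an added example, not code from any of the posters; the temporary export path is an assumption. It pulls Security event 4625 entries whose status is 0xC000015B (the "not granted the requested logon type" failure), lists recent replication errors from the Hyper-V VMMS admin channel, and exports the local security policy to confirm whether Authenticated Users (SID S-1-5-11) holds SeNetworkLogonRight.

```powershell
# Added example (not from any poster): run on the REPLICA server in an elevated PowerShell.

# 1. Logon-type denials. Security event 4625 with Status 0xC000015B is
#    "The user has not been granted the requested logon type at this machine".
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xC000015B' } |
    Select-Object TimeCreated,
        # The 4625 message lists "Account Name:" twice; the last one is the account that failed.
        @{ n = 'Account'; e = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'Account Name:' })[-1].Trim() } },
        @{ n = 'Source';  e = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'Source Network Address:' })[0].Trim() } }
"Logon-type denials in the last 500 failed logons: $(@($denied).Count)"
$denied | Format-Table -AutoSize

# 2. Hyper-V's own replication errors are written to the VMMS admin channel.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; Level = 2 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'replic' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Who holds "Access this computer from the network" (SeNetworkLogonRight)?
#    secedit exports user rights as a list of SIDs; S-1-5-11 is Authenticated Users.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Get-Content $cfg | Where-Object { $_ -like 'SeNetworkLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($right -match 'S-1-5-11') {
    'Authenticated Users holds SeNetworkLogonRight (network logon allowed).'
} else {
    "Authenticated Users is NOT in SeNetworkLogonRight. Current value: $right"
}
```

If step 3 reports that Authenticated Users is missing, that matches the fix summarised in the linked blog; if step 1 shows denials for the account the primary server connects as, the replica is rejecting the network logon before Hyper-V ever gets to authorize the replication.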
Distinguished Expert 2018

Commented:
Please acknowledge: if you don't want to use unencrypted traffic, you cannot use kerberos!

Author

Commented:
@Ravi
Yes, it works now after (1) joining both servers to the domain and (2) logging in as a domain admin on both servers.

Thank you.
Distinguished Expert 2018

Commented:
I will repeat once more: for secure replication traffic, we need encryption. If you use kerberos, the replication traffic is not secured. If you want that, just say, but don't leave it uncommented.
Philip Elder, Technical Architect - HA/Compute/Storage
Commented:
Kerberos does indeed require the replica partners be domain joined and Constrained Delegation set up to make things easier to implement.

Since all of our standalone hosts are never joined to the guest domain we always use HTTPS with self-issued certificates.

Use this blog post to get that going as it outlines some of the "hidden gems" the documentation seemed to miss the last time we had to do this.
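McKnife's suggestion (HTTPS with self-signed certificates trusted at the other end) and Philip's standalone-host setup can be scripted end to end. The block below is an added example, not code from any poster or from the linked blog post; the host names W2012 and W2016 come from the question, while the VM name, storage path, certificate export path and the use of port 443 are assumptions. It creates a self-signed certificate on each host, makes each host trust the other's certificate, switches the replica server to certificate authentication, opens only the HTTPS listener, enables replication for one VM, and finally audits every replication relationship for its AuthType so that any VM still replicating over Kerberos (which McKnife notes is unencrypted) stands out.

```powershell
# Added example (not from any poster or the linked blog). Run elevated on each host as indicated.
# Hyper-V Replica needs a certificate with Server and Client Authentication EKUs whose
# subject matches the name the partner uses to reach the host; New-SelfSignedCertificate
# issues both EKUs by default.

# ---------- On EACH host (shown for the replica W2016; repeat with 'W2012' on the primary) ----------
$hostName = 'W2016'                                  # use 'W2012' when running on the primary
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'
$cerPath = "C:\temp\$hostName.cer"                   # assumed export path
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
# Copy <host>.cer to the partner and import it there into Trusted Root, and import the
# partner's .cer here the same way, so each side trusts the other's self-signed cert:
#   Import-Certificate -FilePath 'C:\temp\W2012.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'

# Self-signed certs have no CRL; Hyper-V Replica fails the revocation check unless it is
# disabled on BOTH hosts (documented Hyper-V Replica setting for certificate deployments).
$replKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
New-Item -Path $replKey -Force | Out-Null
Set-ItemProperty -Path $replKey -Name 'DisableCertRevocationCheck' -Value 1 -Type DWord

# ---------- On the REPLICA host (W2016) ----------
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $cert.Thumbprint `
    -ReplicationAllowedFromAnyServer $true `
    -DefaultStorageLocation 'D:\HyperVReplica'       # assumed path
# Open only the HTTPS listener (TCP 443); the plaintext HTTP listener (TCP 80) stays closed.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener*'

# ---------- On the PRIMARY host (W2012) ----------
$primaryCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq 'CN=W2012' } | Select-Object -First 1
Enable-VMReplication -VMName 'TestVM' `                # assumed VM name
    -ReplicaServerName 'W2016' -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $primaryCert.Thumbprint
Start-VMInitialReplication -VMName 'TestVM'

# ---------- Audit (either host): anything with AuthType Kerberos is replicating in the clear ----------
Get-VMReplication |
    Select-Object VMName, Mode, AuthType, ReplicaServerName, ReplicaServerPort, State, Health |
    Format-Table -AutoSize
```

The order matters: both Trusted Root imports and the revocation-check setting must be in place before Enable-VMReplication runs, otherwise the primary's TLS handshake to the replica is rejected with a certificate error rather than the logon-type error discussed above.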

Author

Commented:
@Philip,
When I clicked "this blog post", I see an "All content was migrated to GitHub" clickable link. When I clicked that link, it goes to https://github.com/vfedenko with no relevant information.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
I'll update my link and here is the page via GitHub.
Distinguished Expert 2018

Commented:
Before I quit: could you please confirm that encryption does not matter for your scenario?

Author

Commented:
@McKnife
"encryption does not matter for your scenario?" --> Since both Hyper-V servers are on the same network in the same room, I do not believe it is necessary to use encryption.
Having said that, I think it is a good idea to use the HTTPS method because it is more secure. I will try to replicate one VM using HTTPS to see how it works.
I will report back.
Distinguished Expert 2018

Commented:
Hm... I don't know what to make of that. WHY do you on one hand believe https is more secure and on the other you say you don't need encryption? So why would https be more secure if it wasn't for the encryption?
Ravi Kumar Atrey, Cloud Specialist - Azure

Commented:
That's good news.