PowerShell: Kerberos Constrained Delegation for Hyper-V Live Migration

Posted on 2013/07/19 by rcmtech

If you want to use Move-VM to live migrate a Hyper-V VM from one host to another then you need to allow the source host to access the destination host to push the VM at it. The preferred way of doing this is by configuring Kerberos Constrained Delegation.

Step one is to ensure that all your hosts are set to use Kerberos as the authentication protocol for Hyper-V Live Migrations. Step two is to add the KCD settings to the hosts’ Active Directory object Delegation settings.

This script does both of the above for all Hyper-V hosts in the specified OU. If you add more hosts to the OU, just run this script again – it won’t complain nor will you end up with multiple KCD entries.

$OU = [ADSI]"LDAP://OU=Hyper-V Hosts,OU=Servers,DC=rcmtech,DC=co,DC=uk"
$DNSSuffix = "rcmtech.co.uk"
$Computers = @{} # Hash table

foreach ($child in $OU.PSBase.Children){
   # add each computer in the OU to the hash table
   if ($child.ObjectCategory -like '*computer*'){
      $Computers.Add($child.Name.Value, $child.distinguishedName.Value)
   }
}

# Process each AD computer object in the OU in turn
foreach ($ADObjectName in $Computers.Keys){
   Write-Host $ADObjectName
   Write-Host "Enable VM Live Migration"
   Enable-VMMigration -ComputerName $ADObjectName
   Write-Host "Set VM migration authentication to Kerberos"
   Set-VMHost -ComputerName $ADObjectName -VirtualMachineMigrationAuthenticationType Kerberos
   Write-Host "Processing KCD for AD object"
   # Add delegation to the current AD computer object for each computer in the OU
   foreach ($ComputerName in $Computers.Keys){
      Write-Host (" Processing "+$ComputerName+", added ") -NoNewline
      $ServiceString = "cifs/"+$ComputerName+"."+$DNSSuffix,"cifs/"+$ComputerName
      Set-ADObject -Identity $Computers.$ADObjectName -Add @{"msDS-AllowedToDelegateTo" = $ServiceString}
      Write-Host ("cifs") -NoNewline
      $ServiceString = "Microsoft Virtual System Migration Service/"+$ComputerName+"."+$DNSSuffix,"Microsoft Virtual System Migration Service/"+$ComputerName
      Set-ADObject -Identity $Computers.$ADObjectName -Add @{"msDS-AllowedToDelegateTo" = $ServiceString}
      Write-Host (", Microsoft Virtual System Migration Service")
   }
}
This entry was posted in Hyper-V, PowerShell and tagged , , , , , , , , . Bookmark the permalink.

3 Responses to PowerShell: Kerberos Constrained Delegation for Hyper-V Live Migration

  1. Pingback: PowerShell: Live migration of all VMs from one host to another | Robin CM's IT Blog

  2. Rudi says:
    2014/03/18 at 11:02

    You are a Biscuit! Thanks
    Note that on HyperV 2012 R2 you do get some errors “Set-VMHost : No changes were made to the host because no parameters were specified.”
    and on HyperV 2012 (i think) Warning “Live migrations of virtual machines cannot be sent to the destination host because no migration networks are specified ”

    But the tedious part of KCD still works!

    Like

    Reply

  3. Pingback: Configure Shared-nothing & Hyper-V 2016 Replica – EdwinLaguniJr

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.