Kerberos Enabled VM Migration

Purpose: If you want to live-migrate guest VMs in a Hyper-V environment that is not clustered as a Hyper-V Failover Cluster, you will run into permission issues. One way to work around this is to use CredSSP as the authentication mechanism, which is not ideal but useful in a pinch; the other is to use Kerberos-based authentication.

This document will cover both scenarios.

  • Log into a domain controller that both Hyper-V hosts are capable of communicating with
  • Open "Server Manager > Tools > Active Directory Users & Computers"
  • Locate the computer objects representing both of the Hyper-V servers and repeat the steps below for each Hyper-V computer object:
    • Right-Click > "Properties"
    • Click on the "Delegation" Tab
    • Select the radio button for the option "Trust this computer for delegation to specified services only."
      • Ensure that "Use Kerberos only" is selected
    • Click on the "Add" button
    • Click the "Users or Computers..." button
      • Within the object search field, type in the name of the Hyper-V server you want to delegate access to (this will be the opposite host, e.g. VIRT-NODE-02; repeat these steps later to delegate access for VIRT-NODE-01, etc.)
    • You will see a list of services that you can allow delegation to, add the following services:
      • cisvc
      • mcsvc
      • Virtual Machine Migration Service
      • Microsoft Virtualization Console
    • Click the "Apply" button, then click the "OK" button to finalize these changes.
    • Repeat the above steps for the opposite Hyper-V host. This way both hosts are delegated to each other
      • e.g. VIRT-NODE-01 <---(delegation)---> VIRT-NODE-02
  • Log into both Hyper-V hosts as the same administrative user, preferably a domain administrator
  • From the Hyper-V host currently running the guest VM that needs to be migrated, open Hyper-V Manager, right-click the guest VM and select "Move".
  • Select the destination by providing the fully-qualified domain name of the destination server (or in some cases the shorthand hostname of the destination server)
  • It should begin the migration process.

Note: Do not perform a "Pull" from source to the destination. You want to always "Push" the VM to its destination. It will generally fail if you try to "Pull" the VM to its destination due to the way that CredSSP works in this context.
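
To confirm the result of the delegation steps above, the following PowerShell check is an added example and not part of the original document. It assumes the RSAT ActiveDirectory module is installed and uses the page's example host names; Get-SpnHost is a hypothetical helper name.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$hvHosts = 'VIRT-NODE-01', 'VIRT-NODE-02'   # the page's example host names

function Get-SpnHost {
    # Hypothetical helper: short host name from an SPN like "service/host.domain.tld:port".
    param([string]$Spn)
    $target = ($Spn -split '/', 2)[1]
    if (-not $target) { return $null }
    (($target -split '[:/]')[0] -split '\.')[0].ToUpperInvariant()
}

$report = foreach ($name in $hvHosts) {
    $c = Get-ADComputer -Identity $name -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs this host may delegate to (what the "Delegation" tab lists).
    $spns  = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $peers = @($hvHosts | Where-Object { $_ -ne $name } | ForEach-Object { $_.ToUpperInvariant() })

    # Targets on any machine other than the opposite Hyper-V host exceed the procedure.
    $unexpected = @($spns | Where-Object { (Get-SpnHost $_) -notin $peers })

    [pscustomobject]@{
        Host              = $c.Name
        Unconstrained     = [bool]$c.TrustedForDelegation        # expect False
        AnyAuthProtocol   = [bool]$c.TrustedToAuthForDelegation  # expect False ("Use Kerberos only")
        DelegatedSpns     = $spns.Count                          # expect > 0
        UnexpectedTargets = $unexpected -join '; '               # expect empty
        Pass              = (-not $c.TrustedForDelegation) -and
                            (-not $c.TrustedToAuthForDelegation) -and
                            ($spns.Count -gt 0) -and ($unexpected.Count -eq 0)
    }
}

$report | Format-Table -AutoSize -Wrap
```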