Configure Delegation for Live Migration (using Kerberos)


Hyper-V 2012 R2 offers Live Migration; the ability to move a running VM (and it’s storage) between one Hyper-V host and another. Which you can just to enable the Live Migration feature on the Hyper-V Server settings on each host, the migration must be initiated from the Hyper-V host currently hosting the VM. In order to initiate the Live Migration from any host to any host delegated rights must be provided in Active Directory to each target host.

In this example I have four Hyper-V hosts; svr-hyperv1, svr-hyperv2, svr-hyperv3 and svr-hyperv4.

Initial Live Migration Configuration

Log on as Domain Administrator to each Hyper-V 2012 R2 host that is to participate in Live Migrations.

Open the Hyper-V console, right click the Hyper-V server name, select Hyper-V Settings and Live Migrations 


Check the option “Enable incoming and outgoing live migrations”

Expand the Advanced Features, select option: “Use Kerberos” (leave all other defaults)


Repeat steps 1-4 for each Hyper-V host.

Active Directory Delegation

Log on to Active Directory users and Computers as a domain admin.

Open the properties of one of the Hyper-V hosts e.g. svr-hyperv1 and select the delegation tab. By default all computers are not trusted for delegation:


Select option “Trust this computer for delegation to specified services only and select “use kerberos only”


Click the “Add” button to add the permitted services.

Click “Users or Computers” and select the other Hyper-V hosts e.g. svr-hyperv2, svr-hyperv3 and svr-hyperv4 and click OK.

In the Add Services screen select cifs and Microsoft Virtual System Migration Service. Click OK twice to exit to ADUC.

Repeat this for svr-hyperv2 (delagating to svr-hyperv1, svr-hyperv3 and svr-hyperv4), svr-hyperv3 (delagating to svr-hyperv1, svr-hyperv2 and svr-hyperv4) and svr-hyperv4 (delagating to svr-hyperv1, svr-hyperv2 and svr-hyperv3).


Disclaimer: provided “AS IS” with no warranties and confer no rights