Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Cross-forest Shared Nothing Live Migration

Last week I had a very interesting case at a customer site, one I had previously thought was really easy to do. It is easy once you know how to deal with it, and before I forget it I will write it down now.

So what was the case?

I had a Windows Server 2012 Hyper-V Failover Cluster in an old AD domain that had to be migrated to a new AD domain and, at the same time, to Windows Server 2012 R2 Hyper-V without any downtime for the running workloads. Tough, isn't it?

What have I done to accomplish this scenario?

First I had to evict one or two nodes from the current Windows Server 2012 Hyper-V Failover Cluster to create the new Windows Server 2012 R2 Hyper-V Failover Cluster. It is the same step I always do when I migrate from Windows Server 2008 R2 Hyper-V to Windows Server 2012 Hyper-V or 2012 R2 Hyper-V and the hardware should be reused. Instead of using the Cluster Migration Wizard, which causes some downtime because the VM roles are taken offline on the old cluster and brought online on the new one, I took another route to meet the zero-downtime objective: Shared Nothing Live Migration. Now comes the tricky part. Shared Nothing Live Migration needs Kerberos authentication with constrained delegation if you want to initiate it from the remote management tools; with CredSSP you have to be logged on to the source Hyper-V host itself.

-> https://technet.microsoft.com/en-us/library/jj134199.aspx

But Kerberos constrained delegation between two different AD forests does not work even with a cross-forest trust, or, to put it differently, you cannot configure it: classic constrained delegation is limited to a single domain. I did a lot of research last week trying to get Kerberos authentication working for the Shared Nothing Live Migration, even with Resource-Based Kerberos Constrained Delegation, which you can configure between two AD forests with a cross-forest trust. I did not get the Shared Nothing Live Migration to work.

-> http://blogs.msdn.com/b/taylorb/archive/2012/11/07/live-migration-and-storage-migration-without-constrained-delegation-using-principalsallowedtodelegatetoaccount.aspx

A bit disappointed, I switched back to CredSSP and checked that the two accounts I was working with were in the local Administrators group on both Hyper-V hosts. From my point of view that should have worked without any issues. But trying to initiate a Shared Nothing Live Migration through Hyper-V Manager from the source Hyper-V host to the target Hyper-V host failed immediately. After trying again and again, my last hope was PowerShell. So I typed in Move-VM with all the required parameters and hit Enter. I expected to get the same error message straight away. To my surprise, the Shared Nothing Live Migration kicked in and migrated the VM to the target Hyper-V host in the new AD domain without any downtime. What a happy ending for me and the customer!
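The whole sequence described above (evict a node, switch both hosts to CredSSP, run Move-VM on the source host), written out as the PowerShell an admin would type. This is an added example and not the author's own commands: the host names, domain names, VM name, storage path, the OLD\hvadmin account and the step that removes the VM role from the old cluster before the move are assumptions made for illustration.

```powershell
# Added example (not from the original post): CredSSP-based Shared Nothing Live
# Migration from a Windows Server 2012 Hyper-V cluster node in the old forest to
# a Windows Server 2012 R2 Hyper-V host in the new forest.
# Names, paths and accounts below are assumptions for illustration.
# Requires the Hyper-V and FailoverClusters PowerShell modules.

$VMName          = 'APP01'
$SourceHost      = 'hv-old-02.old.example'   # still a node of the 2012 cluster, runs the VM
$DestinationHost = 'hv-new-01.new.example'   # evicted node, reinstalled with 2012 R2, joined to the new forest
$DestinationPath = 'D:\VMs'                  # local disk on the destination; no shared storage involved

# --- 1. On any node of the old 2012 cluster: drain and evict the node that will
#        be rebuilt as hv-new-01 (repeat per node you move to the new cluster).
Suspend-ClusterNode -Name 'hv-old-03' -Drain
Remove-ClusterNode  -Name 'hv-old-03' -Force

# --- 2. On BOTH hosts: enable live migration and use CredSSP instead of Kerberos.
#        Kerberos would need constrained delegation, which cannot be set up across
#        the forest boundary; CredSSP delegates the logon credentials of the user
#        who runs Move-VM instead.
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType CredSSP `
           -UseAnyNetworkForMigration $true

# --- 3. On the destination host (new forest): the old-forest account that will run
#        Move-VM must be a local administrator. Resolving OLD\hvadmin here relies on
#        the cross-forest trust. (net.exe is used because Add-LocalGroupMember
#        does not exist on Windows Server 2012 R2.)
net localgroup Administrators "OLD\hvadmin" /add

# --- 4. Check the migration settings on both sides before attempting the move.
function Test-MigrationSettings {
    param([string]$ComputerName, [pscredential]$Credential)
    $h = if ($Credential) { Get-VMHost -ComputerName $ComputerName -Credential $Credential }
         else             { Get-VMHost -ComputerName $ComputerName }
    [pscustomobject]@{
        Host     = $h.Name
        Enabled  = $h.VirtualMachineMigrationEnabled
        AuthType = $h.VirtualMachineMigrationAuthenticationType   # expect CredSSP on both
        AnyNet   = $h.UseAnyNetworkForMigration
    }
}
$NewForestCred = Get-Credential -Message 'Administrator account in the new forest'
Test-MigrationSettings -ComputerName $SourceHost
Test-MigrationSettings -ComputerName $DestinationHost -Credential $NewForestCred

# --- 5. On the SOURCE host, logged on interactively as OLD\hvadmin. CredSSP only
#        works for the logon session that runs the cmdlet, not from a remote console.
#        Assumption not covered in the post: the VM is still a clustered role and is
#        removed from the cluster first; this does not stop the running VM.
Remove-ClusterGroup -Name $VMName -RemoveResources -Force

# Shared Nothing Live Migration: VM memory state and all virtual disks move to the
# destination's local storage while the VM keeps running.
Move-VM -Name $VMName `
        -DestinationHost $DestinationHost `
        -IncludeStorage `
        -DestinationStoragePath $DestinationPath `
        -DestinationCredential $NewForestCred

# --- 6. Verify the VM now runs on the new-forest host.
Get-VM -ComputerName $DestinationHost -Credential $NewForestCred -Name $VMName |
    Select-Object Name, State, ComputerName
```

Two practitioner notes on the CredSSP fallback. First, CredSSP hands the full, reusable credentials of the account running Move-VM to the destination host, so a compromised destination yields an old-forest administrator account; use a dedicated migration account that is a local administrator only on the hosts involved, and remove it from the old cluster nodes once the move is done. Second, this is a transitional setting: when every node is in the new forest, set both hosts back with `Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos` and configure constrained delegation, which works again inside a single domain.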
