

Can I replicate between two servers in different domains?

Question

Thursday, May 30, 2019 10:47 PM

Hello,

I've done replications between servers all the time - sometimes they aren't on the same subnet but never between two domains - first time - not sure if there is something different I need to do.

I have two servers each host running 2016 (and all guest VMs are 2016).   I have set up a trust between the two and conditional forwarders.  I can ping each server by name.

I have the hyperV settings set for kerberos.   I've disabled all firewalls on both servers - there are NO firewall policies, rules, or anything else between the two domains.    All firewalls are disabled.

When I set up a replication from one host to other using kerberos, I get these two messages

event 3200 Hyper-V failed to enable replication for virtual machine 'Test': A connection with the server could not be established (0x00002EFD). (Virtual machine ID 71EFDF26-BD0D-4C85-81FB-6C6918AA036E)

This is the setting on the server I'm replicating from -

Not sure if that ! about configuration details is the source of the issue.

These are settings on the server I'm replicating to - 

event 29230 Hyper-V cannot connect to the specified Replica server 'HOST1'. Error: A connection with the server could not be established (0x00002EFD). Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.

All replies (53)

Friday, May 31, 2019 3:02 AM

Hi,

Thanks for posting in our forum!

Check for Kerberos errors. Sometimes, Kerberos packets arrive out of sequence over a VPN tunnel and since it's UDP, they will not be reassembled. You can change Kerberos to use TCP instead of UDP, but first check connectivity using host names and firewall issues. If you see a lot of Kerberos errors, consider changing it to TCP.

Make sure the host name you are using resolves to the correct IP address for the target server and vice versa. Check the port you are using; make sure it's open in the tunnel as well as in the Windows firewall. Since you are using a host name to connect to the target server, the tunnel must support NetBIOS. Consider using a FQDN or IP address instead.

For more information, you can also refer to here:

http://www.chicagotech.net/netforums/viewtopic.php?f=3&t=16686&start=0

Here is a similar post for your reference:

https://social.technet.microsoft.com/Forums/sharepoint/en-US/72b5c1b5-28ba-40fb-8f99-10500f188370/unable-to-create-hyperv-replica?forum=winserverhyperv

Hope this can help you, if you have any question, please feel free to let me know.

Best Regards,

Daniel

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, May 31, 2019 2:01 PM

Thanks - no windows firewall on either server.  There is no additional antivirus/firewall and the windows firewall is disabled in services as well as through the gui.  There is a VPN tunnel between the two but no filtering or policies - wide open.

Both servers can resolve to each other by name to the right IP- I don't have to include the domain for them to resolve. When I do I still get that error when try to replicate.

I'm not sure where to switch it to TCP - isn't using kerberos authentication using HTTP already using TCP?  On my 2016 server replication requires a name - it will not accept an IP - must have a valid DNS or FQDN name.

The two errors I get are -  (there are no other errors on either host)

3200 Hyper-V failed to enable replication for virtual machine 'Test': A connection with the server could not be established (0x00002EFD). (Virtual machine ID 71EFDF26-BD0D-4C85-81FB-6C6918AA036E)

event 29230 Hyper-V cannot connect to the specified Replica server 'HOST1'. Error: A connection with the server could not be established (0x00002EFD). Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.


Monday, June 3, 2019 6:35 AM | 1 vote

I noticed your message in the link I gave you, so now, i suggest you discuss with Kerberos experts over here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS

Cheers,

Daniel



Monday, June 3, 2019 1:44 PM

Thanks for the suggestion, I'll give it a try.   It could be kerberos - not sure how to switch it from UDP to tcp.


I did an nltest /sc_verify with both domains and they test OK

I also checked to see if I was listening on port 80 with netstat and it checks out OK.




Monday, June 3, 2019 1:53 PM

Try to enable Kerberos logging on your Hyper-V hosts

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1 /f

Then look into the System logs.  If you have Kerberos issues, they will be logged there.

hth

This posting is provided AS IS without warranty of any kind


Monday, June 3, 2019 3:53 PM

Thanks - I think I'm getting close to the solution although I think the solution might be slightly different in 2016.  https://www.jacksontechnical.com/article.htm?id=57

I tried setspn but failed

setspn -S "Hyper-V Replica Service/hostname" host1

or 

setspn -S "Hyper-V Replica Service/host1" host1 or with the domain extension

Call to DsGetDcNameWithAccountW failed with return value 0x00000525

I can get to the other by name by ping or smb file share.

I'm trying to find the AD settings in the link above in 2016 and must be looking in the wrong place.  I'm in active directory users and computers.   I went to advanced view.   I selected the host server properties.   I have no idea how to add Microsoft Virtual Console Service or any of the other services listed there.   I have found a few similar articles but can't find something I can follow on how to add the service.




Tuesday, June 4, 2019 2:25 AM

OK, looking forward to hearing your good news.

Cheers,

Daniel



Tuesday, June 4, 2019 12:15 PM

I still haven't figured out how to adjust those SPNs - add rights in AD.


Wednesday, June 5, 2019 1:12 AM

I'm sorry to hear that. At present, we don't have any more suggestions to give. We look forward to getting useful suggestions from AD experts.

Thanks for your understanding!

Daniel



Wednesday, June 5, 2019 9:20 AM

Have you tried to add the server name like this... Domain\Server

in your case, it should look like this:

setspn -S "Hyper-V Replica Service/host1" Domain\505-HQ-HOST-1

Also, be sure that the user you run this command has enough rights or you will receive insufficient access rights.

If you want to give the least access, be sure to add the account from Domain A the right:

write servicePrincipalName on the computer account in Domain B.

This should fix your issue.

hth

This posting is provided AS IS without warranty of any kind


Thursday, June 6, 2019 2:26 PM

Cth - thanks for the response.    Thanks - I've tried that as well.    I can't remember what changes I made as I tried a lot of stuff (with no progress) but I'm getting - 

 Failed to assign SPN on account 'CN=505-HQ-HOST1,OU=Domain Controllers,DC=xxxx,DC=lan', error 0x2098/8344 -> insufficient access rights to perform the operation.

I'm logged into the server as the domain admin.   I've opened powershell as administrator.

I am interested in the write SPN suggestion you have maybe that will fix it.   I'm sorry for being an idiot but I have no idea exactly what I should type.


Thursday, June 6, 2019 6:03 PM

On the computer object (the destination computer where you want to add a SPN), open the computer object and look into the Security tab (be sure to have checked the Advanced Features in the View tab in AD Users and Computers)

Then, add the user account that will perform the action (the user from the other domain).  Give this user Write ServicePrincipalName rights.

Then, on the remote computer while logged with the same user account you have give the rights to write ServicePrincipalName, run the setspn command…

setspn -S "Hyper-V Replica Service/505-HQ-HOST-1" Domain\505-HQ-HOST-1

hth

This posting is provided AS IS without warranty of any kind


Sunday, June 9, 2019 11:46 PM

Thanks - when you say the computer object - are you talking about on the production server in active director or the replica server?   They each have a different domain.


Monday, June 10, 2019 12:49 AM

Let's say you are logged on domain1.local and you want to set the SPN on the computer object 505-HQ-HOST-1 in the domain domain2.local; you will run the following command on a computer in domain1.local

Setspn -S Hyper-VReplicaService/505-HQ-HOST-1 domain2\505-HQ-HOST-1

hth

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 2:18 AM

Thanks!   I appreciate all your help.

I got on the production server which is on domain1 and tried to run the command with the NetBIOS domain name for the second domain as well as the full domainname.lan and neither worked.   I am able to ping the domain of the replica server from the production server.

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account 505-HQ-HOST-1

It isn't as much of an emergency as I ended up setting up nested hyper-v host guest machine with a machine that was on the primary domain from the replica server.

I still very much would like to solve the problem in case I encounter this in the future if you have any thoughts.


Monday, June 10, 2019 2:22 AM

what command line have you ran ?

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 2:58 AM

domain1 is domain1.local   with a host of 505-NMD-HOSTP  (production server)

domain2 is domain2.lan  with a host of 505-HQ-HOST1   (replica server)

From domain1 hostp, I ran

Setspn -S Hyper-VReplicaService/505-HQ-HOST1 nmdist.local\505-HQ-HOST1


Monday, June 10, 2019 2:59 AM

just type the NetBIOS domain name...

Setspn -S Hyper-VReplicaService/505-HQ-HOST1 nmdist\505-HQ-HOST1

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 12:39 PM

Hi,

Sorry to change the subject, but why not just use certificate-based replication.  More secure and can be used in any environment.  See something like: https://www.vkernel.ro/blog/configuring-hyper-v-replica-using-certificate-based-authentication-https

You would use the "Replication in a workgroup" section

Regards,

Leslie


Monday, June 10, 2019 12:51 PM

just type the NetBIOS domain name...

Setspn -S Hyper-VReplicaService/505-HQ-HOST1 nmdist\505-HQ-HOST1

This posting is provided AS IS without warranty of any kind

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account 505-HQ-HOST1


Monday, June 10, 2019 1:04 PM

The computer account 505-HQ-HOST1 in the domain nmdist.lan is the real computer name… not an alias ?

From the production server (505-NMD-HOSTP) Can you connect to the destination computer using the FQDN ?

something like… \\505-HQ-HOST1\nmdist.lan\

Does it work ?

You may get a prompt for authentication but that's ok.

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 3:22 PM

Both.

I can't go \\505-hq-host1\nmdist.lan but I can go to \\505-hq-host1\netlogon or \\505-hq-host\c$ with a prompt.


Monday, June 10, 2019 3:34 PM

Sorry… \\505-HQ-HOST1.nmdist.lan\ is also working right ?

be sure that the user you want to run the command with has the rights to "Write Principal Name" on the computer account 505-HQ-HOST1 in the xxx.lan domain

The computer 505-HQ-HOST1 is a domain controller right ?

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 4:02 PM

no, \\505-hq-host1\nmdist.lan is not working.

\\505-hq-host1\netlogon is working.

I've run the command from an elevated prompt and am logged in as the domain administrator.

505-hq-host1 is a domain controller.


Monday, June 10, 2019 4:11 PM

And the user from which you run the command to add the SPN has the right to "WriteServicePrincipalName" on the computer object ?

(Within the security tab of the computer object)

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 5:51 PM

Thanks for the reply.  I'm not sure where you are asking me to go.

I'm in active directory users and computers on the production server.   I go to the computer account from which I'm trying to run the SPN command (the domain controller on domain 1 - the computer I'm logged into using AD for the domain of the productions server).


Monday, June 10, 2019 6:09 PM

On the destination server (the replica Server), you go in the security tab and add the user account from which you want to run the command (the setspn command) and give this user the right "Write ServicePrincipalName".  This attribute can be seen from the Advanced view

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 7:52 PM

Thanks so before I start as there is a lot of room for confusion - 

On the destination/replica server, go to Active directory - domain2 - the one the replica server is a member of and go to active directory users and computers, select the destination/replica server - advanced view, security tab, advanced button and click on the box for write service principalname?

I'm thinking I have to be in the wrong place as I don't see writeserviceprincipalname.

I did find Validated Write to Service Principal Name - sorry for being obtuse but is that the right one?




Monday, June 10, 2019 8:00 PM

Correct!

Give the right to the user account with which you want to run the setspn command.

The user account is member of the Production domain.  Give him the right to "write servicePrincipalName" on the destination server (the replica server)

Because the user account in the production domain must have the right to "write serviceprincipalname" on the computer account in the destination domain (the replica server)

This posting is provided AS IS without warranty of any kind


Monday, June 10, 2019 9:04 PM

Thanks - still the same issue - when attempting to sync from the production server to the replication server I get the following (if I use 80 or 443, other than the number being different the error is the same)



I'll restart vmms after hours and see if it makes a difference.


Tuesday, June 11, 2019 12:01 AM

Have you enabled the Kerberos logging on both servers ?

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1 /f

After that, flush the Kerberos tickets on both servers (production and replica) by running this command line (run as admin)

klist purge -li 0x3e7

Then try again the replication.  You may get the same issue… look into the System Event log of both computers and look for Kerberos errors.

If you get pre-authentication failed, it's not a big issue, if you get other errors, please let me know.

hth

This posting is provided AS IS without warranty of any kind
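The advice above is to raise the Kerberos LogLevel and then read the event 3 records in the System log by hand. The PowerShell below is an added example (not from the thread, and not a Microsoft tool) that pulls those records and classifies the error code the way the thread does: 0x19 (pre-authentication required) is noise, 0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) means the KDC has no account holding the SPN in `Server Name`. The provider name is the one that writes Kerberos event 3 to the System log; the sample message is constructed to match the format pasted in the thread, with a made-up target suffix.

```powershell
# Added example, not code from the thread: parse Kerberos event 3 records
# ("A Kerberos error message was received") and say what each one means for
# Hyper-V Replica. Works on any Windows host; the live query needs the
# LogLevel registry value from the thread to be set, or there is nothing to read.

function ConvertFrom-KerberosEvent3 {
    param([Parameter(Mandatory)][string]$Message)

    # Every field is " Name: value" on its own line; pull out the ones that matter.
    $get = {
        param($name)
        if ($Message -match "(?m)^\s*$([regex]::Escape($name)):\s*(.*?)\s*$") { $Matches[1] } else { '' }
    }
    $code = & $get 'Error Code'           # e.g. "0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN"
    $hex  = ($code -split '\s+')[0]

    # Classification follows the thread's reading of these codes.
    $verdict = switch ($hex) {
        '0x19'  { 'benign: KDC asked for pre-authentication; the client retries' }
        '0x7'   { 'missing SPN: no account in this realm holds the Server Name below (quote the spaces when registering it)' }
        '0x6'   { 'client principal unknown: the calling computer account is not known to this realm' }
        default { "investigate: $code" }
    }

    [pscustomobject]@{
        ErrorCode   = $hex
        ServerRealm = & $get 'Server Realm'
        ServerName  = & $get 'Server Name'
        TargetName  = & $get 'Target Name'
        Verdict     = $verdict
    }
}

function Get-KerberosErrorEvent {
    # Reads the newest Kerberos error events from the System log on this host.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 3
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-KerberosEvent3 -Message $_.Message }
}

# Constructed sample in the thread's format (the realm suffix is invented).
$sample = @"
A Kerberos error message was received:
 on logon session
 Client Time:
 Server Time: 18:21:38.0000 6/11/2019 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: Domain2.local
 Server Name: Hyper-V Replica Service/505-HQ-HOST1
 Target Name: Hyper-V Replica Service/505-HQ-HOST1@Domain2.local
 Error Text:
 File: 9
 Line: 1289
 Error Data is in record data.
"@

ConvertFrom-KerberosEvent3 -Message $sample | Format-List
# On a host with logging enabled, the same view over real events:
# Get-KerberosErrorEvent | Format-Table ErrorCode, ServerRealm, ServerName, Verdict -AutoSize
```

One thing worth reading off the parsed output is the pairing of `ServerRealm` and `ServerName`: when the replica host is given by its short name, the client asks its own realm's KDC for a bare `Hyper-V Replica Service/HOST` SPN, which can only be satisfied by an account in that same realm. Giving the replica server as an FQDN lets the KDC hand out a cross-realm referral instead.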


Tuesday, June 11, 2019 12:41 PM

Thanks so much for hanging in.   I have not made that kerberos logging change but I appreciate it.  I'm hanging tight until the initial sync to the nested host is done.   THen I'll restart VMs and then test.    That should be later today.  I don't want you to think I'm ignoring your help since I'll have to hold tight for a bit.


Tuesday, June 11, 2019 1:05 PM

No problem.

Quick question… is the trust a 2-way trust? Forest trust or external trust?

This posting is provided AS IS without warranty of any kind


Tuesday, June 11, 2019 5:51 PM

Two way trust between two domains.


Tuesday, June 11, 2019 6:30 PM

I've turned on the kerberos logging.

On the replica server 550-HQ-HOST1.domain1.lan - errors when trying to sync to it 

Event 29212

Hyper-V failed to authenticate the primary server using Kerberos authentication. Error: The I/O operation has been aborted because of either a thread exit or an application request. (0x800703E3)

Event 3

A Kerberos error message was received:
 on logon session domain1.LAN\505-hq-host1$
 Client Time: 
 Server Time: 18:21:0.0000 6/11/2019 Z
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: Domain1.LAN
 Server Name: krbtgt/Domain1.LAN
 Target Name: krbtgt/[email protected]
 Error Text: 
 File: e
 Line: e17
 Error Data is in record data.

On the production server trying to send the initial vm - 505-NMDIST-HOSTP.Domain2.local

Event 3

A Kerberos error message was received:
 on logon session 
 Client Time: 
 Server Time: 18:21:38.0000 6/11/2019 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: Domain2.local
 Server Name: Hyper-V Replica Service/505-HQ-HOST1
 Target Name: Hyper-V Replica Service/[email protected]
 Error Text: 
 File: 9
 Line: 1289
 Error Data is in record data.

Event ID 29210

Hyper-V failed to authenticate the Replica server 505-HQ-HOST1 using Kerberos authentication. Error: The specified target is unknown or unreachable (0x80090303)

I could be misreading it but it looks like they are trying to authenticate with the servername at the wrong domain name.


Tuesday, June 11, 2019 6:43 PM | 1 vote

Ok, so there are spaces in the SPN name…

KDC_ERR_S_PRINCIPAL_UNKNOWN = missing SPN

I think the SPN was Added without spaces… and the system is looking for the SPN with spaces…

Run this command line to register the SPN

Setspn -S "Hyper-V Replica Service/505-HQ-HOST1" Domain2\505-HQ-HOST1
Setspn -S "Hyper-V Replica Service/505-HQ-HOST1.Domain2.local" Domain2\505-HQ-HOST1

Also, you can delete the previous SPN that are not correctly Registered…

Setspn -D Hyper-VReplicaService/505-HQ-HOST1 Domain2\505-HQ-HOST1

This posting is provided AS IS without warranty of any kind


Tuesday, June 11, 2019 8:15 PM

Thanks - just ran the commands - same errors

I think you've been through thick and thin but I think I'll just stick with nested VMs.

I do appreciate your help.


Tuesday, June 11, 2019 8:54 PM

Any Kerberos errors in the system log in the Event Viewer?

This posting is provided AS IS without warranty of any kind


Tuesday, June 11, 2019 10:03 PM

Same ones as before.


Tuesday, June 11, 2019 10:33 PM

Can you see the SPN if you run the Following command ?

setspn -l ReplicaDomain\505-HQ-HOST1

Replace ReplicaDomain with the NetBIOS name of the replica domain

Theoretically, you should be able to have the following SPNs (or at least these)

Hyper-V Replica Service/505-HQ-HOST1
Hyper-V Replica Service/505-HQ-HOST1.ReplicaDomain
HOST/505-HQ-HOST1
HOST/505-HQ-HOST1.ReplicaDomain

This posting is provided AS IS without warranty of any kind
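The two posts above (the space-in-the-SPN diagnosis and the list of SPNs the replica host's computer object should carry), together with the earlier advice to delegate "Write servicePrincipalName" to the cross-domain account, are easy to check before touching anything. The script below is an added PowerShell example, not code from the thread or from Microsoft: it is read-only, needs the ActiveDirectory RSAT module, and uses the host and domain names from the thread as assumptions. Registration and clean-up are still done with the `setspn -S` / `setspn -D` commands the poster gave.

```powershell
# Added example, not code from the thread: read-only audit of the SPNs and the
# delegation the thread ends up on. Run it as an account that can read the
# replica domain (either side of the trust works, because -Server names the domain).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ReplicaHost   = '505-HQ-HOST1'    # assumed: short name of the replica Hyper-V host
$ReplicaDomain = 'domain2.local'   # assumed: DNS name of the replica host's domain

# The exact SPNs Hyper-V Replica asks the KDC for when Kerberos (HTTP) is used.
# The spaces matter: "Hyper-VReplicaService/..." is a different SPN and never matches.
function Get-ExpectedReplicaSpn {
    param([string]$HostName, [string]$DnsDomain)
    $fqdn = "$HostName.$DnsDomain"
    @("Hyper-V Replica Service/$HostName",
      "Hyper-V Replica Service/$fqdn",
      "HOST/$HostName",
      "HOST/$fqdn")
}

function Get-ReplicaComputer {
    param([string]$HostName, [string]$DnsDomain)
    $c = Get-ADComputer -Filter "name -eq '$HostName'" -Server $DnsDomain `
                        -Properties servicePrincipalName, nTSecurityDescriptor
    if (-not $c) { throw "Computer account '$HostName' not found in $DnsDomain" }
    $c
}

# Compares the SPNs registered on the computer object with the expected set and
# flags any space-less variant left behind by an earlier setspn attempt.
function Test-ReplicaSpn {
    param([string]$HostName, [string]$DnsDomain)
    $c = Get-ReplicaComputer -HostName $HostName -DnsDomain $DnsDomain
    $present = @($c.servicePrincipalName)
    foreach ($spn in (Get-ExpectedReplicaSpn -HostName $HostName -DnsDomain $DnsDomain)) {
        [pscustomobject]@{
            SPN   = $spn
            State = $(if ($present -contains $spn) { 'registered' } else { 'MISSING' })
        }
    }
    foreach ($spn in ($present | Where-Object { $_ -like 'Hyper-VReplicaService/*' })) {
        [pscustomobject]@{ SPN = $spn; State = 'stray (no spaces); remove with setspn -D' }
    }
}

# Lists the ACEs on the computer object that allow writing servicePrincipalName,
# so you can confirm the production-domain account was actually delegated.
function Get-SpnWriteAccess {
    param([string]$HostName, [string]$DnsDomain)
    # schemaIDGUID of the servicePrincipalName attribute; the validated write uses the same GUID.
    $spnGuid   = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, GenericWrite, GenericAll'
    $c = Get-ReplicaComputer -HostName $HostName -DnsDomain $DnsDomain
    $c.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $spnGuid -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights,
            @{ n = 'Scope'; e = { if ($_.ObjectType -eq $spnGuid) { 'servicePrincipalName' } else { 'all properties' } } }
}

Test-ReplicaSpn    -HostName $ReplicaHost -DnsDomain $ReplicaDomain | Format-Table -AutoSize
Get-SpnWriteAccess -HostName $ReplicaHost -DnsDomain $ReplicaDomain | Format-Table -AutoSize
```

An ACE with `Scope = all properties` (an empty ObjectType) also covers servicePrincipalName, which is why Domain Admins of the replica domain can register the SPN without an explicit delegation while an account from the other domain cannot until one is added.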


Tuesday, June 11, 2019 10:39 PM

So run all these on the production or the replica server?


Tuesday, June 11, 2019 10:42 PM

On the replica server.  Those SPN should be registered on the computer object in the replica domain

This posting is provided AS IS without warranty of any kind


Tuesday, June 11, 2019 11:00 PM

Tried the first one - 

from powershell (with admin rights):

Hyper-V Replica Service/505-HQ-HOST1

Hyper-V : The term 'Hyper-V' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1

    + Hyper-V Replica Service/505-HQ-HOST1

    + CategoryInfo          : ObjectNotFound: (Hyper-V:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

I'm guessing you want me to type  - 

Setspn -S "Hyper-V Replica Service/505-HQ-HOST1 

If I do that I get a >> prompt which I think means it thinks I want to type more


Tuesday, June 11, 2019 11:22 PM

What is the result you have if you run this command line?

setspn -l ReplicaDomain\505-HQ-HOST1

Replace ReplicaDomain with the NetBIOS domain name of the replica domain

This posting is provided AS IS without warranty of any kind


Wednesday, June 12, 2019 1:24 AM

Ran with admin rights on the replica server in domain 2 (not on the production server)

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B

Could not find account domain2.lan


Wednesday, June 12, 2019 1:44 AM

If you are logged in the replica domain, just run the command without adding the domain name before the  host…

something like: setspn -l 505-HQ-HOST1

If you want to run the same command but from the production domain, add the domain name:
setspn -l ReplicaDomain\505-HQ-HOST1

hth

This posting is provided AS IS without warranty of any kind


Wednesday, June 12, 2019 3:19 AM

Thanks -  

From VM test setting up replication from the production server (in the production server logs)

Event 3200

Hyper-V failed to enable replication for virtual machine 'Test': The specified target is unknown or unreachable (0x80090303). (Virtual machine ID 71EFDF26-BD0D-4C85-81FB-6C6918AA036E)

Event 3

A Kerberos error message was received:
 on logon session 
 Client Time: 
 Server Time: 3:17:4.0000 6/12/2019 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN

Event 29210

Hyper-V failed to authenticate the Replica server 505-HQ-HOST1 using Kerberos authentication. Error: The specified target is unknown or unreachable (0x80090303)


Wednesday, June 12, 2019 3:41 AM

Have you already looked at this thread ?

https://social.technet.microsoft.com/Forums/windowsserver/en-US/36064e8d-7268-4104-906b-0d3e6a18d35f/hyper-v-replica-not-working-error-id-14050?forum=winserverhyperv

There is a list of Service Principal Name that need to be defined on the Hyper-V host

This posting is provided AS IS without warranty of any kind


Wednesday, June 12, 2019 12:56 PM

Thanks - just tried on the replica server (domain2)

setspn -s Hyper-V Replica Service/domain1.local domain1

same error - target is unknown or unreachable, failed to authenticate.


Wednesday, June 12, 2019 3:10 PM

If there are spaces in your SPN name, you have to put them within quotes " "

Setspn -S "Hyper-V Replica Service/domain1.local" domain1

This posting is provided AS IS without warranty of any kind


Wednesday, June 12, 2019 4:06 PM

thanks - same error - target is unknown or unreachable, failed to authenticate when trying to set up replication.


Thursday, June 13, 2019 1:33 AM | 1 vote

Do you have Kerberos errors on the host server in the production domain ? (in the system event log)

Look also on the host server in the replica domain (system event log)

This posting is provided AS IS without warranty of any kind


Friday, June 14, 2019 6:40 PM

Hello,

Thanks again for all your help.   I called MS and they didn't seem to think this was possible.   Although the person I spoke to didn't seem very knowledgeable about hyper-v as I had to show her why some things wouldn't be right after the restore and spent a lot of time talking to a higher level engineer.  I gave up on it and created a second virtual host (since the first one seems to work well) - so now I'm syncing from 2 different domains which are both offsite.   It might be possible with certificates but I just didn't feel like going that way.   Again, thanks for all your help!