Script to set up Hyper-V Live Migration (Constrained Delegation and Kerberos)

  • 27 April 2015
Setting up constrained delegation is one of the more complex things to do, so I wrote up a script to do this for me. Hopefully others can get use out of this as well!

    #script to configure Kerberos Authentication on the hosts in a particular cluster
    #and to configure constrained delegation (CD) for the cluster
    #run from a workstation logged in as a domain admin as we need to edit domain objects for CD
    #written 4/2015 by rtpchris.com
    param(
        [Parameter(Mandatory=$True,Position=0)]
        [string]$clusterName
    )

    #modules that provide the cluster, AD and Hyper-V cmdlets used below
    Import-Module ActiveDirectory, FailoverClusters, Hyper-V

    $clusterNodes = @(Get-ClusterNode -Cluster $clusterName)
    $DNs = @()
    $FQDNs = @()
    #DNS name of the domain, used to build the FQDN of each host
    $domainName = (Get-ADDomain).DNSRoot

    #In this loop we get the AD DN and the FQDN for each host in the cluster
    #after that we check if authentication is set to kerberos on the host
    #and change it to kerberos if not
    foreach ($node in $clusterNodes) {
        $DNs += (Get-ADComputer $node.Name).DistinguishedName
        $FQDNs += ($node).Name + "." + $domainName
        if ((Get-VMHost $node.Name).VirtualMachineMigrationAuthenticationType -notcontains "Kerberos") {
            Set-VMHost ($node).Name -VirtualMachineMigrationAuthenticationType Kerberos
        }
    }

    #in this loop we set up the constrained delegation (CD)
    #the first loop iterates through the nodes in the cluster that we are configuring CD for
    #the second loop iterates through the other nodes that we need to add to that
    #for live migration we need CIFS and Microsoft Virtual System Migration Service
    for ($i = 0; $i -le ($DNs).Length - 1; $i++) {
        for ($j = 0; $j -le ($DNs).Length - 1; $j++) {
            if ($j -eq $i) {Continue}
            #name and FQDN of the other node (index $j), not the last node left over from the loop above
            $name = ($clusterNodes[$j]).Name
            $fqdn = $FQDNs[$j]
            #add both the short name and the FQDN form of each service
            Set-ADObject $DNs[$i] -Add @{"msDS-AllowedToDelegateTo"="cifs/$name","Microsoft Virtual System Migration Service/$name","cifs/$fqdn","Microsoft Virtual System Migration Service/$fqdn"}
        }
    }

    Write-Host "Script complete. Please verify AD settings, purge the tickets on the hosts and log out/log in of the management server to use live migration"
    Write-Host "If running Nutanix run the following command to purge all the tickets at once"
    Write-Host "allssh `"source /etc/profile; winsh `'klist purge`'`""
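The script's closing message asks you to verify the AD settings. One way to run that check is the read-only audit below, an added example that is not part of the original post. It takes the same cluster name argument, treats the short host name form of each entry as required, accepts FQDN entries for the same peers, and uses illustrative output property names (MissingSpns, UnexpectedSpns and so on).

```powershell
#Requires -Modules ActiveDirectory, FailoverClusters, Hyper-V
# Added example: read-only audit of live-migration delegation for one cluster.
param(
    [Parameter(Mandatory=$true, Position=0)]
    [string]$ClusterName
)

$services = 'cifs', 'Microsoft Virtual System Migration Service'
$nodes = @(Get-ClusterNode -Cluster $ClusterName | ForEach-Object { $_.Name })

foreach ($node in $nodes) {
    $peers = @($nodes | Where-Object { $_ -ne $node })
    $computer = Get-ADComputer $node -Properties 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
    # Drop empty values so an unset attribute yields an empty list
    $allowed = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Each peer must be listed for both services (short host name form)
    $missing = @(foreach ($peer in $peers) {
        foreach ($svc in $services) {
            if ($allowed -notcontains "$svc/$peer") { "$svc/$peer" }
        }
    })

    # Anything that is not one of the two services on a cluster peer is
    # wider than live migration needs
    $unexpected = @($allowed | Where-Object {
        $svc, $target = $_ -split '/', 2
        $hostPart = ($target -split '[.:/]')[0]
        ($services -notcontains $svc) -or ($peers -notcontains $hostPart)
    })

    [pscustomobject]@{
        Node               = $node
        MigrationAuth      = (Get-VMHost -ComputerName $node).VirtualMachineMigrationAuthenticationType
        MissingSpns        = $missing -join '; '
        UnexpectedSpns     = $unexpected -join '; '
        Unconstrained      = $computer.TrustedForDelegation
        ProtocolTransition = $computer.TrustedToAuthForDelegation
    }
}
```

A correctly configured node reports MigrationAuth as Kerberos, empty MissingSpns and UnexpectedSpns, and False for both Unconstrained and ProtocolTransition.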

cbrown Can the script be added to the repository in GitHub?
I think aluciani can upload it if you don't have write access
Yeah of course! I don't think I have write access though.