Geek of All Trades: Live Migrations

No SAN? No problem. You can live migrate Hyper-V virtual machines without using shared storage.

Greg Shields

This was written using the Windows Server 8 beta. All information is subject to change.

The jack of all trades (JOAT) is a special breed of IT professional. Some might argue he’s the hardest-working IT pro in the business. He’s responsible for keeping technology afloat in a small business or even a small environment within a larger enterprise. The JOAT has extreme responsibilities with few tools and little support. Sound like you?

The JOAT is the master of the freebie. He fills his toolbox with whatever no-cost, downloadable tools he can find. He gets the job done using every resource at his disposal. This “get ’er done” mentality drives many a JOAT toward Hyper-V as the virtual platform of choice. Even the smallest IT environment usually has one or two Windows Server licenses, and those are all you need to virtualize atop Hyper-V.

Until recently, however, Hyper-V was a fickle friend to the cost-conscious. Setting up a single Hyper-V server with DAS was an exercise in simplicity. Extending that environment any further quickly added complexity with Windows Clustering and cost with SAN storage.

Hyper-V version 3 in Windows Server 8 appears to improve the link between hypervisor capabilities and the hypervisor administrator. One new feature, the ability to live migrate virtual machines (VMs) without the need for shared storage, looks like a huge win. Hyper-V servers that aren’t SAN-attached will be able to migrate VM processing as well as storage without the extra complexity and cost. Here’s how it works.

SAN-Less Live Migration

Imagine you have two Hyper-V servers: \\win8hv1 and \\win8hv2. You’re running a variety of VMs on these two servers. The disk files for those VMs are stored elsewhere on the network on a file server and share: \\win8fs1\VM.

With this configuration, you would use Hyper-V Manager to migrate VM processing from one server to the other. Right-click the VM requiring relocation and choose Move to launch the Move Wizard. This wizard (see Figure 1) gives you options for moving VM processing, storage or both. In any of these scenarios, the migration is a live migration. This means the move happens without requiring a VM restart or any loss of service.

Figure 1 The Hyper-V Move Wizard lets you move and reassign storage for virtual machines.

That’s impressive. When you realize you can do this live migration without needing Windows Failover Clustering or a SAN, this new feature could quickly become your new best friend.

“Now, wait a minute,” you’re probably asking. “This SAN-less live migration works because the VM is hosted on a Server Message Block (SMB) share? That’s great, but doesn’t that mean it will perform poorly?”

Not so, thanks to the significant investment Microsoft has made in improving the SMB protocol. That investment includes performance as well as capability enhancements. These enhancements are designed to make SMB just as usable as iSCSI or Fibre Channel, but without the complex management those protocols require. Microsoft is essentially saying that Hyper-V VMs running atop SMB on remote file servers will perform well enough for a wide range of production uses.

Some Assembly Required

Making this clusterless and SAN-less live migration work requires a couple of prerequisite steps, at least in the beta version of Windows Server 8. You’ll need a Windows Server 8 file server to host the share. This in itself requires some special permissions. You’ll need to configure each Hyper-V server to support incoming and outgoing live migrations. Last, if you want to remotely invoke a live migration, you’ll need to set up something called “constrained delegation.”

Luckily, none of these tasks are all that difficult. First, when installing the Hyper-V role to a Windows Server 8 computer, make sure to check the option marked “Allow this server to send and receive live migrations of virtual machines.” There’s a page in the Add Roles and Features Wizard (see Figure 2) where you’ll configure this.

Figure 2 Enable Virtual Machine Live Migration on the Hyper-V Role.

Two authentication protocols are available. The first, CredSSP, requires no extra configuration, but you must be logged into the source server’s console to kick off a live migration. The second uses the more secure Kerberos protocol, which requires the extra step of setting up constrained delegation in Active Directory. For most purposes, you’ll want to choose the second option.

Setting up constrained delegation sounds more difficult than it really is. Start by creating an Active Directory Global Security group in Active Directory Users and Computers. Add to this group the computer accounts of any Hyper-V servers that will participate in live migration.

Next, view Properties on the computer account for each Hyper-V server. Under the Delegation tab, choose to Trust this computer for delegation to specified services only. Select Use Kerberos only, and then click the Add button.

In the Add Services window that appears, click Users or Computers and supply the computer name of the file server hosting your VM virtual disk files. Then, under Available services, select the cifs service. When you’ve completed these steps, you’ll see a screen similar to Figure 3.

Figure 3 You’ll have to configure constrained delegation.

This delegation lets a service act on behalf of another security principal. It’s considered “constrained” because you’re limiting the delegation, in this case, to just the cifs (SMB) service type. Repeat this process for all your Hyper-V servers.

For your final step, create and set permissions on a file share running atop Windows Server 8. Create this file share using File and Storage services in Server Manager. Add the computer accounts for each Hyper-V server to the default permissions, granting those accounts Full Control permissions. Full Control is required here because the Hyper-V server must have the ability to modify access control lists on the file share. You can see how this has been done for the computers \\win8hv1 and \\win8hv2 in Figure 4.

Figure 4 Create and set permissions for your file share.

Once complete, you’ll be able to live migrate VMs between the Hyper-V hosts to which you’ve assigned privileges.
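
The prerequisite steps above, scripted in PowerShell and followed by an audit of the resulting delegation, as an added example that is not from the original article. It assumes the cmdlets of the released Windows Server 2012 Hyper-V, ActiveDirectory and SmbShare modules (the beta may differ); the domain names CORP and corp.example, the path D:\VM and the extra Administrators share entry are placeholders and assumptions.

```powershell
# Added example. Cmdlets are from the Hyper-V, ActiveDirectory and SmbShare modules
# of released Windows Server 2012; CORP, corp.example and D:\VM are placeholders.
$hvHosts    = 'win8hv1', 'win8hv2'              # Hyper-V hosts named in the article
$fileServer = 'win8fs1'                         # serves \\win8fs1\VM
$netbios, $dnsDomain = 'CORP', 'corp.example'   # placeholder domain names
$cifsSpns   = "cifs/$fileServer", "cifs/$fileServer.$dnsDomain"
$accounts   = $hvHosts | ForEach-Object { "$netbios\$_`$" }   # e.g. CORP\win8hv1$

# 1. Hyper-V hosts: allow live migration and authenticate it with Kerberos.
Invoke-Command -ComputerName $hvHosts -ScriptBlock {
    Enable-VMMigration
    Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos
}

# 2. Constrained delegation: only the cifs service on the file server.
foreach ($h in $hvHosts) {
    Set-ADComputer -Identity $h -Add @{ 'msDS-AllowedToDelegateTo' = $cifsSpns }
}

# 3. Share and NTFS permissions: Full Control for the Hyper-V computer accounts.
#    Keeping BUILTIN\Administrators on the share is an assumption of this example.
Invoke-Command -ComputerName $fileServer -ScriptBlock {
    New-Item -ItemType Directory -Path 'D:\VM' -Force | Out-Null
    New-SmbShare -Name 'VM' -Path 'D:\VM' `
        -FullAccess ($using:accounts + 'BUILTIN\Administrators')
    foreach ($a in $using:accounts) { icacls 'D:\VM' /grant "${a}:(OI)(CI)F" }
}

# 4. Audit: delegation must be Kerberos-only and limited to the two cifs SPNs.
foreach ($h in $hvHosts) {
    $c = Get-ADComputer $h -Properties 'msDS-AllowedToDelegateTo',
             TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Host               = $h
        Unconstrained      = $c.TrustedForDelegation        # expect False
        ProtocolTransition = $c.TrustedToAuthForDelegation  # expect False
        UnexpectedSpns     = @($c.'msDS-AllowedToDelegateTo' |
                               Where-Object { $_ -notin $cifsSpns }) -join ', '
    }
}
Get-SmbShareAccess -Name 'VM' -CimSession $fileServer   # review who holds Full Control
```

Any host that reports Unconstrained or ProtocolTransition as True, or lists an SPN other than cifs on the file server, has broader delegation than the "Use Kerberos only" setting described above.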

One Solution Fits Most

While this clusterless and SAN-less live migration can proactively relocate VMs before an outage occurs, it doesn’t support reactive VM migrations in the case of a host loss. So you can’t technically call this a high availability (HA) solution. Adding HA requires also adding a Windows Failover Cluster with all its accoutrements.

Also, this architecture places heavy reliance on the file server. If that file server goes down, so, too, do all your VMs. Windows Clustering helps here as well. With Windows Clustering in Windows Server 8, you can create a new type of file server cluster called a Scale-Out File Server. This is a new active/active clustering technology that’s designed specifically for Hyper-V and SQL applications.

Notwithstanding these limitations, live migrating in Windows Server 8 is a wholly new and entirely better experience. It supports a range of architectures, each with an accompanying increase in features and complexity. Hyper-V easily supports any special requirements you might have for now. Better yet, when you’re ready to add SANs and clusters, Hyper-V stands ready to handle all your enterprise-level needs.

Greg Shields, MVP, is a partner at Concentrated Technology. Get more of Shields’ Jack-of-all-trades tips and tricks at ConcentratedTech.com.