How to Set Up Hyper-V Live Migration on Windows Server 2025

How to Set Up Hyper-V Live Migration on Windows Server 2025

Live Migration is one of the most valuable features in the Hyper-V platform. It allows a running virtual machine to be moved from one Hyper-V host to another with zero perceived downtime from the guest’s perspective — network connections remain active, user sessions stay open, and the VM continues servicing requests throughout the move. Windows Server 2025 improves Live Migration performance with enhanced compression, support for SMB Direct (RDMA) as a migration transport, and tighter Kerberos constrained delegation workflows. This tutorial walks through every aspect of configuring and using Live Migration, from enabling the feature and configuring authentication, through to performing and monitoring migrations.

Prerequisites

• Two or more Windows Server 2025 hosts with the Hyper-V role installed
• Hosts joined to the same Active Directory domain (required for Kerberos authentication)
• A dedicated migration network (1 GbE minimum; 10 GbE or 25 GbE strongly recommended)
• Matching hardware architecture on source and destination hosts (compatible but not identical CPUs)
• For shared storage Live Migration: both hosts must have access to the same SMB 3.0 share, iSCSI LUN, or CSV (Cluster Shared Volume)
• For storage migration (no shared storage): sufficient disk space on the destination host and a fast network between hosts
• Windows Firewall rules opened for Live Migration (covered in Step 3)
• Administrator credentials with permissions on both source and destination hosts

Step 1: Enable Live Migration on Both Hosts

Live Migration must be enabled on every host that will participate — both source (the host sending the VM) and destination (the host receiving the VM). When Hyper-V is installed this feature is disabled by default outside of a Failover Cluster.

# Run the following on BOTH Hyper-V hosts

# Enable Live Migration on the host
Enable-VMMigration

# Verify it is enabled
Get-VMHost | Select-Object ComputerName, VirtualMachineMigrationEnabled, `
             VirtualMachineMigrationAuthenticationType, `
             VirtualMachineMigrationPerformanceOption, `
             MaximumVirtualMachineMigrations

# Set the maximum number of simultaneous live migrations (default: 2)
Set-VMHost -MaximumVirtualMachineMigrations 4

# Set the maximum simultaneous storage migrations
Set-VMHost -MaximumStorageMigrations 2

Step 2: Configure the Migration Network

Hyper-V should use a dedicated high-bandwidth network for migration traffic rather than the production NIC. You configure this by specifying which IP subnets are allowed to carry migration traffic.

# On BOTH hosts — add the migration network subnet
# This tells Hyper-V to prefer the 192.168.100.0/24 network for migrations
Add-VMMigrationNetwork -Subnet "192.168.100.0" -SubnetMask "255.255.255.0" -Priority 1

# Optionally remove the default entry that allows all networks (prevents production NIC being used)
Get-VMMigrationNetwork | Format-Table Subnet, SubnetMask, Priority

# Remove a network from the allowed list if it should not carry migration traffic
Remove-VMMigrationNetwork -Subnet "192.168.1.0"

Step 3: Open Windows Firewall Rules for Live Migration

# Enable the built-in Live Migration firewall rule group on BOTH hosts
Enable-NetFirewallRule -DisplayGroup "Hyper-V - Live Migration"

# Verify the rules are enabled
Get-NetFirewallRule -DisplayGroup "Hyper-V - Live Migration" | `
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table

# If using SMB 3.0 as the migration transport, also enable the SMB firewall rules
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

Step 4: Choose and Configure Authentication — CredSSP vs Kerberos

Hyper-V Live Migration supports two authentication protocols. Understanding the difference is critical for both security and operational reliability:

• CredSSP (Credential Security Support Provider): Delegates the user’s credentials to the source host, which then uses them to authenticate to the destination. Simple to set up — no Active Directory configuration required — but credentials are transmitted to the source host, which is a security concern (CredSSP is vulnerable to credential theft if the source host is compromised).
• Kerberos: Preferred for production. The Hyper-V host authenticates using its own computer account (no credential delegation to the host). Requires Constrained Delegation to be configured in Active Directory — specifically, the source host’s computer account must be trusted to delegate to the destination host’s Hyper-V service.

Configure CredSSP Authentication (Simple — Lab Use)

# On BOTH hosts — set authentication type to CredSSP
Set-VMHost -VirtualMachineMigrationAuthenticationType CredSSP

# To perform migrations using CredSSP, you must be logged on locally or via a console session
# on the source host (not over a remote PowerShell session) — this is a CredSSP limitation

Configure Kerberos Constrained Delegation (Production)

Kerberos constrained delegation is configured in Active Directory Users and Computers (ADUC) or via PowerShell on a Domain Controller. You must grant each host permission to delegate to the Hyper-V Virtual Machine Management service (Microsoft Virtual System Migration Service) on every other host it will migrate VMs to.

# Run on a Domain Controller with the Active Directory PowerShell module

# Import the AD module
Import-Module ActiveDirectory

# Define the two Hyper-V hosts (adjust names to match your environment)
$sourceHost = Get-ADComputer -Identity "HVHOST01"
$destHost   = Get-ADComputer -Identity "HVHOST02"

# Add constrained delegation: allow HVHOST01 to delegate to HVHOST02's VM migration service
Set-ADComputer -Identity $sourceHost -Add @{
    "msDS-AllowedToDelegateTo" = @(
        "Microsoft Virtual System Migration Service/$($destHost.DNSHostName)",
        "cifs/$($destHost.DNSHostName)"
    )
}

# Repeat for the reverse direction so HVHOST02 can migrate to HVHOST01
Set-ADComputer -Identity $destHost -Add @{
    "msDS-AllowedToDelegateTo" = @(
        "Microsoft Virtual System Migration Service/$($sourceHost.DNSHostName)",
        "cifs/$($sourceHost.DNSHostName)"
    )
}

# Enable Kerberos-only (not protocol transition) constrained delegation
# This must be set via ADUC GUI: Computer Properties > Delegation tab
# Set to: "Trust this computer for delegation to specified services only" > "Use Kerberos only"

# On BOTH Hyper-V hosts — switch to Kerberos authentication
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

# Verify configuration
Get-VMHost | Select-Object ComputerName, VirtualMachineMigrationAuthenticationType

After configuring delegation, restart the Virtual Machine Management Service (vmms) on both hosts and run klist purge to clear any cached Kerberos tickets before testing.

Restart-Service -Name vmms
klist purge

Step 5: Perform a Live Migration

With authentication configured, you can migrate a running VM using Move-VM. There are two main scenarios: shared storage (the VM’s VHDX is on a storage location accessible by both hosts) and no shared storage (the VHDX must be copied during migration).

Live Migration with Shared Storage

# Migrate a running VM to HVHOST02 — storage remains on the shared SMB path
# Only the VM state and memory are transferred over the network
Move-VM -Name "WEBSRV01" -DestinationHost "HVHOST02.contoso.local"

# Verify the VM is running on the destination
Get-VM -ComputerName "HVHOST02.contoso.local" -Name "WEBSRV01" | `
    Select-Object Name, State, ComputerName

Live Migration Without Shared Storage (IncludeStorage)

# Migrate VM including all of its storage files to the destination host
# The VHDX files are copied while the VM continues running
Move-VM -Name "APPSRV01" `
        -DestinationHost "HVHOST02.contoso.local" `
        -IncludeStorage `
        -DestinationStoragePath "D:Hyper-VVMsAPPSRV01"

# Move only storage to a different path on the SAME host (Storage Migration — no downtime)
Move-VMStorage -VMName "APPSRV01" -DestinationStoragePath "E:Hyper-VVMsAPPSRV01"

SMB Live Migration

SMB Live Migration uses an SMB 3.0 file share as both the migration transport and the destination storage. This is the preferred method for large environments because SMB Direct (RDMA) can be used to achieve very high throughput with minimal CPU overhead.

# Migrate VM to a destination host that will store the VM on an SMB share
Move-VM -Name "DBSRV01" `
        -DestinationHost "HVHOST02.contoso.local" `
        -IncludeStorage `
        -DestinationStoragePath "\FILESERVER01Hyper-VVMsDBSRV01"

Step 6: Quick Migration vs Live Migration

Live Migration keeps the VM running throughout the move — the guest OS is never paused from a user perspective. Quick Migration saves the VM state to disk (similar to hibernation), transfers the saved state file and VM configuration to the destination, then resumes the VM. Quick Migration causes a brief interruption (seconds to minutes depending on VM memory size) but requires far less bandwidth and is suitable for scheduled maintenance windows.

# Live Migration — VM stays running, requires Kerberos or CredSSP
Move-VM -Name "WEBSRV01" -DestinationHost "HVHOST02.contoso.local"

# To simulate Quick Migration behaviour manually (save, move config, restore)
Save-VM -Name "WEBSRV01"                                      # Save VM state to disk
Move-VMStorage -VMName "WEBSRV01" -DestinationStoragePath "\HVHOST02D$Hyper-VVMsWEBSRV01"
Move-VM -Name "WEBSRV01" -DestinationHost "HVHOST02.contoso.local"
Start-VM -ComputerName "HVHOST02.contoso.local" -Name "WEBSRV01"

Step 7: Monitor Migration Progress

# Watch live migration status in real time
while ($true) {
    $vm = Get-VM -Name "WEBSRV01" -ComputerName "HVHOST01.contoso.local" -ErrorAction SilentlyContinue
    if (-not $vm) {
        Write-Host "VM has moved to destination host"
        break
    }
    $migration = $vm | Get-VMGroup -ErrorAction SilentlyContinue
    Write-Host "$(Get-Date -Format 'HH:mm:ss') — State: $($vm.State) | Status: $($vm.Status)"
    Start-Sleep -Seconds 2
}

# Check event log for migration events
Get-WinEvent -LogName "Microsoft-Windows-Hyper-V-VMMS-Operational" |
    Where-Object { $_.Message -like "*migration*" } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Select-Object -First 20 | Format-List

Conclusion

Hyper-V Live Migration on Windows Server 2025 is a robust, production-ready feature that enables zero-downtime workload mobility across your virtualisation infrastructure. In this tutorial you enabled Live Migration on both hosts, designated a dedicated migration network, opened the necessary firewall rules, and chose between CredSSP (simple lab setup) and Kerberos constrained delegation (secure production setup). You performed Live Migrations both with and without shared storage, understood the trade-offs between Live Migration and Quick Migration, and used PowerShell to monitor migration progress. Combined with the Hyper-V Replica feature covered in the next article, Live Migration gives you the operational flexibility and business continuity capabilities expected in an enterprise private cloud.