my personal blog about systemcenter

‘VMNAME’ could not initialize. (Virtual machine ID GUID)

Recently ran into a issue where i couldnt start a VM located on a NetApp Running SMB 3.

Rights on the filesystem looked without issue , opening the vhd over the network worked but anything manipulated from HYper-V failed with a resource attached to the system failed.

After digging around a bit i found that the time was shifted on the NetApp box so any kerebous authentication failed

image

And the culprint on the NetApp was

secd.kerberos.clockskew: Kerberos client or node clock skew error (-1765328351). 

Description :

This message occurs when there is a “time error”(clock skew, time skew, time out of bounds). This error indicates that there is a time discrepancy between client and node or client and Key Distribution Center (KDC). The kerberos authentication request from the client was forwarded to the KDC and it failed because the timestamp encrypted in the client’s kerberos ticket was different by more than the maximum time difference that is configured on the KDC.

Action :

Ensure that the clock time of the node is identical to that of the client and to that of the KDC. Ensure that the correct time zone setting is selected on the node. To keep the node and KDC time clocks in synchronization automatically, configure Network Time Protocol (NTP) services on the node. You might also want to increase the clock skew interval. To do so, modify the kerberos-realm configuration clock-skew (“Maximum tolerance for computer clock synchronization” in Windows(R) Active Directory) parameter from the default 300 seconds to 600 seconds or more. Note: Increasing the clock-skew interval makes the client protocols less secure against network replay attacks.

and then setting a NTP server that actually worked then everything was working again after a few minutes.

And then setting a NTP server on the NetApp box that are in sync with ActiveDirectory = Sucess.