Certificate Based Replication between Hyper V Servers
(Based on Server 2012 R2)
The purpose of this article is to get certificate-based replication configured and working between two Microsoft Hyper-V servers.
The procedure uses self-signed certificates, which we will generate during the process.
If you already have a live environment, you will have the following in place:
- 2 Physical Servers which host Virtualization
- Windows Server 2012 R2 Standard installed on both servers
- Makecert.exe, which will help you create self-signed certificates
- A Virtual Machine on the primary server
You can download makecert.exe from here. Makecert.exe is part of the Windows SDK, which can be accessed here.
Step 1: Download Makecert.exe and save it in a folder c:\makecert
Step 2: Open an elevated Command Prompt and navigate to the folder c:\makecert as shown in the picture
Figure 1-CD to makecert Folder
Type the commands below:
- Makecert.exe -pe -n "CN=ReplicaServerRootCA" -ss root -sr LocalMachine -sky signature -r "ReplicaServerRootCA.cer"
- What you have done above is create a certificate authority which you can use to issue certificates locally.
- Makecert.exe -pe -n "CN=ntc-dc1" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "ReplicaServerRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ntc-dc1
- What you have done here is use the same CA, i.e. ReplicaServerRootCA, to issue a certificate. Make sure you run the "hostname" command in the command prompt to get the exact hostname and use it in place of ntc-dc1.
Explanation of the parameters in the above two commands:
-pe: marks the generated private key as exportable, so it is stored together with the certificate
-n "CN=CARoot": the certificate's subject name, which must be formatted as a standard distinguished name
-sr LocalMachine: the certificate store location
-ss root: the certificate store name
-r: indicates the certificate is self-signed
-sky: specifies the key type, i.e. signature, exchange, or an integer provider key type
-eku: the enhanced key usage object identifiers (OIDs) the certificate is valid for
You can learn more about the full set of parameters by following this link
Figure 2-Create Certificates
Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
By default, a certificate revocation check is mandatory. Because the self-signed certificates we are using here do not support revocation checking, we amend the registry with the value above to disable the check.
Figure 3-Cert Revocation
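Before moving on to the MMC, it is worth confirming that what makecert produced actually satisfies the requirements implied by the two commands and the registry change above. The following PowerShell script is an added example, not part of the original article: it looks up the server certificate in the computer's Personal store, checks the private key and both EKU OIDs passed to -eku, confirms the root CA is in Trusted Root, builds the chain with and without revocation checking to show why the self-signed setup fails the default check, and reads DisableCertRevocationCheck. The subject name (defaulting to CN=<computer name>) and the root CA name are assumptions taken from the article's commands; adjust them if you used different names.

```powershell
# Added example (not from the original article). Verifies a makecert-generated
# certificate against the Hyper-V Replica requirements described above and
# reports the DisableCertRevocationCheck registry value.
# Assumptions: subject CN = this computer's hostname (as in "CN=ntc-dc1"),
# root CA subject "CN=ReplicaServerRootCA", both in the LocalMachine stores.
param(
    [string]$SubjectName = "CN=$env:COMPUTERNAME",   # value passed to makecert -n
    [string]$RootCaName  = "CN=ReplicaServerRootCA"  # value passed to makecert -in
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication
$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication
$issues = @()

# 1. Server certificate must be in the computer's Personal store (-ss my -sr LocalMachine).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $SubjectName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$SubjectName' in Cert:\LocalMachine\My" }

# 2. It must carry a private key (-pe with -sky exchange).
if (-not $cert.HasPrivateKey) { $issues += "certificate has no private key" }

# 3. Enhanced Key Usage must contain both OIDs given to -eku.
$ekuExt = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($oid in $serverAuthOid, $clientAuthOid) {
    if ($ekus -notcontains $oid) { $issues += "EKU $oid missing from certificate" }
}

# 4. The issuing root CA (-is root -ir LocalMachine) must be in Trusted Root.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaName }
if (-not $root) { $issues += "root CA '$RootCaName' not found in Cert:\LocalMachine\Root" }

# 5. Build the chain twice: with online revocation checking (the Hyper-V default)
#    and with revocation ignored (what the registry value switches to). A makecert
#    root publishes no CRL, so the first build is expected to fail on revocation status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$okWithRevocation = $chain.Build($cert)
$revocationStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$okWithoutRevocation = $chain.Build($cert)
if (-not $okWithoutRevocation) {
    $issues += "chain does not build even with revocation ignored: " +
               (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", ")
}

# 6. The registry value from the article: 1 = revocation check disabled.
#    Only needed while self-signed certificates are in use; remove it again
#    once certificates from a CA that publishes revocation data are deployed.
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication"
$disableCheck = (Get-ItemProperty -Path $regPath -Name DisableCertRevocationCheck `
                 -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if (-not $okWithRevocation -and $disableCheck -ne 1) {
    $issues += "chain fails the revocation check ($revocationStatus) and DisableCertRevocationCheck is not 1"
}

"Certificate                 : $($cert.Subject)  thumbprint $($cert.Thumbprint)"
"Chain with revocation check : $okWithRevocation ($revocationStatus)"
"Chain without revocation    : $okWithoutRevocation"
"DisableCertRevocationCheck  : $disableCheck"
if ($issues) { "Problems:"; $issues | ForEach-Object { " - $_" } }
else         { "Certificate is ready for Hyper-V Replica on this host." }
```

Run it in an elevated PowerShell on each server after the makecert and Reg add steps; a clean result lists no problems and shows the chain building once revocation is ignored.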
At this point you should be able to see your certificate in the MMC Certificates (Computer Account) snap-in, as shown in the screenshot.
Open the Certificates snap-in by following these steps:
Type mmc in the Command Prompt and the window below will open
Figure 4-CMD MMC
Click File -> Add/Remove Snap-in
Figure 5-MMC Computer Account
Add it as a Computer Account
Figure 6-Snap In Local Computer
Figure 7-MMC Certificates
Open Hyper-V Manager as shown; you should be able to see the certificate once you check Use certificate-based authentication (HTTPS)
Figure 8-Hyper V Manager on Replica Server
At this point, repeat Steps 2 to 7 on the Primary Server to generate a certificate.
Figure 9-Generate Cert on Primary
Figure 10-Hyper-V Manager on Primary Server
Once that is complete, the only thing left to do is to add the certificate of the Primary Server to the Replica Server and vice versa.
Adding Certificates to both servers
You will need to copy certificates to certificate stores on both servers.
- Open MMC by going to Run -> MMC
Figure 11-Snap In Open
- You will be saving the certificate you generated in the Personal and Trusted Root Certification Authorities stores.
Figure 12-Cert Locations
- Right-click and choose Import
Figure 13-Right click import
- Import your server certificate here.
- Go to Trusted Root Certification Authorities -> Certificates and import the CA certificate there.
- Repeat the process to import the certificates on the other server.
- Open Hyper-V Manager on the Primary Server and right-click the VM you want to replicate to the Replica Server.
Enter the replica server name and click Next
Choose the port you defined on the replica server and select the certificate as below
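The same exchange of root certificates and the replication setup from the steps above can be done from PowerShell with the PKI and Hyper-V modules that ship with Server 2012 R2, which is handy when you want the steps repeatable on both hosts. The script below is an added example and not the article's own procedure: it exports only the public part of this host's root CA (the private key stays where makecert put it), shows the import that runs on the peer, registers the replica server for certificate authentication on the chosen port with an explicit authorization entry for the primary, and enables replication of the VM. The replica host name, VM name, port 443, trust group and storage path are placeholders; the primary name ntc-dc1 and the root CA name come from the article.

```powershell
# Added example (not from the original article). Cross-trust the two self-signed
# root CAs and configure certificate-based replication with PowerShell.
# Placeholders: $replica, $vmName, $port, the storage path and trust group.
$primary = "ntc-dc1"          # primary host, the article's example hostname
$replica = "REPLICA-HOST"     # placeholder: replica host name
$port    = 443                # placeholder: HTTPS port chosen on the replica server
$vmName  = "VM-TO-REPLICATE"  # placeholder: VM on the primary to replicate
$rootCN  = "CN=ReplicaServerRootCA"
$replicaStorage = "D:\HyperV\Replica"   # placeholder: where replica VHDs land

# --- On each server: export the public part of its OWN root CA. ---
# Both hosts created a root with the same CN, so pick the one whose private key
# is here (-pe stored it); -Type CERT writes only the public certificate.
$ownRoot = Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Subject -eq $rootCN -and $_.HasPrivateKey } |
           Sort-Object NotAfter -Descending | Select-Object -First 1
$exportPath = "C:\makecert\$($env:COMPUTERNAME)-RootCA.cer"
Export-Certificate -Cert $ownRoot -FilePath $exportPath -Type CERT | Out-Null

# --- On the other server, after copying that .cer file across: ---
# trusting the peer's root is what lets the peer's server certificate chain.
# Import-Certificate -FilePath "C:\makecert\<peer>-RootCA.cer" -CertStoreLocation Cert:\LocalMachine\Root

# This host's own server certificate (subject = hostname, from the makecert step).
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Subject -eq "CN=$env:COMPUTERNAME" -and $_.HasPrivateKey } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $serverCert) { throw "No server certificate for CN=$env:COMPUTERNAME in Cert:\LocalMachine\My" }

# --- On the replica server: accept certificate-authenticated replication on $port. ---
# An explicit authorization entry for the primary, rather than
# -ReplicationAllowedFromAnyServer, means a host that merely presents a
# certificate chaining to a trusted root still cannot push replicas here.
if ($env:COMPUTERNAME -ieq $replica) {
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate `
        -CertificateAuthenticationPort $port `
        -CertificateThumbprint $serverCert.Thumbprint `
        -ReplicationAllowedFromAnyServer $false
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $primary `
        -ReplicaStorageLocation $replicaStorage -TrustGroup "LabReplica"
    Get-VMReplicationServer
}

# --- On the primary server: enable replication of the VM to the replica. ---
# -ReplicaServerName must be the name in the replica's certificate subject,
# which is why the article has you take the exact hostname from "hostname".
if ($env:COMPUTERNAME -ieq $primary) {
    Enable-VMReplication -VMName $vmName -ReplicaServerName $replica `
        -ReplicaServerPort $port -AuthenticationType Certificate `
        -CertificateThumbprint $serverCert.Thumbprint
    Start-VMInitialReplication -VMName $vmName
    Get-VMReplication -VMName $vmName
}
```

Run the export section on both hosts first, copy each .cer to the other host and run the commented Import-Certificate line there, then run the script again so the replica and primary branches execute on their respective machines; Get-VMReplication on the primary should then show the VM's replication state and health.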