Solved

Hyper-V Replica Self Signed cert authentication on different domains

Posted on 2014-09-09
Last Modified: 2014-11-12
I want to enable replication from a Hyper-V server to another Hyper-V server at the datacenter.  But the two  Hyper-V servers are not part of the same AD network.   I've been looking into some articles.   But I'm still a little confused.  The server at the datacenter is already receiving replication from a Hyper-V on the same AD network.   No problem here.

Do I need a SAN certificate that will have all domains listed?

Thanks
Question by:quadrumane
5 Comments
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 200 total points
ID: 40314445
You have to create the certificate on each machine and import the other server's self-signed certificate.

Since self-signed certificates don't have a revocation URL and Hyper-V Replica checks for revocation, you have to do the following on both servers:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

Complete walkthrough is available at http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
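As an added example (not part of the answer above), the same registry value written with PowerShell, preceded by a check a cautious administrator would want: the revocation check is only switched off when the replication certificate really carries no CRL Distribution Points extension, since a certificate that does publish a CRL should keep the check. $Thumbprint is a placeholder for the thumbprint of the certificate selected for replication.

```powershell
# Added example, not from the original post. Run on each Hyper-V host.
# $Thumbprint is a placeholder: the thumbprint of the certificate chosen for Hyper-V Replica.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# OID 2.5.29.31 is the CRL Distribution Points extension; self-signed certificates
# made with makecert / New-SelfSignedCertificate normally do not carry it.
$hasCdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

if ($hasCdp) {
    Write-Host "Certificate $Thumbprint publishes a CRL; leaving revocation checking enabled."
} else {
    # Same key and value as the 'reg add' command above, written via the registry provider.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -Value 1 -Type DWord

    # Read the value back so the change is confirmed rather than assumed.
    $value = (Get-ItemProperty -Path $regPath -Name DisableCertRevocationCheck).DisableCertRevocationCheck
    Write-Host "DisableCertRevocationCheck is now $value on $env:COMPUTERNAME."
}
```

Because disabling revocation checking means a leaked replication certificate cannot be revoked, pairing it with the replica server's allowed-primary-server list (rather than accepting replication from any server) limits what such a certificate could be used for.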
 
LVL 20

Assisted Solution

by:Svet Paperov
Svet Paperov earned 1800 total points
ID: 40314467
Microsoft documentation says that the certificate must be an X.509v3 certificate for which Enhanced Key Usage (EKU) supports both Client Authentication and Server Authentication.

Creating a self-signed certificate on both primary and replica servers is a relatively easy process. Follow the instructions here: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx and http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication/

When using self-signed certificates, you will have to export the public certificates and import them on respective servers.

Each certificate must have the FQDN of the server as Subject Name, or it can be a wildcard certificate. No, you don’t need to put both domains in each certificate – just the local server’s FQDN like primary.domain1.com for the Primary server and replica.domain2.com for the Replica. http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx

If you have a Root CA on Windows Server 2012 Datacenter it also can be used to generate the certificates. The best solution will be using a public CA as for a web server certificate, but since the certificates will be used to authenticate private communication, issuing them from a public CA is not required.
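An added example (my own, not from the linked walkthroughs, which use makecert) that puts the requirements from this answer and from the Q2 reply below into PowerShell: each host creates a certificate whose Subject is its own FQDN with both Server Authentication and Client Authentication EKUs, exports only the public part, and the other host imports that public certificate into its Trusted Root store. It assumes the New-SelfSignedCertificate parameters of the Windows 10 / Server 2016 PKI module (-Subject, -TextExtension, -KeyUsage); the hostnames, paths and friendly name are placeholders.

```powershell
# Added example, not code from the original answer or the linked articles.
# Section A runs on each Hyper-V host; section B runs on the *other* host.
# Assumes the Server 2016-era New-SelfSignedCertificate parameters; paths are placeholders.

# --- Section A: a certificate for this host's own FQDN (e.g. primary.domain1.com) ---
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$certParams = @{
    Subject           = "CN=$fqdn"
    DnsName           = $fqdn
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    # Enhanced Key Usage (OID 2.5.29.37): Server Authentication and Client Authentication
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2')
    NotAfter          = (Get-Date).AddYears(2)
    FriendlyName      = 'Hyper-V Replica'
}
$cert = New-SelfSignedCertificate @certParams

# Verify the certificate meets the documented EKU requirement before using it.
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
if (-not (($ekus -contains '1.3.6.1.5.5.7.3.1') -and ($ekus -contains '1.3.6.1.5.5.7.3.2'))) {
    throw 'Certificate does not carry both Server and Client Authentication EKUs.'
}

# Export the public certificate only (no private key) for the other host to trust.
$exportPath = "C:\Temp\$fqdn.cer"   # placeholder path
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null
Write-Host "Select thumbprint $($cert.Thumbprint) in Hyper-V Settings > Replication Configuration."
Write-Host "Copy $exportPath to the peer host."

# --- Section B: on the peer host, trust the exported self-signed public certificate ---
# A self-signed certificate is its own issuer, so it belongs in Trusted Root Certification
# Authorities for the chain to validate. Skip this step when the peer uses a public CA,
# whose root is already present in Windows.
$peerCer = 'C:\Temp\primary.domain1.com.cer'   # placeholder: the file copied from the peer
if (Test-Path $peerCer) {
    Import-Certificate -FilePath $peerCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}
```

Section A is what goes into the "local certificate" slot on each side; section B is the export/import step the answer describes, and it is only needed for self-signed certificates.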
 

Author Comment

by:quadrumane
ID: 40314659
Thank you for the enlightenment.  I have a better understanding.  Two last questions.  

1 - In my understanding if many source servers from different domains are replicated on the Replica server only the certificate created locally (from the replica server) will be selected in Hyper-V settings/Replica configuration.    But if each certificate from each Hyper-V source server is exported and imported in the Hyper-V replica server it can't work as only one certificate can be selected in Hyper-V.  

2 - If I use a public (DigiCert) SSL certificate on the Replica server do I still need to export self signed certificate from the Hyper-V source servers?

Thanks again
 
LVL 20

Accepted Solution

by:Svet Paperov
Svet Paperov earned 1800 total points
ID: 40314736
Q1:
It will work because, in Hyper-V replica, you select the local certificate and not the public certificates exported from the primary servers. Here is how PKI works in general: the source server identifies itself with its (private) certificate on the target server; the target server checks the certificate chain until it finds the fingerprints of the (public) certificate of the issuer (the name of the issuer is included in the certificate).

In the case of Hyper-V replica, both primary and replica server authenticate each other in that way. Don’t forget that on the replica server, you still can lock down the allowed primary servers by “Allow Replication From The Specified Servers”.

Q2:
If you are using a self-signed certificate on the primary server, yes, its public certificate must be exported and imported on the replica server. However, if a publicly-signed certificate is used its certificate chain already exists in Windows Server. I would recommend using a publicly-signed certificate on the primary server as well.
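An added example (not from the accepted answer) of the replica-side configuration this answer describes: only the local certificate is selected, and the "Allow Replication From The Specified Servers" lock-down is applied so that a valid certificate alone is not enough for an unlisted primary to replicate in. It uses the Hyper-V PowerShell module's Set-VMReplicationServer and the *-VMReplicationAuthorizationEntry cmdlets; the thumbprint, server names, storage paths and trust-group names are placeholders.

```powershell
# Added example, not from the original answer. Run on the Replica server.
# All values below are placeholders for your own environment.
$replicaThumbprint = 'PLACEHOLDER_THUMBPRINT_OF_LOCAL_CERT'
$allowedPrimaries = @(
    @{ Server = 'primary.domain1.com'; Storage = 'D:\Replica\domain1'; TrustGroup = 'Domain1' },
    @{ Server = 'primary.domain3.com'; Storage = 'D:\Replica\domain3'; TrustGroup = 'Domain3' }
)

# Sanity check: the selected certificate must be in the local machine store with its private key,
# because the replica server authenticates itself to each primary with it.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$replicaThumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw 'Replica certificate has no private key; this host cannot authenticate with it.'
}

# Enable certificate-based (HTTPS) authentication with the local certificate and refuse
# replication from any server that is not explicitly authorised.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 `
    -CertificateThumbprint $replicaThumbprint `
    -ReplicationAllowedFromAnyServer $false

# One authorization entry per primary server; each primary gets its own storage location
# and trust group. Removing a stale entry first keeps the script safe to rerun.
foreach ($p in $allowedPrimaries) {
    Remove-VMReplicationAuthorizationEntry -AllowedPrimaryServer $p.Server -ErrorAction SilentlyContinue
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $p.Server `
        -ReplicaStorageLocation $p.Storage -TrustGroup $p.TrustGroup | Out-Null
}

# Allow the HTTPS listener through the Windows firewall (built-in rule name on Server 2012+).
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# Show the resulting allow-list so it can be reviewed.
Get-VMReplicationAuthorizationEntry | Format-Table AllowedPrimaryServer, TrustGroup, ReplicaStorageLocation
```

The primary server names in the allow-list must match the Subject (or a wildcard match) of the certificate each primary presents, which is why the earlier answer insists on the local FQDN as Subject Name.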
 

Author Comment

by:quadrumane
ID: 40314775
Thanks for the explanations.