Solved

Hyper-V Replica Self Signed cert authentication on different domains

Posted on 2014-09-09
744 Views
Last Modified: 2014-11-12
I want to enable replication from a Hyper-V server to another Hyper-V server at the datacenter. But the two Hyper-V servers are not part of the same AD network. I've been looking into some articles, but I'm still a little confused. The server at the datacenter is already receiving replication from a Hyper-V on the same AD network. No problem here.

Do I need a SAN certificate that will have all domains listed?

Thanks
Question by: quadrumane

5 Comments
Assisted Solution

by: David Johnson, CD, MVP
David Johnson, CD, MVP earned 50 total points
ID: 40314445
You have to create the certificate on each machine and import the other server's self-signed certificate.

Since self-signed certificates don't have a revocation URL and Hyper-V Replica checks for revocation, you have to do the following on both servers:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f


A complete walkthrough is available at http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
Assisted Solution

by: Svet Paperov
Svet Paperov earned 450 total points
ID: 40314467
Microsoft documentation says that the certificate must be an X.509v3 certificate for which Enhanced Key Usage (EKU) supports both Client Authentication and Server Authentication.

Creating a self-signed certificate on both the primary and the replica server is a relatively easy process. Follow the instructions here: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx and http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication/

When using self-signed certificates, you will have to export the public certificates and import them on the respective servers.

Each certificate must have the FQDN of the server as its Subject Name, or it can be a wildcard certificate. No, you don't need to put both domains in each certificate; just the local server's FQDN, like primary.domain1.com for the Primary server and replica.domain2.com for the Replica. http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx

If you have a Root CA on Windows Server 2012 Datacenter, it can also be used to generate the certificates. The best solution would be using a public CA, as for a web server certificate, but since the certificates will be used to authenticate private communication, issuing them from a public CA is not required.
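Both answers above describe the same preparation on each server: a self-signed X.509v3 certificate whose subject is the local FQDN and whose Enhanced Key Usage covers both Client and Server Authentication, its public part exported for the peer, and the revocation check disabled because a self-signed certificate has no CRL URL. The script below is an added example, not code from either answer or from the linked TechNet walkthrough (which uses makecert). It assumes PowerShell on Windows Server 2016 or later (on 2012 R2 drop the -KeyUsage, -TextExtension and -NotAfter parameters; the cmdlet's default EKU set already includes both usages, and the verification step confirms it), the FQDNs primary.domain1.com and replica.domain2.com from the thread, and a constructed export folder C:\certs. Run it once on each server with that server's own FQDN, copy the exported .cer to the peer, and import it there as printed at the end.

```powershell
# Added example: create, verify and export the local Hyper-V Replica certificate,
# then disable the revocation check. Run on EACH server with its own FQDN.
param(
    [string]$LocalFqdn = "primary.domain1.com",   # use replica.domain2.com on the replica server
    [string]$ExportDir = "C:\certs"                # constructed path; any local folder works
)

# OIDs of the two Enhanced Key Usages Hyper-V Replica requires.
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"

# 1. Self-signed certificate whose subject and SAN are the local server's FQDN.
#    New-SelfSignedCertificate includes both EKUs by default; -TextExtension states them
#    explicitly (that parameter exists on Windows Server 2016 and later).
$cert = New-SelfSignedCertificate `
    -DnsName $LocalFqdn `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}$ServerAuthOid,$ClientAuthOid") `
    -NotAfter (Get-Date).AddYears(5)

# 2. Verify the properties the thread calls out before trusting this certificate anywhere.
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
if ($ekus -notcontains $ServerAuthOid -or $ekus -notcontains $ClientAuthOid) {
    throw "Certificate lacks Server or Client Authentication EKU: $($ekus -join ', ')"
}
if ($cert.Subject -ne "CN=$LocalFqdn") {
    throw "Subject '$($cert.Subject)' does not match the local FQDN $LocalFqdn"
}
if (-not $cert.HasPrivateKey) {
    throw "Private key missing; Hyper-V needs it in LocalMachine\My"
}

# 3. Export the PUBLIC certificate only (DER .cer, no private key) for the peer server.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$cerPath = Join-Path $ExportDir "$LocalFqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 4. Self-signed certificates carry no CRL distribution point, so disable the revocation
#    check (same value the reg add command in the first answer sets).
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication"
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name DisableCertRevocationCheck -Value 1 -PropertyType DWord -Force | Out-Null

"Thumbprint to select in Hyper-V Settings > Replication Configuration: $($cert.Thumbprint)"
"Copy $cerPath to the peer server and import it there with:"
"  Import-Certificate -FilePath <copied $LocalFqdn.cer> -CertStoreLocation Cert:\LocalMachine\Root"
```

Only the .cer (public key) ever leaves the server; the private key stays in LocalMachine\My, which is what lets the peer authenticate this server without being able to impersonate it.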
Author Comment

by: quadrumane
ID: 40314659
Thank you for the enlightenment. I have a better understanding. Two last questions.

1 - In my understanding, if many source servers from different domains are replicated on the Replica server, only the certificate created locally (on the replica server) will be selected in Hyper-V Settings / Replica Configuration. But if each certificate from each Hyper-V source server is exported and imported on the Hyper-V replica server, it can't work, as only one certificate can be selected in Hyper-V.

2 - If I use a public (DigiCert) SSL certificate on the Replica server, do I still need to export the self-signed certificates from the Hyper-V source servers?

Thanks again
Accepted Solution

by: Svet Paperov
Svet Paperov earned 450 total points
ID: 40314736
Q1:
It will work because, in Hyper-V Replica, you select the local certificate and not the public certificates exported from the primary servers. Here is how PKI works in general: the source server identifies itself with its (private) certificate on the target server; the target server checks the certificate chain until it finds the fingerprint of the (public) certificate of the issuer (the name of the issuer is included in the certificate).

In the case of Hyper-V Replica, both the primary and the replica server authenticate each other in that way. Don't forget that on the replica server you can still lock down the allowed primary servers with "Allow Replication From The Specified Servers".

Q2:
If you are using a self-signed certificate on the primary server, yes, its public certificate must be exported and imported on the replica server. However, if a publicly-signed certificate is used, its certificate chain already exists in Windows Server. I would recommend using a publicly-signed certificate on the primary server as well.
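The accepted answer makes two points worth checking in practice: each side validates the other's certificate chain against its own trusted roots, and the replica server selects its own local certificate while restricting which primaries may connect. The script below is an added example, not code from the answer; it assumes the Hyper-V PowerShell module (Set-VMReplicationServer, New-VMReplicationAuthorizationEntry, Enable-VMReplication), the FQDNs from the thread, that the peer's public .cer has already been imported into the local Trusted Root store, and constructed values for the VM name, storage path and trust group. It runs the same chain validation the receiving side performs (with revocation checking off, matching DisableCertRevocationCheck), then applies the replica-side or primary-side configuration depending on -Role.

```powershell
# Added example: validate the imported peer certificate, then configure certificate-based
# Hyper-V Replica on the replica server (-Role Replica) or the primary server (-Role Primary).
param(
    [ValidateSet("Replica", "Primary")] [string]$Role = "Replica",
    [string]$PrimaryFqdn    = "primary.domain1.com",
    [string]$ReplicaFqdn    = "replica.domain2.com",
    [string]$ReplicaStorage = "D:\HyperVReplica",   # constructed path on the replica server
    [string]$VmName         = "VM1",                # constructed VM name on the primary server
    [string]$TrustGroup     = "domain1"             # constructed trust group name
)

# Does the peer's public certificate in LocalMachine\Root build a valid chain here?
# This is the check Hyper-V Replica performs when the peer presents its certificate.
function Test-PeerCertificateTrust {
    param([string]$PeerFqdn)
    $peer = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq "CN=$PeerFqdn" } | Select-Object -First 1
    if (-not $peer) { throw "No certificate for $PeerFqdn in LocalMachine\Root; import its .cer first" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Self-signed certificates have no CRL/OCSP URL, so skip revocation like the registry setting does.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($peer)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
        throw "Chain validation for $PeerFqdn failed: $status"
    }
    return $peer
}

# The local certificate (with private key) that gets selected in Replication Configuration.
function Get-LocalReplicaCertificate {
    param([string]$LocalFqdn)
    $local = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$LocalFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $local) { throw "No certificate with a private key for $LocalFqdn in LocalMachine\My" }
    return $local
}

switch ($Role) {
    "Replica" {
        Test-PeerCertificateTrust -PeerFqdn $PrimaryFqdn | Out-Null
        $localCert = Get-LocalReplicaCertificate -LocalFqdn $ReplicaFqdn

        # Certificate authentication over HTTPS, using only the replica's own certificate.
        # ReplicationAllowedFromAnyServer $false == "Allow Replication From The Specified Servers".
        Set-VMReplicationServer -ReplicationEnabled $true `
            -AllowedAuthenticationType Certificate `
            -CertificateAuthenticationPort 443 `
            -CertificateThumbprint $localCert.Thumbprint `
            -ReplicationAllowedFromAnyServer $false

        # One authorization entry per allowed primary; a primary from another domain simply gets its own.
        New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $PrimaryFqdn `
            -ReplicaStorageLocation $ReplicaStorage -TrustGroup $TrustGroup | Out-Null

        # The inbound listener rule ships disabled.
        Enable-NetFirewallRule -DisplayName "Hyper-V Replica HTTPS Listener (TCP-In)"
        "Replica configured with thumbprint $($localCert.Thumbprint); accepting $PrimaryFqdn only"
    }
    "Primary" {
        Test-PeerCertificateTrust -PeerFqdn $ReplicaFqdn | Out-Null
        $localCert = Get-LocalReplicaCertificate -LocalFqdn $PrimaryFqdn

        Enable-VMReplication -VMName $VmName -ReplicaServerName $ReplicaFqdn -ReplicaServerPort 443 `
            -AuthenticationType Certificate -CertificateThumbprint $localCert.Thumbprint
        Start-VMInitialReplication -VMName $VmName
        Get-VMReplication -VMName $VmName | Select-Object State, Health, ReplicaServer
    }
}
```

If Test-PeerCertificateTrust fails on either side, Hyper-V would fail the same way with a less specific error, so fixing the chain (missing import, wrong store, expired certificate) before touching the replication settings saves a round of guesswork.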
Author Comment

by: quadrumane
ID: 40314775
Thanks for the explanations.