Solved

Hyper-V Replica Self Signed cert authentication on different domains

Posted on 2014-09-09
5
724 Views
Last Modified: 2014-11-12
I want to enable replication from a Hyper-V server to another Hyper-V server at the datacenter. But the two Hyper-V servers are not part of the same AD network. I've been looking into some articles. But I'm still a little confused. The server at the datacenter is already receiving replication from a Hyper-V on the same AD network. No problem here.

Do I need a SAN certificate that will have all domains listed?

Thanks
Question by:quadrumane
5 Comments
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 50 total points
ID: 40314445
You have to create the certificate on each machine and import the other server's self-signed certificate.

Since self-signed certificates don't have a revocation URL and Hyper-V Replica checks for revocation, you have to do the following on both servers:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

Complete walkthrough is available at http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
 
LVL 20

Assisted Solution

by:Svet Paperov
Svet Paperov earned 450 total points
ID: 40314467
Microsoft documentation says that the certificate must be an X.509v3 certificate for which Enhanced Key Usage (EKU) supports both Client Authentication and Server Authentication.

Creating a self-signed certificate on both the primary and replica servers is a relatively easy process. Follow the instructions here: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx and http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication/

When using self-signed certificates, you will have to export the public certificates and import them on respective servers.

Each certificate must have the FQDN of the server as Subject Name, or it can be a wildcard certificate. No, you don’t need to put both domains in each certificate – just the local server’s FQDN like primary.domain1.com for the Primary server and replica.domain2.com for the Replica. http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx

If you have a Root CA on Windows Server 2012 Datacenter, it can also be used to generate the certificates. The best solution would be using a public CA, as for a web server certificate, but since the certificates will be used to authenticate private communication, issuing them from a public CA is not required.
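The two answers above describe one procedure between them: a self-signed X.509v3 certificate per host with both EKUs and the host's own FQDN as subject, exporting the public part and importing the other host's copy, and David's DisableCertRevocationCheck registry value on both sides. The PowerShell below is an added example that walks through all of it; it is not code from this thread, from the linked posts or from Microsoft. It assumes Windows Server 2012 R2 or later (where New-SelfSignedCertificate accepts -KeyUsage and -TextExtension; older hosts would use makecert as in the linked walkthrough), and the export directory, replica storage path, trust-group name, port and firewall rule name are assumptions. The host names primary.domain1.com and replica.domain2.com are the ones used in the thread.

```powershell
# Added example, not code from the thread, the linked posts or Microsoft.
# Assumes Windows Server 2012 R2+ (New-SelfSignedCertificate with -KeyUsage /
# -TextExtension). Paths, port, trust group and firewall rule name are assumed.
# Run on BOTH hosts: first pass (no -PeerPublicCer) creates and exports the local
# cert; copy the .cer files across; second pass imports the peer cert and wires
# up Hyper-V Replica for the given role.
param(
    [Parameter(Mandatory)][ValidateSet('Primary', 'Replica')][string]$Role,
    [string]   $LocalFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]   $PeerFqdn,                                  # e.g. primary.domain1.com / replica.domain2.com
    [string]   $PeerPublicCer,                             # .cer file exported on the other host
    [string[]] $VmName         = @(),                      # Primary only: VMs to replicate
    [string]   $ExportDir      = 'C:\HyperVReplicaCerts',  # assumed
    [string]   $ReplicaStorage = 'D:\ReplicaVMs',          # assumed, Replica only
    [int]      $HttpsPort      = 443
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. One self-signed cert per host: CN = this host's own FQDN (not both domains),
#    EKU = Server Authentication + Client Authentication.
#    2.5.29.37 is the EKU extension; 1.3.6.1.5.5.7.3.1 / .2 are the two EKU OIDs.
$friendly = "Hyper-V Replica $LocalFqdn"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$LocalFqdn" -and $_.FriendlyName -eq $friendly } |
    Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate `
        -DnsName $LocalFqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -FriendlyName $friendly `
        -NotAfter (Get-Date).AddYears(5)
}

# 2. Export the PUBLIC part only (DER .cer, no private key) to hand to the peer.
$cerPath = Join-Path $ExportDir (($LocalFqdn -replace '\.', '-') + '.cer')
Export-Certificate -Cert $cert -FilePath $cerPath -Force | Out-Null
Write-Host "$Role cert $($cert.Thumbprint) for $LocalFqdn exported to $cerPath"

# 3. Self-signed certs carry no CRL/OCSP URL, so switch off Hyper-V Replica's
#    revocation check on both hosts (same value the reg add command above sets).
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
New-ItemProperty -Path $regKey -Name DisableCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null

# Stop here on the first pass; the rest needs the other host's .cer file.
if (-not $PeerPublicCer) { return }

# 4. Trust the peer: a self-signed cert is its own issuer, so its public cert goes
#    into the local machine's Trusted Root Certification Authorities store.
$peer = Import-Certificate -FilePath $PeerPublicCer -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported peer cert $($peer.Subject) ($($peer.Thumbprint)) into LocalMachine\Root"

if ($Role -eq 'Replica') {
    # 5a. Replica: select the LOCAL cert (only one thumbprint can be chosen) and
    #     accept only the named primary ("Allow replication from the specified servers").
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate `
        -CertificateAuthenticationPort $HttpsPort `
        -CertificateThumbprint $cert.Thumbprint `
        -ReplicationAllowedFromAnyServer $false
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $PeerFqdn `
        -ReplicaStorageLocation $ReplicaStorage -TrustGroup 'CrossDomain'
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'   # built-in rule name, assumed
} else {
    # 5b. Primary: enable replication per VM with the local cert; the replica
    #     validates it against the public cert it imported in step 4.
    foreach ($name in $VmName) {
        Enable-VMReplication -VMName $name -ReplicaServerName $PeerFqdn -ReplicaServerPort $HttpsPort `
            -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint
    }
}
```

Because each host only ever presents its own certificate and only ever imports the peer's public part, no private key leaves either box and neither certificate has to mention the other domain. The second pass is what makes the trust mutual: the replica trusts the primary's self-signed cert and the primary trusts the replica's, which is the "both primary and replica server authenticate each other" behaviour described in the accepted answer.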
 

Author Comment

by:quadrumane
ID: 40314659
Thank you for the enlightenment. I have a better understanding. Two last questions.

1 - In my understanding, if many source servers from different domains are replicated on the Replica server, only the certificate created locally (from the replica server) will be selected in Hyper-V settings/Replica configuration. But if each certificate from each Hyper-V source server is exported and imported in the Hyper-V replica server, it can't work, as only one certificate can be selected in Hyper-V.

2 - If I use a public (DigiCert) SSL certificate on the Replica server, do I still need to export self-signed certificates from the Hyper-V source servers?

Thanks again
 
LVL 20

Accepted Solution

by:Svet Paperov
Svet Paperov earned 450 total points
ID: 40314736
Q1:
It will work because, in Hyper-V Replica, you select the local certificate and not the public certificates exported from the primary servers. Here is how PKI works in general: the source server identifies itself with its (private) certificate on the target server; the target server checks the certificate chain until it finds the fingerprints of the (public) certificate of the issuer (the name of the issuer is included in the certificate).

In the case of Hyper-V replica, both primary and replica server authenticate each other in that way. Don’t forget that on the replica server, you still can lock down the allowed primary servers by “Allow Replication From The Specified Servers”.

Q2:
If you are using a self-signed certificate on the primary server, yes, its public certificate must be exported and imported on the replica server. However, if a publicly-signed certificate is used, its certificate chain already exists in Windows Server. I would recommend using a publicly-signed certificate on the primary server as well.
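The chain walk in the answer above is what decides whether a peer certificate is accepted, and it is easy to check on the receiving host before touching the Hyper-V settings. The function below is an added example, not code from the thread or from Microsoft: given a peer's exported public .cer and that peer's FQDN, it builds the chain the way Windows does, reports whether the chain ends in a certificate present in the local Trusted Root store (which for a self-signed peer cert is true only after its public cert was imported there; for a publicly-signed cert the CA is already present), confirms both EKUs, and matches the subject name (including wildcards). The file path and host name in the usage line are assumptions.

```powershell
# Added example, not code from the thread or Microsoft. Checks a peer's public
# certificate against the Hyper-V Replica requirements discussed above.
function Test-ReplicaPeerCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,     # .cer exported on the peer
        [Parameter(Mandatory)][string]$PeerFqdn,    # name the peer should carry
        [switch]$CheckRevocation                    # omitted = like DisableCertRevocationCheck=1
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CerPath).Path

    # EKU extension (2.5.29.37) must list BOTH Server and Client Authentication.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            $ekus += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Subject: the peer's own FQDN, or a wildcard that covers it. Neither domain
    # needs to appear in the other host's certificate.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk  = ($PeerFqdn -eq $dnsName) -or ($dnsName.StartsWith('*.') -and ($PeerFqdn -like $dnsName))

    # Chain: follow issuer names until a cert in LocalMachine\Root is reached.
    # A self-signed peer cert is its own issuer, so it passes only if its public
    # cert was imported into that store on this host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    } else {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    }
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $serverAuth))
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuth))
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootOk  = (Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }) -contains $root.Thumbprint
    $status  = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        SubjectMatches = $nameOk
        HasServerAuth  = ($ekus -contains $serverAuth)
        HasClientAuth  = ($ekus -contains $clientAuth)
        ChainBuilds    = $chainOk
        RootIsTrusted  = $rootOk
        ChainRoot      = $root.Subject
        ChainStatus    = $status
        Acceptable     = ($nameOk -and $chainOk -and $rootOk -and
                          ($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth))
    }
}

# Usage on the replica after importing the primary's .cer (path and name assumed):
$peerCer = 'C:\HyperVReplicaCerts\primary-domain1-com.cer'
if (Test-Path $peerCer) {
    Test-ReplicaPeerCertificate -CerPath $peerCer -PeerFqdn 'primary.domain1.com' | Format-List
}
```

Run it once without -CheckRevocation to see the result Hyper-V Replica gets once DisableCertRevocationCheck is set, and once with it to see the status a self-signed certificate with no revocation URL produces; the ChainStatus entries explain any failure, which is more useful than the generic error the Replica wizard shows.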
 

Author Comment

by:quadrumane
ID: 40314775
Thanks for the explanations.
