Solved

Hyper-V Replica Self Signed cert authentication on different domains

Posted on 2014-09-09
690 Views
Last Modified: 2014-11-12
I want to enable replication from a Hyper-V server to another Hyper-V server at the datacenter.  But the two  Hyper-V servers are not part of the same AD network.   I've been looking into some articles.   But I'm still a little confused.  The server at the datacenter is already receiving replication from a Hyper-V on the same AD network.   No problem here.

Do I need a SAN certificate that will have all domains listed?

Thanks
Question by:quadrumane
5 Comments
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 50 total points
ID: 40314445
You have to create the certificate on each machine and import the other server's self-signed certificate.

Since self-signed certificates don't have a revocation URL and Hyper-V Replica checks for revocation, you have to do the following on both servers:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f



Complete walkthrough is available at http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx
 
LVL 20

Assisted Solution

by:Svet Paperov
Svet Paperov earned 450 total points
ID: 40314467
Microsoft documentation says that the certificate must be an X.509v3 certificate for which Enhanced Key Usage (EKU) supports both Client Authentication and Server Authentication.

Creating a self-signed certificate on both the primary and replica servers is a relatively easy process. Follow the instructions here: http://blogs.technet.com/b/virtualization/archive/2013/04/13/hyper-v-replica-certificate-based-authentication-makecert.aspx and http://blog.powerbiz.net.au/hyperv/how-to-create-self-signed-certificates-for-hyper-v-replication/

When using self-signed certificates, you will have to export the public certificates and import them on respective servers.

Each certificate must have the FQDN of the server as its Subject Name, or it can be a wildcard certificate. No, you don't need to put both domains in each certificate – just the local server's FQDN, like primary.domain1.com for the Primary server and replica.domain2.com for the Replica. http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx

If you have a Root CA on Windows Server 2012 Datacenter, it can also be used to generate the certificates. The best solution would be using a public CA, as for a web server certificate, but since the certificates will be used to authenticate private communication, issuing them from a public CA is not required.
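The certificate steps from the two answers above (create a certificate per host with the local FQDN as Subject and both EKUs, export only the public part, import the partner's public certificate, and set the revocation-check registry value), as an added PowerShell example that is not from the thread or from Microsoft. It assumes a PKI module whose New-SelfSignedCertificate accepts -TextExtension and -KeyUsage (Windows Server 2016 / Windows 10 or later; the thread's era used makecert.exe), and the host names and file paths are placeholders:

```powershell
# Added example (not from the thread): build and exchange self-signed certificates
# for Hyper-V Replica between two hosts that are not in the same AD domain.
# Assumes New-SelfSignedCertificate supports -TextExtension/-KeyUsage (2016+).
# All names and paths below are placeholders.

$LocalFqdn   = 'primary.domain1.com'                 # placeholder: this host's FQDN
$PartnerCert = 'C:\temp\replica.domain2.com.cer'     # placeholder: partner's exported public cert
$ExportPath  = "C:\temp\$LocalFqdn.cer"

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Local certificate: Subject = local FQDN, EKU = Server + Client Authentication.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$LocalFqdn" `
    -DnsName $LocalFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}$ServerAuthOid,$ClientAuthOid") `
    -NotAfter (Get-Date).AddYears(2)

# 2. Check the requirements quoted in the thread (X.509v3, both EKUs, FQDN subject)
#    before pointing Hyper-V at the certificate.
function Test-ReplicaCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedFqdn
    )
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    [pscustomobject]@{
        SubjectOk    = ($Certificate.Subject -eq "CN=$ExpectedFqdn")
        EkuOk        = ($oids -contains '1.3.6.1.5.5.7.3.1') -and ($oids -contains '1.3.6.1.5.5.7.3.2')
        PrivateKeyOk = $Certificate.HasPrivateKey
        Version      = $Certificate.Version
    }
}
$check = Test-ReplicaCertificate -Certificate $cert -ExpectedFqdn $LocalFqdn
if (-not ($check.SubjectOk -and $check.EkuOk -and $check.PrivateKeyOk -and $check.Version -eq 3)) {
    throw "Certificate does not meet Hyper-V Replica requirements:`n$($check | Out-String)"
}

# 3. Export only the public certificate for the partner; the private key stays on this host.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

# 4. Import the partner's public certificate into Trusted Root so its (self-signed) chain
#    validates locally. Repeat steps 1-4 on the other host with the roles swapped.
if (Test-Path $PartnerCert) {
    Import-Certificate -FilePath $PartnerCert -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# 5. Self-signed certificates carry no CRL/OCSP URL, so Hyper-V Replica's revocation check
#    would fail; the thread's registry value disables it. Needed on both hosts for self-signed
#    certificates only; leave it unset when a CA-issued certificate with a reachable CDP is used.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
New-Item -Path $RegPath -Force | Out-Null
New-ItemProperty -Path $RegPath -Name DisableCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null

"Thumbprint to select in Hyper-V Settings / Replication Configuration: $($cert.Thumbprint)"
```

The exported .cer contains no private key, so it can be copied between the two domains freely; only the private key in Cert:\LocalMachine\My must stay on the host it was generated on.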
 

Author Comment

by:quadrumane
ID: 40314659
Thank you for the enlightenment. I have a better understanding. Two last questions.

1 - In my understanding, if many source servers from different domains are replicated on the Replica server, only the certificate created locally (from the replica server) will be selected in Hyper-V settings/Replica configuration. But if each certificate from each Hyper-V source server is exported and imported in the Hyper-V replica server, it can't work, as only one certificate can be selected in Hyper-V.

2 - If I use a public (DigiCert) SSL certificate on the Replica server, do I still need to export the self-signed certificate from the Hyper-V source servers?

Thanks again
 
LVL 20

Accepted Solution

by:Svet Paperov
Svet Paperov earned 450 total points
ID: 40314736
Q1:
It will work because, in Hyper-V Replica, you select the local certificate and not the public certificates exported from the primary servers. Here is how PKI works in general: the source server identifies itself with its (private) certificate on the target server; the target server checks the certificate chain until it finds the fingerprint of the (public) certificate of the issuer (the name of the issuer is included in the certificate).

In the case of Hyper-V Replica, both the primary and replica servers authenticate each other in that way. Don't forget that on the replica server, you can still lock down the allowed primary servers with "Allow Replication From The Specified Servers".

Q2:
If you are using a self-signed certificate on the primary server, yes, its public certificate must be exported and imported on the replica server. However, if a publicly-signed certificate is used, its certificate chain already exists in Windows Server. I would recommend using a publicly-signed certificate on the primary server as well.
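The replica-side lockdown described in Q1 (select the local certificate, then restrict which primary servers may replicate) and the primary-side enablement, as an added PowerShell example that is not from the thread. It uses the Hyper-V module cmdlets Set-VMReplicationServer, New-VMReplicationAuthorizationEntry and Enable-VMReplication; the host names, VM name, storage path and thumbprints are placeholders:

```powershell
# Added example (not from the thread): certificate-based Hyper-V Replica with the
# replica server limited to named primaries in other AD domains.
# Names, paths and thumbprints are placeholders.

# --- On the Replica server (replica.domain2.com) ---
$ReplicaThumbprint = '<THUMBPRINT-OF-LOCAL-REPLICA-CERT>'   # placeholder; from Cert:\LocalMachine\My
$StoragePath       = 'D:\HyperV\Replica'                    # placeholder

# The selected certificate is the replica's own; primaries' public certs live in Trusted Root.
# ReplicationAllowedFromAnyServer $false = "Allow replication from the specified servers".
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $ReplicaThumbprint `
    -CertificateAuthenticationPort 443 `
    -ReplicationAllowedFromAnyServer $false

# One authorization entry per primary host; each may sit in a different domain.
foreach ($primaryFqdn in 'primary.domain1.com', 'primary.domain3.com') {
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $primaryFqdn `
        -ReplicaStorageLocation $StoragePath `
        -TrustGroup "TG-$primaryFqdn"
}

# Built-in inbound rule for the HTTPS listener (disabled by default).
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# Review what is now allowed in.
Get-VMReplicationServer
Get-VMReplicationAuthorizationEntry

# --- On a Primary server (primary.domain1.com) ---
$PrimaryThumbprint = '<THUMBPRINT-OF-LOCAL-PRIMARY-CERT>'   # placeholder; this host's own cert
Enable-VMReplication -VMName 'AppServer01' `
    -ReplicaServerName 'replica.domain2.com' `
    -ReplicaServerPort 443 `
    -AuthenticationType Certificate `
    -CertificateThumbprint $PrimaryThumbprint
Start-VMInitialReplication -VMName 'AppServer01'
```

With -ReplicationAllowedFromAnyServer $false, a host whose certificate chains correctly but whose FQDN is not in the authorization list is still refused, which is the second check the answer above recommends on top of the certificate exchange.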
 

Author Comment

by:quadrumane
ID: 40314775
Thanks for the explanations.
