Hyper-V Replica Certificate Based with your own Root Authority #WS2012 #hyperv #HRM #DRAAS

With the new products that become available at the end of 2013 (the Windows Server 2012 R2 and System Center R2 releases), replication will matter more than ever and will be easier to set up, but the environment will also become more complex. Replication with Kerberos authentication is easy to use, and even a shared-nothing setup is quick, but what about certificate-based replication?

Easy: click a certificate and use it. Is it really that easy? Well, almost.


In this case I have my DC, which holds an Enterprise Root CA, two clusters and four VMM servers.

You will only need the Root CA and two Hyper-V servers, each in a different cluster.

Yes, we will do Cluster-Based Certificate-Based Replication (CBCBR).



Open Certification Authority (certsrv.msc) from Administrative Tools.

Right-click Certificate Templates, click Manage, and then duplicate the Workstation Authentication template.


Give the certificate template a descriptive name, such as Hyper-V Replica Authentication, so you know what the certificate is for.

There are a few settings we need to change, or can change:

On the Compatibility tab I chose 2012-only usage: Certification Authority and Certificate recipient are both set to Windows Server 2012.

On the Security tab, ensure that Authenticated Users are allowed Read and Enroll. (Because the subject name will be supplied in the request, granting Enroll to a narrower group, such as the Hyper-V host computer accounts, limits who can request a certificate from this template.)


On the Extensions tab, edit Application Policies and add Server Authentication. The Workstation Authentication template already carries Client Authentication, and Hyper-V Replica needs both.

On the Subject Name tab, change the option to Supply in the request.


Now that the certificate template is ready, we are going to let the CA issue it.


Open Certification Authority on the server and click Certificate Templates.

Select Action, choose New, followed by Certificate Template to Issue.

Choose the certificate template name from the pop-up box.


Now that the basics are ready on our DC, we can deploy the certificate to the clusters / Hyper-V servers.

If you try to select a certificate in the Hyper-V Replica Broker now, you will see a nice error: wrong or no certificate.

A cool thing in 2012 is that you can browse the certificate store from PowerShell.


Open PowerShell (I started in c:\windows\system32), change to the cert: drive, go into the LocalMachine\Root store and do a dir; you will see all the certificates:

```powershell
cd c:\windows\system32
cd cert:
cd .\localmachine\root   # the machine's Trusted Root store, where our Root CA certificate lives
dir                      # lists every certificate in the store
```

How cool is that!

Open an MMC, open the local machine certificate store, and request a new Hyper-V Replica certificate from our Enterprise CA based on the template we just created.


Click Next, and there is our new certificate template.

Now tick the certificate template and click the blue "More information is required" link.

Use the Common name (CN) and friendly name to identify the certificate. Use the computer's FQDN as the name the replica partner connects to; you can also use *.domain.local for a wildcard certificate.

Hit Apply and then Enroll.


The certificate should now be listed in the certificate store.
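Before going back to the broker it is worth checking that the enrolled certificate really has everything Hyper-V Replica looks for. This is an added example, not code from the original post: Test-HvrCertificate and its parameters are my own names, the EKU OIDs are the standard ones, and the node FQDN defaults to this machine's DNS name.

```powershell
# Added example, not from the original post: check a certificate in the local
# machine store against what Hyper-V Replica certificate authentication needs.
function Test-HvrCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        # FQDN the replica partner will use to reach this node
        [string] $NodeFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; Subject = ''; Ok = $false; Problems = @('not found in Cert:\LocalMachine\My') }
    }
    $problems = @()
    # Hyper-V Replica needs both EKUs: Client Authentication (inherited from the
    # Workstation Authentication template) and the Server Authentication we added.
    $oids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($oids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'missing EKU Client Authentication' }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'missing EKU Server Authentication' }
    # The node must hold the private key, not just the public certificate.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }
    # Replication stops once the certificate expires, so warn well before that.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
    } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
        $problems += "expires within 30 days ($($cert.NotAfter))"
    }
    # The subject CN or a SAN must cover the node FQDN; *.domain.local also counts.
    $names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $domain  = ($NodeFqdn -split '\.', 2)[1]
    $covered = $names | Where-Object { $_ -eq $NodeFqdn -or $_ -eq "*.$domain" }
    if (-not $covered) { $problems += "name $NodeFqdn not covered by [$($names -join ', ')]" }
    # The chain must build to a trusted root (our own Root CA in LocalMachine\Root),
    # with revocation checked online against the CA's CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" })
    }
    [pscustomobject]@{ Thumbprint = $Thumbprint; Subject = $cert.Subject; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Check every certificate in the machine store that has a private key.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-HvrCertificate -Thumbprint $_.Thumbprint } | Format-List
```

A certificate that reports Ok = True here is one the broker's Select Certificate dialog will accept; the Problems list explains the "wrong or no certificate" error otherwise.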


And that's the process for customizing and requesting certificates. Your final step in configuring Hyper-V Replica happens back in Failover Cluster Manager.

Now select the Hyper-V Replica Broker role in the cluster and right-click it.

Launch Replication Settings and click the Select Certificate button in Replication Configuration. If you've done everything correctly, you'll see your recently installed and customized certificate.


In my case I have two clusters and want to replicate in both directions between them.

Therefore I exported the same certificate with its private key and imported it on all the nodes. Remember that the node name must be in the certificate as the FQDN! (Sharing one private key across all nodes also means that a compromise of any one node exposes the key for all of them; per-node certificates from the same template avoid that.)
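The export-and-import step above, as an added example that is not part of the original post. It assumes the template allowed the private key to be exported, that PowerShell remoting is enabled on the nodes, and that the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate are available (Windows Server 2012). Copy-HvrCertificate is my own name; $Thumbprint and $Nodes are placeholders for your own values.

```powershell
# Added example, not from the original post: copy the enrolled certificate with its
# private key from this node to the other cluster nodes and confirm each node holds it.
function Copy-HvrCertificate {
    param(
        [Parameter(Mandatory = $true)] [string]   $Thumbprint,
        [Parameter(Mandatory = $true)] [string[]] $Nodes       # e.g. 'node2.domain.local'
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "certificate $Thumbprint has no private key on this node" }

    # The PFX contains the private key: protect it with a password and delete the
    # file as soon as it has been read; the bytes travel inside the remoting session
    # instead of sitting on a share that every node (and everyone else) can reach.
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    $localPfx = Join-Path $env:TEMP "hvr-$Thumbprint.pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $localPfx -Password $pfxPassword | Out-Null
        $pfxBytes = [System.IO.File]::ReadAllBytes($localPfx)
    } finally {
        Remove-Item $localPfx -Force -ErrorAction SilentlyContinue
    }

    Invoke-Command -ComputerName $Nodes -ScriptBlock {
        $thumb = $using:Thumbprint
        $bytes = $using:pfxBytes
        $pw    = $using:pfxPassword
        # Write the PFX to a temporary file on the node and import it into the
        # machine store, where the Hyper-V Replica Broker looks for it.
        $tmp = Join-Path $env:TEMP "hvr-$thumb.pfx"
        [System.IO.File]::WriteAllBytes($tmp, $bytes)
        try {
            Import-PfxCertificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\My -Password $pw | Out-Null
        } finally {
            Remove-Item $tmp -Force -ErrorAction SilentlyContinue
        }
        # Report whether this node's FQDN is among the certificate names (wildcard allowed).
        $c     = Get-Item "Cert:\LocalMachine\My\$thumb"
        $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        $names = @($c.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Node          = $fqdn
            HasPrivateKey = $c.HasPrivateKey
            NameCovered   = [bool]($names | Where-Object { $_ -eq $fqdn -or $_ -eq ('*.' + ($fqdn -split '\.', 2)[1]) })
            NotAfter      = $c.NotAfter
        }
    } | Format-Table Node, HasPrivateKey, NameCovered, NotAfter -AutoSize
}
```

A node that shows NameCovered = False will not be accepted by its replica partner even though the import succeeded, which is exactly the "node name must be in the certificate" point above.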


On the VM you can enable replication and choose the certificate. You can also mix: one VM with Kerberos and another with a certificate.


Once it is done it keeps working, unless the certificate expires!


Next stop will be Hyper-V Recovery Manager.

Author: Robert Smit [MVP]
