I have two standalone, non-domain-joined Hyper-V servers, HV01 and HV02, and I need to configure Hyper-V Replica between them. Many blog posts and guides give syntax for the MakeCert tool, but MakeCert is deprecated and Microsoft recommends the New-SelfSignedCertificate cmdlet instead. That is fine, except that the cmdlet is much more limited in PowerShell 4.0: there is a huge difference between New-SelfSignedCertificate as shipped with PowerShell 4.0 (Windows 8.1 / Server 2012 R2) and with PowerShell 5.0 (Windows 10 / Server 2016). The cmdlet lives in the PKI module that ships with the operating system, so installing a newer Windows Management Framework on an older OS does not help. I therefore create the certificates with the new cmdlet on a Windows 10 workstation with PowerShell 5.0; the name of that workstation is ADMIN01.
1. On ADMIN01, generate a root certificate. It will be used to sign the certificates for HV01 and HV02, so its private key is the trust anchor of the whole setup: it stays on ADMIN01, and only its public part is copied to the servers in step 3 (because of that, -KeyExportPolicy "Exportable" below is only needed if you want to back the root key up). You can add -NotAfter to set the expiration date (the default is one year); it is omitted here:
New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=www.fedenko.info" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign"
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB CN=www.fedenko.info
2. Create the certificates for HV01 and HV02 and have them signed by the root. Make sure that -Signer points at the thumbprint of the root certificate created above. The -TextExtension value sets the Enhanced Key Usage to Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2); Hyper-V Replica needs both, because each server authenticates to the other. The subject must match the name the other server will use to reach this host: if the servers address each other by FQDN, put the FQDN in the subject (or use -DnsName with both the short name and the FQDN, which puts both into the Subject Alternative Name extension).
New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=HV01" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachine\My\2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=HV02" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachine\My\2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
As a result you will see three certificates in the Personal store of the Local Computer on ADMIN01: the root and one per host.
3. Export the certificates and copy them to the Hyper-V servers:
In the Certificates MMC on ADMIN01 (Local Computer, Personal), right-click the HV01 certificate and choose Export. Select Yes, export the private key, click Next, and untick Include all certificates in the certification path if possible (the root certificate will be copied separately). Specify a strong password and click Next, specify the file location and click Next, then complete the wizard by clicking Finish.
Repeat the same for the HV02 certificate. Then export the root certificate (www.fedenko.info in my case); for the root there is no need to export the private key, and you should not, since anyone holding it can issue certificates that both servers trust. The two .pfx files contain the hosts' private keys, so treat them as secrets: copy each one only to the server it belongs to and delete the file after import.
4. Import the certificates on the Hyper-V servers: HV01.pfx into the Personal store of the Local Computer on HV01, HV02.pfx into the same store on HV02, and the root certificate into Trusted Root Certification Authorities on both servers. Afterwards open each host certificate and check its status: the certification path should end at the root and report that the certificate is OK, and the General tab must say that you have a private key that corresponds to the certificate.
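Steps 1 to 4 as one script, added here as an example and not code from the original post. It runs the ADMIN01 part or the Hyper-V host part depending on the computer name, and ends with a chain check that also shows why step 5 is needed. Everything not in the post is an assumption: the DNS suffix example.local, the folder C:\cert on all three machines, the root subject, and that replica-root.cer plus each host's own PFX are copied from ADMIN01 into C:\cert on that host before the script runs there.

```powershell
# Added example, not code from the original post. Role is chosen by computer
# name: ADMIN01 issues the certificates, HV01/HV02 import and verify them.
# Assumed (not from the post): suffix example.local, folder C:\cert, root subject.
$outDir = 'C:\cert'
$suffix = 'example.local'
$hosts  = 'HV01', 'HV02'
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code it

# Chain check used on the hosts. The private root publishes no CRL, so a chain
# built with revocation checking on fails with RevocationStatusUnknown, while
# the same chain passes with NoCheck; step 5 switches Hyper-V to the latter.
function Test-ReplicaChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # Hyper-V Replica needs Server Authentication and Client Authentication.
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid] $oid) | Out-Null
    }
    $valid = $chain.Build($Cert)
    [pscustomobject] @{
        Subject = $Cert.Subject
        Mode    = $RevocationMode
        Valid   = $valid
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

if ($env:COMPUTERNAME -eq 'ADMIN01') {
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Step 1: the private root. Its key signs the host certificates and never
    # leaves ADMIN01, so it is created non-exportable; SHA-256 is requested
    # explicitly instead of relying on the platform default.
    $root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Hyper-V Replica Root' `
        -KeyExportPolicy NonExportable -KeySpec Signature -KeyUsage CertSign `
        -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(5) `
        -CertStoreLocation Cert:\LocalMachine\My
    # Public part only: this is what goes into Trusted Root on both hosts.
    Export-Certificate -Cert $root -FilePath "$outDir\replica-root.cer" | Out-Null

    # Step 2: one certificate per host, signed by the root. -DnsName puts the
    # short name and the FQDN into the SAN (the first one becomes the CN), so
    # the certificate matches whichever name the peer connects with.
    foreach ($h in $hosts) {
        $cert = New-SelfSignedCertificate -Type Custom -DnsName $h, "$h.$suffix" `
            -KeyExportPolicy Exportable -KeySpec KeyExchange `
            -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(2) `
            -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
            -Signer $root -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
            -CertStoreLocation Cert:\LocalMachine\My
        # Step 3: PFX with the private key; EndEntityCertOnly is the script
        # equivalent of unticking "Include all certificates in the certification path".
        Export-PfxCertificate -Cert $cert -FilePath "$outDir\$h.pfx" -Password $pfxPwd `
            -ChainOption EndEntityCertOnly | Out-Null
        '{0}: {1}' -f $h, $cert.Thumbprint
    }
}
else {
    # Step 4, on HV01 or HV02: root into Trusted Root, this host's PFX into Personal.
    $me = $env:COMPUTERNAME
    Import-Certificate -FilePath "$outDir\replica-root.cer" `
        -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    $hostCert = Import-PfxCertificate -FilePath "$outDir\$me.pfx" `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
    Remove-Item "$outDir\$me.pfx"   # the key is in the store now; do not leave the PFX on disk
    if (-not $hostCert.HasPrivateKey) { throw "$me: imported certificate has no private key" }
    Test-ReplicaChain -Cert $hostCert -RevocationMode Online
    Test-ReplicaChain -Cert $hostCert -RevocationMode NoCheck
}
```

On a host, the first Test-ReplicaChain call reports the chain as not valid with RevocationStatusUnknown (and OfflineRevocation) in Status, which is exactly the condition the registry value in step 5 suppresses; the second call, with NoCheck, reports it as valid. If the second call fails as well, the root has not been imported into Trusted Root or the EKUs are missing, and no registry change will help.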
5. The last trick concerns Certificate Revocation Lists. The private root does not publish a CRL, so the revocation status of the host certificates can never be determined, and Hyper-V Replica rejects a certificate whose revocation status is unknown. Disable the revocation check on each Hyper-V server by adding the following registry value (the same value under the neighbouring FailoverReplication key is needed for failover; see the comments below). Be aware of what this trades away: a leaked host key cannot be revoked any more, so keep certificate lifetimes short, and if a host is compromised, remove the root from the Trusted Root store on the other server and reissue everything.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
6. Once all certificates are imported on the servers, Hyper-V Replica can be configured in Hyper-V Manager (Hyper-V Settings, Replication Configuration): enable the server as a Replica server, choose certificate-based authentication (HTTPS) with the host certificate, and pick which primary servers may replicate to it.
On the second server a PowerShell script achieves the same configuration. First look up the thumbprint of the host certificate:
PS C:\> Get-ChildItem Cert:LocalMachine\My | fl Subject,Thumbprint
Subject : CN=HV02
Thumbprint : A03A46DE4085F7EE53D5B3451363AE0B73328F43
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -CertificateThumbprint "A03A46DE4085F7EE53D5B3451363AE0B73328F43" -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation "D:\Hyper-V\Virtual Hard Disks"
7. Then enable replication at the VM level (Enable Replication in the VM's context menu in Hyper-V Manager). Note that -ReplicationAllowedFromAnyServer $true accepts any primary server that presents a certificate chaining to a root in the Trusted Root store of the Replica server, not just the two certificates issued here; if you want only HV01 to be able to replicate to HV02, set it to $false and list the allowed primary servers explicitly.
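Steps 5 to 7 as one script, added here as an example and not code from the original post. It is run in an elevated PowerShell on both hosts; step 5 is applied everywhere, HV02 becomes the Replica server with an explicit authorization entry instead of -ReplicationAllowedFromAnyServer $true, and HV01 enables and starts replication for a VM. Assumed (not from the post): the VM name TestVM, the trust group name, and that both hosts already hold the certificates from steps 1 to 4 with subjects CN=HV01 and CN=HV02.

```powershell
# Added example, not code from the original post. Run on HV01 and HV02; the
# role is chosen by computer name. Assumed: VM name TestVM, trust group name,
# certificates with subjects CN=HV01 / CN=HV02 already in LocalMachine\My.
$primary = 'HV01'
$replica = 'HV02'
$storage = 'D:\Hyper-V\Virtual Hard Disks'
$vmName  = 'TestVM'

# Step 5, on every host: the private root has no CRL, so revocation checking
# must be off for replication and for failover; both values are required.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
foreach ($key in 'Replication', 'FailoverReplication') {
    $path = Join-Path $base $key
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name DisableCertRevocationCheck `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# This host's own certificate, selected by subject rather than a pasted
# thumbprint; fail early if it is missing or has no private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$env:COMPUTERNAME" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for CN=$env:COMPUTERNAME in LocalMachine\My" }

if ($env:COMPUTERNAME -eq $replica) {
    # Step 6: Replica server over HTTPS with certificate authentication.
    # -ReplicationAllowedFromAnyServer $false plus an authorization entry is the
    # tighter alternative to $true: only the listed primary may replicate here,
    # and the entry also fixes where its VMs are stored.
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint `
        -CertificateAuthenticationPort 443 -ReplicationAllowedFromAnyServer $false
    # AllowedPrimaryServer must be the name the primary presents, i.e. the subject
    # of its certificate (CN=HV01 here; use the FQDN if the certificate carries it).
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $primary `
        -ReplicaStorageLocation $storage -TrustGroup 'ReplicaSite'
    # The listener rule exists but is disabled by default; any firewall on the
    # path between the hosts must also allow TCP 443 towards the Replica server.
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'
}
elseif ($env:COMPUTERNAME -eq $primary) {
    # Step 7, per VM, with the primary's own thumbprint. ReplicaServerName must
    # match the subject of the Replica server's certificate (CN=HV02 here).
    Enable-VMReplication -VMName $vmName -ReplicaServerName $replica -ReplicaServerPort 443 `
        -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint
    Start-VMInitialReplication -VMName $vmName
    Get-VMReplication -VMName $vmName
}
```

Run the script on HV02 first, then on HV01; for more VMs, repeat the Enable-VMReplication and Start-VMInitialReplication pair with each VM name. Get-VMReplication on the primary should show the VM in the Replicating state with Health Normal once the initial copy has finished.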
Useful info, thanks.
AWESOME, searched for hours trying to solve error 0x80092007
Thanks!!!
Great work, sir! Wish this post was somewhat more visible on the internet.
Thank you all!
Very handy, thanks a lot! Best and fastest way. Was very helpful.
Excellent article, exactly what I was looking for: replicating from 2012 R2 to 2016 across a VPN.
If you're using the free Hyper-V Server, you can't import a certificate into LocalMachine\My via a remote MMC.
Use this script instead ("1" is the password for the certs):
# Password the PFX files were exported with ("1" in this example)
$mypwd = ConvertTo-SecureString -String "1" -Force -AsPlainText
# Import the host certificate with its private key into the Personal store of the Local Computer
# (on HV01 only the HV01.pfx line is needed, on HV02 only the HV02.pfx line)
Import-PfxCertificate -FilePath C:\cert\HV01.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd
Import-PfxCertificate -FilePath C:\cert\HV02.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd
Thanks for sharing.
By default, the keys are generated with the SHA1 hash algorithm, which is deprecated. To fix that, you can add -HashAlgorithm "SHA256".
Good point!
Great instructions... I did know how to set this up on Server 2012, but thanks to you I can now use Server 2016.
Thank You!
Thank you
I had tons of problems with the differences between fully qualified domain names and simple computer names. My certificate would only show in Hyper-V if it had the FQDN, but would only work to start replication (from PowerShell) if it had a simple computer name! I ended up using this command:
New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -DnsName "HV01", "HV01.somedomain.com" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:LocalMachine\My\D99D4A0F988A78CE87A3A73470C1541236CDFD41" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
That DnsName parameter will put TWO valid names into the certificate, which makes Hyper-V accept it when before, it wouldn't. (The first DnsName provided will also be used automatically as the CN name).
Even so, I had another problem when creating the VM replication, it would give error 0x00002EFE "failed to establish connection". I solved this by going into the command-line:
Enable-VMReplication -VMName "Suite CRM Ubuntu" -AuthenticationType Certificate -CertificateThumbprint "145F7835E57D068BFE3FB120D99D7E0864F30825" -ReplicaServerName "HV02" -ReplicaServerPort 443
The issue was, again, a problem with FQDNs, but this time the other way around! The Hyper-V GUI always changes your replica server name to add the domain name. From the command line I was able to use only the simple name... after that first step, I can configure all the rest in Hyper-V Manager.
Finally, a tip for your tutorial: there are TWO registry entries needed in your step 5; you're missing the one for failover:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Anyway, your tutorial was the only thing that got me going on the free Hyper-V Server 2016! Thanks a lot!
Awesome!
A couple of questions for remote site replication:
1) What syntax must the hostname have for each remote site (i.e. no VPN connection between the two)? Is it just a matter of port forwarding to the internal Hyper-V host on each side of the router/firewall?
2) In response to user 'Pgr' above, which certificate thumbprint must be used in order to enable replication?
I do wish this certificate creation were a little easier; there is a lot of post-comment input going on, so I'm not sure how valid the OP's post is.
Thank you so much. I've spent hours trying to get it to work. Your guide got me up and running very quickly. Thanks again. Andre
You are welcome :)
Hello,
Thank you very much for this tip.
By default, the expiration time is one year. Is it possible to extend this period?
Hello,
For example, try adding the "-NotAfter (Get-Date).AddMonths(24)" parameter to the New-SelfSignedCertificate cmdlet to generate a certificate which expires in 2 years.
Thanks!!
This looks a much easier process than I have seen elsewhere; I plan to try it in the next day or so. But I'm confused by the solution Pgr has offered.
Enable-VMReplication -VMName "Suite CRM Ubuntu" -AuthenticationType Certificate -CertificateThumbprint "145F7835E57D068BFE3FB120D99D7E0864F30825" -ReplicaServerName "HV02" -ReplicaServerPort 443
Presumably we need to substitute "Suite CRM Ubuntu" with our own virtual machine name? But I have 5 VMs I want to replicate; do I run this command for each VM? And replace the thumbprint with which thumbprint?
Yes, you are right: replace the name and repeat for each VM. Use the thumbprint of the certificate of the host where you are setting up the replication.
Hi, nice article, but I can't get it to work. I'm using PS version 5.0.
The -Type "Custom", -KeyExportPolicy "Exportable" and -Subject parameters are not found by PS, and are not options as such. Windows 2012 with Framework 5 installed, which gives me PS version 5.
Any ideas?
What output do you get when you run "Get-Host | select version" ?
Thanks for the quick reply!
get-host | select version
Version
-------
5.0.10586.117
Unfortunately, WMF doesn't upgrade the cmdlets in the PKI module. It is required to use Windows 10 or Windows Server 2016.
Awesome :)
Great article
You are welcome!