{"id":1451,"date":"2015-01-24T21:03:34","date_gmt":"2015-01-25T02:03:34","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1451"},"modified":"2015-01-24T21:03:34","modified_gmt":"2015-01-25T02:03:34","slug":"hyper-v-replication-between-two-workgroup-servers","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=1451","title":{"rendered":"Hyper-V Replication between two workgroup servers"},"content":{"rendered":"

Hyper-V Replication between two workgroup servers<\/h2>\n

http:\/\/blogs.catapultsystems.com\/IT\/archive\/2014\/04\/04\/hyper-v-replication-between-two-workgroup-servers.aspx<\/a><\/p>\n

 <\/p>\n

Enabling Hyper-V between two workgroup servers requires issuing self-signed certificates with\u00a0makecert.exe<\/a>\u00a0and a registry key to bypass the revocation check.<\/p>\n

The reason why makecert is required is because the certificate\u00a0Enhanced Key Usage<\/strong>\u00a0must support both Client and Server authentication, and the default IIS certificate CSR wizard does not include the client EKU.<\/p>\n

Machine #1<\/h2>\n
    \n
  1. Generate a root cert:
    \nmakecert -pe -n CN=PrimaryTestRootCA -ss root -sr LocalMachine -sky signature -r PrimaryTestRootCA.cer<\/li>\n
  2. Generate a self-signed cert from the root cert:
    \nmakecert.exe -pe -n CN=HV2 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in PrimaryTestRootCa -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV2.cer<\/li>\n
  3. Disable the revocation checking since that won\u2019t work on self-signed certs:<\/li>\n
  4. Generate a root cert:
    \nmakecert -pe -n CN=RecoveryTestRootCA -ss root -sr LocalMachine -sky signature -r RecoveryTestRootCA.cer<\/li>\n
  5. Generate a self-signed cert from the root cert:
    \nmakecert.exe -pe -n CN=HV1 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in RecoveryTestRootCa -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV1.cer
    \n(Note: even though it outputs a .cer file, it automatically inserts into the LocalMachine certificate store, so there is no additional import step)<\/li>\n
  6. Copy the PrimaryTestRootCA.cer from Machine #1 and then run this command:\u00a0certutil -addstore -f\u00a0 Root \u201cPrimaryTestRootCA.cer\u201d<\/em><\/li>\n
  7. Copy the RecoveryTestRootCA.cer from Machine 2 and then runcertutil -addstore -f\u00a0 Root RecoveryTestRootCA.cer<\/em><\/li>\n
  8. Disable the revocation checking since that won\u2019t work on self-signed certs:<\/li>\n
  9. Now you can select the self-signed certificate in replication on both servers.<\/li>\n<\/ol>\n

    reg add “HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Virtualization\\Replication” \/v DisableCertRevocationCheck \/d 1 \/t REG_DWORD \/f<\/p>\n

    Machine #2<\/h2>\n

    reg add “HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Virtualization\\Replication” \/v DisableCertRevocationCheck \/d 1 \/t REG_DWORD \/f<\/p>\n

    Important: if you have windows firewall enabled, create an allow rule for TCP 443 on both servers:<\/p>\n

    netsh advfirewall firewall add rule name=\u201dHttps Replica in\u201d dir=in protocol=TCP localport=443 action=allow<\/strong><\/p>\n

     <\/p>\n

    Credits to these two blogs for helping me figure this out:<\/p>\n

    http:\/\/jsmcomputers.biz\/wp\/?p=360<\/a>\u00a0 (<- The only problem with his blog is the quotes \u201c\u201d do not work in his command-line syntax, those need to be removed otherwise you get an error \u201cCryptCertStrToNameW failed => 0x80092023 (-2146885597)\u201d<\/p>\n

    http:\/\/blogs.technet.com\/b\/virtualization\/archive\/2013\/04\/13\/hyper-v-replica-certificate-based-authentication-makecert.aspx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    Hyper-V Replication between two workgroup servers http:\/\/blogs.catapultsystems.com\/IT\/archive\/2014\/04\/04\/hyper-v-replication-between-two-workgroup-servers.aspx   Enabling Hyper-V between two workgroup servers requires issuing self-signed certificates with\u00a0makecert.exe\u00a0and a registry key to bypass the revocation check. The reason why makecert is required is because the certificate\u00a0Enhanced Key Usage\u00a0must support … Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,4],"tags":[],"class_list":["post-1451","post","type-post","status-publish","format-standard","hentry","category-hyperv","category-windows"],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1451"}],"version-history":[{"count":1,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1451\/revisions"}],"predecessor-version":[{"id":1452,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1451\/revisions\/1452"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1451"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}