Enable replication using certificate based authentication - in PowerShell


Update in July 2012: This post applies only if you are on Windows Server "8" Beta. For Windows Server 2012 RC and later, refer to the updated blog post @ http://blogs.technet.com/b/virtualization/archive/2012/07/16/hyper-v-replica-certificate-based-authentication-in-windows-server-2012-rc.aspx

 

In an earlier post we discussed the prerequisites for certificate-based deployment. This post captures the administrator workflow for enabling replication using PowerShell on Windows Server “8” Beta.

 

If your primary or replica server is part of a cluster, configure the Hyper-V Replica Broker before following the instructions in this post. The PowerShell cmdlets in the post "Why is Hyper-V Replica Broker required” show how to configure the broker.

Configure Replica Server

  1. From an elevated PowerShell prompt, run the following commands to view the thumbprints of the certificates in the Trusted Root Certification Authorities store:

 

PS C:\Windows\system32> cd cert:
PS Cert:\> cd .\LocalMachine\Root
PS Cert:\LocalMachine\Root> dir

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
4BFFF00509B97C782603F1DF3AF8C0399778FD70  CN=IntRootCA

 

Copy the thumbprint of the root CA certificate that issued the Personal store certificate whose attributes match the criteria given in the "Prerequisites for certificate based deployment" post.

In this example, IntRootCA issued BrokerHyd, which meets the prerequisites described in that post, so we copy the thumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70".

 


2. To enable replication on the Replica server/cluster, issue the following PowerShell cmdlet, substituting the thumbprint from step 1 for <CertThumbprint>:

Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -ReplicationAllowedFromAnyServer $true -CertificateThumbprint "<CertThumbprint>" -DefaultStorageLocation "<Storage Location>" -CertificateAuthenticationPort <ListenerPort>

PS C:\Windows\system32> Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -ReplicationAllowedFromAnyServer $true -CertificateThumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70" -DefaultStorageLocation "C:\ClusterStorage\Volume2\Replica" -CertificateAuthenticationPort 5000

 

PS C:\Windows\system32> Get-VMReplicationServer

 

RepEnabled AuthType IntAuth CertAuth AnyServer MonInterval MonStartTime

---------- -------- ------- -------- --------- ----------- ------------

True       Cert     80      5000     True      12:00:00    10:00:00   

 

 

Hyper-V Replica finds a matching certificate and brings up an HTTPS listener on port 5000.

3. Verify: To check if the listener is running, issue the following command from an elevated PowerShell or command prompt:

 

PS C:\Windows\system32> netsh http show servicestate

 

Snapshot of HTTP service state (Server Session View):

-----------------------------------------------------

 

Server session ID: FF0000002001FC7F

    Version: 2.0

    State: Active

    Properties:

        Max bandwidth: 4294967295

        Timeouts:

            Entity body timeout (secs): 120

            Drain entity body timeout (secs): 120

            Request queue timeout (secs): 120

            Idle connection timeout (secs): 120

            Header wait timeout (secs): 120

            Minimum send rate (bytes/sec): 150

    URL groups:

    URL group ID: FD000000400216FA

        State: Active

        Request queue name: Request queue is unnamed.

        Properties:

            Max bandwidth: inherited

            Max connections: inherited

            Timeouts:

                Entity body timeout (secs): 300

                Drain entity body timeout (secs): 0

                Request queue timeout (secs): 0

                Idle connection timeout (secs): 300

                Header wait timeout (secs): 0

                Minimum send rate (bytes/sec): 0

            Number of registered URLs: 2

            Registered URLs:

                HTTPS://TECHED-HYD-01:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/

                HTTPS://TECHED-HYD-01.FRTEST.NTTEST.MICROSOFT.COM:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/

 

 


Note: If the node is part of a cluster *and* the Hyper-V Replica Broker is running on this node, an extra server session appears in the output of the above command, listing the Client Access Point of the Hyper-V Replica Broker. In this example BrokerHyd is the Client Access Point of the Hyper-V Replica Broker in this cluster.

 

Server session ID: FC0000002001ED19

    Version: 2.0

    State: Active

    Properties:

        Max bandwidth: 4294967295

        Timeouts:

            Entity body timeout (secs): 120

            Drain entity body timeout (secs): 120

            Request queue timeout (secs): 120

            Idle connection timeout (secs): 120

            Header wait timeout (secs): 120

            Minimum send rate (bytes/sec): 150

    URL groups:

    URL group ID: FB0000004000000F

        State: Active

        Request queue name: Request queue is unnamed.

        Properties:

            Max bandwidth: inherited

            Max connections: inherited

            Timeouts:

                Entity body timeout (secs): 300

                Drain entity body timeout (secs): 0

                Request queue timeout (secs): 0

                Idle connection timeout (secs): 300

                Header wait timeout (secs): 0

                Minimum send rate (bytes/sec): 0

            Number of registered URLs: 2

            Registered URLs:

                HTTPS://BROKERHYD:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/

                HTTPS://BROKERHYD.FRTEST.NTTEST.MICROSOFT.COM:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/

 


4. Ensure that the firewall allows traffic on the configured port. In a clustered environment, if you are using Windows Firewall, issue the following command from one of the nodes in the cluster:

Get-ClusterNode | ForEach-Object { Invoke-Command -ComputerName $_.Name -ScriptBlock { Enable-NetFirewallRule -DisplayName "Hyper-V Replica HTTPS Listener (TCP-In)" } }

The above cmdlet enables the "Hyper-V Replica HTTPS Listener (TCP-In)" Windows Firewall rule on *all* nodes of the cluster. The port in the rule is updated automatically from the port given to the Set-VMReplicationServer cmdlet.

If your Replica server is a standalone server, issue the following cmdlet:

Enable-NetFirewallRule -DisplayName "Hyper-V Replica HTTPS Listener (TCP-In)"
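The four replica-server steps above, scripted as an added example (not code from the original post): the root CA thumbprint is derived from the Personal-store certificate's chain instead of copied by hand, the listener is enabled, the standalone-server firewall rule is turned on, and the registered HTTPS URL is checked. The EKU filter (Server and Client Authentication OIDs, private key present, not expired) is an assumption about the prerequisites post; adjust it if your criteria differ, and use the Get-ClusterNode form for clusters.

```powershell
# Added example (not from the original post). Assumed prerequisites for the Personal-store
# certificate: Server and Client Authentication EKUs, a private key, and not expired; adjust
# the filter to the criteria in the prerequisites post if they differ.
function Get-ReplicaRootThumbprint {
    param([Parameter(Mandatory)][string]$CertSubjectName)   # e.g. 'CN=BrokerHyd'
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # EKU OIDs as defined in RFC 5280
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -eq $CertSubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuth)
    } | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate with subject '$CertSubjectName' in LocalMachine\My" }

    # Build the chain; its last element is the root CA, which is what Set-VMReplicationServer expects.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        throw "Chain for $($cert.Thumbprint) does not build: $($chain.ChainStatus.StatusInformation)"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")) {
        throw "Root '$($root.Subject)' is not in the machine Trusted Root store"
    }
    return $root.Thumbprint
}

function Enable-ReplicaListener {
    param([Parameter(Mandatory)][string]$RootThumbprint,
          [Parameter(Mandatory)][string]$StorageLocation,
          [int]$Port = 5000)
    # -ReplicationAllowedFromAnyServer $true accepts any primary whose certificate chains to this
    # root (as in the post); for an explicit allow-list set it to $false and add one
    # New-VMReplicationAuthorizationEntry per primary server.
    Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
        -ReplicationAllowedFromAnyServer $true -CertificateThumbprint $RootThumbprint `
        -DefaultStorageLocation $StorageLocation -CertificateAuthenticationPort $Port
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'
    # Step 3 of the post, automated: an HTTPS URL must be registered on the chosen port.
    $urls = (netsh http show servicestate) -match "^\s*HTTPS://.*:$Port/"
    if (-not $urls) { throw "No HTTPS listener registered on port $Port" }
    return $urls.Trim()
}

$root = Get-ReplicaRootThumbprint -CertSubjectName 'CN=BrokerHyd'
Enable-ReplicaListener -RootThumbprint $root -StorageLocation 'C:\ClusterStorage\Volume2\Replica' -Port 5000
```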

 


Enabling Replication for the virtual machine

1. Repeat step (1) under "Configure Replica Server" section above.

2. Enable a replication relationship by issuing the following PowerShell cmdlet:

Set-VMReplication -VMName "<VM Name>" -ReplicaServerName "<Replica Server Name/Hyper-V Replica Broker>" -ReplicaServerPort <Port configured on the replica server> -AuthenticationType Certificate -CertificateThumbprint "<Root CA Thumbprint>" -CompressionEnabled $true

 

PS C:\Windows\system32> Set-VMReplication -VMName "ProjectVM" -ReplicaServerName "Brokerhyd.FRTEST.nttest.microsoft.com" -ReplicaServerPort 5000 -AuthenticationType Certificate -CertificateThumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70" -CompressionEnabled $true

 

 

3. To initiate “Initial Replication” of the virtual machine, use the following cmdlet:

PS C:\Windows\system32> Start-VMInitialReplication -VMName "ProjectVM"

In this form the initial copy is sent over the network immediately. Use Get-Help on Start-VMInitialReplication to learn about the other initial replication methods and how to schedule the operation.

 

4. The Hyper-V Manager provides useful information for the replicating virtual machine.
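The primary-side steps, as an added example that is not from the original post: the root CA thumbprint is checked to be trusted locally before Set-VMReplication is called, initial replication is started, and the state and health that Hyper-V Manager displays are read from PowerShell instead. The property names LastReplicationTime and PendingReplicationSize on the Measure-VMReplication output are assumptions.

```powershell
# Added example (not from the original post). Assumes LastReplicationTime and
# PendingReplicationSize are property names on the Measure-VMReplication output.
function Enable-VMCertificateReplication {
    param([Parameter(Mandatory)][string]$VMName,
          [Parameter(Mandatory)][string]$ReplicaServerName,   # replica FQDN or broker Client Access Point
          [Parameter(Mandatory)][string]$RootThumbprint,      # same root CA thumbprint as on the replica server
          [int]$Port = 5000)
    # The primary validates the replica's certificate against this root, so it must be trusted here too;
    # failing this check up front is clearer than a TLS error on the first replication attempt.
    if (-not (Test-Path "Cert:\LocalMachine\Root\$RootThumbprint")) {
        throw "Root CA $RootThumbprint is not in LocalMachine\Root on this primary server"
    }
    Set-VMReplication -VMName $VMName -ReplicaServerName $ReplicaServerName -ReplicaServerPort $Port `
        -AuthenticationType Certificate -CertificateThumbprint $RootThumbprint -CompressionEnabled $true
    # Sends the initial copy over the network immediately, as in step 3 of the post.
    Start-VMInitialReplication -VMName $VMName
}

function Get-VMReplicationSummary {
    param([Parameter(Mandatory)][string]$VMName)
    # Get-VM carries the same Mode/State/Health fields Hyper-V Manager displays;
    # Measure-VMReplication adds the last replication time and the pending size.
    $vm = Get-VM -Name $VMName
    $m  = Measure-VMReplication -VMName $VMName
    [pscustomobject]@{
        VMName                 = $VMName
        Mode                   = $vm.ReplicationMode      # Primary / Replica
        State                  = $vm.ReplicationState     # e.g. InitialReplicationInProgress, Replicating
        Health                 = $vm.ReplicationHealth    # Normal / Warning / Critical
        LastReplicationTime    = $m.LastReplicationTime
        PendingReplicationSize = $m.PendingReplicationSize
    }
}

Enable-VMCertificateReplication -VMName 'ProjectVM' -ReplicaServerName 'Brokerhyd.FRTEST.nttest.microsoft.com' `
    -RootThumbprint '4BFFF00509B97C782603F1DF3AF8C0399778FD70'
Get-VMReplicationSummary -VMName 'ProjectVM'
```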

 

You have now enabled replication using certificates! It’s also worth calling out that when the primary or replica virtual machine migrates from one clustered node to another, Hyper-V Replica will continue to send replication traffic without any manual intervention.

  • Hello Praveen,

    Your post is excellent. It helped me a lot in configuring replication based on certificates between 2 WAN site.

    Thank you very much. I really appreciate your work and I'm looking forward for your new posts !

    Regards,

    Emmanuel

  • Thanks Emmanuel, let us know if there are any specific topics of interest.

    Praveen

  • Thanks, I like your blog very much, I come back most days to find new posts like this! Good effort. I learnt it.

    Regards

    Albert Reo

    For more information visit our website www.attestation.in/...

  • Hello,

    how can I add an additional "Registered URL"? If I do "netsh http show servicestate" I see only under "Registered URLs": "https://computername:443/..." and my computername with domain "computername.domainname.local/...".

    My problem is that my domain is *.local and not a public domain name. How can I add an additional public domain name for my Hyper-V Replica Broker?

    Big thanks in advance

    Regards

    Jan

  • To Jan - I can't think of a straight fwd way to address your deployment question. We bring up 2 listeners - one which is identified by the short-name of the server and the other by the FQDN of the server (as seen in My Computer). If you can provide some details on how the server name looks like (under My Computer) and how you plan to connect to the replica server from the primary server (what is the server name which you plan to provide), I can suggest some solution.

    Regards

    Praveen