Information and announcements from Program Managers, Product Managers, Developers and Testers in the Microsoft Virtualization team.
Update in July 2012: This post is applicable only if you are on Windows Server "8" Beta. For Windows Server 2012 RC and later, refer to the updated blog post at http://blogs.technet.com/b/virtualization/archive/2012/07/16/hyper-v-replica-certificate-based-authentication-in-windows-server-2012-rc.aspx
In an earlier post, we have discussed the prerequisites for certificate based deployment. This blog now captures the administrator workflow to enable replication using PowerShell in Windows Server “8” Beta.
If your primary or replica server is part of a cluster, configure the Hyper-V Replica Broker before following the instructions in this blog. The PowerShell cmdlets in the blog "Why is Hyper-V Replica Broker required" enable you to configure the broker.
PS C:\Windows\system32> cd cert:
PS Cert:\> cd .\LocalMachine\Root
PS Cert:\LocalMachine\Root> dir
    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint                                Subject
----------                                -------
4BFFF00509B97C782603F1DF3AF8C0399778FD70  CN=IntRootCA
Copy the thumbprint of the certificate that issued the Personal store certificate whose attributes match the criteria in the Prerequisites for certificate based deployment post.
In this example, IntRootCA has issued BrokerHyd, which meets the prerequisites in that post, so we copy the thumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70".
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -ReplicationAllowedFromAnyServer $true -CertificateThumbprint "<CertThumbprint>" -DefaultStorageLocation "<Storage Location>" -CertificateAuthenticationPort <Listenerport>
PS C:\Windows\system32> Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -ReplicationAllowedFromAnyServer $true -CertificateThumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70" -DefaultStorageLocation "C:\ClusterStorage\Volume2\Replica" -CertificateAuthenticationPort 5000
PS C:\Windows\system32> Get-VMReplicationServer
RepEnabled AuthType IntAuth CertAuth AnyServer MonInterval MonStartTime
---------- -------- ------- -------- --------- ----------- ------------
True Cert 80 5000 True 12:00:00 10:00:00
PS C:\Windows\system32> netsh http show servicestate
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------
Server session ID: FF0000002001FC7F
Version: 2.0
State: Active
Properties:
Max bandwidth: 4294967295
Timeouts:
Entity body timeout (secs): 120
Drain entity body timeout (secs): 120
Request queue timeout (secs): 120
Idle connection timeout (secs): 120
Header wait timeout (secs): 120
Minimum send rate (bytes/sec): 150
URL groups:
URL group ID: FD000000400216FA
Request queue name: Request queue is unnamed.
Max bandwidth: inherited
Max connections: inherited
Entity body timeout (secs): 300
Drain entity body timeout (secs): 0
Request queue timeout (secs): 0
Idle connection timeout (secs): 300
Header wait timeout (secs): 0
Minimum send rate (bytes/sec): 0
Number of registered URLs: 2
Registered URLs:
HTTPS://TECHED-HYD-01:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
HTTPS://TECHED-HYD-01.FRTEST.NTTEST.MICROSOFT.COM:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
Server session ID: FC0000002001ED19
URL group ID: FB0000004000000F
HTTPS://BROKERHYD:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
HTTPS://BROKERHYD.FRTEST.NTTEST.MICROSOFT.COM:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
Get-ClusterNode | ForEach-Object {Invoke-command -computername $_.name -scriptblock {Enable-Netfirewallrule -displayname "Hyper-V Replica HTTPS Listener (TCP-In)"}}
Enable-Netfirewallrule -displayname "Hyper-V Replica HTTPS Listener (TCP-In)"
PS C:\Windows\system32> Set-VMReplication -VMName "ProjectVM" -ReplicaServerName "Brokerhyd.FRTEST.nttest.microsoft.com" -ReplicaServerPort 5000 -AuthenticationType Certificate -CertificateThumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70" -CompressionEnabled $true
PS C:\Windows\system32> Start-VMInitialReplication -VMName "ProjectVM"
The initial replica is sent over the network at once. Use Get-Help on Start-VMInitialReplication to learn more about the different initial replication techniques and how to schedule this operation.
You have now enabled replication using certificates! It’s also worth calling out that when the primary or replica virtual machine migrates from one clustered node to another, Hyper-V Replica will continue to send replication traffic without any manual intervention.
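A read-only check of the replica-server side of the procedure above, as an added example that is not part of the original post or Microsoft's own tooling. It assumes that Get-VMReplicationServer exposes properties named after the Set-VMReplicationServer parameters used in this post; Get-IssuerThumbprint is a hypothetical helper defined here.

```powershell
# Added example: read-only checks on a replica server set up as in this post.
# Assumption: Get-VMReplicationServer exposes properties named after the
# Set-VMReplicationServer parameters (CertificateThumbprint, ...).
$cfg     = Get-VMReplicationServer
$port    = $cfg.CertificateAuthenticationPort
$results = @()

# Hypothetical helper: thumbprint of the certificate that directly issued $Cert.
function Get-IssuerThumbprint($Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($Cert)
    if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Thumbprint }
}

# 1. The configured thumbprint is present in the Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cfg.CertificateThumbprint }
$results += [pscustomobject]@{ Check = 'Thumbprint is in LocalMachine\Root'; Pass = [bool]$root }

# 2. It issued an unexpired Personal store certificate that has a private key.
$leaf = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    (Get-IssuerThumbprint $_) -eq $cfg.CertificateThumbprint
})
$results += [pscustomobject]@{ Check = 'Usable Personal certificate issued by it'; Pass = ($leaf.Count -gt 0) }

# 3. Replica listener URLs (short name and FQDN) are registered on the port.
$urls = @(netsh http show servicestate |
          Select-String -Pattern "HTTPS://[^/]+:$port/FRVROOT_" |
          ForEach-Object { $_.Matches[0].Value })
$results += [pscustomobject]@{ Check = "At least 2 FRVROOT URLs on port $port"; Pass = ($urls.Count -ge 2) }

# 4. The inbound firewall rule for the listener is enabled.
$rule = @(Get-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)' -ErrorAction SilentlyContinue |
          Where-Object { $_.Enabled -eq 'True' })
$results += [pscustomobject]@{ Check = 'Firewall rule enabled'; Pass = ($rule.Count -gt 0) }

$results | Format-Table -AutoSize
# Review item rather than a pass/fail: $true accepts any primary server that authenticates.
"ReplicationAllowedFromAnyServer = $($cfg.ReplicationAllowedFromAnyServer)"
```

Run it in an elevated session on the replica server; in a cluster, run it on each node.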
Hello Praveen,
Your post is excellent. It helped me a lot in configuring replication based on certificates between 2 WAN sites.
Thank you very much. I really appreciate your work and I'm looking forward to your new posts!
Regards,
Emmanuel
Thanks Emmanuel, let us know if there are any specific topics of interest.
Praveen
Thanks, I like your blog very much. I come back most days to find new posts like this! Good effort. I learnt it.
Regards
Albert Reo
Hello,
How can I add an additional "Registered URLs"? If I do "netsh http show servicestate" I see only under "Registered URLs": "https://computername:443/..." and my computername with domain "computername.domainname.local/...".
My problem is that my domain is *.local and not a public domain name. How can I add an additional public domain name for my Hyper-V Replica Broker?
Big thanks in advance
Jan
To Jan - I can't think of a straightforward way to address your deployment question. We bring up 2 listeners - one which is identified by the short name of the server and the other by the FQDN of the server (as seen in My Computer). If you can provide some details on what the server name looks like (under My Computer) and how you plan to connect to the replica server from the primary server (what is the server name which you plan to provide), I can suggest some solution.