Hyper-V Replication Documentation
Starting with Windows Server 2012, Hyper-V has a new feature that replicates VMs from one host to another for a disaster recovery scenario!
You can do this replication between two non-clustered Hyper-V site servers running the same Windows Server edition (preferably).
This wiki will detail how to apply replication between two non-clustered Hyper-V servers in separate sites connected through a VPN (or a simple workgroup) using Certificate-Based Authentication (HTTPS). This could be extended to replicate from the cluster to one of the stand-alone Hyper-V servers in the first site, and from this one we will configure Extended Replication to the second non-clustered Hyper-V host in the second site. All this happens in a single forest/domain.
We can break the process into two parts:
- Setup Hyper-V Manager to connect and authorize servers
- Configure Hyper-v replication to connect using Certificate-Based Authentication (HTTPS) instead of domain (Kerberos ticket)
P.S 1: we have to configure the hosts file on both Windows servers so that both can connect using the FQDN, e.g.
192.168.0.1 Ai.deltaengine.servers.com
192.168.0.2 robotics.deltaengine.servers.com
P.S 2: configure the firewall and open the required ports (80 for HTTP, 443 for SSL)
P.S 3: be sure both servers are using a private network; neither of them should have any public network
Part 1: Setup Hyper-V Manager to connect and authorize servers
Before we start, we have to agree on the names of the servers to ease understanding of the process, for example:
# Server1: host => Ai.deltaengine.servers.com
# Server2: Client => robotics.deltaengine.servers.com
- First, be sure you are using the FQDN for both machines as mentioned above, e.g.
* Ai.deltaengine.servers.com
* robotics.deltaengine.servers.com
For more information, please check this.
- Using PowerShell, execute the commands below on both servers:
  Ai server:
    Enable-PSRemoting
    Enable-WSManCredSSP -Role Server
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value robotics.deltaengine.servers.com
  Robotics server:
    Enable-PSRemoting
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value Ai.deltaengine.servers.com
    Enable-WSManCredSSP -Role Client -DelegateComputer "Ai.deltaengine.servers.com"
3. Now we need to change the credential delegation settings on your PC to allow non-domain NTLM authentication. Click the Start button, type "gpedit.msc", and press Enter to open the Local Group Policy Editor. Navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation, right-click "Allow delegating fresh credentials with NTLM-only server authentication" and select Edit. Select Enabled, click the Show button and type in Wsman/Ai (preferably do this on both servers, using the opposite server's name on each side).
4. Now we are ready to connect both sites using Hyper-v as follows:
- Start Hyper-V Manager
- When the Hyper-V Manager loads, click the Connect to a Server item under Actions.
- Select Another computer and type in the name of your server.
- Check the "Connect as another user" box and then click Set User.
- Type in the username in hostname\user format. For example, "Ai\administrator"
Part 2: Configure Hyper-v replication to connect using Certificate-Based Authentication (HTTPS):
After setting up the authorized connection between the two sites using Hyper-V Manager, we have to configure replication so that both replication endpoints connect using certificate-based authentication, following the process below.
- It is required to generate certificates on the host server (Ai.deltaengine.servers.com) using the PowerShell commands below:
  New-SelfSignedCertificate -DnsName "Ai.deltaengine.servers.com" -CertStoreLocation "cert:\LocalMachine\My" -TestRoot
  New-SelfSignedCertificate -DnsName "robotics.deltaengine.servers.com" -CertStoreLocation "cert:\LocalMachine\My" -TestRoot
As a result, three certificates will be created: one for each server, with the Enhanced Key Usage set to Client and Server Authentication (although that was not explicitly stated!), and the test root CA certificate, CertReq Test Root, which by default is placed in the Intermediate Certification Authorities store.
I'd like to stress the need for the -TestRoot parameter: you may create certificates without it, but Hyper-V will not allow using self-signed certificates for replication! To inspect them, use the certlm.msc app: the two server certificates will be located under Certificates (Local Computer) > Personal > Certificates.
As the CertReq Test Root certificate is NOT in the Trusted Root Certification Authorities store, these certificates will be untrusted.
Note: you can use the certlm.msc tool to generate the certificate based on your own specification. Check these:
https://medium.com/@pbengert/setup-2-hyper-v-2016-servers-enable-hyper-v-replica-with-self-created-certificates-and-connect-to-fceef21c8b8e
https://www.vkernel.ro/blog/configuring-hyper-v-replica-using-certificate-based-authentication-https
Moving/copying the CertReq Test Root certificate to the Trusted Root Certification Authorities store makes the server certificates trusted. The certificates for the primary server, Ai.deltaengine.servers.com, have now been configured. The next step is to export the robotics.deltaengine.servers.com certificate along with the CertReq Test Root certificate and import them into robotics.deltaengine.servers.com. To export, you can use the certlm.msc tool: right-click the certificate, choose Export from the menu, and follow the wizard.
After all certificates have been created, we must add the following registry key on both host servers:
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
This disables the certificate revocation check, which would otherwise fail because the self-signed test certificates carry no revocation information.
It's time to configure the Hyper-V replication settings on the replica server, Ai.deltaengine.servers.com: open Hyper-V Manager, on the host server go to Hyper-V Settings, and under Replication Configuration enable "Enable this computer as a replica server".
Then enable "Use certificate-based authentication (HTTPS)" and click Select Certificate; this opens a new popup window to select the certificate. Click OK and Apply.
The last step in configuring replication is to enable replication of a certain virtual machine; obviously, this should be done on the primary server, Ai.deltaengine.servers.com, following the setup below:
Specify replica server: choose the robotics.deltaengine.servers.com
Specify connection parameters: choose Use certificate-based authentication (https) and click on the select certificate, again this will open a new popup window to select the certificate, click ok, and apply
Replication frequency: specify your preference.
In the next window, an administrator should choose whether there’ll be only the last recovery point available or any number of additional (<=24) recovery points (created hourly).
Click finish, and your replication will start immediately.
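The whole of Part 2 as a PowerShell script, added here as an example and not part of the original wiki: one function per host, assuming Ai.deltaengine.servers.com is the primary and robotics.deltaengine.servers.com the replica (as in the "Specify replica server" step). The function names, C:\certs (assumed to exist), D:\Replica and the VM name are placeholders to adjust.

```powershell
# Added example (not from the original wiki). Assumes Ai = primary, robotics = replica;
# C:\certs, D:\Replica and the VM name passed in are placeholders.
$Primary = 'Ai.deltaengine.servers.com'
$Replica = 'robotics.deltaengine.servers.com'
$RegKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

function Disable-ReplicationRevocationCheck {
    # Same effect as the "reg add" above; the test certificates carry no CRL, so the check would fail
    New-Item -Path $RegKey -Force | Out-Null
    Set-ItemProperty -Path $RegKey -Name DisableCertRevocationCheck -Value 1 -Type DWord
}

function Import-TestRoot([string]$CerPath) {
    # Copy CertReq Test Root from Intermediate CAs (CA store) into Trusted Roots (Root store)
    if (-not (Test-Path $CerPath)) {
        $root = Get-ChildItem Cert:\LocalMachine\CA | Where-Object Subject -like '*CertReq Test Root*' | Select-Object -First 1
        Export-Certificate -Cert $root -FilePath $CerPath | Out-Null
    }
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Step 1, on Ai: create both certificates, trust the test root, export robotics' PFX
function Invoke-PrimaryCertSetup([securestring]$PfxPassword) {
    New-SelfSignedCertificate -DnsName $Primary -CertStoreLocation Cert:\LocalMachine\My -TestRoot | Out-Null
    $replCert = New-SelfSignedCertificate -DnsName $Replica -CertStoreLocation Cert:\LocalMachine\My -TestRoot
    Import-TestRoot 'C:\certs\CertReqTestRoot.cer'
    Export-PfxCertificate -Cert $replCert -FilePath 'C:\certs\robotics.pfx' -Password $PfxPassword | Out-Null
    Disable-ReplicationRevocationCheck
}

# Step 2, on robotics, after copying robotics.pfx and CertReqTestRoot.cer over from Ai
function Invoke-ReplicaSetup([securestring]$PfxPassword) {
    $replCert = Import-PfxCertificate -FilePath 'C:\certs\robotics.pfx' `
        -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    Import-TestRoot 'C:\certs\CertReqTestRoot.cer'
    Disable-ReplicationRevocationCheck
    # "Enable this computer as a replica server" with certificate-based authentication on 443
    Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
        -CertificateThumbprint $replCert.Thumbprint -CertificateAuthenticationPort 443 `
        -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation 'D:\Replica'
}

# Step 3, back on Ai: the Enable Replication wizard (HTTPS, 5-minute frequency, 24 hourly recovery points)
function Enable-ReplicationForVM([string]$VMName) {
    $primCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$Primary" | Select-Object -First 1
    Enable-VMReplication -VMName $VMName -ReplicaServerName $Replica -ReplicaServerPort 443 `
        -AuthenticationType Certificate -CertificateThumbprint $primCert.Thumbprint `
        -ReplicationFrequencySec 300 -RecoveryHistory 24
    Start-VMInitialReplication -VMName $VMName
}
```

Run the three functions in order on the host each comment names; the same PFX password must be supplied on both sides.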