In our previous tutorial, we explained how to automatically replicate a virtual machine from one primary Hyper-V server to another (called the replica server).
Nevertheless, this was done via the HTTP protocol. This is not secure and strongly discouraged if data must pass over an unsecured network (such as the Internet).
To secure this replication, you will need valid certificates (from a trusted certificate authority, such as Symantec SSL or GeoTrust) or a Windows Server-based certification authority.
For virtual machine replication under Hyper-V, you will need a certificate that has at least these application policies:
To do this, run the "Certificate Authority" program from the Windows Server welcome screen.
Then, right-click "Certificate Templates" and click "Manage".
Duplicate the "Computer" template.
As you can see in the "Extensions" tab, this certificate template already provides the 2 application policies mentioned above.
In the "Request Handling" tab, check the "Allow private key to be exported" box.
Add the "Enroll" permission for domain administrators.
In the "Subject Name" tab, select "Common Name" for the subject name format.
Thus, the name of your Hyper-V server will be used for the "CN" attribute of the certificate.
Provide a name for this certificate template.
For example: Hyper-V Certificate.
Then, in the "certsrv" window, right-click on "Certificate Templates", then click: New -> Certificate Template to Issue.
Select your "Hyper-V Certificate" template and click OK.
Since our 2 Hyper-V servers are linked to our Active Directory, we can request certificates from them.
To do so, on your Hyper-V servers, run the "mmc" console, then go to the "File -> Add / Remove snap-in" menu.
Add the "Certificates" component, then select "Computer account -> Local computer".
Then, click OK.
Right-click on "Personal" and then click: All Tasks -> Request New Certificate.
The "Certificate Enrollment" window appears.
Click Next.
Check the "Hyper-V Certificate" box and click Enroll.
Note: if this certificate template doesn't appear and you have just installed your certification authority, simply force the update of your server's policy.
The server will then know that there is an enterprise certification authority in your Active Directory infrastructure and will be able to offer you the different certificate templates that you can use.
gpupdate /force
Note that the server you are on must also have the "Enroll" right on the "Hyper-V Certificate" certificate template you just created.
In general, your server is already part of the "Domain Computers" group which already has the "Enroll" right for this new certificate template.
The certificate is created and automatically added to the certificate store of your Hyper-V server.
Now, we have a certificate for our Hyper-V server that has been issued by our certification authority.
Note that the computers of your network must trust your CA for this to work.
If your Hyper-V server is linked to your Active Directory domain, your enterprise CA certificate has automatically been added to its "Trusted Root Certification Authorities" certificate store.
Otherwise, use the manual or automatic method (via GPO).
Do the same on your 2nd Hyper-V server.
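Once both servers have enrolled, a check such as the following confirms that each one holds a usable certificate. This PowerShell script is an added example, not part of the original tutorial; it assumes the two required application policies are Server Authentication and Client Authentication (the pair carried by the default "Computer" template) and that the certificate CN is the server's short name or FQDN.

```powershell
# Added example (not from the original tutorial): audit the certificates in the
# local machine "Personal" store before using them for Hyper-V replication over HTTPS.
# Assumption: the two required application policies (EKUs) are the ones below.
$required = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}
# Names the certificate CN is compared with: short host name and FQDN.
$hostNames = @($env:COMPUTERNAME,
               [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs (shown as "application policies" in the template).
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $missing = @($required.Keys |
        Where-Object { $ekuOids -notcontains $_ } |
        ForEach-Object { $required[$_] })

    # CN of the subject, as set by the "Common Name" subject name format.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Build the chain against the machine stores. Revocation checking is skipped
    # so the result only reflects whether the issuing CA is trusted locally.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $cn
        Thumbprint    = $cert.Thumbprint
        MissingEku    = $missing -join ', '
        CnMatchesHost = $hostNames -contains $cn
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ChainTrusted  = $trusted
    }
} | Format-Table -AutoSize
```

A certificate is suitable when MissingEku is empty and the four boolean columns are all True; run the script in an elevated PowerShell session on each Hyper-V server.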
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.