Hyper-V 3.0 (WS 2012 R2) - Automatically replicate virtual machines securely (HTTPS)


In our previous tutorial, we explained how to automatically replicate a virtual machine from a primary Hyper-V server to another one (called the replica server).
However, that replication used the HTTP protocol, which is not secure and is strongly discouraged if the data must pass over an unsecured network (such as the Internet).

To secure this replication, you will need valid certificates, issued either by a trusted certificate authority (such as Symantec SSL or GeoTrust) or by a Windows Server-based certification authority.

  1. Create a certificate template for Hyper-V
  2. Generate certificates from your Hyper-V servers
  3. Enabling secure replication (HTTPS)
  4. Replicating a virtual machine via the HTTPS protocol

1. Create a certificate template for Hyper-V

For virtual machine replication under Hyper-V, you will need a certificate that has at least these application policies:

  • Client Authentication
  • Server Authentication

To do this, run the "Certification Authority" console from the Windows Server Start screen.

Then, right-click "Certificate Templates" and click "Manage".

Duplicate the "Computer" template.

As you can see in the "Extensions" tab, this certificate template already provides the 2 application policies mentioned above.

In the "Request Handling" tab, check the "Allow private key to be exported" box.

Add the "Enroll" permission for domain administrators.

In the "Subject Name" tab, select "Common Name" for the subject name format.
Thus, the name of your Hyper-V server will be used for the "CN" attribute of the certificate.

Provide a name for this certificate template.
For example: Hyper-V Certificate.

Then, in the "certsrv" window, right-click on "Certificate Templates", then click: New -> Certificate Template to Issue.

Select your "Hyper-V Certificate" template and click OK.

2. Generate certificates from your Hyper-V servers

Since our 2 Hyper-V servers are linked to our Active Directory, we can request certificates from them.

To do this, on your Hyper-V servers, run the "mmc" console, then go to the "File -> Add/Remove Snap-in" menu.

Add the "Certificates" snap-in, then select "Computer account -> Local computer".
Then, click OK.

Right-click on "Personal" and then click: All Tasks -> Request New Certificate.

The "Certificate Enrollment" window appears.

Click Next.

Check the "Hyper-V Certificate" box and click Enroll.

The certificate is created and automatically added to the certificate store of your Hyper-V server.

Now, we have a certificate for our Hyper-V server that has been issued by our certification authority.

Note that the computers of your network must trust your CA for this to work.
To do this, use the manual or automatic method (via GPO).

Do the same on your 2nd Hyper-V server.
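
To check on each Hyper-V server that the enrolled certificate meets the requirements described in this tutorial (both application policies, a CN matching the server name, a private key, and a chain trusted by the machine), you can run the following PowerShell script. This is an added example, not part of the original tutorial; it assumes that the CN is the server's fully qualified name, and the -ServerName parameter is a name chosen for this example.

```powershell
# Added example: audit the local computer store for a certificate
# usable for Hyper-V replication over HTTPS.
# Assumption: the CN must equal the server's FQDN (override with -ServerName).
param(
    [string]$ServerName = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
)

$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$now = Get-Date

# "Personal" in the Certificates snap-in is Cert:\LocalMachine\My
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the application policy (EKU) OIDs carried by this certificate
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain in the machine context; this fails if the issuing CA
    # is not trusted by this computer (revocation is checked online by default)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $trusted = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        CnMatches     = $cert.GetNameInfo('SimpleName', $false) -eq $ServerName
        ClientAuth    = $ekus -contains $clientAuth
        ServerAuth    = $ekus -contains $serverAuth
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        ChainTrusted  = $trusted
        ChainErrors   = $chainErrors
    }
} | Format-List
```

A certificate is suitable only if every boolean field is True; a False value for ChainTrusted on either server usually means that the CA certificate has not yet been distributed to that computer.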