In our previous tutorial, we explained how to automatically replicate a virtual machine from one primary Hyper-V server to another (called the replica server).
Nevertheless, this was done via the HTTP protocol. This is not secure and strongly discouraged if data must pass over an unsecured network (such as the Internet).
To secure this replication, you will need valid certificates (from a trusted certificate authority, such as Symantec SSL or GeoTrust) or a Windows Server-based certification authority.
For virtual machine replication under Hyper-V, you will need a certificate that has at least these application policies :
To do this, run the "Certificate Authority" program from the Windows Server welcome screen.
Then, right-click "Manage" on "Certificate Templates".
Duplicate the "Computer" model.
As you can see in the "Extensions" tab, this certificate template already provides the 2 application policies mentioned above.
In the "Request Handling" tab, check the "Allow private key to be exported" box.
Add the "Enroll" permission for domain administrators.
In the "Subject Name" tab, select "Common Name" for the subject name format.
Thus, the name of your Hyper-V server will be used for the "CN" attribute of the certificate.
Provide a name for this certificate template.
For example : Hyper-V certificate.
Then, in the "certsrv" window, right-click on "Certificate Templates", then click : New -> Certificate Template to Issue.
Select your "Hyper-V Certificate" model and click OK.
Since our 2 Hyper-V servers are linked to our Active Directory, we can request certificates from them.
For this, on your Hyper-V servers, run the "mmc" console, then go to the "File -> Add / Remove snap-in" menu.
Add the "Certificates" component, then select "Computer account -> Local computer".
Then, click OK.
Right-click on "Personal" and then click : All Tasks -> Request New Certificate.
The "Certificate Enrollment" window appears.
Check the "Hyper-V Certificate" box and click Enrollment.
Note : if this certificate template doesn't appear and you have just installed your certification authority, simply force the update of your server's policy.
Thus, it will know that there is a corporate certification authority in your Active Directory infrastructure and it will be able to offer you the different certificate models that you can use.
Note that the server you are on must also have the "Enroll" right on the "Hyper-V Certificate" certificate template you just created.
In general, your server is already part of the "Domain Computers" group which already has the "Enroll" right for this new certificate template.
The certificate is created and automatically added to the certificate store of your Hyper-V server.
Now, we have a certificate for our Hyper-V server that has been issued by our certification authority.
Note that the computers of your network must trust your CA for this to work.
If your Hyper-V server is linked to your Active Directory domain, your enterprise CA certificate has automatically been added to its "Trusted Root Certification Authorities" certificate store.
Otherwise, use the manual or automatic method (via GPO).
Do the same on your 2nd Hyper-V server.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.