To secure virtual machine replication between your Hyper-V clusters, use certificate-based authentication (HTTPS) instead of Kerberos authentication (HTTP).
However, if you click on the "Select Certificate" button, you will see that you need a certificate for each of your Hyper-V clusters, as well as one for each node.
As stated in this error message, the common name (or other DNS name) of the SSL certificate should be the DNS name of the Hyper-V Replica Broker.
Each node must also have a certificate issued in its own name.
For the complete procedure for creating the certificate template for Hyper-V replication, refer to our tutorial: Automatically replicate virtual machines securely (HTTPS)
Note that in order to generate the certificates for your Hyper-V clusters, you will need to choose the "Supply in the request" option in the "Subject Name" tab when you create the Hyper-V certificate template.
In the "Request Handling" tab, check the "Allow private key to be exported" box so that the certificate can be exported in PFX format and imported on each node of the cluster.
Launch the certificate request from the "mmc" console where you have added the "Certificates" component and check the "Hyper-V Certificate" box.
Then, click on the link displayed: More information is required to enroll for this certificate.
Specify the DNS name of the replication broker of your 1st cluster as the common name (CN).
In our case: hv-broker-clust.informatiweb.lan
Then, click on Enroll.
The certificate is generated and installed on your server.
Do the same for the Hyper-V Replica Broker of your backup cluster.
In our case: hv-dr-broker.informatiweb.lan
In our case, we generated these certificates on our Active Directory server from the "mmc" console.
The certificate store therefore contains several certificates, including those for the Broker service of our 2 Hyper-V clusters.
To generate a certificate for each Hyper-V server, simply move your Hyper-V servers to a new organizational unit (named, for example, "Hyper-V Servers") on your Active Directory server and create a new GPO linked to it.
Then, you will need to enable the "Certificate Services Client - Auto-Enrollment" policy available in: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies.
In the properties of this Group Policy, check these boxes:
Then, force the policy update on your Hyper-V servers.
In the certificate store of each Hyper-V server, you will automatically find a certificate issued in that server's name.
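To confirm the result of the steps above on each node, the following PowerShell script (an added example, not part of the original tutorial) checks that the computer certificate store holds a certificate for the Hyper-V Replica Broker name and one for the node's own name, each with a private key, a current validity period and a trusted chain. The helper name `Test-ReplicaCertificate` is hypothetical, and the script assumes the certificates are in the computer's Personal store.

```powershell
# Added verification example, not part of the original tutorial.
# Run in an elevated PowerShell session on each Hyper-V node.
param(
    # Broker name from the tutorial; use hv-dr-broker.informatiweb.lan on the backup cluster
    [string]$BrokerFqdn = 'hv-broker-clust.informatiweb.lan'
)

# FQDN of this node, the name the auto-enrolled certificate is expected to carry
$nodeFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Hypothetical helper: reports every certificate in the computer store matching $DnsName
function Test-ReplicaCertificate {
    param([Parameter(Mandatory)][string]$DnsName)

    $now = Get-Date
    # Assumption: certificates live in the computer's Personal store (Cert:\LocalMachine\My)
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.DnsNameList.Unicode -contains $DnsName -or
        $_.GetNameInfo('SimpleName', $false) -eq $DnsName
    })

    if ($candidates.Count -eq 0) {
        return [pscustomobject]@{ Name = $DnsName; Thumbprint = $null; NotAfter = $null; Result = 'MISSING' }
    }

    foreach ($cert in $candidates) {
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotBefore -gt $now)  { $problems += 'not yet valid' }
        if ($cert.NotAfter  -lt $now)  { $problems += 'expired' }
        # X509Certificate2.Verify() builds the chain to a trusted root using default policy
        if (-not $cert.Verify())       { $problems += 'chain not trusted' }

        [pscustomobject]@{
            Name       = $DnsName
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Result     = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}

# Each node needs the imported broker certificate and its own auto-enrolled certificate
$BrokerFqdn, $nodeFqdn | ForEach-Object { Test-ReplicaCertificate -DnsName $_ } |
    Format-Table -AutoSize
```

A `MISSING` row for the broker name means the exported PFX has not been imported on that node; `no private key` means only the public certificate was imported.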
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.