Hyper-V replication based on certificate authentication has a clear security advantage. Kerberos-based authentication usually means the replication server sits in the same domain as the Hyper-V host, so anyone holding domain credentials can reach the replication server with full access. In a bad scenario, such as ransomware spreading through the domain, the replication server can be damaged as well, including the files of the VMs: because the replica VMs are off, their files are not locked by the hypervisor and can be encrypted. Therefore, if you treat the replication server as a kind of DR or backup server, it is safer not to make it a domain member, but to keep it in a workgroup or in a different domain.
How to create Hyper-V replication with certificate authentication:
Let's assume the host name is Hyper-v1 and the replication server name is Replica. Create the root certificate on Hyper-v1:
makecert -pe -n CN=Primaryhyperv1RootCA -ss root -sr LocalMachine -sky signature -r Primaryhyperv1RootCA.cer
Create a certificate from the root with both server and client authentication (Enhanced Key Usage, eku) and with two subject names, Hyper-v1 and Replica:
makecert.exe -pe -n "CN=Hyper-v1,CN=Replica" -ss my -sr LocalMachine -sky exchange -eku "1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2" -in Primaryhyperv1RootCA -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 hyper-v1.cer
The command installs the certificate in the Personal store of the machine and also saves it as a file locally. The certificate can be used for both client and server authentication.
Now import both certificates (the root and the server certificate) to both servers, so that the certificates are present on each of them.
First, export the certificate with its private key from the server you are running on.
The certificates can be viewed by running mmc -> File -> Add/Remove Snap-in… -> Certificates -> Add -> "Computer Account" -> Next -> Finish -> OK
You will find the server certificate (with the machine names) in the Personal store and the root certificate (Primaryhyperv1RootCA) in the Trusted Root Certification Authorities store:
Export the Hyper-v1 server certificate with the private key.
Then import it to the Replica server:
By default a certificate revocation check is mandatory, and self-signed certificates do not support revocation checks. To work around this, add the following registry value on both the Hyper-v1 and Replica servers. Make sure the command creates the right key and that the value is set to 1:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
By now you have the certificates installed on both Hyper-V servers and can select them when configuring the replication security settings.
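As an added check, not part of the original post, the following PowerShell script verifies on one server that the certificates and registry value set up above are actually in place before you configure replication. It assumes the names used in this post (Hyper-v1, Replica, Primaryhyperv1RootCA) and is run in an elevated PowerShell on each of the two servers.

```powershell
# Added verification script (not from the original post). Assumes the names used above:
# subject CNs "Hyper-v1" and "Replica", root CN "Primaryhyperv1RootCA".
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$RootCn        = 'CN=Primaryhyperv1RootCA'
$ExpectedCns   = @('CN=Hyper-v1', 'CN=Replica')   # both subject names from the makecert call
$RegPath       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

$problems = @()

# 1. The root certificate must be in the machine Trusted Root store (makecert -ss root -sr LocalMachine).
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCn }
if (-not $root) { $problems += "Root certificate $RootCn not found in LocalMachine\Root" }

# 2. The replication certificate must be in the Personal store, issued by that root, with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -eq $RootCn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $problems += "No certificate issued by $RootCn in LocalMachine\My (was it imported with its private key?)"
} else {
    if (-not $cert.HasPrivateKey) { $problems += 'Replication certificate has no private key on this host' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Replication certificate expired on $($cert.NotAfter)" }

    # The subject must carry both server names (makecert -n "CN=Hyper-v1,CN=Replica").
    foreach ($cn in $ExpectedCns) {
        if ($cert.Subject -notlike "*$cn*") { $problems += "Subject '$($cert.Subject)' lacks $cn" }
    }

    # The EKU extension (OID 2.5.29.37) must list both Server and Client Authentication.
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $oids = @()
    if ($eku) { $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($required in $ServerAuthOid, $ClientAuthOid) {
        if ($oids -notcontains $required) { $problems += "EKU is missing $required" }
    }
}

# 3. The revocation check must be disabled, since the self-signed chain publishes no CRL.
$value = (Get-ItemProperty -Path $RegPath -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
if ($value -ne 1) { $problems += "DisableCertRevocationCheck is '$value', expected 1 (see the reg add command above)" }

if ($problems.Count -eq 0) { 'OK: certificates and registry value are ready for Hyper-V replication' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it on Hyper-v1 and again on Replica; any PROBLEM line points at the step above that still needs to be repeated on that server.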