Certificate Based Authentication and Powershell
Hyper-V Replica supports certificate based authentication, and the digital certificates required by this product are covered in the blog post Prerequisites for certificate based deployment (https://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx). This blog article captures the administrator workflow involved in enabling replication with certificate based authentication using PowerShell in Windows Server "8" Beta.
If you are using a clustered configuration on either the primary or replica site, before proceeding any further, please ensure that the Hyper-V Replica Broker is created on the cluster (primary or replica or both) using the instructions in a previous blog post, Why is Hyper-V Replica Broker required? (https://blogs.technet.com/b/virtualization/archive/2012/03/27/why-is-the-quot-hyper-v-replica-broker-quot-required.aspx).
Configure Replica Server
From an elevated PowerShell prompt, run the following commands to view the certificate thumbprints of the Trusted Root Certification Authorities:
PS C:\Windows\system32> cd cert:
PS Cert:\> cd .\LocalMachine\Root
PS Cert:\LocalMachine\Root> dir
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
4BFFF00509B97C782603F1DF3AF8C0399778FD70 CN=IntRootCA
Typically you would find many certificates listed in this store. Pick the root CA that issued the Personal store certificate whose attributes match the criteria mentioned in the Prerequisites for certificate based deployment post; its thumbprint is what you pass to the cmdlet below.
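Picking the right root CA is only half of the check: the Personal store certificate it issued must also meet the requirements from the prerequisites post (private key present, Server and Client Authentication EKUs, currently valid, and a DNS name matching the server or broker name). The following PowerShell function is an added example, not code from the original post; it scores every certificate in Cert:\LocalMachine\My against those requirements for a given root thumbprint and host name, and applies equally on the primary server when you reach the "Enabling Replication" step. The thumbprint and FQDN at the bottom are placeholders.

```powershell
# Added example (not from the original post): report which Personal store
# certificates chain to the chosen root CA and satisfy the Hyper-V Replica
# certificate requirements. Root thumbprint and host name are placeholders.
function Test-HvrCertificate {
    param(
        [Parameter(Mandatory)][string]$RootThumbprint,   # thumbprint picked from Cert:\LocalMachine\Root
        [Parameter(Mandatory)][string]$HostName          # server FQDN, or the broker Client Access Point FQDN
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect EKU OIDs; a certificate with no EKU extension yields an empty list
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        # Build the chain and confirm it terminates at the root CA we selected
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # local check only; use 'Online' to also test CRL access
        $chainsToRoot = $false
        if ($chain.Build($cert)) {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $chainsToRoot = ($top.Thumbprint -eq $RootThumbprint)
        }
        # The SAN/CN DNS names must cover the name replication partners connect to
        $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $r = [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ChainsToRoot  = $chainsToRoot
            ServerAuthEku = ($ekus -contains $serverAuthOid)
            ClientAuthEku = ($ekus -contains $clientAuthOid)
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            NameMatches   = ($dnsNames -contains $HostName)
        }
        # Eligible only when every requirement above holds
        $r | Add-Member -NotePropertyName Eligible -NotePropertyValue (
            $r.HasPrivateKey -and $r.ChainsToRoot -and $r.ServerAuthEku -and
            $r.ClientAuthEku -and $r.InValidity -and $r.NameMatches) -PassThru
    }
}

# Placeholder inputs: the root thumbprint shown in the post and a made-up replica FQDN
Test-HvrCertificate -RootThumbprint '4BFFF00509B97C782603F1DF3AF8C0399778FD70' `
                    -HostName 'replica01.corp.example' | Format-Table -AutoSize
```

A row with Eligible set to False tells you which requirement the certificate misses before Set-VMReplicationServer or Set-VMReplication fails to find a match.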
Enable replication on the Replica server by providing the above thumbprint:
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -ReplicationAllowedFromAnyServer $true -CertificateThumbprint "<CertThumbprint>" -DefaultStorageLocation "<Storage Location>" -CertificateAuthenticationPort <Listenerport>
PS C:\Windows\system32> Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -ReplicationAllowedFromAnyServer $true -CertificateThumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70" -DefaultStorageLocation "C:\ClusterStorage\Volume2\Replica" -CertificateAuthenticationPort 5000
PS C:\Windows\system32> Get-VMReplicationServer
RepEnabled AuthType IntAuth CertAuth AnyServer MonInterval MonStartTime
---------- -------- ------- -------- --------- ----------- ------------
True Cert 80 5000 True 12:00:00 10:00:00
Hyper-V Replica finds a matching certificate (based on the criteria mentioned in the previous post) and brings up an HTTPS listener on port 5000.
Verify: To check whether the listener is running, issue the following command from an elevated command/PowerShell prompt:
PS C:\Windows\system32> netsh http show servicestate
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------
Server session ID: FF0000002001FC7F
Version: 2.0
State: Active
Properties:
Max bandwidth: 4294967295
Timeouts:
Entity body timeout (secs): 120
Drain entity body timeout (secs): 120
Request queue timeout (secs): 120
Idle connection timeout (secs): 120
Header wait timeout (secs): 120
Minimum send rate (bytes/sec): 150
URL groups:
URL group ID: FD000000400216FA
State: Active
Request queue name: Request queue is unnamed.
Properties:
Max bandwidth: inherited
Max connections: inherited
Timeouts:
Entity body timeout (secs): 300
Drain entity body timeout (secs): 0
Request queue timeout (secs): 0
Idle connection timeout (secs): 300
Header wait timeout (secs): 0
Minimum send rate (bytes/sec): 0
Number of registered URLs: 2
Registered URLs:
HTTPS://TECHED-HYD-01:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
HTTPS://TECHED-HYD-01.FRTEST.NTTEST.MICROSOFT.COM:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
Verify: If the node is part of a cluster *and* the Hyper-V Replica Broker is running on this node, an extra entry can be seen in the output of the above command, which lists the Client Access Point of the Hyper-V Replica Broker. In this example BrokerHyd is the Client Access Point of the Hyper-V Replica Broker in this cluster.
Server session ID: FC0000002001ED19
Version: 2.0
State: Active
Properties:
Max bandwidth: 4294967295
Timeouts:
Entity body timeout (secs): 120
Drain entity body timeout (secs): 120
Request queue timeout (secs): 120
Idle connection timeout (secs): 120
Header wait timeout (secs): 120
Minimum send rate (bytes/sec): 150
URL groups:
URL group ID: FB0000004000000F
State: Active
Request queue name: Request queue is unnamed.
Properties:
Max bandwidth: inherited
Max connections: inherited
Timeouts:
Entity body timeout (secs): 300
Drain entity body timeout (secs): 0
Request queue timeout (secs): 0
Idle connection timeout (secs): 300
Header wait timeout (secs): 0
Minimum send rate (bytes/sec): 0
Number of registered URLs: 2
Registered URLs:
HTTPS://BROKERHYD:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
HTTPS://BROKERHYD.FRTEST.NTTEST.MICROSOFT.COM:5000/FRVROOT_{FED10A98-8CB9-41E2-8608-264B923C2623}/
Note: Once the listener is running, ensure that the firewall allows traffic on the configured port.
In a clustered environment, if you are using Windows Firewall, issue the following command from one of the nodes in the cluster:
Get-ClusterNode | ForEach-Object { Invoke-Command -ComputerName $_.Name -ScriptBlock { Enable-NetFirewallRule -DisplayName "Hyper-V Replica HTTPS Listener (TCP-In)" } }
The above cmdlet enables the Hyper-V Replica HTTPS Listener (TCP-In) Windows Firewall rule on *all* the nodes of the cluster. It's also worth noting that the port in this firewall rule is updated automatically based on the -CertificateAuthenticationPort value provided to the Set-VMReplicationServer cmdlet.
If your Replica server is a standalone server, issue the following cmdlet:
Enable-Netfirewallrule -displayname "Hyper-V Replica HTTPS Listener (TCP-In)"
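Enabling the rule is easy to do on one node and forget on another, so it is worth checking the whole picture per node: the replication server configuration, the firewall rule and its port, and whether HTTP.sys actually has the FRVROOT listener registered on that port (the URL form shown in the netsh output above). The function below is an added example, not code from the original post; it assumes the rule name used in the post and the default port 5000, fans out over the cluster when the local node is clustered and otherwise checks the standalone server.

```powershell
# Added example (not from the original post): per-node health check of the
# Hyper-V Replica HTTPS listener and its firewall rule. Assumes the rule name
# from the post; run from an elevated PowerShell prompt on one node.
function Test-HvrListener {
    param([int]$Port = 5000)   # the -CertificateAuthenticationPort value configured above
    $ruleName = 'Hyper-V Replica HTTPS Listener (TCP-In)'
    $check = {
        param($Port, $RuleName)
        $cfg  = Get-VMReplicationServer
        $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
        # Port filter attached to the rule; Set-VMReplicationServer keeps it in step with the listener port
        $rulePort = if ($rule) { ($rule | Get-NetFirewallPortFilter).LocalPort } else { $null }
        # Registered URLs of the form HTTPS://<host>:<port>/FRVROOT_{...}/ in the HTTP.sys snapshot
        $urls = netsh http show servicestate |
            Select-String -Pattern "^\s*HTTPS://\S+:$Port/FRVROOT_" |
            ForEach-Object { $_.Line.Trim() }
        $ruleOn = [bool]($rule -and "$($rule.Enabled)" -eq 'True')
        [pscustomobject]@{
            Node         = $env:COMPUTERNAME
            CertAuthPort = $cfg.CertificateAuthenticationPort
            AuthType     = $cfg.AllowedAuthenticationType
            RuleEnabled  = $ruleOn
            RulePort     = $rulePort
            ListenerUrls = @($urls)
            # Healthy only when the rule is on, opens the expected port, and the listener is up
            Healthy      = [bool]($ruleOn -and "$rulePort" -eq "$Port" -and @($urls).Count -gt 0)
        }
    }
    # Fan out over the cluster when this node is clustered, otherwise check locally
    $nodes = try { @(Get-ClusterNode -ErrorAction Stop | ForEach-Object { $_.Name }) } catch { @() }
    if ($nodes.Count -gt 0) {
        Invoke-Command -ComputerName $nodes -ScriptBlock $check -ArgumentList $Port, $ruleName
    } else {
        & $check $Port $ruleName
    }
}

Test-HvrListener -Port 5000 | Format-Table Node, CertAuthPort, AuthType, RuleEnabled, RulePort, Healthy -AutoSize
```

A node that reports Healthy as False with an empty ListenerUrls list has no HTTP.sys registration on that port, which points back at the certificate selection rather than at the firewall.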
Enabling Replication for the virtual machine
Ensure that a certificate which matches the criteria mentioned in the Prerequisites for certificate based deployment post is available on the primary server. Get the certificate thumbprint of the Trusted Root Certification Authority as described in the Replica server step.
Enable a replication relationship by providing:
o The Replica server name if the replica server is a standalone server
o (or) Hyper-V Replica Broker Client Access Point if you are replicating to a cluster
Set-VMReplication -VMName "<VM Name>" -ReplicaServerName "<Replica Server Name/Hyper-V Replica Broker>" -ReplicaServerPort <Port configured on the replica server> -AuthenticationType Certificate -CertificateThumbprint "<Root CA Thumbprint>" -CompressionEnabled $true
PS C:\Windows\system32> Set-VMReplication -VMName "ProjectVM" -ReplicaServerName "Brokerhyd.FRTEST.nttest.microsoft.com" -ReplicaServerPort 5000 -AuthenticationType Certificate -CertificateThumbprint "4BFFF00509B97C782603F1DF3AF8C0399778FD70" -CompressionEnabled $true
To initiate "Initial Replication" of the virtual machine, use the following cmdlet:
PS C:\Windows\system32> Start-VMInitialReplication -VMName "ProjectVM"
The initial replica is sent over the network immediately. Use Get-Help Start-VMInitialReplication to learn more about the different initial replication techniques and how to schedule the initial replication operation.
In Hyper-V Manager, a range of useful information is available for the replicating VM.
That's it: using the above cmdlets you have successfully enabled a cluster to receive replication traffic and enabled replication for a virtual machine.
It's also worth calling out that when the primary or replica virtual machine migrates from one clustered node to another, Hyper-V Replica continues to send replication traffic without any manual intervention, provided the right set of certificates is installed on every node.