Hyper-v Replica Certificate Based with your own Root Authority #WS2012 #hyperv #HRM #DRAAS #TEE13 @MSTeched

With the new products that become available at the end of 2013 (the Windows 2012 R2 and System Center R2 releases), replication will be important all the way and will be easier to create, but the environment will also be more complex. Replication over Kerberos is easy to use, and even shared-nothing is quick and fast, but what about certificate-based replication?

Easy to use: click a certificate and use it. Is it that easy or not? Well, almost.


In this case I have my DC, which holds an Enterprise Root CA, plus two clusters and 4 VMM servers.

You will only need the Root CA and two Hyper-V servers, clustered in different clusters.

Yes, we will do Clustered Based Certificate Based Replication (CBCBR).



Open Certification Authority (certsrv.msc) from Administrative Tools.

Right-click Certificate Templates and click Manage, then duplicate the Workstation Authentication template.




Give the certificate a nice name like Hyper-v Replica Authentication, so that you know what the certificate is for.

There are a few things we need to change or can change:

Compatibility: I chose 2012 usage only. Certificate recipient and Certification Authority can both be set to Windows Server 2012.

Security: ensure that Authenticated Users are allowed to Read and Enroll.


Extensions: edit Application Policies and add Server Authentication.

Subject Name: change the option to Supply in the request.



Now that the certificate template is ready, we are going to import it.


Open Certification Authority on the server and click on Certificate Templates

Select Action and choose the New option followed by Certificate Template to Issue.

Choose the certificate template name from the pop-up box.


Now that the basics are ready on our DC, we can deploy the certificate to the clusters / Hyper-V servers.

If you try to add a cert now in the Hyper-V broker, you will see a nice error: wrong or no certificate.

A cool thing in 2012 is that you can use PowerShell in the certificate store.


Go to c:\windows\system32

cd cert:

(do not forget the colon)

cd .\localmachine\root

Then run dir and you will see all the certificates.

How cool is that !

Open an MMC and open the local machine store. We are requesting the Hyper-V Replica certificate from the Enterprise CA based on our current template.

Click Next, and here is our new certificate template.

Now check the certificate and click the blue line "More information is required".

Use the CN (common name) / friendly name to identify the certificate, and use the computer names to connect to the certificate. You can also use *.domain.local for a wildcard certificate.

Hit Apply and then Enroll.


The certificate should now be listed in the certificate store.


And that’s the process for customizing and requesting certificates. Your final step in configuring Hyper-V Replica happens back in Cluster Failover Manager.

Now check the broker role in the cluster and right-click it.

Launch Replication Settings and click the Select Certificate button in Replication Configuration. If you’ve done everything correctly, you’ll see your recently installed and customized certificate.

In my case I have two clusters and want to replicate from and to both clusters.

Therefore I used the same certificate: import and export it with the private key and put it on all the nodes. Remember, the node name (FQDN) should be in the certificate!


In the VM you can enable replication and choose the certificate. You can also mix: one VM with Kerberos and another with a certificate.



Once it is done, it keeps working unless the certificate is expired!
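
To check a node before selecting the certificate in the broker, this added example (not part of the original post) lists every certificate in the local machine Personal store with the properties the walkthrough depends on: private key, Client and Server Authentication usages, the node FQDN or a matching wildcard, a chain to a trusted root, and the remaining lifetime. The function names Test-NameMatch and Test-ReplicaCertificate, the default name lookup and the 30-day warning threshold are assumptions made for the example.

```powershell
# Added example: audit Cert:\LocalMachine\My for certificates usable by Hyper-V Replica.
# Checks follow this page: private key, Client + Server Authentication, node FQDN, expiry.
function Test-NameMatch([string]$Pattern, [string]$Fqdn) {
    if ($Pattern -eq $Fqdn) { return $true }          # -eq is case-insensitive for strings
    if ($Pattern.StartsWith('*.')) {
        # A wildcard such as *.domain.local covers exactly one left-most label
        $parent = $Fqdn.Substring($Fqdn.IndexOf('.') + 1)
        return ($parent -eq $Pattern.Substring(2))
    }
    return $false
}

function Test-ReplicaCertificate {
    param(
        # Names that must appear in the certificate; defaults to this node's FQDN (assumption)
        [string[]]$Name = @([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName),
        [int]$WarnDays = 30   # hypothetical warning threshold
    )
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication (from the Workstation Authentication template)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication (added under Application Policies)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        $dns = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        # Required names that no DNS name in the certificate covers
        $missing = @($Name | Where-Object { $n = $_; -not ($dns | Where-Object { Test-NameMatch $_ $n }) })
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $ekus -contains $clientAuth
            ServerAuthEku = $ekus -contains $serverAuth
            MissingNames  = $missing -join ', '
            ChainTrusted  = $cert.Verify()   # default chain policy, includes revocation checking
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ExpiresSoon   = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
        }
    }
}

Test-ReplicaCertificate | Format-List
```

Run it in an elevated PowerShell session on each node; a usable certificate shows HasPrivateKey, ClientAuthEku, ServerAuthEku and ChainTrusted as True and an empty MissingNames.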


Next stop will be Hyper-v Replication Manager.

Posted June 18, 2013 by Robert Smit in Hyper-V, Hyper-v Recovery Manager
