Hyper-V Replication between two workgroup servers
Enabling Hyper-V between two workgroup servers requires issuing self-signed certificates with makecert.exe and a registry key to bypass the revocation check.
The reason why makecert is required is because the certificate Enhanced Key Usage must support both Client and Server authentication, and the default IIS certificate CSR wizard does not include the client EKU.
Machine #1
- Generate a root cert:
makecert -pe -n CN=PrimaryTestRootCA -ss root -sr LocalMachine -sky signature -r PrimaryTestRootCA.cer - Generate a self-signed cert from the root cert:
makecert.exe -pe -n CN=HV2 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in PrimaryTestRootCa -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV2.cer - Disable the revocation checking since that won’t work on self-signed certs:
- Generate a root cert:
makecert -pe -n CN=RecoveryTestRootCA -ss root -sr LocalMachine -sky signature -r RecoveryTestRootCA.cer - Generate a self-signed cert from the root cert:
makecert.exe -pe -n CN=HV1 -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in RecoveryTestRootCa -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV1.cer
(Note: even though it outputs a .cer file, it automatically inserts into the LocalMachine certificate store, so there is no additional import step) - Copy the PrimaryTestRootCA.cer from Machine #1 and then run this command: certutil -addstore -f Root “PrimaryTestRootCA.cer”
- Copy the RecoveryTestRootCA.cer from Machine 2 and then runcertutil -addstore -f Root RecoveryTestRootCA.cer
- Disable the revocation checking since that won’t work on self-signed certs:
- Now you can select the self-signed certificate in replication on both servers.
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Machine #2
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Important: if you have windows firewall enabled, create an allow rule for TCP 443 on both servers:
netsh advfirewall firewall add rule name=”Https Replica in” dir=in protocol=TCP localport=443 action=allow
Credits to these two blogs for helping me figure this out:
http://jsmcomputers.biz/wp/?p=360 (<- The only problem with his blog is the quotes “” do not work in his command-line syntax, those need to be removed otherwise you get an error “CryptCertStrToNameW failed => 0x80092023 (-2146885597)”