Our scenario is about Hyper-V Replica between two different domains, one with the stand alone Hyper-V 2012 Nodes (primary site) and the other with a Clustered Infrastructure of Hyper-V 2012 R2 (repilica site).
After a lot of trial and error with some configurations for this scenario I ended with the following config.
First of all this config is based on Certificates and not Kerberos because of the different domains between the Hyper-V Infrastructures. Bellow you will find the steps to make it work, so let's start.
1. We must create the Hyper-V Replica Broker (on the Replica site, where our cluster nodes exhists):
- Open the Failover Cluster
- Configure Role
- Select Hyper-V Replica Broker and hit "Next"
- Add the Name of the replica broker e.g replicabroker (Note: this will be translated as an fqdn and also will be add on the domain controller the a record replicabroker.domain.local)
- Add the IP for the Replica Broker (you have to add one unused IP from your local/public network (of course must be an ip from the same network as hosts and generally a routable IP) this will be a Virtual IP for the Host so you don't need to add another network interface)
- Then click "Finish"
2. We must open the Inbound Replica Broker rule on the Advanced Firewall of all Hyper-V nodes (the rule has been automatically created and named as: Hyper-V Replica HTTPS Listener (TCP-In))
3. We must create the certificates and the CAs, to do that we will use the makecert.exe tool. This tool you can download it if you don't have it from here.
4. After you install and locate the makecert.exe utility copy & paste it to the Primary site on the Primary server node you want to enable replication.
5. Run the following command from an elevated command prompt (cmd) on the primary server. This commands creates a self-signed root authority certificate. Also installs a Certificate in the root store of the local machine and is saved as a file locally to the current directory:
- In primary server run this:
1. makecert -pe -n "CN=PrimaryRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryRootCA.cer" and hit enter
2. makecert -pe -n "CN=<fqdn.of.the.primary.server>" -ss my -sr LocalMachine -sky exchange -eku 22.214.171.124.126.96.36.199.1,188.8.131.52.184.108.40.206.2 -in "PrimaryRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <PrimaryServerName>.cer (this will have to do it as times as the stand alone Hyper-V nodes we need to enable replication, the only thing we must change is the <fqdn> and the <PrimaryServerName>).
3. We run one more time the upper command with the difference instead of the <fqdn> will add *.domain.local and in the <PrimaryServerName> you add something to remembers you that is for the replica site so lets say it ReplicaSite.cer.
6. We need to export the replica site certificate that we created in step 5.1.3 so we open the MMC -> Add/Remove Snap-In -> Add Certificate -> Computer Account -> Next,Next & Finish
7. We go to Personal -> Certificates and with right-click Export the ReplicaSite Certificate. We proceed with Export including the key and the file will be as .pfx also you have to give a password for the certificate.
8. After this we copy and paste this exported certificate the certificate of the CA that we have been created at step 5.1.1 (this will be located on the current directory that you run the cmd commands) on all Hyper-V Cluster nodes of the Replica Site (a good directory is C:\).
9. We open an elevated command prompt (cmd) and we run the certutil: certutil -addstore -f Root "C:\PrimaryRootCA.cer" (this will have to do it on every Hyper-V cluster node in the Replica Site).
10. After this we have to import the ReplicaSite certificate that we have exported as .pfx from the Primary Site to the Hyper-V Cluster nodes (again we must do it on every Hyper-V Cluster node in our Replica Site). To do this we open MMC -> Add/Remove Snap-In -> Add Certificates -> Computer Account -> Next, Next & Finish
11. Then we navigate to Personal -> Certificates -> Right-click and Import -> You must give the password that you have setup on the step 7.
12. Before we proceed with the replica configuration we have to disable the Revocation Check. This we have to do it on every Hyper-V server (primary site (stand alone nodes) and replica site (cluster nodes). To do this we must run this two commands bellow from an elevated command prompt (cmd):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
13. After we have finished with the Import of the CA certificate and the ReplicaSite certificate and also with the disable of the Revocation Check we must select it to the Replica Broker configuration. To do this follow the steps bellow:
- Open The Failover Cluster and Navigate to Roles
- Right-click on the replica broker and select "Replication Settings"
- Check the "Enable this Cluster as a Replica Server"
- Check the "Use certificate-based Authentication (HTTPS)"
- Specify the port on 443 (leave it as it is)
- Now you must select the ReplicaSite Certificate that we have created and imported it to the Hyper-V Cluster nodes
- Specify the Cluster Storage directory
- And click OK
14. Now you have to Enable Replication in a VM on the Primary Server
15. To do this following the instruction bellow:
- Right-Click on the VM you want to replicate and select Enable Replication
- Just hit "Next" on the first page with the description "Before You Begin"
- Specify the Replica Server, you must add the FQDN for the replica site (just to mention, all the Hyper-V nodes and the Replica Broker must have access to Internet and have FQDNs in the public dns servers of your Infrastructure so thay can "communicate" also they must have open the port 443 on the local firewall or if you use a dedicated appliance and NAT you must do the Network config there too) for me the FQDN is replicabroker.domain.local and hit "Next"
- After the Verification of the Replica we must specify the Connection Parameters. The only thing in that page that we must change (of course based on our scenario) is the Certificate, so we must select the Certificate with FQDN that we have been created based on the current server.
- "Next" on the Replication VHD (except we have 2 vhds and we want to replicate only one of them)
- In the Configure Recovery History you can configure whatever you want on your scenario and "Next"
- Initial Replication again whatever you want to do on your scenario "Next"
- "Finish" if all of the above is setup correct you must see the Enable Replication pop-up window and after a second (based on your network) you must see in the Hyper-V Manager on the Status, the percentage of the Replication.
That's it guys. If you need any advice or to edit something please leave a comment. Thank you a lot!