Well, I have spent the best part of today trying to get Hyper-V replication working in Server 2012. Let's just say Microsoft documented it well…….
After working through trying to get Kerberos working, I gave up and resorted to using certs.
Reading through the guide here, I was struggling on two points:
creating the replication cert and actually using the cert.
They have gotten the commands around the wrong way when trying to create the replica cert; the real way is below.
On the Main Server
makecert -pe -n "CN=PrimaryTestRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryTestRootCA.cer"
makecert -pe -n "CN=Servername.domain.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer
On the Replica Server
makecert -pe -n "CN=ReplicaTestRootCA" -ss root -sr LocalMachine -sky signature -r "ReplicaTestRootCA.cer"
makecert -pe -n "CN=Replicaserver.domain.local" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "ReplicaTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ReplicaTestCert.cer
Then follow the information about importing the CAs into each of the servers.
Copy the created CA file to the other server
On the main server
certutil -addstore -f Root "ReplicaTestRootCA.cer"
On the Replica
certutil -addstore -f Root "PrimaryTestRootCA.cer"
Then it came to the Revocation Check. They included one reg hack, but not the other one.
Run these on both servers
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Oh, and to get makecert.exe you need to run the web install of the Windows SDK from
http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx
Just select the “Tools” and you will get MakeCert.exe
Thanks for making our lives easy M$ 🙁
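A check to run on each server after the steps above, as an added example that is not part of the original post: it confirms the replication certificate has a private key and both EKUs from the makecert command, that its issuer is in the local root store, and it reports the two DisableCertRevocationCheck values. The $Fqdn default is a placeholder and must be changed to the CN you used on that server.

```powershell
# Added example: sanity checks after running the makecert / certutil / reg steps.
# $Fqdn is an assumption: it must match the CN used in the makecert command.
param([string]$Fqdn = "Servername.domain.local")

$serverAuth = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$clientAuth = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU

# 1. Find the replication certificate in the machine's personal store.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" })
if ($certs.Count -eq 0) { Write-Warning "No certificate with CN=$Fqdn in LocalMachine\My" }

foreach ($cert in $certs) {
    # EKUs are carried in the Enhanced Key Usage extension.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

    # 2. The issuer must be present in the trusted root store of this machine.
    $issuer = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $cert.Issuer })

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $ekus -contains $serverAuth
        ClientAuthEku = $ekus -contains $clientAuth
        NotExpired    = (Get-Date) -lt $cert.NotAfter
        IssuerInRoot  = $issuer.Count -ge 1
        IssuerMatches = $issuer.Count   # above 1: several roots share that subject name
    }
}

# 3. Report the two revocation-check registry values from the post.
$base = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
foreach ($sub in "FailoverReplication", "Replication") {
    $v = Get-ItemProperty -Path "$base\$sub" -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue
    "{0}\DisableCertRevocationCheck = {1}" -f $sub, $(if ($v) { $v.DisableCertRevocationCheck } else { "not set" })
}
```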
Thank you so much, especially for the second registry hack.
You're most welcome 🙂
I did find out myself last week that all the quote marks need to be removed and replaced with just the normal " marks.
I like to change registry settings manually. The real problem here is that MS never documented this hack. Typos in their guide are pretty obvious, so they are not a big problem… but without this hack their whole guide is useless. Thanks once again.
Thanks for this!
Just a heads-up that your quote marks are “word-ified” and have to be converted back into keyboard quotes.
I get an error when I run this command
makecert -pe -n “CN=Servername.domain.local” -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in “PrimaryTestRootCA” -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 PrimaryTestCert.cer
the error is
Error: There are more than one matching certificate in the issuer’s root cert store
Failed
How do I solve this? Any help will be appreciated.
Hi, sorry about the late reply, comments got caught in spam 🙁 I think the issues will be with the quote marks. When I post them, the blog changes them to “open and “close. Use Notepad and do a find and replace of the two kinds of quotes.
Thank you very much!!
I have a question about importing the CAs into each of the servers… I can't find how to do it correctly. Do you have a link?
Thank you so much
Sorry for the late reply, comments were stuck in SPAM. Running the commands above will work. You may find the speech marks are stopping you importing them.
If you still can't get it to work, I think you should be able to manually install the certs by double clicking on them, then clicking install. If it's the root certs, then they will need to go into the root certs store.