First is the creation of the certificates. Open PowerShell and paste this command:
New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=[root]" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign" -NotAfter (Get-Date).AddYears(20)
Where [root] is the name you want to give the trusted CA. This creates the certificate that will act as the root authority. When the command completes it prints the new certificate's thumbprint. COPY IT TO THE CLIPBOARD.
Run the next command once for each server that will take part in replication:
New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=[server]" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -Signer "Cert:\LocalMachine\My\[thumbprint]" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddYears(20)
Where [server] is the computer name of the Hyper-V server and [thumbprint] is the thumbprint copied from the root CA output. This creates a server certificate, signed by the root CA, that is valid for 20 years (the text extension sets the Server Authentication and Client Authentication EKUs).
Once the certificates are created, open the certificate management console and export the root CA together with the computer certificates of every other machine (all except the one you are working on). You will find them under “Personal > Certificates”.
Then delete all certificates except the root CA and this machine's own certificate, and move the root CA to “Trusted Root Certification Authorities > Certificates”.
Copy the exported certificates to the other machines and import them by double-clicking the files or through the certlm.msc console. The root CA goes in “Trusted Root Certification Authorities > Certificates” and each machine certificate goes in “Personal > Certificates”.
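The certificate steps above can be scripted end to end. The following is an added example, not part of the original page: it runs from an elevated PowerShell on one host, creates the root CA with the same parameters as the first command, keeps the thumbprint in a variable instead of the clipboard, issues one server certificate per host, exports the root as a public-key-only .cer and each server certificate as a password-protected .pfx, and removes the other hosts' certificates from the local Personal store once exported. The CA name, host names and export folder are assumed placeholders. One deliberate difference from the text: the root is copied (not moved) into Trusted Root, so the signing copy with its private key stays in Personal and can issue further server certificates later.

```powershell
# Added example (not from the original page). Assumed values: CA name, host list, export folder.
$caName    = "HVReplicaRootCA"              # assumed name for "[root]"
$servers   = @("HV01", "HV02")              # assumed Hyper-V host names for "[server]"
$exportDir = "C:\HVReplCerts"               # assumed export folder
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Root CA, same parameters as the page; the object holds the thumbprint.
$root = New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" `
    -Subject "CN=$caName" -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeySpec "Signature" -KeyUsage "CertSign" -NotAfter (Get-Date).AddYears(20)

# 2. Trust the root locally: export the public part (.cer, no private key) and
#    import that copy into Trusted Root. The signing copy stays in Personal.
$rootCer = Join-Path $exportDir "$caName.cer"
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 3. One server certificate per host, signed by the root, with the page's EKUs
#    (1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication).
$pfxPassword = Read-Host -AsSecureString "PFX export password"
foreach ($server in $servers) {
    $cert = New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" `
        -Subject "CN=$server" -CertStoreLocation "Cert:\LocalMachine\My" `
        -KeySpec "KeyExchange" `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") `
        -Signer "Cert:\LocalMachine\My\$($root.Thumbprint)" `
        -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
        -NotAfter (Get-Date).AddYears(20)

    # The other hosts need the private key, so export as a password-protected PFX.
    $pfxPath = Join-Path $exportDir "$server.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
    "$server : $($cert.Thumbprint)"

    # Keep only this machine's own certificate in the local Personal store, as the text says.
    if ($server -ne $env:COMPUTERNAME) {
        Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
    }
}

# 4. On every other host, after copying the export folder there (paths assumed):
#    Import-Certificate    -FilePath C:\HVReplCerts\HVReplicaRootCA.cer -CertStoreLocation Cert:\LocalMachine\Root
#    Import-PfxCertificate -FilePath C:\HVReplCerts\HV02.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString "PFX password")
```

The .pfx files carry private keys, so copy them over an authenticated channel and delete them from the export folder once each host has imported its own; the .cer export of the root is public and can be distributed freely.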
Run this command in PowerShell on each Hyper-V server that will take part in replication (a reboot should not be necessary):
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Windows Firewall must allow inbound traffic on TCP port 443 (HTTPS) from the local network, unless the firewall is disabled entirely.
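The registry value and firewall change above can be applied and verified from PowerShell. This is an added example, not from the original page. The registry value is the one the page sets: self-signed certificates carry no CRL or OCSP endpoint, so the revocation check can never succeed and must be disabled for them, which also means a compromised server certificate cannot be revoked and must instead be replaced on every host. For the firewall, the example enables the built-in "Hyper-V Replica HTTPS Listener (TCP-In)" rule that Hyper-V hosts ship with, scoped to the addresses of the replication partners rather than any source; the partner addresses are constructed placeholders.

```powershell
# Added example (not from the original page). Partner addresses are constructed placeholders.
$replKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication"
if (-not (Test-Path $replKey)) { New-Item -Path $replKey -Force | Out-Null }

# Same value as the page's REG ADD command; self-signed certs have no revocation endpoint.
New-ItemProperty -Path $replKey -Name "DisableCertRevocationCheck" `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the value really landed before going on.
$v = (Get-ItemProperty -Path $replKey -Name "DisableCertRevocationCheck").DisableCertRevocationCheck
if ($v -ne 1) { throw "DisableCertRevocationCheck is '$v', expected 1" }

# Inbound 443 only from the replication partners (assumed addresses), not from any source.
$partners = @("192.0.2.10", "192.0.2.11")
$ruleName = "Hyper-V Replica HTTPS Listener (TCP-In)"   # built-in rule on Hyper-V hosts
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Set-NetFirewallRule -DisplayName $ruleName -Enabled True -RemoteAddress $partners
} else {
    # Fallback if the built-in rule is absent: create an equivalent scoped rule.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 443 -RemoteAddress $partners -Action Allow -Profile Domain,Private | Out-Null
}

# Show the effective rule and its address filter.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
```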
Enable the Hyper-V server as a replica target by right-clicking the server in the console tree and selecting “Hyper-V Settings”:
- Select the checkbox for “Enable this computer as a replica server”
- Use certificate-based authentication (HTTPS) on port 443
- Select Certificate > use the certificate that was imported to the machine.
- Allow replication from any authenticated server and specify the default location for replica files.
Enable replication by right-clicking the VM and selecting “Enable Replication”:
- Specify replica server
- Use certificate-based authentication (HTTPS) and select the certificate
- Compress the data that is transmitted over the network
- Choose the replicated VHD(X) drives (normally all)
- Configure replication frequency (normally 5 minutes)
- Maintain only the latest recovery point unless otherwise instructed
- Choose initial replication method and start time
- Review and execute
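The two GUI procedures above (replica server settings, then per-VM replication) map directly onto the Hyper-V PowerShell module. The following is an added example, not from the original page; it applies the same choices the lists give (certificate authentication on 443, any authenticated server, compression, 5-minute frequency, latest recovery point only, all disks) and then checks the replication state. Host names, thumbprints, storage paths, the VM name and the start time are assumed placeholders.

```powershell
# Added example (not from the original page). All names, paths and thumbprints are placeholders.

# --- Replica server side (run on the target host) ---
$replicaCertThumb = "<thumbprint of the replica host's own certificate>"   # placeholder
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 `
    -CertificateThumbprint $replicaCertThumb `
    -ReplicationAllowedFromAnyServer $true `          # as in the text; see note below
    -DefaultStorageLocation "D:\HyperV\Replica"      # assumed default replica location

# --- Primary side (run on the host that owns the VM) ---
$vmName           = "WebVM01"                                              # assumed VM name
$replicaHost      = "HV02"                                                 # assumed replica server
$primaryCertThumb = "<thumbprint of the primary host's own certificate>"   # placeholder

# Certificate auth over 443, compressed, every 300 s, no extra recovery points.
# All VHD(X) disks are replicated unless -ExcludedVhdPath is given.
Enable-VMReplication -VMName $vmName -ReplicaServerName $replicaHost `
    -ReplicaServerPort 443 -AuthenticationType Certificate `
    -CertificateThumbprint $primaryCertThumb `
    -CompressionEnabled $true -ReplicationFrequencySec 300 -RecoveryHistory 0

# Initial replication over the network, scheduled for a quiet hour (assumed time).
Start-VMInitialReplication -VMName $vmName -InitialReplicationStartTime (Get-Date "22:00")

# Review: state should move from "InitialReplicationInProgress" to "Replicating".
Get-VMReplication -VMName $vmName |
    Format-List State, Health, Mode, ReplicaServer, FrequencySec
```

The text allows replication from any authenticated server; if the hosts that may replicate to this target are known, the tighter alternative is `-ReplicationAllowedFromAnyServer $false` together with one `New-VMReplicationAuthorizationEntry -AllowedPrimaryServer <host FQDN> -ReplicaStorageLocation <path> -TrustGroup <name>` per permitted primary, so a stray certificate chained to the same root cannot push a replica onto this host.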