3SysAdmins.com

The Tech Blog of a Sysadmin.

Certificate Infrastructure for Hyper-V SSL Secure Replication

In this blog post I will go through the steps necessary to secure the replication traffic between Hyper-V servers with certificate-based (HTTPS/SSL) authentication, so that a third party who intercepts it cannot read it. Hyper-V Replica's default Kerberos option runs over plain HTTP (port 80), which authenticates the two hosts to each other but does not encrypt the data, so the certificate option over port 443 is the one to use as soon as the traffic leaves your own network. This is particularly useful where off-site replication is desirable, and can be achieved on a budget with your own internal Certificate Services infrastructure. That avoids the cost of purchasing a certificate from a trusted vendor, which can be quite expensive and buys you nothing here: both ends of the connection are your own servers, and they only need to trust your own issuing CA.

For the purpose of this example, we are going to assume that you already have the Certificate Services (AD CS) role installed on one of your servers with a GUI, and that if you are using the free Hyper-V Server (a Server Core installation, so no local MMC) rather than Windows Server 2012 with the Hyper-V role, you have the Hyper-V management console installed on a management machine and remote management enabled on the hypervisor. There are of course other ways of generating a certificate and trusting it, but most environments will have these tools to hand. The certificate Hyper-V Replica requires has both the Server Authentication and Client Authentication enhanced key usages (each host is a TLS server when receiving replication and a TLS client when sending it) and a subject name matching the host's FQDN. No template with those settings is enabled out of the box in Certificate Services, so our first job is to go and create one under Certificate Templates.

To create and enable this template, from your CA go to:

-   Certification Authority console > right-click Certificate Templates > Manage > right-click Workstation Authentication > select Duplicate Template

-   Give the new template a name and, on the Extensions tab, edit Application Policies so that it contains both Client Authentication and Server Authentication (the Workstation Authentication template only carries Client Authentication).

-   On the Subject Name tab, change the option to Supply in the request. The subject you supply must be the FQDN the other host will use to reach this one, because that is the name Hyper-V checks the certificate against.

-   Back in the Certification Authority console, right-click Certificate Templates > New > Certificate Template to Issue and pick the new template; until you do this the CA will reject requests against it.

-   Request a certificate for the Hyper-V host's computer account, either from the Certificates MMC snap-in on a management machine targeting the host's computer store, or with certreq on the host itself (Hyper-V Server has no MMC). Repeat on the replica partner, and make sure both hosts trust the issuing CA's root certificate.


At this point you can go into Hyper-V Manager > Hyper-V Settings > Replication Configuration, select the certificate-based authentication (HTTPS) transport, and your new certificate should be present in the list of available certificates for this purpose. Hyper-V only lists certificates that meet its requirements (both EKUs, a private key in the local computer's Personal store, not expired or revoked, chain trusted), so an empty list almost always means one of those is missing rather than a Hyper-V problem. Do the same on the replica partner, allow the Hyper-V Replica HTTPS listener (TCP 443) through its firewall, and then enable replication for the VM with the certificate option and port 443. I hope this has been informative or helpful to someone, feel free to leave me a comment with your thoughts.
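The same procedure done from PowerShell, as an added example that is not code from the original post: it requests a certificate against the duplicated template with certreq, checks it against what Hyper-V Replica will check before it lists a certificate, then switches replication to certificate authentication on port 443. The CA config string "ca01.corp.example.com\Corp-Issuing-CA", the template name "HyperVReplica", the host names hv01/hv02.corp.example.com, the VM name and the storage path are all hypothetical. Run it elevated on each host; step 4 applies on the primary host only.

```powershell
# Added example, not code from the original post. All names below are assumptions.
$CaConfig = 'ca01.corp.example.com\Corp-Issuing-CA'   # assumption: CA config string
$Template = 'HyperVReplica'                            # assumption: the duplicated template
$Partner  = 'hv02.corp.example.com'                    # assumption: the other replica host
$VMName   = 'FileServer01'                             # assumption
$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Request: key in the machine store and not exportable, both EKUs, SAN = FQDN.
$inf = @"
[NewRequest]
Subject = "CN=$HostFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostFqdn&"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$env:TEMP\replica.inf" -Value $inf -Encoding Ascii
certreq -new    "$env:TEMP\replica.inf" "$env:TEMP\replica.req"
certreq -submit -config $CaConfig "$env:TEMP\replica.req" "$env:TEMP\replica.cer"
certreq -accept "$env:TEMP\replica.cer"      # binds the issued cert to its private key

# 2. Check what Hyper-V Manager checks before it will list a certificate.
function Test-ReplicaCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $dns = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuth    = $oids -contains '1.3.6.1.5.5.7.3.1'
        ClientAuth    = $oids -contains '1.3.6.1.5.5.7.3.2'
        NameMatches   = ($dns -ieq $Fqdn)
        NotExpired    = ($Cert.NotAfter -gt (Get-Date))
        ChainTrusted  = $chain.Build($Cert)   # false if the issuing CA is not trusted here
    }
}
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostFqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$check = Test-ReplicaCertificate -Cert $cert -Fqdn $HostFqdn
$check | Format-List
if (-not ($check.HasPrivateKey -and $check.ServerAuth -and $check.ClientAuth -and
          $check.NameMatches -and $check.NotExpired -and $check.ChainTrusted)) {
    throw 'Certificate does not meet Hyper-V Replica requirements; Hyper-V Manager will not list it.'
}

# 3. Replica side: accept HTTPS only, with this certificate, and only from the named partner.
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $check.Thumbprint -CertificateAuthenticationPort 443 `
    -ReplicationAllowedFromAnyServer $false
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $Partner `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Site-DR'     # assumption: path, group
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# 4. Primary host only: send this VM to the partner over 443, presenting the same certificate.
Enable-VMReplication -VMName $VMName -ReplicaServerName $Partner -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $check.Thumbprint
Start-VMInitialReplication -VMName $VMName
```

The check function is the useful part when the certificate does not show up in Hyper-V Manager: it reports each requirement separately, and ChainTrusted in particular is false whenever the CA's root has not been imported into the host's Trusted Root Certification Authorities store. Leaving ReplicationAllowedFromAnyServer off and naming the partner explicitly means a stolen or mis-issued certificate from the same CA still cannot push replicas to this host.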

 

Remote Administration of Hyper-V Server 2012R2

One of the first things you will want to do once you have installed Hyper-V Server 2012 R2 is to disconnect the monitor and do the rest of the configuration from a workstation. This is easier said than done, but by following these few steps you should be up and running in no time. The easiest way to perform the rest of the config from a workstation is to enable Remote Desktop, which gives you the same command prompt and sconfig menu you see on the console. These are the steps to get it working.

Enable RDP Connections to the Server

  •  Firstly, enable Remote Desktop in sconfig (option 7). When it asks, choose the more secure setting that only allows clients using Network Level Authentication, so the host does not stand up a session for anyone who has not authenticated yet
  •  Run "netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes" to open up the firewall
  •  Use PowerShell, netsh or sconfig (option 8) to apply a static IP; sconfig requires the least effort

You should now be able to connect over RDP. Which steps are required next depends on whether this deployment is going to be in a domain or a workgroup environment.

Enable Remote Management from a Domain Joined Computer:

  • From your Windows 8 workstation or Server 2012 machine add the Hyper-V Manager tools. Hyper-V Manager has to be the same version as the host or newer, so a 2012 R2 host needs the Windows 8.1 or Server 2012 R2 tools
  • Make sure the workstation and the server are both registered in DNS; Hyper-V Manager resolves the host by name, and the host needs to resolve the client for its callbacks
  • From sconfig on the Hyper-V server run the Configure Remote Management option (4) and enable it
  • Run winrm quickconfig on the client machine
  • Run the command "netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes" on both the client machine and the server. This rule group is what the Disk Management snap-in needs to reach the host; Hyper-V Manager itself does not use it

Enable Remote Management from a Workgroup Joined Computer:

All the steps above need configuring, as well as:

  • Run "winrm set winrm/config/client @{TrustedHosts="SERVER NAME"}" on the client, changing the server name to suit. This adds the server to the list of trusted hosts for remote management connections on the workstation. Note that this command replaces the whole list rather than appending to it, and that a trusted host is one the client will send NTLM credentials to without any proof of the server's identity, so list the specific host name and never "*".
  • You may need to add hosts file entries in place of DNS names in this scenario as well.

Other things I have come across in my time with Hyper-V Server include checking that the WinRM service is running on the server side (winrm enumerate winrm/config/listener on the host, or Test-WSMan against it from the client). It is entirely possible to use the tools within Windows 10, but it is quite a convoluted task in a workgroup test lab environment if you already have access to Windows 8 or Server 2012, because unless you can leverage Kerberos you also need to enable HTTPS as the WinRM transport and provide a suitable certificate. All of this I intend to cover in a later post. Remember also that it is not possible to connect to a 2012 host from the Hyper-V RSAT tools for Windows 7.
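The workgroup client-side setup from the steps above, as an added example that is not code from the original post: it does the same things as the netsh and winrm commands but appends to TrustedHosts instead of replacing the list, adds the hosts entry only if it is missing, and ends with the WinRM and WMI reachability checks just mentioned. The host name "HV01", its address 192.168.10.20 and the account used are hypothetical. Run it from an elevated PowerShell prompt on the Windows 8/8.1 workstation.

```powershell
# Added example, not code from the original post. Names below are assumptions.
$HostName = 'HV01'             # assumption: Hyper-V Server computer name
$HostIp   = '192.168.10.20'    # assumption: its static IP

# 1. Name resolution without a DNS server: a hosts entry (the post's fallback).
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = '^\s*' + [regex]::Escape($HostIp) + '\s+' + [regex]::Escape($HostName) + '\s*$'
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$HostIp`t$HostName"
}

# 2. WinRM client configuration (also starts the service the WSMan: drive needs).
winrm quickconfig -q

# 3. TrustedHosts. "winrm set winrm/config/client @{TrustedHosts=...}" overwrites the
#    list; -Concatenate appends. Keep it to named hosts: the client will hand NTLM
#    credentials to anything listed here without verifying the server's identity.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$list = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($list -notcontains $HostName) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $HostName -Concatenate -Force
}

# 4. Rule group the Disk Management snap-in needs (enable it on the server as well).
Enable-NetFirewallRule -DisplayGroup 'Remote Volume Management'

# 5. Stored credentials for the workgroup host, keyed on its name, so Hyper-V
#    Manager's DCOM/WMI connection can use them (prompts for the password).
cmdkey /add:$HostName /user:"$HostName\Administrator" /pass

# 6. Checks: is WinRM answering on the host, and is the Hyper-V WMI namespace reachable?
function Test-HyperVHostReachable {
    param([string]$Name)
    $winrmOk = $false
    $wmiOk   = $false
    try { $null = Test-WSMan -ComputerName $Name -ErrorAction Stop; $winrmOk = $true } catch { }
    try {
        $null = Get-WmiObject -ComputerName $Name -Namespace 'root\virtualization\v2' `
                              -Class Msvm_ComputerSystem -ErrorAction Stop
        $wmiOk = $true
    } catch { }
    [pscustomobject]@{ Host = $Name; WinRM = $winrmOk; HyperVWmi = $wmiOk }
}
Test-HyperVHostReachable -Name $HostName
```

If WinRM is true but HyperVWmi is false, the problem is on the DCOM/WMI path that Hyper-V Manager 2012 actually uses rather than WinRM: in a workgroup that usually means the stored credentials are wrong or the host's remote management option in sconfig was never enabled. The TrustedHosts step is the one to keep tidy; every name in that list is a server your workstation will authenticate to blindly.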

I hope this has been helpful to anyone who has stumbled across the article.

 

Hyper-v Server 2012 - An Introduction

This is a piece of software that rarely seems to be given much air time, so I thought I would blog about some of its capabilities. Firstly, do not confuse it with Windows Server 2012 with the Hyper-V role installed, but if you're looking for a free-of-charge hypervisor capable of integrating with your existing Microsoft infrastructure then this product is well worth a look to see if it fits the bill. With the advent of 2012, Microsoft have been pushing admins back towards the shell, and if you've been following their latest certification paths then administering this shouldn't be a problem, despite it being cut down to the bare shell (a Server Core installation: no Explorer, no MMC, just the command prompt, sconfig and PowerShell).

I aim to cover remote administration via RSAT, RDP and PowerShell in a further post, so let's go over some of its capabilities and possible use cases. Many parallels can be drawn between it and its paid-for counterpart, the Hyper-V role on Server 2012. Integration with servers that have a GUI is possible, as is cluster support.

Other than that, you can expect pretty much anything that can be done with the paid-for counterpart to be attainable on this free edition, including VLAN tagging, NIC teaming and extended replication. I have some upcoming articles on the latter, including securing your replication traffic with SSL and the underlying CA infrastructure (if you don't already have it in place) for off-site replication of key services for small businesses on a budget, so check back soon for more on this. Expect to get down and dirty with some PowerShell in some of my follow-up posts, and kudos to Microsoft for a great piece of software made available to the community.
