Hyper-V replica over dedicated network

    Question

  • Hi,

    I just set up a couple of Windows Server 2012 Hyper-V boxes and enabled the replica of a VM. All seems to work fine. These 2 boxes are connected to corporate LAN through a NIC and each other through a crossover cable over another NIC. As I can see, the replica traffic flows through corporate LAN. I'm trying to move it over the crossover LAN, to save corporate bandwidth for VMs, but I can't figure out how. I tried to set up the replica using the IP address of the "crossed LAN", but in this case the replica setup fails with a Kerberos error (maybe because that LAN is detected as public and not as a domain one). I've not tried with certificate authentication, but this seems to me quite cumbersome considering that both servers are members of the same domain (Kerberos seems the smarter choice).

    Has anyone ever tried this kind of configuration? What's the best thing to do?

    Thanks a lot.

    Massimo Piceni.

    Wednesday, October 24, 2012 14:03

All replies

  • Thanks for your reply.

    I configured a virtual switch over the "crossed" NIC on both servers and with the same name, but still get the 0x00002EFE error when trying to set up replica over the "crossed" IP address. I don't put the IP directly because Hyper-V doesn't allow it, but I manually added an A record on the domain DNS with a different host name. Anyway the servers can ping each other over the "crossed" LAN using the FQDN I manually created, so I don't think there's a DNS problem. Also the destination server is detected during the replica wizard. The replica fails a while after finishing the wizard.

    In the link you cited, I see "set-up an External Replication network using the virtual switch manager. This needs to be done on both servers, with the network name being the same on each." My doubt is how can I tell virtual switch manager that the external network I'm creating is a "replication" one? I see no checkbox regarding replication.

    Something else I can check?


    • Edited by M Piceni Thursday, October 25, 2012 10:31
    Thursday, October 25, 2012 10:21
  • Hi,

    > I'm trying to move it over the crossover lan, to save corporate bandwidth for VMs

    What do you mean by crossover LAN? Is Kerberos authentication available in the network? And is there a firewall between the two Hyper-V servers?

    Kerberos authentication is only available when the primary and Replica servers are members of the same domain or in mutually trusted domains. Other scenarios require certificate-based authentication.

    If there is a firewall between the two Hyper-V servers, we should configure the firewall to allow Hyper-V replication.

    To enable the firewall rules for Kerberos authentication

    1. Open Windows Firewall with Advanced Security and click Inbound Rules.
    2. Right-click Hyper-V Replica HTTP Listener (TCP-In) and click Enable Rule.

    To enable the firewall rules for certificate-based authentication

    1. Open Windows Firewall with Advanced Security and click Inbound Rules.
    2. Right-click Hyper-V Replica HTTPS Listener (TCP-In) and click Enable Rule.

    Note: The details of this step apply only to Windows Firewall. If you are using a non-Microsoft firewall, different steps may be required.

    Check that and give us feedback for further troubleshooting. For more information please refer to the following MS articles:

    Prepare to Deploy Hyper-V Replica
    http://technet.microsoft.com/en-us/library/jj134153.aspx
    Demonstrate Planned Failover in Hyper-V Replica
    http://technet.microsoft.com/en-us/library/hh831759.aspx
    Hyper-V Replica–Certificate Based Authentication in Windows Server 2012
    http://blogs.technet.com/b/virtualization/archive/2012/07/16/hyper-v-replica-certificate-based-authentication-in-windows-server-2012-rc.aspx

    Hope this helps!

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Lawrence

    TechNet Community Support

    Tuesday, October 30, 2012 06:47
    Moderator
  • Hi Lawrence,

    I'll try to explain the situation better. I have 2 servers (2012 Standard), members of the same domain, with 2 NICs each:

    Server_A: NIC1 192.168.0.10/24 - NIC2 192.168.1.10/24

    Server_B: NIC1 192.168.0.20/24 - NIC2 192.168.1.20/24

    IPv6 disabled on all NICs. On both Servers, NIC1 is attached on corporate network with AD (DNS configured to AD integrated one and default gateway to router). NIC1 is also shared with the VMs (virtual switch configured).

    NIC2 of the 2 servers are directly connected via a crossover cable. No DNS or gateway configured on NIC2.

    NIC1 is detected as domain network, NIC2 as public one (as far as I can see there's no means to change it).

    Added 2 A records to AD integrated DNS (same zone of the domain):

    Link_A A 192.168.1.10

    Link_B A 192.168.1.20

    From Server_A I can ping Server_B and Link_B over the expected network (and vice versa from Server_B). Firewall is configured correctly for replica (also tried to completely disable firewall).

    Server_B configured to accept replica from any server (I'll harden this later) with Kerberos authentication on port 80.

    On Server_A I set replica for VM1. If, in the first step of the wizard I put Server_B.mydomain.com, the replica completes correctly and the replication traffic flows through NIC1 (corporate LAN). If I put Link_B.mydomain.com, the wizard completes with error 0x00002EFE. Link_B is detected as a replica-enabled server, because if I put foo.mydomain.com, the wizard can't go further than step 1.

    I tried both without and with a virtual switch configured on NIC2 (as suggested by VR38DETT in previous reply).

    What I'm trying to do is having the replica traffic flowing through NIC2, and leaving NIC1 for VMs traffic. Also NIC2 may be used for live migration, but this is a further step.

    Thanks.

    Massimo.

    Tuesday, October 30, 2012 09:10
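
The post above leaves Server_B accepting replication from any server. One way to close that down on the replica side, as an added example that is not code from the thread: it reuses the host names, addresses and Kerberos port from the post, while the storage path and trust-group tag are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the replica host (Server_B).
$Primary      = 'Server_A.mydomain.com'          # the only host allowed to replicate here
$PrimaryAddrs = '192.168.0.10', '192.168.1.10'   # Server_A NIC1 and NIC2, as listed in the post
$StoragePath  = 'D:\Replica'                     # assumption: replica storage location
$TrustGroup   = 'SiteA'                          # assumption: arbitrary trust-group tag
$RuleName     = 'Hyper-V Replica HTTP Listener (TCP-In)'

# Open the Kerberos (HTTP) listener rule, but only to the primary's addresses.
Enable-NetFirewallRule -DisplayName $RuleName
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $PrimaryAddrs

# Authorize the named primary, then stop accepting replication from any server.
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $Primary `
    -ReplicaStorageLocation $StoragePath -TrustGroup $TrustGroup
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $false

# Review the resulting listener settings and the authorization list.
Get-VMReplicationServer | Format-List *
Get-VMReplicationAuthorizationEntry
```
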
  • Hi,

    > On Server_A I set replica for VM1. If, in the first step of the wizard I put Server_B.mydomain.com, the replica completes correctly and
    > the replication traffic flows through NIC1

    In your scenario, you configured Hyper-V Replica to use Kerberos authentication; the FQDN “Server_B.mydomain.com” points to IP address 192.168.0.20, that is NIC1. According to your description, NIC1 is domain network; it has domain connection, so Kerberos authentication is available.

    But if you specify the FQDN “Link_B.mydomain.com”, this points to IP 192.168.10.20, that is NIC2. According to your description, NIC2 doesn’t have DNS or a default gateway. So how would a datagram locate a Domain Controller for Kerberos authentication through NIC2? That’s why you receive the Kerberos error message.

    If you want to set replica traffic flowing through a non-domain connection network, I think you may try certificate-based authentication.

    For more information please refer to the following MS articles:

    Hyper-V Replica–Certificate Based Authentication in Windows Server 2012
    http://blogs.technet.com/b/virtualization/archive/2012/07/16/hyper-v-replica-certificate-based-authentication-in-windows-server-2012-rc.aspx
    Hyper-V Replica - Prerequisites for certificate based deployments
    http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx

    Hope this helps!


    Lawrence

    TechNet Community Support

    Wednesday, October 31, 2012 06:47
    Moderator
  • Hi,

    I would like to confirm what is the current situation? Have you resolved the problem?

    If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.


    Lawrence

    TechNet Community Support

    Tuesday, November 6, 2012 05:49
    Moderator
  • Hi Lawrence,

    I tried to set up the certificate based replica, but I got the same result. The replica works over corporate network, but not over dedicated network. This means that, if in the first step I put the real FQDN of the replica server, the replica works but flows through corporate network; if in the first step I put the DNS name I created (with the IP of the direct network connection), the replica fails with error 0x00002EFE. Exactly the same behaviour as with Kerberos based replica.

    Using a dedicated network for replica seems to me a smart solution (if you have a cable, of course, and I've one free). I can't believe that nobody tried this before....

    Massimo.


    • Edited by M Piceni Tuesday, November 6, 2012 10:30
    Tuesday, November 6, 2012 10:29
  • Hi,

    Thank you for your post.

    I am trying to involve someone familiar with this topic to further look at this issue.



    Lawrence

    TechNet Community Support

    Wednesday, November 7, 2012 07:40
    Moderator
  • Hi Aaron,

    does this mean that there's no way to do what I'm trying to do ???

    Apart from the initial replica that's not a big problem (it is a one time operation and can also be done overnight or in a weekend), also the regular replica traffic seems considerable if you also set up consistent snapshots (for SQL/Exchange VMs). This may be a problem in a situation like mine, where the 2 servers are in 2 different buildings connected through a copper cable uplink that serves the entire network. Using a dedicated cable makes some sense. The alternative solution may be to use the spare cable to connect one server directly to the same physical switch as the other one, avoiding traffic sharing the uplink between the switches of the 2 buildings. In this condition the traffic should only engage the 2 ports and not influence the overall switch performance.

    Massimo.

    Thursday, November 8, 2012 14:00
  • Only way to do this is to use certificate based replication, and use dns or change host file to point server1.domain.com to the secondary ip on the different ip scheme.
    • Marked as answer by M Piceni Monday, November 12, 2012 07:58
    Sunday, November 11, 2012 11:43
  • Hi Taylor,

    I thought about setting DNS (indeed I tried, but with a different name; using the native name was not possible because the servers are domain members). I completely forgot the hosts file. I set up the hosts file and now it works like a charm.

    Thanks a lot.

    Massimo.

    Monday, November 12, 2012 08:05
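
The hosts-file fix confirmed above, written out as a pre-flight check followed by the enable step (an added example, not code posted by anyone in the thread). It keeps the replica's real FQDN, the name its certificate was issued for, and pins that name to the crossover address; it assumes certificate-based replication on port 443 is already enabled on Server_B, uses the names and addresses from Massimo's earlier post, and leaves the certificate thumbprint as a placeholder.

```powershell
# Added example, not from the thread. Run elevated on the primary host (Server_A).
$ReplicaFqdn = 'Server_B.mydomain.com'   # real FQDN of the replica server
$ReplicaIp   = '192.168.1.20'            # Server_B NIC2 (crossover link)
$LocalIp     = '192.168.1.10'            # Server_A NIC2 (crossover link)
$Port        = 443                       # assumption: certificate-based listener port
$Thumbprint  = '<THUMBPRINT-OF-SERVER_A-CERTIFICATE>'   # placeholder
$HostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Pin the replica's FQDN to its crossover address, replacing any stale pin.
$pattern = '^\s*\S+\s+' + [regex]::Escape($ReplicaFqdn) + '\s*$'
$kept    = @(Get-Content $HostsPath | Where-Object { $_ -notmatch $pattern })
Set-Content -Path $HostsPath -Value ($kept + "$ReplicaIp`t$ReplicaFqdn") -Encoding ASCII

# 2. The name must now resolve only to the crossover address.
$resolved = @([System.Net.Dns]::GetHostAddresses($ReplicaFqdn) |
              ForEach-Object { $_.IPAddressToString })
if ($resolved.Count -ne 1 -or $resolved[0] -ne $ReplicaIp) {
    throw "$ReplicaFqdn resolves to $($resolved -join ', '), expected $ReplicaIp"
}

# 3. The listener must answer, and the connection must leave through NIC2.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ReplicaFqdn, $Port)
    $source = $client.Client.LocalEndPoint.Address.IPAddressToString
} finally {
    $client.Close()
}
if ($source -ne $LocalIp) { throw "Connection left from $source, expected $LocalIp" }

# 4. The local certificate must be present, unexpired and have its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired' }

# 5. Enable replication against the real FQDN; traffic follows the hosts pin.
Enable-VMReplication -VMName 'VM1' -ReplicaServerName $ReplicaFqdn `
    -ReplicaServerPort $Port -AuthenticationType Certificate `
    -CertificateThumbprint $Thumbprint
Start-VMInitialReplication -VMName 'VM1'
```

The mirror-image hosts entry (Server_A's FQDN pinned to 192.168.1.10) goes on Server_B so that reverse replication after a failover takes the same link.
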
  • Hi Massimo,

    What kind of certificate are you using? Self-signed or certificate from Enterprise CA?

    Please advise. Thanks

    Jingle

    Saturday, January 17, 2015 09:10
  • Thanks to Massimo. Replication over other NIC now is OK. I'm using an Enterprise CA, two computer certificates for the two hosts and modified hosts files.
    Thursday, June 4, 2015 07:05
  • Hi,

    I've done the trick before and it works like a charm.

    However, we are trying to implement "extended replica", but apparently this method does not work.

    Trying to register DNS correctly, changing hosts files to point to correct extended replica servers on each host and on the extended replica server itself (pointing to replicated hosts).... and it always uses the second NIC and not the dedicated one.

    The replication between each host is working well, only the extended one does not care about the hosts file and only uses the management network...

    Does anyone here have some idea how to make this work? I would appreciate it a lot.

    Thank you.

    Regards

    Tuesday, March 15, 2016 01:47
  • > Only way to do this is to use certificate based replication, and use dns or change host file to point server1.domain.com to the secondary ip on the different ip scheme.

    You have saved my life. Thanks, Thanks and thousand times Thanks
    Monday, October 30, 2017 12:08
  • It works well for me if I am using the Hyper-V management network but when I try to switch them to a separate network I get the 0x00002EFE The connection was terminated abnormally. These are two Hyper-V 2016 servers, standalone, using certificate authentication. The network cards that I am using are teamed in Windows 2016 and are directly connected to each other, I can ping by IP and by FQDN using hosts files. I'm not sure what I am missing here because if I browse to add the replication partner in the enable replication wizard I can type in and resolve the machine name. I have added both accounts to the Credential Manager on both servers, so I don't think it's an authentication issue. 443 is also open on both servers. Again if I use the management network replication works fine.

    Any help would be greatly appreciated. 

    Monday, January 29, 2018 16:45