Hyper-V Replica in a workgroup environment

  • Question

  • I'm trying to set up Hyper-V Replica between two Windows 2012 R2 hosts.   They are not part of a domain, but they do belong to the same workgroup.

    On the secondary host, I enabled it as a Replica server and selected Kerberos for the authentication mode.  I also selected "Allow replication from any authenticated server".  I then ran the Enable Replication wizard on the primary server and went through the wizard.  After clicking Finish, I get an "Enabling replication failed" error dialog with this message:

         Hyper-V failed to enable replication.

         Hyper-V failed to authenticate using Kerberos authentication.

         Hyper-V failed to enable replication for virtual machine 'xxx': No credentials are available in the security package (0x8009030E).

        Hyper-V failed to authenticate the Replication server YYY using Kerberos authentication.  Error: No credentials are available in the security package (0x8009030E).

    The one post I found that talked about this issue in a workgroup environment, http://www.chicagotech.net/win8&2012/replicaissue1.htm, suggested making sure that Everyone and Authenticated Users have permission to "Access this computer from the network" in local policies.  Did that on both machines and that didn't help.

    Does anyone have any other suggestions?

    Thanks,

    Richard

    Thursday, April 16, 2015 7:06 PM

Answers

  • Hi Sir,

    >>FYI, I found step 5 as being somewhat vague.  It wasn't explicit as to what server name to use, so I just used the full machine's name.

    You can also use the same user name and password for the two standalone servers instead of step 5 (use the built-in account "Administrator").

    In addition, please try to ping the server from the other server to check whether the computer name can be resolved correctly.

    Please turn off the firewall on both servers for troubleshooting.

    Best Regards,

    Elton Ji


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com .

    Thursday, May 7, 2015 6:25 AM
    Moderator

All replies

  • Are you using certificates?  Kerberos is a trusted method that relies on certificates.

    Here is a step-by-step guide that should help. http://blog.powerbiz.net.au/hyperv/how-to-set-up-hyper-v-replica-for-small-businesses/


    . : | : . : | : . tim

    Thursday, April 16, 2015 7:27 PM
  • Tim,

    No, I'm not using any certificates.  Thank you for the link to the guide.  I'll give it a try after I'm able to get a couple of certificates.

    Richard

    Thursday, April 16, 2015 8:14 PM
  • Hi Sir,

    How are things going?

    In addition, here is another link:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c3e309b6-1d5d-4e52-b859-cf36bd5af47d/forum-faq-how-to-implement-hyperv-replica-in-workgroup-environment?forum=winserverhyperv

    Best Regards,

    Elton Ji


    Sunday, April 19, 2015 4:50 AM
    Moderator
  • Elton_Ji,

    I finally got some time to give setting up replication another try.  Did the steps in the link you provided me.  Thank you very much for that.  FYI, I found step 5 as being somewhat vague.  It wasn't explicit as to what server name to use, so I just used the full machine's name.

    I had to reboot the backup server but after doing all that, I was able to get replication enabled on it.  I was able to enable replication on the virtual machine.  But, when it actually tried to replicate, I got this error dialog:

    Enable Replication

    Enabling replication failed.

    Hyper-V failed to enable replication.

    Hyper-V cannot connect to the Replica server.

    Hyper-V failed to enable replication for virtual machine 'myVirtualMachine':  The operation timed out (0x00002EE2).

    Hyper-V cannot connect to the specified Replica server 'backup'.  Error: The operation timed out (0x00002EE2).  Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.

    I double checked, I do have both "Hyper-V Replica HTTP Listener (TCP-In)" (port 80) and "Hyper-V Replica HTTPS Listener (TCP-In)" (port 443) enabled on the back up server.  Even enabled them on the host server in case that made a difference.  It didn't.

    Any suggestions as to what else to check?

    I think I'm getting close to getting it all to work...

    Richard

    Friday, April 24, 2015 8:46 PM
  • In searching Google for a solution, I did find information about the PowerShell function Test-VMReplicationConnection.  Gave that a shot, and it failed:

    PS C:\> Test-VMReplicationConnection -ReplicaServerName backup.my.local -ReplicaServerPort 443 -AuthenticationType Certificate -CertificateThumbprint B1C5C956D54705422562B9C881D94D1B528989A8

    Test-VMReplicationConnection : Hyper-V failed to test replication settings for specified Replica server 'backup.my.local'. Error: The operation timed out (0x00002EE2).
    Hyper-V cannot connect to the specified Replica server 'backup.my.local'. Error: The operation timed out (0x00002EE2). Verify that the specified server is enabled as a Replica server, allows inbound connection on port '443', and supports the same authentication scheme.

    I even tried it with the firewall on backup turned off.  Same results.

    When I go into Hyper-V settings for backup, it says "Enabled as a Replica server" under "Replication Configuration".  "Enable this computer as a Replica server" is checked.  "Use certificate-based Authentication (HTTPS)" is checked.  Port is 443.  The certificate has been selected.  "Allow replication for any authenticated server" is checked.


    • Edited by RichardR Monday, April 27, 2015 6:52 PM
    Monday, April 27, 2015 6:51 PM
  • I had a thought.  I went into replication configuration settings for the backup server, and changed the settings to "Allow replication from the specified servers". After clicking okay, I got this error dialog:

    Error applying Replication Configuration changes

    Hyper-V failed to apply the new authentication settings.

    Hyper-V failed to enable the Replica server using certificate-based authentication.

    Hyper-V failed to enable the Replica server using the new authentication settings.

    Hyper-V failed to enable the Replica server for certificate-based authentication on port '443'.  Error: A specified logon session does not exist.  It may already have been terminated.  (0x80070520).

    I rebooted the server, and when I went back into the Hyper-V settings, "Allow replication from the specified servers" is checked, and the server is listed.  So, did the settings take or not?  How do I determine that?

    I tried doing the Test-VMReplicationConnection test again, but it still failed.

    I'm thinking that Replica, for whatever reason, is not really enabled, regardless of what the Hyper-V settings are showing.  But, I don't know how to actually determine that, and if so, how to get it enabled.  Anyone have any ideas?

    Richard

    Monday, April 27, 2015 7:07 PM
  • Hi Sir,

    How are things going?

    Best Regards,

    Elton Ji


    Wednesday, May 13, 2015 1:47 AM
    Moderator
  • Elton,

    Sorry for the delay in responding.  I've tried it with the firewalls turned off.  Same results.  I have shares on both machines and the two machines can access the file shares on the other machines.  So, they definitely can see each other and talk to each other.  The only issue is getting Hyper-V talking.

    Richard

    Thursday, May 14, 2015 9:44 PM
  • Here is a better answer for anyone who stumbles upon this.  Bottom line, if you don't have domain level trust between the 2 servers, you must use certificates for the authentication (and select the HTTPS certificate option).  But you DO NOT need to purchase certificates for the servers, rather use the "makecert" utility to create your own Root certificate that you install on the servers.  I have done this for 60+ HyperV host servers.  I'll give the quick rundown here and hopefully with the help of Google, anyone else who stumbles across this will be able to make it work.

    1. Download the "makecert" utility that you will use to create both root and standard certificates on both the source and destination server. (I just put in c:\makecert and do all my work from a cmd prompt in that folder, all the certificates you create will then appear in this folder)
    https://docs.microsoft.com/en-us/windows/win32/seccrypto/makecert

    2. Run this reg command on each server to allow self signed certificates (all on one line)
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

    3. Create source ROOT certificate with the following makecert command
    makecert -pe -n "CN=SourceRootCA" -ss root -sr LocalMachine -sky signature -r "SourceRootCA.cer"

    4. Create the source SERVER certificate, authenticated by the ROOT cert you just created (all on one line)
    makecert -pe -n "CN=SourceServerName" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "SourceRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 SourceServerName.cer

    ** Make sure SourceServerName = the actual server name, and if part of a domain, use the fqdn

    5. Create destination ROOT certificate with the following makecert command (make sure all cert names are unique)
    makecert -pe -n "CN=DestinationRootCA" -ss root -sr LocalMachine -sky signature -r "DestinationRootCA.cer"

    6. Create the destination SERVER certificate, authenticated by its ROOT cert you just created (all on one line)
    makecert -pe -n "CN=DestinationServerName" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "DestinationRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 DestinationServerName.cer

    ** Make sure DestinationServerName = the actual server name, and if part of a domain, use the fqdn

    7. Copy the Source ROOT certificate to the DESTINATION Server.  Also copy the Destination ROOT certificate to the SOURCE server.  I always place these in the C:\Makecert folder that I'm working in.

    8. On the Source server, install the destination root certificate you just copied over with the following command -
    certutil -addstore -f Root "DestinationRootCA.cer"

    9. On the Destination server install the source root certificate you just copied over with the following command -
    certutil -addstore -f Root "SourceRootCA.cer"

    10. On the destination server, HyperV settings, make sure to enable the HTTPS Certificate based replication and select your certificate that pops up when you click the "select" button.

    You will now be able to enable replication on the source server, and when you select the certificate based replication, you will choose your certificate which will authenticate you against the destination server.  I have used this procedure with both Server 2012 R2 and Server 2016, and I assume it will work for Server 2019.

    -Brad

    • Proposed as answer by bgrorud Friday, September 27, 2019 12:58 PM
    Sunday, July 21, 2019 3:12 AM
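
One way to check, per host, that the ten steps above took effect and to answer the earlier "did the settings take or not?" question; this is an added example, not part of Brad's post or any Microsoft tooling. The parameter defaults (`DestinationServerName`, `DestinationRootCA`) are placeholders following the naming used in the steps, and `New-Check` is a helper defined here.

```powershell
# Added example: read-only prerequisite check for certificate-based Hyper-V Replica.
# Defaults below are placeholders that follow the procedure's naming; set them per host.
param(
    [string]$LocalName  = $env:COMPUTERNAME,        # must match the CN given to makecert
    [string]$PeerName   = 'DestinationServerName',  # placeholder: the other host
    [string]$PeerRootCN = 'DestinationRootCA',      # placeholder: the other host's root CN
    [int]$Port          = 443
)
function New-Check($Name, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}
# Server certificate in LocalMachine\My whose subject is CN=<this host>.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$LocalName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
New-Check 'Server cert in LocalMachine\My' $cert "CN=$LocalName"
if ($cert) {
    # A certificate without its private key cannot be used for TLS.
    New-Check 'Has private key' $cert.HasPrivateKey $cert.Thumbprint
    New-Check 'Not expired' ($cert.NotAfter -gt (Get-Date)) $cert.NotAfter
    # Both OIDs passed to -eku: server authentication and client authentication.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $hasBoth = ($ekus -contains '1.3.6.1.5.5.7.3.1') -and ($ekus -contains '1.3.6.1.5.5.7.3.2')
    New-Check 'EKU server+client auth' $hasBoth ($ekus -join ',')
    # Chain must end in a trusted root; revocation is skipped to mirror step 2.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    New-Check 'Chain builds to trusted root' $built ($chain.ChainStatus.Status -join ',')
}
# The peer's root certificate must be in this host's Trusted Root store (steps 7-9).
$peerRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$PeerRootCN" }
New-Check 'Peer root trusted' $peerRoot "CN=$PeerRootCN"
# Registry value written in step 2.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$rev = (Get-ItemProperty $key -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue).DisableCertRevocationCheck
New-Check 'DisableCertRevocationCheck = 1' ($rev -eq 1) "value=$rev"
# Name resolution plus TCP reachability of the peer's HTTPS listener.
$tcp = Test-NetConnection -ComputerName $PeerName -Port $Port -WarningAction SilentlyContinue
New-Check "TCP $Port reachable on $PeerName" $tcp.TcpTestSucceeded $tcp.RemoteAddress
# End-to-end test with the cmdlet used earlier in the thread.
if ($cert) {
    try {
        Test-VMReplicationConnection -ReplicaServerName $PeerName -ReplicaServerPort $Port `
            -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint -ErrorAction Stop | Out-Null
        New-Check 'Test-VMReplicationConnection' $true 'ok'
    } catch { New-Check 'Test-VMReplicationConnection' $false $_.Exception.Message }
}
```

Run it elevated on each host with the other host's name and root CN, and pipe the output to `Format-Table -AutoSize`. Because step 2 turns off revocation checking, retiring a host certificate later means removing its root from the peer's Trusted Root store.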
  • All I can say is wow. Your directions are spot on. I really want to thank you for sharing this. I have two hyper-v servers. One contains a domain controller vm and an SQL VM and the other is the hot standby. Neither of the hyper-v hosts are joined to the domain as I want to avoid the chicken or the egg issue.

    -Dave

    Friday, September 27, 2019 2:18 AM
  • >>All I can say is wow. Your directions are spot on. I really want to thank you for sharing this. I have two hyper-v servers. One contains a domain controller vm and an SQL VM and the other is the hot standby. Neither of the hyper-v hosts are joined to the domain as I want to avoid the chicken or the egg issue.

    >>-Dave

    You're welcome.  Glad I typed them up accurately.  If you or others who stumble across this find this works, mark that post to "propose as answer" to make sure people can find it.

    Cheers!

    -Brad

    Friday, September 27, 2019 1:02 PM