My thanks to my Microsoft contacts for supplying an answer to this.
Situation: Windows 8 Server Beta: Hyper-V replication between two servers that are in workgroup mode (non-domain bound). When configuring using the Understand_and_Troubleshoot_Guide_Hyper-V_Replica_in_Windows_Server_8_Beta documentation I ran into a problem when trying to use the certificate generated in the appendix.
==========================================================================
Error 0x00002F89, which states the certificate chosen was not correct due to: not having a corresponding certificate in the computer personal store, terminating at root certificate, including private key, having the server extended feature, and / or correct CN.
==========================================================================
I tried a lot of things but just could not make this work. The following is an addition to the guide which basically tells the replication service to skip the revocation check on the self-signed certificate:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
Lab Setup:
Two Machines in workgroup mode: Win8Acer and Win8Black
On both systems:
1) Configure the advanced setting to add an FQDN to the name of the server (I used Test.Lab)
2) In the hosts file, specify the replication network address of the server as the FQDN and add the other server's replication network address as well
Step 1.
Server1 (Win8Acer) – Primary Server
Open a CMD as Admin
: Change location to my temp directory where MakeCert.Exe is stored
CD C:\MakeCert\
:
makecert -pe -n "CN=PrimaryTestRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryTestRootCA.cer"
:
makecert -pe -n "CN=Win8Acer.Test.Lab" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer
:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
:
: Copy the root certificate to the replication server
Copy PrimaryTestRootCA.cer \\Win8Black\c$\MakeCert\
Step 2.
Server2 (Win8Black) – Replication Server
Open a CMD as Admin
CD C:\MakeCert\
:
makecert -pe -n "CN=RecoveryTestRootCA" -ss root -sr LocalMachine -sky signature -r "RecoveryTestRootCA.cer"
:
makecert -pe -n "CN=Win8Black.Test.Lab" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "RecoveryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 RecoveryTestCert.cer
:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
:
: Copy the root certificate to the primary server
Copy RecoveryTestRootCA.cer \\Win8Acer\c$\MakeCert\
:
: Import Root Certificate of the Primary CA - Server 1 (copied in previous step)
certutil -addstore -f Root "PrimaryTestRootCA.cer"
Step 3.
Server1 (Win8Acer) – Primary Server
Open a CMD as Admin
: Change location to my temp directory where MakeCert.Exe is stored
CD C:\MakeCert\
: Import Root Certificate of the Recovery CA - Server 2 (copied in previous step)
certutil -addstore -f Root "RecoveryTestRootCA.cer"
Step 4.
On both servers:
Following the Hyper-V Guide, configure Hyper-V to use the ROOT CERTIFICATE (Server1 = PrimaryTestRootCA.cer, Server 2 = RecoveryTestRootCA.cer) when configuring the certificate used for the replication service and when you run each replication wizard for the individual VM.
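The conditions named in error 0x00002F89 (personal store, private key, server EKU, chain to a trusted root, matching CN) can be checked on each host before opening the Hyper-V wizard. The script below is an added example, not part of the original post or the Microsoft guide; the -Fqdn parameter and the output property names are chosen here for illustration.

```powershell
# Added example (not from the original post or the Microsoft guide).
# Checks the conditions error 0x00002F89 lists for a replication certificate.
# -Fqdn is a parameter name chosen for this sketch; pass this host's FQDN.
param([string]$Fqdn = 'Win8Acer.Test.Lab')

$serverAuth = '1.3.6.1.5.5.7.3.1'   # same OIDs as the makecert -eku argument
$clientAuth = '1.3.6.1.5.5.7.3.2'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject CN=$Fqdn in LocalMachine\My"
}

foreach ($cert in $certs) {
    # Collect the EKU OIDs carried in the certificate's extensions.
    $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    # Build the chain in machine context. Revocation is skipped here to
    # mirror DisableCertRevocationCheck; makecert certificates publish no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $ekus -contains $serverAuth
        ClientAuthEku = $ekus -contains $clientAuth
        ChainBuilds   = $chainOk
        RootSubject   = $root.Subject
        RootTrusted   = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Report the revocation-check override on both keys set in the steps above.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
foreach ($key in 'Replication', 'FailoverReplication') {
    $p = Get-ItemProperty "$base\$key" -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue
    '{0}: DisableCertRevocationCheck = {1}' -f $key, $p.DisableCertRevocationCheck
}
```

Run it from an elevated PowerShell prompt on each server with that server's own FQDN; any False column points at the condition the wizard will reject.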