Tuesday, 22 August 2017

VMware to Hyper-V migration with Veeam


Okay, so here’s the problem. You want to migrate VMs from VMware vSphere 5 or 6 or whatever to Hyper-V 2016 but you can’t find a tool to use because you want near-zero downtime. You search around and find some options:

Sysinternals Disk2Vhd

Great tool and free! The problem is that you need a lot of downtime: it converts the entire disk and you cannot sync changes after the conversion is done, so the downtime runs from the moment you start the conversion.

Microsoft Virtual Machine Converter

Another good tool, but it no longer supports the later versions of vSphere or Hyper-V. In fact, the tool itself is not supported as of June 3rd 2017. See more here. However, even if you do use it, you still cannot do the incremental sync that you need.

Third party tools to migrate VMware to Hyper-V

There are some very useful tools that will literally do near-zero downtime conversions, but these come at a cost. Have a look at Quest, Double-Take or PlateSpin.


So, I found a neat little workaround for this. Basically, use Veeam. Now, you need both Veeam Agent for Windows and Veeam Backup and Replication (and you can get free trials for both). The steps are below:
  1. Install Veeam Agent for Windows on your VM
  2. Install Veeam Backup and Replication on a backup server
  3. Add your host into Veeam Backup and Replication
  4. Create a backup repository in Veeam Backup and Replication
  5. Back up your VM to a Veeam Repository on the backup server using Veeam Agent for Windows
  6. Prevent users accessing the server to make changes
  7. Do an incremental backup of your VM and shut it down
  8. Use Veeam Backup and Replication to rescan the repository
  9. Use Veeam Backup and Replication to do an Instant Restore of your VM onto a Hyper-V host and select to power on the VM
  10. Re-enable user access
  11. Use Veeam Backup and Replication to migrate the VM onto production storage (using the Instant Restore wizard)
The advantages of doing this are that you minimize downtime by doing incremental backups and then doing an instant restore. If you’re not familiar with this, Veeam Backup and Replication creates dummy VHD and VM configuration files on the Hyper-V storage which actually reference the backup server storage and the VM runs off the backup server storage. To improve performance, you may want to add faster disks and use 10Gb networking on your backup servers.
If you are a hosting provider then you really don’t want tenant VMs with access to the backup server so you can use the Veeam Cloud Connect Gateway (part of the Veeam Cloud Connect suite). This only requires a single port to be open from the tenant network - it’s generally used to back up VMs over the internet so it was designed with that security in mind.
I hope this helps people out as it looks like MS aren’t really providing a solution to do this just yet.

Saturday, 4 March 2017

Enable key archival in Server 2012 R2


So, you get an escalated call from the helpdesk saying someone’s lost their private key. So, we only had one copy of that. Now what?
Well, here’s where key archival comes into play. You configure your CA to enable key archival and then you specify that your certificate templates have key archival enabled and now your private keys are copied to your CA so you can recover them when needed!

How to enable key archival

Identify a user to serve as the key recovery agent. In this case, we'll use the account LITWARE\Administrator.

Open your Certification Authority snap-in, right click Certificate Templates and click Manage. You now see a list of certificate templates:


Duplicate the Key Recovery Agent certificate template and give it a name: Key Recovery Agent 2


Configure the key recovery agent certificate template with Read and Enroll permissions for the key recovery agent (LITWARE\Administrator). You do this on the Security tab:


Now we need to configure the CA to issue the new certificate template. Right click Certificate Templates, click New, then click Certificate Template to Issue


Select your new Key Recovery Agent 2 certificate and click OK


Now we need to enroll the Administrator account for the Key Recovery Agent 2 certificate. To do this, open up certmgr.msc and click on Personal

Click on Action > All Tasks > Request New Certificate


Click next


Click to select the Key Recovery Agent 2 certificate and then click Enroll to finish the wizard:



Note that it didn't issue the certificate - the status is Enrollment pending. Now, go back to your CA snap-in and click on Pending Requests. You should see a pending request for the certificate you just enrolled.


Right click the certificate, click on All Tasks and then Issue. The certificate is now issued.
Now, right click the CA and go to Properties and select the Recovery Agents tab. Select Archive the key, select the Number of recovery agents to use (one in our case):


Click Add and select the certificate which was issued to your chosen user:


Click OK twice and you're then prompted to restart the AD CS services so go ahead and click Yes


So, we've now created our Key Recovery Agent certificate template, issued it to our Key Recovery Agent and configured the CA to use a Key Recovery Agent. We're not protected against key loss just yet because the certificate templates that are issued out need to have key archival enabled.
Right click on a certificate template which you need to enable key archival for, duplicate it, give it a name, go to Properties and then to the Request Handling tab. Tick Archive subject's encryption private key:


On the Superseded Templates tab, add all the certificate templates that you want to be replaced by your new one then click OK:


This doesn't protect against loss of private keys for certificates which have already been issued so in this case, you need to get the clients to reenroll these. Right click on your original certificate and select Reenroll All Certificate Holders:


Go for an 8hr coffee break or just sit and stare at the screen…….

Go to Issued Certificates in the CA snap-in and add the Archived Key column. Eventually, you should start to see new certificates issued and you can see that the key is archived:


So, there you have it. That’s how you enable key archival in AD CS!

If you need to recover a key then see here.

Recover lost private key (Key Archival)


If you have Key Archival enabled then you can recover private keys. If you don’t have Key Archival enabled then click here for instructions.
In this post, I’ll demonstrate how to recover a lost private key.

How to recover a lost private key

You need to be logged in with one of your Key Recovery Agents that you specified when you configured Key Archival.
Firstly, locate your certificate in the Issued Certificates section using the CA snap-in:
You then need to get the serial number so you can just double click it, go to details and select Serial Number:
Remove the spaces from the Serial Number:
Use certutil to get the key:
certutil -getkey 1a00000042af62922b38431f48000100000042 C:\Temp\key.key
You then use certutil again to recover the private key:
certutil -recoverkey C:\Temp\key.key c:\temp\cert.pfx
You now have a .pfx file and you can import this back onto your client using certmgr.msc
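
The two certutil steps above, wrapped into one function as an added example (not code from the original post). The function name, parameter names and the default output folder are assumptions; run it as a Key Recovery Agent, as the post requires.

```powershell
# Added example: chains "certutil -getkey" and "certutil -recoverkey" from the post.
# Assumptions (hypothetical, not from the post): Restore-ArchivedKey, -SerialNumber, -OutDir.
function Restore-ArchivedKey {
    [CmdletBinding()]
    param(
        # Serial number exactly as copied from the certificate's Details tab (spaces allowed).
        [Parameter(Mandatory)] [string] $SerialNumber,
        [string] $OutDir = 'C:\Temp'
    )

    # The Details tab shows the serial as space-separated hex; certutil needs it without spaces.
    $serial = ($SerialNumber -replace '\s', '').ToLowerInvariant()
    if ($serial -notmatch '^[0-9a-f]+$') {
        throw "Serial number '$SerialNumber' contains non-hex characters."
    }

    $blob = Join-Path $OutDir "$serial.key"   # recovery blob, still encrypted to the KRA
    $pfx  = Join-Path $OutDir "$serial.pfx"   # final output, contains the private key

    try {
        # Step 1: fetch the archived key blob from the CA database.
        & certutil.exe -getkey $serial $blob
        if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE." }

        # Step 2: decrypt the blob with the KRA private key and write a PFX.
        # certutil prompts interactively for the password that protects the PFX.
        & certutil.exe -recoverkey $blob $pfx
        if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE." }
    }
    finally {
        # The intermediate blob is no longer needed once the PFX exists (or the run failed).
        Remove-Item -LiteralPath $blob -ErrorAction SilentlyContinue
    }

    Write-Host "PFX written to $pfx"
}

# Serial number from the post, written the way the Details tab displays it.
Restore-ArchivedKey -SerialNumber '1a 00 00 00 42 af 62 92 2b 38 43 1f 48 00 01 00 00 00 42'
```

The resulting .pfx holds the user's private key, so move it to the client over a protected channel and delete it from the recovery folder once it has been imported.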

How to enable certificate autoenrollment


Welcome back! In this post, we’ll do a quick demo of how you can enable certificate autoenrollment for a computer certificate. This means that the computer (or server) will get its own certificate……eventually……and you don’t (really) need to do anything.

How to enable certificate autoenrollment

Okay, so you have to do something! The first step is to open the Certification Authority snap-in on your CA or management computer, right click on Certificate Templates and click Manage.
You should now see a list of certificate templates you can configure:
Right click the Computer certificate template and duplicate it. Call your new certificate Computer 2 and change any settings you need to change (e.g. validity period)
Click on the Security tab and grant Enroll and Autoenroll permissions for Domain Computers (or whatever group of computers you need to configure autoenrollment for)
Create a Group Policy Object which is linked to the domain and go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment. Select Enable and tick Renew expired certificates and tick Update certificates that use templates. Although we link the GPO to the domain, we are in fact only allowing the group with permissions on the computer certificate to actually autoenroll and get the certificate
Now, to get your clients to actually autoenroll for a certificate, you can either wait a while, restart them, or force the clients to autoenroll immediately with certutil /pulse.
This creates a certificate in the Local Machine personal store:
………and it has a common name which matches the FQDN of the client (litcli01.litware.com in our case):

Saturday, 11 February 2017

Offline standalone root CA install, Server 2012 R2 - Part 1


In this post, we’ll look at how to set up an offline standalone root CA in Windows Server 2012 R2. This is the most secure way to set up your CA because it means you can set up subordinate issuing CAs and power off the root CA when not required to issue subordinate CA certificates.
Having a powered off server means you cannot possibly have it compromised (unless someone has physical access to it or you decide to store the CA private key on an unencrypted USB key and give it to a friend to get some movies but that’s beside the point!).

How to install an offline standalone root CA

Before we start, make sure you have a clean build of Windows Server 2012 R2 without any other roles installed. Make sure your server is not joined to a domain. The server in this example is called LITCA01 (our root CA in the Litware organization).
  • Install the AD CS role and select the Certification Authority role service:
    • Either use PowerShell:
    Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority
    • Or use the GUI:
  • Select Active Directory Certificate Services
  • Click next
  • Click next
  • Select Certification Authority
  • Click next
  • Configure CA and select standalone CA:
  • After installation, the wizard prompts you to configure the CA. If you used PowerShell then you can continue CA configuration by opening up Server Manager.
  • Click through the wizard and select defaults and then when prompted, for a CA type, select root CA:
  • Create certificate or use an existing one (if you have one already). In our case, we don't already have one so we create a new one.
  • Accept defaults and complete the wizard. You now have a standalone Certificate Authority.



Your standalone CA is now set up. So, that’s great! How do I make sure things will work when it’s offline? How do you get a certificate from an offline CA? How will domain joined clients autoenroll certificates? Well, we’ll need a subordinate CA but first we need to configure our CA and prepare it for a subordinate CA. We’ll go through this in part 2.

Offline standalone root CA install, Server 2012 R2 - Part 2


So, in part 1, we installed our offline root CA called LITCA01. In this part, we’ll configure the AIA and CDP settings so that we can create a subordinate CA which will be used to issue certificates to clients and be joined to the domain.

What is a CDP?

First of all, what is a CDP and what is AIA? Yes, good question!
CDP stands for CRL Distribution Point. CRL stands for Certificate Revocation List. Let’s say you issue a certificate to a web server. Your client then connects to the web server and downloads the certificate (public key). It needs to know if this web server certificate has been revoked or not so to do this, it looks at the certificate extensions (properties on the certificate) and looks for the CDP locations. Usually this is an LDAP or HTTP URL and the client can connect to download the CRL and then work out if the web server certificate has been revoked or not.

What is AIA?

The Authority Information Access (AIA) locations are configured on a CA and they are stamped onto certificates issued by the CA. This information is used by an application or service to get the issuing CA certificate to validate the certificate path.
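
To see what a client sees, the following added example (not from the original post) reads the CDP and AIA extensions stamped onto a certificate and tests whether each HTTP URL answers. The function name and the sample file path are assumptions, and the URL extraction relies on the "URL=" text that Windows produces when formatting these extensions.

```powershell
# Added example: list the CDP and AIA URLs in a certificate and probe the HTTP ones.
# Assumptions (hypothetical): function name Get-CertRevocationUrl and the sample path below.
function Get-CertRevocationUrl {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)   # .cer / .crt file to inspect

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Extension OIDs: CRL Distribution Points and Authority Information Access.
    $wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

    foreach ($ext in $cert.Extensions) {
        $kind = $wanted[$ext.Oid.Value]
        if (-not $kind) { continue }

        # On Windows, Format() renders the decoded extension as text with "URL=" entries.
        $text = $ext.Format($true)
        foreach ($match in [regex]::Matches($text, 'URL=(\S+)')) {
            $url = $match.Groups[1].Value

            # Only HTTP(S) locations are probed; LDAP and file URLs are listed as-is.
            $reachable = $null
            if ($url -match '^https?://') {
                try {
                    Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 | Out-Null
                    $reachable = $true
                }
                catch { $reachable = $false }
            }

            [pscustomobject]@{ Extension = $kind; Url = $url; Reachable = $reachable }
        }
    }
}

# Hypothetical path to a certificate issued by the CA (for example a subordinate CA certificate).
Get-CertRevocationUrl -Path 'C:\Temp\issued.cer' | Format-Table -AutoSize
```

A row with Reachable set to False means clients cannot download that CRL or CA certificate from the listed location; certutil -verify -urlfetch against the same file performs the full chain and revocation check.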

How to configure an offline standalone root CA CDP and AIA extensions

  • Install IIS and the management tools:
Install-WindowsFeature web-server,web-mgmt-console
  • Make a directory in the default website: C:\inetpub\wwwroot\CertEnroll
  • Open up the Certification Authority console
  • Right click on your CA (LITCA01-CA in our case) and click on properties
  • Click on the extensions tab and click on Add to add a new CDP:
  • Enable Publish CRLs to this location and Publish Delta CRLs to this location
  • Run certutil -crl to create a new CRL and ensure this appears in the folder with the name: C:\inetpub\wwwroot\CertEnroll\LITCA01-CA.crl (your CA name will be different)
  • Configure the http CDP by enabling two options: "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates"
  • Now, click on Select extension and choose Authority Information Access (AIA):
    • Add an AIA location:
  • Enable http AIA by ticking Include in the AIA extension of issued certificates
  • Click OK
  • Copy C:\Windows\System32\CertSrv\CertEnroll\litca01_LITCA01-CA.crt to C:\inetpub\wwwroot\CertEnroll\litca01_LITCA01-CA.crt (your CA name will be different so copy the .crt file for your CA)


We’ve now configured a CDP and AIA location for our offline root CA. These will only be needed for our subordinate CAs when they need to renew or reissue their CA certificates. In the next post, we’ll go through how to set up a subordinate enterprise CA which our domain joined clients can use for certificate requests.