Getting Started with Azure Site Recovery: On-Premises to On-Premises Protection
Use Azure Site Recovery to protect virtual machines running on Hyper-V hosts located in System Center Virtual Machine Manager (VMM) clouds. You can configure:
- On-premises to on-premises protection—Replicate virtual machines located on Hyper-V host servers in VMM clouds from one on-premises site to another. You configure and enable protection settings in Azure Site Recovery vaults. Virtual machine data is replicated from one on-premises Hyper-V server to another. Azure Site Recovery simply orchestrates the process.
- On-premises to Azure protection—Replicate on-premises virtual machines located on Hyper-V host servers in VMM clouds to Azure. You configure and enable protection settings in Azure Site Recovery vaults. Virtual machine data is replicated from the on-premises Hyper-V server to Azure storage. Learn about this scenario in Getting Started with Azure Site Recovery: On-Premises to Azure Protection.
About this tutorial
This tutorial is intended to help you deploy Azure Site Recovery for a quick proof-of-concept. It uses the quickest path and default settings where possible, and includes steps to:
- Set up an Azure Site Recovery vault—Upload a certificate to the vault, set the certificate up on the source VMM server, and generate a vault key.
- Set up VMM servers—Install the Azure Site Recovery Provider on the source and target VMM server.
- Configure the VMM clouds—Configure protection settings for VMM clouds.
- Enable virtual machines—Enable protection for virtual machines.
- Run a failover—Create a recovery plan and run a test failover.
For information about a full deployment read:
If you run into problems during this tutorial, review the wiki article Azure Site Recovery: Common Error Scenarios and Resolutions, or post your questions on the Azure Recovery Services Forum.
Before you begin
Before you start this tutorial, check the prerequisites.
- Azure account—You'll need an Azure account. If you don't have one, see Azure free trial. Get pricing information at Azure Site Recovery Manager Pricing Details.
- Certificate—You'll need to upload a management certificate (.cer) with a public key to the vault. You'll export this certificate as a .pfx file (with private key) and import it on each VMM server you want to register in the vault. For this tutorial you'll use a self-signed certificate. For a full deployment you can use a valid SSL certificate that complies with the conditions described in the planning guide.
- VMM server—At least one VMM server running on System Center 2012 SP1 or System Center 2012 R2.
- VMM clouds—At least one cloud on the source VMM server you want to protect, and one cloud on the target VMM server. If you're running one VMM server it'll need two clouds configured. The primary cloud you want to protect must contain the following:
- One or more VMM host groups
- One or more Hyper-V host servers or clusters in each host group.
- One or more virtual machines located on the source Hyper-V server in the cloud.
After verifying the prerequisites, do the following:
Step 1: Obtain and configure certificates
Obtain and configure certificates as follows:
- Obtain a self-signed certificate for the walkthrough—Obtain a certificate using the MakeCert tool.
- Export the certificate in .pfx format—On the server on which you created the certificate, export the .cer file as a .pfx file (with the private key).
- Import the .pfx certificate to VMM servers—After export, import the .pfx file into the Personal folder of the Local Computer store on the VMM servers that you want to register with the vault.
Obtain a self-signed certificate (.cer)
Create a .cer x.509 certificate that complies with all certificate requirements:
- On the computer on which you want to run MakeCert, download the latest version of the Windows SDK. You won't need to install the entire SDK.
- On the Specify Location page, select Install the Windows Software Development Kit for Windows 8.1 to this computer.
- On the Select the Features you Want to Install page, clear all options except Windows Software Development Kit.
- After the installation is complete, verify that makecert.exe appears in the folder C:\Program Files (x86)\Windows Kits\WindowsVersion\bin\x64.
- Open a command prompt (cmd.exe) with Administrator privileges and navigate to the makecert.exe folder.
- Run the following command to create your self-signed certificate. Replace CertificateName with the name you want to use for the certificate, and specify the actual expiration date of your certificate after -e:
makecert.exe -r -pe -n CN=CertificateName -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 CertificateName.cer
A succeeded status indicates that the certificate has been created. It's stored in the same folder as makecert.exe. You might want to move it to a more accessible location for export.
Export the certificate in .pfx format
Complete the steps in this procedure to export the .cer file in .pfx format.
- In the details pane, click the certificate you want to manage.
- On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
- On the Export Private Key page, click Yes to export the private key. Click Next. Note that this is only required if you want to export the private key to other servers after the installation.
- On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
- On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.
- Follow the pages of the wizard to export the certificate in .pfx format.
Import the .pfx certificate to VMM servers
After export, copy the .pfx file to the VMM servers, and then import it. Note that if you ran MakeCert.exe on a VMM server, you don't need to import the certificate on that server.
- Copy the private-key (.pfx) certificate files to a location on the local server.
- In the Certificates MMC snap-in select Computer account and then click Next.
- Select Local Computer, and click Finish.
- In the MMC, expand Certificates, right-click Personal, point to All Tasks, and then click Import to start the Certificate Import Wizard.
- On the File to Import page, click Browse and locate the folder that contains the .pfx certificate file that contains the certificate that you want to import. Select the appropriate file, and then click Open.
- On the Password page, in the Password box, type the password for the private key .pfx file and click Next.
- On the Certificate Store page, select Place all certificates in the following store, click Browse, select the Personal store, click OK, and then click Next. Complete the wizard.
After you complete these steps, you'll be able to choose the .cer certificate for upload when you configure the vault, and to select the .pfx certificate when you register a VMM server during Provider installation.
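One way to confirm the result of Step 1 on each VMM server before you register it, as an added PowerShell example that is not part of the original tutorial. The function name Test-VaultCertificate, the 30-day expiry window and the sample path are assumptions; the checks mirror the makecert options used above (2048-bit key, EKU 1.3.6.1.5.5.7.3.2, Local Computer Personal store, private key present).

```powershell
# Added example. Read-only checks; nothing in the certificate store is modified.
function Test-VaultCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,  # the .cer file you upload to the vault
        [int]$MinKeyBits = 2048,                         # matches makecert -len 2048
        [int]$WarnDays   = 30                            # assumed expiry warning window
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication, as passed to makecert -eku

    # Public half: the certificate file that goes to the vault.
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path -LiteralPath $CerPath).Path

    # Private half: the imported .pfx must sit in Local Computer\Personal
    # and carry the same thumbprint as the uploaded .cer.
    $stored = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $cer.Thumbprint } |
        Select-Object -First 1

    # Collect the enhanced key usage OIDs from the certificate's extensions.
    $ekuOids = @()
    foreach ($ext in $cer.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    $keyBits = $cer.PublicKey.Key.KeySize
    $now     = Get-Date

    [pscustomobject]@{
        Check  = 'Present in Cert:\LocalMachine\My'
        Passed = ($null -ne $stored)
        Detail = $cer.Thumbprint
    }
    [pscustomobject]@{
        Check  = 'Private key available on this server'
        Passed = [bool]($stored -and $stored.HasPrivateKey)
        Detail = 'Required to select the certificate during Provider registration'
    }
    [pscustomobject]@{
        Check  = "Key length >= $MinKeyBits bits"
        Passed = ($keyBits -ge $MinKeyBits)
        Detail = "$keyBits bits"
    }
    [pscustomobject]@{
        Check  = 'EKU includes Client Authentication'
        Passed = ($ekuOids -contains $clientAuthOid)
        Detail = ($ekuOids -join ', ')
    }
    [pscustomobject]@{
        Check  = "Valid now and for the next $WarnDays days"
        Passed = ($cer.NotBefore -le $now -and $cer.NotAfter -gt $now.AddDays($WarnDays))
        Detail = "NotAfter: $($cer.NotAfter.ToString('u'))"
    }
}

# Example call (constructed path, replace with your own .cer location):
# Test-VaultCertificate -CerPath C:\Certs\CertificateName.cer | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each VMM server; any row with Passed = False points at the step in this section to repeat.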
Step 2: Create a vault
Sign in to the Management Portal.
Expand Data Services, expand Recovery Services, and click Site Recovery Vault.
Click Create New and then click Quick Create.
In Name, enter a friendly name to identify the vault.
In Region, select the geographic region for the vault. Available geographic regions include East Asia, West Europe, West US, East US, North Europe, Southeast Asia.
Click Create vault.
Check the status bar to confirm that the vault was successfully created. The vault will be listed as Active on the main Recovery Services page.
Step 3: Configure the vault
In the Recovery Services page, click the vault to open the Quick Start page. Quick Start can also be opened at any time using the icon.
In the Setup Recovery dropdown list, select Between two on-premises sites.
To upload the certificate (.cer) to the vault, click Manage Certificate.
In the Manage Certificate dialog box, click Browse for file and select the .cer file.
To generate a key for the vault, click Get the vault key. The key is generated automatically. If you regenerate a key it overwrites the previous key. Note that you'll need this key later when you install the Azure Site Recovery Provider on the VMM server.
Step 4: Install the Azure Site Recovery Provider
On the Quick Start page, click Download Provider to obtain the latest version of the Provider installation file.
Run this file on the source and target VMM servers.
After the Provider is installed, continue Setup to register the server in the vault.
On the Internet Connection page specify how the Provider running on the VMM server connects to the Internet. Click Next to use the default Internet connection settings configured on the server.
On the Vault Registration page, do the following:
- Select the private key (.pfx) that you imported to the VMM server.
- Select the vault in which you want to register the server.
- Specify the vault key. This is the vault key you generated earlier. Cut and paste the key value from the Quick Start page.
On the Data Encryption page, you specify whether you want to allow the option to encrypt data during replication for a specific cloud. If you select this option, an SSL certificate will be automatically generated. When you run a failover, you’ll need to select this certificate. After you enable this setting, you can enable or disable data encryption for a cloud in the Azure Site Recovery portal. For this tutorial leave the default setting and click Next.
On the VMM Server page, do the following:
- Specify a friendly name for the VMM server. This name is used to identify the server in the Azure Site Recovery console.
- Select Synchronize cloud metadata with the vault to synchronize information about VMM clouds with Azure Site Recovery vault. This action only needs to happen once on each server. If you don't want to synchronize all clouds, you can publish each cloud individually to synchronize it, before you configure cloud protection settings.
Click Register to complete the process.
After a server has been successfully registered its friendly name will be displayed on the Resources tab on the Servers page in the vault.
Step 5: Configure cloud protection settings
After VMM servers are registered, you can configure cloud protection settings. You enabled the option Synchronize cloud data with the vault when you installed the Provider so all clouds on the VMM server will appear in the Protected Items tab in the vault.
- On the Quick Start page, click Set up protection for VMM clouds.
On the Protected Items tab, select the cloud that you want to configure and go to the Configuration tab. Note that:
In Target, select VMM.
In Target location, select the on-site VMM server that manages the cloud you want to use for recovery.
In Target cloud, select the target cloud you want to use for failover of virtual machines in the source cloud. Note that:
- We recommend that you select a target cloud that meets recovery requirements for the virtual machines you'll protect.
- A cloud can only belong to a single cloud pair — either as a primary or a target cloud.
In Copy frequency leave the default setting. This value specifies how frequently data should be synchronized between source and target locations. It's only relevant when the Hyper-V host is running Windows Server 2012 R2. For other servers a default setting of five minutes is used.
In Additional recovery points, leave the default setting. This value specifies whether you want to create additional recovery points. The default zero value specifies that only the latest recovery point for a primary virtual machine is stored on a replica host server.
In Frequency of application-consistent snapshots, leave the default setting. This value specifies how often to create snapshots. Snapshots use Volume Shadow Copy Service (VSS) to ensure that applications are in a consistent state when the snapshot is taken. If you do want to set this value for the tutorial walkthrough, ensure that it is set to less than the number of additional recovery points you configure.
In Data transfer compressed, specify whether replicated data that is transferred should be compressed.
In Authentication, specify how traffic is authenticated between the primary and recovery Hyper-V host servers. For the purpose of this walkthrough select HTTPS unless you have a working Kerberos environment configured. Azure Site Recovery will automatically configure certificates for HTTPS authentication. No manual configuration is required. Note that this setting is only relevant for Hyper-V host servers running on Windows Server 2012 R2.
In Port, leave the default setting. This value sets the port number on which the source and target Hyper-V host computers listen for replication traffic.
In Replication method, specify how the initial replication of data from source to target locations will be handled, before regular replication starts.
- Over network—Copying data over the network can be time-consuming and resource-intensive. We recommend that you use this option if the cloud contains virtual machines with relatively small virtual hard disks, and if the primary VMM server is connected to the secondary VMM server over a connection with wide bandwidth. You can specify that the copy should start immediately, or select a time. If you use network replication, we recommend that you schedule it during off-peak hours.
- Offline—This method specifies that the initial replication will be performed using external media. It's useful if you want to avoid degradation in network performance, or for geographically remote locations. To use this method you specify the export location on the source cloud, and the import location on the target cloud. When you enable protection for a virtual machine, the virtual hard disk is copied to the specified export location. You send it to the target site, and copy it to the import location. The system copies the imported information to the replica virtual machines. For a complete list of offline replication prerequisites, see Step 3: Configure protection settings for VMM clouds in the Deployment Guide.
After you save the settings a job will be created and can be monitored on the Jobs tab. All Hyper-V host servers in the VMM source cloud will be configured for replication. Cloud settings can be modified on the Configure tab. If you want to modify the target location or target cloud you must remove the cloud configuration, and then reconfigure the cloud.
Step 6: Configure network mapping
This tutorial describes the simplest path to deploy Azure Site Recovery in a test environment. If you do want to configure network mapping as part of this tutorial, read Prepare for network mapping in the Planning Guide. To configure mapping follow the steps to Configure network mapping in the deployment guide.
Step 7: Configure storage mapping
This tutorial describes the simplest path to deploy Azure Site Recovery in a test environment. If you do want to configure storage mapping as part of this tutorial, follow the steps to Configure storage mapping in the deployment guide.
Step 8: Enable virtual machine protection
After servers, clouds, and networks are configured correctly, you can enable protection for virtual machines in the cloud.
- On the Virtual Machines tab in the cloud in which the virtual machine is located, click Enable protection and then select Add virtual machines.
- From the list of virtual machines in the cloud, select the one you want to protect.
After protection is enabled two jobs are created. The Enable Protection job runs. Then after the initial replication is completed the Finalize Protection job runs. The virtual machine is only ready for failover after these jobs have finished successfully. You can monitor progress on the Jobs tab.
Step 9: Configure and run a recovery plan
A recovery plan gathers virtual machines into groups so that they can fail over as a single unit. To create a recovery plan, do the following:
- On the Recovery Plans tab, click Create.
On the Specify the Recovery Page Name and Target page, select the source VMM server and Azure as the target.
On the Select Virtual Machines page, select virtual machines to add to the recovery plan. Only virtual machines with protection enabled are shown. The virtual machines are added to the recovery plan in the default group (Group 1).
Click the check mark to create the recovery plan.
Test a failover
Recovery plans can run as part of a proactive test or planned failover, or during an unplanned failover. This walkthrough describes how to run a test failover to verify that your failover strategy is working as expected. Test failover simulates your failover and recovery mechanism in an isolated network. Note the following:
- When a test failover is triggered, you are requested to specify how test virtual machines should be connected to networks after the failover.
- If you want to use an existing network we recommend that you create a separate logical network that is not used in production for this purpose.
- If you select the option to automatically create a test VM network, the temporary networks and test virtual machines are cleaned up automatically after the test failover is complete.
- If you are using a virtual LAN (VLAN) based logical network, ensure that the network sites you add to the logical network are isolated.
- If you are using a Windows Network Virtualization-based logical network, Azure Site Recovery will automatically create isolated VM networks.
Run the failover
Run a test failover for a recovery plan as follows:
- On the Recovery Plans tab, select the required recovery plan.
- To initiate the failover, click the Test Failover button.
- On the Confirm Test Failover page, specify how virtual machines should be connected to networks after the test failover, as follows:
- None—Select this setting to specify that VM networks should not be used in the test failover. Use this option if you want to test individual virtual machines rather than your network configuration. It also provides a quick glance of how test failover functionality works. Test virtual machines will not be connected to networks after a failover.
- Use existing—Use this option if you have already created and isolated a VM network to use for test failover. After the failover all test virtual machines used in the test failover will be connected to the network specified in VM Network.
- Create automatically—Select this setting to specify that Azure Site Recovery should automatically create a VM network based on the setting you specify in Logical Network, and its related network sites. Use this option if the recovery plan uses more than one VM network. In the case of Windows Network Virtualization networks, this option can be used to automatically create VM networks with the same settings (subnets and IP address pools) of those in the network of the replica virtual machine. These VM networks are cleaned up automatically after the test failover is complete.
On the Confirm Test Failover page, details of the VMM server on which the test virtual machines will be created are displayed. You can follow the progress of test failover jobs on the Jobs tab. After the test failover is complete, do the following:
- Verify that the virtual machines start successfully.
- After verifying that virtual machines start successfully, complete the test failover to clean up the isolated environment. If you selected to automatically create VM networks, cleanup deletes all the test virtual machines and test networks.
- Click Notes to record and save any observations associated with the test failover.
- In addition to details on the Jobs tab, when you run a test failover for a recovery plan the process is displayed on the recovery plan details page. You can view failover steps and status, and view or create notes for the test failover.
- You can export a job in the failover list into an Excel spreadsheet.
You can use the Jobs tab and Dashboard to view and monitor the main jobs performed by the Azure Site Recovery vault, including configuring protection for a cloud, enabling and disabling protection for a virtual machine, running a failover (planned, unplanned, or test), and committing an unplanned failover.
From the Jobs tab you can view jobs, drill down into job details and errors, run job queries to retrieve jobs that match specific criteria, export jobs to Excel, and restart failed jobs.
From the Dashboard you can download the latest versions of Provider and Agent installation files, get configuration information for the vault, see the number of virtual machines that have protection managed by the vault, see recent jobs, manage the vault certificate, and resynchronize virtual machines.
For more information about interacting with jobs and the dashboard, see the Operations and Monitoring Guide.