Channel: Hyper-V forum

Hyper-V 0x00002EFE error workaround in Certificate based replication


Situation: 2 servers as standalone Hyper-V hosts (workgroup, not domain joined). One is Windows Server 2012, the other Windows Server 2012 R2. Both Datacenter edition. Successfully established Hyper-V Replication using Certificate authentication on Port 443. Had to build a PKI infrastructure, itself a useful learning process. Replication works fine for existing VMs.

Problem: Whenever I tried to enable replication for a new VM, I continually got the dreaded 0x00002EFE error: "Hyper-V failed to enable replication for virtual machine ' VM Name': The connection with the server was terminated abnormally (0x00002EFE)." Was using the GUI most of the time.

Existing machines continue to replicate just fine. Failover test worked on one of them. Just couldn't replicate the new VM, which was the last one to do before upgrading the old 2012 server to R2.

Diagnosis: Read all articles so far. Double check all settings, certificates, CRL distribution points, Event Logs. Nothing found. Capture network traffic with Network Monitor 3.4. Found one packet where the 2012 R2 replica server was sending a TCP RESET in response to SSL Client Hello for SSL handshake for new replica request.

Analysis: Started to get suspicious about the server certificates when I noticed the GUI was always converting the server hostname to a FQDN by adding a domain name. Both servers were registered in an internal AD based DNS server even though they are not domain joined. Checked the certificates again and confirmed they both only had single level names (I thought I had generated SAN certificates, but not so). The GUI would not let me use a single level name any more, although it used it to set the earlier replicas up.

Solution: Used PowerShell and specified a single level server name that was on the certificate. Sequence is:

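# List the certificates in the local machine's Personal store with full details
cd cert:\localmachine\my
dir | FL
# Manually copy the Thumbprint value, here 97531ABCDEF2468DE7434767DDEEFF22567C521E

# Use the single-level name that is on the certificate as -ReplicaServerName
Enable-VMReplication <VMName> -ReplicaServerName ReplicaR2 -AuthenticationType Certificate -CertificateThumbprint 97531ABCDEF2468DE7434767DDEEFF22567C521E -ReplicaServerPort 443
Start-VMInitialReplication <VMName>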

TIPS:

1: Hyper-V Certificate Replication REQUIRES access to a CDP for any internally generated certificates. Simply omitting one in the certificate generation process is not enough; you have to supply a reachable CDP.

2: Include all names that your servers can have in the certificates you generate, both single level and FQDN. I was using http://blogs.technet.com/b/virtualization/archive/2012/07/02/requesting-certificates-for-hyper-v-replica-from-cas.aspx as a guide and trying to modify it to generate a SAN certificate using a dedicated Microsoft CA machine. Still got to get that bit right.
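
A pre-check for the name mismatch and CDP requirement described above, as an added example that is not part of the original post: it collects the subject CN and SAN DNS names from a certificate, reports whether each name you plan to pass to -ReplicaServerName is among them, and lists the CDP URLs. Test-ReplicaCertName and the FQDN in the sample call are hypothetical, and the regexes assume the English-language extension text that Windows produces.

```powershell
# Added example: Test-ReplicaCertName is a hypothetical helper, not a Hyper-V cmdlet.
function Test-ReplicaCertName {
    param(
        [Parameter(Mandatory = $true)] [string]   $Thumbprint,
        [Parameter(Mandatory = $true)] [string[]] $ServerName  # names you may pass to -ReplicaServerName
    )
    # Fails with a terminating error if the thumbprint is not in the store.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Start with the subject CN.
    $names = @($cert.GetNameInfo('SimpleName', $false))

    # Add DNS entries from the Subject Alternative Name extension (OID 2.5.29.17), if present.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }

    # Collect URLs from the CRL Distribution Points extension (OID 2.5.29.31), if present.
    $cdpUrls = @()
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $cdpUrls = @([regex]::Matches($cdp.Format($false), 'URL=([^\s,]+)') |
                     ForEach-Object { $_.Groups[1].Value })
    }

    foreach ($n in $ServerName) {
        New-Object psobject -Property @{
            RequestedName = $n
            # Exact, case-insensitive match only; wildcard certificate names are not expanded.
            OnCertificate = ($names -contains $n)
            CertNames     = ($names -join ', ')
            HasCdp        = ($cdpUrls.Count -gt 0)
            CdpUrls       = ($cdpUrls -join ', ')
        }
    }
}

# Thumbprint and single-level name as used in the post; the FQDN is a constructed placeholder.
Test-ReplicaCertName -Thumbprint '97531ABCDEF2468DE7434767DDEEFF22567C521E' `
                     -ServerName 'ReplicaR2', 'ReplicaR2.example.internal' |
    Format-List RequestedName, OnCertificate, CertNames, HasCdp, CdpUrls
```

The check only confirms that a CDP URL is present on the certificate; whether the replica server can actually reach that URL still has to be tested from that host.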


 

