Manage cluster registration with Azure

Applies to Azure Stack HCI version 20H2

After you've created an Azure Stack HCI cluster, you must register Windows Admin Center with Azure and then register the cluster with Azure. After the cluster is registered, it periodically syncs information between the on-premises cluster and the cloud.

This article explains how to view your registration status, grant Azure Active Directory (Azure AD) permissions, and unregister your cluster when you're ready to decommission it.

View registration status in Windows Admin Center

When you connect to a cluster by using Windows Admin Center, you'll see the dashboard, which displays the Azure connection status. Connected means that the cluster is already registered with Azure and has successfully synced to the cloud within the last day.

Screenshot showing the cluster connection status on the Windows Admin Center dashboard.

You can get more information by selecting Settings at the bottom of the Tools menu on the left, and then selecting Azure Stack HCI registration.

Screenshot showing the option for getting Azure Stack HCI registration information.

View registration status in PowerShell

To view registration status by using Windows PowerShell, use the Get-AzureStackHCI PowerShell cmdlet and the ClusterStatus, RegistrationStatus, and ConnectionStatus properties.

For example, after you install the Azure Stack HCI operating system, but before you create or join a cluster, the ClusterStatus property shows a NotYet status:

Screenshot showing the Azure registration status before cluster creation.

After the cluster is created, only RegistrationStatus shows a NotYet status:

Screenshot showing the Azure registration status after cluster creation.

You must register an Azure Stack HCI cluster within 30 days of installation, as defined in the Azure Online Services Terms. If you haven't created or joined a cluster after 30 days, ClusterStatus will show OutOfPolicy. If you haven't registered the cluster after 30 days, RegistrationStatus will show OutOfPolicy.

After the cluster is registered, you can see ConnectionStatus and the LastConnected time. The LastConnected time is usually within the last day unless the cluster is temporarily disconnected from the internet. An Azure Stack HCI cluster can operate fully offline for up to 30 consecutive days.

Screenshot showing the Azure registration status after registration.

If you exceed the maximum period of offline operation, ConnectionStatus will show OutOfPolicy.
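As an added example (not code from the original article), the following PowerShell function reads the same properties from Get-AzureStackHCI and reports anything that is NotYet, OutOfPolicy, or approaching the 30-day offline limit, so the check can run from a scheduled task instead of being read off a screenshot. It assumes the Az.StackHCI module is installed on the node and that LastConnected is returned as a DateTime; the function name and the 20-day warning threshold are choices made here.

```powershell
# Added example, not part of the original article. Assumes Az.StackHCI is installed
# on the node and that LastConnected comes back as a [datetime].
function Test-AzSHciRegistrationHealth {
    param(
        # Warn before the 30-day offline limit described above; 20 days is an assumed threshold.
        [int]$WarnAfterDaysOffline = 20
    )
    $status = Get-AzureStackHCI
    $findings = @()

    # Each of the three status properties can report NotYet or OutOfPolicy.
    foreach ($prop in 'ClusterStatus', 'RegistrationStatus', 'ConnectionStatus') {
        switch ($status.$prop) {
            'OutOfPolicy' { $findings += "$prop is OutOfPolicy: the 30-day limit has been exceeded." }
            'NotYet'      { $findings += "$prop is NotYet: this step has not been completed." }
        }
    }

    # LastConnected is only populated once the cluster is registered.
    if ($status.LastConnected -is [datetime]) {
        $daysOffline = ((Get-Date) - $status.LastConnected).Days
        if ($daysOffline -ge $WarnAfterDaysOffline) {
            $findings += "Last sync with Azure was $daysOffline days ago; the cluster must reconnect before day 30."
        }
    }

    # Return an object so monitoring or a scheduled task can consume the result.
    [pscustomobject]@{
        ClusterStatus      = $status.ClusterStatus
        RegistrationStatus = $status.RegistrationStatus
        ConnectionStatus   = $status.ConnectionStatus
        LastConnected      = $status.LastConnected
        Healthy            = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

# Example usage: run on a cluster node and fail the scheduled check if anything is wrong.
$result = Test-AzSHciRegistrationHealth
$result.Findings | ForEach-Object { Write-Warning $_ }
if (-not $result.Healthy) { exit 1 }
```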

Assign Azure AD app permissions

In addition to creating an Azure resource in your subscription, registering Azure Stack HCI creates an app identity in your Azure AD tenant. This identity is conceptually similar to a user. The app identity inherits the cluster name. This identity acts on behalf of the Azure Stack HCI cloud service, as appropriate, within your subscription.

If the user who registers the cluster is an Azure AD administrator or has sufficient permissions, this all happens automatically. No additional action is required. Otherwise, you might need approval from your Azure AD administrator to complete registration. Your administrator can either explicitly grant consent to the app, or they can delegate permissions so that you can grant consent to the app:

Diagram showing the relationship between Azure Active Directory permissions and identities.

To grant consent, open portal.azure.cn and sign in with an Azure account that has sufficient permissions in Azure AD. Go to Azure Active Directory > App registrations. Select the app identity named after your cluster, and go to API permissions.

For the general availability (GA) release of Azure Stack HCI, the app requires the following permissions. They're different from the app permissions that were required in public preview.

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Cluster.Read

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Cluster.ReadWrite

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.ClusterNode.Read

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.ClusterNode.ReadWrite

For public preview, the app permissions (now deprecated) were:

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Census.Sync

https://azurestackhci-usage.trafficmanager.net/AzureStackHCI.Billing.Sync

Seeking approval from your Azure AD administrator might take some time, so the Register-AzStackHCI cmdlet will exit and leave the registration in a pending admin consent (partially completed) status. After consent is granted, rerun Register-AzStackHCI to complete registration.

Assign Azure AD user permissions

The user who runs Register-AzStackHCI needs Azure AD permissions to:

  • Create (New-AzureADApplication), get (Get-AzureADApplication), set (Set-AzureADApplication), or remove (Remove-AzureADApplication) Azure AD applications.
  • Create (New-AzureADServicePrincipal) or get (Get-AzureADServicePrincipal) the Azure AD service principal.
  • Manage Active Directory application secrets (New-AzureADApplicationKeyCredential, Get-AzureADApplicationKeyCredential, or Remove-AzureADApplicationKeyCredential).
  • Grant consent to use specific application permissions (New-AzureADServiceAppRoleAssignment, Get-AzureADServiceAppRoleAssignment, or Remove-AzureADServiceAppRoleAssignment).

There are three ways to assign these permissions.

Option 1: Allow any user to register applications

In Azure Active Directory, go to User settings > App registrations. Under Users can register applications, select Yes.

This option allows any user to register applications. However, the user still needs the Azure AD admin to grant consent during cluster registration.

Note

This option is a tenant-level setting, so it might not be suitable for large enterprise customers.

Option 2: Assign the Cloud Application Administration role

Assign the built-in Cloud Application Administration Azure AD role to the user. This assignment will allow the user to register and unregister clusters without the need for additional Active Directory admin consent.

Option 3: Create a custom Active Directory role

The most restrictive option is to create a custom Active Directory role with a custom consent policy that delegates tenant-wide admin consent for the required permissions to the Azure Stack HCI service. When you assign this custom role to users, they can both register and grant consent without the need for additional Active Directory admin consent.

Note

This option requires an Azure AD Premium license. It uses custom Active Directory roles and custom consent policy features that are now in public preview.

  1. Connect to Azure AD:

    Connect-AzureAD -EnvironmentName AzureChinaCloud
    
  2. Create a custom consent policy:

    New-AzureADMSPermissionGrantPolicy -Id "AzSHCI-registration-consent-policy" -DisplayName "Azure Stack HCI registration admin app consent policy" -Description "Azure Stack HCI registration admin app consent policy"
    
  3. Add a condition that includes the app permissions required by the Azure Stack HCI service, which has the app ID 1322e676-dee7-41ee-a874-ac923822781c.

    Note

    The following permissions are for the GA release of Azure Stack HCI. They won't work with public preview unless you have applied the November 23, 2020, preview update (KB4586852) to every server in your cluster and have downloaded Az.StackHCI module version 0.4.1 or later.

    New-AzureADMSPermissionGrantConditionSet -PolicyId "AzSHCI-registration-consent-policy" -ConditionSetType "includes" -PermissionType "application" -ResourceApplication "1322e676-dee7-41ee-a874-ac923822781c" -Permissions "bbe8afc9-f3ba-4955-bb5f-1cfb6960b242","8fa5445e-80fb-4c71-a3b1-9a16a81a1966","493bd689-9082-40db-a506-11f40b68128f","2344a320-6a09-4530-bed7-c90485b5e5e2"
    
  4. Grant permissions to allow registering Azure Stack HCI, referencing the custom consent policy that you created in step 2:

    $displayName = "Azure Stack HCI Registration Administrator "
    $description = "Custom AD role to allow registering Azure Stack HCI "
    $templateId = (New-Guid).Guid
    $allowedResourceAction =
    @(
           "microsoft.directory/applications/createAsOwner",
           "microsoft.directory/applications/delete",
           "microsoft.directory/applications/standard/read",
           "microsoft.directory/applications/credentials/update",
           "microsoft.directory/applications/permissions/update",
           "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
           "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
           "microsoft.directory/servicePrincipals/appRoleAssignments/read",
           "microsoft.directory/servicePrincipals/createAsOwner",
           "microsoft.directory/servicePrincipals/credentials/update",
           "microsoft.directory/servicePrincipals/permissions/update",
           "microsoft.directory/servicePrincipals/standard/read",
           "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy"
    )
    $rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}
    
  5. Create the new custom Active Directory role:

    $customADRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
    
  6. Follow these instructions to assign the new custom Active Directory role to the user who will register the Azure Stack HCI cluster with Azure.
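As an added example (not code from the original article), the following PowerShell function audits what steps 2 through 5 created: it checks that the consent policy's includes condition set is limited to application permissions on the Azure Stack HCI service app with no permission IDs beyond the four GA ones from step 3, and that the custom role delegates consent only through that policy rather than tenant-wide. It assumes Connect-AzureAD has already run with the module that provides the Get-AzureADMS* cmdlets (AzureADPreview); the function name is a choice made here, and the default parameter values reproduce the page's own values, including the trailing space in the display name from step 4.

```powershell
# Added example, not part of the original article. Assumes Connect-AzureAD has run and
# the module providing the Get-AzureADMS* cmdlets (AzureADPreview) is loaded.
function Test-AzSHciRegistrationRole {
    param(
        [string]$PolicyId = 'AzSHCI-registration-consent-policy',
        [string]$RoleDisplayName = 'Azure Stack HCI Registration Administrator '
    )
    # Azure Stack HCI service app ID and GA permission IDs, as used in step 3 above.
    $hciAppId = '1322e676-dee7-41ee-a874-ac923822781c'
    $expected = @('bbe8afc9-f3ba-4955-bb5f-1cfb6960b242', '8fa5445e-80fb-4c71-a3b1-9a16a81a1966',
                  '493bd689-9082-40db-a506-11f40b68128f', '2344a320-6a09-4530-bed7-c90485b5e5e2')
    $problems = @()

    # Check 1: the policy must include only application permissions on the HCI service app.
    $sets = @(Get-AzureADMSPermissionGrantConditionSet -PolicyId $PolicyId -ConditionSetType 'includes')
    if ($sets.Count -eq 0) { $problems += "Policy '$PolicyId' has no 'includes' condition set." }
    foreach ($set in $sets) {
        if ($set.PermissionType -ne 'application' -or $set.ResourceApplication -ne $hciAppId) {
            $problems += "Condition set $($set.Id) is not limited to application permissions on $hciAppId."
        }
        $extra = @($set.Permissions | Where-Object { $_ -notin $expected })
        if ($extra.Count -gt 0) { $problems += "Condition set $($set.Id) allows extra permissions: $($extra -join ', ')." }
    }

    # Check 2: the role may delegate consent only through this policy, never through any other.
    $allowedGrant = "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$PolicyId"
    $role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) {
        $problems += "Custom role '$RoleDisplayName' was not found."
    } else {
        $actions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
        $grants  = @($actions | Where-Object { $_ -like 'microsoft.directory/servicePrincipals/managePermissionGrantsForAll.*' })
        if ($grants.Count -eq 0) { $problems += "Role does not delegate consent through '$PolicyId'." }
        $other = @($grants | Where-Object { $_ -ne $allowedGrant })
        if ($other.Count -gt 0) { $problems += "Role delegates consent through unexpected policies: $($other -join ', ')." }
    }

    [pscustomobject]@{ Compliant = ($problems.Count -eq 0); Problems = $problems }
}

# Example usage after completing steps 1 to 5.
(Test-AzSHciRegistrationRole).Problems | ForEach-Object { Write-Warning $_ }
```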

Unregister Azure Stack HCI by using Windows Admin Center

When you're ready to decommission your Azure Stack HCI cluster, connect to the cluster by using Windows Admin Center. Select Settings at the bottom of the Tools menu on the left. Then select Azure Stack HCI registration, and select the Unregister button.

The unregistration process automatically cleans up the Azure resource that represents the cluster, the Azure resource group (if the group was created during registration and doesn't contain any other resources), and the Azure AD app identity. This cleanup stops all monitoring, support, and billing functionality through Azure Arc.

Note

Unregistering an Azure Stack HCI cluster requires an Azure AD administrator or another user who has sufficient permissions.

If your Windows Admin Center gateway is registered to a different Azure Active Directory (tenant) ID than was used to initially register the cluster, you might encounter problems when you try to unregister the cluster by using Windows Admin Center. If this happens, use the following PowerShell instructions.

Unregister Azure Stack HCI by using PowerShell

You can also use the Unregister-AzStackHCI cmdlet to unregister an Azure Stack HCI cluster. You can run the cmdlet either on a cluster node or from a management PC.

You might need to install the latest version of the Az.StackHCI module. If you're prompted with Are you sure you want to install the modules from 'PSGallery'?, answer yes (Y).

Install-Module -Name Az.StackHCI

Unregister from a cluster node

If you're running the Unregister-AzStackHCI cmdlet on a server in the cluster, use the following syntax. Specify your Azure subscription ID and the resource name of the Azure Stack HCI cluster that you want to unregister.

Unregister-AzStackHCI -SubscriptionId "e569b8af-6ecc-47fd-a7d5-2ac7f23d8bfe" -ResourceName HCI001

You're prompted to visit microsoft.com/deviceloginchina on another device (like your PC or phone). Enter the code, and sign in there to authenticate with Azure.

Unregister from a management PC

If you're running the cmdlet from a management PC, you also need to specify the name of a server in the cluster:

Unregister-AzStackHCI -ComputerName ClusterNode1 -SubscriptionId "e569b8af-6ecc-47fd-a7d5-2ac7f23d8bfe" -ResourceName HCI001

An interactive Azure login window appears. The exact prompts that you see will vary depending on your security settings (for example, two-factor authentication). Follow the prompts to sign in.

Clean up after a cluster that was not properly unregistered

If a user destroys an Azure Stack HCI cluster without unregistering it, such as by reimaging the host servers or deleting virtual cluster nodes, then artifacts will be left over in Azure. These artifacts are harmless and won't incur billing or use resources, but they can clutter the Azure portal. To clean them up, you can manually delete them.

To delete the Azure Stack HCI resource, go to its page in the Azure portal and select Delete from the action bar at the top. Enter the name of the resource to confirm the deletion, and then select Delete.

To delete the Azure AD app identity, go to Azure AD > App registrations > All applications. Select Delete and confirm.

You can also delete the Azure Stack HCI resource by using PowerShell:

Remove-AzResource -ResourceId "HCI001"

You might need to install the Az.Resources module:

Install-Module -Name Az.Resources

If the resource group was created during registration and doesn't contain any other resources, you can delete it too:

Remove-AzResourceGroup -Name "HCI001-rg"

Next steps

For related information, see: