Integrate AD FS identity with your Azure Stack datacenter

You can deploy Azure Stack using Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS) as the identity provider. You must make the choice before you deploy Azure Stack. In a connected scenario, you can choose Azure AD or AD FS. For a disconnected scenario, only AD FS is supported. This article shows how to integrate Azure Stack AD FS with your datacenter AD FS.

Important

You can't switch the identity provider without redeploying the entire Azure Stack solution.

Active Directory Federation Services and Graph

Deploying with AD FS allows identities in an existing Active Directory forest to authenticate with resources in Azure Stack. This existing Active Directory forest requires a deployment of AD FS to allow the creation of an AD FS federation trust.

Authentication is one part of identity. To manage role-based access control (RBAC) in Azure Stack, the Graph component must be configured. When access to a resource is delegated, the Graph component looks up the user account in the existing Active Directory forest using the LDAP protocol.

Azure Stack AD FS architecture

The existing AD FS is the account security token service (STS) that sends claims to the Azure Stack AD FS (the resource STS). In Azure Stack, automation creates the claims provider trust with the metadata endpoint for the existing AD FS.

At the existing AD FS, a relying party trust must be configured. This step isn't done by the automation and must be configured by the operator. The Azure Stack VIP endpoint for AD FS can be created by using the pattern https://adfs.<Region>.<ExternalFQDN>/.

The relying party trust configuration also requires you to configure the claim transformation rules that are provided by Azure.

For the Graph configuration, a service account must be provided that has read permission in the existing Active Directory. This account is required as input for the automation to enable RBAC scenarios.

For the last step, a new owner is configured for the default provider subscription. This account has full access to all resources when signed in to the Azure Stack administrator portal.

Requirements:

    Component    Requirement
    Graph        Microsoft Active Directory 2012/2012 R2/2016
    AD FS        Windows Server 2012/2012 R2/2016

Setting up Graph integration

Graph only supports integration with a single Active Directory forest. If multiple forests exist, only the forest specified in the configuration will be used to fetch users and groups.

The following information is required as inputs for the automation parameters:

    Parameter: CustomADGlobalCatalog
      Deployment Worksheet Parameter: AD FS Forest FQDN
      Description: FQDN of the target Active Directory forest that you want to integrate with
      Example: Contoso.com

    Parameter: CustomADAdminCredentials
      Deployment Worksheet Parameter: (none)
      Description: A user with LDAP Read permission
      Example: YOURDOMAIN\graphservice

Configure Active Directory Sites

For Active Directory deployments that have multiple sites, configure the Active Directory site closest to your Azure Stack deployment. This configuration avoids having the Azure Stack Graph service resolve queries using a Global Catalog Server from a remote site.

Add the Azure Stack Public VIP network subnet to the Active Directory site closest to Azure Stack. For example, let's say your Active Directory has two sites: Seattle and Redmond. If Azure Stack is deployed at the Seattle site, you would add the Azure Stack Public VIP network subnet to the Active Directory site for Seattle.

For more information on Active Directory Sites, see Designing the site topology.

Note

If your Active Directory consists of a single site, you can skip this step. If you have a catch-all subnet configured, validate that the Azure Stack Public VIP network subnet isn't part of it.
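The subnet placement check above can be automated. The following script is an added example and is not part of the original article or the Azure Stack tooling; it assumes the ActiveDirectory PowerShell module (RSAT) and uses placeholder values for the VIP subnet and site name. It lists every existing AD subnet that covers the VIP range (which is how a catch-all subnet assigned to the wrong site shows up) and, with -Apply, creates the exact VIP subnet under the closest site if it isn't there yet.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory
# module (RSAT) on a machine with rights to read and, when -Apply is used, create
# AD replication subnets. The VIP subnet and site name below are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

# Parse "a.b.c.d/len" into a numeric network address and mask (IPv4 only).
function ConvertTo-PrefixInfo {
    param([Parameter(Mandatory)][string]$Cidr)
    $address, $length = $Cidr.Split('/')
    $length = [int]$length
    $bytes = [System.Net.IPAddress]::Parse($address).GetAddressBytes()
    [Array]::Reverse($bytes)                      # little-endian for ToUInt32
    $value = [BitConverter]::ToUInt32($bytes, 0)
    # 2^32 - 2^(32-len) yields the mask without shift/overflow surprises
    $mask  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $length))
    [pscustomobject]@{
        Cidr    = $Cidr
        Length  = $length
        Mask    = $mask
        Network = [uint32]($value -band $mask)
    }
}

# True when $Outer fully contains $Inner (e.g. 10.0.0.0/8 contains 10.20.30.0/24).
function Test-PrefixContains {
    param($Outer, $Inner)
    ($Outer.Length -le $Inner.Length) -and
    ([uint32]($Inner.Network -band $Outer.Mask) -eq $Outer.Network)
}

# Report each existing AD subnet that covers the VIP subnet and which site it belongs to.
function Test-VipSubnetPlacement {
    param(
        [Parameter(Mandatory)][string]$VipSubnet,
        [Parameter(Mandatory)][string]$ClosestSite,
        [switch]$Apply
    )
    $vip = ConvertTo-PrefixInfo $VipSubnet
    $findings = foreach ($subnet in Get-ADReplicationSubnet -Filter * -Properties Site) {
        if ($subnet.Name -match ':') { continue }          # skip IPv6 subnets
        $existing = ConvertTo-PrefixInfo $subnet.Name
        if (-not (Test-PrefixContains -Outer $existing -Inner $vip)) { continue }
        $siteName = if ($subnet.Site) { ($subnet.Site -split ',')[0] -replace '^CN=' } else { '<none>' }
        [pscustomobject]@{
            Subnet  = $subnet.Name
            Site    = $siteName
            Exact   = ($existing.Length -eq $vip.Length)
            Problem = ($siteName -ne $ClosestSite)   # a covering subnet that points elsewhere
        }
    }
    if ($Apply -and -not ($findings | Where-Object Exact)) {
        New-ADReplicationSubnet -Name $VipSubnet -Site $ClosestSite -Location 'Azure Stack Public VIP'
    }
    $findings
}

# Constructed values: 203.0.113.0/24 is a documentation-only range (RFC 5737).
Test-VipSubnetPlacement -VipSubnet '203.0.113.0/24' -ClosestSite 'Seattle' | Format-Table
```

A row with Problem = True and Exact = False is the catch-all case the note warns about: the VIP addresses would be matched to that wider subnet's site until a more specific subnet exists.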

Create user account in the existing Active Directory (optional)

Optionally, you can create an account for the Graph service in the existing Active Directory. Do this step if you don't already have an account that you want to use.

  1. In the existing Active Directory, create the following user account (recommendation):

    • Username: graphservice
    • Password: Use a strong password and configure the password to never expire.

    No special permissions or membership are required.

Trigger automation to configure Graph

For this procedure, use a computer in your datacenter network that can communicate with the privileged endpoint in Azure Stack.

  1. Open an elevated Windows PowerShell session (run as administrator), and connect to the IP address of the privileged endpoint. Use the credentials for CloudAdmin to authenticate.

    $creds = Get-Credential
    Enter-PSSession -ComputerName <IP Address of ERCS> -ConfigurationName PrivilegedEndpoint -Credential $creds
    
  2. Now that you're connected to the privileged endpoint, run the following command:

    Register-DirectoryService -CustomADGlobalCatalog contoso.com
    

    When prompted, specify the credential for the user account that you want to use for the Graph service (such as graphservice). The input for the Register-DirectoryService cmdlet must be the forest name (the root domain of the forest) rather than any other domain in the forest.

    Important

    Wait for the credentials pop-up (Get-Credential isn't supported in the privileged endpoint) and enter the Graph service account credentials.

  3. The Register-DirectoryService cmdlet has optional parameters that you can use in certain scenarios where the existing Active Directory validation fails. When this cmdlet is executed, it validates that the provided domain is the root domain, that a global catalog server can be reached, and that the provided account is granted read access.

    Parameter                  Description
    -SkipRootDomainValidation  Specifies that a child domain must be used instead of the recommended root domain.
    -Force                     Bypasses all validation checks.

Graph protocols and ports

The Graph service in Azure Stack uses the following protocols and ports to communicate with a writeable Global Catalog Server (GC) and Key Distribution Center (KDC) that can process login requests in the target Active Directory forest.

    Type         Port   Protocol
    LDAP         389    TCP & UDP
    LDAP SSL     636    TCP
    LDAP GC      3268   TCP
    LDAP GC SSL  3269   TCP
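Register-DirectoryService performs three validations (root domain, reachable global catalog, read access for the account), and the table above lists the ports Graph needs. The following pre-flight script is an added example, not part of the original article or of the Azure Stack cmdlets: it runs the same three checks from the datacenter machine you will use, plus a TCP reachability test for each listed port, so that a failure is understood before you reach for -SkipRootDomainValidation or -Force. The forest name is a placeholder and the Graph service account is prompted for; UDP 389 is not probed.

```powershell
# Added example, not from the original article. Run from the datacenter machine you
# will use for the privileged endpoint, before Register-DirectoryService.
# $ForestFqdn is a placeholder; the Graph service account is supplied as a credential.
function Test-GraphIntegrationPrereqs {
    param(
        [Parameter(Mandatory)][string]$ForestFqdn,
        [Parameter(Mandatory)][pscredential]$GraphCredential
    )
    $user = $GraphCredential.UserName
    $pass = $GraphCredential.GetNetworkCredential().Password
    $report = [ordered]@{ Input = $ForestFqdn }

    # Check 1: the value must be the forest root domain, not a child domain.
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestFqdn, $user, $pass)
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
        $report.RootDomain   = $forest.RootDomain.Name
        $report.IsRootDomain = ($forest.RootDomain.Name -ieq $ForestFqdn)
    } catch {
        $report.Error = "Forest lookup failed: $($_.Exception.Message)"
        return [pscustomobject]$report
    }

    # Check 2: a global catalog server can be located and answers on the Graph ports (TCP only).
    $gc = $forest.FindGlobalCatalog()
    $report.GlobalCatalog = $gc.Name
    foreach ($port in 389, 636, 3268, 3269) {
        $report["TcpPort$port"] = Test-NetConnection -ComputerName $gc.Name -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # Check 3: the service account can bind to the GC and read one user object over LDAP.
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$($gc.Name)", $user, $pass)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $root, '(&(objectCategory=person)(objectClass=user))', [string[]]@('userPrincipalName'))
        $searcher.SizeLimit = 1
        $hit = $searcher.FindOne()
        $report.LdapReadOk = ($null -ne $hit)
        $report.SampleUpn  = if ($hit) { $hit.Properties['userprincipalname'][0] } else { $null }
    } catch {
        $report.LdapReadOk = $false
        $report.Error = "LDAP bind/read failed: $($_.Exception.Message)"
    }
    [pscustomobject]$report
}

# Usage (constructed forest name; enter YOURDOMAIN\graphservice at the prompt):
Test-GraphIntegrationPrereqs -ForestFqdn 'contoso.com' -GraphCredential (Get-Credential) | Format-List
```

IsRootDomain = False with a populated RootDomain field is exactly the situation -SkipRootDomainValidation covers; a closed port or LdapReadOk = False points at the network path or the account's rights rather than at the cmdlet.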

Setting up AD FS integration by downloading federation metadata

The following information is required as input for the automation parameters:

    Parameter: CustomAdfsName
      Deployment Worksheet Parameter: AD FS Provider Name
      Description: Name of the claims provider. It appears that way on the AD FS landing page.
      Example: Contoso

    Parameter: CustomADFSFederationMetadataEndpointUri
      Deployment Worksheet Parameter: AD FS Metadata URI
      Description: Federation metadata link.
      Example: https://ad01.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    Parameter: SigningCertificateRevocationCheck
      Deployment Worksheet Parameter: NA
      Description: Optional parameter to skip CRL checking.
      Example: None

Trigger automation to configure claims provider trust in Azure Stack

For this procedure, use a computer that can communicate with the privileged endpoint in Azure Stack. It's expected that the certificate used by the account STS AD FS is trusted by Azure Stack.

  1. Open an elevated Windows PowerShell session and connect to the privileged endpoint.

    $creds = Get-Credential
    Enter-PSSession -ComputerName <IP Address of ERCS> -ConfigurationName PrivilegedEndpoint -Credential $creds
    
  2. Now that you're connected to the privileged endpoint, run the following command using the parameters appropriate for your environment:

    Register-CustomAdfs -CustomAdfsName Contoso -CustomADFSFederationMetadataEndpointUri https://win-SQOOJN70SGL.contoso.com/federationmetadata/2007-06/federationmetadata.xml
    
  3. Run the following command to update the owner of the default provider subscription, using the parameters appropriate for your environment:

    Set-ServiceAdminOwner -ServiceAdminOwnerUpn "administrator@contoso.com"
    

Setting up AD FS integration by providing a federation metadata file

Beginning with version 1807, use this method if either of the following conditions is true:

  • The certificate chain is different for AD FS compared to all other endpoints in Azure Stack.
  • There's no network connectivity to the existing AD FS server from Azure Stack's AD FS instance.

The following information is required as input for the automation parameters:

    Parameter: CustomAdfsName
      Description: Name of the claims provider. It appears that way on the AD FS landing page.
      Example: Contoso

    Parameter: CustomADFSFederationMetadataFileContent
      Description: Metadata content.
      Example: $using:federationMetadataFileContent

Create the federation metadata file

For the following procedure, you must use a computer that has network connectivity to the existing AD FS deployment, which becomes the account STS. The necessary certificates must also be installed.

  1. Open an elevated Windows PowerShell session, and run the following commands using the parameters appropriate for your environment:

     $url = "https://win-SQOOJN70SGL.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
     $webclient = New-Object System.Net.WebClient
     $webclient.Encoding = [System.Text.Encoding]::UTF8
     $metadataAsString = $webclient.DownloadString($url)
     Set-Content -Path c:\metadata.xml -Encoding UTF8 -Value $metadataAsString
    
  2. Copy the metadata file to a computer that can communicate with the privileged endpoint.
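Before the file is handed to Register-CustomAdfs, it is worth confirming what it actually carries: the entityID of the account STS and the token-signing certificate(s) Azure Stack will end up trusting. The function below is an added example, not part of the original article or the Azure Stack tooling. It parses the saved metadata, decodes each signing certificate, reports its subject, thumbprint and expiry, and optionally compares the thumbprint with one you recorded at the previous registration (the -ExpectedThumbprint parameter is this example's own). A mismatch is the certificate-rotation case in which the AD FS integration has to be set up again.

```powershell
# Added example, not from the original article. Summarizes the signing certificate(s)
# in a saved federation metadata file. -ExpectedThumbprint is a value you record
# yourself after registering the trust; it is not an Azure Stack parameter.
function Get-FederationMetadataSigningInfo {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedThumbprint,
        [int]$WarnWithinDays = 30
    )
    [xml]$doc = Get-Content -Path $Path -Raw -Encoding UTF8
    $entityId = $doc.DocumentElement.GetAttribute('entityID')

    # Signing certificates sit under KeyDescriptor use="signing"; local-name() sidesteps
    # the namespace prefixes (md:, fed:, ds:) that differ between metadata producers.
    $nodes = $doc.SelectNodes("//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']")
    $seen = @{}
    foreach ($node in $nodes) {
        $bytes = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # same cert is listed per role descriptor
        $seen[$cert.Thumbprint] = $true
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            EntityId        = $entityId
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            DaysLeft        = $daysLeft
            ExpiresSoon     = ($daysLeft -le $WarnWithinDays)
            MatchesExpected = if ($ExpectedThumbprint) { $cert.Thumbprint -ieq $ExpectedThumbprint } else { $null }
        }
    }
}

# Usage against the file created in step 1:
Get-FederationMetadataSigningInfo -Path c:\metadata.xml | Format-List
```

Two thumbprints in the output usually mean the account STS is already advertising a new certificate alongside the current one (automatic certificate rollover); plan to re-run the integration when the new one becomes primary.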

Trigger automation to configure claims provider trust in Azure Stack

For this procedure, use a computer that can communicate with the privileged endpoint in Azure Stack and has access to the metadata file you created in the previous step.

  1. Open an elevated Windows PowerShell session and connect to the privileged endpoint.

    $federationMetadataFileContent = Get-Content c:\metadata.xml
    $creds = Get-Credential
    Enter-PSSession -ComputerName <IP Address of ERCS> -ConfigurationName PrivilegedEndpoint -Credential $creds
    
  2. Now that you're connected to the privileged endpoint, run the following command using the parameters appropriate for your environment:

    Register-CustomAdfs -CustomAdfsName Contoso -CustomADFSFederationMetadataFileContent $using:federationMetadataFileContent
    
  3. Run the following command to update the owner of the default provider subscription. Use the parameters appropriate for your environment.

    Set-ServiceAdminOwner -ServiceAdminOwnerUpn "administrator@contoso.com"
    

    Note

    When you rotate the certificate on the existing AD FS (account STS), you must set up the AD FS integration again. You must set up the integration again whether the claims provider trust was configured from the reachable metadata endpoint or by providing the metadata file.

Configure relying party on existing AD FS deployment (account STS)

Microsoft provides a script that configures the relying party trust, including the claim transformation rules. Using the script is optional, as you can run the commands manually.

You can download the helper script from Azure Stack Tools on GitHub.

If you decide to run the commands manually, follow these steps:

  1. Copy the following content into a .txt file (for example, saved as c:\ClaimRules.txt) on your datacenter's AD FS instance or farm member:

    @RuleTemplate = "LdapClaims"
    @RuleName = "Name claim"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName;{0}", param = c.Value);
    
    @RuleTemplate = "LdapClaims"
    @RuleName = "UPN claim"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
    
    @RuleTemplate = "LdapClaims"
    @RuleName = "ObjectID claim"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
    => issue(Type = "http://schemas.microsoft.com/identity/claims/objectidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
    
    @RuleName = "Family Name and Given claim"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sn,givenName;{0}", param = c.Value);
    
    @RuleTemplate = "PassThroughClaims"
    @RuleName = "Pass through all Group SID claims"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
    => issue(claim = c);
    
    @RuleTemplate = "PassThroughClaims"
    @RuleName = "Pass through all windows account name claims"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(claim = c);
    
  2. Validate that Windows forms-based authentication for extranet and intranet is enabled. You can check whether it's already enabled by running the following cmdlet:

    Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq "FormsAuthentication" } | Select-Object Name, AllowedForPrimaryExtranet, AllowedForPrimaryIntranet
    

    Note

    The Windows Integrated Authentication (WIA) supported user agent strings may be outdated for your AD FS deployment and may require an update to support the latest clients. You can read more about updating the WIA supported user agent strings in the article Configuring intranet forms-based authentication for devices that don't support WIA.

    For steps to enable the forms-based authentication policy, see Configure Authentication Policies.

  3. To add the relying party trust, run the following Windows PowerShell command on your AD FS instance or a farm member. Make sure to update the AD FS endpoint and point to the file created in step 1.

    For AD FS 2016

    Add-ADFSRelyingPartyTrust -Name AzureStack -MetadataUrl "https://YourAzureStackADFSEndpoint/FederationMetadata/2007-06/FederationMetadata.xml" -IssuanceTransformRulesFile "C:\ClaimIssuanceRules.txt" -AutoUpdateEnabled:$true -MonitoringEnabled:$true -Enabled:$true -AccessControlPolicyName "Permit everyone" -TokenLifeTime 1440
    

    For AD FS 2012/2012 R2

    Add-ADFSRelyingPartyTrust -Name AzureStack -MetadataUrl "https://YourAzureStackADFSEndpoint/FederationMetadata/2007-06/FederationMetadata.xml" -IssuanceTransformRulesFile "C:\ClaimIssuanceRules.txt" -AutoUpdateEnabled:$true -MonitoringEnabled:$true -Enabled:$true -TokenLifeTime 1440
    

    Important

    You must use the AD FS MMC snap-in to configure the Issuance Authorization Rules when using Windows Server 2012 or 2012 R2 AD FS.

  4. When you use Internet Explorer or the Microsoft Edge browser to access Azure Stack, you must ignore token bindings. Otherwise, the sign-in attempts fail. On your AD FS instance or a farm member, run the following command:

    Note

    This step isn't applicable when using Windows Server 2012 or 2012 R2 AD FS. In that case, it's safe to skip this command and continue with the integration.

    Set-AdfsProperties -IgnoreTokenBinding $true
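Steps 1 to 4 leave several settings on the account STS that are easy to get partially wrong (a claim rules file that was not picked up, the trust left disabled, forms authentication still off, token binding not ignored). The function below is an added example, not part of the original article or the Microsoft helper script, to be run on the AD FS instance or a farm member after step 4. It reads the trust back with Get-AdfsRelyingPartyTrust and reports each setting against the values used in the commands above; the six rule names it looks for are the ones in the claim rules file in step 1.

```powershell
# Added example, not from the original article. Verifies the Azure Stack relying
# party trust and related AD FS settings after steps 1-4 of this section.
function Test-AzureStackRelyingPartyTrust {
    param(
        [string]$Name = 'AzureStack',
        [int]$ExpectedTokenLifetime = 1440
    )
    Import-Module ADFS -ErrorAction Stop
    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { return [pscustomobject]@{ Name = $Name; Found = $false } }

    # Rule names from the claim rules file in step 1.
    $expectedRules = @(
        'Name claim', 'UPN claim', 'ObjectID claim', 'Family Name and Given claim',
        'Pass through all Group SID claims', 'Pass through all windows account name claims'
    )
    $rules   = [string]$rp.IssuanceTransformRules
    $missing = $expectedRules | Where-Object {
        $rules -notmatch ('@RuleName\s*=\s*"' + [regex]::Escape($_) + '"')
    }

    # AD FS 2016 uses an access control policy ("Permit everyone" above);
    # 2012/2012 R2 rely on issuance authorization rules set in the MMC snap-in.
    $authzConfigured = [bool]$rp.AccessControlPolicyName -or
        -not [string]::IsNullOrWhiteSpace([string]$rp.IssuanceAuthorizationRules)

    $props = Get-AdfsProperties
    $forms = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq 'FormsAuthentication' }

    [pscustomobject]@{
        Name               = $rp.Name
        Found              = $true
        Enabled            = $rp.Enabled
        AutoUpdateEnabled  = $rp.AutoUpdateEnabled
        MonitoringEnabled  = $rp.MonitoringEnabled
        TokenLifetimeOk    = ($rp.TokenLifetime -eq $ExpectedTokenLifetime)
        MissingClaimRules  = @($missing)
        AuthorizationSet   = $authzConfigured
        FormsAuthIntranet  = $forms.AllowedForPrimaryIntranet
        FormsAuthExtranet  = $forms.AllowedForPrimaryExtranet
        # $null on 2012/2012 R2, where the property does not exist and step 4 is skipped
        IgnoreTokenBinding = $props.IgnoreTokenBinding
    }
}

Test-AzureStackRelyingPartyTrust | Format-List
```

A non-empty MissingClaimRules list after a successful Add-ADFSRelyingPartyTrust usually means the -IssuanceTransformRulesFile path pointed at a different file than the one written in step 1.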
    

SPN creation

There are many scenarios that require the use of a service principal name (SPN) for authentication. The following are some examples:

  • CLI usage with an AD FS deployment of Azure Stack.
  • System Center Management Pack for Azure Stack when deployed with AD FS.
  • Resource providers in Azure Stack when deployed with AD FS.
  • Various apps.
  • You require a non-interactive sign-in.

Important

AD FS only supports interactive sign-in sessions. If you require a non-interactive sign-in for an automated scenario, you must use an SPN.

For more information on creating an SPN, see Create service principal for AD FS.

Troubleshooting

Configuration rollback

If an error occurs that leaves the environment in a state where you can no longer authenticate, a rollback option is available.

  1. Open an elevated Windows PowerShell session and run the following commands:

    $creds = Get-Credential
    Enter-PSSession -ComputerName <IP Address of ERCS> -ConfigurationName PrivilegedEndpoint -Credential $creds
    
  2. Then run the following cmdlet:

    Reset-DatacenterIntegrationConfiguration
    

    After running the rollback action, all configuration changes are rolled back. Only authentication with the built-in CloudAdmin user is possible.

    Important

    You must configure the original owner of the default provider subscription.

    Set-ServiceAdminOwner -ServiceAdminOwnerUpn "azurestackadmin@[Internal Domain]"
    

Collecting additional logs

If any of the cmdlets fail, you can collect additional logs by using the Get-AzureStackLog cmdlet.

  1. Open an elevated Windows PowerShell session and run the following commands:

    $creds = Get-Credential
    Enter-PSSession -ComputerName <IP Address of ERCS> -ConfigurationName PrivilegedEndpoint -Credential $creds
    
  2. Then run the following cmdlet:

    Get-AzureStackLog -OutputPath \\myworkstation\AzureStackLogs -FilterByRole ECE
    

Next steps

Integrate external monitoring solutions