Validate graph integration for Azure Stack Hub

Use the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) to validate that your environment is ready for graph integration with Azure Stack Hub. Validate graph integration before you begin datacenter integration or before an Azure Stack Hub deployment.

The readiness checker validates:

  • The credentials to the service account created for graph integration have appropriate rights to query Active Directory.
  • The global catalog can be resolved and is contactable.
  • The KDC can be resolved and is contactable.
  • Necessary network connectivity is in place.

For more information about Azure Stack Hub datacenter integration, see Azure Stack Hub datacenter integration - Identity.

Get the readiness checker tool

Download the latest version of the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) from the PowerShell Gallery.

Prerequisites

The following prerequisites must be in place.

The computer where the tool runs:

  • Windows 10 or Windows Server 2016 with domain connectivity.
  • PowerShell 5.1 or later. To check your version, run the following PowerShell command and then review the major and minor versions:
    $PSVersionTable.PSVersion
    
  • Active Directory PowerShell module.
  • Latest version of the Microsoft Azure Stack Hub Readiness Checker tool.

Active Directory environment:

  • Identify the username and password for an account for the graph service in the existing Active Directory instance.
  • Identify the Active Directory forest root FQDN.

Validate the graph service

  1. On a computer that meets the prerequisites, open an administrative PowerShell prompt and then run the following command to install the AzsReadinessChecker:

    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
    
  2. From the PowerShell prompt, run the following command to set the $graphCredential variable to the graph account. Replace contoso\graphservice with your account by using the domain\username format.

    $graphCredential = Get-Credential contoso\graphservice -Message "Enter Credentials for the Graph Service Account"
    
  3. From the PowerShell prompt, run the following command to start validation for the graph service. Specify the value for -ForestFQDN as the FQDN for the forest root.

    Invoke-AzsGraphValidation -ForestFQDN contoso.com -Credential $graphCredential
    
  4. After the tool runs, review the output. Confirm that the status is OK for graph integration requirements. A successful validation is similar to the following example:

    Testing Graph Integration (v1.0)
            Test Forest Root:            OK
            Test Graph Credential:       OK
            Test Global Catalog:         OK
            Test KDC:                    OK
            Test LDAP Search:            OK
            Test Network Connectivity:   OK
    
    Details:
    
    [-] In standalone mode, some tests should not be considered fully indicative of connectivity or readiness the Azure Stack Hub Stamp requires prior to Datacenter Integration.
    
    Additional help URL: https://aka.ms/AzsGraphIntegration
    
    AzsReadinessChecker Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    
    AzsReadinessChecker Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    
    Invoke-AzsGraphValidation Completed
    

In production environments, testing network connectivity from an operator's workstation isn't fully indicative of the connectivity available to Azure Stack Hub. The Azure Stack Hub stamp's public VIP network needs the connectivity for LDAP traffic to perform identity integration.

Report and log file

Each time validation runs, it logs results to AzsReadinessChecker.log and AzsReadinessCheckerReport.json. The location of these files appears with the validation results in PowerShell.

The validation files can help you share status before you deploy Azure Stack Hub or investigate validation problems. Both files persist the results of each subsequent validation check. The report gives your deployment team confirmation of the identity configuration. The log file can help your deployment or support team investigate validation issues.

By default, both files are written to C:\Users\<username>\AppData\Local\Temp\AzsReadinessChecker\.

Use:

  • -OutputPath: The path parameter at the end of the run command to specify a different report location.
  • -CleanReport: The parameter at the end of the run command to clear AzsReadinessCheckerReport.json of previous report information.

For more information, see Azure Stack Hub validation report.
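
The sample output flags the log and report as containing PII, and the default location is a per-user Temp folder. The following added example (not part of the original documentation) runs the validation with -OutputPath pointed at a directory whose ACL is restricted first, and with -CleanReport so earlier results are not carried into a report that gets shared. The directory C:\AzsReadiness\Graph is a hypothetical path; the account and forest names are the page's own placeholders.

```powershell
# Added example. C:\AzsReadiness\Graph is a hypothetical location; choose your own.
$reportDir = 'C:\AzsReadiness\Graph'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Stop inheriting permissions from the parent folder and discard the inherited
# entries, so only the identities granted below can read the PII-bearing files.
$acl = Get-Acl -Path $reportDir
$acl.SetAccessRuleProtection($true, $false)

$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($identity in @($currentUser, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity,
        'FullControl',
        'ContainerInherit,ObjectInherit',   # apply to files and subfolders
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $reportDir -AclObject $acl

# Same commands as in the validation steps, with the two report parameters
# appended at the end of the run command.
$graphCredential = Get-Credential contoso\graphservice `
    -Message "Enter Credentials for the Graph Service Account"

Invoke-AzsGraphValidation -ForestFQDN contoso.com -Credential $graphCredential `
    -OutputPath $reportDir -CleanReport

# Confirm who can read the output before handing the report to anyone.
(Get-Acl -Path $reportDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```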

Validation failures

If a validation check fails, details about the failure appear in the PowerShell window. The tool also logs information to AzsGraphIntegration.log.
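
When the global catalog, KDC, or network connectivity test fails, a manual spot check from the same computer can separate a DNS problem from a blocked port. The following is an added example, not the readiness checker's own logic and not part of the original documentation; it assumes the forest publishes the standard Active Directory locator SRV records, and the function name Test-LocatorService is hypothetical. As with the tool itself, a result from an operator workstation does not prove connectivity from the Azure Stack Hub stamp.

```powershell
# Added example: manual spot checks, not AzsReadinessChecker's own logic.
# Assumption: the forest publishes the standard AD locator SRV records.
$forestFqdn = 'contoso.com'   # forest root FQDN, as used in the validation steps

function Test-LocatorService {
    param(
        [Parameter(Mandatory)] [string] $Service,   # label for the output
        [Parameter(Mandatory)] [string] $SrvName    # SRV record to resolve
    )
    $srv = Resolve-DnsName -Name $SrvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        # Name resolution failed: report it instead of throwing.
        return [pscustomobject]@{
            Service = $Service; Target = $null; Port = $null
            Resolved = $false; Reachable = $false
        }
    }
    foreach ($record in $srv) {
        # Probe each advertised host on the port the SRV record publishes.
        $probe = Test-NetConnection -ComputerName $record.NameTarget `
            -Port $record.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service = $Service; Target = $record.NameTarget; Port = $record.Port
            Resolved = $true; Reachable = $probe.TcpTestSucceeded
        }
    }
}

$results = @(
    Test-LocatorService -Service 'Global catalog' -SrvName "_gc._tcp.$forestFqdn"
    Test-LocatorService -Service 'KDC'            -SrvName "_kerberos._tcp.$forestFqdn"
    Test-LocatorService -Service 'LDAP'           -SrvName "_ldap._tcp.$forestFqdn"
)
$results | Format-Table -AutoSize

# Anything unresolved or unreachable is where to start looking.
$results | Where-Object { -not ($_.Resolved -and $_.Reachable) }
```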

Next steps

View the readiness report
General Azure Stack Hub integration considerations