验证 Azure 注册Validate Azure registration

开始 Azure Stack 部署之前,使用 Azure Stack 就绪性检查器工具 (AzsReadinessChecker) 验证 Azure 订阅是否已准备好与 Azure Stack 配合使用。Use the Azure Stack Readiness Checker tool (AzsReadinessChecker) to validate that your Azure subscription is ready to use with Azure Stack before you begin an Azure Stack deployment. 就绪性检查器会验证下列项:The readiness checker validates that:

  • 你使用的 Azure 订阅是受支持的类型。The Azure subscription you use is a supported type. 订阅必须是云解决方案提供商 (CSP) 或企业协议 (EA)。Subscriptions must be a Cloud Solution Provider (CSP) or Enterprise Agreement (EA).
  • 用来向 Azure 注册订阅的帐户可以登录到 Azure 并且是订阅所有者。The account you use to register your subscription with Azure can sign in to Azure and is a subscription owner.

有关 Azure Stack 注册的详细信息,请参阅向 Azure 注册 Azure StackFor more information about Azure Stack registration, see Register Azure Stack with Azure.

获取就绪性检查器工具Get the readiness checker tool

PowerShell 库下载最新版本的 AzsReadinessCheckerDownload the latest version of AzsReadinessChecker from the PowerShell Gallery.

先决条件Prerequisites

以下系统必备组件是必需的:The following prerequisites are required:

运行该工具的计算机The computer on which the tool runs

Azure Active Directory 环境Azure Active Directory environment

  • 标识将与 Azure Stack 配合使用的帐户的用户名和密码,该帐户必须是 Azure 订阅所有者。Identify the username and password for an account that is an owner for the Azure subscription you will use with Azure Stack.
  • 标识将使用的 Azure 订阅的订阅 ID。Identify the subscription ID for the Azure subscription you will use.
  • 标识将使用的 AzureEnvironmentIdentify the AzureEnvironment you will use. 环境名称参数支持的值是 AzureChinaCloud,具体取决于所使用的 Azure 订阅。Supported values for the environment name parameter is AzureChinaCloud depending on which Azure subscription you are using.

验证 Azure 注册的步骤Steps to validate the Azure registration

  1. 在满足先决条件的计算机上,打开一个提升的 PowerShell 提示符,然后运行以下命令来安装 AzsReadinessCheckerOn a computer that meets the prerequisites, open an elevated PowerShell prompt, and then run the following command to install AzsReadinessChecker:

    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
    
  2. 在 PowerShell 提示符下运行以下命令,将 $registrationCredential 设置为身为订阅所有者的帐户。From the PowerShell prompt, run the following command to set $registrationCredential as the account that is the subscription owner. subscriptionowner@contoso.partner.onmschina.cn 替换为你的帐户和租户名称:Replace subscriptionowner@contoso.partner.onmschina.cn with your account and tenant name:

    $registrationCredential = Get-Credential subscriptionowner@contoso.partner.onmschina.cn -Message "Enter Credentials for Subscription Owner"
    

    Note

    作为 CSP,在使用共享服务或 IUR 订阅时,你必须提供来自相应 Azure AD 的用户的凭据。As a CSP, when using a shared services or IUR subscription, you must provide the credentials of a user from that respective Azure AD. 通常这将类似于 subscriptionowner@iurcontoso.partner.onmschina.cnUsually this will be similar to subscriptionowner@iurcontoso.partner.onmschina.cn. 该用户必须具有相应的凭据,如上一步所述。That user must have the appropriate credentials, as described in the previous step.

  3. 在 PowerShell 提示符下运行以下命令,将 $subscriptionID 设置为要使用的 Azure 订阅。From the PowerShell prompt, run the following to set $subscriptionID as the Azure subscription to use. xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 替换为你自己的订阅 ID:Replace xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with your own subscription ID:

    $subscriptionID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    
  4. 在 PowerShell 提示符下运行以下命令,开始验证订阅:From the PowerShell prompt, run the following command to start validation of your subscription:

    • 将 AzureEnvironment 的值指定为 AzureChinaCloudSpecify the value for AzureEnvironment as AzureChinaCloud.

    • 提供 Azure Active Directory 管理员用户名和 Azure Active Directory 租户名称。Provide your Azure Active Directory administrator and your Azure Active Directory tenant name.

      Invoke-AzsRegistrationValidation -RegistrationAccount $registrationCredential -AzureEnvironment AzureChinaCloud -RegistrationSubscriptionID $subscriptionID
      
  5. 运行该工具后,查看输出。After the tool runs, review the output. 确认状态是否符合登录和注册要求。Confirm the status is correct for both sign-in and the registration requirements. 验证成功时会显示类似于以下示例的输出:Successful validation output appears similar to the following example:

    Invoke-AzsRegistrationValidation v1.1809.1005.1 started.
    Checking Registration Requirements: OK
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    Invoke-AzsRegistrationValidation Completed
    

报表和日志文件Report and log file

每次运行验证时,它都会将结果记录到 AzsReadinessChecker.logAzsReadinessCheckerReport.json 中。Each time validation runs, it logs results to AzsReadinessChecker.log and AzsReadinessCheckerReport.json. 这些文件的位置会随验证结果一起显示在 PowerShell 中。The location of these files displays along with the validation results in PowerShell.

这些文件可以帮助你在部署 Azure Stack 之前共享验证状态,或者调查验证问题。These files can help you share validation status before you deploy Azure Stack or investigate validation problems. 这两个文件都会持久保留每个后续验证检查的结果。Both files persist the results of each subsequent validation check. 报表向你的部署团队提供标识配置确认。The report provides your deployment team confirmation of the identity configuration. 日志文件可以帮助你的部署或支持团队调查验证问题。The log file can help your deployment or support team investigate validation issues.

默认情况下,这两个文件都写入到 C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.jsonBy default, both files are written to C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json.

  • 在运行命令行的末尾使用 -OutputPath <path> 参数来指定不同的报表位置。Use the -OutputPath <path> parameter at the end of the run command line to specify a different report location.
  • 在运行命令的末尾使用 -CleanReport 参数从 AzsReadinessCheckerReport.json 中清除有关以前运行此工具的相关信息。Use the -CleanReport parameter at the end of the run command to clear information about previous runs of the tool from AzsReadinessCheckerReport.json.

有关详细信息,请参阅 Azure Stack 验证报告For more information, see Azure Stack validation report.

验证失败Validation failures

如果验证检查失败,则有关失败的详细信息将显示在 PowerShell 窗口中。If a validation check fails, details about the failure display in the PowerShell window. 该工具还会将信息记录到 AzsReadinessChecker.log 文件中。The tool also logs information to the AzsReadinessChecker.log file.

以下示例提供了有关常见验证失败的更多信息。The following examples provide more information about common validation failures.

用户必须是订阅所有者User must be an owner of the subscription

Invoke-AzsRegistrationValidation v1.1809.1005.1 started.
Checking Registration Requirements: Fail
Error Details for registration account admin@contoso.partner.onmschina.cn:
The user admin@contoso.partner.onmschina.cn is role(s) Reader for subscription 3f961d1c-d1fb-40c3-99ba-44524b56df2d. User must be an owner of the subscription to be used for registration.
Additional help URL https://aka.ms/AzsRemediateRegistration

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsRegistrationValidation Completed

原因 - 帐户不是 Azure 订阅的管理员。Cause - The account is not an administrator of the Azure subscription.

解决方法 - 使用要根据 Azure Stack 部署中的资源使用量而被收费的 Azure 订阅的管理员帐户。Resolution - Use an account that is an administrator of the Azure subscription that will be billed for usage from the Azure Stack deployment.

过期的或临时密码Expired or temporary password

Invoke-AzsRegistrationValidation v1.1809.1005.1 started.
Checking Registration Requirements: Fail
Error Details for registration account admin@contoso.partner.onmschina.cn:
Checking Registration failed with: Retrieving TenantId for subscription [subscription ID] using account admin@contoso.partner.onmschina.cn failed with AADSTS50055: Force Change Password.
Trace ID: [Trace ID]
Correlation ID: [Correlation ID]
Timestamp: 2018-10-22 11:16:56Z: The remote server returned an error: (401) Unauthorized.

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsRegistrationValidation Completed

原因 - 因为密码已过期或者是临时的,所以帐户无法登录。Cause - The account cannot sign in, because the password is either expired or is temporary.

解决方法 - 在 PowerShell 中运行以下命令,然后根据提示来重置密码。Resolution - In PowerShell, run the following command and follow the prompts to reset the password.

Login-AzureRMAccount -EnvironmentName AzureChinaCloud

或者,以帐户所有者身份登录到 Azure 门户,强制用户更改密码。Alternatively, sign in to the Azure portal as the account owner, and the user will be forced to change the password.

未知用户类型Unknown user type

Invoke-AzsRegistrationValidation v1.1809.1005.1 started.
Checking Registration Requirements: Fail
Error Details for registration account admin@contoso.partner.onmschina.cn:
Checking Registration failed with: Retrieving TenantId for subscription <subscription ID> using <account> failed with unknown_user_type: Unknown User Type

Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
Invoke-AzsRegistrationValidation Completed

原因 - 帐户无法登录到指定的 Azure Active Directory 环境。Cause - The account cannot sign in to the specified Azure Active Directory environment. 在本例中,将 AzureChinaCloud 指定为了 AzureEnvironmentIn this example, AzureChinaCloud is specified as the AzureEnvironment.

解决方法 - 确认帐户对指定的 Azure 环境有效。Resolution - Confirm that the account is valid for the specified Azure environment. 在 PowerShell 中运行以下命令,验证帐户对特定环境是否有效:In PowerShell, run the following command to verify the account is valid for a specific environment:

Login-AzureRmAccount -EnvironmentName AzureChinaCloud

后续步骤Next Steps