Use an Azure file share with Windows

Azure Files is an easy-to-use cloud file system. Azure file shares can be seamlessly used in Windows and Windows Server. This article discusses the considerations for using an Azure file share with Windows and Windows Server.

To use an Azure file share outside of the Azure region it is hosted in, such as on-premises or in a different Azure region, the OS must support SMB 3.0.

You can use Azure file shares on a Windows installation that is running either in an Azure VM or on-premises. The following table illustrates which OS versions support accessing file shares in which environment:

| Windows version | SMB version | Mountable in Azure VM | Mountable on-premises |
|---|---|---|---|
| Windows Server 2019 | SMB 3.0 | Yes | Yes |
| Windows 10¹ | SMB 3.0 | Yes | Yes |
| Windows Server semi-annual channel² | SMB 3.0 | Yes | Yes |
| Windows Server 2016 | SMB 3.0 | Yes | Yes |
| Windows 8.1 | SMB 3.0 | Yes | Yes |
| Windows Server 2012 R2 | SMB 3.0 | Yes | Yes |
| Windows Server 2012 | SMB 3.0 | Yes | Yes |
| Windows 7³ | SMB 2.1 | Yes | No |
| Windows Server 2008 R2³ | SMB 2.1 | Yes | No |

¹ Windows 10, versions 1507, 1607, 1709, 1803, 1809, 1903, and 1909.
² Windows Server, versions 1809, 1903, and 1909.
³ Regular Microsoft support for Windows 7 and Windows Server 2008 R2 has ended. It is possible to purchase additional support for security updates only through the Extended Security Update (ESU) program. We strongly recommend migrating off of these operating systems.

Note

We always recommend taking the most recent KB for your version of Windows.

Prerequisites

Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked. You can check if your firewall is blocking port 445 with the Test-NetConnection cmdlet. To learn about ways to work around a blocked 445 port, see the Cause 1: Port 445 is blocked section of our Windows troubleshooting guide.

Using an Azure file share with Windows

To use an Azure file share with Windows, you must either mount it, which means assigning it a drive letter or mount point path, or access it via its UNC path.

This article uses the storage account key to access the file share. A storage account key is an administrator key for a storage account, including administrator permissions to all files and folders within the file share you're accessing, and for all file shares and other storage resources (blobs, queues, tables, etc.) contained within your storage account.

A common pattern for lifting and shifting line-of-business (LOB) applications that expect an SMB file share to Azure is to use an Azure file share as an alternative to running a dedicated Windows file server in an Azure VM. One important consideration for successfully migrating a line-of-business application to use an Azure file share is that many line-of-business applications run under the context of a dedicated service account with limited system permissions rather than the VM's administrative account. Therefore, you must ensure that you mount/save the credentials for the Azure file share from the context of the service account rather than your administrative account.

Mount the Azure file share

The Azure portal provides you with a script that you can use to mount your file share directly to a host. We recommend using this provided script.

To get this script:

  1. Sign in to the Azure portal.

  2. Navigate to the storage account that contains the file share you'd like to mount.

  3. Select File shares.

  4. Select the file share you'd like to mount.

  5. Select Connect.

    [Screenshot: the Connect icon for the file share]

  6. Select the drive letter to mount the share to.

  7. Copy the provided script.

  8. Paste the script into a shell on the host you'd like to mount the file share to, and run it.

You have now mounted your Azure file share.
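The service-account consideration described earlier, as an added example (this is not the portal-generated script and is not from the original article): it checks port 445, saves the credential for the account running the session, and mounts the share. It assumes an interactive PowerShell session started as the service account; the storage account name, share name and drive letter are placeholders.

```powershell
# Added example. Run in a session started as the service account: cmdkey saves
# the credential for the current user only, not for other accounts on the host.
$storageAccountName = '<storageAccountName>'   # placeholder
$fileShareName      = '<fileShareName>'        # placeholder
$driveLetter        = 'Z'                      # assumed to be a free drive letter
$endpoint = "$storageAccountName.file.core.chinacloudapi.cn"
$userName = "AZURE\$storageAccountName"

Write-Host "Saving credentials for: $(whoami)"

# 1. SMB needs outbound TCP 445; stop early if a firewall blocks it.
$probe = Test-NetConnection -ComputerName $endpoint -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $endpoint is blocked; the share cannot be mounted."
}

# 2. Prompt for the storage account key so it is never hard-coded in a script.
$secureKey = Read-Host -Prompt "Storage account key for $storageAccountName" -AsSecureString
$credential = New-Object System.Management.Automation.PSCredential($userName, $secureKey)
$plainKey = $credential.GetNetworkCredential().Password

# 3. Persist the credential in this user's Credential Manager vault.
#    cmdkey receives the key as a command-line argument, so hosts that log
#    process command lines will record it; restrict access to those logs.
try {
    cmdkey "/add:$endpoint" "/user:$userName" "/pass:$plainKey" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cmdkey failed with exit code $LASTEXITCODE." }
} finally {
    Remove-Variable plainKey
}

# 4. Mount with the saved credential; -Persist maps a real Windows drive letter.
New-PSDrive -Name $driveLetter -PSProvider FileSystem `
    -Root "\\$endpoint\$fileShareName" -Persist -Scope Global | Out-Null

# 5. Touch the drive, then show the negotiated dialect and encryption state.
Get-ChildItem "${driveLetter}:\" | Out-Null
Get-SmbConnection -ServerName $endpoint |
    Select-Object ServerName, ShareName, UserName, Dialect, Encrypted
```

Because the storage account key grants administrator access to the whole storage account, any account that can read the service account's saved credentials inherits that access.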

Mount the Azure file share with File Explorer

Note

Note that the following instructions are shown on Windows 10 and may differ slightly on older releases.

  1. Open File Explorer. Open it from the Start menu, or press the Win+E shortcut.

  2. Navigate to This PC on the left-hand side of the window. This will change the menus available in the ribbon. Under the Computer menu, select Map network drive.

    [Screenshot: the Map network drive drop-down menu]

  3. Select the drive letter and enter the UNC path. The UNC path format is \\<storageAccountName>.file.core.chinacloudapi.cn\<fileShareName>. For example: \\anexampleaccountname.file.core.chinacloudapi.cn\example-share-name.

    [Screenshot: the Map Network Drive dialog]

  4. Use the storage account name prepended with AZURE\ as the username and a storage account key as the password.

    [Screenshot: the network credential dialog]

  5. Use Azure file share as desired.

    [Screenshot: the Azure file share is now mounted]

  6. When you are ready to dismount the Azure file share, you can do so by right-clicking on the entry for the share under the Network locations in File Explorer and selecting Disconnect.

Accessing share snapshots from Windows

If you have taken a share snapshot, either manually or automatically through a script or service like Azure Backup, you can view previous versions of a share, a directory, or a particular file from the file share on Windows. You can take a share snapshot using Azure PowerShell, Azure CLI, or the Azure portal.

List previous versions

Browse to the item or parent item that needs to be restored. Double-click to go to the desired directory. Right-click and select Properties from the menu.

[Screenshot: right-click menu for a selected directory]

Select Previous Versions to see the list of share snapshots for this directory. The list might take a few seconds to load, depending on the network speed and the number of share snapshots in the directory.

[Screenshot: the Previous Versions tab]

You can select Open to open a particular snapshot.

[Screenshot: an opened snapshot]

Restore from a previous version

Select Restore to copy the contents of the entire directory recursively at the share snapshot creation time to the original location.

[Screenshot: the Restore button in the warning message]

Securing Windows/Windows Server

In order to mount an Azure file share on Windows, port 445 must be accessible. Many organizations block port 445 because of the security risks inherent with SMB 1. SMB 1, also known as CIFS (Common Internet File System), is a legacy file system protocol included with Windows and Windows Server. SMB 1 is an outdated, inefficient, and most importantly insecure protocol. The good news is that Azure Files does not support SMB 1, and all supported versions of Windows and Windows Server make it possible to remove or disable SMB 1. We always strongly recommend removing or disabling the SMB 1 client and server in Windows before using Azure file shares in production.

The following table provides detailed information on the status of SMB 1 on each version of Windows:

| Windows version | SMB 1 default status | Disable/Remove method |
|---|---|---|
| Windows Server 2019 | Disabled | Remove with Windows feature |
| Windows Server, versions 1709+ | Disabled | Remove with Windows feature |
| Windows 10, versions 1709+ | Disabled | Remove with Windows feature |
| Windows Server 2016 | Enabled | Remove with Windows feature |
| Windows 10, versions 1507, 1607, and 1703 | Enabled | Remove with Windows feature |
| Windows Server 2012 R2 | Enabled | Remove with Windows feature |
| Windows 8.1 | Enabled | Remove with Windows feature |
| Windows Server 2012 | Enabled | Disable with Registry |
| Windows Server 2008 R2 | Enabled | Disable with Registry |
| Windows 7 | Enabled | Disable with Registry |

Auditing SMB 1 usage

Applies to Windows Server 2019, Windows Server semi-annual channel (versions 1709 and 1803), Windows Server 2016, Windows 10 (versions 1507, 1607, 1703, 1709, and 1803), Windows Server 2012 R2, and Windows 8.1

Before removing SMB 1 in your environment, you may wish to audit SMB 1 usage to see if any clients will be broken by the change. If any requests are made against SMB shares with SMB 1, an audit event will be logged in the event log under Applications and Services Logs > Microsoft > Windows > SMBServer > Audit.

Note

To enable auditing support on Windows Server 2012 R2 and Windows 8.1, install at least KB4022720.

To enable auditing, execute the following cmdlet from an elevated PowerShell session:

Set-SmbServerConfiguration -AuditSmb1Access $true
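Once auditing has run for a while, the audit log can be summarized per client to see who would break when SMB 1 is removed. The following is an added example, not part of the original article; the 14-day window is an assumed review period, and the regular expression assumes the event message carries a "Client Address:" line.

```powershell
# Added example. Run elevated on the server where SMB 1 auditing was enabled.
$logName = 'Microsoft-Windows-SMBServer/Audit'
$since   = (Get-Date).AddDays(-14)   # assumed review window

# Without auditing switched on, an empty log proves nothing.
if (-not (Get-SmbServerConfiguration).AuditSmb1Access) {
    throw 'AuditSmb1Access is off; enable it and let it collect data first.'
}

# Event ID 3000 is the "SMB1 access" audit event in this log.
$filter = @{ LogName = $logName; Id = 3000; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No SMB 1 requests recorded since $since."
    return
}

# Pull the client address out of each message (message layout is an assumption)
# and report request count plus first/last time seen for every client.
$events |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
        }
    } |
    Group-Object -Property Client |
    ForEach-Object {
        $times = $_.Group.Time | Measure-Object -Minimum -Maximum
        [pscustomobject]@{
            Client    = $_.Name
            Requests  = $_.Count
            FirstSeen = $times.Minimum
            LastSeen  = $times.Maximum
        }
    } |
    Sort-Object -Property Requests -Descending |
    Format-Table -AutoSize
```

Clients that still appear in the output need to be upgraded or reconfigured before SMB 1 is removed from the server.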

Removing SMB 1 from Windows Server

Applies to Windows Server 2019, Windows Server semi-annual channel (versions 1709 and 1803), Windows Server 2016, Windows Server 2012 R2

To remove SMB 1 from a Windows Server instance, execute the following cmdlet from an elevated PowerShell session:

Remove-WindowsFeature -Name FS-SMB1

To complete the removal process, restart your server.

Note

Starting with Windows 10 and Windows Server version 1709, SMB 1 is not installed by default and has separate Windows features for the SMB 1 client and SMB 1 server. We always recommend leaving both the SMB 1 server (FS-SMB1-SERVER) and the SMB 1 client (FS-SMB1-CLIENT) uninstalled.

Removing SMB 1 from Windows client

Applies to Windows 10 (versions 1507, 1607, 1703, 1709, and 1803) and Windows 8.1

To remove SMB 1 from your Windows client, execute the following cmdlet from an elevated PowerShell session:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

To complete the removal process, restart your PC.

Disabling SMB 1 on legacy versions of Windows/Windows Server

Applies to Windows Server 2012, Windows Server 2008 R2, and Windows 7

SMB 1 cannot be completely removed on legacy versions of Windows/Windows Server, but it can be disabled through the Registry. To disable SMB 1, create a new registry key SMB1 of type DWORD with a value of 0 under HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > LanmanServer > Parameters.

You can easily accomplish this with the following PowerShell cmdlet as well:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

After creating this registry key, you must restart your server to disable SMB 1.
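After the restart, it is worth confirming that SMB 1 is really off, whichever of the three methods above was used. The following is an added example, not part of the original article; it assumes PowerShell 3.0 or later and an elevated session, and the report field names are illustrative.

```powershell
# Added example. Reports SMB 1 state through every mechanism this OS exposes.
$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# SMB server configuration (cmdlet is absent on Windows 7 / Server 2008 R2).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $cfg = Get-SmbServerConfiguration
    $report.ServerSmb1Enabled = $cfg.EnableSMB1Protocol
    $report.Smb1AuditEnabled  = $cfg.AuditSmb1Access
}

# Optional-feature state, the mechanism used on Windows 8.1 and Windows 10.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    if ($feature) { $report.Smb1FeatureState = $feature.State }
}

# Registry value used on legacy versions: 0 means SMB 1 is disabled.
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$value = (Get-ItemProperty -Path $path -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$report.RegistrySMB1 = if ($null -eq $value) { 'not set' } else { $value }

# Flag the host if any mechanism still reports SMB 1 as available.
$report.Smb1StillAvailable =
    ($report.ServerSmb1Enabled -eq $true) -or
    ($report.Smb1FeatureState -eq 'Enabled') -or
    ($report.RegistrySMB1 -eq 1)

[pscustomobject]$report
```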
