Troubleshoot Azure Files problems in Windows

This article lists common problems that are related to Azure Files when you connect from Windows clients. It also provides possible causes and resolutions for these problems. In addition to the troubleshooting steps in this article, you can also use AzFileDiagnostics to ensure that the Windows client environment has the correct prerequisites. AzFileDiagnostics automates detection of most of the symptoms mentioned in this article and helps set up your environment to get optimal performance. You can also find this information in the Azure Files shares Troubleshooter, which provides steps to assist you with problems connecting, mapping, or mounting Azure Files shares.

Error 5 when you mount an Azure file share

When you try to mount a file share, you might receive the following error:

  • System error 5 has occurred. Access is denied.

Cause 1: Unencrypted communication channel

For security reasons, connections to Azure file shares are blocked if the communication channel isn't encrypted and if the connection attempt isn't made from the same datacenter where the Azure file shares reside. Unencrypted connections within the same datacenter can also be blocked if the Secure transfer required setting is enabled on the storage account. An encrypted communication channel is provided only if the user's client OS supports SMB encryption.

Windows 8, Windows Server 2012, and later versions of each system negotiate requests that include SMB 3.0, which supports encryption.

Solution for cause 1

  1. Connect from a client that supports SMB encryption (Windows 8, Windows Server 2012 or later) or connect from a virtual machine in the same datacenter as the Azure storage account that is used for the Azure file share.
  2. Verify the Secure transfer required setting is disabled on the storage account if the client does not support SMB encryption.

Cause 2: Virtual network or firewall rules are enabled on the storage account

If virtual network (VNET) and firewall rules are configured on the storage account, network traffic will be denied access unless the client IP address or virtual network is allowed access.

Solution for cause 2

Verify virtual network and firewall rules are configured properly on the storage account. To test whether virtual network or firewall rules are causing the issue, temporarily change the setting on the storage account to Allow access from all networks. To learn more, see Configure Azure Storage firewalls and virtual networks.

Error 53, Error 67, or Error 87 when you mount or unmount an Azure file share

When you try to mount a file share from on-premises or from a different datacenter, you might receive the following errors:

  • System error 53 has occurred. The network path was not found.
  • System error 67 has occurred. The network name cannot be found.
  • System error 87 has occurred. The parameter is incorrect.

Cause 1: Port 445 is blocked

System error 53 or system error 67 can occur if port 445 outbound communication to an Azure Files datacenter is blocked. To see the summary of ISPs that allow or disallow access from port 445, go to TechNet.

To check if your firewall or ISP is blocking port 445, use the AzFileDiagnostics tool or the Test-NetConnection cmdlet.

To use the Test-NetConnection cmdlet, the Azure PowerShell module must be installed; see Install Azure PowerShell module for more information. Remember to replace <your-storage-account-name> and <your-resource-group-name> with the relevant names for your storage account.

$resourceGroupName = "<your-resource-group-name>"
$storageAccountName = "<your-storage-account-name>"

# This command requires you to be logged into your Azure account, run Login-AzAccount -Environment AzureChinaCloud if you haven't
# already logged in.
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName

# The ComputerName, or host, is <storage-account>.file.core.chinacloudapi.cn for Azure China Regions.
Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445

If the connection was successful, you should see the following output:

ComputerName     : <your-storage-account-name>
RemoteAddress    : <storage-account-ip-address>
RemotePort       : 445
InterfaceAlias   : <your-network-interface>
SourceAddress    : <your-ip-address>
TcpTestSucceeded : True

Note

The above command returns the current IP address of the storage account. This IP address is not guaranteed to remain the same, and may change at any time. Do not hardcode this IP address into any scripts, or into a firewall configuration.

Solution for cause 1

Solution 1 - Unblock port 445 with help of your ISP/IT Admin

Work with your IT department or ISP to open port 445 outbound to Azure IP ranges.

Solution 2 - Use REST API based tools like Storage Explorer/PowerShell

Azure Files also supports REST in addition to SMB. REST access works over port 443 (standard TCP). There are various tools written using the REST API that provide a rich UI experience. Storage Explorer is one of them. Download and install Storage Explorer and connect to your file share backed by Azure Files. You can also use PowerShell, which also uses the REST API.

Cause 2: NTLMv1 is enabled

System error 53 or system error 87 can occur if NTLMv1 communication is enabled on the client. Azure Files supports only NTLMv2 authentication. Having NTLMv1 enabled creates a less-secure client. Therefore, communication is blocked for Azure Files.

To determine whether this is the cause of the error, verify that the following registry subkey is set to a value of 3:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa > LmCompatibilityLevel

For more information, see the LmCompatibilityLevel topic on TechNet.

Solution for cause 2

Revert the LmCompatibilityLevel value to the default value of 3 in the following registry subkey:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
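
The registry check described above can be scripted so it also reports what the client will send at the current level. This is an added example, not part of the original article; the function name Get-LmCompatibilityStatus is hypothetical, and an absent value is treated as the default of 3 that the article states.

```powershell
# Added example (not from the original article). Function name is hypothetical.
function Get-LmCompatibilityStatus {
    [CmdletBinding()]
    param(
        # Registry location named in the article, in PowerShell drive syntax.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    # What each LmCompatibilityLevel makes this machine send when it acts as a client.
    $clientBehavior = @{
        0 = 'Sends LM and NTLM responses'
        1 = 'Sends LM and NTLM responses; NTLMv2 session security if negotiated'
        2 = 'Sends NTLM response only'
        3 = 'Sends NTLMv2 response only'
        4 = 'Sends NTLMv2 response only (domain controllers refuse LM)'
        5 = 'Sends NTLMv2 response only (domain controllers refuse LM and NTLM)'
    }

    # Returns $null when the value has never been written (no policy, no manual edit).
    $item = Get-ItemProperty -Path $Path -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Assumption: an absent value means the default of 3 stated in the article.
        $explicitlySet = $false
        $level = 3
    }
    else {
        $explicitlySet = $true
        $level = [int]$item.LmCompatibilityLevel
    }

    $behavior = $clientBehavior[$level]
    if (-not $behavior) { $behavior = 'Unrecognized value' }

    [pscustomobject]@{
        Level           = $level
        ExplicitlySet   = $explicitlySet
        ClientBehavior  = $behavior
        # The article asks for 3; levels 4 and 5 also send only NTLMv2 as a client.
        SendsOnlyNtlmV2 = ($level -ge 3 -and $level -le 5)
    }
}

$status = Get-LmCompatibilityStatus
$status | Format-List

if (-not $status.SendsOnlyNtlmV2) {
    Write-Warning ("LmCompatibilityLevel is {0}: this client can send LM/NTLMv1 responses, " -f $status.Level +
                   "which Azure Files does not accept. Check whether a Group Policy sets this value before changing it.")
}
```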

Error 1816 "Not enough quota is available to process this command" when you copy to an Azure file share

Cause

Error 1816 happens when you reach the upper limit of concurrent open handles that are allowed for a file on the computer where the file share is being mounted.

Solution

Reduce the number of concurrent open handles by closing some handles, and then retry. For more information, see Azure Storage performance and scalability checklist.

To view open handles for a file share, directory or file, use the Get-AzStorageFileHandle PowerShell cmdlet.

To close open handles for a file share, directory or file, use the Close-AzStorageFileHandle PowerShell cmdlet.

Note

The Get-AzStorageFileHandle and Close-AzStorageFileHandle cmdlets are included in Az PowerShell module version 2.4 or later. To install the latest Az PowerShell module, see Install the Azure PowerShell module.

Error "No access" when you try to access or delete an Azure File Share

When you try to access or delete an Azure file share in the portal, you may receive the following error:

No access
Error code: 403

Cause 1: Virtual network or firewall rules are enabled on the storage account

Solution for cause 1

Verify virtual network and firewall rules are configured properly on the storage account. To test whether virtual network or firewall rules are causing the issue, temporarily change the setting on the storage account to Allow access from all networks. To learn more, see Configure Azure Storage firewalls and virtual networks.

Cause 2: Your user account does not have access to the storage account

Solution for cause 2

Browse to the storage account where the Azure file share is located, click Access control (IAM) and verify your user account has access to the storage account. To learn more, see How to secure your storage account with Role-Based Access Control (RBAC).

Unable to delete a file or directory in an Azure file share

When you try to delete a file, you may receive the following error:

The specified resource is marked for deletion by an SMB client.

Cause

This issue typically occurs if the file or directory has an open handle.

Solution

If the SMB clients have closed all open handles and the issue continues to occur, perform the following:

Note

The Get-AzStorageFileHandle and Close-AzStorageFileHandle cmdlets are included in Az PowerShell module version 2.4 or later. To install the latest Az PowerShell module, see Install the Azure PowerShell module.
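
One way to use the two handle cmdlets for both the error 1816 case and the "marked for deletion" case, reviewing which clients hold handles before closing any. This is an added example, not part of the original article; the variable names and the placeholders in angle brackets are assumptions to replace with your own values.

```powershell
# Added example (not from the original article). Replace the placeholders below.
$resourceGroupName  = '<your-resource-group-name>'
$storageAccountName = '<your-storage-account-name>'
$shareName          = '<your-share-name>'
$stuckPath          = '<path-inside-share-to-file-or-directory>'
$stuckIsDirectory   = $false   # set to $true when $stuckPath is a directory

# Requires an authenticated Az session, as in the port 445 test earlier in the article.
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$ctx = $storageAccount.Context

# 1. Share-wide view: which client IPs hold the most open handles (error 1816 triage).
Get-AzStorageFileHandle -Context $ctx -ShareName $shareName -Recursive |
    Group-Object -Property ClientIp |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# 2. Handles on the one item that cannot be deleted.
$target = @{
    Context   = $ctx
    ShareName = $shareName
    Path      = $stuckPath
}
if ($stuckIsDirectory) {
    # Include handles on everything below the directory.
    $target.Recursive = $true
}

$stuck = @(Get-AzStorageFileHandle @target)
$stuck |
    Sort-Object -Property OpenTime |
    Format-Table -Property HandleId, ClientIp, OpenTime, LastReconnectTime, Path

# 3. Close only the handles on that item. -WhatIf shows what would be closed without
#    doing it; remove -WhatIf once the ClientIp and OpenTime values above have been
#    checked against clients you expect, because a client with a handle forced closed
#    loses its open file.
if ($stuck.Count -gt 0) {
    Close-AzStorageFileHandle @target -CloseAll -WhatIf
}
else {
    Write-Output "No open handles reported on '$stuckPath'."
}
```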

Slow file copying to and from Azure Files in Windows

You might see slow performance when you try to transfer files to the Azure File service.

  • If you don't have a specific minimum I/O size requirement, we recommend that you use 1 MiB as the I/O size for optimal performance.
  • If you know the final size of a file that you are extending with writes, and your software doesn't have compatibility problems when the unwritten tail on the file contains zeros, then set the file size in advance instead of making every write an extending write.
  • Use the right copy method:
    • Use AzCopy for any transfer between two file shares.
    • Use Robocopy between file shares on an on-premises computer.

Considerations for Windows 8.1 or Windows Server 2012 R2

For clients that are running Windows 8.1 or Windows Server 2012 R2, make sure that the KB3114025 hotfix is installed. This hotfix improves the performance of create and close handles.

You can run the following script to check whether the hotfix has been installed:

reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\Policies

If the hotfix is installed, the following output is displayed:

HKEY_Local_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\Policies {96c345ef-3cac-477b-8fcd-bea1a564241c} REG_DWORD 0x1

Note

Windows Server 2012 R2 images in Azure Marketplace have hotfix KB3114025 installed by default, starting in December 2015.

No folder with a drive letter in "My Computer" or "This PC"

If you map an Azure file share as an administrator by using net use, the share appears to be missing.

Cause

By default, Windows File Explorer does not run as an administrator. If you run net use from an administrative command prompt, you map the network drive as an administrator. Because mapped drives are user-centric, the user account that is logged in does not display the drives if they are mounted under a different user account.

Solution

Mount the share from a non-administrator command line. Alternatively, you can follow this TechNet topic to configure the EnableLinkedConnections registry value.

Net use command fails if the storage account contains a forward slash

Cause

The net use command interprets a forward slash (/) as a command-line option. If your user account name starts with a forward slash, the drive mapping fails.

Solution

You can use either of the following steps to work around the problem:

  • Run the following PowerShell command:

    New-SmbMapping -LocalPath y: -RemotePath \\server\share -UserName accountName -Password "password can contain / and \ etc"

    From a batch file, you can run the command this way:

    Echo new-smbMapping ... | powershell -command -

  • Put double quotation marks around the key to work around this problem, unless the forward slash is the first character. If it is, either use the interactive mode and enter your password separately or regenerate your keys to get a key that doesn't start with a forward slash.

Application or service cannot access a mounted Azure Files drive

Cause

Drives are mounted per user. If your application or service is running under a different user account than the one that mounted the drive, the application will not see the drive.

Solution

Use one of the following solutions:

  • Mount the drive from the same user account that contains the application. You can use a tool such as PsExec.

  • Pass the storage account name and key in the user name and password parameters of the net use command.

  • Use the cmdkey command to add the credentials into Credential Manager. Perform this from a command line under the service account context, either through an interactive login or by using runas.

    cmdkey /add:<storage-account-name>.file.core.chinacloudapi.cn /user:AZURE\<storage-account-name> /pass:<storage-account-key>

  • Map the share directly without using a mapped drive letter. Some applications may not reconnect to the drive letter properly, so using the full UNC path may be more reliable.

    net use * \\storage-account-name.file.core.chinacloudapi.cn\share

After you follow these instructions, you might receive the following error message when you run net use for the system/network service account: "System error 1312 has occurred. A specified logon session does not exist. It may already have been terminated." If this occurs, make sure that the username that is passed to net use includes domain information (for example: "[storage account name].file.core.chinacloudapi.cn").

Error "You are copying a file to a destination that does not support encryption"

When a file is copied over the network, the file is decrypted on the source computer, transmitted in plaintext, and re-encrypted at the destination. However, you might see the following error when you're trying to copy an encrypted file: "You are copying the file to a destination that does not support encryption."

Cause

This problem can occur if you are using Encrypting File System (EFS). BitLocker-encrypted files can be copied to Azure Files. However, Azure Files does not support NTFS EFS.

Workaround

To copy a file over the network, you must first decrypt it. Use one of the following methods:

  • Use the copy /d command. It allows the encrypted files to be saved as decrypted files at the destination.
  • Set the following registry key:
    • Path = HKLM\Software\Policies\Microsoft\Windows\System
    • Value type = DWORD
    • Name = CopyFileAllowDecryptedRemoteDestination
    • Value = 1

Be aware that setting the registry key affects all copy operations that are made to network shares.

Slow enumeration of files and folders

Cause

This problem can occur if there is not enough cache on the client machine for large directories.

Solution

To resolve this problem, adjust the DirectoryCacheEntrySizeMax registry value to allow caching of larger directory listings on the client machine:

  • Location: HKLM\System\CCS\Services\Lanmanworkstation\Parameters
  • Value name: DirectoryCacheEntrySizeMax
  • Value type: DWORD

For example, you can set it to 0x100000 and see if the performance becomes better.

Need help? Contact support.

If you still need help, contact support to get your problem resolved quickly.