Windows activation fails in forced tunneling scenario

This article describes how to resolve the KMS activation problem that you might experience when you enable forced tunneling in site-to-site VPN connection or ExpressRoute scenarios.

Symptom

You enable forced tunneling on Azure virtual network subnets to direct all Internet-bound traffic back to your on-premises network. In this scenario, the Azure virtual machines (VMs) that run Windows fail to activate Windows.

Cause

The Azure Windows VMs need to connect to the Azure KMS server for Windows activation. The activation requires that the activation request come from an Azure public IP address. In the forced tunneling scenario, the activation fails because the activation request comes from your on-premises network instead of from an Azure public IP address.

Solution

To resolve this problem, use the Azure custom route to route activation traffic to the Azure KMS server.

The IP address of the KMS server for the Azure China cloud is 42.159.7.249. Its DNS name is kms.core.chinacloudapi.cn. If you use other Azure platforms, you must use the IP address of the corresponding KMS server. For more information, see the following table:

| Platform | KMS DNS | KMS IP |
|---|---|---|
| Azure Global | kms.core.windows.net | 23.102.135.246 |
| Azure Germany | kms.core.cloudapi.de | 51.4.143.248 |
| Azure US Government | kms.core.usgovcloudapi.net | 23.97.0.13 |
| Azure China 21Vianet | kms.core.chinacloudapi.cn | 42.159.7.249 |

To add the custom route, follow these steps:

For Resource Manager VMs

Note

Activation uses public IP addresses and will be affected by a Standard SKU Load Balancer configuration. Carefully review Outbound connections in Azure to learn about the requirements.

  1. Open Azure PowerShell, and then sign in to your Azure subscription.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. Run the following commands:

    # First, get the virtual network that hosts the VMs that have activation problems. In this case, we get virtual network ArmVNet-DM in Resource Group ArmVNet-DM:
    
    $vnet = Get-AzVirtualNetwork -ResourceGroupName "ArmVNet-DM" -Name "ArmVNet-DM"
    
    # Next, create a route table and specify that traffic bound to the KMS IP (42.159.7.249) will go directly out:
    
    $RouteTable = New-AzRouteTable -Name "ArmVNet-DM-KmsDirectRoute" -ResourceGroupName "ArmVNet-DM" -Location "chinaeast"
    
    Add-AzRouteConfig -Name "DirectRouteToKMS" -AddressPrefix 42.159.7.249/32 -NextHopType Internet -RouteTable $RouteTable
    
    Set-AzRouteTable -RouteTable $RouteTable
    
    # Next, attach the route table to the subnet that hosts the VMs
    
    Set-AzVirtualNetworkSubnetConfig -Name "Subnet01" -VirtualNetwork $vnet -AddressPrefix "10.0.0.0/24" -RouteTable $RouteTable
    
    Set-AzVirtualNetwork -VirtualNetwork $vnet
    
  3. Go to the VM that has activation problems. Use PsPing to test if it can reach the KMS server:

     psping kms.core.chinacloudapi.cn:1688
    
  4. Try to activate Windows, and see if the problem is resolved.
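The following check is an added example, not part of the original article. Run from the management workstation after step 2, it confirms that the route table carries the KMS /32 route with next hop Internet, flags any other Internet next-hop route that would let traffic bypass the forced tunnel, and shows the effective route on the VM's network interface. The NIC name `vm01-nic` is a hypothetical placeholder; the other names are the ones used in the steps above.

```powershell
# Added example, not from the original article.
# Assumes the Az.Network module and an existing Connect-AzAccount session.
$ResourceGroup  = "ArmVNet-DM"
$RouteTableName = "ArmVNet-DM-KmsDirectRoute"
$NicName        = "vm01-nic"         # hypothetical: replace with the affected VM's NIC
$KmsPrefix      = "42.159.7.249/32"  # Azure China KMS IP from the table above

$rt = Get-AzRouteTable -ResourceGroupName $ResourceGroup -Name $RouteTableName

# 1. The KMS exception must exist and use next hop Internet.
$kmsRoute = $rt.Routes | Where-Object { $_.AddressPrefix -eq $KmsPrefix }
if (-not $kmsRoute -or $kmsRoute.NextHopType -ne "Internet") {
    Write-Warning "No route for $KmsPrefix with next hop Internet in $RouteTableName."
}

# 2. Any other Internet next hop widens the exception to forced tunneling
#    beyond the single KMS address and should be reviewed.
$extra = $rt.Routes | Where-Object {
    $_.NextHopType -eq "Internet" -and $_.AddressPrefix -ne $KmsPrefix
}
foreach ($r in $extra) {
    Write-Warning "Unexpected direct Internet route: $($r.Name) -> $($r.AddressPrefix)"
}

# 3. The route table only takes effect on subnets it is attached to.
if (-not $rt.Subnets) {
    Write-Warning "$RouteTableName is not associated with any subnet."
} else {
    $rt.Subnets | ForEach-Object { "Attached to: $($_.Id)" }
}

# 4. Effective route as seen by the NIC (the VM must be running).
Get-AzEffectiveRouteTable -NetworkInterfaceName $NicName -ResourceGroupName $ResourceGroup |
    Where-Object { $_.AddressPrefix -contains $KmsPrefix } |
    Select-Object Source, State, NextHopType,
        @{ Name = "AddressPrefix"; Expression = { $_.AddressPrefix -join "," } }
```

An active entry with `Source` set to `User` and `NextHopType` set to `Internet` for the KMS prefix means only activation traffic leaves Azure directly, while all other Internet-bound traffic still follows the forced tunnel.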

For Classic VMs

Important

Classic VMs will be retired on March 1, 2023.

If you use IaaS resources from ASM, please complete your migration by March 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by March 1, 2023.

  1. Open Azure PowerShell, and then sign in to your Azure subscription.

  2. Run the following commands:

    # First, create a new route table (the name must match the one used in the commands below):
    New-AzureRouteTable -Name "VNet-DM-KmsRouteTable" -Label "Route table for KMS" -Location "China North"
    
    # Next, get the route table that was created:
    $rt = Get-AzureRouteTable -Name "VNet-DM-KmsRouteTable"
    
    # Next, create a route:
    Set-AzureRoute -RouteTable $rt -RouteName "AzureKMS" -AddressPrefix "42.159.7.249/32" -NextHopType Internet
    
    # Apply the KMS route table to the subnet that hosts the problem VMs (in this case, we apply it to the subnet that's named Subnet-1):
    Set-AzureSubnetRouteTable -VirtualNetworkName "VNet-DM" -SubnetName "Subnet-1" -RouteTableName "VNet-DM-KmsRouteTable"
    
  3. Go to the VM that has activation problems. Use PsPing to test if it can reach the KMS server:

     psping kms.core.chinacloudapi.cn:1688
    
  4. Try to activate Windows, and see if the problem is resolved.

Next steps