Use remote tools to troubleshoot Azure VM issues

When you troubleshoot issues on an Azure virtual machine (VM), you can connect to the VM by using the remote tools that are discussed in this article instead of using the Remote Desktop Protocol (RDP).

Remote CMD

Download PsExec. Connect to the VM by running the following command:

psexec \\<computer> -u user -s cmd

Note

  • The command must be run on a computer that's in the same virtual network.
  • DIP or HostName can be used to replace <computer>.
  • The -s parameter makes sure that the command is invoked by using System Account (administrator permission).
  • PsExec uses TCP ports 135 and 445. As a result, the two ports have to be open on the firewall.

Run command

For more information about how to use the run command feature to run scripts on the VM, see Run PowerShell scripts in your Windows VM with run command.

Custom Script Extension

You can use the Custom Script Extension feature to run a custom script on the target VM. To use this feature, the following conditions must be met:

  • The VM has connectivity.

  • Azure Virtual Machine Agent is installed and is working as expected on the VM.

  • The extension wasn't previously installed on the VM.

    The extension injects the script only the first time that it's used. If you use this feature later, the extension recognizes that it was already used and doesn't upload the new script.

Upload your script to a storage account, and generate its own container. Then, run the following script in Azure PowerShell on a computer that has connectivity to the VM.

For classic deployment model VMs

Important

Classic VMs will be retired on March 1, 2023.

If you use IaaS resources from ASM, please complete your migration by March 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by March 1, 2023.

#Set up the basic variables.
$subscriptionID = "<<SUBSCRIPTION ID>>" 
$storageAccount = "<<STORAGE ACCOUNT>>" 
$localScript = "<<FULL PATH OF THE PS1 FILE TO EXECUTE ON THE VM>>" 
$blobName = "file.ps1" #Name you want for the blob in the storage.
$vmName = "<<VM NAME>>" 
$vmCloudService = "<<CLOUD SERVICE>>" #Resource group or cloud service where the VM is hosted. For example, for "demo305.chinacloudapp.cn" the cloud service is going to be demo305.

#Set up the Azure PowerShell module, and ensure the access to the subscription.
Import-Module Azure
Add-AzureAccount -Environment AzureChinaCloud  #Ensure login with the account associated with the subscription ID.
Get-AzureSubscription -SubscriptionId $subscriptionID | Select-AzureSubscription

#Set up the access to the storage account, and upload the script.
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$context = New-AzureStorageContext -Environment AzureChinaCloud -StorageAccountName $storageAccount -StorageAccountKey $storageKey
$container = "cse" + (Get-Date -Format yyyyMMddhhmmss)
New-AzureStorageContainer -Name $container -Permission Off -Context $context
Set-AzureStorageBlobContent -File $localScript -Container $container -Blob $blobName  -Context $context

#Push the script into the VM.
$vm = Get-AzureVM -ServiceName $vmCloudService -Name $vmName
Set-AzureVMCustomScriptExtension "CustomScriptExtension" -VM $vm -StorageAccountName $storageAccount -StorageAccountKey $storagekey -ContainerName $container -FileName $blobName -Run $blobName | Update-AzureVM

For Azure Resource Manager VMs

#Set up the basic variables.
$subscriptionID = "<<SUBSCRIPTION ID>>"
$storageAccount = "<<STORAGE ACCOUNT>>"
$storageRG = "<<RESOURCE GROUP OF THE STORAGE ACCOUNT>>" 
$localScript = "<<FULL PATH OF THE PS1 FILE TO EXECUTE ON THE VM>>" 
$blobName = "file.ps1" #Name you want for the blob in the storage.
$vmName = "<<VM NAME>>" 
$vmResourceGroup = "<<RESOURCE GROUP>>"
$vmLocation = "<<DATACENTER>>" 

#Set up the Azure PowerShell module, and ensure the access to the subscription.
Connect-AzAccount -Environment AzureChinaCloud #Ensure login with the account associated with the subscription ID.
Get-AzSubscription -SubscriptionId $subscriptionID | Select-AzSubscription

#Set up the access to the storage account, and upload the script.
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageRG -Name $storageAccount).Value[0]
$context = New-AzStorageContext -Environment AzureChinaCloud -StorageAccountName $storageAccount -StorageAccountKey $storageKey
$container = "cse" + (Get-Date -Format yyyyMMddhhmmss)
New-AzStorageContainer -Name $container -Permission Off -Context $context
Set-AzStorageBlobContent -File $localScript -Container $container -Blob $blobName  -Context $context

#Push the script into the VM.
Set-AzVMCustomScriptExtension -Name "CustomScriptExtension" -ResourceGroupName $vmResourceGroup -VMName $vmName -Location $vmLocation -StorageAccountName $storageAccount -StorageAccountKey $storagekey -ContainerName $container -FileName $blobName -Run $blobName

Remote PowerShell

Note

TCP Port 5986 (HTTPS) must be open so that you can use this option.

For Azure Resource Manager VMs, you must open port 5986 on the network security group (NSG). For more information, see Security groups.

For RDFE VMs, you must have an endpoint that has a private port (5986) and a public port. Then, you also have to open that public-facing port on the NSG.

Set up the client computer

To use PowerShell to connect to the VM remotely, you first have to set up the client computer to allow the connection. To do this, add the VM to the PowerShell trusted hosts list by running the following command, as appropriate.

To add one VM to the trusted hosts list:

Set-Item wsman:\localhost\Client\TrustedHosts -value <ComputerName>

To add multiple VMs to the trusted hosts list:

Set-Item wsman:\localhost\Client\TrustedHosts -value <ComputerName1>,<ComputerName2>

To add all computers to the trusted hosts list:

Set-Item wsman:\localhost\Client\TrustedHosts -value *
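
Set-Item replaces the whole TrustedHosts list, and a value of * trusts every destination. The following added example (not part of the original article) records the current list, appends one VM for the troubleshooting session, and restores the earlier value afterwards; $vmHost is a placeholder.

```powershell
# Added example: scope TrustedHosts to one VM and restore it afterwards.
# Run in an elevated PowerShell session on the client computer.
$vmHost = "<ComputerName>"          # placeholder: host name or DIP of the VM
$path   = "WSMan:\localhost\Client\TrustedHosts"

# Record the current value so it can be put back after troubleshooting.
$original = [string](Get-Item -Path $path).Value
$entries  = $original -split "," | ForEach-Object { $_.Trim() }

try {
    if ($original -eq "*") {
        Write-Warning "TrustedHosts is '*': every remote host is already trusted."
    }
    elseif ($entries -notcontains $vmHost) {
        # -Concatenate appends to the existing list instead of replacing it.
        Set-Item -Path $path -Value $vmHost -Concatenate -Force
    }

    # Show the list that is in effect while you work on the VM.
    Get-Item -Path $path | Select-Object Name, Value

    # ... connect to the VM and troubleshoot here ...
}
finally {
    # Restore the list exactly as it was (an empty string clears it).
    Set-Item -Path $path -Value $original -Force
}
```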

Enable RemotePS on the VM

For VMs created using the classic deployment model, use the Custom Script Extension to run the following script:

Enable-PSRemoting -Force
New-NetFirewallRule -Name "Allow WinRM HTTPS" -DisplayName "WinRM HTTPS" -Enabled True -Profile Any -Action Allow -Direction Inbound -LocalPort 5986 -Protocol TCP
$thumbprint = (New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
$command = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=""$env:computername""; CertificateThumbprint=""$thumbprint""}"
cmd.exe /C $command

For Azure Resource Manager VMs, use run commands from the portal to run the EnableRemotePS script.

Connect to the VM

Run the following command based on the client computer location:

  • Outside the virtual network or deployment

    • For a VM created using the classic deployment model, run the following command:

      $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
      Enter-PSSession -ComputerName  "<<CLOUDSERVICENAME.chinacloudapp.cn>>" -port "<<PUBLIC PORT NUMBER>>" -Credential (Get-Credential) -useSSL -SessionOption $Skip
      
    • For an Azure Resource Manager VM, first add a DNS name to the public IP address. For detailed steps, see Create a fully qualified domain name in the Azure portal for a Windows VM. Then, run the following command:

      $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
      Enter-PSSession -ComputerName "<<DNSname.DataCenter.cloudapp.chinacloudapi.cn>>" -port "5986" -Credential (Get-Credential) -useSSL -SessionOption $Skip
      
  • Inside the virtual network or deployment, run the following command:

    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Enter-PSSession -ComputerName  "<<HOSTNAME>>" -port 5986 -Credential (Get-Credential) -useSSL -SessionOption $Skip
    

Note

Setting the SkipCaCheck flag bypasses the requirement to import a certificate to the VM when you start the session.
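
With SkipCACheck and SkipCNCheck set, the client does not validate the self-signed certificate that the listener presents. The following added example (not part of the original article) reads that certificate and compares its thumbprint with the one created on the VM before it opens the session; Get-RemoteCertThumbprint, $vmHost and $expectedThumbprint are names and placeholders assumed for illustration, and the expected thumbprint is assumed to come from the VM over a trusted channel.

```powershell
# Added example: check the WinRM HTTPS listener's certificate against a known
# thumbprint before opening a session with -SkipCACheck.
$vmHost             = "<<HOSTNAME>>"                       # placeholder
$port               = 5986
$expectedThumbprint = "<<THUMBPRINT REPORTED BY THE VM>>"  # placeholder

function Get-RemoteCertThumbprint {
    param([string]$ComputerName, [int]$Port)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept any certificate here: the handshake is only used to read it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            return $cert.Thumbprint
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

$presented = Get-RemoteCertThumbprint -ComputerName $vmHost -Port $port
# Normalize the expected value: strip spaces or separators, use upper-case hex.
$expected  = ($expectedThumbprint -replace "[^0-9A-Fa-f]", "").ToUpperInvariant()

if ($presented -ne $expected) {
    throw "Certificate mismatch on ${vmHost}:${port}. Presented $presented, expected $expected."
}

# The listener presented the expected certificate; connect as in the article.
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmHost -Port $port -Credential (Get-Credential) -UseSSL -SessionOption $Skip
```

The probe and the session are separate TLS connections, so this check detects a wrong or replaced listener certificate but does not bind the session itself to that certificate.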

You can also use the Invoke-Command cmdlet to run a script on the VM remotely.

Invoke-Command -ComputerName "<<COMPUTERNAME>>" -ScriptBlock {"<<SCRIPT BLOCK>>"}

Remote Registry

Note

TCP port 135 or 445 must be open in order to use this option.

For Azure Resource Manager VMs, you have to open port 5986 on the NSG. For more information, see Security groups.

For RDFE VMs, you must have an endpoint that has a private port 5986 and a public port. You also have to open that public-facing port on the NSG.

  1. From another VM on the same virtual network, open the registry editor (regedit.exe).

  2. Select File > Connect Network Registry.

  3. Locate the target VM by host name or dynamic IP (preferable) by entering it in the Enter the object name to select box.

  4. Enter the credentials for the target VM.

  5. Make any necessary registry changes.

Remote services console

Note

TCP ports 135 or 445 must be open in order to use this option.

For Azure Resource Manager VMs, you have to open port 5986 on the NSG. For more information, see Security groups.

For RDFE VMs, you must have an endpoint that has a private port 5986 and a public port. You also have to open that public-facing port on the NSG.

  1. From another VM on the same virtual network, open an instance of Services.msc.

  2. Right-click Services (Local).

  3. Select Connect to another computer.

  4. Enter the dynamic IP of the target VM.

  5. Make any necessary changes to the services.
