Set up a cluster witness
Applies to: Azure Stack HCI, versions 21H2 and 20H2; Windows Server 2022, Windows Server 2019
Setting up a witness resource is highly recommended for all clusters, and should be done right after you create a cluster. A two-node cluster needs a witness so that losing either server does not also take the surviving node offline: without a witness, a single node cannot reach a majority on its own. Clusters of three or more nodes need a witness to withstand two servers failing or being offline at the same time.
You can either use an SMB file share as a witness or an Azure cloud witness. An Azure cloud witness is recommended, provided all server nodes in the cluster have a reliable internet connection. This article covers creating a cloud witness.
Cloud witness uses HTTPS (TCP port 443) for outbound communication with the Azure blob service; no inbound port is needed. Ensure that every cluster node can reach the storage account's blob endpoint on port 443.
Before you begin
Before you can create a cloud witness, you must have an Azure account and subscription, and register your Azure Stack HCI cluster with Azure. See the following articles for more information:
- Create an Azure account
- If applicable, create an additional Azure subscription
- Connect Azure Stack HCI to Azure
- Make sure DNS is available for the cluster
For file share witnesses, there are requirements for the file server. See System requirements for more information.
Create an Azure storage account
This section describes how to create an Azure storage account. This account is used to store an Azure blob file used for arbitration for a specific cluster. You can use the same Azure storage account to configure a cloud witness for multiple clusters.
Sign in to the Azure portal.
On the Azure portal home menu, under Azure services, select Storage accounts. If this icon is missing, select Create a resource to create a Storage accounts resource first.
On the Storage accounts page, select New.
On the Create storage account page, complete the following:
- Select the Azure Subscription to apply the storage account to.
- Select the Azure Resource group to apply the storage account to.
- Enter a Storage account name.
Storage account names must be between 3 and 24 characters in length and may contain only lowercase letters and numbers. The name must also be unique across all of Azure, because it becomes the host name of the blob endpoint.
- Select a Location that is closest to you physically.
- For Performance, select Standard.
- For Account kind, select Storage general purpose. A cloud witness needs a general-purpose account; premium storage accounts are not supported.
- For Replication, select Locally-redundant storage (LRS).
- When finished, click Review + create.
Ensure that the storage account passes validation and then review account settings. When finished, click Create.
It may take a few seconds for account deployment to occur in Azure. When deployment is complete, click Go to resource.
Copy the access key and endpoint URL
When you create an Azure storage account, Azure automatically generates two access keys, a primary key (key1) and a secondary key (key2). The first-time cloud witness configuration uses key1. Either key grants full access to the whole storage account, not just the witness blob, so handle it as a secret. The cluster stores its own copy of the key; if you later regenerate key1 in Azure, update the witness with the new key (for example with Set-ClusterQuorum) or the witness resource will fail to authenticate.
The blob service endpoint is also generated automatically, in the form https://storage_account_name.blob.core.windows.net. The cloud witness reaches it over HTTPS (TCP port 443) only, so that outbound port must be open from every node.
Copy the account name and access key
In the Azure portal, under Settings, select Access keys.
Select Show keys to display key information.
Click the copy icon to the right of the Storage account name and key1 fields and paste each text string into Notepad or another text editor so that you can use them in the next step. Do not leave the key in a file afterwards: anyone who obtains it can read and modify everything in the storage account, including the witness blob.
Copy the endpoint URL (optional)
The endpoint URL is only needed when the storage account is not in the Azure public cloud (for example a sovereign cloud with a different endpoint suffix). In the public cloud the default suffix, core.windows.net, is used and you can skip this step.
In the Azure portal, under Settings, select Properties.
Under Blob service, click the copy icon to the right of the Blob service field and paste the text string into Notepad or another text editor.
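The portal steps above (create the storage account, then copy the account name, key1 and the blob endpoint) can be done with Az PowerShell instead, which also avoids pasting the key into a text file. The following is an added example, not code from the original article. The resource group name rg-hci-witness, the account name hciwitness01 and the region eastus are placeholders; it requires the Az.Accounts, Az.Resources and Az.Storage modules and a signed-in account with permission to create resources in the subscription.

```powershell
# Added example (not from the original article): create the witness storage
# account with Az PowerShell and read key1 and the blob endpoint into variables.
# Placeholder names: resource group "rg-hci-witness", account "hciwitness01",
# region "eastus". Requires Az.Accounts, Az.Resources and Az.Storage.

Connect-AzAccount | Out-Null   # interactive sign-in; omit if already signed in
# Select-AzSubscription -SubscriptionId "<subscription-id>"   # if you have several

$rg       = "rg-hci-witness"
$account  = "hciwitness01"     # 3-24 chars, lowercase letters and digits, globally unique
$location = "eastus"

# Fail early on a name Azure would reject anyway.
if ($account -notmatch '^[a-z0-9]{3,24}$') {
    throw "Storage account name '$account' violates Azure naming rules."
}

if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $location | Out-Null
}

# Same choices as the portal steps (Standard performance, general-purpose v2
# account, locally-redundant storage), plus settings the witness does not need
# but a hardened account should have: HTTPS only, TLS 1.2 minimum, and no
# anonymous blob access.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 `
        -AllowBlobPublicAccess $false

# key1 is what the first cloud witness configuration uses. It is a secret that
# grants full data-plane access to the whole account, so keep it in a variable
# and pass it straight to Set-ClusterQuorum rather than writing it to disk.
$key1 = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account |
         Where-Object KeyName -eq 'key1').Value

# Blob endpoint, e.g. https://hciwitness01.blob.core.windows.net/
$blobEndpoint = $sa.PrimaryEndpoints.Blob

Write-Host "Storage account : $($sa.StorageAccountName)"
Write-Host "Blob endpoint   : $blobEndpoint"
Write-Host "key1 length     : $($key1.Length) characters (value not displayed)"
```

Run this from an administrator workstation, not from a cluster node; only the account name and $key1 need to travel to the cluster, and the key can be handed to Set-ClusterQuorum in the same session.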
Create a cloud witness using Windows Admin Center
Now you are ready to create a witness instance for your cluster using Windows Admin Center.
In Windows Admin Center, select Cluster Manager from the top drop-down arrow.
Under Cluster connections, select the cluster.
Under Tools, select Settings.
In the right pane, select Witness.
For Witness type, select one of the following:
- Cloud witness - enter your Azure storage account name, access key, and (if needed) endpoint URL, as described previously
- File share witness - enter the UNC path of the share, in the form \\server\share
For a cloud witness, for the following fields, paste the text strings you copied previously for:
- Azure storage account name
- Azure storage access key
- Azure service endpoint
When finished, click Save. It may take a few moments for the information to propagate to Azure and for the witness resource to come online.
The third option, Disk witness, is not suitable for use in stretched clusters.
Create a cloud witness using Windows PowerShell
Alternatively, you can create a witness instance for your cluster using PowerShell.
Use the following cmdlet to create an Azure cloud witness. Replace the placeholder values with the Azure storage account name and access key you copied previously:
Set-ClusterQuorum -Cluster "Cluster1" -CloudWitness -AccountName "AzureStorageAccountName" -AccessKey "AzureStorageAccountAccessKey"
Use the following cmdlet to create a file share witness. Enter the UNC path of the file server share. The -Credential parameter is only needed when the cluster's own computer account cannot access the share, for example a file server outside the cluster's domain:
Set-ClusterQuorum -FileShareWitness "\\fileserver\share" -Credential (Get-Credential)
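The Set-ClusterQuorum call above configures the witness but does not tell you whether the nodes can actually reach Azure or whether the resource came online. The following is an added example, not code from the original article, that wraps the PowerShell procedure with the checks a practitioner would want: an outbound port 443 test from every node before configuring, a state check afterwards, and the re-configuration needed after rotating the storage key. It assumes a cluster named Cluster1, a storage account named hciwitness01 in the Azure public cloud, that $key1 already holds the account's key1 value (for example from Get-AzStorageAccountKey), and that the witness resource keeps its default name "Cloud Witness". Run it on a cluster node or a management host with the FailoverClusters and NetTCPIP modules and cluster administrator rights.

```powershell
# Added example (not from the original article): configure the cloud witness
# from PowerShell with a connectivity pre-check and a post-check.
# Assumptions: cluster "Cluster1", storage account "hciwitness01" in the Azure
# public cloud, $key1 already populated, witness resource named "Cloud Witness".

$cluster  = "Cluster1"
$account  = "hciwitness01"
$blobHost = "$account.blob.core.windows.net"   # public Azure cloud suffix

# 1. Every node needs outbound TCP 443 to the blob endpoint; a node that cannot
#    reach it will not be able to use the witness when it matters. Test from
#    each node, not just the one you happen to be logged on to.
$unreachable = foreach ($node in Get-ClusterNode -Cluster $cluster) {
    $ok = Invoke-Command -ComputerName $node.Name -ArgumentList $blobHost -ScriptBlock {
        param($h)
        (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    if (-not $ok) { $node.Name }
}
if ($unreachable) {
    throw "Nodes without outbound 443 to ${blobHost}: $($unreachable -join ', ')"
}

# 2. Configure the witness. The key comes from the variable and is never echoed.
#    -Endpoint is only required outside the Azure public cloud (its default is
#    core.windows.net), so it is omitted here.
Set-ClusterQuorum -Cluster $cluster -CloudWitness -AccountName $account -AccessKey $key1 | Out-Null

# 3. Verify that the quorum resource is the cloud witness and that it is Online.
$quorum  = Get-ClusterQuorum -Cluster $cluster
$witness = Get-ClusterResource -Cluster $cluster -Name "Cloud Witness"
Write-Host "Quorum resource : $($quorum.QuorumResource.Name)"
Write-Host "Witness state   : $($witness.State)"
if ($witness.State -ne 'Online') {
    Write-Warning "Cloud witness is $($witness.State); check outbound 443 access and the cluster log."
}

# 4. Key rotation: regenerating key1 in Azure invalidates the copy the cluster
#    holds, so re-run Set-ClusterQuorum with the new value immediately after
#    rotating. Uncomment to run; needs Az.Storage and the resource group name.
# New-AzStorageAccountKey -ResourceGroupName "rg-hci-witness" -Name $account -KeyName key1 | Out-Null
# $newKey = (Get-AzStorageAccountKey -ResourceGroupName "rg-hci-witness" -Name $account |
#            Where-Object KeyName -eq 'key1').Value
# Set-ClusterQuorum -Cluster $cluster -CloudWitness -AccountName $account -AccessKey $newKey
```

The pre-check matters most on clusters whose nodes sit behind different firewalls or proxies: the witness only helps if the partition that survives can still reach Azure, so each node is tested individually rather than relying on one successful probe.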
For more information on cluster quorum, see Understanding cluster and pool quorum on Azure Stack HCI.
For more information about creating and managing Azure Storage Accounts, see Create a storage account.