Update Azure Stack HCI clusters

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019

When updating Azure Stack HCI clusters, the goal is to maintain availability by updating only one server in the cluster at a time. Many operating system updates require taking the server offline, for example to do a restart or to update software such as the network stack. We recommend using Cluster-Aware Updating (CAU), a feature that makes it easy to install updates on every server in your cluster while keeping your applications running. Cluster-Aware Updating automates taking the server in and out of maintenance mode while installing updates and restarting the server, if necessary. Cluster-Aware Updating is the default updating method used by Windows Admin Center and can also be initiated using PowerShell.

This topic focuses on operating system and software updates. If you need to take a server offline to perform maintenance on the hardware, see Take a server offline for maintenance.

Update a cluster using Windows Admin Center

Windows Admin Center makes it easy to update a cluster and apply operating system and solution updates using a simple user interface. If you've purchased an integrated system from a Microsoft hardware partner, it's easy to get the latest drivers, firmware, and other updates directly from Windows Admin Center by installing the appropriate partner update extension(s). If your hardware was not purchased as an integrated system, firmware and driver updates may need to be performed separately, following the hardware vendor's recommendations.

Windows Admin Center will check if the cluster is properly configured to run Cluster-Aware Updating, and if needed, will ask if you'd like Windows Admin Center to configure CAU for you, including installing the CAU cluster role and enabling the required firewall rules.

  1. When you connect to a cluster, the Windows Admin Center dashboard will alert you if one or more servers have updates ready to be installed, and provide a link to update now. Alternatively, you can select Updates from the Tools menu at the left.
  2. To use the Cluster-Aware Updating tool in Windows Admin Center, you must enable Credential Security Service Provider (CredSSP) and provide explicit credentials. When asked if CredSSP should be enabled, click Yes.
  3. Specify your username and password, and click Continue.
  4. Any available updates will be displayed; click Check Available Updates to refresh the list.
  5. Select the updates you wish to install and click Apply All Updates. This will install the updates on every server in the cluster. If a restart is needed, cluster roles such as virtual machines will be moved to another server first to prevent any disruption.
  6. To improve security, disable CredSSP as soon as you're finished installing the updates:
    • In Windows Admin Center, under All connections, select the first server in your cluster, and then select Connect.
    • On the Overview page, select Disable CredSSP, and then on the Disable CredSSP pop-up window, select Yes.
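
A PowerShell check for step 6, as an added example that is not part of the original article: run in an elevated session on a cluster server, it reads the CredSSP settings from the WSMan: provider, disables the Server role if it is still on, and fails loudly if the setting does not stick. Get-LocalCredSspState is a hypothetical helper name.

```powershell
# Added example, not from the original article.
# Run elevated, locally on each cluster server after the updating run.
# Get-LocalCredSspState is a hypothetical helper name.
function Get-LocalCredSspState {
    # The WSMan: provider stores each setting as the string 'true' or 'false'.
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ServerEnabled = (Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'
        ClientEnabled = (Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
    }
}

$state = Get-LocalCredSspState

if ($state.ServerEnabled) {
    # Server role: this machine accepts delegated credentials from a remote client.
    Disable-WSManCredSSP -Role Server
    $state = Get-LocalCredSspState   # read the setting back instead of trusting the call
}

if ($state.ServerEnabled) {
    # Still on after disabling, so something else is re-applying the setting.
    throw "CredSSP (Server role) is still enabled on $($state.Computer)"
}

if ($state.ClientEnabled) {
    # Client role: this machine is allowed to delegate credentials to others.
    Write-Warning ("CredSSP Client role is enabled on {0}. Run 'Disable-WSManCredSSP -Role Client' " +
                   "if this machine should not delegate credentials." -f $state.Computer)
}

$state
```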

Update a cluster using PowerShell

Before you can update a cluster using Cluster-Aware Updating, you first need to install the Failover Clustering Tools, which are part of the Remote Server Administration Tools (RSAT) and include the Cluster-Aware Updating software. If you're updating an existing cluster, these tools may already be installed.

To test whether a failover cluster is properly set up to apply software updates using Cluster-Aware Updating, run the Test-CauSetup PowerShell cmdlet, which performs a Best Practices Analyzer (BPA) scan of the failover cluster and network environment and alerts you of any warnings or errors:

Test-CauSetup -ClusterName Cluster1

If you need to install features, tools, or roles, see the next sections. Otherwise, skip ahead to Check for updates with PowerShell.

Install Failover Clustering and Failover Clustering Tools using PowerShell

To check if a cluster or server has the Failover Clustering feature and Failover Clustering Tools already installed, issue the Get-WindowsFeature PowerShell cmdlet from your management PC (or run it directly on the cluster or server, omitting the -ComputerName parameter):

Get-WindowsFeature -Name Failover*, RSAT-Clustering* -ComputerName Server1

Make sure "Install State" says Installed and that an X appears before both Failover Clustering and Failover Cluster Module for Windows PowerShell:

Display Name                                            Name                       Install State
------------                                            ----                       -------------
[X] Failover Clustering                                 Failover-Clustering            Installed
        [X] Failover Clustering Tools                   RSAT-Clustering                Installed
            [X] Failover Cluster Module for Windows ... RSAT-Clustering-Powe...        Installed
            [ ] Failover Cluster Automation Server      RSAT-Clustering-Auto...        Available
            [ ] Failover Cluster Command Interface      RSAT-Clustering-CmdI...        Available

If the Failover Clustering feature is not installed, install it on each server in the cluster with the Install-WindowsFeature cmdlet, using the -IncludeAllSubFeature and -IncludeManagementTools parameters:

Install-WindowsFeature -Name Failover-Clustering -IncludeAllSubFeature -IncludeManagementTools -ComputerName Server1

This command will also install the Failover Cluster Module for PowerShell, which includes PowerShell cmdlets for managing failover clusters, and the Cluster-Aware Updating module for PowerShell, for installing software updates on failover clusters.

If the Failover Clustering feature is already installed but the Failover Cluster Module for Windows PowerShell is not, simply install it on each server in the cluster with the Install-WindowsFeature cmdlet:

Install-WindowsFeature -Name RSAT-Clustering-PowerShell -ComputerName Server1

Choose an updating mode

Cluster-Aware Updating can coordinate the complete cluster updating operation in two modes:

  • Self-updating mode: For this mode, the Cluster-Aware Updating clustered role is configured as a workload on the failover cluster that is to be updated, and an associated update schedule is defined. The cluster updates itself at scheduled times by using a default or custom updating run profile. During the updating run, the Cluster-Aware Updating Update Coordinator process starts on the node that currently owns the Cluster-Aware Updating clustered role, and the process sequentially performs updates on each cluster node. To update the current cluster node, the Cluster-Aware Updating clustered role fails over to another cluster node, and a new Update Coordinator process on that node assumes control of the updating run. In self-updating mode, Cluster-Aware Updating can update the failover cluster by using a fully automated, end-to-end updating process. An administrator can also trigger updates on-demand in this mode, or simply use the remote-updating approach if desired.

  • Remote updating mode: For this mode, a remote management computer (usually a Windows 10 PC) that has network connectivity to the failover cluster but is not a member of the failover cluster is configured with the Failover Clustering Tools. From the remote management computer, called the Update Coordinator, the administrator triggers an on-demand updating run by using a default or custom updating run profile. Remote updating mode is useful for monitoring real-time progress during the updating run, and for clusters that are running on Server Core installations.

Note

Starting with Windows 10 October 2018 Update, RSAT is included as a set of "Features on Demand" right from Windows 10. Simply go to Settings > Apps > Apps & features > Optional features > Add a feature > RSAT: Failover Clustering Tools, and select Install. To see installation progress, click the Back button to view status on the "Manage optional features" page. The installed feature will persist across Windows 10 version upgrades. To install RSAT for Windows 10 prior to the October 2018 Update, download an RSAT package.

Add CAU cluster role to the cluster

The Cluster-Aware Updating cluster role is required for self-updating mode. If you're using Windows Admin Center to perform the updates, the cluster role will automatically be added.

The Get-CauClusterRole cmdlet displays the configuration properties of the Cluster-Aware Updating cluster role on the specified cluster.

Get-CauClusterRole -ClusterName Cluster1

If the role is not yet configured on the cluster, you will see the following error message:

Get-CauClusterRole : The current cluster is not configured with a Cluster-Aware Updating clustered role.

To add the Cluster-Aware Updating cluster role for self-updating mode using PowerShell, use the Add-CauClusterRole cmdlet and supply the appropriate parameters, as in the following example:

Add-CauClusterRole -ClusterName Cluster1 -MaxFailedNodes 0 -RequireAllNodesOnline -EnableFirewallRules -VirtualComputerObjectName Cluster1-CAU -Force -CauPluginName Microsoft.WindowsUpdatePlugin -MaxRetriesPerNode 3 -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'False' } -StartDate "3/2/2020 3:00:00 AM" -DaysOfWeek 4 -WeeksOfMonth @(3) -verbose

Note

The above command must be run from a management PC or domain controller.

Enable firewall rules to allow remote restarts

You'll need to allow the servers to restart remotely during the update process. If you're using Windows Admin Center to perform the updates, Windows Firewall rules will automatically be updated on each server to allow remote restarts. If you're updating with PowerShell, either enable the Remote Shutdown firewall rule group in Windows Firewall, or pass the -EnableFirewallRules parameter to the cmdlet, as in the example above.

Check for updates with PowerShell

You can use the Invoke-CauScan cmdlet to scan servers for applicable updates and get a list of the initial set of updates that are applied to each server in a specified cluster:

Invoke-CauScan -ClusterName Cluster1 -CauPluginName Microsoft.WindowsUpdatePlugin -Verbose

Generation of the list can take a few minutes to complete. The preview list includes only an initial set of updates; it does not include updates that might become applicable after the initial updates are installed.

Install updates with PowerShell

To scan servers for applicable updates and perform a full updating run on the specified cluster, use the Invoke-CauRun cmdlet:

Invoke-CauRun -ClusterName Cluster1 -CauPluginName Microsoft.WindowsUpdatePlugin -MaxFailedNodes 1 -MaxRetriesPerNode 3 -RequireAllNodesOnline -EnableFirewallRules -Force

This command performs a scan and a full updating run on the cluster named Cluster1. This cmdlet uses the Microsoft.WindowsUpdatePlugin plug-in and requires that all cluster nodes be online before running this cmdlet. In addition, this cmdlet allows no more than three retries per node before marking the node as failed, and allows no more than one node to fail before marking the entire updating run as failed. It also enables firewall rules to allow the servers to restart remotely. Because the command specifies the Force parameter, the cmdlet runs without displaying confirmation prompts.

The updating run process includes the following:

  • Scanning for and downloading applicable updates on each server in the cluster
  • Moving currently running clustered roles off each server
  • Installing the updates on each server
  • Restarting the server if required by the installed updates
  • Moving the clustered roles back to the original server

The updating run process also includes ensuring that quorum is maintained, checking for additional updates that can only be installed after the initial set of updates are installed, and saving a report of the actions taken.

Check on the status of an updating run

An administrator can get summary information about an updating run in progress by running the Get-CauRun cmdlet:

Get-CauRun -ClusterName Cluster1

Here's some sample output:

RunId                   : 834dd11e-584b-41f2-8d22-4c9c0471dbad 
RunStartTime            : 10/13/2019 1:35:39 PM 
CurrentOrchestrator     : NODE1 
NodeStatusNotifications : { 
Node      : NODE1 
Status    : Waiting 
Timestamp : 10/13/2019 1:35:49 PM 
} 
NodeResults             : { 
Node                     : NODE2 
Status                   : Succeeded 
ErrorRecordData          : 
NumberOfSucceededUpdates : 0 
NumberOfFailedUpdates    : 0 
InstallResults           : Microsoft.ClusterAwareUpdating.UpdateInstallResult[] 
}

Perform a fast, offline update of all servers in a cluster

This method allows you to take all the servers in a cluster down at once and update them all at the same time. This saves time during the updating process, but the trade-off is downtime for the hosted resources.

If there is a critical security update that you need to apply quickly, or you need to ensure that updates complete within your maintenance window, this method may be for you. This process brings down the Azure Stack HCI cluster, updates the servers, and brings it all up again.

  1. Plan your maintenance window.

  2. Take the virtual disks offline.

  3. Stop the cluster to take the storage pool offline. Run the Stop-Cluster cmdlet or use Windows Admin Center to stop the cluster.

  4. Set the cluster service to Disabled in Services.msc on each server. This prevents the cluster service from starting up while being updated.

  5. Apply the Windows Server Cumulative Update and any required Servicing Stack Updates to all servers. You can update all servers at the same time; there's no need to wait, because the cluster is down.

  6. Restart the servers, and ensure everything looks good.

  7. Set the cluster service back to Automatic on each server.

  8. Start the cluster. Run the Start-Cluster cmdlet or use Windows Admin Center.

    Give it a few minutes. Make sure the storage pool is healthy.

  9. Bring the virtual disks back online.

  10. Monitor the status of the virtual disks by running the Get-Volume and Get-VirtualDisk cmdlets.
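
The cluster-service handling in steps 3, 4, 7, 8 and 10, scripted from a management PC as an added example that is not part of the original article. It assumes the sample cluster name Cluster1 used on this page and WinRM access to every server; both function names are hypothetical, and steps 2, 5, 6 and 9 are still done separately.

```powershell
# Added example, not from the original article. Function names are hypothetical.

function Stop-ClusterForOfflineUpdate {
    param([string]$ClusterName = 'Cluster1')
    # Capture node names first: Get-ClusterNode cannot answer once the cluster is down.
    $nodes = @((Get-ClusterNode -Cluster $ClusterName).Name)
    Stop-Cluster -Cluster $ClusterName -Force | Out-Null          # step 3
    Invoke-Command -ComputerName $nodes -ScriptBlock {            # step 4
        Set-Service -Name ClusSvc -StartupType Disabled
    }
    $nodes   # keep this list; it is the input for the restore step
}

function Start-ClusterAfterOfflineUpdate {
    param([Parameter(Mandatory)][string[]]$Nodes)
    # Step 7: restore automatic start and read the setting back from every node.
    $svc = @(Invoke-Command -ComputerName $Nodes -ScriptBlock {
        Set-Service -Name ClusSvc -StartupType Automatic
        # Return the start type as a string; the enum does not survive remoting intact.
        [pscustomobject]@{ StartType = (Get-Service -Name ClusSvc).StartType.ToString() }
    })
    $bad = @($svc | Where-Object { $_.StartType -ne 'Automatic' })
    if ($svc.Count -ne $Nodes.Count -or $bad.Count -gt 0) {
        # A node that did not answer, or still has the service disabled, would
        # silently stay out of the cluster after the next restart.
        throw "ClusSvc start type not confirmed as Automatic on all of: $($Nodes -join ', ')"
    }
    # Step 8: naming one node starts the cluster that node belongs to.
    Start-Cluster -Name $Nodes[0] | Out-Null
    # Pool check after step 8 and disk check for step 10: look for anything not Healthy.
    Get-StoragePool -CimSession $Nodes[0] -IsPrimordial $false |
        Select-Object FriendlyName, OperationalStatus, HealthStatus
    Get-VirtualDisk -CimSession $Nodes[0] |
        Select-Object FriendlyName, OperationalStatus, HealthStatus
}

# Usage:
#   $nodes = Stop-ClusterForOfflineUpdate -ClusterName 'Cluster1'
#   ... apply updates and restart the servers (steps 5 and 6) ...
#   Start-ClusterAfterOfflineUpdate -Nodes $nodes
```

Save the node list somewhere that survives the maintenance window if the management session will be closed between the two calls.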
