Deploy a Cloud Witness for a Failover Cluster

Applies to: Windows Server 2019, Windows Server 2016, Windows Server (Semi-Annual Channel)

Cloud Witness is a type of Failover Cluster quorum witness that uses Microsoft Azure to provide a vote on cluster quorum. This topic provides an overview of the Cloud Witness feature, the scenarios that it supports, and instructions about how to configure a cloud witness for a Failover Cluster.

Cloud Witness overview

Figure 1 illustrates a multi-site stretched Failover Cluster quorum configuration with Windows Server 2016. In this example configuration (figure 1), there are 2 nodes in 2 datacenters (referred to as Sites). Note that it is possible for a cluster to span more than 2 datacenters. Also, each datacenter can have more than 2 nodes. A typical cluster quorum configuration in this setup (automatic failover SLA) gives each node a vote. One extra vote is given to the quorum witness to allow the cluster to keep running even if either one of the datacenters experiences a power outage. The math is simple: there are 5 total votes and you need 3 votes for the cluster to keep running.

File Share Witness in a third separate site with 2 nodes in 2 other sites
Figure 1: Using a File Share Witness as a quorum witness

In case of a power outage in one datacenter, to give the cluster in the other datacenter an equal opportunity to keep running, it is recommended to host the quorum witness in a location other than the two datacenters. This typically means requiring a third separate datacenter (site) to host a File Server backing the File Share that is used as the quorum witness (File Share Witness).

Most organizations do not have a third separate datacenter that will host the File Server backing the File Share Witness. This means organizations primarily host the File Server in one of the two datacenters, which by extension makes that datacenter the primary datacenter. In a scenario where there is a power outage in the primary datacenter, the cluster would go down, as the other datacenter would only have 2 votes, which is below the quorum majority of 3 votes needed. For customers that do have a third separate datacenter to host the File Server, it is an overhead to maintain the highly available File Server backing the File Share Witness. Hosting virtual machines in the public cloud that run the File Server for the File Share Witness inside the guest OS is a significant overhead in terms of both setup and maintenance.

Cloud Witness is a new type of Failover Cluster quorum witness that leverages Microsoft Azure as the arbitration point (figure 2). It uses Azure Blob Storage to read/write a blob file, which is then used as an arbitration point in case of split-brain resolution.

There are significant benefits to this approach:

  1. Leverages Microsoft Azure (no need for a third separate datacenter).
  2. Uses standard available Azure Blob Storage (no extra maintenance overhead of virtual machines hosted in the public cloud).
  3. The same Azure Storage Account can be used for multiple clusters (one blob file per cluster; the cluster's unique ID is used as the blob file name).
  4. Very low ongoing cost to the Storage Account (very small data written per blob file; the blob file is updated only when the cluster nodes' state changes).
  5. Built-in Cloud Witness resource type.

Diagram illustrating a multi-site stretched cluster with Cloud Witness as a quorum witness
Figure 2: Multi-site stretched clusters with Cloud Witness as a quorum witness

As shown in figure 2, no third separate site is required. Cloud Witness, like any other quorum witness, gets a vote and can participate in quorum calculations.

Cloud Witness: Supported scenarios for single witness type

If you have a Failover Cluster deployment where all nodes can reach the internet (and by extension Azure), it is recommended that you configure a Cloud Witness as your quorum witness resource.

Some of the scenarios in which Cloud Witness is supported as a quorum witness are as follows:

  • Disaster recovery stretched multi-site clusters (see figure 2).
  • Failover Clusters without shared storage (SQL Always On, etc.).
  • Failover Clusters running inside the guest OS hosted in the Microsoft Azure Virtual Machine Role (or any other public cloud).
  • Failover Clusters running inside the guest OS of virtual machines hosted in private clouds.
  • Storage clusters with or without shared storage, such as Scale-out File Server clusters.
  • Small branch-office clusters (even 2-node clusters).

Starting with Windows Server 2012 R2, it is recommended to always configure a witness, as the cluster automatically manages the witness vote and the node votes with Dynamic Quorum.

Set up a Cloud Witness for a cluster

To set up a Cloud Witness as a quorum witness for your cluster, complete the following steps:

  1. Create an Azure Storage Account to use as a Cloud Witness.
  2. Configure the Cloud Witness as a quorum witness for your cluster.

Create an Azure Storage Account to use as a Cloud Witness

This section describes how to create a storage account and view and copy the endpoint URLs and access keys for that account.

To configure Cloud Witness, you must have a valid Azure Storage Account, which is used to store the blob file (used for arbitration). Cloud Witness creates a well-known container, msft-cloud-witness, under the Microsoft Storage Account. Cloud Witness writes a single blob file under this msft-cloud-witness container, with the corresponding cluster's unique ID used as the blob file name. This means that you can use the same Microsoft Azure Storage Account to configure a Cloud Witness for multiple different clusters.

When you use the same Azure Storage Account to configure Cloud Witness for multiple different clusters, a single msft-cloud-witness container gets created automatically. This container will contain one blob file per cluster.

To create an Azure storage account

  1. Sign in to the Azure Portal.
  2. On the Hub menu, select New -> Data + Storage -> Storage account.
  3. In the Create a storage account page, do the following:

    1. Enter a name for your storage account.
      Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. The storage account name must also be unique within Azure.

    2. For Account kind, select General purpose.
      You can't use a Blob storage account for a Cloud Witness.

    3. For Performance, select Standard.
      You can't use Azure Premium Storage for a Cloud Witness.
    4. For Replication, select Locally-redundant storage (LRS).
      Failover Clustering uses the blob file as the arbitration point, which requires some consistency guarantees when reading the data. Therefore you must select Locally-redundant storage for the Replication type.

View and copy storage access keys for your Azure Storage Account

When you create a Microsoft Azure Storage Account, it is associated with two Access Keys that are automatically generated: a Primary Access Key and a Secondary Access Key. For a first-time creation of Cloud Witness, use the Primary Access Key. There is no restriction regarding which key to use for Cloud Witness.

To view and copy storage access keys

In the Azure Portal, navigate to your storage account, click All settings, and then click Access Keys to view, copy, and regenerate your account access keys. The Access Keys blade also includes pre-configured connection strings using your primary and secondary keys that you can copy to use in your applications (see figure 4).

Snapshot of the Manage Access Keys dialog in Microsoft Azure
Figure 4: Storage Access Keys

When you create a Storage Account, the following URLs are generated using the format: https://<Storage Account Name>.<Storage Type>.<Endpoint>

Cloud Witness always uses Blob as the storage type. Azure uses .core.windows.net as the Endpoint. When configuring Cloud Witness, it is possible to configure it with a different endpoint as required by your scenario (for example, the Microsoft Azure datacenter in China has a different endpoint).

Note

The endpoint URL is generated automatically by the Cloud Witness resource, and no extra configuration step is necessary for the URL.

In the Azure Portal, navigate to your storage account, click All settings, and then click Properties to view and copy your endpoint URLs (see figure 5).

Snapshot of the Cloud Witness endpoint links
Figure 5: Cloud Witness endpoint URL links

For more information about creating and managing Azure Storage Accounts, see About Azure Storage Accounts.

Configure Cloud Witness as a quorum witness for your cluster

Cloud Witness configuration is well integrated within the existing Quorum Configuration Wizard built into Failover Cluster Manager.

To configure Cloud Witness as a Quorum Witness

  1. Launch Failover Cluster Manager.
  2. Right-click the cluster -> More Actions -> Configure Cluster Quorum Settings (see figure 6). This launches the Configure Cluster Quorum wizard.
    Snapshot of the menu path to Configure Cluster Quorum Settings in the Failover Cluster Manager UI
    Figure 6: Cluster Quorum Settings

  3. On the Select Quorum Configuration page, select Select the quorum witness (see figure 7).

    Snapshot of the 'Select the quorum witness' radio button in the Cluster Quorum wizard
    Figure 7: Select the Quorum Configuration

  4. On the Select Quorum Witness page, select Configure a cloud witness (see figure 8).

    Snapshot of the appropriate radio button to select a cloud witness
    Figure 8: Select the Quorum Witness

  5. On the Configure Cloud Witness page, enter the following information:

    1. (Required parameter) Azure Storage Account Name.
    2. (Required parameter) Access Key corresponding to the Storage Account.
      1. When creating for the first time, use the Primary Access Key (see figure 5).
      2. When rotating the Primary Access Key, use the Secondary Access Key (see figure 5).
    3. (Optional parameter) If you intend to use a different Azure service endpoint (for example, the Microsoft Azure service in China), then update the endpoint server name.

      Snapshot of the Cloud Witness configuration pane in the Cluster Quorum wizard
      Figure 9: Configure your Cloud Witness

  6. Upon successful configuration of Cloud Witness, you can view the newly created witness resource in the Failover Cluster Manager snap-in (see figure 10).

    Successful configuration of Cloud Witness
    Figure 10: Successful configuration of Cloud Witness

Configuring Cloud Witness using PowerShell

The existing Set-ClusterQuorum PowerShell command has new additional parameters corresponding to Cloud Witness.

You can configure Cloud Witness using the Set-ClusterQuorum PowerShell command as follows:

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>

In case you need to use a different endpoint (rare):

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey> -Endpoint <servername>

Azure Storage Account considerations with Cloud Witness

When configuring a Cloud Witness as a quorum witness for your Failover Cluster, consider the following:

  • Instead of storing the Access Key, your Failover Cluster will generate and securely store a Shared Access Security (SAS) token.
  • The generated SAS token is valid as long as the Access Key remains valid. When rotating the Primary Access Key, it is important to first update the Cloud Witness (on all your clusters that are using that Storage Account) with the Secondary Access Key before regenerating the Primary Access Key.
  • Cloud Witness uses the HTTPS REST interface of the Azure Storage Account service. This means it requires the HTTPS port to be open on all cluster nodes.
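The rotation order described above (re-point every cluster at the secondary key, verify, and only then regenerate the primary) as an added PowerShell example, not code from the original page. The resource group, storage account and cluster names are placeholders; it assumes the Az.Storage and FailoverClusters modules are available and the account keys are named key1 (primary) and key2 (secondary).

```powershell
# Added example: rotate the storage account key used by Cloud Witness without
# losing the witness vote. Names below are placeholders, not from the page.
$ResourceGroup = 'cw-rg'
$AccountName   = 'cwstorageacct'
$Clusters      = @('cluster01', 'cluster02')   # every cluster sharing this account

# Step 1: read the current secondary key (key2) of the storage account.
$keys      = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName
$secondary = ($keys | Where-Object KeyName -eq 'key2').Value

# Step 2: re-point the Cloud Witness of EVERY cluster at the secondary key
# before touching the primary; each cluster derives a fresh SAS token from it.
foreach ($cluster in $Clusters) {
    Set-ClusterQuorum -Cluster $cluster -CloudWitness -AccountName $AccountName -AccessKey $secondary
}

# Step 3: confirm the witness resource came back Online on each cluster.
foreach ($cluster in $Clusters) {
    $state = (Get-ClusterQuorum -Cluster $cluster).QuorumResource.State
    if ($state -ne 'Online') {
        throw "Cloud Witness on $cluster is $state; do not regenerate key1 yet."
    }
}

# Step 4: only now regenerate the primary key (key1). Any SAS token still
# derived from the old key1 stops working at this point, which is why
# steps 2 and 3 had to run first on all clusters.
New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyName key1 | Out-Null

# Step 5: at the next rotation, repeat with the roles reversed (move the
# clusters to the new key1, then regenerate key2).
```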

Proxy considerations with Cloud Witness

Cloud Witness uses HTTPS (default port 443) to establish communication with the Azure blob service. Ensure that the HTTPS port is accessible via the network proxy.
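A pre-flight check for the requirement above, as an added example that is not part of the original page: it builds the blob endpoint from the URL format given earlier (https://<Storage Account Name>.blob.<Endpoint>) and confirms from every cluster node that it answers over HTTPS, through a proxy if one is configured. The storage account name, endpoint suffix and proxy address are placeholders.

```powershell
# Added example: verify HTTPS (TCP 443) reachability of the Cloud Witness
# blob endpoint from each node of the local cluster. Names are placeholders.
$AccountName    = 'cwstorageacct'
$EndpointSuffix = 'core.windows.net'   # the <Endpoint> part; differs for sovereign clouds
$Proxy          = ''                   # e.g. 'http://proxy.corp.example:8080', or '' for none

# Cloud Witness always uses Blob as the <Storage Type>.
$Url = "https://$AccountName.blob.$EndpointSuffix/"

$probe = {
    param($Url, $Proxy)
    $opts = @{ Uri = $Url; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($Proxy) { $opts.Proxy = $Proxy }
    try {
        Invoke-WebRequest @opts | Out-Null
        return $true
    } catch {
        # An anonymous GET on the account root is answered with an HTTP error
        # (for example 400). Any HTTP response at all proves the HTTPS path
        # works; no response means the port or proxy path is blocked.
        return [bool]$_.Exception.Response
    }
}

# Run the probe on each node itself, so a per-site firewall or proxy gap shows up.
$results = foreach ($node in Get-ClusterNode) {
    $ok = Invoke-Command -ComputerName $node.Name -ScriptBlock $probe -ArgumentList $Url, $Proxy
    [pscustomobject]@{ Node = $node.Name; Endpoint = $Url; HttpsReachable = $ok }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.HttpsReachable }
if ($blocked) {
    Write-Warning "Cloud Witness endpoint unreachable from: $($blocked.Node -join ', ')"
}
```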

See Also