Deploy a Cloud Witness for a Failover Cluster

Applies to: Windows Server 2019, Windows Server 2016

Cloud Witness is a type of Failover Cluster quorum witness that uses Microsoft Azure to provide a vote on cluster quorum. This topic provides an overview of the Cloud Witness feature, the scenarios that it supports, and instructions on how to configure a Cloud Witness for a Failover Cluster.

Cloud Witness overview

Figure 1 illustrates a multi-site stretched Failover Cluster quorum configuration with Windows Server 2016. In this example configuration (figure 1), there are 2 nodes in each of 2 datacenters (referred to as Sites). Note that it is possible for a cluster to span more than 2 datacenters. Also, each datacenter can have more than 2 nodes. A typical cluster quorum configuration in this setup (automatic failover SLA) gives each node a vote. One extra vote is given to the quorum witness to allow the cluster to keep running even if one of the datacenters experiences a power outage. The math is simple: there are 5 total votes and you need 3 votes for the cluster to keep running.

[Figure: File Share Witness in a third separate site with 2 nodes in 2 other sites]
**Figure 1: Using a File Share Witness as a quorum witness**

In case of a power outage in one datacenter, to give the cluster in the other datacenter an equal opportunity to keep running, it is recommended to host the quorum witness in a location other than the two datacenters. This typically means requiring a third separate datacenter (site) to host a File Server that is backing the File Share used as the quorum witness (File Share Witness).

Most organizations do not have a third separate datacenter that can host the File Server backing the File Share Witness. This means organizations primarily host the File Server in one of the two datacenters, which, by extension, makes that datacenter the primary datacenter. In a scenario where there is a power outage in the primary datacenter, the cluster would go down, as the other datacenter would only have 2 votes, which is below the quorum majority of 3 votes needed. For customers that do have a third separate datacenter to host the File Server, it is an overhead to maintain the highly available File Server backing the File Share Witness. Hosting virtual machines in the public cloud that run the File Server for the File Share Witness in the Guest OS is a significant overhead in terms of both setup and maintenance.

Cloud Witness is a new type of Failover Cluster quorum witness that leverages Microsoft Azure as the arbitration point (figure 2). It uses Azure Blob Storage to read/write a blob file, which is then used as an arbitration point in case of split-brain resolution.

There are significant benefits to this approach:

  1. Leverages Microsoft Azure (no need for a third separate datacenter).
  2. Uses standard available Azure Blob Storage (no extra maintenance overhead of virtual machines hosted in the public cloud).
  3. The same Azure Storage Account can be used for multiple clusters (one blob file per cluster; the cluster's unique ID is used as the blob file name).
  4. Very low on-going cost to the Storage Account (very small data written per blob file; the blob file is updated only when the cluster nodes' state changes).
  5. Built-in Cloud Witness resource type.

[Figure: Diagram illustrating a multi-site stretched cluster with Cloud Witness as a quorum witness]
**Figure 2: Multi-site stretched clusters with Cloud Witness as a quorum witness**

As shown in figure 2, no third separate site is required. Cloud Witness, like any other quorum witness, gets a vote and can participate in quorum calculations.

Cloud Witness: Supported scenarios for single witness type

If you have a Failover Cluster deployment where all nodes can reach the internet (and by extension Azure), it is recommended that you configure a Cloud Witness as your quorum witness resource.

Some of the scenarios in which use of Cloud Witness as a quorum witness is supported are as follows:

  • Disaster recovery stretched multi-site clusters (see figure 2).
  • Failover Clusters without shared storage (SQL Always On, etc.).
  • Failover Clusters running inside the Guest OS hosted in the Microsoft Azure Virtual Machine Role (or any other public cloud).
  • Failover Clusters running inside the Guest OS of Virtual Machines hosted in private clouds.
  • Storage clusters with or without shared storage, such as Scale-out File Server clusters.
  • Small branch-office clusters (even 2-node clusters).

Starting with Windows Server 2012 R2, it is recommended to always configure a witness, as the cluster automatically manages the witness vote and the node votes with Dynamic Quorum.

Set up a Cloud Witness for a cluster

To set up a Cloud Witness as a quorum witness for your cluster, complete the following steps:

  1. Create an Azure Storage Account to use as a Cloud Witness.
  2. Configure the Cloud Witness as a quorum witness for your cluster.

Create an Azure Storage Account to use as a Cloud Witness

This section describes how to create a storage account and how to view and copy the endpoint URLs and access keys for that account.

To configure Cloud Witness, you must have a valid Azure Storage Account that can be used to store the blob file (used for arbitration). Cloud Witness creates a well-known container, msft-cloud-witness, under the Microsoft Storage Account. Cloud Witness writes a single blob file, with the corresponding cluster's unique ID used as the file name of the blob, under this msft-cloud-witness container. This means that you can use the same Microsoft Azure Storage Account to configure a Cloud Witness for multiple different clusters.

When you use the same Azure Storage Account to configure Cloud Witness for multiple different clusters, a single msft-cloud-witness container is created automatically. This container will contain one blob file per cluster.

To create an Azure storage account

  1. Sign in to the Azure Portal.
  2. On the Hub menu, select New -> Data + Storage -> Storage account.
  3. In the Create a storage account page, do the following:
    1. Enter a name for your storage account.
      Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. The storage account name must also be unique within Azure.

    2. For Account kind, select General purpose.
      You can't use a Blob storage account for a Cloud Witness.

    3. For Performance, select Standard.
      You can't use Azure Premium Storage for a Cloud Witness.

    4. For Replication, select Locally-redundant storage (LRS).
      Failover Clustering uses the blob file as the arbitration point, which requires some consistency guarantees when reading the data. Therefore you must select Locally-redundant storage for the Replication type.

View and copy storage access keys for your Azure Storage Account

When you create a Microsoft Azure Storage Account, it is associated with two automatically generated Access Keys: the Primary Access Key and the Secondary Access Key. For a first-time creation of Cloud Witness, use the Primary Access Key. There is no restriction regarding which key to use for Cloud Witness.

To view and copy storage access keys

In the Azure Portal, navigate to your storage account, click All settings and then click Access Keys to view, copy, and regenerate your account access keys. The Access Keys blade also includes pre-configured connection strings using your primary and secondary keys that you can copy to use in your applications (see figure 4).

[Figure: Snapshot of the Manage Access Keys dialog in Microsoft Azure]
**Figure 4: Storage Access Keys**

When you create a Storage Account, the following URLs are generated using the format: https://<Storage Account Name>.<Storage Type>.<Endpoint>

Cloud Witness always uses Blob as the storage type. Azure uses .core.windows.net as the Endpoint. When configuring Cloud Witness, you may configure it with a different endpoint as your scenario requires (for example, the Microsoft Azure datacenter in China has a different endpoint).

The endpoint URL is generated automatically by the Cloud Witness resource, and no extra configuration step is necessary for the URL.

In the Azure Portal, navigate to your storage account, click All settings and then click Properties to view and copy your endpoint URLs (see figure 5).

[Figure: Snapshot of the Cloud Witness endpoint links]
**Figure 5: Cloud Witness endpoint URL links**

For more information about creating and managing Azure Storage Accounts, see About Azure Storage Accounts.

Configure Cloud Witness as a quorum witness for your cluster

Cloud Witness configuration is well integrated into the existing Quorum Configuration Wizard built into Failover Cluster Manager.

To configure Cloud Witness as a Quorum Witness

  1. Launch Failover Cluster Manager.

  2. Right-click the cluster -> More Actions -> Configure Cluster Quorum Settings (see figure 6). This launches the Configure Cluster Quorum wizard.
    [Figure: Snapshot of the menu path to Configure Cluster Quorum Settings in the Failover Cluster Manager UI]
    **Figure 6. Cluster Quorum Settings**

  3. On the Select Quorum Configuration page, select Select the quorum witness (see figure 7).

    [Figure: Snapshot of the 'Select the quorum witness' radio button in the Cluster Quorum wizard]
    **Figure 7. Select the Quorum Configuration**

  4. On the Select Quorum Witness page, select Configure a cloud witness (see figure 8).

    [Figure: Snapshot of the radio button used to select a cloud witness]
    **Figure 8. Select the Quorum Witness**

  5. On the Configure Cloud Witness page, enter the following information:

    1. (Required parameter) Azure Storage Account Name.

    2. (Required parameter) Access Key corresponding to the Storage Account.

      1. When creating for the first time, use the Primary Access Key (see figure 5).
      2. When rotating the Primary Access Key, use the Secondary Access Key (see figure 5).
    3. (Optional parameter) If you intend to use a different Azure service endpoint (for example, the Microsoft Azure service in China), then update the endpoint server name.

      [Figure: Snapshot of the Cloud Witness configuration pane in the Cluster Quorum wizard]
      **Figure 9: Configure your Cloud Witness**

  6. Upon successful configuration of Cloud Witness, you can view the newly created witness resource in the Failover Cluster Manager snap-in (see figure 10).

    [Figure: Successful configuration of Cloud Witness]
    **Figure 10: Successful configuration of Cloud Witness**

Configuring Cloud Witness using PowerShell

The existing Set-ClusterQuorum PowerShell command has new additional parameters corresponding to Cloud Witness.

You can configure Cloud Witness using the following Set-ClusterQuorum PowerShell command:

```powershell
Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>
```

In case you need to use a different endpoint (rare):

```powershell
Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey> -Endpoint <servername>
```

Azure Storage Account considerations with Cloud Witness

When configuring a Cloud Witness as a quorum witness for your Failover Cluster, consider the following:

  • Instead of storing the Access Key, your Failover Cluster generates and securely stores a Shared Access Security (SAS) token.
  • The generated SAS token is valid as long as the Access Key remains valid. When rotating the Primary Access Key, it is important to first update the Cloud Witness (on all clusters that are using that Storage Account) with the Secondary Access Key before regenerating the Primary Access Key.
  • Cloud Witness uses the HTTPS REST interface of the Azure Storage Account service. This means it requires the HTTPS port to be open on all cluster nodes.
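The following script is an added example (not code from the original article or from Microsoft) that ties the preceding steps together: it creates the storage account with the settings the article requires, checks that each node can reach the Blob endpoint on TCP 443, configures the witness with Set-ClusterQuorum, and performs key rotation in the order the considerations above require. The resource group, account name, cluster names, the eastus location, the StorageV2 (general-purpose v2) kind and the Invoke-CloudWitnessKeyRotation function name are assumptions for illustration; it requires the Az.Storage and FailoverClusters modules and an existing Connect-AzAccount session.

```powershell
# Added example (not from the original article). Assumes the Az.Storage and
# FailoverClusters modules, an active Connect-AzAccount session, and that the
# three values below are placeholders you replace with your own.
$ResourceGroup = 'rg-cluster-witness'          # placeholder resource group
$AccountName   = 'cwexample01'                 # placeholder: 3-24 lowercase letters/digits, unique in Azure
$Clusters      = @('CLUSTER01', 'CLUSTER02')   # placeholder clusters sharing this storage account

# 1. Create the storage account with the settings the article requires:
#    general-purpose kind (StorageV2 assumed), Standard performance, locally-redundant replication.
$acct = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -Location 'eastus' -SkuName 'Standard_LRS' -Kind 'StorageV2'
if ($acct.Sku.Name -ne 'Standard_LRS') { throw 'Cloud Witness requires locally-redundant storage' }

# 2. Read the two auto-generated access keys; key1 is the primary, key2 the secondary.
$keys     = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName
$primary  = ($keys | Where-Object KeyName -eq 'key1').Value
$blobHost = "$AccountName.blob.core.windows.net"   # Blob storage type on the default .core.windows.net endpoint

foreach ($c in $Clusters) {
    # 3. Every node must reach the Blob endpoint over HTTPS (TCP 443), through any proxy,
    #    before the witness is configured; otherwise the resource cannot come online.
    foreach ($node in Get-ClusterNode -Cluster $c) {
        $reachable = Invoke-Command -ComputerName $node.Name -ArgumentList $blobHost -ScriptBlock {
            param($h) (Test-NetConnection -ComputerName $h -Port 443).TcpTestSucceeded
        }
        if (-not $reachable) { throw "$($node.Name) cannot reach ${blobHost}:443" }
    }

    # 4. Configure the witness. The cluster stores a SAS token derived from the key, not the key itself.
    Set-ClusterQuorum -Cluster $c -CloudWitness -AccountName $AccountName -AccessKey $primary
    $witness = (Get-ClusterQuorum -Cluster $c).QuorumResource
    if ($witness.State -ne 'Online') { throw "Cloud Witness on $c is $($witness.State)" }
}

# 5. Key rotation in the order the article requires: move every cluster that uses this account
#    to the secondary key first, then regenerate the primary. Regenerating first would invalidate
#    the SAS tokens the clusters hold and take the witness offline everywhere at once.
function Invoke-CloudWitnessKeyRotation {
    $keys      = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName
    $secondary = ($keys | Where-Object KeyName -eq 'key2').Value
    foreach ($c in $Clusters) {
        Set-ClusterQuorum -Cluster $c -CloudWitness -AccountName $AccountName -AccessKey $secondary
    }
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyName 'key1' | Out-Null
}
```

Run the rotation function on a schedule that matches your key-rotation policy; after it completes, the clusters are on key2, so the next rotation swaps the roles (update to key1, then regenerate key2).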

Proxy considerations with Cloud Witness

Cloud Witness uses HTTPS (default port 443) to establish communication with the Azure Blob service. Ensure that the HTTPS port is accessible through your network proxy.

See Also