Initialize the HGS cluster using key mode in a new dedicated forest (default)

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016

  1. Clients can easily contact any HGS node by using the failover clustering distributed network name (DNN). You'll need to choose a DNN. This name will be registered in the HGS DNS service. As an example, if you have 3 HGS nodes with hostnames HGS01, HGS02, and HGS03, you might decide to choose "hgs" or "HgsCluster" for the DNN.

  2. Locate your HGS guardian certificates. You will need one signing certificate and one encryption certificate to initialize the HGS cluster. The easiest way to provide certificates to HGS is to create a password-protected PFX file for each certificate which contains both the public and private keys. If you are using HSM-backed keys or other non-exportable certificates, make sure the certificate is installed into the local machine's certificate store before continuing. For more information about which certificates to use, see Obtain certificates for HGS.

  3. Run Initialize-HgsServer in an elevated PowerShell window on the first HGS node. The syntax of this cmdlet supports many different inputs, but the 2 most common invocations are below:

    • If you are using PFX files for your signing and encryption certificates, run the following commands:

      $signingCertPass = Read-Host -AsSecureString -Prompt "Signing certificate password"
      $encryptionCertPass = Read-Host -AsSecureString -Prompt "Encryption certificate password"
      
      Initialize-HgsServer -HgsServiceName 'MyHgsDNN' -SigningCertificatePath '.\signCert.pfx' -SigningCertificatePassword $signingCertPass -EncryptionCertificatePath '.\encCert.pfx' -EncryptionCertificatePassword $encryptionCertPass -TrustHostkey
      
    • If you are using non-exportable certificates that are installed in the local certificate store, run the following command. If you do not know the thumbprints of your certificates, you can list available certificates by running Get-ChildItem Cert:\LocalMachine\My.

      Initialize-HgsServer -HgsServiceName 'MyHgsDNN' -SigningCertificateThumbprint '1A2B3C4D5E6F...' -EncryptionCertificateThumbprint '0F9E8D7C6B5A...' -TrustHostKey
      
  4. If you provided any certificates to HGS using thumbprints, you will be instructed to grant HGS read access to the private key of those certificates. On a server with Desktop Experience installed, complete the following steps:

    1. Open the local computer certificate manager (certlm.msc)
    2. Find the certificate(s) > right-click > All Tasks > Manage Private Keys
    3. Click Add
    4. In the object picker window, click Object Types and enable Service Accounts
    5. Enter the name of the service account mentioned in the warning text from Initialize-HgsServer
    6. Ensure the gMSA has "Read" access to the private key.

    On Server Core, you will need to download a PowerShell module to assist in setting the private key permissions.

    1. Run Install-Module GuardedFabricTools on the HGS server if it has Internet connectivity, or run Save-Module GuardedFabricTools on another computer and copy the module over to the HGS server.

    2. Run Import-Module GuardedFabricTools. This will add additional properties to certificate objects found in PowerShell.

    3. Find your certificate thumbprint in PowerShell with Get-ChildItem Cert:\LocalMachine\My

    4. Update the ACL, replacing the thumbprint with your own and the gMSA account in the code below with the account listed in the warning text of Initialize-HgsServer.

      # The certificate lives in the LocalMachine\My (Personal) store; the thumbprint is a placeholder
      $certificate = Get-Item "Cert:\LocalMachine\My\1A2B3C..."
      # Add-AccessRule is provided by the GuardedFabricTools module imported above
      $certificate.Acl = $certificate.Acl | Add-AccessRule "HgsSvc_1A2B3C" Read Allow
      

    If you are using HSM-backed certificates, or certificates stored in a third-party key storage provider, these steps may not apply to you. Consult your key storage provider's documentation to learn how to manage permissions on your private key. In some cases, there is no authorization, or authorization is provided to the entire computer when the certificate is installed.

  5. That's it! In a production environment, you should continue to add additional HGS nodes to your cluster.
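The pre-flight check for steps 3 and 4 as one script, added here as an example that is not from this page or the GuardedFabricTools module. It verifies that both guardian certificates are present with private keys before Initialize-HgsServer is run, then grants the gMSA Read (and only Read) on the private key file using standard file ACLs instead of Add-AccessRule, and reads the ACL back to confirm. The thumbprints and the account name 'CONTOSO\HgsSvc_1A2B3C$' are placeholders; it assumes software-backed RSA keys in the local machine store (HSM or third-party KSP keys are managed with the provider's tooling, as noted above).

```powershell
# Added example, not from the page. Placeholders: replace with your thumbprints and the gMSA
# named in the Initialize-HgsServer warning (gMSA account names end with '$').
$SigningThumbprint    = '1A2B3C4D5E6F...'
$EncryptionThumbprint = '0F9E8D7C6B5A...'
$HgsAccount           = 'CONTOSO\HgsSvc_1A2B3C$'

function Test-HgsGuardianCert {
    param([string]$Thumbprint, [string]$Role)
    # Both certificates must sit in LocalMachine\My with a usable private key
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "$Role certificate $Thumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$Role certificate expires $($cert.NotAfter)" }
    return $cert
}

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CNG (KSP) keys expose Key.UniqueName under Crypto\Keys; legacy CAPI (CSP) keys
    # expose UniqueKeyContainerName under Crypto\RSA\MachineKeys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Account)
    $path = Get-PrivateKeyFilePath $Cert
    if (-not (Test-Path $path)) { throw "Key file for $($Cert.Thumbprint) not found at $path (HSM/KSP key?)" }
    $acl  = Get-Acl $path
    # Least privilege: the service only needs Read on the key file, never FullControl
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Read the ACL back and confirm an Allow entry for the account includes Read
    $readMask = [System.Security.AccessControl.FileSystemRights]::Read
    $ok = (Get-Acl $path).Access | Where-Object {
        $_.IdentityReference -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readMask) -eq $readMask)
    }
    if (-not $ok) { throw "ACL verification failed for $Account on $path" }
    Write-Host "Granted Read on private key of '$($Cert.Subject)' to $Account"
}

$signing    = Test-HgsGuardianCert -Thumbprint $SigningThumbprint    -Role 'Signing'
$encryption = Test-HgsGuardianCert -Thumbprint $EncryptionThumbprint -Role 'Encryption'
foreach ($c in @($signing, $encryption)) { Grant-PrivateKeyRead -Cert $c -Account $HgsAccount }
```

Run it from an elevated PowerShell window after Initialize-HgsServer reports the gMSA name; if the key file cannot be located the key is not a software-backed machine key and the provider's own permission tooling applies.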

Next step