Initialize the HGS cluster using TPM mode in an existing bastion forest

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

Active Directory Domain Services will be installed on the machine, but should remain unconfigured.

Locate your HGS guardian certificates. You will need one signing certificate and one encryption certificate to initialize the HGS cluster. The easiest way to provide certificates to HGS is to create a password-protected PFX file for each certificate which contains both the public and private keys. If you are using HSM-backed keys or other non-exportable certificates, make sure the certificate is installed into the local machine's certificate store before continuing. For more information about which certificates to use, see Obtain certificates for HGS.

Before you continue, ensure that you have prestaged your cluster objects for the Host Guardian Service and granted the logged-in user Full Control over the VCO and CNO objects in Active Directory. The virtual computer object name needs to be passed to the -HgsServiceName parameter, and the cluster name to the -ClusterName parameter.

Tip

Double check your AD Domain Controllers to ensure your cluster objects have replicated to all DCs before continuing.
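The following pre-flight check is an added example, not part of the original article. It queries every domain controller in the domain for the prestaged CNO and VCO computer objects so that you can see which DCs have not yet received them, and then confirms that the logged-in user holds Full Control (GenericAll) on each object. The CNO name `HgsCluster` is an assumed value; the VCO name `HgsService` is taken from the article. It requires the ActiveDirectory PowerShell module.

```powershell
# Added example: verify prestaged HGS cluster objects before running Initialize-HgsServer.
# Assumed names: CNO 'HgsCluster' (not in the article), VCO 'HgsService' (from the article).
Import-Module ActiveDirectory

$clusterObjects = @('HgsCluster', 'HgsService')
$currentUser    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Check that every DC has replicated both computer objects.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$missing = foreach ($dc in $dcs) {
    foreach ($name in $clusterObjects) {
        try {
            $null = Get-ADComputer -Identity $name -Server $dc -ErrorAction Stop
        } catch {
            # Object not found (or DC unreachable) - report it rather than stopping.
            [pscustomobject]@{ DomainController = $dc; Object = $name; Error = $_.Exception.Message }
        }
    }
}

if ($missing) {
    Write-Warning 'Cluster objects are not present on all DCs yet; wait for replication:'
    $missing | Format-Table -AutoSize
} else {
    Write-Host "Both cluster objects are present on all $($dcs.Count) DC(s)."
}

# 2. Check that the logged-in user has Full Control on each object.
foreach ($name in $clusterObjects) {
    $dn  = (Get-ADComputer -Identity $name).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $fullControl = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $currentUser -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    }
    if ($fullControl) {
        Write-Host "$currentUser has Full Control on $name."
    } else {
        Write-Warning "$currentUser does NOT have an explicit Full Control entry on $name (group-based grants are not resolved by this check)."
    }
}
```

The ACL check only matches a direct ACE for the current user; if Full Control was granted through a group, the warning is a false positive, so treat it as a prompt to verify the permission rather than as a hard failure.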

If you are using PFX-based certificates, run the following commands on the HGS server:

# Prompt for the PFX passwords without echoing them to the console
$signingCertPass = Read-Host -AsSecureString -Prompt "Signing certificate password"
$encryptionCertPass = Read-Host -AsSecureString -Prompt "Encryption certificate password"

# Install the group managed service account that HGS will run under
Install-ADServiceAccount -Identity 'HGSgMSA'

# Initialize HGS in the existing domain, trusting TPM-based attestation
Initialize-HgsServer -UseExistingDomain -ServiceAccount 'HGSgMSA' -JeaReviewersGroup 'HgsJeaReviewers' -JeaAdministratorsGroup 'HgsJeaAdmins' -HgsServiceName 'HgsService' -SigningCertificatePath '.\signCert.pfx' -SigningCertificatePassword $signingCertPass -EncryptionCertificatePath '.\encCert.pfx' -EncryptionCertificatePassword $encryptionCertPass -TrustTpm

If you are using certificates installed on the local machine (such as HSM-backed certificates and non-exportable certificates), use the -SigningCertificateThumbprint and -EncryptionCertificateThumbprint parameters instead.
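The thumbprint-based variant, as an added example that is not part of the original article: it looks the two certificates up in the local machine personal store by subject name, confirms each one has a usable private key (which is what a non-exportable or HSM-backed certificate still must expose to HGS), and passes the thumbprints to Initialize-HgsServer. The subject names `CN=HGS Signing` and `CN=HGS Encryption` are assumed values; the service account, group and service names are those used in the article.

```powershell
# Added example: initialize HGS with certificates already installed in the local machine store.
# Assumed subject names (not from the article): 'CN=HGS Signing' and 'CN=HGS Encryption'.
function Get-HgsCertThumbprint {
    param([Parameter(Mandatory)][string] $Subject)

    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending   # prefer the longest-lived match

    if (-not $certs) {
        throw "No certificate with subject '$Subject' and an accessible private key was found in Cert:\LocalMachine\My."
    }
    if ($certs.Count -gt 1) {
        Write-Warning "Multiple certificates match '$Subject'; using the one expiring last ($($certs[0].Thumbprint))."
    }
    if ($certs[0].NotAfter -lt (Get-Date)) {
        throw "Certificate $($certs[0].Thumbprint) for '$Subject' has expired."
    }
    return $certs[0].Thumbprint
}

$signingThumbprint    = Get-HgsCertThumbprint -Subject 'CN=HGS Signing'
$encryptionThumbprint = Get-HgsCertThumbprint -Subject 'CN=HGS Encryption'

Install-ADServiceAccount -Identity 'HGSgMSA'

Initialize-HgsServer -UseExistingDomain -ServiceAccount 'HGSgMSA' `
    -JeaReviewersGroup 'HgsJeaReviewers' -JeaAdministratorsGroup 'HgsJeaAdmins' `
    -HgsServiceName 'HgsService' `
    -SigningCertificateThumbprint $signingThumbprint `
    -EncryptionCertificateThumbprint $encryptionThumbprint `
    -TrustTpm
```

Because the private keys never leave the store, no PFX password is needed here; the gMSA that HGS runs under must however be granted read access to those private keys, which is a separate step from selecting the thumbprints.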

Next step