Troubleshooting Using the Guarded Fabric Diagnostic Tool

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the use of the Guarded Fabric Diagnostic Tool to identify and remediate common failures in the deployment, configuration, and on-going operation of guarded fabric infrastructure. This includes the Host Guardian Service (HGS), all guarded hosts, and supporting services such as DNS and Active Directory. The diagnostic tool can be used to perform a first pass at triaging a failing guarded fabric, providing administrators with a starting point for resolving outages and identifying misconfigured assets. The tool is not a replacement for a sound grasp of operating a guarded fabric and only serves to rapidly verify the most common issues encountered during day-to-day operations.

Full documentation of the cmdlets used in this article can be found in the HgsDiagnostics module reference.

Note

When running the Guarded Fabric diagnostics tool (Get-HgsTrace -RunDiagnostics), an incorrect status may be returned claiming that the HTTPS configuration is broken when it is, in fact, not broken or not in use. This error can be returned regardless of the HGS attestation mode. The possible root causes are as follows:

  • HTTPS is indeed improperly configured/broken
  • You're using admin-trusted attestation and the trust relationship is broken
        - This is irrespective of whether HTTPS is configured properly, improperly, or not in use at all.

Note that the diagnostics will only return this incorrect status when targeting a Hyper-V host. If the diagnostics are targeting the Host Guardian Service, the status returned will be correct.

Quick Start

You can diagnose either a guarded host or an HGS node by calling the following from a Windows PowerShell session with local administrator privileges:

Get-HgsTrace -RunDiagnostics -Detailed

This will automatically detect the role of the current host and diagnose any relevant issues that can be automatically detected. All of the results generated during this process are displayed because the -Detailed switch is present.

The remainder of this topic provides a detailed walkthrough of the advanced usage of Get-HgsTrace, such as diagnosing multiple hosts at once and detecting complex cross-node misconfiguration.

Diagnostics Overview

Guarded fabric diagnostics are available on any host with shielded virtual machine related tools and features installed, including hosts running Server Core. Presently, diagnostics are included with the following features/packages:

  1. Host Guardian Service Role
  2. Host Guardian Hyper-V Support
  3. VM Shielding Tools for Fabric Management
  4. Remote Server Administration Tools (RSAT)

This means that diagnostic tools will be available on all guarded hosts, HGS nodes, certain fabric management servers, and any Windows 10 workstations with RSAT installed. Diagnostics can be invoked from any of the above machines with the intent of diagnosing any guarded host or HGS node in a guarded fabric; using remote trace targets, diagnostics can locate and connect to hosts other than the machine running diagnostics.

Every host targeted by diagnostics is referred to as a "trace target." Trace targets are identified by their hostnames and roles. Roles describe the function a given trace target performs in a guarded fabric. Presently, trace targets support the HostGuardianService and GuardedHost roles. Note that it is possible for a host to occupy multiple roles at once, and this is also supported by diagnostics; however, this should not be done in production environments. The HGS and Hyper-V hosts should be kept separate and distinct at all times.

Administrators can begin any diagnostic task by running Get-HgsTrace. This command performs two distinct functions based on the switches provided at runtime: trace collection and diagnosis. These two combined make up the entirety of the Guarded Fabric Diagnostic Tool. Though not explicitly required, most useful diagnostics require traces that can only be collected with administrator credentials on the trace target. If the user executing trace collection holds insufficient privileges, traces requiring elevation will fail while all others will pass. This allows partial diagnosis in the event an under-privileged operator is performing triage.

Trace collection

By default, Get-HgsTrace will only collect traces and save them to a temporary folder. Traces take the form of a folder, named after the targeted host, filled with specially formatted files that describe how the host is configured. The traces also contain metadata that describe how the diagnostics were invoked to collect the traces. This data is used by diagnostics to rehydrate information about the host when performing manual diagnosis.

If necessary, traces can be manually reviewed. All formats are either human-readable (XML) or may be readily inspected using standard tools (e.g. X509 certificates and the Windows Crypto Shell Extensions). Note, however, that traces are not designed for manual diagnosis, and it is always more effective to process the traces with the diagnosis facilities of Get-HgsTrace.

The results of running trace collection do not make any indication as to the health of a given host. They simply indicate that traces were collected successfully. It is necessary to use the diagnosis facilities of Get-HgsTrace to determine whether the traces indicate a failing environment.

Using the -Diagnostic parameter, you can restrict trace collection to only those traces required to operate the specified diagnostics. This reduces the amount of data collected as well as the permissions required to invoke diagnostics.

Diagnosis

Collected traces can be diagnosed by providing Get-HgsTrace the location of the traces via the -Path parameter and specifying the -RunDiagnostics switch. Additionally, Get-HgsTrace can perform collection and diagnosis in a single pass when given the -RunDiagnostics switch and a list of trace targets. If no trace targets are provided, the current machine is used as an implicit target, with its role inferred by inspecting the installed Windows PowerShell modules.

Diagnosis will provide results in a hierarchical format showing which trace targets, diagnostic sets, and individual diagnostics are responsible for a particular failure. Failures include remediation and resolution recommendations if a determination can be made as to what action should be taken next. By default, passing and irrelevant results are hidden. To see everything tested by diagnostics, specify the -Detailed switch. This will cause all results to appear regardless of their status.

It is possible to restrict the set of diagnostics that are run using the -Diagnostic parameter. This allows you to specify which classes of diagnostic should be run against the trace targets, suppressing all others. Examples of available diagnostic classes include networking, best practices, and client hardware. Consult the cmdlet documentation for an up-to-date list of available diagnostics.

Warning

Diagnostics are not a replacement for a strong monitoring and incident response pipeline. There is a System Center Operations Manager package available for monitoring guarded fabrics, as well as various event log channels that can be monitored to detect issues early. Diagnostics can then be used to quickly triage these failures and establish a course of action.

Targeting Diagnostics

Get-HgsTrace operates against trace targets. A trace target is an object that corresponds to an HGS node or a guarded host inside a guarded fabric. It can be thought of as an extension to a PSSession that includes information required only by diagnostics, such as the role of the host in the fabric. Targets can be generated implicitly (e.g. local or manual diagnosis) or explicitly with the New-HgsTraceTarget command.

Local Diagnosis

By default, Get-HgsTrace will target the localhost (i.e. where the cmdlet is being invoked). This is referred to as the implicit local target. The implicit local target is only used when no targets are provided in the -Target parameter and no pre-existing traces are found in the -Path.

The implicit local target uses role inference to determine what role the current host plays in the guarded fabric. This is based on the installed Windows PowerShell modules, which roughly correspond to what features have been installed on the system. The presence of the HgsServer module will cause the trace target to take the role HostGuardianService, and the presence of the HgsClient module will cause the trace target to take the role GuardedHost. It is possible for a given host to have both modules present, in which case it will be treated as both a HostGuardianService and a GuardedHost.

Therefore, the default invocation of diagnostics for collecting traces locally:

Get-HgsTrace

...is equivalent to the following:

New-HgsTraceTarget -Local | Get-HgsTrace

Tip

Get-HgsTrace can accept targets via the pipeline or directly via the -Target parameter. There is no operational difference between the two.

Remote Diagnosis Using Trace Targets

It is possible to remotely diagnose a host by generating trace targets with remote connection information. All that is required is the hostname and a set of credentials capable of connecting using Windows PowerShell remoting.

# Get-Credential prompts for the user name and password of the account used for the remote session
$server = New-HgsTraceTarget -HostName "hgs-01.secure.contoso.com" -Role HostGuardianService -Credential (Get-Credential)
Get-HgsTrace -RunDiagnostics -Target $server

This example will generate a prompt to collect the remote user credentials, and then diagnostics will run using the remote host at hgs-01.secure.contoso.com to complete trace collection. The resulting traces are downloaded to the localhost and then diagnosed. The results of diagnosis are presented the same as when performing local diagnosis. Similarly, it is not necessary to specify a role, as it can be inferred based on the Windows PowerShell modules installed on the remote system.

Remote diagnosis utilizes Windows PowerShell remoting for all accesses to the remote host. Therefore it is a prerequisite that the trace target have Windows PowerShell remoting enabled (see Enable-PSRemoting) and that the localhost is properly configured for launching connections to the target.

Note

In most cases, it is only necessary that the localhost be a part of the same Active Directory forest and that a valid DNS hostname is used. If your environment utilizes a more complicated federation model or you wish to use direct IP addresses for connectivity, you may need to perform additional configuration such as setting the WinRM trusted hosts.

You can verify that a trace target is properly instantiated and configured to accept connections by using the Test-HgsTraceTarget cmdlet:

# Get-Credential prompts for the remote account; the pipeline then hands the target to the connectivity test
$server = New-HgsTraceTarget -HostName "hgs-01.secure.contoso.com" -Role HostGuardianService -Credential (Get-Credential)
$server | Test-HgsTraceTarget

This command will return $True if and only if Get-HgsTrace would be able to establish a remote diagnostic session with the trace target. Upon failure, this cmdlet returns relevant status information for further troubleshooting of the Windows PowerShell remoting connection.

Implicit Credentials

When performing remote diagnosis as a user with sufficient privileges to connect remotely to the trace target, it is not necessary to supply credentials to New-HgsTraceTarget. The Get-HgsTrace cmdlet will automatically reuse the credentials of the user that invoked the cmdlet when opening a connection.

Warning

Some restrictions apply to reusing credentials, particularly when performing what is known as a "second hop." This occurs when attempting to reuse credentials from inside a remote session to reach another machine. It is necessary to set up CredSSP to support this scenario, but this is outside the scope of guarded fabric management and troubleshooting.

Using Windows PowerShell Just Enough Administration (JEA) and Diagnostics

Remote diagnosis supports the use of JEA-constrained Windows PowerShell endpoints. By default, remote trace targets will connect using the default microsoft.powershell endpoint. If the trace target has the HostGuardianService role, it will also attempt to use the microsoft.windows.hgs endpoint, which is configured when HGS is installed.

If you want to use a custom endpoint, you must specify the session configuration name while constructing the trace target using the -PSSessionConfigurationName parameter, as below:

# -PSSessionConfigurationName selects the JEA endpoint instead of the default microsoft.powershell endpoint
New-HgsTraceTarget -HostName "hgs-01.secure.contoso.com" -Role HostGuardianService -Credential (Get-Credential) -PSSessionConfigurationName "microsoft.windows.hgs"

Diagnosing Multiple Hosts

You can pass multiple trace targets to Get-HgsTrace at once. This includes a mix of local and remote targets. Each target will be traced in turn, and then the traces from every target will be diagnosed together. The diagnostic tool can use the increased knowledge of your deployment to identify complex cross-node misconfigurations that would not otherwise be detectable. Using this feature only requires providing traces from multiple hosts simultaneously (in the case of manual diagnosis) or targeting multiple hosts when calling Get-HgsTrace (in the case of remote diagnosis).

Here is an example of using remote diagnosis to triage a fabric composed of two HGS nodes and two guarded hosts, where one of the guarded hosts is being used to launch Get-HgsTrace.

# Each HGS node prompts for credentials; the roles are inferred from the modules installed on the remote hosts
$hgs01 = New-HgsTraceTarget -HostName "hgs-01.secure.contoso.com" -Credential (Get-Credential)
$hgs02 = New-HgsTraceTarget -HostName "hgs-02.secure.contoso.com" -Credential (Get-Credential)
$gh01 = New-HgsTraceTarget -Local
$gh02 = New-HgsTraceTarget -HostName "guardedhost-02.contoso.com"
Get-HgsTrace -Target $hgs01,$hgs02,$gh01,$gh02 -RunDiagnostics
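The same four-node run, driven from a host list and with each remote target checked by Test-HgsTraceTarget before diagnosis so that one unreachable node does not turn every cross-node test into a remoting failure. This is an added example, not code from the original article; the hostnames, the $fabric table and the shared HGS credential are assumptions.

```powershell
# Added example (not from the original article). Assumes three remote hosts and
# that the account prompted for below is an administrator on both HGS nodes.
$hgsCred = Get-Credential -Message "Account with administrator rights on the HGS nodes"

# Hosts to triage. A $null credential means Get-HgsTrace reuses the caller's identity
# (implicit credentials), which is enough when the caller is a domain admin of that host.
$fabric = @(
    @{ Name = "hgs-01.secure.contoso.com";  Role = "HostGuardianService"; Credential = $hgsCred }
    @{ Name = "hgs-02.secure.contoso.com";  Role = "HostGuardianService"; Credential = $hgsCred }
    @{ Name = "guardedhost-02.contoso.com"; Role = "GuardedHost";         Credential = $null }
)

# The guarded host running this script is diagnosed through the local target.
$targets = @(New-HgsTraceTarget -Local)

foreach ($h in $fabric) {
    $params = @{ HostName = $h.Name; Role = $h.Role }
    if ($h.Credential) { $params.Credential = $h.Credential }
    $t = New-HgsTraceTarget @params

    # Test-HgsTraceTarget returns $True only when a remote diagnostic session can be
    # opened; anything else is status information, so compare against $true explicitly.
    if (($t | Test-HgsTraceTarget) -eq $true) {
        $targets += $t
    } else {
        Write-Warning "Skipping $($h.Name): Windows PowerShell remoting session could not be established"
    }
}

# Traces from every reachable target are collected in turn and diagnosed together,
# which is what lets cross-node misconfiguration be detected. -Detailed shows passing results too.
Get-HgsTrace -Target $targets -RunDiagnostics -Detailed
```

A node that was skipped still shows up indirectly, because diagnostics that depend on its trace fail only for the affected tests while the rest of the run proceeds.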

Note

You do not need to diagnose your entire guarded fabric when diagnosing multiple nodes. In many cases it is sufficient to include all nodes that may be involved in a given failure condition. This is usually a subset of the guarded hosts, and some number of nodes from the HGS cluster.

Manual Diagnosis Using Saved Traces

Sometimes you may want to re-run diagnostics without collecting traces again, or you may not have the necessary credentials to remotely diagnose all of the hosts in your fabric simultaneously. Manual diagnosis is a mechanism by which you can still perform a whole-fabric triage using Get-HgsTrace, but without using remote trace collection.

Before performing manual diagnosis, you will need to ensure the administrators of each host in the fabric that will be triaged are ready and willing to execute commands on your behalf. Diagnostic trace output does not expose any information that is generally viewed as sensitive; however, it is incumbent on the user to determine if it is safe to expose this information to others.

Note

Traces are not anonymized and reveal network configuration, PKI settings, and other configuration that is sometimes considered private information. Therefore, traces should only be transmitted to trusted entities within an organization and never posted publicly.

The steps to perform a manual diagnosis are as follows:

  1. Request that each host administrator run Get-HgsTrace specifying a known -Path and the list of diagnostics you intend to run against the resulting traces. For example:

    Get-HgsTrace -Path C:\Traces -Diagnostic Networking,BestPractices
    
  2. Request that each host administrator package the resulting traces folder and send it to you. This process can be driven over e-mail, via file shares, or any other mechanism based on the operating policies and procedures established by your organization.

  3. Merge all received traces into a single folder, with no other contents or folders.

    • For example, assume you had your administrators send you traces collected from four machines named HGS-01, HGS-02, RR1N2608-12, and RR1N2608-13. Each administrator would have sent you a folder by the same name. You would assemble a directory structure that appears as follows:

      FabricTraces
      |- HGS-01
      |  |- TargetMetadata.xml
      |  |- Metadata.xml
      |  |- [any other trace files for this host]
      |- HGS-02
      |  |- [...]
      |- RR1N2608-12
      |  |- [...]
      |- RR1N2608-13
         |- [...]
      
  4. Execute diagnostics, providing the path to the assembled trace folder on the -Path parameter and specifying the -RunDiagnostics switch as well as those diagnostics for which you asked your administrators to collect traces. Diagnostics will assume it cannot access the hosts found inside the path and will therefore attempt to use only the pre-collected traces. If any traces are missing or damaged, diagnostics will fail only the affected tests and proceed normally. For example:

    Get-HgsTrace -RunDiagnostics -Diagnostic Networking,BestPractices -Path ".\FabricTraces"
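A pre-flight check of the assembled folder before step 4, as an added example that is not part of the original article: it verifies the layout step 3 calls for (one sub-folder per host, each carrying the TargetMetadata.xml and Metadata.xml shown in the listing, and nothing else at the top level) and then hands the folder to Get-HgsTrace. The root path, the diagnostic list and the choice to continue after warnings are assumptions.

```powershell
# Added example (not from the original article). Assumes the merged traces live
# under $root and that the administrators were asked for Networking and BestPractices.
$root     = "C:\Traces\FabricTraces"
$required = "TargetMetadata.xml", "Metadata.xml"   # file names taken from the article's listing

$problems = @()

# Step 3: the merged folder must contain only the per-host trace folders.
Get-ChildItem -Path $root -File | ForEach-Object {
    $problems += "Stray file at top level of ${root}: $($_.Name)"
}

$hostDirs = Get-ChildItem -Path $root -Directory
if (-not $hostDirs) {
    $problems += "No host trace folders found under $root"
}

# Every host folder is named after the host and carries the two metadata files that
# let diagnostics rehydrate the target without reaching the host over the network.
foreach ($dir in $hostDirs) {
    foreach ($f in $required) {
        if (-not (Test-Path -Path (Join-Path -Path $dir.FullName -ChildPath $f))) {
            $problems += "Trace folder '$($dir.Name)' is missing $f"
        }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    # A missing or damaged trace fails only the affected tests, so the run can still go
    # ahead; replace the comment with a 'throw' if you prefer to have the traces resent first.
}

# Step 4: diagnose using only the pre-collected traces; no host inside $root is contacted.
Get-HgsTrace -RunDiagnostics -Diagnostic Networking,BestPractices -Path $root -Detailed
```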
    

Mixing Saved Traces with Additional Targets

In some cases, you may have a set of pre-collected traces that you wish to augment with additional host traces. It is possible to mix pre-collected traces with additional targets that will be traced and diagnosed in a single call of diagnostics.

Following the instructions above to collect and assemble a trace folder, call Get-HgsTrace with additional trace targets not found in the pre-collected trace folder:

# Get-Credential prompts for the account used to reach the one host that has no pre-collected trace
$hgs03 = New-HgsTraceTarget -HostName "hgs-03.secure.contoso.com" -Credential (Get-Credential)
Get-HgsTrace -RunDiagnostics -Target $hgs03 -Path .\FabricTraces

The diagnostic cmdlet will identify all pre-collected hosts and the one additional host that still needs to be traced, and will perform the necessary tracing. The sum of all pre-collected and freshly gathered traces will then be diagnosed. The resulting trace folder will contain both the old and new traces.

Known issues

The guarded fabric diagnostics module has known limitations when run on Windows Server 2019 or Windows 10, version 1809 and newer OS versions. Use of the following features may cause erroneous results:

  • Host key attestation
  • Attestation-only HGS configuration (for SQL Server Always Encrypted scenarios)
  • Use of v1 policy artifacts on an HGS server where the attestation policy default is v2

A failure in Get-HgsTrace when using these features does not necessarily indicate that the HGS server or guarded host is misconfigured. Use other diagnostic tools like Get-HgsClientConfiguration on a guarded host to test whether the host has passed attestation.