Configure HGS fallback URLs in VMM

Important

This version of Virtual Machine Manager (VMM) has reached the end of support. We recommend that you upgrade to VMM 2019.

This article describes how to define the fallback Host Guardian Service (HGS) URLs in System Center - Virtual Machine Manager (VMM) global settings. For information about guarded fabrics, see this article.

Because it provides the attestation and key protection services needed to run shielded VMs on Hyper-V hosts, the Host Guardian Service (HGS) should keep operating even in a disaster.

With the fallback HGS configuration feature in VMM, a guarded host can be configured with a primary and a secondary pair of HGS URLs (an attestation URI and a key protection URI). This capability enables scenarios such as guarded fabric deployments that span two data centers for disaster recovery, or HGS running as shielded VMs.

The primary HGS URLs are always used in preference to the secondary. If the primary HGS fails to respond after the appropriate timeout and retry count, the operation is reattempted against the secondary. Subsequent operations always favor the primary; the secondary is used only when the primary fails.

Before you start

Ensure you have deployed and configured the Host Guardian Service before proceeding. Learn more about configuring HGS.

Configure fallback HGS

Use the following steps:

  1. Navigate to VMM Settings > General Settings > Host Guardian Service settings.

  2. Open the Host Guardian Service settings. You should see a section for Fallback Configurations.

  3. Define the primary and fallback HGS URLs and click Finish.

  4. Enable the fallback URLs on the host: navigate to Host Properties > Host Guardian Service, select Enable Host Guardian Hyper-V support and use the URLs as configured as global settings in VMM, and then click OK.

    Note

    After this step, the VMM service configures the supported hosts with the primary and fallback HGS URLs. Only hosts running Windows Server 1709 and later support fallback HGS URLs.

PowerShell command updates

  1. The following two parameters are added to the existing Set-SCVMHost PowerShell command:

    • AttestationFallbackServerUrl
    • KeyProtectionFallbackServerUrl

    Here is the sample syntax.

    
    Set-SCVMHost [-VMHost] <Host> [-ApplyLatestCodeIntegrityPolicy] [-AttestationServerUrl <String>] [-AttestationFallbackServerUrl <String>]
    [-AvailableForPlacement <Boolean>] [-BMCAddress <String>]
    [-BMCCustomConfigurationProvider <ConfigurationProvider>] [-BMCPort <UInt32>]
    [-BMCProtocol <OutOfBandManagementType>] [-BMCRunAsAccount <RunAsAccount>] [-BaseDiskPaths <String>]
    [-BypassMaintenanceModeCheck] [-CPUPercentageReserve <UInt16>] [-CodeIntegrityPolicy <CodeIntegrityPolicy>]
    [-Custom1 <String>] [-Custom10 <String>] [-Custom2 <String>] [-Custom3 <String>] [-Custom4 <String>]
    [-Custom5 <String>] [-Custom6 <String>] [-Custom7 <String>] [-Custom8 <String>] [-Custom9 <String>]
    [-Description <String>] [-DiskSpaceReserveMB <UInt64>] [-EnableLiveMigration <Boolean>]
    [-FibreChannelWorldWideNodeName <String>] [-FibreChannelWorldWidePortNameMaximum <String>]
    [-FibreChannelWorldWidePortNameMinimum <String>] [-IsDedicatedToNetworkVirtualizationGateway <Boolean>]
    [-JobGroup <Guid>] [-JobVariable <String>] [-KeyProtectionServerUrl <String>] [-KeyProtectionFallbackServerUrl <String>] [-LiveMigrationMaximum <UInt32>]
    [-LiveStorageMigrationMaximum <UInt32>] [-MaintenanceHost <Boolean>] [-ManagementAdapterMACAddress <String>]
    [-MaxDiskIOReservation <UInt64>] [-MemoryReserveMB <UInt64>]
    [-MigrationAuthProtocol <MigrationAuthProtocolType>]
    [-MigrationPerformanceOption <MigrationPerformanceOptionType>] [-MigrationSubnet <String[]>]
    [-NetworkPercentageReserve <UInt16>] [-NumaSpanningEnabled <Boolean>] [-OverrideHostGroupReserves <Boolean>]
    [-PROTipID <Guid>] [-RemoteConnectCertificatePath <String>] [-RemoteConnectEnabled <Boolean>]
    [-RemoteConnectPort <UInt32>] [-RemoveRemoteConnectCertificate] [-RunAsynchronously] [-SMBiosGuid <Guid>]
    [-SecureRemoteConnectEnabled <Boolean>] [-UseAnyMigrationSubnet <Boolean>]
    [-VMHostManagementCredential <VMMCredential>] [-VMPaths <String>] [<CommonParameters>]
    
  2. The following parameter is added to Get-SCGuardianConfiguration to let the user specify the HGS from which the metadata is fetched.

    [-Guardian {Primary | Fallback}]

    Syntax

    Get-SCGuardianConfiguration [-Guardian {Primary | Fallback}] [-OnBehalfOfUser <String>] [-OnBehalfOfUserRole <UserRole>] [-VMMServer <ServerConnection>] [<CommonParameters>]
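
The following script is an added example, not part of the original article. It shows one way to pre-check a primary and fallback URL pair, confirm that VMM can fetch metadata from both HGS instances, and then apply the pair to one host with the parameters described above. The host name and all URLs are constructed placeholders, and the script assumes the same URLs are already saved in the VMM global settings and that the host runs Windows Server 1709 or later.

```powershell
# Added example: host name and HGS URLs are constructed placeholders.
$hostName = 'hv01.contoso.example'
$hgs = @{
    AttestationServerUrl           = 'https://hgs-dc1.contoso.example/Attestation'
    KeyProtectionServerUrl         = 'https://hgs-dc1.contoso.example/KeyProtection'
    AttestationFallbackServerUrl   = 'https://hgs-dc2.contoso.example/Attestation'
    KeyProtectionFallbackServerUrl = 'https://hgs-dc2.contoso.example/KeyProtection'
}

# Reject malformed values before they are pushed to a guarded host.
foreach ($name in $hgs.Keys) {
    $uri = $null
    $ok  = [Uri]::TryCreate($hgs[$name], [UriKind]::Absolute, [ref]$uri)
    if (-not $ok -or $uri.Scheme -notin 'http', 'https') {
        throw "$name is not an absolute http(s) URL: $($hgs[$name])"
    }
}

# A fallback that points at the primary HGS gives no resilience in a disaster.
$pairs = @(
    @('AttestationServerUrl',   'AttestationFallbackServerUrl'),
    @('KeyProtectionServerUrl', 'KeyProtectionFallbackServerUrl')
)
foreach ($pair in $pairs) {
    $primaryHost  = ([Uri]$hgs[$pair[0]]).Host
    $fallbackHost = ([Uri]$hgs[$pair[1]]).Host
    if ($primaryHost -eq $fallbackHost) {
        throw "$($pair[1]) uses the same HGS host as $($pair[0]): $primaryHost"
    }
}

# Confirm VMM can fetch guardian metadata from both HGS instances.
# Assumption: the URLs above match those saved in VMM global settings.
foreach ($guardian in 'Primary', 'Fallback') {
    Get-SCGuardianConfiguration -Guardian $guardian -ErrorAction Stop | Out-Null
    Write-Host "Metadata retrieved from $guardian HGS"
}

# Apply the primary and fallback pair to the host.
$vmHost = Get-SCVMHost -ComputerName $hostName -ErrorAction Stop
Set-SCVMHost -VMHost $vmHost @hgs -ErrorAction Stop | Out-Null

# Show what the host itself now reports as its HGS client configuration.
Invoke-Command -ComputerName $hostName -ScriptBlock { Get-HgsClientConfiguration }
```

Running the metadata check against the Fallback guardian before a failover is needed confirms that the secondary HGS is actually reachable from VMM.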
    

Next steps