Deploy a Cloud Witness for a Failover Cluster

Applies to: Windows Server 2019, Windows Server 2016

Cloud Witness is a type of Failover Cluster quorum witness that uses Microsoft Azure to provide a vote on cluster quorum. This topic provides an overview of the Cloud Witness feature, the scenarios that it supports, and instructions for configuring a cloud witness for a Failover Cluster.

Cloud Witness overview

Figure 1 illustrates a multi-site stretched Failover Cluster quorum configuration with Windows Server 2016. In this example configuration (figure 1), there are 2 nodes in each of 2 datacenters (referred to as Sites). Note that a cluster can span more than 2 datacenters, and each datacenter can have more than 2 nodes. A typical cluster quorum configuration in this setup (automatic failover SLA) gives each node a vote. One extra vote is given to the quorum witness to allow the cluster to keep running even if either one of the datacenters experiences a power outage. The math is simple: there are 5 total votes, and you need 3 votes for the cluster to keep running.

Figure 1: Using a File Share Witness as a quorum witness

If one datacenter loses power, the cluster in the other datacenter should have an equal opportunity to keep running, so it is recommended to host the quorum witness in a location other than the two datacenters. This typically means requiring a third separate datacenter (site) to host a File Server that backs the File Share used as the quorum witness (File Share Witness).

Most organizations do not have a third separate datacenter to host the File Server backing the File Share Witness. This means organizations primarily host the File Server in one of the two datacenters, which, by extension, makes that datacenter the primary datacenter. In a scenario where there is a power outage in the primary datacenter, the cluster would go down, as the other datacenter would have only 2 votes, which is below the quorum majority of 3 votes needed. For customers that do have a third separate datacenter to host the File Server, maintaining the highly available File Server backing the File Share Witness is an overhead. Hosting virtual machines in the public cloud that have the File Server for the File Share Witness running in the Guest OS is a significant overhead in terms of both setup and maintenance.

Cloud Witness is a new type of Failover Cluster quorum witness that leverages Microsoft Azure as the arbitration point (figure 2). It uses Azure Blob Storage to read/write a blob file, which is then used as an arbitration point in case of split-brain resolution.

This approach has significant benefits:

  1. Leverages Microsoft Azure (no need for a third separate datacenter).
  2. Uses standard available Azure Blob Storage (no extra maintenance overhead of virtual machines hosted in public cloud).
  3. The same Azure Storage Account can be used for multiple clusters (one blob file per cluster; the cluster unique ID is used as the blob file name).
  4. Very low ongoing cost to the Storage Account (very small data written per blob file, blob file updated only once when cluster nodes' state changes).
  5. Built-in Cloud Witness resource type.

Figure 2: Multi-site stretched clusters with Cloud Witness as a quorum witness

As shown in figure 2, no third separate site is required. Cloud Witness, like any other quorum witness, gets a vote and can participate in quorum calculations.

Cloud Witness: Supported scenarios for single witness type

If you have a Failover Cluster deployment where all nodes can reach the internet (and, by extension, Azure), it is recommended that you configure a Cloud Witness as your quorum witness resource.

Some of the scenarios in which Cloud Witness is supported as a quorum witness are as follows:

  • Disaster recovery stretched multi-site clusters (see figure 2).
  • Failover Clusters without shared storage (SQL Always On etc.).
  • Failover Clusters running inside Guest OS hosted in Microsoft Azure Virtual Machine Role (or any other public cloud).
  • Failover Clusters running inside Guest OS of Virtual Machines hosted in private clouds.
  • Storage clusters with or without shared storage, such as Scale-out File Server clusters.
  • Small branch-office clusters (even 2-node clusters).

Starting with Windows Server 2012 R2, it is recommended to always configure a witness, as the cluster automatically manages the witness vote and the node votes with Dynamic Quorum.

Set up a Cloud Witness for a cluster

To set up a Cloud Witness as a quorum witness for your cluster, complete the following steps:

  1. Create an Azure Storage Account to use as a Cloud Witness.
  2. Configure the Cloud Witness as a quorum witness for your cluster.

Create an Azure Storage Account to use as a Cloud Witness

This section describes how to create a storage account and how to view and copy the endpoint URLs and access keys for that account.

To configure Cloud Witness, you must have a valid Azure Storage Account that can be used to store the blob file (used for arbitration). Cloud Witness creates a well-known container, msft-cloud-witness, under the Microsoft Storage Account. Cloud Witness writes a single blob file under this msft-cloud-witness container, with the corresponding cluster's unique ID used as the file name of the blob file. This means that you can use the same Microsoft Azure Storage Account to configure a Cloud Witness for multiple different clusters.

When you use the same Azure Storage Account to configure Cloud Witness for multiple different clusters, a single msft-cloud-witness container is created automatically. This container will contain one blob file per cluster.

To create an Azure storage account

  1. Sign in to the Azure Portal.
  2. On the Hub menu, select New -> Data + Storage -> Storage account.
  3. In the Create a storage account page, do the following:
    1. Enter a name for your storage account.
      Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. The storage account name must also be unique within Azure.

    2. For Account kind, select General purpose.
      You can't use a Blob storage account for a Cloud Witness.

    3. For Performance, select Standard.
      You can't use Azure Premium Storage for a Cloud Witness.

    4. For Replication, select Locally-redundant storage (LRS).
      Failover Clustering uses the blob file as the arbitration point, which requires some consistency guarantees when reading the data. Therefore you must select Locally-redundant storage for Replication type.

View and copy storage access keys for your Azure Storage Account

When you create a Microsoft Azure Storage Account, it is associated with two Access Keys that are automatically generated: the Primary Access Key and the Secondary Access Key. For a first-time creation of Cloud Witness, use the Primary Access Key. There is no restriction regarding which key to use for Cloud Witness.

To view and copy storage access keys

In the Azure Portal, navigate to your storage account, click All settings, and then click Access Keys to view, copy, and regenerate your account access keys. The Access Keys blade also includes pre-configured connection strings using your primary and secondary keys that you can copy to use in your applications (see figure 4).

Figure 4: Storage Access Keys

When you create a Storage Account, the following URLs are generated using the format: https://<Storage Account Name>.<Storage Type>.<Endpoint>

Cloud Witness always uses Blob as the storage type. Azure uses .core.windows.net as the Endpoint. When configuring Cloud Witness, you may need to configure it with a different endpoint depending on your scenario (for example, the Microsoft Azure datacenter in China has a different endpoint).

Note

The endpoint URL is generated automatically by the Cloud Witness resource, and no extra configuration step is necessary for the URL.

In the Azure Portal, navigate to your storage account, click All settings, and then click Properties to view and copy your endpoint URLs (see figure 5).

Figure 5: Cloud Witness endpoint URL links

For more information about creating and managing Azure Storage Accounts, see About Azure Storage Accounts.

Configure Cloud Witness as a quorum witness for your cluster

Cloud Witness configuration is integrated into the existing Quorum Configuration Wizard built into the Failover Cluster Manager.

To configure Cloud Witness as a Quorum Witness

  1. Launch Failover Cluster Manager.

  2. Right-click the cluster -> More Actions -> Configure Cluster Quorum Settings (see figure 6). This launches the Configure Cluster Quorum wizard.

    Figure 6. Cluster Quorum Settings

  3. On the Select Quorum Configurations page, select Select the quorum witness (see figure 7).

    Figure 7. Select the Quorum Configuration

  4. On the Select Quorum Witness page, select Configure a cloud witness (see figure 8).

    Figure 8. Select the Quorum Witness

  5. On the Configure Cloud Witness page, enter the following information:

    1. (Required parameter) Azure Storage Account Name.

    2. (Required parameter) Access Key corresponding to the Storage Account.

      1. When creating for the first time, use the Primary Access Key (see figure 5).
      2. When rotating the Primary Access Key, use the Secondary Access Key (see figure 5).
    3. (Optional parameter) If you intend to use a different Azure service endpoint (for example, the Microsoft Azure service in China), then update the endpoint server name.

      Figure 9: Configure your Cloud Witness

  6. Upon successful configuration of Cloud Witness, you can view the newly created witness resource in the Failover Cluster Manager snap-in (see figure 10).

    Figure 10: Successful configuration of Cloud Witness

Configuring Cloud Witness using PowerShell

The existing Set-ClusterQuorum PowerShell command has new parameters corresponding to Cloud Witness.

You can configure Cloud Witness with the Set-ClusterQuorum cmdlet using the following PowerShell command:

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>

If you need to use a different endpoint (rare):

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey> -Endpoint <servername>

Azure Storage Account considerations with Cloud Witness

When configuring a Cloud Witness as a quorum witness for your Failover Cluster, consider the following:

  • Instead of storing the Access Key, your Failover Cluster generates and securely stores a Shared Access Security (SAS) token.
  • The generated SAS token is valid as long as the Access Key remains valid. When rotating the Primary Access Key, it is important to first update the Cloud Witness (on all your clusters that are using that Storage Account) with the Secondary Access Key before regenerating the Primary Access Key.
  • Cloud Witness uses the HTTPS REST interface of the Azure Storage Account service. This means it requires the HTTPS port to be open on all cluster nodes.
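The rotation order described in the list above, as an added PowerShell example (not part of the original page and not Microsoft's own script). It assumes the Az.Storage and FailoverClusters modules, an existing Connect-AzAccount session, and hypothetical resource group, storage account, and cluster names.

```powershell
#Requires -Modules Az.Storage, FailoverClusters
# Added example: rotate the Primary Access Key without invalidating any witness.
# All names below are hypothetical placeholders.
$ResourceGroup = 'rg-witness'
$AccountName   = 'contosowitness'
$Clusters      = 'CLUSTER-A', 'CLUSTER-B'   # every cluster that uses this account

# 1. Fetch the Secondary Access Key (key2). It is never written to the console.
$keys      = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName
$secondary = ($keys | Where-Object KeyName -eq 'key2').Value

# 2. Re-configure the Cloud Witness on every cluster with the Secondary key,
#    so each cluster generates a new SAS token that does not depend on key1.
$failed = @()
foreach ($cluster in $Clusters) {
    try {
        Set-ClusterQuorum -Cluster $cluster -CloudWitness -AccountName $AccountName `
            -AccessKey $secondary -ErrorAction Stop | Out-Null

        # Confirm the witness resource came back online before moving on.
        $witness = (Get-ClusterQuorum -Cluster $cluster).QuorumResource
        if ($witness.State -ne 'Online') {
            throw "witness resource state is $($witness.State)"
        }
        Write-Host "${cluster}: Cloud Witness now uses the Secondary Access Key"
    }
    catch {
        $failed += $cluster
        Write-Warning "${cluster}: update failed: $($_.Exception.Message)"
    }
}

# 3. Regenerate the Primary key (key1) only if every cluster was updated.
#    Regenerating earlier would invalidate SAS tokens still derived from key1.
if ($failed.Count -gt 0) {
    throw "Primary key NOT regenerated; fix these clusters first: $($failed -join ', ')"
}
New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName `
    -KeyName key1 | Out-Null
Write-Host "Primary Access Key regenerated for $AccountName"
```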

Proxy considerations with Cloud Witness

Cloud Witness uses HTTPS (default port 443) to establish communication with the Azure blob service. Ensure that the HTTPS port is accessible via the network proxy.
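A pre-deployment check for the port requirement above, as an added PowerShell example (not from the original page). It assumes PowerShell remoting is enabled on the cluster nodes and uses a hypothetical storage account name; the host name follows the page's https://<Storage Account Name>.<Storage Type>.<Endpoint> format.

```powershell
#Requires -Modules FailoverClusters
# Added example: verify every cluster node can reach the witness blob endpoint on 443.
$AccountName = 'contosowitness'      # hypothetical storage account name
$Endpoint    = 'core.windows.net'    # default endpoint; change for other Azure clouds
$BlobHost    = "$AccountName.blob.$Endpoint"

# Only nodes that are currently up can be queried remotely.
$nodes = Get-ClusterNode | Where-Object State -eq 'Up'

$results = Invoke-Command -ComputerName $nodes.Name -ArgumentList $BlobHost -ScriptBlock {
    param($target)
    # Direct TCP test from the node itself. This does not traverse a web proxy,
    # so a failure on a proxied network means the proxy path must be checked separately.
    $tcp = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Node     = $env:COMPUTERNAME
        Target   = $target
        Resolved = [bool]$tcp.RemoteAddress     # DNS resolution succeeded
        Tcp443   = $tcp.TcpTestSucceeded        # outbound HTTPS port reachable
    }
} | Select-Object Node, Target, Resolved, Tcp443

$results | Format-Table -AutoSize

# Every node needs access, because any node may have to arbitrate via the witness.
$blocked = $results | Where-Object { -not $_.Tcp443 }
if ($blocked) {
    Write-Warning "No direct HTTPS path to $BlobHost from: $($blocked.Node -join ', ')"
}
```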

See Also