Azure HCI
Introduction
Welcome to today’s session! This event is designed
to provide an in-depth understanding of Azure Stack
HCI and offer direct access to our experts to address
your queries.
Agenda:
• Overview of Azure Stack HCI
• Deployment and Configuration
• Advanced Scenarios and Use Cases
• Performance Optimization
• Security and Compliance
Matthew Bratschun, Senior Customer Engineer, Microsoft
Islam Gomaa, Senior Customer Engineer, Microsoft
Today's content is designed for IT Professionals, System Architects, and Technical Decision Makers.
Typical scenarios: retail, manufacturing and branch offices; shift workers, healthcare, education and computer-aided design; securing your Windows Server and SQL Server estate on-premises.
Azure Resource Manager provides Identity, RBAC and Network for the cluster resource.
1. New Configuration
Select this option if this is the first time you deploy an HCI Cluster from the portal and
you don’t have an existing template. Through the deployment flow steps you will
define all the parameters manually
2. Template Spec
Select this option if you already deployed an HCI Cluster and you stored a template in
your Subscription Library. Once the template is loaded, the parameters over the next
steps will be automatically populated with the template values. You will still be
required to create a new Azure Storage Account to store the Cloud Witness Secrets.
3. QuickStart template
Select this option if you already deployed an HCI Cluster and you stored a template in
the QuickStart library. Once the template is loaded, the parameters will be
automatically populated through the next steps of the deployment flow. You will still
be required to create a new Azure Storage Account to store the Cloud Witness
Secrets
Network topology diagrams:
• Converged network (north-south and storage on the same ports). What if you have only 2 ports? Each Hyper-V host has two 10 GbE physical NICs teamed into a SET VM switch, and the storage 1 and storage 2 host vNICs ride on that switch.
• Storage switchless. The SMB1 and SMB2 10 GbE adapters carry storage traffic directly between the nodes, while a SET VM switch on the remaining NICs carries the converged north-south traffic.
Deployment
• Storage (E-W) is directly connected node to node (iWARP recommended)
• No need to configure Data Center Bridging (DCB) features
• This option is practicable for HCI clusters with 2-3 physical nodes
• Hybrid: supported
• Three-node deployment: supported using ARM/Bicep templates
Microsoft Confidential
Proxy Deployment
• https://youtu.be/qRnh5-jelXI
• Configure proxy settings for Azure Stack HCI, version 23H2 - Azure Stack HCI | Microsoft Learn
1. Configure proxy settings for WinInet
2. Configure proxy settings for WinHTTP
3. Configure proxy settings for Environment Variables
# Proxy server the nodes will use (e.g. proxy.contoso.com:8080)
$proxyServer = "192.168.1.254:3128"
# Bypass list: everything that must NOT go through the proxy. Use '*' for domain suffixes and whole subnets (e.g. 192.168.1.*):
#   - the IP address of each cluster node
#   - the NetBIOS name of each node and of the cluster
#   - *.<your AD domain>
#   - the second IP address of the infrastructure pool, which becomes the ARB IP
#     (with a pool of 192.168.1.10 - 192.168.1.30: .10 = cluster, .11 = ARB IP)
$BypassList = "localhost,127.0.0.1,*.svc,01-HCI-1,01-HCI-2,hci01nested,192.168.1.2,192.168.1.3,*.HCI01.org,192.168.1.11"

#WinInet (Set-WinInetProxy comes from the WinInetProxy module: Install-Module -Name WinInetProxy)
Set-WinInetProxy -ProxySettingsPerUser 0 -ProxyServer $proxyServer -ProxyBypass $BypassList

#Environment variables. The scheme is http:// even for HTTPS_PROXY, because the proxy itself is reached over plain HTTP
[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://$proxyServer", "Machine")
$env:HTTPS_PROXY = [System.Environment]::GetEnvironmentVariable("HTTPS_PROXY", "Machine")

#WinHTTP (same server and bypass list as WinInet)
netsh winhttp set proxy $proxyServer bypass-list=$BypassList

#Test WebRequest: this goes through WinInet, so expect a 200 before starting the deployment
Invoke-WebRequest -Uri https://www.microsoft.com -UseBasicParsing
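The three proxy stores above are set independently, and a node whose cluster traffic is sent to the proxy fails environment validation later with a much less obvious error. The following check is an added example (it is not part of the session deck or the Microsoft documentation it links): it reads WinInet, WinHTTP and the machine-level HTTPS_PROXY back, compares them against the expected proxy, and confirms that every node name, node IP and the ARB IP is matched by the bypass list. The proxy address and node names are assumptions taken from the script above; the WinInet values are read from the HKLM Internet Settings key, which is where per-machine settings (ProxySettingsPerUser 0) live.

```powershell
# Added example: verify that WinInet, WinHTTP and HTTPS_PROXY agree and that the
# bypass list covers every cluster address. Values below are assumptions from the
# proxy script above; replace them with your own.

function Get-HciProxyState {
    # Per-machine WinInet settings (ProxySettingsPerUser = 0) are stored under HKLM
    $inet = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue

    # WinHTTP has no cmdlet, so parse the text output of netsh
    $winhttp = (& netsh winhttp show proxy) -join "`n"
    $server  = if ($winhttp -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { $null }
    $bypass  = if ($winhttp -match 'Bypass List\s*:\s*(.+)')        { $Matches[1].Trim() } else { $null }

    [pscustomobject]@{
        WinInetEnabled = [bool]$inet.ProxyEnable
        WinInetServer  = $inet.ProxyServer
        WinInetBypass  = $inet.ProxyOverride
        WinHttpServer  = $server
        WinHttpBypass  = $bypass
        EnvHttpsProxy  = [Environment]::GetEnvironmentVariable('HTTPS_PROXY', 'Machine')
    }
}

function Test-HciProxyConfig {
    param(
        [Parameter(Mandatory)][string]$ExpectedProxy,   # host:port, no scheme
        [Parameter(Mandatory)][string[]]$MustBypass     # node names, node IPs, cluster name, ARB IP
    )
    $s = Get-HciProxyState
    $problems = [System.Collections.Generic.List[string]]::new()

    if (-not $s.WinInetEnabled -or $s.WinInetServer -ne $ExpectedProxy) {
        $problems.Add("WinInet proxy is '$($s.WinInetServer)' (enabled=$($s.WinInetEnabled)), expected '$ExpectedProxy'")
    }
    if ($s.WinHttpServer -ne $ExpectedProxy) {
        $problems.Add("WinHTTP proxy is '$($s.WinHttpServer)', expected '$ExpectedProxy'")
    }
    if ($s.EnvHttpsProxy -ne "http://$ExpectedProxy") {
        $problems.Add("HTTPS_PROXY is '$($s.EnvHttpsProxy)', expected 'http://$ExpectedProxy'")
    }

    # Both stores may use ',' or ';' as separator. -like honours the '*' wildcards
    # used for domain suffixes and subnets, and is case-insensitive.
    $stores = @{ WinInet = $s.WinInetBypass; WinHTTP = $s.WinHttpBypass }
    foreach ($store in $stores.GetEnumerator()) {
        $entries = @($store.Value -split '[;,]' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($target in $MustBypass) {
            if (-not ($entries | Where-Object { $target -like $_ })) {
                $problems.Add("$($store.Key) bypass list does not cover $target")
            }
        }
    }

    [pscustomobject]@{
        Consistent = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
        State      = $s
    }
}

# Usage with the values from the script above (assumptions)
$check = Test-HciProxyConfig -ExpectedProxy '192.168.1.254:3128' `
    -MustBypass '01-HCI-1', '01-HCI-2', 'hci01nested', '192.168.1.2', '192.168.1.3', '192.168.1.11', 'node.HCI01.org'
$check.Problems

# Reachability through the proxy, independent of whatever WinInet currently holds
try   { (Invoke-WebRequest -Uri 'https://www.microsoft.com' -UseBasicParsing -Proxy 'http://192.168.1.254:3128').StatusCode }
catch { $_.Exception.Message }
```

Run it on every node after the proxy script, not just on the seed node: the deployment reads the proxy settings on each node it touches, and a single node with a stale WinHTTP setting is enough to fail the Arc onboarding step.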
Cluster provisioning – Management Tab
1. Azure Custom Location
a. You can leave this option blank or use your own custom location for Arc services.
b. If you leave the option blank, the deployment will use the default name.
2. Storage account for the Cloud Witness
a. Only two-node clusters require a Cloud Witness, which uses a storage account in Azure. However,
the portal always requires a storage account, even for other configurations, to ensure
that it exists if it is needed in the future.
3. Active Directory details
a. Enter the fully qualified domain name of the AD domain in which you are creating the HCI cluster.
It must be the same one used during the AD preparation step.
b. Enter the AD prefix that you defined during the AD preparation step.
c. Enter the OU path created during AD preparation.
4. AD user account
a. Enter the username and password you created during the AD preparation step. The
password must meet the complexity requirements explained previously in this guide.
5. Local Administrator
a. Enter the local administrator account of the nodes. The password must be the same
across all nodes of the same cluster and must meet the complexity requirements
explained previously in this guide.
1. Security settings: you can disable some or all of the security settings if your deployment requires it. The recommended settings are applied by default, so treat each one you turn off as a deliberate, documented exception rather than a convenience.
Define the Tags you want for your HCI Cluster resource
Log File Locations: Deployment
• During validation
• C:\CloudDeployment\Logs\EnvironmentValidatorFull*
• When initially starting the deployment, and the config is loaded into ECEEngine
• C:\MASLogs\LCMECELiteLogs
• During the deployment, as a first point of reference. There will be multiple files, as a new file is created after
each reboot during the deployment
• C:\CloudDeployment\Logs\CloudDeployment* (on the seed node)
• C:\Windows\Cluster\Reports
• C:\ClusterStorage\Infrastructure_1\ArcHci\ubercrud.log
Troubleshooting Case #1: Blocked URL during Arc Onboarding
• Log: C:\Users\asLocalAdmin\.AzStackHci\AzStackHciArcIntegration.log
Reason:
• A URL required for Arc onboarding is blocked by the proxy or firewall
Next Step:
• Allow the URL through the proxy or firewall
• Re-run the Invoke-AzStackHciArcInitialization command
Troubleshooting Case #2: Incorrect Local Credentials
• Log: C:\MASLogs\LCMECELiteLogs\InvokeEnvironmentChecker%timestamp%.log
Reason:
• The environment checker is attempting to start validation on the node, but the credentials supplied are rejected
Next Step:
• At this point the node is not yet joined to the domain, so the account must be the local admin user
• Confirm the credentials stored in the Key Vault under "LocalAdminCredential". The secret is base64-encoded and can be viewed with the following command:
• $base64 = ""  # paste the secret value from Key Vault here
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))
• This prints the password in clear text, so run it in a console that is not being transcribed and clear the history afterwards
• If the credentials need to be updated, move back through the portal
wizard, update and re-run, or re-run the ARM template with the updated
credentials
Troubleshooting Case #3: Incorrect LCM User Credentials / Incorrect Domain Name
• Log: C:\MASLogs\LCMECELiteLogs\InvokeEnvironmentChecker%timestamp%.log
Reason:
• The environment checker is attempting to connect to the domain, but the credentials are
not accepted
Next Step:
• Confirm the credentials stored in the Key Vault under "AzureStackLCMUserCredential". The secret is base64-encoded and can be viewed with the following command:
• $base64 = ""  # paste the secret value from Key Vault here
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))
• This prints the password in clear text, so run it in a console that is not being transcribed and clear the history afterwards
• Check that the domain name is correct in the unattended.json file
(C:\CloudDeployment\DeploymentData\Unattended.json)
• Ensure the OU exists and the permissions have been set correctly
• If the credentials or domain name need to be updated, move back
through the portal wizard, update and re-run, or re-run the ARM template
with the updated values
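Cases #2 and #3 both come down to the same question: does the secret in the Key Vault actually authenticate? The decode one-liner above answers that by printing the password, which then sits in the console buffer and in any transcript. The following is an added example (not from the session deck or Microsoft's documentation) that pulls LocalAdminCredential and AzureStackLCMUserCredential from the deployment Key Vault, decodes them into PSCredential objects, and validates the local one against the node and the LCM one against the domain, reporting only the username and a true/false result. It assumes the secrets are stored as base64("username:password"), the Key Vault name and domain are placeholders, and it needs the Az.KeyVault module and a Connect-AzAccount session with get/list permission on secrets.

```powershell
# Added example: validate the deployment credentials held in Key Vault without
# echoing a password. Vault name, domain and the secret layout are assumptions.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function ConvertFrom-HciCredentialSecret {
    param([Parameter(Mandatory)][string]$Base64)
    # Assumption: the stored value is base64("user:password"). Split on the FIRST
    # colon only, because the password itself may contain colons.
    $plain = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
    $idx = $plain.IndexOf(':')
    if ($idx -lt 1) { throw 'Secret is not in user:password form' }
    $user = $plain.Substring(0, $idx)
    $pass = ConvertTo-SecureString $plain.Substring($idx + 1) -AsPlainText -Force
    [pscredential]::new($user, $pass)
}

function Test-HciCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [ValidateSet('Machine', 'Domain')][string]$Scope = 'Machine',
        [string]$Domain   # FQDN, required when -Scope Domain
    )
    $ctxType = [DirectoryServices.AccountManagement.ContextType]::$Scope
    $ctx = if ($Scope -eq 'Domain') {
        [DirectoryServices.AccountManagement.PrincipalContext]::new($ctxType, $Domain)
    } else {
        [DirectoryServices.AccountManagement.PrincipalContext]::new($ctxType)
    }
    try {
        # ValidateCredentials wants the bare account name, not HOST\user or DOMAIN\user
        $user = $Credential.UserName.Split('\')[-1]
        $ctx.ValidateCredentials($user, $Credential.GetNetworkCredential().Password)
    } finally {
        $ctx.Dispose()
    }
}

# --- usage (assumed names) ---
$vault  = 'kv-hci01-deploy'   # assumption: the deployment Key Vault
$domain = 'HCI01.org'         # assumption: the AD domain used in AD preparation

$local = ConvertFrom-HciCredentialSecret (Get-AzKeyVaultSecret -VaultName $vault -Name 'LocalAdminCredential' -AsPlainText)
$lcm   = ConvertFrom-HciCredentialSecret (Get-AzKeyVaultSecret -VaultName $vault -Name 'AzureStackLCMUserCredential' -AsPlainText)

[pscustomobject]@{
    LocalAdminUser  = $local.UserName
    LocalAdminValid = Test-HciCredential -Credential $local -Scope Machine      # Case #2
    LcmUser         = $lcm.UserName
    LcmValid        = Test-HciCredential -Credential $lcm -Scope Domain -Domain $domain   # Case #3
}
```

Run it on the seed node as the local administrator: the Machine check only tells you something about the node it runs on, and the Domain check needs DNS resolution of the domain name from that node, which is also the first thing to verify when Case #3 points at the domain name rather than the password.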
Troubleshooting Case #5: RDMA Misconfiguration
• Log: C:\CloudDeployment\Logs\EnvironmentValidatorFull%timestamp%.log
Reason:
• The RDMA check failed: RDMA was enabled on the management
intent, but the NIC did not support it
Next Step:
• Check the RDMA configuration of the switch port and resolve any issues
• Confirm whether RDMA is actually required on that intent (storage intents use it; a management-only intent does not)
• If the configuration needs to be changed to disable it, move back through
the portal wizard, update and re-run, or re-run the ARM template with the
updated configuration
Troubleshooting Case #6: Deployment Failed At Create Cluster
• Log: C:\clouddeployment\logs...CloudDeployment.2024%timestamp%.log
Reason:
• Storage VLAN 711 was not allowed on the switch
Next Step:
• Update the switch configuration so the storage VLAN is allowed on the storage ports
• Resume the deployment from the portal
Troubleshooting Case #7: Deployment Failed At Create Cluster
• Log: C:\clouddeployment\logs...CloudDeployment.2024%timestamp%.log
Reason:
• IPv6 was enabled on the interfaces
Next Step:
• Disable IPv6 on all interfaces
• Resume the deployment from the portal
Troubleshooting Case #8: Failed Cluster Registration with Azure
• Logs: C:\clouddeployment\logs...CloudDeployment.2024%timestamp%.log
• C:\CloudContent\RegisterHCI_%timestamp%.log
Reason:
• This was a difficult one to identify, but it came down to the TPM
being disabled in the BIOS. The TPM is used when creating the
certificates for the registration
Next Step:
• Enable the TPM in the BIOS/UEFI on every node and confirm it reports as present and ready
• Resume the deployment from the portal
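Cases #5 to #8 are all conditions a node can check on itself before validation starts. The following is an added example (not from the session deck): one pre-flight function that confirms RDMA is enabled on the storage adapters and not on the management adapters (Case #5), that the peer node's storage addresses answer on SMB/445, which is what fails when the storage VLAN is not allowed on the switch port (Case #6), that IPv6 is unbound on every adapter with an optional switch to apply the fix (Case #7), and that the TPM is present and ready (Case #8). Adapter names, peer IPs and the VLAN number are assumptions taken from the diagram and the cases above; substitute the values from your own intent definition and run it elevated on each node.

```powershell
# Added example: per-node pre-flight for Cases #5 to #8. All parameter defaults
# are assumptions; pass your own adapter names and peer storage IPs.

function Test-HciNodePreflight {
    param(
        [string[]]$StorageAdapters    = @('SMB1', 'SMB2'),           # assumption: switchless storage NICs
        [string[]]$ManagementAdapters = @('Mgmt1', 'Mgmt2'),         # assumption: management/compute NICs
        [string[]]$PeerStorageIPs     = @('10.71.1.2', '10.71.2.2'), # assumption: other node's storage IPs
        [int]$ExpectedStorageVlan     = 711,                         # VLAN from Case #6
        [switch]$DisableIPv6                                         # apply the Case #7 fix, not just report it
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Case #5: RDMA belongs on storage intents; on a management adapter whose NIC
    # cannot do it, validation fails.
    foreach ($a in $StorageAdapters) {
        $rdma = Get-NetAdapterRdma -Name $a -ErrorAction SilentlyContinue
        if (-not $rdma)             { $findings.Add("$($a): adapter not found") }
        elseif (-not $rdma.Enabled) { $findings.Add("$($a): RDMA disabled on a storage adapter") }
    }
    foreach ($a in $ManagementAdapters) {
        $rdma = Get-NetAdapterRdma -Name $a -ErrorAction SilentlyContinue
        if ($rdma -and $rdma.Enabled) {
            $findings.Add("$($a): RDMA enabled on a management adapter; disable it unless the NIC and switch port support it")
        }
    }

    # Case #6: a storage VLAN the switch does not allow shows up as no SMB path to the peer.
    foreach ($ip in $PeerStorageIPs) {
        $reachable = Test-NetConnection -ComputerName $ip -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $reachable) {
            $findings.Add("no SMB/445 path to $ip; check that VLAN $ExpectedStorageVlan is allowed on the storage switch ports")
        }
    }

    # Case #7: IPv6 still bound on an adapter.
    foreach ($b in Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled) {
        if ($DisableIPv6) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
            $findings.Add("IPv6 was bound on $($b.Name); now disabled")
        } else {
            $findings.Add("IPv6 still bound on $($b.Name)")
        }
    }

    # Case #8: registration creates its certificates with the TPM.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add("TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady); enable it in UEFI/BIOS before registering")
    }

    [pscustomobject]@{
        Node     = $env:COMPUTERNAME
        Passed   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Report only; add -DisableIPv6 once the findings have been reviewed
Test-HciNodePreflight | Format-List
```

The SMB/445 probe is deliberately run from the host's own storage adapters rather than from a management address: a successful ping over the management VLAN says nothing about whether VLAN 711 is allowed on the storage ports.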
How to open a support case if needed
• Ensure that you have run Send-DiagnosticData (with the from and to times at least 1 hour
either side of the failure) and have its output ready to provide to the support engineer
How to Check Arc Agent Status
• Change directory to C:\Program Files\AzureConnectedMachineAgent
.\azcmagent.exe show
How to Check Arc Agent Connectivity
• Change directory to C:\Program Files\AzureConnectedMachineAgent
.\azcmagent.exe check
How to Check Arc Agent Connectivity (pre-onboarding)
• Change directory to C:\Program Files\AzureConnectedMachineAgent
.\azcmagent.exe check -l westeurope
• -l is the Azure region the cluster will be registered in; the agent tests the endpoints for that region before the machine is onboarded
How to Remove Arc Integration
$SubscriptionID = ""
$RG = ""
$Region = ""   # not used by the Remove cmdlet; kept for reference
$Tenant = ""
Connect-AzAccount -SubscriptionId $SubscriptionID -TenantId $Tenant -UseDeviceAuthentication
# Get the access token used for the registration
# (newer Az.Accounts versions return this as a SecureString; convert it with ConvertFrom-SecureString -AsPlainText if the cmdlet rejects it)
$ARMtoken = (Get-AzAccessToken).Token
# Get the account ID used for the registration
$id = (Get-AzContext).Account.Id
Remove-AzStackHciArcInitialization -SubscriptionID $SubscriptionID -ResourceGroup $RG -TenantID $Tenant -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id
How to Remove Extension
$SubscriptionID = ""
$RG = ""
$Tenant = ""
$ExtensionName = ""   # name of the extension to remove, as listed by Get-AzConnectedMachineExtension -MachineName $name -ResourceGroupName $RG
$name = $env:COMPUTERNAME
Connect-AzAccount -SubscriptionId $SubscriptionID -TenantId $Tenant -UseDeviceAuthentication
Remove-AzConnectedMachineExtension -MachineName $name -Name $ExtensionName -ResourceGroupName $RG -SubscriptionId $SubscriptionID -NoWait