
L400 Technical Deep Dive Azure Stack HCI:

Introduction
Welcome to today’s session! This event is designed
to provide an in-depth understanding of Azure Stack
HCI and offer direct access to our experts to address
your queries.

Agenda:
• Overview of Azure Stack HCI
• Deployment and Configuration
• Advanced Scenarios and Use Cases
• Performance Optimization
• Security and Compliance
Matthew Bratschun, Senior Customer Engineer, Microsoft
Islam Gomaa, Senior Customer Engineer, Microsoft

Today’s content is designed for IT Professionals, System Architects, and Technical Decision Makers.

Note: Content will be recorded and available for registrants only.


What is Azure Stack HCI
• Hyperconverged infrastructure stack
• Familiar for IT to manage and operate
• Delivered as an Azure hybrid service
Azure Stack portfolio
• Azure Stack Edge: cloud-managed appliance focused on accelerated AI inferencing and storage gateway
• Azure Stack HCI: hyperconverged infrastructure with hybrid management / services integration and support for a variety of form factors
• Azure Stack Hub: cloud-native integrated system focused on autonomous and disconnected scenarios
Traditional vs Hyperconverged
• Specialized host operating system
• Latest Azure hypervisor with built-in software-defined storage and networking
• Optimized for virtualization with reduced composition
• Minimal local user interface, designed for remote management


When to use Azure Stack HCI
• Distributed edge sites: retail, manufacturing, branch offices
• Virtual desktop infrastructure: shift workers, healthcare, education, computer-aided design
• Windows & SQL lift-and-shift: secure your Windows Server and SQL Server estate on-premises

MICROSOFT CONFIDENTIAL - Shared under NDA


Design Principles
Simplify user experience
Ready to run workload when deployed
Make the process predictable & repeatable
Enable Azure tooling ecosystem
Validate configuration to drive success
Secure by default - mindset



Four steps

1. PREPARE AD  2. INSTALL OS  3. REGISTER WITH ARC  4. CREATE CLUSTER FROM AZURE




Prepare AD
Prepare Active Directory for new Azure Stack HCI, version 23H2 deployment -
Azure Stack HCI | Microsoft Learn
Active Directory requirements for Azure Stack HCI include:
• A dedicated Organization Unit (OU).
• Group policy inheritance that is blocked for the applicable Group Policy Object
(GPO).
• A user account that has all rights to the OU in the Active Directory.
• Machines must not be joined to Active Directory before deployment.



Prepare AD - Notes
• Do not delete the existing OU - it holds the BitLocker recovery keys (when encryption is used, which is the default).
• Don‘t use special characters in the OU path - e.g. ‘hot&cool’ is not a good OU name.
• Creation can be done manually, but is much easier with the corresponding PowerShell module:
Install-Module AsHciADArtifactsPreCreationTool -Repository PSGallery -Force
• Make sure the installation user's password is complex enough.
• Make sure the OU is properly replicated to all other sites - in case your HCI is located in another site.
• No domain join of hosts before deployment!
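As an added example (not from the deck), the following script pre-creates the AD objects with the module the slide names and then verifies the four requirements from the previous slide before any host is touched. The OU path and the LCM user name are placeholders; the New-HciAdObjectsPreCreation cmdlet and its parameters follow the documented usage of the AsHciADArtifactsPreCreationTool module and are an assumption here. It expects a domain-joined admin workstation with the RSAT ActiveDirectory and GroupPolicy modules.

```powershell
# Added example (not from the deck). Placeholders: OU path and LCM user name.
# Assumption: New-HciAdObjectsPreCreation -AzureStackLCMUserCredential / -AsHciOUName
# is the documented entry point of the AsHciADArtifactsPreCreationTool module.
Install-Module AsHciADArtifactsPreCreationTool -Repository PSGallery -Force
Import-Module ActiveDirectory, GroupPolicy

$ouPath  = "OU=HCI01,DC=contoso,DC=com"   # placeholder; no special characters in the OU name
$lcmUser = Get-Credential -UserName "hci01-lcm" -Message "Deployment (LCM) user password"  # placeholder account

# Creates the OU, blocks GPO inheritance, creates the user and delegates rights on the OU.
New-HciAdObjectsPreCreation -AzureStackLCMUserCredential $lcmUser -AsHciOUName $ouPath

# 1. Dedicated OU exists (throws if not).
$null = Get-ADOrganizationalUnit -Identity $ouPath -ErrorAction Stop

# 2. GPO inheritance is blocked on it.
if (-not (Get-GPInheritance -Target $ouPath).GpoInheritanceBlocked) {
    Write-Warning "GPO inheritance is NOT blocked on $ouPath"
}

# 3. The LCM user has an explicit ACE on the OU (the slide: "all rights to the OU").
$acl  = Get-Acl -Path ("AD:\" + $ouPath)
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$($lcmUser.UserName)" }
if (-not $aces) { Write-Warning "No explicit ACE for $($lcmUser.UserName) on $ouPath" }

# 4. No machines are joined yet: the deployment joins them itself.
$preJoined = Get-ADComputer -SearchBase $ouPath -Filter *
if ($preJoined) { Write-Warning "Pre-joined computers in OU: $($preJoined.Name -join ', ')" }

# Replication: the OU must resolve on every DC, not only on the one it was created on.
foreach ($dc in Get-ADDomainController -Filter *) {
    $seen = Get-ADOrganizationalUnit -Identity $ouPath -Server $dc.HostName -ErrorAction SilentlyContinue
    "{0,-30} {1}" -f $dc.HostName, $(if ($seen) { 'OU replicated' } else { 'OU MISSING' })
}
```

The replication loop is the check behind the "make sure OU is properly replicated to all other sites" note: a validation run that lands on a DC in another site fails the OU check if the object has not replicated there yet.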





Install OS
• Systems are either preinstalled by the OEM, or you download the .iso from the portal
• Download Azure Stack HCI, version 23H2 software - Azure Stack HCI | Microsoft Learn
• Install the latest drivers and firmware as per the instructions provided by your hardware manufacturer
• Prepare 1 management network
  • IP, DNS, gateway
  • Disable IPv6
  • VLAN ID, proxy, firewall?
• Change the computer name
• Optionally rename the NICs (and disable unused ones)
• Set the time server (NTP)
• NO domain join yet!
• NO Windows Update yet!
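The management-network preparation above, carried out on one freshly installed node, as an added example (not from the deck). Adapter names, addresses, VLAN ID, NTP server and the new computer name are placeholders; the order matches the slide, and the script deliberately contains no Add-Computer and no Windows Update step.

```powershell
# Added example (not from the deck). All values below are placeholders for your environment.
$mgmtNic  = "pNIC1"            # physical adapter that will carry management
$newName  = "HCI01-N1"         # node name; must match what AD preparation expects
$ip       = "192.168.1.2"; $prefix = 24; $gateway = "192.168.1.1"
$dns      = @("192.168.1.10", "192.168.1.11")
$mgmtVlan = 100                # set to 0 if the switch port is untagged
$ntp      = "ntp.contoso.com"

# 1. Inventory adapters, then disable the ones that are not cabled (fewer surprises for Network ATC later).
Get-NetAdapter | Sort-Object Name |
    ForEach-Object { "{0,-10} {1,-45} {2}" -f $_.Name, $_.InterfaceDescription, $_.Status }
Get-NetAdapter | Where-Object { $_.Name -ne $mgmtNic -and $_.Status -eq 'Disconnected' } |
    Disable-NetAdapter -Confirm:$false

# 2. Static IPv4, DNS and (optionally) VLAN on the management adapter.
Get-NetIPAddress -InterfaceAlias $mgmtNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $mgmtNic -DestinationPrefix 0.0.0.0/0 -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $mgmtNic -IPAddress $ip -PrefixLength $prefix -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $mgmtNic -ServerAddresses $dns
if ($mgmtVlan -gt 0) { Set-NetAdapter -Name $mgmtNic -VlanID $mgmtVlan -Confirm:$false }

# 3. Disable IPv6 on every adapter (troubleshooting case #7 later in the deck shows why).
Get-NetAdapter | Disable-NetAdapterBinding -ComponentID ms_tcpip6

# 4. Time source.
w32tm /config /manualpeerlist:"$ntp" /syncfromflags:manual /update
Restart-Service w32time
w32tm /resync

# 5. Rename and reboot. No domain join and no Windows Update at this stage.
Rename-Computer -NewName $newName -Force -Restart
```

Run it on each node in turn with that node's values; keeping the adapter naming and the steps identical across nodes is what the deck's "consistent process between nodes" advice means in practice.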


Register with Arc and assign permissions for deployment
• Register your Azure Stack HCI servers with Azure Arc and assign permissions for deployment - Azure Stack HCI | Microsoft Learn
• When using proxies, you need to configure them first (see the Proxy Deployment section)
• For deployment you need to have the following role assignments on the resource group (RG):
  • Azure Stack HCI Administrator
  • Reader
  • Key Vault Data Access Administrator
  • Key Vault Secrets Officer
  • Key Vault Contributor
  • Storage Account Contributor
• The Cloud Application Administrator permission is temporarily needed (when using the portal) to create the service principal. After deployment, this permission can be removed. (subscription scope)
• The Cloud Application Administrator permission is not required when deploying using the ARM template.
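As an added example (not from the deck), this script checks that the signed-in deployment identity actually holds the six resource-group roles listed above before it registers the node with Azure Arc, so a missing assignment is caught here rather than as a validation failure later. Subscription, resource group, tenant and region are placeholders; the Invoke-AzStackHciArcInitialization parameter set mirrors the Remove-AzStackHciArcInitialization call shown later in the deck and, together with the AzSHCI.ARCInstaller module name, is an assumption.

```powershell
# Added example (not from the deck). Placeholders: subscription, RG, tenant, region.
# Assumption: Invoke-AzStackHciArcInitialization (module AzSHCI.ARCInstaller) takes the same
# parameters as the Remove-AzStackHciArcInitialization call later in this deck.
Install-Module Az.Accounts, Az.Resources -Force -AllowClobber
Install-Module AzSHCI.ARCInstaller -Force -AllowClobber

$Subscription = "<subscription-id>"; $RG = "<resource-group>"
$Tenant       = "<tenant-id>";       $Region = "<region>"
Connect-AzAccount -SubscriptionId $Subscription -TenantId $Tenant -DeviceCode | Out-Null

# Roles the deck lists as required at resource-group scope.
$requiredRoles = @(
    "Azure Stack HCI Administrator", "Reader", "Key Vault Data Access Administrator",
    "Key Vault Secrets Officer", "Key Vault Contributor", "Storage Account Contributor"
)
$scope = "/subscriptions/$Subscription/resourceGroups/$RG"
$me    = (Get-AzADUser -SignedIn).Id
# Get-AzRoleAssignment -Scope also returns assignments inherited from the subscription.
$have  = @((Get-AzRoleAssignment -ObjectId $me -Scope $scope).RoleDefinitionName)

$missing = $requiredRoles | Where-Object { $_ -notin $have }
if ($missing -and 'Owner' -notin $have) {
    throw "Missing role assignments on ${scope}: $($missing -join ', ')"
}
if ('Owner' -in $have) {
    Write-Warning "Owner satisfies the check, but assigning exactly the listed roles is the least-privilege option"
}

# Register this node with Azure Arc (run on the node itself).
$ARMtoken = (Get-AzAccessToken).Token
$id       = (Get-AzContext).Account.Id
Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenant `
    -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id
```

The Cloud Application Administrator role is not checked here because it is an Entra directory role, not an RBAC assignment; if you deploy from the portal it must be held temporarily by the account that creates the service principal and can be removed afterwards, as the slide says.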



Azure Stack HCI 23H2 architecture (diagram; text recovered from the slide)

Azure side: Azure Resource Manager, Identity, RBAC, Policy, Key Vault, Network, Storage, the Azure HCI resource provider (RP) and the Azure Arc server RP. User experience: Azure Portal, Azure CLI, Azure SDK.

Device side (HCI 23H2 OS): the Azure Arc server agent (core component) and the Arc extensions: Diagnostic & Telemetry extension, Arc LCM extension, Arc Device management extension, and the Remote Support extension (supporting component; allows collecting logs and enables Remote Support for Microsoft Support). LCM services on the device: HCI Orchestrator, HCI Update service, HCI Download service, HCI Health service, Lifecycle Manager. Deployed on top: Cluster, Storage, Azure Resource Bridge, Virtual Machines, Kubernetes.

Flow:
1. Onboarding of the Arc agent triggers the install of the other extensions.
2. The server inventory is sent to the HCI RP.
3. The deployment request is sent to the HCI RP.
4. The HCI RP sends the deployment information to the Arc LCM extension.
5. The Arc LCM extension downloads all content on demand and orchestrates the deployment of the cluster, storage, network and LCM.
6. Lifecycle Manager deploys the Azure Resource Bridge, which enables Arc VMs & AKS.
Cluster provisioning – Basics Tab
1. Select the subscription.
2. Select the resource group where you plan to deploy your Azure Stack HCI cluster.
3. Enter the new cluster name. This name must be the same one used during the AD preparation step.
4. Select the Azure region where you want to deploy the new cluster.
  a. For Private Preview only East US is supported.
5. Create a new dedicated Azure Key Vault for the HCI cluster. This Key Vault will store the following secrets:
  a. Domain user used by LCM for the deployment.
  b. Local administrator.
  c. Witness storage account secret for the cluster witness.
    i. This is only required for 2-node deployments, but the portal always captures this input in case it is eventually needed.
  d. ARB SPN secrets required for ARB registration and deployment.
6. Select the Arc-registered nodes you want to add to the HCI cluster.
7. Click on the "Validate selected servers" button.
  a. The portal validates that the server model, OS version, Arc extensions, NIC names, drivers and componentId are symmetrical across the selected nodes.



Cluster provisioning – Configuration Tab
Select one of three deployment options for new HCI Clusters

1. New Configuration
Select this option if this is the first time you deploy an HCI Cluster from the portal and
you don’t have an existing template. Through the deployment flow steps you will
define all the parameters manually
2. Template Spec
Select this option if you already deployed an HCI Cluster and you stored a template in
your Subscription Library. Once the template is loaded, the parameters over the next
steps will be automatically populated with the template values. You will still be
required to create a new Azure Storage Account to store the Cloud Witness Secrets.

3. QuickStart template
Select this option if you already deployed an HCI Cluster and you stored a template in
the QuickStart library. Once the template is loaded, the parameters will be
automatically populated through the next steps of the deployment flow. You will still
be required to create a new Azure Storage Account to store the Cloud Witness
Secrets



Cluster provisioning – Networking Tab 1/5



Network ATC

Network ATC is a service that simplifies the deployment of a network topology.
Users specify NICs and their "intent" (expected use case), and ATC internally generates a network configuration, applies the settings and periodically checks for drift.

Three types of core networks:
• Management: part of the North-South network; used for host communication; may need SR-IOV, RDMA
• Compute: part of the North-South network; virtual machine traffic
• Storage: East-West only; needs RDMA; 10GB+; can host Live Migration
Network traffic types (diagram: Node 1 to Node 4 attached to each network)
• Storage traffic (SMB1): e.g. 10.71.1.X/24 – VLAN 711 (default)
• Storage traffic (SMB2): 10.71.2.X/24 – VLAN 712 (default)
• Management (MGMT): 192.168.x.0/24 – VLAN 100
• Compute traffic (VMs): a.b.c.d/X – VLAN v1, v2, v3, …
NIC Terminology Refresher
• pNIC = physical NIC on the host
• vNIC = host Hyper-V virtual network adapter
• vmNIC = virtual machine Hyper-V virtual network adapter
Traffic in HCI

East-West: cluster heartbeats & inter-node communication
• [SMB] Storage Bus Layer
• [SMB] Cluster Shared Volume
• [SMB] Storage rebuild
• [SMB, possibly] Live Migrations
Generally RDMA traffic

North-South: external (to the S2D cluster)
• Cluster to fabric (AD, DNS, updates, MGMT, ...)
• VM tenant traffic
Could be any protocol
What if you have only 2 ports?

Three reference layouts (diagrams; text recovered from the slides):
• Converged Network: each Hyper-V host has two 10GB physical NICs in one SET VM switch connected to the top-of-rack switch; the MGMT, storage 1 and storage 2 host vNICs and the VM NICs (VM1, VM2, VM3) all ride on that switch.
• Storage Switchless: each host has a SET vSwitch on two 10GB NICs to the top-of-rack switch for MGMT and VMs, while SMB1 and SMB2 (10GB each) are cabled directly host to host for storage.
• Hybrid: four 10GB physical NICs per host; two in a SET VM switch to the top-of-rack switch carrying the MGMT host vNIC and VM1–VM3, and two separate SMB1/SMB2 storage NICs connected to the top-of-rack switch.
Converged Network
• Combining multiple network intents (MGMT, Compute, Storage)
• Best if deploying 3+ physical nodes
• Connect pNICs to top-of-rack switches
• RDMA required; either iWARP or RoCEv2

Switchless (for storage)
• Cluster network North-South communication is a team combining the Compute and Management networks
• Storage (E-W) is directly connected node to node (iWARP recommended)
• No need to configure Data Center Bridging (DCB) features
• Deployment option practicable for HCI clusters with 2-3 physical nodes

Hybrid
• Best of both: easy deployment of Compute/Mgmt on North-South
• Separate storage NICs as separate adapters, not teamed
• iWARP (might) | RoCEv2 requires switch config (DCB config not required for iWARP, but highly recommended)
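The three layouts above expressed with the Network ATC cmdlets, plus the status check a practitioner runs afterwards, as an added example (not from the deck). Adapter names and VLANs are placeholders. In 23H2 the deployment creates the intents itself, so the Add-NetIntent part is a lab illustration of the intent model, while the Get-NetIntentStatus and RDMA checks at the end are what you run on a live cluster (they are where troubleshooting cases #5 and #6 later in the deck show up).

```powershell
# Added example (not from the deck). Placeholders: adapter names pNIC1..pNIC4, VLANs 711/712.
$layout = "Converged"   # Converged | Switchless | Hybrid

switch ($layout) {
    "Converged" {
        # One intent carries all three traffic types over two pNICs to the ToR switches (3+ nodes).
        Add-NetIntent -Name "ConvergedIntent" -Management -Compute -Storage -AdapterName "pNIC1", "pNIC2"
    }
    "Switchless" {
        # North-South team for management + compute; storage is direct node-to-node (2-3 nodes).
        Add-NetIntent -Name "MgmtCompute" -Management -Compute -AdapterName "pNIC1", "pNIC2"
        Add-NetIntent -Name "Storage"     -Storage -AdapterName "pNIC3", "pNIC4"
    }
    "Hybrid" {
        # Same split, but the storage pNICs go to a switch whose ports must allow the storage VLANs.
        Add-NetIntent -Name "MgmtCompute" -Management -Compute -AdapterName "pNIC1", "pNIC2"
        Add-NetIntent -Name "Storage"     -Storage -AdapterName "pNIC3", "pNIC4" -StorageVlans 711, 712
    }
}

# Verification: every intent applied on every host, and no drift pending.
Get-NetIntent | Format-Table IntentName, IsManagementIntentSet, IsComputeIntentSet, IsStorageIntentSet
Get-NetIntentStatus | Format-Table IntentName, Host, ConfigurationStatus, ProvisioningStatus
$bad = Get-NetIntentStatus | Where-Object { $_.ConfigurationStatus -ne 'Success' }
if ($bad) {
    $where = ($bad | ForEach-Object { "$($_.IntentName)@$($_.Host)" }) -join ', '
    Write-Warning "Intent not applied or drifted on: $where"
}

# Storage adapters must have RDMA enabled; a management-only adapter that cannot do RDMA is case #5.
Get-NetAdapterRdma | Format-Table Name, Enabled
```

Network ATC re-applies the intent if someone changes a setting by hand, which is the drift check the slide mentions; a ConfigurationStatus other than Success is the first thing to look at when storage validation fails.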
Cluster Supported Network Configuration (Azure Stack HCI clusters)

Deployment              | No switch for storage                 | Network switch for storage
Single node deployment  | By default                            | Supported
Two nodes deployment    | Supported                             | Supported
Three nodes deployment  | Supported using ARM/Bicep templates   | Supported
4-16 nodes deployment   | Not supported                         | Supported
Proxy Deployment
• https://youtu.be/qRnh5-jelXI
• Configure proxy settings for Azure Stack HCI, version 23H2 - Azure Stack HCI | Microsoft Learn
1. Configure proxy settings for WinInet
2. Configure proxy settings for WinHTTP
3. Configure proxy settings for environment variables
Proxy Deployment (script)
$proxyServer = "192.168.1.254:3128" # e.g. proxy.contoso.com:8080
# Bypass list contents: IP address of each cluster member server, NetBIOS name of each server,
# NetBIOS cluster name, *.<domain> (e.g. *.contoso.com), and the second IP address of the
# infrastructure pool (the ARB IP). Example: with a pool of 192.168.1.10 - 192.168.1.30,
# .10 is the cluster IP and .11 the ARB IP. 192.168.1.* can be used as a wildcard for the cluster's IP range.
$BypassList = "localhost,127.0.0.1,*.svc,01-HCI-1,01-HCI-2,hci01nested,192.168.1.2,192.168.1.3,*.HCI01.org,192.168.1.11"

#region Proxy settings

# WinInet (Set-WinInetProxy comes from the WinInetProxy module: Install-Module -Name WinInetProxy)
Set-WinInetProxy -ProxySettingsPerUser 0 -ProxyServer $proxyServer -ProxyBypass $BypassList # use '*' for domains and whole subnets

# Environment variables
[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://$proxyServer", "Machine") # must be http:// (no 's'!)
$env:HTTPS_PROXY = [System.Environment]::GetEnvironmentVariable("HTTPS_PROXY", "Machine")
[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://$proxyServer", "Machine")
$env:HTTP_PROXY = [System.Environment]::GetEnvironmentVariable("HTTP_PROXY", "Machine")

$no_proxy_bypassList = "localhost,127.0.0.1,.svc,192.168.1.0/24,.HCI01.org,01-HCI-1,01-HCI-2,hci01nested" # no '*' for domains; use CIDR for subnets
[Environment]::SetEnvironmentVariable("NO_PROXY", $no_proxy_bypassList, "Machine")
$env:NO_PROXY = [System.Environment]::GetEnvironmentVariable("NO_PROXY", "Machine")

# WinHTTP
netsh winhttp set proxy $proxyServer bypass-list="$BypassList" # use '*' for domains and whole subnets
#endregion

# Test a web request through the proxy
Invoke-WebRequest -Uri https://www.microsoft.com -UseBasicParsing
Cluster provisioning – Management Tab
1. Azure custom location
  a. You can leave this option blank or use your own custom location for Arc services.
  b. If you leave the option blank, the deployment will use the default name:
2. Storage account for the cloud witness
  a. Only 2-node clusters require a cloud witness that uses a storage account from Azure. However, the portal always requires a storage account, even with other configurations, to ensure that it exists if needed in the future.
3. Active Directory details
  a. Enter the fully qualified domain name of the AD where you are creating the HCI cluster. It must be the same one used during the AD preparation step.
  b. Enter the AD prefix (also known as OU) that you defined during the AD preparation step.
  c. Enter the OU path created during AD preparation.
4. AD user account
  a. Enter the username and password you created during the AD preparation step. The password must meet the complexity requirements as explained previously in this guide.
5. Local administrator
  a. Enter the local administrator account of the nodes. The password must be the same across the nodes of the same cluster and must meet the complexity requirements as explained previously in this guide.



Cluster provisioning – Security Tab

1. Recommended security settings
  The default and recommended security settings are certification-aligned, with drift control, and include:
  1. Data-in-transit protection with SMB signing
  2. Windows Defender Application Control
  3. Exclusions for Microsoft Defender Antivirus
  4. FIPS mode enabled
  5. Encryption and data protection – BitLocker and self-encrypting drives
  6. Silicon & hardware partner – Secured-core features

2. Customized security settings
  You can disable some or all of the security settings if required for your deployment
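As an added example (not from the deck), the following function reads back the defaults listed above on one node using standard Windows cmdlets, so you can confirm them after deployment or spot drift if someone disabled a setting. Azure Stack HCI's own Get-AzSSecurity / Enable-AzSSecurity cmdlets (referenced at the end of the deck under "Manage security defaults") remain the supported way to toggle these settings; this script only reports. The VBS/HVCI/Credential Guard fields are used here as Secured-core indicators, and the expected values in $expected are an assumption based on the slide's list.

```powershell
# Added example (not from the deck). Read-only audit of the recommended security settings on this node.
function Get-HciSecurityPosture {
    $smb  = Get-SmbServerConfiguration
    $fips = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                              -Name Enabled -ErrorAction SilentlyContinue).Enabled
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI (memory integrity).
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $os   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    # WDAC: active policies are stored as .cip files in the multiple-policy folder.
    $wdac = @(Get-ChildItem "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active" -Filter *.cip -ErrorAction SilentlyContinue)
    $mp   = Get-MpPreference
    [pscustomobject]@{
        SmbSigningRequired = [bool]$smb.RequireSecuritySignature
        SmbEncryptData     = [bool]$smb.EncryptData
        FipsEnabled        = ($fips -eq 1)
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard    = ($dg.SecurityServicesRunning -contains 1)
        Hvci               = ($dg.SecurityServicesRunning -contains 2)
        OsDriveBitLocker   = [string]$os.ProtectionStatus
        WdacPolicyCount    = $wdac.Count
        DefenderExclusions = @($mp.ExclusionPath).Count   # the deck's "exclusions for MS Defender"
    }
}

$posture  = Get-HciSecurityPosture
# Assumed expectations for a node deployed with the recommended settings.
$expected = [ordered]@{ SmbSigningRequired = $true; FipsEnabled = $true; VbsRunning = $true; Hvci = $true }
foreach ($k in $expected.Keys) {
    if ($posture.$k -ne $expected[$k]) { Write-Warning "$k = $($posture.$k) (expected $($expected[$k]))" }
}
if ($posture.OsDriveBitLocker -ne 'On') { Write-Warning "OS drive BitLocker protection is '$($posture.OsDriveBitLocker)'" }
if ($posture.WdacPolicyCount -eq 0)      { Write-Warning "No active WDAC policy files found" }
$posture
```

Run it on every node and diff the objects: the security settings are applied cluster-wide, so a node whose posture differs from its peers is drift, whatever the absolute values are.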



Cluster provisioning – Advanced Tab

This tab will only include volumes options.


Observability, Location and Privacy Settings will be removed



Cluster provisioning – Tags Tab

Define the Tags you want for your HCI Cluster resource



Cluster provisioning – Validation Tab



Cluster provisioning – Review + Create Tab



Cluster provisioning – Deployment tracking



Advanced Scenarios: 3 node switchless
• Deployment must be executed with ARM/Bicep/TF
• Portal does not expose manual IP configuration option yet
• Templates and sample parameter files can be found in Azure Quickstart Templates repo
• enableStorageAutoIP: FALSE
• storageConnectivitySwitchless: TRUE
• storageNetworks parameter specifies storage IP configs for each storage network



Advanced Scenarios: Multi-room and Stretch
• Stretch support beyond 22H2
• Multi-room
• Use case
• Requirements



Deployment Troubleshooting: Avoiding Trouble
• Follow the current documentation, using a consistent process between nodes and clusters.
• Be aware of the known issues in the release notes (Azure Local, version 23H2 release information), the Azure Local Supportability repo, and the hardware partner SBE details.
• If an issue seems "random", tighten your process (and check NIC team members, DNS servers, and AD DCs!).
• On failures, open a support case.
• You break it, you rebuild it!


Deployment Troubleshooting: Deployment Phases
1. Validation
2. Deployment

• Mindset: deployments succeed in "greenfield" environments, so 95% of problems are caused by:
  • Invalid input parameters (deployment configuration)
  • Customer environment issues, usually networking, proxy, security, or AD
  • Hardware configuration issues such as NICs, cabling, storage, BIOS settings
  • Inconsistent process and not following documentation
• Deployment settings/parameters can be changed during validation but are immutable once deployment starts
Deployment Troubleshooting – Diagnosis
• Review the failed step details in the portal
• Consider the context in which the error was generated. Usually this is on the seed node
• Check the local logs on the seed node for more context and clearer formatting
• Look for the root cause, not symptoms: check above the final failure event, as the issue is often described in the log lines that precede the error entry
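The "look above the final failure" advice turned into a small helper, as an added example (not from the deck): it picks the newest CloudDeployment log on the seed node, locates the last line that looks like a failure, and returns the lines before it. The sample log lines are constructed for this example and are not real product output; the real log format may differ, so adjust the regular expression to what you see on your seed node.

```powershell
# Added example (not from the deck). $sample below is constructed, not real CloudDeployment output.
function Get-LogRootCause {
    param([string[]]$Lines, [int]$Context = 8)
    # Indexes of lines that look like failures.
    $errIdx = @(for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '\b(Error|Exception|Failed|failure)\b') { $i }
    })
    if ($errIdx.Count -eq 0) { return $null }
    $last  = $errIdx[-1]
    $start = [Math]::Max(0, $last - $Context)
    [pscustomobject]@{
        FinalError = $Lines[$last]
        Preceding  = if ($last -gt 0) { $Lines[$start..($last - 1)] } else { @() }
        AllErrors  = $errIdx | ForEach-Object { $Lines[$_] }
    }
}

function Get-NewestDeploymentLog {
    # Default path is the seed-node location given in the deck; a new file appears after each reboot.
    param([string]$Folder = 'C:\CloudDeployment\Logs', [string]$Pattern = 'CloudDeployment*')
    Get-ChildItem -Path $Folder -Filter $Pattern -File -ErrorAction Stop |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

# Constructed sample: the VLAN problem is logged before the generic "step failed" line.
$sample = @'
2024-05-01 10:01:02 [Verbose] Step 'Create cluster': testing storage adapters
2024-05-01 10:01:03 [Verbose] Node HCI01-N1 pNIC3 VLAN 711: no reply from HCI01-N2
2024-05-01 10:01:03 [Warning] Storage network 10.71.1.0/24 unreachable between nodes
2024-05-01 10:01:04 [Error] Test-Cluster: storage network validation failed
2024-05-01 10:01:05 [Error] Step 'Create cluster' Failed with exit code 1
'@ -split "`r?`n"

$result = Get-LogRootCause -Lines $sample -Context 4
$result.FinalError
"--- lines before it ---"
$result.Preceding

# On a seed node:
# $log = Get-NewestDeploymentLog
# Get-LogRootCause -Lines (Get-Content $log.FullName) -Context 20
```

The final error in the sample says only that the step failed; the two lines above it name the VLAN and the storage subnet, which is the same pattern as troubleshooting case #6 later in the deck.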


Deployment Troubleshooting: Demo Local Logs



Deployment Troubleshooting: Remediation
• Be methodical, take notes
• Avoid destructive or irreversible changes
• Don’t modify scripts outside testing or labs
• Keep nodes consistent
• Consider downstream effects, such as to update or add node operations
• Use support when the root cause appears to be internal to HCI (not
an external customer environmental factor)



Log File Locations: Arc Onboarding
• Extension installation: C:\ProgramData\GuestConfig\extension_logs\
  • DeviceManagementExtension.*.log
  • EdgeDevice.txt
• Extension program files and utilities: C:\Packages\Plugins
• Arc initialization: C:\users\<executing user>\.AzStackHci\AzStackHciArcIntegration.log

Log File Locations: Validation
• Confirm the parameters passed for the deployment: C:\CloudDeployment\DeploymentData\Unattended.json
• Viewing credentials from Key Vault, if validation does not start (paste the secret value from the portal):
$base64 = "<keyVaultSecretValue>"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))
• During validation: C:\CloudDeployment\Logs\EnvironmentValidatorFull*
• When initially starting the deployment, and the config is loaded into ECEEngine: C:\MASLogs\LCMECELiteLogs
Log File Locations: Deployment
• During the deployment, as a first point of reference. There will be multiple files, as a new file is created after each reboot during the deployment: C:\CloudDeployment\Logs\CloudDeployment* (on the seed node)
• Cluster validation reports, in both of these locations: C:\Windows\Temp and C:\Windows\Cluster\Reports
• PowerShell transcript file generated as part of the deployment: C:\CloudContent\MASLogs
• During the "Deploy Arc infrastructure components" stage: C:\ProgramData\kva\kva.log and C:\ClusterStorage\Infrastructure_1\ArcHci\ubercrud.log
Troubleshooting Case #1: Blocked URL during Arc Onboarding
• Log: C:\Users\asLocalAdmin\.AzStackHci\AzStackHciArcIntegration.log

Reason:
• A URL required for onboarding was blocked; allow the URL via proxy or firewall

Next Step:
• Re-run the Invoke-AzStackHciArcInitialization command
Troubleshooting Case #2: Incorrect Local Credentials
• Log: C:\MASLogs\LCMECELiteLogs\InvokeEnvironmentChecker%timestamp%.log

Reason:
• The environment check attempts to start the environment checker for validation, but the credentials are incorrect

Next Step:
• At this point the node is not joined to the domain, so the account must be the local admin user
• Confirm the credentials stored in the Key Vault under "LocalAdminCredential"; they can be viewed with the following command:
$base64 = "<keyVaultSecretValue>"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))
• If the credentials need to be updated, move back through the portal wizard, update and re-run, or re-run the ARM template with the updated credentials
Troubleshooting Case #3: Incorrect LCM User Credentials / Incorrect Domain Name
• Log: C:\MASLogs\LCMECELiteLogs\InvokeEnvironmentChecker%timestamp%.log

Reason:
• The environment check attempts to connect to the domain, but the credentials are not accepted

Next Step:
• Confirm the credentials stored in the Key Vault under "AzureStackLCMUserCredential"; they can be viewed with the following command:
$base64 = "<keyVaultSecretValue>"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))
• Check that the domain name is correct in the unattended.json file (C:\CloudDeployment\DeploymentData\Unattended.json)
• If the credentials or domain name need to be updated, move back through the portal wizard, update and re-run, or re-run the ARM template with the updated credentials
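The credential check from cases #2 and #3 (and from the Validation log slide) without copying the base64 value by hand, as an added example (not from the deck): the secret is read from the cluster's Key Vault with the Az.KeyVault module and decoded with the same two lines the deck uses. The vault name is a placeholder; LocalAdminCredential and AzureStackLCMUserCredential are the secret names the deck gives. Reading a secret is recorded in the vault's audit log and the decoded value is a live credential, so compare it and do not paste it into a ticket.

```powershell
# Added example (not from the deck). Placeholder: vault name. Needs a Key Vault secrets role on the vault.
function ConvertFrom-HciSecretBase64 {
    # The deck's decode, as a function, so it works on a value pasted from the portal too.
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64))
}

function Get-HciDeploymentSecret {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [ValidateSet('LocalAdminCredential', 'AzureStackLCMUserCredential')]
        [string]$Name = 'LocalAdminCredential'
    )
    $base64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -AsPlainText
    if (-not $base64) { throw "Secret '$Name' not found in vault '$VaultName'" }
    ConvertFrom-HciSecretBase64 -Base64 $base64
}

# Offline round-trip on a constructed value (no vault needed) to show what the decode does.
$constructed = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('example-value-only'))
ConvertFrom-HciSecretBase64 -Base64 $constructed

# Against the real vault:
# Connect-AzAccount -DeviceCode
# $lcm = Get-HciDeploymentSecret -VaultName '<keyvault-name>' -Name AzureStackLCMUserCredential
# Compare the account in $lcm with the domain and OU recorded in C:\CloudDeployment\DeploymentData\Unattended.json
```

If the decoded value does not match what you set in the wizard, the fix is the one the slides give: go back through the portal wizard (or re-run the ARM template) with the corrected credentials rather than editing the secret in the vault by hand, because the deployment reads its own copy of the input.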
Troubleshooting Case #4: Incorrect OU Path
• Log: C:\CloudDeployment\Logs\EnvironmentValidatorFull%timestamp%.log

Reason:
• The environment check verifies that the OU exists and that its permissions are correct

Next Step:
• Check that the domain name is correct in the unattended.json file (C:\CloudDeployment\DeploymentData\Unattended.json)
• Ensure the OU exists and the permissions have been set correctly
• If the credentials or domain name need to be updated, move back through the portal wizard, update and re-run, or re-run the ARM template with the updated credentials
Troubleshooting Case #5: RDMA Misconfiguration
• Log: C:\CloudDeployment\Logs\EnvironmentValidatorFull%timestamp%.log

Reason:
• The RDMA check was failing: RDMA was enabled on the management intent, but the NIC did not support it

Next Step:
• Check the RDMA configuration of the switch port and resolve any issues
• Confirm whether RDMA is actually required (it is for storage intents)
• If the config needs to be changed to disable it, move back through the portal wizard, update and re-run, or re-run the ARM template with the updated settings
Troubleshooting Case #6: Deployment Failed At Create Cluster
• Log: C:\clouddeployment\logs\...\CloudDeployment.2024%timestamp%.log

Reason:
• Storage VLAN 711 not allowed on the switch

Next Step:
• Update the switch configuration for the VLANs on the storage ports
• Resume the deployment from the portal
Troubleshooting Case #7: Deployment Failed At Create Cluster
• Log: C:\clouddeployment\logs\...\CloudDeployment.2024%timestamp%.log

Reason:
• IPv6 was enabled on the interfaces

Next Step:
• Disable IPv6 on all interfaces
• Resume the deployment from the portal
Troubleshooting Case #8: Failed Cluster Registration with Azure
• Log: C:\clouddeployment\logs\...\CloudDeployment.2024%timestamp%.log
• Log: C:\CloudContent\RegisterHCI_%timestamp%.log

Reason:
• This was a difficult one to identify, but it came down to the TPM being disabled in the BIOS; the TPM is used when creating the certificates for the registration

Next Step:
• Disable IPv6 on all interfaces
• Resume the deployment from the portal
How to open a support case, if needed
• Ensure that you have run Send-DiagnosticData (with the from and to times at least 1 hour either side of the failure) and have its output ready to provide to the support engineer
How to Check Arc Agent Status
• Change directory to C:\Program Files\AzureConnectedMachineAgent
.\azcmagent.exe show

How to Check Arc Agent Connectivity
• Change directory to C:\Program Files\AzureConnectedMachineAgent
.\azcmagent.exe check

How to Check Arc Agent Connectivity (Pre-onboarding)
• Change directory to C:\Program Files\AzureConnectedMachineAgent
.\azcmagent.exe check -l westeurope
How to Remove Arc Integration
$SubscriptionID = ""
$RG = ""
$Region = ""
$Tenant = ""
Connect-AzAccount -SubscriptionId $SubscriptionID -TenantId $Tenant -DeviceCode
# Get the access token for the registration
$ARMtoken = (Get-AzAccessToken).Token
# Get the account ID for the registration
$id = (Get-AzContext).Account.Id
Remove-AzStackHciArcInitialization -SubscriptionID $SubscriptionID -ResourceGroup $RG -TenantID $Tenant -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id
How to Remove Extension
$SubscriptionID = ""
$RG = ""
$Tenant = ""
$name = $env:computername
Connect-AzAccount -SubscriptionId $SubscriptionID -TenantId $Tenant -DeviceCode
Remove-AzConnectedMachineExtension -MachineName $name -Name "<Extension Name>" -ResourceGroupName $RG -SubscriptionId $SubscriptionID -NoWait

Extension Name                     | Publisher                           | Extension Type
AzureEdgeTelemetryAndDiagnostics   | Microsoft.AzureStack.Observability  | TelemetryAndDiagnostics
AzureEdgeDeviceManagement          | Microsoft.Edge                      | DeviceManagementExtension
AzureEdgeLifecycleManager          | Microsoft.AzureStack.Orchestration  | LcmController
AzureEdgeRemoteSupport             | Microsoft.AzureStack.Observability  | EdgeRemoteSupport
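One health check that covers the Arc agent slides (azcmagent show / check) and the extension table above, as an added example (not from the deck): it runs the agent checks, then confirms that the four extensions are present on this machine with the expected publisher and a Succeeded provisioning state, which is what the portal's "Validate selected servers" step expects to find. Subscription, resource group and tenant are placeholders.

```powershell
# Added example (not from the deck). Placeholders: subscription, RG, tenant. Run on the node.
$agent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"
& $agent show
& $agent check            # before onboarding add: -l <region>
if ($LASTEXITCODE -ne 0) { Write-Warning "azcmagent check returned exit code $LASTEXITCODE" }

$SubscriptionID = "<subscription-id>"; $RG = "<resource-group>"; $Tenant = "<tenant-id>"
Connect-AzAccount -SubscriptionId $SubscriptionID -TenantId $Tenant -DeviceCode | Out-Null

# Name -> publisher, from the extension table in the deck.
$required = [ordered]@{
    AzureEdgeTelemetryAndDiagnostics = 'Microsoft.AzureStack.Observability'
    AzureEdgeDeviceManagement        = 'Microsoft.Edge'
    AzureEdgeLifecycleManager        = 'Microsoft.AzureStack.Orchestration'
    AzureEdgeRemoteSupport           = 'Microsoft.AzureStack.Observability'
}

$installed = Get-AzConnectedMachineExtension -MachineName $env:COMPUTERNAME -ResourceGroupName $RG
$problems  = 0
foreach ($name in $required.Keys) {
    $ext = $installed | Where-Object Name -eq $name
    if (-not $ext) { Write-Warning "$name is missing"; $problems++; continue }
    if ($ext.Publisher -ne $required[$name]) {
        Write-Warning "$name has publisher '$($ext.Publisher)', expected '$($required[$name])'"; $problems++
    }
    if ($ext.ProvisioningState -ne 'Succeeded') {
        Write-Warning "$name is in state '$($ext.ProvisioningState)'"; $problems++
    }
}
$installed | Format-Table Name, Publisher, ProvisioningState
if ($problems -eq 0) { "All four Azure Stack HCI extensions are present and provisioned on $env:COMPUTERNAME" }
```

A missing or failed extension is usually the onboarding step not having completed (case #1 above); re-running the Arc initialization, or installing the single extension with the New-AzConnectedMachineExtension command on the next slide, is the remedy rather than removing and re-adding the whole agent.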
How to Install Extension
$SubscriptionID = ""
$RG = ""
$region = ""
$Tenant = ""
$name = $env:computername
Connect-AzAccount -SubscriptionId $SubscriptionID -TenantId $Tenant -DeviceCode
New-AzConnectedMachineExtension -MachineName $name -Name "<Extension Name>" -ResourceGroupName $RG -SubscriptionId $SubscriptionID -Location $region -Publisher "<Publisher>" -ExtensionType "<Extension Type>" -NoWait

Use the extension name, publisher and extension type from the table above.
How to Refresh Hardware Changes Pre-Deployment
If something has changed on the node after Arc onboarding but before deployment, and these changes are not reflected in the deployment wizard, a forced refresh can be attempted with the following command:
Restart-Service DeviceManagementService
How to Gather BitLocker Keys Post-Deployment
Manage BitLocker encryption on Azure Stack HCI, version 23H2 - Azure Stack HCI | Microsoft Learn
• Get-AsRecoveryKeyInfo | ft ComputerName, PasswordID, RecoveryKey
• Via AD Users and Computers with the BitLocker admin tools installed
• Each node will have the key for the OS disk AND any volume which was owned by that node when the volume was encrypted
• DO NOT DELETE the OU, as this is where the keys are stored
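As an added example (not from the deck), this function lists the BitLocker recovery objects stored under the HCI OU directly from Active Directory, which is the stored copy the "do not delete the OU" warning refers to. The OU path is a placeholder; it needs the RSAT ActiveDirectory module and read access to the msFVE-RecoveryPassword attribute, which is sensitive, so run it from a privileged admin workstation and do not write the key column to a shared log.

```powershell
# Added example (not from the deck). Placeholder: OU path. Reads the AD-escrowed BitLocker keys.
function Get-HciOuRecoveryKeys {
    param([Parameter(Mandatory)][string]$OuPath)
    Import-Module ActiveDirectory
    Get-ADObject -SearchBase $OuPath -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            # Recovery objects are child objects of the computer, so the second RDN of the DN is the node.
            $computer = (($_.DistinguishedName -split ',')[1]) -replace '^CN=', ''
            # The object name has the form "<timestamp>{<PasswordID>}".
            $passwordId = if ($_.Name -match '\{([^}]+)\}') { $Matches[1] } else { $null }
            [pscustomobject]@{
                ComputerName = $computer
                PasswordID   = $passwordId
                Created      = $_.whenCreated
                RecoveryKey  = $_.'msFVE-RecoveryPassword'
            }
        }
}

$keys = Get-HciOuRecoveryKeys -OuPath "OU=HCI01,DC=contoso,DC=com"

# Show everything except the key itself; the deck's Get-AsRecoveryKeyInfo gives the cluster-side view.
$keys | Sort-Object ComputerName, Created | Format-Table ComputerName, PasswordID, Created

# A node with no escrowed key at all is the finding to act on before any OU or AD maintenance.
$nodes = (Get-ADComputer -SearchBase "OU=HCI01,DC=contoso,DC=com" -Filter *).Name
$nodes | Where-Object { $_ -notin $keys.ComputerName } |
    ForEach-Object { Write-Warning "No BitLocker recovery information escrowed in AD for $_" }
```

Matching the PasswordID column against the output of Get-AsRecoveryKeyInfo on the cluster is a quick way to prove that what is escrowed in AD is the key currently protecting each node, which is exactly what you need to know before a BIOS, TPM or firmware change that might trigger recovery.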
How to Check Storage
• Get-Volume – to check the status of the volumes; this shows if any volumes are degraded due to not being at the required resiliency level
• Get-StorageJob – to check the status of any repair or optimize jobs. If jobs are running, tasks such as draining nodes or rebooting nodes should not be performed
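The two checks above combined into a pre-maintenance gate, as an added example (not from the deck): it refuses to declare a node ready for draining while any cluster volume is not Healthy or any storage job is still running. The node name defaults to the local machine; nothing is drained by the script itself.

```powershell
# Added example (not from the deck). Run on a cluster node before draining or rebooting it.
function Test-HciReadyForMaintenance {
    param([string]$NodeName = $env:COMPUTERNAME)

    # Cluster Shared Volumes only; local boot/system volumes are not relevant to S2D health.
    $volumes   = Get-Volume | Where-Object { $_.FileSystem -eq 'CSVFS' -or $_.FileSystemType -like 'CSVFS*' }
    $unhealthy = @($volumes | Where-Object { $_.HealthStatus -ne 'Healthy' })

    # Any repair/optimize job still in flight means the pool is not back at full resiliency.
    $jobs = @(Get-StorageJob | Where-Object { $_.JobState -in 'Running', 'Suspended', 'New' })

    [pscustomobject]@{
        Node             = $NodeName
        UnhealthyVolumes = @($unhealthy | ForEach-Object { "$($_.FileSystemLabel): $($_.HealthStatus)/$($_.OperationalStatus)" })
        ActiveJobs       = @($jobs | ForEach-Object { "$($_.Name) $($_.JobState) $($_.PercentComplete)%" })
        Ready            = ($unhealthy.Count -eq 0) -and ($jobs.Count -eq 0)
    }
}

$state = Test-HciReadyForMaintenance
$state | Format-List

if ($state.Ready) {
    # Only now is it safe to pause and drain, e.g. Suspend-ClusterNode -Name $state.Node -Drain -Wait
    "OK to drain $($state.Node)"
} else {
    "Do NOT drain $($state.Node): wait for repair/optimize jobs to finish and for all volumes to report Healthy"
}
```

Re-run the gate after every node you bring back, not just before the first one: taking a second node down while the rebuild from the first is still running is how a degraded volume turns into an unavailable one.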
How to: General Commands
• Enable-ASRemoteDesktop – enables RDP to the node; RDP is disabled post-deployment
• Rotate secrets such as the LCM user and service principals: Change deployment user password on Azure Stack HCI, version 23H2 - Azure Stack HCI | Microsoft Learn
• Toggle security settings: Manage security defaults on Azure Stack HCI, version 23H2 - Azure Stack HCI | Microsoft Learn
