Deploying Azure Local (Stack) HCI

These deployment steps are now out of date as some parts are no longer required however leaving post intact for reference but will be replaced with a V2 post coming soon

With the changes in EUC Azure Stack HCI (now Azure Local) has become a popular option and even more so now that it supports the deployment of Azure Virtual Desktop (AVD) in this post we will share our documented deployment steps for Azure stack including solutions to common errors along the way. Errors will also be shared on individual posts for ease of finding \ reading.

High Level Steps

1. Prepare Servers

• Install Network cards, TPM modules and Storage.

• Upgrade Firmware

• Install HCI OS

• Configure IP/Name

• Enable RDP

• Cluster Validation Tests

• Enable Hyper-V Role

• BitLocker Key Backup

2. Prepare AD

• Configure On-Prem AD

3. Configure Azure

• Enable Resource Providers

• Register nodes wit Azure ARC

• Create HCI Cluster

• Create Storage Volumes

• Create Logical Network

• Create Monitoring Alerts

4. Post Deployment Steps

   
   

This particular example is a 2 node cluster in switchless storage configuration deployed in the Auxilium Lab environment. You can have a maximum of 3 nodes in a switchless storage configuration before requiring a Top of Rack Switch (TOR) preferably dedicated to storage and running at 25GB

1. Prepare Servers

Pay attention to the hardware requirements and ensure you are running the latest supported firmware prior to starting. Hardware must have RDMA supported Network cards and also a trusted platform module, ensure this is also enabled in the BIOS along with secure boot.

HCI OS can be downloaded from the Azure Portal by searching for Azure Stack HCI which will soon be renamed. When you install the HCI OS configure the IP address \ DNS etc and also enable RDP to make pasting Powershell commands easier.

DO NOT Domain Join it otherwise it will fail at the deployment stage as domain join happens later.

https://learn.microsoft.com/en-us/azure/azure-local/concepts/system-requirements?tabs=azure-public

Download Install the Vendor Network Drivers as in box drivers are not supported and validation will fail. To verify what drivers are in use on the NIC run the following Powershell commands

Get-NetworkAdapter

get-netadapter -name "Embedded LOM 1 Port 1" | select Driver*

If the provider is Microsoft the Inbox driver is being used and validation will fail.

From Powershell on the node run get-netadapterrdma to confirm it’s enabled and operational

Run Cluster Validation from the node(s)

Run the Environment Checker to identify potential issues. If using a proxy check the link for the command to set proxy.

https://learn.microsoft.com/en-us/azure/azure-local/manage/use-environment-checker?tabs=connectivity

Installing the modules

Install-Module PowerShellGet -AllowClobber -Force

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Install-Module -Name AzStackHci.EnvironmentChecker

Run the connectivity checker

Invoke-AzStackHciConnectivityValidation

Run the Hardware Checker

Invoke-AzStackHciHardwareValidation

Install hyper V on all nodes

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

Ensure you back up the Bitlocker key as it will be required when firmware updates are completed on the node and not having keys will likely result in data loss

Get-AsRecoveryKeyInfo | ft ComputerName, PasswordID, RecoveryKey 

Disable DCBX willing

QOS should be disabled for switchless storage mode. DCBX is enabled by default. This recommendation is not documented by Microsoft and was a recommendation after a call around storage performance.

Set-NetQoSDCBXSetting -Willing $false -Confirm:$false

2. Prepare AD

   
   

Install the HCI PS module on a DC or PC with RSAT

Install-Module -Name AsHciADArtifactsPreCreationTool

Run the command to create the OU and Deployment account

New-HciAdObjectsPreCreation -AzureStackLCMUserCredential (Get-Credential) -AsHciOUName "OU=<OU>,OU=<OU>,DC=<Domain>,DC=<domain>"

You will be prompted for a new user account, give it a name and secure password.

NOTE Password must comply with Azure policy

You should now see the OU and Deployment account in AD

3. Configure Azure

Now that the AD prep is complete and the Nodes are passing connectivity checks its time to register the nodes with ARC and create the cluster to complete the initial build

You can find the documentation for ARC registration here

https://learn.microsoft.com/en-us/azure/azure-local/deploy/deployment-arc-register-server-permissions?tabs=powershell

Please be aware of the Supported regions for Azure Stack HCI

Enable the following Resource Providers on your Azure subscription that will have HCI Stack deployed

Microsoft.Compute

Microsoft.GuestConfiguration

Microsoft.AzureStackHCI

Microsoft.HybridCompute

Install the required modules

The following steps must be done for each node

#Register PSGallery as a trusted repo

Register-PSRepository -Default -InstallationPolicy Trusted

#Install required PowerShell modules in your node for registration

Install-Module Az.Accounts -RequiredVersion 2.13.2

Install-Module Az.Resources -RequiredVersion 6.12.0

Install-Module Az.ConnectedMachine -RequiredVersion 0.5.2

#Install Arc registration script from PSGallery

Install-Module AzsHCI.ARCinstaller

#Update AZ Modules

Update-module az*

Define Variables

#Define the subscription where you want to register your server as Arc device

$Subscription = "SubscriptionID"

#Define the resource group where you want to register your server as Arc device

$RG = "RGName"

#Define the region you will use to register your server as Arc device

$Region = "West Europe"

#Define the tenant you will use to register your server as Arc device

$Tenant = "TenantID"

Connect to Azure

#Connect to your Azure account and Subscription

Connect-AzAccount -SubscriptionId $Subscription -TenantId $Tenant -DeviceCode

#Get the Access Token for the registration

$ARMtoken = (Get-AzAccessToken).Token

#Get the Account ID for the registration

$id = (Get-AzContext).Account.Id

Note: if you get the error Get-AzAccessToken : Authentication failed against tenant run the following command and try again

Update-AzConfig -EnableLoginByWam $false

Register with ARC

#Invoke the registration script. Use a supported region.

Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenant -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id

*Repeat steps for each node

If you configure the stack against the wrong zone/RG you will need to unregister your server(s)

Command to Undo the registration

Remove-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenant -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id

You will now see your node(s) registered in Azure ARC. Give it 10 minutes or so before creating the cluster as the LCM extension may take some time to register.

You can now create the Cluster from the Azure portal

Basics

Subscription: Select Subscription

Resource Group: Select RG previously defined

Cluster Name: Set cluster name

Region: Select previously defined region

Key vault Name (use Existing or create new)

Add Machines - Select the machines you want to add to the cluser then select Validate Servers

If you receive the following error when doing validaiton it means the LCM extension installation has not completed ad requires more time

Exception [Arc extensions installed on Arc Machine [/subscriptions/3b0bdc2b-3dd1-4dfc-a34e-1e7a11d7aa45/resourceGroups/new/providers/Microsoft.HybridCompute/machines/HCI_Node_A] are [TelemetryAndDiagnostics, DeviceManagementExtension, EdgeRemoteSupport] while required list of mandatory arc extensions are [TelemetryAndDiagnostics, DeviceManagementExtension, LcmController]. Mandatory extensions not yet installed are [LcmController]] occured while fetching Arc extensions for Arc Machine [/subscriptions/3b0bdc2b-3dd1-4dfc-a34e-1e7a11d7aa45/resourceGroups/new/providers/Microsoft.HybridCompute/machines/HCI_Node_A]

Configuration

Source* New configuration

You can create deployment templates ideal for environments that will have multiple stack deployments

Networking

Network section allows you to configure the traffic on your nodes and what adapters are used for certain traffic as well as allowing you to team adapters. Unless you are deploying a single node you may want to separate storage traffic from management traffic.

In this section you will also need to reserve some IP addresses that are used for roles within the cluster then validate the subnet before proceeding.

Management

This is the section where you provide information created in previous steps. if passwords are incorrect the deployment will fail within a couple minutes.

Security

Recommended security settings or custom if you need to make changes.

Advanced

This section will specify how volumes are initially created. Create the required infrastructure volumes only and then review the volumes section of the documentation here to choose the appropriate configuration for your workload.

Please see blog for what not to do when creating a volume

Tags

self explanatory

Validation

at this point you will run the final validation before creating the cluster. if you receive and error relating to External Active Directory it is likely permissions on the OU which can be resolved by following instructions below;

https://learn.microsoft.com/en-us/answers/questions/1608897/azure-stack-hci-23h2-cluster-deployment-validation

If your validation fails at the disk section then you may need to clean the drives

https://learn.microsoft.com/en-us/windows-server/storage/storage-spaces/deploy-storage-spaces-direct#step-31-clean-drives

Find out the disk numbers for the disks to be used as cluster storage using  Get-disk

Run the following commands against the disks and then reboot, run the invoke-azstackhcihardwarevalidation and it should now work fine.

set-disk -number 0 -isoffline $false

set-disk -number 1 -isoffline $false

set-disk -number 2 -isoffline $false

set-disk -number 3 -isoffline $false

set-disk -number 4 -isoffline $false

set-disk -number 5 -isoffline $false

set-disk -number 6 -isoffline $false

set-disk -number 7 -isoffline $false

set-disk -number 0 -isreadonly $false

set-disk -number 1 -isreadonly $false

set-disk -number 2 -isreadonly $false

set-disk -number 3 -isreadonly $false

set-disk -number 4 -isreadonly $false

set-disk -number 5 -isreadonly $false

set-disk -number 6 -isreadonly $false

set-disk -number 7 -isreadonly $false

Clear-Disk -number 0 -RemoveData -RemoveOEM -Confirm:$false

Clear-Disk -number 1 -RemoveData -RemoveOEM -Confirm:$false

Clear-Disk -number 2 -RemoveData -RemoveOEM -Confirm:$false

Clear-Disk -number 3 -RemoveData -RemoveOEM -Confirm:$false

Clear-Disk -number 4 -RemoveData -RemoveOEM -Confirm:$false

Clear-Disk -number 5 -RemoveData -RemoveOEM -Confirm:$false

Clear-Disk -number 6 -RemoveData -RemoveOEM -Confirm:$false

Clear-Disk -number 7 -RemoveData -RemoveOEM -Confirm:$false

Set-Disk -number 0 -isreadonly:$true

Set-Disk -number 1 -isreadonly:$true

Set-Disk -number 2 -isreadonly:$true

Set-Disk -number 3 -isreadonly:$true

Set-Disk -number 4 -isreadonly:$true

Set-Disk -number 5 -isreadonly:$true

Set-Disk -number 6 -isreadonly:$true

Set-Disk -number 7 -isreadonly:$true

Set-Disk -number 0 -isoffline:$true

Set-Disk -number 1 -isoffline:$true

Set-Disk -number 2 -isoffline:$true

Set-Disk -number 3 -isoffline:$true

Set-Disk -number 4 -isoffline:$true

Set-Disk -number 5 -isoffline:$true

Set-Disk -number 6 -isoffline:$true

Set-Disk -number 7 -isoffline:$true

Final Validation should now look like the screenshot below you can now go ahead to the summary screen and create your Azure Local cluster

Once created you are ready to go and deploy workloads onto your Azure Local cluster.