Set up a cluster witness

Applies to: Azure Stack HCI, versions 22H2 and 21H2; Windows Server 2022, Windows Server 2019

Important

Azure Stack HCI is now part of Azure Local. Product documentation renaming is in progress. However, older versions of Azure Stack HCI, for example 22H2, will continue to reference Azure Stack HCI and won't reflect the name change. Learn more.

Warning

The deployment instructions provided in this article apply to an older version, Azure Stack HCI, version 22H2. For new deployments, we recommend that you use the latest generally available version, Azure Stack HCI, version 23H2. For deployment instructions, see About Azure Stack HCI, version 23H2 deployment.

This article describes how to set up an Azure Stack HCI or Windows Server cluster with a cluster witness in Azure (known as a cloud witness).

We recommend setting up a cluster witness for clusters with two, three, or four nodes. The witness helps the cluster determine which nodes have the most up-to-date cluster data if some nodes can't communicate with the rest of the cluster. You can host the cluster witness on a file share located on another server, or use a cloud witness.

To learn more about cluster witnesses and quorum, see Understanding cluster and pool quorum on Azure Stack HCI. To manage the witness, including setting a file share witness, see Change cluster settings.

Before you begin

Before you can create a cloud witness, you must have an Azure account and subscription, and register your Azure Stack HCI cluster with Azure. See the following articles for more information:

Create an Azure storage account

This section describes how to create an Azure storage account. This account is used to store an Azure blob file used for arbitration for a specific cluster. You can use the same Azure storage account to configure a cloud witness for multiple clusters.

  1. Sign in to the Azure portal.

  2. On the Azure portal home menu, under Azure services, select Storage accounts. If this icon is missing, select Create a resource to create a Storage accounts resource first.

    Azure portal home screen

  3. On the Storage accounts page, select New.

    Azure new storage account

  4. On the Create storage account page, complete the following:

    1. Select the Azure Subscription to apply the storage account to.
    2. Select the Azure Resource group to apply the storage account to.
    3. Enter a Storage account name.
      Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. This name must also be unique within Azure.
    4. Select a Location that is closest to you physically.
    5. For Performance, select Standard.
    6. For Account kind, select Storage general purpose.
    7. For Replication, select Locally-redundant storage (LRS).
    8. When finished, click Review + create.

    Azure create storage account

  5. Ensure that the storage account passes validation and then review account settings. When finished, click Create.

    Azure storage account validation

  6. It may take a few seconds for account deployment to occur in Azure. When deployment is complete, click Go to resource.

    Azure storage account deployment

Copy the access key and endpoint URL

When you create an Azure storage account, the process automatically generates two access keys, a primary key (key1) and a secondary key (key2). When a cloud witness is created for the first time, key1 is used. The endpoint URL is also generated automatically.

An Azure cloud witness uses a blob file for storage. The generated endpoint has the form storage_account_name.blob.core.windows.net.

Note

An Azure cloud witness uses HTTPS (default port 443) to establish communication with the Azure blob service. Ensure that the HTTPS port is accessible.

Copy the account name and access key

  1. In the Azure portal, under Settings, select Access keys.

  2. Select Show keys to display key information.

  3. Click the copy-and-paste icon to the right of the Storage account name and key1 fields and paste each text string to Notepad or other text editor.

    Azure storage account access keys

Copy the endpoint URL (optional)

The endpoint URL is optional and may not be needed for a cloud witness.

  1. In the Azure portal, select Properties.

  2. Select Show keys to display endpoint information.

  3. Under Blob service, click the copy-and-paste icon to the right of the Blob service field and paste the text string to Notepad or other text editor.

    Azure blob endpoint

Create a cloud witness using Windows Admin Center

Now you are ready to create a witness instance for your cluster using Windows Admin Center.

  1. In Windows Admin Center, select Cluster Manager from the top drop-down arrow.

  2. Under Cluster connections, select the cluster.

  3. Under Tools, select Settings.

  4. In the right pane, select Witness.

  5. For Witness type, select one of the following:

    • Cloud witness - enter your Azure storage account name, access key, and endpoint URL, as described previously
    • File share witness - enter the file share path "(//server/share)"

  6. For a cloud witness, for the following fields, paste the text strings you copied previously for:

    1. Azure storage account name
    2. Azure storage access key
    3. Azure service endpoint

    Cloud Witness access keys

  7. When finished, click Save. It might take a bit for the information to propagate to Azure.

Note

The third option, Disk witness, is not suitable for use in stretched clusters.

Create a cloud witness using Windows PowerShell

Alternatively, you can create a witness instance for your cluster using PowerShell.

Use the following cmdlet to create an Azure cloud witness. Enter the Azure storage account name and access key information as described previously:

Set-ClusterQuorum -Cluster "Cluster1" -CloudWitness -AccountName "AzureStorageAccountName" -AccessKey "AzureStorageAccountAccessKey"

Use the following cmdlet to create a file share witness. Enter the path to the file server share:

Set-ClusterQuorum -FileShareWitness "\\fileserver\share" -Credential (Get-Credential)
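
A pre-flight check and key-handling variant of the cloud witness cmdlet above, as an added example that is not part of the original article: it validates the storage account name against the naming rule stated earlier, confirms the blob endpoint is reachable on port 443, and prompts for key1 instead of pasting it from a text file. The cluster and account names are sample values, and core.windows.net is assumed as the endpoint (Azure public cloud).

```powershell
# Added example, not from the original article. Run in an elevated session on a cluster node.
# Assumed sample values: replace with your own cluster and storage account names.
$ClusterName = 'Cluster1'
$AccountName = 'azurestorageaccountname'
$Endpoint    = 'core.windows.net'   # assumed: Azure public cloud endpoint suffix

# Storage account names: 3 to 24 characters, lowercase letters and numbers only.
if ($AccountName -cnotmatch '^[a-z0-9]{3,24}$') {
    throw "Invalid storage account name '$AccountName'."
}

# The witness talks to the blob service over HTTPS, so confirm TCP 443 is reachable first.
$blobHost = "$AccountName.blob.$Endpoint"
$probe = Test-NetConnection -ComputerName $blobHost -Port 443 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $blobHost on TCP 443. Check firewall and proxy rules."
}

# Prompt for key1 so it is not stored in a text file, a script, or command history.
$secureKey = Read-Host -Prompt "Access key (key1) for $AccountName" -AsSecureString
# Set-ClusterQuorum takes the key as a plain string, so convert it in memory only.
$plainKey  = [System.Net.NetworkCredential]::new('', $secureKey).Password
try {
    Set-ClusterQuorum -Cluster $ClusterName -CloudWitness -AccountName $AccountName `
        -AccessKey $plainKey -Endpoint $Endpoint | Out-Null
}
finally {
    # Drop the plaintext copy as soon as the cmdlet returns.
    Remove-Variable -Name plainKey -ErrorAction SilentlyContinue
    $secureKey.Dispose()
}

# Confirm that the cluster now reports a cloud witness as its quorum resource.
Get-ClusterQuorum -Cluster $ClusterName | Format-List Cluster, QuorumResource
```

The storage account access key grants access to the whole storage account, so keeping it out of files and shell history limits where it can leak from.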

Next steps

To perform the next management task related to this article, see: