Редактиране

Споделяне чрез


Connect machines at scale using Group Policy

You can onboard Active Directory–joined Windows machines to Azure Arc-enabled servers at scale using Group Policy.

You'll first need to set up a local remote share with the Connected Machine agent and modify a script specifying the Arc-enabled server's landing zone within Azure. You'll then run a script that generates a Group Policy Object (GPO) to onboard a group of machines to Azure Arc-enabled servers. This Group Policy Object can be applied to the site, domain, or organizational level. Assignment can also use Access Control List (ACL) and other security filtering native to Group Policy. Machines in the scope of the Group Policy will be onboarded to Azure Arc-enabled servers. Scope your GPO to only include machines that you want to onboard to Azure Arc.

Before you get started, be sure to review the prerequisites and verify that your subscription and resources meet the requirements. For information about supported regions and other related considerations, see supported Azure regions. Also review our at-scale planning guide to understand the design and deployment criteria, as well as our management and monitoring recommendations.

If you don't have an Azure subscription, create a free account before you begin.

Automatic connection for SQL Server

When you connect a Windows or Linux server to Azure Arc that also has Microsoft SQL Server installed, the SQL Server instances will automatically be connected to Azure Arc as well. SQL Server enabled by Azure Arc provides a detailed inventory and additional management capabilities for your SQL Server instances and databases. As part of the connection process, an extension is deployed to your Azure Arc-enabled server and new roles will be applied to your SQL Server and databases. If you don't want to automatically connect your SQL Servers to Azure Arc, you can opt out by adding a tag to the Windows or Linux server with the name ArcSQLServerExtensionDeployment and value Disabled when it's connected to Azure Arc.

For more information, see Manage automatic connection for SQL Server enabled by Azure Arc.

Prepare a remote share and create a service principal

The Group Policy Object, which is used to onboard Azure Arc-enabled servers, requires a remote share with the Connected Machine agent. You will need to:

  1. Prepare a remote share to host the Azure Connected Machine agent package for Windows and the configuration file. You need to be able to add files to the distributed location. The network share should provide Domain Controllers, and Domain Computers with Change permissions, and Domain Admins with Full Control permissions.

  2. Follow the steps to create a service principal for onboarding at scale.

    • Assign the Azure Connected Machine Onboarding role to your service principal and limit the scope of the role to the target Azure landing zone.
    • Make a note of the Service Principal Secret; you'll need this value later.
  3. Download and unzip the folder ArcEnabledServersGroupPolicy_vX.X.X from https://github.com/Azure/ArcEnabledServersGroupPolicy/releases/latest/. This folder contains the ArcGPO project structure with the scripts EnableAzureArc.ps1, DeployGPO.ps1, and AzureArcDeployment.psm1. These assets will be used for onboarding the machine to Azure Arc-enabled servers.

  4. Download the latest version of the Azure Connected Machine agent Windows Installer package from the Microsoft Download Center and save it to the remote share.

  5. Execute the deployment script DeployGPO.ps1, modifying the run parameters for the DomainFQDN, ReportServerFQDN, ArcRemoteShare, Service Principal secret, Service Principal Client ID, Subscription ID, Resource Group, Region, Tenant, and AgentProxy (if applicable):

    .\DeployGPO.ps1 -DomainFQDN contoso.com -ReportServerFQDN Server.contoso.com -ArcRemoteShare AzureArcOnBoard -ServicePrincipalSecret $ServicePrincipalSecret -ServicePrincipalClientId $ServicePrincipalClientId -SubscriptionId $SubscriptionId -ResourceGroup $ResourceGroup -Location $Location -TenantId $TenantId [-AgentProxy $AgentProxy]
    

Apply the Group Policy Object

On the Group Policy Management Console (GPMC), right-click on the desired Organizational Unit and link the GPO named [MSFT] Azure Arc Servers (datetime). This is the Group Policy Object which has the Scheduled Task to onboard the machines. After 10 or 20 minutes, the Group Policy Object will be replicated to the respective domain controllers. Learn more about creating and managing group policy in Microsoft Entra Domain Services.

After you have successfully installed the agent and configured it to connect to Azure Arc-enabled servers, go to the Azure portal to verify that the servers in your Organizational Unit have successfully connected. View your machines in the Azure portal.

Important

Once you've confirmed that your servers have successfully onboarded to Arc, disable the Group Policy Object. This will prevent the same Powershell commands in the scheduled tasks from executing when the system reboots or when the group policy is updated.

Next steps