Configure additional HGS nodes
Applies To: Windows Server 2016
In production environments, HGS should be set up in a high availability cluster to ensure that shielded VMs can be powered on even if an HGS node goes down. For test environments, secondary HGS nodes are not required.
The following steps will add a node to the HGS cluster. The computer should not be joined to any domain before you perform these steps.
1. To add the Host Guardian Service role to the computer, run the following command in an elevated Windows PowerShell console:

   ```powershell
   Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
   ```

   Note: If you are adding HGS to an existing domain that was not created with Install-HgsServer, you may skip to step 5.

2. Configure at least one NIC on this machine to use the DNS server on your first HGS server for name resolution. This is necessary so that the machine can resolve and join the HGS domain and cluster in the next step.

3. Install the Host Guardian Service by running the commands below. Substitute the IP addresses and names as appropriate for your environment:

   ```powershell
   # Directory Services Restore Mode password for the domain controller role this node will hold
   $adSafeModePassword = ConvertTo-SecureString -AsPlainText '<password>' -Force
   # Credentials of an administrator in the existing HGS domain
   $cred = Get-Credential 'relecloud\Administrator'
   Install-HgsServer -HgsDomainName 'relecloud.com' -HgsDomainCredential $cred -SafeModeAdministratorPassword $adSafeModePassword -Restart
   ```

4. Wait for the server to restart, then sign in with the HGS domain administrator credentials.

5. Run the commands below to finish adding the new node to the HGS cluster. Substitute the IP addresses and names as appropriate for your environment:

   ```powershell
   $cred = Get-Credential 'relecloud\Administrator'
   Initialize-HgsServer -HgsServerIPAddress <IP address of first HGS Server>
   ```

6. Allow up to 10 minutes for the encryption and signing certificates from the first HGS server to replicate to this node.

7. If you used HSM-backed certificates, you will need to install the driver for your HSM on this machine and grant the machine access to the private keys of the encryption and signing certificates per your HSM manufacturer's instructions. For both PKI-issued and HSM-backed certificates, you must manually grant the HGS service access to the private keys of the certificates per the instructions in Use my own certificates with an HSM.
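After the replication wait and the private-key grant described above, a practitioner will want to confirm that the new node actually holds both certificate types, can reach their private keys, and is an active cluster member before relying on it for high availability. The following script is an added example written for this page, not code from the Microsoft documentation; it assumes it runs elevated on the new node after Initialize-HgsServer, that Get-HgsKeyProtectionCertificate objects expose CertificateType and Thumbprint properties, and that the certificates are visible in the local machine personal store.

```powershell
# Added example (not part of the original page): verify that a newly added HGS node
# has joined the cluster and received the signing and encryption certificates.
# Assumptions: elevated PowerShell on the new node after Initialize-HgsServer;
# Get-HgsKeyProtectionCertificate output exposes CertificateType and Thumbprint
# (property names assumed); certificates appear under Cert:\LocalMachine\My.
param(
    [int]$TimeoutMinutes = 10   # the page allows up to 10 minutes for replication
)

function Test-HgsNodeReady {
    param([int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Both certificate types must be present before this node can serve hosts.
        $certs = Get-HgsKeyProtectionCertificate -ErrorAction SilentlyContinue
        $types = @($certs | Select-Object -ExpandProperty CertificateType -Unique)
        $ready = ($types -contains 'Signing') -and ($types -contains 'Encryption')
        if (-not $ready) { Start-Sleep -Seconds 30 }
    } while (-not $ready -and (Get-Date) -lt $deadline)
    if (-not $ready) {
        Write-Warning "Certificates did not replicate within $TimeoutMinutes minutes."
        return $false
    }
    # With PKI-issued or HSM-backed certificates the private key is only reachable
    # once access has been granted manually (last step above), so a warning here
    # usually means that step is still outstanding on this node.
    $allKeysOk = $true
    foreach ($c in $certs) {
        $storeCert = Get-Item "Cert:\LocalMachine\My\$($c.Thumbprint)" -ErrorAction SilentlyContinue
        if ($null -eq $storeCert -or -not $storeCert.HasPrivateKey) {
            Write-Warning "$($c.CertificateType) certificate $($c.Thumbprint): private key not accessible."
            $allKeysOk = $false
        }
    }
    return $allKeysOk
}

# Cluster membership check (FailoverClusters module is installed with the HGS role).
$node = Get-ClusterNode -Name $env:COMPUTERNAME -ErrorAction SilentlyContinue
if ($null -eq $node -or $node.State -ne 'Up') {
    Write-Warning "This computer is not an 'Up' member of the HGS failover cluster."
}

if (Test-HgsNodeReady -TimeoutMinutes $TimeoutMinutes) {
    # Built-in HGS diagnostics as the final health check for the node.
    Get-HgsTrace -RunDiagnostics
}
```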