---
description: "Learn more about: Initialize the HGS cluster using TPM mode in an existing bastion forest"
title: Initialize the HGS cluster using TPM mode in a bastion forest
ms.topic: article
manager: dongill
author: IngridAtMicrosoft
ms.author: inhenkel
ms.date: 08/29/2018
---
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016
To initialize the HGS cluster using TPM mode in an existing bastion forest, follow the steps below. Active Directory Domain Services will be installed on the machine, but should remain unconfigured.
[!INCLUDE Obtain certificates for HGS]
Before you continue, ensure that you have prestaged your cluster objects for the Host Guardian Service and granted the logged-in user Full Control over the virtual computer object (VCO) and cluster name object (CNO) in Active Directory.
The virtual computer object name needs to be passed to the `-HgsServiceName` parameter, and the cluster name to the `-ClusterName` parameter.
> [!TIP]
> Double check your AD Domain Controllers to ensure your cluster objects have replicated to all DCs before continuing.
If you are using PFX-based certificates, run the following commands on the HGS server:

```powershell
$signingCertPass = Read-Host -AsSecureString -Prompt "Signing certificate password"
$encryptionCertPass = Read-Host -AsSecureString -Prompt "Encryption certificate password"
Install-ADServiceAccount -Identity 'HGSgMSA'
Initialize-HgsServer -UseExistingDomain -ServiceAccount 'HGSgMSA' -JeaReviewersGroup 'HgsJeaReviewers' -JeaAdministratorsGroup 'HgsJeaAdmins' -HgsServiceName 'HgsService' -SigningCertificatePath '.\signCert.pfx' -SigningCertificatePassword $signingCertPass -EncryptionCertificatePath '.\encCert.pfx' -EncryptionCertificatePassword $encryptionCertPass -TrustTpm
```
If you are using certificates installed on the local machine (such as HSM-backed certificates and non-exportable certificates), use the `-SigningCertificateThumbprint` and `-EncryptionCertificateThumbprint` parameters instead.
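The following pre-flight script is an added example and is not part of this article or of the HGS tooling. It checks the two things the steps above depend on before `Initialize-HgsServer` is run: that the prestaged CNO and VCO have replicated to every writable domain controller and that the gMSA can be retrieved on this node, and, for the thumbprint path, that the certificate sits in the machine store with a usable private key. The cluster name `HgsCluster` and the thumbprint values are placeholders; `HgsService` and `HGSgMSA` are the names used on this page.

```powershell
# Added pre-flight check for the HGS initialization steps above (example code,
# not Microsoft's). Assumes the ActiveDirectory module is installed on the node.
Import-Module ActiveDirectory

function Test-HgsPrestagedObjects {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,    # CNO passed to -ClusterName
        [Parameter(Mandatory)] [string] $HgsServiceName, # VCO passed to -HgsServiceName
        [string] $ServiceAccount = 'HGSgMSA'
    )
    $ok = $true
    # Query each writable DC directly so we see the object as that DC holds it,
    # instead of whichever DC the module happened to bind to.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }
    foreach ($dc in $dcs) {
        foreach ($name in @($ClusterName, $HgsServiceName)) {
            $obj = Get-ADComputer -Filter "Name -eq '$name'" -Server $dc.HostName
            if (-not $obj) {
                Write-Warning "Computer object '$name' has not replicated to $($dc.HostName)"
                $ok = $false
            }
        }
    }
    # The gMSA must be retrievable on this host (it was allowed in
    # PrincipalsAllowedToRetrieveManagedPassword) or the service cannot start.
    if (-not (Test-ADServiceAccount -Identity $ServiceAccount)) {
        Write-Warning "gMSA '$ServiceAccount' cannot be retrieved on this host"
        $ok = $false
    }
    return $ok
}

function Test-HgsCertificateThumbprint {
    # Thumbprint path: the cert must be in LocalMachine\My with an accessible
    # private key. An HSM-backed key still reports HasPrivateKey = $true via its KSP.
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $Thumbprint in LocalMachine\My"
        return $false
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $Thumbprint has no accessible private key"
        return $false
    }
    return $true
}

# Usage on the HGS node (cluster name and thumbprint are placeholders):
Test-HgsPrestagedObjects -ClusterName 'HgsCluster' -HgsServiceName 'HgsService'
Test-HgsCertificateThumbprint -Thumbprint 'SIGNING_CERT_THUMBPRINT_PLACEHOLDER'
```

Run `Test-HgsPrestagedObjects` after `Install-ADServiceAccount` and only proceed to `Initialize-HgsServer` once both functions return `$true`.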
In a production environment, you should continue to add additional HGS nodes to your cluster.
> [!div class="nextstepaction"]
> Install TPM root certs