Management concepts for user accounts, passwords, and administration in Azure Active Directory Domain Services

When you create and run an Azure Active Directory Domain Services (AD DS) managed domain, there are some differences in behavior compared to a traditional on-premises AD DS environment. You use the same administrative tools in Azure AD DS as in a self-managed domain, but you can't directly access the domain controllers (DCs). There are also some differences in behavior for password policies and password hashes depending on the source of the user account creation.

This conceptual article details how to administer a managed domain and the different behavior of user accounts depending on the way they're created.

Domain management

A managed domain is a DNS namespace and matching directory. In a managed domain, the domain controllers (DCs) that contain all the resources like users and groups, credentials, and policies are part of the managed service. For redundancy, two DCs are created as part of a managed domain. You can't sign in to these DCs to perform management tasks. Instead, you create a management VM that's joined to the managed domain, then install your regular AD DS management tools. For example, you can use the Active Directory Administrative Center or Microsoft Management Console (MMC) snap-ins like DNS or Group Policy objects.
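As an added example (not code from the original article or from Microsoft), the following PowerShell, run from a domain-joined Windows Server management VM, installs the standard AD DS administration tools and then takes a read-only inventory of the things an administrator can still inspect without signing in to the DCs: the two service-operated domain controllers, the default password policy, and any forest trusts. The domain name aadds.contoso.com and the chosen RSAT feature set are assumptions for illustration.

```powershell
# Added example: prepare a management VM for an Azure AD DS managed domain and
# take a read-only inventory. Run in an elevated PowerShell session on a
# Windows Server VM that is already joined to the managed domain.
# "aadds.contoso.com" is a placeholder domain name, not from the article.

$ManagedDomain = 'aadds.contoso.com'

# 1. Install the AD DS, DNS and Group Policy management tools (RSAT).
#    These are the same tools you would use against a self-managed domain.
Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server, GPMC -IncludeManagementTools

Import-Module ActiveDirectory

# 2. The DCs are operated by the service: you can enumerate them, but you
#    cannot sign in to them.
$dcs = Get-ADDomainController -Filter * -Server $ManagedDomain
Write-Host "Domain controllers operated by the managed service:"
$dcs | Select-Object HostName, IPv4Address, Site | Format-Table -AutoSize

# 3. Inspect the default domain password policy that applies to all accounts.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $ManagedDomain
$policy | Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
    LockoutThreshold, LockoutDuration, LockoutObservationWindow | Format-List

# 4. List outbound forest trusts (a resource forest relies on these;
#    a user forest typically has none).
$trusts = Get-ADTrust -Filter * -Server $ManagedDomain
if ($trusts) {
    $trusts | Select-Object Name, Direction, ForestTransitive | Format-Table -AutoSize
} else {
    Write-Host "No forest trusts configured on $ManagedDomain."
}
```

Everything after the RSAT installation is a read operation, so the script is safe to run repeatedly as a baseline check; the same cmdlets drive the Active Directory Administrative Center and the MMC snap-ins mentioned above.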

User account creation

User accounts can be created in a managed domain in multiple ways. Most user accounts are synchronized in from Azure AD, which can also include user accounts synchronized from an on-premises AD DS environment. You can also manually create accounts directly in the managed domain. Some features, like initial password synchronization or password policy, behave differently depending on how and where user accounts are created.

  • The user account can be synchronized in from Azure AD. This includes cloud-only user accounts created directly in Azure AD, and hybrid user accounts synchronized from an on-premises AD DS environment using Azure AD Connect.
    • The majority of user accounts in a managed domain are created through the synchronization process from Azure AD.
  • The user account can be manually created in a managed domain, and doesn't exist in Azure AD.
    • If you need to create service accounts for applications that only run in the managed domain, you can manually create them in the managed domain. As synchronization is one way from Azure AD, user accounts created in the managed domain aren't synchronized back to Azure AD.

Password policy

Azure AD DS includes a default password policy that defines settings for things like account lockout, maximum password age, and password complexity. Settings like account lockout policy apply to all users in a managed domain, regardless of how the user was created as outlined in the previous section. A few settings, like minimum password length and password complexity, only apply to users created directly in a managed domain.

You can create your own custom password policies to override the default policy in a managed domain. These custom policies can then be applied to specific groups of users as needed.

For more information on the differences in how password policies are applied depending on the source of user creation, see Password and account lockout policies on managed domains.
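The following PowerShell is an added example, not code from the original article, of the custom policy the two paragraphs above describe: a fine-grained password policy that overrides the default policy for one group of users. It assumes the Active Directory module on a domain-joined management VM, an account with administrative rights in the managed domain, and a group of manually created service accounts; the policy name, group name and all threshold values are illustrative.

```powershell
# Added example: create a custom (fine-grained) password policy in an Azure AD DS
# managed domain and apply it to a group. Run from a domain-joined management VM
# with the Active Directory module, as an administrator of the managed domain.
# Policy name, group name and values are assumptions, not from the article.

Import-Module ActiveDirectory

$PolicyName = 'ServiceAccounts-Strict'   # assumed policy name
$GroupName  = 'App Service Accounts'     # assumed group, created below if missing

# Group holding the manually created service accounts the policy should cover.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# Create the policy. Precedence: the lower number wins when a user matches
# several policies. Lockout settings apply regardless of where an account was
# created; length and complexity only take effect for accounts created
# directly in the managed domain.
New-ADFineGrainedPasswordPolicy -Name $PolicyName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Apply the policy to the group; its members now get this policy instead of
# the default domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

# Confirm the policy and what it applies to.
Get-ADFineGrainedPasswordPolicy -Identity $PolicyName |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# To see the policy a specific member actually ends up with, use
# Get-ADUserResultantPasswordPolicy -Identity <sAMAccountName>.
```

Because the lockout settings in a policy apply to every matching account while the length and complexity settings only bind accounts created in the managed domain, a policy like this is most useful for service accounts created directly in the domain; for synchronized users the minimum length is still enforced by Azure AD at password-change time.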

Password hashes

To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

For cloud-only user accounts, users must change their passwords before they can use the managed domain. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account isn't synchronized from Azure AD to Azure AD DS until the password is changed.

For users synchronized from an on-premises AD DS environment using Azure AD Connect, enable synchronization of password hashes.
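Because a cloud-only account does not appear in the managed domain until its password has been changed, and because no account can authenticate against a newly created managed domain until its hashes have been regenerated, a practical check is to confirm which expected accounts are actually present. The PowerShell below is an added example, not code from the original article; the domain name and the list of user principal names are constructed sample input.

```powershell
# Added example: detect Azure AD accounts that have not yet appeared in the
# managed domain. Cloud-only users are not synchronized until they change
# their password (which generates the NTLM/Kerberos hashes), and after a
# managed domain is recreated nobody can authenticate until the hashes are
# regenerated. Run from a domain-joined management VM with the Active
# Directory module. The domain name and UPN list are constructed samples.

Import-Module ActiveDirectory

$ManagedDomain = 'aadds.contoso.com'   # placeholder domain name

# Accounts you expect to be usable in the managed domain (constructed sample).
$ExpectedUsers = @(
    'alice@contoso.com',
    'bob@contoso.com',
    'svc-reporting@contoso.com'
)

$pending = @()
foreach ($upn in $ExpectedUsers) {
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server $ManagedDomain `
                       -Properties PasswordLastSet, Enabled -ErrorAction SilentlyContinue
    if (-not $user) {
        # Not synchronized yet: for a cloud-only account this usually means the
        # user has not changed their password since Azure AD DS was enabled.
        $pending += [pscustomobject]@{ UPN = $upn; State = 'NotInManagedDomain' }
    } elseif (-not $user.Enabled) {
        $pending += [pscustomobject]@{ UPN = $upn; State = 'Disabled' }
    } else {
        Write-Host ("{0}: present, password last set {1}" -f $upn, $user.PasswordLastSet)
    }
}

if ($pending) {
    Write-Host "`nAccounts that cannot authenticate against the managed domain yet:"
    $pending | Format-Table -AutoSize
}
```

Run this against the list of users expected to sign in to domain-joined VMs after enabling Azure AD DS, or after recreating a managed domain; an account reported as NotInManagedDomain needs a password change (cloud-only user) or a completed password hash synchronization (hybrid user) before it will authenticate.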

Important

Azure AD Connect only synchronizes legacy password hashes when you enable Azure AD DS for your Azure AD tenant. Legacy password hashes aren't used if you only use Azure AD Connect to synchronize an on-premises AD DS environment with Azure AD.

If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Azure AD DS. For more information, see Disable weak cipher suites and NTLM credential hash synchronization.

Once appropriately configured, the usable password hashes are stored in the managed domain. If you delete the managed domain, any password hashes stored at that point are also deleted. Synchronized credential information in Azure AD can't be reused if you later create another managed domain; you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to immediately authenticate, because Azure AD needs to generate and store the password hashes in the new managed domain. For more information, see Password hash sync process for Azure AD DS and Azure AD Connect.

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in a managed domain to synchronize objects back to Azure AD.

Forests and trusts

A forest is a logical construct used by Active Directory Domain Services (AD DS) to group one or more domains. The domains then store objects for users or groups, and provide authentication services.

In Azure AD DS, the forest only contains one domain. On-premises AD DS forests often contain many domains. In large organizations, especially after mergers and acquisitions, you may end up with multiple on-premises forests that each then contain multiple domains.

By default, a managed domain is created as a user forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized and users aren't using exclusive sign-in methods like smart card authentication.

In an Azure AD DS resource forest, users authenticate over a one-way forest trust from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to Azure AD DS. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such as LDAPS, Kerberos, or NTLM, but any authentication issues or concerns are removed.

For more information about forest types in Azure AD DS, see What are resource forests? and How do forest trusts work in Azure AD DS?

Azure AD DS SKUs

In Azure AD DS, the available performance and features are based on the SKU. You select a SKU when you create the managed domain, and you can switch SKUs as your business requirements change after the managed domain has been deployed. The following table outlines the available SKUs and the differences between them:

| SKU name   | Maximum object count | Backup frequency | Maximum number of outbound forest trusts |
|------------|----------------------|------------------|------------------------------------------|
| Standard   | Unlimited            | Every 5 days     | 0                                        |
| Enterprise | Unlimited            | Every 3 days     | 5                                        |
| Premium    | Unlimited            | Daily            | 10                                       |

Before these Azure AD DS SKUs, a billing model based on the number of objects (user and computer accounts) in the managed domain was used. There is no longer variable pricing based on the number of objects in the managed domain.

For more information, see the Azure AD DS pricing page.

Managed domain performance

Domain performance varies based on how authentication is implemented for an application. Additional compute resources may help improve query response time and reduce time spent in sync operations. As the SKU level increases, the compute resources available to the managed domain are increased. Monitor the performance of your applications and plan for the required resources.

If your business or application demands change and you need additional compute power for your managed domain, you can switch to a different SKU.

Backup frequency

The backup frequency determines how often a snapshot of the managed domain is taken. Backups are an automated process managed by the Azure platform. In the event of an issue with your managed domain, Azure support can assist you in restoring from backup. As synchronization only occurs one way from Azure AD, any issues in a managed domain won't impact Azure AD or on-premises AD DS environments and functionality.

As the SKU level increases, the frequency of those backup snapshots increases. Review your business requirements and recovery point objective (RPO) to determine the required backup frequency for your managed domain. If your business or application requirements change and you need more frequent backups, you can switch to a different SKU.

Outbound forest trusts

The previous section detailed one-way outbound forest trusts from a managed domain to an on-premises AD DS environment. The SKU determines the maximum number of forest trusts you can create for a managed domain. Review your business and application requirements to determine how many trusts you actually need, and pick the appropriate Azure AD DS SKU. Again, if your business requirements change and you need to create additional forest trusts, you can switch to a different SKU.

Next steps

To get started, create an Azure AD DS managed domain.