Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services

To provide applications, services, or devices with access to a central identity, there are three common ways to use Active Directory-based services in Azure. This choice of identity solutions gives you the flexibility to use the directory that best fits your organization's needs. For example, if you mostly manage cloud-only users on mobile devices, it may not make sense to build and run your own Active Directory Domain Services (AD DS) identity solution; Azure Active Directory alone may meet the requirement.

Although the three Active Directory-based identity solutions share a common name and technology, they're designed to provide services that meet different customer demands. At a high level, these identity solutions and their feature sets are:

  • Active Directory Domain Services (AD DS) - An enterprise-ready Lightweight Directory Access Protocol (LDAP) server that provides key features such as identity and authentication, computer object management, Group Policy, and trusts.
  • Azure Active Directory (Azure AD) - Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Office 365, the Azure portal, or SaaS applications.
    • Azure AD can be synchronized with an on-premises AD DS environment to provide a single identity for users that works natively in the cloud.
    • For more information about Azure AD, see What is Azure Active Directory?
  • Azure Active Directory Domain Services (Azure AD DS) - Provides managed domain services with a subset of fully compatible traditional AD DS features such as domain join, Group Policy, LDAP, and Kerberos / NTLM authentication.
    • Azure AD DS integrates with Azure AD, which itself can synchronize with an on-premises AD DS environment. This ability extends central identity use cases to traditional web applications that run in Azure as part of a lift-and-shift strategy.
    • To learn more about synchronization with Azure AD and on-premises, see How objects and credentials are synchronized in a managed domain.

This overview article compares and contrasts how these identity solutions can work together, or be used independently, depending on the needs of your organization.

Azure AD DS and self-managed AD DS

If you have applications and services that need access to traditional authentication mechanisms such as Kerberos or NTLM, there are two ways to provide Active Directory Domain Services in the cloud:

  • A managed domain that you create using Azure Active Directory Domain Services (Azure AD DS). Microsoft creates and manages the required resources.
  • A self-managed domain that you create and configure using traditional resources such as virtual machines (VMs), a Windows Server guest OS, and Active Directory Domain Services (AD DS). You then continue to administer these resources.

With Azure AD DS, the core service components are deployed and maintained for you by Microsoft as a managed domain experience. You don't deploy, manage, patch, or secure the AD DS infrastructure for components like the VMs, Windows Server OS, or domain controllers (DCs).

Azure AD DS provides a smaller subset of features than a traditional self-managed AD DS environment, which reduces some of the design and management complexity. For example, there are no AD forests, domains, sites, or replication links to design and maintain. You can still create forest trusts between Azure AD DS and on-premises environments, though only one-way outbound trusts from the managed domain.

For applications and services that run in the cloud and need access to traditional authentication mechanisms such as Kerberos or NTLM, Azure AD DS provides a managed domain experience with the minimal amount of administrative overhead. For more information, see Management concepts for user accounts, passwords, and administration in Azure AD DS.

When you deploy and run a self-managed AD DS environment, you have to maintain all of the associated infrastructure and directory components. There's additional maintenance overhead with a self-managed AD DS environment, but you're then able to do additional tasks such as extending the schema or creating forest trusts.

Common deployment models for a self-managed AD DS environment that provides identity to applications and services in the cloud include the following:

  • Standalone cloud-only AD DS - Azure VMs are configured as domain controllers and a separate, cloud-only AD DS environment is created. This AD DS environment doesn't integrate with an on-premises AD DS environment. A different set of credentials is used to sign in to and administer VMs in the cloud.
  • Resource forest deployment - Azure VMs are configured as domain controllers and an AD DS domain that's part of an existing forest is created. A trust relationship is then configured to an on-premises AD DS environment. Other Azure VMs can domain-join to this resource forest in the cloud. User authentication runs over a VPN / ExpressRoute connection to the on-premises AD DS environment.
  • Extend on-premises domain to Azure - An Azure virtual network connects to an on-premises network using a VPN / ExpressRoute connection. Azure VMs connect to this Azure virtual network, which lets them domain-join to the on-premises AD DS environment.
    • An alternative is to create Azure VMs and promote them as replica domain controllers from the on-premises AD DS domain. These domain controllers replicate over a VPN / ExpressRoute connection to the on-premises AD DS environment. The on-premises AD DS domain is effectively extended into Azure.

The following table outlines some of the features you may need for your organization, and the differences between a managed Azure AD DS domain and a self-managed AD DS domain:

Feature | Azure AD DS | Self-managed AD DS
Managed service | Yes | No
Secure deployments | Yes | Administrator secures the deployment
DNS server | Yes (managed service) | Yes
Domain or Enterprise administrator privileges | No | Yes
Domain join | Yes | Yes
Domain authentication using NTLM and Kerberos | Yes | Yes
Kerberos constrained delegation | Resource-based | Resource-based & account-based
Custom OU structure | Yes | Yes
Group Policy | Yes | Yes
Schema extensions | No | Yes
AD domain / forest trusts | Yes (one-way outbound forest trusts only) | Yes
Secure LDAP (LDAPS) | Yes | Yes
LDAP read | Yes | Yes
LDAP write | Yes (within the managed domain) | Yes
Geo-distributed deployments | (value not recoverable from this copy) | Yes
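
The Kerberos constrained delegation row is the difference with the most security consequence for a lift-and-shift: in a managed domain you are never a Domain or Enterprise Admin, so only the resource-based form, which the owner of the back-end resource configures on that resource's own account, is available. The following PowerShell is an added example, not code from the original article or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined VM, a caller who is a member of AAD DC Administrators (managed domain) or Domain Admins (self-managed), and the hypothetical computer accounts WEBAPP01 (the front end that impersonates users) and SQL01 (the back-end resource).

```powershell
# Added example (not from the original article or Microsoft): configure Kerberos constrained
# delegation (KCD) in the form a managed Azure AD DS domain permits, and show why the
# account-based form is only possible in a self-managed domain.
# Assumptions: RSAT ActiveDirectory module on a domain-joined VM; the caller is a member of
# 'AAD DC Administrators' (managed domain) or Domain Admins (self-managed); hypothetical
# computer accounts WEBAPP01 (front end that impersonates users) and SQL01 (back-end resource).
Import-Module ActiveDirectory

$frontEnd = Get-ADComputer -Identity 'WEBAPP01'
$backEnd  = Get-ADComputer -Identity 'SQL01'

# --- Resource-based KCD: works on Azure AD DS and on self-managed AD DS ---
# The grant is written on the BACK-END object (msDS-AllowedToActOnBehalfOfOtherIdentity),
# so whoever owns SQL01 decides which front ends may impersonate users to it. Only write
# access to that one object is needed; in a managed domain, 'AAD DC Administrators' has it
# for computers in the AADDC Computers container.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify the grant landed on the back end (each entry is normalised to its DN string first).
$allowed = (Get-ADComputer -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount |
           ForEach-Object { "$_" }
if ($allowed -contains $frontEnd.DistinguishedName) {
    Write-Host "Resource-based KCD: $($frontEnd.Name) may act on behalf of users to $($backEnd.Name)"
} else {
    Write-Warning "Resource-based KCD grant not found on $($backEnd.Name)"
}

# --- Account-based KCD: self-managed AD DS only ---
# Here the allow-list is written on the FRONT-END object (msDS-AllowedToDelegateTo). Changing
# it requires SeEnableDelegationPrivilege, held by Domain/Enterprise Admins, which a managed
# domain never grants to customers, so this call is refused on Azure AD DS.
$spn = "MSSQLSvc/$($backEnd.DNSHostName):1433"
try {
    Set-ADComputer -Identity $frontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $spn } -ErrorAction Stop
    Write-Host "Account-based KCD: $($frontEnd.Name) may delegate to $spn (self-managed domain)"
} catch {
    Write-Warning "Account-based KCD refused (expected on a managed domain): $($_.Exception.Message)"
}

# To undo the resource-based grant when the migration is finished:
# Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $null
```

The difference matters for least privilege beyond the managed-versus-self-managed question. With resource-based KCD the team that owns SQL01 controls who may impersonate users to it, and a compromised front end cannot widen its own delegation scope, because the allow-list is on an object it does not control. With account-based KCD the list lives on the front end itself (and protocol transition additionally needs the TRUSTED_TO_AUTH_FOR_DELEGATION flag on that account), which is why changing it is gated behind a domain-wide privilege that Azure AD DS keeps for the platform.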

Azure AD DS and Azure AD

Azure AD lets you manage the identity of devices used by the organization and control access to corporate resources from those devices. Users can also register their personal device (a bring-your-own-device (BYOD) model) with Azure AD, which gives the device an identity. Azure AD then authenticates the device when a user signs in to Azure AD and uses the device to access secured resources. The device can be managed using Mobile Device Management (MDM) software like Microsoft Intune. This management ability lets you restrict access to sensitive resources to managed and policy-compliant devices.

Traditional computers and laptops can also join Azure AD. This mechanism offers the same benefits as registering a personal device with Azure AD, such as allowing users to sign in to the device using their corporate credentials.

Azure AD joined devices give you the following benefits:

  • Single sign-on (SSO) to applications secured by Azure AD.
  • Enterprise policy-compliant roaming of user settings across devices.
  • Access to the Windows Store for Business using corporate credentials.
  • Windows Hello for Business.
  • Restricted access to apps and resources from devices compliant with corporate policy.

Devices can be joined to Azure AD with or without a hybrid deployment that includes an on-premises AD DS environment. The following table outlines common device ownership models and how they would typically be joined to a domain:

Type of device | Device platforms | Mechanism
Personal devices | Windows 10, iOS, Android, macOS | Azure AD registered
Organization-owned device not joined to on-premises AD DS | Windows 10 | Azure AD joined
Organization-owned device joined to an on-premises AD DS | Windows 10 | Hybrid Azure AD joined

On an Azure AD-joined or registered device, user authentication happens using modern OAuth / OpenID Connect based protocols. These protocols are designed to work over the internet, so they're well suited to mobile scenarios where users access corporate resources from anywhere.

With Azure AD DS-joined devices, applications can use the Kerberos and NTLM protocols for authentication, so they can support legacy applications migrated to run on Azure VMs as part of a lift-and-shift strategy. The following table outlines differences in how the devices are represented and how they can authenticate against the directory:

Aspect | Azure AD-joined | Azure AD DS-joined
Device controlled by | Azure AD | Azure AD DS managed domain
Representation in the directory | Device objects in the Azure AD directory | Computer objects in the Azure AD DS managed domain
Authentication | OAuth / OpenID Connect based protocols | Kerberos and NTLM protocols
Management | Mobile Device Management (MDM) software like Intune | Group Policy
Networking | Works over the internet | Must be connected to, or peered with, the virtual network where the managed domain is deployed
Great for... | End-user mobile or desktop devices | Server VMs deployed in Azure
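
The Networking row is the practical difference a VM operator hits first: an Azure AD-joined device only needs internet access, whereas a VM that will join the managed domain must resolve the managed domain's DCs through the managed domain's DNS and reach them on the Kerberos, LDAP and SMB ports over the virtual network. The following PowerShell pre-flight check is an added example, not code from the original article or from Microsoft. It assumes a Windows Server VM in the managed domain's virtual network or a peered one, and uses aaddscontoso.com as a hypothetical managed-domain name.

```powershell
# Added example (not from the original article or Microsoft): pre-flight check before joining
# an Azure VM to a managed Azure AD DS domain. An Azure AD-joined device only needs internet
# access, but a VM joining the managed domain must reach the managed domain's DCs over the
# virtual network. Assumptions: Windows Server VM in the managed domain's VNet or a peered VNet;
# 'aaddscontoso.com' is a hypothetical managed-domain name.
param(
    [string]$DomainName = 'aaddscontoso.com'
)

# 1. The VM's DNS must point at the managed domain's DC addresses; otherwise the SRV lookup
#    below fails and so will the domain join.
Write-Host "DNS servers configured on this VM:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. Locate the DCs through the SRV record the domain-join code path itself uses.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "Cannot resolve DC SRV records for $DomainName; set the VNet DNS servers to the managed domain's DC IPs and retry."
    return
}
$dcs = $srv | Select-Object -ExpandProperty NameTarget -Unique

# 3. Kerberos, LDAP, LDAPS and SMB must be reachable from the VM to every DC.
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; LDAPS = 636; SMB = 445 }
$results = foreach ($dc in $dcs) {
    foreach ($svc in $ports.Keys) {
        $t = Test-NetConnection -ComputerName $dc -Port $ports[$svc] -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Service = $svc; Port = $ports[$svc]; Reachable = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

if ($results.Reachable -contains $false) {
    Write-Warning "At least one DC port is unreachable; check VNet peering, NSG rules and the VM's DNS before attempting the join."
} else {
    Write-Host "All DC ports reachable. Join with an 'AAD DC Administrators' account, for example:"
    Write-Host "  Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart"
}
```

Run it as the local administrator on the VM before any Add-Computer attempt; a failure in step 2 almost always means the virtual network's DNS servers were left at the Azure default rather than the managed domain's DC addresses, and a failure in step 3 points at a network security group or missing peering rather than at the directory.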

Next steps

To get started with Azure AD DS, create an Azure AD DS managed domain using the Azure portal.

You can also learn more about management concepts for user accounts, passwords, and administration in Azure AD DS and how objects and credentials are synchronized in a managed domain.