Resource forest concepts and features for Azure Active Directory Domain Services

Azure Active Directory Domain Services (Azure AD DS) provides a sign-in experience for legacy, on-premises, line-of-business applications. Users, groups, and password hashes of on-premises and cloud users are synchronized to the Azure AD DS managed domain. These synchronized password hashes are what gives users a single set of credentials they can use for the on-premises AD DS, Microsoft 365, and Azure Active Directory.

Although secure and providing additional security benefits, some organizations can't synchronize those user password hashes to Azure AD or Azure AD DS. Users in an organization may not know their password because they only use smart card authentication. These limitations prevent some organizations from using Azure AD DS to lift and shift on-premises classic applications to Azure.

To address these needs and restrictions, you can create a managed domain that uses a resource forest. This conceptual article explains what forests are, and how they trust other resources to provide a secure authentication method.

What are forests?

A forest is a logical construct used by Active Directory Domain Services (AD DS) to group one or more domains. The domains then store objects for users or groups, and provide authentication services.

In an Azure AD DS managed domain, the forest only contains one domain. On-premises AD DS forests often contain many domains. In large organizations, especially after mergers and acquisitions, you may end up with multiple on-premises forests that each then contain multiple domains.

By default, a managed domain is created as a user forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized and users aren't using exclusive sign-in methods like smart card authentication.

In a managed domain resource forest, users authenticate over a one-way forest trust from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to the managed domain. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such as LDAPS, Kerberos, or NTLM, while removing any authentication issues or concerns.

Resource forests also provide the capability to lift-and-shift your applications one component at a time. Many legacy on-premises applications are multi-tiered, often using a web server or front end and many database-related components. These tiers make it hard to lift-and-shift the entire application to the cloud in one step. With resource forests, you can lift your application to the cloud in a phased approach, which makes it easier to move your application to Azure.

What are trusts?

Organizations that have more than one domain often need users to access shared resources in a different domain. Access to these shared resources requires that users in one domain authenticate to another domain. To provide these authentication and authorization capabilities between clients and servers in different domains, there must be a trust between the two domains.

With domain trusts, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). Trusts act as bridges that only allow validated authentication requests to travel between domains.

How a trust passes authentication requests depends on how it's configured. Trusts can be configured in one of the following ways:

  • One-way - provides access from the trusted domain to resources in the trusting domain.
  • Two-way - provides access from each domain to resources in the other domain.

Trusts can also be configured to handle additional trust relationships in one of the following ways:

  • Nontransitive - The trust exists only between the two trust partner domains.
  • Transitive - Trust automatically extends to any other domains that either of the partners trusts.

In some cases, trust relationships are automatically established when domains are created. Other times, you must choose a type of trust and explicitly establish the appropriate relationships. The specific types of trusts used and the structure of those trust relationships depend on how the AD DS directory is organized, and whether different versions of Windows coexist on the network.

Trusts between two forests

You can extend domain trusts within a single forest to another forest by manually creating a one-way or two-way forest trust. A forest trust is a transitive trust that exists only between a forest root domain and a second forest root domain.

  • A one-way forest trust allows all users in one forest to trust all domains in the other forest.
  • A two-way forest trust forms a transitive trust relationship between every domain in both forests.

The transitivity of forest trusts is limited to the two forest partners. The forest trust doesn't extend to additional forests trusted by either of the partners.

Diagram: forest trust from Azure AD DS to on-premises AD DS

You can create different domain and forest trust configurations depending on the AD DS structure of the organization. Azure AD DS only supports a one-way forest trust. In this configuration, resources in the managed domain can trust all domains in an on-premises forest.

Supporting technology for trusts

Trusts use various services and features, such as DNS to locate domain controllers in partnering forests. Trusts also depend on the NTLM and Kerberos authentication protocols and on Windows-based authorization and access control mechanisms to help provide a secured communications infrastructure across AD DS domains and forests. The following services and features help support successful trust relationships.

DNS

AD DS needs DNS for domain controller (DC) location and naming. The following support from DNS is provided for AD DS to work successfully:

  • A name resolution service that lets network hosts and services locate DCs.
  • A naming structure that enables an enterprise to reflect its organizational structure in the names of its directory service domains.

A DNS domain namespace is usually deployed that mirrors the AD DS domain namespace. If there's an existing DNS namespace before the AD DS deployment, the DNS namespace is typically partitioned for AD DS, and a DNS subdomain and delegation for the AD DS forest root is created. Additional DNS domain names are then added for each AD DS child domain.

DNS is also used to support the location of AD DS DCs. The DNS zones are populated with DNS resource records that enable network hosts and services to locate AD DS DCs.
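The following script is an added example, not part of the original article, that checks the two properties described above for a resource forest deployment: the managed domain holds a single one-way (outbound) forest trust to the on-premises forest, and DNS can locate domain controllers on both sides of that trust. It assumes a domain-joined management VM with the RSAT ActiveDirectory module; both domain names are constructed placeholders.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module on a VM joined to the managed domain.
Import-Module ActiveDirectory

$managedDomain = 'aaddscontoso.com'   # placeholder: Azure AD DS managed domain
$onPremForest  = 'corp.contoso.com'   # placeholder: on-premises forest root

function Test-ResourceForestTrust {
    param([string]$Managed, [string]$Target)

    # Azure AD DS supports only a one-way forest trust. Seen from the managed
    # domain it is Outbound (the managed domain is the trusting side, the
    # on-premises forest the trusted side) and ForestTransitive, so every
    # domain in the on-premises forest is trusted. Anything else needs review.
    $trusts = @(Get-ADTrust -Filter * -Server $Managed)
    if ($trusts.Count -ne 1) {
        Write-Warning "Expected 1 trust on $Managed, found $($trusts.Count)"
    }
    foreach ($t in $trusts) {
        $isExpected = ($t.Target -eq $Target) -and
                      ($t.Direction -eq 'Outbound') -and
                      $t.ForestTransitive
        $status = if ($isExpected) { 'OK' } else { 'REVIEW' }
        '{0,-7} {1} -> {2} Direction={3} ForestTransitive={4}' -f $status, $t.Source, $t.Target, $t.Direction, $t.ForestTransitive
    }
}

function Test-DcLocatorRecords {
    param([string[]]$Domains)

    # Domain members find DCs through the _ldap._tcp.dc._msdcs SRV records
    # described above. The managed domain's DNS must also resolve the
    # on-premises names (normally through a conditional forwarder), or the
    # trust cannot route authentication requests to the trusted forest.
    foreach ($d in $Domains) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { Write-Warning "No DC locator SRV records for $d"; continue }
        foreach ($r in $srv) { '{0,-22} DC {1}:{2}' -f $d, $r.NameTarget, $r.Port }
    }
}

Test-ResourceForestTrust -Managed $managedDomain -Target $onPremForest
Test-DcLocatorRecords -Domains @($managedDomain, $onPremForest)
```

A trust reported as BiDirectional, or a second trust object, contradicts the one-way resource forest model and should be investigated; missing SRV records for the on-premises forest usually point at DNS forwarding rather than the trust itself.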

Applications and Net Logon

Both applications and the Net Logon service are components of the Windows distributed security channel model. Applications integrated with Windows Server and AD DS use authentication protocols to communicate with the Net Logon service so that a secured path can be established over which authentication can occur.

Authentication protocols

AD DS DCs authenticate users and applications using one of the following protocols:

  • Kerberos version 5 authentication protocol

    • The Kerberos version 5 protocol is the default authentication protocol used by on-premises computers running Windows and by third-party operating systems that support it. This protocol is specified in RFC 1510 and is fully integrated with AD DS, server message block (SMB), HTTP, and remote procedure call (RPC), as well as the client and server applications that use these protocols.
    • When the Kerberos protocol is used, the server doesn't have to contact the DC. Instead, the client gets a ticket for a server by requesting one from a DC in the server account domain. The server then validates the ticket without consulting any other authority.
    • If any computer involved in a transaction doesn't support the Kerberos version 5 protocol, the NTLM protocol is used.
  • NTLM authentication protocol

    • The NTLM protocol is a classic network authentication protocol used by older operating systems. For compatibility reasons, it's used by AD DS domains to process network authentication requests that come from applications designed for earlier Windows-based clients and servers, and from third-party operating systems.
    • When the NTLM protocol is used between a client and a server, the server must contact a domain authentication service on a DC to verify the client credentials. The server authenticates the client by forwarding the client credentials to a DC in the client account domain.
    • When two AD DS domains or forests are connected by a trust, authentication requests made using these protocols can be routed to provide access to resources in both forests.

Authorization and access control

Authorization and trust technologies work together to provide a secured communications infrastructure across AD DS domains or forests. Authorization determines what level of access a user has to resources in a domain. Trusts facilitate cross-domain authorization of users by providing a path for authenticating users in other domains so their requests to shared resources in those domains can be authorized.

When an authentication request made in a trusting domain is validated by the trusted domain, it's passed to the target resource. The target resource then determines whether to authorize the specific request made by the user, service, or computer in the trusted domain based on its access control configuration.

Trusts provide this mechanism to validate authentication requests that are passed to a trusting domain. Access control mechanisms on the resource computer determine the final level of access granted to the requestor in the trusted domain.

Next steps

To learn more about trusts, see How do forest trusts work in Azure AD DS?

To get started with creating a managed domain with a resource forest, see Create and configure an Azure AD DS managed domain. You can then create an outbound forest trust to an on-premises domain.