Azure Active Directory Domain Services deployment and management for Azure Cloud Solution Providers

Azure Cloud Solution Providers (CSP) is a program for Microsoft Partners that provides a license channel for various Azure cloud services. Azure CSP enables partners to manage sales, own the billing relationship, provide technical and billing support, and be the customer's single point of contact. In addition, Azure CSP provides a full set of tools, including a self-service portal and accompanying APIs. These tools enable CSP partners to easily provision and manage Azure resources, and to provide billing for customers and their subscriptions.

The Partner Center portal is the entry point for all Azure CSP partners, and provides rich customer management capabilities, automated processing, and more. Azure CSP partners can use Partner Center capabilities through a web-based UI, or through PowerShell and various API calls.

The following diagram illustrates how the CSP model works at a high level. Here, Contoso has an Azure Active Directory (Azure AD) tenant. They have a partnership with a CSP, who deploys and manages resources in their Azure CSP subscription. Contoso may also have regular (direct) Azure subscriptions, which are billed directly to Contoso.

Diagram: CSP model overview

The CSP partner's tenant has three special agent groups - Admin agents, Helpdesk agents, and Sales agents.

The Admin agents group is assigned to the tenant administrator role in Contoso's Azure AD tenant. As a result, a user belonging to the CSP partner's admin agents group has tenant admin privileges in Contoso's Azure AD tenant.

When the CSP partner provisions an Azure CSP subscription for Contoso, their admin agents group is assigned to the owner role for that subscription. As a result, the CSP partner's admin agents have the required privileges to provision Azure resources such as virtual machines, virtual networks, and Azure AD Domain Services on behalf of Contoso.

For more information, see the Azure CSP overview.

Benefits of using Azure AD DS in an Azure CSP subscription

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory Domain Services. Over the decades, many applications have been built to work against AD using these capabilities. Many independent software vendors (ISVs) have built and deployed applications at their customers' premises. These applications are hard to support, since you often require access to the different environments where the applications are deployed. With Azure CSP subscriptions, you have a simpler alternative with the scale and flexibility of Azure.

Azure AD DS supports Azure CSP subscriptions. You can deploy your application in an Azure CSP subscription tied to your customer's Azure AD tenant. As a result, your employees (support staff) can manage, administer, and service the VMs on which your application is deployed using your organization's corporate credentials.

You can also deploy an Azure AD DS managed domain in your customer's Azure AD tenant. Your application is then connected to your customer's managed domain. Capabilities within your application that rely on Kerberos/NTLM, LDAP, or the System.DirectoryServices API work seamlessly against your customer's domain. End customers benefit from consuming your application as a service, without needing to worry about maintaining the infrastructure the application is deployed on.

All billing for Azure resources you consume in that subscription, including Azure AD DS, is charged back to you. You maintain full control over the relationship with the customer when it comes to sales, billing, technical support, and so on. With the flexibility of the Azure CSP platform, a small team of support agents can service many such customers who have instances of your application deployed.

CSP deployment models for Azure AD DS

There are two ways in which you can use Azure AD DS with an Azure CSP subscription. Pick the right one based on the security and simplicity considerations your customers have.

Direct deployment model

In this deployment model, Azure AD DS is enabled within a virtual network that belongs to the Azure CSP subscription. The CSP partner's admin agents have the following privileges:

  • Global administrator privileges in the customer's Azure AD tenant.
  • Subscription owner privileges on the Azure CSP subscription.

Diagram: Direct deployment model

In this deployment model, the CSP provider's admin agents can administer identities for the customer. These admin agents can perform tasks such as provisioning new users or groups, or adding applications within the customer's Azure AD tenant.

This deployment model may be suited to smaller organizations that don't have a dedicated identity administrator, or that prefer for the CSP partner to administer identities on their behalf.

Peered deployment model

In this deployment model, Azure AD DS is enabled within a virtual network belonging to the customer - a direct Azure subscription paid for by the customer. The CSP partner can deploy applications within a virtual network belonging to the customer's CSP subscription. The two virtual networks can then be connected using Azure virtual network peering.

With this deployment, the workloads or applications deployed by the CSP partner in the Azure CSP subscription can connect to the customer's managed domain provisioned in the customer's direct Azure subscription.
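The peering step described above, as an added Azure PowerShell example that is not part of this page. It assumes the Az module, that both subscriptions belong to the customer's Azure AD tenant (as the CSP model implies), and one signed-in identity holding Network Contributor on both virtual networks; subscription ids, resource group and VNet names are placeholders.

```powershell
# Added example (not from the page): peer the CSP subscription's application VNet with the
# customer's own VNet that hosts the managed domain, in both directions, so the CSP's
# workloads can reach the customer's managed domain without the CSP holding Global
# Administrator rights in the customer's Azure AD. Assumes the Az module and one identity
# with Network Contributor on both VNets. All ids and names below are placeholders.

$cspSubscriptionId      = '<csp-subscription-id>'        # placeholder
$customerSubscriptionId = '<customer-subscription-id>'   # placeholder

# Customer side: the VNet in the customer's direct subscription where Azure AD DS is enabled.
Set-AzContext -Subscription $customerSubscriptionId | Out-Null
$customerVnet = Get-AzVirtualNetwork -Name 'aadds-vnet' -ResourceGroupName 'aadds-rg'

# CSP side: the VNet in the Azure CSP subscription hosting the partner's application VMs.
Set-AzContext -Subscription $cspSubscriptionId | Out-Null
$cspVnet = Get-AzVirtualNetwork -Name 'app-vnet' -ResourceGroupName 'app-rg'

# Peering is created from each side; the two address spaces must not overlap.
# The CSP workload only needs to reach the domain controllers (DNS, LDAP, Kerberos),
# so forwarded traffic and gateway transit are deliberately left at their default (off).
Add-AzVirtualNetworkPeering -Name 'app-to-aadds' -VirtualNetwork $cspVnet `
    -RemoteVirtualNetworkId $customerVnet.Id | Out-Null

Set-AzContext -Subscription $customerSubscriptionId | Out-Null
Add-AzVirtualNetworkPeering -Name 'aadds-to-app' -VirtualNetwork $customerVnet `
    -RemoteVirtualNetworkId $cspVnet.Id | Out-Null

# Verify: both links must report PeeringState 'Connected' before VMs in the CSP VNet
# can resolve and join the managed domain.
Get-AzVirtualNetworkPeering -VirtualNetworkName $customerVnet.Name `
    -ResourceGroupName $customerVnet.ResourceGroupName | Select-Object Name, PeeringState

Set-AzContext -Subscription $cspSubscriptionId | Out-Null
Get-AzVirtualNetworkPeering -VirtualNetworkName $cspVnet.Name `
    -ResourceGroupName $cspVnet.ResourceGroupName | Select-Object Name, PeeringState
```

After peering, point the CSP VNet's DNS at the managed domain's domain controller addresses (update `$cspVnet.DhcpOptions.DnsServers` and apply with `Set-AzVirtualNetwork`) so that domain join from the CSP workloads resolves the customer's managed domain.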

Diagram: Peered deployment model

This deployment model provides a separation of privileges: it enables the CSP partner's helpdesk agents to administer the Azure subscription and to deploy and manage resources within it, but the CSP partner's helpdesk agents don't need global administrator privileges on the customer's Azure AD directory. The customer's identity administrators can continue to manage identities for their organization.

This deployment model may be suited to scenarios where an ISV provides a hosted version of their on-premises application, which also needs to connect to the customer's Azure AD.

Administer Azure AD DS in CSP subscriptions

The following important considerations apply when administering a managed domain in an Azure CSP subscription:

  • CSP admin agents can provision a managed domain using their credentials: Azure AD DS supports Azure CSP subscriptions. Users belonging to a CSP partner's admin agents group can provision a new managed domain.

  • CSPs can script creation of new managed domains for their customers using PowerShell: See how to enable Azure AD DS using PowerShell for details.

  • CSP admin agents can't perform ongoing management tasks on the managed domain using their credentials: CSP admin users can't perform routine management tasks within the managed domain using their credentials. These users are external to the customer's Azure AD tenant, and their credentials aren't available within the customer's Azure AD tenant. Azure AD DS doesn't have access to the Kerberos and NTLM password hashes for these users, so they can't be authenticated on the managed domain.

    Warning

    You must create a user account within the customer's directory to perform ongoing administration tasks on the managed domain.

    You can't sign in to the managed domain using a CSP admin user's credentials. Use the credentials of a user account belonging to the customer's Azure AD tenant to do so. You need these credentials for tasks such as joining VMs to the managed domain, administering DNS, or administering Group Policy.

  • The user account created for ongoing administration must be added to the AAD DC Administrators group: The AAD DC Administrators group has privileges to perform certain delegated administration tasks on the managed domain. These tasks include configuring DNS, creating organizational units, and administering group policy.

    For a CSP partner to perform these tasks on a managed domain, a user account must be created within the customer's Azure AD tenant. The credentials for this account must be shared with the CSP partner's admin agents. Also, this user account must be added to the AAD DC Administrators group to enable configuration tasks on the managed domain to be performed using this user account.
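The account-creation steps in the list above (a dedicated user in the customer's tenant, added to the AAD DC Administrators group), as an added PowerShell example that is not from this page. It assumes the AzureAD module and that the caller is signed in as a Global Administrator of the customer's tenant (a CSP admin agent holds that role in the direct deployment model); the tenant id, verified domain and account names are placeholders.

```powershell
# Added example (not from the page): create a dedicated administration account inside the
# customer's Azure AD tenant and add it to the AAD DC Administrators group, so the CSP
# partner never depends on its own external admin-agent credentials for managed-domain
# tasks (those hashes are not available to Azure AD DS). Assumes the AzureAD module and a
# Global Administrator session in the customer tenant. Ids and names are placeholders.

$customerTenantId = '<customer-tenant-id>'      # placeholder
$customerDomain   = 'contoso.onmicrosoft.com'   # placeholder: a verified domain of the customer tenant

Connect-AzureAD -TenantId $customerTenantId | Out-Null

# 1. Find the AAD DC Administrators group, or create it if the tenant lacks it. Membership
#    in this group is what grants delegated DNS, OU and Group Policy rights on the domain.
$groupName = 'AAD DC Administrators'
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName `
        -Description 'Delegated administration group for Azure AD Domain Services' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
}

# 2. Create a cloud-only user in the customer tenant for the CSP partner to use. Being
#    inside the tenant, its Kerberos/NTLM hashes are available to the managed domain.
$adminUpn = "aadds-csp-admin@$customerDomain"
$adminUser = Get-AzureADUser -Filter "UserPrincipalName eq '$adminUpn'"
if (-not $adminUser) {
    $passwordProfile = New-Object Microsoft.Open.AzureAD.Model.PasswordProfile
    $passwordProfile.Password = Read-Host -Prompt 'Initial password for the delegated admin account'
    # Rotate the initial secret at the account's first Azure AD sign-in before it is shared further.
    $passwordProfile.ForceChangePasswordNextLogin = $true
    $adminUser = New-AzureADUser -DisplayName 'AAD DS delegated admin (CSP)' `
        -UserPrincipalName $adminUpn -MailNickName 'aadds-csp-admin' `
        -AccountEnabled $true -PasswordProfile $passwordProfile
}

# 3. Add the account to the group (idempotently) and list the resulting membership so the
#    customer's identity administrators can review exactly who holds delegated rights.
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if (-not ($members | Where-Object { $_.ObjectId -eq $adminUser.ObjectId })) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $adminUser.ObjectId
}
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName
```

The membership listing at the end is the check worth repeating periodically: only the accounts the customer has knowingly delegated should appear in AAD DC Administrators.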

Next steps

To get started, enroll in the Azure CSP program. You can then enable Azure AD Domain Services using the Azure portal or Azure PowerShell.