Configure Azure Active Directory Domain Services to support user profile synchronization for SharePoint Server

SharePoint Server includes a service to synchronize user profiles. This feature allows user profiles to be stored in a central location and accessed across multiple SharePoint sites and farms. To configure the SharePoint Server user profile service, the appropriate permissions must be granted in an Azure Active Directory Domain Services (Azure AD DS) managed domain. For more information, see user profile synchronization in SharePoint Server.

This article shows you how to configure Azure AD DS to allow the SharePoint Server user profile sync service.

Before you begin

To complete this article, you need the following resources and privileges:

Service accounts overview

In a managed domain, a security group named AAD DC Service Accounts exists as part of the Users organizational unit (OU). Members of this security group are delegated the following privileges:

  • Replicate Directory Changes privilege on the root DSE.
  • Replicate Directory Changes privilege on the Configuration naming context (cn=configuration container).

The AAD DC Service Accounts security group is also a member of the built-in group Pre-Windows 2000 Compatible Access.

When added to this security group, the service account for the SharePoint Server user profile synchronization service is granted the privileges it needs to work correctly.

Enable support for SharePoint Server user profile sync

The service account for SharePoint Server needs adequate privileges to replicate changes from the directory so that SharePoint Server user profile sync works correctly. To provide these privileges, add the service account used for SharePoint user profile synchronization to the AAD DC Service Accounts group.

From your Azure AD DS management VM, complete the following steps:

Note

To edit group membership in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. From the Start screen, select Administrative Tools. A list of the management tools installed in the tutorial to create a management VM is shown.

  2. To manage group membership, select Active Directory Administrative Center from the list of administrative tools.

  3. In the left pane, choose your managed domain, such as aaddscontoso.com. A list of existing OUs and resources is shown.

  4. Select the Users OU, then choose the AAD DC Service Accounts security group.

  5. Select Members, then choose Add....

  6. Enter the name of the SharePoint service account, then select OK. In the following example, the SharePoint service account is named spadmin:

    [Screenshot: Add the SharePoint service account to the AAD DC Service Accounts security group]
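The same change can be made and verified from PowerShell on the management VM. The following script is an added example and is not part of the original article or of Microsoft's documentation; it assumes the ActiveDirectory RSAT module is installed on the management VM, that you are signed in as a member of AAD DC Administrators, and it reuses the aaddscontoso.com domain and the spadmin service account from the steps above. After adding the account it lists the group's members and the principals that hold the Replicate Directory Changes extended right on the domain root and Configuration naming contexts, which is the privilege the group delegates and therefore the membership a defender should review periodically.

```powershell
# Added example (not from the original article): add the SharePoint sync service
# account to the AAD DC Service Accounts group with PowerShell instead of the
# Active Directory Administrative Center, then verify the resulting membership
# and the delegated Replicate Directory Changes rights.
# Assumptions: ActiveDirectory RSAT module installed, signed in as a member of
# AAD DC Administrators, domain aaddscontoso.com and service account spadmin.
Import-Module ActiveDirectory

$serviceAccount = 'spadmin'                   # from the article's example
$groupName      = 'AAD DC Service Accounts'   # built-in group in the managed domain

# 1. Add the service account to the group (skip if it is already a member).
$group    = Get-ADGroup -Identity $groupName
$isMember = Get-ADGroupMember -Identity $group |
            Where-Object { $_.SamAccountName -eq $serviceAccount }
if (-not $isMember) {
    Add-ADGroupMember -Identity $group -Members $serviceAccount
}

# 2. Confirm membership. Every account listed here can replicate directory
#    changes, so any unexpected entry deserves investigation.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass

# 3. Show which principals hold the Replicate Directory Changes extended right
#    (DS-Replication-Get-Changes, GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
#    on the domain root and on the Configuration naming context, the two
#    places the article says the group is delegated that privilege.
$rootDse     = Get-ADRootDSE
$replChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
foreach ($nc in @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)) {
    $acl = Get-Acl -Path ("AD:\" + $nc)
    $acl.Access |
        Where-Object { $_.ObjectType -eq $replChanges -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'NamingContext'; e = { $nc } }, IdentityReference
}
```

The membership check before Add-ADGroupMember keeps the script safe to rerun, and the ACL listing in step 3 is the quickest way to confirm that the privilege really comes from the group rather than from a direct grant to the account.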

Next steps

For more information, see Manage user profile synchronization in SharePoint Server.