Tutorial: Join a Windows Server virtual machine to an Azure Active Directory Domain Services managed domain

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. With an Azure AD DS managed domain, you can provide domain join features and management to virtual machines (VMs) in Azure. This tutorial shows you how to create a Windows Server VM and then join it to a managed domain.

In this tutorial, you learn how to:

  • Create a Windows Server VM
  • Connect the Windows Server VM to an Azure virtual network
  • Join the VM to the managed domain

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources:

If you already have a VM that you want to domain-join, skip to the section to join the VM to the managed domain.

Sign in to the Azure portal

In this tutorial, you create a Windows Server VM to join to your managed domain using the Azure portal. To get started, first sign in to the Azure portal.

Create a Windows Server virtual machine

To see how to join a computer to a managed domain, let's create a Windows Server VM. This VM is connected to an Azure virtual network that provides connectivity to the managed domain. The process to join a managed domain is the same as joining a regular on-premises Active Directory Domain Services domain.

If you already have a VM that you want to domain-join, skip to the section to join the VM to the managed domain.

  1. From the Azure portal menu or from the Home page, select Create a resource.

  2. From Get started, choose Windows Server 2016 Datacenter.

    [Screenshot: Choose to create a Windows Server 2016 Datacenter VM in the Azure portal]

  3. In the Basics window, configure the core settings for the virtual machine. Leave the defaults for Availability options, Image, and Size.

    Parameter               Suggested value
    Resource group          Select or create a resource group, such as myResourceGroup
    Virtual machine name    Enter a name for the VM, such as myVM
    Region                  Choose the region to create your VM in, such as China North 2
    Username                Enter a username for the local administrator account to create on the VM, such as azureuser
    Password                Enter, and then confirm, a secure password for the local administrator to create on the VM. Don't specify a domain user account's credentials.
  4. By default, VMs created in Azure are accessible from the Internet using RDP. When RDP is enabled, automated sign-in attacks are likely to occur, which may lock out accounts with common names such as admin or administrator after multiple failed successive sign-in attempts.

    RDP should only be enabled when required, and limited to a set of authorized IP ranges. This configuration helps improve the security of the VM and reduces the potential attack surface. Or, create and use an Azure Bastion host that allows access only through the Azure portal over TLS. In the next step of this tutorial, you use an Azure Bastion host to securely connect to the VM.

    Under Public inbound ports, select None.

  5. When done, select Next: Disks.

  6. From the drop-down menu for OS disk type, choose Standard SSD, then select Next: Networking.

  7. Your VM must connect to an Azure virtual network subnet that can communicate with the subnet your managed domain is deployed into. We recommend that a managed domain is deployed into its own dedicated subnet. Don't deploy your VM in the same subnet as your managed domain.

    There are two main ways to deploy your VM and connect to an appropriate virtual network subnet:

    • Create a new subnet, or select an existing one, in the same virtual network where your managed domain is deployed.
    • Select a subnet in an Azure virtual network that is connected to that network using Azure virtual network peering.

    If you select a virtual network subnet that isn't connected to the subnet for your managed domain, you can't join the VM to the managed domain. For this tutorial, let's create a new subnet in the Azure virtual network.

    In the Networking pane, select the virtual network in which your managed domain is deployed, such as aaads-vnet.

  8. In this example, the existing aaads-subnet is shown, which the managed domain is connected to. Don't connect your VM to this subnet. To create a subnet for the VM, select Manage subnet configuration.

    [Screenshot: Select Manage subnet configuration in the Azure portal]

  9. In the left-hand menu of the virtual network window, select Address space. The virtual network is created with a single address space of 10.0.2.0/24, which is used by the default subnet. Other subnets, such as for workloads or Azure Bastion, may also already exist.

    Add an additional IP address range to the virtual network. The size of this address range and the actual IP address range to use depend on other network resources already deployed. The IP address range shouldn't overlap with any existing address ranges in your Azure or on-premises environment. Make sure that you size the IP address range large enough for the number of VMs you expect to deploy into the subnet.

    In the following example, an additional IP address range of 10.0.5.0/24 is added. When ready, select Save.

    [Screenshot: Add an additional virtual network IP address range in the Azure portal]

  10. Next, in the left-hand menu of the virtual network window, select Subnets, then choose + Subnet to add a subnet.

  11. Select + Subnet, then enter a name for the subnet, such as management. Provide an Address range (CIDR block), such as 10.0.5.0/24. Make sure that this IP address range doesn't overlap with any other existing Azure or on-premises address ranges. Leave the other options as their default values, then select OK.

    [Screenshot: Create a subnet configuration in the Azure portal]

  12. It takes a few seconds to create the subnet. Once it's created, select the X to close the subnet window.

  13. Back in the Networking pane to create a VM, choose the subnet you created from the drop-down menu, such as management. Again, make sure you choose the correct subnet and don't deploy your VM in the same subnet as your managed domain.

  14. For Public IP, select None from the drop-down menu. As you use Azure Bastion in this tutorial to connect to the management VM, you don't need a public IP address assigned to the VM.

  15. Leave the other options as their default values, then select Management.

  16. Set Boot diagnostics to Off. Leave the other options as their default values, then select Review + create.

  17. Review the VM settings, then select Create.

It takes a few minutes to create the VM. The Azure portal shows the status of the deployment. Once the VM is ready, select Go to resource.

[Screenshot: Go to the VM resource in the Azure portal once it's successfully created]

Connect to the Windows Server VM

To securely connect to your VMs, use an Azure Bastion host. With Azure Bastion, a managed host is deployed into your virtual network and provides web-based RDP or SSH connections to VMs. No public IP addresses are required for the VMs, and you don't need to open network security group rules for external remote traffic. You connect to VMs using the Azure portal from your web browser. If needed, create an Azure Bastion host.

To use a Bastion host to connect to your VM, complete the following steps:

  1. In the Overview pane for your VM, select Connect, then Bastion.

    [Screenshot: Connect to a Windows virtual machine using Bastion in the Azure portal]

  2. Enter the credentials for your VM that you specified in the previous section, then select Connect.

    [Screenshot: Connect through the Bastion host in the Azure portal]

If needed, allow your web browser to open pop-ups for the Bastion connection to be displayed. It takes a few seconds to make the connection to your VM.

Join the VM to the managed domain

With the VM created and a web-based RDP connection established using Azure Bastion, now let's join the Windows Server virtual machine to the managed domain. This process is the same as a computer connecting to a regular on-premises Active Directory Domain Services domain.

  1. If Server Manager doesn't open by default when you sign in to the VM, select the Start menu, then choose Server Manager.

  2. In the left pane of the Server Manager window, select Local Server. Under Properties on the right pane, choose Workgroup.

    [Screenshot: Open Server Manager on the VM and edit the workgroup property]

  3. In the System Properties window, select Change to join the managed domain.

    [Screenshot: Choose to change the workgroup or domain properties]

  4. In the Domain box, specify the name of your managed domain, such as aaddscontoso.com, then select OK.

    [Screenshot: Specify the managed domain to join]

  5. Enter domain credentials to join the domain. Provide credentials for a user that's a part of the managed domain. The account must be part of the managed domain or Azure AD tenant; accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process.

    Account credentials can be specified in one of the following ways:

    • UPN format (recommended) - Enter the user principal name (UPN) of the user account, as configured in Azure AD. For example, the UPN of the user contosoadmin would be contosoadmin@aaddscontoso.partner.onmschina.cn. There are a couple of common use-cases where the UPN format can be used reliably to sign in to the domain, rather than the SAMAccountName format:
      • If a user's UPN prefix is long, such as deehasareallylongname, the SAMAccountName may be autogenerated.
      • If multiple users have the same UPN prefix in your Azure AD tenant, such as dee, their SAMAccountName format might be autogenerated.
    • SAMAccountName format - Enter the account name in the SAMAccountName format. For example, the SAMAccountName of user contosoadmin would be AADDSCONTOSO\contosoadmin.
  6. It takes a few seconds to join the managed domain. When complete, the following message welcomes you to the domain:

    [Screenshot: Welcome to the domain]

    Select OK to continue.

  7. To complete the process of joining the managed domain, restart the VM.

Tip

You can domain-join a VM using PowerShell with the Add-Computer cmdlet. The following example joins the AADDSCONTOSO domain and then restarts the VM. When prompted, enter the credentials for a user that's a part of the managed domain:

Add-Computer -DomainName AADDSCONTOSO -Restart

To domain-join a VM without connecting to it and manually configuring the connection, you can use the Set-AzVmAdDomainExtension Azure PowerShell cmdlet.
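The following is an added example, not part of the original tutorial, of the extension-based join just mentioned, run from an administrator's workstation rather than on the VM itself. It assumes the tutorial's values (resource group myResourceGroup, VM myVM, managed domain aaddscontoso.com, domain user contosoadmin) and the Az.Compute module.

```powershell
# Added example (not from the original tutorial): join a VM to the managed domain from outside it
# with the Azure AD Domain Services VM extension, so no Bastion/RDP session to the VM is needed.
# Assumed values: resource group myResourceGroup, VM myVM, managed domain aaddscontoso.com,
# and a domain user contosoadmin supplied in UPN format. Requires the Az.Compute module.

# The tutorial's regions and UPN suffix (partner.onmschina.cn) belong to the Azure China cloud.
Connect-AzAccount -Environment AzureChinaCloud

$resourceGroup = 'myResourceGroup'
$vmName        = 'myVM'
$domainName    = 'aaddscontoso.com'

# Prompt for the password interactively so it never lands in a script file or shell history.
# UPN format is used, for the reasons given in the tutorial (autogenerated SAMAccountNames).
$credential = Get-Credential -UserName 'contosoadmin@aaddscontoso.partner.onmschina.cn' `
    -Message "Credentials of a user that is part of $domainName"

# JoinOption 0x3 = NETSETUP_JOIN_DOMAIN (0x1) | NETSETUP_ACCT_CREATE (0x2):
# join the domain and create the computer object. -Restart completes the join, as in the manual steps.
Set-AzVMADDomainExtension -ResourceGroupName $resourceGroup -VMName $vmName `
    -Name 'JoinAD' -DomainName $domainName -Credential $credential `
    -JoinOption 0x00000003 -Restart -Verbose

# Check that the extension reports success before trying domain credentials on the VM.
$extension = Get-AzVMADDomainExtension -ResourceGroupName $resourceGroup -VMName $vmName -Name 'JoinAD'
$extension.ProvisioningState   # expected to read Succeeded once the join and restart have completed
```

The VM still needs DNS and subnet connectivity to the managed domain exactly as described above; the extension only removes the need to sign in to the VM.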

Once the Windows Server VM has restarted, any policies applied in the managed domain are pushed to the VM. You can also now sign in to the Windows Server VM using appropriate domain credentials.

Clean up resources

In the next tutorial, you use this Windows Server VM to install the management tools that let you administer the managed domain. If you don't want to continue in this tutorial series, review the following clean up steps to delete the VM. Otherwise, continue to the next tutorial.

Unjoin the VM from the managed domain

To remove the VM from the managed domain, follow the same steps you used to join the VM to a domain. Instead of joining the managed domain, choose to join a workgroup, such as the default WORKGROUP. After the VM has rebooted, the computer object is removed from the managed domain.

If you delete the VM without unjoining from the domain, an orphaned computer object is left in Azure AD DS.

Delete the VM

If you're not going to use this Windows Server VM, delete the VM using the following steps:

  1. From the left-hand menu, select Resource groups.
  2. Choose your resource group, such as myResourceGroup.
  3. Choose your VM, such as myVM, then select Delete. Select Yes to confirm the resource deletion. It takes a few minutes to delete the VM.
  4. When the VM is deleted, select the OS disk, network interface card, and any other resources with the myVM- prefix and delete them.

Troubleshoot domain-join issues

The Windows Server VM should join the managed domain successfully, the same way a regular on-premises computer joins an Active Directory Domain Services domain. If the Windows Server VM can't join the managed domain, there's a connectivity or credentials-related issue. Review the following troubleshooting sections to successfully join the managed domain.

Connectivity issues

If you don't receive a prompt that asks for credentials to join the domain, there's a connectivity problem. The VM can't reach the managed domain on the virtual network.

After trying each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again.

  • Verify the VM is connected to the same virtual network that Azure AD DS is enabled in, or has a peered network connection.
  • Try to ping the DNS domain name of the managed domain, such as ping aaddscontoso.com.
    • If the ping request fails, try to ping the IP addresses for the managed domain, such as ping 10.0.0.4. The IP address for your environment is displayed on the Properties page when you select the managed domain from your list of Azure resources.
    • If you can ping the IP address but not the domain, DNS may be incorrectly configured. Confirm that the IP addresses of the managed domain are configured as DNS servers for the virtual network.
  • Try to flush the DNS resolver cache on the virtual machine using the ipconfig /flushdns command.
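The connectivity checks above, collected into one script to run on the Windows Server VM before retrying the join. This is an added example, not part of the original tutorial; it goes slightly beyond the steps by testing the TCP ports a domain join uses instead of only ping (ICMP may be filtered), and by resolving the domain's SRV records. The domain name aaddscontoso.com and the managed domain IP addresses 10.0.0.4 and 10.0.0.5 are assumed values; read yours from the managed domain's Properties page.

```powershell
# Added example (not from the original tutorial): connectivity diagnostics for a failed domain join,
# run from an elevated PowerShell session on the VM. Assumed values below; replace them with your own.
$DomainName         = 'aaddscontoso.com'
$ManagedDomainIPs   = @('10.0.0.4', '10.0.0.5')   # shown on the managed domain's Properties page

# 1. Which DNS servers does this VM actually use? They must be the managed domain's IP addresses,
#    otherwise the domain name cannot resolve even though the IPs are reachable.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
Write-Host "DNS servers configured on this VM: $($dnsServers -join ', ')"
foreach ($ip in $ManagedDomainIPs) {
    if ($dnsServers -notcontains $ip) {
        Write-Warning "Managed domain IP $ip is not a DNS server for this VM. Set it on the virtual network's DNS settings."
    }
}

# 2. Flush the resolver cache (the PowerShell equivalent of ipconfig /flushdns), then check that the
#    domain name and the LDAP/Kerberos SRV records that the join relies on resolve.
Clear-DnsClientCache
$queries = @(
    @{ Name = $DomainName;                            Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainName";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$DomainName"; Type = 'SRV' }
)
foreach ($q in $queries) {
    try {
        $records = Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction Stop |
            Where-Object { $_.Type -eq $q.Type }
        $targets = $records | ForEach-Object { if ($q.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress } }
        Write-Host "Resolved $($q.Name) ($($q.Type)) -> $($targets -join ', ')"
    } catch {
        Write-Warning "Could not resolve $($q.Name). If the IPs below are reachable, DNS is misconfigured."
    }
}

# 3. Reachability of the ports a domain join needs: Kerberos (88), LDAP (389), SMB (445).
#    A TCP test is more reliable than ping because ICMP may be blocked by a network security group.
foreach ($ip in $ManagedDomainIPs) {
    foreach ($port in 88, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0}:{1} reachable: {2}" -f $ip, $port, $ok)
        if (-not $ok) {
            Write-Warning "Port $port on $ip is unreachable. Check the VM's subnet, peering, and network security group rules."
        }
    }
}
```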

If you receive a prompt that asks for credentials to join the domain, but then an error after you enter those credentials, the VM is able to connect to the managed domain. The credentials you provided don't then let the VM join the managed domain.

After trying each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again.

  • Make sure that the user account you specify belongs to the managed domain.
  • Confirm that the account is part of the managed domain or Azure AD tenant. Accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process.
  • Try using the UPN format to specify credentials, such as contosoadmin@aaddscontoso.partner.onmschina.cn. If many users in your tenant have the same UPN prefix, or if your UPN prefix is overly long, the SAMAccountName for your account may be autogenerated. In these cases, the SAMAccountName format for your account may be different from what you expect or use in your on-premises domain.
  • Check that you have enabled password synchronization to your managed domain. Without this configuration step, the required password hashes won't be present in the managed domain to correctly authenticate your sign-in attempt.
  • Wait for password synchronization to be completed. When a user account's password is changed, an automatic background synchronization from Azure AD updates the password in Azure AD DS. It takes some time for the password to be available for domain-join use.

Next steps

In this tutorial, you learned how to:

  • Create a Windows Server VM
  • Connect the Windows Server VM to an Azure virtual network
  • Join the VM to the managed domain

To administer your managed domain, configure a management VM using the Active Directory Administrative Center (ADAC).