Migrate Azure Active Directory Domain Services from the Classic virtual network model to Resource Manager

Azure Active Directory Domain Services (Azure AD DS) supports a one-time move for customers currently using the Classic virtual network model to the Resource Manager virtual network model. Azure AD DS managed domains that use the Resource Manager deployment model provide additional features such as fine-grained password policy, audit logs, and account lockout protection.

This article outlines considerations for migration, then the required steps to successfully migrate an existing managed domain. For some of the benefits, see Benefits of migration from the Classic to Resource Manager deployment model in Azure AD DS.

Note

In 2017, Azure AD Domain Services became available to host in an Azure Resource Manager network. Since then, we have been able to build a more secure service using the Azure Resource Manager's modern capabilities. Because Azure Resource Manager deployments fully replace classic deployments, Azure AD DS classic virtual network deployments will be retired on March 1, 2023.

For more information, see the official deprecation notice.

Overview of the migration process

The migration process takes an existing managed domain that runs in a Classic virtual network and moves it to an existing Resource Manager virtual network. The migration is performed using PowerShell, and has two main stages of execution: preparation and migration.

[Figure: Overview of the migration process for Azure AD DS]

In the preparation stage, Azure AD DS takes a backup of the domain to get the latest snapshot of users, groups, and passwords synchronized to the managed domain. Synchronization is then disabled, and the cloud service that hosts the managed domain is deleted. During the preparation stage, the managed domain is unable to authenticate users.

[Figure: Preparation stage of the Azure AD DS migration]

In the migration stage, the underlying virtual disks for the domain controllers from the Classic managed domain are copied to create the VMs using the Resource Manager deployment model. The managed domain is then recreated, which includes the LDAPS and DNS configuration. Synchronization to Azure AD is restarted, and LDAP certificates are restored. There's no need to rejoin any machines to the managed domain; they continue to be joined to the managed domain and run without changes.

[Figure: Migrate Azure AD DS]

Example scenarios for migration

Some common scenarios for migrating a managed domain include the following examples.

Note

Don't convert the Classic virtual network until you have confirmed a successful migration. Converting the virtual network removes the option to roll back or restore the managed domain if there are any problems during the migration and verification stages.

A common scenario is where you've already moved other existing Classic resources to a Resource Manager deployment model and virtual network. Peering is then used from the Resource Manager virtual network to the Classic virtual network that continues to run Azure AD DS. This approach lets the Resource Manager applications and services use the authentication and management functionality of the managed domain in the Classic virtual network. Once migrated, all resources run using the Resource Manager deployment model and virtual network.

[Figure: Migrate Azure AD DS to an existing Resource Manager virtual network]

High-level steps involved in this example migration scenario include the following parts:

  1. Remove existing VPN gateways or virtual network peering configured on the Classic virtual network.
  2. Migrate the managed domain using the steps outlined in this article.
  3. Test and confirm a successful migration, then delete the Classic virtual network.

Migrate multiple resources including Azure AD DS

In this example scenario, you migrate Azure AD DS and other associated resources from the Classic deployment model to the Resource Manager deployment model. If some resources continued to run in the Classic virtual network alongside the managed domain, they can all benefit from migrating to the Resource Manager deployment model.

[Figure: Migrate multiple resources to the Resource Manager deployment model]

High-level steps involved in this example migration scenario include the following parts:

  1. Remove existing VPN gateways or virtual network peering configured on the Classic virtual network.
  2. Migrate the managed domain using the steps outlined in this article.
  3. Set up virtual network peering between the Classic virtual network and the Resource Manager network.
  4. Test and confirm a successful migration.
  5. Move additional Classic resources like VMs.

Migrate Azure AD DS but keep other resources on the Classic virtual network

With this example scenario, you have the minimum amount of downtime in one session. You only migrate Azure AD DS to a Resource Manager virtual network, and keep existing resources on the Classic deployment model and virtual network. In a following maintenance period, you can migrate the additional resources from the Classic deployment model and virtual network as desired.

[Figure: Migrate only Azure AD DS to the Resource Manager deployment model]

High-level steps involved in this example migration scenario include the following parts:

  1. Remove existing VPN gateways or virtual network peering configured on the Classic virtual network.
  2. Migrate the managed domain using the steps outlined in this article.
  3. Set up virtual network peering between the Classic virtual network and the new Resource Manager virtual network.
  4. Later, migrate the additional resources from the Classic virtual network as needed.

Before you begin

As you prepare and then migrate a managed domain, there are some considerations around the availability of authentication and management services. The managed domain is unavailable for a period of time during migration. Applications and services that rely on Azure AD DS experience downtime during migration.

Important

Read all of this migration article and guidance before you start the migration process. The migration process affects the availability of the Azure AD DS domain controllers for periods of time. Users, services, and applications can't authenticate against the managed domain during the migration process.

IP addresses

The domain controller IP addresses for a managed domain change after migration. This change includes the public IP address for the secure LDAP endpoint. The new IP addresses are inside the address range for the new subnet in the Resource Manager virtual network.

If you need to roll back, the IP addresses may change after rolling back.

Azure AD DS typically uses the first two available IP addresses in the address range, but this isn't guaranteed. You can't currently specify the IP addresses to use after migration.

Downtime

The migration process involves the domain controllers being offline for a period of time. Domain controllers are inaccessible while Azure AD DS is migrated to the Resource Manager deployment model and virtual network.

On average, the downtime is around 1 to 3 hours. This time period is from when the domain controllers are taken offline to the moment the first domain controller comes back online. This average doesn't include the time it takes for the second domain controller to replicate, or the time it may take to migrate additional resources to the Resource Manager deployment model.

Account lockout

Managed domains that run on Classic virtual networks don't have AD account lockout policies in place. If VMs are exposed to the internet, attackers could use password-spray methods to brute-force their way into accounts. There's no account lockout policy to stop those attempts. For managed domains that use the Resource Manager deployment model and virtual networks, AD account lockout policies protect against these password-spray attacks.

By default, 5 bad password attempts in 2 minutes lock out an account for 30 minutes.

A locked out account can't be used to sign in, which may interfere with the ability to manage the managed domain or applications managed by the account. After a managed domain is migrated, accounts can experience what feels like a permanent lockout due to repeated failed attempts to sign in. Two common scenarios after migration include the following:

  • A service account that's using an expired password.
    • The service account repeatedly tries to sign in with an expired password, which locks out the account. To fix this, locate the application or VM with expired credentials and update the password.
  • A malicious entity is using brute-force attempts to sign in to accounts.
    • When VMs are exposed to the internet, attackers often try common username and password combinations as they attempt to sign in. These repeated failed sign-in attempts can lock out the accounts. It's not recommended to use administrator accounts with generic names such as admin or administrator, so that the chance of administrative accounts being locked out is minimized.
    • Minimize the number of VMs that are exposed to the internet. You can use Azure Bastion to securely connect to VMs using the Azure portal.

If you suspect that some accounts may be locked out after migration, the final migration steps outline how to enable auditing or change the fine-grained password policy settings.

Roll back and restore

If the migration isn't successful, there's a process to roll back or restore a managed domain. Rollback is a self-service option to immediately return the state of the managed domain to before the migration attempt. Azure support engineers can also restore a managed domain from backup as a last resort. For more information, see how to roll back or restore from a failed migration.

Restrictions on available virtual networks

There are some restrictions on the virtual networks that a managed domain can be migrated to. The destination Resource Manager virtual network must meet the following requirements:

  • The Resource Manager virtual network must be in the same Azure subscription as the Classic virtual network that Azure AD DS is currently deployed in.
  • The Resource Manager virtual network must be in the same region as the Classic virtual network that Azure AD DS is currently deployed in.
  • The Resource Manager virtual network's subnet should have at least 3-5 available IP addresses.
  • The Resource Manager virtual network's subnet should be a dedicated subnet for Azure AD DS, and shouldn't host any other workloads.

For more information on virtual network requirements, see Virtual network design considerations and configuration options.

Migration steps

The migration to the Resource Manager deployment model and virtual network is split into 5 main steps:

| Step | Performed through | Estimated time | Downtime | Roll back/Restore? |
| --- | --- | --- | --- | --- |
| Step 1 - Update and locate the new virtual network | Azure portal | 15 minutes | No downtime required | N/A |
| Step 2 - Prepare the managed domain for migration | PowerShell | 15 - 30 minutes on average | Downtime of Azure AD DS starts after this command is completed. | Roll back and restore available. |
| Step 3 - Move the managed domain to an existing virtual network | PowerShell | 1 - 3 hours on average | One domain controller is available once this command is completed; downtime ends. | On failure, both rollback (self-service) and restore are available. |
| Step 4 - Test and wait for the replica domain controller | PowerShell and Azure portal | 1 hour or more, depending on the number of tests | Both domain controllers are available and should function normally. | N/A. Once the first VM is successfully migrated, there's no option for rollback or restore. |
| Step 5 - Optional configuration steps | Azure portal and VMs | N/A | No downtime required | N/A |

Important

To avoid additional downtime, read all of this migration article and guidance before you start the migration process. The migration process affects the availability of the Azure AD DS domain controllers for a period of time. Users, services, and applications can't authenticate against the managed domain during the migration process.

Update and verify virtual network settings

Before you begin the migration process, complete the following initial checks and updates. These steps can happen at any time before the migration and don't affect the operation of the managed domain.

  1. Update your local Azure PowerShell environment to the latest version. To complete the migration steps, you need at least version 2.3.2.

    For information on how to check and update your PowerShell version, see Azure PowerShell overview.

  2. Create, or choose an existing, Resource Manager virtual network.

    Make sure that network settings don't block the ports required for Azure AD DS. Ports must be open on both the Classic virtual network and the Resource Manager virtual network. These settings include route tables (although it's not recommended to use route tables) and network security groups.

    To view the ports required, see Network security groups and required ports. To minimize network communication problems, it's recommended to wait and apply a network security group or route table to the Resource Manager virtual network only after the migration has successfully completed.

    Make a note of this target resource group, target virtual network, and target virtual network subnet. These resource names are used during the migration process.

  3. Check the managed domain health in the Azure portal. If you have any alerts for the managed domain, resolve them before you start the migration process.

  4. Optionally, if you plan to move other resources to the Resource Manager deployment model and virtual network, confirm that those resources can be migrated. For more information, see Platform-supported migration of IaaS resources from Classic to Resource Manager.

    Note

    Don't convert the Classic virtual network to a Resource Manager virtual network. If you do, there's no option to roll back or restore the managed domain.
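The checks in the list above and the virtual network restrictions in the Before you begin section can be scripted before touching the managed domain. The following is an added example, not part of the Microsoft article or the Migrate-Aadds script; it assumes the Az module is installed, Connect-AzAccount has been run, and the resource group, virtual network, subnet and region values are placeholders you replace with your own.

```powershell
# Added example (not from the article): pre-migration checks for the target
# Resource Manager virtual network. All parameter defaults are placeholders.
param(
    [string] $SubscriptionId = 'yourSubscriptionId',   # placeholder
    [string] $ResourceGroup  = 'myResourceGroup',      # placeholder
    [string] $VirtualNetwork = 'myVnet',               # placeholder
    [string] $Subnet         = 'DomainServices',       # placeholder
    [string] $ClassicRegion  = 'eastus'                # placeholder: region of the Classic VNet
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Azure PowerShell version: the article requires at least Az 2.3.2.
$az = Get-InstalledModule -Name Az -ErrorAction SilentlyContinue
if (-not $az) {
    $problems.Add('Az module is not installed; run Install-Module Az.')
} elseif ([version]$az.Version -lt [version]'2.3.2') {
    $problems.Add("Az module $($az.Version) is older than 2.3.2; run Update-Module Az.")
}

# 2. Same subscription: look the VNet up in the subscription that hosts the Classic VNet.
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VirtualNetwork -ErrorAction Stop

# 3. Same region as the Classic virtual network.
if ($vnet.Location -ne $ClassicRegion) {
    $problems.Add("VNet region '$($vnet.Location)' differs from the Classic VNet region '$ClassicRegion'.")
}

# 4. Dedicated subnet with enough free addresses.
$sub = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $Subnet -ErrorAction Stop
$inUse = @($sub.IpConfigurations).Count
if ($inUse -gt 0) {
    $problems.Add("Subnet '$Subnet' already hosts $inUse NIC(s); Azure AD DS needs a dedicated subnet.")
}
# Usable addresses = 2^(32 - prefix length) minus the 5 addresses Azure reserves per subnet.
$prefix    = @($sub.AddressPrefix)[0]
$prefixLen = [int]($prefix -split '/')[1]
$usable    = [math]::Pow(2, 32 - $prefixLen) - 5 - $inUse
if ($usable -lt 5) {
    $problems.Add("Subnet '$Subnet' ($prefix) has only $usable free addresses; the article asks for 3-5.")
}

# 5. The article recommends attaching an NSG or route table only after the migration completes.
if ($sub.NetworkSecurityGroup) {
    Write-Warning "Subnet '$Subnet' already has an NSG; confirm the Azure AD DS ports are allowed."
}
if ($sub.RouteTable) {
    Write-Warning "Subnet '$Subnet' has a route table attached; route tables are not recommended for Azure AD DS."
}

if ($problems.Count -eq 0) {
    Write-Host "Target network passes the pre-migration checks: $ResourceGroup / $VirtualNetwork / $Subnet"
} else {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```

The script reads only; it makes no changes to the target network or the managed domain.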

Prepare the managed domain for migration

Azure PowerShell is used to prepare the managed domain for migration. These steps include taking a backup, pausing synchronization, and deleting the cloud service that hosts Azure AD DS. When this step completes, Azure AD DS is taken offline for a period of time. If the preparation step fails, you can roll back to the previous state.

To prepare the managed domain for migration, complete the following steps:

  1. Install the Migrate-Aadds script from the PowerShell Gallery. This PowerShell migration script is digitally signed by the Azure AD engineering team.

    Install-Script -Name Migrate-Aadds
    
  2. Create a variable to hold the credentials used by the migration script, using the Get-Credential cmdlet.

    The user account you specify needs global administrator privileges in your Azure AD tenant to enable Azure AD DS, and then Contributor privileges in your Azure subscription to create the required Azure AD DS resources.

    When prompted, enter an appropriate user account and password:

    $creds = Get-Credential
    
  3. Define a variable for your Azure subscription ID. If needed, you can use the Get-AzSubscription cmdlet to list and view your subscription IDs. Provide your own subscription ID in the following command:

    $subscriptionId = 'yourSubscriptionId'
    
  4. Now run the Migrate-Aadds cmdlet using the -Prepare parameter. Provide the -ManagedDomainFqdn for your own managed domain, such as aaddscontoso.com:

    Migrate-Aadds `
        -Prepare `
        -ManagedDomainFqdn aaddscontoso.com `
        -Credentials $creds `
        -SubscriptionId $subscriptionId
    

Migrate the managed domain

With the managed domain prepared and backed up, the domain can be migrated. This step recreates the Azure AD DS domain controller VMs using the Resource Manager deployment model. This step can take 1 to 3 hours to complete.

Run the Migrate-Aadds cmdlet using the -Commit parameter. Provide the -ManagedDomainFqdn for your own managed domain prepared in the previous section, such as aaddscontoso.com.

Specify the target resource group that contains the virtual network you want to migrate Azure AD DS to, such as myResourceGroup. Provide the target virtual network, such as myVnet, and the subnet, such as DomainServices.

After this command runs, you can't then roll back:

Migrate-Aadds `
    -Commit `
    -ManagedDomainFqdn aaddscontoso.com `
    -VirtualNetworkResourceGroupName myResourceGroup `
    -VirtualNetworkName myVnet `
    -VirtualSubnetName DomainServices `
    -Credentials $creds `
    -SubscriptionId $subscriptionId

After the script validates that the managed domain is prepared for migration, enter Y to start the migration process.

Important

Don't convert the Classic virtual network to a Resource Manager virtual network during the migration process. If you convert the virtual network, you can't then roll back or restore the managed domain, because the original virtual network won't exist anymore.

Every two minutes during the migration process, a progress indicator reports the current status, as shown in the following example output:

[Figure: Progress indicator for the Azure AD DS migration]

The migration process continues to run, even if you close the PowerShell script. In the Azure portal, the status of the managed domain reports as Migrating.

When the migration successfully completes, you can view your first domain controller's IP address in the Azure portal or through Azure PowerShell. A time estimate for when the second domain controller will be available is also shown.

At this stage, you can optionally move other existing resources from the Classic deployment model and virtual network. Or, you can keep the resources on the Classic deployment model and peer the virtual networks to each other after the Azure AD DS migration is complete.

Test and verify connectivity after the migration

It can take some time for the second domain controller to successfully deploy and be available for use in the managed domain.

With the Resource Manager deployment model, the network resources for the managed domain are shown in the Azure portal or Azure PowerShell. To learn more about what these network resources are and do, see Network resources used by Azure AD DS.

When at least one domain controller is available, complete the following configuration steps for network connectivity with VMs:

  • Update DNS server settings - To let other resources on the Resource Manager virtual network resolve and use the managed domain, update the DNS settings with the IP addresses of the new domain controllers. The Azure portal can automatically configure these settings for you.

    To learn more about how to configure the Resource Manager virtual network, see Update DNS settings for the Azure virtual network.

  • Restart domain-joined VMs - As the DNS server IP addresses for the Azure AD DS domain controllers change, restart any domain-joined VMs so they then use the new DNS server settings. If applications or VMs have manually configured DNS settings, manually update them with the new DNS server IP addresses of the domain controllers that are shown in the Azure portal.

Now test the virtual network connection and name resolution. On a VM that's connected to the Resource Manager virtual network, or peered to it, try the following network communication tests:

  1. Check if you can ping the IP address of one of the domain controllers, such as ping 10.1.0.4
    • The IP addresses of the domain controllers are shown on the Properties page for the managed domain in the Azure portal.
  2. Verify name resolution of the managed domain, such as nslookup aaddscontoso.com
    • Specify the DNS name for your own managed domain to verify that the DNS settings are correct and the name resolves.

The second domain controller should be available 1-2 hours after the migration cmdlet finishes. To check if the second domain controller is available, look at the Properties page for the managed domain in the Azure portal. If two IP addresses are shown, the second domain controller is ready.
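The ping and nslookup tests above can be combined into one post-migration check that also catches the most common failure, a VM still pointing at the old DNS server addresses. The following is an added example, not part of the Microsoft article; it assumes it runs on a Windows VM on (or peered to) the Resource Manager virtual network with the Az and Az.ADDomainServices modules installed and Connect-AzAccount already run, that Get-AzADDomainService exposes the domain controller addresses as the DomainControllerIPAddress property (an assumption), and that the domain name and resource group are placeholders.

```powershell
# Added example (not from the article): post-migration connectivity verification.
param(
    [string] $ManagedDomainFqdn = 'aaddscontoso.com',   # placeholder, matches the article's example
    [string] $ResourceGroup     = 'myResourceGroup'     # placeholder: resource group of the Azure AD DS resource
)

# 1. Read the domain controller addresses that the portal's Properties page shows.
#    Assumption: the Az.ADDomainServices object exposes them as DomainControllerIPAddress.
$domain = Get-AzADDomainService -Name $ManagedDomainFqdn -ResourceGroupName $ResourceGroup -ErrorAction Stop
$dcIps  = @($domain.DomainControllerIPAddress)
if ($dcIps.Count -lt 2) {
    Write-Warning "Only $($dcIps.Count) domain controller address is published so far; the replica can take 1-2 hours."
}

# 2. Do this VM's NICs actually use the new addresses as DNS servers?
#    After migration the DNS server IPs change, so stale client settings are the usual cause of failures.
$nicDns = @((Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses)
foreach ($ip in $dcIps) {
    if ($nicDns -notcontains $ip) {
        Write-Warning "DC $ip is not a configured DNS server on this VM (current: $($nicDns -join ', ')); restart the VM or update its DNS settings."
    }
}

# 3. Reachability. TCP checks on 53 (DNS) and 389 (LDAP) are a better signal than ICMP,
#    which a network security group may block even when the domain works.
$report = foreach ($ip in $dcIps) {
    $dns  = Test-NetConnection -ComputerName $ip -Port 53  -WarningAction SilentlyContinue
    $ldap = Test-NetConnection -ComputerName $ip -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $ip
        Dns53            = $dns.TcpTestSucceeded
        Ldap389          = $ldap.TcpTestSucceeded
    }
}
$report | Format-Table -AutoSize

# 4. The managed domain name must resolve to the migrated controllers, not the old Classic addresses.
$resolved = @((Resolve-DnsName -Name $ManagedDomainFqdn -Type A -ErrorAction Stop).IPAddress)
$stale    = @($resolved | Where-Object { $dcIps -notcontains $_ })
if ($stale.Count -gt 0) {
    Write-Warning "$ManagedDomainFqdn resolves to $($stale -join ', '), which are not current DC addresses; check the VNet DNS settings."
} else {
    Write-Host "$ManagedDomainFqdn resolves to $($resolved -join ', ') (matches the migrated domain controllers)."
}
```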

Optional post-migration configuration steps

When the migration process is successfully complete, some optional configuration steps include enabling audit logs or e-mail notifications, or updating the fine-grained password policy.

Subscribe to audit logs using Azure Monitor

Azure AD DS exposes audit logs to help troubleshoot and view events on the domain controllers. For more information, see Enable and use audit logs.

You can use templates to monitor important information exposed in the logs. For example, the audit log workbook template can monitor possible account lockouts on the managed domain.

Configure email notifications

To be notified when a problem is detected on the managed domain, update the email notification settings in the Azure portal. For more information, see Configure notification settings.

Update fine-grained password policy

If needed, you can update the fine-grained password policy to be less restrictive than the default configuration. You can use the audit logs to determine if a less restrictive setting makes sense, then configure the policy as needed. Use the following high-level steps to review and update the policy settings for accounts that are repeatedly locked out after migration:

  1. Configure the password policy for fewer restrictions on the managed domain and observe the events in the audit logs.
  2. If any service accounts are using expired passwords, as identified in the audit logs, update those accounts with the correct password.
  3. If a VM is exposed to the internet, review for generic account names like administrator, user, or guest with high sign-in attempts. Where possible, update those VMs to use less generically named accounts.
  4. Use a network trace on the VM to locate the source of the attacks and block those IP addresses from being able to attempt sign-ins.
  5. When there are minimal lockout issues, update the fine-grained password policy to be as restrictive as necessary.
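The lockout review in the Account lockout section and the policy steps just listed can be done with the Active Directory PowerShell module from a domain-joined management VM. The following is an added example, not part of the Microsoft article; it assumes the RSAT ActiveDirectory module is installed, the session runs as a member of the AAD DC Administrators group, and the policy name is a placeholder you replace after listing the policies that exist in your managed domain.

```powershell
# Added example (not from the article): find locked-out accounts and their likely cause,
# then optionally relax the lockout window while the sources are chased (step 1 above).
param(
    [string] $PolicyName  = 'YOUR-FGPP-NAME',   # placeholder; take it from the list printed below
    [switch] $RelaxPolicy,                      # apply the temporary, less restrictive lockout settings
    [switch] $Unlock                            # unlock the accounts found
)
Import-Module ActiveDirectory

# 1. Current fine-grained password policies. The article's default is
#    5 bad attempts in 2 minutes -> 30 minute lockout.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, LockoutObservationWindow, LockoutDuration, AppliesTo |
    Format-List

# 2. Accounts locked out right now, with the attributes that distinguish the two causes
#    the article describes: a stale service credential versus brute-force on generic names.
$locked = Search-ADAccount -LockedOut |
    Get-ADUser -Properties AccountLockoutTime, LastBadPasswordAttempt, PasswordExpired, PasswordLastSet
$locked |
    Select-Object SamAccountName, AccountLockoutTime, LastBadPasswordAttempt, PasswordExpired, PasswordLastSet |
    Sort-Object AccountLockoutTime -Descending |
    Format-Table -AutoSize

$generic = @($locked | Where-Object { $_.SamAccountName -in 'administrator', 'admin', 'user', 'guest' })
if ($generic.Count -gt 0) {
    Write-Warning "Generic account names are being locked out: $($generic.SamAccountName -join ', '). Check internet-exposed VMs and rename these accounts."
}
$expired = @($locked | Where-Object PasswordExpired)
if ($expired.Count -gt 0) {
    Write-Warning "Locked accounts with expired passwords (probable stale service credentials): $($expired.SamAccountName -join ', ')"
}

# 3. Optional: temporarily loosen the policy (article step 1), then tighten it again in step 5.
#    The observation window must not exceed the lockout duration.
if ($RelaxPolicy) {
    Set-ADFineGrainedPasswordPolicy -Identity $PolicyName `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 2) `
        -LockoutDuration (New-TimeSpan -Minutes 5)
    Write-Host "Policy '$PolicyName' relaxed to 10 attempts / 2 min window / 5 min lockout."
}
if ($Unlock -and $locked) {
    $locked | Unlock-ADAccount
    Write-Host "Unlocked $(@($locked).Count) account(s)."
}
```

Run it without switches first; it then only reports, and the policy change and unlock happen only when you pass -RelaxPolicy or -Unlock.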

Creating a network security group

Azure AD DS needs a network security group to secure the ports needed for the managed domain and block all other incoming traffic. This network security group acts as an extra layer of protection to lock down access to the managed domain, and isn't automatically created. To create the network security group and open the required ports, review the following steps:

  1. In the Azure portal, select your Azure AD DS resource. On the overview page, a button is displayed to create a network security group if there's none associated with Azure AD Domain Services.
  2. If you use secure LDAP, add a rule to the network security group to allow incoming traffic for TCP port 636. For more information, see Configure secure LDAP.

Roll back and restore from migration

Up to a certain point in the migration process, you can choose to roll back or restore the managed domain.

Roll back

If there's an error when you run the PowerShell cmdlet to prepare for migration in step 2, or for the migration itself in step 3, the managed domain can roll back to the original configuration. This rollback requires the original Classic virtual network. The IP addresses may still change after rollback.

Run the Migrate-Aadds cmdlet using the -Abort parameter. Provide the -ManagedDomainFqdn for your own managed domain prepared in a previous section, such as aaddscontoso.com, and the Classic virtual network name, such as myClassicVnet:

Migrate-Aadds `
    -Abort `
    -ManagedDomainFqdn aaddscontoso.com `
    -ClassicVirtualNetworkName myClassicVnet `
    -Credentials $creds `
    -SubscriptionId $subscriptionId

Restore

As a last resort, Azure AD Domain Services can be restored from the last available backup. A backup is taken in step 1 of the migration to make sure that the most current backup is available. This backup is stored for 30 days.

To restore the managed domain from backup, open a support case ticket using the Azure portal. Provide your directory ID, domain name, and reason for restore. The support and restore process may take multiple days to complete.

Troubleshooting

If you have problems after migration to the Resource Manager deployment model, review some of the following common troubleshooting areas:

Next steps

With your managed domain migrated to the Resource Manager deployment model, create and domain-join a Windows VM and then install management tools.