什么是 Azure Active Directory 域服务?What is Azure Active Directory Domain Services?

Azure Active Directory 域服务 (AD DS) 提供托管域服务,例如域加入、组策略、轻型目录访问协议 (LDAP) 和 Kerberos/NTLM 身份验证。Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. 无需在云中部署、管理和修补域控制器 (DC) 即可使用这些域服务。You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

Azure AD DS 托管域使你能够在云中或你不希望目录查找始终返回到本地 AD DS 环境的位置,运行无法使用现代身份验证方法的旧版应用程序。An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. 你可以将这些旧版应用程序从本地环境直接迁移到托管域,而无需在云中管理 AD DS 环境。You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

Azure AD DS 与现有的 Azure AD 租户集成。Azure AD DS integrates with your existing Azure AD tenant. 通过此集成,用户可以使用其现有凭据登录到与托管域相连的服务和应用程序。This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. 还可以使用现有组和用户帐户来保护对资源的访问。You can also use existing groups and user accounts to secure access to resources. 这些功能可更顺畅地将本地资源直接迁移到 Azure。These features provide a smoother lift-and-shift of on-premises resources to Azure.

Azure AD DS 如何工作?How does Azure AD DS work?

创建 Azure AD DS 托管域时,需定义唯一的命名空间。When you create an Azure AD DS managed domain, you define a unique namespace. 该命名空间为域名,例如“aaddscontoso.com”。This namespace is the domain name, such as aaddscontoso.com. 两个 Windows Server 域控制器 (DC) 随即部署到选定的 Azure 区域中。Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. DC 的这种部署称为副本集。This deployment of DCs is known as a replica set.

你不需要管理、配置或更新这些 DC。You don't need to manage, configure, or update these DCs. Azure 平台将这些 DC 作为托管域的一部分进行处理,包括使用 Azure 磁盘加密的静态备份和静态加密。The Azure platform handles the DCs as part of the managed domain, including backups and encryption at rest using Azure Disk Encryption.

托管域配置为从 Azure AD 执行单向同步,以提供对一组集中用户、组和凭据的访问。A managed domain is configured to perform a one-way synchronization from Azure AD to provide access to a central set of users, groups, and credentials. 你可以直接在托管域中创建资源,但它们不会同步回 Azure AD。You can create resources directly in the managed domain, but they aren't synchronized back to Azure AD. 然后,Azure 中连接到该托管域的应用程序、服务和 VM 便可使用常见 AD DS 功能,如域加入、组策略、LDAP 和 Kerberos/NTLM 身份验证。Applications, services, and VMs in Azure that connect to the managed domain can then use common AD DS features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication.

在具有本地 AD DS 环境的混合环境中,Azure AD Connect 会将标识信息与 Azure AD 同步,后者随后将同步到托管域。In a hybrid environment with an on-premises AD DS environment, Azure AD Connect synchronizes identity information with Azure AD, which is then synchronized to the managed domain.

使用 AD Connect 将 Azure AD 域服务与 Azure AD 和本地 AD DS 同步

Azure AD DS 从 Azure AD 中复制标识信息,因此,它适用于仅限云的 Azure AD 租户,或与本地 AD DS 环境同步的租户。Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment. 对于这两种环境,都存在相同的一组 Azure AD DS 功能。The same set of Azure AD DS features exists for both environments.

  • 如果有现有的本地 AD DS 环境,则可以同步用户帐户信息,为用户提供一致的标识。If you have an existing on-premises AD DS environment, you can synchronize user account information to provide a consistent identity for users. 若要了解详细信息,请参阅如何在托管域中同步对象和凭据To learn more, see How objects and credentials are synchronized in a managed domain.
  • 对于仅限云的环境,则不需要传统的本地 AD DS 环境来使用 Azure AD DS 的集中标识服务。For cloud-only environments, you don't need a traditional on-premises AD DS environment to use the centralized identity services of Azure AD DS.

可以扩展托管域,使每个 Azure AD 租户具有多个副本集。You can expand a managed domain to have more than one replica set per Azure AD tenant. 可以将副本集添加到任何支持 Azure AD DS 的 Azure 区域中的任何对等互连虚拟网络。Replica sets can be added to any peered virtual network in any Azure region that supports Azure AD DS. 如果某个 Azure 区域处于离线状态,则不同 Azure 区域中的其他副本集可为旧版应用程序提供地理灾难恢复。Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. 副本集目前处于预览状态。Replica sets are currently in preview. 有关详细信息,请参阅托管域的副本集概念和功能For more information, see Replica sets concepts and features for managed domains.

若要查看运行中的 Azure AD DS 部署方案,你可以探索以下示例:To see Azure AD DS deployment scenarios in action, you can explore the following examples:

Azure AD DS 功能和优点Azure AD DS features and benefits

为了向云中的应用程序和 VM 提供标识服务,Azure AD DS 与域加入、安全 LDAP (LDAPS)、组策略、DNS 管理以及 LDAP 绑定和读取支持等操作的传统 AD DS 环境完全兼容。To provide identity services to applications and VMs in the cloud, Azure AD DS is fully compatible with a traditional AD DS environment for operations such as domain-join, secure LDAP (LDAPS), Group Policy, DNS management, and LDAP bind and read support. LDAP 写入支持适用于在托管域中创建的对象,但不适用于从 Azure AD 同步的资源。LDAP write support is available for objects created in the managed domain, but not resources synchronized from Azure AD.

若要了解有关标识选项的详细信息,请将 Azure AD DS 与 Azure AD、Azure VM 上的 AD DS 和本地 AD DS 进行比较To learn more about your identity options, compare Azure AD DS with Azure AD, AD DS on Azure VMs, and AD DS on-premises.

Azure AD DS 的以下功能简化了部署和管理操作:The following features of Azure AD DS simplify deployment and management operations:

  • 简化的部署体验: 在 Azure 门户中使用单个向导为 Azure AD 租户启用 Azure AD DS。Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.
  • 与 Azure AD 集成: 可从 Azure AD 租户自动获得用户帐户、组成员身份和凭据。Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. 新用户、组或者对 Azure AD 租户或本地 AD DS 环境中的属性所做的更改会自动同步到 Azure AD DS。New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS.
    • 链接到 Azure AD 的外部目录中的帐户不可用于 Azure AD DS。Accounts in external directories linked to your Azure AD aren't available in Azure AD DS. 凭据不可用于这些外部目录,因此无法同步到托管域。Credentials aren't available for those external directories, so can't be synchronized into a managed domain.
  • 使用企业凭据/密码: Azure AD DS 中的用户密码与 Azure AD 租户中的用户密码相同。Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. 用户可以使用其企业凭据将计算机加入域,以交互方式或通过远程桌面登录,以及针对托管域进行身份验证。Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain.
  • NTLM 和 Kerberos 身份验证: 借助对 NTLM 和 Kerberos 身份验证的支持,可以部署依赖于 Windows 集成身份验证的应用程序。NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.
  • 高可用性: Azure AD DS 包括多个域控制器,这些域控制器为托管域提供高可用性。High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. 这种高可用性保证了服务运行时间和故障恢复能力。This high availability guarantees service uptime and resilience to failures.
    • 在支持 Azure 可用性区域的区域中,这些域控制器也跨区域分布,以提升复原能力。In regions that support Azure Availability Zones, these domain controllers are also distributed across zones for additional resiliency.
    • 如果某个 Azure 区域处于离线状态,则副本集也可为旧版应用程序提供地理灾难恢复。Replica sets can also be used to provide geographical disaster recovery for legacy applications if an Azure region goes offline.

托管域的一些关键方面包括:Some key aspects of a managed domain include the following:

  • 托管域是独立的域。The managed domain is a stand-alone domain. 它不是本地域的扩展。It isn't an extension of an on-premises domain.
  • 你的 IT 团队无需管理、修补或监视此托管域的域控制器。Your IT team doesn't need to manage, patch, or monitor domain controllers for this managed domain.

对于运行本地 AD DS 的混合环境,无需管理到托管域的 AD 复制。For hybrid environments that run AD DS on-premises, you don't need to manage AD replication to the managed domain. 本地目录中的用户帐户、组成员身份和凭据通过 Azure AD Connect 同步到 Azure AD。User accounts, group memberships, and credentials from your on-premises directory are synchronized to Azure AD via Azure AD Connect. 这些用户帐户、组成员身份和凭据在托管域中自动可用。These user accounts, group memberships, and credentials are automatically available within the managed domain.

后续步骤Next steps

若要详细了解 Azure AD DS 与其他标识解决方案以及同步的工作原理,请参阅以下文章:To learn more about Azure AD DS compares with other identity solutions and how synchronization works, see the following articles:

若要开始操作,请使用 Azure 门户创建托管域To get started, create a managed domain using the Azure portal.