Enable Azure Active Directory Domain Services using PowerShell

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, or patching domain controllers yourself. Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

This article shows you how to enable Azure AD DS using PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To complete this article, you need the following resources:

Create required Azure AD resources

Azure AD DS requires a service principal and an Azure AD group. These resources let the Azure AD DS managed domain synchronize data, and define which users have administrative permissions in the managed domain.

First, create an Azure AD service principal that Azure AD DS uses to communicate and authenticate itself. A specific application ID, named Domain Controller Services, is used: 6ba9a5d4-8456-4118-b521-9c5ca10cdf84. Don't change this application ID.

Create the Azure AD service principal using the New-AzureADServicePrincipal cmdlet:

New-AzureADServicePrincipal -AppId "6ba9a5d4-8456-4118-b521-9c5ca10cdf84"

Now create an Azure AD group named AAD DC Administrators. Users added to this group are granted permissions to perform administration tasks on the managed domain.

First, get the object ID of the AAD DC Administrators group using the Get-AzureADGroup cmdlet. If the group doesn't exist, create it using the New-AzureADGroup cmdlet:

# First, retrieve the object ID of the 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
  -Filter "DisplayName eq 'AAD DC Administrators'" | `
  Select-Object ObjectId

# If the group doesn't exist, create it
if (!$GroupObjectId) {
  $GroupObjectId = New-AzureADGroup -DisplayName "AAD DC Administrators" `
    -Description "Delegated group to administer Azure AD Domain Services" `
    -SecurityEnabled $true `
    -MailEnabled $false `
    -MailNickName "AADDCAdministrators"
}
else {
  Write-Output "Admin group already exists."
}

With the AAD DC Administrators group created, get the desired user's object ID using the Get-AzureADUser cmdlet, then add the user to the group using the Add-AzureADGroupMember cmdlet.

The following example retrieves the user object ID for the account with a UPN of admin@contoso.partner.onmschina.cn. Replace this user account with the UPN of the user you wish to add to the AAD DC Administrators group:

# Retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
  -Filter "UserPrincipalName eq 'admin@contoso.partner.onmschina.cn'" | `
  Select-Object ObjectId

# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId

Create network resources

First, register the Azure AD Domain Services resource provider using the Register-AzResourceProvider cmdlet:

Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

Next, create a resource group using the New-AzResourceGroup cmdlet. In the following example, the resource group is named myResourceGroup and is created in the chinanorth2 region. Use your own name and desired region:

$ResourceGroupName = "myResourceGroup"
$AzureLocation = "chinanorth2"

# Create the resource group.
New-AzResourceGroup `
  -Name $ResourceGroupName `
  -Location $AzureLocation

Create the virtual network and subnets for Azure AD Domain Services. Two subnets are created: one for DomainServices and one for Workloads. Azure AD DS is deployed into the dedicated DomainServices subnet. Don't deploy other applications or workloads into this subnet. Use the separate Workloads subnet, or other subnets, for the rest of your VMs.

Create the subnets using the New-AzVirtualNetworkSubnetConfig cmdlet, then create the virtual network using the New-AzVirtualNetwork cmdlet.

$VnetName = "myVnet"

# Create the dedicated subnet for Azure AD Domain Services.
$SubnetName = "DomainServices"
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name $SubnetName `
  -AddressPrefix 10.0.0.0/24

# Create an additional subnet for your own VM workloads
$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name Workloads `
  -AddressPrefix 10.0.1.0/24

# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet = New-AzVirtualNetwork `
  -ResourceGroupName $ResourceGroupName `
  -Location $AzureLocation `
  -Name $VnetName `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $AaddsSubnet,$WorkloadSubnet

Create a network security group

Azure AD DS needs a network security group to secure the ports needed for the managed domain and block all other incoming traffic. A network security group (NSG) contains a list of rules that allow or deny network traffic in an Azure virtual network. In Azure AD DS, the network security group acts as an extra layer of protection to lock down access to the managed domain. To view the ports required, see Network security groups and required ports.

The following PowerShell cmdlets use New-AzNetworkSecurityRuleConfig to create the rules, then New-AzNetworkSecurityGroup to create the network security group. The network security group and rules are then associated with the virtual network subnet using the Set-AzVirtualNetworkSubnetConfig cmdlet.

$NSGName = "aaddsNSG"

# Create a rule to allow inbound TCP port 443 traffic for synchronization with Azure AD
$nsg101 = New-AzNetworkSecurityRuleConfig `
    -Name AllowSyncWithAzureAD `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 101 `
    -SourceAddressPrefix AzureActiveDirectoryDomainServices `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 443

# Create a rule to allow inbound TCP port 3389 traffic from Microsoft secure access workstations for troubleshooting
$nsg201 = New-AzNetworkSecurityRuleConfig -Name AllowRD `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 201 `
    -SourceAddressPrefix CorpNetSaw `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 3389

# Create a rule to allow TCP port 5986 traffic for PowerShell remote management
$nsg301 = New-AzNetworkSecurityRuleConfig -Name AllowPSRemoting `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 301 `
    -SourceAddressPrefix AzureActiveDirectoryDomainServices `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 5986

# Create the network security group and rules
$nsg = New-AzNetworkSecurityGroup -Name $NSGName `
    -ResourceGroupName $ResourceGroupName `
    -Location $AzureLocation `
    -SecurityRules $nsg101,$nsg201,$nsg301

# Get the existing virtual network resource objects and information
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
$addressPrefix = $subnet.AddressPrefix

# Associate the network security group with the virtual network subnet
Set-AzVirtualNetworkSubnetConfig -Name $SubnetName `
    -VirtualNetwork $vnet `
    -AddressPrefix $addressPrefix `
    -NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork
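Once the NSG is attached, it is worth verifying that the DomainServices subnet carries exactly the three inbound rules above and nothing broader. The following audit function is an added example, not code from the original article or from Azure AD DS itself; it assumes the $ResourceGroupName, $VnetName and $SubnetName variables defined in the script above, and the function name Test-AaddsSubnetNsg is hypothetical.

```powershell
# Added example, not part of the original article: audit the NSG attached to the
# DomainServices subnet against the three inbound rules created above, and flag
# any other inbound Allow rule. Assumes $ResourceGroupName, $VnetName and
# $SubnetName from the article's script.

# The rules the article creates, keyed by name: expected source tag and port.
$ExpectedRules = @{
    'AllowSyncWithAzureAD' = @{ Source = 'AzureActiveDirectoryDomainServices'; Port = '443'  }
    'AllowRD'              = @{ Source = 'CorpNetSaw';                         Port = '3389' }
    'AllowPSRemoting'      = @{ Source = 'AzureActiveDirectoryDomainServices'; Port = '5986' }
}

function Test-AaddsSubnetNsg {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VnetName,
        [string] $SubnetName = 'DomainServices'
    )
    $vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
    if (-not $subnet.NetworkSecurityGroup) {
        Write-Warning "Subnet '$SubnetName' has no network security group attached."
        return $false
    }
    # The subnet config only carries the NSG resource ID; resolve it to the NSG object.
    $nsgName = ($subnet.NetworkSecurityGroup.Id -split '/')[-1]
    $nsg     = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $ResourceGroupName
    $inbound = @($nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' })
    $ok = $true

    foreach ($rule in $inbound) {
        $src  = $rule.SourceAddressPrefix -join ','
        $port = $rule.DestinationPortRange -join ','
        $exp  = $ExpectedRules[$rule.Name]
        if ($exp) {
            # Known rule: make sure it has not been loosened since creation.
            if ($rule.Access -ne 'Allow' -or $src -ne $exp.Source -or $port -ne $exp.Port) {
                Write-Warning "Rule '$($rule.Name)' no longer matches its expected definition (source $src, port $port)."
                $ok = $false
            }
        }
        elseif ($rule.Access -eq 'Allow') {
            # Any extra inbound Allow rule widens the managed domain's exposure.
            Write-Warning "Unexpected inbound Allow rule '$($rule.Name)' (priority $($rule.Priority), source $src, port $port)."
            $ok = $false
        }
    }
    foreach ($name in $ExpectedRules.Keys) {
        if ($inbound.Name -notcontains $name) {
            Write-Warning "Expected rule '$name' is missing from NSG '$nsgName'."
            $ok = $false
        }
    }
    return $ok
}

Test-AaddsSubnetNsg -ResourceGroupName $ResourceGroupName -VnetName $VnetName -SubnetName $SubnetName
```

The function returns $true only when the three expected rules are intact and no other inbound Allow rule is present, so it can be re-run later to catch drift after the domain is in use.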

Create a managed domain

Now let's create a managed domain. Set your Azure subscription ID, and then provide a name for the managed domain, such as aaddscontoso.com. You can get your subscription ID using the Get-AzSubscription cmdlet.

If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for additional redundancy.

Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions.

There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources.

$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "aaddscontoso.com"

# Enable Azure AD Domain Services for the directory.
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
  -ApiVersion "2017-06-01" `
  -Location $AzureLocation `
  -Properties @{"DomainName"=$ManagedDomainName; `
    "SubnetId"="/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"} `
  -Force -Verbose

It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and the deployment can take up to an hour to complete. In the Azure portal, the Overview page for your managed domain shows the current status throughout this deployment stage.

When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

  • Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
    • To configure DNS, select your managed domain in the portal. On the Overview window, you are prompted to automatically configure these DNS settings.
  • Enable password synchronization to Azure AD DS so end users can sign in to the managed domain using their corporate credentials.
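Rather than watching the portal's Overview page, the provisioning state can be polled from the same PowerShell session. The following function is an added example, not code from the original article; it assumes the $AzureSubscriptionId, $ResourceGroupName and $ManagedDomainName variables above, the function name Wait-AaddsProvisioning is hypothetical, and the provisioningState and domainControllerIpAddress property names are assumed from the Microsoft.AAD/DomainServices resource, not taken from this article.

```powershell
# Added example, not part of the original article: wait for the managed domain
# to finish provisioning instead of watching the portal. Assumes $AzureSubscriptionId,
# $ResourceGroupName and $ManagedDomainName from the article. The 'provisioningState'
# and 'domainControllerIpAddress' property names are assumptions about the
# Microsoft.AAD/DomainServices resource, not values given in the article.

function Wait-AaddsProvisioning {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $DomainName,
        [int] $TimeoutMinutes = 90,   # the article says deployment can take up to an hour
        [int] $PollSeconds = 60
    )
    $resourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                  "/providers/Microsoft.AAD/DomainServices/$DomainName"
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    while ($true) {
        # Same resource ID and API version the article uses to create the domain.
        $domain = Get-AzResource -ResourceId $resourceId -ApiVersion "2017-06-01"
        $state  = $domain.Properties.provisioningState
        Write-Output "$(Get-Date -Format 'HH:mm:ss') provisioningState = $state"

        switch ($state) {
            'Succeeded' {
                # These addresses are what the virtual network's DNS settings must point at.
                return $domain.Properties.domainControllerIpAddress
            }
            'Failed' { throw "Provisioning of '$DomainName' failed; inspect the resource in the portal." }
        }
        if ((Get-Date) -gt $deadline) {
            throw "Timed out after $TimeoutMinutes minutes waiting for '$DomainName'."
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

$dcIps = Wait-AaddsProvisioning -SubscriptionId $AzureSubscriptionId `
    -ResourceGroupName $ResourceGroupName -DomainName $ManagedDomainName
Write-Output "Managed domain DNS servers: $($dcIps -join ', ')"
```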

Complete PowerShell script

The following complete PowerShell script combines all of the tasks shown in this article. Copy the script and save it to a file with a .ps1 extension. Run the script in a local PowerShell console.

Note

To enable Azure AD DS, you must be a global administrator for the Azure AD tenant. You also need at least Contributor privileges in the Azure subscription.

# Change the following values to match your deployment.
$AaddsAdminUserUpn = "admin@contoso.partner.onmschina.cn"
$ResourceGroupName = "myResourceGroup"
$VnetName = "myVnet"
$AzureLocation = "chinanorth2"
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "aaddscontoso.com"

# Connect to your Azure AD directory.
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

# Login to your Azure subscription.
Connect-AzAccount -Environment AzureChinaCloud

# Create the service principal for Azure AD Domain Services.
New-AzureADServicePrincipal -AppId "6ba9a5d4-8456-4118-b521-9c5ca10cdf84"

# First, retrieve the object ID of the 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
  -Filter "DisplayName eq 'AAD DC Administrators'" | `
  Select-Object ObjectId

# Create the delegated administration group for Azure AD Domain Services if it doesn't already exist.
if (!$GroupObjectId) {
  $GroupObjectId = New-AzureADGroup -DisplayName "AAD DC Administrators" `
    -Description "Delegated group to administer Azure AD Domain Services" `
    -SecurityEnabled $true `
    -MailEnabled $false `
    -MailNickName "AADDCAdministrators"
}
else {
  Write-Output "Admin group already exists."
}

# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
  -Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
  Select-Object ObjectId

# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId

# Register the resource provider for Azure AD Domain Services with Resource Manager.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

# Create the resource group.
New-AzResourceGroup `
  -Name $ResourceGroupName `
  -Location $AzureLocation

# Create the dedicated subnet for AAD Domain Services.
$SubnetName = "DomainServices"
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name $SubnetName `
  -AddressPrefix 10.0.0.0/24

$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name Workloads `
  -AddressPrefix 10.0.1.0/24

# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet = New-AzVirtualNetwork `
  -ResourceGroupName $ResourceGroupName `
  -Location $AzureLocation `
  -Name $VnetName `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $AaddsSubnet,$WorkloadSubnet
  
$NSGName = "aaddsNSG"

# Create a rule to allow inbound TCP port 443 traffic for synchronization with Azure AD
$nsg101 = New-AzNetworkSecurityRuleConfig `
    -Name AllowSyncWithAzureAD `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 101 `
    -SourceAddressPrefix AzureActiveDirectoryDomainServices `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 443

# Create a rule to allow inbound TCP port 3389 traffic from Microsoft secure access workstations for troubleshooting
$nsg201 = New-AzNetworkSecurityRuleConfig -Name AllowRD `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 201 `
    -SourceAddressPrefix CorpNetSaw `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 3389

# Create a rule to allow TCP port 5986 traffic for PowerShell remote management
$nsg301 = New-AzNetworkSecurityRuleConfig -Name AllowPSRemoting `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 301 `
    -SourceAddressPrefix AzureActiveDirectoryDomainServices `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 5986

# Create the network security group and rules
$nsg = New-AzNetworkSecurityGroup -Name $NSGName `
    -ResourceGroupName $ResourceGroupName `
    -Location $AzureLocation `
    -SecurityRules $nsg101,$nsg201,$nsg301

# Get the existing virtual network resource objects and information
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
$addressPrefix = $subnet.AddressPrefix

# Associate the network security group with the virtual network subnet
Set-AzVirtualNetworkSubnetConfig -Name $SubnetName `
    -VirtualNetwork $vnet `
    -AddressPrefix $addressPrefix `
    -NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork

# Enable Azure AD Domain Services for the directory.
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
  -ApiVersion "2017-06-01" `
  -Location $AzureLocation `
  -Properties @{"DomainName"=$ManagedDomainName; `
    "SubnetId"="/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"} `
  -Force -Verbose

It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and the deployment can take up to an hour to complete. In the Azure portal, the Overview page for your managed domain shows the current status throughout this deployment stage.

When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

  • Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
    • To configure DNS, select your managed domain in the portal. On the Overview window, you are prompted to automatically configure these DNS settings.
  • Enable password synchronization to Azure AD DS so end users can sign in to the managed domain using their corporate credentials.

Next steps

To see the managed domain in action, you can domain-join a Windows VM, configure secure LDAP, and configure password hash sync.