Common use-cases and scenarios for Azure Active Directory Domain Services

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos / NTLM authentication. Azure AD DS integrates with your existing Azure AD tenant, which makes it possible for users to sign in using their existing credentials. You use these domain services without the need to deploy, manage, and patch domain controllers in the cloud, which provides a smoother lift-and-shift of on-premises resources to Azure.

This article outlines some common business scenarios where Azure AD DS provides value and meets those needs.

Common ways to provide identity solutions in the cloud

When you migrate existing workloads to the cloud, directory-aware applications may use LDAP for read or write access to an on-premises AD DS directory. Applications that run on Windows Server are typically deployed on domain-joined virtual machines (VMs) so they can be managed securely using Group Policy. To authenticate end users, the applications may also rely on Windows-integrated authentication, such as Kerberos or NTLM authentication.

IT administrators often use one of the following solutions to provide an identity service to applications that run in Azure:

  • Configure a site-to-site VPN connection between workloads that run in Azure and an on-premises AD DS environment.
    • The on-premises domain controllers then provide authentication via the VPN connection.
  • Create replica domain controllers using Azure virtual machines (VMs) to extend the AD DS domain / forest from on-premises.
    • The domain controllers that run on Azure VMs provide authentication, and replicate directory information with the on-premises AD DS environment.
  • Deploy a standalone AD DS environment in Azure using domain controllers that run on Azure VMs.
    • The domain controllers that run on Azure VMs provide authentication, but there's no directory information replicated from an on-premises AD DS environment.

With these approaches, VPN connections to the on-premises directory make applications vulnerable to transient network glitches or outages. If you deploy domain controllers using VMs in Azure, the IT team must manage the VMs, then secure, patch, monitor, back up, and troubleshoot them.

Azure AD DS removes the need to create VPN connections back to an on-premises AD DS environment or to run and manage VMs in Azure to provide identity services. As a managed service, Azure AD DS reduces the complexity of creating an integrated identity solution for both hybrid and cloud-only environments.

Azure AD DS for hybrid organizations

Many organizations run a hybrid infrastructure that includes both cloud and on-premises application workloads. Legacy applications migrated to Azure as part of a lift-and-shift strategy may use traditional LDAP connections to provide identity information. To support this hybrid infrastructure, identity information from an on-premises AD DS environment can be synchronized to an Azure AD tenant. Azure AD DS then provides these legacy applications in Azure with an identity source, without the need to configure and manage application connectivity back to on-premises directory services.

Let's look at an example for Litware Corporation, a hybrid organization that runs both on-premises and Azure resources:

Azure Active Directory Domain Services for a hybrid organization with on-premises synchronization

  • Applications and server workloads that require domain services are deployed in a virtual network in Azure.
    • This may include legacy applications migrated to Azure as part of a lift-and-shift strategy.
  • To synchronize identity information from their on-premises directory to their Azure AD tenant, Litware Corporation deploys Azure AD Connect.
    • Identity information that is synchronized includes user accounts and group memberships.
  • Litware's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network.
  • Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in a managed domain to synchronize objects back to Azure AD.

Azure AD DS for cloud-only organizations

A cloud-only Azure AD tenant doesn't have an on-premises identity source. User accounts and group memberships, for example, are created and managed directly in Azure AD.

Now let's look at an example for Contoso, a cloud-only organization that uses Azure AD for identity. All user identities, their credentials, and group memberships are created and managed in Azure AD. There is no additional configuration of Azure AD Connect to synchronize any identity information from an on-premises directory.

Azure Active Directory Domain Services for a cloud-only organization (no on-premises synchronization)

  • Applications and server workloads that require domain services are deployed in a virtual network in Azure.
  • Contoso's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network.
  • Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

Secure administration of Azure virtual machines

To let you use a single set of AD credentials, Azure virtual machines (VMs) can be joined to an Azure AD DS managed domain. This approach reduces credential management issues such as maintaining local administrator accounts on each VM or separate accounts and passwords between environments.

VMs that are joined to a managed domain can also be administered and secured using group policy. Required security baselines can be applied to VMs to lock them down in accordance with corporate security guidelines. For example, you can use group policy management capabilities to restrict the types of applications that can be launched on the VM.

Simplified administration of Azure virtual machines

Let's look at a common example scenario. As servers and other infrastructure reach end-of-life, Contoso wants to move applications currently hosted on premises to the cloud. Their current IT standard mandates that servers hosting corporate applications must be domain-joined and managed using group policy.

Contoso's IT administrator would prefer to domain-join VMs deployed in Azure to make administration easier, as users can then sign in using their corporate credentials. When domain-joined, VMs can also be configured to comply with required security baselines using group policy objects (GPOs). Contoso would prefer not to deploy, monitor, and manage their own domain controllers in Azure.

Azure AD DS is a great fit for this use-case. A managed domain lets you domain-join VMs, use a single set of credentials, and apply group policy. And because it's a managed domain, you don't have to configure and maintain the domain controllers yourself.

Deployment notes

The following deployment considerations apply to this example use case:

  • Managed domains use a single, flat Organizational Unit (OU) structure by default. All domain-joined VMs are in a single OU. If desired, you can create custom OUs.
  • Azure AD DS uses a built-in GPO each for the users and computers containers. For additional control, you can create custom GPOs and target them to custom OUs.
  • Azure AD DS supports the base AD computer object schema. You can't extend the computer object's schema.

Lift-and-shift on-premises applications that use LDAP bind authentication

As a sample scenario, Contoso has an on-premises application that was purchased from an ISV many years ago. The application is currently in maintenance mode by the ISV, and requesting changes to the application is prohibitively expensive. This application has a web-based front end that collects user credentials using a web form and then authenticates users by performing an LDAP bind to the on-premises AD DS environment.

LDAP bind

Contoso would like to migrate this application to Azure. The application should continue to work as-is, with no changes needed. Additionally, users should be able to authenticate using their existing corporate credentials and without additional training. It should be transparent to end users where the application is running.

For this scenario, Azure AD DS lets applications perform LDAP binds as part of the authentication process. Legacy on-premises applications can lift-and-shift into Azure and continue to seamlessly authenticate users without any change in configuration or user experience.

Deployment notes

The following deployment considerations apply to this example use case:

  • Make sure that the application doesn't need to modify/write to the directory. LDAP write access to a managed domain isn't supported.
  • You can't change passwords directly against a managed domain. End users can change their password either using Azure AD's self-service password change mechanism or against the on-premises directory. These changes are then automatically synchronized and available in the managed domain.
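As an added example (not code from this article or from Azure AD DS itself), the following Python sketch shows the LDAP simple bind that the web front end described above performs against the managed domain: it encodes the BindRequest, decodes the BindResponse, and accepts a login only on resultCode 0. It binds over LDAPS (port 636, which requires secure LDAP to be enabled on the managed domain) and never writes to the directory, in line with the deployment note above. The host name, bind DN and password are placeholders, and make_bind_response only constructs sample frames for offline checking.

```python
import socket
import ssl
LDAP_BIND_REQUEST = 0x60   # [APPLICATION 0] BindRequest (RFC 4511)
LDAP_BIND_RESPONSE = 0x61  # [APPLICATION 1] BindResponse; resultCode 0 = success, 49 = invalidCredentials

def tlv(tag: int, value: bytes) -> bytes:
    """One BER TLV: short-form length below 128 octets, long form above."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def parse_ber(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(LDAP_BIND_REQUEST, bind))

def make_bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    """Constructed sample BindResponse frame for offline tests, not a captured server reply."""
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(LDAP_BIND_RESPONSE, body))

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse frame."""
    tag, msg, _ = parse_ber(data)
    _, mid, pos = parse_ber(msg)
    rtag, resp, _ = parse_ber(msg, pos)
    if tag != 0x30 or rtag != LDAP_BIND_RESPONSE:
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    _, code, pos = parse_ber(resp)
    _, _matched_dn, pos = parse_ber(resp, pos)  # matchedDN, not needed for a bind decision
    _, diag, _ = parse_ber(resp, pos)
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"), diag.decode()

def ldap_bind_authenticate(host: str, bind_dn: str, password: str, port: int = 636) -> bool:
    """Check web-form credentials with one simple bind over LDAPS; True only on resultCode 0."""
    if not password:
        return False  # an empty password is an unauthenticated bind (RFC 4513), never a valid login
    with socket.create_connection((host, port), timeout=10) as raw, \
            ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_simple_bind(1, bind_dn, password))
        _, code, _ = parse_bind_response(tls.recv(4096))
    return code == 0  # any non-zero resultCode (49 invalidCredentials, etc.) fails closed
```

A call such as ldap_bind_authenticate("ldaps.example.invalid", "cn=alice,dc=contoso,dc=com", form_password) is the only directory operation the front end needs; no modify, add or password-change request is ever sent.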

Lift-and-shift on-premises applications that use LDAP read to access the directory

Like the previous example scenario, let's assume Contoso has an on-premises line-of-business (LOB) application that was developed almost a decade ago. This application is directory aware and was designed to use LDAP to read information/attributes about users from AD DS. The application doesn't modify attributes or otherwise write to the directory.

Contoso wants to migrate this application to Azure and retire the aging on-premises hardware currently hosting this application. The application can't be rewritten to use modern directory APIs such as the REST-based Microsoft Graph API. A lift-and-shift option is desired where the application can be migrated to run in the cloud, without modifying code or rewriting the application.

To help with this scenario, Azure AD DS lets applications perform LDAP reads against the managed domain to get the attribute information they need. The application doesn't need to be rewritten, so a lift-and-shift into Azure lets users continue to use the app without realizing there's a change in where it runs.

Deployment notes

The following deployment considerations apply to this example use case:

  • Make sure that the application doesn't need to modify/write to the directory. LDAP write access to a managed domain isn't supported.
  • Make sure that the application doesn't need a custom/extended Active Directory schema. Schema extensions aren't supported in Azure AD DS.

Migrate an on-premises service or daemon application to Azure

Some applications include multiple tiers, where one of the tiers needs to perform authenticated calls to a backend tier, such as a database. AD service accounts are commonly used in these scenarios. When you lift-and-shift applications into Azure, Azure AD DS lets you continue to use service accounts in the same way. You can choose to use the same service account that is synchronized from your on-premises directory to Azure AD, or create a custom OU and then create a separate service account in that OU. With either approach, applications continue to function the same way to make authenticated calls to other tiers and services.

Service accounts using WIA

In this example scenario, Contoso has a custom-built software vault application that includes a web front end, a SQL server, and a backend FTP server. Windows-integrated authentication using service accounts authenticates the web front end to the FTP server. The web front end is set up to run as a service account. The backend server is configured to authorize access from the service account for the web front end. Contoso doesn't want to deploy and manage their own domain controller VMs in the cloud to move this application to Azure.

For this scenario, the servers hosting the web front end, SQL server, and the FTP server can be migrated to Azure VMs and joined to a managed domain. The VMs can then use the same service account from their on-premises directory for the app's authentication purposes, which is synchronized through Azure AD using Azure AD Connect.

Deployment notes

The following deployment considerations apply to this example use case:

  • Make sure that the applications use a username and password for authentication. Certificate or smartcard-based authentication isn't supported by Azure AD DS.
  • You can't change passwords directly against a managed domain. End users can change their password either using Azure AD's self-service password change mechanism or against the on-premises directory. These changes are then automatically synchronized and available in the managed domain.

Windows Server remote desktop services deployments in Azure

You can use Azure AD DS to provide managed domain services to remote desktop servers deployed in Azure.

For more information about this deployment scenario, see how to integrate Azure AD Domain Services with your RDS deployment.

Domain-joined HDInsight clusters

You can set up an Azure HDInsight cluster that is joined to a managed domain with Apache Ranger enabled. You can create and apply Hive policies through Apache Ranger, and allow users, such as data scientists, to connect to Hive using ODBC-based tools like Excel or Tableau. We continue to work to add other workloads, such as HBase, Spark, and Storm, to domain-joined HDInsight.

For more information about this deployment scenario, see how to configure domain-joined HDInsight clusters.

Next steps

To get started, create and configure an Azure Active Directory Domain Services managed domain.