How objects and credentials are synchronized in an Azure Active Directory Domain Services managed domain

Objects and credentials in an Azure Active Directory Domain Services (Azure AD DS) managed domain are either created locally within the domain or synchronized from an Azure Active Directory (Azure AD) tenant. When you first deploy Azure AD DS, an automatic one-way synchronization is configured and started to replicate objects from Azure AD. This one-way synchronization then keeps running in the background so that the managed domain stays up to date with changes made in Azure AD. No synchronization occurs from Azure AD DS back to Azure AD.

In a hybrid environment, objects and credentials from an on-premises AD DS domain can be synchronized to Azure AD using Azure AD Connect. Once those objects have been synchronized to Azure AD, the automatic background sync makes them, and their credentials, available to applications that use the managed domain.

If on-premises AD DS and Azure AD are configured for federated authentication using AD FS, no current, valid password hash is available in Azure AD for those users. Azure AD user accounts created before federation was implemented might still carry an old password hash, but it's unlikely to match the hash of their current on-premises password. As a result, Azure AD DS can't validate those users' credentials.

The following diagram illustrates how synchronization works between Azure AD DS, Azure AD, and an optional on-premises AD DS environment:

Diagram: synchronization overview in an Azure Active Directory Domain Services managed domain

Synchronization from Azure AD to Azure AD DS

User accounts, group memberships, and credential hashes are synchronized one way from Azure AD to Azure AD DS. This synchronization is automatic; you don't need to configure, monitor, or manage it. The initial synchronization may take from a few hours to a couple of days, depending on the number of objects in the Azure AD directory. After the initial synchronization completes, changes made in Azure AD, such as password or attribute changes, are automatically synchronized to Azure AD DS.

When a user is created in Azure AD, they aren't synchronized to Azure AD DS until they change their password in Azure AD. That password change causes the password hashes used for Kerberos and NTLM authentication to be generated and stored in Azure AD. Those hashes are required for the user to authenticate successfully in Azure AD DS.

The synchronization process is one-way (unidirectional) by design. There's no reverse synchronization of changes from Azure AD DS back to Azure AD. A managed domain is largely read-only, apart from custom OUs that you can create. You can't change user attributes, user passwords, or group memberships within a managed domain.

Attribute synchronization and mapping to Azure AD DS

The following table lists some common attributes and how they're synchronized to Azure AD DS.

| Attribute in Azure AD DS | Source | Notes |
|---|---|---|
| UPN | User's UPN attribute in the Azure AD tenant | The UPN attribute from the Azure AD tenant is synchronized as-is to Azure AD DS. The most reliable way to sign in to a managed domain is with the UPN. |
| SAMAccountName | User's mailNickname attribute in the Azure AD tenant, or autogenerated | The SAMAccountName attribute is sourced from the mailNickname attribute in the Azure AD tenant. If multiple user accounts have the same mailNickname, the SAMAccountName is autogenerated. If the user's mailNickname or UPN prefix is longer than 20 characters, the SAMAccountName is autogenerated to meet the 20-character limit on SAMAccountName attributes. |
| Passwords | User's password from the Azure AD tenant | Legacy password hashes required for NTLM or Kerberos authentication are synchronized from the Azure AD tenant. If the tenant is configured for hybrid synchronization using Azure AD Connect, these password hashes originate in the on-premises AD DS environment. |
| Primary user/group SID | Autogenerated | The primary SID for user and group accounts is autogenerated in Azure AD DS. It doesn't match the primary SID of the same object in an on-premises AD DS environment, because the managed domain has a different SID namespace than the on-premises domain. |
| SID history for users and groups | On-premises primary user and group SID | The SidHistory attribute of users and groups in Azure AD DS is set to match the corresponding primary user or group SID in the on-premises AD DS environment. This makes lift-and-shift of on-premises applications to Azure AD DS easier, because you don't need to re-ACL resources. |

Tip

Sign in to the managed domain using the UPN format. The SAMAccountName attribute, such as AADDSCONTOSO\driley, may be autogenerated for some user accounts in a managed domain. A user's autogenerated SAMAccountName may differ from their UPN prefix, so it isn't always a reliable way to sign in.

For example, if multiple users have the same mailNickname attribute, or a user has an overly long UPN prefix, the SAMAccountName for those users may be autogenerated. Use the UPN format, such as driley@aaddscontoso.com, to sign in to a managed domain reliably.
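The following PowerShell is an added example, not code from the original page. It flags the Azure AD users whose SAMAccountName in the managed domain will be autogenerated under the two rules above (duplicate mailNickname, or a mailNickname or UPN prefix longer than 20 characters), so that scripts and sign-in guidance fall back to the UPN. The user list is constructed sample data, and the managed domain name aaddscontoso.com in the second function is an assumption; in a real tenant build the list with Get-MgUser.

```powershell
# Added example, not from the original page. Constructed sample input; in a
# real tenant use:
#   $users = Get-MgUser -All -Property Id,UserPrincipalName,MailNickname
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'driley@aaddscontoso.com';  MailNickname = 'driley' }
    [pscustomobject]@{ UserPrincipalName = 'd.riley@aaddscontoso.com'; MailNickname = 'driley' }   # duplicate mailNickname
    [pscustomobject]@{ UserPrincipalName = 'alexandria.montgomerysmith@aaddscontoso.com'
                       MailNickname      = 'alexandria.montgomerysmith' }                          # 26 characters
    [pscustomobject]@{ UserPrincipalName = 'jsmith@aaddscontoso.com';  MailNickname = 'jsmith' }
)

function Get-SamAccountNameRisk {
    param([Parameter(Mandatory)][object[]]$AzureAdUsers)

    # mailNickname values shared by more than one account: the managed domain
    # keeps one and autogenerates the others, and which one wins isn't documented.
    $duplicates = @($AzureAdUsers | Group-Object -Property MailNickname |
                    Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })

    foreach ($u in $AzureAdUsers) {
        $prefix  = $u.UserPrincipalName.Split('@')[0]
        $reasons = @()
        if ($u.MailNickname -in $duplicates) { $reasons += 'duplicate mailNickname' }
        if ($u.MailNickname.Length -gt 20)   { $reasons += 'mailNickname longer than 20 characters' }
        if ($prefix.Length -gt 20)           { $reasons += 'UPN prefix longer than 20 characters' }

        [pscustomobject]@{
            UserPrincipalName      = $u.UserPrincipalName
            MailNickname           = $u.MailNickname
            SamAccountNameReliable = ($reasons.Count -eq 0)
            Reason                 = ($reasons -join '; ')
            SignInName             = $u.UserPrincipalName   # the UPN always works
        }
    }
}

# Read the value the managed domain actually assigned. Requires the RSAT
# ActiveDirectory module; 'aaddscontoso.com' is an assumed managed domain name.
function Get-ManagedDomainSam {
    param([string[]]$UserPrincipalName, [string]$Server = 'aaddscontoso.com')
    foreach ($upn in $UserPrincipalName) {
        Get-ADUser -Server $Server -Filter "userPrincipalName -eq '$upn'" -Properties sAMAccountName |
            Select-Object UserPrincipalName, SamAccountName
    }
}

Get-SamAccountNameRisk -AzureAdUsers $users | Format-Table -AutoSize
```

Only the first function runs offline; Get-ManagedDomainSam is there to confirm the prediction against the managed domain, because the page doesn't document the autogeneration scheme and the flagged accounts' real SAMAccountName can only be read from the domain itself.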

Attribute mapping for user accounts

The following table shows how specific attributes of user objects in Azure AD are synchronized to the corresponding attributes in Azure AD DS.

| User attribute in Azure AD | User attribute in Azure AD DS |
|---|---|
| accountEnabled | userAccountControl (sets or clears the ACCOUNT_DISABLED bit) |
| city | l |
| country | co |
| department | department |
| displayName | displayName |
| employeeId | employeeId |
| facsimileTelephoneNumber | facsimileTelephoneNumber |
| givenName | givenName |
| jobTitle | title |
| mail | mail |
| mailNickname | msDS-AzureADMailNickname |
| mailNickname | SAMAccountName (may sometimes be autogenerated) |
| manager | manager |
| mobile | mobile |
| objectId | msDS-AzureADObjectId |
| onPremisesSecurityIdentifier | sidHistory |
| passwordPolicies | userAccountControl (sets or clears the DONT_EXPIRE_PASSWORD bit) |
| physicalDeliveryOfficeName | physicalDeliveryOfficeName |
| postalCode | postalCode |
| preferredLanguage | preferredLanguage |
| proxyAddresses | proxyAddresses |
| state | st |
| streetAddress | streetAddress |
| surname | sn |
| telephoneNumber | telephoneNumber |
| userPrincipalName | userPrincipalName |
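The PowerShell below is an added example, not code from the original page. It turns the mapping table above into a drift check for one user: each single-valued attribute pair is compared directly, the on-premises SID is looked up in the multi-valued sidHistory, and the two userAccountControl bits are decoded with the standard AD DS constants (ACCOUNT_DISABLED = 0x2, DONT_EXPIRE_PASSWORD = 0x10000) and compared with accountEnabled and passwordPolicies. The two sample objects are constructed data with two deliberate mismatches; in practice they come from Get-MgUser and Get-ADUser as noted in the comments.

```powershell
# Added example, not from the original page. Bit values are the standard
# AD DS userAccountControl constants.
$ACCOUNT_DISABLED     = 0x0002
$DONT_EXPIRE_PASSWORD = 0x10000

# Azure AD attribute -> Azure AD DS attribute, single-valued entries from the table.
$AttributeMap = [ordered]@{
    userPrincipalName = 'userPrincipalName'
    id                = 'msDS-AzureADObjectId'
    mailNickname      = 'msDS-AzureADMailNickname'
    displayName       = 'displayName'
    givenName         = 'givenName'
    surname           = 'sn'
    jobTitle          = 'title'
    department        = 'department'
    mail              = 'mail'
    city              = 'l'
    state             = 'st'
    country           = 'co'
}

function Compare-AaddsUser {
    param(
        [Parameter(Mandatory)]$AzureAdUser,  # e.g. Get-MgUser -UserId <upn> -Property Id,UserPrincipalName,...,AccountEnabled,PasswordPolicies,OnPremisesSecurityIdentifier
        [Parameter(Mandatory)]$DomainUser    # e.g. Get-ADUser -Server aaddscontoso.com -Identity <sam> -Properties *
    )
    $findings = @()

    foreach ($src in $AttributeMap.Keys) {
        $dst      = $AttributeMap[$src]
        $expected = "$($AzureAdUser.$src)"
        $actual   = "$($DomainUser.$dst)"
        if ($expected -ne $actual) { $findings += "$src='$expected' but $dst='$actual'" }
    }

    # sidHistory is multi-valued in AD DS; the on-premises SID must be one of its values.
    $onPremSid = "$($AzureAdUser.onPremisesSecurityIdentifier)"
    if ($onPremSid) {
        $history = @($DomainUser.sidHistory | ForEach-Object { "$_" })
        if ($history -notcontains $onPremSid) { $findings += "onPremisesSecurityIdentifier=$onPremSid not present in sidHistory" }
    }

    # accountEnabled maps to the ACCOUNT_DISABLED bit, with inverted sense.
    $uac      = [int]$DomainUser.userAccountControl
    $disabled = (($uac -band $ACCOUNT_DISABLED) -ne 0)
    if (([bool]$AzureAdUser.accountEnabled) -eq $disabled) {
        $findings += "accountEnabled=$($AzureAdUser.accountEnabled) but ACCOUNT_DISABLED bit set=$disabled"
    }

    # passwordPolicies 'DisablePasswordExpiration' maps to DONT_EXPIRE_PASSWORD.
    $noExpire       = (($uac -band $DONT_EXPIRE_PASSWORD) -ne 0)
    $policyNoExpire = ("$($AzureAdUser.passwordPolicies)" -match 'DisablePasswordExpiration')
    if ($noExpire -ne $policyNoExpire) {
        $findings += "passwordPolicies='$($AzureAdUser.passwordPolicies)' but DONT_EXPIRE_PASSWORD bit set=$noExpire"
    }

    [pscustomobject]@{
        UserPrincipalName = $AzureAdUser.userPrincipalName
        InSync            = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

# Constructed sample: everything matches except jobTitle/title and the
# DONT_EXPIRE_PASSWORD bit, which Azure AD says should be set.
$aad = [pscustomobject]@{
    userPrincipalName = 'driley@aaddscontoso.com'; id = '3b5e1f9c-0000-4000-8000-000000000001'
    mailNickname = 'driley'; displayName = 'Dee Riley'; givenName = 'Dee'; surname = 'Riley'
    jobTitle = 'Security Engineer'; department = 'Security'; mail = 'driley@aaddscontoso.com'
    city = 'Seattle'; state = 'WA'; country = 'US'
    accountEnabled = $true; passwordPolicies = 'DisablePasswordExpiration'
    onPremisesSecurityIdentifier = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
}
$ds = [pscustomobject]@{
    userPrincipalName = 'driley@aaddscontoso.com'; 'msDS-AzureADObjectId' = '3b5e1f9c-0000-4000-8000-000000000001'
    'msDS-AzureADMailNickname' = 'driley'; displayName = 'Dee Riley'; givenName = 'Dee'; sn = 'Riley'
    title = 'Engineer'; department = 'Security'; mail = 'driley@aaddscontoso.com'
    l = 'Seattle'; st = 'WA'; co = 'US'
    userAccountControl = 0x200   # NORMAL_ACCOUNT only: enabled, password expires
    sidHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1105')
}
Compare-AaddsUser -AzureAdUser $aad -DomainUser $ds | Format-List
```

Run against real objects, a non-empty Findings list after the sync interval has passed means an attribute was excluded in Azure AD Connect or hasn't propagated yet; because the managed domain is read-only for these attributes, the fix is always made in Azure AD or on-premises, never in the managed domain.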

Attribute mapping for groups

The following table shows how specific attributes of group objects in Azure AD are synchronized to the corresponding attributes in Azure AD DS.

| Group attribute in Azure AD | Group attribute in Azure AD DS |
|---|---|
| displayName | displayName |
| displayName | SAMAccountName (may sometimes be autogenerated) |
| mail | mail |
| mailNickname | msDS-AzureADMailNickname |
| objectId | msDS-AzureADObjectId |
| onPremisesSecurityIdentifier | sidHistory |
| proxyAddresses | proxyAddresses |
| securityEnabled | groupType |

Synchronization from on-premises AD DS to Azure AD and Azure AD DS

Azure AD Connect is used to synchronize user accounts, group memberships, and credential hashes from an on-premises AD DS environment to Azure AD. Attributes of user accounts such as the UPN and the on-premises security identifier (SID) are synchronized. To allow sign-in through Azure AD DS, the legacy password hashes required for NTLM and Kerberos authentication are also synchronized to Azure AD.

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. Installing Azure AD Connect in a managed domain to synchronize objects back to Azure AD isn't supported.

If you configure write-back, changes made in Azure AD are synchronized back to the on-premises AD DS environment. For example, if a user changes their password using Azure AD self-service password management, the new password is written back to the on-premises AD DS environment.

Note

Always use the latest version of Azure AD Connect to ensure you have the fixes for all known bugs.

Synchronization from a multi-forest on-premises environment

Many organizations have a fairly complex on-premises AD DS environment that includes multiple forests. Azure AD Connect supports synchronizing users, groups, and credential hashes from multi-forest environments to Azure AD.

Azure AD has a much simpler, flat namespace. To let users reliably access applications secured by Azure AD, resolve any UPN conflicts between user accounts in different forests. Managed domains use a flat OU structure, similar to Azure AD: all synchronized user accounts and groups are stored in the AADDC Users container, regardless of which on-premises domain or forest they came from and even if you've configured a hierarchical OU structure on-premises. The managed domain flattens any hierarchical OU structure.

As noted earlier, there's no synchronization from Azure AD DS back to Azure AD. You can create a custom organizational unit (OU) in Azure AD DS and then create users, groups, or service accounts within those custom OUs. None of the objects created in custom OUs are synchronized back to Azure AD. These objects exist only within the managed domain and aren't visible through the Azure AD PowerShell cmdlets, the Microsoft Graph API, or the Azure AD management UI.

What isn't synchronized to Azure AD DS

The following objects or attributes aren't synchronized from an on-premises AD DS environment to Azure AD or Azure AD DS:

  • Excluded attributes: You can choose to exclude certain attributes from synchronizing to Azure AD from an on-premises AD DS environment using Azure AD Connect. Those excluded attributes are then not available in Azure AD DS either.
  • Group Policies: Group Policies configured in an on-premises AD DS environment aren't synchronized to Azure AD DS.
  • Sysvol folder: The contents of the Sysvol folder in an on-premises AD DS environment aren't synchronized to Azure AD DS.
  • Computer objects: Computer objects for computers joined to an on-premises AD DS environment aren't synchronized to Azure AD DS. These computers have no trust relationship with the managed domain and belong only to the on-premises AD DS environment. In Azure AD DS, only computer objects for computers that have explicitly joined the managed domain are shown.
  • SidHistory attributes for users and groups: The primary user and primary group SIDs from an on-premises AD DS environment are synchronized to Azure AD DS. However, any existing SidHistory attributes of users and groups aren't synchronized from the on-premises AD DS environment to Azure AD DS.
  • Organizational unit (OU) structures: Organizational units defined in an on-premises AD DS environment aren't synchronized to Azure AD DS. There are two built-in OUs in Azure AD DS, one for users and one for computers. The managed domain has a flat OU structure. You can choose to create a custom OU in your managed domain.

Password hash synchronization and security considerations

When you enable Azure AD DS, legacy password hashes for NTLM and Kerberos authentication are required. Azure AD doesn't store clear-text passwords, so these hashes can't be generated automatically for existing user accounts. Once generated and stored, the NTLM- and Kerberos-compatible password hashes are always kept in encrypted form in Azure AD.

The encryption keys are unique to each Azure AD tenant. The hashes are encrypted such that only Azure AD DS has access to the decryption keys; no other service or component in Azure AD does.

The legacy password hashes are then synchronized from Azure AD to the domain controllers of the managed domain. The disks of those managed domain controllers are encrypted at rest, and the hashes are stored and protected on them in the same way password hashes are stored and protected in an on-premises AD DS environment.

For cloud-only Azure AD environments, users must reset or change their password so that the required password hashes are generated and stored in Azure AD. For any cloud user account created in Azure AD after Azure AD Domain Services is enabled, the password hashes are generated and stored in the NTLM- and Kerberos-compatible formats when the password is set. Cloud user accounts that existed before then must change their password before they're synchronized to Azure AD DS.

For hybrid user accounts synced from an on-premises AD DS environment using Azure AD Connect, you must configure Azure AD Connect to synchronize password hashes in the NTLM- and Kerberos-compatible formats.
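The PowerShell below is an added example, not code from the original page, and serves two passages: the flat AADDC Users container and local-only custom OU objects described in the multi-forest section, and the password-hash prerequisite described just above. The first function inventories the managed domain and separates objects synchronized from Azure AD (which carry msDS-AzureADObjectId) from objects created locally in custom OUs (which never reach Azure AD and so sit outside any Azure AD governance). The second lists Azure AD users that have no counterpart in the managed domain yet, which in a cloud-only tenant is the set of accounts still waiting for a password change. It assumes the RSAT ActiveDirectory module, the Microsoft.Graph.Users module with Connect-MgGraph already run (User.Read.All), a reachable managed domain named aaddscontoso.com, and that msDS-AzureADObjectId is stored as the GUID string; all of those names are assumptions for illustration.

```powershell
# Added example, not from the original page. Domain name and DN are assumptions.
$Domain   = 'aaddscontoso.com'
$DomainDn = 'DC=aaddscontoso,DC=com'

# Normalize an object ID so a Graph Id and the msDS-AzureADObjectId value compare
# equal regardless of braces or case (stored format assumed to be the GUID string).
function ConvertTo-GuidKey([string]$Value) { return $Value.Trim('{}').ToLowerInvariant() }

# 1. Inventory of the managed domain. Users synchronized from Azure AD carry
#    msDS-AzureADObjectId and live under AADDC Users; users created in custom
#    OUs have no such ID and are never synchronized back to Azure AD.
function Get-AaddsUserInventory {
    param([string]$Server = $Domain, [string]$SearchBase = $DomainDn)
    Get-ADUser -Server $Server -SearchBase $SearchBase -Filter * -Properties 'msDS-AzureADObjectId' |
        ForEach-Object {
            $objectId = "$($_.'msDS-AzureADObjectId')"
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                # Parent container: strip the leading RDN (assumes no escaped commas in the CN).
                Container         = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                Origin            = $(if ($objectId) { 'AzureAD' } else { 'LocalOnly' })
                AzureAdObjectId   = $objectId
            }
        }
}

# 2. Azure AD users with no counterpart in the managed domain yet. In a
#    cloud-only tenant these are typically accounts that haven't changed their
#    password since Azure AD DS was enabled, so no Kerberos/NTLM hash exists;
#    OnPremisesSyncEnabled separates them from hybrid accounts, where the fix is
#    password hash synchronization in Azure AD Connect instead.
function Get-NotYetSyncedUsers {
    param([string]$Server = $Domain)
    $present = @{}
    Get-AaddsUserInventory -Server $Server |
        Where-Object { $_.Origin -eq 'AzureAD' } |
        ForEach-Object { $present[(ConvertTo-GuidKey $_.AzureAdObjectId)] = $true }

    Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled |
        Where-Object { -not $present.ContainsKey((ConvertTo-GuidKey $_.Id)) } |
        Select-Object UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
}

# Usage:
#   Get-AaddsUserInventory | Group-Object Origin, Container | Select-Object Count, Name
#   Get-NotYetSyncedUsers | Format-Table -AutoSize
```

Accounts reported by Get-NotYetSyncedUsers with OnPremisesSyncEnabled set to True point at the Azure AD Connect password hash configuration rather than at the user, since a hybrid user's password change happens on-premises and only reaches Azure AD if hash synchronization is enabled there.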

Next steps

For more information on the specifics of password hash synchronization, see How password hash synchronization works with Azure AD Connect.

To get started with Azure AD DS, create a managed domain.