Create an Azure Active Directory Domain Services managed domain using an Azure Resource Manager template

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

This article shows you how to create a managed domain using an Azure Resource Manager template. Supporting resources are created using Azure PowerShell.

Prerequisites

To complete this article, you need the following resources:

DNS naming requirements

When you create an Azure AD DS managed domain, you specify a DNS name. There are some considerations when you choose this DNS name:

  • Built-in domain name: By default, the built-in domain name of the directory is used (a .partner.onmschina.cn suffix). If you wish to enable secure LDAP access to the managed domain over the internet, you can't create a digital certificate to secure the connection with this default domain. Microsoft owns the .partner.onmschina.cn domain, so a Certificate Authority (CA) won't issue a certificate.
  • Custom domain names: The most common approach is to specify a custom domain name, typically one that you already own and that is routable. When you use a routable custom domain, traffic can correctly flow as needed to support your applications.
  • Non-routable domain suffixes: We generally recommend that you avoid a non-routable domain name suffix, such as contoso.local. The .local suffix isn't routable and can cause issues with DNS resolution.

Tip

If you create a custom domain name, take care with existing DNS namespaces. It's recommended to use a domain name separate from any existing Azure or on-premises DNS namespace.

For example, if you have an existing DNS namespace of contoso.com, create a managed domain with the custom domain name of aaddscontoso.com. If you need to use secure LDAP, you must register and own this custom domain name to generate the required certificates.

You may need to create some additional DNS records for other services in your environment, or conditional DNS forwarders between existing DNS namespaces in your environment. For example, if you run a web server that hosts a site using the root DNS name, there can be naming conflicts that require additional DNS entries.

In this sample and in the how-to articles, the custom domain aaddscontoso.com is used as a short example. In all commands, specify your own domain name.

The following DNS name restrictions also apply:

  • Domain prefix restrictions: You can't create a managed domain with a prefix longer than 15 characters. The prefix of your specified domain name (such as aaddscontoso in the aaddscontoso.com domain name) must contain 15 or fewer characters.
  • Network name conflicts: The DNS domain name for your managed domain shouldn't already exist in the virtual network. Specifically, check for the following scenarios that would lead to a name conflict:
    • You already have an Active Directory domain with the same DNS domain name on the Azure virtual network.
    • The virtual network where you plan to enable the managed domain has a VPN connection with your on-premises network. In this scenario, ensure you don't have a domain with the same DNS domain name on your on-premises network.
    • You have an existing Azure cloud service with that name on the Azure virtual network.
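The naming rules above are easy to get wrong before a deployment that takes up to an hour to roll back. The following PowerShell function is an added example (not part of the original article) that checks a candidate name against them offline: the 15-character prefix limit, the non-routable .local suffix, the .partner.onmschina.cn suffix when secure LDAP is planned, and overlap with DNS namespaces you already run. The function name and the -ExistingNamespaces parameter are this example's own.

```powershell
function Test-AaddsDomainName {
    <#
    .SYNOPSIS  Checks a proposed Azure AD DS DNS name against the naming rules in this article.
    .OUTPUTS   $true when no problem is found; otherwise $false, with one warning per problem.
    #>
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        # Set when you plan to publish secure LDAP and therefore need a CA-issued certificate.
        [switch] $RequireSecureLdap,
        # DNS namespaces already in use in Azure or on-premises (constructed input, e.g. 'contoso.com').
        [string[]] $ExistingNamespaces = @()
    )
    $name     = $DomainName.Trim().TrimEnd('.').ToLowerInvariant()
    $labels   = $name.Split('.')
    $prefix   = $labels[0]
    $problems = @()

    if ($labels.Count -lt 2 -or ($labels | Where-Object { $_ -eq '' })) {
        $problems += "'$DomainName' is not a valid multi-label DNS name."
    }
    # Domain prefix restriction: the first label is limited to 15 characters.
    if ($prefix.Length -gt 15) {
        $problems += "Prefix '$prefix' is $($prefix.Length) characters; the limit is 15."
    }
    # Non-routable suffix: .local breaks DNS resolution for clients on the virtual network.
    if ($labels[-1] -eq 'local') {
        $problems += "The .local suffix is not routable and can cause DNS resolution issues."
    }
    # Built-in suffix: no public CA will issue a certificate for the Microsoft-owned domain.
    if ($RequireSecureLdap -and $name.EndsWith('.partner.onmschina.cn')) {
        $problems += "Secure LDAP needs a CA-issued certificate, which is not available for .partner.onmschina.cn."
    }
    # Namespace overlap: the managed domain should not equal, or sit inside, an existing namespace.
    foreach ($ns in $ExistingNamespaces) {
        $ns = $ns.Trim().TrimEnd('.').ToLowerInvariant()
        if ($name -eq $ns -or $name.EndsWith(".$ns")) {
            $problems += "'$name' overlaps the existing DNS namespace '$ns'; pick a separate name such as aadds$ns."
        }
    }

    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

# Constructed checks: the first passes, the others each trip one rule.
Test-AaddsDomainName -DomainName 'aaddscontoso.com' -RequireSecureLdap -ExistingNamespaces 'contoso.com'   # $true
Test-AaddsDomainName -DomainName 'contoso.local'                                                          # $false
Test-AaddsDomainName -DomainName 'ds.contoso.com' -ExistingNamespaces 'contoso.com'                       # $false
Test-AaddsDomainName -DomainName 'contoso.partner.onmschina.cn' -RequireSecureLdap                        # $false
```

The function does not query Azure; the network-name-conflict checks in the list above still need to be verified against the virtual network and any VPN-connected on-premises domains.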

Create required Azure AD resources

Azure AD DS requires a service principal and an Azure AD group. These resources let the managed domain synchronize data, and define which users have administrative permissions in the managed domain.

First, register the Azure AD Domain Services resource provider using the Register-AzResourceProvider cmdlet:

Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

Create an Azure AD service principal using the New-AzureADServicePrincipal cmdlet so that Azure AD DS can communicate and authenticate itself. A specific application ID named Domain Controller Services is used, with an ID of 2565bd9d-da50-47d4-8b85-4c97f669dc36. Don't change this application ID.

New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"

Now create an Azure AD group named AAD DC Administrators using the New-AzureADGroup cmdlet. Users added to this group are then granted permissions to perform administration tasks on the managed domain.

New-AzureADGroup -DisplayName "AAD DC Administrators" `
  -Description "Delegated group to administer Azure AD Domain Services" `
  -SecurityEnabled $true -MailEnabled $false `
  -MailNickName "AADDCAdministrators"

With the AAD DC Administrators group created, add a user to the group using the Add-AzureADGroupMember cmdlet. You first get the AAD DC Administrators group object ID using the Get-AzureADGroup cmdlet, then the desired user's object ID using the Get-AzureADUser cmdlet.

The following example retrieves the user object ID for the account with a UPN of admin@contoso.partner.onmschina.cn. Replace this user account with the UPN of the user you wish to add to the AAD DC Administrators group:

# First, retrieve the object ID of the newly created 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
  -Filter "DisplayName eq 'AAD DC Administrators'" | `
  Select-Object ObjectId

# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
  -Filter "UserPrincipalName eq 'admin@contoso.partner.onmschina.cn'" | `
  Select-Object ObjectId

# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId

Finally, create a resource group using the New-AzResourceGroup cmdlet. In the following example, the resource group is named myResourceGroup and is created in the chinanorth2 region. Use your own name and desired region:

New-AzResourceGroup `
  -Name "myResourceGroup" `
  -Location "ChinaNorth2"
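The cmdlets above are written to be run once; on a second run Add-AzureADGroupMember fails on an existing membership, and a deployment started before the provider finishes registering fails with a resource-type error. The following PowerShell block is an added example (not from the original article) that performs the same five steps idempotently and waits for the provider registration to complete. It assumes the Az and AzureAD modules are installed and that Connect-AzAccount and Connect-AzureAD have been run against the same tenant; the UPN, resource group name and region are placeholders to replace.

```powershell
# Values from the article; replace the UPN, resource group and region with your own.
$AppId         = '2565bd9d-da50-47d4-8b85-4c97f669dc36'   # Domain Controller Services; do not change
$GroupName     = 'AAD DC Administrators'
$AdminUpn      = 'admin@contoso.partner.onmschina.cn'      # placeholder
$ResourceGroup = 'myResourceGroup'
$Location      = 'ChinaNorth2'

# 1. Register the Microsoft.AAD provider. Registration is asynchronous, so poll until every
#    resource type it exposes reports Registered before attempting a deployment.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.AAD' | Out-Null
do {
    Start-Sleep -Seconds 10
    $states = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.AAD').RegistrationState | Select-Object -Unique
    Write-Host "Microsoft.AAD registration state: $($states -join ', ')"
} while ($states -ne 'Registered')

# 2. Service principal for the fixed application ID, created only if the tenant lacks it.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $AppId
    Write-Host "Created service principal $($sp.ObjectId) for app $AppId"
}

# 3. Delegated administration group, created only if absent.
$group = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $GroupName `
        -Description 'Delegated group to administer Azure AD Domain Services' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
    Write-Host "Created group $GroupName ($($group.ObjectId))"
}

# 4. Membership: look the user up, fail loudly if the UPN is wrong, and skip an existing member.
$user = Get-AzureADUser -Filter "UserPrincipalName eq '$AdminUpn'"
if (-not $user) { throw "User '$AdminUpn' was not found in the tenant." }
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if ($members.ObjectId -notcontains $user.ObjectId) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $AdminUpn to $GroupName"
} else {
    Write-Host "$AdminUpn is already a member of $GroupName"
}

# 5. Resource group for the managed domain and its network, created only if missing.
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
    Write-Host "Created resource group $ResourceGroup in $Location"
}
```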

If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for additional redundancy. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions.

There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources.

Resource definition for Azure AD DS

As part of the Resource Manager resource definition, the following configuration parameters are required:

  • domainName: The DNS domain name for your managed domain, taking into consideration the previous points on naming prefixes and conflicts.
  • filteredSync: Azure AD DS lets you synchronize all users and groups available in Azure AD, or perform a scoped synchronization of only specific groups. For more information about scoped synchronization, see Azure AD Domain Services scoped synchronization.
  • notificationSettings: If any alerts are generated in the managed domain, email notifications can be sent out. Global administrators of the Azure tenant and members of the AAD DC Administrators group can be Enabled for these notifications. If desired, you can add additional recipients for notifications when there are alerts that require attention.
  • domainConfigurationType: By default, a managed domain is created as a User forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. You don't need to specify a domainConfiguration value to create a user forest. A Resource forest only synchronizes users and groups created directly in Azure AD. Set the value to ResourceTrusting to create a resource forest.

The following condensed parameters definition shows how these values are declared. A user forest named aaddscontoso.com is created with all users from Azure AD synchronized to the managed domain:

"parameters": {
    "domainName": {
        "value": "aaddscontoso.com"
    },
    "filteredSync": {
        "value": "Disabled"
    },
    "notificationSettings": {
        "value": {
            "notifyGlobalAdmins": "Enabled",
            "notifyDcAdmins": "Enabled",
            "additionalRecipients": []
        }
    },
    [...]
}

The following condensed Resource Manager template resource type is then used to define and create the managed domain. An Azure virtual network and subnet must already exist, or be created as part of the Resource Manager template. The managed domain is connected to this subnet.

"resources": [
    {
        "apiVersion": "2017-06-01",
        "type": "Microsoft.AAD/DomainServices",
        "name": "[parameters('domainName')]",
        "location": "[parameters('location')]",
        "dependsOn": [
            "[concat('Microsoft.Network/virtualNetworks/', parameters('vnetName'))]"
        ],
        "properties": {
            "domainName": "[parameters('domainName')]",
            "subnetId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', parameters('vnetName'), '/subnets/', parameters('subnetName'))]",
            "filteredSync": "[parameters('filteredSync')]",
            "notificationSettings": "[parameters('notificationSettings')]"
        }
    },
    [...]
]

These parameters and this resource type can be used as part of a wider Resource Manager template to deploy a managed domain, as shown in the following section.

Create a managed domain using a sample template

The following complete Resource Manager sample template creates a managed domain and the supporting virtual network, subnet, and network security group rules. The network security group rules are required to secure the managed domain and make sure traffic can flow correctly. A user forest with the DNS name aaddscontoso.com is created, with all users synchronized from Azure AD:

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "apiVersion": {
            "value": "2017-06-01"
        },
        "domainConfigurationType": {
            "value": "FullySynced"
        },
        "domainName": {
            "value": "aaddscontoso.com"
        },
        "filteredSync": {
            "value": "Disabled"
        },
        "location": {
            "value": "chinanorth2"
        },
        "notificationSettings": {
            "value": {
                "notifyGlobalAdmins": "Enabled",
                "notifyDcAdmins": "Enabled",
                "additionalRecipients": []
            }
        },
        "subnetName": {
            "value": "aadds-subnet"
        },
        "vnetName": {
            "value": "aadds-vnet"
        },
        "vnetAddressPrefixes": {
            "value": [
                "10.1.0.0/24"
            ]
        },
        "subnetAddressPrefix": {
            "value": "10.1.0.0/24"
        },
        "nsgName": {
            "value": "aadds-nsg"
        }
    },
    "resources": [
        {
            "apiVersion": "2017-06-01",
            "type": "Microsoft.AAD/DomainServices",
            "name": "[parameters('domainName')]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Network/virtualNetworks/', parameters('vnetName'))]"
            ],
            "properties": {
                "domainName": "[parameters('domainName')]",
                "subnetId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', parameters('vnetName'), '/subnets/', parameters('subnetName'))]",
                "filteredSync": "[parameters('filteredSync')]",
                "domainConfigurationType": "[parameters('domainConfigurationType')]",
                "notificationSettings": "[parameters('notificationSettings')]"
            }
        },
        {
            "type": "Microsoft.Network/NetworkSecurityGroups",
            "name": "[parameters('nsgName')]",
            "location": "[parameters('location')]",
            "properties": {
                "securityRules": [
                    {
                        "name": "AllowSyncWithAzureAD",
                        "properties": {
                            "access": "Allow",
                            "priority": 101,
                            "direction": "Inbound",
                            "protocol": "Tcp",
                            "sourceAddressPrefix": "AzureActiveDirectoryDomainServices",
                            "sourcePortRange": "*",
                            "destinationAddressPrefix": "*",
                            "destinationPortRange": "443"
                        }
                    },
                    {
                        "name": "AllowPSRemoting",
                        "properties": {
                            "access": "Allow",
                            "priority": 301,
                            "direction": "Inbound",
                            "protocol": "Tcp",
                            "sourceAddressPrefix": "AzureActiveDirectoryDomainServices",
                            "sourcePortRange": "*",
                            "destinationAddressPrefix": "*",
                            "destinationPortRange": "5986"
                        }
                    },
                    {
                        "name": "AllowRD",
                        "properties": {
                            "access": "Allow",
                            "priority": 201,
                            "direction": "Inbound",
                            "protocol": "Tcp",
                            "sourceAddressPrefix": "CorpNetSaw",
                            "sourcePortRange": "*",
                            "destinationAddressPrefix": "*",
                            "destinationPortRange": "3389"
                        }
                    }
                ]
            },
            "apiVersion": "2018-04-01"
        },
        {
            "type": "Microsoft.Network/virtualNetworks",
            "name": "[parameters('vnetName')]",
            "location": "[parameters('location')]",
            "apiVersion": "2018-04-01",
            "dependsOn": [
                "[concat('Microsoft.Network/NetworkSecurityGroups/', parameters('nsgName'))]"
            ],
            "properties": {
                "addressSpace": {
                    "addressPrefixes": "[parameters('vnetAddressPrefixes')]"
                },
                "subnets": [
                    {
                        "name": "[parameters('subnetName')]",
                        "properties": {
                            "addressPrefix": "[parameters('subnetAddressPrefix')]",
                            "networkSecurityGroup": {
                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/NetworkSecurityGroups/', parameters('nsgName'))]"
                            }
                        }
                    }
                ]
            }
        }
    ],
    "outputs": {}
}

This template can be deployed using your preferred deployment method, such as the Azure portal, Azure PowerShell, or a CI/CD pipeline. The following example uses the New-AzResourceGroupDeployment cmdlet. Specify your own resource group name and template filename:

New-AzResourceGroupDeployment -ResourceGroupName "myResourceGroup" -TemplateFile <path-to-template>

It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and the deployment can take up to an hour to complete. In the Azure portal, the Overview page for your managed domain shows the current status throughout this deployment stage.

When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

  • Update the DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
    • To configure DNS, select your managed domain in the portal. On the Overview window, you are prompted to automatically configure these DNS settings.
  • Enable password synchronization to Azure AD DS so end users can sign in to the managed domain using their corporate credentials.
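The deployment command above returns long before the managed domain is usable, and the DNS step is otherwise done by hand in the portal. The following PowerShell block is an added example (not from the original article) that validates the template before deploying, waits for the Microsoft.AAD/DomainServices resource to reach a terminal provisioningState, and then points the virtual network's DNS servers at the domain controller addresses the resource reports. It assumes Connect-AzAccount has been run, that the sample template is saved at the placeholder path, and that the resource exposes provisioningState and domainControllerIpAddress in its properties.

```powershell
# Placeholders to replace: resource group, template path, and the names used in the sample template.
$ResourceGroup = 'myResourceGroup'
$TemplateFile  = '.\aadds-template.json'   # path to the sample template saved locally
$VnetName      = 'aadds-vnet'
$DomainName    = 'aaddscontoso.com'

# 1. Validate first: parameter and schema errors surface here instead of partway through a deployment.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup -TemplateFile $TemplateFile
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw 'Template validation failed; nothing was deployed.'
}

# 2. Deploy. The cmdlet returns once Resource Manager has accepted the resources; the managed
#    domain itself keeps provisioning in the background for up to an hour.
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup -TemplateFile $TemplateFile `
    -Name "aadds-$(Get-Date -Format 'yyyyMMddHHmm')"
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment finished in state '$($deployment.ProvisioningState)'."
}

# 3. Poll the managed domain until provisioning reaches a terminal state.
do {
    Start-Sleep -Seconds 60
    $aadds = Get-AzResource -ResourceGroupName $ResourceGroup -ResourceType 'Microsoft.AAD/DomainServices' `
        -Name $DomainName -ExpandProperties
    $state = $aadds.Properties.provisioningState
    Write-Host "$(Get-Date -Format 'T') $DomainName provisioningState = $state"
} while ($state -notin 'Succeeded', 'Failed')
if ($state -ne 'Succeeded') {
    throw 'Managed domain provisioning failed; check the Overview page for the domain in the portal.'
}

# 4. Configure the virtual network's DNS to use the managed domain controllers, which is the
#    step the portal offers to do for you. The addresses are only reported after provisioning.
$dcIps = @($aadds.Properties.domainControllerIpAddress)
if ($dcIps.Count -eq 0) { throw 'The managed domain has not reported domain controller IP addresses yet.' }

$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcIps
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
Write-Host "Virtual network $VnetName now uses DNS servers: $($dcIps -join ', ')"
```

Virtual machines already running on the virtual network pick up the new DNS servers only after a restart or a DHCP lease renewal.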

Next steps

To see the managed domain in action, you can domain-join a Windows VM, configure secure LDAP, and configure password hash sync.