Troubleshoot account sign-in problems with an Azure Active Directory Domain Services managed domain

The most common reasons for a user account that can't sign in to an Azure Active Directory Domain Services (Azure AD DS) managed domain include the following scenarios:

Tip

Azure AD DS can't synchronize in credentials for accounts that are external to the Azure AD tenant. External users can't sign in to the Azure AD DS managed domain.

Account isn't synchronized into Azure AD DS yet

Depending on the size of your directory, it may take a while for user accounts and credential hashes to be available in a managed domain. For large directories, this initial one-way sync from Azure AD can take a few hours, and up to a day or two. Make sure that you wait long enough before retrying authentication.

For hybrid environments that use Azure AD Connect to synchronize on-premises directory data into Azure AD, make sure that you run the latest version of Azure AD Connect and have configured Azure AD Connect to perform a full synchronization after enabling Azure AD DS. If you disable Azure AD DS and then re-enable it, you have to follow these steps again.

If you continue to have issues with accounts not synchronizing through Azure AD Connect, restart the Azure AD Sync Service. From the computer with Azure AD Connect installed, open a command prompt window, then run the following commands:

net stop "Microsoft Azure AD Sync"
net start "Microsoft Azure AD Sync"

Azure AD DS doesn't have the password hashes

Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

Hybrid environments with on-premises synchronization

For hybrid environments using Azure AD Connect to synchronize from an on-premises AD DS environment, you can locally generate and synchronize the required NTLM or Kerberos password hashes into Azure AD. After you create your managed domain, enable password hash synchronization to Azure Active Directory Domain Services. Without completing this password hash synchronization step, you can't sign in to an account using the managed domain. If you disable Azure AD DS and then re-enable it, you have to follow those steps again.

For more information, see How password hash synchronization works for Azure AD DS.

Cloud-only environments with no on-premises synchronization

Managed domains with no on-premises synchronization, only accounts in Azure AD, also need to generate the required NTLM or Kerberos password hashes. If a cloud-only account can't sign in, has a password change process successfully completed for the account after enabling Azure AD DS?

  • No, the password has not been changed.
    • Change the password for the account to generate the required password hashes, then wait for 15 minutes before you try to sign in again.
    • If you disable Azure AD DS and then re-enable it, each account must follow the steps again to change their password and generate the required password hashes.
  • Yes, the password has been changed.
    • Try to sign in using the UPN format, such as driley@aaddscontoso.com, instead of the SAMAccountName format like AADDSCONTOSO\deeriley.
    • The SAMAccountName may be automatically generated for users whose UPN prefix is overly long or is the same as another user on the managed domain. The UPN format is guaranteed to be unique within an Azure AD tenant.

The account is locked out

A user account in a managed domain is locked out when a defined threshold for unsuccessful sign-in attempts has been met. This account lockout behavior is designed to protect you from repeated brute-force sign-in attempts that may indicate an automated digital attack.

By default, if there are 5 bad password attempts in 2 minutes, the account is locked out for 30 minutes.

For more information and how to resolve account lockout issues, see Troubleshoot account lockout problems in Azure AD DS.
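The cloud-only checklist above (has the password been changed since Azure AD DS was enabled, is the user signing in with the UPN) and the lockout check can be walked through in one script on a Windows VM that is joined to the managed domain. This is an added example, not part of the original article or Microsoft's own tooling; it assumes the RSAT ActiveDirectory module is installed, and the account name and the Azure AD DS enablement date are placeholders.

```powershell
# Added example (not from the original article): diagnose why an account cannot sign in
# to the managed domain, run from a domain-joined VM with the ActiveDirectory module.
Import-Module ActiveDirectory

$SamAccountName = 'deeriley'               # placeholder: account to check
$AaddsEnabledOn = Get-Date '2024-01-01'    # placeholder: date Azure AD DS was enabled

# 1. Is the account synchronized into the managed domain at all?
#    -Filter returns nothing (no error) when the account has not synced yet.
$user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" `
        -Properties UserPrincipalName, PasswordLastSet, LockedOut, AccountLockoutTime
if (-not $user) {
    Write-Output "Account '$SamAccountName' is not present in the managed domain yet."
    Write-Output "Wait for the initial sync from Azure AD; large directories can take a day or two."
    return
}

# 2. Cloud-only accounts only get NTLM/Kerberos hashes from a password change made
#    after Azure AD DS was enabled; PasswordLastSet shows whether that has happened.
if (-not $user.PasswordLastSet -or $user.PasswordLastSet -lt $AaddsEnabledOn) {
    Write-Output "Password last set: $($user.PasswordLastSet). No usable password hash exists yet."
    Write-Output "Change the password, then wait about 15 minutes before signing in again."
}

# 3. Sign in with the UPN rather than the SAMAccountName, which may have been
#    auto-generated if the UPN prefix was too long or collided with another user.
Write-Output "Sign in as UPN : $($user.UserPrincipalName)"
Write-Output "SAMAccountName : $($user.SamAccountName)"

# 4. Lockout: by default 5 bad passwords within 2 minutes lock the account for 30 minutes.
if ($user.LockedOut) {
    Write-Output "Account is locked out since $($user.AccountLockoutTime); it unlocks after 30 minutes by default."
} else {
    Write-Output "Account is not locked out."
}
```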

Next steps

If you still have problems joining your VM to the managed domain, find help and open a support ticket for Azure Active Directory.