Tutorial: Enable password synchronization in Azure Active Directory Domain Services for hybrid environments

For hybrid environments, an Azure Active Directory (Azure AD) tenant can be configured to synchronize with an on-premises Active Directory Domain Services (AD DS) environment using Azure AD Connect. By default, Azure AD Connect doesn't synchronize the legacy NT LAN Manager (NTLM) and Kerberos password hashes that are needed for Azure Active Directory Domain Services (Azure AD DS).

To use Azure AD DS with accounts synchronized from an on-premises AD DS environment, you need to configure Azure AD Connect to synchronize the password hashes required for NTLM and Kerberos authentication. After Azure AD Connect is configured, an on-premises account creation or password change event also synchronizes the legacy password hashes to Azure AD.

You don't need to perform these steps if you use cloud-only accounts with no on-premises AD DS environment, or if you use a resource forest. For managed domains that use a resource forest, on-premises password hashes are never synchronized. Authentication for on-premises accounts uses the forest trust(s) back to your own AD DS domain controllers.

In this tutorial, you learn:

  • Why legacy NTLM and Kerberos password hashes are needed
  • How to configure legacy password hash synchronization for Azure AD Connect

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources:

Password hash synchronization using Azure AD Connect

Azure AD Connect is used to synchronize objects such as user accounts and groups from an on-premises AD DS environment into an Azure AD tenant. As part of that process, password hash synchronization enables accounts to use the same password in the on-premises AD DS environment and in Azure AD.

To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NTLM and Kerberos authentication. Azure AD doesn't store password hashes in the format required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes from users' existing credentials.

Azure AD Connect can be configured to synchronize the NTLM and Kerberos password hashes required by Azure AD DS. Make sure that you have completed the steps to enable Azure AD Connect for password hash synchronization. If you have an existing instance of Azure AD Connect, download and update to the latest version to make sure you can synchronize the legacy password hashes for NTLM and Kerberos. This functionality isn't available in early releases of Azure AD Connect or with the legacy DirSync tool. Azure AD Connect version 1.1.614.0 or later is required.

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. Installing Azure AD Connect in an Azure AD DS managed domain to synchronize objects back to Azure AD is not supported.

Enable synchronization of password hashes

With Azure AD Connect installed and configured to synchronize with Azure AD, now configure the legacy password hash sync for NTLM and Kerberos. A PowerShell script is used to configure the required settings and then start a full password synchronization to Azure AD. When that Azure AD Connect password hash synchronization process is complete, users can sign in through Azure AD DS to applications that use legacy NTLM or Kerberos password hashes.

  1. On the computer with Azure AD Connect installed, open Azure AD Connect > Synchronization Service from the Start menu.

  2. Select the Connectors tab. The connection information used to establish the synchronization between the on-premises AD DS environment and Azure AD is listed.

    The Type column shows either Azure Active Directory (Microsoft) for the Azure AD connector or Active Directory Domain Services for the on-premises AD DS connector. Make a note of the connector names to use in the PowerShell script in the next step.

    [Screenshot: connector names listed in the Synchronization Service Manager]

    In this example screenshot, the following connectors are used:

    • The Azure AD connector is named contoso.partner.onmschina.cn - AAD
    • The on-premises AD DS connector is named onprem.contoso.com
  3. Copy and paste the following PowerShell script to the computer with Azure AD Connect installed. The script triggers a full password sync that includes legacy password hashes. Update the $azureadConnector and $adConnector variables with the connector names from the previous step.

    Run this script on each AD forest to synchronize on-premises account NTLM and Kerberos password hashes to Azure AD.

    # Define the Azure AD Connect connector names and import the required PowerShell module
    $azureadConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"
    $adConnector = "<CASE SENSITIVE AD DS CONNECTOR NAME>"
    
    Import-Module "C:\Program Files\Azure AD Sync\Bin\ADSync\ADSync.psd1"
    Import-Module "C:\Program Files\Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
    
    # Create a new ForceFullPasswordSync configuration parameter object then
    # update the existing connector with this new configuration
    $c = Get-ADSyncConnector -Name $adConnector
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c
    
    # Disable and re-enable Azure AD Connect to force a full password synchronization
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true
    

    Depending on the size of your directory in terms of the number of accounts and groups, synchronization of the legacy password hashes to Azure AD may take some time. Once synchronized to Azure AD, the password hashes are then synchronized to the managed domain.
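    The script above fails silently in practice if a connector name is mistyped (the names are case-sensitive) or if password hash synchronization was never enabled for the AD DS connector. The following pre-flight check is an added example, not part of the tutorial or of Azure AD Connect itself; it assumes the ADSync module path shown in the tutorial, that the ADSync module version tracks the Azure AD Connect build number, and that Get-ADSyncAADPasswordSyncConfiguration returns an object with an Enabled property.

```powershell
# Pre-flight check before forcing a full password sync (added example).
# Assumptions: ADSync module path as in the tutorial; ADSync module version
# tracks the Azure AD Connect build; Get-ADSyncAADPasswordSyncConfiguration
# exposes an Enabled property.
$azureadConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"
$adConnector      = "<CASE SENSITIVE AD DS CONNECTOR NAME>"
$minimumVersion   = [version]"1.1.614.0"   # minimum stated in the tutorial

Import-Module "C:\Program Files\Azure AD Sync\Bin\ADSync\ADSync.psd1"

$ok = $true

# 1. Version check: legacy hash sync needs 1.1.614.0 or later.
$installed = (Get-Module ADSync).Version
if ($installed -lt $minimumVersion) {
    Write-Warning "ADSync module $installed is older than $minimumVersion; update Azure AD Connect first."
    $ok = $false
}

# 2. Connector names must match exactly; -cnotcontains is case-sensitive,
#    so a case-only mismatch is reported with the real name as a hint.
$names = (Get-ADSyncConnector).Name
foreach ($n in @($adConnector, $azureadConnector)) {
    if ($names -cnotcontains $n) {
        $hint = $names | Where-Object { $_ -ieq $n }
        if ($hint) {
            Write-Warning "Connector '$n' not found; did you mean '$hint'? Names are case-sensitive."
        } else {
            Write-Warning "Connector '$n' not found. Available connectors: $($names -join ', ')"
        }
        $ok = $false
    }
}

# 3. Password hash sync must already be enabled for the AD DS connector;
#    the tutorial's script only forces a full sync, it does not enable PHS.
if ($ok) {
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
    if (-not $phs.Enabled) {
        Write-Warning "Password hash synchronization is not enabled for '$adConnector'; enable it in the Azure AD Connect wizard first."
        $ok = $false
    }
}

if ($ok) { Write-Output "Pre-flight checks passed; run the full password sync script." }
```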

Next steps

In this tutorial, you learned:

  • Why legacy NTLM and Kerberos password hashes are needed
  • How to configure legacy password hash synchronization for Azure AD Connect