Tutorial: Create an outbound forest trust to an on-premises domain in Azure Active Directory Domain Services

In environments where you can't synchronize password hashes, or where users sign in exclusively with smart cards and therefore don't know their password, you can use a resource forest in Azure Active Directory Domain Services (Azure AD DS). A resource forest uses a one-way outbound trust from Azure AD DS to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Azure AD DS managed domain. In a resource forest, on-premises password hashes are never synchronized.

Diagram of the forest trust from Azure AD DS to on-premises AD DS

In this tutorial, you learn how to:

  • Configure DNS in an on-premises AD DS environment to support Azure AD DS connectivity
  • Create a one-way inbound forest trust in an on-premises AD DS environment
  • Create a one-way outbound forest trust in Azure AD DS
  • Test and validate the trust relationship for authentication and resource access

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Sign in to the Azure portal

In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the Azure portal.

Networking considerations

The virtual network that hosts the Azure AD DS resource forest needs network connectivity to your on-premises Active Directory. Applications and services also need network connectivity to the virtual network hosting the Azure AD DS resource forest. Network connectivity to the Azure AD DS resource forest must be always on and stable; otherwise users may fail to authenticate or access resources.

Before you configure a forest trust in Azure AD DS, make sure the networking between Azure and your on-premises environment meets the following requirements:

  • Use private IP addresses. Don't rely on DHCP with dynamic IP address assignment.
  • Avoid overlapping IP address spaces so that virtual network peering and routing can successfully communicate between Azure and on-premises.
  • An Azure virtual network needs a gateway subnet to configure an Azure site-to-site (S2S) VPN or ExpressRoute connection.
  • Create subnets with enough IP addresses to support your scenario.
  • Make sure Azure AD DS has its own subnet; don't share this virtual network subnet with application VMs and services.
  • Peered virtual networks are NOT transitive.
    • Azure virtual network peerings must be created between all virtual networks in which you want to use the Azure AD DS resource forest trust to the on-premises AD DS environment.
  • Provide continuous network connectivity to your on-premises Active Directory forest. Don't use on-demand connections.
  • Make sure there's continuous name resolution (DNS) between your Azure AD DS resource forest name and your on-premises Active Directory forest name.

Configure DNS in the on-premises domain

To correctly resolve the managed domain from the on-premises environment, you may need to add forwarders to the existing DNS servers. If you haven't configured the on-premises environment to communicate with the managed domain, complete the following steps from a management workstation for the on-premises AD DS domain:

  1. Select Start | Administrative Tools | DNS
  2. Right-click the DNS server, such as myAD01, then select Properties
  3. Choose Forwarders, then Edit to add additional forwarders.
  4. Add the IP addresses of the managed domain, such as 10.0.2.4 and 10.0.2.5.
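The same forwarder change from an elevated PowerShell session on the on-premises DNS server, followed by a check that the managed domain's Kerberos and LDAP locator records now resolve, as an added example that is not part of the tutorial. The domain name and IP addresses are the tutorial's; the DnsServer module (installed with the DNS Server tools) is assumed.

```powershell
# Added example, not part of the tutorial. Run in an elevated PowerShell session on the
# on-premises DNS server (for example myAD01). Requires the DnsServer module.
$managedDomain = 'aaddscontoso.com'         # Azure AD DS managed domain used in this tutorial
$managedDnsIPs = '10.0.2.4', '10.0.2.5'     # managed domain DNS servers used in this tutorial

# Same change as the Forwarders tab: add the managed domain's DNS servers as forwarders.
Add-DnsServerForwarder -IPAddress $managedDnsIPs -PassThru

# A forest trust needs the other forest's domain controller locator records, not just
# A records. Check that the Kerberos and LDAP SRV records of the managed domain resolve.
$srvRecords = "_kerberos._tcp.dc._msdcs.$managedDomain",
              "_ldap._tcp.dc._msdcs.$managedDomain"

foreach ($record in $srvRecords) {
    try {
        $answer = Resolve-DnsName -Name $record -Type SRV -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'SRV' }
        foreach ($srv in $answer) {
            # Each answer names a managed domain DC and the port the service listens on
            Write-Host ('{0} -> {1}:{2}' -f $record, $srv.NameTarget, $srv.Port)
        }
    }
    catch {
        Write-Warning ("{0} did not resolve: {1}. Check the forwarders and connectivity to {2}." -f
            $record, $_.Exception.Message, ($managedDnsIPs -join ', '))
    }
}
```

If you prefer not to change where all otherwise-unresolved queries are sent, Add-DnsServerConditionalForwarderZone -Name $managedDomain -MasterServers $managedDnsIPs limits the forwarding to the managed domain's name only.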

Create an inbound forest trust in the on-premises domain

The on-premises AD DS domain needs an incoming forest trust for the managed domain. This trust must be created manually in the on-premises AD DS domain; it can't be created from the Azure portal.

To configure the inbound trust on the on-premises AD DS domain, complete the following steps from a management workstation for the on-premises AD DS domain:

  1. Select Start | Administrative Tools | Active Directory Domains and Trusts
  2. Right-click the domain, such as onprem.contoso.com, then select Properties
  3. Choose the Trusts tab, then New Trust
  4. Enter the name of the Azure AD DS domain, such as aaddscontoso.com, then select Next
  5. Select the option to create a Forest trust, then the option to create a One way: incoming trust.
  6. Choose to create the trust for This domain only. In the next step, you create the trust in the Azure portal for the managed domain.
  7. Choose to use Forest-wide authentication, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section.
  8. Step through the next few windows with the default options, then choose the option for No, do not confirm the outgoing trust.
  9. Select Finish
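The same local-side trust creation done from PowerShell on the on-premises side, with a read-back of the trust attributes the tutorial relies on, as an added example that is not part of the tutorial. It assumes the RSAT ActiveDirectory module, Domain Admin rights in onprem.contoso.com, and uses the .NET Forest class rather than the wizard.

```powershell
# Added example, not part of the tutorial. Run as a Domain Admin on a management workstation
# or DC of the on-premises forest (onprem.contoso.com). Creates only the local, on-premises
# side of the forest trust, which matches the wizard choices above: forest trust, one way:
# incoming, this domain only, and not confirming the outgoing side.
$managedDomain = 'aaddscontoso.com'   # Azure AD DS managed domain (the trusting side)

# Prompt for the trust password instead of storing it in the script; the user name is unused.
$trustCred     = Get-Credential -UserName 'trust-password' -Message "Trust password for $managedDomain"
$trustPassword = $trustCred.GetNetworkCredential().Password

Import-Module ActiveDirectory
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
if ($localForest.Name -ne 'onprem.contoso.com') {
    throw "Expected to run in onprem.contoso.com, but the current forest is $($localForest.Name)"
}

# TrustDirection.Inbound, relative to this forest: the managed forest will trust this forest,
# which is the wizard's "One way: incoming". The Forest class creates a forest (transitive)
# trust, not an external trust.
$localForest.CreateLocalSideOfTrustRelationship(
    $managedDomain,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound,
    $trustPassword)

# Read back the trusted domain object and check the attributes the tutorial relies on.
$trust = Get-ADTrust -Filter "Name -eq '$managedDomain'"
if (-not $trust) { throw "Trust object for $managedDomain was not created" }
[pscustomobject]@{
    Name                    = $trust.Name
    Direction               = $trust.Direction               # expect Inbound
    ForestTransitive        = $trust.ForestTransitive        # expect True: a forest trust, not external
    SelectiveAuthentication = $trust.SelectiveAuthentication # False = forest-wide authentication
} | Format-List
```

The same password entered in the Azure portal in the next section completes the trust; until then the trusted domain object exists only on the on-premises side.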

Create an outbound forest trust in Azure AD DS

With the on-premises AD DS domain configured to resolve the managed domain and an inbound forest trust created, now create the outbound forest trust. This outbound forest trust completes the trust relationship between the on-premises AD DS domain and the managed domain.

To create the outbound trust for the managed domain in the Azure portal, complete the following steps:

  1. In the Azure portal, search for and select Azure AD Domain Services, then select your managed domain, such as aaddscontoso.com

  2. From the menu on the left-hand side of the managed domain, select Trusts, then choose + Add a trust.

    Note

    If you don't see the Trusts menu option, check the Forest type under Properties. Only resource forests can create trusts. If the forest type is User, you can't create trusts. There's currently no way to change the forest type of a managed domain. You need to delete the managed domain and recreate it as a resource forest.

  3. Enter a display name that identifies your trust, then the DNS name of the on-premises trusted forest, such as onprem.contoso.com

  4. Provide the same trust password that was used when configuring the inbound forest trust for the on-premises AD DS domain in the previous section.

  5. Provide at least two DNS servers for the on-premises AD DS domain, such as 10.1.1.4 and 10.1.1.5

  6. When ready, Save the outbound forest trust

    Create the outbound forest trust in the Azure portal

Validate resource authentication

The following common scenarios let you validate that the forest trust correctly authenticates users and grants access to resources:

On-premises user authentication from the Azure AD DS resource forest

You should have a Windows Server virtual machine joined to the managed domain. Use this virtual machine to test that an on-premises user can authenticate on it. If needed, create a Windows VM and join it to the managed domain.

  1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using Azure Bastion and your Azure AD DS administrator credentials.

  2. Open a command prompt and use the whoami command to show the distinguished name of the currently authenticated user:

    whoami /fqdn
    
  3. Use the runas command to authenticate as a user from the on-premises domain. In the following command, replace userUpn@trusteddomain.com with the UPN of a user from the trusted on-premises domain. The command prompts you for the user's password:

    Runas /u:userUpn@trusteddomain.com cmd.exe
    
  4. If the authentication is successful, a new command prompt opens. The title of the new command prompt includes running as userUpn@trusteddomain.com.

  5. Use whoami /fqdn in the new command prompt to view the distinguished name of the authenticated user from the on-premises Active Directory.

Access resources in the Azure AD DS resource forest using an on-premises user

Using the Windows Server VM joined to the Azure AD DS resource forest, you can test the scenario where on-premises users, authenticating from computers in the on-premises domain, access resources hosted in the resource forest. The following examples show you how to create and test various common scenarios.

Enable file and printer sharing

  1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using Azure Bastion and your Azure AD DS administrator credentials.

  2. Open Windows Settings, then search for and select Network and Sharing Center.

  3. Choose the option for Change advanced sharing settings.

  4. Under the Domain profile, select Turn on file and printer sharing and then Save changes.

  5. Close Network and Sharing Center.

Create a security group and add members

  1. Open Active Directory Users and Computers.

  2. Right-click the domain name, choose New, and then select Organizational Unit.

  3. In the name box, type LocalObjects, then select OK.

  4. Select and right-click LocalObjects in the navigation pane. Select New and then Group.

  5. Type FileServerAccess in the Group name box. For the Group scope, select Domain local, then choose OK.

  6. In the content pane, double-click FileServerAccess. Select Members, choose Add, then select Locations.

  7. Select your on-premises Active Directory from the Location view, then choose OK.

  8. Type Domain Users in the Enter the object names to select box. Select Check Names, provide credentials for the on-premises Active Directory, then select OK.

    Note

    You must provide credentials because the trust relationship is only one way. This means users from the Azure AD DS managed domain can't access resources or search for users or groups in the trusted (on-premises) domain.

  9. The Domain Users group from your on-premises Active Directory should now be a member of the FileServerAccess group. Select OK to save the group and close the window.

Create a file share for cross-forest access

  1. On the Windows Server VM joined to the Azure AD DS resource forest, create a folder and give it a name such as CrossForestShare.
  2. Right-click the folder and choose Properties.
  3. Select the Security tab, then choose Edit.
  4. In the Permissions for CrossForestShare dialog box, select Add.
  5. Type FileServerAccess in Enter the object names to select, then select OK.
  6. Select FileServerAccess from the Group or user names list. In the Permissions for FileServerAccess list, choose Allow for the Modify and Write permissions, then select OK.
  7. Select the Sharing tab, then choose Advanced Sharing…
  8. Choose Share this folder, then enter a memorable name for the file share in Share name, such as CrossForestShare.
  9. Select Permissions. In the Permissions for Everyone list, choose Allow for the Change permission.
  10. Select OK two times and then Close.
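The group and share setup from the two preceding sections ("Create a security group and add members" and "Create a file share for cross-forest access") as one PowerShell script, added here as an example that is not part of the tutorial. It assumes the RSAT ActiveDirectory and SmbShare modules on the managed-domain VM, membership in AAD DC Administrators, and that Add-ADGroupMember accepts a group object fetched from the trusted forest with -Server as a cross-forest member; the folder path C:\CrossForestShare is a constructed value.

```powershell
# Added example, not part of the tutorial. Run as a member of AAD DC Administrators on the
# Windows Server VM joined to the managed domain. Requires the ActiveDirectory and SmbShare modules.
Import-Module ActiveDirectory

$onPremDomain = 'onprem.contoso.com'   # trusted on-premises forest from this tutorial
$sharePath    = 'C:\CrossForestShare'  # constructed path for the shared folder
$shareName    = 'CrossForestShare'

# 1. OU and domain-local group, as in "Create a security group and add members".
$domainDN = (Get-ADDomain).DistinguishedName
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'LocalObjects'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'LocalObjects' -Path $domainDN
}
$ouDN = "OU=LocalObjects,$domainDN"
if (-not (Get-ADGroup -Filter "Name -eq 'FileServerAccess'")) {
    # Domain local scope matters: only domain-local groups can hold principals from a trusted forest.
    New-ADGroup -Name 'FileServerAccess' -GroupScope DomainLocal -GroupCategory Security -Path $ouDN
}

# 2. Add the on-premises Domain Users group. Credentials are needed because the trust is one way:
#    the managed domain cannot search the trusted forest on its own. (Assumption: the ADGroup
#    object retrieved with -Server is accepted as a cross-forest member and stored as a
#    foreign security principal.)
$onPremCred  = Get-Credential -Message "Account in $onPremDomain that can read the directory"
$onPremUsers = Get-ADGroup -Identity 'Domain Users' -Server $onPremDomain -Credential $onPremCred
Add-ADGroupMember -Identity 'FileServerAccess' -Members $onPremUsers

# 3. Folder, NTFS permission and share, as in "Create a file share for cross-forest access".
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$((Get-ADDomain).NetBIOSName)\FileServerAccess", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Share permission Change for Everyone; the NTFS ACL above is what actually limits access
# to members of FileServerAccess.
New-SmbShare -Name $shareName -Path $sharePath -ChangeAccess 'Everyone' | Out-Null

# 4. The member should now appear as a foreign security principal (CN=S-1-5-...,CN=ForeignSecurityPrincipals,...).
(Get-ADGroup -Identity 'FileServerAccess' -Properties member).member
```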

Validate cross-forest authentication to a resource

  1. Sign in to a Windows computer joined to your on-premises Active Directory using a user account from your on-premises Active Directory.

  2. Using Windows Explorer, connect to the share you created using the fully qualified host name and the share name, such as \\fs1.aaddscontoso.com\CrossforestShare.

  3. To validate the write permission, right-click in the folder, choose New, then select Text Document. Use the default name New Text Document.

    If the write permissions are set correctly, a new text document is created. The following steps then open, edit, and delete the file as appropriate.

  4. To validate the read permission, open New Text Document.

  5. To validate the modify permission, add text to the file and close Notepad. When prompted to save changes, choose Save.

  6. To validate the delete permission, right-click New Text Document and choose Delete. Choose Yes to confirm file deletion.

Next steps

In this tutorial, you learned how to:

  • Configure DNS in an on-premises AD DS environment to support Azure AD DS connectivity
  • Create a one-way inbound forest trust in an on-premises AD DS environment
  • Create a one-way outbound forest trust in Azure AD DS
  • Test and validate the trust relationship for authentication and resource access

For more conceptual information about forest types in Azure AD DS, see How do forest trusts work in Azure AD DS?