Tutorial: Create and configure an Azure Active Directory Domain Services managed domain with advanced configuration options

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

You can create a managed domain using default configuration options for networking and synchronization, or manually define these settings. This tutorial shows you how to define those advanced configuration options to create and configure an Azure AD DS managed domain using the Azure portal.

In this tutorial, you learn how to:

  • Configure DNS and virtual network settings for a managed domain
  • Create a managed domain
  • Add administrative users to domain management
  • Enable password hash synchronization

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Although not required for Azure AD DS, it's recommended to configure self-service password reset (SSPR) for the Azure AD tenant. Users can change their password without SSPR, but SSPR helps if they forget their password and need to reset it.

Important

After you create a managed domain, you can't move it to a different resource group, virtual network, subscription, and so on. Take care to select the most appropriate subscription, resource group, region, and virtual network when you deploy the managed domain.

Sign in to the Azure portal

In this tutorial, you create and configure the managed domain using the Azure portal. To get started, first sign in to the Azure portal.

Create a managed domain and configure basic settings

To launch the Enable Azure AD Domain Services wizard, complete the following steps:

  1. On the Azure portal menu or from the Home page, select Create a resource.
  2. Enter Domain Services into the search bar, then choose Azure AD Domain Services from the search suggestions.
  3. On the Azure AD Domain Services page, select Create. The Enable Azure AD Domain Services wizard is launched.
  4. Select the Azure Subscription in which you would like to create the managed domain.
  5. Select the Resource group to which the managed domain should belong. Choose Create new or select an existing resource group.

When you create a managed domain, you specify a DNS name. There are some considerations when you choose this DNS name:

  • Built-in domain name: By default, the built-in domain name of the directory is used (a .partner.onmschina.cn suffix). If you wish to enable secure LDAP access to the managed domain over the internet, you can't create a digital certificate to secure the connection with this default domain. Microsoft owns the .partner.onmschina.cn domain, so a Certificate Authority (CA) won't issue a certificate for it.
  • Custom domain names: The most common approach is to specify a custom domain name, typically one that you already own and that is routable. When you use a routable custom domain, traffic can correctly flow as needed to support your applications.
  • Non-routable domain suffixes: We generally recommend that you avoid a non-routable domain name suffix, such as contoso.local. The .local suffix isn't routable and can cause issues with DNS resolution.

Tip

If you create a custom domain name, take care with existing DNS namespaces. It's recommended to use a domain name separate from any existing Azure or on-premises DNS namespace.

For example, if you have an existing DNS namespace of contoso.com, create a managed domain with the custom domain name aaddscontoso.com. If you need to use secure LDAP, you must register and own this custom domain name to generate the required certificates.

You may need to create some additional DNS records for other services in your environment, or conditional DNS forwarders between existing DNS namespaces in your environment. For example, if you run a web server that hosts a site using the root DNS name, there can be naming conflicts that require additional DNS entries.

In these tutorials and how-to articles, the custom domain aaddscontoso.com is used as a short example. In all commands, specify your own domain name.

The following DNS name restrictions also apply:

  • Domain prefix restrictions: You can't create a managed domain with a prefix longer than 15 characters. The prefix of your specified domain name (such as aaddscontoso in the aaddscontoso.com domain name) must contain 15 or fewer characters.
  • Network name conflicts: The DNS domain name for your managed domain shouldn't already exist in the virtual network. Specifically, check for the following scenarios that would lead to a name conflict:
    • You already have an Active Directory domain with the same DNS domain name on the Azure virtual network.
    • The virtual network where you plan to enable the managed domain has a VPN connection to your on-premises network. In this scenario, ensure you don't have a domain with the same DNS domain name on your on-premises network.
    • You have an existing Azure cloud service with that name on the Azure virtual network.

Complete the fields in the Basics window of the Azure portal to create a managed domain:

  1. Enter a DNS domain name for your managed domain, taking into consideration the previous points.

  2. Choose the Azure Location in which the managed domain should be created. If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for additional redundancy.

    Tip

    Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions.

    There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources.

  3. The SKU determines the performance, backup frequency, and maximum number of forest trusts you can create. You can change the SKU after the managed domain has been created if your business demands or requirements change. For more information, see Azure AD DS SKU concepts.

    For this tutorial, select the Standard SKU.

  4. A forest is a logical construct used by Active Directory Domain Services to group one or more domains. By default, a managed domain is created as a User forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment.

    A Resource forest only synchronizes users and groups created directly in Azure AD. Password hashes for on-premises users are never synchronized into a managed domain when you create a resource forest.

    For this tutorial, choose to create a User forest.

    Screenshot: Configure basic settings for an Azure AD Domain Services managed domain

  5. To manually configure additional options, choose Next - Networking. Otherwise, select Review + create to accept the default configuration options, then skip to the section Deploy the managed domain. The following defaults are configured when you choose this create option:

    • Creates a virtual network named aadds-vnet that uses the IP address range 10.0.1.0/24.
    • Creates a subnet named aadds-subnet using the IP address range 10.0.1.0/24.
    • Synchronizes All users from Azure AD into the managed domain.

Create and configure the virtual network

To provide connectivity, an Azure virtual network and a dedicated subnet are needed. Azure AD DS is enabled in this virtual network subnet. In this tutorial, you create a virtual network, though you could instead choose to use an existing virtual network. In either approach, you must create a dedicated subnet for use by Azure AD DS.

Some considerations for this dedicated virtual network subnet include the following areas:

  • The subnet must have at least 3-5 available IP addresses in its address range to support the Azure AD DS resources.
  • Don't select the Gateway subnet for deploying Azure AD DS. It's not supported to deploy Azure AD DS into a Gateway subnet.
  • Don't deploy any other virtual machines to the subnet. Applications and VMs often use network security groups to secure connectivity. Running these workloads in a separate subnet lets you apply those network security groups without disrupting connectivity to your managed domain.
  • You can't move your managed domain to a different virtual network after you enable Azure AD DS.

For more information on how to plan and configure the virtual network, see networking considerations for Azure Active Directory Domain Services.
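As an added example that is not part of the original tutorial, the following Python script turns the DNS-name rules from the previous section and the dedicated-subnet rules from this one into a pre-flight check you can run before opening the wizard. The sample names and address ranges are constructed, and the five addresses Azure reserves in every subnet is standard Azure behaviour that the page itself does not mention.

```python
import ipaddress

# Pre-flight check for the naming and subnet rules the tutorial lists.
# All sample names and address ranges used here are constructed for illustration.

BUILT_IN_SUFFIX = ".partner.onmschina.cn"  # default tenant suffix named on the page
MAX_PREFIX_LEN = 15                         # domain prefix limit stated on the page
MIN_USABLE_IPS = 5                          # page asks for 3-5 free addresses; use the upper bound
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED_PER_SUBNET = 5               # Azure keeps the first four and the last address of a subnet


def check_dns_name(domain, existing_namespaces=()):
    """Return the list of problems with a candidate managed-domain DNS name (empty = OK)."""
    findings = []
    name = domain.lower().rstrip(".")
    prefix = name.split(".")[0]
    if len(prefix) > MAX_PREFIX_LEN:
        findings.append(f"prefix '{prefix}' has {len(prefix)} characters; limit is {MAX_PREFIX_LEN}")
    if name.endswith(".local"):
        findings.append("'.local' suffix is not routable and can break DNS resolution")
    if name.endswith(BUILT_IN_SUFFIX):
        findings.append("built-in suffix: a CA will not issue a secure LDAP certificate for it")
    for ns in existing_namespaces:
        ns = ns.lower().rstrip(".")
        # Equal names, or one being a subdomain of the other, collide with the existing namespace.
        if name == ns or name.endswith("." + ns) or ns.endswith("." + name):
            findings.append(f"'{name}' overlaps existing DNS namespace '{ns}'")
    return findings


def check_subnet(vnet_cidr, subnet_cidr, subnet_name):
    """Return the list of problems with the dedicated Azure AD DS subnet (empty = OK)."""
    findings = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if not any(subnet.subnet_of(private) for private in RFC1918):
        findings.append(f"{subnet} is public address space; Azure AD DS requires a private range")
    if not subnet.subnet_of(vnet):
        findings.append(f"{subnet} is not inside virtual network {vnet}")
    usable = subnet.num_addresses - AZURE_RESERVED_PER_SUBNET
    if usable < MIN_USABLE_IPS:
        findings.append(f"{subnet} leaves only {usable} usable addresses; need at least {MIN_USABLE_IPS}")
    if subnet_name.lower() == "gatewaysubnet":
        findings.append("the gateway subnet is not supported for Azure AD DS")
    return findings


def preflight(domain, existing_namespaces, vnet_cidr, subnet_cidr, subnet_name):
    """Run both checks; True means the wizard inputs satisfy every rule checked here."""
    problems = check_dns_name(domain, existing_namespaces)
    problems += check_subnet(vnet_cidr, subnet_cidr, subnet_name)
    return len(problems) == 0, problems


if __name__ == "__main__":
    # The tutorial's own example: aaddscontoso.com next to an existing contoso.com namespace.
    ok, problems = preflight("aaddscontoso.com", ["contoso.com"], "10.0.1.0/24", "10.0.1.0/24", "DomainServices")
    print("OK" if ok else "\n".join(problems))
    # A deliberately bad plan: prefix too long, .local suffix, tiny subnet, gateway subnet.
    ok, problems = preflight("aaddscontosoverylong.local", ["contoso.com"], "10.0.0.0/16", "10.0.1.0/29", "GatewaySubnet")
    print("OK" if ok else "\n".join(problems))
```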

Complete the fields in the Network window as follows:

  1. On the Network page, choose a virtual network to deploy Azure AD DS into from the drop-down menu, or select Create new.

    1. If you choose to create a virtual network, enter a name for the virtual network, such as myVnet, then provide an address range, such as 10.0.1.0/24.
    2. Create a dedicated subnet with a clear name, such as DomainServices. Provide an address range, such as 10.0.1.0/24.

    Screenshot: Create a virtual network and subnet for use with Azure AD Domain Services

    Make sure to pick an address range that is within your private IP address range. IP address ranges you don't own that are in the public address space cause errors within Azure AD DS.

  2. Select a virtual network subnet, such as DomainServices.

  3. When ready, choose Next - Administration.

Configure an administrative group

A special administrative group named AAD DC Administrators is used for management of the Azure AD DS domain. Members of this group are granted administrative permissions on VMs that are domain-joined to the managed domain. On domain-joined VMs, this group is added to the local administrators group. Members of this group can also use Remote Desktop to connect remotely to domain-joined VMs.

Important

You don't have Domain Administrator or Enterprise Administrator permissions on a managed domain using Azure AD DS. These permissions are reserved by the service and aren't made available to users within the tenant.

Instead, the AAD DC Administrators group lets you perform some privileged operations. These operations include belonging to the administration group on domain-joined VMs, and configuring Group Policy.

The wizard automatically creates the AAD DC Administrators group in your Azure AD directory. If you have an existing group with this name in your Azure AD directory, the wizard selects this group. You can optionally choose to add additional users to this AAD DC Administrators group during the deployment process. These steps can be completed later.

  1. To add additional users to this AAD DC Administrators group, select Manage group membership.

    Screenshot: Configure group membership of the AAD DC Administrators group

  2. Select the Add members button, then search for and select users from your Azure AD directory. For example, search for your own account, and add it to the AAD DC Administrators group.

  3. If desired, change or add additional recipients for notifications when there are alerts in the managed domain that require attention.

  4. When ready, choose Next - Synchronization.

Configure synchronization

Azure AD DS lets you synchronize all users and groups available in Azure AD, or perform a scoped synchronization of only specific groups. You can change the synchronization scope now, or once the managed domain is deployed. For more information, see Azure AD Domain Services scoped synchronization.

  1. For this tutorial, choose to synchronize All users and groups. This synchronization choice is the default option.

    Screenshot: Perform a full synchronization of users and groups from Azure AD

  2. Select Review + create.

Deploy the managed domain

On the Summary page of the wizard, review the configuration settings for your managed domain. You can go back to any step of the wizard to make changes. To redeploy a managed domain to a different Azure AD tenant in a consistent way using these configuration options, you can also Download a template for automation.

  1. To create the managed domain, select Create. A note is displayed that certain configuration options, such as the DNS name or virtual network, can't be changed once the Azure AD DS managed domain has been created. To continue, select OK.

  2. The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Azure AD DS deployment. Select the notification to see detailed progress for the deployment.

    Screenshot: Deploying notification shown in the Azure portal

  3. Select your resource group, such as myResourceGroup, then choose your managed domain from the list of Azure resources, such as aaddscontoso.com. The Overview tab shows that the managed domain is currently Deploying. You can't configure the managed domain until it's fully provisioned.

    Screenshot: Domain Services status during provisioning

  4. When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.

    Screenshot: Domain Services status once successfully provisioned

Important

The managed domain is associated with your Azure AD tenant. During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in the Azure AD tenant. These Enterprise Applications are needed to service your managed domain. Don't delete these applications.

Update DNS settings for the Azure virtual network

With Azure AD DS successfully deployed, now configure the virtual network to allow other connected VMs and applications to use the managed domain. To provide this connectivity, update the DNS server settings for your virtual network to point to the two IP addresses where the managed domain is deployed.

  1. The Overview tab for your managed domain shows some Required configuration steps. The first configuration step is to update DNS server settings for your virtual network. Once the DNS settings are correctly configured, this step is no longer shown.

    The addresses listed are the domain controllers for use in the virtual network. In this example, those addresses are 10.0.1.4 and 10.0.1.5. You can later find these IP addresses on the Properties tab.

    Screenshot: Configure the virtual network DNS settings with the Azure AD Domain Services IP addresses

  2. To update the DNS server settings for the virtual network, select the Configure button. The DNS settings are automatically configured for your virtual network.

Tip

If you selected an existing virtual network in the previous steps, any VMs connected to the network only get the new DNS settings after a restart. You can restart VMs using the Azure portal, Azure PowerShell, or the Azure CLI.

Enable user accounts for Azure AD DS

To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

Note

Once appropriately configured, the usable password hashes are stored in the managed domain. If you delete the managed domain, any password hashes stored at that point are also deleted.

Synchronized credential information in Azure AD can't be reused if you later create a managed domain; you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to authenticate immediately, because Azure AD needs to generate and store the password hashes in the new managed domain.

For more information, see Password hash sync process for Azure AD DS and Azure AD Connect.

The steps to generate and store these password hashes are different for cloud-only user accounts created in Azure AD versus user accounts that are synchronized from your on-premises directory using Azure AD Connect.

A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. These user accounts aren't synchronized from an on-premises directory.

In this tutorial, let's work with a basic cloud-only user account. For more information on the additional steps required to use Azure AD Connect, see Synchronize password hashes for user accounts synced from your on-premises AD to your managed domain.

Tip

If your Azure AD tenant has a combination of cloud-only users and users from your on-premises AD, you need to complete both sets of steps.

For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account isn't synchronized from Azure AD to Azure AD DS until the password is changed. Either expire the passwords for all cloud users in the tenant who need to use Azure AD DS, which forces a password change on next sign-in, or instruct cloud users to manually change their passwords. For this tutorial, let's manually change a user password.

Before a user can reset their password, the Azure AD tenant must be configured for self-service password reset.

To change the password for a cloud-only user, the user must complete the following steps:

  1. Go to the Azure AD Access Panel page at https://account.activedirectory.windowsazure.cn/r#/applications.

  2. In the top-right corner, select your name, then choose Profile from the drop-down menu.

    Screenshot: Select Profile

  3. On the Profile page, select Change password.

  4. On the Change password page, enter your existing (old) password, then enter and confirm a new password.

  5. Select Submit.

It takes a few minutes after you've changed your password for the new password to be usable in Azure AD DS and for you to successfully sign in to computers joined to the managed domain.

Next steps

In this tutorial, you learned how to:

  • Configure DNS and virtual network settings for a managed domain
  • Create a managed domain
  • Add administrative users to domain management
  • Enable user accounts for Azure AD DS and generate password hashes

To see this managed domain in action, create a virtual machine and join it to the domain.