Tutorial: Create a management VM to configure and administer an Azure Active Directory Domain Services managed domain

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You administer this managed domain using the same Remote Server Administration Tools (RSAT) as with an on-premises Active Directory Domain Services domain. Because Azure AD DS is a managed service, there are some administrative tasks that you can't perform, such as using the Remote Desktop Protocol (RDP) to connect to the domain controllers.

This tutorial shows you how to configure a Windows Server VM in Azure and install the required tools to administer an Azure AD DS managed domain.

In this tutorial, you learn how to:

  • Understand the available administrative tasks in a managed domain
  • Install the Active Directory administrative tools on a Windows Server VM
  • Use the Active Directory Administrative Center to perform common tasks

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Sign in to the Azure portal

In this tutorial, you create and configure a management VM using the Azure portal. To get started, first sign in to the Azure portal.

Available administrative tasks in Azure AD DS

Azure AD DS provides a managed domain for your users, applications, and services to consume. This approach changes some of the management tasks you can do, and what privileges you have within the managed domain. These tasks and permissions may differ from what you experience with a regular on-premises Active Directory Domain Services environment. You also can't connect to domain controllers on the managed domain using Remote Desktop.

Administrative tasks you can perform on a managed domain

Members of the AAD DC Administrators group are granted privileges on the managed domain that enable them to do tasks such as:

  • Configure the built-in group policy objects (GPOs) for the AADDC Computers and AADDC Users containers in the managed domain.
  • Administer DNS on the managed domain.
  • Create and administer custom organizational units (OUs) on the managed domain.
  • Gain administrative access to computers joined to the managed domain.

Administrative privileges you don't have on a managed domain

The managed domain is locked down, so you don't have privileges to do certain administrative tasks on the domain. The following are examples of tasks you can't do:

  • Extend the schema of the managed domain.
  • Connect to domain controllers for the managed domain using Remote Desktop.
  • Add domain controllers to the managed domain.
  • You don't have Domain Administrator or Enterprise Administrator privileges for the managed domain.

Sign in to the Windows Server VM

In the previous tutorial, a Windows Server VM was created and joined to the managed domain. Use that VM to install the management tools. If needed, follow the steps in that tutorial to create a Windows Server VM and join it to a managed domain.

Note

In this tutorial, you use a Windows Server VM in Azure that is joined to the managed domain. You can also use a Windows client, such as Windows 10, that is joined to the managed domain.

For more information on how to install the administrative tools on a Windows client, see Install Remote Server Administration Tools (RSAT).

To get started, connect to the Windows Server VM as follows:

  1. In the Azure portal, select Resource groups on the left-hand side. Choose the resource group where your VM was created, such as myResourceGroup, then select the VM, such as myVM.

  2. In the Overview pane for your VM, select Connect, then Bastion.

    (Screenshot: Connect to a Windows virtual machine using Bastion in the Azure portal)

  3. Enter the credentials for your VM, then select Connect.

    (Screenshot: Connect through a Bastion host in the Azure portal)

If needed, allow your web browser to open pop-ups so the Bastion connection can be displayed. It takes a few seconds to make the connection to your VM.

Install Active Directory administrative tools

You use the same administrative tools in a managed domain as in on-premises AD DS environments, such as the Active Directory Administrative Center (ADAC) or AD PowerShell. These tools can be installed as part of the Remote Server Administration Tools (RSAT) feature on Windows Server and client computers. Members of the AAD DC Administrators group can then administer managed domains remotely using these AD administrative tools from a computer that is joined to the managed domain.

To install the Active Directory administrative tools on a domain-joined VM, complete the following steps:

  1. If Server Manager doesn't open by default when you sign in to the VM, select the Start menu, then choose Server Manager.

  2. In the Dashboard pane of the Server Manager window, select Add Roles and Features.

  3. On the Before You Begin page of the Add Roles and Features Wizard, select Next.

  4. For the Installation Type, leave the Role-based or feature-based installation option checked and select Next.

  5. On the Server Selection page, choose the current VM from the server pool, such as myvm.aaddscontoso.com, then select Next.

  6. On the Server Roles page, click Next.

  7. On the Features page, expand the Remote Server Administration Tools node, then expand the Role Administration Tools node.

    Choose the AD DS and AD LDS Tools feature from the list of role administration tools, then select Next.

    (Screenshot: Install the AD DS and AD LDS Tools from the Features page)

  8. On the Confirmation page, select Install. It may take a minute or two to install the administrative tools.

  9. When feature installation is complete, select Close to exit the Add Roles and Features wizard.
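The wizard steps above can also be scripted and verified from an elevated PowerShell session on the domain-joined VM. This is an added example, not part of the tutorial; it assumes the standard Windows Server feature name RSAT-AD-Tools for "AD DS and AD LDS Tools" and checks the install state rather than assuming the wizard succeeded.

```powershell
# Added example (not from the tutorial): scripted equivalent of the Add Roles and Features
# wizard steps above. Run in an elevated PowerShell session on the domain-joined Windows
# Server VM. 'RSAT-AD-Tools' is the feature name for "AD DS and AD LDS Tools"; its
# sub-features include the AD Administrative Center and the ActiveDirectory module.

# Install the feature and everything beneath it (ADAC, AD DS snap-ins, AD LDS tools, AD PowerShell).
$result = Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature

if (-not $result.Success) {
    throw "Feature installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the tools are fully usable.'
}

# Verify the install state of each component instead of trusting the wizard's summary page.
Get-WindowsFeature -Name RSAT-AD-Tools, RSAT-AD-AdminCenter, RSAT-ADDS-Tools, RSAT-AD-PowerShell, RSAT-ADLDS |
    Select-Object Name, DisplayName, InstallState

# Confirm the ActiveDirectory module is importable, since the next section relies on it.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw 'The ActiveDirectory PowerShell module is not available after installation.'
}
```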

Use Active Directory administrative tools

With the administrative tools installed, let's see how to use them to administer the managed domain. Make sure that you're signed in to the VM with a user account that's a member of the AAD DC Administrators group.

  1. From the Start menu, select Windows Administrative Tools. The AD administrative tools installed in the previous step are listed.

    (Screenshot: List of administrative tools installed on the server)

  2. Select Active Directory Administrative Center.

  3. To explore the managed domain, choose the domain name in the left pane, such as aaddscontoso. Two containers named AADDC Computers and AADDC Users are at the top of the list.

    (Screenshot: List of the available containers for the managed domain)

  4. To see the users and groups that belong to the managed domain, select the AADDC Users container. The user accounts and groups from your Azure AD tenant are listed in this container.

    In the following example output, a user account named Contoso Admin and a group for AAD DC Administrators are shown in this container.

    (Screenshot: View the list of Azure AD DS domain users in the Active Directory Administrative Center)

  5. To see the computers that are joined to the managed domain, select the AADDC Computers container. An entry for the current virtual machine, such as myVM, is listed. Computer accounts for all devices that are joined to the managed domain are stored in this AADDC Computers container.

Common Active Directory Administrative Center actions such as resetting a user account password or managing group membership are available. These actions only work for users and groups created directly in the managed domain. Identity information only synchronizes from Azure AD to Azure AD DS; there's no write back from Azure AD DS to Azure AD. You can't change passwords or manage group membership for users synchronized from Azure AD and have those changes synchronized back.

You can also use the Active Directory Module for Windows PowerShell, installed as part of the administrative tools, to manage common actions in your managed domain.
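The same checks the Administrative Center walkthrough above makes by hand (membership of AAD DC Administrators, the contents of AADDC Users and AADDC Computers) can be run with the Active Directory module. This is an added example, not code from the tutorial; it assumes AADDC Users and AADDC Computers are organizational units directly under the domain root, and that the signed-in Windows account name matches the AD sAMAccountName.

```powershell
# Added example (not from the tutorial): verify the prerequisite the page states and
# inventory the managed domain with the AD PowerShell module.
# Assumption: AADDC Users and AADDC Computers are OUs directly under the domain root;
# adjust the distinguished names below if your managed domain differs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Managed domain: $($domain.DNSRoot) ($($domain.DistinguishedName))"

# 1. Confirm the signed-in account is in AAD DC Administrators. The administrative tasks
#    on this page require that membership; nested membership counts, hence -Recursive.
$adminMembers = Get-ADGroupMember -Identity 'AAD DC Administrators' -Recursive
$isAdmin = [bool]($adminMembers | Where-Object SamAccountName -eq $env:USERNAME)
if (-not $isAdmin) {
    Write-Warning "$env:USERNAME is not a member of AAD DC Administrators; administrative actions will fail."
}

# 2. List the accounts in AADDC Users. These are synchronized from Azure AD, so password
#    resets or group changes made here do not write back to Azure AD.
$usersOu = "OU=AADDC Users,$($domain.DistinguishedName)"
Get-ADUser -Filter * -SearchBase $usersOu -Properties LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate |
    Sort-Object SamAccountName | Format-Table -AutoSize

# 3. List the computer accounts in AADDC Computers; the management VM (for example myVM) should appear.
$computersOu = "OU=AADDC Computers,$($domain.DistinguishedName)"
Get-ADComputer -Filter * -SearchBase $computersOu -Properties OperatingSystem |
    Select-Object Name, DNSHostName, OperatingSystem | Format-Table -AutoSize

# 4. Show who currently holds administrative rights on the managed domain, for periodic review.
$adminMembers | Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize
```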

Next steps

In this tutorial, you learned how to:

  • Understand the available administrative tasks in a managed domain
  • Install the Active Directory administrative tools on a Windows Server VM
  • Use the Active Directory Administrative Center to perform common tasks

To safely interact with your managed domain from other applications, enable secure Lightweight Directory Access Protocol (LDAPS).