Controlled validation of hybrid Azure AD join

When all of the prerequisites are in place, Windows devices automatically register as devices in your Azure AD tenant. The state of these device identities in Azure AD is referred to as hybrid Azure AD join. More information about the concepts covered in this article can be found in the articles Introduction to device management in Azure Active Directory and Plan your hybrid Azure Active Directory join implementation.

Organizations may want to do a controlled validation of hybrid Azure AD join with a pilot population before enabling it across the entire organization all at once. This article explains how to accomplish such a controlled validation.

Controlled validation of hybrid Azure AD join on Windows current devices

For devices running the Windows desktop operating system, the supported version is the Windows 10 Anniversary Update (version 1607) or later. As a best practice, upgrade to the latest version of Windows 10.

To do a controlled validation of hybrid Azure AD join on Windows current devices, you need to:

  1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists, so that domain-joined computers outside the pilot do not register.
  2. Configure the client-side registry setting for the SCP on the pilot domain-joined computers using a Group Policy Object (GPO).
  3. If you are using AD FS, also configure the client-side registry setting for the SCP on your AD FS servers using a GPO.
  4. You may also need to customize synchronization options in Azure AD Connect to enable device synchronization.

Clear the SCP from AD

Use the Active Directory Services Interfaces Editor (ADSI Edit) to modify the SCP object in AD. The SCP lives in the Configuration partition, which is replicated forest-wide, so clearing it affects every domain in the forest, not just the one you connect to.

  1. Launch the ADSI Edit desktop application from an administrative workstation or a domain controller as an Enterprise Administrator.
  2. Connect to the Configuration Naming Context of your forest.
  3. Browse to CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration
  4. Right-click the leaf object CN=62a0ff2e-97b9-4513-943f-0d221bd30080 and select Properties
    1. Select keywords in the Attribute Editor window and click Edit
    2. Select the azureADId and azureADName values (one at a time) and click Remove
  5. Close ADSI Edit
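The same inspection and removal can be scripted with the ActiveDirectory module, which is useful for checking that the SCP really is clear on every domain controller before the pilot starts. This is an added example, not code from the original article: it resolves the Configuration naming context from the RootDSE instead of hard-coding DC=contoso,DC=com, reports the azureADId/azureADName keyword values, and removes them only when run with -Clear. It assumes the RSAT ActiveDirectory module is installed and, for the removal step, Enterprise Administrator rights.

```powershell
# Added example: inspect (and optionally clear) the hybrid Azure AD join SCP with the
# ActiveDirectory module instead of ADSI Edit. Not part of the original article.
# Requires the RSAT ActiveDirectory module; -Clear additionally needs Enterprise Admin rights.
#Requires -Modules ActiveDirectory
param(
    # Remove the azureADId/azureADName keywords instead of only reporting them.
    [switch]$Clear
)

# The SCP lives in the forest-wide Configuration partition; its CN is the fixed GUID
# named in the article. Build the DN from the RootDSE rather than hard-coding the forest name.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

$scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction SilentlyContinue
if (-not $scp) {
    Write-Output "No SCP found at $scpDn - nothing to clear; clients will rely on the client-side registry."
    return
}

# Azure AD Connect writes the tenant binding as two keyword values:
#   azureADId:<tenant GUID>   and   azureADName:<verified domain>
$aadKeywords = @($scp.keywords | Where-Object { $_ -match '^azureAD(Id|Name):' })

if ($aadKeywords.Count -eq 0) {
    Write-Output "SCP exists but carries no azureADId/azureADName keywords; already cleared."
    return
}

Write-Output "Current SCP keywords:"
$aadKeywords | ForEach-Object { Write-Output "  $_" }

if ($Clear) {
    # -Remove deletes only the listed values from the multi-valued attribute; other keywords survive.
    Set-ADObject -Identity $scpDn -Remove @{ keywords = $aadKeywords } -Confirm:$false

    # Re-read and fail loudly if anything is left, so a permissions problem is not mistaken for success.
    $after = (Get-ADObject -Identity $scpDn -Properties keywords).keywords
    if ($after | Where-Object { $_ -match '^azureAD(Id|Name):' }) {
        throw "SCP keywords still present after removal; check permissions and replication."
    }
    Write-Output "Removed azureADId/azureADName from the SCP. Allow AD replication to complete before testing clients."
}
else {
    Write-Output "Re-run with -Clear to remove these values (run as Enterprise Administrator)."
}
```

Run it once without -Clear to record what the SCP currently points at (you will need the tenant ID and name again for the client-side GPO), then with -Clear. Because the Configuration partition replicates to every domain controller in the forest, wait for replication before expecting non-pilot machines to stop registering.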

Configure the client-side registry setting for the SCP

Use the following example to create a Group Policy Object (GPO) that deploys registry settings configuring an SCP entry in the registry of your pilot devices. Because the client-side values take precedence over a missing SCP in AD, only computers that receive this GPO will register.

  1. Open the Group Policy Management console and create a new Group Policy Object in your domain.
    1. Give the newly created GPO a name (for example, ClientSideSCP).
  2. Edit the GPO and locate the following path: Computer Configuration > Preferences > Windows Settings > Registry
  3. Right-click Registry and select New > Registry Item
    1. On the General tab, configure the following
      1. Action: Update
      2. Hive: HKEY_LOCAL_MACHINE
      3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
      4. Value name: TenantId
      5. Value type: REG_SZ
      6. Value data: the GUID (Directory ID) of your Azure AD tenant (found in the Azure portal > Azure Active Directory > Properties > Directory ID)
    2. Click OK
  4. Right-click Registry and select New > Registry Item
    1. On the General tab, configure the following
      1. Action: Update
      2. Hive: HKEY_LOCAL_MACHINE
      3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
      4. Value name: TenantName
      5. Value type: REG_SZ
      6. Value data: in a federated environment such as AD FS, your verified domain name. In a managed environment, either your verified domain name or your partner.onmschina.cn domain name, for example contoso.partner.onmschina.cn
    2. Click OK
  5. Close the editor for the newly created GPO
  6. Link the newly created GPO to the OU containing the domain-joined computers that belong to your controlled rollout population. Do not link it at the domain root, or every computer in the domain becomes part of the pilot.

Configure AD FS settings

If you are using AD FS, you first need to configure the client-side SCP using the instructions above, linking the GPO to your AD FS servers as well. The SCP object defines the source of authority for device objects, which can be either on-premises or Azure AD. When the client-side SCP is configured on the AD FS servers, the source for device objects is established as Azure AD.

Note

If you do not configure the client-side SCP on your AD FS servers, the source for device identities is considered to be on-premises. AD FS will then start deleting device objects from the on-premises directory after the period defined in the MaximumInactiveDays attribute of the AD FS device registration configuration. That configuration can be inspected with the Get-AdfsDeviceRegistration cmdlet.
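Before widening the pilot, confirm on a pilot workstation (and on each AD FS server, which receives the same two registry values) that the GPO actually landed and that the device registered with the tenant you intended. The following is an added example, not code from the original article: it reads the CDJ\AAD registry key, validates TenantId as a GUID and compares both values against the expected tenant, then parses dsregcmd /status to confirm the live join state. The tenant GUID and name in the parameter defaults are placeholders you must replace; the Automatic-Device-Join task and the User Device Registration event log are the standard Windows 10 components involved in the join.

```powershell
# Added example: verify the client-side SCP registry values a pilot machine (or AD FS server)
# received from the GPO, and compare them with the device's actual registration state.
# Not part of the original article. Run in an elevated PowerShell on the target machine.
param(
    # Expected values for the pilot tenant. Both defaults are placeholders (assumed), replace them.
    [string]$ExpectedTenantId   = '00000000-0000-0000-0000-000000000000',
    [string]$ExpectedTenantName = 'contoso.partner.onmschina.cn'
)

$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
$problems = New-Object System.Collections.Generic.List[string]

# 1. Registry: the GPO writes TenantId and TenantName as REG_SZ under CDJ\AAD.
$reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if (-not $reg) {
    $problems.Add("Registry key $regPath is missing; GPO not applied (check gpresult /r and the OU link).")
}
else {
    # TenantId must be a well-formed GUID and match the pilot tenant.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse([string]$reg.TenantId, [ref]$parsed)) {
        $problems.Add("TenantId '$($reg.TenantId)' is not a GUID.")
    }
    elseif ($parsed -ne [guid]$ExpectedTenantId) {
        $problems.Add("TenantId $parsed does not match expected $ExpectedTenantId.")
    }
    # TenantName must be the verified (or partner.onmschina.cn) domain; -ne is case-insensitive.
    if ([string]$reg.TenantName -ne $ExpectedTenantName) {
        $problems.Add("TenantName '$($reg.TenantName)' does not match expected $ExpectedTenantName.")
    }
}

# 2. Live state: dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}

if ($status['AzureAdJoined'] -ne 'YES') {
    $problems.Add("Device is not hybrid joined yet (AzureAdJoined = '$($status['AzureAdJoined'])'). " +
                  "Registration runs from the Automatic-Device-Join scheduled task after the GPO applies; " +
                  "check Event Viewer > Microsoft > Windows > User Device Registration for errors.")
}
elseif ($status['TenantId'] -and $status['TenantId'] -ne $ExpectedTenantId) {
    # Joined, but to a different tenant: a stale registration or a wrong value in the GPO.
    $problems.Add("Device is joined to tenant $($status['TenantId']), not $ExpectedTenantId.")
}

if ($problems.Count -eq 0) {
    Write-Output "OK: client-side SCP points at $ExpectedTenantName ($ExpectedTenantId) and the device is hybrid Azure AD joined."
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit code makes the script usable as a compliance check from a software distribution system. On an AD FS server the registry half of the check is the one that matters: if it fails there, AD FS still treats itself as the source of authority and will begin pruning devices after MaximumInactiveDays, as the note above describes.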

Controlled validation of hybrid Azure AD join on Windows down-level devices

To register Windows down-level devices, organizations must install Microsoft Workplace Join for non-Windows 10 computers, available from the Microsoft Download Center.

You can deploy the package by using a software distribution system like Microsoft Endpoint Configuration Manager. The package supports the standard silent installation options, including the quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, such as the ability to track completed registrations.

The installer creates a scheduled task on the system that runs in the user's context. The task is triggered when the user signs in to Windows. After authenticating with Azure AD, the task silently joins the device to Azure AD using the user's credentials.

To control which devices register, deploy the Windows Installer package only to your selected group of Windows down-level devices.

Note

If an SCP is not configured in AD, follow the same approach described in Configure the client-side registry setting for the SCP on these domain-joined computers using a Group Policy Object (GPO).

After you verify that everything works as expected, you can automatically register the rest of your Windows current and down-level devices with Azure AD by configuring the SCP using Azure AD Connect.

Next steps

Plan your hybrid Azure Active Directory join implementation