Tutorial: Configure hybrid Azure Active Directory join for managed domains

In this tutorial, you learn how to configure hybrid Azure Active Directory (Azure AD) join for Active Directory domain-joined devices. This method supports a managed environment that includes both on-premises Active Directory and Azure AD.

Like a user in your organization, a device is a core identity you want to protect. You can use a device's identity to protect your resources at any time and from any location. You accomplish this by managing device identities in Azure AD, using one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

This article focuses on hybrid Azure AD join.

Bringing your devices into Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. At the same time, you can secure access to those cloud and on-premises resources with Conditional Access.

In this tutorial, you learn how to:

  • Configure hybrid Azure AD join
  • Enable Windows down-level devices
  • Verify joined devices
  • Troubleshoot

Prerequisites

  • Azure AD Connect version 1.1.819.0 or later
  • The credentials of a global administrator for your Azure AD tenant
  • The enterprise administrator credentials for each of the forests

Familiarize yourself with these articles:

Note

Azure AD doesn't support smartcards or certificates in managed domains.

Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), configure those OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see Organizational unit-based filtering.

Beginning with version 1.1.819.0, Azure AD Connect includes a wizard to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process: it creates the service connection points (SCPs) for device registration in your on-premises forests.

The configuration steps in this article are based on using the wizard in Azure AD Connect.

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization's network:

  • https://enterpriseregistration.chinacloudapi.cn
  • https://login.partner.microsoftonline.cn
  • https://device.login.partner.microsoftonline.cn
  • https://autologon.microsoftazuread-sso.com (if you use or plan to use seamless SSO)

Warning

If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to 'https://device.login.partner.microsoftonline.cn' is excluded from TLS break-and-inspect. Device registration and device-based Conditional Access authenticate the device to this endpoint with a client certificate; a proxy that terminates and re-signs the TLS session breaks that client certificate authentication, so registration and device-based Conditional Access fail.

If your organization requires internet access through an outbound proxy, you can implement Web Proxy Auto-Discovery (WPAD) so that Windows 10 computers can register with Azure AD. To address issues with configuring and managing WPAD, see Troubleshooting Automatic Detection. On Windows 10 devices prior to the 1709 update, WPAD is the only available option for configuring a proxy that works with hybrid Azure AD join.

Beginning with Windows 10 1709, if you don't use WPAD, you can configure WinHTTP proxy settings on the computer instead. For more information, see WinHTTP Proxy Settings deployed by GPO.

Note

If you configure proxy settings on your computers by using WinHTTP settings, any computer that can't connect to the configured proxy will fail to connect to the internet.

If your organization requires internet access through an authenticated outbound proxy, make sure that your Windows 10 computers can successfully authenticate to that proxy. Because Windows 10 computers run device registration in the machine context, configure outbound proxy authentication for the machine context (not the user's). Follow up with your outbound proxy provider on the configuration requirements.

Verify that the device can access the Microsoft resources listed above under the SYSTEM account by using the Test Device Registration Connectivity script.
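The warning above is easiest to act on when you can see exactly which certificate the device receives for each endpoint. The following PowerShell script is an added example (it is not the Test Device Registration Connectivity script and not part of the original page): it opens a direct TLS connection to each host the page lists, reports the certificate issuer and chain root, and flags any endpoint whose chain terminates in your own CA, which is the signature of a break-and-inspect proxy. It also warns when it is not running as SYSTEM, since that is the context the registration task uses. The endpoint list comes from the page; the `$InternalCaPattern` default (`Contoso`) is an assumed placeholder that you replace with the subject name of your inspecting proxy's CA.

```powershell
# Added example, not from the original tutorial. Run under SYSTEM to see what the
# device-registration task sees, e.g.: psexec -s powershell.exe -File .\Test-HybridJoinTls.ps1
function Test-HybridJoinEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$InternalCaPattern = 'Contoso'   # ASSUMPTION: replace with your proxy/enterprise CA name
    )
    $info = [ordered]@{
        Host = $HostName; Reachable = $false; Subject = $null; Issuer = $null
        RootIssuer = $null; ChainTrusted = $null; LikelyIntercepted = $null; Error = $null
    }
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($HostName, $Port)
        # Accept whatever certificate is presented at the handshake; we inspect it ourselves below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        # Build the chain with the machine's trust store so we can see which root it ends in.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($leaf)
        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        } else { $leaf }

        $info.Reachable    = $true
        $info.Subject      = $leaf.Subject
        $info.Issuer       = $leaf.Issuer
        $info.RootIssuer   = $root.Issuer
        $info.ChainTrusted = $chainOk
        # A leaf or root issued by your own CA means the proxy re-signed the server
        # certificate: client-certificate authentication to this host will not work.
        $info.LikelyIntercepted = ($leaf.Issuer -match $InternalCaPattern) -or ($root.Issuer -match $InternalCaPattern)
    }
    catch {
        $info.Error = $_.Exception.Message
    }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$info
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    Write-Warning "Running as $($identity.Name), not SYSTEM; proxy and trust behaviour may differ from the registration task."
}

# Static WinHTTP proxy (machine context). 'Direct access (no proxy server)' means none is set.
netsh winhttp show proxy

$endpoints = @(
    'enterpriseregistration.chinacloudapi.cn',
    'login.partner.microsoftonline.cn',
    'device.login.partner.microsoftonline.cn',
    'autologon.microsoftazuread-sso.com'      # only required when seamless SSO is in use
)
$results = $endpoints | ForEach-Object { Test-HybridJoinEndpoint -HostName $_ }
$results | Format-Table Host, Reachable, ChainTrusted, LikelyIntercepted, Issuer -AutoSize

$deviceEndpoint = $results | Where-Object { $_.Host -eq 'device.login.partner.microsoftonline.cn' }
if ($deviceEndpoint.LikelyIntercepted) {
    Write-Warning 'device.login.partner.microsoftonline.cn is being TLS-inspected; exclude it from break-and-inspect.'
}
```

The script connects directly with `TcpClient`, so it does not go through a WinHTTP or WPAD proxy; on a network where the proxy is mandatory, `Reachable` will be false for every host and the Test Device Registration Connectivity script, which honours the machine proxy settings, is the right tool. When the connection does succeed, `Issuer` and `RootIssuer` are what matter: a public CA chain is expected, and your own CA's name there is the inspection you need to exclude.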

Configure hybrid Azure AD join

To configure hybrid Azure AD join by using Azure AD Connect:

  1. Start Azure AD Connect, and then select Configure.

  2. In Additional tasks, select Configure device options, and then select Next.

  3. In Overview, select Next.

  4. In Connect to Azure AD, enter the credentials of a global administrator for your Azure AD tenant.

  5. In Device options, select Configure Hybrid Azure AD join, and then select Next.

  6. In SCP configuration, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next.

    1. Select the Forest.
    2. Select an Authentication Service.
    3. Select Add to enter the enterprise administrator credentials.

  7. In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next.

  8. In Ready to configure, select Configure.

  9. In Configuration complete, select Exit.

Enable Windows down-level devices

If some of your domain-joined devices are Windows down-level devices, you must:

  • Configure the local intranet settings for device registration
  • Configure seamless SSO
  • Install Microsoft Workplace Join for Windows down-level computers

Note

Windows 7 support ended on January 14, 2020. For more information, see Windows 7 support ended.

Configure the local intranet settings for device registration

To complete hybrid Azure AD join of your Windows down-level devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the Local intranet zone in Internet Explorer:

  • https://device.login.partner.microsoftonline.cn
  • https://autologon.microsoftazuread-sso.com

You also must enable Allow updates to status bar via script in the user's Local intranet zone.
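The policy described above is the Internet Explorer "Site to Zone Assignment List" plus one zone setting, and both end up as registry values. The following PowerShell is an added example, not part of the original page: it writes the same policy-scoped registry values that the GPO would, for exactly the two hosts listed, and then reads them back so you can verify a machine. Registry paths and the value names (`ZoneMapKey`, zone `1` for Local intranet, setting `2103` for "Allow updates to status bar via script") are the standard Internet Explorer policy locations; in production you push these with Group Policy rather than running the script, and the script exists to prototype and audit that policy on a test machine.

```powershell
# Added example, not from the original tutorial. Run elevated on a test down-level machine.
$policyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMapKey   = Join-Path $policyRoot 'ZoneMapKey'   # Site to Zone Assignment List lands here
$intranetZone = Join-Path $policyRoot 'Zones\1'      # zone 1 = Local intranet

# Only the exact hosts the registration client talks to. Anything in the Local
# intranet zone gets automatic Windows authentication, so never add a wildcard
# such as *.microsoftonline.cn here; that would leak the user's credentials to
# any host under that suffix.
$intranetSites = @(
    'https://device.login.partner.microsoftonline.cn',
    'https://autologon.microsoftazuread-sso.com'
)

function Set-IntranetZoneSites {
    param([string[]]$Urls)
    New-Item -Path $zoneMapKey -Force | Out-Null
    foreach ($url in $Urls) {
        # Value name = URL, value data = zone number as a string ("1" = Local intranet).
        New-ItemProperty -Path $zoneMapKey -Name $url -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Enable-StatusBarScriptUpdates {
    New-Item -Path $intranetZone -Force | Out-Null
    # 2103 = "Allow updates to status bar via script"; 0 = Enable, 3 = Disable.
    New-ItemProperty -Path $intranetZone -Name '2103' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Test-IntranetZoneConfig {
    param([string[]]$Urls)
    $ok = $true
    $zoneMap = Get-ItemProperty -Path $zoneMapKey -ErrorAction SilentlyContinue
    foreach ($url in $Urls) {
        $zone = if ($zoneMap) { $zoneMap.$url } else { $null }
        if ($zone -ne '1') {
            Write-Warning "$url is not assigned to the Local intranet zone (value: '$zone')"
            $ok = $false
        }
    }
    $statusBar = (Get-ItemProperty -Path $intranetZone -ErrorAction SilentlyContinue).'2103'
    if ($statusBar -ne 0) {
        Write-Warning "Setting 2103 (status bar updates via script) is '$statusBar', expected 0"
        $ok = $false
    }
    $ok
}

Set-IntranetZoneSites -Urls $intranetSites
Enable-StatusBarScriptUpdates
if (Test-IntranetZoneConfig -Urls $intranetSites) {
    'Local intranet zone is configured for hybrid Azure AD join on this machine.'
}
```

Writing under `HKLM:\SOFTWARE\Policies` mirrors a computer-scoped GPO, so users cannot undo it from Internet Options; if you instead need a user-scoped policy, the same keys exist under `HKCU:\SOFTWARE\Policies`. `Test-IntranetZoneConfig` is the piece worth keeping as a compliance check on machines where registration is stuck with certificate prompts.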

Install Microsoft Workplace Join for Windows down-level computers

To register Windows down-level devices, organizations must install Microsoft Workplace Join for non-Windows 10 computers. Microsoft Workplace Join for non-Windows 10 computers is available in the Microsoft Download Center.

You can deploy the package by using a software distribution system like Microsoft Endpoint Configuration Manager. The package supports the standard silent installation options with the quiet parameter. The current version of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. After the user authenticates to Azure AD, the task silently joins the device to Azure AD by using that user's credentials. Because the registration happens with the signed-in user's identity rather than the machine's, the user must be able to authenticate to Azure AD (for example through seamless SSO) for the join to complete.

Verify the registration

Here are three ways to locate and verify the device state:

Locally on the device

  1. Open Windows PowerShell.
  2. Enter dsregcmd /status.
  3. Verify that both AzureAdJoined and DomainJoined are set to YES.
  4. You can use the DeviceId shown there to compare the device's state on the service by using either the Azure portal or PowerShell.

Using the Azure portal

  1. Go to the devices page by using a direct link.
  2. For information on how to locate a device, see How to manage device identities using the Azure portal.
  3. If the Registered column says Pending, hybrid Azure AD join has not completed.
  4. If the Registered column contains a date/time, hybrid Azure AD join has completed.

Using PowerShell

Verify the device registration state in your Azure tenant by using Get-MsolDevice. This cmdlet is in the Azure Active Directory PowerShell module.

When you use the Get-MsolDevice cmdlet to check the service details:

  • An object with a device ID that matches the ID on the Windows client must exist.
  • The value for DeviceTrustType is Domain Joined. This setting is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
  • For devices that are used in Conditional Access, the value for Enabled is True and DeviceTrustLevel is Managed.

  1. Open Windows PowerShell as an administrator.
  2. Enter Connect-MsolService to connect to your Azure tenant.

The queries below distinguish completed from pending joins by the AlternativeSecurityIds property: a Domain Joined object whose value starts with X509: has the device certificate bound to it and has finished registration, while a Domain Joined object without it was synced from on-premises by Azure AD Connect but the device itself has not registered yet (the Pending state in the portal).

Count all hybrid Azure AD joined devices (excluding Pending state)

(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

Count all hybrid Azure AD joined devices with Pending state

(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

List all hybrid Azure AD joined devices

Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

List all hybrid Azure AD joined devices with Pending state

Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

List details of a single device:

  1. Enter get-msoldevice -deviceId <deviceId> (this is the DeviceId obtained locally on the device).
  2. Verify that Enabled is set to True.
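The three checks above (local dsregcmd state, the matching cloud object, and its DeviceTrustType, AlternativeSecurityIds and Enabled values) are usually run by hand on a stuck device. The following PowerShell script is an added example, not part of the original page: it parses the dsregcmd /status output into a hashtable, looks the DeviceId up with Get-MsolDevice, and reduces the combination to a single verdict that names the first failed check. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the `$sampleStatus` text and the `$sampleCloud` object are constructed test data used when the script is run with `-Sample`, so the logic can be exercised offline.

```powershell
# Added example, not from the original tutorial. Save as Test-HybridJoin.ps1.
# Usage: .\Test-HybridJoin.ps1           (live: dsregcmd + Get-MsolDevice)
#        .\Test-HybridJoin.ps1 -Sample   (constructed data, no tenant access)
param([switch]$Sample)

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "    Key : Value"; banners, separators and blank lines do not match.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $status
}

function Get-HybridJoinState {
    param([hashtable]$Local, $CloudDevice)
    if ($Local['DomainJoined'] -ne 'YES') {
        return 'Not domain joined: hybrid Azure AD join does not apply to this device'
    }
    if ($Local['AzureAdJoined'] -ne 'YES') {
        return 'Domain joined but AzureAdJoined is NO: the registration task has not run or failed'
    }
    if (-not $Local['DeviceId']) {
        return 'AzureAdJoined is YES but no DeviceId was reported; re-run dsregcmd /status elevated'
    }
    if (-not $CloudDevice) {
        return "Client reports joined, but no device object with DeviceId $($Local['DeviceId']) exists in the tenant"
    }
    if ($CloudDevice.DeviceTrustType -ne 'Domain Joined') {
        return "Cloud object has DeviceTrustType '$($CloudDevice.DeviceTrustType)', expected 'Domain Joined'"
    }
    # No X509: alternative security ID means the object was only synced by Azure AD Connect.
    if (-not ([string]$CloudDevice.AlternativeSecurityIds).StartsWith('X509:')) {
        return 'Pending: computer object synced, device registration not completed'
    }
    if (-not $CloudDevice.Enabled) {
        return 'Registered but disabled in the tenant; Conditional Access will not trust this device'
    }
    'Hybrid Azure AD joined'
}

# Constructed excerpt of dsregcmd /status output (the GUID is a placeholder).
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

# Constructed stand-in for a Get-MsolDevice result of a completed join.
$sampleCloud = [pscustomobject]@{
    DeviceTrustType        = 'Domain Joined'
    AlternativeSecurityIds = @('X509:<SHA1-PLACEHOLDER>')
    Enabled                = $true
}

if ($Sample) {
    $local = ConvertFrom-DsregStatus -Lines $sampleStatus
    $cloud = $sampleCloud
} else {
    $local = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
    $cloud = $null
    if ($local['DeviceId']) {
        $cloud = Get-MsolDevice -DeviceId ([guid]$local['DeviceId']) -ErrorAction SilentlyContinue
    }
}

Get-HybridJoinState -Local $local -CloudDevice $cloud
```

The order of the checks matches the order in which the pieces are produced (domain join, local registration, sync of the computer object, device registration against the object, tenant enablement), so the first message returned points at the stage to troubleshoot rather than at a symptom further downstream.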

Troubleshoot your implementation

If you experience issues completing hybrid Azure AD join for domain-joined Windows devices, see:

Next steps

Advance to the next article to learn how to manage device identities by using the Azure portal.