ADSync service account

Azure AD Connect installs an on-premises service which orchestrates synchronization between Active Directory and Azure Active Directory. The Azure AD Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in Express installations but may be customized to meet your organizational security requirements. These credentials are not used to connect to your on-premises forests or to Azure Active Directory.

Choosing the ADSync service account is an important planning decision to make prior to installing Azure AD Connect. Any attempt to change the credentials after installation will result in the service failing to start, losing access to the synchronization database, and failing to authenticate with your connected directories (Azure and AD DS). No synchronization will occur until the original credentials are restored.

The sync service can run under different accounts. It can run under a Virtual Service Account (VSA), a Managed Service Account (gMSA/sMSA), or a regular User Account. The supported options were changed with the April 2017 and March 2021 releases of Azure AD Connect when you do a fresh installation. If you upgrade from an earlier release of Azure AD Connect, these additional options are not available.

| Type of account | Installation option | Description |
|---|---|---|
| Virtual Service Account | Express and custom, 2017 April and later | A Virtual Service Account is used for all express installations, except for installations on a Domain Controller. When using custom installation, it is the default option unless another option is used. |
| Managed Service Account | Custom, 2017 April and later | If you use a remote SQL Server, then we recommend using a group Managed Service Account. |
| Managed Service Account | Express and custom, 2021 March and later | A standalone Managed Service Account prefixed with ADSyncMSA_ is created during installation for express installations when installed on a Domain Controller. When using custom installation, it is the default option unless another option is used. |
| User Account | Express and custom, 2017 April to 2021 March | A User Account prefixed with AAD_ is created during installation for express installations when installed on a Domain Controller. When using custom installation, it is the default option unless another option is used. |
| User Account | Express and custom, 2017 March and earlier | A User Account prefixed with AAD_ is created during installation for express installations. When using custom installation, another account can be specified. |

Important

If you use Connect with a build from 2017 March or earlier, then you should not reset the password on the service account, since Windows destroys the encryption keys for security reasons. You cannot change the account to any other account without reinstalling Azure AD Connect. If you upgrade to a build from 2017 April or later, then it is supported to change the password on the service account, but you cannot change the account used.

Important

You can only set the service account on first installation. It is not supported to change the service account after the installation has been completed. If you need to change the service account password, this is supported and instructions can be found here.

The following is a table of the default, recommended, and supported options for the sync service account.

Legend:

  • Bold indicates the default option and, in most cases, the recommended option.
  • Italic indicates the recommended option when it is not the default option.
  • Non-bold - supported option
  • Local account - local user account on the server
  • Domain account - domain user account
  • sMSA - standalone Managed Service Account
  • gMSA - group Managed Service Account
| | LocalDB Express | LocalDB/LocalSQL Custom | Remote SQL Custom |
|---|---|---|---|
| domain-joined machine | **VSA** | **VSA**, sMSA, gMSA, Local account, Domain account | *gMSA*, Domain account |
| Domain Controller | **sMSA** | **sMSA**, gMSA, Domain account | *gMSA*, Domain account |
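The choice recorded in this table can be audited on an existing server. The following PowerShell script is an added example, not part of the article: it reads the account the ADSync service runs as, classifies it with the legend's categories, and flags the Domain Controller combinations the article rules out. It assumes it runs on the Azure AD Connect server and that the ActiveDirectory RSAT module is available only for telling a gMSA from a standalone MSA.

```powershell
# Added example (not from the original article): report which kind of account the
# ADSync service runs as on this server, using the categories of the table above.
# Assumes it runs on the Azure AD Connect server; the ActiveDirectory RSAT module is
# needed only to tell a gMSA from a standalone MSA.
function Get-ADSyncServiceAccountType {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
    if (-not $svc) { throw 'The ADSync service is not installed on this machine.' }

    $runsAs   = $svc.StartName                  # e.g. NT SERVICE\ADSync or CONTOSO\ADSyncGMSA$
    $sam      = ($runsAs -split '\\')[-1]
    $hostName = [regex]::Escape($env:COMPUTERNAME)
    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC
    $isDC     = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5

    if ($runsAs -eq 'NT SERVICE\ADSync') {
        $type = 'VSA'
    } elseif ($sam.EndsWith('$')) {
        # A trailing '$' marks a managed service account; objectClass says which kind.
        $type = 'sMSA'
        try {
            $msa = Get-ADServiceAccount -Filter "SamAccountName -eq '$sam'" -ErrorAction Stop
            if ($msa.ObjectClass -eq 'msDS-GroupManagedServiceAccount') { $type = 'gMSA' }
        } catch { $type = 'MSA (gMSA/sMSA not determined: ActiveDirectory module unavailable)' }
    } elseif ($runsAs -match "^(\.|$hostName)\\") {
        $type = 'Local account'
    } elseif ($runsAs -match '\\') {
        $type = 'Domain account'
    } else {
        $type = 'Local account'                 # bare user name, no computer or domain prefix
    }
    if ($sam -like 'AAD_*') { $type += ' (auto-generated AAD_ user account)' }

    # Checks the table above makes explicit: a VSA cannot run on a Domain Controller
    # (DPAPI), and the DC row lists only sMSA, gMSA and a domain account.
    if ($isDC -and $type -eq 'VSA')                  { $note = 'Unsupported: VSA on a Domain Controller' }
    elseif ($isDC -and $type -like 'Local account*') { $note = 'Unsupported: local account on a Domain Controller' }
    else                                             { $note = 'Listed as supported for this machine role' }

    [pscustomobject]@{ RunsAs = $runsAs; Type = $type; IsDomainController = $isDC; Note = $note }
}

Get-ADSyncServiceAccountType | Format-List
```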

Virtual Service Account

A Virtual Service Account is a special type of managed local account that does not have a password and is automatically managed by Windows.

[Screenshot: Virtual Service Account option in the installation wizard]

The Virtual Service Account is intended to be used with scenarios where the sync engine and SQL are on the same server. If you use remote SQL, then we recommend using a group Managed Service Account instead.

The Virtual Service Account cannot be used on a Domain Controller due to Windows Data Protection API (DPAPI) issues.

Managed Service Account

If you use a remote SQL Server, then we recommend using a group Managed Service Account. For more information on how to prepare your Active Directory for a group Managed Service Account, see Group Managed Service Accounts Overview.

To use this option, on the Install required components page, select Use an existing service account, and select Managed Service Account.

[Screenshot: Managed Service Account option in the installation wizard]

It is also supported to use a standalone Managed Service Account. However, these can only be used on the local machine, and there is no benefit to using them over the default Virtual Service Account.
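Preparing Active Directory for a gMSA that the ADSync service can run as with a remote SQL Server, as an added example that is not from the article or from Azure AD Connect itself. The server name AADCONNECT01, the account name ADSyncGMSA and the domain are placeholders; the script is run as a Domain Admin on a machine with the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original article): create a gMSA for the ADSync service
# for the remote-SQL scenario and verify only the sync server can retrieve its password.
# Placeholders: AADCONNECT01 (Azure AD Connect server) and ADSyncGMSA (account name).
Import-Module ActiveDirectory

$gmsaName   = 'ADSyncGMSA'                              # hypothetical account name
$domainDns  = (Get-ADDomain).DNSRoot
$syncServer = Get-ADComputer -Identity 'AADCONNECT01'   # placeholder host name

# 1. A KDS root key must exist before any gMSA can be created. A new key is only
#    usable on every DC after replication (about 10 hours by default), so in
#    production create it well ahead of time rather than with -EffectiveImmediately.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key created; allow it to replicate before relying on the gMSA.'
}

# 2. Create the gMSA. Only the Azure AD Connect server's computer account may
#    retrieve the managed password, which is all the sync service needs.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword $syncServer `
    -KerberosEncryptionType AES256 `
    -Description 'Azure AD Connect ADSync service account (remote SQL)'

# 3. Verify before pointing the installer at it: exactly one principal may retrieve
#    the password, and it is the sync server (value is the computer's DN).
$gmsa    = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed.Count -ne 1 -or $allowed[0] -ne $syncServer.DistinguishedName) {
    throw "Unexpected password-retrieval principals on ${gmsaName}: $($allowed -join ', ')"
}

# 4. On AADCONNECT01 itself: install the account locally and confirm it can retrieve
#    its password, then pick it in the wizard under 'Use an existing service account'
#    -> 'Managed Service Account'.
#    Install-ADServiceAccount -Identity $gmsaName
#    Test-ADServiceAccount -Identity $gmsaName   # expected: True
```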

Auto-generated standalone Managed Service Account

If you install Azure AD Connect on a Domain Controller, a standalone Managed Service Account is created by the installation wizard (unless you specify the account to use in custom settings). The account is prefixed ADSyncMSA_ and is used for the actual sync service to run as.

This account is a managed domain account that does not have a password and is automatically managed by Windows.

This account is intended to be used with scenarios where the sync engine and SQL are on the Domain Controller.

User Account

A local service account is created by the installation wizard (unless you specify the account to use in custom settings). The account is prefixed AAD_ and is used for the actual sync service to run as. If you install Azure AD Connect on a Domain Controller, the account is created in the domain. The AAD_ service account must be located in the domain if:

  • you use a remote server running SQL Server
  • you use a proxy that requires authentication

[Screenshot: User Account option in the installation wizard]

The account is created with a long, complex password that does not expire.

This account is used to store passwords for the other accounts in a secure way. These other accounts' passwords are stored encrypted in the database. The private keys for the encryption keys are protected with the cryptographic services secret-key encryption using Windows Data Protection API (DPAPI).

If you use a full SQL Server, then the service account is the DBO of the database created for the sync engine. The service will not function as intended with any other permission. A SQL login is also created.

The account is also granted permission to files, registry keys, and other objects related to the Sync Engine.

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.