ADSync service account

Azure AD Connect installs an on-premises service which orchestrates synchronization between Active Directory and Azure Active Directory. The Azure AD Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in the Express installation but may be customized to meet your organizational security requirements. These credentials are not used to connect to your on-premises forests or to Azure Active Directory.

Choosing the ADSync service account is an important planning decision to make prior to installing Azure AD Connect. Any attempt to change the credentials after installation will result in the service failing to start, losing access to the synchronization database, and failing to authenticate with your connected directories (Azure and AD DS). No synchronization will occur until the original credentials are restored.

The default ADSync service account

When run on a member server, the AdSync service runs in the context of a Virtual Service Account (VSA). Due to a product limitation, a custom service account is created when installed on a domain controller. If the Express settings service account does not meet your organizational security requirements, deploy Azure AD Connect by choosing the Customize option. Then choose the service account option which meets your organization's requirements.

Note

The default service account when installed on a domain controller is of the form Domain\AAD_InstallationIdentifier. The password for this account is randomly generated and presents significant challenges for recovery and password rotation. Microsoft recommends customizing the service account during initial installation on a domain controller to use either a standalone or group Managed Service Account (sMSA / gMSA).

Azure AD Connect location   Service account created
Member Server               NT SERVICE\ADSync
Domain Controller           Domain\AAD_74dc30c01e80 (see note)

Custom ADSync service accounts

Microsoft recommends running the ADSync service in the context of either a Virtual Service Account or a standalone or group Managed Service Account. Your domain administrator may also choose to create a service account provisioned to meet your specific organizational security requirements. To customize the service account used during installation, choose the Customize option on the Express Settings page shown below. The following options are available:

  • default account - Azure AD Connect will provision the service account as described above
  • managed service account - use a standalone or group MSA provisioned by your administrator
  • domain account - use a domain service account provisioned by your administrator

Screenshot of the Azure AD Connect Express Settings page showing the Customize and Use express settings option buttons.

Screenshot of the Azure AD Connect Install required components page with the Use an existing managed service account option selected.

Diagnosing ADSync service account changes

Changing the credentials for the ADSync service after installation will result in the service failing to start, losing access to the synchronization database, and failing to authenticate with your connected directories (Azure and AD DS). Granting database access to the new ADSync service account is insufficient to recover from this issue. No synchronization will occur until the original credentials are restored.

The ADSync service will issue an error-level message to the event log when it is unable to start. The content of the message will vary depending on whether the built-in database (localdb) or full SQL is in use. The following are examples of the event log entries that may be present.

Example 1

The AdSync service encryption keys could not be found and have been recreated. Synchronization will not occur until this issue is corrected.

Troubleshooting this issue: the Azure AD Sync encryption keys will become inaccessible if the AdSync service Log On credentials are changed. If the credentials have been changed, use the Services application to change the Log On account back to its originally configured value (for example, NT SERVICE\AdSync) and restart the service. This will immediately restore correct operation of the AdSync service.

Please see the following article for further information.

Example 2

The service was unable to start because a connection to the local database (localdb) could not be established.

Troubleshooting this issue: the Azure AD Sync service will lose permission to access the local database provider if the AdSync service Log On credentials are changed. If the credentials have been changed, use the Services application to change the Log On account back to its originally configured value (for example, NT SERVICE\AdSync) and restart the service. This will immediately restore correct operation of the AdSync service.

Please see the following article for further information.

Additional details: the following error information was returned by the provider:

OriginalError=0x80004005 OLEDB Provider error(s): 
Description  = 'Login timeout expired'
Failure Code = 0x80004005
Minor Number = 0 
Description  = 'A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.'
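The following diagnostic script is an added example, not part of the original article: it reads the current Log On account of the ADSync service, compares it with the account configured at installation, and lists recent error-level Application log entries matching the two messages quoted above. The expected account (NT SERVICE\ADSync, the member-server default from the table) and the 24-hour lookback window are assumptions; adjust them for a domain controller or a gMSA deployment.

```powershell
# Added example (not from the original article). Run as an elevated .ps1 on the
# Azure AD Connect server. Expected account and lookback window are assumptions.
param(
    # Use the account chosen at installation, e.g. 'DOMAIN\gmsa-adsync$' for a gMSA.
    [string]$ExpectedLogOn = 'NT SERVICE\ADSync',
    [int]$LookbackHours = 24
)

# Win32_Service exposes the Log On account as StartName; Get-Service does not.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
if (-not $svc) {
    Write-Warning "ADSync service not found on this host."
    return
}

Write-Host ("ADSync service state  : {0}" -f $svc.State)
Write-Host ("Current Log On account: {0}" -f $svc.StartName)

if ($svc.StartName -ne $ExpectedLogOn) {
    $msg = "Log On account differs from the expected '{0}'. Restore the original " +
           "account with the Services application and restart the service; granting " +
           "database access to the new account does not recover synchronization."
    Write-Warning ($msg -f $ExpectedLogOn)
}

# Error-level entries matching the two example messages from the article.
$patterns = @(
    'AdSync service encryption keys could not be found',
    'connection to the local database \(localdb\) could not be established'
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 2   # Error
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $patterns | Where-Object { $m -match $_ } }

if ($events) {
    Write-Warning ("Found {0} ADSync credential-related error event(s):" -f @($events).Count)
    $events | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize
} else {
    Write-Host "No matching ADSync error events in the last $LookbackHours hour(s)."
}
```

Running this from a scheduled task and alerting on either warning gives early notice that the service Log On account was changed, which is the condition both example events describe.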

Next steps

Learn more about integrating your on-premises identities with Azure Active Directory.