Azure AD Connect sync: Understanding the default configuration

This article explains the out-of-box configuration rules. It documents the rules and how they affect the configuration, and it walks you through the default configuration of Azure AD Connect sync. The goal is that the reader understands how the configuration model, named declarative provisioning, works in a real-world example. This article assumes that you have already installed and configured Azure AD Connect sync using the installation wizard.

To understand the details of the configuration model, read Understanding Declarative Provisioning.

Out-of-box rules from on-premises to Azure AD

The following expressions can be found in the out-of-box configuration.

User out-of-box rules

These rules also apply to the iNetOrgPerson object type.

A user object must satisfy the following to be synchronized:

  • Must have a sourceAnchor.
  • After the object has been created in Azure AD, the sourceAnchor cannot change. If the value is changed on-premises, the object stops synchronizing until the sourceAnchor is changed back to its previous value.
  • Must have the accountEnabled (userAccountControl) attribute populated. With an on-premises Active Directory, this attribute is always present and populated.

The following user objects are not synchronized to Azure AD:

  • IsPresent([isCriticalSystemObject]). Ensures that many out-of-box objects in Active Directory, such as the built-in administrator account, are not synchronized.
  • IsPresent([sAMAccountName]) = False. Ensures that user objects with no sAMAccountName attribute are not synchronized. In practice this case only occurs in a domain upgraded from NT4.
  • Left([sAMAccountName], 4) = "AAD_", Left([sAMAccountName], 5) = "MSOL_". Do not synchronize the service accounts used by Azure AD Connect sync and its earlier versions.
  • Do not synchronize Exchange accounts that would not work in Exchange Online:
    • [sAMAccountName] = "SUPPORT_388945a0"
    • Left([mailNickname], 14) = "SystemMailbox{"
    • (Left([mailNickname], 4) = "CAS_" && (InStr([mailNickname], "}") > 0))
    • (Left([sAMAccountName], 4) = "CAS_" && (InStr([sAMAccountName], "}") > 0))
  • Do not synchronize objects that would not work in Exchange Online: CBool(IIF(IsPresent([msExchRecipientTypeDetails]),BitAnd([msExchRecipientTypeDetails],&H21C07000) > 0,NULL))
    This bitmask (&H21C07000) filters out the following objects:
    • Mail-enabled Public Folder (in preview as of version 1.1.524.0)
    • System Attendant Mailbox
    • Mailbox Database Mailbox (System Mailbox)
    • Universal Security Group (wouldn't apply to a user, but is present for legacy reasons)
    • Non-Universal Group (wouldn't apply to a user, but is present for legacy reasons)
    • Mailbox Plan
    • Discovery Mailbox
  • CBool(InStr(DNComponent(CRef([dn]),1),"\\0ACNF:")>0). Do not synchronize any replication victim objects.

The following attribute rules apply:

  • sourceAnchor <- IIF([msExchRecipientTypeDetails]=2,NULL,..). The sourceAnchor attribute is not contributed from a linked mailbox. It is assumed that if a linked mailbox has been found, the actual account is joined later.
  • Exchange-related attributes are only synchronized if the attribute mailNickName has a value.
  • When there are multiple forests, attributes are consumed in the following order:
    1. Attributes related to sign-in (for example userPrincipalName) are contributed from the forest with an enabled account.
    2. Attributes that can be found in an Exchange GAL (Global Address List) are contributed from the forest with an Exchange mailbox.
    3. If no mailbox can be found, these attributes can come from any forest.
    4. Exchange-related attributes (technical attributes not visible in the GAL) are contributed from the forest where mailNickname ISNOTNULL.
    5. If multiple forests satisfy one of these rules, the creation order (date/time) of the Connectors (forests) determines which forest contributes the attributes. The first forest connected is the first forest to sync.

Contact out-of-box rules

A contact object must satisfy the following to be synchronized:

  • The contact must be mail-enabled. This is verified with the following rules:
    • IsPresent([proxyAddresses]) = True. The proxyAddresses attribute must be populated.
    • A primary email address can be found in either the proxyAddresses attribute or the mail attribute. The presence of an @ is used to verify that the content is an email address. One of these two rules must evaluate to True:
      • (Contains([proxyAddresses], "SMTP:") > 0) && (InStr(Item([proxyAddresses], Contains([proxyAddresses], "SMTP:")), "@") > 0). Is there an entry containing "SMTP:" and, if there is, can an @ be found in that string?
      • (IsPresent([mail]) = True && (InStr([mail], "@") > 0). Is the mail attribute populated and, if it is, can an @ be found in the string?

The following contact objects are not synchronized to Azure AD:

  • IsPresent([isCriticalSystemObject]). Ensures that no contact objects marked as critical are synchronized. There shouldn't be any with a default configuration.
  • ((InStr([displayName], "(MSOL)") > 0) && (CBool([msExchHideFromAddressLists]))).
  • (Left([mailNickname], 4) = "CAS_" && (InStr([mailNickname], "}") > 0)). These objects wouldn't work in Exchange Online.
  • CBool(InStr(DNComponent(CRef([dn]),1),"\\0ACNF:")>0). Do not synchronize any replication victim objects.
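The user exclusion rules and the contact mail-enabled check above, re-expressed in Python as an added example (this is not code from the article or from Azure AD Connect, whose rules are evaluated by the sync engine's own expression language). Objects are plain dicts with the AD attribute names used in the rules, proxyAddresses is a list, and every sample object at the bottom is constructed; the helper and function names are this example's own. The `&H21C07000` mask and the `\0ACNF:` conflict marker are the values the rules quote.

```python
"""Added example, not code from the article or from Azure AD Connect: the user
exclusion rules and the contact mail-enabled check, re-expressed in Python so
they can be run against sample objects. Objects are plain dicts (proxyAddresses
is a list); the samples at the bottom are constructed."""
from typing import Optional

MSEXCH_FILTER_MASK = 0x21C07000  # &H21C07000 from the user out-of-box rules
CONFLICT_MARKER = "\\0ACNF:"     # escaped LF + "CNF:" that AD puts in the RDN of a replication-conflict object


def first_dn_component(dn: str) -> str:
    """Equivalent of DNComponent(CRef([dn]),1): the first RDN, honouring backslash escapes."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts[0]


def user_is_excluded(obj: dict) -> Optional[str]:
    """Return the name of the first out-of-box rule that filters the user out, or None."""
    if "isCriticalSystemObject" in obj:                        # IsPresent([isCriticalSystemObject])
        return "isCriticalSystemObject"
    sam = obj.get("sAMAccountName")
    if sam is None:                                            # IsPresent([sAMAccountName]) = False
        return "no sAMAccountName"
    if sam.startswith("AAD_") or sam.startswith("MSOL_"):      # Left(..., 4) = "AAD_" / Left(..., 5) = "MSOL_"
        return "sync service account"
    if sam == "SUPPORT_388945a0":
        return "SUPPORT_388945a0"
    nick = obj.get("mailNickname")
    if nick is not None and nick.startswith("SystemMailbox{"):
        return "system mailbox"
    if nick is not None and nick.startswith("CAS_") and "}" in nick:
        return "CAS_ mailNickname"
    if sam.startswith("CAS_") and "}" in sam:
        return "CAS_ sAMAccountName"
    rtd = obj.get("msExchRecipientTypeDetails")                # BitAnd(..., &H21C07000) > 0
    if rtd is not None and (int(rtd) & MSEXCH_FILTER_MASK) > 0:
        return "msExchRecipientTypeDetails bitmask"
    if CONFLICT_MARKER in first_dn_component(obj["dn"]):       # InStr(DNComponent(CRef([dn]),1),"\\0ACNF:") > 0
        return "replication conflict object"
    return None


def user_satisfies_requirements(obj: dict) -> bool:
    """A user needs a sourceAnchor and a populated accountEnabled (userAccountControl)."""
    return obj.get("sourceAnchor") is not None and obj.get("userAccountControl") is not None


def contact_is_mail_enabled(obj: dict) -> bool:
    """Contact rule: proxyAddresses populated, and either the SMTP: entry or mail contains an '@'."""
    proxies = obj.get("proxyAddresses") or []
    if not proxies:                                            # IsPresent([proxyAddresses]) = True
        return False
    smtp = [p for p in proxies if "SMTP:" in p]                # Contains([proxyAddresses], "SMTP:") / Item(...)
    if smtp and "@" in smtp[0]:
        return True
    mail = obj.get("mail")                                     # IsPresent([mail]) && InStr([mail], "@") > 0
    return mail is not None and "@" in mail


# Constructed sample objects; none of these values come from a real directory.
SAMPLE_USERS = {
    "alice": {"dn": "CN=Alice,OU=Users,DC=contoso,DC=com", "sAMAccountName": "alice",
              "userAccountControl": 512, "sourceAnchor": "constructed==", "mailNickname": "alice",
              "msExchRecipientTypeDetails": 1},
    "builtin_admin": {"dn": "CN=Administrator,CN=Users,DC=contoso,DC=com", "sAMAccountName": "Administrator",
                      "isCriticalSystemObject": True, "userAccountControl": 512, "sourceAnchor": "constructed=="},
    "sync_account": {"dn": "CN=MSOL_0123abcd,CN=Users,DC=contoso,DC=com", "sAMAccountName": "MSOL_0123abcd",
                     "userAccountControl": 512, "sourceAnchor": "constructed=="},
    "conflict": {"dn": "CN=Bob\\0ACNF:00000000-0000-0000-0000-000000000000,OU=Users,DC=contoso,DC=com",
                 "sAMAccountName": "bob", "userAccountControl": 512, "sourceAnchor": "constructed=="},
    "masked_recipient": {"dn": "CN=Svc,OU=Users,DC=contoso,DC=com", "sAMAccountName": "svc",
                         "userAccountControl": 512, "sourceAnchor": "constructed==",
                         "msExchRecipientTypeDetails": 0x4000},   # one bit inside the mask
}

if __name__ == "__main__":
    for name, obj in SAMPLE_USERS.items():
        verdict = user_is_excluded(obj) or (
            "synchronized" if user_satisfies_requirements(obj) else "missing required attribute")
        print(f"{name:18s} -> {verdict}")
```

Running the module prints one verdict per sample; the useful part for a deployment review is feeding it real objects exported from the connector space and checking that the accounts you expect to reach Azure AD are not caught by one of the exclusions, in particular the `MSOL_`/`AAD_` prefixes and the recipient-type bitmask.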

Group out-of-box rules

A group object must satisfy the following to be synchronized:

  • Must have fewer than 50,000 members. This count is the number of members in the on-premises group.
    • If it has more members before synchronization starts the first time, the group is not synchronized.
    • If the number of members grows after the group was initially created, then when it reaches 50,000 members it stops synchronizing until the membership count is lower than 50,000 again.
    • Note: the 50,000 membership count is also enforced by Azure AD. You are not able to synchronize groups with more members even if you modify or remove this rule.
  • If the group is a Distribution Group, it must also be mail-enabled. See Contact out-of-box rules for how this rule is enforced.

The following group objects are not synchronized to Azure AD:

  • IsPresent([isCriticalSystemObject]). Ensures that many out-of-box objects in Active Directory, such as the built-in administrators group, are not synchronized.
  • [sAMAccountName] = "MSOL_AD_Sync_RichCoexistence". Legacy group used by DirSync.
  • BitAnd([msExchRecipientTypeDetails],&H40000000). Role Group.
  • CBool(InStr(DNComponent(CRef([dn]),1),"\\0ACNF:")>0). Do not synchronize any replication victim objects.

ForeignSecurityPrincipal out-of-box rules

FSPs are joined to "any" (*) object in the metaverse. In reality, this join only happens for users and security groups. This configuration ensures that cross-forest memberships are resolved and represented correctly in Azure AD.

Computer out-of-box rules

A computer object must satisfy the following to be synchronized:

  • userCertificate ISNOTNULL. Only Windows 10 computers populate this attribute. All computer objects with a value in this attribute are synchronized.

Understanding the out-of-box rules scenario

In this example, we are using a deployment with one account forest (A), one resource forest (R), and one Azure AD directory.

Diagram of the scenario

In this configuration, it is assumed there is an enabled account in the account forest and a disabled account in the resource forest with a linked mailbox.

Our goal with the default configuration is:

  • Attributes related to sign-in are synchronized from the forest with the enabled account.
  • Attributes that can be found in the GAL (Global Address List) are synchronized from the forest with the mailbox. If no mailbox can be found, any other forest is used.
  • If a linked mailbox is found, the linked enabled account must be found for the object to be exported to Azure AD.

Synchronization Rules Editor

The configuration can be viewed and changed with the Synchronization Rules Editor (SRE) tool; a shortcut to it can be found in the start menu.

Synchronization Rules Editor icon

The SRE is a resource kit tool and is installed with Azure AD Connect sync. To be able to start it, you must be a member of the ADSyncAdmins group. When it starts, you see something like this:

Inbound synchronization rules

In this pane, you see all Synchronization Rules created for your configuration. Each line in the table is one Synchronization Rule. To the left under Rule Types, the two different types are listed: Inbound and Outbound. Inbound and Outbound are from the view of the metaverse. This overview focuses mainly on the inbound rules. The actual list of Synchronization Rules depends on the schema detected in AD. In the picture above, the account forest (fabrikamonline.com) does not have any services, such as Exchange and Lync, and no Synchronization Rules have been created for these services. However, in the resource forest (res.fabrikamonline.com) you find Synchronization Rules for these services. The content of the rules differs depending on the version detected. For example, in a deployment with Exchange 2013 there are more attribute flows configured than in Exchange 2010/2007.

Synchronization Rule

A Synchronization Rule is a configuration object with a set of attributes that flow when a condition is satisfied. It is also used to describe how an object in a connector space is related to an object in the metaverse, known as join or match. Synchronization Rules have a precedence value indicating how they relate to each other. A Synchronization Rule with a lower numeric value has a higher precedence, and in an attribute flow conflict the higher precedence wins the conflict resolution.

As an example, look at the Synchronization Rule In from AD - User AccountEnabled. Mark this line in the SRE and select Edit.

Since this rule is an out-of-box rule, you receive a warning when you open it. You should not make any changes to out-of-box rules, so you are asked what your intentions are. In this case, you only want to view the rule. Select No.

Synchronization rule warning

A Synchronization Rule has four configuration sections: Description, Scoping filter, Join rules, and Transformations.

Description

The first section provides basic information such as a name and description.

Description tab in the Synchronization Rules Editor

You also find information about which connected system this rule is related to, which object type in the connected system it applies to, and the metaverse object type. The metaverse object type is always person, regardless of whether the source object type is user, iNetOrgPerson, or contact. The metaverse object type should never change, so it is created as a generic type. The Link Type can be set to Join, StickyJoin, or Provision. This setting works together with the Join Rules section and is covered later.

You can also see that this sync rule is used for password sync. If a user is in scope for this sync rule, the password is synchronized from on-premises to the cloud (assuming you have enabled the password sync feature).

Scoping filter

The Scoping Filter section is used to configure when a Synchronization Rule should apply. Since the name of the Synchronization Rule you are looking at indicates it should only be applied to enabled users, the scope is configured so that the AD attribute userAccountControl must not have the bit 2 set. When the sync engine finds a user in AD, it applies this sync rule when userAccountControl is set to the decimal value 512 (enabled normal user). It does not apply the rule when the user has userAccountControl set to 514 (disabled normal user).

Scoping tab in the Synchronization Rules Editor

The scoping filter has Groups and Clauses that can be nested. All clauses inside a group must be satisfied for a Synchronization Rule to apply. When multiple groups are defined, at least one group must be satisfied for the rule to apply. That is, a logical OR is evaluated between groups and a logical AND is evaluated inside a group. An example of this configuration can be found in the outbound Synchronization Rule Out to AAD - Group Join. There are several scoping filter groups, for example one for security groups (securityEnabled EQUAL True) and one for distribution groups (securityEnabled EQUAL False).

Scoping tab in the Synchronization Rules Editor

This rule is used to define which groups should be provisioned to Azure AD. Distribution Groups must be mail-enabled to be synchronized with Azure AD, but for security groups an email address is not required.
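The group/clause evaluation just described, as an added example in Python (not code from the article or from Azure AD Connect). A filter is a list of groups, each group a list of (attribute, operator, value) clauses; groups are ORed and clauses inside a group are ANDed. The operator names mirror the ones shown in the Synchronization Rules Editor (EQUAL, NOTEQUAL, ISBITSET, ISNOTBITSET, ISNULL, ISNOTNULL); the two filters at the bottom are constructed sketches of the "In from AD - User AccountEnabled" and "Out to AAD - Group Join" scopes discussed above, not exports of the real rules, and how the engine treats an absent attribute in a comparison clause is an assumption noted in the code.

```python
"""Added example, not code from the article or from Azure AD Connect: how a
scoping filter is evaluated. Groups are ORed, clauses inside a group are ANDed.
Operator names follow the ones shown in the Synchronization Rules Editor; the
filters below are constructed sketches, not exports of the real rules."""
from typing import List, Optional, Tuple

Clause = Tuple[str, str, object]   # (attribute, operator, value)
Filter = List[List[Clause]]        # groups of clauses


def clause_matches(obj: dict, clause: Clause) -> bool:
    attr, op, value = clause
    actual = obj.get(attr)
    if op == "ISNULL":
        return actual is None
    if op == "ISNOTNULL":
        return actual is not None
    if actual is None:          # assumption: an absent attribute satisfies no comparison clause
        return False
    if op == "EQUAL":
        return actual == value
    if op == "NOTEQUAL":
        return actual != value
    if op == "ISBITSET":
        return (int(actual) & int(value)) != 0
    if op == "ISNOTBITSET":
        return (int(actual) & int(value)) == 0
    raise ValueError(f"unsupported operator {op!r}")


def matching_group(obj: dict, scope: Filter) -> Optional[int]:
    """Index of the first group whose clauses all match (AND), or None if no group matches (OR)."""
    for index, group in enumerate(scope):
        if all(clause_matches(obj, clause) for clause in group):
            return index
    return None


def in_scope(obj: dict, scope: Filter) -> bool:
    return matching_group(obj, scope) is not None


# "In from AD - User AccountEnabled": one group, one clause. Bit 2 of userAccountControl is ACCOUNTDISABLE.
USER_ACCOUNT_ENABLED_SCOPE: Filter = [
    [("userAccountControl", "ISNOTBITSET", 2)],
]

# Constructed sketch of "Out to AAD - Group Join": security groups in one group, mail-enabled
# distribution groups in a second group. The real rule's exact clause set is not reproduced here.
GROUP_JOIN_SCOPE: Filter = [
    [("securityEnabled", "EQUAL", True)],
    [("securityEnabled", "EQUAL", False), ("mail", "ISNOTNULL", None)],
]

if __name__ == "__main__":
    # 66048 = 512 | 65536 (DONT_EXPIRE_PASSWD): other flags do not affect the ACCOUNTDISABLE test.
    for uac in (512, 514, 66048):
        print("userAccountControl", uac, "->", in_scope({"userAccountControl": uac}, USER_ACCOUNT_ENABLED_SCOPE))
    print("distribution group without mail ->", in_scope({"securityEnabled": False}, GROUP_JOIN_SCOPE))
```

The point to take from the bit test is that the AccountEnabled rule keys on one flag of userAccountControl, not on the whole value: 66048 is still an enabled account and still in scope, while 514 is not.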

Join rules

The third section is used to configure how objects in the connector space relate to objects in the metaverse. The rule you looked at earlier does not have any configuration for Join Rules, so instead look at In from AD - User Join.

Join Rules tab in the Synchronization Rules Editor

The content of the join rule depends on the matching option selected in the installation wizard. For an inbound rule, the evaluation starts with an object in the source connector space, and each group in the join rules is evaluated in sequence. If a source object is evaluated to match exactly one object in the metaverse using one of the join rules, the objects are joined. If all rules have been evaluated and there is no match, the Link Type on the description page is used. If this configuration is set to Provision, a new object is created in the target, the metaverse. Provisioning a new object to the metaverse is also known as projecting an object to the metaverse.

The join rules are only evaluated once. When a connector space object and a metaverse object are joined, they remain joined as long as the scope of the Synchronization Rule is still satisfied.

When evaluating Synchronization Rules, only one Synchronization Rule with join rules defined must be in scope. If multiple Synchronization Rules with join rules are found for one object, an error is thrown. For this reason, the best practice is to have only one Synchronization Rule with a join defined when multiple Synchronization Rules are in scope for an object. In the out-of-box configuration for Azure AD Connect sync, these rules can be found by looking for names that end with the word Join. A Synchronization Rule without any join rules defined applies its attribute flows when another Synchronization Rule has joined the objects together or provisioned a new object in the target.

If you look at the picture above, you can see that the rule is trying to join objectSID with msExchMasterAccountSid (Exchange) and msRTCSIP-OriginatorSid (Lync), which is what we expect in an account-resource forest topology. You find the same rule on all forests. The assumption is that every forest could be either an account or a resource forest. This configuration also works if you have accounts that live in a single forest and do not have to be joined.

Transformations

The Transformations section defines all attribute flows that apply to the target object when the objects are joined and the scoping filter is satisfied. Going back to the In from AD - User AccountEnabled Synchronization Rule, you find the following transformations:

Transformations tab in the Synchronization Rules Editor

To put this configuration in context: in an account-resource forest deployment, it is expected to find an enabled account in the account forest and a disabled account in the resource forest with Exchange and Lync settings. The Synchronization Rule you are looking at contains the attributes required for sign-in, and these attributes should flow from the forest where there is an enabled account. All these attribute flows are put together in one Synchronization Rule.

A transformation can have different types: Constant, Direct, and Expression.

  • A constant flow always flows a hardcoded value. In the case above, it always sets the value True in the metaverse attribute named accountEnabled.
  • A direct flow always flows the value of the attribute in the source to the target attribute as-is.
  • The third flow type is Expression, and it allows for more advanced configurations.

The expression language is VBA (Visual Basic for Applications), so people with experience of Microsoft Office or VBScript will recognize the format. Attributes are enclosed in square brackets, [attributeName]. Attribute names and function names are case-sensitive, but the Synchronization Rules Editor evaluates the expressions and provides a warning if an expression is not valid. All expressions are expressed on a single line with nested functions. To show the power of the configuration language, here is the flow for pwdLastSet, but with additional comments inserted:

// If-then-else
IIF(
// (The evaluation for IIF) Is the attribute pwdLastSet present in AD?
IsPresent([pwdLastSet]),
// (The True part of IIF) If it is, then from right to left, convert the AD time format to a .NET datetime, change it to the time format used by Azure AD, and finally convert it to a string.
CStr(FormatDateTime(DateFromNum([pwdLastSet]),"yyyyMMddHHmmss.0Z")),
// (The False part of IIF) Nothing to contribute
NULL
)
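The pwdLastSet flow above, re-expressed in Python as an added example (not code from the article or from Azure AD Connect). pwdLastSet is stored in AD as a Windows FILETIME, a count of 100-nanosecond intervals since 1601-01-01 UTC; `date_from_num` plays the role of DateFromNum, `format_date_time` the role of FormatDateTime with the one format string the rule uses, and the IIF/NULL branch becomes a `None` return. The function names are this example's own and the sample values are constructed.

```python
"""Added example, not code from the article or from Azure AD Connect: the
pwdLastSet attribute flow re-expressed in Python. pwdLastSet is a Windows
FILETIME (100-ns ticks since 1601-01-01 UTC); the rule converts it to a
datetime, formats it as yyyyMMddHHmmss.0Z, and contributes NULL when absent."""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AZURE_AD_TIME_FORMAT = "yyyyMMddHHmmss.0Z"   # the only format string this example supports


def date_from_num(filetime: int) -> datetime:
    """DateFromNum: FILETIME ticks -> UTC datetime (sub-microsecond residue is dropped)."""
    if filetime < 0:
        raise ValueError("FILETIME values are non-negative")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def format_date_time(value: datetime, fmt: str = AZURE_AD_TIME_FORMAT) -> str:
    """FormatDateTime for the one .NET format string the rule uses."""
    if fmt != AZURE_AD_TIME_FORMAT:
        raise ValueError(f"unsupported format {fmt!r}")
    # Built by hand rather than strftime so years before 1900 format the same on every platform.
    return (f"{value.year:04d}{value.month:02d}{value.day:02d}"
            f"{value.hour:02d}{value.minute:02d}{value.second:02d}.0Z")


def pwd_last_set_flow(obj: dict) -> Optional[str]:
    """IIF(IsPresent([pwdLastSet]), CStr(FormatDateTime(DateFromNum([pwdLastSet]), ...)), NULL)"""
    if obj.get("pwdLastSet") is None:          # IsPresent(...) is False -> NULL
        return None
    return format_date_time(date_from_num(int(obj["pwdLastSet"])))


if __name__ == "__main__":
    # Constructed samples: the Unix epoch expressed as a FILETIME, one hour later, absent, and 0
    # (which in AD means "must change password at next logon"; the expression does not special-case it).
    for sample in ({"pwdLastSet": 116444736000000000},
                   {"pwdLastSet": 116444736000000000 + 3600 * 10**7},
                   {},
                   {"pwdLastSet": 0}):
        print(sample, "->", pwd_last_set_flow(sample))
```

The value 0 is worth noticing when reviewing what reaches Azure AD: the expression happily emits 16010101000000.0Z for it, so a consumer of the metaverse attribute has to recognise that sentinel itself rather than treat it as a real timestamp.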

See Understanding Declarative Provisioning Expressions for more information on the expression language for attribute flows.

Precedence

You have now looked at some individual Synchronization Rules, but the rules work together in the configuration. In some cases, an attribute value is contributed from multiple Synchronization Rules to the same target attribute. In this case, attribute precedence is used to determine which attribute wins. As an example, look at the attribute sourceAnchor. This attribute is important for being able to sign in to Azure AD. You can find an attribute flow for this attribute in two different Synchronization Rules, In from AD - User AccountEnabled and In from AD - User Common. Due to Synchronization Rule precedence, when several objects are joined to the metaverse object the sourceAnchor attribute is contributed from the forest with an enabled account first. If there are no enabled accounts, the sync engine uses the catch-all Synchronization Rule In from AD - User Common. This configuration ensures that even accounts that are disabled still have a sourceAnchor.

Inbound synchronization rules

The precedence for Synchronization Rules is set in groups by the installation wizard. All rules in a group have the same name, but they are connected to different connected directories. The installation wizard gives the rule In from AD - User Join the highest precedence, iterating over all connected AD directories. It then continues with the next groups of rules in a predefined order. Inside a group, the rules are added in the order the Connectors were added in the wizard. If another Connector is added through the wizard, the Synchronization Rules are reordered and the new Connector's rules are inserted last in each group.

Putting it all together

We now know enough about Synchronization Rules to understand how the configuration works with the different Synchronization Rules. If you look at a user and the attributes that are contributed to the metaverse, the rules are applied in the following order:

  • In from AD - User Join: Rule for joining connector space objects with the metaverse.
  • In from AD - User AccountEnabled: Attributes required for sign-in to Azure AD and Office 365. We want these attributes from the enabled account.
  • In from AD - User Common from Exchange: Attributes found in the Global Address List. We assume the data quality is best in the forest where we have found the user's mailbox.
  • In from AD - User Common: Attributes found in the Global Address List. In case we didn't find a mailbox, any other joined object can contribute the attribute value.
  • In from AD - User Exchange: Only exists if Exchange has been detected. It flows all infrastructure Exchange attributes.
  • In from AD - User Lync: Only exists if Lync has been detected. It flows all infrastructure Lync attributes.
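Attribute precedence across the rules in the list above, worked through in Python as an added example (not code from the article or from Azure AD Connect). Two connector space objects from different forests are joined to one metaverse person; every rule whose scope matches contributes its flows, and for each target attribute the contribution with the lowest precedence number wins, with the earlier-created Connector winning ties on the same rule, as the Precedence section describes. The rule names are the article's; the precedence numbers, the much reduced flow lists, the scope predicates and the two sample forest objects are constructed.

```python
"""Added example, not code from the article or from Azure AD Connect: attribute
precedence resolution across joined connector space objects. Rule names are the
article's; precedence numbers, flows, scope predicates and samples are constructed."""
from typing import Callable, Dict, List, Tuple

# (rule name, precedence, scope predicate, flows as target <- source attribute)
Rule = Tuple[str, int, Callable[[dict], bool], Dict[str, str]]

RULES: List[Rule] = [
    ("In from AD - User AccountEnabled", 100,
     lambda o: (o["userAccountControl"] & 2) == 0,            # ACCOUNTDISABLE bit not set
     {"sourceAnchor": "objectGUID", "userPrincipalName": "userPrincipalName"}),
    ("In from AD - User Common from Exchange", 102,
     lambda o: o.get("mailNickname") is not None,             # a mailbox was found in this forest
     {"displayName": "displayName", "mail": "mail"}),
    ("In from AD - User Common", 104,
     lambda o: True,                                          # catch-all
     {"sourceAnchor": "objectGUID", "displayName": "displayName"}),
]


def resolve(joined: List[dict]) -> Dict[str, Tuple[object, str, str]]:
    """Resolve attribute flows for connector space objects joined to one metaverse object.

    `joined` is ordered by Connector creation; a rule's copy for an earlier Connector has a lower
    precedence number than its copy for a later one, so ties on the rule are broken by position.
    Returns target attribute -> (value, winning rule name, contributing forest).
    """
    best: Dict[str, Tuple[Tuple[int, int], object, str, str]] = {}
    for position, obj in enumerate(joined):
        for name, precedence, scope, flows in RULES:
            if not scope(obj):
                continue
            for target, source in flows.items():
                value = obj.get(source)
                if value is None:          # nothing to contribute from this object
                    continue
                key = (precedence, position)
                if target not in best or key < best[target][0]:
                    best[target] = (key, value, name, obj["forest"])
    return {target: (value, name, forest) for target, (_, value, name, forest) in best.items()}


# Constructed sample: enabled account in account forest A, disabled account with the
# mailbox in resource forest R (the account-resource topology used in the article).
ACCOUNT_FOREST_USER = {"forest": "A", "userAccountControl": 512, "objectGUID": "guid-A",
                       "userPrincipalName": "alice@fabrikamonline.com", "displayName": "alice"}
RESOURCE_FOREST_USER = {"forest": "R", "userAccountControl": 514, "objectGUID": "guid-R",
                        "mailNickname": "alice", "displayName": "Alice Smith",
                        "mail": "alice.smith@fabrikamonline.com"}

if __name__ == "__main__":
    for target, (value, rule, forest) in resolve([ACCOUNT_FOREST_USER, RESOURCE_FOREST_USER]).items():
        print(f"{target:18s} = {value!r:36s} via {rule} (forest {forest})")
```

Running it shows sourceAnchor and userPrincipalName coming from forest A through the AccountEnabled rule while displayName and mail come from forest R through the Exchange rule; disabling the forest A account too makes sourceAnchor fall through to the catch-all rule, still from forest A because its Connector was created first.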

Next steps

Overview topics