Azure AD Connect sync: Understanding Users, Groups, and Contacts

There are several different reasons why you would have multiple Active Directory forests, and there are several different deployment topologies. Common models include an account-resource deployment and GAL-synced forests after a merger and acquisition. But even if there are pure models, hybrid models are common as well. The default configuration in Azure AD Connect sync does not assume any particular model, but depending on how user matching was selected in the installation guide, different behaviors can be observed.

In this topic, we go through how the default configuration behaves in certain topologies. We walk through the configuration, and the Synchronization Rules Editor can be used to look at it.

There are a few general rules the configuration assumes:

  • Regardless of which order we import from the source Active Directories, the end result should always be the same.
  • An active account will always contribute sign-in information, including userPrincipalName and sourceAnchor.
  • A disabled account will contribute userPrincipalName and sourceAnchor, unless it is a linked mailbox, if there is no active account to be found.
  • An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later.
  • A contact object might be provisioned to Azure AD as a contact or as a user. You don’t really know until all source Active Directory forests have been processed.

Groups

Important points to be aware of when synchronizing groups from Active Directory to Azure AD:

  • Azure AD Connect excludes built-in security groups from directory synchronization.

  • Azure AD Connect does not support synchronizing Primary Group memberships to Azure AD.

  • To synchronize an Active Directory group to Azure AD as a mail-enabled group:

    • If the group's proxyAddress attribute is empty, its mail attribute must have a value.

    • If the group's proxyAddress attribute is non-empty, it must contain at least one SMTP proxy address value. Here are some examples:

      • An Active Directory group whose proxyAddress attribute has the value {"X500:/0=contoso.com/ou=users/cn=testgroup"} will not be mail-enabled in Azure AD. It does not have an SMTP address.

      • An Active Directory group whose proxyAddress attribute has the values {"X500:/0=contoso.com/ou=users/cn=testgroup","SMTP:johndoe@contoso.com"} will be mail-enabled in Azure AD.

      • An Active Directory group whose proxyAddress attribute has the values {"X500:/0=contoso.com/ou=users/cn=testgroup", "smtp:johndoe@contoso.com"} will also be mail-enabled in Azure AD.
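The following is an added example, not code from the Azure AD Connect documentation or product: it evaluates the two mail-enabled rules above against constructed group records (the field names `proxyAddresses`/`mail` and the sample group names are assumptions), including the case-insensitive `SMTP:` prefix shown in the last two bullets.

```python
# Added example (not Azure AD Connect's own logic): decide whether an AD group
# would be provisioned to Azure AD as mail-enabled, per the rules stated above.


def has_smtp_proxy(proxy_addresses):
    """True if at least one proxyAddresses value carries the SMTP prefix.
    The prefix is matched case-insensitively: both 'SMTP:' (primary address)
    and 'smtp:' (secondary address) count, as the examples above show."""
    return any(addr.upper().startswith("SMTP:") for addr in proxy_addresses)


def is_mail_enabled(proxy_addresses, mail=None):
    """Apply the documented rules:
    - empty proxyAddresses     -> the mail attribute must have a value
    - non-empty proxyAddresses -> at least one SMTP proxy address is required
    """
    if not proxy_addresses:
        return bool(mail)
    return has_smtp_proxy(proxy_addresses)


def classify_groups(groups):
    """Return {group name: mail-enabled?} for a list of group records."""
    return {g["name"]: is_mail_enabled(g.get("proxyAddresses", []), g.get("mail"))
            for g in groups}


# Constructed sample groups mirroring the three cases above plus the
# empty-proxyAddresses branch of the rule (names are made up).
SAMPLE_GROUPS = [
    {"name": "testgroup-x500-only",
     "proxyAddresses": ["X500:/0=contoso.com/ou=users/cn=testgroup"]},
    {"name": "testgroup-primary-smtp",
     "proxyAddresses": ["X500:/0=contoso.com/ou=users/cn=testgroup",
                        "SMTP:johndoe@contoso.com"]},
    {"name": "testgroup-secondary-smtp",
     "proxyAddresses": ["X500:/0=contoso.com/ou=users/cn=testgroup",
                        "smtp:johndoe@contoso.com"]},
    {"name": "testgroup-mail-only", "proxyAddresses": [], "mail": "sales@contoso.com"},
    {"name": "testgroup-no-address", "proxyAddresses": []},
]

if __name__ == "__main__":
    for name, enabled in classify_groups(SAMPLE_GROUPS).items():
        print(f"{name:26s} mail-enabled={enabled}")
```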

Contacts

Having contacts representing a user in a different forest is common after a merger and acquisition where a GALSync solution is bridging two or more Exchange forests. The contact object always joins from the connector space to the metaverse using the mail attribute. If there is already a contact object or user object with the same mail address, the objects are joined together. This is configured in the rule In from AD - Contact Join. There is also a rule named In from AD - Contact Common with an attribute flow to the metaverse attribute sourceObjectType with the constant Contact. This rule has very low precedence, so if any user object is joined to the same metaverse object, the rule In from AD - User Common will contribute the value User to this attribute. With this rule, the attribute will have the value Contact if no user has been joined and the value User if at least one user has been found.

For provisioning an object to Azure AD, the outbound rule Out to AAD - Contact Join will create a contact object if the metaverse attribute sourceObjectType is set to Contact. If this attribute is set to User, then the rule Out to AAD - User Join will create a user object instead. It is possible that an object is promoted from Contact to User when more source Active Directories are imported and synchronized.

For example, in a GALSync topology we will find contact objects for everyone in the second forest when we import the first forest. This will stage new contact objects in the AAD Connector. When we later import and synchronize the second forest, we will find the real users and join them to the existing metaverse objects. We will then delete the contact object in AAD and create a new user object instead.

If you have a topology where users are represented as contacts, make sure you select to match users on the mail attribute in the installation guide. If you select another option, then you will have an order-dependent configuration. Contact objects will always join on the mail attribute, but user objects will only join on the mail attribute if this option was selected in the installation guide. You could then end up with two different objects in the metaverse with the same mail attribute if the contact object was imported before the user object. During export to Azure AD, an error will be thrown. This behavior is by design and would indicate bad data or that the topology was not correctly identified during the installation.
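The following is an added model of the join behaviour described in this section, not Azure AD Connect's own code: contacts always join on mail, users join on mail only when that option was selected, a joined user outranks a contact for sourceObjectType, and two metaverse objects sharing one mail fail at export. The forests, object records and the `provision` helper are constructed for illustration; a user that does not match on mail is simply modelled as projecting a new metaverse object.

```python
def sync_forests(forests, match_users_on_mail):
    """Import forests in the given order and return the metaverse as a list.
    Each constructed AD object is {'type': 'user'|'contact', 'mail': ..., 'dn': ...}."""
    metaverse = []
    for forest in forests:
        for obj in forest:
            # In from AD - Contact Join: contacts always join on mail.  Users join on
            # mail only when that option was selected during installation; otherwise
            # this model has them project a fresh metaverse object.
            mv = None
            if obj["type"] == "contact" or match_users_on_mail:
                mv = next((m for m in metaverse if m["mail"] == obj["mail"]), None)
            if mv is None:
                mv = {"mail": obj["mail"], "sourceObjectType": "Contact", "joined": []}
                metaverse.append(mv)
            mv["joined"].append(obj["dn"])
            if obj["type"] == "user":  # In from AD - User Common outranks Contact Common
                mv["sourceObjectType"] = "User"
    return metaverse


def export_to_aad(metaverse):
    """Out to AAD - Contact Join / User Join: provision each metaverse object by its
    sourceObjectType.  Two metaverse objects sharing one mail cannot both be exported;
    the text describes this as an export error, modelled here as an exception."""
    provisioned = {}
    for mv in metaverse:
        if mv["mail"] in provisioned:
            raise ValueError(f"export error: duplicate mail {mv['mail']} in metaverse")
        provisioned[mv["mail"]] = mv["sourceObjectType"]
    return provisioned


# Constructed GALSync-style topology: forest A holds a contact for Bob, who is a
# real user in forest B.
FOREST_A = [{"type": "user", "mail": "alice@contoso.com", "dn": "CN=Alice,DC=contoso"},
            {"type": "contact", "mail": "bob@fabrikam.com", "dn": "CN=Bob,OU=GAL,DC=contoso"}]
FOREST_B = [{"type": "user", "mail": "bob@fabrikam.com", "dn": "CN=Bob,DC=fabrikam"}]


def provision(order, match_users_on_mail):
    """Run one import order end to end: returns {mail: 'User'|'Contact'} or raises."""
    return export_to_aad(sync_forests(order, match_users_on_mail))


if __name__ == "__main__":
    print(provision([FOREST_A, FOREST_B], True))   # Bob promoted Contact -> User
    print(provision([FOREST_B, FOREST_A], False))  # user first: the contact joins it
    try:
        provision([FOREST_A, FOREST_B], False)     # contact first: two objects, error
    except ValueError as err:
        print(err)
```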

Disabled accounts

Disabled accounts are synchronized to Azure AD as well. Disabled accounts are commonly used to represent resources in Exchange, for example conference rooms. The exception is users with a linked mailbox; as previously mentioned, these will never provision an account to Azure AD.

The assumption is that if a disabled user account is found, then we will not find another active account later, and the object is provisioned to Azure AD with the userPrincipalName and sourceAnchor found. In case another active account later joins to the same metaverse object, its userPrincipalName and sourceAnchor will be used instead.

Changing sourceAnchor

When an object has been exported to Azure AD, it is no longer allowed to change the sourceAnchor. When the object has been exported, the metaverse attribute cloudSourceAnchor is set with the sourceAnchor value accepted by Azure AD. If sourceAnchor is changed and does not match cloudSourceAnchor, the rule Out to AAD - User Join will throw the error "sourceAnchor attribute has changed". In this case, the configuration or data must be corrected so the same sourceAnchor is present in the metaverse again before the object can be synchronized again.
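The following is an added example, not Azure AD Connect's own code, covering the two rules from the Disabled accounts and Changing sourceAnchor sections: which joined account contributes userPrincipalName and sourceAnchor (active first, then disabled unless it is a linked mailbox), and the export-time check that sourceAnchor still matches cloudSourceAnchor. The account records, the `linked_mailbox` flag and the sample anchor values are constructed assumptions.

```python
def choose_signin_source(accounts):
    """Pick the joined AD account that contributes userPrincipalName/sourceAnchor.
    accounts: dicts with keys enabled, linked_mailbox, userPrincipalName, sourceAnchor.
    Returns the chosen account, or None when no account may contribute yet."""
    # An active account always contributes sign-in information.
    for acct in accounts:
        if acct["enabled"]:
            return acct
    # A disabled account contributes only if it is not a linked mailbox.
    for acct in accounts:
        if not acct["linked_mailbox"]:
            return acct
    return None  # only linked mailboxes so far: an active account is expected later


def check_source_anchor(mv_object):
    """Model the Out to AAD - User Join check: once exported (cloudSourceAnchor set),
    the current sourceAnchor must still match it, otherwise the documented error."""
    cloud = mv_object.get("cloudSourceAnchor")
    if cloud is not None and mv_object["sourceAnchor"] != cloud:
        raise ValueError("sourceAnchor attribute has changed")
    return mv_object["sourceAnchor"]


def export_object(accounts, cloud_source_anchor=None):
    """Combine both rules: choose the contributing account, then run the anchor check.
    Returns (userPrincipalName, sourceAnchor) or None if nothing is provisioned yet."""
    chosen = choose_signin_source(accounts)
    if chosen is None:
        return None
    mv_object = {"sourceAnchor": chosen["sourceAnchor"],
                 "cloudSourceAnchor": cloud_source_anchor}
    return chosen["userPrincipalName"], check_source_anchor(mv_object)


# Constructed accounts: a linked mailbox in a resource forest, a disabled room
# mailbox, and the real active account from the account forest.
LINKED = {"enabled": False, "linked_mailbox": True,
          "userPrincipalName": "alice@resource.local", "sourceAnchor": "AAAA1111=="}
ROOM = {"enabled": False, "linked_mailbox": False,
        "userPrincipalName": "room1@contoso.com", "sourceAnchor": "BBBB2222=="}
ACTIVE = {"enabled": True, "linked_mailbox": False,
          "userPrincipalName": "alice@contoso.com", "sourceAnchor": "CCCC3333=="}

if __name__ == "__main__":
    print(export_object([LINKED]))                      # None: nothing provisioned
    print(export_object([LINKED, ACTIVE]))              # active account wins
    print(export_object([ROOM]))                        # disabled room is provisioned
    print(export_object([ACTIVE], "CCCC3333=="))        # anchor unchanged after export
```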

Additional Resources