Troubleshoot Azure AD connectivity with the ADConnectivityTool PowerShell module

The ADConnectivityTool is a PowerShell module that is used in either of the following situations:

  • During installation, when a network connectivity problem prevents the Azure AD Connect wizard from validating the Active Directory credentials the user provided.
  • After installation, by a user who imports the module and calls its functions from a PowerShell session.

The tool is located at C:\Program Files\Azure Active Directory Connect\Tools\ADConnectivityTool.psm1

ADConnectivityTool during installation

On the Connect your directories page of the Azure AD Connect wizard, if a network issue occurs, the ADConnectivityTool automatically runs one of its functions to determine what is going on. Any of the following is treated as a network issue:

  • The forest name the user provided was mistyped, or the forest does not exist
  • UDP port 389 is closed on the domain controllers associated with the forest the user provided
  • The credentials provided in the 'AD forest account' window do not have the privileges needed to retrieve the domain controllers associated with the target forest
  • Any of TCP ports 53, 88, or 389 is closed on the domain controllers associated with the forest the user provided
  • Both UDP 389 and one or more TCP ports are closed
  • DNS could not be resolved for the provided forest and/or its associated domain controllers
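The checks in that list can be reproduced before running the wizard at all. The following is an added example, not code from the article or from the ADConnectivityTool module: it discovers the domain controllers of a forest through the _ldap._tcp.dc._msdcs SRV record, probes TCP 53, 88 and 389 with Test-NetConnection, and, because Test-NetConnection cannot probe UDP, sends a hand-encoded CLDAP rootDSE search to UDP 389 and treats any BER SEQUENCE reply as "open". The function names, the dnsHostName attribute, and the 2-second timeout are my own choices; the privilege check on the 'AD forest account' credentials is not reproduced because it needs those credentials. Requires the DnsClient and NetTCPIP modules (Windows 8 / Windows Server 2012 and later).

```powershell
function Test-CldapRootDse {
    # Added helper (not part of ADConnectivityTool): LDAP-over-UDP rootDSE search.
    # AD DCs answer rootDSE searches over UDP 389, so a reply proves the port is open.
    param([Parameter(Mandatory)] [string] $Server, [int] $TimeoutMs = 2000)

    $attr   = [System.Text.Encoding]::ASCII.GetBytes('dnsHostName')
    $filter = [System.Text.Encoding]::ASCII.GetBytes('objectClass')
    # BER: SearchRequest { baseObject "", scope baseObject, derefAliases never,
    #      sizeLimit 0, timeLimit 0, typesOnly FALSE, filter (objectClass=*),
    #      attributes SEQUENCE { "dnsHostName" } }
    $attrs  = [byte[]]((0x30, (2 + $attr.Length), 0x04, $attr.Length) + $attr)
    $body   = [byte[]]((0x04,0x00, 0x0A,0x01,0x00, 0x0A,0x01,0x00, 0x02,0x01,0x00,
                        0x02,0x01,0x00, 0x01,0x01,0x00, 0x87, $filter.Length) + $filter + $attrs)
    $search = [byte[]]((0x63, $body.Length) + $body)          # [APPLICATION 3] SearchRequest
    $msg    = [byte[]]((0x30, (3 + $search.Length), 0x02,0x01,0x01) + $search)  # messageID 1

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 389)
        [void]$udp.Send($msg, $msg.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        return ($reply.Length -gt 0 -and $reply[0] -eq 0x30)   # LDAPMessage SEQUENCE tag
    } catch {
        return $false   # timeout or ICMP unreachable: UDP 389 blocked or DC not answering
    } finally {
        $udp.Close()
    }
}

function Test-AadConnectForestConnectivity {
    # Added example: the same network conditions the wizard reports, one object per DC.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Forest, [int] $TimeoutMs = 2000)

    # 1. Does the forest name itself resolve? (typo, wrong DNS server, or no such forest)
    if (-not (Resolve-DnsName -Name $Forest -Type A -ErrorAction SilentlyContinue)) {
        Write-Warning "Forest '$Forest' does not resolve in DNS."
    }

    # 2. Discover the forest's DCs the way a domain-joined client does: the SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Forest" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No domain controllers found for '$Forest' via SRV lookup."
        return
    }

    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        $result = [ordered]@{ DomainController = $dc }

        # 3. DNS for the DC host name (the wizard reports this separately from the forest).
        $result.DnsResolves = $null -ne (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue)

        # 4. TCP 53 (DNS), 88 (Kerberos), 389 (LDAP): the ports the article lists.
        foreach ($port in 53, 88, 389) {
            $result["Tcp$port"] = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        }

        # 5. UDP 389, which Test-NetConnection cannot check.
        $result.Udp389 = Test-CldapRootDse -Server $dc -TimeoutMs $TimeoutMs

        [pscustomobject]$result
    }
}

# Usage (forest name is a placeholder):
# Test-AadConnectForestConnectivity -Forest 'contoso.com' | Format-Table -AutoSize
```

A row with DnsResolves true and every port false usually means a host firewall or an intermediate firewall between the Azure AD Connect server and that DC; a row with Udp389 false and the TCP ports true matches the second bullet above and is worth checking before re-running the wizard, because the wizard's DC discovery relies on the LDAP ping.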

Whenever any of these issues is found, a related error message is displayed in the Azure AD Connect wizard:

[Screenshot: Error]

For example, when you attempt to add a directory on the Connect your directories page, Azure AD Connect needs to verify it and expects to be able to communicate with a domain controller over port 389. If it cannot, you see the error shown in the screenshot above.

What is actually happening behind the scenes is that Azure AD Connect is calling the Start-NetworkConnectivityDiagnosisTools function. This function is called when the validation of credentials fails because of a network connectivity issue.

Finally, a detailed log file is generated whenever the tool is called from the wizard. The log is located at C:\ProgramData\AADConnect\ADConnectivityTool-<date>-<time>.log

ADConnectivityTools post installation

After Azure AD Connect has been installed, any of the functions in the ADConnectivityTools PowerShell module can be used.

You can find reference information on the functions in the ADConnectivityTools Reference.

Start-ConnectivityValidation

This function deserves special mention because it can only be called manually, once ADConnectivityTool.psm1 has been imported into PowerShell.

This function executes the same logic that the Azure AD Connect wizard runs to validate the provided AD credentials, but it provides a much more verbose explanation of the problem and a suggested solution.

The connectivity validation consists of the following steps:

  • Get the domain FQDN (fully qualified domain name) object
  • Validate that, if the user selected 'Create new AD account', these credentials belong to the Enterprise Administrators group
  • Get the forest FQDN object
  • Confirm that at least one domain associated with the previously obtained forest FQDN object is reachable
  • Verify that the forest functional level is Windows Server 2003 or greater

If all these actions execute successfully, the user will be able to add the directory.

If the user runs this function after a problem has been solved (or if no problem exists at all), the output tells the user to go back to the Azure AD Connect wizard and try entering the credentials again.
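The following is an added example of the post-installation workflow, not code from the article or from the module itself. It imports the .psm1 from the path given above, lists the exported functions, runs Start-ConnectivityValidation (the validation described in this section) and then the lower-level Start-NetworkConnectivityDiagnosisTools that the wizard calls on a network failure, and finally reads the newest log from the directory the article names for wizard runs. The parameter names (-Forest, -AutoCreateConnectorAccount, -UserName, -Credentials) are taken from the module's reference documentation, not from this page, so confirm them with Get-Help on your build; the forest name and account name are placeholders.

```powershell
# Added example; adjust the path if your installation directory differs.
Import-Module 'C:\Program Files\Azure Active Directory Connect\Tools\ADConnectivityTool.psm1'

# Enumerate what the module exports before calling anything.
Get-Command -Module ADConnectivityTool | Select-Object Name

$forest  = 'contoso.com'          # placeholder forest FQDN
$account = 'CONTOSO\svc-aadc'     # placeholder AD forest account

# Same validation the wizard performs for the 'AD forest account' step, with verbose
# explanations. Set -AutoCreateConnectorAccount $true if you chose 'Create new AD account'
# in the wizard; that is what triggers the Enterprise Administrators membership check.
# (Parameter names assumed from the module reference; verify with: Get-Help Start-ConnectivityValidation)
Start-ConnectivityValidation -Forest $forest -AutoCreateConnectorAccount $true -UserName $account

# The diagnosis the wizard runs behind the scenes when credential validation fails on a
# network error. Outside the wizard you supply the credentials yourself.
# (Parameter names assumed from the module reference; verify with: Get-Help Start-NetworkConnectivityDiagnosisTools)
$cred = Get-Credential -UserName $account -Message 'AD forest account'
Start-NetworkConnectivityDiagnosisTools -Forest $forest -Credentials $cred

# Read the most recent log in the directory the article gives for wizard-initiated runs.
# If a manual run writes nowhere here, the function's own output states where it logged.
Get-ChildItem 'C:\ProgramData\AADConnect\ADConnectivityTool-*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    Get-Content -Tail 40
```

Run this in an elevated PowerShell session on the Azure AD Connect server itself, since the wizard's failure is about that host's view of the forest; results from an administrator's workstation can differ if the two sit behind different firewall rules.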

Next Steps