Import and export Azure AD Connect configuration settings (public preview)

Azure Active Directory (Azure AD) Connect deployments vary from a single-forest Express mode installation to complex deployments that synchronize across multiple forests by using custom synchronization rules. Because of the large number of configuration options and mechanisms, it's essential to know which settings are in effect and to be able to quickly deploy a server with an identical configuration. This feature introduces the ability to catalog the configuration of a given synchronization server and import those settings into a new deployment. Different synchronization settings snapshots can be compared to easily visualize the differences between two servers, or between the same server at two points in time.

Each time the configuration is changed from the Azure AD Connect wizard, a new time-stamped JSON settings file is automatically exported to %ProgramData%\AADConnect. The settings file name is of the form Applied-SynchronizationPolicy-*.JSON, where the last part of the file name is the time stamp.

Important

Only changes made through the Azure AD Connect wizard are automatically exported. Any changes made by using PowerShell, the Synchronization Service Manager, or the Synchronization Rules Editor must be exported on demand to keep the exported copy current. Export on demand can also be used to place a copy of the settings in a secure location for disaster recovery purposes.

Export Azure AD Connect settings

To view a summary of your configuration settings, open the Azure AD Connect tool and select the additional task named View or Export Current Configuration. A quick summary of your settings is shown, along with the option to export the full configuration of the server.

By default, the settings are exported to %ProgramData%\AADConnect. You can also choose to save the settings to a protected location so that they remain available if a disaster occurs. Settings are exported in JSON format and must not be hand-created or edited, so that they stay logically consistent. Importing a hand-created or edited file isn't supported and might lead to unexpected results.
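The following PowerShell is an added example, not part of this page or of the Azure AD Connect product. It copies the newest automatically exported snapshot to a protected backup folder, breaks ACL inheritance so only Administrators and SYSTEM can read it, and records a SHA-256 hash so the copy can be verified before a disaster-recovery import. The backup path is a hypothetical placeholder; the export directory and file name pattern are the ones described above.

```powershell
# Added example (not from the page or the product): back up the newest settings snapshot.
# Assumptions: $BackupRoot is a hypothetical protected folder, ideally off the sync server;
# the export directory and file name pattern are as the page describes.

$ExportDir  = Join-Path $env:ProgramData 'AADConnect'
$BackupRoot = 'D:\Backup\AADConnect'   # hypothetical protected location

# Newest Applied-SynchronizationPolicy-*.JSON. The time stamp is in the name, but
# LastWriteTime is a safer sort key than string order.
$latest = Get-ChildItem -Path $ExportDir -Filter 'Applied-SynchronizationPolicy-*.JSON' -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No Applied-SynchronizationPolicy-*.JSON found in $ExportDir" }

# Refuse to back up anything that is not valid JSON; hand-edited files are unsupported anyway.
try   { $null = Get-Content -Raw -Path $latest.FullName | ConvertFrom-Json }
catch { throw "$($latest.Name) is not valid JSON: $_" }

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$dest = Join-Path $BackupRoot ('{0}_{1}' -f $env:COMPUTERNAME, $latest.Name)
Copy-Item -Path $latest.FullName -Destination $dest -ErrorAction Stop

# Break inheritance and allow only Administrators and SYSTEM, so the backup folder's
# broader permissions never reach the settings file.
$acl = Get-Acl -Path $dest
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
}
Set-Acl -Path $dest -AclObject $acl

# Store the hash beside the copy; check it with Get-FileHash before importing after a disaster.
$hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
"$hash  $(Split-Path -Path $dest -Leaf)" | Set-Content -Path "$dest.sha256" -Encoding ASCII
Write-Host "Backed up $($latest.Name) to $dest (SHA256 $hash)"
```

Run it in an elevated session on the synchronization server after each configuration change, or schedule it; the JSON validity check is there because the import wizard does not support edited files, so a corrupted backup is worse than none.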

Import Azure AD Connect settings

To import previously exported settings:

  1. Install Azure AD Connect on a new server.

  2. Select the Customize option after the Welcome page.

  3. Select Import synchronization settings, then browse for the previously exported JSON settings file.

  4. Select Install.

    Screenshot that shows the Install required components screen.

Note

Override settings on this page, such as using SQL Server instead of LocalDB or using an existing service account instead of the default VSA, aren't imported from the configuration settings file. They are shown for information and comparison purposes only.

Import installation experience

The import installation experience is intentionally kept simple, with minimal input from the user, so that an existing server can be reproduced easily.

The following are the only changes that can be made during the installation experience. All other changes can be made after installation from the Azure AD Connect wizard:

  • Azure Active Directory credentials: The account name of the Azure Global Administrator used to configure the original server is suggested by default. It must be changed if you want to synchronize information to a different directory.
  • User sign-in: The sign-on options configured for the original server are selected by default, and you are automatically prompted for any credentials or other information needed during configuration. In rare cases, there might be a need to set up the server with different options to avoid changing the behavior of the active server. Otherwise, select Next to use the same settings.
  • On-premises directory credentials: For each on-premises directory included in your synchronization settings, you must provide credentials to create a synchronization account or supply a pre-created custom synchronization account. This procedure is identical to the clean install experience, except that you can't add or remove directories.
  • Configuration options: As with a clean install, you can choose the initial settings for whether to start automatic synchronization or enable Staging mode. The main difference is that Staging mode is intentionally enabled by default, so you can compare the configuration and synchronization results before the server actively exports anything to Azure.

Screenshot that shows the Connect your directories screen.

Note

Only one synchronization server can be in the primary role and actively exporting changes to Azure. All other servers must be placed in Staging mode.

Migrate settings from an existing server

If an existing server runs a version that doesn't support settings management, you can either upgrade the server in place or migrate its settings for use on a new staging server.

Migration requires running a PowerShell script that extracts the existing settings for use in a new installation. Use this method to catalog the settings of your existing server and then apply them to a newly installed staging server. Comparing the settings of the original server with those of the newly created server quickly visualizes the changes between the two. As always, follow your organization's certification process to ensure that no additional configuration is required.

Migration process

To migrate the settings:

  1. Start AzureADConnect.msi on the new staging server, and stop at the Welcome page of Azure AD Connect.

  2. Copy MigrateSettings.ps1 from the Azure AD Connect\Tools directory to a location on the existing server. An example is C:\setup, where setup is a directory created on the existing server.

    Screenshot that shows the Azure AD Connect directory.

  3. Run the script as shown here, and save the entire down-level server configuration directory. Copy this directory to the new staging server. You must copy the entire Exported-ServerConfiguration-* folder, not just individual files, to the new server.

    Screenshot that shows the script in Windows PowerShell. Screenshot that shows copying the Exported-ServerConfiguration-* folder.

  4. Start Azure AD Connect by double-clicking the icon on the desktop. Accept the Microsoft Software License Terms, and on the next page, select Customize.

  5. Select the Import synchronization settings check box. Select Browse to browse to the copied Exported-ServerConfiguration-* folder, and select MigratedPolicy.json to import the migrated settings.

    Screenshot that shows the Import synchronization settings option.
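Steps 2, 3 and 5 above can be driven from one PowerShell script on the existing server. The following is an added example, not part of this page or of the product: it runs MigrateSettings.ps1, locates the Exported-ServerConfiguration-* folder it produced, confirms MigratedPolicy.json is present, copies the whole folder to the staging server over PowerShell remoting and verifies every file by SHA-256 hash on both sides. It assumes that MigrateSettings.ps1 has already been copied to C:\setup, that it runs without mandatory parameters and writes its output folder under the working directory (the page does not document the script's parameters, so this is an assumption), and that AADC-STAGING is a hypothetical staging server name with WinRM enabled.

```powershell
# Added example (not from the page or the product): run the migration script and ship the
# entire Exported-ServerConfiguration-* folder to the staging server.
# Assumptions: MigrateSettings.ps1 is in C:\setup, takes no mandatory parameters and writes
# under the current directory; 'AADC-STAGING' is a hypothetical server name.

$Work     = 'C:\setup'
$Staging  = 'AADC-STAGING'
$DestRoot = 'C:\setup'

Set-Location -Path $Work
& (Join-Path $Work 'MigrateSettings.ps1')

# Pick the folder the script just produced (newest Exported-ServerConfiguration-*).
$exported = Get-ChildItem -Path $Work -Directory -Filter 'Exported-ServerConfiguration-*' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $exported) { throw "No Exported-ServerConfiguration-* folder was created in $Work" }

# The wizard selects MigratedPolicy.json, but the whole folder must travel together.
if (-not (Test-Path (Join-Path $exported.FullName 'MigratedPolicy.json'))) {
    throw "MigratedPolicy.json is missing from $($exported.FullName)"
}

# Relative path + SHA-256 for every file under a folder, used on both ends of the copy.
$hashTree = {
    param($root)
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Rel  = $_.FullName.Substring($root.Length)
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$session = New-PSSession -ComputerName $Staging
try {
    Invoke-Command -Session $session -ArgumentList $DestRoot -ScriptBlock {
        param($p) New-Item -ItemType Directory -Path $p -Force | Out-Null
    }
    Copy-Item -Path $exported.FullName -Destination $DestRoot -Recurse -ToSession $session

    $local  = & $hashTree $exported.FullName
    $remote = Invoke-Command -Session $session -ScriptBlock $hashTree `
        -ArgumentList (Join-Path $DestRoot $exported.Name)

    $diff = Compare-Object -ReferenceObject $local -DifferenceObject $remote -Property Rel, Hash
    if ($diff) { $diff | Format-Table -AutoSize; throw 'Copied folder does not match the source' }
    Write-Host "Copied $($exported.Name) to $Staging`:$DestRoot; select MigratedPolicy.json in the wizard"
}
finally { Remove-PSSession -Session $session }
```

The hash comparison is what makes the copy trustworthy: a folder that arrives with a file missing or truncated will import something other than the catalogued configuration, and the wizard has no way to tell.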

Post-installation verification

Comparing the originally imported settings file with the settings file exported from the newly deployed server is an essential step in understanding any differences between the intended and the resulting deployment. Using your favorite side-by-side text comparison application yields an instant visualization that quickly highlights any desired or accidental changes.

Although many formerly manual configuration steps are now eliminated, you should still follow your organization's certification process to ensure that no additional configuration is required. Additional configuration might be needed if you use advanced settings, which aren't currently captured in the public preview release of settings management.

Here are the known limitations:
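A text diff of two JSON files is noisy when keys are reordered or re-indented. The following PowerShell is an added example, not part of this page or of the product: it flattens each settings file into "path = value" lines and reports only the settings that actually differ. It makes no assumption about the JSON schema, so it also serves the earlier use of comparing two Applied-SynchronizationPolicy-*.JSON snapshots from the same server over time. The reference file path is a placeholder.

```powershell
# Added example (not from the page or the product): structural diff of two exported
# Azure AD Connect settings files. Assumption: 'C:\setup\ImportedSettings.json' is a
# placeholder for the file you imported; the JSON schema itself is not assumed.

function ConvertTo-FlatSettings {
    param($Object, [string] $Prefix = '')
    # Recursively walk objects and arrays, emitting one "path = value" string per leaf.
    if ($null -eq $Object) { return "$Prefix = <null>" }
    if ($Object -is [System.Collections.IList]) {
        $i = 0
        foreach ($item in $Object) { ConvertTo-FlatSettings -Object $item -Prefix "${Prefix}[$i]"; $i++ }
        if ($i -eq 0) { "$Prefix = []" }
        return
    }
    if ($Object.PSObject.BaseObject -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Object.PSObject.Properties) {
            $name = if ($Prefix) { "$Prefix.$($p.Name)" } else { $p.Name }
            ConvertTo-FlatSettings -Object $p.Value -Prefix $name
        }
        return
    }
    "$Prefix = $Object"
}

function Compare-AadcSettings {
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,   # file you imported
        [Parameter(Mandatory)] [string] $DifferencePath   # file the new server exported
    )
    $ref = ConvertTo-FlatSettings -Object (Get-Content -Raw -Path $ReferencePath | ConvertFrom-Json)
    $dif = ConvertTo-FlatSettings -Object (Get-Content -Raw -Path $DifferencePath | ConvertFrom-Json)
    Compare-Object -ReferenceObject $ref -DifferenceObject $dif |
        Sort-Object -Property InputObject |
        ForEach-Object {
            $side = if ($_.SideIndicator -eq '<=') { 'only in reference ' } else { 'only in new server' }
            "$side : $($_.InputObject)"
        }
}

# Compare the file fed to "Import synchronization settings" with the snapshot the wizard
# wrote on the new server (the newest Applied-SynchronizationPolicy-*.JSON).
$exportDir = Join-Path $env:ProgramData 'AADConnect'
$newest = Get-ChildItem -Path $exportDir -Filter 'Applied-SynchronizationPolicy-*.JSON' -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($newest) {
    Compare-AadcSettings -ReferencePath 'C:\setup\ImportedSettings.json' -DifferencePath $newest.FullName
}
```

An empty result means the two files describe the same settings. Every line that is printed should be either an intended change or one of the known limitations listed below; anything else is a candidate for the certification process.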

  • Synchronization rules: The precedence of a custom rule must be in the reserved range of 0 to 99 to avoid conflicts with Microsoft's standard rules. Placing a custom rule outside the reserved range might result in the custom rule being shifted as standard rules are added to the configuration. A similar issue occurs if your configuration contains modified standard rules. Modifying a standard rule is discouraged, and the placement of such a rule after import is likely to be incorrect.
  • Synchronized object types: Although it's possible to constrain the list of synchronized object types (such as users, contacts, and groups) by using the Synchronization Service Manager, this isn't currently supported via synchronization settings. After you finish the installation, you must manually reapply this advanced configuration.
  • Custom run profiles: Although it's possible to modify the default set of run profiles by using the Synchronization Service Manager, this isn't currently supported via synchronization settings. After you finish the installation, you must manually reapply this advanced configuration.
  • Configuring the provisioning hierarchy: This advanced feature of the Synchronization Service Manager isn't supported via synchronization settings. It must be manually reconfigured after you finish the initial deployment.
  • Active Directory Federation Services (AD FS) and PingFederate authentication: The sign-on methods associated with these authentication features are automatically preselected. You must interactively supply all other required configuration parameters.
  • Disabled custom synchronization rules are imported as enabled: A custom synchronization rule that was disabled on the original server is imported as enabled. Make sure to disable it again on the new server before it leaves Staging mode.
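Two of the limitations above, custom-rule precedence outside 0 to 99 and disabled rules coming back enabled, can be checked mechanically before the new server leaves Staging mode. The following PowerShell is an added example, not part of this page or of the product. It uses Get-ADSyncRule from the ADSync module that ships with Azure AD Connect; Get-CustomRuleState is run first on the original server and its output saved, then Test-ImportedRules compares the new server against that saved state. The file path is a placeholder, and the assumption that the rule objects expose Name, Precedence, IsStandardRule and Disabled properties is stated in the code.

```powershell
# Added example (not from the page or the product): audit custom sync rules after an import.
# Assumptions: run in an elevated session on a server with the ADSync module; Get-ADSyncRule
# objects expose Name, Precedence, IsStandardRule and Disabled; the XML path is a placeholder.

Import-Module ADSync

function Get-CustomRuleState {
    # Name, precedence and enabled state of every non-standard rule on this server.
    Get-ADSyncRule | Where-Object { -not $_.IsStandardRule } |
        Select-Object Name, Precedence, Disabled, Direction
}

function Test-ImportedRules {
    param([Parameter(Mandatory)] $Expected)   # Get-CustomRuleState output from the original server
    $actual = @(Get-CustomRuleState)

    foreach ($rule in $actual) {
        if ($rule.Precedence -lt 0 -or $rule.Precedence -gt 99) {
            [pscustomobject]@{ Rule = $rule.Name; Issue = "precedence $($rule.Precedence) is outside the reserved 0-99 range" }
        }
        $orig = $Expected | Where-Object { $_.Name -eq $rule.Name } | Select-Object -First 1
        if (-not $orig) {
            [pscustomobject]@{ Rule = $rule.Name; Issue = 'not present on the original server' }
        }
        elseif ($orig.Disabled -and -not $rule.Disabled) {
            # The limitation this page documents: disabled rules are imported as enabled.
            [pscustomobject]@{ Rule = $rule.Name; Issue = 'disabled on the original server but enabled after import' }
        }
    }
    foreach ($name in @($Expected.Name | Where-Object { $_ -notin $actual.Name })) {
        [pscustomobject]@{ Rule = $name; Issue = 'present on the original server but missing here' }
    }
}

# On the original server:
#   Get-CustomRuleState | Export-Clixml -Path C:\setup\custom-rules.xml
# On the new server, after the import has been applied:
$findings = @(Test-ImportedRules -Expected (Import-Clixml -Path 'C:\setup\custom-rules.xml'))
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) rule issue(s); fix them in the Synchronization Rules Editor before leaving Staging mode"
} else {
    Write-Host 'Custom rules match the original server and are all within precedence 0-99'
}
```

A rule that should be disabled but is enabled on the staging server is the most consequential finding: once the server is promoted to the primary role it would start flowing attributes the original server deliberately did not, so treat any finding here as a blocker for the switch-over.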

Next steps