Custom installation of Azure Active Directory Connect

Use custom settings in Azure Active Directory (Azure AD) Connect when you want more options for the installation. Use these settings, for example, if you have multiple forests or if you want to configure optional features. Use custom settings in all cases where express installation doesn't satisfy your deployment or topology needs.

Prerequisites:

Custom installation settings

To set up a custom installation for Azure AD Connect, go through the wizard pages that the following sections describe.

Express settings

On the Express Settings page, select Customize to start a customized-settings installation. The rest of this article guides you through the custom installation process. Use the following links to quickly go to the information for a particular page:

Install required components

When you install the synchronization services, you can leave the optional configuration section unselected. Azure AD Connect sets up everything automatically. It sets up a SQL Server 2012 Express LocalDB instance, creates the appropriate groups, and assigns permissions. If you want to change the defaults, clear the appropriate boxes. The following table summarizes these options and provides links to additional information.

Screenshot showing the optional selections for the required installation components in Azure AD Connect.

  • Specify a custom installation location: Allows you to change the default installation path for Azure AD Connect.
  • Use an existing SQL Server: Allows you to specify the SQL Server name and instance name. Choose this option if you already have a database server that you want to use. For Instance Name, enter the instance name, a comma, and the port number if your SQL Server instance doesn't have browsing enabled. Then specify the name of the Azure AD Connect database. Your SQL privileges determine whether a new database can be created or whether your SQL administrator must create the database in advance. If you have SQL Server administrator (SA) permissions, see Install Azure AD Connect by using an existing database. If you have delegated permissions (DBO), see Install Azure AD Connect by using SQL delegated administrator permissions.
  • Use an existing service account: By default, Azure AD Connect provides a virtual service account for the synchronization services. If you use a remote instance of SQL Server or use a proxy that requires authentication, you can use a managed service account or a password-protected service account in the domain. In those cases, enter the account you want to use. To run the installation, you need to be an SA in SQL so you can create sign-in credentials for the service account. For more information, see Azure AD Connect accounts and permissions. By using the latest build, the SQL administrator can provision the database out of band. Then the Azure AD Connect administrator can install it with database owner rights. For more information, see Install Azure AD Connect by using SQL delegated administrator permissions.
  • Specify custom sync groups: By default, when the synchronization services are installed, Azure AD Connect creates four groups that are local to the server. These groups are Administrators, Operators, Browse, and Password Reset. You can specify your own groups here. The groups must be local on the server. They can't be located in the domain.
  • Import synchronization settings (preview): Allows you to import settings from other versions of Azure AD Connect. For more information, see Importing and exporting Azure AD Connect configuration settings.

Connect to Azure AD

On the Connect to Azure AD page, enter a global admin account and password. If you selected Federation with AD FS on the previous page, don't sign in with an account that's in a domain you plan to enable for federation.

You might want to use an account in the default partner.onmschina.cn domain, which comes with your Azure AD tenant. This account is used only to create a service account in Azure AD. It's not used after the installation finishes.

Screenshot showing the Connect to Azure AD page.

If your global admin account has multifactor authentication enabled, you provide the password again in the sign-in window, and you must complete the multifactor authentication challenge. The challenge could be a verification code or a phone call.

Screenshot showing the Connect to Azure AD page.

The global admin account can also have Privileged Identity Management enabled.

If you see an error or have problems with connectivity, see Troubleshoot connectivity problems.

Sync pages

The following sections describe the pages in the Sync section.

Connect your directories

To connect to Active Directory Domain Services (Azure AD DS), Azure AD Connect needs the forest name and credentials of an account that has sufficient permissions.

Screenshot showing the Connect your directories page.

After you enter the forest name and select Add Directory, a window appears. The following table describes your options.

  • Create new account: Create the Azure AD DS account that Azure AD Connect needs to connect to the Active Directory forest during directory synchronization. After you select this option, enter the username and password for an enterprise admin account. Azure AD Connect uses the provided enterprise admin account to create the required Azure AD DS account. You can enter the domain part in either NetBIOS format or FQDN format. That is, enter FABRIKAM\administrator or fabrikam.com\administrator.
  • Use existing account: Provide an existing Azure AD DS account that Azure AD Connect can use to connect to the Active Directory forest during directory synchronization. You can enter the domain part in either NetBIOS format or FQDN format. That is, enter FABRIKAM\syncuser or fabrikam.com\syncuser. This account can be a regular user account because it needs only the default read permissions. But depending on your scenario, you might need more permissions. For more information, see Azure AD Connect accounts and permissions.

Screenshot showing the Connect your directories page and the AD forest account window, where you can choose to create a new account or use an existing account.

Note

As of build 1.4.18.0, you can't use an enterprise admin or domain admin account as the Azure AD DS connector account. When you select Use existing account, if you try to enter an enterprise admin account or a domain admin account, you see the following error: "Using an Enterprise or Domain administrator account for your AD forest account is not allowed. Let Azure AD Connect create the account for you or specify a synchronization account with the correct permissions."
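
The wizard only rejects a privileged account at the moment you type it in, so it is worth checking a candidate connector account ahead of the installation, including membership inherited through nested groups. The following PowerShell is an added example and is not code from the Azure AD Connect documentation or product; it assumes the ActiveDirectory RSAT module is installed, and the account name is a placeholder.

```powershell
# Added example (not from the Azure AD Connect documentation or product).
# Assumes the ActiveDirectory RSAT module; 'syncuser' is a placeholder account name.
Import-Module ActiveDirectory

function Test-ConnectorAccountPrivilege {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server    # optional domain or DC to query; defaults to the current domain
    )
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    $user       = Get-ADUser -Identity $SamAccountName @adArgs
    $domainSid  = (Get-ADDomain @adArgs).DomainSID.Value
    $rootDomain = (Get-ADForest @adArgs).RootDomain
    $rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value

    # The groups the wizard rejects, identified by well-known SID so that renamed groups are
    # still caught: Domain Admins (RID 512), Enterprise Admins (RID 519, forest root domain only),
    # and the built-in Administrators group.
    $privileged = @(
        @{ Name = 'Domain Admins';     Sid = "$domainSid-512"; Server = $Server },
        @{ Name = 'Enterprise Admins'; Sid = "$rootSid-519";   Server = $rootDomain },
        @{ Name = 'Administrators';    Sid = 'S-1-5-32-544';   Server = $Server }
    )

    $memberships = foreach ($g in $privileged) {
        $srv = @{}
        if ($g.Server) { $srv['Server'] = $g.Server }
        $group = Get-ADGroup -Identity $g.Sid @srv -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive follows nested groups, so indirect membership counts as well.
        $memberSids = Get-ADGroupMember -Identity $group -Recursive @srv -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.SID.Value }
        if ($memberSids -contains $user.SID.Value) { $g.Name }
    }

    [pscustomobject]@{
        Account                   = $user.SamAccountName
        PrivilegedGroups          = @($memberships)
        AllowedAsConnectorAccount = (@($memberships).Count -eq 0)
    }
}

# Usage (placeholder account name):
Test-ConnectorAccountPrivilege -SamAccountName 'syncuser'
```

Get-ADGroupMember -Recursive stops on groups that contain foreign security principals from trusted forests and on very large groups; in those environments, expand the group membership with a directory search on the member attribute instead.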

Azure AD sign-in configuration

On the Azure AD sign-in configuration page, review the user principal name (UPN) domains in on-premises Azure AD DS. These UPN domains have been verified in Azure AD. On this page, you configure the attribute to use for the userPrincipalName.

Screenshot showing unverified domains on the Azure AD sign-in configuration page.

Review every domain that's marked as Not Added or Not Verified. Make sure that the domains you use have been verified in Azure AD. After you verify your domains, select the circular refresh icon. For more information, see Add and verify the domain.

Users use the userPrincipalName attribute when they sign in to Azure AD and Microsoft 365. Azure AD should verify the domains, also known as the UPN suffix, before users are synchronized. Microsoft recommends that you keep the default attribute userPrincipalName.

If the userPrincipalName attribute is nonroutable and can't be verified, you can select another attribute. You can, for example, select email as the attribute that holds the sign-in ID. When you use an attribute other than userPrincipalName, it's known as an alternate ID.

The alternate ID attribute value must follow the RFC 822 standard. You can use an alternate ID with password hash sync and federation. In Active Directory, the attribute can't be defined as multivalued, even if it has only a single value.
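
Before you reach this page, it helps to know which UPN suffixes your users actually carry and, if you are considering an alternate ID, whether that attribute's values are single and shaped like an RFC 822 address. The following PowerShell is an added example and is not code from the Azure AD Connect documentation or product; it assumes the ActiveDirectory RSAT module, and the verified-domain list, OU and attribute name in the usage lines are placeholders.

```powershell
# Added example (not from the Azure AD Connect documentation or product).
# Assumes the ActiveDirectory RSAT module; the verified-domain list, OU and attribute
# name passed at the bottom are placeholders.
Import-Module ActiveDirectory

function Get-UpnSuffixReport {
    # Groups users by UPN suffix and flags suffixes that are not in your verified-domain list.
    param(
        [Parameter(Mandatory)] [string[]] $VerifiedDomains,   # domains verified in Azure AD
        [string] $SearchBase                                  # optional OU to scope the audit
    )
    $query = @{ Filter = 'userPrincipalName -like "*"'; Properties = 'userPrincipalName' }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    Get-ADUser @query |
        Group-Object {
            $parts = $_.UserPrincipalName -split '@', 2
            if ($parts.Count -gt 1) { $parts[1].ToLowerInvariant() } else { '(no suffix)' }
        } |
        ForEach-Object {
            [pscustomobject]@{
                UpnSuffix = $_.Name
                Users     = $_.Count
                Verified  = ($VerifiedDomains -contains $_.Name)
            }
        } |
        Sort-Object Verified, Users -Descending
}

function Test-AlternateIdValues {
    # For a candidate alternate-ID attribute (for example mail), lists users whose value is
    # multi-valued or is not shaped like an RFC 822 addr-spec (local-part@domain).
    param(
        [Parameter(Mandatory)] [string] $Attribute,
        [string] $SearchBase
    )
    $addrSpec = '^[^\s@]+@[^\s@]+\.[^\s@]+$'   # simplified addr-spec check, not a full RFC 822 parser
    $query = @{ Filter = "$Attribute -like '*'"; Properties = $Attribute }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $values  = @($_.$Attribute)
        $problem = $null
        if ($values.Count -gt 1)               { $problem = 'multiple values' }
        elseif ($values[0] -notmatch $addrSpec) { $problem = 'not an RFC 822 address' }
        if ($problem) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Value          = ($values -join ';')
                Problem        = $problem
            }
        }
    }
}

# Usage (placeholder values):
Get-UpnSuffixReport -VerifiedDomains 'contoso.com', 'fabrikam.com' | Format-Table
Test-AlternateIdValues -Attribute 'mail' -SearchBase 'OU=Pilot,DC=contoso,DC=com' | Format-Table
```

Test-AlternateIdValues checks the values users actually hold; whether the attribute itself is defined as multi-valued is a schema property, and the sourceAnchor example later on this page shows how to read that from the schema partition.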

Warning

Alternate IDs aren't compatible with all Microsoft 365 workloads. For more information, see Configuring alternate sign-in IDs.

Domain and OU filtering

By default, all domains and organizational units (OUs) are synchronized. If you don't want to synchronize some domains or OUs to Azure AD, you can clear the appropriate selections.

Screenshot showing the Domain and OU filtering page.

This page configures domain-based and OU-based filtering. If you plan to make changes, see Domain-based filtering and OU-based filtering. Some OUs are essential for functionality, so you should leave them selected.

If you use OU-based filtering with an Azure AD Connect version older than 1.1.524.0, new OUs are synchronized by default. If you don't want new OUs to be synchronized, you can adjust the default behavior after the OU-based filtering step. For Azure AD Connect 1.1.524.0 or later, you can indicate whether you want new OUs to be synchronized.

If you plan to use group-based filtering, make sure the OU that contains the group is included and isn't excluded by OU filtering. OU filtering is evaluated before group-based filtering.

It's also possible that some domains are unreachable because of firewall restrictions. These domains are unselected by default, and they display a warning.

Screenshot showing unreachable domains.

If you see this warning, make sure that these domains are indeed unreachable and that the warning is expected.

Uniquely identifying your users

On the Identifying users page, choose how to identify users in your on-premises directories and how to identify them by using the sourceAnchor attribute.

Select how users should be identified in your on-premises directories

By using the Matching across forests feature, you can define how users from your Azure AD DS forests are represented in Azure AD. A user might be represented only once across all forests or might have a combination of enabled and disabled accounts. The user might also be represented as a contact in some forests.

Screenshot showing the page where you can uniquely identify users.

  • Users are represented only once across all forests: All users are created as individual objects in Azure AD. The objects aren't joined in the metaverse.
  • Mail attribute: This option joins users and contacts if the mail attribute has the same value in different forests. Use this option when your contacts were created by using GALSync. If you choose this option, user objects whose mail attribute is unpopulated aren't synchronized to Azure AD.
  • ObjectSID and msExchangeMasterAccountSID/msRTCSIP-OriginatorSID attributes: This option joins an enabled user in an account forest with a disabled user in a resource forest. In Exchange, this configuration is known as a linked mailbox. You can use this option if you use only Lync and if Exchange isn't present in the resource forest.
  • SAMAccountName and MailNickName attributes: This option joins on attributes where the sign-in ID for the user is expected to be found.
  • Choose a specific attribute: This option allows you to select your own attribute. If you choose this option, user objects whose (selected) attribute is unpopulated aren't synchronized to Azure AD. Limitation: Only attributes that are already in the metaverse are available for this option.

Select how users should be identified by using a source anchor

The sourceAnchor attribute is immutable during the lifetime of a user object. It's the primary key that links the on-premises user with the user in Azure AD.

  • Let Azure manage the source anchor: Select this option if you want Azure AD to pick the attribute for you. If you select this option, Azure AD Connect applies the sourceAnchor attribute selection logic that's described in Using ms-DS-ConsistencyGuid as sourceAnchor. After the custom installation finishes, you see which attribute was picked as the sourceAnchor attribute.
  • Choose a specific attribute: Select this option if you want to specify an existing AD attribute as the sourceAnchor attribute.

Because the sourceAnchor attribute can't be changed, you must choose an appropriate attribute. A good candidate is objectGUID. This attribute isn't changed unless the user account is moved between forests or domains. Don't choose attributes that can change when a person marries or changes assignments.

You can't use attributes that include an at sign (@), so you can't use email and userPrincipalName. The attribute is also case sensitive, so when you move an object between forests, make sure to preserve uppercase and lowercase. Binary attributes are Base64-encoded, but other attribute types remain in their unencoded state.

In federation scenarios and some Azure AD interfaces, the sourceAnchor attribute is also known as immutableID.

For more information about the source anchor, see Design concepts.
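
The rules above (immutable, single-valued, no at sign, case sensitive, binary values Base64-encoded) can be checked before you commit to an anchor, and the Base64 form is what you will see as immutableID when you later match a cloud object back to an on-premises user. The following PowerShell is an added example and is not code from the Azure AD Connect documentation or product; it assumes the ActiveDirectory RSAT module, and the user and attribute names in the usage lines are placeholders.

```powershell
# Added example (not from the Azure AD Connect documentation or product).
# Assumes the ActiveDirectory RSAT module; the user and attribute names are placeholders.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # Binary anchors are Base64-encoded: this is the form objectGUID takes as immutableID.
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse mapping, for tracing a cloud object back to its on-premises objectGUID.
    param([Parameter(Mandatory)] [string] $ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-SourceAnchorCandidate {
    # Checks a candidate attribute: single-valued in the schema, no '@' in its values,
    # and unique (case-sensitively) across a sample of users.
    param(
        [Parameter(Mandatory)] [string] $Attribute,
        [int] $SampleSize = 500
    )
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $schema = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$Attribute)" `
                           -Properties isSingleValued, attributeSyntax
    if (-not $schema) {
        return [pscustomobject]@{ Attribute = $Attribute; Binary = $null; Ok = $false; Reasons = 'not found in the schema' }
    }

    $reasons = @()
    if (-not $schema.isSingleValued) { $reasons += 'defined as multi-valued in the schema' }
    # 2.5.5.10 is the octet-string syntax (objectGUID, ms-DS-ConsistencyGuid); 2.5.5.17 is SID.
    $isBinary = $schema.attributeSyntax -in @('2.5.5.10', '2.5.5.17')

    # Render each sampled value the way the anchor would carry it: Base64 for binary, as-is otherwise.
    $values = @(Get-ADUser -Filter * -Properties $Attribute -ResultSetSize $SampleSize |
        ForEach-Object { $_.$Attribute } | Where-Object { $null -ne $_ } |
        ForEach-Object {
            if ($_ -is [guid])        { ConvertTo-ImmutableId $_ }
            elseif ($_ -is [byte[]])  { [Convert]::ToBase64String($_) }
            else                      { "$_" }
        })

    $withAt = @($values | Where-Object { $_ -match '@' })
    if ($withAt.Count -gt 0) { $reasons += "$($withAt.Count) of $($values.Count) sampled values contain '@'" }
    $dupes = @($values | Group-Object -CaseSensitive | Where-Object { $_.Count -gt 1 })
    if ($dupes.Count -gt 0) { $reasons += "$($dupes.Count) values repeat within the sample" }

    [pscustomobject]@{
        Attribute = $Attribute
        Binary    = $isBinary
        Ok        = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Usage (placeholder names):
$u  = Get-ADUser -Identity 'syncuser' -Properties objectGUID
$id = ConvertTo-ImmutableId -ObjectGuid $u.ObjectGUID
"{0} -> immutableID {1} -> {2}" -f $u.ObjectGUID, $id, (ConvertFrom-ImmutableId $id)
Test-SourceAnchorCandidate -Attribute 'objectGUID'
Test-SourceAnchorCandidate -Attribute 'mail'   # fails: values contain '@'
```

The uniqueness check is deliberately case sensitive, which is also why the page tells you to preserve case when moving objects between forests: two anchors that differ only in case are two different users to Azure AD.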

Sync filtering based on groups

The filtering-on-groups feature allows you to sync only a small subset of objects for a pilot. To use this feature, create a group for this purpose in your on-premises instance of Active Directory. Then add the users and groups that should be synchronized to Azure AD as direct members. You can later add users to or remove users from this group to maintain the list of objects that should be present in Azure AD.

All objects that you want to synchronize must be direct members of the group. Users, groups, contacts, and computers or devices must all be direct members. Nested group membership isn't resolved. When you add a group as a member, only the group itself is added. Its members aren't added.
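
Because only direct members are evaluated, the usual surprise in a pilot is an object that is in the group through a nested group and therefore never appears in Azure AD. The following PowerShell is an added example and is not code from the Azure AD Connect documentation or product; it assumes the ActiveDirectory RSAT module, and the group name is a placeholder.

```powershell
# Added example (not from the Azure AD Connect documentation or product).
# Assumes the ActiveDirectory RSAT module; the group name is a placeholder.
Import-Module ActiveDirectory

function Get-PilotGroupReport {
    param([Parameter(Mandatory)] [string] $GroupName)

    # Direct members only: this is exactly the set the filtering feature evaluates.
    $direct    = @(Get-ADGroupMember -Identity $GroupName)
    $directDns = @($direct | ForEach-Object { $_.distinguishedName })

    # For each nested group, find the objects reachable only through it. Those objects are
    # NOT synchronized, which is the usual reason a pilot user "doesn't show up" in Azure AD.
    $hidden = foreach ($nested in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
        Get-ADGroupMember -Identity $nested.distinguishedName -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $directDns -notcontains $_.distinguishedName } |
            ForEach-Object {
                [pscustomobject]@{
                    ReachableVia = $nested.Name
                    Name         = $_.Name
                    ObjectClass  = $_.objectClass
                }
            }
    }

    [pscustomobject]@{
        Group           = $GroupName
        DirectMembers   = $direct.Count
        ByObjectClass   = (($direct | Group-Object objectClass |
                            ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
        NotSynchronized = @($hidden)
    }
}

# Usage (placeholder group name):
$report = Get-PilotGroupReport -GroupName 'AADC-Pilot'
$report | Format-List Group, DirectMembers, ByObjectClass
$report.NotSynchronized | Format-Table
```

Anything listed under NotSynchronized has to be added to the pilot group directly if it should reach Azure AD; the nested group itself syncs as a group object, but its membership is not expanded.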

Screenshot showing the page where you can choose how to filter users and devices.

Warning

This feature is intended to support only a pilot deployment. Don't use it in a full production deployment.

In a full production deployment, it would be hard to maintain a single group and all of its objects to synchronize. Instead of the filtering-on-groups feature, use one of the methods described in Configure filtering.

Optional features

On the next page, you can select optional features for your scenario.

Warning

Azure AD Connect versions 1.0.8641.0 and earlier rely on Azure Access Control Service for password writeback. This service was retired on November 7, 2018. If you use any of these versions of Azure AD Connect and have enabled password writeback, users might lose the ability to change or reset their passwords when the service is retired. These versions of Azure AD Connect don't support password writeback.

If you want to use password writeback, download the latest version of Azure AD Connect.

Screenshot showing the Optional features page.

Warning

If Azure AD Sync or Direct Synchronization (DirSync) is active, don't activate any writeback features in Azure AD Connect.

  • Exchange hybrid deployment: The Exchange hybrid deployment feature allows for the coexistence of Exchange mailboxes both on-premises and in Microsoft 365. Azure AD Connect synchronizes a specific set of attributes from Azure AD back into your on-premises directory.
  • Exchange mail public folders: The Exchange mail public folders feature allows you to synchronize mail-enabled public-folder objects from your on-premises instance of Active Directory to Azure AD.
  • Azure AD app and attribute filtering: By enabling Azure AD app and attribute filtering, you can tailor the set of synchronized attributes. This option adds two more configuration pages to the wizard. For more information, see Azure AD app and attribute filtering.
  • Password hash synchronization: If you selected federation as the sign-in solution, you can enable password hash synchronization. Then you can use it as a backup option. For more information, see Password hash synchronization.
  • Password writeback: Use this option to ensure that password changes that originate in Azure AD are written back to your on-premises directory. For more information, see Getting started with password management.
  • Directory extension attribute sync: Select this option to sync specified attributes to Azure AD. For more information, see Directory extensions.

Azure AD app and attribute filtering

If you want to limit which attributes synchronize to Azure AD, start by selecting the services you use. If you change the selections on this page, you have to explicitly select a new service by rerunning the installation wizard.

Screenshot showing the optional Azure AD app features.

Based on the services you selected in the previous step, this page shows all attributes that are synchronized. This list is a combination of all object types that are being synchronized. If you need some attributes to remain unsynchronized, you can clear the selection for those attributes.

Screenshot showing the optional Azure AD attribute features.

Warning

Removing attributes can affect functionality. For best practices and recommendations, see Attributes to synchronize.

Directory Extension attribute sync

You can extend the schema in Azure AD by using custom attributes that your organization added or by using other attributes in Active Directory. To use this feature, on the Optional Features page, select Directory Extension attribute sync. On the Directory Extensions page, you can select more attributes to sync.

Note

The Available Attributes field is case sensitive.

Screenshot showing the Directory Extensions page.

For more information, see Directory extensions.

Enabling single sign-on

Single sign-on (SSO) is currently not supported in Azure China.

Configuring federation with AD FS

You can configure AD FS with Azure AD Connect in just a few clicks. Before you start, you need:

  • Windows Server 2012 R2 or later for the federation server. Remote management should be enabled.
  • Windows Server 2012 R2 or later for the Web Application Proxy server. Remote management should be enabled.
  • A TLS/SSL certificate for the federation service name that you intend to use (for example, sts.contoso.com).

Note

You can update a TLS/SSL certificate for your AD FS farm by using Azure AD Connect even if you don't use it to manage your federation trust.

AD FS configuration prerequisites

To configure your AD FS farm by using Azure AD Connect, ensure that WinRM is enabled on the remote servers. Make sure you've completed the other tasks in Federation prerequisites. Also make sure you follow the port requirements that are listed in the Azure AD Connect and Federation/WAP servers table.

Create a new AD FS farm or use an existing AD FS farm

You can use an existing AD FS farm or create a new one. If you choose to create a new one, you must provide the TLS/SSL certificate. If the TLS/SSL certificate is protected by a password, you're prompted to provide the password.

Screenshot showing the AD FS Farm page.

If you choose to use an existing AD FS farm, you see the page where you can configure the trust relationship between AD FS and Azure AD.

Note

You can use Azure AD Connect to manage only one AD FS farm. If you have an existing federation trust where Azure AD is configured on the selected AD FS farm, Azure AD Connect re-creates the trust from scratch.

Specify the AD FS servers

Specify the servers where you want to install AD FS. You can add one or more servers, depending on your capacity needs. Before you set up this configuration, join all AD FS servers to Active Directory. This step isn't required for the Web Application Proxy servers.

Microsoft recommends installing a single AD FS server for test and pilot deployments. After the initial configuration, you can add and deploy more servers to meet your scaling needs by running Azure AD Connect again.

Note

Before you set up this configuration, ensure that all of your servers are joined to an Azure AD domain.

Screenshot showing the Federation Servers page.

Specify the Web Application Proxy servers

Specify your Web Application Proxy servers. The Web Application Proxy server is deployed in your perimeter network, facing the extranet. It supports authentication requests from the extranet. You can add one or more servers, depending on your capacity needs.

Microsoft recommends installing a single Web Application Proxy server for test and pilot deployments. After the initial configuration, you can add and deploy more servers to meet your scaling needs by running Azure AD Connect again. We recommend that you have an equivalent number of proxy servers to satisfy authentication from the intranet.

Note

  • If the account you use isn't a local admin on the Web Application Proxy servers, you're prompted for admin credentials.
  • Before you specify Web Application Proxy servers, ensure that there's HTTP/HTTPS connectivity between the Azure AD Connect server and the Web Application Proxy server.
  • Ensure that there's HTTP/HTTPS connectivity between the Web Application Proxy server and the AD FS server to allow authentication requests to flow through.
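
The WinRM requirement from the AD FS prerequisites and the two connectivity requirements in this note can be checked in one pass from the Azure AD Connect server, with the Web Application Proxy to AD FS leg tested from the proxy itself, since reachability from the Connect server says nothing about the perimeter network. The following PowerShell is an added example and is not code from the Azure AD Connect documentation or product; the server names and federation service name are placeholders, and HTTPS on port 443 is an assumption rather than a value from this page.

```powershell
# Added example (not from the Azure AD Connect documentation or product). Run it on the
# Azure AD Connect server. Server names and the federation service name are placeholders;
# HTTPS on port 443 is an assumption, not a value taken from this page.
function Test-FederationConnectivity {
    param(
        [Parameter(Mandatory)] [string[]] $AdfsServers,
        [Parameter(Mandatory)] [string[]] $WapServers,
        [Parameter(Mandatory)] [string]   $FederationServiceName   # e.g. sts.contoso.com
    )
    foreach ($server in ($AdfsServers + $WapServers)) {
        $role = if ($AdfsServers -contains $server) { 'AD FS' } else { 'WAP' }

        # WinRM must answer; the wizard uses it to configure the remote servers.
        $winrm = try { [bool](Test-WSMan -ComputerName $server -ErrorAction Stop) } catch { $false }

        # HTTPS from the Connect server to the AD FS or WAP server itself.
        $https = (Test-NetConnection -ComputerName $server -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

        # WAP -> AD FS is the path authentication requests take, so test it from the WAP host.
        $wapToAdfs = $null
        if ($role -eq 'WAP' -and $winrm) {
            $wapToAdfs = Invoke-Command -ComputerName $server -ArgumentList $FederationServiceName -ScriptBlock {
                param($name)
                (Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
            }
        }

        [pscustomobject]@{
            Server       = $server
            Role         = $role
            WinRM        = $winrm
            Https443     = $https
            WapToAdfs443 = $wapToAdfs
        }
    }
}

# Usage (placeholder names):
Test-FederationConnectivity -AdfsServers 'adfs01.contoso.com' `
                            -WapServers 'wap01.contoso.com' `
                            -FederationServiceName 'sts.contoso.com' | Format-Table
```

A Web Application Proxy server that is not domain-joined needs the Connect server's WinRM client configured to trust it (for example through the TrustedHosts setting) before Test-WSMan and Invoke-Command will succeed; until then the WapToAdfs443 column stays empty.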

Screenshot showing the Web Application Proxy Servers page.

You're prompted to enter credentials so that the Web Application Proxy server can establish a secure connection to the AD FS server. These credentials must be for a local administrator account on the AD FS server.

Screenshot showing the Credentials page.

Specify the service account for the AD FS service

The AD FS service requires a domain service account to authenticate users and to look up user information in Active Directory. It can support two types of service accounts:

  • Group managed service account: This account type was introduced into AD DS by Windows Server 2012. This type of account is intended for services such as AD FS. It's a single account whose password you don't need to update regularly. Use this option if you already have Windows Server 2012 domain controllers in the domain that your AD FS servers belong to.
  • Domain user account: This type of account requires you to provide a password and regularly update it when it expires. Use this option only when you don't have Windows Server 2012 domain controllers in the domain that your AD FS servers belong to.

If you selected Create a group Managed Service Account and this feature has never been used in Active Directory, enter your enterprise admin credentials. These credentials are used to initiate the key store and enable the feature in Active Directory.

Note

Azure AD Connect checks whether the AD FS service is already registered as a service principal name (SPN) in the domain. Azure AD DS doesn't allow duplicate SPNs to be registered at the same time. If a duplicate SPN is found, you can't proceed until the SPN is removed.
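
You can find out which object already holds the federation service's SPN before the wizard stops on it. The following PowerShell is an added example and is not code from the Azure AD Connect documentation or product; it assumes the ActiveDirectory RSAT module, the federation service name is a placeholder, and it checks the host/<federation service name> form, which is the SPN an AD FS service account registers (the page itself does not name the SPN form).

```powershell
# Added example (not from the Azure AD Connect documentation or product).
# Assumes the ActiveDirectory RSAT module; 'sts.contoso.com' is a placeholder. The SPN form
# host/<federation service name> is the one an AD FS service account registers.
Import-Module ActiveDirectory

function Find-FederationSpnHolders {
    param([Parameter(Mandatory)] [string] $FederationServiceName)
    $spn = "host/$FederationServiceName"
    # SPNs must be unique forest-wide, so query every domain rather than only the current one.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
            ForEach-Object {
                [pscustomobject]@{
                    Spn         = $spn
                    Domain      = $domain
                    Holder      = $_.DistinguishedName
                    ObjectClass = $_.ObjectClass
                }
            }
    }
}

# Usage (placeholder federation service name):
$holders = @(Find-FederationSpnHolders -FederationServiceName 'sts.contoso.com')
switch ($holders.Count) {
    0       { 'SPN not registered yet: the wizard can register it on the new service account.' }
    1       { "SPN already held by $($holders[0].Holder): remove it, or reuse that account as the AD FS service account." }
    default { "SPN registered on $($holders.Count) objects; the wizard will not proceed until only one remains."; $holders | Format-Table }
}
```

Look at the holder's object class before removing anything: a stale computer or user object from an earlier farm is the common case, whereas a gMSA that already carries the SPN is usually the account you want to keep.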

屏幕截图,显示“AD FS 服务帐户”页。

选择要联合的 Azure AD 域Select the Azure AD domain that you want to federate

使用“Azure AD 域”页设置 AD FS 与 Azure AD 之间的联合关系。Use the Azure AD Domain page to set up the federation relationship between AD FS and Azure AD. 在这里,请将 AD FS 配置为向 Azure AD 提供安全令牌。Here, you configure AD FS to provide security tokens to Azure AD. 另请将 Azure AD 配置为信任来自此 AD FS 实例的令牌。You also configure Azure AD to trust the tokens from this AD FS instance.

在此页上,你只能在初始安装中配置单个域。On this page, you can configure only a single domain in the initial installation. 以后可以通过再次运行 Azure AD Connect 来配置其他域。You can configure more domains later by running Azure AD Connect again.

屏幕截图,显示“Azure AD 域”页。

验证选择用于联合的 Azure AD 域Verify the Azure AD domain selected for federation

当你选择要联合的域时,Azure AD Connect 会提供相关信息,供你用来验证尚未验证的域。When you select the domain that you want to federate, Azure AD Connect provides information that you can use to verify an unverified domain. 有关详细信息,请参阅添加和验证域For more information, see Add and verify the domain.

屏幕截图,显示“Azure AD 域”页,其中包括可用来验证域的信息。

备注

Azure AD Connect 会尝试在配置阶段验证域。Azure AD Connect tries to verify the domain during the configuration stage. 如果不添加所需的域名系统 (DNS) 记录,则无法完成配置。If you don't add the necessary Domain Name System (DNS) records, the configuration can't be completed.

配置使用 PingFederate 的联合身份验证Configuring federation with PingFederate

You can configure PingFederate with Azure AD Connect in just a few clicks. The following prerequisites are required:

Verify the domain

After you choose to set up federation by using PingFederate, you're asked to verify the domain you want to federate. Select the domain from the drop-down menu.

Screenshot that shows the Azure AD Domain page.

Export the PingFederate settings

Configure PingFederate as the federation server for each federated Azure domain. Select Export Settings to share this information with your PingFederate administrator. The federation server administrator updates the configuration and then provides the PingFederate server URL and port number so that Azure AD Connect can verify the metadata settings.

Screenshot that shows the PingFederate Settings page.

Contact your PingFederate administrator to resolve any validation issues. The following image shows information about a PingFederate server that has no valid trust relationship with Azure.

Screenshot that shows the server information: the PingFederate server was found, but the service provider connection for Azure is missing or disabled.

Verify federation connectivity

Azure AD Connect attempts to validate the authentication endpoints that it retrieved from the PingFederate metadata in the previous step. Azure AD Connect first attempts to resolve the endpoints by using your local DNS servers. Next, it attempts to resolve the endpoints by using an external DNS provider. Contact your PingFederate administrator to resolve any validation issues.

Screenshot that shows the Verify Connectivity page.

Verify federation sign-in

Finally, you can verify the newly configured federated sign-in flow by signing in to the federated domain. If your sign-in succeeds, the federation with PingFederate is successfully configured.

Screenshot that shows the Verify federation sign-in page.

Configure and verify pages

The configuration happens on the Configure page.

Note

If you configured federation, make sure that you have also configured Name resolution for federation servers before you continue the installation.

Screenshot that shows the Ready to Configure page.

Use staging mode

It's possible to set up a new sync server in parallel by using staging mode. Only one sync server can export to a given directory in the cloud, so if you want to move from another server, for example a server running DirSync, you can enable Azure AD Connect in staging mode while the old server is still exporting.

When you enable staging mode, the sync engine imports and synchronizes data as normal, but it exports no data to Azure AD or Active Directory. In staging mode, the password sync feature and password writeback feature are disabled.

Screenshot that shows the Enable staging mode option.

In staging mode, you can make required changes to the sync engine and review what will be exported. When the configuration looks good, run the installation wizard again and disable staging mode.

Data is now exported to Azure AD from this server. Make sure to disable the other server at the same time so that only one server is actively exporting.

For more information, see Staging mode.

Verify your federation configuration

Azure AD Connect verifies the DNS settings when you select the Verify button. It checks the following settings:

  • Intranet connectivity
    • Resolve federation FQDN: Azure AD Connect checks whether the DNS can resolve the federation FQDN to ensure connectivity. If Azure AD Connect can't resolve the FQDN, the verification fails. To complete the verification, ensure that a DNS record is present for the federation service FQDN.
    • DNS A record: Azure AD Connect checks whether your federation service has an A record. In the absence of an A record, the verification fails. To complete the verification, create an A record (not a CNAME record) for your federation FQDN.
  • Extranet connectivity
    • Resolve federation FQDN: Azure AD Connect checks whether the DNS can resolve the federation FQDN to ensure connectivity.

Screenshot that shows the Installation complete page.
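An added example, not from this documentation or from Azure AD Connect: this PowerShell function runs the two checks listed above (the federation FQDN resolves, and it resolves through an A record rather than a CNAME) against the machine's own resolvers for the intranet case and against a public resolver for the extranet case. fs.contoso.com and the resolver address 8.8.8.8 are placeholder values.

```powershell
# Added example; not code from the Azure AD Connect documentation or product.
# Requires the DnsClient module (Resolve-DnsName), present on Windows 8 / Server 2012 and later.

function Test-FederationDns {
    param(
        [Parameter(Mandatory)][string]$FederationFqdn,
        # DNS server to query. Omit it to use the machine's configured (intranet) resolvers.
        [string]$Server
    )
    $label = if ($Server) { $Server } else { 'local resolvers' }
    $query = @{ Name = $FederationFqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }

    try {
        $records = Resolve-DnsName @query
    } catch {
        # The name does not resolve at all: the wizard's "Resolve federation FQDN" check fails.
        return [pscustomobject]@{
            Server = $label; Resolved = $false; HasARecord = $false; IsCname = $false
            Detail = $_.Exception.Message
        }
    }

    # With -Type A, Resolve-DnsName also returns the CNAME it followed, if there was one.
    $cname = @($records | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $FederationFqdn })
    $a     = @($records | Where-Object { $_.Type -eq 'A' })

    [pscustomobject]@{
        Server     = $label
        Resolved   = $true
        HasARecord = ($a.Count -gt 0)
        IsCname    = ($cname.Count -gt 0)   # the wizard wants an A record, not a CNAME
        Detail     = ($a | ForEach-Object { $_.IPAddress }) -join ', '
    }
}

$fqdn = 'fs.contoso.com'   # placeholder: your federation service FQDN

# Intranet: this machine's resolvers. Extranet: a public resolver (placeholder address).
$results = @(
    Test-FederationDns -FederationFqdn $fqdn
    Test-FederationDns -FederationFqdn $fqdn -Server '8.8.8.8'
)
$results | Format-Table -AutoSize

foreach ($r in $results) {
    if (-not $r.Resolved)       { Write-Warning "$($r.Server): $fqdn does not resolve; add a DNS record for it." }
    elseif ($r.IsCname)         { Write-Warning "$($r.Server): $fqdn is a CNAME; replace it with an A record." }
    elseif (-not $r.HasARecord) { Write-Warning "$($r.Server): no A record for $fqdn." }
}
```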

To validate end-to-end authentication, manually perform one or more of the following tests:

  • When synchronization finishes, in Azure AD Connect, use the Verify federated login additional task to verify authentication for an on-premises user account that you choose.
  • From a domain-joined machine on the intranet, ensure that you can sign in from a browser. Connect to https://account.activedirectory.windowsazure.cn/r#/applications. Then use your logged-on account to verify the sign-in. The built-in Azure AD DS administrator account isn't synchronized, and you can't use it for verification.
  • Ensure that you can sign in from a device on the extranet. On a home machine or a mobile device, connect to https://account.activedirectory.windowsazure.cn/r#/applications. Then provide your credentials.
  • Validate rich client sign-in. Connect to https://testconnectivity.microsoft.com. Then select Office 365 > Office 365 Single Sign-On Test.

Troubleshoot

This section contains troubleshooting information that you can use if you have a problem while installing Azure AD Connect.

When you customize an Azure AD Connect installation, on the Install required components page, you can select Use an existing SQL Server. You might see the following error: "The ADSync database already contains data and cannot be overwritten. Please remove the existing database and try again."

Screenshot that shows the Install required components page.

You see this error because a database named ADSync already exists on the SQL instance of the SQL Server that you specified.

You typically see this error after you have uninstalled Azure AD Connect. The database isn't deleted from the computer that runs SQL Server when you uninstall Azure AD Connect.

To fix this problem:

  1. Check the ADSync database that Azure AD Connect used before it was uninstalled. Make sure that the database is no longer being used.

  2. Back up the database.

  3. Delete the database:

    1. Use Microsoft SQL Server Management Studio to connect to the SQL instance.
    2. Find the ADSync database and right-click it.
    3. On the context menu, select Delete.
    4. Select OK to delete the database.

Screenshot that shows Microsoft SQL Server Management Studio.

After you delete the ADSync database, select Install to retry the installation.

Next steps

After the installation finishes, sign out of Windows. Then sign in again before you use Synchronization Service Manager or Synchronization Rule Editor.

Now that you have installed Azure AD Connect, you can verify the installation and assign licenses.

For more information about the features that you enabled during the installation, see Prevent accidental deletes.

For more information about other common topics, see Azure AD Connect sync: Scheduler and Integrate your on-premises identities with Azure AD.