Custom installation of Azure AD Connect

Azure AD Connect Custom settings is used when you want more options for the installation. It is used if you have multiple forests or if you want to configure optional features not covered in the express installation. It is used in all cases where the express installation option does not satisfy your deployment or topology.

Before you start installing Azure AD Connect, make sure to download Azure AD Connect and complete the prerequisite steps in Azure AD Connect: Hardware and prerequisites. Also make sure you have the required accounts available as described in Azure AD Connect accounts and permissions.

Custom settings installation of Azure AD Connect

Express Settings

On this page, click Customize to start a customized settings installation.

Install required components

When you install the synchronization services, you can leave the optional configuration section unchecked and Azure AD Connect sets up everything automatically. It sets up a SQL Server 2012 Express LocalDB instance, creates the appropriate groups, and assigns permissions. If you wish to change the defaults, you can use the following table to understand the optional configuration options that are available.


Optional Configuration: Description

Use an existing SQL Server: Allows you to specify the SQL Server name and the instance name. Choose this option if you already have a database server that you would like to use. Enter the instance name followed by a comma and port number in Instance Name if your SQL Server does not have browsing enabled. Then specify the name of the Azure AD Connect database. Your SQL privileges determine whether a new database will be created or your SQL administrator must create the database in advance. If you have SQL SA permissions, see How to install using an existing database. If you have been delegated permissions (DBO), see Install Azure AD Connect with SQL delegated administrator permissions.

Use an existing service account: By default Azure AD Connect uses a virtual service account for the synchronization services. If you use a remote SQL server or use a proxy that requires authentication, you need to use a managed service account or use a service account in the domain and know the password. In those cases, enter the account to use. Make sure the user running the installation is an SA in SQL so a login for the service account can be created. See Azure AD Connect accounts and permissions. With the latest build, provisioning the database can now be performed out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights. For more information, see Install Azure AD Connect using SQL delegated administrator permissions.

Specify custom sync groups: By default Azure AD Connect creates four groups local to the server when the synchronization services are installed. These groups are: Administrators group, Operators group, Browse group, and the Password Reset Group. You can specify your own groups here. The groups must be local on the server and cannot be located in the domain.

User sign-in

After installing the required components, you are asked to select your users' single sign-on method. The following table provides a brief description of the available options. For a full description of the sign-in methods, see User sign-in.


Single Sign On option: Description

Password Hash Sync: Users are able to sign in to Azure cloud services, such as Office 365, using the same password they use in their on-premises network. The users' passwords are synchronized to Azure AD as a password hash and authentication occurs in the cloud. See Password hash synchronization for more information.

Federation with AD FS: Users are able to sign in to Azure cloud services, such as Office 365, using the same password they use in their on-premises network. The users are redirected to their on-premises AD FS instance to sign in and authentication occurs on-premises.

Federation with PingFederate: Users are able to sign in to Azure cloud services, such as Office 365, using the same password they use in their on-premises network. The users are redirected to their on-premises PingFederate instance to sign in and authentication occurs on-premises.

Do not configure: No user sign-in feature is installed and configured. Choose this option if you already have a 3rd party federation server or another existing solution in place.

Connect to Azure AD

On the Connect to Azure AD screen, enter a global admin account and password. If you selected Federation with AD FS on the previous page, do not sign in with an account in a domain you plan to enable for federation. A recommendation is to use an account in the default domain, which comes with your Azure AD tenant.

This account is only used to create a service account in Azure AD and is not used after the wizard has completed.

If your global admin account has MFA enabled, then you need to provide the password again in the sign-in popup and complete the MFA challenge. The challenge could be providing a verification code or a phone call.

If you receive an error and have problems with connectivity, then see Troubleshoot connectivity problems.

Pages under the Sync section

Connect your directories

To connect to your Active Directory Domain Services, Azure AD Connect needs the forest name and credentials of an account with sufficient permissions.

After entering the forest name and clicking Add Directory, a pop-up dialog appears and prompts you with the following options:

Option: Description

Create new account: Select this option if you want the Azure AD Connect wizard to create the AD DS account required by Azure AD Connect for connecting to the AD forest during directory synchronization. When this option is selected, enter the username and password for an enterprise admin account. The enterprise admin account provided will be used by the Azure AD Connect wizard to create the required AD DS account. You can enter the domain part in either NetBIOS or FQDN format, that is, FABRIKAM\administrator or \administrator.

Use existing account: Select this option if you want to provide an existing AD DS account to be used by Azure AD Connect for connecting to the AD forest during directory synchronization. You can enter the domain part in either NetBIOS or FQDN format, that is, FABRIKAM\syncuser or \syncuser. This account can be a regular user account because it only needs the default read permissions. However, depending on your scenario, you may need more permissions. For more information, see Azure AD Connect Accounts and permissions.


Azure AD sign-in configuration

This page allows you to review the UPN domains present in on-premises AD DS and which have been verified in Azure AD. This page also allows you to configure the attribute to use for the userPrincipalName.

Review every domain marked Not Added and Not Verified. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains. For more information, see Add and verify the domain.

UserPrincipalName - The attribute userPrincipalName is the attribute users use when they sign in to Azure AD and Office 365. The domains used, also known as the UPN suffix, should be verified in Azure AD before the users are synchronized. Microsoft recommends keeping the default attribute userPrincipalName. If this attribute is non-routable and cannot be verified, then it is possible to select another attribute. You can, for example, select email as the attribute holding the sign-in ID. Using an attribute other than userPrincipalName is known as Alternate ID. The Alternate ID attribute value must follow the RFC 822 standard. An Alternate ID can be used with both password sync and federation. The attribute must not be defined in Active Directory as multi-valued, even if it only has a single value.


Using an Alternate ID is not compatible with all Office 365 workloads. For more information, refer to Configuring Alternate Login ID.

Domain and OU filtering

By default all domains and OUs are synchronized. If there are some domains or OUs you do not want to synchronize to Azure AD, you can unselect these domains and OUs.

This page in the wizard configures domain-based and OU-based filtering. If you plan to make changes, then see domain-based filtering and OU-based filtering before you make these changes. Some OUs are essential for the functionality and should not be unselected.

If you use OU-based filtering with an Azure AD Connect version before 1.1.524.0, new OUs added later are synchronized by default. If you want the behavior that new OUs should not be synchronized, then you can configure it after the wizard has completed with OU-based filtering. For Azure AD Connect version 1.1.524.0 or later, you can indicate whether you want new OUs to be synchronized or not.

If you plan to use group-based filtering, then make sure the OU with the group is included and not filtered out with OU filtering. OU filtering is evaluated before group-based filtering.

It is also possible that some domains are not reachable due to firewall restrictions. These domains are unselected by default and have a warning.
If you see this warning, make sure that these domains are indeed unreachable and the warning is expected.

Uniquely identifying your users

Select how users should be identified in your on-premises directories

The Matching across forests feature allows you to define how users from your AD DS forests are represented in Azure AD. A user might either be represented only once across all forests or have a combination of enabled and disabled accounts. The user might also be represented as a contact in some forests.


Setting: Description

Users are only represented once across all forests: All users are created as individual objects in Azure AD. The objects are not joined in the metaverse.

Mail attribute: This option joins users and contacts if the mail attribute has the same value in different forests. Use this option when your contacts have been created using GALSync. If this option is chosen, User objects whose Mail attribute is not populated will not be synchronized to Azure AD.

ObjectSID and msExchangeMasterAccountSID/msRTCSIP-OriginatorSid: This option joins an enabled user in an account forest with a disabled user in a resource forest. In Exchange, this configuration is known as a linked mailbox. This option can also be used if you only use Lync and Exchange is not present in the resource forest.

sAMAccountName and MailNickName: This option joins on attributes where it is expected the sign-in ID for the user can be found.

A specific attribute: This option allows you to select your own attribute. If this option is chosen, User objects whose (selected) attribute is not populated will not be synchronized to Azure AD. Limitation: Make sure to pick an attribute that already can be found in the metaverse. If you pick a custom attribute (not in the metaverse), the wizard cannot complete.

Select how users should be identified with Azure AD - Source Anchor

The attribute sourceAnchor is an attribute that is immutable during the lifetime of a user object. It is the primary key linking the on-premises user with the user in Azure AD.

Setting: Description

Let Azure manage the source anchor for me: Select this option if you want Azure AD to pick the attribute for you. If you select this option, the Azure AD Connect wizard applies the sourceAnchor attribute selection logic described in the article section Azure AD Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor. The wizard informs you which attribute has been picked as the Source Anchor attribute after the Custom installation completes.

A specific attribute: Select this option if you wish to specify an existing AD attribute as the sourceAnchor attribute.

Since the attribute cannot be changed, you must plan for a good attribute to use. A good candidate is objectGUID. This attribute is not changed unless the user account is moved between forests/domains. Avoid attributes that would change when a person marries or changes assignments. You cannot use attributes with an @-sign, so email and userPrincipalName cannot be used. The attribute is also case-sensitive, so when you move an object between forests, make sure to preserve the upper/lower case. Binary attributes are base64-encoded, but other attribute types remain in their unencoded state. In federation scenarios and some Azure AD interfaces, this attribute is also known as immutableID. More information about the source anchor can be found in the design concepts.
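As an added illustration (not code from the article or from Azure AD Connect), the following Python shows how a binary objectGUID becomes the base64 immutableID value described above, how to decode it back, and a check that rejects candidate sourceAnchor values containing an @-sign. The GUID value is constructed for the example.

```python
import base64
import uuid


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Return the base64 form of a binary objectGUID, as Azure AD exposes it in immutableID.

    Active Directory stores objectGUID as 16 raw bytes in the Windows GUID layout
    (first three fields little-endian), which is exactly what uuid.bytes_le yields.
    """
    raw = uuid.UUID(object_guid).bytes_le
    return base64.b64encode(raw).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Decode a base64 immutableID back to the canonical hyphenated objectGUID string."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("immutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def check_source_anchor_value(value: str) -> str:
    """Apply the page's rules to a candidate (non-binary) sourceAnchor value.

    Values with an @-sign (mail, userPrincipalName) are rejected. Otherwise the
    value is returned exactly as given, because the attribute is case-sensitive
    and must be preserved when objects move between forests.
    """
    if not value:
        raise ValueError("sourceAnchor value must not be empty")
    if "@" in value:
        raise ValueError("sourceAnchor values cannot contain an @-sign")
    return value


if __name__ == "__main__":
    # Constructed sample objectGUID, not taken from any real directory object.
    sample_guid = "01020304-0506-0708-090a-0b0c0d0e0f10"
    iid = immutable_id_from_object_guid(sample_guid)
    print(iid)                                   # BAMCAQYFCAcJCgsMDQ4PEA==
    print(object_guid_from_immutable_id(iid))    # round-trips to sample_guid
```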

Sync filtering based on groups

The filtering on groups feature allows you to sync only a small subset of objects for a pilot. To use this feature, create a group for this purpose in your on-premises Active Directory. Then add users and groups that should be synchronized to Azure AD as direct members. You can later add and remove users in this group to maintain the list of objects that should be present in Azure AD. All objects you want to synchronize must be a direct member of the group. Users, groups, contacts, and computers/devices must all be direct members. Nested group membership is not resolved. When you add a group as a member, only the group itself is added and not its members.


This feature is only intended to support a pilot deployment. Do not use it in a full-blown production deployment.

In a full-blown production deployment, it is going to be hard to maintain a single group with all objects to synchronize. Instead you should use one of the methods in Configure filtering.
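The filtering rules stated in the Domain and OU filtering section and in this section (OU filtering is evaluated first; only direct members of the pilot group are synchronized; nested groups are added as objects but never expanded) as an added Python model, not code from the article or from Azure AD Connect. The directory objects, DNs and the contoso.com domain are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DirectoryObject:
    """Minimal stand-in for an AD object: DN, object class, and direct members (groups only)."""
    dn: str
    object_class: str                                   # "user", "group", "contact" or "computer"
    members: List[str] = field(default_factory=list)    # DNs of direct members (groups only)


def container_of(dn: str) -> str:
    """Return the parent container of a DN (everything after the leading RDN)."""
    return dn.split(",", 1)[1]


def in_scope_ou(dn: str, excluded_ous: Set[str]) -> bool:
    """OU filtering: an object is out of scope if its container is, or lies under, an excluded OU."""
    container = container_of(dn)
    return not any(container == ou or container.endswith("," + ou) for ou in excluded_ous)


def objects_to_sync(objects: Dict[str, DirectoryObject], pilot_group_dn: str,
                    excluded_ous: Set[str]) -> Set[str]:
    """Apply the page's rules: OU filtering first, then pilot-group filtering on direct members only."""
    pilot = objects.get(pilot_group_dn)
    # If the pilot group itself sits in an excluded OU, OU filtering removes it and nothing syncs.
    if pilot is None or not in_scope_ou(pilot_group_dn, excluded_ous):
        return set()
    in_scope: Set[str] = set()
    for member_dn in pilot.members:
        if member_dn not in objects:
            continue
        if not in_scope_ou(member_dn, excluded_ous):
            continue                    # OU filter is evaluated before group membership
        in_scope.add(member_dn)         # a nested group is added as an object...
        # ...but its own members are deliberately NOT walked: nested membership is not resolved
    return in_scope


# Constructed sample directory, not a real environment.
BASE = "DC=contoso,DC=com"
PILOT = f"CN=PilotSync,OU=Sync,{BASE}"
SAMPLE_OBJECTS: Dict[str, DirectoryObject] = {
    PILOT: DirectoryObject(PILOT, "group", [
        f"CN=Alice,OU=Users,{BASE}",      # user in an included OU -> synced
        f"CN=Bob,OU=Legacy,{BASE}",       # user in an excluded OU -> dropped by OU filtering
        f"CN=Finance,OU=Groups,{BASE}",   # nested group -> the group object syncs, its members do not
        f"CN=PC01,OU=Computers,{BASE}",   # computers must also be direct members
    ]),
    f"CN=Alice,OU=Users,{BASE}": DirectoryObject(f"CN=Alice,OU=Users,{BASE}", "user"),
    f"CN=Bob,OU=Legacy,{BASE}": DirectoryObject(f"CN=Bob,OU=Legacy,{BASE}", "user"),
    f"CN=Carol,OU=Users,{BASE}": DirectoryObject(f"CN=Carol,OU=Users,{BASE}", "user"),
    f"CN=Finance,OU=Groups,{BASE}": DirectoryObject(
        f"CN=Finance,OU=Groups,{BASE}", "group", [f"CN=Carol,OU=Users,{BASE}"]),
    f"CN=PC01,OU=Computers,{BASE}": DirectoryObject(f"CN=PC01,OU=Computers,{BASE}", "computer"),
}
EXCLUDED_OUS: Set[str] = {f"OU=Legacy,{BASE}"}


def demo() -> Set[str]:
    """Run the sample: Alice, the Finance group object and PC01 sync; Bob and Carol do not."""
    return objects_to_sync(SAMPLE_OBJECTS, PILOT, EXCLUDED_OUS)


if __name__ == "__main__":
    for dn in sorted(demo()):
        print(dn)
```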

Optional Features


If you currently have DirSync or Azure AD Sync active, do not activate any of the writeback features in Azure AD Connect.

Optional Features: Description

Exchange Hybrid Deployment: The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect synchronizes a specific set of attributes from Azure AD back into your on-premises directory.

Exchange Mail Public Folders: The Exchange Mail Public Folders feature allows you to synchronize mail-enabled Public Folder objects from your on-premises Active Directory to Azure AD.

Azure AD app and attribute filtering: By enabling Azure AD app and attribute filtering, the set of synchronized attributes can be tailored. This option adds two more configuration pages to the wizard. For more information, see Azure AD app and attribute filtering.

Password hash synchronization: If you selected federation as the sign-in solution, then you can enable this option. Password hash synchronization can then be used as a backup option. For additional information, see Password hash synchronization.

Directory extension attribute sync: By enabling directory extension attribute sync, the attributes you specify are synced to Azure AD. For more information, see Directory extensions.

Azure AD app and attribute filtering

If you want to limit which attributes to synchronize to Azure AD, then start by selecting which services you are using. If you make configuration changes on this page, a new service has to be selected explicitly by rerunning the installation wizard.

Based on the services selected in the previous step, this page shows all attributes that are synchronized. This list is a combination of all object types being synchronized. If there are some particular attributes you need to not synchronize, you can unselect those attributes.


Removing attributes can impact functionality. For best practices and recommendations, see attributes synchronized.

Directory Extension attribute sync

You can extend the schema in Azure AD with custom attributes added by your organization or other attributes in Active Directory. To use this feature, select Directory Extension attribute sync on the Optional Features page. You can select more attributes to sync on this page.


The Available attributes box is case sensitive.


For more information, see Directory extensions.

Enabling Single sign on (SSO)

Single sign on (SSO) is currently not supported in Azure China.

Configuring federation with AD FS

Configuring AD FS with Azure AD Connect is simple and only requires a few clicks. The following is required before the configuration.

  • A Windows Server 2012 R2 or later server for the federation server with remote management enabled
  • A Windows Server 2012 R2 or later server for the Web Application Proxy server with remote management enabled
  • An SSL certificate for the federation service name you intend to use (for example


You can update the SSL certificate for your AD FS farm using Azure AD Connect even if you do not use it to manage your federation trust.

AD FS configuration prerequisites

To configure your AD FS farm using Azure AD Connect, ensure WinRM is enabled on the remote servers. Make sure you have completed the other tasks in federation prerequisites. In addition, go through the port requirements listed in Table 3 - Azure AD Connect and Federation Servers/WAP.

Create a new AD FS farm or use an existing AD FS farm

You can use an existing AD FS farm or you can choose to create a new AD FS farm. If you choose to create a new one, you are required to provide the SSL certificate. If the SSL certificate is protected by a password, you are prompted for the password.


If you choose to use an existing AD FS farm, you are taken directly to the screen for configuring the trust relationship between AD FS and Azure AD.


Azure AD Connect can be used to manage only one AD FS farm. If you have an existing federation trust with Azure AD configured on the selected AD FS farm, the trust will be re-created from scratch by Azure AD Connect.

Specify the AD FS servers

Enter the servers that you want to install AD FS on. You can add one or more servers based on your capacity planning needs. Join all AD FS servers (not required for the WAP servers) to Active Directory before you perform this configuration. Microsoft recommends installing a single AD FS server for test and pilot deployments. Then add and deploy more servers to meet your scaling needs by running Azure AD Connect again after initial configuration.


Ensure that all your servers are joined to an AD domain before you do this configuration.

Specify the Web Application Proxy servers

Enter the servers that you want as your Web Application Proxy servers. The Web Application Proxy server is deployed in your DMZ (extranet facing) and supports authentication requests from the extranet. You can add one or more servers based on your capacity planning needs. Microsoft recommends installing a single Web Application Proxy server for test and pilot deployments. Then add and deploy more servers to meet your scaling needs by running Azure AD Connect again after initial configuration. We recommend having an equivalent number of proxy servers to satisfy authentication from the intranet.


  • If the account you use is not a local admin on the WAP servers, then you are prompted for admin credentials.
  • Ensure that there is HTTP/HTTPS connectivity between the Azure AD Connect server and the Web Application Proxy server before you run this step.
  • Ensure that there is HTTP/HTTPS connectivity between the Web Application Proxy server and the AD FS server to allow authentication requests to flow through.

You are prompted to enter credentials so that the Web Application Proxy server can establish a secure connection to the AD FS server. These credentials need to be a local administrator on the AD FS server.


Specify the service account for the AD FS service

The AD FS service requires a domain service account to authenticate users and look up user information in Active Directory. It can support two types of service accounts:

  • Group Managed Service Account - Introduced in Active Directory Domain Services with Windows Server 2012. This type of account provides services, such as AD FS, a single account without needing to update the account password regularly. Use this option if you already have Windows Server 2012 domain controllers in the domain that your AD FS servers belong to.
  • Domain User Account - This type of account requires you to provide a password and regularly update the password when the password changes or expires. Use this option only when you do not have Windows Server 2012 domain controllers in the domain that your AD FS servers belong to.

If you selected Group Managed Service Account and this feature has never been used in Active Directory, you are prompted for Enterprise Admin credentials. These credentials are used to initiate the key store and enable the feature in Active Directory.


Azure AD Connect performs a check to detect if the AD FS service is already registered as an SPN in the domain. AD DS will not allow duplicate SPNs to be registered at once. If a duplicate SPN is found, you will not be able to proceed further until the SPN is removed.

Select the Azure AD domain that you wish to federate

This configuration is used to set up the federation relationship between AD FS and Azure AD. It configures AD FS to issue security tokens to Azure AD and configures Azure AD to trust the tokens from this specific AD FS instance. This page only allows you to configure a single domain in the initial installation. You can configure more domains later by running Azure AD Connect again.

Verify the Azure AD domain selected for federation

When you select the domain to be federated, Azure AD Connect provides you with the necessary information to verify an unverified domain. See Add and verify the domain for how to use this information.


Azure AD Connect tries to verify the domain during the configure stage. If you continue to configure without adding the necessary DNS records, the wizard is not able to complete the configuration.

Configuring federation with PingFederate

Configuring PingFederate with Azure AD Connect is simple and only requires a few clicks. However, the following prerequisites are required.

Verify the domain

After selecting Federation with PingFederate, you will be asked to verify the domain you want to federate. Select the domain from the drop-down box.


Export the PingFederate settings

PingFederate must be configured as the federation server for each federated Azure domain. Click the Export Settings button and share this information with your PingFederate administrator. The federation server administrator will update the configuration, then provide the PingFederate server URL and port number so Azure AD Connect can verify the metadata settings.


Contact your PingFederate administrator to resolve any validation issues. The following is an example of a PingFederate server that does not have a valid trust relationship with Azure:


Verify federation connectivity

Azure AD Connect will attempt to validate the authentication endpoints retrieved from the PingFederate metadata in the previous step. Azure AD Connect will first attempt to resolve the endpoints using your local DNS servers. Next it will attempt to resolve the endpoints using an external DNS provider. Contact your PingFederate administrator to resolve any validation issues.


Verify federation login

Finally, you can verify the newly configured federated login flow by signing in to the federated domain. When this succeeds, the federation with PingFederate is successfully configured.

Configure and verify pages

The configuration happens on this page.

Before you continue installation, if you configured federation, make sure that you have configured Name resolution for federation servers.

Staging mode

It is possible to set up a new sync server in parallel by using staging mode. It is only supported to have one sync server exporting to one directory in the cloud. But if you want to move from another server, for example one running DirSync, then you can enable Azure AD Connect in staging mode. When enabled, the sync engine imports and synchronizes data as normal, but it does not export anything to Azure AD or AD. Password sync is disabled while in staging mode.

While in staging mode, it is possible to make required changes to the sync engine and review what is about to be exported. When the configuration looks good, run the installation wizard again and disable staging mode. Data is now exported to Azure AD from this server. Make sure to disable the other server at the same time so only one server is actively exporting.

For more information, see Staging mode.
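A quick way to confirm the "only one server is actively exporting" rule across a staging and a production server, as an added example that is not part of the original article. It assumes the ADSync PowerShell module's Get-ADSyncScheduler cmdlet on each server, PowerShell remoting to the two hostnames, and placeholder server names:

```powershell
function Get-ADSyncExportState {
    param(
        # Placeholder hostnames of the Azure AD Connect servers being compared
        [string[]]$Server = @('AADCONNECT-OLD', 'AADCONNECT-NEW')
    )
    # Read the scheduler state on every server; StagingModeEnabled and
    # SyncCycleEnabled are properties of the Get-ADSyncScheduler output object
    $state = Invoke-Command -ComputerName $Server -ScriptBlock {
        $s = Get-ADSyncScheduler
        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            Staging      = $s.StagingModeEnabled
            SyncEnabled  = $s.SyncCycleEnabled
            # A server exports only when it is NOT in staging mode and its scheduler runs
            Exporting    = (-not $s.StagingModeEnabled) -and $s.SyncCycleEnabled
        }
    }
    $exporters = @($state | Where-Object Exporting)
    $summary = [pscustomobject]@{
        Servers        = $state | Select-Object Server, Staging, SyncEnabled, Exporting
        ExportingCount = $exporters.Count
        # Exactly one exporter is the supported configuration; 0 means nothing
        # reaches Azure AD, 2+ means two servers compete for the same tenant
        Healthy        = ($exporters.Count -eq 1)
    }
    return $summary
}

# Example call; review the Servers table before flipping staging mode on either side
(Get-ADSyncExportState).Servers | Format-Table -AutoSize
```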

Verify your federation configuration

Azure AD Connect verifies the DNS settings for you when you click the Verify button.

Intranet connectivity checks

  • Resolve federation FQDN: Azure AD Connect checks if the federation FQDN can be resolved by DNS to ensure connectivity. If Azure AD Connect cannot resolve the FQDN, the verification will fail. Ensure that a DNS record is present for the federation service FQDN in order to successfully complete the verification.
  • DNS A record: Azure AD Connect checks if there is an A record for your federation service. In the absence of an A record, the verification will fail. Create an A record and not a CNAME record for your federation FQDN in order to successfully complete the verification.

Extranet connectivity checks

  • Resolve federation FQDN: Azure AD Connect checks if the federation FQDN can be resolved by DNS to ensure connectivity.
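The same intranet and extranet checks, reproduced as an added example (not the wizard's own code) so you can run them before clicking Verify. It assumes the DnsClient module's Resolve-DnsName cmdlet, a placeholder federation FQDN, and a public resolver of your choice for the extranet query:

```powershell
function Test-FederationFqdnDns {
    param(
        [Parameter(Mandatory)][string]$FederationFqdn,   # e.g. 'fs.contoso.com' (placeholder)
        [string]$ExternalDnsServer = '8.8.8.8'            # assumed public resolver for the extranet check
    )
    $r = [ordered]@{ Fqdn = $FederationFqdn; IntranetResolves = $false; HasARecord = $false
                     IsCname = $false; ExtranetResolves = $false; Problems = @() }

    # Intranet check: ask the local DNS servers only (-DnsOnly skips hosts file and cache)
    try {
        $local = Resolve-DnsName -Name $FederationFqdn -Type A -DnsOnly -ErrorAction Stop
        $r.IntranetResolves = $true
        # When the name is a CNAME, the answer contains a CNAME record plus the A record
        # of the canonical name, so an A record whose Name is the FQDN itself is required
        $r.IsCname    = [bool]($local | Where-Object Type -eq 'CNAME')
        $r.HasARecord = [bool]($local | Where-Object { $_.Type -eq 'A' -and $_.Name -eq $FederationFqdn })
    } catch {
        $r.Problems += "Intranet: cannot resolve $FederationFqdn ($($_.Exception.Message))"
    }
    if ($r.IsCname -or ($r.IntranetResolves -and -not $r.HasARecord)) {
        $r.Problems += "Intranet: $FederationFqdn must have an A record, not a CNAME"
    }

    # Extranet check: repeat the lookup against an external resolver
    try {
        $ext = Resolve-DnsName -Name $FederationFqdn -Type A -Server $ExternalDnsServer -DnsOnly -ErrorAction Stop
        $r.ExtranetResolves = [bool]($ext | Where-Object Type -eq 'A')
        if (-not $r.ExtranetResolves) { $r.Problems += "Extranet: no A record returned by $ExternalDnsServer" }
    } catch {
        $r.Problems += "Extranet: cannot resolve $FederationFqdn via $ExternalDnsServer ($($_.Exception.Message))"
    }

    $r.Passed = ($r.Problems.Count -eq 0)
    return [pscustomobject]$r
}

# Example call; Problems lists the same failure reasons the wizard reports
Test-FederationFqdnDns -FederationFqdn 'fs.contoso.com' | Format-List
```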



To validate that end-to-end authentication is successful, you should manually perform one or more of the following tests:

  • Once synchronization is complete, use the Verify federated login additional task in Azure AD Connect to verify authentication for an on-premises user account of your choice.
  • Validate rich client sign-in. Connect to, choose the Office 365 tab and choose the Office 365 Single Sign-On Test.


The following section contains troubleshooting and information that you can use if you encounter an issue installing Azure AD Connect.

"The ADSync database already contains data and cannot be overwritten"

When you custom install Azure AD Connect and select the option Use an existing SQL server on the Install required components page, you might encounter an error that states The ADSync database already contains data and cannot be overwritten. Please remove the existing database and try again.

This is because there is already an existing database named ADSync on the SQL instance of the SQL server, which you specified in the above textboxes.

This typically occurs after you have uninstalled Azure AD Connect. The database will not be deleted from the SQL Server when you uninstall.

To fix this issue, first verify that the ADSync database that was used by Azure AD Connect prior to being uninstalled is no longer being used.

Next, it is recommended that you back up the database prior to deleting it.

Finally, you need to delete the database. You can do this by using Microsoft SQL Server Management Studio to connect to the SQL instance. Find the ADSync database, right-click it, and select Delete from the context menu. Then click the OK button to delete it.

After you delete the ADSync database, you can click the Install button to retry installation.
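The three steps above (confirm the database is unused, back it up, then delete it) as a scripted alternative to Management Studio. This is an added example, not code from the article or the product; it uses the .NET System.Data.SqlClient client with Windows authentication, assumes the caller has sysadmin rights and VIEW SERVER STATE on the instance, and uses placeholder instance and backup-path values:

```powershell
function Remove-StaleADSyncDatabase {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SqlInstance,   # e.g. 'SQL01\INST01,1433' (placeholder)
        [Parameter(Mandatory)][string]$BackupFile,    # path as seen by the SQL Server service account
        [string]$Database = 'ADSync'
    )
    Add-Type -AssemblyName System.Data
    $quoted = '[' + $Database.Replace(']', ']]') + ']'   # bracket-quote the name for the DDL statements
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlInstance;Database=master;Integrated Security=True;Encrypt=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandTimeout = 0   # backups can take a while
        [void]$cmd.Parameters.AddWithValue('@db', $Database)
        [void]$cmd.Parameters.AddWithValue('@file', $BackupFile)

        # 1. Is the leftover database actually present on this instance?
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.databases WHERE name = @db'
        if ([int]$cmd.ExecuteScalar() -eq 0) { return "Database $Database not found on $SqlInstance; nothing to do." }

        # 2. Verify nothing (for example a sync service that was never stopped) still uses it
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.dm_exec_sessions WHERE database_id = DB_ID(@db) AND session_id <> @@SPID'
        $sessions = [int]$cmd.ExecuteScalar()
        if ($sessions -gt 0) { throw "$sessions session(s) still use $Database; stop them before deleting." }

        # 3. Take a backup first; the installer cannot recover the old data once dropped
        $cmd.CommandText = "BACKUP DATABASE $quoted TO DISK = @file WITH INIT, CHECKSUM"
        [void]$cmd.ExecuteNonQuery()

        # 4. Drop it; -WhatIf / -Confirm are honoured through ShouldProcess
        if ($PSCmdlet.ShouldProcess("$Database on $SqlInstance", 'DROP DATABASE')) {
            $cmd.CommandText = "ALTER DATABASE $quoted SET SINGLE_USER WITH ROLLBACK IMMEDIATE; DROP DATABASE $quoted"
            [void]$cmd.ExecuteNonQuery()
            return "Backed up to $BackupFile and dropped $Database; rerun the Azure AD Connect installer."
        }
        return "Backed up to $BackupFile; $Database left in place."
    } finally { $conn.Close() }
}

# Example call (placeholders); -WhatIf shows what would be dropped without doing it
Remove-StaleADSyncDatabase -SqlInstance 'SQL01\INST01,1433' -BackupFile 'D:\Backup\ADSync.bak' -WhatIf
```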

Next steps

After the installation has completed, sign out and sign in again to Windows before you use Synchronization Service Manager or Synchronization Rule Editor.

Now that you have Azure AD Connect installed, you can verify the installation and assign licenses.

Learn more about these features, which were enabled with the installation: Prevent accidental deletes.

Learn more about these common topics: scheduler and how to trigger sync.

Learn more about Integrating your on-premises identities with Azure Active Directory.