Install Azure AD Connect using an existing ADSync database

Azure AD Connect requires a SQL Server database to store its data. You can either use the SQL Server 2012 Express LocalDB instance installed by default with Azure AD Connect or use your own full version of SQL Server. Previously, installing Azure AD Connect always created a new database named ADSync. With Azure AD Connect version 1.1.613.0 or later, you have the option to install Azure AD Connect by pointing it at an existing ADSync database.

Benefits of using an existing ADSync database

By pointing to an existing ADSync database:

  • Except for credentials, the synchronization configuration stored in the ADSync database (custom synchronization rules, connectors, filtering, and optional-feature configuration) is recovered automatically and used during installation. The credentials Azure AD Connect uses to synchronize changes with on-premises AD and Azure AD are encrypted and can only be decrypted by the previous Azure AD Connect server, so they cannot be recovered from the database.
  • All the identity data (connector spaces and the metaverse) and the synchronization cookies stored in the ADSync database are also recovered. The newly installed Azure AD Connect server can continue synchronizing from where the previous Azure AD Connect server left off, instead of having to perform a full sync.

Scenarios where using an existing ADSync database is beneficial

These benefits are useful in the following scenarios:

  • You have an existing Azure AD Connect deployment. The existing Azure AD Connect server no longer works, but the SQL Server hosting the ADSync database is still functioning. You can install a new Azure AD Connect server and point it at the existing ADSync database.
  • You have an existing Azure AD Connect deployment. The SQL Server hosting the ADSync database no longer works, but you have a recent backup of the database. You can restore the ADSync database to a new SQL Server first, then install a new Azure AD Connect server and point it at the restored ADSync database.
  • You have an existing Azure AD Connect deployment that uses LocalDB. Because of the 10-GB limit imposed by LocalDB, you want to migrate to full SQL Server. You can back up the ADSync database from LocalDB and restore it to a SQL Server, then reinstall Azure AD Connect on a new server and point it at the restored ADSync database.
  • You are setting up a staging server and want to make sure its configuration matches that of the current active server. You can back up the ADSync database and restore it to another SQL Server, then install a new Azure AD Connect server and point it at the restored ADSync database.

Prerequisite information

Important notes to be aware of before you proceed:

  • Review the prerequisites for installing Azure AD Connect in Hardware and prerequisites, and the accounts and permissions required for installing Azure AD Connect. The permissions required to install Azure AD Connect in "use existing database" mode are the same as for a "custom" installation.
  • Deploying Azure AD Connect against an existing ADSync database is only supported with full SQL Server. It is not supported with SQL Express LocalDB. If the existing ADSync database you want to use is in LocalDB, you must first back up the ADSync database from LocalDB and restore it to full SQL Server. Only then can you deploy Azure AD Connect against the restored database using this method.
  • The version of Azure AD Connect used for the installation must satisfy both of the following criteria:
    • 1.1.613.0 or later, AND
    • the same as or later than the version of Azure AD Connect last used with the ADSync database. If the version used for the installation is later than the version last used with the ADSync database, a full sync may be required. A full sync is required if there are schema or sync rule changes between the two versions.
  • The ADSync database used should contain a relatively recent synchronization state. The last synchronization activity against the existing ADSync database should have occurred within the last three weeks.
  • When installing Azure AD Connect with the "use existing database" method, the sign-in method configured on the previous Azure AD Connect server is not preserved. Furthermore, you cannot configure the sign-in method during installation; you can only configure it after the installation is complete.
  • Multiple Azure AD Connect servers cannot share the same ADSync database. The "use existing database" method lets you reuse an existing ADSync database with a new Azure AD Connect server; it does not support sharing.
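The version gate, SQL Server reachability and "last sync within three weeks" checks above can be verified from the new server before the wizard is ever started. The following script is an added example, not part of the original article or of the Azure AD Connect product; it assumes the ADSync database still carries the MIIS/FIM sync-engine run-history table dbo.mms_run_history (with start_date and end_date stored in UTC), that the account running it has db_datareader on ADSync, and that you supply the installer version and the version last used with the database by hand.

```powershell
# Added example (not from the original article): pre-installation checks run from the
# new Azure AD Connect server before launching AzureADConnect.exe /useexistingdatabase.
# Assumptions not stated on the page: dbo.mms_run_history exists in ADSync (MIIS/FIM
# schema) with end_date in UTC, and the caller has db_datareader on ADSync.
param(
    [Parameter(Mandatory)] [string]  $SqlServer,        # e.g. 'sql01.contoso.local'
    [string]                         $Instance = '',     # '' for the default instance
    [int]                            $Port = 1433,       # required when SQL Browser is off
    [Parameter(Mandatory)] [version] $InstallerVersion,  # version of the AzureADConnect.msi you downloaded
    [Parameter(Mandatory)] [version] $PreviousVersion,   # version last used with this ADSync database
    [int]                            $MaxSyncAgeDays = 21 # "within the last three weeks"
)

$minimum  = [version]'1.1.613.0'
$problems = @()

# 1. Version gate: installer must be >= 1.1.613.0 and >= the version last used with the DB.
if ($InstallerVersion -lt $minimum) {
    $problems += "Installer $InstallerVersion is below the minimum $minimum"
}
if ($InstallerVersion -lt $PreviousVersion) {
    $problems += "Installer $InstallerVersion is older than the previous server's $PreviousVersion"
} elseif ($InstallerVersion -gt $PreviousVersion) {
    Write-Warning "Installer is newer than $PreviousVersion; expect a full sync if schema or sync rules changed."
}

# 2. Reachability of the SQL engine on the explicit TCP port (no dependence on SQL Browser).
$tcp = Test-NetConnection -ComputerName $SqlServer -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { $problems += "TCP $SqlServer`:$Port is unreachable" }

# 3. Database presence and recency of the last sync run, over Windows auth on an encrypted channel.
$dataSource = if ($Instance) { "$SqlServer\$Instance,$Port" } else { "$SqlServer,$Port" }
$cs = "Server=$dataSource;Database=ADSync;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
$conn = $null
try {
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # Assumption: dbo.mms_run_history records every run profile execution (MIIS/FIM schema).
    $cmd.CommandText = 'SELECT MAX(end_date) FROM dbo.mms_run_history'
    $last = $cmd.ExecuteScalar()
    if ($null -eq $last -or $last -is [System.DBNull]) {
        $problems += 'No run history found; is this really a previously used ADSync database?'
    } else {
        $ageDays = ((Get-Date).ToUniversalTime() - [datetime]$last).TotalDays
        if ($ageDays -gt $MaxSyncAgeDays) {
            $problems += ('Last sync run ended {0:u}, {1:N0} days ago (limit {2})' -f $last, $ageDays, $MaxSyncAgeDays)
        }
    }
}
catch { $problems += "Cannot open ADSync on $dataSource`: $($_.Exception.Message)" }
finally { if ($conn) { $conn.Dispose() } }

if ($problems) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
    exit 1
}
Write-Host "All checks passed; run .\AzureADConnect.exe /useexistingdatabase from 'C:\Program Files\Azure Active Directory Connect'." -ForegroundColor Green
```

Run it as the same account that will perform the installation, so that a missing SQL login surfaces here rather than in the wizard. The version comparison is deliberately strict: an installer older than the version last used with the database is rejected outright, while a newer one only triggers a warning about the possible full sync.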

Steps to install Azure AD Connect in "use existing database" mode

  1. Download the Azure AD Connect installer (AzureADConnect.MSI) to the Windows server. Double-click the installer to start installing Azure AD Connect.
  2. Once the MSI installation completes, the Azure AD Connect wizard starts in Express mode setup. Close the screen by clicking the Exit icon.
  3. Start a new command prompt or PowerShell session. Navigate to the folder "C:\Program Files\Azure Active Directory Connect". Run the command .\AzureADConnect.exe /useexistingdatabase to start the Azure AD Connect wizard in "Use existing database" setup mode.

Note

Use the /UseExistingDatabase switch only when the database already contains data from an earlier Azure AD Connect installation, for instance when you are moving from LocalDB to a full SQL Server database, or when the Azure AD Connect server was rebuilt and you restored a SQL backup of the ADSync database taken from an earlier installation. If the database is empty, that is, it does not contain any data from a previous Azure AD Connect installation, skip this step.


  4. You are greeted with the Welcome to Azure AD Connect screen. Once you agree to the license terms and privacy notice, click Continue.

  5. On the Install required components screen, the Use an existing SQL Server option is already enabled. Specify the name of the SQL Server hosting the ADSync database. If the SQL engine instance hosting the ADSync database is not the default instance on that server, you must also specify the instance name. Furthermore, if SQL Browser is not enabled, you must specify the SQL engine instance's port number.

  6. On the Connect to Azure AD screen, you must provide the credentials of a global administrator of your Azure AD directory. The recommendation is to use an account in the default partner.onmschina.cn domain. This account is only used to create a service account in Azure AD and is not used after the wizard has completed.

  7. On the Connect your directories screen, the existing AD forest configured for directory synchronization is listed with a red cross icon beside it. To synchronize changes from an on-premises AD forest, an AD DS account is required. The Azure AD Connect wizard cannot retrieve the credentials of the AD DS account stored in the ADSync database, because they are encrypted and can only be decrypted by the previous Azure AD Connect server. Click Change Credentials to specify the AD DS account for the AD forest.

  8. In the pop-up dialog, you can either (i) provide Enterprise Admin credentials and let Azure AD Connect create the AD DS account for you, or (ii) create the AD DS account yourself and provide its credentials to Azure AD Connect. Once you have selected an option and provided the necessary credentials, click OK to close the pop-up dialog.

  9. Once the credentials are provided, the red cross icon is replaced with a green tick icon. Click Next.

  10. On the Ready to configure screen, click Install.

  11. Once installation completes, the Azure AD Connect server is automatically placed in Staging Mode. Review the server configuration and the pending exports for unexpected changes before disabling Staging Mode: a wrong or under-privileged AD DS account supplied in step 8, or a stale database, shows up here as unexpected adds, updates or deletes that would otherwise be written to AD and Azure AD as soon as staging mode is turned off.
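The review in the last step can be scripted. The following script is an added example, not part of the original article or shipped with Azure AD Connect; it assumes the sync engine is installed under C:\Program Files\Microsoft Azure AD Sync\Bin (the default location), uses the csexport.exe tool from that folder to dump each connector's pending exports (/f:x), and assumes the resulting XML carries delta elements with an operation attribute of add, update or delete beneath each cs-object element. The thresholds for what counts as "unexpected" are arbitrary and should be tuned to your environment.

```powershell
# Added example (not from the original article): post-install review of a server installed
# with /useexistingdatabase. Confirms staging mode is still on, exports every connector's
# pending exports with csexport.exe, and tabulates them so unexpected deletes are caught
# before staging mode is disabled.
# Assumptions not stated on the page: sync engine bin folder below, and csexport XML
# containing <delta operation="add|update|delete"> elements under each <cs-object>.
Import-Module ADSync -ErrorAction Stop

$bin = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
$out = Join-Path $env:TEMP 'aadc-pending-exports'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Staging mode must still be on; the "use existing database" install enables it automatically.
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.StagingModeEnabled) {
    throw 'Staging mode is OFF on this server; stop and investigate before it exports to AD or Azure AD.'
}

# 2. Dump pending exports (/f:x) for each connector. The installer could not restore the
#    AD DS credential, so a wrong account frequently surfaces here as mass deletes.
$summary = foreach ($connector in Get-ADSyncConnector) {
    $safeName = $connector.Name -replace '[\\/:*?"<>|]', '_'
    $xmlPath  = Join-Path $out "$safeName.xml"
    & (Join-Path $bin 'csexport.exe') $connector.Name $xmlPath /f:x | Out-Null
    if (-not (Test-Path $xmlPath)) {
        Write-Warning "csexport produced no file for connector '$($connector.Name)'"
        continue
    }

    [xml]$doc = Get-Content -Path $xmlPath -Raw
    # Assumption: pending operations are <delta operation="..."> nodes beneath <cs-object>.
    $ops = @($doc.SelectNodes('//cs-object//delta[@operation]')) | ForEach-Object { $_.operation }
    [pscustomobject]@{
        Connector = $connector.Name
        Add       = @($ops | Where-Object { $_ -eq 'add' }).Count
        Update    = @($ops | Where-Object { $_ -eq 'update' }).Count
        Delete    = @($ops | Where-Object { $_ -eq 'delete' }).Count
        File      = $xmlPath
    }
}

if (-not $summary) { throw 'No connectors found; the configuration was not recovered from the ADSync database.' }
$summary | Format-Table -AutoSize

# 3. Gate: any pending delete, or a large number of pending changes, deserves a manual look
#    at the XML files before Set-ADSyncScheduler -StagingModeEnabled $false is run.
$deletes = ($summary | Measure-Object -Property Delete -Sum).Sum
$total   = ($summary | ForEach-Object { $_.Add + $_.Update + $_.Delete } | Measure-Object -Sum).Sum
if ($deletes -gt 0 -or $total -gt 100) {
    Write-Warning "Review the files in $out before disabling staging mode: $deletes deletes, $total pending changes in total."
} else {
    Write-Host 'Pending exports look benign; you may now run Set-ADSyncScheduler -StagingModeEnabled $false.' -ForegroundColor Green
}
```

Run it only after the scheduler has completed at least one import and synchronization cycle on the new server, otherwise the connector spaces still reflect the state captured in the database backup and the pending exports will be empty. A non-zero Delete count for the Azure AD connector after a restore from an old backup almost always means the database is older than the three-week limit, not that the objects really left the directory.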

Post-installation tasks

When restoring a database backup created by a version of Azure AD Connect earlier than 1.2.65.0, the staging server automatically selects the sign-in method Do Not Configure. Although your password hash synchronization preferences are restored, you must subsequently change the sign-in method to match the other policies in effect on your active synchronization server. If you do not complete these steps, users may be unable to sign in should this server become active.

Use the following table to determine whether any additional steps are required.

Feature | Steps
Password Hash Synchronization | The Password Hash Synchronization settings are fully restored for Azure AD Connect versions starting with 1.2.65.0. If the backup was created by an older version of Azure AD Connect, review the synchronization option settings for these features to ensure they match your active synchronization server. No other configuration steps should be necessary.
Federation with AD FS | Azure authentications continue to use the AD FS policy configured for your active synchronization server. If you use Azure AD Connect to manage your AD FS farm, you may optionally change the sign-in method to AD FS federation in preparation for this standby server becoming the active synchronization instance. If device options are enabled on the active synchronization server, configure those options on this server by running the "Configure device options" task.
Federation with PingFederate | Azure authentications continue to use the PingFederate policy configured for your active synchronization server. You may optionally change the sign-in method to PingFederate in preparation for this standby server becoming the active synchronization instance. This step may be deferred until you need to federate additional domains with PingFederate.

Next steps