Azure AD Connect: When you have an existing tenant

Most of the topics on how to use Azure AD Connect assume that you start with a new Azure AD tenant that contains no users or other objects. But if you started with an Azure AD tenant, populated it with users and other objects, and now want to use Connect, then this topic is for you.

The basics

An object in Azure AD is mastered either in the cloud (Azure AD) or on-premises. For a single object, you cannot manage some attributes on-premises and other attributes in Azure AD. Each object has a flag indicating where the object is managed.

You can manage some users on-premises and others in the cloud. A common scenario for this configuration is an organization with a mix of accounting workers and sales workers. The accounting workers have an on-premises AD account, but the sales workers do not; they have an account in Azure AD. You would manage some users on-premises and some in Azure AD.

If you started managing users in Azure AD that also exist in on-premises AD, and later want to use Connect, then there are some additional concerns you need to consider.

Sync with existing users in Azure AD

When you install Azure AD Connect and start synchronizing, the Azure AD sync service (in Azure AD) checks every new object and tries to find an existing object to match. Three attributes are used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID. A match on userPrincipalName or proxyAddresses is known as a soft match. A match on sourceAnchor is known as a hard match. For the proxyAddresses attribute, only the value prefixed with SMTP: (that is, the primary email address) is used for the evaluation.

The match is only evaluated for new objects coming from Connect. If you change an existing object so that it matches on any of these attributes, you see an error instead.

If Azure AD finds an object already present in Azure AD whose attribute values are the same as those of an object coming from Connect, then the object in Azure AD is taken over by Connect. The previously cloud-managed object is flagged as on-premises managed. All attributes in Azure AD that have a value in on-premises AD are overwritten with the on-premises value. The exception is when an attribute has a NULL value on-premises. In this case, the value in Azure AD remains, but you can still only change it to something else on-premises.

Warning

Since all attributes in Azure AD are going to be overwritten by the on-premises values, make sure you have good data on-premises. For example, if you have only managed email addresses in Office 365 and have not kept them updated in on-premises AD DS, then you lose any values in Azure AD/Office 365 that are not present in AD DS.

Important

If you use password sync, which is always used by express settings, then the password in Azure AD is overwritten with the password in on-premises AD. If your users are used to managing different passwords, then you need to inform them that they should use the on-premises password once you have installed Connect.

The previous section and warning must be considered in your planning. If you have made many changes in Azure AD that are not reflected in on-premises AD DS, then you need to plan how to populate AD DS with the updated values before you sync your objects with Azure AD Connect.

If you matched your objects with a soft match, then the sourceAnchor is added to the object in Azure AD so that a hard match can be used later.

Important

Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory.

Hard match vs. soft match

For a new installation of Connect, there is no practical difference between a soft match and a hard match. The difference shows in a disaster recovery situation. If you have lost the server running Azure AD Connect, you can reinstall a new instance without losing any data. An object with a sourceAnchor is sent to Connect during the initial install. The match can then be evaluated by the client (Azure AD Connect), which is a lot faster than doing the same in Azure AD. A hard match is evaluated both by Connect and by Azure AD. A soft match is evaluated only by Azure AD.

Objects other than users

For mail-enabled groups and contacts, you can soft-match based on proxyAddresses. Hard match is not applicable, since you can only update the sourceAnchor/immutableID (using PowerShell) on users. For groups that aren't mail-enabled, there is currently no support for soft match or hard match.

Admin role considerations

To prevent untrusted on-premises users from matching with a cloud user that holds any admin role, Azure AD Connect does not match on-premises user objects with objects that have an admin role. This is the default. To work around this behavior, you can do the following:

  1. Remove the directory roles from the cloud-only user object.
  2. Trigger a sync.
  3. Optionally, add the directory roles back to the user object in the cloud once the matching has occurred.
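The matching and takeover rules described above (hard match on sourceAnchor/immutableID, soft match on userPrincipalName or the primary SMTP: proxy address, no matching against objects holding an admin role, no soft match for groups that are not mail-enabled, and NULL on-premises values leaving the cloud value in place) as an added, constructed model in Python; it is not Microsoft's code, and the dict field names and sample data are assumptions made for the example.

```python
# Added example (not Microsoft's code): a model of the Azure AD Connect matching rules
# described on this page. Field names and sample data are constructed for illustration.

def primary_smtp(proxy_addresses):
    """Only the entry prefixed with 'SMTP:' (uppercase, the primary address) is considered."""
    for addr in proxy_addresses or []:
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):].lower()
    return None

def find_match(onprem, cloud_objects):
    """Hard match on sourceAnchor/immutableId first, then soft match on UPN or primary SMTP.
    Returns (cloud_object, 'hard' | 'soft') or (None, None)."""
    candidates = [c for c in cloud_objects if not c.get("directoryRoles")]  # admin-role objects are never matched
    for c in candidates:
        if onprem.get("sourceAnchor") and onprem["sourceAnchor"] == c.get("immutableId"):
            return c, "hard"
    if onprem["objectType"] == "group" and not onprem.get("mailEnabled"):
        return None, None  # no soft match for groups that are not mail-enabled
    upn = (onprem.get("userPrincipalName") or "").lower()
    smtp = primary_smtp(onprem.get("proxyAddresses"))
    for c in candidates:
        if c.get("immutableId") or c["objectType"] != onprem["objectType"]:
            continue  # a soft match only joins to a cloud-only object of the same type
        if (upn and upn == (c.get("userPrincipalName") or "").lower()) or (
                smtp and smtp == primary_smtp(c.get("proxyAddresses"))):
            return c, "soft"
    return None, None

def take_over(onprem, cloud):
    """Flag the object as on-premises managed and overwrite its attributes with the
    on-premises values; a NULL on-premises value leaves the cloud value in place.
    Writing immutableId after a soft match is what lets a hard match work later."""
    cloud["onPremisesSyncEnabled"] = True
    for attr, value in onprem.items():
        if attr != "sourceAnchor" and value is not None:
            cloud[attr] = value
    cloud["immutableId"] = onprem["sourceAnchor"]
    return cloud

def synchronize(onprem_objects, cloud_objects):
    """Evaluate each new on-premises object; returns [(sourceAnchor, 'hard'|'soft'|'new'), ...]."""
    outcome = []
    for obj in onprem_objects:
        cloud, kind = find_match(obj, cloud_objects)
        if cloud is None:
            outcome.append((obj["sourceAnchor"], "new"))  # Connect would provision a new object
        else:
            take_over(obj, cloud)
            outcome.append((obj["sourceAnchor"], kind))
    return outcome
```

Running the same on-premises objects through `find_match` a second time (the reinstall scenario) yields hard matches, because the first soft match wrote the sourceAnchor into the cloud object.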

Create a new on-premises Active Directory from data in Azure AD

Some customers start with a cloud-only solution with Azure AD and do not have an on-premises AD. Later they want to consume on-premises resources and want to build an on-premises AD based on Azure AD data. Azure AD Connect cannot help you in this scenario. It does not create users on-premises, and it has no ability to set the on-premises password to the same value as in Azure AD.

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.