Prerequisites for Azure AD Connect

This topic describes the prerequisites and the hardware requirements for Azure AD Connect.

Before you install Azure AD Connect

Before you install Azure AD Connect, there are a few things that you need.

Azure AD

  • An Azure AD tenant. You get one with an Azure trial. You can use one of the following portals to manage Azure AD Connect:
  • Add and verify the domain you plan to use in Azure AD. For example, if you plan to use for your users, then make sure this domain has been verified and that you are not only using the default domain.
  • An Azure AD tenant allows 50k objects by default. When you verify your domain, the limit is increased to 300k objects. If you need even more objects in Azure AD, then you need to open a support case to have the limit increased even further. If you need more than 500k objects, then you need a license, such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility and Security.

Prepare your on-premises data

On-premises Active Directory

  • The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met.
  • If you plan to use the password writeback feature, then the domain controllers must be on Windows Server 2008 R2 or later.
  • The domain controller used by Azure AD must be writable. It is not supported to use an RODC (read-only domain controller), and Azure AD Connect does not follow any write redirects.
  • It is not supported to use on-premises forests/domains with "dotted" NetBIOS names (names that contain a period ".").
  • It is recommended to enable the Active Directory recycle bin.

Azure AD Connect server


The Azure AD Connect server contains critical identity data and should be treated as a Tier 0 component as documented in the Active Directory administrative tier model.

  • Azure AD Connect cannot be installed on Small Business Server or on Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server Standard or better.
  • Installing Azure AD Connect on a domain controller is not recommended, because security practices and more restrictive settings can prevent Azure AD Connect from installing correctly.
  • The Azure AD Connect server must have a full GUI installed. It is not supported to install on Server Core.


Installing Azure AD Connect on Small Business Server, Server Essentials, or Server Core is not supported.

  • Azure AD Connect must be installed on Windows Server 2012 or later. This server must be domain joined and may be a domain controller or a member server.

  • The Azure AD Connect server must not have the PowerShell Transcription Group Policy enabled if you are using the Azure AD Connect wizard to manage the AD FS configuration. You can enable PowerShell transcription if you are using the Azure AD Connect wizard to manage the sync configuration.

  • If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows Remote Management must be enabled on these servers for remote installation.

  • If Active Directory Federation Services is being deployed, you need TLS/SSL certificates.

  • If Active Directory Federation Services is being deployed, then you need to configure name resolution.

  • If your global administrators have MFA enabled, then the URL must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you are prompted for an MFA challenge and it has not been added before. You can use Internet Explorer to add it to your trusted sites.

  • Microsoft recommends hardening your Azure AD Connect server to decrease the security attack surface of this critical component of your IT environment. Following the recommendations below will decrease the security risks to your organization.

  • Deploy Azure AD Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups.

To learn more, see:

SQL Server used by Azure AD Connect

  • Azure AD Connect requires a SQL Server database to store identity data. By default, SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10 GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server. The type of SQL Server installation can impact the performance of Azure AD Connect.
  • If you use a different installation of SQL Server, then these requirements apply:
    • Azure AD Connect supports all versions of Microsoft SQL Server from 2012 (with the latest Service Pack) to SQL Server 2019. Azure SQL Database is not supported as a database.
    • You must use a case-insensitive SQL collation. These collations are identified by _CI_ in their name. It is not supported to use a case-sensitive collation, identified by _CS_ in the name.
    • You can only have one sync engine per SQL instance. It is not supported to share a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync.


  • An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.
  • If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises Active Directory.
  • If you use the custom settings installation path, then you have more options. For more information, see Custom installation settings.


  • The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both in your on-premises Active Directory and for the Azure AD endpoints.
  • If you have firewalls on your intranet and you need to open ports between the Azure AD Connect servers and your domain controllers, then see Azure AD Connect Ports for more information.
  • If your proxy or firewall limits which URLs can be accessed, then the URLs documented in Office 365 URLs and IP address ranges must be opened.
  • Azure AD Connect (version 1.1.614.0 and later) by default uses TLS 1.2 for encrypting communication between the sync engine and Azure AD. If TLS 1.2 isn't available on the underlying operating system, Azure AD Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0).
  • Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 for encrypting communication between the sync engine and Azure AD. To change to TLS 1.2, follow the steps in Enable TLS 1.2 for Azure AD Connect.
  • If you are using an outbound proxy for connecting to the Internet, the following setting must be added to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file for the installation wizard and Azure AD Connect sync to be able to connect to the Internet and Azure AD. This text must be entered at the bottom of the file. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name.
  • If your proxy server requires authentication, then the service account must be located in the domain, and you must use the custom settings installation path to specify a custom service account. You also need a different change to machine.config. With this change in machine.config, the installation wizard and sync engine respond to authentication requests from the proxy server. In all installation wizard pages, excluding the Configure page, the signed-in user's credentials are used. On the Configure page at the end of the installation wizard, the context is switched to the service account that you created. The machine.config section should look like this.
        <system.net>
          <defaultProxy enabled="true" useDefaultCredentials="true">
            <!-- <PROXYADDRESS> is the proxy IP address or host name; <PROXYPORT> is its port (placeholder added here, not named in the text above) -->
            <proxy
              usesystemdefault="true"
              proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
              bypassonlocal="true"
            />
          </defaultProxy>
        </system.net>
  • When Azure AD Connect sends a web request to Azure AD as part of directory synchronization, Azure AD can take up to 5 minutes to respond. It is common for proxy servers to have a connection idle timeout configured. Ensure that the timeout is set to at least 6 minutes.

For more information, see MSDN about the defaultProxy element.
For more information when you have problems with connectivity, see Troubleshoot connectivity problems.


  • Optional: a test user account to verify synchronization.

Component prerequisites

PowerShell and .NET Framework

Azure AD Connect depends on Microsoft PowerShell and .NET Framework 4.5.1. You need this version or a later version installed on your server. Depending on your Windows Server version, do the following:

  • Windows Server 2012 R2
    • Microsoft PowerShell is installed by default. No action is required.
    • .NET Framework 4.5.1 and later releases are offered through Windows Update. Make sure you have installed the latest updates to Windows Server in the Control Panel.
  • Windows Server 2012

Enable TLS 1.2 for Azure AD Connect

Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 for encrypting the communication between the sync engine server and Azure AD. You can change this by configuring .NET applications to use TLS 1.2 by default on the server. More information about TLS 1.2 can be found in Microsoft Security Advisory 2960358.

  1. Make sure you have the .NET 4.5.1 hotfix installed for your operating system; see Microsoft Security Advisory 2960358. You might have this hotfix or a later release installed on your server already.
  2. For all operating systems, set this registry key and restart the server.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 "SchUseStrongCrypto"=dword:00000001
  3. If you also want to enable TLS 1.2 between the sync engine server and a remote SQL Server, then make sure you have the required versions installed for TLS 1.2 support for Microsoft SQL Server.
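The following script is an added example, not part of this page: it audits (and, with -Fix, sets) the SchUseStrongCrypto value from step 2 and checks the .NET version from step 1. It assumes an elevated Windows PowerShell session on the Azure AD Connect server; the Wow6432Node key and the NDP Release numbers are additions not listed on this page.

```powershell
# Added example (not from this page): audit or set SchUseStrongCrypto so .NET
# applications such as the Azure AD Connect sync engine default to TLS 1.2.
# Assumptions: elevated Windows PowerShell on the Azure AD Connect server; the
# server still has to be restarted afterwards, as step 2 requires.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

# The key named in step 2, plus the Wow6432Node view that 32-bit .NET processes
# read on a 64-bit server (not listed on this page).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Step 1: .NET 4.5.1 or later. The NDP "Release" value is 378675 for 4.5.1 on
# Windows 8.1 / Server 2012 R2 and 378758 on other operating systems.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 378675) {
    Write-Warning ".NET Framework 4.5.1 or later was not detected (Release=$($ndp.Release)); install the hotfix first."
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Warning "$key is missing"; continue }
    $current = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    $compliant = ($current -eq 1)
    if (-not $compliant -and $Fix -and $PSCmdlet.ShouldProcess($key, 'Set SchUseStrongCrypto = 1 (DWORD)')) {
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        $current = 1; $compliant = $true
    }
    [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $current; Compliant = $compliant }
}

$results | Format-Table -AutoSize
if (@($results).Compliant -contains $false) {
    Write-Warning 'TLS 1.2 is not yet enforced for .NET. Re-run with -Fix (elevated), then restart the server.'
} elseif ($Fix) {
    Write-Host 'Values set. Restart the server so the sync engine and the wizard pick up the change.'
}
```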

Prerequisites for federation installation and configuration

Windows Remote Management

When using Azure AD Connect to deploy Active Directory Federation Services or the Web Application Proxy, check these requirements:

  • If the target server is domain joined, then ensure that Windows Remote Management is enabled
    • In an elevated PowerShell command window, use the command Enable-PSRemoting -force
  • If the target server is a non-domain joined WAP machine, then there are a couple of additional requirements
    • On the target machine (WAP machine):
      • Ensure the winrm (Windows Remote Management / WS-Management) service is running via the Services snap-in
      • In an elevated PowerShell command window, use command Enable-PSRemoting -force
    • On the machine on which the wizard is running (if the target machine is non-domain joined or untrusted domain):
      • In an elevated PowerShell command window, use the command Set-Item WSMan:\localhost\Client\TrustedHosts -Value <DMZServerFQDN> -Force -Concatenate
      • In Server Manager:
        • add DMZ WAP host to machine pool (server manager -> Manage -> Add Servers...use DNS tab)
        • Server Manager All Servers tab: right click WAP server and choose Manage As..., enter local (not domain) creds for the WAP machine
        • To validate remote PowerShell connectivity, in the Server Manager All Servers tab: right click WAP server and choose Windows PowerShell. A remote PowerShell session should open to ensure remote PowerShell sessions can be established.

TLS/SSL Certificate Requirements

  • It's strongly recommended to use the same TLS/SSL certificate across all nodes of your AD FS farm and all Web Application proxy servers.
  • The certificate must be an X509 certificate.
  • You can use a self-signed certificate on federation servers in a test lab environment. However, for a production environment, we recommend that you obtain the certificate from a public CA.
    • If using a certificate that is not publicly trusted, ensure that the certificate installed on each Web Application Proxy server is trusted on both the local server and on all federation servers
  • The identity of the certificate must match the federation service name (for example,
    • The identity is either a subject alternative name (SAN) extension of type dNSName or, if there are no SAN entries, the subject name specified as a common name.
    • Multiple SAN entries can be present in the certificate, provided one of them matches the federation service name.
    • If you are planning to use Workplace Join, an additional SAN is required with the value enterpriseregistration. followed by the User Principal Name (UPN) suffix of your organization, for example,
  • Certificates based on CryptoAPI next generation (CNG) keys and key storage providers are not supported. This means you must use a certificate based on a CSP (cryptographic service provider) and not a KSP (key storage provider).
  • Wild-card certificates are supported.
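The following script is an added example, not part of this page: it checks an installed certificate against the requirements listed above (name match through a SAN dNSName or the subject CN, wildcard names, the Workplace Join SAN, and a CSP rather than a CNG/KSP key). It assumes Windows PowerShell on a server that holds the certificate; the federation service name and UPN suffix are placeholders you replace.

```powershell
# Added example (not from this page): validate a certificate in the local
# machine store against the AD FS TLS/SSL certificate requirements above.
# Assumptions: Windows PowerShell; $FederationServiceName and $UpnSuffix are
# placeholders, not values from this page.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$FederationServiceName = 'fs.example.com',  # placeholder
    [string]$UpnSuffix = 'example.com',                  # placeholder, used with -WorkplaceJoin
    [switch]$WorkplaceJoin
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# DnsNameList (added by the Cert: provider) holds the SAN dNSName entries, or the
# subject common name when the certificate has no SAN, which is the rule above.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })

function Test-NameMatch([string]$Name, [string[]]$Candidates) {
    foreach ($c in $Candidates) {
        if ($c -eq $Name) { return $true }
        # Wildcard certificates are supported: *.example.com covers fs.example.com,
        # but only one label, as in TLS host name matching.
        if ($c.StartsWith('*.') -and $Name -like $c -and
            $Name.Split('.').Count -eq $c.Split('.').Count) { return $true }
    }
    return $false
}

# certutil reports which provider holds the private key. CSP names end in
# "Cryptographic Provider"; CNG key storage providers (unsupported here) do not.
$providerLine = certutil -store My $Thumbprint | Select-String -Pattern 'Provider\s*=\s*(.+)$' | Select-Object -First 1
$keyProvider = if ($providerLine) { $providerLine.Matches[0].Groups[1].Value.Trim() } else { 'none found' }

$checks = [ordered]@{
    'Has a private key'                   = $cert.HasPrivateKey
    'Key held by a CSP (not CNG/KSP)'     = ($keyProvider -match 'Cryptographic Provider')
    "Name matches $FederationServiceName" = Test-NameMatch $FederationServiceName.ToLowerInvariant() $names
    'Currently within validity period'    = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date))
}
if ($WorkplaceJoin) {
    # Workplace Join needs a SAN of enterpriseregistration.<UPN suffix>
    $wj = "enterpriseregistration.$UpnSuffix".ToLowerInvariant()
    $checks["SAN $wj present"] = Test-NameMatch $wj $names
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
} | Format-Table -AutoSize
"Names on certificate: $($names -join ', '); key provider: $keyProvider"
```

Run it once per AD FS node and Web Application Proxy server, since the page recommends the same certificate on all of them.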

Name resolution for federation servers

  • Set up DNS records for the AD FS federation service name (for example for both the intranet (your internal DNS server) and the extranet (public DNS through your domain registrar). For the intranet DNS record, ensure that you use A records and not CNAME records. This is required for Windows authentication to work correctly from your domain-joined machines.
  • If you are deploying more than one AD FS server or Web Application Proxy server, then ensure that you have configured your load balancer and that the DNS records for the AD FS federation service name (for example point to the load balancer.
  • For Windows integrated authentication to work for browser applications using Internet Explorer in your intranet, ensure that the AD FS federation service name (for example is added to the intranet zone in IE. This can be controlled via group policy and deployed to all your domain-joined computers.

Azure AD Connect supporting components

The following is a list of components that Azure AD Connect installs on the server where Azure AD Connect is installed. This list is for a basic Express installation. If you choose to use a different SQL Server on the Install synchronization services page, then SQL Express LocalDB is not installed locally.

  • Microsoft SQL Server 2012 Command Line Utilities
  • Microsoft SQL Server 2012 Express LocalDB
  • Microsoft SQL Server 2012 Native Client
  • Microsoft Visual C++ 2013 Redistribution Package

Hardware requirements for Azure AD Connect

The table below shows the minimum requirements for the Azure AD Connect sync computer.

Number of objects in Active Directory   CPU       Memory   Hard drive size
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000-50,000                           1.6 GHz   4 GB     70 GB
50,000-100,000                          1.6 GHz   16 GB    100 GB
For 100,000 or more objects the full version of SQL Server is required
100,000-300,000                         1.6 GHz   32 GB    300 GB
300,000-600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB

The minimum requirements for computers running AD FS or Web Application Proxy servers are the following:

  • CPU: Dual core 1.6 GHz or higher
  • MEMORY: 2 GB or higher
  • Azure VM: A2 configuration or higher

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.