Prerequisites for Azure AD Connect

This topic describes the prerequisites and the hardware requirements for Azure AD Connect.

Before you install Azure AD Connect

Before you install Azure AD Connect, there are a few things that you need.

Azure AD

  • An Azure AD tenant. You get one with an Azure trial. You can use one of the following portals to manage Azure AD Connect:
  • Add and verify the domain you plan to use in Azure AD. For example, if you plan to use contoso.com for your users, make sure this domain has been verified and that you are not only using the default contoso.partner.onmschina.cn domain.
  • By default, an Azure AD tenant allows 50k objects. When you verify your domain, the limit is increased to 300k objects. If you need even more objects in Azure AD, open a support case to have the limit increased further. If you need more than 500k objects, you need a license, such as Office 365 or Enterprise Mobility and Security.

Prepare your on-premises data

On-premises Active Directory

  • The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met.
  • The domain controllers used by Azure AD Connect must be writable. Using a read-only domain controller (RODC) is not supported, and Azure AD Connect does not follow any write redirects.
  • Using on-premises forests or domains with "dotted" NetBIOS names (names that contain a period ".") is not supported.
  • It is recommended to enable the Active Directory Recycle Bin.

Azure AD Connect server

  • Azure AD Connect cannot be installed on Small Business Server or on Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be running Windows Server Standard or better.
  • Installing Azure AD Connect on a domain controller is not recommended: security practices and the more restrictive settings applied to domain controllers can prevent Azure AD Connect from installing correctly.
  • The Azure AD Connect server must have a full GUI installed. Installing on Server Core is not supported.

Important

Installing Azure AD Connect on Small Business Server, Server Essentials, or Server Core is not supported.

  • Azure AD Connect must be installed on Windows Server 2008 R2 or later. This server must be domain joined and may be a domain controller or a member server.

  • If you install Azure AD Connect on Windows Server 2008 R2, make sure to apply the latest hotfixes from Windows Update. The installation cannot start on an unpatched server.

  • If you plan to use the password synchronization feature, the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.

  • If you plan to use a group managed service account, the Azure AD Connect server must be on Windows Server 2012 or later.

  • The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.

  • The Azure AD Connect server must not have the PowerShell Transcription group policy enabled.

  • If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows Remote Management must be enabled on these servers for remote installation.

  • If Active Directory Federation Services is being deployed, you need SSL certificates.

  • If Active Directory Federation Services is being deployed, you need to configure name resolution.

  • If your global administrators have MFA enabled, the URL https://secure.aadcdn.parter.microsoftonline-p.cn must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you are prompted for an MFA challenge and it has not been added before. You can use Internet Explorer to add it to your trusted sites.

  • Microsoft recommends hardening your Azure AD Connect server to reduce the attack surface of this critical component of your IT environment. Following the recommendations below will reduce the security risk to your organization.

  • Deploy Azure AD Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups. The server holds the credentials the sync engine uses against both Active Directory and Azure AD, so treat it with the same controls as a domain controller (a Tier 0 asset).
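The server requirements in the list above can be checked before the installer is run. The following script is an added example and is not part of the original page or of Azure AD Connect itself; it reads the standard Windows registry locations and CIM classes and applies the thresholds stated on this page (Windows Server 2008 R2, .NET Framework 4.5.1 which corresponds to a `Release` value of 378675, PowerShell 3.0, no Transcription policy, a full GUI, and no Small Business Server or pre-2019 Essentials edition). Run it in an elevated PowerShell session on the intended Azure AD Connect server.

```powershell
# Added example (not part of the original page): local checks for the Azure AD Connect
# server requirements listed above. Registry paths and CIM classes are the standard
# Windows locations; thresholds are the ones this page states.
function Test-AadConnectServerPrereqs {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Windows Server 2008 R2 is 6.1; 2012 (needed for gMSA) is 6.2. [version] compares numerically.
    $ver = [version]$os.Version
    Add-Result 'Windows Server 2008 R2 or later' ($ver -ge [version]'6.1') "$($os.Caption) $($os.Version)"
    Add-Result 'Windows Server 2012 or later (needed for gMSA)' ($ver -ge [version]'6.2') $os.Version

    # Small Business Server and Essentials before 2019 are unsupported; judged from the edition name.
    $unsupportedEdition = ($os.Caption -match 'Small Business|Essentials') -and ($os.Caption -notmatch '2019')
    Add-Result 'Supported edition (Standard or better)' (-not $unsupportedEdition) $os.Caption

    # A full GUI is required; Server Core reports InstallationType = "Server Core".
    Add-Result 'Full GUI (not Server Core)' ($cv.InstallationType -ne 'Server Core') $cv.InstallationType

    # Must be domain joined; DomainRole 4 or 5 means this machine is itself a domain controller.
    Add-Result 'Domain joined' $cs.PartOfDomain $cs.Domain
    Add-Result 'Not a domain controller (recommended)' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

    # .NET Framework 4.5.1 or later: the Release value is 378675 or higher.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    Add-Result '.NET Framework 4.5.1 or later' ([int]$ndp.Release -ge 378675) "Release=$($ndp.Release)"

    Add-Result 'PowerShell 3.0 or later' ($PSVersionTable.PSVersion.Major -ge 3) $PSVersionTable.PSVersion.ToString()

    # The PowerShell Transcription group policy must not be enabled on this server.
    $tr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
    $transcribing = ($null -ne $tr) -and ($tr.EnableTranscripting -eq 1)
    Add-Result 'PowerShell Transcription policy not enabled' (-not $transcribing) $(if ($tr) { "EnableTranscripting=$($tr.EnableTranscripting)" } else { 'policy not set' })

    # Administrative access should be limited to a tightly controlled group; list it for review.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        $admins = (Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name) -join ', '
        Add-Result 'Local Administrators membership (review)' $true $admins
    }

    return $results
}

Test-AadConnectServerPrereqs | Format-Table -AutoSize
```

The edition check relies on the OS caption string, so review the `Detail` column rather than trusting `Pass` alone for that row; the other rows read the values the installer itself checks.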


SQL Server used by Azure AD Connect

  • Azure AD Connect requires a SQL Server database to store identity data. By default, SQL Server 2012 Express LocalDB (a lightweight version of SQL Server Express) is installed. SQL Server Express has a 10 GB size limit, which allows you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.
  • If you use a different installation of SQL Server, these requirements apply:
    • Azure AD Connect supports all versions of Microsoft SQL Server from 2008 R2 (with the latest Service Pack) to SQL Server 2019. Azure SQL Database is not supported as the database.
    • You must use a case-insensitive SQL collation. These collations are identified by _CI_ in their name. Using a case-sensitive collation, identified by _CS_ in the name, is not supported.
    • You can only have one sync engine per SQL instance. Sharing a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync is not supported.
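Whether LocalDB is enough depends on how many objects the forest actually holds. The following script is an added example and is not part of the original page; it counts the object classes Azure AD Connect synchronizes by default (users, groups, contacts and computers) in every domain of the local forest and compares the total with the approximately 100,000-object capacity stated above. It assumes the ActiveDirectory RSAT module is installed and that the caller can read each domain.

```powershell
# Added example (not part of the original page): size the directory against the
# SQL Server Express LocalDB guidance (~100,000 objects) before choosing a database.
Import-Module ActiveDirectory

function Get-SyncObjectCount {
    # objectCategory=person excludes computer accounts, which inherit from the user class.
    $filters = [ordered]@{
        user     = '(&(objectCategory=person)(objectClass=user))'
        group    = '(objectClass=group)'
        contact  = '(objectClass=contact)'
        computer = '(objectClass=computer)'
    }
    $total = 0
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($class in $filters.Keys) {
            # -ResultPageSize keeps large domains paged instead of one huge response.
            $n = (Get-ADObject -Server $domain -LDAPFilter $filters[$class] -ResultPageSize 1000 | Measure-Object).Count
            [pscustomobject]@{ Domain = $domain; Class = $class; Count = $n; Note = '' }
            $total += $n
        }
    }
    $note = if ($total -ge 100000) { 'full SQL Server required (LocalDB 10 GB limit)' } else { 'SQL Server Express LocalDB is sufficient' }
    [pscustomobject]@{ Domain = '(forest total)'; Class = 'all'; Count = $total; Note = $note }
}

Get-SyncObjectCount | Format-Table -AutoSize
```

The per-domain rows also tell you which domains dominate the count, which matters when you later scope the sync with OU or domain filtering.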

Accounts

  • An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.
  • If you use express settings or upgrade from DirSync, you must have an Enterprise Administrator account for your on-premises Active Directory.
  • If you use the custom settings installation path, you need either an Enterprise Administrator account for your on-premises Active Directory or existing accounts in Active Directory that you supply to the wizard.

Connectivity

  • The Azure AD Connect server needs DNS resolution for both the intranet and the internet. The DNS server must be able to resolve names both for your on-premises Active Directory and for the Azure AD endpoints.

  • If you have firewalls on your intranet and need to open ports between the Azure AD Connect server and your domain controllers, see Azure AD Connect Ports for more information.

  • If your proxy or firewall limits which URLs can be accessed, the URLs documented in Office 365 URLs and IP address ranges must be opened.

  • Azure AD Connect (version 1.1.614.0 and later) by default uses TLS 1.2 to encrypt communication between the sync engine and Azure AD. If TLS 1.2 is not available on the underlying operating system, Azure AD Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0).

  • Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 to encrypt communication between the sync engine and Azure AD. To change to TLS 1.2, follow the steps in Enable TLS 1.2 for Azure AD Connect.

  • If you are using an outbound proxy to connect to the internet, the following setting must be added to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file for the installation wizard and Azure AD Connect sync to be able to connect to the internet and Azure AD. This text must be entered at the bottom of the file, inside the closing </configuration> tag. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name.

        <system.net>
            <defaultProxy>
                <proxy
                usesystemdefault="true"
                proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>
    
  • If your proxy server requires authentication, the service account must be located in the domain and you must use the custom settings installation path to specify a custom service account. You also need a different change to machine.config. With this change, the installation wizard and sync engine respond to authentication requests from the proxy server. On all installation wizard pages except the Configure page, the signed-in user's credentials are used. On the Configure page at the end of the installation wizard, the context is switched to the service account that you created. The machine.config section should look like this:

        <system.net>
            <defaultProxy enabled="true" useDefaultCredentials="true">
                <proxy
                usesystemdefault="true"
                proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>
    
  • When Azure AD Connect sends a web request to Azure AD as part of directory synchronization, Azure AD can take up to 5 minutes to respond. Proxy servers commonly have a connection idle timeout; make sure it is set to at least 6 minutes.
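Pasting the fragment after the closing </configuration> tag leaves machine.config unparseable and breaks every .NET application on the host, so the safer way to apply the two variants above is to edit the file as XML. The following script is an added example and is not part of the original page; it writes the same <defaultProxy> element shown above under the existing <configuration> root, takes a timestamped backup first, and is idempotent. The proxy host and port in the usage line are placeholders.

```powershell
# Added example (not part of the original page): apply the <defaultProxy> setting from
# this page to the 64-bit .NET machine.config as well-formed XML. Run elevated.
function Set-DotNetDefaultProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyAddress,
        [int]$ProxyPort = 8080,
        [switch]$UseDefaultCredentials,   # the authenticating-proxy variant shown above
        [string]$ConfigPath = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
    )
    Copy-Item $ConfigPath "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    [xml]$cfg = Get-Content $ConfigPath -Raw
    $root = $cfg.configuration
    $sysNet = $root.SelectSingleNode('system.net')
    if (-not $sysNet) { $sysNet = $root.AppendChild($cfg.CreateElement('system.net')) }

    # Replace any existing defaultProxy so repeated runs do not accumulate elements.
    $old = $sysNet.SelectSingleNode('defaultProxy')
    if ($old) { [void]$sysNet.RemoveChild($old) }

    $dp = $cfg.CreateElement('defaultProxy')
    if ($UseDefaultCredentials) {
        $dp.SetAttribute('enabled', 'true')
        # The sync service account's credentials answer the proxy's authentication challenge.
        $dp.SetAttribute('useDefaultCredentials', 'true')
    }
    $proxy = $cfg.CreateElement('proxy')
    $proxy.SetAttribute('usesystemdefault', 'true')
    $proxy.SetAttribute('proxyaddress', "http://${ProxyAddress}:${ProxyPort}")
    $proxy.SetAttribute('bypassonlocal', 'true')
    [void]$dp.AppendChild($proxy)
    [void]$sysNet.AppendChild($dp)

    $cfg.Save($ConfigPath)
    # Echo the resulting element so the change can be reviewed.
    $sysNet.OuterXml
}

Set-DotNetDefaultProxy -ProxyAddress 'proxy.corp.example' -ProxyPort 3128 -UseDefaultCredentials
```

Saving through XmlDocument re-indents the file, which is harmless to .NET but makes a diff against the backup noisy; compare the <system.net> element rather than the whole file.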

For more information about the defaultProxy element, see MSDN.
For more information when you have problems with connectivity, see Troubleshoot connectivity problems.

Other

  • Optional: a test user account to verify synchronization.

Component prerequisites

PowerShell and .NET Framework

Azure AD Connect depends on Microsoft PowerShell and .NET Framework 4.5.1. You need these versions or later installed on your server. Depending on your Windows Server version, do the following:

  • Windows Server 2012 R2
    • Microsoft PowerShell is installed by default. No action is required.
    • .NET Framework 4.5.1 and later releases are offered through Windows Update. Make sure you have installed the latest updates to Windows Server from the Control Panel.
  • Windows Server 2008 R2 and Windows Server 2012

Enable TLS 1.2 for Azure AD Connect

Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 to encrypt communication between the sync engine server and Azure AD. You can change this by configuring .NET applications on the server to use TLS 1.2 by default. More information about TLS 1.2 can be found in Microsoft Security Advisory 2960358.

  1. TLS 1.2 cannot be enabled on operating systems earlier than Windows Server 2008 R2. Make sure you have the .NET 4.5.1 hotfix installed for your operating system; see Microsoft Security Advisory 2960358. You might already have this hotfix or a later release installed on your server.
  2. If you use Windows Server 2008 R2, make sure TLS 1.2 is enabled. On Windows Server 2012 and later, TLS 1.2 should already be enabled.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    
  3. For all operating systems, set this registry value and restart the server.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
  4. If you also want to enable TLS 1.2 between the sync engine server and a remote SQL Server, make sure you have the required versions installed for TLS 1.2 support in Microsoft SQL Server.
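Steps 2 and 3 can be applied and verified from PowerShell. The following script is an added example and is not part of the original page; it writes the registry values listed above and reads them back, with one addition this page does not list: the `Wow6432Node` copy of the `SchUseStrongCrypto` value, so that 32-bit .NET processes on the same host also prefer TLS 1.2. Run it elevated and restart the server afterwards.

```powershell
# Added example (not part of the original page): set and verify the SCHANNEL and .NET
# registry values from steps 2 and 3. The Wow6432Node key is this example's addition.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$DotNet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

function Enable-Tls12ForDotNet {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $Schannel $side
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    foreach ($net in $DotNet) {
        New-Item -Path $net -Force | Out-Null
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-Tls12State {
    # Report what is actually set; absent values show as empty rather than being assumed.
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty (Join-Path $Schannel $side) -ErrorAction SilentlyContinue
        [pscustomobject]@{ Setting = "SCHANNEL TLS 1.2 $side"; Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault }
    }
    foreach ($net in $DotNet) {
        $p = Get-ItemProperty $net -ErrorAction SilentlyContinue
        [pscustomobject]@{ Setting = "$net SchUseStrongCrypto"; Enabled = $p.SchUseStrongCrypto; DisabledByDefault = $null }
    }
    # What this .NET process currently negotiates with; it reflects the registry only after a restart.
    [pscustomobject]@{ Setting = 'ServicePointManager.SecurityProtocol (this process)'
                       Enabled = [Net.ServicePointManager]::SecurityProtocol.ToString(); DisabledByDefault = $null }
}

Enable-Tls12ForDotNet
Get-Tls12State | Format-Table -AutoSize
```

The last row is the useful post-reboot check: once `SchUseStrongCrypto` is in effect, a fresh PowerShell process reports `Tls12` among its default protocols without any `SecurityProtocol` assignment in the script.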

Prerequisites for federation installation and configuration

Windows Remote Management

When using Azure AD Connect to deploy Active Directory Federation Services or the Web Application Proxy, check these requirements:

  • If the target server is domain joined, ensure that Windows Remote Management is enabled.
    • In an elevated PowerShell command window, use the command Enable-PSRemoting -force
  • If the target server is a non-domain-joined WAP machine, there are a couple of additional requirements.
    • On the target machine (the WAP machine):
      • Ensure the winrm (Windows Remote Management / WS-Management) service is running, via the Services snap-in.
      • In an elevated PowerShell command window, use the command Enable-PSRemoting -force
    • On the machine on which the wizard is running (if the target machine is non-domain joined or in an untrusted domain):
      • In an elevated PowerShell command window, use the command Set-Item WSMan:\localhost\Client\TrustedHosts -Value <DMZServerFQDN> -Force -Concatenate
      • In Server Manager:
        • Add the DMZ WAP host to the machine pool (Server Manager -> Manage -> Add Servers... and use the DNS tab).
        • On the Server Manager All Servers tab, right-click the WAP server, choose Manage As..., and enter local (not domain) credentials for the WAP machine.
        • To validate remote PowerShell connectivity, on the Server Manager All Servers tab right-click the WAP server and choose Windows PowerShell. A remote PowerShell session should open, confirming that remote PowerShell sessions can be established.
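The TrustedHosts step deserves a caveat: an entry there tells the WinRM client to skip mutual authentication of that target, so it should name the single WAP FQDN rather than `*`, and be removed once the deployment is done. The following script is an added example and is not part of the original page; it performs the wizard-host side of the procedure above and verifies the session the same way Server Manager does. The WAP FQDN and the local account name are placeholders, and the WAP machine is assumed to have already run `Enable-PSRemoting -Force`.

```powershell
# Added example (not part of the original page): scoped TrustedHosts entry for a
# non-domain-joined WAP server, a connectivity test, and cleanup afterwards.
function Add-WapTrustedHost {
    param([Parameter(Mandatory)][string]$DmzServerFqdn)
    $current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if (($current -split ',') -contains $DmzServerFqdn) { return "$DmzServerFqdn already trusted" }
    # -Concatenate appends instead of overwriting entries other deployments may rely on.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $DmzServerFqdn -Force -Concatenate
    (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
}

function Test-WapRemoting {
    param([Parameter(Mandatory)][string]$DmzServerFqdn,
          [Parameter(Mandatory)][pscredential]$LocalCredential)   # local (not domain) account on the WAP box
    # Is the WinRM listener reachable and answering at all?
    Test-WSMan -ComputerName $DmzServerFqdn -ErrorAction Stop | Out-Null
    # Open a session the way the wizard will, then confirm the WinRM service state remotely.
    $s = New-PSSession -ComputerName $DmzServerFqdn -Credential $LocalCredential -ErrorAction Stop
    try {
        Invoke-Command -Session $s -ScriptBlock { Get-Service WinRM | Select-Object MachineName, Status }
    } finally {
        Remove-PSSession $s
    }
}

function Remove-WapTrustedHost {
    param([Parameter(Mandatory)][string]$DmzServerFqdn)
    $keep = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
            Where-Object { $_ -and $_ -ne $DmzServerFqdn }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($keep -join ',') -Force
}

Add-WapTrustedHost -DmzServerFqdn 'wap01.dmz.example'
Test-WapRemoting -DmzServerFqdn 'wap01.dmz.example' -LocalCredential (Get-Credential 'wap01\deployadmin')
# After the AD FS / WAP deployment has completed:
# Remove-WapTrustedHost -DmzServerFqdn 'wap01.dmz.example'
```

Because the target is not domain joined, the session falls back from Kerberos to NTLM over the WinRM HTTPS or HTTP listener; if the WAP host only has an HTTP listener, treat the DMZ link as untrusted and prefer an HTTPS listener there.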

SSL certificate requirements

  • It is strongly recommended to use the same SSL certificate across all nodes of your AD FS farm and all Web Application Proxy servers.
  • The certificate must be an X.509 certificate.
  • You can use a self-signed certificate on federation servers in a test lab environment. For a production environment, however, we recommend that you obtain the certificate from a public CA.
    • If using a certificate that is not publicly trusted, ensure that the certificate installed on each Web Application Proxy server is trusted both on the local server and on all federation servers.
  • The identity of the certificate must match the federation service name (for example, sts.contoso.com).
    • The identity is either a subject alternative name (SAN) extension entry of type dNSName or, if there are no SAN entries, the common name in the subject name.
    • Multiple SAN entries can be present in the certificate, provided one of them matches the federation service name.
    • If you are planning to use Workplace Join, an additional SAN is required with the value enterpriseregistration. followed by the User Principal Name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.
  • Certificates based on CryptoAPI Next Generation (CNG) keys and key storage providers are not supported. This means you must use a certificate whose private key is held by a CSP (cryptographic service provider) and not a KSP (key storage provider).
  • Wildcard certificates are supported.
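The name and key-provider requirements above are easy to get wrong when a certificate is requested from a public CA, and the wizard only reports the failure late. The following script is an added example and is not part of the original page; it inspects a certificate in the local machine store for a matching identity (SAN dNSName entries, or the subject CN when there is no SAN, with single-label wildcard matching), for the optional enterpriseregistration.<UPN suffix> name, and for a CSP-backed rather than KSP-backed private key. The thumbprint, service name and UPN suffix in the usage line are placeholders, SAN parsing assumes the English "DNS Name=" label that `Format()` produces on en-US systems, and the provider check relies on `GetRSAPrivateKey` (.NET Framework 4.6 or later) returning `RSACryptoServiceProvider` for CSP keys and `RSACng` for KSP keys. Run it elevated so the private key is readable.

```powershell
# Added example (not part of the original page): check an AD FS certificate against the
# identity, Workplace Join SAN and CSP-versus-KSP requirements listed above.
function Test-AdfsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$FederationServiceName,
        [string[]]$UpnSuffix = @()          # e.g. 'contoso.com' when Workplace Join is planned
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # Names the certificate is valid for: SAN dNSName entries, otherwise the subject CN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) {
        [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
    } else {
        [regex]::Matches($cert.Subject, 'CN=([^,]+)') | ForEach-Object { $_.Groups[1].Value }
    }

    function Test-NameMatch([string]$Pattern, [string]$Name) {
        if ($Pattern.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.contoso.com matches sts.contoso.com only.
            return [bool]($Name -match ('^[^.]+\.' + [regex]::Escape($Pattern.Substring(2)) + '$'))
        }
        return $Name -eq $Pattern            # -eq is case-insensitive in PowerShell
    }

    # KSP-backed keys surface as RSACng; CSP-backed keys as RSACryptoServiceProvider.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $isCsp = $key -is [System.Security.Cryptography.RSACryptoServiceProvider]

    $missingWorkplace = @($UpnSuffix | Where-Object {
        $suffix = $_
        -not ($names | Where-Object { Test-NameMatch $_ "enterpriseregistration.$suffix" })
    })

    [pscustomobject]@{
        Subject               = $cert.Subject
        Names                 = $names -join ', '
        MatchesServiceName    = [bool]($names | Where-Object { Test-NameMatch $_ $FederationServiceName })
        MissingWorkplaceJoin  = $missingWorkplace -join ', '
        HasPrivateKey         = $cert.HasPrivateKey
        CspBacked             = $isCsp
        Provider              = if (-not $key) { 'no private key' } elseif ($isCsp) { $key.CspKeyContainerInfo.ProviderName } else { $key.GetType().Name }
        NotAfter              = $cert.NotAfter
    }
}

Test-AdfsCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
                     -FederationServiceName 'sts.contoso.com' -UpnSuffix 'contoso.com' | Format-List
```

A certificate that fails only the `CspBacked` check cannot be fixed in place: the key must be re-generated in a CSP (for example by requesting the certificate with a legacy CSP template or `certreq` INF that names a CSP), then re-issued.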

Name resolution for federation servers

  • Set up DNS records for the AD FS federation service name (for example, sts.contoso.com) for both the intranet (your internal DNS server) and the extranet (public DNS through your domain registrar). For the intranet DNS record, make sure you use A records and not CNAME records. This is required for Windows authentication to work correctly from your domain-joined machines.
  • If you are deploying more than one AD FS server or Web Application Proxy server, make sure you have configured your load balancer and that the DNS records for the AD FS federation service name (for example, sts.contoso.com) point to the load balancer.
  • For Windows integrated authentication to work for browser applications using Internet Explorer on your intranet, make sure the AD FS federation service name (for example, sts.contoso.com) is added to the intranet zone in IE. This can be controlled via group policy and deployed to all your domain-joined computers.
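The A-record-versus-CNAME rule is the part of this section most often violated by a DNS team that aliases everything, and it is cheap to check from the wizard host. The following script is an added example and is not part of the original page; it resolves the federation service name against the internal DNS server and against a public resolver, flags a CNAME answer on the intranet side, and shows the addresses so you can confirm they are the load balancer's. It uses the `Resolve-DnsName` cmdlet (Windows Server 2012 and later); the service name and resolver addresses in the usage line are placeholders.

```powershell
# Added example (not part of the original page): verify the federation service name
# resolves via A records internally and via some A record externally.
function Test-FederationDns {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [Parameter(Mandatory)][string]$InternalDnsServer,
        [string]$PublicDnsServer = '1.1.1.1'          # placeholder public resolver
    )
    foreach ($scope in @{ Name = 'intranet'; Server = $InternalDnsServer },
                       @{ Name = 'extranet'; Server = $PublicDnsServer }) {
        # -DnsOnly bypasses the local cache and hosts file so the answer reflects the zone itself.
        $answers = Resolve-DnsName -Name $FederationServiceName -Server $scope.Server -Type A -DnsOnly -ErrorAction SilentlyContinue
        $cname = @($answers | Where-Object Type -eq 'CNAME')
        $a     = @($answers | Where-Object Type -eq 'A')
        [pscustomobject]@{
            Scope     = $scope.Name
            Resolver  = $scope.Server
            ARecords  = ($a.IPAddress -join ', ')
            ViaCname  = [bool]$cname
            # Intranet must be a direct A record; extranet only needs to resolve.
            Ok        = ($a.Count -ge 1) -and -not ($scope.Name -eq 'intranet' -and $cname)
        }
    }
}

Test-FederationDns -FederationServiceName 'sts.contoso.com' -InternalDnsServer '10.0.0.10' | Format-Table -AutoSize
```

When `ViaCname` is true on the intranet row, the Kerberos SPN the browser requests is built from the CNAME target rather than the federation service name, which is why Windows authentication then fails against the farm.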

Azure AD Connect supporting components

The following is a list of components that Azure AD Connect installs on the server where it is installed. This list is for a basic Express installation. If you choose to use a different SQL Server on the Install synchronization services page, SQL Express LocalDB is not installed locally.

  • Microsoft SQL Server 2012 Command Line Utilities
  • Microsoft SQL Server 2012 Express LocalDB
  • Microsoft SQL Server 2012 Native Client
  • Microsoft Visual C++ 2013 Redistributable Package

Hardware requirements for Azure AD Connect

The table below shows the minimum requirements for the Azure AD Connect sync computer.

Number of objects in Active Directory | CPU     | Memory | Hard drive size
Fewer than 10,000                     | 1.6 GHz | 4 GB   | 70 GB
10,000-50,000                         | 1.6 GHz | 4 GB   | 70 GB
50,000-100,000                        | 1.6 GHz | 16 GB  | 100 GB
100,000-300,000                       | 1.6 GHz | 32 GB  | 300 GB
300,000-600,000                       | 1.6 GHz | 32 GB  | 450 GB
More than 600,000                     | 1.6 GHz | 32 GB  | 500 GB

For 100,000 or more objects, the full version of SQL Server is required.

The minimum requirements for computers running AD FS or Web Application Proxy servers are the following:

  • CPU: dual core 1.6 GHz or higher
  • Memory: 2 GB or higher
  • Azure VM: A2 configuration or higher

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.