Prerequisites for Azure AD Connect

This article describes the prerequisites and the hardware requirements for Azure Active Directory (Azure AD) Connect.

Before you install Azure AD Connect

Before you install Azure AD Connect, there are a few things that you need.

Azure AD

  • You need an Azure AD tenant. You get one with an Azure trial. You can use one of the following portals to manage Azure AD Connect:
  • Add and verify the domain you plan to use in Azure AD. For example, if you plan to use contoso.com for your users, make sure this domain has been verified and you're not using only the contoso.partner.onmschina.cn default domain.
  • An Azure AD tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. If you need even more objects in Azure AD, open a support case to have the limit increased even further. If you need more than 500,000 objects, you need a license, such as Microsoft 365, Azure AD Premium, or Enterprise Mobility + Security.

Prepare your on-premises data

On-premises Active Directory

  • The Active Directory schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema version and forest functional level requirements are met.
  • If you plan to use the password writeback feature, the domain controllers must be on Windows Server 2012 or later.
  • The domain controller used by Azure AD Connect must be writable. Using a read-only domain controller (RODC) isn't supported, and Azure AD Connect doesn't follow any write redirects.
  • Using on-premises forests or domains with "dotted" NetBIOS names (names that contain a period ".") isn't supported.
  • We recommend that you enable the Active Directory recycle bin.

PowerShell execution policy

Azure Active Directory Connect runs signed PowerShell scripts as part of the installation. Ensure that the PowerShell execution policy allows running scripts. Because the scripts are signed, AllSigned also works, but a policy of Restricted blocks the installer.

The recommended execution policy during installation is "RemoteSigned".

For more information on setting the PowerShell execution policy, see Set-ExecutionPolicy.

Azure AD Connect server

The Azure AD Connect server contains critical identity data. It holds the credentials of the accounts it uses to read from your on-premises directory and Azure AD (and, with writeback features, to write to them), so whoever controls this server can act against both directories. It's important that administrative access to this server is properly secured. Follow the guidelines in Securing privileged access.

The Azure AD Connect server must be treated as a Tier 0 component, as documented in the Active Directory administrative tier model.

To read more about securing your Active Directory environment, see Best practices for securing Active Directory.

Installation prerequisites

  • Azure AD Connect must be installed on a domain-joined Windows Server 2012 or later.
  • Azure AD Connect can't be installed on Small Business Server or on Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server Standard or better.
  • The Azure AD Connect server must have a full GUI installed. Installing Azure AD Connect on Windows Server Core isn't supported.
  • The Azure AD Connect server must not have the PowerShell Transcription Group Policy enabled if you use the Azure AD Connect wizard to manage Active Directory Federation Services (AD FS) configuration. You can enable PowerShell transcription if you use the Azure AD Connect wizard only to manage sync configuration.
  • If AD FS is being deployed, see Prerequisites for federation installation and configuration later in this article.
  • If your global administrators have MFA enabled, the URL https://secure.aadcdn.partner.microsoftonline-p.cn must be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.

Harden your Azure AD Connect server

We recommend that you harden your Azure AD Connect server to decrease the attack surface of this critical component of your IT environment. Following these recommendations will help to mitigate some security risks to your organization.

SQL Server used by Azure AD Connect

  • Azure AD Connect requires a SQL Server database to store identity data. By default, SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10-GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, point the installation wizard to a different installation of SQL Server. The type of SQL Server installation can impact the performance of Azure AD Connect.
  • If you use a different installation of SQL Server, these requirements apply:
    • Azure AD Connect supports all versions of SQL Server from 2012 (with the latest service pack) to SQL Server 2019. Azure SQL Database isn't supported as a database.
    • You must use a case-insensitive SQL collation. These collations are identified with _CI_ in their name. Using a case-sensitive collation, identified by _CS_ in the name, isn't supported.
    • You can have only one sync engine per SQL instance. Sharing a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync isn't supported.

Accounts

  • You must have an Azure AD Global Administrator account for the Azure AD tenant you want to integrate with. This account must be a school or organization account and can't be a Microsoft account.
  • If you use express settings or upgrade from DirSync, you must have an Enterprise Administrator account for your on-premises Active Directory.
  • If you use the custom settings installation path, you have more options. For more information, see Custom installation settings.

Connectivity

  • The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both in your on-premises Active Directory and for the Azure AD endpoints.

  • If you have firewalls on your intranet and you need to open ports between the Azure AD Connect servers and your domain controllers, see Azure AD Connect ports for more information.

  • If your proxy or firewall limits which URLs can be accessed, the URLs documented in Office 365 URLs and IP address ranges must be opened. Also see Safelist the Azure portal URLs on your firewall or proxy server.

  • Azure AD Connect (version 1.1.614.0 and later) by default uses TLS 1.2 for encrypting communication between the sync engine and Azure AD. If TLS 1.2 isn't available on the underlying operating system, Azure AD Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0).

  • Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 for encrypting communication between the sync engine and Azure AD. To change to TLS 1.2, follow the steps in Enable TLS 1.2 for Azure AD Connect.

  • If you're using an outbound proxy for connecting to the internet, the following setting must be added to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file for the installation wizard and Azure AD Connect sync to be able to connect to the internet and Azure AD. This text must be entered at the bottom of the file, before the closing </configuration> tag. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name.

        <system.net>
            <defaultProxy>
                <proxy
                usesystemdefault="true"
                proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>
    
  • If your proxy server requires authentication, the service account must be located in the domain. Use the custom settings installation path to specify a custom service account. You also need a different change to machine.config. With this change, the installation wizard and sync engine respond to authentication requests from the proxy server. On all installation wizard pages except the Configure page, the signed-in user's credentials are used. On the Configure page at the end of the installation wizard, the context is switched to the service account that you created. The machine.config section should look like this:

        <system.net>
            <defaultProxy enabled="true" useDefaultCredentials="true">
                <proxy
                usesystemdefault="true"
                proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>
    
  • If the proxy configuration is being done on an existing installation, the Azure AD Sync service (ADSync) needs to be restarted once so that Azure AD Connect reads the proxy configuration and updates its behavior.

  • When Azure AD Connect sends a web request to Azure AD as part of directory synchronization, Azure AD can take up to 5 minutes to respond. It's common for proxy servers to have a connection idle timeout configured. Ensure the timeout is set to at least 6 minutes.

For more information, see the MSDN documentation for the defaultProxy element. If you have problems with connectivity, see Troubleshoot connectivity problems.
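The following PowerShell script is an added example, not part of the original article or of Azure AD Connect itself. It applies the machine.config change described above by editing the XML in place rather than pasting text: it backs the file up, creates or reuses the <system.net>/<defaultProxy>/<proxy> element with the attributes shown, adds useDefaultCredentials only when the proxy authenticates, and restarts the ADSync service so an existing installation picks up the change. The function name, the proxy host name and the backup path are assumptions for this example.

```powershell
# Added example (not from the original article): write the defaultProxy element into
# the 64-bit .NET machine.config used by the Azure AD Connect wizard and sync engine.
# Run in an elevated Windows PowerShell session on the Azure AD Connect server.
function Set-AadConnectProxyConfig {
    param(
        [Parameter(Mandatory)][string]$ProxyAddress,   # proxy IP or host name (assumed value below)
        [int]$ProxyPort = 8080,
        [switch]$UseDefaultCredentials,               # set when the proxy requires authentication
        [string]$ConfigPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
    )

    # machine.config is shared by every 64-bit .NET 4.x process on the server: keep a copy
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $root = $xml.DocumentElement            # <configuration>

    # Create or reuse <system.net>/<defaultProxy>/<proxy> as the last children of <configuration>
    $sysNet = $root.SelectSingleNode('system.net')
    if (-not $sysNet) { $sysNet = $root.AppendChild($xml.CreateElement('system.net')) }
    $defProxy = $sysNet.SelectSingleNode('defaultProxy')
    if (-not $defProxy) { $defProxy = $sysNet.AppendChild($xml.CreateElement('defaultProxy')) }
    $proxy = $defProxy.SelectSingleNode('proxy')
    if (-not $proxy) { $proxy = $defProxy.AppendChild($xml.CreateElement('proxy')) }

    # Attributes from the article's snippet
    $proxy.SetAttribute('usesystemdefault', 'true')
    $proxy.SetAttribute('proxyaddress', "http://${ProxyAddress}:${ProxyPort}")
    $proxy.SetAttribute('bypassonlocal', 'true')

    if ($UseDefaultCredentials) {
        # Authenticating proxy: the sync engine answers the challenge with the credentials
        # of the account it runs as, which is why that service account must be a domain account
        $defProxy.SetAttribute('enabled', 'true')
        $defProxy.SetAttribute('useDefaultCredentials', 'true')
    }

    $xml.Save($ConfigPath)

    # An existing installation reads the proxy settings only after the sync service restarts
    if (Get-Service -Name ADSync -ErrorAction SilentlyContinue) {
        Restart-Service -Name ADSync
    }

    [pscustomobject]@{ ConfigPath = $ConfigPath; Backup = $backup; Proxy = $defProxy.OuterXml }
}

# Usage with assumed values: an authenticating proxy at proxy.corp.contoso.com:8080
Set-AadConnectProxyConfig -ProxyAddress 'proxy.corp.contoso.com' -ProxyPort 8080 -UseDefaultCredentials
```

Editing the document through System.Xml rather than appending text keeps the file well-formed and makes the script safe to rerun: a second run updates the existing element instead of adding a duplicate <system.net> section, which .NET would reject when loading the configuration.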

Other

Optional: Use a test user account to verify synchronization.

Component prerequisites

PowerShell and .NET Framework

Azure AD Connect depends on Microsoft PowerShell and .NET Framework 4.5.1. You need this version or a later version installed on your server. Depending on your Windows Server version, take the following actions:

  • Windows Server 2012 R2
    • Microsoft PowerShell is installed by default. No action is required.
    • .NET Framework 4.5.1 and later releases are offered through Windows Update. Make sure you've installed the latest updates to Windows Server in Control Panel.
  • Windows Server 2012

Enable TLS 1.2 for Azure AD Connect

Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 for encrypting the communication between the sync engine server and Azure AD. You can configure .NET applications on the server to use TLS 1.2 by default. For more information about TLS 1.2, see Microsoft Security Advisory 2960358.

  1. Make sure you have the .NET 4.5.1 hotfix installed for your operating system. For more information, see Microsoft Security Advisory 2960358. You might have this hotfix or a later release installed on your server already.

  2. For all operating systems, set this registry key and restart the server.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    "SchUseStrongCrypto"=dword:00000001
    
  3. If you also want to enable TLS 1.2 between the sync engine server and a remote SQL Server, make sure you have the required versions installed for TLS 1.2 support for Microsoft SQL Server.

DCOM prerequisites on the synchronization server

During the installation of the synchronization service, Azure AD Connect checks for the presence of the following registry key:

  • HKEY_LOCAL_MACHINE: Software\Microsoft\Ole

Under this registry key, Azure AD Connect checks whether the following values are present and uncorrupted:
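The following PowerShell script is an added example, not part of the original article or of the Azure AD Connect installer. It checks, on the candidate server, the server-side prerequisites collected in the sections above: domain membership, Windows Server 2012 or later with a full GUI and a supported edition, an execution policy that allows the signed installer scripts, the PowerShell Transcription policy, .NET Framework 4.5.1 or later, the SchUseStrongCrypto value for TLS 1.2, and the DCOM Ole key. The function name is an assumption; the Wow6432Node registry check (the key that 32-bit .NET processes read) is an addition beyond what the article lists. The Ole values the installer validates are not named on this page, so only the key's presence is checked.

```powershell
# Added example (not from the original article): pre-installation prerequisite report
# for an Azure AD Connect server. Run in an elevated Windows PowerShell session.
function Test-AadConnectPrereq {
    $results = New-Object 'System.Collections.Generic.List[object]'
    $add = {
        param([string]$Check, [bool]$Pass, [string]$Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Domain-joined Windows Server 2012 or later (ProductType 1 is a client OS), Standard or better, full GUI
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    & $add 'Domain joined' $cs.PartOfDomain "Domain: $($cs.Domain)"
    & $add 'Windows Server 2012 or later' (($os.ProductType -ne 1) -and ([version]$os.Version -ge [version]'6.2')) "$($os.Caption) ($($os.Version))"
    # The article names only Windows Server Essentials 2019 as a supported Essentials edition
    $unsupportedEdition = ($os.Caption -match 'Small Business') -or (($os.Caption -match 'Essentials') -and ($os.Caption -notmatch '2019'))
    & $add 'Standard edition or better' (-not $unsupportedEdition) $os.Caption
    $installType = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    & $add 'Full GUI (not Server Core)' ($installType -eq 'Server') "InstallationType: $installType"

    # The installer's scripts are signed; RemoteSigned is recommended, Restricted blocks them
    $policy = Get-ExecutionPolicy
    & $add 'Execution policy allows scripts' ("$policy" -in @('RemoteSigned', 'AllSigned', 'Unrestricted')) "Effective policy: $policy"

    # PowerShell Transcription policy only matters when the wizard will manage AD FS
    $tx = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -Name EnableTranscripting -ErrorAction SilentlyContinue
    & $add 'PowerShell Transcription policy off' (($null -eq $tx) -or ($tx.EnableTranscripting -ne 1)) 'Required only if the wizard manages AD FS configuration'

    # .NET Framework 4.5.1 or later: 378675 is the lowest Release value of 4.5.1
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue
    & $add '.NET Framework 4.5.1 or later' (($null -ne $ndp) -and ($ndp.Release -ge 378675)) "Release: $($ndp.Release)"

    # SchUseStrongCrypto=1 makes .NET default to TLS 1.2. The article lists the 64-bit key;
    # the Wow6432Node key, read by 32-bit .NET processes, is this example's addition.
    foreach ($key in @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                       'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')) {
        $v = Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        & $add "SchUseStrongCrypto=1 under $key" (($null -ne $v) -and ($v.SchUseStrongCrypto -eq 1)) "Value: $($v.SchUseStrongCrypto)"
    }

    # DCOM key the installer inspects; the article does not list the individual values it validates
    & $add 'HKLM\SOFTWARE\Microsoft\Ole present' (Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Ole') ''

    return $results
}

$report = Test-AadConnectPrereq
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more Azure AD Connect prerequisites are not met; fix them before running the installer.'
}
```

Run the report before each installation or upgrade and keep the output with the change record: a failed "Full GUI", "Execution policy" or ".NET" row means the installer will stop early, while a failed SchUseStrongCrypto row means an older Azure AD Connect build will negotiate a weaker TLS version than intended.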

Prerequisites for federation installation and configuration

Windows Remote Management

When you use Azure AD Connect to deploy AD FS or the Web Application Proxy (WAP), check these requirements:

  • If the target server is domain joined, ensure that Windows Remote Management is enabled.
    • In an elevated PowerShell command window, use the command Enable-PSRemoting -Force.
  • If the target server is a non-domain-joined WAP machine, there are a couple of additional requirements:
    • On the target machine (WAP machine):
      • Ensure the Windows Remote Management/WS-Management (WinRM) service is running via the Services snap-in.
      • In an elevated PowerShell command window, use the command Enable-PSRemoting -Force.
    • On the machine on which the wizard is running (if the target machine is non-domain joined or is in an untrusted domain):
      • In an elevated PowerShell command window, use the command Set-Item WSMan:\localhost\Client\TrustedHosts -Value <DMZServerFQDN> -Force -Concatenate. Add only the specific WAP host names: a TrustedHosts entry tells the WinRM client to skip verifying that server's identity (Kerberos isn't available for a non-domain host), so a wildcard ("*") would extend that trust to every machine the client connects to.
      • In Server Manager:
        • Add the DMZ WAP host to a machine pool. In Server Manager, select Manage > Add Servers, and then use the DNS tab.
        • On the Server Manager All Servers tab, right-click the WAP server, and select Manage As. Enter local (not domain) credentials for the WAP machine.
        • To validate remote PowerShell connectivity, on the Server Manager All Servers tab, right-click the WAP server and select Windows PowerShell. A remote PowerShell session should open, confirming that remote PowerShell sessions can be established.
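The following PowerShell script is an added example, not part of the original article. It performs the wizard-machine side of the steps above for a non-domain-joined WAP server: it adds exactly the given FQDN to the WinRM TrustedHosts list (only if it isn't already there), confirms the WAP server's WinRM listener answers with the local credentials, and opens and tears down a remote PowerShell session, which is what the Server Manager "Windows PowerShell" check does interactively. The function name, the DMZ host name wap1.dmz.contoso.com and the local account name are assumptions for this example.

```powershell
# Added example (not from the original article): prepare the wizard machine to reach a
# non-domain-joined WAP server over WinRM and verify the remote PowerShell session.
# Run in an elevated Windows PowerShell session on the machine that runs the wizard.
function Enable-WapRemoting {
    param(
        [Parameter(Mandatory)][string]$WapFqdn,                 # DMZ WAP host, e.g. wap1.dmz.contoso.com (assumed)
        [Parameter(Mandatory)][pscredential]$LocalCredential    # local (not domain) account on the WAP machine
    )

    # TrustedHosts disables server identity verification for the listed hosts, so add only
    # this FQDN with -Concatenate; never replace the list with '*'.
    $current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($current -split ',\s*' | Where-Object { $_ })
    if ($entries -notcontains $WapFqdn) {
        Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $WapFqdn -Concatenate -Force
    }

    # The WAP machine must have run Enable-PSRemoting -Force; this confirms its listener responds
    Test-WSMan -ComputerName $WapFqdn -Credential $LocalCredential -Authentication Negotiate | Out-Null

    # Same check Server Manager performs when you open Windows PowerShell against the server
    $session = New-PSSession -ComputerName $WapFqdn -Credential $LocalCredential
    try {
        Invoke-Command -Session $session -ScriptBlock {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                WinRM     = (Get-Service -Name WinRM).Status
                PSVersion = $PSVersionTable.PSVersion.ToString()
            }
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

# Usage with assumed names: prompts for the WAP machine's local administrator password
$cred = Get-Credential -UserName 'wap1\Administrator' -Message 'Local administrator on the WAP server'
Enable-WapRemoting -WapFqdn 'wap1.dmz.contoso.com' -LocalCredential $cred
```

If Test-WSMan fails, check the WAP side first (WinRM service running, Enable-PSRemoting -Force executed, firewall allowing TCP 5985 from the wizard machine); if it succeeds but New-PSSession is refused, the local credentials or the TrustedHosts entry are the usual causes.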

TLS/SSL certificate requirements

  • We recommend that you use the same TLS/SSL certificate across all nodes of your AD FS farm and all Web Application Proxy servers.
  • The certificate must be an X.509 certificate.
  • You can use a self-signed certificate on federation servers in a test lab environment. For a production environment, we recommend that you obtain the certificate from a public certificate authority.
    • If you're using a certificate that isn't publicly trusted, ensure that the certificate installed on each Web Application Proxy server is trusted on both the local server and on all federation servers.
  • The identity of the certificate must match the federation service name (for example, sts.contoso.com).
    • The identity is either a subject alternative name (SAN) extension entry of type dNSName or, if there are no SAN entries, the common name of the subject.
    • Multiple SAN entries can be present in the certificate, provided one of them matches the federation service name.
    • If you're planning to use Workplace Join, an additional SAN is required with the value enterpriseregistration. followed by the user principal name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.
  • Certificates based on CryptoAPI Next Generation (CNG) keys and key storage providers (KSPs) aren't supported. As a result, you must use a certificate based on a cryptographic service provider (CSP) and not a KSP.
  • Wildcard certificates are supported.

Name resolution for federation servers

  • Set up DNS records for the AD FS name (for example, sts.contoso.com) for both the intranet (your internal DNS server) and the extranet (public DNS through your domain registrar). For the intranet DNS record, ensure that you use A records and not CNAME records. Using A records is required for Windows authentication to work correctly from your domain-joined machines: with a CNAME, the client builds its Kerberos service principal name from the canonical target host, which doesn't match the HTTP/sts.contoso.com SPN registered for the AD FS service account.
  • If you're deploying more than one AD FS server or Web Application Proxy server, ensure that you've configured your load balancer and that the DNS records for the AD FS name (for example, sts.contoso.com) point to the load balancer.
  • For Windows integrated authentication to work for browser applications using Internet Explorer in your intranet, ensure that the AD FS name (for example, sts.contoso.com) is added to the intranet zone in Internet Explorer. This requirement can be controlled via Group Policy and deployed to all your domain-joined computers.
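The following PowerShell script is an added example, not part of the original article. It checks a candidate AD FS certificate in the LocalMachine\My store against the identity rules in the TLS/SSL certificate requirements section (SAN dNSName entries first, subject CN only when there is no SAN, wildcard matching, the enterpriseregistration.<UPN suffix> entry for Workplace Join, and a CSP rather than KSP private key) and then checks that the federation name resolves through an A record and not a CNAME on the intranet, as the name resolution section requires. The function names, sts.contoso.com, contoso.com and the placeholder thumbprint are assumptions for this example; the key-provider test relies on RSACertificateExtensions, which needs .NET Framework 4.6 or later.

```powershell
# Added example (not from the original article): validate an AD FS TLS/SSL certificate
# and the intranet DNS record for the federation service name.
function Test-AdfsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$FederationServiceName,   # e.g. sts.contoso.com (assumed)
        [string[]]$UpnSuffix = @()                              # adds enterpriseregistration.<suffix> checks
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

    # Identity: SAN dNSName entries; the subject CN counts only when no SAN extension exists.
    # X509Extension.Format() returns localized text ("DNS Name=" on English systems).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    } else {
        $cn = $cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
        $names = @($cn -replace '^CN=')
    }

    # Wildcards are supported; *.contoso.com covers exactly one label (sts.contoso.com, not a.b.contoso.com)
    function Test-NameMatch([string]$Pattern, [string]$HostName) {
        if ($Pattern.StartsWith('*.')) {
            return ($HostName -like $Pattern) -and ($HostName.Split('.').Count -eq $Pattern.Split('.').Count)
        }
        return $Pattern -ieq $HostName
    }

    $required = @($FederationServiceName) + @($UpnSuffix | ForEach-Object { "enterpriseregistration.$_" })
    $coverage = foreach ($r in $required) {
        $ok = $false
        foreach ($n in $names) { if (Test-NameMatch $n $r) { $ok = $true } }
        [pscustomobject]@{ Name = $r; Covered = $ok }
    }

    # AD FS needs a CSP-backed key: GetRSAPrivateKey returns RSACryptoServiceProvider for a CSP
    # key and RSACng for a KSP (CNG) key (requires .NET Framework 4.6 or later)
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $isCsp = $key -is [System.Security.Cryptography.RSACryptoServiceProvider]

    [pscustomobject]@{
        Subject       = $cert.Subject
        Names         = $names
        NameCoverage  = $coverage
        HasPrivateKey = $cert.HasPrivateKey
        CspKey        = $isCsp
        NotAfter      = $cert.NotAfter
    }
}

function Test-AdfsIntranetDns {
    param([Parameter(Mandatory)][string]$FederationServiceName)
    # A CNAME makes clients derive the Kerberos SPN from the canonical name; the AD FS name
    # must therefore resolve directly through A records on the intranet
    $records = Resolve-DnsName -Name $FederationServiceName -DnsOnly -ErrorAction Stop
    [pscustomobject]@{
        Name     = $FederationServiceName
        HasCname = [bool]($records | Where-Object { $_.Type -eq 'CNAME' })
        ARecords = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    }
}

# Usage with assumed values; replace <THUMBPRINT> with the candidate certificate's thumbprint
Test-AdfsCertificate -Thumbprint '<THUMBPRINT>' -FederationServiceName 'sts.contoso.com' -UpnSuffix 'contoso.com'
Test-AdfsIntranetDns -FederationServiceName 'sts.contoso.com'
```

A certificate passes when every NameCoverage row is Covered, HasPrivateKey and CspKey are both true, and NotAfter is comfortably in the future; a DNS result passes when HasCname is false and ARecords lists the load balancer (or single server) address. Run the DNS check from a domain-joined intranet client, since the extranet answer is expected to differ.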

Azure AD Connect supporting components

Azure AD Connect installs the following components on the server where Azure AD Connect is installed. This list is for a basic Express installation. If you choose to use a different SQL Server on the Install synchronization services page, SQL Express LocalDB isn't installed locally.

  • Microsoft SQL Server 2012 Command Line Utilities
  • Microsoft SQL Server 2012 Express LocalDB
  • Microsoft SQL Server 2012 Native Client
  • Microsoft Visual C++ 2013 Redistributable Package

Hardware requirements for Azure AD Connect

The following table shows the minimum requirements for the Azure AD Connect sync computer.

  Number of objects in Active Directory   CPU       Memory   Hard drive size
  Fewer than 10,000                       1.6 GHz   4 GB     70 GB
  10,000-50,000                           1.6 GHz   4 GB     70 GB
  50,000-100,000                          1.6 GHz   16 GB    100 GB
  For 100,000 or more objects, the full version of SQL Server is required.
  100,000-300,000                         1.6 GHz   32 GB    300 GB
  300,000-600,000                         1.6 GHz   32 GB    450 GB
  More than 600,000                       1.6 GHz   32 GB    500 GB

The minimum requirements for computers running AD FS or Web Application Proxy servers are:

  • CPU: Dual core 1.6 GHz or higher
  • Memory: 2 GB or higher
  • Azure VM: A2 configuration or higher

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.