Migrate groups from one forest to another for Azure AD Connect

This article describes how to migrate groups from one forest to another so that the migrated group objects match the existing objects in the cloud.

Prerequisites

  • Azure AD Connect version 1.5.18.0 or later
  • Source anchor attribute set to mS-DS-ConsistencyGuid

Migrate groups

Starting in version 1.5.18.0, Azure AD Connect supports the use of the mS-DS-ConsistencyGuid attribute for groups. If you choose mS-DS-ConsistencyGuid as the source anchor attribute and the value is populated in Active Directory, Azure AD Connect uses the value of mS-DS-ConsistencyGuid as the immutableId. Otherwise, it falls back to using objectGUID. Note, however, that Azure AD Connect doesn't write that fallback value back to the mS-DS-ConsistencyGuid attribute in Active Directory.

During a cross-forest move, when a group object is moving from one forest (say F1) to another forest (say F2), you need to copy either the mS-DS-ConsistencyGuid value (if it's present) or the objectGUID value from the object in forest F1 to the mS-DS-ConsistencyGuid attribute of the object in F2.

Use the following scripts as a guide to learn how to migrate a single group from one forest to another. You can also use these scripts as a guide for the migration of multiple groups. The scripts use the forest name F1 for the source forest and F2 for the destination forest.

First, we get the objectGUID and mS-DS-ConsistencyGuid of the group object in forest F1. These attributes are exported to a CSV file.

<#
DESCRIPTION
============
This script (referred to below as the Import-Group script) takes the DN of a group as input.
It then copies the objectGUID and mS-DS-ConsistencyGuid values along with other attributes of the given group to a CSV file.

This CSV file can then be used as input to the Export-Group script.
Run it against forest F1 (the source forest).
#>
#Requires -Modules ActiveDirectory
Param(
       [ValidateNotNullOrEmpty()]
       [string]
       $dn,

       [ValidateNotNullOrEmpty()]
       [string]
       $outputCsv
)

$defaultProperties = @('samAccountName', 'distinguishedName', 'objectGUID', 'mS-DS-ConsistencyGuid')
# -Filter returns nothing (no error) when the DN does not exist, so the null check below is required.
$group  = Get-ADGroup -Filter "DistinguishedName -eq '$dn'" -Properties $defaultProperties -ErrorAction Stop
$results = @()
if ($null -eq $group)
{
       throw "Group not found: $dn"
}
else
{
       $objectGUIDValue = [GUID]$group.'objectGUID'
       # "N/A" tells the Export-Group script that the source object had no mS-DS-ConsistencyGuid,
       # so the objectGUID must be used instead (the same fallback Azure AD Connect applies).
       $mSDSConsistencyGuidValue = "N/A"
       if ($null -ne $group.'mS-DS-ConsistencyGuid')
       {
              # The attribute is an octet string (16 bytes); convert it to a GUID for the CSV.
              $mSDSConsistencyGuidValue = [GUID][byte[]]$group.'mS-DS-ConsistencyGuid'
       }
       $adgroup = New-Object -TypeName PSObject
       $adgroup | Add-Member -MemberType NoteProperty -Name samAccountName -Value $($group.'samAccountName')
       $adgroup | Add-Member -MemberType NoteProperty -Name distinguishedName -Value $($group.'distinguishedName')
       $adgroup | Add-Member -MemberType NoteProperty -Name objectGUID -Value $($objectGUIDValue)
       $adgroup | Add-Member -MemberType NoteProperty -Name mS-DS-ConsistencyGuid -Value $($mSDSConsistencyGuidValue)
       $results += $adgroup
}

Write-Host "Exporting group to output file"
$results | Export-Csv "$outputCsv" -NoTypeInformation

Next, we use the generated output CSV file to stamp the mS-DS-ConsistencyGuid attribute on the target object in forest F2:

<#
DESCRIPTION
============
This script (referred to above as the Export-Group script) takes the DN of a group as input
and the CSV file that was generated by the Import-Group script.
It copies either the objectGUID or the mS-DS-ConsistencyGuid value from the CSV file to the given object.
Run it against forest F2 (the destination forest).
#>
#Requires -Modules ActiveDirectory
Param(
       [ValidateNotNullOrEmpty()]
       [string]
       $dn,

       [ValidateNotNullOrEmpty()]
       [string]
       $inputCsv
)

$group  = Get-ADGroup -Filter "DistinguishedName -eq '$dn'" -ErrorAction Stop
if ($null -eq $group)
{
       # Stop here; otherwise the script would continue and attempt to stamp a missing object.
       throw "Group not found: $dn"
}

# The CSV produced by the Import-Group script contains a single row for the group.
$csvFile = Import-Csv -Path $inputCsv -ErrorAction Stop
$msDSConsistencyGuid = $csvFile.'mS-DS-ConsistencyGuid'
$objectGuid = [GUID] $csvFile.'objectGUID'

# Prefer the source object's existing mS-DS-ConsistencyGuid; fall back to its objectGUID.
if ($msDSConsistencyGuid -eq "N/A")
{
       $targetGuid = $objectGuid
}
else
{
       # Import-Csv returns strings, so convert the value back to a GUID before writing it.
       $targetGuid = [GUID] $msDSConsistencyGuid
}

# mS-DS-ConsistencyGuid is an octet string: write the GUID's 16 bytes, not its string form.
Set-ADGroup -Identity $dn -Replace @{'mS-DS-ConsistencyGuid'=$targetGuid.ToByteArray()} -ErrorAction Stop
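The two scripts above handle one group per run and trust the CSV in between. The following script is an added example, not part of the original article or of Azure AD Connect, that applies the same rule (mS-DS-ConsistencyGuid if populated, otherwise objectGUID) to several groups in a single pass, talking to both forests directly. It assumes that a domain controller in each forest is reachable through the -Server parameter of the ActiveDirectory cmdlets, that the source and destination groups share the same sAMAccountName, and that the account running it can read F1 and write F2; the parameter names (-SourceServer, -TargetServer, -GroupNames, -ReportCsv) are hypothetical. It refuses to overwrite a target group that already carries a different anchor, supports -WhatIf, and reads each value back after writing so the report reflects what AD actually stored.

```powershell
<#
Added example (not from the original article). Stamps mS-DS-ConsistencyGuid on groups in
forest F2 from the matching groups in forest F1, for a list of sAMAccountNames.
Assumed parameters: -SourceServer (a DC of F1), -TargetServer (a DC of F2), -GroupNames.
#>
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
Param(
    [Parameter(Mandatory)] [string]   $SourceServer,
    [Parameter(Mandatory)] [string]   $TargetServer,
    [Parameter(Mandatory)] [string[]] $GroupNames,
    [string] $ReportCsv = ".\group-anchor-migration.csv"
)

function Get-SourceAnchorGuid {
    # Same precedence Azure AD Connect uses: a populated mS-DS-ConsistencyGuid wins,
    # otherwise the objectGUID is the source anchor.
    param([Microsoft.ActiveDirectory.Management.ADGroup] $Group)
    $raw = $Group.'mS-DS-ConsistencyGuid'
    if ($null -ne $raw -and ([byte[]]$raw).Length -eq 16) { return [GUID][byte[]]$raw }
    return [GUID]$Group.objectGUID
}

$report = foreach ($name in $GroupNames) {
    $status = 'Unknown'
    $anchor = $null
    try {
        # -Identity accepts a sAMAccountName and throws if the group does not exist.
        $src = Get-ADGroup -Server $SourceServer -Identity $name `
                           -Properties objectGUID, 'mS-DS-ConsistencyGuid' -ErrorAction Stop
        $dst = Get-ADGroup -Server $TargetServer -Identity $name `
                           -Properties 'mS-DS-ConsistencyGuid' -ErrorAction Stop

        $anchor   = Get-SourceAnchorGuid -Group $src
        $existing = $dst.'mS-DS-ConsistencyGuid'

        if ($null -ne $existing -and ([GUID][byte[]]$existing) -eq $anchor) {
            $status = 'AlreadyStamped'
        }
        elseif ($null -ne $existing) {
            # A different anchor is already present. Overwriting it would change the
            # immutableId of an object that may already be synced, so leave it for review.
            $status = 'ConflictSkipped'
        }
        elseif ($PSCmdlet.ShouldProcess($dst.DistinguishedName, "stamp mS-DS-ConsistencyGuid $anchor")) {
            Set-ADGroup -Server $TargetServer -Identity $dst.DistinguishedName `
                        -Replace @{'mS-DS-ConsistencyGuid' = $anchor.ToByteArray()} -ErrorAction Stop
            # Read back and compare, so the report shows the value AD actually stored.
            $check  = Get-ADGroup -Server $TargetServer -Identity $dst.DistinguishedName `
                                  -Properties 'mS-DS-ConsistencyGuid' -ErrorAction Stop
            $stored = [GUID][byte[]]$check.'mS-DS-ConsistencyGuid'
            $status = if ($stored -eq $anchor) { 'Stamped' } else { 'VerifyFailed' }
        }
        else {
            $status = 'WhatIf'
        }
    }
    catch {
        $status = "Error: $($_.Exception.Message)"
    }
    [PSCustomObject]@{
        sAMAccountName = $name
        sourceAnchor   = $anchor
        status         = $status
    }
}

# Keep the per-group outcome as evidence of what was changed and what was skipped.
$report | Export-Csv -Path $ReportCsv -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it first with -WhatIf to get a report without touching F2; any group reported as ConflictSkipped needs a manual decision, because both anchors cannot be correct and the one Azure AD Connect already synced is the one the cloud object is matched on.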

Next steps

Learn more about integrating your on-premises identities with Azure Active Directory.