Azure AD Connect sync: Best practices for changing the default configuration

The purpose of this topic is to describe supported and unsupported changes to Azure AD Connect sync.

The configuration created by Azure AD Connect works "as is" for most environments that synchronize on-premises Active Directory with Azure AD. However, in some cases it is necessary to apply changes to the configuration to satisfy a particular need or requirement.

Changes to the service account

Azure AD Connect sync runs under a service account created by the installation wizard. This service account holds the encryption keys to the database used by sync. It is created with a 127-character password, and the password is set to never expire.

  • It is unsupported to change or reset the password of the service account. Doing so destroys the encryption keys; the service can then no longer access the database and does not start.

Changes to the scheduler

Starting with the releases from build 1.1 (February 2016), you can configure the scheduler to use a sync cycle other than the default 30 minutes.
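The following PowerShell is an added example, not code from the Microsoft page, showing how to change the sync cycle with the ADSync module's Get-ADSyncScheduler and Set-ADSyncScheduler cmdlets. It reads the minimum interval the scheduler itself reports (AllowedSyncCycleInterval) and refuses to configure anything shorter; the one-hour target value is a constructed example, and the script assumes it is run in an elevated session on the Azure AD Connect server.

```powershell
# Added example: change the Azure AD Connect sync cycle interval safely.
# Assumes the ADSync module that ships with Azure AD Connect is installed.
Import-Module ADSync

# Constructed target value: run a delta sync every hour instead of every 30 minutes.
$desired = [TimeSpan]::Parse('01:00:00')

$sched = Get-ADSyncScheduler
Write-Host "Allowed minimum interval : $($sched.AllowedSyncCycleInterval)"
Write-Host "Currently effective      : $($sched.CurrentlyEffectiveSyncCycleInterval)"

# The scheduler never runs more often than AllowedSyncCycleInterval; check before
# setting so a typo such as 00:01:00 is caught instead of silently clamped.
if ($desired -lt $sched.AllowedSyncCycleInterval) {
    throw "Requested interval $desired is shorter than the allowed minimum $($sched.AllowedSyncCycleInterval)"
}

if ($desired -ne $sched.CustomizedSyncCycleInterval) {
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $desired
}

# Re-read the scheduler so the change is confirmed from the server, not assumed.
Get-ADSyncScheduler |
    Select-Object AllowedSyncCycleInterval, CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval
```

CurrentlyEffectiveSyncCycleInterval is the value the scheduler actually uses; if it still differs from the customized value after the change, the customized value was below the allowed minimum.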

Changes to Synchronization Rules

The installation wizard provides a configuration that is intended to work for the most common scenarios. If you need to make changes to the configuration, you must follow these rules to keep a supported configuration.

Warning

If you make changes to the default sync rules, these changes are overwritten the next time Azure AD Connect is updated, resulting in unexpected and likely unwanted synchronization results.

  • You can change attribute flows if the default direct attribute flows are not suitable for your organization.
  • If you want to stop flowing an attribute and remove any existing attribute values in Azure AD, you need to create a rule for this scenario.
  • Disable an unwanted Sync Rule rather than deleting it. A deleted rule is recreated during an upgrade.
  • To change an out-of-box rule, make a copy of the original rule and disable the out-of-box rule. The Sync Rule Editor prompts you and helps with this.
  • Export your custom synchronization rules using the Synchronization Rules Editor. The editor provides a PowerShell script you can use to easily recreate them in a disaster recovery scenario.

Warning

The out-of-box sync rules have a thumbprint. If you make a change to these rules, the thumbprint no longer matches, and you might have problems in the future when you try to apply a new release of Azure AD Connect. Only make changes the way described in this article.

Disable an unwanted Sync Rule

Do not delete an out-of-box sync rule. It is recreated during the next upgrade.

In some cases, the installation wizard produces a configuration that does not work for your topology. For example, if you have an account-resource forest topology but have extended the schema in the account forest with the Exchange schema, then rules for Exchange are created for both the account forest and the resource forest. In this case, you need to disable the Sync Rule for Exchange on the account forest.

[Figure: Disabled sync rule]

In the picture above, the installation wizard has found an old Exchange 2003 schema in the account forest. This schema extension was added before the resource forest was introduced in Fabrikam's environment. To ensure that no attributes from the old Exchange implementation are synchronized, the sync rule should be disabled as shown.
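The same change can be made with the ADSync module instead of the Sync Rule Editor. The script below is an added example, not code from the Microsoft page: it finds the out-of-box rules on the account-forest connector whose names contain "Exchange" and disables them with Disable-ADSyncSyncRule, deliberately never calling Remove-ADSyncRule, since a deleted rule comes back at the next upgrade. The connector name fabrikam.com and the name filter are constructed for the example; the property names used on the rule objects (Connector, Name, Disabled, Identifier, Direction) are those returned by Get-ADSyncRule.

```powershell
# Added example: disable (never delete) the Exchange sync rules on one connector.
# Assumes the ADSync module from Azure AD Connect is available.
Import-Module ADSync

$connectorName = 'fabrikam.com'   # constructed: the account-forest AD connector
$namePattern   = '*Exchange*'     # constructed: matches e.g. "In from AD - User Exchange"
$dryRun        = $true            # flip to $false once the list below looks right

# Resolve the connector so rules on the resource forest or the Azure AD
# connector are never touched by accident.
$connector = Get-ADSyncConnector -Name $connectorName
if (-not $connector) { throw "Connector '$connectorName' not found" }

$targets = Get-ADSyncRule | Where-Object {
    $_.Connector -eq $connector.Identifier -and
    $_.Direction -eq 'Inbound'            -and
    $_.Name      -like $namePattern       -and
    -not $_.Disabled
}

if (-not $targets) {
    Write-Host "No enabled inbound rules matching '$namePattern' on '$connectorName'."
    return
}

# Record what will change; this list is also what you would keep for a change ticket.
$targets | Select-Object Name, Precedence, Identifier | Format-Table -AutoSize

foreach ($rule in $targets) {
    if ($dryRun) {
        Write-Host "[dry run] would disable: $($rule.Name)"
    } else {
        # Disable keeps the rule and its thumbprint intact, so the next upgrade
        # still recognizes it as an unchanged out-of-box rule.
        Disable-ADSyncSyncRule -Identifier $rule.Identifier
        Write-Host "disabled: $($rule.Name)"
    }
}

# Verify from the server rather than trusting the loop.
Get-ADSyncRule |
    Where-Object { $_.Connector -eq $connector.Identifier -and $_.Name -like $namePattern } |
    Select-Object Name, Disabled
```

Run it once with $dryRun left at $true and read the table: a rule from the resource-forest connector appearing there means the connector name is wrong, and that should be fixed before anything is disabled. If the rule is needed again later, Enable-ADSyncSyncRule -Identifier restores it without any recreation.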

Change an out-of-box rule

The only time you should change an out-of-box rule is when you need to change the join rule. If you need to change an attribute flow, create a sync rule with higher precedence than the out-of-box rules instead. In practice, the only rule you need to clone is In from AD - User Join; all other rules can be overridden with a higher-precedence rule.

If you need to make changes to an out-of-box rule, make a copy of the out-of-box rule and disable the original rule. Then make the changes to the cloned rule. The Sync Rule Editor helps you with these steps. When you open an out-of-box rule, you are presented with this dialog box:
[Figure: Warning when opening an out-of-box rule]

Select Yes to create a copy of the rule. The cloned rule is then opened.
[Figure: Cloned rule]

On this cloned rule, make any necessary changes to scope, join, and transformations.
