Changing the ADSync service account password

If you change the ADSync service account password, the Synchronization Service will not be able to start correctly until you have abandoned the encryption key and reinitialized the ADSync service account password.

Azure AD Connect, as part of the Synchronization Services, uses an encryption key to store the passwords of the AD DS Connector account and the ADSync service account. These passwords are encrypted before they are stored in the database.

The encryption key is itself secured using Windows Data Protection (DPAPI). DPAPI protects the encryption key using the ADSync service account, which is why the key is bound to that account's credentials.

If you need to change the service account password, use the procedures in Abandoning the ADSync service account encryption key to accomplish this. The same procedures apply if you need to abandon the encryption key for any other reason.

Issues that arise from changing the password

There are two things that need to be done when you change the service account password.

First, you need to change the password under the Windows Service Control Manager. Until this is done you will see the following errors:

  • If you try to start the Synchronization Service in Windows Service Control Manager, you receive the error "Windows could not start the Azure AD Sync service on Local Computer. Error 1069: The service did not start due to a logon failure."
  • Under Windows Event Viewer, the System event log contains an error with Event ID 7038 and the message "The ADSync service was unable to log on as with the currently configured password due to the following error: The user name or password is incorrect."

Second, under specific conditions, once the password is updated the Synchronization Service can no longer retrieve the encryption key via DPAPI. Without the encryption key, the Synchronization Service cannot decrypt the passwords it needs to synchronize between on-premises AD and Azure AD. You will see errors such as:

  • Under Windows Service Control Manager, if you try to start the Synchronization Service and it cannot retrieve the encryption key, it fails with the error "Windows could not start the Azure AD Sync on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -21451857952."
  • Under Windows Event Viewer, the Application event log contains an error with Event ID 6028 and the message "The server encryption key cannot be accessed."

To avoid these errors, follow the procedures in Abandoning the ADSync service account encryption key when changing the password.
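The two symptoms above are easy to confirm from the event logs before touching the key. The following PowerShell script is an added example, not part of the original article: it checks the service state, looks for the Event ID 7038 (logon failure) and Event ID 6028 (encryption key inaccessible) errors the article describes, and maps each to the remediation step it calls for. It assumes the sync service's Windows service name is ADSync and that it is run in an elevated session on the Azure AD Connect server.

```powershell
# Added diagnostic example (not from the original article).
# Assumption: the Synchronization Service's service name is 'ADSync'.
$ServiceName = 'ADSync'
$Since = (Get-Date).AddDays(-1)   # look back 24 hours

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service '$ServiceName' not found on this host"; return }
"Service '$($svc.DisplayName)' is currently $($svc.Status)"

# Symptom 1: Service Control Manager logs Event ID 7038 in the System log when the
# configured service account password no longer matches ("user name or password is incorrect").
$logonFailures = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 7038; StartTime = $Since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $ServiceName }

# Symptom 2: the sync engine logs Event ID 6028 in the Application log when DPAPI can no
# longer return the encryption key ("The server encryption key cannot be accessed").
$keyErrors = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Id = 6028; StartTime = $Since
} -ErrorAction SilentlyContinue

if ($logonFailures) {
    "Found $(@($logonFailures).Count) logon failure(s) (Event 7038), latest at $(@($logonFailures)[0].TimeCreated)."
    "  -> Update the service account password in the Windows Service Control Manager."
}
if ($keyErrors) {
    "Found $(@($keyErrors).Count) encryption key error(s) (Event 6028), latest at $(@($keyErrors)[0].TimeCreated)."
    "  -> Stop the service, abandon the key (miiskmu.exe /a), re-enter the AD DS Connector"
    "     account password, run Add-ADSyncAADServiceAccount, then start the service."
}
if (-not $logonFailures -and -not $keyErrors -and $svc.Status -eq 'Running') {
    "No password-related symptoms found in the last 24 hours."
}
```

Run it after a service account password change (or whenever the service refuses to start) to tell the two failure modes apart before deciding whether the key must be abandoned.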

Abandoning the ADSync service account encryption key

Important

The following procedures only apply to Azure AD Connect build 1.1.443.0 or older.

Use the following procedures to abandon the encryption key.

What to do if you need to abandon the encryption key

If you need to abandon the encryption key, carry out the following steps in order:

  1. Stop the Synchronization Service
  2. Abandon the existing encryption key
  3. Provide the password of the AD DS Connector account
  4. Reinitialize the password of the ADSync service account
  5. Start the Synchronization Service

Stop the Synchronization Service

First, stop the service in the Windows Service Control Manager. Make sure that a synchronization run is not in progress when you attempt to stop it; if one is, wait until it completes and then stop the service.

  1. Go to Windows Service Control Manager (START → Services).
  2. Select Azure AD Sync and click Stop.

Abandon the existing encryption key

Abandon the existing encryption key so that a new encryption key can be created:

  1. Sign in to your Azure AD Connect server as an administrator.
  2. Start a new PowerShell session.
  3. Navigate to the folder $env:ProgramFiles\Azure AD Sync\bin\
  4. Run the command: ./miiskmu.exe /a


Provide the password of the AD DS Connector account

Because the existing passwords stored in the database can no longer be decrypted, you need to provide the Synchronization Service with the password of the AD DS Connector account again. The Synchronization Service then encrypts the password with the new encryption key:

  1. Start the Synchronization Service Manager (START → Synchronization Service).
  2. Go to the Connectors tab.
  3. Select the AD Connector that corresponds to your on-premises AD. If you have more than one AD connector, repeat the following steps for each of them.
  4. Under Actions, select Properties.
  5. In the pop-up dialog, select Connect to Active Directory Forest.
  6. Enter the password of the AD DS account in the Password textbox. If you do not know its password, you must set it to a known value before performing this step.
  7. Click OK to save the new password and close the pop-up dialog.

Reinitialize the password of the ADSync service account

You cannot directly provide the password of the Azure AD service account to the Synchronization Service. Instead, you need to use the cmdlet Add-ADSyncAADServiceAccount to reinitialize the Azure AD service account. The cmdlet resets the account password and makes it available to the Synchronization Service:

  1. Start a new PowerShell session on the Azure AD Connect server.
  2. Run the cmdlet Add-ADSyncAADServiceAccount.
  3. In the pop-up dialog, provide the Azure AD Global admin credentials for your Azure AD tenant.
  4. If it is successful, you are returned to the PowerShell command prompt.

Start the Synchronization Service

Now that the Synchronization Service has access to the encryption key and all the passwords it needs, you can restart the service in the Windows Service Control Manager:

  1. Go to Windows Service Control Manager (START → Services).
  2. Select Azure AD Sync and click Restart.
