Azure AD Connect sync: Make a change to the default configuration

The purpose of this article is to walk you through how to make changes to the default configuration in Azure Active Directory (Azure AD) Connect sync. It provides steps for some common scenarios. With this knowledge, you should be able to make simple changes to your own configuration based on your own business rules.

Warning

If you make changes to the default sync rules, those changes will be overwritten the next time Azure AD Connect is updated, resulting in unexpected and likely unwanted synchronization results.

The out-of-box sync rules have a thumbprint. If you make a change to these rules, the thumbprint no longer matches. You might have problems in the future when you try to apply a new release of Azure AD Connect. Only make changes the way it is described in this article.

Synchronization Rules Editor

The Synchronization Rules Editor is used to see and change the default configuration. You can find it on the Start menu under the Azure AD Connect group.
(Screenshot: Start menu with Synchronization Rules Editor)

When you open the editor, you see the default out-of-box rules.

(Screenshot: Synchronization Rules Editor)

Using the drop-downs at the top of the editor, you can quickly find a specific rule. For example, if you want to see the rules where the attribute proxyAddresses is included, you can change the drop-downs to the following:
(Screenshot: Synchronization Rules Editor filtering)
To reset filtering and load a fresh configuration, press F5 on the keyboard.

On the upper right is the Add new rule button. You use this button to create your own custom rule.

At the bottom are buttons for acting on a selected sync rule. Edit and Delete do what you expect them to. Export produces a PowerShell script for re-creating the sync rule. With this procedure, you can move a sync rule from one server to another.

Create your first custom rule

The most common changes are to the attribute flows. The data in your source directory might not be the same as in Azure AD. In the example in this section, make sure the given name of a user is always in proper case.

Disable the scheduler

The scheduler runs every 30 minutes by default. Make sure it does not start while you are making changes and troubleshooting your new rules. To temporarily disable the scheduler, start PowerShell and run Set-ADSyncScheduler -SyncCycleEnabled $false.

(Screenshot: Disable the scheduler)

Create the rule

  1. Click Add new rule.
  2. On the Description page, enter the following:
    (Screenshot: Inbound rule filtering)
    • Name: Give the rule a descriptive name.
    • Description: Give some clarification so someone else can understand what the rule is for.
    • Connected System: This is the system in which the object can be found. In this case, select Active Directory Connector.
    • Connected System/Metaverse Object Type: Select User and Person, respectively.
    • Link Type: Change this value to Join.
    • Precedence: Provide a value that is unique in the system. A lower numeric value indicates higher precedence.
    • Tag: Leave this empty. Only out-of-box rules from Microsoft should have this box populated with a value.
  3. On the Scoping filter page, enter givenName ISNOTNULL.
    (Screenshot: Inbound rule scoping filter)
    This section is used to define which objects the rule should apply to. If it's left empty, the rule would apply to all user objects. However, that would include conference rooms, service accounts, and other non-people user objects.
  4. On the Join rules page, leave the field empty.
  5. On the Transformations page, change FlowType to Expression. For Target Attribute, select givenName. For Source, enter PCase([givenName]).
    (Screenshot: Inbound rule transformations)
    The sync engine is case-sensitive for both the function name and the name of the attribute. If you type something wrong, you see a warning when you add the rule. You can save and continue, but you need to reopen and correct the rule.
  6. Click Add to save the rule.

Your new custom rule should be visible with the other sync rules in the system.

Verify the change

With this new change, you want to make sure it is working as expected and is not throwing any errors. Depending on the number of objects you have, there are two ways to do this step:

  • Run a full sync on all objects.
  • Run a preview and full sync on a single object.

Open the Synchronization Service from the Start menu. The steps in this section are all in this tool.

Full sync on all objects

  1. Select Connectors at the top. Identify the connector that you changed in the previous section (in this case, Active Directory Domain Services), and select it.
  2. For Actions, select Run.
  3. Select Full Synchronization, and then select OK.
    (Screenshot: Full sync)
    The objects are now updated in the metaverse. Verify your changes by looking at the object in the metaverse.

Preview and full sync on a single object

  1. Select Connectors at the top. Identify the connector that you changed in the previous section (in this case, Active Directory Domain Services), and select it.
  2. Select Search Connector Space.
  3. Use Scope to find an object that you want to use to test the change. Select the object and click Preview.
  4. On the new screen, select Commit Preview.
    (Screenshot: Commit preview)
    The change is now committed to the metaverse.

View the object in the metaverse

  1. Pick a few sample objects to make sure that the value is expected and that the rule applied.
  2. Select Metaverse Search from the top. Add any filter that you need to find the relevant objects.
  3. From the search result, open an object. Look at the attribute values, and also verify in the Sync Rules column that the rule applied as expected.
    (Screenshot: Metaverse search)

Enable the scheduler

If everything is as expected, you can enable the scheduler again. From PowerShell, run Set-ADSyncScheduler -SyncCycleEnabled $true.

Other common attribute flow changes

The previous section described how to make changes to an attribute flow. In this section, some additional examples are provided. The steps for how to create the sync rule are abbreviated, but you can find the full steps in the previous section.

Use an attribute other than the default

In this Fabrikam scenario, there is a forest where the local alphabet is used for given name, surname, and display name. The Latin character representation of these attributes can be found in the extension attributes. For building a global address list in Azure AD and Office 365, the organization wants to use these attributes instead.

With a default configuration, an object from the local forest looks like this:
(Screenshot: Attribute flow 1)

To create a rule with other attribute flows, do the following:

  1. Open the Synchronization Rules Editor from the Start menu.
  2. With Inbound still selected to the left, click the Add new rule button.
  3. Give the rule a name and description. Select the on-premises Active Directory instance and the relevant object types. In Link Type, select Join. For Precedence, pick a number that is not used by another rule. The out-of-box rules start with 100, so the value 50 can be used in this example.
    (Screenshot: Attribute flow 2)
  4. Leave Scoping filter empty. (That is, it should apply to all user objects in the forest.)
  5. Leave Join rules empty. (That is, let the out-of-box rule handle any joins.)
  6. In Transformations, create the following flows:
    (Screenshot: Attribute flow 3)
  7. Click Add to save the rule.
  8. Go to Synchronization Service Manager. On Connectors, select the connector where you added the rule. Select Run, and then select Full Synchronization. A full synchronization recalculates all objects by using the current rules.

This is the result for the same object with this custom rule:
(Screenshot: Attribute flow 4)

Length of attributes

String attributes are indexable by default, and the maximum length is 448 characters. If you are working with string attributes that might contain more, make sure to include the following in the attribute flow:
attributeName <- Left([attributeName],448)

Changing the userPrincipalSuffix

The userPrincipalName attribute in Active Directory is not always known by the users and might not be suitable as the sign-in ID. With the Azure AD Connect sync installation wizard, you can choose a different attribute, for example mail. But in some cases, the attribute must be calculated.

For example, the company Contoso has two Azure AD directories, one for production and one for testing. They want the users in their test tenant to use another suffix in the sign-in ID:
userPrincipalName <- Word([userPrincipalName],1,"@") & "@contosotest.com"

In this expression, take everything left of the first @-sign (Word) and concatenate it with a fixed string.

Convert a multi-value attribute to single value

Some attributes in Active Directory are multi-valued in the schema, even though they look single-valued in Active Directory Users and Computers. An example is the description attribute:
description <- IIF(IsNullOrEmpty([description]),NULL,Left(Trim(Item([description],1)),448))

In this expression, if the attribute has a value, take the first item (Item) in the attribute, remove leading and trailing spaces (Trim), and then keep the first 448 characters (Left) of the string.

Do not flow an attribute

For background on the scenario for this section, see Control the attribute flow process.

There are two ways to not flow an attribute. The first is by using the installation wizard to remove selected attributes. This option works if you have never synchronized the attribute before. However, if you have started to synchronize this attribute and later remove it with this feature, the sync engine stops managing the attribute and the existing values are left in Azure AD.

If you want to remove the value of an attribute and make sure it does not flow in the future, you need to create a custom rule.

In this Fabrikam scenario, we have realized that some of the attributes we synchronize to the cloud should not be there. We want to make sure these attributes are removed from Azure AD.
(Screenshot: Bad extension attributes)

  1. Create a new inbound synchronization rule and populate the description.
    (Screenshot: Descriptions)
  2. Create attribute flows with Expression for FlowType and AuthoritativeNull for Source. The literal AuthoritativeNull indicates that the value should be empty in the metaverse, even if a lower-precedence sync rule tries to populate the value.
    (Screenshot: Transformation for extension attributes)
  3. Save the sync rule. Start the Synchronization Service, find the connector, select Run, and then select Full Synchronization. This step recalculates all attribute flows.
  4. Verify that the intended changes are about to be exported by searching the Connector Space.
    (Screenshot: Staged delete)

Create rules with PowerShell

Using the Synchronization Rules Editor works fine when you only have a few changes to make. If you need to make many changes, PowerShell might be a better option. Some advanced features are only available with PowerShell.

Get the PowerShell script for an out-of-box rule

To see the PowerShell script that created an out-of-box rule, select the rule in the Synchronization Rules Editor and click Export. This action gives you the PowerShell script that created the rule.

Advanced precedence

The out-of-box sync rules start with a precedence value of 100. If you have many forests and you need to make many custom changes, then 99 sync rules might not be enough.

You can instruct the sync engine that you want additional rules inserted before the out-of-box rules. To get this behavior, follow these steps:

  1. Mark the first out-of-box sync rule (In from AD-User Join) in the Synchronization Rules Editor and select Export. Copy the SR Identifier value.
    (Screenshot: PowerShell before change)
  2. Create the new sync rule. You can use the Synchronization Rules Editor to create it. Export the rule to a PowerShell script.
  3. In the property PrecedenceBefore, insert the Identifier value from the out-of-box rule. Set the Precedence to 0. Make sure the Identifier attribute is unique and that you are not reusing a GUID from another rule. Also make sure that the ImmutableTag property is not set. This property should be set only for an out-of-box rule.
  4. Save the PowerShell script and run it. The result is that your custom rule is assigned the precedence value of 100 and all other out-of-box rules are incremented.
    (Screenshot: PowerShell after change)

You can have many custom sync rules using the same PrecedenceBefore value when needed.
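The following script is an added example, not from the original article and not a script produced by the Synchronization Rules Editor. It combines the two procedures above: it creates the proper-case givenName rule from "Create your first custom rule" entirely in PowerShell, and places it before the out-of-box rules with PrecedenceBefore as described under "Advanced precedence". It follows the same cmdlet sequence the editor's Export produces (New-ADSyncRule, Add-ADSyncAttributeFlowMapping, Add-ADSyncScopeConditionGroup, Add-ADSyncRule). The rule name, the description text, and the two GUID values are assumptions: the connector identifier and the In from AD - User Join identifier are placeholders you must copy from your own exported scripts.

```powershell
# Added example (not from the original article): create the "proper-case givenName"
# custom rule with PowerShell and insert it before the out-of-box rules.
# Run in an elevated PowerShell session on the Azure AD Connect server with the
# scheduler disabled (Set-ADSyncScheduler -SyncCycleEnabled $false).
#
# PLACEHOLDERS you must replace (both come from scripts exported in the editor):
#   $connectorId      - Identifier of your on-premises AD connector
#   $precedenceBefore - SR Identifier of the out-of-box rule "In from AD - User Join"
$connectorId      = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER
$precedenceBefore = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER
$ruleName         = 'In from AD - User givenName ProperCase' # assumed name

# A fresh GUID so the Identifier is never a GUID reused from another rule.
$ruleId = [guid]::NewGuid().ToString()

# Refuse to run twice: a second copy would get its own precedence slot and
# silently shadow the first.
if (Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName }) {
    throw "A rule named '$ruleName' already exists; delete or rename it first."
}

# Precedence 0 plus PrecedenceBefore makes the engine assign 100 to this rule
# and increment the out-of-box rules. ImmutableTag stays empty: only Microsoft's
# out-of-box rules carry a tag.
New-ADSyncRule `
    -Name $ruleName `
    -Identifier $ruleId `
    -Description 'Flow givenName to the metaverse in proper case (custom rule)' `
    -Direction 'Inbound' `
    -Precedence 0 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore $precedenceBefore `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connectorId `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Transformation: Expression flow. Function and attribute names are case-sensitive.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('givenName') `
    -Destination 'givenName' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression 'PCase([givenName])' `
    -OutVariable syncRule

# Scoping filter: givenName ISNOTNULL, so rooms and service accounts without a
# given name are left alone.
New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'givenName', '', 'ISNOTNULL' `
    -OutVariable condition0

Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition0[0]) `
    -OutVariable syncRule

# Commit the rule to the sync engine.
Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Show the result: the new rule should now be at precedence 100 and the
# out-of-box inbound rules shifted down by one.
Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Precedence |
    Select-Object Precedence, Name, ImmutableTag |
    Format-Table -AutoSize
```

After the script runs, verify the change the same way as in "Verify the change" above: a Preview on a single user in the on-premises AD connector space should show givenName in proper case and list the new rule in the Sync Rules column, and only then re-enable the scheduler.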

Enable synchronization of UserType

Azure AD Connect supports synchronization of the UserType attribute for User objects in version 1.1.524.0 and later. More specifically, the following changes have been introduced:

  • The schema of the object type User in the Azure AD Connector is extended to include the UserType attribute, which is of type string and is single-valued.
  • The schema of the object type Person in the metaverse is extended to include the UserType attribute, which is of type string and is single-valued.

By default, the UserType attribute is not enabled for synchronization because there is no corresponding UserType attribute in on-premises Active Directory. You must manually enable synchronization. Before doing this, you must take note of the following behavior enforced by Azure AD:

  • Azure AD only accepts two values for the UserType attribute: Member and Guest.
  • If the UserType attribute is not enabled for synchronization in Azure AD Connect, Azure AD users created through directory synchronization have the UserType attribute set to Member.
  • Azure AD does not permit the UserType attribute on existing Azure AD users to be changed by Azure AD Connect. It can only be set during the creation of the Azure AD users.

Before enabling synchronization of the UserType attribute, you must first decide how the attribute is derived from on-premises Active Directory. The following are the most common approaches:

  • Designate an unused on-premises AD attribute (such as extensionAttribute1) to be used as the source attribute. The designated on-premises AD attribute should be of type string, be single-valued, and contain the value Member or Guest.

    If you choose this approach, you must ensure that the designated attribute is populated with the correct value for all existing user objects in on-premises Active Directory that are synchronized to Azure AD before enabling synchronization of the UserType attribute.

  • Alternatively, you can derive the value for the UserType attribute from other properties. For example, you want to synchronize all users as Guest if their on-premises AD userPrincipalName attribute ends with the domain part @partners.fabrikam123.org.

    As mentioned previously, Azure AD does not permit the UserType attribute on existing Azure AD users to be changed by Azure AD Connect. Therefore, you must ensure that the logic you have decided on is consistent with how the UserType attribute is already configured for all existing Azure AD users in your tenant.

The steps to enable synchronization of the UserType attribute can be summarized as:

  1. Disable the sync scheduler and verify there is no synchronization in progress.
  2. Add the source attribute to the on-premises AD Connector schema.
  3. Add the UserType to the Azure AD Connector schema.
  4. Create an inbound synchronization rule to flow the attribute value from on-premises Active Directory.
  5. Create an outbound synchronization rule to flow the attribute value to Azure AD.
  6. Run a full synchronization cycle.
  7. Enable the sync scheduler.

Note

The rest of this section covers these steps. They are described in the context of an Azure AD deployment with a single-forest topology and without custom synchronization rules. If you have a multi-forest topology, custom synchronization rules configured, or a staging server, you need to adjust the steps accordingly.

Step 1: Disable the sync scheduler and verify there is no synchronization in progress

To avoid exporting unintended changes to Azure AD, ensure that no synchronization takes place while you are in the middle of updating synchronization rules. To disable the built-in sync scheduler:

  1. Start a PowerShell session on the Azure AD Connect server.
  2. Disable scheduled synchronization by running the cmdlet Set-ADSyncScheduler -SyncCycleEnabled $false.
  3. Open the Synchronization Service Manager by going to Start > Synchronization Service.
  4. Go to the Operations tab and confirm there is no operation with a status of in progress.
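The same check can be scripted so that it is not skipped under time pressure. The following is an added example, not part of the original article: it disables the scheduler, then polls the ADSync module until neither a sync cycle nor a connector run is in progress, and refuses to continue after a timeout. It assumes the ADSync module on the Azure AD Connect server; SyncCycleEnabled and SyncCycleInProgress are properties of the Get-ADSyncScheduler output, and the assumption that Get-ADSyncConnectorRunStatus returns no objects when no connector is running is labelled in the code.

```powershell
# Added example (not from the original article): disable the scheduler and wait
# until the sync engine is idle before editing synchronization rules.
# Assumes the ADSync module on the Azure AD Connect server.
param(
    # A running full cycle can take a while; adjust to your environment.
    [int]$TimeoutSeconds = 1800,
    [int]$PollSeconds    = 30
)

# Step 1 of the procedure: turn the built-in scheduler off.
Set-ADSyncScheduler -SyncCycleEnabled $false

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$idle     = $false

do {
    $scheduler = Get-ADSyncScheduler
    # ASSUMPTION: Get-ADSyncConnectorRunStatus lists connectors that are currently
    # running and returns nothing when the engine is idle.
    $running = @(Get-ADSyncConnectorRunStatus)

    $idle = (-not $scheduler.SyncCycleInProgress) -and ($running.Count -eq 0)
    if (-not $idle) {
        Write-Host ("Waiting: SyncCycleInProgress={0}, connectors running={1}" -f `
            $scheduler.SyncCycleInProgress, $running.Count)
        Start-Sleep -Seconds $PollSeconds
    }
} until ($idle -or (Get-Date) -gt $deadline)

if (-not $idle) {
    throw "Synchronization still in progress after $TimeoutSeconds seconds; do not edit rules yet."
}

# Confirm the scheduler really is off before touching any rule.
if ($scheduler.SyncCycleEnabled) {
    throw 'Scheduler is still enabled; check the output of Set-ADSyncScheduler.'
}

Write-Host 'Scheduler disabled and sync engine idle; safe to edit synchronization rules.'
```

Because only the scheduler is disabled, a manual run started from the Synchronization Service Manager still goes ahead; the Operations tab check in step 4 above remains the authoritative view of what is running.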

Step 2: Add the source attribute to the on-premises AD Connector schema

Not all on-premises AD attributes are imported into the on-premises AD Connector Space. To add the source attribute to the list of imported attributes:

  1. Go to the Connectors tab in the Synchronization Service Manager.
  2. Right-click the on-premises AD Connector and select Properties.
  3. In the pop-up dialog box, go to the Select Attributes tab.
  4. Make sure the source attribute is checked in the attribute list.
  5. Click OK to save.
    (Screenshot: Add source attribute to on-premises AD Connector schema)

Step 3: Add the UserType to the Azure AD Connector schema

By default, the UserType attribute is not imported into the Azure AD Connector Space. To add the UserType attribute to the list of imported attributes:

  1. Go to the Connectors tab in the Synchronization Service Manager.
  2. Right-click the Azure AD Connector and select Properties.
  3. In the pop-up dialog box, go to the Select Attributes tab.
  4. Make sure the UserType attribute is checked in the attribute list.
  5. Click OK to save.

(Screenshot: Add the UserType attribute to the Azure AD Connector schema)

Step 4: Create an inbound synchronization rule to flow the attribute value from on-premises Active Directory

The inbound synchronization rule permits the attribute value to flow from the source attribute in on-premises Active Directory to the metaverse:

  1. Open the Synchronization Rules Editor by going to Start > Synchronization Rules Editor.
  2. Set the search filter Direction to Inbound.
  3. Click the Add new rule button to create a new inbound rule.
  4. Under the Description tab, provide the following configuration:
    • Name: Provide a name, for example, In from AD - User UserType.
    • Description: Provide a description.
    • Connected System: Pick the on-premises AD connector.
    • Connected System Object Type: User
    • Metaverse Object Type: Person
    • Link Type: Join
    • Precedence: Choose a number between 1 and 99. The range 1-99 is reserved for custom sync rules. Do not pick a value that is used by another synchronization rule.
  5. Go to the Scoping filter tab and add a single scoping filter group with the following clause:
    • Attribute: adminDescription; Operator: NOTSTARTWITH; Value: User_
    The scoping filter determines which on-premises AD objects this inbound synchronization rule is applied to. In this example, we use the same scoping filter used in the In from AD - User Common out-of-box synchronization rule, which prevents the synchronization rule from being applied to User objects created through the Azure AD User writeback feature. You might need to tweak the scoping filter according to your Azure AD Connect deployment.
  6. Go to the Transformation tab and implement the desired transformation rule. For example, if you have designated an unused on-premises AD attribute (such as extensionAttribute1) as the source attribute for the UserType, you can implement a direct attribute flow:
    • Flow type: Direct; Target attribute: UserType; Source: extensionAttribute1; Apply once: Unchecked; Merge type: Update
    In another example, you want to derive the value for the UserType attribute from other properties. For example, you want to synchronize all users as Guest if their on-premises AD userPrincipalName attribute ends with the domain part @partners.fabrikam123.org. You can implement an expression like this:
    • Flow type: Expression; Target attribute: UserType; Source: IIF(IsPresent([userPrincipalName]),IIF(CBool(InStr(LCase([userPrincipalName]),"@partners.fabrikam123.org")=0),"Member","Guest"),Error("UserPrincipalName is not present to determine UserType")); Apply once: Unchecked; Merge type: Update
  7. Click Add to create the inbound rule.

(Screenshot: Create inbound synchronization rule)

Step 5: Create an outbound synchronization rule to flow the attribute value to Azure AD

The outbound synchronization rule permits the attribute value to flow from the metaverse to the UserType attribute in Azure AD:

  1. Go to the Synchronization Rules Editor.
  2. Set the search filter Direction to Outbound.
  3. Click the Add new rule button.
  4. Under the Description tab, provide the following configuration:
    • Name: Provide a name, for example, Out to AAD - User UserType.
    • Description: Provide a description.
    • Connected System: Select the AAD connector.
    • Connected System Object Type: User
    • Metaverse Object Type: Person
    • Link Type: Join
    • Precedence: Choose a number between 1 and 99. The range 1-99 is reserved for custom sync rules. Do not pick a value that is used by another synchronization rule.
  5. Go to the Scoping filter tab and add a single scoping filter group with two clauses:
    • Attribute: sourceObjectType; Operator: EQUAL; Value: User
    • Attribute: cloudMastered; Operator: NOTEQUAL; Value: True
    The scoping filter determines which Azure AD objects this outbound synchronization rule is applied to. In this example, we use the same scoping filter from the Out to AD - User Identity out-of-box synchronization rule. It prevents the synchronization rule from being applied to User objects that are not synchronized from on-premises Active Directory. You might need to tweak the scoping filter according to your Azure AD Connect deployment.
  6. Go to the Transformation tab and implement the following transformation rule:
    • Flow type: Direct; Target attribute: UserType; Source: UserType; Apply once: Unchecked; Merge type: Update
  7. Click Add to create the outbound rule.
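Before moving on to the full synchronization cycle, it is worth checking the rule set against the constraints stated in steps 4 and 5: both rules exist with the right direction, their precedence is in the 1-99 range reserved for custom rules, no two rules of the same direction share a precedence value, and no custom rule carries an ImmutableTag (the article reserves the tag for out-of-box rules). The following is an added example, not part of the original article. It assumes the ADSync module and the example rule names used in this section; Name, Direction, Precedence and ImmutableTag are the properties of the objects Get-ADSyncRule returns.

```powershell
# Added example (not from the original article): audit the synchronization rule
# set after creating the UserType rules in steps 4 and 5, before Step 6.
# Assumes the ADSync module on the Azure AD Connect server and the example rule
# names from this section.
$expected = @(
    @{ Name = 'In from AD - User UserType';  Direction = 'Inbound'  },
    @{ Name = 'Out to AAD - User UserType';  Direction = 'Outbound' }
)

$rules    = Get-ADSyncRule
$problems = New-Object System.Collections.Generic.List[string]

# 1. Both custom rules exist, point in the intended direction, and use a
#    precedence in the 1-99 range reserved for custom rules.
foreach ($e in $expected) {
    $r = $rules | Where-Object { $_.Name -eq $e.Name }
    if (-not $r) { $problems.Add("Missing rule '$($e.Name)'"); continue }
    if ("$($r.Direction)" -ne $e.Direction) {
        $problems.Add("'$($e.Name)' has direction $($r.Direction), expected $($e.Direction)")
    }
    if ($r.Precedence -lt 1 -or $r.Precedence -gt 99) {
        $problems.Add("'$($e.Name)' precedence $($r.Precedence) is outside the custom range 1-99")
    }
}

# 2. No two rules of the same direction share a precedence value; a collision
#    makes the winner of an attribute flow undefined from the operator's view.
$rules | Group-Object Direction, Precedence | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
    $problems.Add("Duplicate precedence ($($_.Name)): $names")
}

# 3. Custom rules (precedence below 100) must not carry an ImmutableTag; the
#    article reserves the tag for Microsoft's out-of-box rules.
$rules |
    Where-Object { $_.Precedence -lt 100 -and -not [string]::IsNullOrEmpty($_.ImmutableTag) } |
    ForEach-Object { $problems.Add("Custom rule '$($_.Name)' has ImmutableTag '$($_.ImmutableTag)' set") }

if ($problems.Count -eq 0) {
    Write-Host 'Rule set looks consistent; continue with Step 6 (full synchronization cycle).'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "$($problems.Count) problem(s) found; fix them before running a full synchronization."
}
```

The script only reads the rule set, so it is safe to run repeatedly, including on a staging server, and it fails loudly rather than printing a table that is easy to skim past.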

(Screenshot: Create outbound synchronization rule)

Step 6: Run a full synchronization cycle

In general, a full synchronization cycle is required because we have added new attributes to both the Active Directory and Azure AD Connector schemas and introduced custom synchronization rules. You want to verify the changes before exporting them to Azure AD.

You can use the following steps to verify the changes while manually running the steps that make up a full synchronization cycle.

  1. Run a Full Import on the on-premises AD Connector:
    1. Go to the Operations tab in the Synchronization Service Manager.
    2. Right-click the on-premises AD Connector and select Run.
    3. In the pop-up dialog box, select Full Import and then click OK.
    4. Wait for the operation to finish.

      Note

      You can skip a Full Import on the on-premises AD Connector if the source attribute is already included in the list of imported attributes. In other words, you did not have to make any changes during Step 2: Add the source attribute to the on-premises AD Connector schema.

  2. Run a Full Import on the Azure AD Connector:
    1. Right-click the Azure AD Connector and select Run.
    2. In the pop-up dialog box, select Full Import and then click OK.
    3. Wait for the operation to finish.
  3. Verify the synchronization rule changes on an existing User object:

    The source attribute from on-premises Active Directory and the UserType from Azure AD have been imported into their respective Connector Spaces. Before proceeding with a full synchronization, do a Preview on an existing User object in the on-premises AD Connector Space. The object you choose should have the source attribute populated.

    A successful Preview with the UserType populated in the metaverse is a good indicator that you have configured the synchronization rules correctly. For information about how to do a Preview, refer to the section Verify the change.

  4. Run a Full Synchronization on the on-premises AD Connector:
    1. Right-click the on-premises AD Connector and select Run.
    2. In the pop-up dialog box, select Full Synchronization and then click OK.
    3. Wait for the operation to finish.
  5. Verify Pending Exports to Azure AD:
    1. Right-click the Azure AD Connector and select Search Connector Space.
    2. In the Search Connector Space pop-up dialog box:
      • Set Scope to Pending Export.
      • Select all three check boxes: Add, Modify, and Delete.
      • Click the Search button to get the list of objects with changes to be exported. To examine the changes for a given object, double-click the object.
      • Verify that the changes are expected.
  6. Run Export on the Azure AD Connector:
    1. Right-click the Azure AD Connector and select Run.
    2. In the Run Connector pop-up dialog box, select Export and then click OK.
    3. Wait for the export to Azure AD to finish.

Note

These steps do not include the full synchronization and export steps on the Azure AD Connector. They are not required because the attribute values flow from on-premises Active Directory to Azure AD only.

Step 7: Re-enable the sync scheduler

Re-enable the built-in sync scheduler:

  1. Start a PowerShell session.
  2. Re-enable scheduled synchronization by running the cmdlet Set-ADSyncScheduler -SyncCycleEnabled $true.

Next steps

Overview topics