Azure AD Connect sync: Configure filtering

By using filtering, you can control which objects appear in Azure Active Directory (Azure AD) from your on-premises directory. The default configuration takes all objects in all domains in the configured forests. In general, this is the recommended configuration. Users using Office 365 workloads, such as Exchange Online and Skype for Business, benefit from a complete Global Address List so they can send email and call everyone. With the default configuration, they would have the same experience that they would have with an on-premises implementation of Exchange or Lync.

In some cases, however, you're required to make some changes to the default configuration. Here are some examples:

  • You plan to use the multi-Azure AD directory topology. Then you need to apply a filter to control which objects are synchronized to a particular Azure AD directory.
  • You run a pilot for Azure or Office 365 and you only want a subset of users in Azure AD. In the small pilot, it's not important to have a complete Global Address List to demonstrate the functionality.
  • You have many service accounts and other nonpersonal accounts that you don't want in Azure AD.
  • For compliance reasons, you don't delete any user accounts on-premises. You only disable them. But in Azure AD, you only want active accounts to be present.

This article covers how to configure the different filtering methods.

Important

Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the actions that are formally documented. Any of these actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.

Basics and important notes

In Azure AD Connect sync, you can enable filtering at any time. If you start with a default configuration of directory synchronization and then configure filtering, the objects that are filtered out are no longer synchronized to Azure AD. Because of this change, any objects in Azure AD that were previously synchronized but were then filtered are deleted in Azure AD.

Before you start making changes to filtering, make sure that you disable the scheduled task so you don't accidentally export changes that you haven't yet verified to be correct.

Because filtering can remove many objects at the same time, you want to make sure that your new filters are correct before you start exporting any changes to Azure AD. After you've completed the configuration steps, we strongly recommend that you follow the verification steps before you export and make changes to Azure AD.

To protect you from deleting many objects by accident, the feature "prevent accidental deletes" is on by default. If you delete many objects due to filtering (500 by default), you need to follow the steps in this article to allow the deletes to go through to Azure AD.

If you use a build before November 2015 (1.0.9125), make a change to a filter configuration, and use password hash synchronization, then you need to trigger a full sync of all passwords after you've completed the configuration. For steps on how to trigger a password full sync, see Trigger a full sync of all passwords. If you're on build 1.0.9125 or later, then the regular full synchronization action also calculates whether passwords should be synchronized, and this extra step is no longer required.

If user objects were inadvertently deleted in Azure AD because of a filtering error, you can recreate the user objects in Azure AD by removing your filtering configurations. Then you can synchronize your directories again. This action restores the users from the recycle bin in Azure AD. However, you can't undelete other object types. For example, if you accidentally delete a security group and it was used to ACL a resource, the group and its ACLs can't be recovered.

Azure AD Connect only deletes objects that it has once considered to be in scope. If there are objects in Azure AD that were created by another sync engine and these objects aren't in scope, adding filtering doesn't remove them. For example, if you start with a DirSync server that created a complete copy of your entire directory in Azure AD, and you install a new Azure AD Connect sync server in parallel with filtering enabled from the beginning, Azure AD Connect doesn't remove the extra objects that were created by DirSync.

The filtering configuration is retained when you install or upgrade to a newer version of Azure AD Connect. It's always a best practice to verify that the configuration wasn't inadvertently changed after an upgrade to a newer version before running the first synchronization cycle.

If you have more than one forest, then you must apply the filtering configurations that are described in this topic to every forest (assuming that you want the same configuration for all of them).

Disable the scheduled task

To disable the built-in scheduler that triggers a synchronization cycle every 30 minutes, follow these steps:

  1. Go to a PowerShell prompt.
  2. Run Set-ADSyncScheduler -SyncCycleEnabled $False to disable the scheduler.
  3. Make the changes that are documented in this article.
  4. Run Set-ADSyncScheduler -SyncCycleEnabled $True to enable the scheduler again.

If you use an Azure AD Connect build before 1.1.105.0

To disable the scheduled task that triggers a synchronization cycle every three hours, follow these steps:

  1. Start Task Scheduler from the Start menu.
  2. Directly under Task Scheduler Library, find the task named Azure AD Sync Scheduler, right-click, and select Disable.
    (screenshot: Task Scheduler)
  3. You can now make configuration changes and run the sync engine manually from the Synchronization Service Manager console.

After you've completed all your filtering changes, don't forget to come back and Enable the task again.

Filtering options

You can apply the following filtering configuration types to the directory synchronization tool:

  • Group-based: Filtering based on a single group can only be configured on initial installation by using the installation wizard.
  • Domain-based: By using this option, you can select which domains synchronize to Azure AD. You can also add and remove domains from the sync engine configuration when you make changes to your on-premises infrastructure after you install Azure AD Connect sync.
  • Organizational unit (OU)-based: By using this option, you can select which OUs synchronize to Azure AD. This option applies to all object types in the selected OUs.
  • Attribute-based: By using this option, you can filter objects based on attribute values on the objects. You can also have different filters for different object types.

You can use multiple filtering options at the same time. For example, you can use OU-based filtering to only include objects in one OU. At the same time, you can use attribute-based filtering to filter the objects further. When you use multiple filtering methods, the filters are combined with a logical "AND".

Domain-based filtering

This section provides you with the steps to configure your domain filter. If you added or removed domains in your forest after you installed Azure AD Connect, you also have to update the filtering configuration.

The preferred way to change domain-based filtering is by running the installation wizard and changing domain and OU filtering. The installation wizard automates all the tasks that are documented in this topic.

You should only follow these steps if you're unable to run the installation wizard for some reason.

Domain-based filtering configuration consists of these steps:

  1. Select the domains that you want to include in the synchronization.
  2. For each added and removed domain, adjust the run profiles.
  3. Apply and verify changes.

Select the domains to be synchronized

There are two ways to select the domains to be synchronized:

  • Using the Synchronization Service
  • Using the Azure AD Connect wizard

Select the domains to be synchronized using the Synchronization Service

To set the domain filter, do the following steps:

  1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
  2. Start Synchronization Service from the Start menu.
  3. Select Connectors, and in the Connectors list, select the Connector with the type Active Directory Domain Services. In Actions, select Properties.
    (screenshot: Connector properties)
  4. Click Configure Directory Partitions.
  5. In the Select directory partitions list, select and unselect domains as needed. Verify that only the partitions that you want to synchronize are selected.
    (screenshot: Partitions)
    If you've changed your on-premises Active Directory infrastructure and added or removed domains from the forest, then click the Refresh button to get an updated list. When you refresh, you're asked for credentials. Provide any credentials with read access to Windows Server Active Directory. It doesn't have to be the user that is prepopulated in the dialog box.
    (screenshot: Refresh needed)
  6. When you're done, close the Properties dialog by clicking OK. If you removed domains from the forest, a pop-up message says that a domain was removed and that the configuration will be cleaned up.
  7. Continue to adjust the run profiles.

Select the domains to be synchronized using the Azure AD Connect wizard

To set the domain filter, do the following steps:

  1. Start the Azure AD Connect wizard.
  2. Click Configure.
  3. Select Customize Synchronization Options and click Next.
  4. Enter your Azure AD credentials.
  5. On the Connected Directories screen, click Next.
  6. On the Domain and OU filtering page, click Refresh. New domains will now appear and deleted domains will disappear.
    (screenshot: Partitions)

Update the run profiles

If you've updated your domain filter, you also need to update the run profiles.

  1. In the Connectors list, make sure that the Connector that you changed in the previous step is selected. In Actions, select Configure Run Profiles.
    (screenshot: Connector run profiles 1)
  2. Find and identify the following profiles:
    • Full Import
    • Full Synchronization
    • Delta Import
    • Delta Synchronization
    • Export
  3. For each profile, adjust the added and removed domains.
    1. For each of the five profiles, do the following steps for each added domain:
      1. Select the run profile and click New Step.
      2. On the Configure Step page, in the Type drop-down menu, select the step type with the same name as the profile that you're configuring. Then click Next.
        (screenshot: Connector run profiles 2)
      3. On the Connector Configuration page, in the Partition drop-down menu, select the name of the domain that you've added to your domain filter.
        (screenshot: Connector run profiles 3)
      4. To close the Configure Run Profile dialog, click Finish.
    2. For each of the five profiles, do the following steps for each removed domain:
      1. Select the run profile.
      2. If the Value of the Partition attribute is a GUID, select the run step and click Delete Step.
        (screenshot: Connector run profiles 4)
    3. Verify your change. Each domain that you want to synchronize should be listed as a step in each run profile.
  4. To close the Configure Run Profiles dialog, click OK.
  5. To complete the configuration, you need to run a Full import and a Delta sync. Continue reading the section Apply and verify changes.

Organizational unit-based filtering

The preferred way to change OU-based filtering is by running the installation wizard and changing domain and OU filtering. The installation wizard automates all the tasks that are documented in this topic.

You should only follow these steps if you're unable to run the installation wizard for some reason.

To configure organizational unit-based filtering, do the following steps:

  1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
  2. Start Synchronization Service from the Start menu.
  3. Select Connectors, and in the Connectors list, select the Connector with the type Active Directory Domain Services. In Actions, select Properties.
    (screenshot: Connector properties)
  4. Click Configure Directory Partitions, select the domain that you want to configure, and then click Containers.
  5. When you're prompted, provide any credentials with read access to your on-premises Active Directory. It doesn't have to be the user that is prepopulated in the dialog box.
  6. In the Select Containers dialog box, clear the OUs that you don't want to synchronize with the cloud directory, and then click OK.
    (screenshot: OUs in the Select Containers dialog)
    • The Computers container should be selected for your Windows 10 computers to be successfully synchronized to Azure AD. If your domain-joined computers are located in other OUs, make sure those are selected.
    • The ForeignSecurityPrincipals container should be selected if you have multiple forests with trusts. This container allows cross-forest security group membership to be resolved.
    • Select any other OU where Users, iNetOrgPersons, Groups, Contacts, and Computers are located. In the picture, all these OUs are located in the ManagedObjects OU.
    • If you use group-based filtering, then the OU where the group is located must be included.
    • Note that you can configure whether new OUs that are added after the filtering configuration finishes are synchronized or not synchronized. See the next section for details.
  7. When you're done, close the Properties dialog by clicking OK.
  8. To complete the configuration, you need to run a Full import and a Delta sync. Continue reading the section Apply and verify changes.

Synchronize new OUs

New OUs that are created after filtering has been configured are synchronized by default. This state is indicated by a selected check box. You can also unselect some sub-OUs. To get this behavior, click the box until it becomes white with a blue check mark (its default state). Then unselect any sub-OUs that you don't want to synchronize.

If all sub-OUs are synchronized, then the box is white with a blue check mark.
(screenshot: OU, all boxes selected)

If some sub-OUs have been unselected, then the box is gray with a white check mark.
(screenshot: OU, some sub-OUs unselected)

With this configuration, a new OU that is created under ManagedObjects is synchronized.

The Azure AD Connect installation wizard always creates this configuration.

Don't synchronize new OUs

You can configure the sync engine to not synchronize new OUs after the filtering configuration has finished. This state is indicated in the UI by the box appearing solid gray with no check mark. To get this behavior, click the box until it becomes white with no check mark. Then select the sub-OUs that you want to synchronize.

(screenshot: OU, root unselected)

With this configuration, a new OU that is created under ManagedObjects isn't synchronized.

Attribute-based filtering

Make sure that you're using the November 2015 (1.0.9125) or later build for these steps to work.

Important

Microsoft recommends that you not modify the default rules created by Azure AD Connect. If you want to modify a rule, clone it, and disable the original rule. Make any changes to the cloned rule. Note that by doing so (disabling the original rule) you will miss any bug fixes or features enabled through that rule.

Attribute-based filtering is the most flexible way to filter objects. You can use the power of declarative provisioning to control almost every aspect of when an object is synchronized to Azure AD.

You can apply inbound filtering from Active Directory to the metaverse, and outbound filtering from the metaverse to Azure AD. We recommend that you apply inbound filtering because it is the easiest to maintain. You should only use outbound filtering if it's required to join objects from more than one forest before the evaluation can take place.

Inbound filtering

Inbound filtering uses the default configuration, where objects going to Azure AD must have the metaverse attribute cloudFiltered not set to a value in order to be synchronized. If this attribute's value is set to True, then the object isn't synchronized. By design, it shouldn't be set to False. To make sure other rules have the ability to contribute a value, this attribute is only supposed to have the values True or NULL (absent).

In inbound filtering, you use the power of scope to determine which objects to synchronize or not synchronize. This is where you make adjustments to fit your own organization's requirements. The scope module has groups and clauses that determine when a sync rule is in scope. A group contains one or many clauses. There is a logical "AND" between multiple clauses, and a logical "OR" between multiple groups.

Let us look at an example:
(screenshot: scoping filter)
This should be read as (department = IT) OR (department = Sales AND c = US).

In the following samples and steps, you use the user object as an example, but you can use this for all object types.

In the following samples, the precedence value starts with 50. This can be any number not used, but should be lower than 100.

Negative filtering: "do not sync these"

In the following example, you filter out (don't synchronize) all users where extensionAttribute15 has the value NoSync.

  1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
  2. Start Synchronization Rules Editor from the Start menu.
  3. Make sure Inbound is selected, and click Add New Rule.
  4. Give the rule a descriptive name, such as "In from AD - User DoNotSyncFilter". Select the correct forest, select User as the CS object type, and select Person as the MV object type. In Link Type, select Join. In Precedence, type a value that isn't currently used by another synchronization rule (for example 50), and then click Next.
    (screenshot: Inbound 1 description)
  5. In Scoping filter, click Add Group, and click Add Clause. In Attribute, select ExtensionAttribute15. Make sure that Operator is set to EQUAL, and type the value NoSync in the Value box. Click Next.
    (screenshot: Inbound 2 scope)
  6. Leave the Join rules empty, and then click Next.
  7. Click Add Transformation, select Constant as the FlowType, and select cloudFiltered as the Target Attribute. In the Source text box, type True. Click Add to save the rule.
    (screenshot: Inbound 3 transformation)
  8. To complete the configuration, you need to run a Full sync. Continue reading the section Apply and verify changes.

Positive filtering: "only sync these"

Expressing positive filtering can be more challenging because you also have to consider objects that aren't obvious candidates for synchronization, such as conference rooms. You are also going to override the default filter in the out-of-box rule In from AD - User Join. When you create your custom filter, make sure to not include critical system objects, replication conflict objects, special mailboxes, and the service accounts for Azure AD Connect.

The positive filtering option requires two sync rules. You need one rule (or several) with the correct scope of objects to synchronize. You also need a second catch-all sync rule that filters out all objects that haven't yet been identified as objects that should be synchronized.

In the following example, you only synchronize user objects where the department attribute has the value Sales.

  1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
  2. Start Synchronization Rules Editor from the Start menu.
  3. Make sure Inbound is selected, and click Add New Rule.
  4. Give the rule a descriptive name, such as "In from AD - User Sales sync". Select the correct forest, select User as the CS object type, and select Person as the MV object type. In Link Type, select Join. In Precedence, type a value that isn't currently used by another synchronization rule (for example 51), and then click Next.
    (screenshot: Inbound 4 description)
  5. In Scoping filter, click Add Group, and click Add Clause. In Attribute, select department. Make sure that Operator is set to EQUAL, and type the value Sales in the Value box. Click Next.
    (screenshot: Inbound 5 scope)
  6. Leave the Join rules empty, and then click Next.
  7. Click Add Transformation, select Constant as the FlowType, and select cloudFiltered as the Target Attribute. In the Source box, type False. Click Add to save the rule.
    (screenshot: Inbound 6 transformation)
    This is a special case where you explicitly set cloudFiltered to False.
  8. We now have to create the catch-all sync rule. Give the rule a descriptive name, such as "In from AD - User Catch-all filter". Select the correct forest, select User as the CS object type, and select Person as the MV object type. In Link Type, select Join. In Precedence, type a value that isn't currently used by another synchronization rule (for example 99). You've selected a precedence value that is higher (lower precedence) than the previous sync rule. But you've also left some room so that you can add more filtering sync rules later when you want to start synchronizing additional departments. Click Next.
    (screenshot: Inbound 7 description)
  9. Leave Scoping filter empty, and click Next. An empty filter indicates that the rule is to be applied to all objects.
  10. Leave the Join rules empty, and then click Next.
  11. Click Add Transformation, select Constant as the FlowType, and select cloudFiltered as the Target Attribute. In the Source box, type True. Click Add to save the rule.
    (screenshot: Inbound 3 transformation)
  12. To complete the configuration, you need to run a Full sync. Continue reading the section Apply and verify changes.

If you need to, you can create more rules of the first type where you include more objects in the synchronization.
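The scoping and precedence semantics described above (clauses ANDed within a group, groups ORed, the in-scope rule with the lowest precedence number supplying cloudFiltered, and the empty-scope catch-all rule) as an added PowerShell model. This is example code written for this page, not part of the article or of Azure AD Connect itself; the three rules mirror the article's DoNotSyncFilter, Sales sync and Catch-all rules, while the sample users, the case-insensitive comparison and the restriction to the EQUAL and ENDSWITH operators are constructed assumptions.

```powershell
# Added example (not from the article or from Azure AD Connect): a small model of how inbound
# scoping filters and attribute-flow precedence decide a user's cloudFiltered value.
# Assumptions: only the EQUAL and ENDSWITH operators used in the article are modelled,
# comparisons are treated as case-insensitive, and the users below are constructed samples.

function Test-Clause {
    param([hashtable]$Object, [hashtable]$Clause)
    $value = [string]($Object[$Clause.Attribute])   # missing attribute -> empty string, never matches
    switch ($Clause.Operator) {
        'EQUAL'    { return ($value -eq $Clause.Value) }
        'ENDSWITH' { return $value.EndsWith([string]$Clause.Value, [System.StringComparison]::OrdinalIgnoreCase) }
        default    { throw "Unsupported operator '$($Clause.Operator)'" }
    }
}

# A scoping filter is a list of groups: clauses inside a group are ANDed, groups are ORed.
# An empty filter (no groups) puts every object in scope, which is what the catch-all rule relies on.
function Test-InScope {
    param([hashtable]$Object, [object[]]$Groups)
    if (-not $Groups -or $Groups.Count -eq 0) { return $true }
    foreach ($group in $Groups) {
        $allClausesTrue = $true
        foreach ($clause in $group.Clauses) {
            if (-not (Test-Clause -Object $Object -Clause $clause)) { $allClausesTrue = $false; break }
        }
        if ($allClausesTrue) { return $true }
    }
    return $false
}

# Of all in-scope rules that flow a constant into cloudFiltered, the one with the lowest
# precedence number wins. If no rule is in scope, the attribute stays NULL (absent).
function Resolve-CloudFiltered {
    param([hashtable]$Object, [object[]]$Rules)
    $winner = $Rules |
        Where-Object { Test-InScope -Object $Object -Groups $_.Scope } |
        Sort-Object -Property Precedence |
        Select-Object -First 1
    if ($null -eq $winner) { return $null }
    return $winner.CloudFiltered
}

function Get-SyncDecision {
    param([hashtable]$Object, [object[]]$Rules)
    $cloudFiltered = Resolve-CloudFiltered -Object $Object -Rules $Rules
    $shown = if ($null -eq $cloudFiltered) { 'NULL' } else { $cloudFiltered }
    [pscustomobject]@{
        User          = $Object.Name
        cloudFiltered = $shown
        Synchronized  = ($cloudFiltered -ne $true)   # only an explicit True blocks the object
    }
}

function New-Clause([string]$Attribute, [string]$Operator, [string]$Value) {
    @{ Attribute = $Attribute; Operator = $Operator; Value = $Value }
}

# The three rules from the article's negative and positive filtering walkthroughs.
$rules = @(
    [pscustomobject]@{ Name = 'In from AD - User DoNotSyncFilter'; Precedence = 50; CloudFiltered = $true
                       Scope = @( @{ Clauses = @( (New-Clause 'extensionAttribute15' 'EQUAL' 'NoSync') ) } ) }
    [pscustomobject]@{ Name = 'In from AD - User Sales sync'; Precedence = 51; CloudFiltered = $false
                       Scope = @( @{ Clauses = @( (New-Clause 'department' 'EQUAL' 'Sales') ) } ) }
    [pscustomobject]@{ Name = 'In from AD - User Catch-all filter'; Precedence = 99; CloudFiltered = $true
                       Scope = @() }
)

# Constructed sample users.
$users = @(
    @{ Name = 'alice'; department = 'Sales' }                                   # synced: rule 51 (False) beats 99
    @{ Name = 'bob';   department = 'IT' }                                      # blocked: only the catch-all applies
    @{ Name = 'carol'; department = 'Sales'; extensionAttribute15 = 'NoSync' }  # blocked: rule 50 beats 51
)
$users | ForEach-Object { Get-SyncDecision -Object $_ -Rules $rules } | Format-Table -AutoSize

# The article's two-group scope, (department = IT) OR (department = Sales AND c = US):
$itOrUsSales = @(
    @{ Clauses = @( (New-Clause 'department' 'EQUAL' 'IT') ) }
    @{ Clauses = @( (New-Clause 'department' 'EQUAL' 'Sales'), (New-Clause 'c' 'EQUAL' 'US') ) }
)
$probes = @( @{ Name = 'dave'; department = 'IT' }, @{ Name = 'erin'; department = 'Sales'; c = 'US' }, @{ Name = 'frank'; department = 'Sales'; c = 'GB' } )
foreach ($u in $probes) {
    "{0}: in scope = {1}" -f $u.Name, (Test-InScope -Object $u -Groups $itOrUsSales)
}
```

The model makes the precedence interplay visible: carol is in scope of both the Sales rule (51, False) and the DoNotSyncFilter rule (50, True), and the lower number wins, so she is filtered out even though her department matches. Add a fourth rule with an unused number between 52 and 98 to see how the article's "leave some room" advice lets you admit another department without touching the catch-all.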

Outbound filtering

In some cases, it's necessary to do the filtering only after the objects have joined in the metaverse. For example, it might be necessary to look at the mail attribute from the resource forest, and the userPrincipalName attribute from the account forest, to determine if an object should be synchronized. In these cases, you create the filtering on the outbound rule.

In this example, you change the filtering so that only users that have both their mail and userPrincipalName ending in @contoso.com are synchronized:

  1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
  2. Start Synchronization Rules Editor from the Start menu.
  3. Under Rules Type, click Outbound.
  4. Depending on the version of Connect you use, either find the rule named Out to AAD - User Join or Out to AAD - User Join SOAInAD, and click Edit.
  5. In the pop-up, answer Yes to create a copy of the rule.
  6. On the Description page, change Precedence to an unused value, such as 50.
  7. Click Scoping filter on the left-hand navigation, and then click Add clause. In Attribute, select mail. In Operator, select ENDSWITH. In Value, type @contoso.com, and then click Add clause. In Attribute, select userPrincipalName. In Operator, select ENDSWITH. In Value, type @contoso.com.
  8. Click Save.
  9. To complete the configuration, you need to run a Full sync. Continue reading the section Apply and verify changes.

应用并验证更改 Apply and verify changes

更改配置后,必须将这些更改应用到系统中现有的对象。After you've made your configuration changes, you must apply them to the objects that are already present in the system. 也可能需要处理同步引擎中当前不存在的对象,因此同步引擎需要再次读取源系统来验证其内容。It might also be that the objects that aren't currently in the sync engine should be processed (and the sync engine needs to read the source system again to verify its content).

如果使用域或组织单位筛选更改了配置,则需要执行完全导入,然后执行增量同步。If you changed the configuration by using domain or organizational-unit filtering, then you need to do a Full import, followed by Delta synchronization.

如果使用属性筛选更改了配置,则需要执行完全同步。If you changed the configuration by using attribute filtering, then you need to do a Full synchronization.

Do the following steps:

  1. Start Synchronization Service from the Start menu.
  2. Select Connectors. In the Connectors list, select the Connector where you made a configuration change earlier. In Actions, select Run.
    [Screenshot: Connector run]
  3. In Run profiles, select the operation that was mentioned in the previous section. If you need to run two actions, run the second after the first one has finished (the State column is Idle for the selected connector).

After the synchronization, all changes are staged to be exported. Before you actually make the changes in Azure AD, you want to verify that all these changes are correct.

  1. Start a command prompt, and go to %Program Files%\Azure AD Sync\bin.
  2. Run csexport "Name of Connector" %temp%\export.xml /f:x.
    The name of the Connector is in Synchronization Service. It has a name similar to "contoso.com - AAD" for Azure AD.
  3. Run CSExportAnalyzer %temp%\export.xml > %temp%\export.csv.
  4. You now have a file in %temp% named export.csv that can be examined in Microsoft Excel. This file contains all the changes that are about to be exported.
  5. Make the necessary changes to the data or configuration, and run these steps again (Import, Synchronize, and Verify) until the changes that are about to be exported are what you expect.
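Reading export.csv in Excel is the documented check; the script below is an added example, not part of the article, that summarizes the same staged changes straight from the export.xml produced in step 2, by operation and object type, and flags a delete count above the accidental-delete threshold. It assumes csexport's XML records each staged change as a delta element with an operation attribute under unapplied-export of each cs-object (the FIM/MIM connector-space schema); adjust the XPath if your version differs.

```powershell
# Added example (not from the article): summarize staged exports from export.xml
# and warn when the number of deletes exceeds the threshold (500 by default).
# Assumption: <cs-object object-type cs-dn> / <unapplied-export> / <delta operation>
# is the layout csexport writes; adjust the XPath below if yours differs.
param(
    [string]$ExportXml       = "$env:TEMP\export.xml",
    [int]   $DeleteThreshold = 500
)

[xml]$doc = Get-Content -Path $ExportXml -Raw

$changes = foreach ($obj in $doc.SelectNodes('//cs-object')) {
    foreach ($delta in $obj.SelectNodes('unapplied-export/delta')) {
        [pscustomobject]@{
            ObjectType = $obj.GetAttribute('object-type')
            DN         = $obj.GetAttribute('cs-dn')
            Operation  = $delta.GetAttribute('operation')
        }
    }
}

# After narrowing a filter, a Full sync should stage mostly updates; a large
# 'delete' row means many objects fell out of scope, which is worth a second look.
$changes | Group-Object Operation, ObjectType |
    Select-Object @{ n = 'Operation/Type'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

$deletes = @($changes | Where-Object { $_.Operation -eq 'delete' })
if ($deletes.Count -gt $DeleteThreshold) {
    $msg = '{0} deletes staged, above the threshold of {1}: the Export run will ' +
           'fail until the filter is corrected or prevent accidental deletes is ' +
           'temporarily disabled.'
    Write-Warning ($msg -f $deletes.Count, $DeleteThreshold)
}

# Keep the DNs slated for deletion for review alongside export.csv.
$deletes | Select-Object DN, ObjectType |
    Export-Csv -Path "$env:TEMP\staged-deletes.csv" -NoTypeInformation
```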

When you're satisfied, export the changes to Azure AD.

  1. Select Connectors. In the Connectors list, select the Azure AD Connector. In Actions, select Run.
  2. In Run profiles, select Export.
  3. If your configuration changes delete many objects, then you see an error in the export when the number is more than the configured threshold (by default 500). If you see this error, then you need to temporarily disable the "prevent accidental deletes" feature.

Now it's time to enable the scheduler again.

  1. Start Task Scheduler from the Start menu.
  2. Directly under Task Scheduler Library, find the task named Azure AD Sync Scheduler, right-click, and select Enable.

Group-based filtering

You can configure group-based filtering the first time that you install Azure AD Connect by using custom installation. It's intended for a pilot deployment where you want only a small set of objects to be synchronized. When you disable group-based filtering, it can't be enabled again. It's not supported to use group-based filtering in a custom configuration. It's only supported to configure this feature by using the installation wizard. When you've completed your pilot, use one of the other filtering options in this topic. When using OU-based filtering in conjunction with group-based filtering, the OU(s) where the group and its members are located must be included.

When synchronizing multiple AD forests, you can configure group-based filtering by specifying a different group for each AD connector. If you wish to synchronize a user in one AD forest and the same user has one or more corresponding objects in other AD forests, you must ensure that the user object and all its corresponding objects are within group-based filtering scope. For example:

  • You have a user in one forest that has a corresponding FSP (Foreign Security Principal) object in another forest. Both objects must be within group-based filtering scope. Otherwise, the user will not be synchronized to Azure AD.

  • You have a user in one forest that has a corresponding resource account (e.g., a linked mailbox) in another forest. Further, you have configured Azure AD Connect to link the user with the resource account. Both objects must be within group-based filtering scope. Otherwise, the user will not be synchronized to Azure AD.

  • You have a user in one forest that has a corresponding mail contact in another forest. Further, you have configured Azure AD Connect to link the user with the mail contact. Both objects must be within group-based filtering scope. Otherwise, the user will not be synchronized to Azure AD.

Next steps