Azure AD Connect sync: Scheduler

This topic describes the built-in scheduler in Azure AD Connect sync (sync engine).

This feature was introduced with build 1.1.105.0 (released February 2016).

Overview

Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. There are two scheduler processes, one for password sync and another for object/attribute sync and maintenance tasks. This topic covers the latter.

In earlier releases, the scheduler for objects and attributes was external to the sync engine. It used Windows task scheduler or a separate Windows service to trigger the synchronization process. With the 1.1 releases, the scheduler is built into the sync engine and allows some customization. The new default synchronization frequency is 30 minutes.

The scheduler is responsible for two tasks:

  • Synchronization cycle. The process to import, sync, and export changes.
  • Maintenance tasks. Renew keys and certificates for Password reset and Device Registration Service (DRS). Purge old entries in the operations log.

The scheduler itself is always running, but it can be configured to only run one or none of these tasks. For example, if you need to have your own synchronization cycle process, you can disable this task in the scheduler but still run the maintenance task.

Scheduler configuration

To see your current configuration settings, go to PowerShell and run Get-ADSyncScheduler. It shows you something like this picture:

[Image: GetSyncScheduler]

If you see "The sync command or cmdlet is not available" when you run this cmdlet, then the PowerShell module is not loaded. This problem could happen if you run Azure AD Connect on a domain controller or on a server with higher PowerShell restriction levels than the default settings. If you see this error, then run Import-Module ADSync to make the cmdlet available.

  • AllowedSyncCycleInterval. The shortest time interval between synchronization cycles allowed by Azure AD. You cannot synchronize more frequently than this setting and still be supported.
  • CurrentlyEffectiveSyncCycleInterval. The schedule currently in effect. It has the same value as CustomizedSyncCycleInterval (if set) if it is not more frequent than AllowedSyncCycleInterval. If you use a build before 1.1.281 and you change CustomizedSyncCycleInterval, this change takes effect after the next synchronization cycle. From build 1.1.281 the change takes effect immediately.
  • CustomizedSyncCycleInterval. If you want the scheduler to run at any other frequency than the default 30 minutes, then you configure this setting. In the picture above, the scheduler has been set to run every hour instead. If you set this setting to a value lower than AllowedSyncCycleInterval, then the latter is used.
  • NextSyncCyclePolicyType. Either Delta or Initial. Defines if the next run should only process delta changes, or if the next run should do a full import and sync. The latter would also reprocess any new or changed rules.
  • NextSyncCycleStartTimeInUTC. Next time the scheduler starts the next sync cycle.
  • PurgeRunHistoryInterval. The time operation logs should be kept. These logs can be reviewed in the synchronization service manager. The default is to keep these logs for 7 days.
  • SyncCycleEnabled. Indicates if the scheduler is running the import, sync, and export processes as part of its operation.
  • MaintenanceEnabled. Shows if the maintenance process is enabled. It updates the certificates/keys and purges the operations log.
  • StagingModeEnabled. Shows if staging mode is enabled. If this setting is enabled, then it suppresses the exports from running but still runs import and synchronization.
  • SchedulerSuspended. Set by Connect during an upgrade to temporarily block the scheduler from running.

You can change some of these settings with Set-ADSyncScheduler. The following parameters can be modified:

  • CustomizedSyncCycleInterval
  • NextSyncCyclePolicyType
  • PurgeRunHistoryInterval
  • SyncCycleEnabled
  • MaintenanceEnabled

In earlier builds of Azure AD Connect, isStagingModeEnabled was exposed in Set-ADSyncScheduler. It is unsupported to set this property. The property SchedulerSuspended should only be modified by Connect. It is unsupported to set this with PowerShell directly.

The scheduler configuration is stored in Azure AD. If you have a staging server, any change on the primary server also affects the staging server (except IsStagingModeEnabled).
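The settings above can be checked on a schedule so that a sync cycle left disabled, a suspended scheduler or an unexpected staging flag is noticed. The following is an added example, not part of the original article or of the ADSync module: Test-ADSyncSchedulerState is a hypothetical function name, and the sample object is constructed for illustration.

```powershell
# Added example: report scheduler states that stop or delay synchronization.
# Only the property names described in the list above are used.
function Test-ADSyncSchedulerState {
    param(
        # Pass a constructed object to try the checks offline;
        # when omitted, the live configuration is read.
        $Scheduler = (Get-ADSyncScheduler)
    )
    $findings = @()
    if (-not $Scheduler.SyncCycleEnabled) {
        $findings += 'SyncCycleEnabled is False: import, sync and export are not run by the scheduler.'
    }
    if (-not $Scheduler.MaintenanceEnabled) {
        $findings += 'MaintenanceEnabled is False: keys/certificates are not renewed and the operations log is not purged.'
    }
    if ($Scheduler.SchedulerSuspended) {
        $findings += 'SchedulerSuspended is True: expected only while Connect performs an upgrade.'
    }
    if ($Scheduler.StagingModeEnabled) {
        $findings += 'StagingModeEnabled is True: exports are suppressed on this server.'
    }
    $custom = $Scheduler.CustomizedSyncCycleInterval
    if (($null -ne $custom) -and ($custom -lt $Scheduler.AllowedSyncCycleInterval)) {
        $findings += "CustomizedSyncCycleInterval ($custom) is lower than AllowedSyncCycleInterval; the allowed value is used."
    }
    if ("$($Scheduler.NextSyncCyclePolicyType)" -eq 'Initial') {
        $findings += 'NextSyncCyclePolicyType is Initial: the next run does a full import and sync.'
    }
    $findings
}

# Constructed sample (not real output): sync cycle disabled, interval set too low.
$sample = [pscustomobject]@{
    AllowedSyncCycleInterval    = [timespan]'00:30:00'
    CustomizedSyncCycleInterval = [timespan]'00:10:00'
    NextSyncCyclePolicyType     = 'Delta'
    SyncCycleEnabled            = $false
    MaintenanceEnabled          = $true
    StagingModeEnabled          = $false
    SchedulerSuspended          = $false
}
Test-ADSyncSchedulerState -Scheduler $sample   # returns two findings
```

On a sync server, call Test-ADSyncSchedulerState without arguments; an empty result means none of the conditions above were found.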

CustomizedSyncCycleInterval

Syntax: Set-ADSyncScheduler -CustomizedSyncCycleInterval d.HH:mm:ss
d - days, HH - hours, mm - minutes, ss - seconds

Example: Set-ADSyncScheduler -CustomizedSyncCycleInterval 03:00:00
Changes the scheduler to run every 3 hours.

Example: Set-ADSyncScheduler -CustomizedSyncCycleInterval 1.0:0:0
Changes the scheduler to run daily.

Disable the scheduler

If you need to make configuration changes, then you want to disable the scheduler. For example, when you configure filtering or make changes to synchronization rules.

To disable the scheduler, run Set-ADSyncScheduler -SyncCycleEnabled $false.

[Image: Disable the scheduler]

When you've made your changes, do not forget to enable the scheduler again with Set-ADSyncScheduler -SyncCycleEnabled $true.
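One way to make sure the scheduler is never left disabled after a change is to wrap the change in try/finally. This is an added example, not code from the original article: Invoke-WithSyncCyclePaused and its parameters are hypothetical names, and Get-ADSyncConnectorRunStatus (described later in this topic) requires build 1.1.130.0 or later.

```powershell
# Added example: pause the sync cycle, apply a change, always restore the setting.
function Invoke-WithSyncCyclePaused {
    param(
        [Parameter(Mandatory = $true)]
        [scriptblock]$Change,            # the configuration work to perform
        [int]$IdleTimeoutSeconds = 1800  # how long to wait for a running cycle
    )
    # Remember the current state so a deliberately disabled cycle stays disabled.
    $wasEnabled = (Get-ADSyncScheduler).SyncCycleEnabled
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        # A cycle may already be in progress, and configuration changes cannot
        # be made while one runs. Get-ADSyncConnectorRunStatus returns an empty
        # result once the sync engine is idle.
        $deadline = (Get-Date).AddSeconds($IdleTimeoutSeconds)
        while (Get-ADSyncConnectorRunStatus) {
            if ((Get-Date) -gt $deadline) {
                throw 'Sync engine is still busy; no change was made.'
            }
            Start-Sleep -Seconds 10
        }
        & $Change
    }
    finally {
        # Runs on success, on error and on timeout.
        if ($wasEnabled) {
            Set-ADSyncScheduler -SyncCycleEnabled $true
        }
    }
}

# Usage: put the filtering or sync rule changes inside the script block.
# Invoke-WithSyncCyclePaused -Change { <# configuration changes go here #> }
```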

Start the scheduler

By default, the scheduler runs every 30 minutes. In some cases, you might want to run a sync cycle in between the scheduled cycles or you need to run a different type.

Delta sync cycle

A delta sync cycle includes the following steps:

  • Delta import on all Connectors
  • Delta sync on all Connectors
  • Export on all Connectors

Full sync cycle

A full sync cycle includes the following steps:

  • Full Import on all Connectors
  • Full Sync on all Connectors
  • Export on all Connectors

It could be that you have an urgent change that must be synchronized immediately, which is why you need to manually run a cycle.

If you need to manually run a sync cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta.

To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.

Running a full sync cycle can be very time consuming; read the next section to learn how to optimize this process.

Sync steps required for different configuration changes

Different configuration changes require different sync steps to ensure the changes are correctly applied to all objects.

  • Added more objects or attributes to be imported from a source directory (by adding/modifying the sync rules)
    • A Full Import is required on the Connector for that source directory
  • Made changes to the Synchronization rules
    • A Full Sync is required on the Connector for the changed Synchronization rules
  • Changed filtering so a different number of objects should be included
    • A Full Import is required on the Connector for each AD Connector UNLESS you are using Attribute-based filtering based on attributes that are already being imported into the sync engine

Customizing a sync cycle to run the right mix of Delta and Full sync steps

To avoid running a full sync cycle, you can mark specific Connectors to run a Full step using the following cmdlets.

Set-ADSyncSchedulerConnectorOverride -Connector <ConnectorGuid> -FullImportRequired $true

Set-ADSyncSchedulerConnectorOverride -Connector <ConnectorGuid> -FullSyncRequired $true

Get-ADSyncSchedulerConnectorOverride -Connector <ConnectorGuid>

Example: If you made changes to the synchronization rules for Connector “AD Forest A” that don’t require any new attributes to be imported, you would run the following cmdlets to run a delta sync cycle which also did a Full Sync step for that Connector.

Set-ADSyncSchedulerConnectorOverride -ConnectorName "AD Forest A" -FullSyncRequired $true

Start-ADSyncSyncCycle -PolicyType Delta

Example: If you made changes to the synchronization rules for Connector “AD Forest A” so that they now require a new attribute to be imported, you would run the following cmdlets to run a delta sync cycle which also did a Full Import, Full Sync step for that Connector.

Set-ADSyncSchedulerConnectorOverride -ConnectorName "AD Forest A" -FullImportRequired $true

Set-ADSyncSchedulerConnectorOverride -ConnectorName "AD Forest A" -FullSyncRequired $true

Start-ADSyncSyncCycle -PolicyType Delta

Stop the scheduler

If the scheduler is currently running a synchronization cycle, you might need to stop it. For example, if you start the installation wizard and you get this error:

[Image: SyncCycleRunningError]

When a sync cycle is running, you cannot make configuration changes. You could wait until the scheduler has finished the process, but you can also stop it so you can make your changes immediately. Stopping the current cycle is not harmful and pending changes are processed with the next run.

  1. Start by telling the scheduler to stop its current cycle with the PowerShell cmdlet Stop-ADSyncSyncCycle.
  2. If you use a build before 1.1.281, then stopping the scheduler does not stop the current Connector from its current task. To force the Connector to stop, take the following actions: [Image: StopAConnector]
    • Start Synchronization Service from the start menu. Go to Connectors, highlight the Connector with the state Running, and select Stop from the Actions.

The scheduler is still active and starts again on the next opportunity.

Custom scheduler

The cmdlets documented in this section are only available in build 1.1.130.0 and later.

If the built-in scheduler does not satisfy your requirements, then you can schedule the Connectors using PowerShell.

Invoke-ADSyncRunProfile

You can start a profile for a Connector in this way:

Invoke-ADSyncRunProfile -ConnectorName "name of connector" -RunProfileName "name of profile"

The names to use for Connector names and Run Profile Names can be found in the Synchronization Service Manager UI.

[Image: Invoke Run Profile]

The Invoke-ADSyncRunProfile cmdlet is synchronous, that is, it does not return control until the Connector has completed the operation, either successfully or with an error.

When you schedule your Connectors, the recommendation is to schedule them in the following order:

  1. (Full/Delta) Import from on-premises directories, such as Active Directory
  2. (Full/Delta) Import from Azure AD
  3. (Full/Delta) Synchronization from on-premises directories, such as Active Directory
  4. (Full/Delta) Synchronization from Azure AD
  5. Export to Azure AD
  6. Export to on-premises directories, such as Active Directory

This order is how the built-in scheduler runs the Connectors.
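The recommended order can be scripted as a delta cycle that stops at the first step that does not succeed. This is an added example, not code from the original article: the Connector names and run profile names are placeholders to be replaced with the names shown in the Synchronization Service Manager UI, and the Result property check is an assumption about the object the cmdlet returns.

```powershell
# Added example: run the Connectors in the recommended order (delta variant).
$onPrem = 'contoso.com'                     # placeholder: on-premises AD Connector
$azure  = 'contoso.onmicrosoft.com - AAD'   # placeholder: Azure AD Connector

# Order: import on-premises, import Azure AD, sync on-premises,
# sync Azure AD, export to Azure AD, export to on-premises.
# Run profile names are placeholders as well.
$steps = @(
    @{ Connector = $onPrem; RunProfile = 'Delta Import' }
    @{ Connector = $azure;  RunProfile = 'Delta Import' }
    @{ Connector = $onPrem; RunProfile = 'Delta Synchronization' }
    @{ Connector = $azure;  RunProfile = 'Delta Synchronization' }
    @{ Connector = $azure;  RunProfile = 'Export' }
    @{ Connector = $onPrem; RunProfile = 'Export' }
)

# Do not compete with the built-in sync cycle or with a run already in progress.
if ((Get-ADSyncScheduler).SyncCycleEnabled) {
    throw 'The built-in sync cycle is enabled; disable it before running a custom schedule.'
}
if (Get-ADSyncConnectorRunStatus) {
    throw 'A Connector is already running; try again when the sync engine is idle.'
}

foreach ($step in $steps) {
    # Synchronous: returns only when the Connector has finished or failed.
    $run = Invoke-ADSyncRunProfile -ConnectorName $step.Connector `
        -RunProfileName $step.RunProfile -ErrorAction Stop
    # Assumption: the returned object has a Result property that reads
    # 'success' after a clean run; confirm this on your build.
    $outcome = "$($run.Result)"
    Write-Output ('{0,-32} {1,-22} {2}' -f $step.Connector, $step.RunProfile, $outcome)
    if ($outcome -ne 'success') {
        # Stop so that later steps do not export a partially processed state.
        throw "Run profile '$($step.RunProfile)' on '$($step.Connector)' ended with '$outcome'."
    }
}
```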

Get-ADSyncConnectorRunStatus

You can also monitor the sync engine to see if it is busy or idle. This cmdlet returns an empty result if the sync engine is idle and is not running a Connector. If a Connector is running, it returns the name of the Connector.

Get-ADSyncConnectorRunStatus

[Image: Connector Run Status]
In the picture above, the first line is from a state where the sync engine is idle. The second line is from when the Azure AD Connector is running.

Scheduler and installation wizard

If you start the installation wizard, then the scheduler is temporarily suspended. This behavior is because it is assumed you make configuration changes and these settings cannot be applied if the sync engine is actively running. For this reason, do not leave the installation wizard open since it stops the sync engine from performing any synchronization actions.

Next steps

Learn more about the Azure AD Connect sync configuration.

Learn more about Integrating your on-premises identities with Azure Active Directory.