Azure AD Connect sync: Technical Concepts

This article is a summary of the topic Understanding architecture.

Azure AD Connect sync builds upon a solid metadirectory synchronization platform. The following sections introduce the concepts for metadirectory synchronization. Building upon MIIS, ILM, and FIM, the Azure Active Directory Sync Services provides the next platform for connecting to data sources, synchronizing data between data sources, and provisioning and deprovisioning identities.

Technical concepts

The following sections provide more details about these aspects of the FIM Synchronization Service:

  • Connector
  • Attribute flow
  • Connector space
  • Metaverse
  • Provisioning

Connector

The code modules that are used to communicate with a connected directory are called connectors (formerly known as management agents (MAs)).

The connectors are installed on the computer running Azure AD Connect sync. They communicate with the connected system over its own remote protocols instead of relying on the deployment of specialized agents. This means decreased risk and shorter deployment times, especially when dealing with critical applications and systems.

In the picture above, the connector is synonymous with the connector space but encompasses all communication with the external system.

The connector is responsible for all import and export functionality to the system, and it frees developers from needing to understand how to connect to each system natively when using declarative provisioning to customize data transformations.

Imports and exports only occur when scheduled, which provides further insulation from changes occurring within the system, since changes do not automatically propagate to the connected data source. In addition, developers may create their own connectors for connecting to virtually any data source.

Attribute flow

The metaverse is the consolidated view of all joined identities from neighboring connector spaces. In the figure above, attribute flow is depicted by lines with arrowheads for both inbound and outbound flow. Attribute flow is the process of copying or transforming data from one system to another, and it applies to all attribute flows, inbound or outbound.

Attribute flow occurs bi-directionally between the connector space and the metaverse when synchronization (full or delta) operations are scheduled to run.

Attribute flow only occurs when these synchronizations are run. Attribute flows are defined in synchronization rules. These can be inbound (ISR in the picture above) or outbound (OSR in the picture above).

Connected system

A connected system (also called a connected directory) is the remote system that Azure AD Connect sync has connected to and reads identity data from and writes identity data to.

Connector space

Each connected data source is represented as a filtered subset of its objects and attributes in the connector space. This allows the sync service to operate locally, without contacting the remote system when synchronizing objects, and restricts interaction with the remote system to imports and exports only.

When the data source and the connector are able to provide a list of changes (a delta import), operational efficiency increases dramatically, because only the changes since the last polling cycle are exchanged. The connector space insulates the connected data source from changes propagating automatically by requiring that the connector schedule imports and exports. This added insulation lets you test, preview, or confirm the next update before it reaches the connected data source.

Metaverse

The metaverse is the consolidated view of all joined identities from neighboring connector spaces.

As identities are linked together and authority for the various attributes is assigned through import flow mappings, the central metaverse object begins to aggregate information from multiple systems. From this object, attribute flow mappings carry information to outbound systems.

Objects are created when an authoritative system projects them into the metaverse. As soon as all connections are removed, the metaverse object is deleted.

Objects in the metaverse cannot be edited directly. All data in the object must be contributed through attribute flow. The metaverse maintains persistent connectors with each connector space. These connectors do not require reevaluation for each synchronization run. This means that Azure AD Connect sync does not have to locate the matching remote object each time, and it avoids the need for costly agents to prevent changes to the attributes that would normally be responsible for correlating the objects.

When discovering new data sources that may have preexisting objects that need to be managed, Azure AD Connect sync uses a process called a join rule to evaluate potential candidates with which to establish a link. Once the link is established, this evaluation does not reoccur, and normal attribute flow can occur between the remote connected data source and the metaverse.

Provisioning

When an authoritative source projects a new object into the metaverse, a new connector space object can be created in another connector representing a downstream connected data source.

This inherently establishes a link, and attribute flow can proceed bi-directionally.

Whenever a rule determines that a new connector space object needs to be created, this is called provisioning. However, because this operation only takes place within the connector space, it does not carry over into the connected data source until an export is performed.
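The following is an added example, not part of the original article, that walks the pipeline described in the sections above on an Azure AD Connect server: connectors, the inbound/outbound sync rules that define attribute flow, a connector space object and its persistent link to its metaverse object, and the scheduler that gates imports, exports and synchronization. It assumes the ADSync PowerShell module that ships with Azure AD Connect and an administrative session; the connector name and the distinguished name are placeholders to replace with your own values.

```powershell
# Added example (not from the article). Assumes the ADSync module installed with Azure AD Connect.
Import-Module ADSync

$onPremConnector = 'contoso.local'                            # placeholder: on-premises AD connector name
$userDn          = 'CN=Jane Doe,OU=Users,DC=contoso,DC=local'  # placeholder: a user in that connector space

# 1. Connectors: the code modules that communicate with each connected system.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName, Identifier | Format-Table -AutoSize

# 2. Sync rules: inbound (ISR) rules flow connector space -> metaverse, outbound (OSR) rules
#    flow metaverse -> connector space. Listing the mappings by precedence shows which rule is
#    authoritative for each attribute, which is what you review when auditing who can change
#    a synchronized identity.
Get-ADSyncRule |
    Where-Object { -not $_.Disabled } |
    Sort-Object Direction, Precedence |
    ForEach-Object {
        [pscustomobject]@{
            Rule       = $_.Name
            Direction  = $_.Direction
            Precedence = $_.Precedence
            Flows      = ($_.AttributeFlowMappings |
                          ForEach-Object { "$($_.Source) -> $($_.Destination)" }) -join '; '
        }
    } | Format-Table -Wrap

# 3. Connector space object: the local, filtered copy of the remote object. Its lineage records
#    which rules projected, joined or provisioned it.
$csObject = Get-ADSyncCSObject -ConnectorName $onPremConnector -DistinguishedName $userDn
$csObject.Lineage | Select-Object SyncRuleName, Operation | Format-Table -AutoSize

# 4. Metaverse object: follow the persistent link instead of re-running join evaluation.
if ($csObject.ConnectedMVObjectId) {
    $mvObject = Get-ADSyncMVObject -Identifier $csObject.ConnectedMVObjectId
    $mvObject.Attributes |
        Where-Object { $_.Name -in 'displayName', 'userPrincipalName', 'sourceAnchor' } |
        Select-Object Name, Values | Format-Table -AutoSize
}

# 5. Scheduler: nothing reaches a connected data source until a cycle runs; a delta cycle
#    exchanges only the changes since the last polling cycle.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SchedulerSuspended, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta
```

Reviewing the rule precedence and the lineage of a connector space object is also how you confirm, after a provisioning change, which rule created an object before the next export carries it to the connected data source.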

Additional Resources