Identity synchronization and duplicate attribute resiliency

Duplicate Attribute Resiliency is a feature in Azure Active Directory that removes the friction caused by UserPrincipalName and ProxyAddress conflicts when running one of Microsoft's synchronization tools.

These two attributes are generally required to be unique across all User, Group, or Contact objects in a given Azure Active Directory tenant.

Note

Only Users can have UPNs.

The new behavior that this feature enables lives in the cloud portion of the sync pipeline, so it is client agnostic and applies to any Microsoft synchronization product, including Azure AD Connect, DirSync and MIM + Connector. The generic term "sync client" is used in this document to mean any one of these products.

Current behavior

If there is an attempt to provision a new object with a UPN or ProxyAddress value that violates this uniqueness constraint, Azure Active Directory blocks that object from being created. Similarly, if an object is updated with a non-unique UPN or ProxyAddress, the update fails. The sync client retries the provisioning attempt or update on each export cycle, and it keeps failing until the conflict is resolved. An error report e-mail is generated on each attempt and the sync client logs an error.

Behavior with Duplicate Attribute Resiliency

Instead of failing outright to provision or update an object that has a duplicate attribute, Azure Active Directory "quarantines" the duplicate attribute that would violate the uniqueness constraint. If the attribute is required for provisioning, as UserPrincipalName is, the service assigns a placeholder value. These temporary values have the format
<OriginalPrefix>+<4DigitNumber>@<InitialTenantDomain>.partner.onmschina.cn
If the attribute is not required, as a ProxyAddress is not, Azure Active Directory simply quarantines the conflicting attribute and proceeds with the object creation or update.

When the attribute is quarantined, information about the conflict is sent in the same error report e-mail used by the old behavior. However, this information appears in the error report only once, at the time the quarantine happens; it is not repeated in later e-mails. Also, because the export of the object has succeeded, the sync client logs no error and does not retry the create or update operation on subsequent sync cycles. That one-time e-mail and the quarantine attribute described below are therefore the only record that a conflict exists, so the attribute should be reviewed actively rather than relying on the sync client to keep surfacing it.

To support this behavior a new attribute has been added to the User, Group, and Contact object classes:
DirSyncProvisioningErrors

This is a multi-valued attribute that stores the conflicting attribute values that would violate the uniqueness constraint if they were added normally. A background timer task in Azure Active Directory runs every hour, looks for duplicate attribute conflicts that have since been resolved, and automatically removes the affected values from quarantine.

Enabling Duplicate Attribute Resiliency

Duplicate Attribute Resiliency will be the new default behavior across all Azure Active Directory tenants. It is on by default for every tenant that enabled synchronization for the first time on August 22nd, 2016 or later. Tenants that enabled sync before that date have the feature enabled in batches. This rollout begins in September 2016, and an e-mail notification is sent to each tenant's technical notification contact with the specific date on which the feature will be enabled.

Note

Once Duplicate Attribute Resiliency has been turned on it cannot be disabled.

To check whether the feature is enabled for your tenant, download the latest version of the Azure Active Directory PowerShell module and run:

Get-MsolDirSyncFeatures -Feature DuplicateUPNResiliency

Get-MsolDirSyncFeatures -Feature DuplicateProxyAddressResiliency

Note

You can no longer use the Set-MsolDirSyncFeature cmdlet to proactively enable the Duplicate Attribute Resiliency feature before it is turned on for your tenant. To test the feature, you need to create a new Azure Active Directory tenant.

Identifying objects with DirSyncProvisioningErrors

There are currently two ways to identify objects that have these errors because of duplicate property conflicts: Azure Active Directory PowerShell and the Microsoft 365 admin center. There are plans to extend this to additional portal-based reporting in the future.

Azure Active Directory PowerShell

For the PowerShell cmdlets in this topic, the following is true:

  • All of the following cmdlets are case sensitive.
  • -ErrorCategory PropertyConflict must always be included. There are currently no other types of ErrorCategory, but this may be extended in the future.

First, run Connect-MsolService -AzureEnvironment AzureChinaCloud and enter the credentials of a tenant administrator.

Then use the following cmdlets and operators to view errors in different ways:

  1. See all
  2. By property type
  3. By conflicting value
  4. Using a string search
  5. Sorted
  6. In a limited quantity or all

See all

Once connected, to see a general list of attribute provisioning errors in the tenant, run:

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict

This produces a result like the following:
(Screenshot: sample output of Get-MsolDirSyncProvisioningError.)

By property type

To see errors by property type, add the -PropertyName flag with the UserPrincipalName or ProxyAddresses argument:

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName UserPrincipalName

Or

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName ProxyAddresses

By conflicting value

To see errors relating to a specific property value, add the -PropertyValue flag (-PropertyName must also be given when this flag is used):

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyValue User@domain.com -PropertyName UserPrincipalName

To do a broad string search, use the -SearchString flag. It can be used independently of all the flags above, with the exception of -ErrorCategory PropertyConflict, which is always required:

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -SearchString User

In a limited quantity or all

  1. -MaxResults <Int> limits the query to a specific number of results.
  2. -All ensures that all results are retrieved when a large number of errors exists.

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -MaxResults 5
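The cmdlets above are usually combined into one triage pass. The script below is an added example, not part of the original page or of Microsoft's tooling: it signs in to the Azure China cloud, pulls every PropertyConflict error, flattens each object's quarantined values into one row, and marks users whose current UPN matches the placeholder format described earlier. It assumes the MSOnline module is installed and that each error object exposes DisplayName, ObjectId, ObjectType and a ProvisioningErrors collection whose entries carry PropertyName and PropertyValue; the pattern used to recognise placeholder UPNs is this example's own.

```powershell
# Added example (not from the original page): triage every quarantined duplicate
# attribute in the tenant and flag UPNs that carry the resiliency placeholder.
# Assumed property names: DisplayName, ObjectId, ObjectType, ProvisioningErrors
# (entries with PropertyName and PropertyValue).

Import-Module MSOnline

# Sign in to the Azure China cloud as a tenant administrator (interactive prompt).
Connect-MsolService -AzureEnvironment AzureChinaCloud

# -ErrorCategory PropertyConflict is mandatory; -All avoids the default page
# size truncating the list in a tenant with many conflicts.
$conflicts = Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -All

# Placeholder UPNs have the form
# <OriginalPrefix><4 digits>@<InitialTenantDomain>.partner.onmschina.cn
# (regex is an assumption of this example, derived from the documented format).
$placeholderPattern = '^[^@]+\d{4}@[^@.]+\.partner\.onmschina\.cn$'

$report = foreach ($obj in $conflicts) {
    # A user whose UPN was quarantined is now known by the placeholder, so
    # look up its current UPN to make the rename visible in the report.
    $currentUpn = $null
    if ($obj.ObjectType -eq 'User') {
        $currentUpn = (Get-MsolUser -ObjectId $obj.ObjectId).UserPrincipalName
    }
    foreach ($e in $obj.ProvisioningErrors) {
        [pscustomobject]@{
            ObjectType        = $obj.ObjectType
            DisplayName       = $obj.DisplayName
            ObjectId          = $obj.ObjectId
            Property          = $e.PropertyName
            QuarantinedValue  = $e.PropertyValue
            CurrentUpn        = $currentUpn
            HasPlaceholderUpn = [bool]($currentUpn -and $currentUpn -match $placeholderPattern)
        }
    }
}

# Summary by property type, then the full list sorted for on-premises follow-up.
$report | Group-Object Property | Select-Object Name, Count | Format-Table -AutoSize
$report | Sort-Object Property, QuarantinedValue | Format-Table -AutoSize

# Keep a record: each conflict is e-mailed once and the sync client will not
# retry it, so nothing else reminds you until the hourly service-side sweep
# clears the value after you fix the source data.
$report | Export-Csv -Path .\DirSyncProvisioningErrors.csv -NoTypeInformation
```

Run it from an elevated session that can reach the Azure China endpoints; the CSV gives you the quarantined value and the object that lost it, which is exactly what you need to search for on-premises.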

Microsoft 365 admin center

You can view directory synchronization errors in the Microsoft 365 admin center. The report in the Microsoft 365 admin center displays only User objects that have these errors. It does not show information about conflicts involving Groups and Contacts.

(Screenshot: the Active Users page in the Microsoft 365 admin center.)

For instructions on how to view directory synchronization errors in the Microsoft 365 admin center, see Identify directory synchronization errors in Office 365.

Identity synchronization error report

When an object with a duplicate attribute conflict is handled by this new behavior, a notification is included in the standard Identity Synchronization Error Report e-mail that is sent to the tenant's Technical Notification contact. There is, however, an important change in this behavior. In the past, information about a duplicate attribute conflict was included in every subsequent error report until the conflict was resolved. With the new behavior, the error notification for a given conflict appears only once, at the time the conflicting attribute is quarantined.

Here is an example of the e-mail notification for a ProxyAddress conflict:
(Screenshot: example Identity Synchronization Error Report e-mail for a ProxyAddress conflict.)

Resolving conflicts

The troubleshooting strategy and resolution tactics for these errors are no different from the way duplicate attribute errors were handled in the past. The only difference is that, once the conflict is resolved, the timer task sweeps through the tenant on the service side and automatically adds the attribute in question back to the proper object.

The following article outlines various troubleshooting and resolution strategies: Duplicate or invalid attributes prevent directory synchronization in Office 365.
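Resolution starts with finding every on-premises object that still carries the quarantined value. The function below is an added example, not code from the original page or from the linked article: given a value copied from the cloud error report, it searches Active Directory for objects that hold it as userPrincipalName or as a proxy address under any prefix (smtp:, SMTP:, sip:, and so on, since the cloud treats these as the same conflict regardless of case). It assumes the ActiveDirectory RSAT module; the LDAP escaping helper, the prefix-stripping logic and the function name are this example's own.

```powershell
# Added example (not from the original page): locate the on-premises holders of
# a quarantined UPN or proxy address so you can decide which object keeps it.
# Requires the ActiveDirectory module (RSAT). Helper and function names are
# this example's own.

Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP filter (RFC 4515)
    # so that a value pasted from a report cannot alter the query's meaning.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'   { [void]$sb.Append('\5c') }
            '*'   { [void]$sb.Append('\2a') }
            '('   { [void]$sb.Append('\28') }
            ')'   { [void]$sb.Append('\29') }
            "`0"  { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-ADDuplicateHolders {
    # Returns on-prem objects whose userPrincipalName equals the value or whose
    # proxyAddresses contains it under any prefix.
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Reports may give "smtp:Joe@contoso.com"; strip the prefix so the UPN and
    # proxyAddresses clauses both match on the bare address.
    $bare = if ($Value -match '^[A-Za-z0-9]+:(.+)$') { $Matches[1] } else { $Value }
    $escaped = ConvertTo-LdapFilterValue $bare
    $filter  = "(|(userPrincipalName=$escaped)(proxyAddresses=*:$escaped))"
    # -like pattern for picking out the matching proxy entries (wildcards escaped).
    $proxyPattern = '*:' + [System.Management.Automation.WildcardPattern]::Escape($bare)

    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase `
        -Properties userPrincipalName, proxyAddresses, mail, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                ObjectClass       = $_.ObjectClass
                DistinguishedName = $_.DistinguishedName
                UserPrincipalName = $_.userPrincipalName
                MatchingProxies   = @($_.proxyAddresses | Where-Object { $_ -like $proxyPattern })
                WhenCreated       = $_.whenCreated
            }
        }
}

# Usage: feed it a value straight from the DirSyncProvisioningErrors report.
$holders = Find-ADDuplicateHolders -Value 'smtp:Joe@contoso.com'
$holders | Format-Table -AutoSize

if (@($holders).Count -gt 1) {
    Write-Warning 'More than one on-prem object carries this value; remove it from all but the intended owner.'
}
```

Once the value is removed from (or changed on) the unintended object and that change has synced, no further action is needed on the cloud side: the hourly sweep finds the resolved conflict and restores the quarantined value to the object that still legitimately has it on-premises.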

Known issues

None of these known issues causes data loss or service degradation. Several are cosmetic, others cause standard "pre-resiliency" duplicate attribute errors to be thrown instead of the conflicting attribute being quarantined, and one causes certain errors to require extra manual fix-up.

Core behavior:

  1. Objects with specific attribute configurations continue to receive export errors instead of having the duplicate attribute(s) quarantined.
    For example:

    a. A new user is created in AD with a UPN of Joe@contoso.com and a ProxyAddress of smtp:Joe@contoso.com.

    b. The properties of this object conflict with an existing Group whose ProxyAddress is SMTP:Joe@contoso.com.

    c. On export, a ProxyAddress conflict error is thrown instead of the conflicting attributes being quarantined. The operation is retried on each subsequent sync cycle, as it would have been before the resiliency feature was enabled.

  2. If two Groups are created on-premises with the same SMTP address, one fails to provision on the first attempt with a standard duplicate ProxyAddress error. However, the duplicate value is properly quarantined on the next sync cycle.

Office Portal Report:

  1. The detailed error message for the two objects in a UPN conflict set is the same. This suggests that both have had their UPN changed/quarantined, when in fact only one of them had any data changed.

  2. The detailed error message for a UPN conflict shows the wrong displayName for a user whose UPN was changed/quarantined. For example:

    a. User A syncs up first with UPN = User@contoso.com.

    b. User B is then synced up with UPN = User@contoso.com.

    c. User B's UPN is changed to User1234@contoso.partner.onmschina.cn and User@contoso.com is added to DirSyncProvisioningErrors.

    d. The error message for User B should indicate that User A already has User@contoso.com as a UPN, but it shows User B's own displayName instead.

Identity synchronization error report:

The link for the steps on how to resolve this issue is incorrect:
(Screenshot: the error report e-mail with the incorrect resolution link.)

It should point to duplicateattributeresiliency.

See also