Azure AD Connect: Upgrade from DirSync

Azure AD Connect is the successor to DirSync. This topic describes the ways you can upgrade from DirSync. These steps do not work for upgrading from another release of Azure AD Connect or from Azure AD Sync.

Before you start installing Azure AD Connect, make sure to download Azure AD Connect and complete the prerequisite steps in Azure AD Connect: Hardware and prerequisites. In particular, read about the following, since these areas are different from DirSync:

  • The required version of .NET and PowerShell. The server needs newer versions than DirSync required.
  • The proxy server configuration. If you use a proxy server to reach the internet, this setting must be configured before you upgrade. DirSync always used the proxy server configured for the user installing it, but Azure AD Connect uses machine settings instead.
  • The URLs required to be open in the proxy server. For basic scenarios, that is, the scenarios also supported by DirSync, the requirements are the same. If you want to use any of the new features included with Azure AD Connect, some new URLs must be opened.

Note

Once you have enabled your new Azure AD Connect server to start synchronizing changes to Azure AD, you must not roll back to using DirSync or Azure AD Sync. Downgrading from Azure AD Connect to legacy clients, including DirSync and Azure AD Sync, is not supported and can lead to issues such as data loss in Azure AD.

Upgrade from DirSync

Depending on your current DirSync deployment, there are different options for the upgrade. If the expected upgrade time is less than three hours, the recommendation is to do an in-place upgrade. If the expected upgrade time is more than three hours, the recommendation is to do a parallel deployment on another server. If you have more than 50,000 objects, the upgrade is estimated to take more than three hours.

Scenario
In-place upgrade
Parallel deployment

Note

When you plan to upgrade from DirSync to Azure AD Connect, do not uninstall DirSync yourself before the upgrade. Azure AD Connect reads and migrates the configuration from DirSync and uninstalls it after inspecting the server.

In-place upgrade
The wizard displays the expected time to complete the upgrade. This estimate is based on the assumption that it takes three hours to complete an upgrade for a database with 50,000 objects (users, contacts, and groups). If the number of objects in your database is less than 50,000, Azure AD Connect recommends an in-place upgrade. If you decide to continue, your current settings are automatically applied during the upgrade and your server automatically resumes active synchronization.

If you want to do a configuration migration and a parallel deployment, you can override the in-place upgrade recommendation. You might, for example, take the opportunity to refresh the hardware and operating system. For more information, see the parallel deployment section.

Parallel deployment
If you have more than 50,000 objects, a parallel deployment is recommended. This deployment avoids any operational delays experienced by your users. The Azure AD Connect installation attempts to estimate the downtime for the upgrade, but if you've upgraded DirSync in the past, your own experience is likely to be the best guide.

Supported DirSync configurations to be upgraded

The following configuration changes are supported with upgraded DirSync:

  • Domain and OU filtering
  • Alternate ID (UPN)
  • Password sync and Exchange hybrid settings
  • Your forest/domain and Azure AD settings
  • Filtering based on user attributes

The following change cannot be upgraded. If you have this configuration, the upgrade is blocked:

  • Unsupported DirSync changes, for example removed attributes and using a custom extension DLL

[Screenshot: Upgrade blocked]

In those cases, the recommendation is to install a new Azure AD Connect server in staging mode and verify the old DirSync and new Azure AD Connect configuration. Reapply any changes using custom configuration, as described in Azure AD Connect Sync custom configuration.

The passwords used by DirSync for the service accounts cannot be retrieved and are not migrated. These passwords are reset during the upgrade.

High-level steps for upgrading from DirSync to Azure AD Connect

  1. Welcome to Azure AD Connect
  2. Analysis of current DirSync configuration
  3. Collect Azure AD global admin password
  4. Collect credentials for an enterprise admin account (only used during the installation of Azure AD Connect)
  5. Installation of Azure AD Connect
    • Uninstall DirSync (or temporarily disable it)
    • Install Azure AD Connect
    • Optionally begin synchronization

Additional steps are required when:

  • You're currently using Full SQL Server - local or remote
  • You have more than 50,000 objects in scope for synchronization

In-place upgrade

  1. Launch the Azure AD Connect installer (MSI).
  2. Review and agree to license terms and privacy notice.
    [Screenshot: Welcome to Azure]
  3. Click Next to begin analysis of your existing DirSync installation.
    [Screenshot: Analyzing existing directory sync installation]
  4. When the analysis completes, you see the recommendations on how to proceed.
    • If you use SQL Server Express and have less than 50,000 objects, the following screen is shown:
      [Screenshot: Analysis completed, ready to upgrade from DirSync]
    • If you use a full SQL Server for DirSync, you see this page instead:
      [Screenshot: Analysis completed, ready to upgrade from DirSync]
      The information regarding the existing SQL Server database server being used by DirSync is displayed. Make appropriate adjustments if needed. Click Next to continue the installation.
    • If you have more than 50,000 objects, you see this screen instead:
      [Screenshot: Analysis completed, ready to upgrade from DirSync]
      To proceed with an in-place upgrade, click the checkbox next to this message: Continue upgrading DirSync on this computer. To do a parallel deployment instead, you export the DirSync configuration settings and move the configuration to the new server.
  5. Provide the password for the account you currently use to connect to Azure AD. This must be the account currently used by DirSync.
    [Screenshot: Enter Azure AD credentials]
    If you receive an error and have problems with connectivity, see Troubleshoot connectivity problems.
  6. Provide an enterprise admin account for Active Directory.
    [Screenshot: Enter ADDS credentials]
  7. You're now ready to configure. When you click Upgrade, DirSync is uninstalled and Azure AD Connect is configured and begins synchronizing.
    [Screenshot: Ready to configure]
  8. After the installation has completed, sign out and sign in again to Windows before you use Synchronization Service Manager, Synchronization Rule Editor, or try to make any other configuration changes.

Parallel deployment

Export the DirSync configuration

Parallel deployment with more than 50,000 objects

If you have more than 50,000 objects, the Azure AD Connect installation recommends a parallel deployment.

A screen similar to the following is displayed:
[Screenshot: Analysis completed]

If you want to proceed with parallel deployment, you need to perform the following steps:

  • Click the Export settings button. When you install Azure AD Connect on a separate server, these settings are migrated from your current DirSync to your new Azure AD Connect installation.

Once your settings have been successfully exported, you can exit the Azure AD Connect wizard on the DirSync server. Continue with the next step to install Azure AD Connect on a separate server.

Parallel deployment with less than 50,000 objects

If you have less than 50,000 objects but still want to do a parallel deployment, do the following:

  1. Run the Azure AD Connect installer (MSI).
  2. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking the "X" in the top right corner of the window.
  3. Open a command prompt.
  4. From the install location of Azure AD Connect (Default: C:\Program Files\Azure Active Directory Connect) execute the following command: AzureADConnect.exe /ForceExport.
  5. Click the Export settings button. When you install Azure AD Connect on a separate server, these settings are migrated from your current DirSync to your new Azure AD Connect installation.

[Screenshot: Analysis completed]

Once your settings have been successfully exported, you can exit the Azure AD Connect wizard on the DirSync server. Continue with the next step to install Azure AD Connect on a separate server.

Install Azure AD Connect on separate server

When you install Azure AD Connect on a new server, the assumption is that you want to perform a clean install of Azure AD Connect. Since you want to use the DirSync configuration, there are some extra steps to take:

  1. Run the Azure AD Connect installer (MSI).
  2. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking the "X" in the top right corner of the window.
  3. Open a command prompt.
  4. From the install location of Azure AD Connect (Default: C:\Program Files\Azure Active Directory Connect) execute the following command: AzureADConnect.exe /migrate. The Azure AD Connect installation wizard starts and presents you with the following screen:
    [Screenshot: Enter Azure AD credentials]
  5. Select the settings file that was exported from your DirSync installation.
  6. Configure any advanced options including:
    • A custom installation location for Azure AD Connect.
    • An existing instance of SQL Server (Default: Azure AD Connect installs SQL Server 2012 Express). Do not use the same database instance as your DirSync server.
    • A service account used to connect to SQL Server (if your SQL Server database is remote, this account must be a domain service account). These options can be seen on this screen:
      [Screenshot: Enter Azure AD credentials]
  7. Click Next.
  8. On the Ready to configure page, leave the Start the synchronization process as soon as the configuration completes option checked. The server is now in staging mode, so changes are not exported to Azure AD.
  9. Click Install.
  10. After the installation has completed, sign out and sign in again to Windows before you use Synchronization Service Manager, Synchronization Rule Editor, or try to make any other configuration changes.

Note

Synchronization between Windows Server Active Directory and Azure Active Directory begins, but no changes are exported to Azure AD. Only one synchronization tool can be actively exporting changes at a time. This state is called staging mode.

Verify that Azure AD Connect is ready to begin synchronization

To verify that Azure AD Connect is ready to take over from DirSync, open Synchronization Service Manager in the group Azure AD Connect from the start menu.

In the application, go to the Operations tab. On this tab, confirm that the following operations have completed:

  • Import on the AD Connector
  • Import on the Azure AD Connector
  • Full Sync on the AD Connector
  • Full Sync on the Azure AD Connector

[Screenshot: Import and sync completed]

Review the result from these operations and ensure there are no errors.

If you want to see and inspect the changes that are about to be exported to Azure AD, read how to verify the configuration under staging mode. Make required configuration changes until you do not see anything unexpected.

You are ready to switch from DirSync to Azure AD when you have completed these steps and are happy with the result.
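
The checks above can also be scripted. The following is an added example, not part of the original documentation: it evaluates run-history records for the four operations listed and confirms that the server is still in staging mode. It assumes the records carry the fields ConnectorName, RunProfileName, Result and StartDate (the shape returned by Get-ADSyncRunProfileResult in the ADSync module), that the run profiles are named "Full Import" and "Full Synchronization", and that the staging flag comes from (Get-ADSyncScheduler).StagingModeEnabled; the sample records and connector names are constructed.

```powershell
# Added example (not from the original page): cutover readiness check for a
# staging-mode server. Anything other than 'success' is flagged for review.
function Test-CutoverReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Runs,
        [Parameter(Mandatory)] [bool] $StagingModeEnabled,
        # Assumed run profile names; adjust if your connectors use others.
        [string[]] $RequiredProfiles = @('Full Import', 'Full Synchronization')
    )
    $problems = @()
    if (-not $StagingModeEnabled) {
        $problems += 'Staging mode is off: this server may already be exporting.'
    }
    $connectors = @($Runs | Group-Object ConnectorName)
    if ($connectors.Count -lt 2) {
        $problems += 'Expected run history for the AD and the Azure AD connector.'
    }
    foreach ($connector in $connectors) {
        foreach ($wanted in $RequiredProfiles) {
            # Judge each operation by its most recent run only.
            $latest = $connector.Group |
                Where-Object RunProfileName -eq $wanted |
                Sort-Object StartDate -Descending |
                Select-Object -First 1
            if (-not $latest) {
                $problems += "$($connector.Name): no '$wanted' run found."
            } elseif ($latest.Result -ne 'success') {
                $problems += "$($connector.Name): '$wanted' ended '$($latest.Result)'."
            }
        }
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample records (hypothetical connector names and results).
$now = Get-Date
$sampleRuns = @(
    [pscustomobject]@{ ConnectorName = 'corp.example'; RunProfileName = 'Full Import'
                       Result = 'success'; StartDate = $now.AddMinutes(-40) }
    [pscustomobject]@{ ConnectorName = 'corp.example'; RunProfileName = 'Full Synchronization'
                       Result = 'success'; StartDate = $now.AddMinutes(-20) }
    [pscustomobject]@{ ConnectorName = 'tenant.example - AAD'; RunProfileName = 'Full Import'
                       Result = 'success'; StartDate = $now.AddMinutes(-30) }
    [pscustomobject]@{ ConnectorName = 'tenant.example - AAD'; RunProfileName = 'Full Synchronization'
                       Result = 'completed-sync-errors'; StartDate = $now.AddMinutes(-10) }
)
Test-CutoverReadiness -Runs $sampleRuns -StagingModeEnabled $true | Format-List

# On the server itself (assumption: the ADSync module is available):
# Test-CutoverReadiness -Runs (Get-ADSyncRunProfileResult) `
#     -StagingModeEnabled (Get-ADSyncScheduler).StagingModeEnabled
```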

Uninstall DirSync (old server)

  • In Programs and features, find Azure Active Directory sync tool.
  • Uninstall Azure Active Directory sync tool.
  • The uninstallation might take up to 15 minutes to complete.

If you prefer to uninstall DirSync later, you can also temporarily shut down the server or disable the service. If something goes wrong, this method allows you to re-enable it. However, it is not expected that the next step will fail, so this should not be needed.

With DirSync uninstalled or disabled, there is no active server exporting to Azure AD. The next step to enable Azure AD Connect must be completed before any changes in your on-premises Active Directory will continue to be synchronized to Azure AD.

Enable Azure AD Connect (new server)

After installation, reopening Azure AD Connect allows you to make additional configuration changes. Start Azure AD Connect from the start menu or from the shortcut on the desktop. Make sure you do not try to run the installation MSI again.

You should see the following:
[Screenshot: Additional tasks]

  • Select Configure staging mode.
  • Turn off staging by unchecking the Enabled staging mode checkbox.

[Screenshot: Enter Azure AD credentials]

  • Click the Next button.
  • On the confirmation page, click the Install button.

Azure AD Connect is now your active server and you must not switch back to using your existing DirSync server.

Next steps

Now that you have Azure AD Connect installed you can verify the installation and assign licenses.

Learn more about these new features, which were enabled with the installation: Automatic upgrade and Prevent accidental deletes.

Learn more about these common topics: scheduler and how to trigger sync.

Learn more about Integrating your on-premises identities with Azure Active Directory.