Azure AD Connect: Upgrade from a previous version to the latest

This topic describes the different methods that you can use to upgrade your Azure Active Directory (Azure AD) Connect installation to the latest release. We recommend that you keep yourself current with the releases of Azure AD Connect. You also use the steps in the Swing migration section when you make a substantial configuration change.

Note

It is currently supported to upgrade from any version of Azure AD Connect to the current version. In-place upgrades of DirSync or ADSync are not supported and a swing migration is required. If you want to upgrade from DirSync, see Upgrade from Azure AD sync tool (DirSync) or the Swing migration section.
In practice, customers on extremely old versions may encounter problems not directly related to Azure AD Connect. Servers that have been in production for several years typically have had several patches applied to them, and not all of these can be accounted for. Generally, customers who have not upgraded in 12-18 months should consider a swing upgrade instead, as this is the most conservative and least risky option.

If you want to upgrade from DirSync, see Upgrade from Azure AD sync tool (DirSync) instead.

There are a few different strategies that you can use to upgrade Azure AD Connect.

Method | Description
--- | ---
Automatic upgrade | This is the easiest method for customers with an express installation.
In-place upgrade | If you have a single server, you can upgrade the installation in-place on the same server.
Swing migration | With two servers, you can prepare one of the servers with the new release or configuration, and change the active server when you're ready.

For permissions information, see the permissions required for an upgrade.

Note

After you've enabled your new Azure AD Connect server to start synchronizing changes to Azure AD, you must not roll back to using DirSync or Azure AD Sync. Downgrading from Azure AD Connect to legacy clients, including DirSync and Azure AD Sync, isn't supported and can lead to issues such as data loss in Azure AD.

In-place upgrade

An in-place upgrade works for moving from Azure AD Sync or Azure AD Connect. It doesn't work for moving from DirSync or for a solution with Forefront Identity Manager (FIM) + Azure AD Connector.

This method is preferred when you have a single server and less than about 100,000 objects. If there are any changes to the out-of-box sync rules, a full import and full synchronization occur after the upgrade. This method ensures that the new configuration is applied to all existing objects in the system. This run might take a few hours, depending on the number of objects that are in scope of the sync engine. The normal delta synchronization scheduler (which synchronizes every 30 minutes by default) is suspended, but password synchronization continues. You might consider doing the in-place upgrade during a weekend. If there are no changes to the out-of-box configuration with the new Azure AD Connect release, then a normal delta import/sync starts instead.

If you've made changes to the out-of-box synchronization rules, then these rules are set back to the default configuration on upgrade. To make sure that your configuration is kept between upgrades, make sure that you make changes as they're described in Best practices for changing the default configuration.

During an in-place upgrade, there may be changes introduced that require specific synchronization activities (including the Full Import step and the Full Synchronization step) to be executed after the upgrade completes. To defer such activities, refer to the section How to defer full synchronization after upgrade.

If you are using Azure AD Connect with a non-standard connector (for example, the Generic LDAP Connector or the Generic SQL Connector), you must refresh the corresponding connector configuration in the Synchronization Service Manager after an in-place upgrade. For details on how to refresh the connector configuration, refer to the article section Connector Version Release History - Troubleshooting. If you do not refresh the configuration, the import and export run steps will not work correctly for the connector. You will receive the following error in the application event log: "Assembly version in AAD Connector configuration ("X.X.XXX.X") is earlier than the actual version ("X.X.XXX.X") of "C:\Program Files\Azure AD Sync\Extensions\Microsoft.IAM.Connector.GenericLdap.dll".

Swing migration

If you have a complex deployment or many objects, it might be impractical to do an in-place upgrade on the live system. For some customers, this process might take multiple days, and during this time no delta changes are processed. You can also use this method when you plan to make substantial changes to your configuration and you want to try them out before they're pushed to the cloud.

The recommended method for these scenarios is to use a swing migration. You need at least two servers: one active server and one staging server. The active server (shown with solid blue lines in the following picture) is responsible for the active production load. The staging server (shown with dashed purple lines) is prepared with the new release or configuration. When it's fully ready, this server is made active. The previous active server, which now has the old version or configuration installed, is made into the staging server and is upgraded.

The two servers can use different versions. For example, the active server that you plan to decommission can use Azure AD Sync, and the new staging server can use Azure AD Connect. If you use swing migration to develop a new configuration, it's a good idea to have the same versions on the two servers.

Note

Some customers prefer to have three or four servers for this scenario. When the staging server is upgraded, you don't have a backup server for disaster recovery. With three or four servers, you can prepare one set of primary/standby servers with the new version, which ensures that there is always a staging server that's ready to take over.

These steps also work to move from Azure AD Sync or a solution with FIM + Azure AD Connector. These steps don't work for DirSync, but the same swing migration method (also called parallel deployment) with steps for DirSync is in Upgrade Azure Active Directory sync (DirSync).

Use a swing migration to upgrade

  1. If you use Azure AD Connect on both servers and plan to only make a configuration change, make sure that your active server and staging server are both using the same version. That makes it easier to compare differences later. If you're upgrading from Azure AD Sync, then these servers have different versions. If you're upgrading from an older version of Azure AD Connect, it's a good idea to start with the two servers using the same version, but it's not required.
  2. If you've made a custom configuration and your staging server doesn't have it, follow the steps under Move a custom configuration from the active server to the staging server.
  3. If you're upgrading from an earlier release of Azure AD Connect, upgrade the staging server to the latest version. If you're moving from Azure AD Sync, then install Azure AD Connect on your staging server.
  4. Let the sync engine run full import and full synchronization on your staging server.
  5. Verify that the new configuration didn't cause any unexpected changes by using the steps under "Verify" in Verify the configuration of a server. If something isn't as expected, correct it, run the import and sync, and verify the data until it looks good, by following those steps.
  6. Switch the staging server to be the active server. This is the final step, "Switch active server", in Verify the configuration of a server.
  7. If you're upgrading Azure AD Connect, upgrade the server that's now in staging mode to the latest release. Follow the same steps as before to get the data and configuration upgraded. If you upgraded from Azure AD Sync, you can now turn off and decommission your old server.

Move a custom configuration from the active server to the staging server

If you've made configuration changes to the active server, you need to make sure that the same changes are applied to the staging server. To help with this move, you can use the Azure AD Connect configuration documenter.

You can move the custom sync rules that you've created by using PowerShell. You must apply other changes the same way on both systems, and you can't migrate those changes. The configuration documenter can help you compare the two systems to make sure they are identical. The tool can also help in automating the steps found in this section.

You need to configure the following things the same way on both servers:

  • Connection to the same forests
  • Any domain and OU filtering
  • The same optional features, such as password sync

Move custom synchronization rules
To move custom synchronization rules, do the following:

  1. Open Synchronization Rules Editor on your active server.
  2. Select a custom rule. Click Export. This brings up a Notepad window. Save the temporary file with a PS1 extension. This makes it a PowerShell script. Copy the PS1 file to the staging server.
  3. The Connector GUID is different on the staging server, and you must change it. To get the GUID, start Synchronization Rules Editor, select one of the out-of-box rules that represent the same connected system, and click Export. Replace the GUID in your PS1 file with the GUID from the staging server.
  4. In a PowerShell prompt, run the PS1 file. This creates the custom synchronization rule on the staging server.
  5. Repeat this for all your custom rules.
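Steps 3 and 4 above rewrite the connector GUID by hand in each exported rule. The script below is an added example, not code from the original article, that does the same rewrite for every exported PS1 file in a folder and refuses to pass through a file that never referenced the active server's connector; the folder paths and the two GUID parameters are assumptions you supply from your own exports.

```powershell
# Added example: rewrite the connector GUID in exported custom sync rule scripts
# so they can be run on the staging server (step 3 above).
# Assumed inputs:
#   $SourceDir            folder holding the PS1 files exported on the active server
#   $TargetDir            folder to write the rewritten PS1 files into
#   $ActiveConnectorGuid  GUID taken from an out-of-box rule exported on the active server
#   $StagingConnectorGuid GUID from the same out-of-box rule exported on the staging server
param(
    [Parameter(Mandatory)][string]$SourceDir,
    [Parameter(Mandatory)][string]$TargetDir,
    [Parameter(Mandatory)][guid]$ActiveConnectorGuid,
    [Parameter(Mandatory)][guid]$StagingConnectorGuid
)

if ($ActiveConnectorGuid -eq $StagingConnectorGuid) {
    throw 'Active and staging connector GUIDs are identical; nothing to rewrite.'
}
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null

$pattern = [regex]::Escape($ActiveConnectorGuid.ToString())

foreach ($file in Get-ChildItem -Path $SourceDir -Filter '*.ps1') {
    $content = Get-Content -Path $file.FullName -Raw

    # Count the references first: a file with zero hits targets a different
    # connector (or was exported wrongly) and must not be copied through unchanged.
    $hits = [regex]::Matches($content, $pattern, 'IgnoreCase')
    if ($hits.Count -eq 0) {
        Write-Warning "$($file.Name): active connector GUID not found; check which connector this rule targets."
        continue
    }

    $rewritten = [regex]::Replace($content, $pattern, $StagingConnectorGuid.ToString(), 'IgnoreCase')
    $outPath   = Join-Path $TargetDir $file.Name
    Set-Content -Path $outPath -Value $rewritten -NoNewline
    Write-Output "$($file.Name): replaced $($hits.Count) occurrence(s), written to $outPath"
}
```

Run each rewritten PS1 file on the staging server afterwards (step 4); rules for a second connected system need a second pass with that system's GUID pair.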

How to defer full synchronization after upgrade

During an in-place upgrade, there may be changes introduced that require specific synchronization activities (including the Full Import step and the Full Synchronization step) to be executed. For example, connector schema changes require the full import step, and out-of-box synchronization rule changes require the full synchronization step to be executed on affected connectors. During upgrade, Azure AD Connect determines what synchronization activities are required and records them as overrides. In the following synchronization cycle, the synchronization scheduler picks up these overrides and executes them. Once an override is successfully executed, it is removed.

There may be situations where you do not want these overrides to take place immediately after upgrade. For example, you have numerous synchronized objects and you would like these synchronization steps to occur after business hours. To remove these overrides:

  1. During upgrade, uncheck the option Start the synchronization process when configuration completes. This disables the synchronization scheduler and prevents a synchronization cycle from taking place automatically before the overrides are removed.

  2. After the upgrade completes, run the following cmdlet to find out what overrides have been added:

    Get-ADSyncSchedulerConnectorOverride | fl

    Note

    The overrides are connector-specific. In the following example, the Full Import step and the Full Synchronization step have been added to both the on-premises AD Connector and the Azure AD Connector.

  3. Note down the existing overrides that have been added.

  4. To remove the overrides for both full import and full synchronization on an arbitrary connector, run the following cmdlet:

    Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier <Guid-of-ConnectorIdentifier> -FullImportRequired $false -FullSyncRequired $false

    To remove the overrides on all connectors, execute the following PowerShell script:

    foreach ($connectorOverride in Get-ADSyncSchedulerConnectorOverride)
    {
        Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier $connectorOverride.ConnectorIdentifier.Guid -FullSyncRequired $false -FullImportRequired $false
    }

  5. To resume the scheduler, run the following cmdlet:

    Set-ADSyncScheduler -SyncCycleEnabled $true

    Important

    Remember to execute the required synchronization steps at your earliest convenience. You can either manually execute these steps using the Synchronization Service Manager or add the overrides back using the Set-ADSyncSchedulerConnectorOverride cmdlet.

To add the overrides for both full import and full synchronization on an arbitrary connector, run the following cmdlet:

    Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier <Guid> -FullImportRequired $true -FullSyncRequired $true
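Steps 3 and 4 tell you to write down the overrides before clearing them, and the Important note tells you to add them back later. The script below is an added example, not code from the original article, that records the overrides to a file, clears them, resumes the scheduler, and later restores exactly what was recorded. It assumes that the objects returned by Get-ADSyncSchedulerConnectorOverride expose ConnectorName, FullImportRequired and FullSyncRequired properties next to ConnectorIdentifier, and that the upgrade was run with the start-synchronization option unchecked (step 1); the state file path is an assumption.

```powershell
# Added example: defer the post-upgrade overrides and put them back after hours.
# Assumed: the override objects carry ConnectorName, FullImportRequired and
# FullSyncRequired; $StatePath is a location of your choosing.
$StatePath = 'C:\ADSyncUpgrade\overrides.json'   # assumed location

function Save-AndClearAdSyncOverrides {
    $overrides = @(Get-ADSyncSchedulerConnectorOverride)
    if ($overrides.Count -eq 0) {
        Write-Output 'No overrides recorded by the upgrade; nothing to defer.'
        return
    }
    # Persist what the upgrade asked for before removing it (step 3),
    # so the required steps are not forgotten.
    $snapshot = foreach ($o in $overrides) {
        [pscustomobject]@{
            ConnectorIdentifier = $o.ConnectorIdentifier.Guid
            ConnectorName       = $o.ConnectorName
            FullImportRequired  = [bool]$o.FullImportRequired
            FullSyncRequired    = [bool]$o.FullSyncRequired
        }
    }
    New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
    $snapshot | ConvertTo-Json | Set-Content -Path $StatePath

    # Clear the overrides on every connector (step 4) and resume the scheduler (step 5).
    foreach ($s in $snapshot) {
        Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier $s.ConnectorIdentifier `
            -FullImportRequired $false -FullSyncRequired $false
        Write-Output "Cleared overrides on '$($s.ConnectorName)'; recorded in $StatePath"
    }
    Set-ADSyncScheduler -SyncCycleEnabled $true
}

function Restore-AdSyncOverrides {
    # Run after business hours: re-add the recorded overrides so the next
    # scheduler cycle executes the full import / full sync steps.
    if (-not (Test-Path $StatePath)) { throw "No saved overrides found at $StatePath" }
    $saved = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    # ConvertTo-Json flattens a single-element array, so wrap it again here.
    foreach ($s in @($saved)) {
        Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier $s.ConnectorIdentifier `
            -FullImportRequired $s.FullImportRequired -FullSyncRequired $s.FullSyncRequired
        Write-Output "Restored '$($s.ConnectorName)': FullImport=$($s.FullImportRequired) FullSync=$($s.FullSyncRequired)"
    }
}
```

Call Save-AndClearAdSyncOverrides right after the upgrade wizard finishes and Restore-AdSyncOverrides from a scheduled task in the maintenance window; check Get-ADSyncSchedulerConnectorOverride afterwards to confirm the overrides are present again.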

Troubleshooting

The following section contains troubleshooting information that you can use if you encounter an issue upgrading Azure AD Connect.

Azure Active Directory connector missing error during Azure AD Connect upgrade

When you upgrade Azure AD Connect from a previous version, you might hit the following error at the beginning of the upgrade.

This error happens because the Azure Active Directory connector with identifier b891884f-051e-4a83-95af-2544101c9083 does not exist in the current Azure AD Connect configuration. To verify this is the case, open a PowerShell window and run the cmdlet Get-ADSyncConnector -Identifier b891884f-051e-4a83-95af-2544101c9083:

PS C:\> Get-ADSyncConnector -Identifier b891884f-051e-4a83-95af-2544101c9083
Get-ADSyncConnector : Operation failed because the specified MA could not be found.
At line:1 char:1
+ Get-ADSyncConnector -Identifier b891884f-051e-4a83-95af-2544101c9083
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ReadError: (Microsoft.Ident...ConnectorCmdlet:GetADSyncConnectorCmdlet) [Get-ADSyncConne
   ctor], ConnectorNotFoundException
    + FullyQualifiedErrorId : Operation failed because the specified MA could not be found.,Microsoft.IdentityManageme
   nt.PowerShell.Cmdlet.GetADSyncConnectorCmdlet

The PowerShell cmdlet reports the error "the specified MA could not be found".

The reason that this occurs is that the current Azure AD Connect configuration is not supported for upgrade.

If you want to install a newer version of Azure AD Connect: close the Azure AD Connect wizard, uninstall the existing Azure AD Connect, and perform a clean install of the newer Azure AD Connect.

Next steps

Learn more about integrating your on-premises identities with Azure Active Directory.