Azure AD Connect: Design concepts

The purpose of this document is to describe the areas that must be thought through during the implementation design of Azure AD Connect. This document is a deep dive on certain areas, and these concepts are also described briefly in other documents.

sourceAnchor

The sourceAnchor attribute is defined as an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableId, and the two names are used interchangeably.

The word immutable, that is "cannot be changed", is important to this document. Since this attribute's value cannot be changed after it has been set, it is important to pick a design that supports your scenario.

The attribute is used for the following scenarios:

  • When a new sync engine server is built, or rebuilt after a disaster recovery scenario, this attribute links existing objects in Azure AD with objects on-premises.
  • If you move from a cloud-only identity to a synchronized identity model, this attribute allows objects to "hard match" existing objects in Azure AD with on-premises objects.
  • If you use federation, this attribute together with the userPrincipalName is used in the claim to uniquely identify a user.

This topic only talks about sourceAnchor as it relates to users. The same rules apply to all object types, but it is usually only for users that this problem is a concern.

Selecting a good sourceAnchor attribute

The attribute value must follow these rules:

  • Fewer than 60 characters in length
    • Characters other than a-z, A-Z, or 0-9 are encoded and counted as 3 characters
  • Not contain a special character: \ ! # $ % & * + / = ? ^ ` { } | ~ < > ( ) ' ; : , [ ] " @ _
  • Must be globally unique
  • Must be either a string, integer, or binary
  • Should not be based on the user's name, because names can change
  • Should not be case-sensitive; avoid values that may vary by case
  • Should be assigned when the object is created

If the selected sourceAnchor is not of type string, Azure AD Connect Base64-encodes the attribute value to ensure no special characters appear. If you use a federation server other than AD FS, make sure your server can also Base64-encode the attribute.
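An added example (not code from the page or from Azure AD Connect) that checks a candidate string value against the rules listed above, flags values that differ only in case, and shows the Base64 form a binary objectGUID takes when it is exported as immutableId. It assumes that Azure AD Connect serialises the GUID in .NET Guid.ToByteArray() byte order, which is what Python's uuid.bytes_le produces; the employeeID and GUID values are constructed.

```python
import base64
import uuid
from typing import Dict, List

# Characters the page lists as not allowed in a string sourceAnchor value.
FORBIDDEN = set('\\!#$%&*+/=?^`{}|~<>()\';:,[]"@_')
MAX_LEN = 60  # the value must be *fewer* than 60 encoded characters


def encoded_length(value: str) -> int:
    """Length as the rules count it: a-z, A-Z, 0-9 count as 1 character,
    every other character is encoded and counted as 3."""
    return sum(1 if (c.isascii() and c.isalnum()) else 3 for c in value)


def check_source_anchor(value: str) -> List[str]:
    """Return the rule violations for a candidate string value
    (an empty list means the value passes the documented rules)."""
    problems = []
    length = encoded_length(value)
    if length >= MAX_LEN:
        problems.append(f"encoded length {length} is not fewer than {MAX_LEN}")
    bad = sorted(FORBIDDEN & set(value))
    if bad:
        problems.append("contains special character(s): " + "".join(bad))
    return problems


def case_collisions(values: List[str]) -> Dict[str, List[str]]:
    """Group values that differ only in letter case: the page warns that
    sourceAnchor is case-sensitive, so such pairs must not exist."""
    groups: Dict[str, set] = {}
    for v in values:
        groups.setdefault(v.lower(), set()).add(v)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def immutable_id_from_object_guid(guid: str) -> str:
    """Base64 form of a binary GUID attribute (objectGUID or a GUID stored in
    ms-DS-ConsistencyGuid): the 16 bytes in .NET Guid.ToByteArray() order,
    which Python exposes as UUID.bytes_le (assumption stated in the lead-in)."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Inverse mapping, handy when troubleshooting a hard-match mismatch."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))
```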

The sourceAnchor attribute is case-sensitive. A value of "JohnDoe" is not the same as "johndoe". But you should not have two different objects that differ only in case.

If you have a single forest on-premises, the attribute you should use is objectGUID. This is also the attribute used when you use express settings in Azure AD Connect, and the attribute used by DirSync.

If you have multiple forests and do not move users between forests and domains, objectGUID is a good attribute to use even in this case.

If you move users between forests and domains, you must find an attribute that does not change or that can be moved with the users during the move. A recommended approach is to introduce a synthetic attribute. An attribute that can hold something that looks like a GUID is suitable. During object creation, a new GUID is created and stamped on the user. A custom sync rule can be created in the sync engine server to create this value based on the objectGUID and update the selected attribute in AD DS. When you move the object, make sure to also copy the content of this value.

Another solution is to pick an existing attribute you know does not change. Commonly used attributes include employeeID. If you consider an attribute that contains letters, make sure there is no chance the case (upper case vs. lower case) of the attribute's value can change. Bad attributes that should not be used include those containing the name of the user. In a marriage or divorce, the name is expected to change, which is not allowed for this attribute. This is also one reason why attributes such as userPrincipalName, mail, and targetAddress cannot even be selected in the Azure AD Connect installation wizard. Those attributes also contain the "@" character, which is not allowed in the sourceAnchor.

Changing the sourceAnchor attribute

The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the identity is synchronized.

For this reason, the following restrictions apply to Azure AD Connect:

  • The sourceAnchor attribute can only be set during initial installation. If you rerun the installation wizard, this option is read-only. If you need to change this setting, you must uninstall and reinstall.
  • If you install another Azure AD Connect server, you must select the same sourceAnchor attribute as previously used. If you have earlier been using DirSync and move to Azure AD Connect, you must use objectGUID, since that is the attribute used by DirSync.
  • If the value for sourceAnchor is changed after the object has been exported to Azure AD, Azure AD Connect sync throws an error and does not allow any more changes on that object until the issue has been fixed and the sourceAnchor is changed back in the source directory.

Using ms-DS-ConsistencyGuid as sourceAnchor

By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. ObjectGUID is system-generated. You cannot specify its value when creating on-premises AD objects. As explained in the section sourceAnchor, there are scenarios where you need to specify the sourceAnchor value. If those scenarios apply to you, you must use a configurable AD attribute (for example, ms-DS-ConsistencyGuid) as the sourceAnchor attribute.

Azure AD Connect (version 1.1.524.0 and after) now facilitates the use of ms-DS-ConsistencyGuid as the sourceAnchor attribute. When using this feature, Azure AD Connect automatically configures the synchronization rules to:

  1. Use ms-DS-ConsistencyGuid as the sourceAnchor attribute for User objects. ObjectGUID is used for other object types.

  2. For any given on-premises AD User object whose ms-DS-ConsistencyGuid attribute isn't populated, write its objectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory. After the ms-DS-ConsistencyGuid attribute is populated, Azure AD Connect then exports the object to Azure AD.

Note

Once an on-premises AD object is imported into Azure AD Connect (that is, imported into the AD Connector Space and projected into the Metaverse), you cannot change its sourceAnchor value anymore. To specify the sourceAnchor value for a given on-premises AD object, configure its ms-DS-ConsistencyGuid attribute before it is imported into Azure AD Connect.

Permission required

For this feature to work, the AD DS account used to synchronize with on-premises Active Directory must be granted write permission to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory.

How to enable the ConsistencyGuid feature - New installation

You can enable the use of ConsistencyGuid as sourceAnchor during a new installation. This section covers both Express and Custom installation in detail.

Note

Only newer versions of Azure AD Connect (1.1.524.0 and after) support the use of ConsistencyGuid as sourceAnchor during a new installation.

How to enable the ConsistencyGuid feature

Currently, the feature can only be enabled during a new Azure AD Connect installation.

Express Installation

When installing Azure AD Connect in Express mode, the Azure AD Connect wizard automatically determines the most appropriate AD attribute to use as the sourceAnchor attribute using the following logic:

  • First, the Azure AD Connect wizard queries your Azure AD tenant to retrieve the AD attribute used as the sourceAnchor attribute in the previous Azure AD Connect installation (if any). If this information is available, Azure AD Connect uses the same AD attribute.

    Note

    Only newer versions of Azure AD Connect (1.1.524.0 and after) store information in your Azure AD tenant about the sourceAnchor attribute used during installation. Older versions of Azure AD Connect do not.

  • If information about the sourceAnchor attribute used isn't available, the wizard checks the state of the ms-DS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any object in the directory, the wizard uses ms-DS-ConsistencyGuid as the sourceAnchor attribute. If the attribute is configured on one or more objects in the directory, the wizard concludes that the attribute is being used by other applications and is not suitable as the sourceAnchor attribute.

  • In that case, the wizard falls back to using objectGUID as the sourceAnchor attribute.

  • Once the sourceAnchor attribute is decided, the wizard stores the information in your Azure AD tenant. The information is used by future installations of Azure AD Connect.

Once Express installation completes, the wizard informs you which attribute has been picked as the Source Anchor attribute.

[Figure: The wizard informs you of the AD attribute picked for sourceAnchor]
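An added example (not code from the page or from Azure AD Connect) that models, over constructed in-memory objects, the two behaviours described above: the Express-mode decision between ms-DS-ConsistencyGuid and objectGUID, and the sync rules that stamp objectGUID into an unpopulated ms-DS-ConsistencyGuid for User objects and then export the Base64 value. It also walks a user through a simulated cross-forest move to show why the anchor survives a new objectGUID. The AdObject class, the move helper and all GUID values are assumptions made for the example.

```python
import base64
import uuid
from typing import List, Optional


class AdObject:
    """Constructed stand-in for an on-premises AD object: only the attributes
    the page discusses (objectGUID, ms-DS-ConsistencyGuid) plus the class."""

    def __init__(self, name: str, object_class: str, object_guid: str,
                 consistency_guid: Optional[bytes] = None):
        self.name = name
        self.object_class = object_class  # "user", "group", ...
        self.object_guid = uuid.UUID(object_guid)
        self.consistency_guid = consistency_guid  # raw 16 bytes, or None if unset


def choose_source_anchor(tenant_setting: Optional[str], forest: List[AdObject]) -> str:
    """Express-mode selection logic from the page: reuse the attribute recorded in
    the tenant if present; otherwise use ms-DS-ConsistencyGuid only when no object
    in the directory has it populated, else fall back to objectGUID."""
    if tenant_setting:
        return tenant_setting
    if any(o.consistency_guid is not None for o in forest):
        return "objectGUID"  # attribute looks in use by another application
    return "ms-DS-ConsistencyGuid"


def stamp_consistency_guid(obj: AdObject) -> bool:
    """Sync-rule step 2: a User with no ms-DS-ConsistencyGuid gets its objectGUID
    bytes written back. Returns True when a write-back happened."""
    if obj.object_class == "user" and obj.consistency_guid is None:
        obj.consistency_guid = obj.object_guid.bytes_le
        return True
    return False


def source_anchor_value(obj: AdObject, anchor_attr: str) -> str:
    """Value exported as sourceAnchor/immutableId: Base64 of the binary attribute.
    With the ConsistencyGuid feature only Users use ms-DS-ConsistencyGuid
    (sync-rule step 1); every other object class still uses objectGUID."""
    if anchor_attr == "ms-DS-ConsistencyGuid" and obj.object_class == "user":
        stamp_consistency_guid(obj)
        raw = obj.consistency_guid
    else:
        raw = obj.object_guid.bytes_le
    return base64.b64encode(raw).decode("ascii")


def move_to_new_forest(obj: AdObject, new_object_guid: str) -> AdObject:
    """Simulated cross-forest migration (assumption): the target forest assigns
    a fresh objectGUID and the admin copies ms-DS-ConsistencyGuid with the object."""
    return AdObject(obj.name, obj.object_class, new_object_guid, obj.consistency_guid)
```

Running choose_source_anchor again after the first user has been stamped returns objectGUID, which is the same "attribute already in use" condition the page describes for a staging server.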

Custom installation

When installing Azure AD Connect in Custom mode, the Azure AD Connect wizard provides two options when configuring the sourceAnchor attribute:

[Figure: Custom installation - sourceAnchor configuration]

Setting: Let Azure manage the source anchor for me
Description: Select this option if you want Azure AD to pick the attribute for you. If you select this option, the Azure AD Connect wizard applies the same sourceAnchor attribute selection logic used during Express installation. Similar to Express installation, the wizard informs you which attribute has been picked as the Source Anchor attribute after Custom installation completes.

Setting: A specific attribute
Description: Select this option if you wish to specify an existing AD attribute as the sourceAnchor attribute.

How to enable the ConsistencyGuid feature - Existing deployment

If you have an existing Azure AD Connect deployment that uses objectGUID as the Source Anchor attribute, you can switch it to ConsistencyGuid instead.

Note

Only newer versions of Azure AD Connect (1.1.552.0 and after) support switching from ObjectGuid to ConsistencyGuid as the Source Anchor attribute.

To switch from objectGUID to ConsistencyGuid as the Source Anchor attribute:

  1. Start the Azure AD Connect wizard and click Configure to go to the Tasks screen.

  2. Select the Configure Source Anchor task option and click Next.

    [Figure: Enable ConsistencyGuid for an existing deployment - step 2]

  3. Enter your Azure AD Administrator credentials and click Next.

  4. The Azure AD Connect wizard analyzes the state of the ms-DS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any object in the directory, Azure AD Connect concludes that no other application is currently using the attribute and that it is safe to use it as the Source Anchor attribute. Click Next to continue.

    [Figure: Enable ConsistencyGuid for an existing deployment - step 4]

  5. In the Ready to Configure screen, click Configure to make the configuration change.

    [Figure: Enable ConsistencyGuid for an existing deployment - step 5]

  6. Once the configuration completes, the wizard indicates that ms-DS-ConsistencyGuid is now being used as the Source Anchor attribute.

    [Figure: Enable ConsistencyGuid for an existing deployment - step 6]

During the analysis (step 4), if the attribute is configured on one or more objects in the directory, the wizard concludes that the attribute is being used by another application and returns an error as illustrated in the figure below. This error can also occur if you have previously enabled the ConsistencyGuid feature on your primary Azure AD Connect server and you are trying to do the same on your staging server.

[Figure: Enable ConsistencyGuid for an existing deployment - error]

If you are certain that the attribute isn't used by other existing applications, you can suppress the error by restarting the Azure AD Connect wizard with the /SkipLdapSearch switch specified. To do so, run the following command at a command prompt:

"c:\Program Files\Azure Active Directory Connect\AzureADConnect.exe" /SkipLdapSearch

Impact on AD FS or third-party federation configuration

If you are using Azure AD Connect to manage your on-premises AD FS deployment, Azure AD Connect automatically updates the claim rules to use the same AD attribute as sourceAnchor. This ensures that the ImmutableID claim generated by AD FS is consistent with the sourceAnchor values exported to Azure AD.

If you are managing AD FS outside of Azure AD Connect, or you are using third-party federation servers for authentication, you must manually update the claim rules so that the ImmutableID claim is consistent with the sourceAnchor values exported to Azure AD, as described in the article section Modify AD FS claim rules. The wizard returns the following warning after installation completes:

[Figure: Third-party federation configuration warning]

Adding new directories to an existing deployment

Suppose you have deployed Azure AD Connect with the ConsistencyGuid feature enabled, and now you would like to add another directory to the deployment. When you try to add the directory, the Azure AD Connect wizard checks the state of the ms-DS-ConsistencyGuid attribute in that directory. If the attribute is configured on one or more objects in the directory, the wizard concludes that the attribute is being used by other applications and returns an error as illustrated in the figure below. If you are certain that the attribute isn't used by existing applications, you can suppress the error by restarting the Azure AD Connect wizard with the /SkipLdapSearch switch specified, as described above; otherwise, contact Support for more information.

[Figure: Adding a new directory to an existing deployment]

Azure AD sign-in

While integrating your on-premises directory with Azure AD, it is important to understand how the synchronization settings can affect the way users authenticate. Azure AD uses userPrincipalName (UPN) to authenticate the user. However, when you synchronize your users, you must choose carefully the attribute to be used for the value of userPrincipalName.

Choosing the attribute for userPrincipalName

When you are selecting the attribute that provides the value of the UPN to be used in Azure, you should ensure that:

  • The attribute values conform to the UPN syntax (RFC 822), that is, they are of the format username@domain
  • The suffix in the values matches one of the verified custom domains in Azure AD

In express settings, the assumed choice for the attribute is userPrincipalName. If the userPrincipalName attribute does not contain the value you want your users to sign in to Azure with, you must choose Custom Installation.

Custom domain state and UPN

It is important to ensure that there is a verified domain for the UPN suffix.

John is a user in contoso.com. You want John to use the on-premises UPN john@contoso.com to sign in to Azure after you have synced users to your Azure AD directory contoso.partner.onmschina.cn. To do so, you need to add and verify contoso.com as a custom domain in Azure AD before you can start syncing the users. If the UPN suffix of John, for example contoso.com, does not match a verified domain in Azure AD, Azure AD replaces the UPN suffix with contoso.partner.onmschina.cn.

Non-routable on-premises domains and UPN for Azure AD

Some organizations have non-routable domains, like contoso.local, or simple single-label domains like contoso. You are not able to verify a non-routable domain in Azure AD. Azure AD Connect can sync only to a verified domain in Azure AD. When you create an Azure AD directory, it creates a routable domain that becomes the default domain for your Azure AD, for example contoso.partner.onmschina.cn. Therefore, in such a scenario it becomes necessary to verify another routable domain if you don't want to sync to the default partner.onmschina.cn domain.

Read Add your custom domain name to Azure Active Directory for more information on adding and verifying domains.

Azure AD Connect detects if you are running in a non-routable domain environment and warns you appropriately against going ahead with express settings. If you are operating in a non-routable domain, it is likely that the UPNs of the users have non-routable suffixes too. For example, if you are running under contoso.local, Azure AD Connect suggests that you use custom settings rather than express settings. Using custom settings, you are able to specify the attribute that should be used as the UPN to sign in to Azure after the users are synced to Azure AD.
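An added example (not code from the page or from Azure AD Connect) of the pre-sync check the last two sections call for: it validates that a UPN has the username@domain shape, predicts the sign-in name Azure AD will assign when the suffix is not a verified domain (the page's contoso.com / contoso.partner.onmschina.cn scenario), and flags the non-routable suffixes (contoso.local, single-label contoso) that can never be verified. The verified-domain list, the sample UPNs and the is_routable_suffix heuristic are assumptions for the example.

```python
import re
from typing import List

# Constructed tenant state for the example: the page's default Azure AD domain
# plus contoso.com, which the scenario says has been added and verified.
DEFAULT_DOMAIN = "contoso.partner.onmschina.cn"
VERIFIED_DOMAINS = ["contoso.com", DEFAULT_DOMAIN]

# Minimal username@domain shape; a full RFC 822 parser is out of scope here.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def is_routable_suffix(suffix: str) -> bool:
    """Heuristic (assumption) covering the two cases the page names: a
    single-label suffix and a .local suffix cannot be verified in Azure AD."""
    return "." in suffix and not suffix.lower().endswith(".local")


def azure_upn(on_prem_upn: str, verified: List[str] = VERIFIED_DOMAINS,
              default: str = DEFAULT_DOMAIN) -> str:
    """UPN the user will sign in with after sync: if the suffix is not one of the
    tenant's verified domains, Azure AD replaces it with the default domain."""
    if not UPN_RE.match(on_prem_upn):
        raise ValueError(f"{on_prem_upn!r} does not match the username@domain UPN syntax")
    user, suffix = on_prem_upn.rsplit("@", 1)
    if suffix.lower() in {d.lower() for d in verified}:
        return on_prem_upn
    return f"{user}@{default}"


def upn_report(upns: List[str]) -> List[str]:
    """Flag every user whose sign-in name will change after sync, and why,
    so the decision between express and custom settings is made beforehand."""
    findings = []
    for upn in upns:
        target = azure_upn(upn)
        if target == upn:
            continue
        suffix = upn.rsplit("@", 1)[1]
        reason = "non-routable suffix" if not is_routable_suffix(suffix) else "domain not verified"
        findings.append(f"{upn} -> {target} ({reason})")
    return findings
```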

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.