Factors influencing the performance of Azure AD Connect

Azure AD Connect syncs your Active Directory to Azure AD. This server is a critical component of moving your user identities to the cloud. The primary factors that affect the performance of an Azure AD Connect deployment are:

Design factor - Definition

  • Topology - The distribution of the endpoints and components Azure AD Connect must manage on the network.
  • Scale - The number of objects, such as users, groups, and OUs, to be managed by Azure AD Connect.
  • Hardware - The hardware (physical or virtual) for Azure AD Connect and the performance capacity of each hardware component, including CPU, memory, network, and hard drive configuration.
  • Configuration - How Azure AD Connect processes the directories and information.
  • Load - The frequency of object changes. The load may vary during an hour, day, or week. Depending on the component, you may have to design for peak load or average load.

The purpose of this document is to describe the factors influencing the performance of the Azure AD Connect provisioning engine. Large or complex organizations (organizations provisioning more than 100,000 objects) can use the recommendations to optimize their Azure AD Connect implementation if they experience any of the performance issues outlined here. The other components of Azure AD Connect aren't covered here.

Important

Microsoft doesn't support modifying or operating Azure AD Connect outside of the actions that are formally documented. Any such action might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.

Azure AD Connect component factors

The following diagram shows a high-level architecture of the provisioning engine connecting to a single forest, although multiple forests are supported. This architecture shows how the various components interact with each other.

[Diagram: Azure AD Connect internal architecture]

The provisioning engine connects to each Active Directory forest and to Azure AD. The process of reading information from each directory is called Import. Export refers to updating the directories from the provisioning engine. Sync evaluates the rules that govern how objects flow inside the provisioning engine. For a deeper dive, refer to Azure AD Connect sync: Understanding the architecture.

Azure AD Connect uses the following staging areas, rules, and processes to allow the sync from Active Directory to Azure AD:

  • Connector Space (CS) - Objects from each connected directory (CD), the actual directories, are staged here first before they can be processed by the provisioning engine. Azure AD has its own CS, and each forest you connect to has its own CS.
  • Metaverse (MV) - Objects that need to be synced are created here based on the sync rules. Objects must exist in the MV before they can populate objects and attributes in the other connected directories. There's only one MV.
  • Sync rules - They decide which objects will be created (projected) or connected (joined) to objects in the MV. The sync rules also decide which attribute values will be copied or transformed to and from the directories.
  • Run profiles - They bundle the process steps of copying objects and their attribute values, according to the sync rules, between the staging areas and the connected directories.

Different run profiles exist to optimize the performance of the provisioning engine. Most organizations will use the default schedules and run profiles for normal operations, but some organizations may have to change the schedule or trigger other run profiles to cater for uncommon situations. The following run profiles are available:

Initial sync profile

The Initial sync profile is the process of reading the connected directories, like an Active Directory forest, for the first time. It then does an analysis of all entries in the sync engine database. The initial cycle will create new objects in Azure AD and will take extra time to complete if your Active Directory forests are large. The initial sync includes the following steps:

  1. Full import on all connectors
  2. Full sync on all connectors
  3. Export on all connectors

Delta sync profile

To optimize the sync process, this run profile only processes the changes (creates, deletes, and updates) to objects in your connected directories since the last sync process. By default, the delta sync profile runs every 30 minutes. Organizations should strive to keep the time it takes below 30 minutes, to make sure Azure AD stays up to date. The delta sync profile includes the following steps:

  1. Delta import on all connectors
  2. Delta sync on all connectors
  3. Export on all connectors

A typical enterprise organization delta sync scenario is:

  • ~1% of objects are deleted
  • ~1% of objects are created
  • ~5% of objects are modified

Your rate of change may vary depending on how often your organization updates users in your Active Directory. For example, higher rates of change can occur with the seasonality of hiring and reducing the workforce.
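The 30-minute target for the delta sync profile above can be enforced on the server: the following is an added example, not code from this page or from Microsoft, that compares an observed delta cycle duration with the scheduler interval and widens the interval when the cycle does not fit, so consecutive delta cycles never overlap. It assumes the ADSync module that ships with Azure AD Connect (Get-ADSyncScheduler / Set-ADSyncScheduler) and that you supply the measured cycle duration yourself, for example read from Synchronization Service Manager > Operations.

```powershell
# Added example (not from the Microsoft page). Assumes the ADSync module on the
# Azure AD Connect server; the measured delta cycle duration is supplied by the admin.
Import-Module ADSync

function Update-DeltaSyncInterval {
    param(
        [Parameter(Mandatory)][timespan]$MeasuredDeltaCycle,   # observed end-to-end delta cycle
        [timespan]$Margin = [timespan]::FromMinutes(5),          # assumed headroom per cycle
        [switch]$ReportOnly                                      # show the proposal, change nothing
    )
    $scheduler = Get-ADSyncScheduler
    $effective = $scheduler.CurrentlyEffectiveSyncCycleInterval  # 00:30:00 by default
    $minimum   = $scheduler.AllowedSyncCycleInterval             # lower bound enforced by Azure AD

    if ($scheduler.SyncCycleInProgress) {
        Write-Warning "A sync cycle is running; re-run this after it completes."
        return
    }

    $needed = $MeasuredDeltaCycle + $Margin
    if ($needed -le $effective) {
        Write-Output "Delta cycle ($MeasuredDeltaCycle) fits in the $effective interval; no change."
        return
    }
    if ($needed -lt $minimum) { $needed = $minimum }

    # Round up to whole minutes so the value reads cleanly in Get-ADSyncScheduler output.
    $rounded = [timespan]::FromMinutes([math]::Ceiling($needed.TotalMinutes))
    Write-Warning ("Delta cycle {0} exceeds the {1} interval; proposing {2}." -f $MeasuredDeltaCycle, $effective, $rounded)

    if (-not $ReportOnly) {
        # Cannot go below AllowedSyncCycleInterval; larger values are accepted.
        Set-ADSyncScheduler -CustomizedSyncCycleInterval $rounded
        Get-ADSyncScheduler | Select-Object AllowedSyncCycleInterval, CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval
    }
}

# Example call: a measured 38-minute delta cycle against the default 30-minute interval.
Update-DeltaSyncInterval -MeasuredDeltaCycle ([timespan]::FromMinutes(38)) -ReportOnly
```

Drop -ReportOnly once you are satisfied with the proposed interval; widening the interval is a stopgap, and the filtering and hardware recommendations later on this page are the way to bring the cycle itself back under 30 minutes.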

Full sync profile

A full sync cycle is required if you have made any of the following configuration changes:

  • Increased the scope of the objects or attributes to be imported from the connected directories. For example, when you add a domain or OU to your import scope.
  • Made changes to the sync rules. For example, when you create a new rule to populate a user's title in Azure AD from extension_attribute3 in Active Directory. This update requires the provisioning engine to re-examine all existing users and update their titles, so that the change applies going forward.

The following operations are included in a full sync cycle:

  1. Full import on all connectors
  2. Full/Delta sync on all connectors
  3. Export on all connectors

Note

Careful planning is required when doing bulk updates to many objects in your Active Directory or Azure AD. Bulk updates will cause the delta sync process to take longer when importing, since a lot of objects have changed. Long imports can happen even if the bulk update doesn't influence the sync process. For example, assigning licenses to many users in Azure AD will cause a long import cycle from Azure AD, but will not result in any attribute changes in Active Directory.

Synchronization

The sync process runtime has the following performance characteristics:

  • Sync is single threaded, meaning the provisioning engine doesn't do any parallel processing of run profiles across connected directories, objects, or attributes.
  • Import time grows linearly with the number of objects being synced. For example, if 10,000 objects take 10 minutes to import, then 20,000 objects will take approximately 20 minutes on the same server.
  • Export is also linear.
  • Sync time grows exponentially with the number of objects that hold references to other objects. Group memberships and nested groups have the main performance impact, because their members refer to user objects or other groups. These references must be found and resolved to actual objects in the MV to complete the sync cycle.

Filtering

The size of the Active Directory topology you want to import is the number one factor influencing the performance, and the overall time taken, of the internal components of the provisioning engine.

Filtering should be used to reduce the number of objects to be synced. It prevents unnecessary objects from being processed and exported to Azure AD. In order of preference, the following filtering techniques are available:

  • Domain-based filtering - use this option to select specific domains to sync to Azure AD. You must add and remove domains from the sync engine configuration when you make changes to your on-premises infrastructure after you install Azure AD Connect sync.
  • Organizational Unit (OU) filtering - uses OUs to target specific objects in Active Directory domains for provisioning to Azure AD. OU filtering is the second recommended filtering mechanism, because it uses simple LDAP scope queries to import a smaller subset of objects from Active Directory.
  • Attribute filtering per object - uses the attribute values on objects to decide whether a specific object in Active Directory is provisioned in Azure AD. Attribute filtering is great for fine-tuning your filters when domain and OU filtering don't meet the specific filtering requirements. Attribute filtering doesn't reduce the import time, but it can reduce sync and export times.
  • Group-based filtering - uses group membership to decide whether objects should be provisioned in Azure AD. Group-based filtering is only suited for testing situations and is not recommended for production, because of the extra overhead required to check group membership during the sync cycle.

Many persistent disconnector objects in your Active Directory CS can cause longer sync times, because the provisioning engine must re-evaluate each disconnector object for a possible connection in every sync cycle. To overcome this issue, consider one of the following recommendations:

  • Place the disconnector objects out of scope for import, using domain or OU filtering.
  • Project/join the objects to the MV and set the cloudFiltered attribute equal to True, to prevent provisioning of these objects in the Azure AD CS.

Note

Users can get confused, or application permission issues can occur, when too many objects are filtered. For example, in a hybrid Exchange Online implementation, users with on-premises mailboxes will see more users in their global address list than users with mailboxes in Exchange Online. In other cases, a user may want to grant access in a cloud app to another user who is not part of the filtered set of objects.

Attribute flows

Attribute flow is the process of copying or transforming the attribute values of objects from one connected directory to another connected directory. Attribute flows are defined as part of the sync rules. For example, when the telephone number of a user is changed in your Active Directory, the telephone number in Azure AD will be updated. Organizations can modify the attribute flows to suit various requirements. It's recommended that you copy the existing attribute flows before changing them.

Simple redirects, like flowing an attribute value to a different attribute, don't have a material performance impact. An example of a redirect is flowing the mobile number in Active Directory to the office phone number in Azure AD.

Transforming attribute values can have a performance impact on the sync process. Transforming attribute values includes modifying, reformatting, concatenating, or subtracting values of attributes.

Organizations can prevent certain attributes from flowing to Azure AD, but doing so won't influence the performance of the provisioning engine.

Note

Don't delete unwanted attribute flows in your sync rules. It's recommended that you disable them instead, because deleted rules are recreated during Azure AD Connect upgrades.

Azure AD Connect dependency factors

The performance of Azure AD Connect depends on the performance of the connected directories it imports from and exports to. Examples are the size of the Active Directory it needs to import, or the network latency to the Azure AD service. The SQL database the provisioning engine uses also impacts the overall performance of the sync cycle.

Active Directory factors

As mentioned previously, the number of objects to be imported influences the performance significantly. The hardware and prerequisites for Azure AD Connect outline specific hardware tiers based on the size of your deployment. Azure AD Connect only supports the specific topologies outlined in Topologies for Azure AD Connect. There are no performance optimizations or recommendations for unsupported topologies.

Make sure your Azure AD Connect server meets the hardware requirements for the size of the Active Directory you want to import. Bad or slow network connectivity between the Azure AD Connect server and your Active Directory domain controllers can slow down your import.

Azure AD factors

Azure AD uses throttling to protect the cloud service from denial-of-service (DoS) attacks. Currently, Azure AD has a throttling limit of 7,000 writes per 5 minutes (84,000 per hour). For example, the following operations can be throttled:

  • Azure AD Connect export to Azure AD.
  • PowerShell scripts or applications updating Azure AD directly, even in the background.
  • Users updating their own identity records, such as registering for MFA or SSPR (self-service password reset).
  • Operations within the graphical user interface.

Plan deployment and maintenance tasks so that your Azure AD Connect sync cycle is not impacted by throttling limits. For example, a large hiring wave in which you create thousands of user identities can cause updates to licensing assignments and self-service password reset registrations. It's better to spread these writes over several hours or a few days.
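Because the export from Azure AD Connect shares the 7,000-writes-per-5-minutes budget with every script and self-service action listed above, spreading a bulk job means budgeting for the other writers too. The following is an added example, not code from this page or from Microsoft: Get-BulkWritePlan splits a bulk job into per-window batches that leave headroom for the Azure AD Connect export, and Find-ThrottledWindow runs a sliding 5-minute window over a constructed timeline of write counts to flag windows that would exceed the limit. The 2,000-write headroom and the timeline values are assumptions for illustration; the script makes no Azure calls.

```powershell
# Added example (not from the Microsoft page). Pure computation around the
# throttling limit quoted in the article; no Azure AD cmdlets are invoked.
$ThrottleLimit = 7000   # writes per window, from the article
$WindowSeconds = 300    # 5-minute window

function Get-BulkWritePlan {
    # Split a bulk job into per-window batches that leave headroom for the
    # Azure AD Connect export and self-service writes sharing the same limit.
    param(
        [Parameter(Mandatory)][int]$TotalWrites,
        [int]$ReservedPerWindow = 2000   # assumed headroom; tune to your observed export volume
    )
    $batchSize = $ThrottleLimit - $ReservedPerWindow
    if ($batchSize -le 0) { throw "Reserved headroom leaves no capacity for the bulk job." }
    $windows = [math]::Ceiling($TotalWrites / $batchSize)
    [pscustomobject]@{
        BatchSize    = $batchSize
        Windows      = $windows
        PauseSeconds = $WindowSeconds   # sleep this long between batches
        TotalHours   = [math]::Round($windows * $WindowSeconds / 3600, 2)
    }
}

function Find-ThrottledWindow {
    # Sliding-window check over timestamped write counts from any source
    # (Azure AD Connect export, scripts, MFA/SSPR registrations). Returns the
    # window start times whose combined writes exceed the limit.
    param([Parameter(Mandatory)][object[]]$WriteEvents)   # objects with Time and Writes
    $sorted = @($WriteEvents | Sort-Object Time)
    $hits = @()
    foreach ($anchor in $sorted) {
        $end = $anchor.Time.AddSeconds($WindowSeconds)
        $sum = 0
        foreach ($e in $sorted) {
            if ($e.Time -ge $anchor.Time -and $e.Time -lt $end) { $sum += $e.Writes }
        }
        if ($sum -gt $ThrottleLimit) {
            $hits += [pscustomobject]@{ WindowStart = $anchor.Time; Writes = $sum }
        }
    }
    return $hits
}

# Constructed timeline: a delta export at 09:00 and an unpaced licensing script two minutes later.
$t0 = [datetime]'2024-01-15T09:00:00'
$timeline = @(
    [pscustomobject]@{ Time = $t0;                Writes = 1500; Source = 'Azure AD Connect export' }
    [pscustomobject]@{ Time = $t0.AddMinutes(2);  Writes = 6000; Source = 'licensing script' }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); Writes = 1200; Source = 'Azure AD Connect export' }
)
Find-ThrottledWindow -WriteEvents $timeline | Format-Table -AutoSize
Get-BulkWritePlan -TotalWrites 50000 | Format-Table -AutoSize
```

Feed Find-ThrottledWindow your own planned job schedule plus the export volumes you see in Synchronization Service Manager to check a maintenance window before running it.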

SQL database factors

The size of your source Active Directory topology will influence your SQL database performance. Follow the hardware requirements for the SQL Server database and consider the following recommendations:

  • Organizations with more than 100,000 users can reduce network latency by co-locating the SQL database and the provisioning engine on the same server.
  • Due to the high disk input and output (I/O) requirements of the sync process, use solid-state drives (SSD) for the SQL database of the provisioning engine for optimal results; if that is not possible, consider RAID 0 or RAID 1 configurations.
  • Don't do a full sync pre-emptively; it causes unnecessary churn and slower response times.

Conclusion

To optimize the performance of your Azure AD Connect implementation, consider the following recommendations:

  • Use the recommended hardware configuration for the Azure AD Connect server, based on your implementation size.
  • When upgrading Azure AD Connect in large-scale deployments, consider using the swing migration method, to make sure you have the least downtime and best reliability.
  • Use SSDs for the SQL database for the best write performance.
  • Filter the Active Directory scope to include only objects that need to be provisioned in Azure AD, using domain, OU, or attribute filtering.
  • If you need to change the default attribute flow rules, first copy the rule, then change the copy and disable the original rule. Remember to rerun a full sync.
  • Plan adequate time for the initial full sync run profile.
  • Strive to complete the delta sync cycle in 30 minutes. If the delta sync profile doesn't complete in 30 minutes, modify the default sync frequency so that it accommodates a complete delta sync cycle.

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.