Azure AD Connect 的拓扑Topologies for Azure AD Connect

本文介绍了使用 Azure AD Connect 同步作为关键集成解决方案的各种本地拓扑和 Azure Active Directory (Azure AD) 拓扑。This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect sync as the key integration solution. 此外,介绍支持和不支持的配置。This article includes both supported and unsupported configurations.

下面是本文中的图片图例:Here's the legend for pictures in the article:

说明Description 符号Symbol
本地 Active Directory 林On-premises Active Directory forest 本地 Active Directory 林
包含筛选导入的本地 Active DirectoryOn-premises Active Directory with filtered import 包含筛选导入的 Active Directory
Azure AD Connect 同步服务器Azure AD Connect sync server Azure AD Connect 同步服务器
Azure AD Connect 同步服务器“暂存模式”Azure AD Connect sync server “staging mode” Azure AD Connect 同步服务器“暂存模式”
装有 Forefront Identity Manager (FIM) 2010 或 Microsoft Identity Manager (MIM) 2016 的 GALSyncGALSync with Forefront Identity Manager (FIM) 2010 or Microsoft Identity Manager (MIM) 2016 使用 FIM 2010 或 MIM 2016 的 GALSync
Azure AD Connect 同步服务器(详细说明)Azure AD Connect sync server, detailed Azure AD Connect 同步服务器,详细说明
Azure ADAzure AD Azure Active Directory
不支持的方案Unsupported scenario 不支持的方案

Important

Microsoft 不支持在正式记录的配置或操作之外修改或操作 Azure AD Connect 同步。Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the configurations or actions that are formally documented. 其中的任何配置或操作都可能会导致 Azure AD Connect 同步出现不一致或不受支持状态。因此,Microsoft 无法提供这种部署的技术支持。Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.

单个林,单个 Azure AD 租户Single forest, single Azure AD tenant

单个林和单个租户的拓扑

最常见的拓朴是包含一个或多个域的单个本地林,以及单个 Azure AD 租户。The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. Azure AD 身份验证使用密码哈希同步。For Azure AD authentication, password hash synchronization is used. Azure AD Connect 的快速安装仅支持此拓扑。The express installation of Azure AD Connect supports only this topology.

单个林,多个同步服务器连接到一个 Azure AD 租户Single forest, multiple sync servers to one Azure AD tenant

单个林不支持的筛选拓扑

不支持多个 Azure AD Connect 同步服务器连接到同一个 Azure AD 租户( 暂存服务器除外)。Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except for a staging server. 即使将这些服务器配置为与一组互斥对象同步,也不支持这种拓扑。It's unsupported even if these servers are configured to synchronize with a mutually exclusive set of objects. 如果无法从单个服务器连接到林中的所有域,或者想要将负载分布到多个服务器,则应该考虑这种拓扑。You might have considered this topology if you can't reach all domains in the forest from a single server, or if you want to distribute load across several servers.

多个林,单个 Azure AD 租户Multiple forests, single Azure AD tenant

多个林和单个租户的拓扑

许多组织具有包含多个本地 Active Directory 林的环境。Many organizations have environments with multiple on-premises Active Directory forests. 有多种原因导致出现多个本地 Active Directory 林。There are various reasons for having more than one on-premises Active Directory forest. 典型示例是使用帐户资源林的设计,以及合并和收购之后采用的设计。Typical examples are designs with account-resource forests and the result of a merger or acquisition.

如果使用多个林,所有林必须可由单个 Azure AD Connect 同步服务器访问。When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. 不需要将服务器加入域。You don't have to join the server to a domain. 如果需要访问所有林,可将服务器放在外围网络(也称为外围网络、外围安全区域或屏蔽子网)中。If necessary to reach all forests, you can place the server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

Azure AD Connect 安装向导提供多个选项用于合并多个林中显示的用户。The Azure AD Connect installation wizard offers several options to consolidate users who are represented in multiple forests. 目标是一个用户只在 Azure AD 中显示一次。The goal is that a user is represented only once in Azure AD. 可以在安装向导的自定义安装路径中配置某些常见拓扑。There are some common topologies that you can configure in the custom installation path in the installation wizard. 在“唯一标识你的用户”页上选择表示拓扑的相应选项。On the Uniquely identifying your users page, select the corresponding option that represents your topology. 只对用户配置合并。The consolidation is configured only for users. 复制的组不会与默认配置合并。Duplicated groups are not consolidated with the default configuration.

有关独立的拓扑、完整网格帐户资源拓扑的部分讨论了常见拓扑。Common topologies are discussed in the sections about separate topologies, full mesh, and the account-resource topology.

Azure AD Connect 同步中的默认配置假设:The default configuration in Azure AD Connect sync assumes:

  • 每个用户只有一个已启用的帐户并且此帐户所在的林用于对用户进行身份验证。Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. 这种假设适用于密码哈希同步和联合。This assumption is for both password hash sync and federation. UserPrincipalName 和 sourceAnchor/immutableID 来自此林。UserPrincipalName and sourceAnchor/immutableID come from this forest.
  • 每个用户只有一个邮箱。Each user has only one mailbox.
  • 托管用户邮箱的林具有 Exchange 全局地址列表 (GAL) 中可见属性的最佳数据质量。The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange Global Address List (GAL). 如果用户没有邮箱,则任何林都可以用于提供这些属性值。If there's no mailbox for the user, any forest can be used to contribute these attribute values.
  • 如果有链接邮箱,则还有其他林中的某个帐户用于登录。If you have a linked mailbox, there's also an account in a different forest used for sign-in.

如果环境不符合这些假设,则会发生以下情况:If your environment does not match these assumptions, the following things happen:

  • 如果使用多个活动帐户或多个邮箱,同步引擎将选择其中一个并忽略其他帐户或邮箱。If you have more than one active account or more than one mailbox, the sync engine picks one and ignores the other.
  • 没有其他活动帐户的链接邮箱不会导出到 Azure AD。A linked mailbox with no other active account is not exported to Azure AD. 用户帐户不会显示为任何组中的成员。The user account is not represented as a member in any group. DirSync 中的链接邮箱始终显示为普通邮箱。A linked mailbox in DirSync is always represented as a normal mailbox. 这项更改是有意而为的,目的是使用不同的行为来更好地支持多林方案。This change is intentionally a different behavior to better support multiple-forest scenarios.

可在了解默认配置中找到更多详细信息。You can find more details in Understanding the default configuration.

多个林,多个同步服务器连接到单个 Azure AD 租户Multiple forests, multiple sync servers to one Azure AD tenant

多个林和多个同步服务器不支持的拓扑

不支持多个 Azure AD Connect 同步服务器连接到单个 Azure AD 租户。Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. 使用 暂存服务器时例外。The exception is the use of a staging server.

此拓扑与下面的拓扑不同,不支持连接到单个 Azure AD 租户的多个同步服务器This topology differs from the one below in that multiple sync servers connected to a single Azure AD tenant is not supported.

多个林、单个同步服务器、用户仅在一个目录中表示Multiple forests, single sync server, users are represented in only one directory

表示用户在所有目录中只出现一次的选项

描述多个林和独立的拓扑

在此环境中,所有本地林都被视为独立的实体。In this environment, all on-premises forests are treated as separate entities. 没有用户出现在任何其他林中。No user is present in any other forest. 每个林都有其自己的 Exchange 组织,并且林之间没有任何 GALSync。Each forest has its own Exchange organization, and there's no GALSync between the forests. 合并/收购之后或者如果组织中的每个业务单位独立运营,可能会出现这种拓扑。This topology might be the situation after a merger/acquisition or in an organization where each business unit operates independently. 在 Azure AD 中,这些林位于相同的组织中并与统一的 GAL 一起出现。These forests are in the same organization in Azure AD and appear with a unified GAL. 在上图中,每个林中的每个对象会在 Metaverse 中出现一次,并在目标 Azure AD 租户中聚合。In the preceding picture, each object in every forest is represented once in the metaverse and aggregated in the target Azure AD tenant.

多个林:匹配用户Multiple forests: match users

对于所有这些方案,一种常见情况是分发组和安全组可以包含用户、联系人和外部安全主体 (FSP) 的混合形式。Common to all these scenarios is that distribution and security groups can contain a mix of users, contacts, and Foreign Security Principals (FSPs). 可在 Active Directory 域服务 (AD DS) 中使用 FSP 来表示安全组中来自其他林的成员。FSPs are used in Active Directory Domain Services (AD DS) to represent members from other forests in a security group. 在 Azure AD 中,所有 FSP 解析为实际对象。All FSPs are resolved to the real object in Azure AD.

多个林:包含可选 GALSync 的完整网格Multiple forests: full mesh with optional GALSync

当用户标识跨多个目录存在时使用 mail 属性进行匹配的选项

多个林的完整网格拓扑

完整网格拓扑允许用户和资源位于任何林中。A full mesh topology allows users and resources to be located in any forest. 通常,林之间建立了双向信任。Commonly, there are two-way trusts between the forests.

如果 Exchange 存在于多个林中,则可以选择使用本地 GALSync 解决方案。If Exchange is present in more than one forest, there might be (optionally) an on-premises GALSync solution. 这样,每个用户将表示为其他所有林中的联系人。Every user is then represented as a contact in all other forests. GALSync 通常是使用 FIM 2010 或 MIM 2016 实现的。GALSync is commonly implemented through FIM 2010 or MIM 2016. Azure AD Connect 无法用于本地 GALSync。Azure AD Connect cannot be used for on-premises GALSync.

在此方案中,标识对象通过 mail 属性进行联接。In this scenario, identity objects are joined via the mail attribute. 一个林中具有邮箱的用户与其他林中的联系人进行联接。A user who has a mailbox in one forest is joined with the contacts in the other forests.

多个林:帐户资源林Multiple forests: account-resource forest

当用户标识跨多个目录存在时使用 ObjectSID 和 msExchMasterAccountSID 属性进行匹配的选项

多个林的帐户资源林拓扑

在帐户资源林拓扑中,有一个或多个包含活动用户帐户的 帐户 林。In an account-resource forest topology, you have one or more account forests with active user accounts. 此外,还有一个或多个包含已禁用帐户的 资源 林。You also have one or more resource forests with disabled accounts.

在此方案中,一个(或多个)资源林信任所有帐户林。In this scenario, one (or more) resource forest trusts all account forests. 资源林通常包含装有 Exchange 和 Lync 的扩展 Active Directory 架构。The resource forest typically has an extended Active Directory schema with Exchange and Lync. 所有 Exchange 和 Lync 服务以及其他共享服务都位于此林中。All Exchange and Lync services, along with other shared services, are located in this forest. 用户在此林中具有一个禁用的用户帐户,并且邮箱被链接到帐户林。Users have a disabled user account in this forest, and the mailbox is linked to the account forest.

Office 365 和拓扑注意事项Office 365 and topology considerations

某些 Office 365 工作负荷对支持的拓扑实施一些限制:Some Office 365 workloads have certain restrictions on supported topologies:

工作负载Workload 限制Restrictions
Exchange OnlineExchange Online 有关 Exchange Online 支持的混合拓扑的详细信息,请参阅具有多个 Active Directory 林的混合部署For more information about hybrid topologies supported by Exchange Online, see Hybrid deployments with multiple Active Directory forests.
Skype for BusinessSkype for Business 使用多个本地林时,只支持帐户资源林拓扑。When you're using multiple on-premises forests, only the account-resource forest topology is supported. 有关详细信息,请参阅 Skype for Business Server 2015 的环境要求For more information, see Environmental requirements for Skype for Business Server 2015.

暂存服务器Staging server

拓扑中的暂存服务器

Azure AD Connect 支持以 暂存模式安装第二个服务器。Azure AD Connect supports installing a second server in staging mode. 使用此模式的服务器从所有已连接的目录读取数据,但不会向已连接的目录写入任何数据。A server in this mode reads data from all connected directories but does not write anything to connected directories. 它使用普通的同步周期,因此具有标识数据的更新副本。It uses the normal synchronization cycle and therefore has an updated copy of the identity data.

在主服务器发生故障的灾难事件中,可以故障转移到暂存服务器。In a disaster where the primary server fails, you can fail over to the staging server. 在 Azure AD Connect 向导中执行此操作。You do this in the Azure AD Connect wizard. 可将第二个服务器定位在不同的数据中心,因为没有基础结构与主服务器共享。This second server can be located in a different datacenter because no infrastructure is shared with the primary server. 必须手动将主服务器上所做的任何配置更改复制到第二个服务器。You must manually copy any configuration change made on the primary server to the second server.

可以使用暂存服务器来测试新的自定义配置及其对数据造成的影响。You can use a staging server to test a new custom configuration and the effect that it has on your data. 可以预览更改并调整配置。You can preview the changes and adjust the configuration. 如果满意新的配置,可让暂存服务器成为活动服务器,将旧的活动服务器设置为暂存模式。When you're happy with the new configuration, you can make the staging server the active server and set the old active server to staging mode.

还可以使用此方法替换活动的同步服务器。You can also use this method to replace the active sync server. 准备新的服务器,并将其设置为暂存模式。Prepare the new server and set it to staging mode. 确保它处于良好状态、禁用暂存模式(使之成为活动服务器),然后关闭当前活动的服务器。Make sure it's in a good state, disable staging mode (making it active), and shut down the currently active server.

如果想要在不同的数据中心拥有多个备份,也可以配置多个暂存服务器。It's possible to have more than one staging server when you want to have multiple backups in different datacenters.

多个 Azure AD 租户Multiple Azure AD tenants

建议组织在 Azure AD 中部署单个租户。We recommend having a single tenant in Azure AD for an organization.

多个林和多个租户的拓扑

Azure AD Connect 同步服务器与 Azure AD 租户之间不存在一对一的关系。There's a 1:1 relationship between an Azure AD Connect sync server and an Azure AD tenant. 在每个 Azure AD 租户中,需要安装一个 Azure AD Connect 同步服务器。For each Azure AD tenant, you need one Azure AD Connect sync server installation. Azure AD 租户实例在设计上是隔离的。The Azure AD tenant instances are isolated by design. 也就是说,一个租户中的用户看不到另一个租户中的用户。That is, users in one tenant can't see users in the other tenant. 如果想要这种隔离,可以使用这种受支持的配置。If you want this separation, this is a supported configuration. 否则,应使用单一 Azure AD 租户模型。Otherwise, you should use the single Azure AD tenant model.

每个对象只在 Azure AD 租户中运行一次Each object only once in an Azure AD tenant

单个林的筛选拓扑

在此拓扑中,一个 Azure AD Connect 同步服务器连接到每个 Azure AD 租户。In this topology, one Azure AD Connect sync server is connected to each Azure AD tenant. Azure AD Connect 同步服务器必须设置筛选,让它们都有一组对象的互斥集可运行。The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. 例如,可将每个服务器的范围设置为特定域或组织单位。You can, for example, scope each server to a particular domain or organizational unit.

DNS 域只能在单个 Azure AD 租户中注册。A DNS domain can be registered in only a single Azure AD tenant. 本地 Active Directory 实例中的用户 UPN 也必须使用独立的命名空间。The UPNs of the users in the on-premises Active Directory instance must also use separate namespaces. 例如,在上图中,三个独立 UPN 后缀都注册在本地 Active Directory 实例中:contoso.com、fabrikam.com 和 wingtiptoys.com。For example, in the preceding picture, three separate UPN suffixes are registered in the on-premises Active Directory instance: contoso.com, fabrikam.com, and wingtiptoys.com. 每个本地 Active Directory 域中的用户使用不同的命名空间。The users in each on-premises Active Directory domain use a different namespace.

Note

全局地址列表同步 (GalSync) 未在此拓扑中自动执行,需要其他自定义 MIM 实现,以确保每个租户在 Exchange Online 和 Skype for Business Online 中具有完整的全局地址列表 (GAL)。Global Address List Synchronization (GalSync) is not done automatically in this topology and requires an additional custom MIM implementation to ensure each tenant has a complete Global Address List (GAL) in Exchange Online and Skype for Business Online.

另外,此拓扑对支持的方案实施以下限制:This topology has the following restrictions on otherwise supported scenarios:

  • 只有一个 Azure AD 租户可以使用本地 Active Directory 实例启用 Exchange 混合部署。Only one of the Azure AD tenants can enable an Exchange hybrid with the on-premises Active Directory instance.
  • Windows 10 设备只能与一个 Azure AD 租户相关联。Windows 10 devices can be associated with only one Azure AD tenant.

每个对象在 Azure AD 租户中运行多次Each object multiple times in an Azure AD tenant

单个林和多个租户不支持的拓扑 单个林和多个连接器不支持的拓扑

不支持以下任务:These tasks are unsupported:

  • 将同一用户同步到多个 Azure AD 租户。Sync the same user to multiple Azure AD tenants.
  • 进行配置更改,使一个 Azure AD 租户中的用户显示为另一个 Azure AD 租户中的联系人。Make a configuration change so that users in one Azure AD tenant appear as contacts in another Azure AD tenant.
  • 将 Azure AD Connect 同步修改为连接到多个 Azure AD 租户。Modify Azure AD Connect sync to connect to multiple Azure AD tenants.

使用写回的 GALSyncGALSync by using writeback

多个林和多个目录不支持的拓扑,其中的 GALSync 重点用于 Azure AD 多个林和多个目录不支持的拓扑,其中的 GALSync 重点用于本地 Active Directory

Azure AD 租户在设计上是隔离的。Azure AD tenants are isolated by design. 不支持以下任务:These tasks are unsupported:

  • 将 Azure AD Connect 同步更改为从另一个 Azure AD 租户读取数据。Change the configuration of Azure AD Connect sync to read data from another Azure AD tenant.
  • 使用 Azure AD Connect 同步将用户作为联系人导出到另一个本地 Active Directory 实例。Export users as contacts to another on-premises Active Directory instance by using Azure AD Connect sync.

使用本地同步服务器的 GALSyncGALSync with on-premises sync server

多个林和多个目录的拓扑中的 GALSync

可以使用本地 FIM 2010 或 MIM 2016 在两个 Exchange 组织之间同步用户(通过 GALSync)。You can use FIM 2010 or MIM 2016 on-premises to sync users (via GALSync) between two Exchange organizations. 一个组织中的用户显示为另一组织中的外部用户/联系人。The users in one organization appear as foreign users/contacts in the other organization. 这些不同的本地 Active Directory 实例可与其自身的 Azure AD 租户同步。These different on-premises Active Directory instances can then be synchronized with their own Azure AD tenants.

后续步骤Next steps

若要了解如何为这些方案安装 Azure AD Connect,请参阅 Azure AD Connect 的自定义安装To learn how to install Azure AD Connect for these scenarios, see Custom installation of Azure AD Connect.

了解有关 Azure AD Connect 同步 配置的详细信息。Learn more about the Azure AD Connect sync configuration.

了解有关将本地标识与 Azure Active Directory 集成的详细信息。Learn more about integrating your on-premises identities with Azure Active Directory.