Azure AD Connect: Accounts and permissions

Accounts used for Azure AD Connect

Account overview

Azure AD Connect uses 3 accounts in order to synchronize information from on-premises or Windows Server Active Directory to Azure Active Directory. These accounts are:

  • AD DS Connector account: used to read/write information to Windows Server Active Directory

  • ADSync service account: used to run the synchronization service and access the SQL database

  • Azure AD Connector account: used to write information to Azure AD

In addition to these three accounts used to run Azure AD Connect, you will also need the following additional accounts to install Azure AD Connect. These are:

  • Local Administrator account: the administrator who is installing Azure AD Connect and who has local Administrator permissions on the machine.

  • AD DS Enterprise Administrator account: optionally used to create the "AD DS Connector account" above.

  • Azure AD Global Administrator account: used to create the Azure AD Connector account and configure Azure AD.

  • SQL SA account (optional): used to create the ADSync database when using the full version of SQL Server. This SQL Server may be local or remote to the Azure AD Connect installation. This account may be the same account as the Enterprise Administrator. Provisioning the database can now be performed out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights. For information on this, see Install Azure AD Connect using SQL delegated administrator permissions.

Important

As of build 1.4.###.# it is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying "Use existing account", you will receive an error.

Note

It is supported to manage the administrative accounts used in Azure AD Connect from an ESAE Administrative Forest (also known as "Red forest"). Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment. To learn more about dedicated administrative forests, please refer to ESAE Administrative Forest Design Approach.


Note

The Global Administrator role is not required after the initial setup, and the only required account will be the Directory Synchronization Accounts role account. That does not necessarily mean that you will want to just remove the account with the Global Administrator role. It is better to change the role to a less powerful role, as totally removing the account may introduce issues if you ever need to re-run the wizard again. By reducing the privilege of the role you can always re-elevate the privileges if you have to utilize the Azure AD Connect wizard again.

Installing Azure AD Connect

The Azure AD Connect installation wizard offers two different paths:

  • In Express Settings, the wizard requires more privileges. This is so that it can set up your configuration easily, without requiring you to create users or configure permissions.
  • In Custom Settings, the wizard offers you more choices and options. However, there are some situations in which you need to ensure you have the correct permissions yourself.

Express settings installation

In Express settings, the installation wizard asks for the following:

  • AD DS Enterprise Administrator credentials
  • Azure AD Global Administrator credentials

AD DS Enterprise Admin credentials

The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin, should make sure the permissions in Active Directory can be set in all domains.

If you are upgrading from DirSync, the AD DS Enterprise Admin credentials are used to reset the password for the account used by DirSync. You also need Azure AD Global Administrator credentials.

Azure AD Global Admin credentials

These credentials are only used during the installation and are not used after the installation has completed. They are used to create the Azure AD Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.

AD DS Connector account required permissions for express settings

The AD DS Connector account is created for reading and writing to Windows Server AD and has the following permissions when created by express settings:

| Permission | Used for |
| --- | --- |
| Replicate Directory Changes | Password hash sync |
| Replicate Directory Changes All | Password hash sync |
| Read/Write all properties User | Import and Exchange hybrid |
| Read/Write all properties iNetOrgPerson | Import and Exchange hybrid |
| Read/Write all properties Group | Import and Exchange hybrid |
| Read/Write all properties Contact | Import and Exchange hybrid |

Express installation wizard summary

The following is a summary of the express installation wizard pages, the credentials collected, and what they are used for.

| Wizard page | Credentials collected | Permissions required | Used for |
| --- | --- | --- | --- |
| N/A | User running the installation wizard | Administrator of the local server | Creates the ADSync service account that is used to run the synchronization service. |
| Connect to Azure AD | Azure AD directory credentials | Global administrator role in Azure AD | Enabling sync in the Azure AD directory. Creation of the Azure AD Connector account that is used for on-going sync operations in Azure AD. |
| Connect to AD DS | On-premises Active Directory credentials | Member of the Enterprise Admins (EA) group in Active Directory | Creates the AD DS Connector account in Active Directory and grants permissions to it. This created account is used to read and write directory information during synchronization. |
Custom installation settings

With the custom settings installation, the wizard offers you more choices and options.

Custom installation wizard summary

The following is a summary of the custom installation wizard pages, the credentials collected, and what they are used for.


| Wizard page | Credentials collected | Permissions required | Used for |
| --- | --- | --- | --- |
| N/A | User running the installation wizard | Administrator of the local server. If using a full SQL Server, the user must be System Administrator (SA) in SQL. | By default, creates the local account that is used as the sync engine service account. The account is only created when the admin does not specify a particular account. |
| Install synchronization services, Service account option | AD or local user account credentials | User; permissions are granted by the installation wizard | If the admin specifies an account, this account is used as the service account for the sync service. |
| Connect to Azure AD | Azure AD directory credentials | Global administrator role in Azure AD | Enabling sync in the Azure AD directory. Creation of the Azure AD Connector account that is used for on-going sync operations in Azure AD. |
| Connect your directories | On-premises Active Directory credentials for each forest that is connected to Azure AD | The permissions depend on which features you enable and can be found in Create the AD DS Connector account | This account is used to read and write directory information during synchronization. |
| AD FS Servers | For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect | Domain Administrator | Installation and configuration of the AD FS server role. |
| Web application proxy servers | For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect | Local admin on the target machine | Installation and configuration of the WAP server role. |
| Proxy trust credentials | Federation service trust credentials (the credentials the proxy uses to enroll for a trust certificate from the FS) | Domain account that is a local administrator of the AD FS server | Initial enrollment of the FS-WAP trust certificate. |
| AD FS Service Account page, "Use a domain user account" option | AD user account credentials | Domain user | The Azure AD user account whose credentials are provided is used as the sign-in account of the AD FS service. |

Create the AD DS Connector account

Important

A new PowerShell module named ADSyncConfig.psm1 was introduced with build 1.1.880.0 (released in August 2018) that includes a collection of cmdlets to help you configure the correct Active Directory permissions for the Azure AD DS Connector account.

The account you specify on the Connect your directories page must be present in Active Directory prior to installation. Azure AD Connect version 1.1.524.0 and later has the option to let the Azure AD Connect wizard create the AD DS Connector account used to connect to Active Directory.

It must also have the required permissions granted. The installation wizard does not verify the permissions, and any issues are only found during synchronization.

Which permissions you require depends on the optional features you enable. If you have multiple domains, the permissions must be granted for all domains in the forest. If you do not enable any of these features, the default Domain User permissions are sufficient.

| Feature | Permissions |
| --- | --- |
| ms-DS-ConsistencyGuid feature | Write permissions to the ms-DS-ConsistencyGuid attribute documented in Design Concepts - Using ms-DS-ConsistencyGuid as sourceAnchor. |
| Password hash sync | Replicate Directory Changes; Replicate Directory Changes All |
| Exchange hybrid deployment | Write permissions to the attributes documented in Exchange hybrid writeback for users, groups, and contacts. |
| Exchange Mail Public Folder | Read permissions to the attributes documented in Exchange Mail Public Folder for public folders. |
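Granting the feature-dependent permissions from the table above and then reading them back, as an added example that is not from the Azure AD Connect documentation or product. It uses the ADSyncConfig.psm1 cmdlets mentioned above; the module path, the account name, the domain, and the assumption that the RSAT ActiveDirectory module is present are all assumptions, and the verification step exists because the wizard itself does not check the grants.

```powershell
# Added example; not part of the Azure AD Connect documentation or product.
# Assumptions: the ADSyncConfig module is at its default install path below,
# the AD DS Connector account already exists, and the ActiveDirectory (RSAT)
# module is installed. Switches select the optional features enabled in the wizard.
param(
    [Parameter(Mandatory)] [string] $AccountName,   # sAMAccountName, e.g. MSOL_aadconnect (placeholder)
    [Parameter(Mandatory)] [string] $Domain,        # DNS domain name, e.g. contoso.com (placeholder)
    [switch] $PasswordHashSync,
    [switch] $MsDsConsistencyGuid,
    [switch] $ExchangeHybrid,
    [switch] $ExchangeMailPublicFolder
)

Import-Module ActiveDirectory
# Default location of the module introduced in build 1.1.880.0 (assumed path).
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$target = @{ ADConnectorAccountName = $AccountName; ADConnectorAccountDomain = $Domain }

# Grant only what the enabled features need; with no feature enabled the
# default Domain User permissions are already sufficient.
if ($PasswordHashSync)         { Set-ADSyncPasswordHashSyncPermissions @target }
if ($MsDsConsistencyGuid)      { Set-ADSyncMsDsConsistencyGuidPermissions @target }
if ($ExchangeHybrid)           { Set-ADSyncExchangeHybridPermissions @target }
if ($ExchangeMailPublicFolder) { Set-ADSyncExchangeMailPublicFolderPermissions @target }

# The wizard does not verify the grants, so read the domain-root ACL back.
# These are the well-known control-access-right GUIDs of the two replication rights.
$replicationRights = [ordered]@{
    'Replicate Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicate Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
$domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

foreach ($name in $replicationRights.Keys) {
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $replicationRights[$name] -and
        $_.IdentityReference.Value -like "*\$AccountName"
    }
    $state = if ($ace) { 'granted' }
             elseif ($PasswordHashSync) { 'MISSING (required for password hash sync)' }
             else { 'not granted' }
    '{0,-32} {1}' -f $name, $state
}

# Review step: list every principal holding Replicate Directory Changes All on the
# domain root. Only the connector account and the built-in domain-controller and
# administrator identities are expected here; anything else deserves investigation.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ObjectType -eq $replicationRights['Replicate Directory Changes All'] } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique |
    ForEach-Object { "Holder of 'Replicate Directory Changes All': $_" }
```

Run it once per domain in the forest, since the page notes the grants must exist in every domain; the review list at the end is the same check a defender would repeat periodically to catch unexpected holders of replication rights.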

Upgrade

When you upgrade from one version of Azure AD Connect to a new release, you need the following permissions:

Important

Starting with build 1.1.484, Azure AD Connect introduced a regression bug which requires sysadmin permissions to upgrade the SQL database. This bug is corrected in build 1.1.647. If you are upgrading to this build, you will need sysadmin permissions. DBO permissions are not sufficient. If you attempt to upgrade Azure AD Connect without having sysadmin permissions, the upgrade will fail and Azure AD Connect will no longer function correctly afterwards. Microsoft is aware of this and is working to correct this.

| Principal | Permissions required | Used for |
| --- | --- | --- |
| User running the installation wizard | Administrator of the local server | Update binaries. |
| User running the installation wizard | Member of ADSyncAdmins | Make changes to Sync Rules and other configuration. |
| User running the installation wizard | If you use a full SQL Server: DBO (or similar) of the sync engine database | Make database level changes, such as updating tables with new columns. |

More about the created accounts

AD DS Connector account

If you use express settings, then an account is created in Active Directory that is used for synchronization. The created account is located in the forest root domain in the Users container and has its name prefixed with MSOL_. The account is created with a long complex password that does not expire. If you have a password policy in your domain, make sure long and complex passwords would be allowed for this account.

If you use custom settings, then you are responsible for creating the account before you start the installation. See Create the AD DS Connector account.

ADSync service account

The sync service can run under different accounts. It can run under a Virtual Service Account (VSA), a Group Managed Service Account (gMSA/sMSA), or a regular user account. The supported options were changed with the 2017 April release of Connect when you do a fresh installation. If you upgrade from an earlier release of Azure AD Connect, these additional options are not available.

| Type of account | Installation option | Description |
| --- | --- | --- |
| Virtual Service Account | Express and custom, 2017 April and later | This is the option used for all express installations, except for installations on a Domain Controller. For custom, it is the default option unless another option is used. |
| Group Managed Service Account | Custom, 2017 April and later | If you use a remote SQL server, then we recommend using a group managed service account. |
| User account | Express and custom, 2017 April and later | A user account prefixed with AAD_ is only created during installation when installed on Windows Server 2008 and when installed on a Domain Controller. |
| User account | Express and custom, 2017 March and earlier | A local account prefixed with AAD_ is created during installation. When using custom installation, another account can be specified. |

If you use Connect with a build from 2017 March or earlier, then you should not reset the password on the service account, since Windows destroys the encryption keys for security reasons. You cannot change the account to any other account without reinstalling Azure AD Connect. If you upgrade to a build from 2017 April or later, then it is supported to change the password on the service account, but you cannot change the account used.

    Important

You can only set the service account on first installation. It is not supported to change the service account after the installation has completed.

This is a table of the default, recommended, and supported options for the sync service account.

Legend:

• (default) - the default option, which in most cases is also the recommended option
• (recommended) - the recommended option when it is not the default option
• 2008 - default option when installed on Windows Server 2008
• Other entries - supported option
• Local account - local user account on the server
• Domain account - domain user account
• sMSA - standalone Managed Service Account
• gMSA - group Managed Service Account

| | LocalDB, Express | LocalDB/LocalSQL, Custom | Remote SQL, Custom |
| --- | --- | --- | --- |
| standalone/workgroup machine | Not supported | VSA (default); Local account (2008); Local account | Not supported |
| domain-joined machine | VSA (default); Local account (2008) | VSA (default); Local account (2008); Local account; Domain account; sMSA; gMSA | gMSA (recommended); Domain account |
| Domain Controller | Domain account (default) | gMSA; Domain account; sMSA | gMSA (recommended); Domain account |

Virtual service account

A virtual service account is a special type of account that does not have a password and is managed by Windows.

The VSA is intended to be used with scenarios where the sync engine and SQL are on the same server. If you use remote SQL, then we recommend using a Group Managed Service Account instead.

This feature requires Windows Server 2008 R2 or later. If you install Azure AD Connect on Windows Server 2008, then the installation falls back to using a user account instead.

Group managed service account

If you use a remote SQL server, then we recommend using a group managed service account. For more information on how to prepare your Active Directory for Group Managed Service Accounts, see Group Managed Service Accounts Overview.

To use this option, on the Install required components page, select Use an existing service account, and select Managed Service Account.

It is also supported to use a standalone managed service account. However, these can only be used on the local machine, and there is no benefit to using them over the default virtual service account.

This feature requires Windows Server 2012 or later. If you need to use an older operating system and use remote SQL, then you must use a user account.

User account

A local service account is created by the installation wizard (unless you specify the account to use in custom settings). The account is prefixed AAD_ and is used for the actual sync service to run as. If you install Azure AD Connect on a Domain Controller, the account is created in the domain. The AAD_ service account must be located in the domain if:

• you use a remote server running SQL Server
• you use a proxy that requires authentication

The account is created with a long complex password that does not expire.

This account is used to store the passwords for the other accounts in a secure way. These other accounts' passwords are stored encrypted in the database. The private keys for the encryption keys are protected with the cryptographic services secret-key encryption using the Windows Data Protection API (DPAPI).

If you use a full SQL Server, then the service account is the DBO of the created database for the sync engine. The service will not function as intended with any other permissions. A SQL login is also created.

The account is also granted permissions to files, registry keys, and other objects related to the Sync Engine.

Azure AD Connector account

An account in Azure AD is created for the sync service's use. This account can be identified by its display name.

[Screenshot: AD account]

The name of the server the account is used on can be identified in the second part of the user name. In the picture, the server name is DC1. If you have staging servers, each server has its own account.

The account is created with a long complex password that does not expire. It is granted a special role, Directory Synchronization Accounts, that has only permissions to perform directory synchronization tasks. This special built-in role cannot be granted outside of the Azure AD Connect wizard. The Azure portal shows this account with the role User.

There is a limit of 20 sync service accounts in Azure AD. To get the list of existing Azure AD service accounts in your Azure AD, run the following Azure AD PowerShell cmdlet:

Get-AzureADDirectoryRole | where {$_.DisplayName -eq "Directory Synchronization Accounts"} | Get-AzureADDirectoryRoleMember

To remove unused Azure AD service accounts, run the following Azure AD PowerShell cmdlet:

Remove-AzureADUser -ObjectId <ObjectId-of-the-account-you-wish-to-remove>

    Note

Before you can use the above PowerShell commands, you will need to install the Azure Active Directory PowerShell for Graph module and connect to your instance of Azure AD using Connect-AzureAD.
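An audit of the Directory Synchronization Accounts role members, as an added example that is not from the Azure AD Connect documentation or product: it builds on the two cmdlets shown above to report each account's server, the count against the limit of 20, and which accounts no longer belong to a known server. It assumes Connect-AzureAD has already been run, that a sync account's user principal name takes the form Sync_<server>_<id>@<tenant> (the page only says the server name is the second part of the user name), and the server names in the list are constructed sample values.

```powershell
# Added example; not part of the Azure AD Connect documentation or product.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
# Assumption: sync account UPNs look like Sync_<server>_<id>@<tenant>, so the
# server name is the second underscore-separated part of the user name.
param(
    # Servers (active and staging) that should currently hold a sync account.
    # Constructed sample values; replace with your own server names.
    [string[]] $KnownServers = @('DC1', 'AADC-STAGING'),
    [switch]   $RemoveOrphans      # off by default: report only, delete nothing
)

$limit = 20   # Azure AD allows at most 20 sync service accounts

$role = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Directory Synchronization Accounts' }
if (-not $role) {
    throw 'Directory Synchronization Accounts role not found; no sync account has been created yet.'
}

$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

$report = foreach ($m in $members) {
    $parts  = $m.UserPrincipalName -split '_'
    $server = if ($parts.Count -ge 2) { $parts[1] } else { '<unknown>' }
    [pscustomobject]@{
        UserPrincipalName = $m.UserPrincipalName
        DisplayName       = $m.DisplayName
        Server            = $server
        ObjectId          = $m.ObjectId
        # An account whose server is not in the known list is a leftover from a
        # decommissioned or rebuilt server and is a candidate for removal.
        Orphaned          = ($server -notin $KnownServers)
    }
}

$report | Sort-Object Orphaned -Descending |
    Format-Table UserPrincipalName, Server, Orphaned -AutoSize
'{0} of {1} sync service accounts in use' -f @($report).Count, $limit
if (@($report).Count -ge $limit) { Write-Warning 'Sync service account limit reached.' }

# Removal is opt-in and limited to accounts whose server is no longer known.
if ($RemoveOrphans) {
    foreach ($acct in $report | Where-Object Orphaned) {
        Write-Host "Removing $($acct.UserPrincipalName) ($($acct.ObjectId))"
        Remove-AzureADUser -ObjectId $acct.ObjectId
    }
}
```

Review the report before passing -RemoveOrphans: a staging server that was simply left out of the known list would otherwise lose its account and need the wizard re-run.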

For additional information on how to manage or reset the password for the Azure AD Connector account, see Manage the Azure AD Connect account.

If you did not read the documentation on Integrating your on-premises identities with Azure Active Directory, the following table provides links to related topics.

| Topic | Link |
| --- | --- |
| Download Azure AD Connect | Download Azure AD Connect |
| Install using Express settings | Express installation of Azure AD Connect |
| Install using Customized settings | Custom installation of Azure AD Connect |
| Upgrade from DirSync | Upgrade from Azure AD sync tool (DirSync) |
| After installation | Verify the installation and assign licenses |

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.