Azure Active Directory Connect FAQ

General installation

Q: How can I harden my Azure AD Connect server to decrease the security attack surface?

Microsoft recommends hardening your Azure AD Connect server to decrease the security attack surface for this critical component of your IT environment. The server stores the credentials of the accounts that synchronize your on-premises Active Directory with Azure AD, so treat it as a Tier 0 asset and apply the same controls you apply to a domain controller. Following the recommendations below will decrease the security risks to your organization.

  • Deploy Azure AD Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups.

To learn more, see:
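The recommendation above is easy to state and easy to drift from. The following PowerShell script is an added example (not part of the original FAQ) that audits an Azure AD Connect server against it: it confirms the machine is domain-joined, lists every principal in the local Administrators group that is not on an allow-list, and shows which account the ADSync service runs as. The domain and group names in the allow-list are placeholders you replace with your own; the script assumes Windows Server 2016 or later for Get-LocalGroupMember.

```powershell
# Added example (not from the original FAQ): audit administrative access on an
# Azure AD Connect server against a tightly controlled allow-list.
# Assumptions: Windows Server 2016+ (Get-LocalGroupMember), run elevated;
# the allow-list entries are placeholders for your own Tier 0 groups.

$AllowedPrincipals = @(
    'CONTOSO\Domain Admins',            # placeholder domain and group names
    'CONTOSO\Tier0-AADConnect-Admins'
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed)
    # The built-in local Administrator account is expected; everything else
    # must be on the allow-list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $_.Name -notin $Allowed -and
            $_.Name -ne "$env:COMPUTERNAME\Administrator"
        }
}

# Is the box actually domain-joined?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is not domain-joined; Azure AD Connect should run on a domain-joined server."
}

$unexpected = Get-UnexpectedLocalAdmins -Allowed $AllowedPrincipals
if ($unexpected) {
    Write-Warning 'Principals with local admin rights that are not on the allow-list:'
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group contains only approved principals.'
}

# Which identity does the sync engine run as? By default it is the virtual
# service account NT SERVICE\ADSync; a domain or managed service account is
# expected only when a remote SQL instance or an authenticating proxy is used.
Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'" |
    Select-Object Name, StartName, State, StartMode
```

Run it from an elevated session on the Azure AD Connect server after deployment and again on a schedule; any principal it reports is an administrative path into both directories that the allow-list did not anticipate.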

Q: Will installation work if the Azure Active Directory (Azure AD) Global Admin has two-factor authentication (2FA) enabled?
As of the February 2016 builds, this scenario is supported.

Q: Is there a way to install Azure AD Connect unattended?
Azure AD Connect installation is supported only when you use the installation wizard. An unattended, silent installation is not supported.

Q: I have a forest where one domain cannot be contacted. How do I install Azure AD Connect?
As of the February 2016 builds, this scenario is supported.

Q: Does Azure AD Connect support syncing from two domains to an Azure AD?
Yes, this scenario is supported. Refer to Multiple Domains.

Q: Can you have multiple connectors for the same Active Directory domain in Azure AD Connect?
No, multiple connectors for the same AD domain are not supported.

Q: Can I move the Azure AD Connect database from the local database to a remote SQL Server instance?
Yes, the following steps provide general guidance on how to do this. We are currently working on a more detailed document.

  1. Back up the LocalDB ADSync database. The simplest way to do this is to use SQL Server Management Studio installed on the same machine as Azure AD Connect. Connect to the shared LocalDB instance (LocalDb)\.\ADSync, and then back up the ADSync database.

  2. Restore the ADSync database to your remote SQL Server instance.

  3. Install Azure AD Connect against the existing remote SQL database. The linked article demonstrates how to install against an existing local SQL database. If you are migrating to a remote SQL database, in step 5 of that process you must also enter an existing service account that the Windows sync service will run as. This sync engine service account is described here:

    Use an existing service account: By default, Azure AD Connect uses a virtual service account for the synchronization services. If you use a remote SQL Server instance or a proxy that requires authentication, use a managed service account or a service account in the domain whose password you know. In those cases, enter the account to use. Make sure that the user running the installation is a system administrator (sysadmin) in SQL so that the login for the service account can be created. For more information, see Azure AD Connect accounts and permissions.

    With the latest build, the database can be provisioned out of band by the SQL administrator, after which the Azure AD Connect administrator completes the installation with database owner rights. For more information, see Install Azure AD Connect by using SQL delegated administrator permissions.

To keep things simple, we recommend that the user who installs Azure AD Connect be a system administrator in SQL. However, with recent builds you can use a delegated SQL administrator instead, as described in Install Azure AD Connect using SQL delegated administrator permissions.
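The three steps above can be scripted so that the backup is consistent and the remote instance is ready for the wizard. The following PowerShell script is an added example (not from the original FAQ or from Microsoft) that quiesces the sync scheduler, backs up the LocalDB ADSync database with sqlcmd, restores it on the remote instance, and pre-creates the SQL login for the service account the sync service will run as. The remote instance name, backup share, data directory and service account are placeholders; the logical file names ADSync and ADSync_log are assumed to be the defaults; sqlcmd.exe is assumed to be on PATH and the caller to be sysadmin on both instances.

```powershell
# Added example (not part of the original FAQ): move the ADSync database from
# LocalDB to a remote SQL Server instance ahead of re-running the Azure AD
# Connect wizard against the existing database.
# Assumptions: sqlcmd.exe on PATH; placeholders below replaced with your own
# values; logical file names are the defaults (ADSync / ADSync_log); the
# caller is sysadmin on both instances.

$LocalInstance  = '(LocalDb)\.\ADSync'                        # shared LocalDB instance name
$RemoteInstance = 'sql01.contoso.com\AADC'                    # placeholder
$BackupFile     = '\\fileserver\aadc-migration\ADSync.bak'    # placeholder, readable by both instances
$RemoteDataDir  = 'D:\SQLData'                                # placeholder
$ServiceAccount = 'CONTOSO\svc-aadconnect$'                   # placeholder gMSA (or a domain account)

function Invoke-TSql {
    param([string]$Instance, [string]$Query)
    # Run a T-SQL batch from a temp file. -E: Windows auth; -b: non-zero exit
    # code on a T-SQL error so the migration stops instead of continuing.
    $tmp = New-TemporaryFile
    try {
        Set-Content -Path $tmp.FullName -Value $Query -Encoding UTF8
        & sqlcmd.exe -S $Instance -E -b -i $tmp.FullName
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed against $Instance" }
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
}

# 1. Quiesce the sync engine so the backup is not taken mid-cycle. The ADSync
#    service stays running because it owns the LocalDB instance. Note that the
#    scheduler state lives in the database, so the restored copy will also have
#    the scheduler disabled; re-enable it after the wizard completes.
Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $false

Invoke-TSql -Instance $LocalInstance -Query @"
BACKUP DATABASE [ADSync] TO DISK = N'$BackupFile' WITH INIT, CHECKSUM;
"@

# 2. Restore on the remote instance. WITH MOVE relocates the files because the
#    LocalDB paths do not exist there. If the MOVE clauses fail, confirm the
#    logical names with: RESTORE FILELISTONLY FROM DISK = N'<backup file>'.
Invoke-TSql -Instance $RemoteInstance -Query @"
RESTORE DATABASE [ADSync] FROM DISK = N'$BackupFile'
WITH MOVE 'ADSync'     TO N'$RemoteDataDir\ADSync.mdf',
     MOVE 'ADSync_log' TO N'$RemoteDataDir\ADSync_log.ldf',
     CHECKSUM, RECOVERY;
"@

# 3. The wizard needs a login for the account the sync service will run as on
#    the remote instance; create it if it does not exist yet.
Invoke-TSql -Instance $RemoteInstance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
"@

Write-Output 'Database staged on the remote instance; run the Azure AD Connect wizard against it, then re-enable the scheduler with Set-ADSyncScheduler -SyncCycleEnabled $true.'
```

The backup file contains the connector credentials in encrypted form plus every synchronized attribute, so put it on a share that only the migration operators can read and delete it once the wizard has completed against the remote database.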


Q: I have a firewall, network device, or something else that limits the time that connections can stay open on my network. What should my client-side timeout threshold be when I use Azure AD Connect?
All networking software, physical devices, or anything else that limits the maximum time that connections can remain open should use a threshold of at least five minutes (300 seconds) for connectivity between the server where the Azure AD Connect client is installed and Azure Active Directory. This recommendation also applies to all previously released Microsoft identity synchronization tools.

Q: Are single label domains (SLDs) supported?
While we strongly recommend against this network configuration (see article), using Azure AD Connect sync with a single label domain is supported, as long as the network configuration for the single label domain is functioning correctly.

Q: Are forests with disjoint AD domains supported?
No, Azure AD Connect does not support on-premises forests that contain disjoint namespaces.

Q: Are "dotted" NetBIOS names supported?
No, Azure AD Connect does not support on-premises forests or domains where the NetBIOS name contains a dot (.).

Q: Is a pure IPv6 environment supported?
No, Azure AD Connect does not support a pure IPv6 environment.

Q: I have a multi-forest environment and the network between the two forests is using NAT (Network Address Translation). Is using Azure AD Connect between these two forests supported?
No, using Azure AD Connect over NAT is not supported.


Q: What do I do if I receive an email that asks me to renew my Office 365 certificate?
For guidance about renewing the certificate, see Renew certificates.

Q: I have "Automatically update relying party" set for the Office 365 relying party. Do I have to take any action when my token signing certificate automatically rolls over?
Use the guidance outlined in the article Renew certificates.


Q: Is it supported to rename the server after Azure AD Connect has been installed?
No. Changing the server name renders the sync engine unable to connect to the SQL database instance, and the service cannot start.

Q: Are Next Generation Cryptographic (NGC) sync rules supported on a FIPS-enabled machine?
No. They are not supported.

Q: If I disabled a synced device (for example, a hybrid Azure AD joined (HAADJ) device) in the Azure portal, why is it re-enabled?
Synced devices might be authored or mastered on premises. If a synced device is enabled on premises, it might be re-enabled in the Azure portal even if it was previously disabled by an administrator. To disable a synced device, disable the computer account in the on-premises Active Directory.

Q: If I block user sign-in at the Office 365 or Azure AD portal for synced users, why is it unblocked upon signing in again?
Synced users might be authored or mastered on premises. If the account is enabled on premises, the next sync can remove the sign-in block placed by the administrator. As with devices, disable the account in the on-premises Active Directory so that the blocked state is what gets synchronized.

Identity data

Q: Why doesn't the userPrincipalName (UPN) attribute in Azure AD match the on-premises UPN?
For information, see these articles:

You can also configure Azure AD to allow the sync engine to update the UPN, as described in Azure AD Connect sync service features.

Q: Is it supported to soft-match an on-premises Active Directory group or contact object with an existing Azure AD group or contact object?
Yes, this soft match is based on the proxyAddresses attribute. Soft matching is not supported for groups that are not mail-enabled.

Q: Is it supported to manually set the ImmutableId attribute on an existing Azure AD group or contact object to hard-match it to an on-premises Active Directory group or contact object?
No, manually setting the ImmutableId attribute on an existing Azure AD group or contact object to hard-match it is currently not supported.

Custom configuration

Q: Where are the PowerShell cmdlets for Azure AD Connect documented?
With the exception of the cmdlets that are documented on this site, other PowerShell cmdlets found in Azure AD Connect are not supported for customer use.

Q: Can I use the "Server export/server import" option that's found in Synchronization Service Manager to move the configuration between servers?
No. This option does not retrieve all configuration settings, and it should not be used. Instead, use the wizard to create the base configuration on the second server, and use the sync rule editor to generate PowerShell scripts to move any custom rules between servers. For more information, see Swing migration.

Q: Can passwords be cached for the Azure sign-in page, and can this caching be prevented because it contains a password input element with the autocomplete = "false" attribute?
Currently, modifying the HTML attributes of the Password field, including the autocomplete tag, is not supported. We are currently working on a feature that allows for custom JavaScript, which lets you add any attribute to the Password field.

Q: The Azure sign-in page displays the usernames of users who have previously signed in successfully. Can this behavior be turned off?
Currently, modifying the HTML attributes of the Password input field, including the autocomplete tag, is not supported. We are currently working on a feature that allows for custom JavaScript, which lets you add any attribute to the Password field.

Q: Is there a way to prevent concurrent sessions?

Auto upgrade

Q: What are the advantages and consequences of using auto upgrade?
We advise all customers to enable auto upgrade for their Azure AD Connect installation. The benefit is that you always receive the latest patches, including security updates for vulnerabilities that have been found in Azure AD Connect. The upgrade process is painless and happens automatically as soon as a new version is available. Many thousands of Azure AD Connect customers use auto upgrade with every new release.

The auto-upgrade process always first establishes whether an installation is eligible for auto upgrade. If it is eligible, the upgrade is performed and tested. The process also includes looking for custom changes to rules and specific environmental factors. If the tests show that the upgrade was unsuccessful, the previous version is automatically restored.

Depending on the size of the environment, the process can take a couple of hours. While the upgrade is in progress, no sync between Windows Server Active Directory and Azure AD happens.

Q: I received an email telling me that my auto upgrade no longer works and I need to install a new version. Why do I need to do this?
Last year, we released a version of Azure AD Connect that, under certain circumstances, might have disabled the auto-upgrade feature on your server. We fixed the issue in Azure AD Connect version 1.1.750.0. If you have been affected by the issue, you can mitigate it by running a PowerShell script to repair it or by manually upgrading to the latest version of Azure AD Connect.

To run the PowerShell script, download the script and run it on your Azure AD Connect server in an administrative PowerShell window.

To manually upgrade, download and run the latest version of the AADConnect.msi file.

  • If your current version is older than 1.1.750.0, download and upgrade to the latest version.
  • If your Azure AD Connect version is 1.1.750.0 or later, no further action is required. You're already using the version that contains the auto-upgrade fix.

Q: I received an email telling me to upgrade to the latest version to re-enable auto upgrade. I am using version 1.1.654.0. Do I need to upgrade?
Yes, you need to upgrade to version 1.1.750.0 or later to re-enable auto upgrade. Download and upgrade to the latest version.

Q: I received an email telling me to upgrade to the latest version to re-enable auto upgrade. If I have used PowerShell to enable auto upgrade, do I still need to install the latest version?
Yes, you still need to upgrade to version 1.1.750.0 or later. Enabling the auto-upgrade service with PowerShell does not mitigate the auto-upgrade issue found in versions before 1.1.750.0.

Q: I want to upgrade to a newer version but I'm not sure who installed Azure AD Connect, and we do not have the username and password. Do we need this?
You don't need to know the username and password that was initially used to install Azure AD Connect. Use any Azure AD account that has the Global Administrator role.

Q: How can I find which version of Azure AD Connect I am using?
To verify which version of Azure AD Connect is installed on your server, go to Control Panel and look up the installed version of Azure AD Connect by selecting Programs > Programs and Features, as shown here:

(Screenshot: Azure AD Connect version shown in Control Panel)
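The version question above and the earlier auto-upgrade questions (the 1.1.750.0 fix, the "Suspended" state, and enabling auto upgrade from PowerShell) are answered on a fleet more reliably from a script than from Control Panel. The following PowerShell script is an added example (not from the original FAQ) that reads the installed version from the Programs and Features registry data, compares it with 1.1.750.0, and reports the auto-upgrade state with Get-ADSyncAutoUpgrade. The DisplayName prefix 'Microsoft Azure AD Connect' is assumed; the optional -EnableIfDisabled switch is the script's own and only acts on builds that already contain the fix, since the FAQ is explicit that enabling auto upgrade on an older build does not help.

```powershell
# Added example (not from the original FAQ): report the installed Azure AD
# Connect version and auto-upgrade state, and flag builds older than the
# auto-upgrade fix in 1.1.750.0.
# Assumptions: run elevated on the Azure AD Connect server; the uninstall
# entry's DisplayName starts with 'Microsoft Azure AD Connect'.

param([switch]$EnableIfDisabled)

$MinimumFixedVersion = [version]'1.1.750.0'

function Get-AADConnectVersion {
    # Programs and Features reads the same Uninstall keys; check both the
    # native and WOW6432Node hives.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1
    if (-not $entry) { throw 'Azure AD Connect is not installed on this server.' }
    [version]$entry.DisplayVersion
}

$installed = Get-AADConnectVersion
Write-Output "Installed Azure AD Connect version: $installed"

$hasFix = $installed -ge $MinimumFixedVersion
if ($hasFix) {
    Write-Output "Build $installed already contains the auto-upgrade fix ($MinimumFixedVersion)."
} else {
    Write-Warning "Build $installed predates $MinimumFixedVersion; upgrade to the latest AADConnect.msi to restore auto upgrade."
}

# Auto-upgrade state as reported by the sync engine: Enabled, Disabled or Suspended.
Import-Module ADSync
$state = Get-ADSyncAutoUpgrade
Write-Output "Auto-upgrade state: $state"

switch ("$state") {
    'Suspended' {
        # The FAQ's answer: do not try to un-suspend by hand, install the latest build.
        Write-Warning 'Auto upgrade is Suspended; installing the latest version is the supported fix.'
    }
    'Disabled' {
        if ($EnableIfDisabled -and $hasFix) {
            Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled
            Write-Output "Auto upgrade enabled; state is now $(Get-ADSyncAutoUpgrade)."
        } elseif ($EnableIfDisabled) {
            Write-Warning 'Not enabling: this build predates the fix, so enabling via PowerShell would not restore auto upgrade.'
        }
    }
}
```

Because the FAQ also notes that you are not notified of an auto-upgrade result, running this after each release window and recording the version it reports is the practical way to confirm the upgrade actually landed on every server, including those in staging mode.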

Q: How do I upgrade to the latest version of Azure AD Connect?
To learn how to upgrade to the latest version, see Azure AD Connect: Upgrade from a previous version to the latest.

Q: We already upgraded to the latest version of Azure AD Connect last year. Do we need to upgrade again?
The Azure AD Connect team makes frequent updates to the service. To benefit from bug fixes and security updates as well as new features, it is important to keep your server up to date with the latest version. If you enable auto upgrade, your software version is updated automatically.

Q: How long does it take to perform the upgrade, and what is the impact on my users?
The time needed to upgrade depends on your tenant size. For larger organizations, it might be best to perform the upgrade in the evening or on a weekend. During the upgrade, no synchronization activity takes place.

Q: I believe I upgraded to Azure AD Connect, but the Office portal still mentions DirSync. Why is this?
The Office team is working to update the Office portal to reflect the current product name. The label does not reflect which sync tool you are using.

Q: My auto-upgrade status says "Suspended." Why is it suspended? Should I enable it?
A bug was introduced in a previous version that, under certain circumstances, leaves the auto-upgrade status set to "Suspended." Manually enabling it is technically possible but would require several complex steps. The best thing you can do is install the latest version of Azure AD Connect.

Q: My company has strict change-management requirements, and I want to control when it's pushed out. Can I control when auto upgrade is launched?
No, there is no such feature today. The feature is being evaluated for a future release.

Q: Will I get an email if the auto upgrade failed? How will I know that it was successful?
You will not be notified of the result of the upgrade. The feature is being evaluated for a future release. Until then, check the installed version on the server after each release (see "How can I find which version of Azure AD Connect I am using?").

Q: Do you also auto-upgrade Azure AD Connect servers in staging mode?
Yes, an Azure AD Connect server that is in staging mode can be auto-upgraded.

Q: If auto upgrade fails and my Azure AD Connect server does not start, what should I do?
In rare cases, the Azure AD Connect service does not start after an upgrade. In these cases, rebooting the server usually fixes the issue. If the Azure AD Connect service still does not start, open a support ticket. For more information, see Create a service request to contact Office 365 support.

Q: I'm not sure what the risks are when I upgrade to a newer version of Azure AD Connect. Can you call me to help me with the upgrade?
If you need help upgrading to a newer version of Azure AD Connect, open a support ticket at Create a service request to contact Office 365 support.


Q: How can I get help with Azure AD Connect?

Search the Microsoft Knowledge Base (KB)

  • Search the KB for technical solutions to common break-fix issues about support for Azure AD Connect.

Microsoft Q&A question page for Azure Active Directory

  • Search for technical questions and answers, or ask your own questions, by going to the Azure AD community.

Get support for Azure AD

Q: Why am I seeing events 6311 and 6401 after sync step errors?

The events 6311 (The server encountered an unexpected error while performing a callback) and 6401 (The management agent controller encountered an unexpected error) are always logged after a synchronization step error. They are a consequence, not the root cause: to resolve them, clean up the synchronization step errors that precede them. For more information, see Troubleshooting errors during synchronization and Troubleshoot object synchronization with Azure AD Connect sync.
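Since 6311 and 6401 are symptoms, the useful question when triaging them is which step error came just before. The following PowerShell script is an added example (not from the original FAQ) that pulls 6311/6401 events from the Application log for a look-back window and, for each one, lists the error and warning events from the same provider in the preceding few minutes. The provider name 'Directory Synchronization' and the look-back and context windows are assumptions you can adjust.

```powershell
# Added example (not from the original FAQ): correlate 6311/6401 callback
# errors with the synchronization step errors that precede them.
# Assumptions: the sync engine logs to the Application log under the provider
# name 'Directory Synchronization'; the time windows below are placeholders.

$LookBackHours  = 24
$ContextMinutes = 5
$Provider       = 'Directory Synchronization'

function Get-CallbackErrorContext {
    param(
        [datetime]$Since,
        [string]$ProviderName,
        [int]$ContextMinutes
    )
    $callbackErrors = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = 6311, 6401
        StartTime    = $Since
    } -ErrorAction SilentlyContinue

    foreach ($evt in $callbackErrors) {
        # Errors (Level 2) and warnings (Level 3) from the same provider shortly
        # before the callback error are the step errors to clean up first.
        $preceding = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = $ProviderName
            Level        = 2, 3
            StartTime    = $evt.TimeCreated.AddMinutes(-$ContextMinutes)
            EndTime      = $evt.TimeCreated
        } -ErrorAction SilentlyContinue | Where-Object { $_.Id -notin 6311, 6401 })

        # Get-WinEvent returns newest first, so the last element is the earliest.
        $firstStepError = ''
        if ($preceding.Count -gt 0) {
            $firstStepError = ($preceding[-1].Message -split "`n")[0]
        }

        [pscustomobject]@{
            Time            = $evt.TimeCreated
            Id              = $evt.Id
            Message         = ($evt.Message -split "`n")[0]
            PrecedingIds    = ($preceding.Id | Sort-Object -Unique) -join ','
            FirstStepError  = $firstStepError
        }
    }
}

Get-CallbackErrorContext -Since (Get-Date).AddHours(-$LookBackHours) `
                         -ProviderName $Provider `
                         -ContextMinutes $ContextMinutes |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

If a 6311 or 6401 shows up with an empty PrecedingIds column, widen the context window before concluding there was no step error; the callback errors can trail the originating step by more than a few minutes on a large run.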