Azure AD Connect: Version release history

The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and functionality. Not all additions are applicable to all audiences.

This article is designed to help you keep track of the versions that have been released, and to understand what the changes are in the latest version.

This table is a list of related topics:

Topic | Details
Steps to upgrade from Azure AD Connect | Different methods to upgrade from a previous version to the latest Azure AD Connect release.
Required permissions | For the permissions required to apply an update, see accounts and permissions.

Download | Download Azure AD Connect.

Note

Releasing a new version of Azure AD Connect is a process that requires several quality control steps to ensure the service operates correctly. While we go through this process, the version number of a new release as well as the release status will be updated to reflect the most recent state. During this process the version number of the release is shown with an "X" in the minor release number position, as in "1.3.X.0"; this indicates that the release notes in this document are valid for all versions beginning with "1.3.". As soon as we have finalized the release process, the release version number will be updated to the most recently released version and the release status will be updated to "Released for download and auto upgrade". Not all releases of Azure AD Connect will be made available for auto upgrade; the release status indicates whether a release is available for auto upgrade or for download only. If auto upgrade is enabled on your Azure AD Connect server, that server will automatically upgrade to the latest version of Azure AD Connect that is released for auto upgrade. Note that not all Azure AD Connect configurations are eligible for auto upgrade. Follow this link to read more about auto upgrade.

1.4.X.0

Release status

9/10/2019: Released for auto-upgrade only

New features and improvements

  • New troubleshooting tooling helps troubleshoot "user not syncing", "group not syncing" or "group member not syncing" scenarios.
  • Added support for national clouds in the AAD Connect troubleshooting script.
  • Customers should be aware that the deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via the ADSync PowerShell cmdlets.
  • Security improvement: constrained delegation on the AZUREADSSOACC object is reset.
  • When adding or editing a sync rule, any attributes used in the rule that exist in the connector schema but have not been added to the connector are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector is marked for a full import on the next sync cycle.
  • Using an Enterprise Admin or Domain Admin account as the connector account is no longer supported.
  • In the Synchronization Manager, a full sync is run on rule creation, edit or deletion. A popup appears on any rule change notifying the user whether a full import or full sync is going to be run.
  • Added mitigation steps for password errors to the 'connectors > properties > connectivity' page.
  • Added a deprecation warning for the Sync Service Manager on the connector properties page. This warning notifies the user that changes should be made through the AADC wizard.
  • Added a new error for issues with a user's password policy.
  • Prevent misconfiguration of group filtering by domain and OU filters. Group filtering shows an error when the domain/OU of the entered group is already filtered out, and keeps the user from moving forward until the issue is resolved.
  • Users can no longer create a connector for Active Directory Domain Services or Azure Active Directory in the old UI.
  • Fixed accessibility of custom UI controls in the Sync Service Manager.
  • Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the "Update AD FS SSL certificate" task was available for all sign-in methods.)
  • Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD domains and users will be converted to managed authentication.
  • Removed token-signing certificates from the "Reset Azure AD and AD FS trust" task and added a separate sub-task to update these certificates.
  • Added a new federation management task called "Manage certificates" which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm.
  • Added a new federation management sub-task called "Specify primary server" which allows administrators to specify a new primary server for the AD FS farm.
  • Added a new federation management task called "Manage servers" which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify the primary server.
  • Added a new federation management task called "View federation configuration" that displays the current AD FS settings. (Because of this addition, AD FS settings have been removed from the "Review your solution" page.)
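Two of the 1.4 changes above are worth verifying on an upgraded server: the AD DS connector account must not be a Domain or Enterprise Admin, and the AZUREADSSOACC computer account (which holds the Seamless SSO Kerberos decryption key) should carry no delegation settings and a recently rolled key. The following audit script is an added example, not code from the release notes or from the Azure AD Connect product. It assumes the ADSync and RSAT ActiveDirectory modules are available on the server, that `Get-ADSyncConnector` exposes the connector credentials as ConnectivityParameters named "forest-login-domain" and "forest-login-user", and that the 30-day key rollover interval Microsoft recommends for Seamless SSO is the threshold you want.

```powershell
# Added audit script; it is not part of Azure AD Connect or of these release notes.
# Run in an elevated PowerShell session on the Azure AD Connect server by a member of
# the local ADSyncAdmins group. Assumptions: the ADSync and RSAT ActiveDirectory modules
# are available, and Get-ADSyncConnector exposes the AD DS connector's credentials in
# ConnectivityParameters named "forest-login-domain" and "forest-login-user".
Import-Module ADSync
Import-Module ActiveDirectory

# Well-known RIDs of the groups a connector account must never belong to.
$privilegedRids = @{ 512 = 'Domain Admins'; 519 = 'Enterprise Admins'; 544 = 'Administrators' }

function Test-ADSyncConnectorAccountPrivilege {
    # One result per AD DS connector: the account it authenticates with and any
    # privileged group found in its tokenGroups (covers nested membership).
    foreach ($c in Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }) {
        $domain = ($c.ConnectivityParameters | Where-Object Name -eq 'forest-login-domain').Value
        $user   = ($c.ConnectivityParameters | Where-Object Name -eq 'forest-login-user').Value
        $acct   = Get-ADUser -Identity $user -Server $domain -Properties tokenGroups
        $hits   = @(foreach ($sid in $acct.tokenGroups) {
            $rid = [int]($sid.Value -split '-')[-1]
            if ($privilegedRids.ContainsKey($rid)) { $privilegedRids[$rid] }
        })
        [pscustomobject]@{
            Connector        = $c.Name
            Account          = "$domain\$user"
            PrivilegedGroups = $hits -join ', '
            Compliant        = ($hits.Count -eq 0)
        }
    }
}

function Test-AzureADSSOAccount {
    param([string]$Domain = $env:USERDNSDOMAIN, [int]$MaxKeyAgeDays = 30)
    # AZUREADSSOACC holds the Seamless SSO Kerberos decryption key. It must not be
    # trusted for any form of delegation, and Microsoft recommends rolling its key
    # (PasswordLastSet) at least every 30 days with Update-AzureADSSOForest.
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'PasswordLastSet'
    $acct  = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $Domain -Properties $props
    $findings = @()
    if ($acct.TrustedForDelegation)       { $findings += 'unconstrained delegation is enabled' }
    if ($acct.TrustedToAuthForDelegation) { $findings += 'protocol transition (TrustedToAuthForDelegation) is enabled' }
    if ($acct.'msDS-AllowedToDelegateTo') { $findings += "constrained delegation targets: $($acct.'msDS-AllowedToDelegateTo' -join ', ')" }
    $keyAgeDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    if ($keyAgeDays -gt $MaxKeyAgeDays)   { $findings += "decryption key is $keyAgeDays days old; roll it with Update-AzureADSSOForest" }
    [pscustomobject]@{
        Account    = $acct.DistinguishedName
        KeyAgeDays = $keyAgeDays
        Findings   = $findings -join '; '
        Compliant  = ($findings.Count -eq 0)
    }
}

Test-ADSyncConnectorAccountPrivilege | Format-Table -AutoSize
Test-AzureADSSOAccount | Format-List
```

A non-compliant connector account is the more urgent finding: PHS already gives that account replication rights, so adding Domain Admin membership only widens the blast radius if the Connect server is compromised. Any delegation setting on AZUREADSSOACC is unexpected after the 1.4 reset and should be treated as tampering until explained.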

Fixed issues

  • Resolved a sync error for the scenario where a user object taking over its corresponding contact object has a self-reference (for example, the user is their own manager).
  • Help popups now show on keyboard focus.
  • For auto upgrade, if any conflicting app has been running for more than 6 hours, it is terminated and the upgrade continues.
  • Limited the number of attributes a customer can select to 100 per object when selecting directory extensions. This prevents an error during export, since Azure has a maximum of 100 extension attributes per object.
  • Fixed a bug to make the AD Connectivity script more robust.
  • Fixed a bug to make the AADConnect installation on a machine using an existing Named Pipes WCF service more robust.
  • Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to start when initially installed.
  • Fixed a bug where the display name for a Windows computer was written incorrectly.
  • Fixed a bug where the OS type for a Windows computer was written incorrectly.
  • Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows 10 computers that were previously synced will now be deleted. This does not affect any features, as the sync of Windows computers is only used for hybrid Azure AD join, which only works for Windows 10 devices.
  • Added several new (internal) cmdlets to the ADSync PowerShell module.

1.3.21.0

Important

There is a known issue when upgrading Azure AD Connect from an earlier version to 1.3.21.0 where the O365 portal does not reflect the updated version even though Azure AD Connect upgraded successfully.

To resolve this, import the ADSync module and then run the Set-ADSyncDirSyncConfiguration PowerShell cmdlet on the Azure AD Connect server. You can use the following steps:

  1. Open PowerShell in administrator mode
  2. Run Import-Module "ADSync"
  3. Run Set-ADSyncDirSyncConfiguration -AnchorAttribute ""
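The three steps above, as an added example script rather than the page's own procedure, with the guards a practitioner would want before re-sending the DirSync configuration: the session must be elevated, and the installed build should actually be 1.3.21.0, since the workaround is specific to that release. The version lookup assumes Azure AD Connect registers an uninstall entry whose DisplayName begins with "Microsoft Azure AD Connect"; that name, and the `Repair-AADConnectReportedVersion` function wrapping the steps, are this example's assumptions.

```powershell
# Added example (not from the release notes): apply the 1.3.21.0 portal-version
# workaround only after confirming the session is elevated and the installed build
# really is 1.3.21.0. Assumption: the product registers an uninstall entry whose
# DisplayName starts with "Microsoft Azure AD Connect".
#Requires -RunAsAdministrator

function Get-AADConnectInstalledVersion {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
             Select-Object -First 1
    if (-not $entry) { throw 'Azure AD Connect does not appear to be installed on this server.' }
    [version]$entry.DisplayVersion
}

function Repair-AADConnectReportedVersion {
    param([version]$ExpectedVersion = [version]'1.3.21.0')
    $installed = Get-AADConnectInstalledVersion
    if ($installed -ne $ExpectedVersion) {
        Write-Warning "Installed build is $installed, not $ExpectedVersion; this workaround is for 1.3.21.0 only."
        return
    }
    Import-Module ADSync -ErrorAction Stop
    # Re-sending the DirSync configuration (with an empty anchor attribute, as the
    # release note instructs) makes the service report its current version again.
    Set-ADSyncDirSyncConfiguration -AnchorAttribute ""
    Write-Host "Configuration re-sent for build $installed; allow a sync cycle before re-checking the portal."
}

Repair-AADConnectReportedVersion
```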

Release status

05/14/2019: Released for download

Fixed issues

  • Fixed an elevation of privilege vulnerability that exists in Azure Active Directory Connect build 1.3.20.0. Under certain conditions, this vulnerability may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information, see the security update.

1.3.20.0

Release status

04/24/2019: Released for download

New features and improvements

  • Added support for Domain Refresh.
  • The Exchange Mail Public Folders feature is now GA.
  • Improved wizard error handling for service failures.
  • Added a warning link for the old UI on the connector properties page.
  • The Unified Groups Writeback feature is now GA.
  • Improved the SSPR error message shown when the DC is missing an LDAP control.
  • Added diagnostics for DCOM registry errors during install.
  • Improved tracing of PHS RPC errors.
  • Allow EA credentials from a child domain.
  • Allow the database name to be entered during install (default name ADSync).
  • Upgraded to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances.
  • Modified the group sync rules to flow samAccountName, DomainNetbios and DomainFQDN to the cloud, which is needed for claims.
  • Modified default sync rule handling; read more here.
  • Added a new agent running as a Windows service. This agent, named "Admin Agent", enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft engineers troubleshoot when you open a support case. This agent is not installed and enabled by default.
  • Updated the End User License Agreement (EULA).
  • Added auto upgrade support for deployments that use AD FS as their sign-in type. This also removed the requirement to update the AD FS Azure AD relying party trust as part of the upgrade process.
  • Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  • Changed the AD FS Azure AD relying party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  • Changed the install new AD FS farm behavior so that it requires a .pfx certificate, removing the option of using a pre-installed certificate.
  • Updated the install new AD FS farm workflow so that it only allows deploying one AD FS and one WAP server. All additional servers are added after the initial installation.

Fixed issues

  • Fixed the SQL reconnect logic for the ADSync service.
  • Fixed to allow a clean install using an empty SQL AOA database.
  • Fixed the PS permissions script to refine GWB permissions.
  • Fixed VSS errors with LocalDB.
  • Fixed a misleading error message when the object type is not in scope.
  • Corrected an issue where installation of Azure AD PowerShell on the server could potentially cause an assembly conflict with Azure AD Connect.
  • Fixed a PHS bug on the staging server when connector credentials are updated in the old UI.
  • Fixed some memory leaks.
  • Miscellaneous auto upgrade fixes.
  • Miscellaneous fixes to export and unconfirmed import processing.
  • Fixed a bug with handling a backslash in domain and OU filtering.
  • Fixed an issue where the ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

1.2.70.0

Release status

12/18/2018: Released for download

Fixed issues

This build updates the non-standard connectors (for example, the Generic LDAP Connector and Generic SQL Connector) shipped with Azure AD Connect. For more information on the applicable connectors, see version 1.1.911.0 in the Connector Version Release History.

1.2.69.0

Release status

12/11/2018: Released for download

Fixed issues

This hotfix build allows the user to select a target domain, within the specified forest, for the RegisteredDevices container when enabling device writeback. In the previous versions that contain the new Device Options functionality (1.1.819.0 - 1.2.68.0), the RegisteredDevices container location was limited to the forest root and did not allow child domains. This limitation only manifested itself on new deployments; in-place upgrades were unaffected.

If any build containing the updated Device Options functionality was deployed to a new server and device writeback was enabled, you need to manually specify the location of the container if you do not want it in the forest root. To do this, disable device writeback and re-enable it, which allows you to specify the container location on the "Writeback forest" page.

1.2.68.0

Release status

11/30/2018: Released for download

Fixed issues

This hotfix build fixes a conflict where an authentication error might occur due to the independent presence of the MSOnline PowerShell Gallery module on the synchronization server.

1.2.67.0

Release status

11/19/2018: Released for download

Fixed issues

This hotfix build fixes a regression in the previous build where password writeback fails when using an AD DS domain controller on Windows Server 2008/R2.

1.2.65.0

Release status

10/25/2018: Released for download

New features and improvements

  • Changed the functionality of attribute writeback to ensure hosted voicemail works as expected. Under certain scenarios, Azure AD was overwriting the msExchUcVoicemailSettings attribute during writeback with a null value. Azure AD will now no longer clear the on-premises value of this attribute if the cloud value is not set.
  • Added diagnostics in the Azure AD Connect wizard to investigate and identify connectivity issues to Azure AD. These same diagnostics can also be run directly through PowerShell using the Test-AdSyncAzureServiceConnectivity cmdlet.
  • Added diagnostics in the Azure AD Connect wizard to investigate and identify connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. For more information, see What is the ADConnectivityTool PowerShell module?
  • Added an AD schema version pre-check for hybrid Azure Active Directory join and device writeback.
  • Changed the Directory Extension page attribute search to be case-insensitive.
  • Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Azure AD Connect is installed. For more information, see TLS 1.2 enforcement for Azure AD Connect.
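Support for a TLS 1.2-only host, as the last item above describes, depends on registry settings outside Azure AD Connect itself: the .NET Framework must be told to use the OS protocol list and strong crypto, and SCHANNEL must have TLS 1.2 enabled for both client and server roles. The script below is an added example, not from the release notes or the product, that audits those values and can enforce them; turning the older protocols off is kept behind a switch because other software on the server (the SQL client, proxies) must cope first. It assumes 64-bit Windows with .NET Framework 4.x, which is why both registry views are checked, and the function names are this example's own.

```powershell
# Added example; it is not from the release notes or the Azure AD Connect product.
# Audits, and optionally enforces, the registry values that make Azure AD Connect
# 1.2.65.0 or later and the .NET Framework it runs on negotiate TLS 1.2 only.
# Run elevated on the Connect server; SCHANNEL changes take effect after a reboot.
# Assumption: 64-bit Windows with .NET Framework 4.x (hence both registry views).

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Values required for TLS 1.2: .NET defers to the OS protocol list and uses strong
# crypto, and SCHANNEL has TLS 1.2 enabled for both the client and server roles.
$required = @()
foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $required += @{ Path = "$hive\Microsoft\.NETFramework\v4.0.30319"; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    $required += @{ Path = "$hive\Microsoft\.NETFramework\v4.0.30319"; Name = 'SchUseStrongCrypto';       Value = 1 }
}
foreach ($role in 'Server', 'Client') {
    $required += @{ Path = "$schannel\TLS 1.2\$role"; Name = 'Enabled';           Value = 1 }
    $required += @{ Path = "$schannel\TLS 1.2\$role"; Name = 'DisabledByDefault'; Value = 0 }
}

# Values that turn the older protocols off. Apply these only after TLS 1.2 is
# confirmed working, because everything else on the box must cope with it too.
$legacy = @()
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Server', 'Client') {
        $legacy += @{ Path = "$schannel\$proto\$role"; Name = 'Enabled';           Value = 0 }
        $legacy += @{ Path = "$schannel\$proto\$role"; Name = 'DisabledByDefault'; Value = 1 }
    }
}

function Test-AADConnectTlsSettings {
    param([switch]$IncludeLegacyProtocols)
    # One row per expected value. A missing key or value is reported as non-compliant
    # because Windows then falls back to its built-in default for that protocol.
    $set = if ($IncludeLegacyProtocols) { $required + $legacy } else { $required }
    foreach ($d in $set) {
        $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        [pscustomobject]@{
            Path      = $d.Path
            Name      = $d.Name
            Expected  = $d.Value
            Current   = $current
            Compliant = ($current -eq $d.Value)
        }
    }
}

function Set-AADConnectTlsSettings {
    param([switch]$IncludeLegacyProtocols)
    # Create missing keys and write only the values that differ from the target state.
    foreach ($row in Test-AADConnectTlsSettings -IncludeLegacyProtocols:$IncludeLegacyProtocols) {
        if ($row.Compliant) { continue }
        if (-not (Test-Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
        New-ItemProperty -Path $row.Path -Name $row.Name -Value $row.Expected -PropertyType DWORD -Force | Out-Null
        Write-Host "Set $($row.Path)\$($row.Name) = $($row.Expected)"
    }
    Write-Warning 'Reboot for SCHANNEL changes to apply, then re-run Test-AADConnectTlsSettings.'
}

Test-AADConnectTlsSettings | Format-Table -AutoSize
# Set-AADConnectTlsSettings -IncludeLegacyProtocols   # uncomment to enforce TLS 1.2 only
```

Run the audit first on a staging-mode server; if `Test-AdSyncAzureServiceConnectivity` still succeeds after the reboot with the legacy protocols disabled, the same change is safe to roll to the active server.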

Fixed issues

  • Fixed a bug where the Azure AD Connect upgrade would fail if SQL Always On was being used.
  • Fixed a bug to correctly parse OU names that contain a forward slash.
  • Fixed an issue where pass-through authentication would be disabled for a clean install in staging mode.
  • Fixed a bug that prevented the PowerShell module from being loaded when running the troubleshooting tools.
  • Fixed a bug that would block customers from using numeric values in the first character of a host name.
  • Fixed a bug where Azure AD Connect would allow invalid partition and container selection.
  • Fixed the "Invalid Password" error message when desktop SSO is enabled.
  • Various bug fixes for AD FS trust management.
  • When configuring device writeback, fixed the schema check to look for the msDs-DeviceContainer object class (introduced in Windows Server 2012 R2).

1.1.882.0

Release status

9/7/2018: Released for download; will not be released for auto upgrade.

Fixed issues

The Azure AD Connect upgrade fails if SQL Always On Availability is configured for the ADSync database. This hotfix addresses this issue and allows the upgrade to succeed.

1.1.880.0

Release status

8/21/2018: Released for download and auto upgrade.

New features and improvements

  • The Ping Federate integration in Azure AD Connect is now generally available. Learn more about how to federate Azure AD with Ping Federate.
  • Azure AD Connect now creates a backup of the Azure AD trust in AD FS every time an update is made, and stores it in a separate file for easy restore if required.
  • New troubleshooting tooling helps troubleshoot changing the primary email address and hiding an account from the global address list.
  • Azure AD Connect was updated to include the latest SQL Server 2012 Native Client.
  • When you switch user sign-in to Password Hash Synchronization or Pass-through Authentication in the "Change user sign-in" task, the Seamless Single Sign-On checkbox is enabled by default.
  • Added support for Windows Server Essentials 2019.
  • The Azure AD Connect Health agent was updated to the latest version, 3.1.7.0.
  • During an upgrade, if the installer detects changes to the default sync rules, the admin is prompted with a warning before the modified rules are overwritten. This allows the user to take corrective action and resume later. Old behavior: if any out-of-box rule had been modified, a manual upgrade overwrote those rules without warning the user, and the sync scheduler was disabled without informing the user. New behavior: the user is prompted with a warning before modified out-of-box sync rules are overwritten, and can choose to stop the upgrade process and resume later after taking corrective action.
  • Better handling of a FIPS compliance issue: an error message is shown for MD5 hash generation in a FIPS-compliant environment, with a link to documentation that provides a workaround.
  • UI update to improve the federation tasks in the wizard, which are now under a separate sub-group for federation.
  • All additional federation tasks are now grouped under a single sub-menu for ease of use.
  • A new, revamped ADSyncConfig PowerShell module (AdSyncConfig.psm1) with new AD permissions functions moved from the old ADSyncPrep.psm1 (which may be deprecated shortly).
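The ADSyncConfig module introduced in this release is the supported way to give the AD DS connector account exactly the rights each enabled feature needs, instead of the blanket permissions the old ADSyncPrep approach or a Domain Admin account would confer. The script below is an added example, not code from the release notes or from the module itself. It assumes Azure AD Connect is installed in its default path, that the function and parameter names (`Get-ADSyncADConnectorAccount`, `Set-ADSyncBasicReadPermissions`, `Set-ADSyncRestrictedPermissions`, `Show-ADSyncADObjectPermissions` and the feature-specific `Set-ADSync*Permissions` functions) are as documented for ADSyncConfig, and that the session runs as an Enterprise Admin; the `Grant-AADConnectLeastPrivilege` wrapper is this example's own.

```powershell
# Added example; it is not part of the release notes or the ADSyncConfig module itself.
# Grants the AD DS connector account only the permissions the enabled features need,
# using the AdSyncConfig.psm1 functions this release introduces, then restricts who can
# modify the account object. Assumptions: Azure AD Connect is installed in its default
# path, the function and parameter names are as documented for ADSyncConfig, and the
# session runs as an Enterprise Admin (needed for forest-wide ACL changes).
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

function Grant-AADConnectLeastPrivilege {
    param(
        [switch]$PasswordHashSync,
        [switch]$PasswordWriteback,
        [switch]$ExchangeHybrid
    )
    # Discover the account each AD DS connector uses rather than hard-coding it.
    foreach ($acct in Get-ADSyncADConnectorAccount) {
        $common = @{
            ADConnectorAccountName   = $acct.ADConnectorAccountName
            ADConnectorAccountDomain = $acct.ADConnectorAccountDomain
        }
        # Always needed: read access to the objects in scope.
        Set-ADSyncBasicReadPermissions @common
        # mS-DS-ConsistencyGuid is the default source anchor; the write ACE is attribute-scoped.
        Set-ADSyncMsDsConsistencyGuidPermissions @common

        # Optional features grant progressively more sensitive rights, so opt in explicitly.
        # PHS grants "Replicating Directory Changes" and "... All": DCSync-equivalent rights.
        if ($PasswordHashSync)  { Set-ADSyncPasswordHashSyncPermissions  @common }
        if ($PasswordWriteback) { Set-ADSyncPasswordWritebackPermissions @common }
        if ($ExchangeHybrid)    { Set-ADSyncExchangeHybridPermissions    @common }
        # Group writeback and mail public folders have their own Set-ADSync*Permissions
        # functions; add them here only if those features are enabled.

        # Strip inherited ACEs from the account object and apply a restricted ACL, so that
        # delegated operators cannot reset its password and inherit the rights above.
        $eaCred = Get-Credential -Message "Enterprise Admin for $($acct.ADConnectorAccountDomain)"
        Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $acct.ADConnectorAccountDN -Credential $eaCred

        # Show what is now granted on the account object for review.
        Show-ADSyncADObjectPermissions -ADobjectDN $acct.ADConnectorAccountDN
    }
}

# Example invocation for a PHS plus password writeback deployment:
Grant-AADConnectLeastPrivilege -PasswordHashSync -PasswordWriteback
```

The restricted ACL step matters as much as the grants: with PHS enabled the connector account can replicate password hashes, so anyone who can reset its password effectively holds DCSync rights.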

Fixed issues

  • Fixed a bug where the AAD Connect server would show high CPU usage after upgrading to .NET 4.7.2.
  • Fixed a bug that would intermittently produce an error message for an auto-resolved SQL deadlock issue.
  • Fixed several accessibility issues for the Sync Rules Editor and the Sync Service Manager.
  • Fixed a bug where Azure AD Connect could not get registry setting information.
  • Fixed a bug that created issues when the user goes forward/back in the wizard.
  • Fixed a bug to prevent an error caused by incorrect multi-thread handling in the wizard.
  • When the Group Sync Filtering page encounters an LDAP error while resolving security groups, Azure AD Connect now returns the exception with full fidelity. The root cause of the referral exception is still unknown and will be addressed by a different bug.
  • Fixed a bug where permissions for STK and NGC keys (the ms-DS-KeyCredentialLink attribute on user/device objects for WHfB) were not set correctly.
  • Fixed a bug where 'Set-ADSyncRestrictedPermissions' was not called correctly.
  • Added support for granting Group Writeback permissions in the AADConnect installation wizard.
  • Fixed an issue where changing the sign-in method from Password Hash Sync to AD FS did not disable Password Hash Sync.
  • Added verification for IPv6 addresses in the AD FS configuration.
  • Updated the notification message to inform the user that an existing configuration exists.
  • Device writeback failed to detect the container in an untrusted forest. This has been updated to provide a better error message and a link to the appropriate documentation.
  • Deselecting an OU and then synchronizing/writing back objects corresponding to that OU gave a generic sync error. This has been changed to produce a more understandable error message.

1.1.819.0

Release status

5/14/2018: Released for auto upgrade and download.

New features and improvements

  • This release includes the public preview of the integration of PingFederate in Azure AD Connect. With this release, customers can easily and reliably configure their Azure Active Directory environment to use PingFederate as their federation provider. To learn more about how to use this new feature, visit our online documentation.
  • Updated the Azure AD Connect wizard troubleshooting utility, which now analyzes more error scenarios, such as linked mailboxes and AD dynamic groups. Read more about the troubleshooting utility here.
  • Device writeback configuration is now managed solely within the Azure AD Connect wizard.
  • A new PowerShell module called ADSyncTools.psm1 is added that can be used to troubleshoot SQL connectivity issues and provides various other troubleshooting utilities. Read more about the ADSyncTools module here.
  • A new additional task, "Configure device options", has been added. You can use the task to configure the following two operations:
    • Hybrid Azure AD join: If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are joined to both your on-premises Active Directory and your Azure Active Directory.

    • Device writeback: Device writeback is used to enable device-based Conditional Access for resources protected by AD FS (2012 R2 or higher).

      Note

      • The option to enable device writeback from "Customize synchronization options" will be greyed out.
      • The PowerShell module for ADPrep is deprecated with this release.

Fixed issues

  • This release updates the SQL Server Express installation to SQL Server 2012 SP4, which, among other things, provides fixes for several security vulnerabilities. See here for more information about SQL Server 2012 SP4.
  • Sync rule processing: outbound join sync rules with no join condition are now de-applied if the parent sync rule is no longer applicable.
  • Several accessibility fixes have been applied to the Synchronization Service Manager UI and the Sync Rules Editor.
  • Azure AD Connect wizard: Error creating the AD connector account when Azure AD Connect is in a workgroup.
  • Azure AD Connect wizard: On the Azure AD sign-in page, display the verification checkbox whenever there is any mismatch between AD domains and Azure AD verified domains.
  • Auto-upgrade PowerShell fix to set the auto upgrade state correctly in certain cases after an auto upgrade is attempted.
  • Azure AD Connect wizard: Updated telemetry to capture previously missing information.
  • Azure AD Connect wizard: The following changes have been made when you use the "Change user sign-in" task to switch from AD FS to pass-through authentication:
    • The pass-through authentication agent is installed on the Azure AD Connect server and the pass-through authentication feature is enabled before the domain(s) are converted from federated to managed.
    • Users are no longer converted from federated to managed. Only the domain(s) are converted.
  • Azure AD Connect wizard: The AD FS multi-domain regex was not correct when a user UPN contains the ' special character; the regex was updated to support special characters.
  • Azure AD Connect wizard: Removed the spurious "Configure source anchor attribute" message when there is no change.
  • Azure AD Connect wizard: AD FS support for the dual federation scenario.
  • Azure AD Connect wizard: AD FS claims were not updated for the added domain when converting a managed domain to federated.
  • Azure AD Connect wizard: During detection of installed packages, stale DirSync/Azure AD Sync/Azure AD Connect related products are found. We now attempt to uninstall the stale products.
  • Azure AD Connect wizard: Corrected the error message mapping when installation of the pass-through authentication agent fails.
  • Azure AD Connect wizard: Removed the "Configuration" container from the domain/OU filtering page.
  • Sync engine install: removed unnecessary legacy logic that occasionally failed in the sync engine install MSI.
  • Azure AD Connect wizard: Fixed the popup help text on the Optional Features page for Password Hash Sync.
  • Sync engine runtime: Fixed the scenario where a CS object has an imported delete and sync rules attempt to re-provision the object.
  • Sync engine runtime: Added a help link for the online connectivity troubleshooting guide to the event log entry for an import error.
  • Sync engine runtime: Reduced memory usage of the sync scheduler when enumerating connectors.
  • Azure AD Connect wizard: Fixed an issue resolving a custom sync service account which has no AD read privileges.
  • Azure AD Connect wizard: Improved logging of domain and OU filtering selections.
  • Azure AD Connect wizard: AD FS now adds default claims to the federation trust created for the MFA scenario.
  • Azure AD Connect wizard: AD FS deploy WAP: adding a server failed to use the new certificate.
  • Azure AD Connect wizard: DSSO exception when onPremCredentials aren't initialized for a domain.
  • Preferentially flow the AD distinguishedName attribute from the active user object.
  • Fixed a cosmetic bug where the precedence of the first OOB sync rule was set to 99 instead of 100.

1.1.751.0

Status 4/12/2018: Released for download only

Note

This release is a hotfix for Azure AD Connect.

Azure AD Connect sync

Fixed issues

Corrected an issue where automatic Azure instance discovery for China tenants was occasionally failing.

AD FS Management

Fixed issues

There was a problem in the configuration retry logic that resulted in an ArgumentException stating "an item with the same key has already been added." This caused all retry operations to fail.

1.1.750.0

Status 3/22/2018: Released for auto-upgrade and download.

Note

When the upgrade to this new version completes, it automatically triggers a full sync and full import for the Azure AD connector and a full sync for the AD connector. Depending on the size of your Azure AD Connect environment this may take some time, so make sure you have taken the necessary steps to support it, or hold off on upgrading until you have found a convenient moment to do so.

Note

AutoUpgrade functionality was incorrectly disabled for some tenants who deployed builds later than 1.1.524.0. To ensure that your Azure AD Connect instance is still eligible for AutoUpgrade, run the following PowerShell cmdlet: Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled

Azure AD Connect

Fixed issues

  • The Set-ADSyncAutoUpgrade cmdlet would previously block AutoUpgrade if the auto-upgrade state was set to Suspended. This has been changed so that it no longer blocks AutoUpgrade of future builds.
  • Changed the User Sign-in page option "Password Synchronization" to "Password Hash Synchronization". Azure AD Connect synchronizes password hashes, not passwords, so the new name matches what actually happens. For more information, see Implement password hash synchronization with Azure AD Connect sync.
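
The two notes above (the full import/full sync that follows the upgrade, and the AutoUpgrade state to re-check) can be handled with the ADSync module that Azure AD Connect installs. The following is an added example, not code from the release notes or from Microsoft: it waits for the sync engine to go idle and pauses the scheduler before a manual upgrade, then restores the scheduler afterwards and repairs a Suspended AutoUpgrade state. It assumes it runs in an elevated session on the Azure AD Connect server; the function names are constructed for this example.

```powershell
# Added example (not from the release notes). Runs on the Azure AD Connect server with the
# ADSync module that the product installs; function names are constructed for this example.
Import-Module ADSync

function Suspend-ADSyncForUpgrade {
    # Wait until no connector run is active, then disable the scheduler so the full import /
    # full sync triggered by the upgrade starts when you choose, not on top of a delta cycle.
    param([int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (Get-ADSyncConnectorRunStatus) {                      # returns nothing when the engine is idle
        if ((Get-Date) -gt $deadline) { throw "A sync run was still in progress after $TimeoutMinutes minutes; not pausing." }
        Start-Sleep -Seconds 30
    }
    $before = Get-ADSyncScheduler
    Set-ADSyncScheduler -SyncCycleEnabled $false
    [pscustomobject]@{ PreviousSyncCycleEnabled = $before.SyncCycleEnabled; PausedAt = Get-Date }
}

function Resume-ADSyncAfterUpgrade {
    # Restore the scheduler and make sure the server is still AutoUpgrade-eligible.
    # 'Suspended' is the state the 1.1.750.0 note describes; 'Disabled' is left alone because
    # an administrator may have turned AutoUpgrade off deliberately.
    param([Parameter(Mandatory)][bool]$PreviousSyncCycleEnabled)
    Set-ADSyncScheduler -SyncCycleEnabled $PreviousSyncCycleEnabled
    $state = "$(Get-ADSyncAutoUpgrade)"                          # Enabled, Disabled or Suspended
    switch ($state) {
        'Suspended' { Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled; $state = "$(Get-ADSyncAutoUpgrade)" }
        'Disabled'  { Write-Warning 'AutoUpgrade is Disabled; this server will not pick up auto-upgrade releases.' }
    }
    [pscustomobject]@{ SyncCycleEnabled = (Get-ADSyncScheduler).SyncCycleEnabled; AutoUpgradeState = $state }
}

# Usage:
#   $saved = Suspend-ADSyncForUpgrade
#   ... run the Azure AD Connect upgrade ...
#   Resume-ADSyncAfterUpgrade -PreviousSyncCycleEnabled $saved.PreviousSyncCycleEnabled
```

Get-ADSyncAutoUpgrade -Detail additionally shows why a server was suspended; the example only re-enables the Suspended state because a Disabled state is an explicit administrator choice that should be reviewed, not silently reversed.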

1.1.749.0

Status: Released to select customers

Note

When the upgrade to this new version completes, it automatically triggers a full sync and full import for the Azure AD connector and a full sync for the AD connector. Depending on the size of your Azure AD Connect environment this may take some time, so make sure you have taken the necessary steps to support it, or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect

Fixed issues

  • Fixed a timing window in the background tasks of the Partition Filtering page when switching to the next page.

  • Fixed a bug that caused an access violation during the ConfigDB custom action.

  • Fixed a bug so that a SQL connection timeout can be recovered from.

  • Fixed a bug where certificates with SAN wildcards failed a prerequisite check.

  • Fixed a bug that caused miiserver.exe to crash during an Azure AD connector export.

  • Fixed a bug that caused bad-password attempts to be logged on the domain controller when running the Azure AD Connect wizard to change configuration.

New features and improvements

  • Added Privacy Settings for the General Data Protection Regulation (GDPR). For more information, see the article here.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you're looking for general information about GDPR, see the GDPR section of the Service Trust portal.

    • Application telemetry: the administrator can switch this class of data on or off at will.

    • Azure AD Health data: the administrator must visit the Health portal to control the health settings. Once the service policy has been changed, the agents read and enforce it.

  • Added device writeback configuration actions and a progress bar for page initialization.

  • Improved General Diagnostics with an HTML report and full data collection in a ZIP (text/HTML) report.

  • Improved the reliability of auto upgrade and added telemetry so that the health of the server can be determined.

  • Restrict the permissions that privileged accounts have on the AD Connector account:

    • For new installations, the wizard restricts the permissions that privileged accounts have on the MSOL account after creating it. This applies to:

      1. Express installations
      2. Custom installations with an auto-created account

  • Changed the installer so that it doesn't require SA (SQL Server sysadmin) privilege on a clean install of Azure AD Connect.

  • Added a new utility to troubleshoot synchronization issues for a specific object. It is available under the 'Troubleshoot Object Synchronization' option of the Azure AD Connect wizard's Troubleshoot additional task. Currently, the utility checks for the following:

    • UserPrincipalName mismatch between the synchronized user object and the user account in the Azure AD tenant.
    • Whether the object is filtered from synchronization due to domain filtering.
    • Whether the object is filtered from synchronization due to organizational unit (OU) filtering.

  • Added a new utility to synchronize the current password hash stored in on-premises Active Directory for a specific user account. The utility does not require a password change. It is available under the 'Troubleshoot Password Hash Synchronization' option of the Azure AD Connect wizard's Troubleshoot additional task.

1.1.654.0

Status: December 12th, 2017

Note

This release is a security-related hotfix for Azure AD Connect.

Azure AD Connect

An improvement has been added to Azure AD Connect version 1.1.654.0 (and later) to ensure that the recommended permission changes described in the section Lock down access to the AD DS account are applied automatically when Azure AD Connect creates the AD DS account.

  • When setting up Azure AD Connect, the installing administrator can either provide an existing AD DS account or let Azure AD Connect create the account automatically. The permission changes are applied automatically to the AD DS account that Azure AD Connect creates during setup. They are not applied to an existing AD DS account provided by the installing administrator.
  • For customers who have upgraded from an older version of Azure AD Connect to 1.1.654.0 (or later), the permission changes are not applied retroactively to existing AD DS accounts created before the upgrade. They are applied only to new AD DS accounts created after the upgrade, which happens when you add new AD forests to be synchronized to Azure AD.

Note

This release only removes the vulnerability for new installations of Azure AD Connect where the service account is created by the installation process. For existing installations, or where you provide the account yourself, you should verify that the vulnerability does not exist.

Lock down access to the AD DS account

Lock down access to the AD DS account by implementing the following permission changes in the on-premises AD:

  • Disable inheritance on the specified object.
  • Remove all ACEs on the object except the ACEs specific to SELF. The default permissions for SELF are kept intact.
  • Assign these specific permissions:

Type   Name                           Access               Applies To
Allow  SYSTEM                         Full Control         This object
Allow  Enterprise Admins              Full Control         This object
Allow  Domain Admins                  Full Control         This object
Allow  Administrators                 Full Control         This object
Allow  Enterprise Domain Controllers  List Contents        This object
Allow  Enterprise Domain Controllers  Read All Properties  This object
Allow  Enterprise Domain Controllers  Read Permissions     This object
Allow  Authenticated Users            List Contents        This object
Allow  Authenticated Users            Read All Properties  This object
Allow  Authenticated Users            Read Permissions     This object

To tighten the settings for the AD DS account, you can run this PowerShell script. The script assigns the permissions listed above to the AD DS account.

PowerShell script to tighten a pre-existing service account

To apply these settings to a pre-existing AD DS account (either one provided by your organization or one created by a previous installation of Azure AD Connect), download the script from the link above.

Usage:
Set-ADSyncRestrictedPermissions -ObjectDN <$ObjectDN> -Credential <$Credential>

Where

$ObjectDN = The Active Directory account whose permissions need to be tightened.

$Credential = Administrator credential that has the necessary privileges to restrict the permissions on the $ObjectDN account. These privileges are typically held by an Enterprise or Domain administrator. Use the fully qualified domain name of the administrator account to avoid account lookup failures. Example: contoso.com\admin.

Note

$credential.UserName should be in FQDN\username format. Example: contoso.com\admin

Example:
Set-ADSyncRestrictedPermissions -ObjectDN "CN=TestAccount1,CN=Users,DC=bvtadwbackdc,DC=com" -Credential $credential

Was this vulnerability used to gain unauthorized access?

To see whether this vulnerability was used to compromise your Azure AD Connect configuration, verify the last password reset date of the service account. If the timestamp is unexpected, investigate further in the event log for that password reset event.

For more information, see Microsoft Security Advisory 4056318.
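
The lock-down steps above and the "last password reset" check can both be audited from PowerShell. The following is an added example, not Microsoft's Set-ADSyncRestrictedPermissions script: it compares an account's explicit DACL with the template in the table, can apply that template with -Apply (rehearse with -WhatIf), and pulls the account's PasswordLastSet together with the matching Security event 4724 entries ("An attempt was made to reset an account's password") from the domain controllers. It assumes the RSAT ActiveDirectory module, Domain Admin-level rights on the object, remote event-log access to the DCs, and a constructed MSOL_ account DN; every function name is constructed for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Microsoft's Set-ADSyncRestrictedPermissions script. Audits an AD DS
# connector account against the ACL template in the table above, optionally applies it, and
# gathers the password-reset evidence the "Was this vulnerability used" section asks for.
# Assumptions: RSAT ActiveDirectory module; rights to read/write the object's security
# descriptor (Domain Admins is typical); function names and the sample DN are constructed.
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal
Import-Module ActiveDirectory

function Get-HardenedAceTemplate {
    # One entry per identity in the table, keyed by well-known SID so localized group names
    # do not matter; the three read rows per identity collapse into one ACE.
    param([SecurityIdentifier]$DomainSid, [SecurityIdentifier]$RootDomainSid)
    $full = [ActiveDirectoryRights]::GenericAll                                # Full Control
    $read = [ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'   # List Contents, Read All Properties, Read Permissions
    @(
        [pscustomobject]@{ Rights = $full; Sid = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null) }                     # SYSTEM
        [pscustomobject]@{ Rights = $full; Sid = [SecurityIdentifier]::new([WellKnownSidType]::AccountEnterpriseAdminsSid, $RootDomainSid) } # Enterprise Admins (forest root)
        [pscustomobject]@{ Rights = $full; Sid = [SecurityIdentifier]::new([WellKnownSidType]::AccountDomainAdminsSid, $DomainSid) }         # Domain Admins (account's domain)
        [pscustomobject]@{ Rights = $full; Sid = [SecurityIdentifier]::new([WellKnownSidType]::BuiltinAdministratorsSid, $null) }            # Administrators
        [pscustomobject]@{ Rights = $read; Sid = [SecurityIdentifier]::new([WellKnownSidType]::EnterpriseControllersSid, $null) }            # Enterprise Domain Controllers
        [pscustomobject]@{ Rights = $read; Sid = [SecurityIdentifier]::new([WellKnownSidType]::AuthenticatedUserSid, $null) }                # Authenticated Users
    )
}

function Test-ConnectorAccountAcl {
    # Reports deviations from the template. With -Apply (honours -WhatIf/-Confirm) it rewrites
    # the DACL: protect from inheritance, purge every explicit ACE except SELF's, add the template.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ObjectDN, [switch]$Apply)

    $acct     = Get-ADObject -Identity $ObjectDN -Properties objectSid
    $rootSid  = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID
    $template = Get-HardenedAceTemplate -DomainSid $acct.objectSid.AccountDomainSid -RootDomainSid $rootSid
    $self     = [SecurityIdentifier]::new([WellKnownSidType]::SelfSid, $null)
    $acl      = Get-Acl -Path "AD:\$ObjectDN"
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $acl.AreAccessRulesProtected) { $findings.Add('Inheritance enabled: ACEs delegated on the parent container reach this account') }
    $explicit = $acl.GetAccessRules($true, $false, [SecurityIdentifier])     # explicit ACEs only, identities as SIDs
    $granted  = @{}                                                          # SID string -> OR of explicit Allow rights
    foreach ($ace in $explicit) {
        $who = $ace.IdentityReference
        if ($who -eq $self) { continue }                                      # SELF keeps its default ACEs
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { $findings.Add("Deny ACE for $who is not in the template"); continue }
        $granted[$who.Value] = [int]$granted[$who.Value] -bor [int]$ace.ActiveDirectoryRights
    }
    foreach ($t in $template) {
        $have = [int]$granted[$t.Sid.Value]; $want = [int]$t.Rights
        if (($have -band $want) -ne $want) { $findings.Add("$($t.Sid) lacks $($t.Rights)") }
        elseif ($have -ne $want)           { $findings.Add("$($t.Sid) holds rights beyond $($t.Rights)") }
        $granted.Remove($t.Sid.Value)
    }
    foreach ($k in $granted.Keys) { $findings.Add("Unexpected principal $k holds $([ActiveDirectoryRights]$granted[$k])") }

    if ($Apply -and $findings.Count -gt 0 -and $PSCmdlet.ShouldProcess($ObjectDN, 'Replace DACL with hardened template')) {
        $acl.SetAccessRuleProtection($true, $false)                          # disable inheritance, drop inherited ACEs
        foreach ($who in @($explicit.IdentityReference | Select-Object -Unique)) {
            if ($who -ne $self) { $acl.PurgeAccessRules($who) }
        }
        foreach ($t in $template) {
            $acl.AddAccessRule([ActiveDirectoryAccessRule]::new($t.Sid, $t.Rights, [AccessControlType]::Allow, [ActiveDirectorySecurityInheritance]::None))
        }
        Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
    }
    [pscustomobject]@{ ObjectDN = $ObjectDN; Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

function Get-ConnectorAccountResetEvidence {
    # When was the password last set, and which Security-log 4724 events ("An attempt was made
    # to reset an account's password") on the DCs name this account as the target? 4724 only
    # exists if the User Account Management audit subcategory is enabled; an empty list with
    # auditing off is not evidence of anything.
    param([Parameter(Mandatory)][string]$ObjectDN, [int]$Days = 90)
    $user   = Get-ADUser -Identity $ObjectDN -Properties PasswordLastSet, whenChanged
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$Days) }
    $events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $data = @{}; foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.TargetUserName -eq $user.SamAccountName) {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; ResetBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)" }
            }
        }
    }
    [pscustomobject]@{ Account = $user.SamAccountName; PasswordLastSet = $user.PasswordLastSet; ResetEvents = @($events) }
}

# Usage (constructed DN). Audit first, rehearse with -WhatIf, then apply:
#   $dn = 'CN=MSOL_0123456789ab,CN=Users,DC=contoso,DC=com'
#   Test-ConnectorAccountAcl -ObjectDN $dn
#   Test-ConnectorAccountAcl -ObjectDN $dn -Apply -WhatIf
#   Get-ConnectorAccountResetEvidence -ObjectDN $dn -Days 180
```

Why inheritance is the point: with password hash synchronization enabled the connector account holds Replicating Directory Changes rights, so any principal that can reset its password (for example through a Reset Password ACE delegated on the Users container and inherited by the account) can act with those rights. Disabling inheritance and purging every non-SELF ACE is what closes that path; the template then grants read access only to Enterprise Domain Controllers and Authenticated Users, and Full Control only to the built-in administrative groups and SYSTEM. For the evidence function, compare PasswordLastSet with the dates you (or the Azure AD Connect wizard) actually changed the account, and treat any 4724 whose ResetBy is not an expected administrator as a reason to rotate the account and review what it was used for.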

1.1.649.0

Status: October 27 2017

Note

This build is not available to customers through the Azure AD Connect Auto Upgrade feature.

Azure AD Connect

Fixed issue

  • Fixed a version compatibility issue between Azure AD Connect and the Azure AD Connect Health Agent (for sync). The issue affects customers performing an in-place upgrade of Azure AD Connect to version 1.1.647.0 while running Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about the Azure AD Connect Synchronization Service to the Azure AD Health Service. With this fix, Health Agent version 3.0.129.0 is installed during the Azure AD Connect in-place upgrade. Health Agent version 3.0.129.0 has no compatibility issue with Azure AD Connect version 1.1.649.0.

1.1.647.0

Status: October 19 2017

Important

There is a known compatibility issue between Azure AD Connect version 1.1.647.0 and Azure AD Connect Health Agent (for sync) version 3.0.127.0. The issue prevents the Health Agent from sending health data about the Azure AD Connect Synchronization Service (including object synchronization errors and run history data) to the Azure AD Health Service. Before manually upgrading your Azure AD Connect deployment to version 1.1.647.0, verify the version of the Azure AD Connect Health Agent installed on your Azure AD Connect server: go to Control Panel → Add/Remove Programs and look for the application Azure AD Connect Health Agent for Sync. If its version is 3.0.127.0, it is recommended that you wait for the next Azure AD Connect version before upgrading. If the Health Agent version isn't 3.0.127.0, it is fine to proceed with the manual in-place upgrade. This issue does not affect swing upgrades or customers performing a new installation of Azure AD Connect.

Azure AD Connect

Fixed issues

  • Fixed an issue with the Change user sign-in task in the Azure AD Connect wizard:

    • The issue occurs when you have an existing Azure AD Connect deployment with Password Synchronization enabled and you try to set the user sign-in method to Pass-through Authentication. Before the change is applied, the wizard incorrectly shows the "Disable Password Synchronization" prompt; however, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.

    • By design, the wizard does not disable Password Synchronization when you update the user sign-in method using the Change user sign-in task. This avoids disruption for customers who want to keep Password Synchronization even though they are enabling Pass-through Authentication or federation as their primary user sign-in method.

    • If you want to disable Password Synchronization after updating the user sign-in method, run the Customize Synchronization Configuration task in the wizard. On the Optional features page, clear the Password Synchronization option.

    • The same issue also occurs if you try to enable or disable Seamless Single Sign-On. Specifically: you have an existing Azure AD Connect deployment with Password Synchronization enabled and the user sign-in method already configured as Pass-through Authentication. Using the Change user sign-in task, you check or uncheck the Enable Seamless Single Sign-On option while the user sign-in method remains configured as Pass-through Authentication. Before the change is applied, the wizard incorrectly shows the "Disable Password Synchronization" prompt; however, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.

  • Fixed another issue with the Change user sign-in task in the Azure AD Connect wizard:

    • The issue occurs when you have an existing Azure AD Connect deployment with Password Synchronization disabled and you try to set the user sign-in method to Pass-through Authentication. When the change is applied, the wizard enables both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.

    • Previously, Password Synchronization was a prerequisite for enabling Pass-through Authentication, so when you set the user sign-in method to Pass-through Authentication the wizard enabled both. Password Synchronization has since been removed as a prerequisite. As part of Azure AD Connect version 1.1.557.0, Azure AD Connect was changed not to enable Password Synchronization when you set the user sign-in method to Pass-through Authentication. However, that change was only applied to Azure AD Connect installation. With this fix, the same change is also applied to the Change user sign-in task.

    • The same issue also occurs if you try to enable or disable Seamless Single Sign-On. Specifically: you have an existing Azure AD Connect deployment with Password Synchronization disabled and the user sign-in method already configured as Pass-through Authentication. Using the Change user sign-in task, you check or uncheck the Enable Seamless Single Sign-On option while the user sign-in method remains configured as Pass-through Authentication. When the change is applied, the wizard enables Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.

  • Fixed an issue that caused the Azure AD Connect upgrade to fail with the error "Unable to upgrade the Synchronization Service". Further, the Synchronization Service could no longer start, logging the event error "The service was unable to start because the version of the database is newer than the version of the binaries installed". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege on the SQL Server instance used by Azure AD Connect. With this fix, Azure AD Connect only requires the administrator to have db_owner privilege on the ADSync database during upgrade.

  • Fixed an Azure AD Connect upgrade issue that affected customers who have enabled Seamless Single Sign-On. After Azure AD Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in the Azure AD Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature now appears correctly as enabled in the wizard.

  • Fixed an issue that caused the Azure AD Connect wizard to always show the "Configure Source Anchor" prompt on the Ready to Configure page, even if no changes related to the Source Anchor were made.

  • When performing a manual in-place upgrade of Azure AD Connect, the customer is required to provide the Global Administrator credentials of the corresponding Azure AD tenant. Previously, the upgrade could proceed even though the Global Administrator's credentials belonged to a different Azure AD tenant. While the upgrade appeared to complete successfully, certain configurations were not correctly persisted. With this change, the wizard prevents the upgrade from proceeding if the credentials provided do not match the Azure AD tenant.

  • Removed redundant logic that unnecessarily restarted the Azure AD Connect Health service at the beginning of a manual upgrade.

New features and improvements

  • Added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud. Previously, you had to update specific registry keys on the Azure AD Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. Now, Azure AD Connect automatically detects whether your tenant is in Microsoft Germany Cloud based on the global administrator credentials provided during setup.

Azure AD Connect Sync

Note

The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is now deprecated and will be removed from versions of Azure AD Connect shipped after June 30, 2018. Customers who want to customize the synchronization schedule should use the built-in scheduler.

Fixed issues

  • When the Azure AD Connect wizard creates the AD Connector account required to synchronize changes from on-premises Active Directory, it did not correctly assign the account the permission required to read PublicFolder objects. This issue affects both Express and Custom installations. This change fixes the issue.

  • Fixed an issue that caused the Azure AD Connect wizard troubleshooting page to not render correctly for administrators running it on Windows Server 2016.

New features and improvements

  • When troubleshooting Password Synchronization using the Azure AD Connect wizard troubleshooting page, the page now returns domain-specific status.

  • Previously, if you tried to enable Password Hash Synchronization, Azure AD Connect did not verify whether the AD Connector account had the permissions required to synchronize password hashes from on-premises AD. Now, the Azure AD Connect wizard verifies this and warns you if the AD Connector account does not have sufficient permissions.

AD FS Management

Fixed issue

  • Fixed an issue related to the use of the ms-DS-ConsistencyGuid as Source Anchor feature. The issue affects customers who have configured Federation with AD FS as the user sign-in method. When you execute the Configure Source Anchor task in the wizard, Azure AD Connect switches to using ms-DS-ConsistencyGuid as the source attribute for immutableId. As part of this change, Azure AD Connect attempts to update the claim rules for ImmutableId in AD FS. However, this step failed because Azure AD Connect did not have the administrator credentials required to configure AD FS. With this fix, Azure AD Connect now prompts you for the AD FS administrator credentials when you execute the Configure Source Anchor task.

1.1.614.0

Status: September 05 2017

Azure AD Connect

Known issues

  • There is a known issue that causes the Azure AD Connect upgrade to fail with the error "Unable to upgrade the Synchronization Service". Further, the Synchronization Service can no longer start, logging the event error "The service was unable to start because the version of the database is newer than the version of the binaries installed". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege on the SQL Server instance used by Azure AD Connect. Dbo permissions are not sufficient.

  • There is a known issue with the Azure AD Connect upgrade that affects customers who have enabled Seamless Single Sign-On. After Azure AD Connect is upgraded, the feature appears as disabled in the wizard, even though it remains enabled. A fix for this issue will be provided in a future release. Customers who are concerned about this display issue can fix it manually by enabling Seamless Single Sign-On in the wizard.

Fixed issues

  • Fixed an issue that prevented Azure AD Connect from updating the claims rules in on-premises AD FS while enabling the ms-DS-ConsistencyGuid as Source Anchor feature. The issue occurs if you try to enable the feature for an existing Azure AD Connect deployment that has AD FS configured as the sign-in method, because the wizard did not prompt for AD FS credentials before trying to update the claims rules in AD FS.
  • Fixed an issue that caused the Azure AD Connect installation to fail if the on-premises AD forest has NTLM disabled. The issue was due to the Azure AD Connect wizard not providing fully qualified credentials when creating the security contexts required for Kerberos authentication. This caused Kerberos authentication to fail and the wizard to fall back to NTLM.

Azure AD Connect Sync

Fixed issues

  • Fixed an issue where a new synchronization rule could not be created if the Tag attribute isn't populated.
  • Fixed an issue that caused Azure AD Connect to connect to on-premises AD for Password Synchronization using NTLM even though Kerberos is available. This issue occurs if the on-premises AD topology has one or more domain controllers that were restored from a backup.
  • Fixed an issue that caused full synchronization steps to occur unnecessarily after upgrade. In general, running full synchronization steps is required after an upgrade if there are changes to the out-of-box synchronization rules. The issue was due to an error in the change detection logic that incorrectly detected a change when it encountered a synchronization rule expression with newline characters (newline characters are inserted into sync rule expressions to improve readability).
  • Fixed an issue that can cause the Azure AD Connect server to not work correctly after an Automatic Upgrade. This issue affects Azure AD Connect servers with version 1.1.443.0 (or earlier). For details, refer to the article Azure AD Connect is not working correctly after an automatic upgrade.
  • Fixed an issue that caused Automatic Upgrade to be retried every 5 minutes when errors were encountered. With the fix, Automatic Upgrade retries with exponential back-off when errors are encountered.
  • Fixed an issue where password synchronization event 611 was incorrectly shown in the Windows Application event log as informational instead of error. Event 611 is generated whenever password synchronization encounters an issue.
  • Fixed an issue in the Azure AD Connect wizard that allowed the Group writeback feature to be enabled without selecting the OU required for Group writeback.

New features and improvements

  • Added a Troubleshoot task to the Azure AD Connect wizard under Additional Tasks. Customers can use this task to troubleshoot issues related to password synchronization and collect general diagnostics. In the future, the Troubleshoot task will be extended to cover other directory synchronization-related issues.
  • Azure AD Connect now supports a new installation mode called Use Existing Database. This mode allows you to install Azure AD Connect against an existing ADSync database. For more information, refer to the article Use an existing database.
  • For improved security, Azure AD Connect now defaults to TLS 1.2 when connecting to Azure AD for directory synchronization. Previously, the default was TLS 1.0.
  • When the Azure AD Connect Password Synchronization Agent starts up, it tries to connect to the Azure AD well-known endpoint for password synchronization. Upon successful connection, it is redirected to a region-specific endpoint. Previously, the Password Synchronization Agent cached the region-specific endpoint until it was restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters a connection issue with the region-specific endpoint. This change ensures that password synchronization can fail over to a different region-specific endpoint when the cached one is no longer available.
  • Azure AD Connect 密码同步代理启动时,它将尝试连接到 Azure AD 的已知终结点进行密码同步。When Azure AD Connect Password Synchronization Agent starts up, it tries to connect to Azure AD well-known endpoint for password synchronization. 成功连接后,它会重定向到特定于区域的终结点。Upon successful connection, it is redirected to a region-specific endpoint. 以前,除非重新启动,否则密码同步代理将一直缓存区域特定的终结点。Previously, the Password Synchronization Agent caches the region-specific endpoint until it is restarted. 现在,当遇到特定于区域的终结点的连接问题时,代理将清除缓存并重试连接已知终结点。Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection issue with the region-specific endpoint. 此更改可确保已缓存的区域特定的终结点不再可用时,密码同步可以故障转移到其他区域特定的终结点。This change ensures that password synchronization can failover to a different region-specific endpoint when the cached region-specific endpoint is no longer available.
  • 若要同步本地 AD 林中的更改,需要 AD DS 帐户。To synchronize changes from an on-premises AD forest, an AD DS account is required. 可以 (i) 自行创建 AD DS 帐户,并将其凭据提供给 Azure AD Connect,也可以 (ii) 提供企业管理员凭据,让 Azure AD Connect 为你创建 AD DS 帐户。You can either (i) create the AD DS account yourself and provide its credential to Azure AD Connect, or (ii) provide an Enterprise Admin's credentials and let Azure AD Connect create the AD DS account for you. 以前,(i) 是 Azure AD Connect 向导中的默认选项。Previously, (i) is the default option in the Azure AD Connect wizard. 现在,(ii) 是默认选项。Now, (ii) is the default option.

Azure AD Connect HealthAzure AD Connect Health

新增功能和改进New features and improvements

  • 添加了对 Azure 政府云和 Microsoft 云德国的支持。Added support for Azure Government Cloud and Microsoft Cloud Germany.

AD FS 管理AD FS Management

修复的问题Fixed issues

  • AD 准备 powershell 模块中的 Initialize-ADSyncNGCKeysWriteBack cmdlet 对设备注册容器错误地应用 ACL,因此只会继承现有权限。The Initialize-ADSyncNGCKeysWriteBack cmdlet in the AD prep powershell module was incorrectly applying ACLs to the device registration container and would therefore only inherit existing permissions. 已对此情况进行更新,以便同步服务帐户具有正确的权限。This was updated so that the sync service account has the correct permissions.

新增功能和改进New features and improvements

  • 已更新 AAD Connect 验证 ADFS 登录任务,以便它能验证针对 Microsoft Online 的登录名而不只是验证从 ADFS 检索到的令牌。The AAD Connect Verify ADFS Login task was updated so that it verifies logins against Microsoft Online and not just token retrieval from ADFS.
  • 使用 AAD Connect 设置新 ADFS 场时,请求 ADFS 凭据的页面已经移动,现在此页面在要求用户提供 ADFS 和 WAP 服务器之前出现。When setting up a new ADFS farm using AAD Connect, the page asking for ADFS credentials was moved so that it now occurs before the user is asked to provide ADFS and WAP servers. 通过此更改,AAD Connect 可以检查指定帐户是否具有正确的权限。This allows AAD Connect to check that the account specified has the correct permissions.
  • AAD Connect 升级期间,如果 ADFS AAD 信任无法更新,升级将不会失败。During AAD Connect upgrade, we will no longer fail an upgrade if the ADFS AAD Trust fails to update. 如果发生此情况,用户将看到相应警告消息,并应通过其他 AAD Connect 任务继续重置信任。If that happens, the user will be shown an appropriate warning message and should proceed to reset the trust via the AAD Connect additional task.

1.1.561.0

Status: July 23, 2017

Azure AD Connect

Fixed issues

  • Fixed an issue that caused the out-of-box synchronization rule “Out to AD - User ImmutableId” to be removed:

    • The issue occurs when Azure AD Connect is upgraded, or when the task option Update Synchronization Configuration in the Azure AD Connect wizard is used to update the Azure AD Connect synchronization configuration.

    • This synchronization rule is applicable to customers who have enabled the ms-DS-ConsistencyGuid as Source Anchor feature. This feature was introduced in version 1.1.524.0 and later. When the synchronization rule is removed, Azure AD Connect can no longer populate the on-premises AD ms-DS-ConsistencyGuid attribute with the ObjectGuid attribute value. It does not prevent new users from being provisioned into Azure AD.

    • The fix ensures that the synchronization rule is no longer removed during upgrade or during configuration change, as long as the feature is enabled. For existing customers who have been affected by this issue, the fix also ensures that the synchronization rule is added back after upgrading to this version of Azure AD Connect.

  • Fixed an issue that caused out-of-box synchronization rules to have a precedence value less than 100:

    • In general, precedence values 0 - 99 are reserved for custom synchronization rules. During upgrade, the precedence values for out-of-box synchronization rules are updated to accommodate sync rule changes. Due to this issue, out-of-box synchronization rules may be assigned a precedence value less than 100.

    • The fix prevents the issue from occurring during upgrade. However, it does not restore the precedence values for existing customers who have been affected by the issue. A separate fix will be provided in the future to help with the restoration.

  • Fixed an issue where the Domain and OU Filtering screen in the Azure AD Connect wizard showed the Sync all domains and OUs option as selected, even though OU-based filtering was enabled.

  • Fixed an issue that caused the Configure Directory Partitions screen in the Synchronization Service Manager to return an error if the Refresh button is clicked. The error message is “An error was encountered while refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject’.” The error occurs when a new AD domain has been added to an existing AD forest and you try to update Azure AD Connect using the Refresh button.

New features and improvements

  • The Automatic Upgrade feature has been expanded to support customers with the following configurations:

    • You have enabled the device writeback feature.
    • You have enabled the group writeback feature.
    • The installation is not an Express settings or a DirSync upgrade.
    • You have more than 100,000 objects in the metaverse.
    • You are connecting to more than one forest. Express setup only connects to one forest.
    • The AD Connector account is not the default MSOL_ account anymore.
    • The server is set to be in staging mode.
    • You have enabled the user writeback feature.

    Note

    The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and later. If you do not want your Azure AD Connect server to be automatically upgraded, you must run the following cmdlet on your Azure AD Connect server: Set-ADSyncAutoUpgrade -AutoUpgradeState disabled. For more information about enabling/disabling Automatic Upgrade, refer to the article Azure AD Connect: Automatic upgrade.

1.1.558.0

Status: Will not be released. Changes in this build are included in version 1.1.561.0.

Azure AD Connect

Fixed issues

  • Fixed an issue that caused the out-of-box synchronization rule “Out to AD - User ImmutableId” to be removed when the OU-based filtering configuration is updated. This synchronization rule is required for the ms-DS-ConsistencyGuid as Source Anchor feature.

  • Fixed an issue where the Domain and OU Filtering screen in the Azure AD Connect wizard showed the Sync all domains and OUs option as selected, even though OU-based filtering was enabled.

  • Fixed an issue that caused the Configure Directory Partitions screen in the Synchronization Service Manager to return an error if the Refresh button is clicked. The error message is “An error was encountered while refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject’.” The error occurs when a new AD domain has been added to an existing AD forest and you try to update Azure AD Connect using the Refresh button.

New features and improvements

  • The Automatic Upgrade feature has been expanded to support customers with the following configurations:

    • You have enabled the device writeback feature.
    • You have enabled the group writeback feature.
    • The installation is not an Express settings or a DirSync upgrade.
    • You have more than 100,000 objects in the metaverse.
    • You are connecting to more than one forest. Express setup only connects to one forest.
    • The AD Connector account is not the default MSOL_ account anymore.
    • The server is set to be in staging mode.
    • You have enabled the user writeback feature.

    Note

    The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and later. If you do not want your Azure AD Connect server to be automatically upgraded, you must run the following cmdlet on your Azure AD Connect server: Set-ADSyncAutoUpgrade -AutoUpgradeState disabled. For more information about enabling/disabling Automatic Upgrade, refer to the article Azure AD Connect: Automatic upgrade.

1.1.557.0

Status: July 2017

Note

This build is not available to customers through the Azure AD Connect Auto Upgrade feature.

Azure AD Connect

Fixed issues

  • Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it was still a valid domain. This issue occurs when your Azure AD tenant has more than one verified domain that can be used for configuring the service connection point.

New features and improvements

  • Password writeback is now available for preview with Azure Government cloud and Microsoft Cloud Germany. For more information about Azure AD Connect support for the different service instances, refer to the article Azure AD Connect: Special considerations for instances.

  • The Initialize-ADSyncDomainJoinedComputerSync cmdlet now has a new optional parameter named AzureADDomain. This parameter lets you specify which verified domain to use for configuring the service connection point.

Pass-through Authentication

New features and improvements

  • The name of the agent required for Pass-through Authentication has been changed from Azure AD Application Proxy Connector to Azure AD Connect Authentication Agent.

  • Enabling Pass-through Authentication no longer enables Password Hash Synchronization by default.

1.1.553.0

Status: June 2017

Important

There are schema and sync rule changes introduced in this build. The Azure AD Connect Synchronization Service will trigger Full Import and Full Synchronization steps after upgrade. Details of the changes are described below. To temporarily defer Full Import and Full Synchronization steps after upgrade, refer to the article How to defer full synchronization after upgrade.

Azure AD Connect Sync

Known issue

  • There is an issue that affects customers who are using OU-based filtering with Azure AD Connect sync. When you navigate to the Domain and OU Filtering page in the Azure AD Connect wizard, the following behavior is expected:
    • If OU-based filtering is enabled, the Sync selected domains and OUs option is selected.
    • Otherwise, the Sync all domains and OUs option is selected.

The issue that arises is that the Sync all domains and OUs option is always selected when you run the wizard. This occurs even if OU-based filtering was previously configured. Before saving any AAD Connect configuration changes, make sure the Sync selected domains and OUs option is selected and confirm that all OUs that need to synchronize are enabled again. Otherwise, OU-based filtering will be disabled.

Fixed issues

  • Fixed an issue with Password writeback that allowed an Azure AD Administrator to reset the password of an on-premises AD privileged user account. The issue occurs when Azure AD Connect is granted the Reset Password permission over the privileged account. The issue is addressed in this version of Azure AD Connect by not allowing an Azure AD Administrator to reset the password of an arbitrary on-premises AD privileged user account unless the administrator is the owner of that account. For more information, refer to Security Advisory 4033453.

  • Fixed an issue related to the ms-DS-ConsistencyGuid as Source Anchor feature where Azure AD Connect did not write back to the on-premises AD ms-DS-ConsistencyGuid attribute. The issue occurs when multiple on-premises AD forests are added to Azure AD Connect and the User identities exist across multiple directories option is selected. When such a configuration is used, the resulting synchronization rules do not populate the sourceAnchorBinary attribute in the Metaverse. The sourceAnchorBinary attribute is used as the source attribute for the ms-DS-ConsistencyGuid attribute. As a result, writeback to the ms-DS-ConsistencyGuid attribute does not occur. To fix the issue, the following sync rules have been updated to ensure that the sourceAnchorBinary attribute in the Metaverse is always populated:

    • In from AD - InetOrgPerson AccountEnabled.xml
    • In from AD - InetOrgPerson Common.xml
    • In from AD - User AccountEnabled.xml
    • In from AD - User Common.xml
    • In from AD - User Join SOAInAAD.xml
  • Previously, even if the ms-DS-ConsistencyGuid as Source Anchor feature wasn’t enabled, the “Out to AD - User ImmutableId” synchronization rule was still added to Azure AD Connect. The effect is benign and does not cause writeback of the ms-DS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled.

  • Fixed an issue that caused password hash synchronization to fail with error event 611. This issue occurs after one or more domain controllers have been removed from on-premises AD. At the end of each password synchronization cycle, the synchronization cookie issued by on-premises AD contains the Invocation IDs of the removed domain controllers with a USN (Update Sequence Number) value of 0. The Password Synchronization Manager is unable to persist a synchronization cookie containing a USN value of 0 and fails with error event 611. During the next synchronization cycle, the Password Synchronization Manager reuses the last persisted synchronization cookie that does not contain a USN value of 0. This causes the same password changes to be resynchronized. With this fix, the Password Synchronization Manager persists the synchronization cookie correctly.

  • Previously, even if Automatic Upgrade had been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continued to check for upgrades periodically and relied on the downloaded installer to honor the disablement. With this fix, the Automatic Upgrade process no longer checks for upgrades periodically. The fix is applied automatically once the upgrade installer for this Azure AD Connect version has been executed.
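
As an added defensive check, not part of these release notes or of the Azure AD Connect product, the following PowerShell lists the protected accounts (adminCount=1) and the AdminSDHolder object whose ACL grants the AD DS connector account the Reset Password extended right, which is the permission the password writeback fix above concerns. It assumes the ActiveDirectory RSAT module is installed and uses a hypothetical connector account name, CONTOSO\MSOL_example.

```powershell
# Added defensive check; not part of the Azure AD Connect release notes or product.
# Lists protected accounts (adminCount=1) and the AdminSDHolder object whose ACL
# grants the Azure AD Connect AD DS account the "Reset Password" extended right.
# Assumes the ActiveDirectory RSAT module; the connector account name is hypothetical.
Import-Module ActiveDirectory

# Hypothetical connector account name; replace with your MSOL_* or custom AD DS account.
$ConnectorAccount = 'CONTOSO\MSOL_example'

# Schema GUID of the User-Force-Change-Password ("Reset Password") extended right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordGrants {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Guid] $RightGuid = $ResetPasswordGuid
    )

    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Protected objects plus AdminSDHolder, whose ACL is periodically re-stamped onto them.
    $domainDn = (Get-ADDomain).DistinguishedName
    $targets  = @(Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domainDn)
    $targets += Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDn"

    foreach ($obj in $targets) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $Identity) { continue }

            $rights = $ace.ActiveDirectoryRights
            # GenericAll implies every extended right. ExtendedRight with an empty
            # ObjectType means "all extended rights"; otherwise it must name this GUID.
            $grantsReset = (($rights -band $genericAll) -eq $genericAll) -or
                ((($rights -band $extendedRight) -eq $extendedRight) -and
                 ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $RightGuid))

            if ($grantsReset) {
                [pscustomobject]@{
                    Object      = $obj.DistinguishedName
                    Rights      = $rights
                    ObjectType  = $ace.ObjectType
                    IsInherited = $ace.IsInherited
                }
            }
        }
    }
}

# Example run. An empty result means the connector account holds no Reset Password
# right over protected accounts, whether set directly or inherited from AdminSDHolder.
Get-ResetPasswordGrants -Identity $ConnectorAccount | Format-Table -AutoSize
```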

New features and improvements

  • Previously, the ms-DS-ConsistencyGuid as Source Anchor feature was available to new deployments only. Now, it is available to existing deployments as well. More specifically:

    • To access the feature, start the Azure AD Connect wizard and choose the Update Source Anchor option.
    • This option is only visible to existing deployments that are using objectGuid as the sourceAnchor attribute.
    • When configuring the option, the wizard validates the state of the ms-DS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any user object in the directory, the wizard uses ms-DS-ConsistencyGuid as the sourceAnchor attribute. If the attribute is configured on one or more user objects in the directory, the wizard concludes that the attribute is being used by other applications, is not suitable as the sourceAnchor attribute, and does not permit the Source Anchor change to proceed. If you are certain that the attribute isn't used by existing applications, you need to contact Support for information on how to suppress the error.
  • Specific to the userCertificate attribute on Device objects, Azure AD Connect now looks for the certificate values required for the Connecting domain-joined devices to Azure AD for Windows 10 experience and filters out the rest before synchronizing to Azure AD. To enable this behavior, the out-of-box sync rule “Out to AAD - Device Join SOAInAD” has been updated.

  • Azure AD Connect now supports writeback of the Exchange Online cloudPublicDelegates attribute to the on-premises AD publicDelegates attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailboxes. To support this feature, a new out-of-box sync rule “Out to AD - User Exchange Hybrid PublicDelegates writeback” has been added. This sync rule is only added to Azure AD Connect when the Exchange Hybrid feature is enabled.

  • Azure AD Connect now supports synchronizing the altRecipient attribute from Azure AD. To support this change, the following out-of-box sync rules have been updated to include the required attribute flow:

    • In from AD - User Exchange
    • Out to AAD - User ExchangeOnline
  • The cloudSOAExchMailbox attribute in the Metaverse indicates whether a given user has an Exchange Online mailbox. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes, such as Equipment and Conference Room mailboxes. To enable this change, the definition of the cloudSOAExchMailbox attribute, found under the out-of-box sync rule “In from AAD - User Exchange Hybrid”, has been updated from:

CBool(IIF(IsNullOrEmpty([cloudMSExchRecipientDisplayType]),NULL,BitAnd([cloudMSExchRecipientDisplayType],&HFF) = 0))

... to the following:

CBool(
  IIF(IsPresent([cloudMSExchRecipientDisplayType]),(
    IIF([cloudMSExchRecipientDisplayType]=0,True,(
      IIF([cloudMSExchRecipientDisplayType]=2,True,(
        IIF([cloudMSExchRecipientDisplayType]=7,True,(
          IIF([cloudMSExchRecipientDisplayType]=8,True,(
            IIF([cloudMSExchRecipientDisplayType]=10,True,(
              IIF([cloudMSExchRecipientDisplayType]=16,True,(
                IIF([cloudMSExchRecipientDisplayType]=17,True,(
                  IIF([cloudMSExchRecipientDisplayType]=18,True,(
                    IIF([cloudMSExchRecipientDisplayType]=1073741824,True,(
                       IIF([cloudMSExchRecipientDisplayType]=1073741840,True,False)))))))))))))))))))),False))

  • Added the following set of X509Certificate2-compatible functions for creating synchronization rule expressions to handle certificate values in the userCertificate attribute:

    CertSubject                 CertIssuer                  CertKeyAlgorithm
    CertSubjectNameDN           CertIssuerOid               CertNameInfo
    CertSubjectNameOid          CertIssuerDN                IsCert
    CertFriendlyName            CertThumbprint              CertExtensionOids
    CertFormat                  CertNotAfter                CertPublicKeyOid
    CertSerialNumber            CertNotBefore               CertPublicKeyParametersOid
    CertVersion                 CertSignatureAlgorithmOid   Select
    CertKeyAlgorithmParams      CertHashString              Where
    With
  • The following schema changes have been introduced to allow customers to create custom synchronization rules to flow sAMAccountName, domainNetBios, and domainFQDN for Group objects, as well as distinguishedName for User objects:

    • The following attributes have been added to the MV schema:

      • Group: AccountName
      • Group: domainNetBios
      • Group: domainFQDN
      • Person: distinguishedName
    • The following attributes have been added to the Azure AD Connector schema:

      • Group: OnPremisesSamAccountName
      • Group: NetBiosName
      • Group: DnsDomainName
      • User: OnPremisesDistinguishedName
  • The ADSyncDomainJoinedComputerSync cmdlet script now has a new optional parameter named AzureEnvironment. The parameter is used to specify which region the corresponding Azure Active Directory tenant is hosted in. Valid values include:

    • AzureCloud (default)
    • AzureChinaCloud
    • AzureGermanyCloud
    • USGovernment
  • Updated the Sync Rule Editor to use Join (instead of Provision) as the default value of the link type during sync rule creation.

AD FS management

Fixed issues

  • The following URLs are new WS-Federation endpoints introduced by Azure AD to improve resiliency against authentication outages and will be added to the on-premises AD FS relying party trust configuration:

  • Fixed an issue that caused AD FS to generate an incorrect claim value for IssuerID. The issue occurs if there are multiple verified domains in the Azure AD tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least 3 levels deep (for example, johndoe@us.contoso.com). The issue is resolved by updating the regex used by the claim rules.

New features and improvements

  • Previously, the ADFS Certificate Management feature provided by Azure AD Connect could only be used with ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that are not managed using Azure AD Connect.

1.1.524.0

Released: May 2017

Important

There are schema and sync rule changes introduced in this build. The Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after upgrade. Details of the changes are described below.

Fixed issues:

Azure AD Connect sync

  • Fixed an issue that caused Automatic Upgrade to occur on the Azure AD Connect server even if the customer had disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrades periodically, but the downloaded installer honors the Automatic Upgrade configuration.
  • During a DirSync in-place upgrade, Azure AD Connect creates an Azure AD service account to be used by the Azure AD connector for synchronizing with Azure AD. After the account is created, Azure AD Connect authenticates with Azure AD using the account. Sometimes, authentication fails because of transient issues, which in turn causes the DirSync in-place upgrade to fail with the error “An error has occurred executing Configure AAD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.partner.onmschina.cn directory.” To improve the resiliency of the DirSync upgrade, Azure AD Connect now retries the authentication step.
  • There was an issue with build 443 that caused a DirSync in-place upgrade to succeed but the run profiles required for directory synchronization not to be created. Healing logic is included in this build of Azure AD Connect. When a customer upgrades to this build, Azure AD Connect detects the missing run profiles and creates them.
  • Fixed an issue that caused the Password Synchronization process to fail to start with Event ID 6900 and the error “An item with the same key has already been added”. This issue occurs if you update the OU filtering configuration to include the AD configuration partition. To fix this issue, the Password Synchronization process now synchronizes password changes from AD domain partitions only. Non-domain partitions, such as the configuration partition, are skipped.
  • During Express installation, Azure AD Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account was created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute, and a random password was set on the account. Now, Azure AD Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account.
  • Fixed an issue that caused a DirSync upgrade to fail with the error “a deadlock occurred in sql server which trying to acquire an application lock” when the mailNickname attribute is found in the on-premises AD schema but is not bound to the AD User object class.
  • Fixed an issue that caused the Device writeback feature to be automatically disabled when an administrator updated the Azure AD Connect sync configuration using the Azure AD Connect wizard. This issue was caused by the wizard performing a prerequisite check for the existing Device writeback configuration in on-premises AD, and the check failing. The fix is to skip the check if Device writeback was already enabled previously.
  • 若要配置 OU 筛选,可以使用 Azure AD Connect 向导或 Synchronization Service Manager。To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service Manager. 以前,如果使用 Azure AD Connect 向导配置 OU 筛选,则会包含以后新建的 OU 用于目录同步。Previously, if you use the Azure AD Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. 如果不想要包含新 OU,则必须使用 Synchronization Service Manager 配置 OU 筛选。If you do not want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. 现在,可以获得相同的行为使用 Azure AD Connect 向导。Now, you can achieve the same behavior using Azure AD Connect wizard.
  • 修复了导致在安装管理架构而不是 dbo 架构下创建 Azure AD Connect 所需存储过程的问题。Fixed an issue that causes stored procedures required by Azure AD Connect to be created under the schema of the installing admin, instead of under the dbo schema.
  • 修复了问题导致省略 AAD 连接服务器事件日志中的 Azure AD 返回的 TrackingId 属性。Fixed an issue that causes the TrackingId attribute returned by Azure AD to be omitted in the AAD Connect Server Event Logs. 如果 Azure AD Connect 从 Azure AD 收到了重定向消息,并且 Azure AD Connect 无法连接到提供的终结点,则会发生此问题。The issue occurs if Azure AD Connect receives a redirection message from Azure AD and Azure AD Connect is unable to connect to the endpoint provided. TrackingId 由支持工程师用于在故障排除过程使用服务端日志关联。The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting.
  • Azure AD Connect 从 Azure AD 收到 LargeObject 错误时,会生成 EventID 为 6941 的事件,并返回消息“预配的对象太大。 请减少此对象上属性值的数目。”When Azure AD Connect receives LargeObject error from Azure AD, Azure AD Connect generates an event with EventID 6941 and message “The provisioned object is too large. Trim the number of attribute values on this object.” 同时,Azure AD Connect 还会生成 EventID 为 6900 的误导性事件和消息“Microsoft.Online.Coexistence.ProvisionRetryException: 无法与 Azure Active Directory 服务通信。”At the same time, Azure AD Connect also generates a misleading event with EventID 6900 and message “Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Azure Active Directory service.” 为了尽量减少混淆,在收到 LargeObject 错误时,Azure AD Connect 不再生成后一种事件。To minimize confusion, Azure AD Connect no longer generates the latter event when LargeObject error is received.
  • 修复了当尝试更新通用 LDAP 连接器的配置时,Synchronization Service Manager 无法响应的问题。Fixed an issue that causes the Synchronization Service Manager to become unresponsive when trying to update the configuration for Generic LDAP connector.

New features/improvements:

Azure AD Connect sync

  • Sync Rule Changes - The following sync rule changes have been implemented:

    • Updated the default sync rule set to not export the attributes userCertificate and userSMIMECertificate if the attributes have more than 15 values.
    • AD attributes employeeID and msExchBypassModerationLink are now included in the default sync rule set.
    • AD attribute photo has been removed from the default sync rule set.
    • Added preferredDataLocation to the Metaverse schema and AAD Connector schema. Customers who want to update either attribute in Azure AD can implement custom sync rules to do so.
    • Added userType to the Metaverse schema and AAD Connector schema. Customers who want to update either attribute in Azure AD can implement custom sync rules to do so.
  • Azure AD Connect now automatically enables the use of the ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects. Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it is empty. This feature is applicable to new deployments only. To find out more about this feature, refer to the article section Azure AD Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor.

  • A new troubleshooting cmdlet, Invoke-ADSyncDiagnostics, has been added to help diagnose Password Hash Synchronization related issues. For information about using the cmdlet, refer to the article Troubleshoot password hash synchronization with Azure AD Connect sync.

  • Azure AD Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Azure AD. You can enable the feature using the Azure AD Connect wizard under Optional Features. To find out more about this feature, refer to the article Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders.

  • Azure AD Connect requires an AD DS account to synchronize from on-premises AD. Previously, if you installed Azure AD Connect using Express mode, you could provide the credentials of an Enterprise Admin account and Azure AD Connect would create the AD DS account required. However, for a custom installation and when adding forests to an existing deployment, you were required to provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during a custom installation and let Azure AD Connect create the AD DS account required.

  • Azure AD Connect now supports SQL AOA. You must enable SQL AOA before installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further determines whether SQL AOA is configured to use synchronous or asynchronous replication. When setting up the Availability Group Listener, it is recommended that you set the RegisterAllProvidersIP property to 0. This recommendation is because Azure AD Connect currently uses SQL Native Client to connect to SQL, and SQL Native Client does not support the use of the MultiSubNetFailover property.

  • If you are using LocalDB as the database for your Azure AD Connect server and it has reached its 10-GB size limit, the Synchronization Service no longer starts. Previously, you needed to perform a ShrinkDatabase operation on the LocalDB to reclaim enough DB space for the Synchronization Service to start. After that, you could use the Synchronization Service Manager to delete run history to reclaim more DB space. Now, you can use the Start-ADSyncPurgeRunHistory cmdlet to purge run history data from LocalDB to reclaim DB space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) which can be used when the Synchronization Service is not running. Note: The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB.

  • To reduce the amount of storage space required, Azure AD Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Azure AD Connect to this version, Azure AD Connect performs a one-time compression of existing sync error details.

  • Previously, after updating the OU filtering configuration, you had to manually run a Full Import to ensure existing objects were properly included in or excluded from directory synchronization. Now, Azure AD Connect automatically triggers a Full Import during the next sync cycle. Further, the Full Import is only applied to the AD connectors affected by the update. Note: this improvement is applicable to OU filtering updates made using the Azure AD Connect wizard only. It is not applicable to OU filtering updates made using the Synchronization Service Manager.

  • Previously, Group-based filtering supported User, Group, and Contact objects only. Now, Group-based filtering also supports Computer objects.

  • Previously, you could delete Connector Space data without disabling the Azure AD Connect sync scheduler. Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform customers about potential data loss if the Connector Space data is deleted.

  • Previously, you had to disable PowerShell transcription for the Azure AD Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using the Azure AD Connect wizard to manage sync configuration. You must still disable PowerShell transcription if you are using the Azure AD Connect wizard to manage ADFS configuration.

1.1.486.0

Released: April 2017

Fixed issues:

  • Fixed the issue where Azure AD Connect does not install successfully on localized versions of Windows Server.

1.1.484.0

Released: April 2017

Known issues:

  • This version of Azure AD Connect will not install successfully if the following conditions are all true:
    1. You are performing either a DirSync in-place upgrade or a fresh installation of Azure AD Connect.
    2. You are using a localized version of Windows Server where the name of the built-in Administrator group on the server isn't "Administrators".
    3. You are using the default SQL Server 2012 Express LocalDB installed with Azure AD Connect instead of providing your own full SQL.

Fixed issues:

Azure AD Connect sync

  • Fixed an issue where the sync scheduler skips the entire sync step if one or more connectors are missing the run profile for that sync step. For example, you manually added a connector using the Synchronization Service Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to run Delta Import for the other connectors.
  • Fixed an issue where the Synchronization Service immediately stops processing a run profile when it encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For example, you have a Delta Import run profile for your AD connector with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta Import for the other AD domains even if one of them has network connectivity issues.
  • Fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade.
  • Fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail.
  • Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Azure AD Connector.
  • Fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to configure the Generic LDAP Connector.

AD FS management

  • Fixed an issue where the Azure AD Connect wizard fails if the AD FS primary node has been moved to another server.

Desktop SSO

  • Fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable the Desktop SSO feature if you chose Password Synchronization as your Sign-In option during a new installation.

New features/improvements:

Azure AD Connect sync

  • Azure AD Connect Sync now supports the use of a Virtual Service Account, Managed Service Account, or Group Managed Service Account as its service account. This applies to new installations of Azure AD Connect only. When installing Azure AD Connect:
    • By default, the Azure AD Connect wizard creates a Virtual Service Account and uses it as its service account.
    • If you are installing on a domain controller, Azure AD Connect falls back to the previous behavior, where it creates a domain user account and uses it as its service account instead.
    • You can override the default behavior by providing one of the following:
      • A Group Managed Service Account
      • A Managed Service Account
      • A domain user account
      • A local user account
  • Previously, if you upgraded to a new build of Azure AD Connect containing connector updates or sync rule changes, Azure AD Connect would trigger a full sync cycle. Now, Azure AD Connect selectively triggers the Full Import step only for connectors with an update, and the Full Synchronization step only for connectors with sync rule changes.
  • Previously, the Export Deletion Threshold only applied to exports triggered through the sync scheduler. Now, the feature is extended to include exports manually triggered by the customer using the Synchronization Service Manager.
  • On your Azure AD tenant, there is a service configuration which indicates whether the Password Synchronization feature is enabled for your tenant or not. Previously, it was easy for the service configuration to be incorrectly configured by Azure AD Connect when you have an active and a staging server. Now, Azure AD Connect attempts to keep the service configuration consistent with your active Azure AD Connect server only.
  • The Azure AD Connect wizard now detects and returns a warning if on-premises AD does not have the AD Recycle Bin enabled.
  • Previously, Export to Azure AD timed out and failed if the combined size of the objects in the batch exceeded a certain threshold. Now, the Synchronization Service reattempts to resend the objects in separate, smaller batches if the issue is encountered.
  • The Synchronization Service Key Management application has been removed from the Windows Start Menu. Management of the encryption key continues to be supported through the command-line interface using miiskmu.exe. For information about managing the encryption key, refer to the article Abandoning the Azure AD Connect Sync encryption key.
  • Previously, if you changed the Azure AD Connect sync service account password, the Synchronization Service would not be able to start correctly until you had abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this process is no longer required.

Desktop SSO

  • The Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required.

1.1.443.0

Released: March 2017

Fixed issues:

Azure AD Connect sync

  • Fixed an issue which causes the Azure AD Connect wizard to fail if the display name of the Azure AD Connector does not contain the initial partner.onmschina.cn domain assigned to the Azure AD tenant.
  • Fixed an issue which causes the Azure AD Connect wizard to fail while making a connection to the SQL database when the password of the Sync Service Account contains special characters such as apostrophe, colon, and space.
  • Fixed an issue which causes the error “The image has an anchor that is different than the image” to occur on an Azure AD Connect server in staging mode, after you have temporarily excluded an on-premises AD object from syncing and then included it again for syncing.
  • Fixed an issue which causes the error “The object located by DN is a phantom” to occur on an Azure AD Connect server in staging mode, after you have temporarily excluded an on-premises AD object from syncing and then included it again for syncing.

AD FS management

  • Fixed an issue where the Azure AD Connect wizard does not update the AD FS configuration and set the right claims on the relying party trust after Alternate Login ID is configured.
  • Fixed an issue where the Azure AD Connect wizard is unable to correctly handle AD FS servers whose service accounts are configured using the userPrincipalName format instead of the sAMAccountName format.

Pass-through Authentication

  • Fixed an issue which causes the Azure AD Connect wizard to fail if Pass-through Authentication is selected but registration of its connector fails.
  • Fixed an issue which causes the Azure AD Connect wizard to bypass validation checks on the selected sign-in method when the Desktop SSO feature is enabled.

Password Reset

  • Fixed an issue which may cause the Azure AD Connect server to not attempt to reconnect if the connection was killed by a firewall or proxy.

New features/improvements:

Azure AD Connect sync

  • The Get-ADSyncScheduler cmdlet now returns a new Boolean property named SyncCycleInProgress. If the returned value is true, it means that a scheduled synchronization cycle is in progress.
  • The destination folder for storing Azure AD Connect installation and setup logs has been moved from %localappdata%\AADConnect to %programdata%\AADConnect to improve accessibility of the log files.
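As an added example (not code from these release notes or from the Azure AD Connect product), the following PowerShell script ties the SyncCycleInProgress property introduced here to the offline Start-ADSyncPurgeRunHistory mode and the "scheduler must be disabled" rule described under the build listed above: it drains the scheduler before stopping the service, purges LocalDB run history offline, and restores the previous state even if a step fails. Assumed: it runs elevated on an Azure AD Connect server that uses LocalDB, the Windows service is named ADSync, the cmdlet accepts a -PurgeRunHistoryInterval TimeSpan, and the retention value is a constructed sample.

```powershell
# Added example, not from the release notes: purge LocalDB run history offline
# without interrupting a running sync cycle.
# Assumptions: elevated session on the Azure AD Connect server, LocalDB as the
# database (offline mode is LocalDB-only), service name "ADSync",
# -PurgeRunHistoryInterval accepted as a TimeSpan. $RetainDays is a constructed
# sample value.
param(
    [int]$RetainDays = 7,        # run history older than this is purged (sample value)
    [int]$MaxWaitMinutes = 60    # give up if a cycle is still running after this long
)

$ErrorActionPreference = 'Stop'
Import-Module ADSync

# Poll the SyncCycleInProgress property until no cycle is running.
function Wait-ADSyncCycleIdle {
    param([int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still in progress after $TimeoutMinutes minutes; aborting."
        }
        Write-Host "Sync cycle in progress, waiting 30 seconds..."
        Start-Sleep -Seconds 30
    }
}

$wasEnabled = (Get-ADSyncScheduler).SyncCycleEnabled

try {
    # 1. Stop the scheduler from starting new cycles, then let the current one finish.
    if ($wasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $false }
    Wait-ADSyncCycleIdle -TimeoutMinutes $MaxWaitMinutes

    # 2. Offline mode requires the Synchronization Service to be stopped.
    Stop-Service -Name ADSync
    (Get-Service -Name ADSync).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

    # 3. Purge run history older than the retention window directly from LocalDB.
    Start-ADSyncPurgeRunHistory -PurgeRunHistoryInterval ([TimeSpan]::FromDays($RetainDays)) -Offline
    Write-Host "Purged run history older than $RetainDays days."
}
finally {
    # 4. Always bring the service back, then re-enable the scheduler only if it
    #    was enabled before we started (a staging server may keep it off on purpose).
    Start-Service -Name ADSync
    (Get-Service -Name ADSync).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
    if ($wasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $true }
}
```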

AD FS management

  • Added support for updating the AD FS Farm SSL Certificate.
  • Added support for managing AD FS 2016.
  • You can now specify an existing gMSA (Group Managed Service Account) during AD FS installation.
  • You can now configure SHA-256 as the signature hash algorithm for the Azure AD relying party trust.

Password Reset

  • Introduced improvements to allow the product to function in environments with more stringent firewall rules.
  • Improved connection reliability to Azure Service Bus.

1.1.380.0

Released: December 2016

Fixed issue:

  • Fixed the issue where the issuerid claim rule for Active Directory Federation Services (AD FS) was missing from the build.

Note

This build is not available to customers through the Azure AD Connect Auto Upgrade feature.

1.1.371.0

Released: December 2016

Known issue:

  • The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure Active Directory (Azure AD). If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after the installation/upgrade. For details on adding the issuerid claim rule, refer to the article on Multiple domain support for federating with Azure AD.

Fixed issue:

  • If port 9090 is not open for outbound connections, the Azure AD Connect installation or upgrade fails.

Note

This build is not available to customers through the Azure AD Connect Auto Upgrade feature.

1.1.370.0

Released: December 2016

Known issues:

  • The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding the issuerid claim rule, refer to the article on Multiple domain support for federating with Azure AD.
  • Port 9090 must be open outbound to complete installation.

New features:

  • Pass-through Authentication (Preview).

Note

This build is not available to customers through the Azure AD Connect Auto Upgrade feature.

1.1.343.0

Released: November 2016

Known issue:

  • The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding the issuerid claim rule, refer to the article on Multiple domain support for federating with Azure AD.
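As an added example (not from these release notes or from the product), this PowerShell script gives the post-upgrade check the known issue for builds 1.1.371.0, 1.1.370.0, and 1.1.343.0 calls for: it reports whether the issuerid claim rule is still present on the Azure AD relying party trust, and appends the rule only if you pass its text taken from the referenced Multiple domain support article. Assumed: it runs on the primary AD FS server with the ADFS module available; the relying party trust name is a placeholder to replace with your own; the page does not give the rule text, so none is embedded.

```powershell
# Added example, not from the release notes: detect (and optionally restore) the
# issuerid claim rule that an upgrade to the affected builds removes.
# Assumptions: primary AD FS server, ADFS module present, $RelyingPartyName is a
# placeholder for your Azure AD trust (list trusts with Get-AdfsRelyingPartyTrust),
# $IssuerIdRule is the rule text from the referenced article (left empty here).
param(
    [string]$RelyingPartyName = 'PLACEHOLDER-AzureAD-RelyingPartyTrust',
    [string]$IssuerIdRule = ''    # empty means report only, never modify the trust
)

$ErrorActionPreference = 'Stop'
Import-Module ADFS

# The issuerid claim is identified by its claim-type URI suffix inside the
# rule-set text; rule names are free-form and may have been edited.
function Test-IssuerIdRule {
    param([string]$Name)
    $trust = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $trust) { throw "Relying party trust '$Name' not found." }
    return [bool]($trust.IssuanceTransformRules -match '/claims/issuerid')
}

if (Test-IssuerIdRule -Name $RelyingPartyName) {
    Write-Host "issuerid claim rule is present on '$RelyingPartyName'; nothing to do."
    return
}

Write-Warning "issuerid claim rule is MISSING on '$RelyingPartyName'. It is required when federating multiple domains with Azure AD."

if ([string]::IsNullOrWhiteSpace($IssuerIdRule)) {
    Write-Host "Re-run with -IssuerIdRule <rule text from the referenced article> to append it."
    return
}

# Back up the current rule set before changing anything, then append the rule.
$trust  = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
$backup = Join-Path $env:TEMP ("IssuanceTransformRules-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
Set-Content -Path $backup -Value $trust.IssuanceTransformRules
$newRules = $trust.IssuanceTransformRules + "`r`n" + $IssuerIdRule
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $newRules
Write-Host "issuerid rule appended. Previous rule set saved to $backup"
```

Run it without -IssuerIdRule first on every AD FS farm managed by Azure AD Connect after the upgrade; a MISSING result is the signal to apply the workaround from the referenced article.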

Fixed issues:

  • Sometimes, installing Azure AD Connect fails because it is unable to create a local service account whose password meets the level of complexity specified by the organization's password policy.
  • Fixed an issue where join rules are not reevaluated when an object in the connector space simultaneously goes out of scope for one join rule and comes into scope for another. This can happen if you have two or more join rules whose join conditions are mutually exclusive.
  • Fixed an issue where inbound synchronization rules (from Azure AD) that do not contain join rules are not processed if they have lower precedence values than those containing join rules.

Improvements:

  • Added support for installing Azure AD Connect on Windows Server 2016 Standard or higher.
  • Added support for using SQL Server 2016 as the remote database for Azure AD Connect.

1.1.281.0

Released: August 2016

Fixed issues:

  • Changes to the sync interval do not take effect until after the next sync cycle is complete.
  • The Azure AD Connect wizard does not accept an Azure AD account whose username starts with an underscore (_).
  • The Azure AD Connect wizard fails to authenticate the Azure AD account if the account password contains too many special characters. The error message "Unable to validate credentials. An unexpected error has occurred." is returned.
  • Uninstalling a staging server disables password synchronization in the Azure AD tenant and causes password synchronization to fail on the active server.
  • Password synchronization fails in uncommon cases when there is no password hash stored on the user.
  • When the Azure AD Connect server is enabled for staging mode, password writeback is not temporarily disabled.
  • The Azure AD Connect wizard does not show the actual password synchronization and password writeback configuration when the server is in staging mode. It always shows them as disabled.
  • Configuration changes to password synchronization and password writeback are not persisted by the Azure AD Connect wizard when the server is in staging mode.

Improvements:

  • Updated the Start-ADSyncSyncCycle cmdlet to indicate whether it was able to successfully start a new sync cycle or not.
  • Added the Stop-ADSyncSyncCycle cmdlet to terminate the sync cycle and operation currently in progress.
  • Updated the Stop-ADSyncScheduler cmdlet to terminate the sync cycle and operation currently in progress.
  • When configuring Directory extensions in the Azure AD Connect wizard, Azure AD attributes of type "Teletex string" can now be selected.

1.1.189.01.1.189.0

已发布:2016 年 6 月Released: June 2016

已解决的问题和改进:Fixed issues and improvements:

  • Azure AD Connect 现在可以安装于符合 FIPS 的服务器上。Azure AD Connect can now be installed on a FIPS-compliant server.
  • 已修复下列问题:NetBIOS 名称无法解析为 Active Directory 连接器中的 FQDN。Fixed an issue where a NetBIOS name could not be resolved to the FQDN in the Active Directory Connector.

1.1.180.0

Released: May 2016

New features:

  • Warns and helps you verify domains if you didn't do so before running Azure AD Connect.

Fixed issues and improvements:

  • Added filtering to the Sync Rule Editor to make it easier to find sync rules.
  • Improved performance when deleting a connector space.
  • Fixed an issue when the same object was both deleted and added in the same run (called delete/add).
  • A disabled sync rule no longer re-enables included objects and attributes on upgrade or directory schema refresh.

1.1.130.0

Released: April 2016

New features:

1.1.119.0

Released: March 2016

Fixed issues:

  • Made sure Express installation cannot be used on Windows Server 2008 (pre-R2), because password sync is not supported on that operating system.
  • Upgrade from DirSync with a custom filter configuration did not work as expected.
  • When upgrading to a newer release with no changes to the configuration, a full import/synchronization should not be scheduled.

1.1.110.0

Released: February 2016

Fixed issues:

  • Upgrade from earlier releases does not work if the installation is not in the default C:\Program Files folder.
  • If you install and clear "Start the synchronization process" at the end of the installation wizard, running the installation wizard a second time will not enable the scheduler.
  • The scheduler doesn't work as expected on servers where the en-US date/time format is not used. It also blocks Get-ADSyncScheduler from returning correct times.
  • If you installed an earlier release of Azure AD Connect with AD FS as the sign-in option and then upgrade, you cannot run the installation wizard again.

1.1.105.0

Released: February 2016

New features:

Features promoted from preview to GA:

New preview features:

  • The new default sync cycle interval is 30 minutes; it was three hours in all earlier releases. Adds support for changing the scheduler behavior.

Fixed issues:

  • The verify DNS domains page didn't always recognize the domains.
  • Prompts for domain admin credentials when configuring AD FS.
  • The on-premises AD accounts are not recognized by the installation wizard if they are located in a domain with a different DNS tree than the root domain.

1.0.9131.0

Released: December 2015

Fixed issues:

  • Password sync might not work when you change passwords in Active Directory Domain Services (AD DS), but works when you set a password.
  • When you have a proxy server, authentication to Azure AD might fail during installation, or if an upgrade is canceled on the configuration page.
  • Updating from a previous release of Azure AD Connect with a full SQL Server instance fails if you are not a SQL Server system administrator (SA).
  • Updating from a previous release of Azure AD Connect with a remote SQL Server shows the error "Unable to access the ADSync SQL database".

1.0.9125.0

Released: November 2015

New features:

  • Can reconfigure the AD FS to Azure AD trust.
  • Can refresh the Active Directory schema and regenerate sync rules.
  • Can disable a sync rule.
  • Can define "AuthoritativeNull" as a new literal in a sync rule.

New preview features:

New supported scenario:

Fixed issues:

  • Password synchronization issues:
    • An object moved from out-of-scope to in-scope will not have its password synchronized. This includes both OU and attribute filtering.
    • Selecting a new OU to include in sync does not require a full password sync.
    • When a disabled user is enabled, the password does not sync.
    • The password retry queue is infinite, and the previous limit of 5,000 objects to be retried has been removed.
  • Not able to connect to Active Directory with Windows Server 2016 forest functional level.
  • Not able to change the group that is used for group filtering after the initial installation.
  • No longer creates a new user profile on the Azure AD Connect server for every user doing a password change with password writeback enabled.
  • Not able to use Long Integer values in sync rule scopes.
  • The "device writeback" check box remains disabled if there are unreachable domain controllers.

1.0.8667.0

Released: August 2015

New features:

  • The Azure AD Connect installation wizard is now localized to all Windows Server languages.
  • Added support for account unlock when using Azure AD password management.

Fixed issues:

  • The Azure AD Connect installation wizard crashes if a different user continues the installation than the one who first started it.
  • If a previous uninstallation of Azure AD Connect fails to uninstall Azure AD Connect sync cleanly, it is not possible to reinstall.
  • Cannot install Azure AD Connect using Express installation if the user is not in the root domain of the forest or if a non-English version of Active Directory is used.
  • If the FQDN of the Active Directory user account cannot be resolved, a misleading error message "Failed to commit the schema" is shown.
  • If the account used on the Active Directory Connector is changed outside the wizard, the wizard fails on subsequent runs.
  • Azure AD Connect sometimes fails to install on a domain controller.
  • Cannot enable and disable "Staging mode" if extension attributes have been added.
  • Password writeback fails in some configurations because of a bad password on the Active Directory Connector.
  • DirSync cannot be upgraded if a distinguished name (DN) is used in attribute filtering.
  • Excessive CPU usage when using password reset.

Removed preview features:

1.0.8641.0

Released: June 2015

Initial release of Azure AD Connect.

Changed name from Azure AD Sync to Azure AD Connect.

New features:

1.0.494.0501

Released: May 2015

New requirement:

  • Azure AD Sync now requires the .NET Framework version 4.5.1 to be installed.

Fixed issues:

  • Password writeback from Azure AD fails with an Azure Service Bus connectivity error.

1.0.491.0413

Released: April 2015

Fixed issues and improvements:

  • The Active Directory Connector does not process deletes correctly if the recycle bin is enabled and there are multiple domains in the forest.
  • The performance of import operations has been improved for the Azure Active Directory Connector.
  • When a group exceeded the membership limit (by default, 50,000 objects), the group was deleted in Azure Active Directory. With the new behavior, the group is not deleted, an error is thrown, and new membership changes are not exported.
  • A new object cannot be provisioned if a staged delete with the same DN is already present in the connector space.
  • Some objects are marked for synchronization during a delta sync even though there is no change staged on the object.
  • Forcing a password sync also removes the preferred DC list.
  • CSExportAnalyzer has problems with some object states.

New features:

  • A join can now connect to "ANY" object type in the MV.

1.0.485.0222

Released: February 2015

Improvements:

  • Improved import performance.

Fixed issues:

  • Password sync honors the cloudFiltered attribute that is used by attribute filtering. Filtered objects are no longer in scope for password synchronization.
  • In rare situations where the topology has many domain controllers, password sync doesn't work.
  • "Stopped-server" when importing from the Azure AD Connector after device management has been enabled in Azure AD/Intune.
  • Joining Foreign Security Principals (FSPs) from multiple domains in the same forest causes an ambiguous-join error.

1.0.475.1202

Released: December 2014

New features:

  • Password synchronization with attribute-based filtering is now supported. For more information, see Password synchronization with filtering.
  • The ms-DS-ExternalDirectoryObjectID attribute is written back to Active Directory. This feature adds support for Office 365 applications. It uses OAuth2 to access online and on-premises mailboxes in a hybrid Exchange deployment.

Fixed upgrade issues:

  • A newer version of the sign-in assistant is available on the server.
  • A custom installation path was used to install Azure AD Sync.
  • An invalid custom join criterion blocks the upgrade.

Other fixes:

  • Fixed the templates for Office Pro Plus.
  • Fixed installation issues caused by user names that start with a dash.
  • Fixed losing the sourceAnchor setting when running the installation wizard a second time.
  • Fixed ETW tracing for password synchronization.

1.0.470.1023

Released: October 2014

New features:

  • Password synchronization from multiple on-premises Active Directory forests to Azure AD.
  • Localized installation UI to all Windows Server languages.

Upgrading from AADSync 1.0 GA

If you already have Azure AD Sync installed, there is one additional step to take in case you have changed any of the out-of-box synchronization rules. After you upgrade to the 1.0.470.1023 release, the synchronization rules you modified are duplicated. For each modified sync rule, do the following:

  1. Locate the sync rule you modified and take note of the changes.
  2. Delete the sync rule.
  3. Locate the new sync rule created by Azure AD Sync and reapply the changes.

Permissions for the Active Directory account

The Active Directory account must be granted additional permissions to be able to read the password hashes from Active Directory. The permissions to grant are named "Replicating Directory Changes" and "Replicating Directory Changes All". Both permissions are required to be able to read the password hashes.
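Because these two rights allow any holder to read password hashes, it is worth knowing who has them. The following PowerShell audit is an added example, not part of the release notes or of the product; it assumes the RSAT ActiveDirectory module is installed and uses the well-known rightsGuid values of the two control access rights named above.

```powershell
# Added audit script (not from the release notes): list every principal that holds the
# "Replicating Directory Changes" or "Replicating Directory Changes All" control access
# right on the domain root, so you can confirm that only the Azure AD Connect account
# and the built-in domain controller groups are able to read password hashes.
# Assumes the RSAT ActiveDirectory module and read access to the domain root ACL.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the two control access rights named in the text.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$domainDn  = (Get-ADDomain).DistinguishedName
$acl       = Get-Acl -Path "AD:\$domainDn"
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$emptyGuid = [guid]::Empty.ToString()

$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid = $ace.ObjectType.ToString()
    # GenericAll, or ExtendedRight with an empty ObjectType ("all extended rights"),
    # implicitly includes both replication rights, so report it as both.
    $grantsAll = $ace.ActiveDirectoryRights.HasFlag($allRights) -or
                 ($ace.ActiveDirectoryRights.HasFlag($extRight) -and $guid -eq $emptyGuid)
    if ($grantsAll) {
        foreach ($name in $replRights.Values) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $name }
        }
    }
    elseif ($ace.ActiveDirectoryRights.HasFlag($extRight) -and $replRights.ContainsKey($guid)) {
        [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $replRights[$guid] }
    }
}

# Both rights must be present on the same identity for password hash sync to work.
# Any identity other than the Azure AD Connect account, Domain Controllers,
# Enterprise Domain Controllers, Enterprise Read-only Domain Controllers or
# Administrators deserves a review.
$holders |
    Group-Object Identity |
    ForEach-Object {
        $rights = @($_.Group.Right | Sort-Object -Unique)
        [pscustomobject]@{
            Identity = $_.Name
            Rights   = $rights -join ', '
            HasBoth  = ($rights.Count -eq 2)
        }
    } |
    Sort-Object Identity |
    Format-Table -AutoSize
```

Run it as a user with read access to the domain root ACL; rows with HasBoth set to True are the accounts that can read password hashes the way the Azure AD Connect account does.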

1.0.419.0911

Released: September 2014

Initial release of Azure AD Sync.

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.