
What is Azure Active Directory Domain Services?

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, Group Policy, Lightweight Directory Access Protocol (LDAP), and Kerberos / NTLM authentication that are fully compatible with Windows Server Active Directory. You use these domain services without the need to deploy, manage, and patch domain controllers in the cloud. Azure AD DS integrates with your existing Azure AD tenant, which makes it possible for users to sign in using their existing credentials. You can also use existing groups and user accounts to secure access to resources, which provides a smoother lift-and-shift of on-premises resources to Azure.

Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only or synchronized with an on-premises Active Directory Domain Services (AD DS) environment. The same set of Azure AD DS features exists for both environments.

  • If you have an existing on-premises AD DS environment, you can synchronize user account information to provide a consistent identity for users.
  • For cloud-only environments, you don't need a traditional on-premises AD DS environment to use the centralized identity services of Azure AD DS.

The following video provides an overview of how Azure AD DS integrates with your applications and workloads to provide identity services in the cloud:


Common ways to provide identity solutions in the cloud

When you migrate existing workloads to the cloud, directory-aware applications may use LDAP for read or write access to an on-premises AD DS directory. Applications that run on Windows Server are typically deployed on domain-joined virtual machines (VMs) so they can be managed securely using Group Policy. To authenticate end users, the applications may also rely on Windows-integrated authentication, such as Kerberos or NTLM authentication.

IT administrators often use one of the following solutions to provide an identity service to applications that run in Azure:

  • Configure a site-to-site VPN connection between workloads that run in Azure and an on-premises AD DS environment.
    • The on-premises domain controllers then provide authentication via the VPN connection.
  • Create replica domain controllers using Azure virtual machines (VMs) to extend the AD DS domain / forest from on-premises.
    • The domain controllers that run on Azure VMs provide authentication, and replicate directory information with the on-premises AD DS environment.
  • Deploy a standalone AD DS environment in Azure using domain controllers that run on Azure VMs.
    • The domain controllers that run on Azure VMs provide authentication, but there's no directory information replicated from an on-premises AD DS environment.

With these approaches, VPN connections to the on-premises directory make applications vulnerable to transient network glitches or outages. If you deploy domain controllers using VMs in Azure, the IT team must manage the VMs, then secure, patch, monitor, back up, and troubleshoot them.

Azure AD DS offers an alternative to creating VPN connections back to an on-premises AD DS environment or running and managing VMs in Azure to provide identity services. As a managed service, Azure AD DS reduces the complexity of creating an integrated identity solution for both hybrid and cloud-only environments.

Azure AD DS features and benefits

To provide identity services to applications and VMs in the cloud, Azure AD DS is fully compatible with a traditional AD DS environment for operations such as domain join, secure LDAP (LDAPS), Group Policy and DNS management, and LDAP bind and read support. LDAP write support is available for objects created in the Azure AD DS managed domain, but not for resources synchronized from Azure AD. The following features of Azure AD DS simplify deployment and management operations:

  • Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.
  • Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS.
    • Accounts in external directories linked to your Azure AD aren't available in Azure AD DS. Credentials aren't available for those external directories, so they can't be synchronized into an Azure AD DS managed domain.
  • Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over Remote Desktop, and authenticate against the Azure AD DS managed domain.
  • NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.
  • High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures.
    • In regions that support Azure Availability Zones, these domain controllers are also distributed across zones for additional resiliency.

Some key aspects of an Azure AD DS managed domain include the following:

  • The Azure AD DS managed domain is a stand-alone domain. It isn't an extension of an on-premises domain.
  • Your IT team doesn't need to manage, patch, or monitor domain controllers for this Azure AD DS managed domain.

For hybrid environments that run AD DS on-premises, you don't need to manage AD replication to the Azure AD DS managed domain. User accounts, group memberships, and credentials from your on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the Azure AD DS managed domain.

How does Azure AD DS work?

To provide identity services, Azure creates an AD DS instance on a virtual network of your choice. Behind the scenes, a pair of Windows Server domain controllers is created that run on Azure VMs. You don't need to manage, configure, or update these domain controllers. The Azure platform manages the domain controllers as part of the Azure AD DS service.

The Azure AD DS managed domain is configured to perform a one-way synchronization from Azure AD to provide access to a central set of users, groups, and credentials. You can create resources directly in the Azure AD DS managed domain, but they aren't synchronized back to Azure AD. Applications, services, and VMs in Azure that connect to this virtual network can then use common AD DS features such as domain join, Group Policy, LDAP, and Kerberos / NTLM authentication.

In a hybrid environment with an on-premises AD DS environment, Azure AD Connect synchronizes identity information with Azure AD, which is then synchronized to Azure AD DS.

Synchronization of Azure AD Domain Services with Azure AD and on-premises Active Directory Domain Services using Azure AD Connect

To see Azure AD DS in action, let's look at a couple of examples:

Azure AD DS for hybrid organizations

Many organizations run a hybrid infrastructure that includes both cloud and on-premises application workloads. Legacy applications migrated to Azure as part of a lift-and-shift strategy may use traditional LDAP connections to obtain identity information. To support this hybrid infrastructure, identity information from an on-premises AD DS environment can be synchronized to an Azure AD tenant. Azure AD DS then provides these legacy applications in Azure with an identity source, without the need to configure and manage application connectivity back to on-premises directory services.

Let's look at an example for Litware Corporation, a hybrid organization that runs both on-premises and Azure resources:

Azure Active Directory Domain Services for a hybrid organization with on-premises synchronization

  • Applications and server workloads that require domain services are deployed in a virtual network in Azure.
    • This may include legacy applications migrated to Azure as part of a lift-and-shift strategy.
  • To synchronize identity information from their on-premises directory to their Azure AD tenant, Litware Corporation deploys Azure AD Connect.
    • Identity information that is synchronized includes user accounts and group memberships.
  • Litware's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network.
  • Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in an Azure AD DS managed domain to synchronize objects back to Azure AD.

Azure AD DS for cloud-only organizations

A cloud-only Azure AD tenant doesn't have an on-premises identity source. User accounts and group memberships, for example, are created and managed directly in Azure AD.

Now let's look at an example for Contoso, a cloud-only organization that uses Azure AD for identity. All user identities, their credentials, and group memberships are created and managed in Azure AD. There is no additional configuration of Azure AD Connect to synchronize any identity information from an on-premises directory.

Azure Active Directory Domain Services for a cloud-only organization with no on-premises synchronization

  • Applications and server workloads that require domain services are deployed in a virtual network in Azure.
  • Contoso's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network.
  • Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

Next steps

To learn more about how Azure AD DS compares with other identity solutions and how synchronization works, see the following articles:

To get started, create an Azure AD DS managed domain using the Azure portal.