
Controlled validation of hybrid Azure AD join

When all of the prerequisites are in place, Windows devices automatically register as devices in your Azure AD tenant. The state of these device identities in Azure AD is referred to as hybrid Azure AD join. More information about the concepts covered in this article can be found in the articles Introduction to device management in Azure Active Directory and Plan your hybrid Azure Active Directory join implementation.

Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across their entire organization all at once. This article explains how to accomplish a controlled validation of hybrid Azure AD join.

Controlled validation of hybrid Azure AD join on Windows current devices

For devices running the Windows desktop operating system, the supported version is the Windows 10 Anniversary Update (version 1607) or later. As a best practice, upgrade to the latest version of Windows 10.

To do a controlled validation of hybrid Azure AD join on Windows current devices, you need to:

  1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists
  2. Configure the client-side registry setting for the SCP on your domain-joined computers using a Group Policy Object (GPO)
  3. If you are using AD FS, also configure the client-side registry setting for the SCP on your AD FS servers using a GPO

Clear the SCP from AD

Use the Active Directory Services Interfaces Editor (ADSI Edit) to modify the SCP object in AD. The SCP lives in the Configuration partition, which is forest-wide, so the change affects every domain in the forest.

  1. Launch the ADSI Edit desktop application from an administrative workstation or a domain controller as an Enterprise Administrator.
  2. Connect to the Configuration Naming Context of your forest.
  3. Browse to CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration
  4. Right-click the leaf object under CN=Device Registration Configuration and select Properties
    1. Select keywords in the Attribute Editor window and click Edit
    2. Select the azureADId and azureADName values (one at a time) and click Remove
  5. Close ADSI Edit
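The same clean-up can be scripted with the ActiveDirectory module instead of clicking through ADSI Edit, which is also a convenient way to record what the SCP contained before it was cleared. The following is an added example and not code from the original article; it assumes the RSAT ActiveDirectory module is installed and that you run it as an Enterprise Administrator.

```powershell
# Added example (not from the original article): show and clear the Azure AD
# keywords on the Service Connection Point used for hybrid Azure AD join.
# Assumes: RSAT ActiveDirectory module present, run as Enterprise Admin.
Import-Module ActiveDirectory

# The SCP sits in the forest-wide Configuration partition, not in a domain NC.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Device Registration Configuration,CN=Services,$configNC"

try {
    # The SCP is the single serviceConnectionPoint leaf under this container.
    $scp = Get-ADObject -SearchBase $searchBase -SearchScope OneLevel `
        -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties keywords
} catch {
    # Container absent means Azure AD Connect never wrote an SCP here.
    Write-Output "No Device Registration Configuration container found; nothing to clear."
    return
}

if (-not $scp) {
    Write-Output "No SCP found under $searchBase; nothing to clear."
    return
}

Write-Output "SCP: $($scp.DistinguishedName)"
$scp.keywords | ForEach-Object { Write-Output "  keyword: $_" }

# Remove only the two Azure AD values; any other keywords are left untouched.
$toRemove = @($scp.keywords | Where-Object {
    $_ -like 'azureADId:*' -or $_ -like 'azureADName:*'
})

if ($toRemove.Count -eq 0) {
    Write-Output "No azureADId/azureADName values present; nothing to clear."
} else {
    Set-ADObject -Identity $scp -Remove @{ keywords = $toRemove }
    Write-Output "Removed: $($toRemove -join ', ')"

    # Re-read to confirm. From now on domain-joined clients will not discover
    # the tenant from AD; only devices that get the client-side registry
    # values (next section) will register.
    Write-Output "Remaining keywords:"
    (Get-ADObject -Identity $scp -Properties keywords).keywords |
        ForEach-Object { Write-Output "  keyword: $_" }
}
```

Because the script lists the existing keywords before removing them, you have a record of the original azureADId and azureADName values to restore if the pilot needs to be rolled back, or to compare against what Azure AD Connect writes when you later re-enable the SCP for the whole organization.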

Configure the client-side registry setting for the SCP

Use the following example to create a Group Policy Object (GPO) that deploys a registry setting configuring an SCP entry in the registry of your devices.

  1. Open a Group Policy Management console and create a new Group Policy Object in your domain.
    1. Give the newly created GPO a name (for example, ClientSideSCP).
  2. Edit the GPO and locate the following path: Computer Configuration > Preferences > Windows Settings > Registry
  3. Right-click Registry and select New > Registry Item
    1. On the General tab, configure the following
      1. Action: Update
      2. Hive: HKEY_LOCAL_MACHINE
      3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
      4. Value name: TenantId
      5. Value type: REG_SZ
      6. Value data: The GUID or Directory ID of your Azure AD instance (this value can be found in the Azure portal > Azure Active Directory > Properties > Directory ID)
    2. Click OK
  4. Right-click Registry and select New > Registry Item
    1. On the General tab, configure the following
      1. Action: Update
      2. Hive: HKEY_LOCAL_MACHINE
      3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
      4. Value name: TenantName
      5. Value type: REG_SZ
      6. Value data: Your verified domain name if you are using a federated environment such as AD FS; your verified domain name or your onmicrosoft.com domain name (for example, contoso.onmicrosoft.com) if you are using a managed environment
    2. Click OK
  5. Close the editor for the newly created GPO
  6. Link the newly created GPO to the desired OU containing the domain-joined computers that belong to your controlled rollout population
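Before linking the GPO to a whole OU, it is worth proving the two registry values on a single pilot machine and confirming that the device actually reaches the hybrid-joined state. The following is an added example and not code from the original article: it writes the same two REG_SZ values the GPO deploys directly on one device, then parses `dsregcmd /status` to check the result. The tenant ID and tenant name are placeholders to be replaced with your own; the scheduled task name is the one Windows 10 uses for automatic registration and is triggered here only so you do not have to wait for the next sign-in.

```powershell
# Added example (not from the original article): configure the client-side SCP
# values on one pilot device and verify the hybrid Azure AD join state.
# Run elevated on a Windows 10 1607+ domain-joined machine.
$TenantId   = '00000000-0000-0000-0000-000000000000'  # assumption: your Directory ID
$TenantName = 'contoso.onmicrosoft.com'               # assumption: verified or onmicrosoft.com domain

$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

# Same values, types and key path as the two GPO registry items above.
Set-ItemProperty -Path $path -Name TenantId   -Value $TenantId   -Type String
Set-ItemProperty -Path $path -Name TenantName -Value $TenantName -Type String

Write-Output "Client-side SCP values now in the registry:"
Get-ItemProperty -Path $path | Select-Object TenantId, TenantName | Format-List

# Registration normally runs from this scheduled task at sign-in; kick it now
# so the check below reflects the new settings (no-op if the task is absent).
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
    -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
if ($task) {
    Start-ScheduledTask -InputObject $task
    Start-Sleep -Seconds 30   # give the join a moment to complete
}

# Parse "Name : Value" lines from dsregcmd into a hashtable.
$fields = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
        $fields[$Matches[1]] = $Matches[2]
    }
}

# A hybrid-joined device is both DomainJoined and AzureAdJoined, against our tenant.
$expected = [ordered]@{
    DomainJoined  = 'YES'
    AzureAdJoined = 'YES'
    TenantId      = $TenantId     # -eq is case-insensitive, GUID casing does not matter
}

$allOk = $true
foreach ($name in $expected.Keys) {
    $actual = $fields[$name]
    $ok = ($actual -eq $expected[$name])
    if (-not $ok) { $allOk = $false }
    Write-Output ('{0,-14} {1,-40} {2}' -f $name, $actual, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
}

if ($allOk) {
    Write-Output 'Device is hybrid Azure AD joined against the pilot tenant.'
} else {
    # Common reasons: computer object not yet synced by Azure AD Connect,
    # federation (AD FS) not trusted for device auth, or no sign-in since the change.
    Write-Output 'Not yet hybrid joined; check Azure AD Connect sync and the User Device Registration event log.'
}
```

On a device that has never registered, the first run often reports AzureAdJoined as NO because the computer object has not yet synchronized to Azure AD; rerun the check after the next Azure AD Connect sync cycle. Devices in the pilot OU that receive the GPO should show exactly the TenantId you set here, which makes this a quick way to spot a mistyped value in the GPO.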

Configure AD FS settings

If you are using AD FS, you first need to configure the client-side SCP using the instructions above, but link the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When this is configured for AD FS, the source for device objects is established as Azure AD.

Note

If you fail to configure the client-side SCP on your AD FS servers, the source for device identities is considered to be on-premises, and AD FS will start deleting device objects from the on-premises directory after a stipulated period.

Controlled validation of hybrid Azure AD join on Windows down-level devices

To register Windows down-level devices, organizations must install Microsoft Workplace Join for non-Windows 10 computers, available on the Microsoft Download Center.

You can deploy the package by using a software distribution system like System Center Configuration Manager. The package supports the standard silent installation options with the quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations.

The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. After authenticating with Azure AD, the task silently joins the device to Azure AD using the user's credentials.

To control the device registration, deploy the Windows Installer package only to your selected group of Windows down-level devices.

Note

If an SCP is not configured in AD, follow the same approach described in Configure the client-side registry setting for the SCP on your domain-joined computers using a Group Policy Object (GPO).

After you verify that everything works as expected, you can automatically register the rest of your Windows current and down-level devices with Azure AD by configuring the SCP using Azure AD Connect.

Next steps

Plan your hybrid Azure Active Directory join implementation