
Troubleshooting hybrid Azure Active Directory joined down-level devices

This article is applicable only to the following devices:

  • Windows 7
  • Windows 8.1
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

For Windows 10 or Windows Server 2016, see Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices.

This article assumes that you have configured hybrid Azure Active Directory joined devices to support the following scenario:

  • Device-based Conditional Access

This article provides you with troubleshooting guidance on how to resolve potential issues.

What you should know:

  • Hybrid Azure AD join for down-level Windows devices works slightly differently than it does in Windows 10. Many customers do not realize that they need AD FS (for federated domains) or Seamless SSO (for managed domains) configured.
  • For customers with federated domains, if the Service Connection Point (SCP) was configured such that it points to the managed domain name (for example, contoso.onmicrosoft.com instead of contoso.com), then hybrid Azure AD join for down-level Windows devices will not work.
  • The maximum number of devices per user currently also applies to down-level hybrid Azure AD joined devices.
  • The same physical device appears multiple times in Azure AD when multiple domain users sign in to a down-level hybrid Azure AD joined device. For example, if jdoe and jharnett sign in to a device, a separate registration (DeviceID) is created for each of them in the USER info tab.
  • You can also get multiple entries for a device on the USER info tab because of a reinstallation of the operating system or a manual re-registration.
  • The initial registration / join of devices is configured to perform an attempt at either sign-in or lock / unlock. There could be a 5-minute delay, triggered by a Task Scheduler task.
  • Make sure KB4284842 is installed in the case of Windows 7 SP1 or Windows Server 2008 R2 SP1. This update prevents future authentication failures caused by the user losing access to protected keys after changing their password.

Step 1: Retrieve the registration status

To verify the registration status:

  1. Sign on with the user account that has performed a hybrid Azure AD join.
  2. Open the command prompt.
  3. Type "%programFiles%\Microsoft Workplace Join\autoworkplace.exe" /i

This command displays a dialog box that provides you with details about the join status.

[Screenshot: Workplace Join for Windows dialog showing the join status]

Step 2: Evaluate the hybrid Azure AD join status

If the device was not hybrid Azure AD joined, you can attempt to do a hybrid Azure AD join by clicking the "Join" button. If the attempt to do a hybrid Azure AD join fails, the details about the failure are shown.

The most common issues are:

  • A misconfigured AD FS or Azure AD, or network issues

    [Screenshot: Workplace Join for Windows dialog reporting a configuration or network error]

    • Autoworkplace.exe is unable to silently authenticate with Azure AD or AD FS. This could be caused by missing or misconfigured AD FS (for federated domains), missing or misconfigured Azure AD Seamless Single Sign-On (for managed domains), or network issues.
    • It could be that multi-factor authentication (MFA) is enabled/configured for the user and WIAORMULTIAUTHN is not configured on the AD FS server.
    • Another possibility is that the home realm discovery (HRD) page is waiting for user interaction, which prevents autoworkplace.exe from silently requesting a token.
    • It could be that the AD FS and Azure AD URLs are missing from IE's Intranet zone on the client.
    • Network connectivity issues may be preventing autoworkplace.exe from reaching AD FS or the Azure AD URLs.
    • Autoworkplace.exe requires the client to have direct line of sight to the organization's on-premises AD domain controller, which means that hybrid Azure AD join succeeds only when the client is connected to the organization's intranet.
    • Your organization uses Azure AD Seamless Single Sign-On, https://autologon.microsoftazuread-sso.com or https://aadg.windows.net.nsatc.net are not present in the device's IE Intranet zone settings, and "Allow updates to status bar via script" is not enabled for the Intranet zone.
  • You are not signed on as a domain user

    [Screenshot: Workplace Join for Windows dialog reporting that the user is not a domain user]

    There are a few different reasons why this can occur:

    • The signed-in user is not a domain user (for example, a local user). Hybrid Azure AD join on down-level devices is supported only for domain users.
    • The client is not able to connect to a domain controller.
  • A quota has been reached

    [Screenshot: Workplace Join for Windows dialog reporting that a quota has been reached]

  • The service is not responding

    [Screenshot: Workplace Join for Windows dialog reporting that the service is not responding]

You can also find the status information in the event log under: Applications and Services Log\Microsoft-Workplace Join

The most common causes for a failed hybrid Azure AD join are:

  • Your computer is not connected to your organization's internal network or to a VPN with a connection to your on-premises AD domain controller.
  • You are logged on to your computer with a local computer account.
  • Service configuration issues:
    • The AD FS server has not been configured to support WIAORMULTIAUTHN.
    • Your computer's forest has no Service Connection Point object that points to your verified domain name in Azure AD.
    • Or, if your domain is managed, Seamless SSO was not configured or is not working.
    • The user has reached the limit of devices.
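The following read-only PowerShell pre-flight script is an added example, not part of the Microsoft article, that checks the preconditions listed above (domain user, domain controller line of sight, SCP target, Seamless SSO URLs in the Intranet zone, the status-bar script setting) and then reads the Workplace Join event log, so a support engineer can see which cause applies before clicking "Join". Assumptions: PowerShell 3.0 or later on the client; the SCP lives at the well-known DN CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,<configuration NC>; Intranet-zone URLs were pushed by the "Site to Zone Assignment List" policy (manually added sites live under ZoneMap\Domains and are not checked here); and IE zone action 2103 is "Allow updates to status bar via script" (0 = Enabled).

```powershell
# Added example: pre-flight checks for a down-level hybrid Azure AD join failure.
# Run in the failing user's own session; nothing is modified.
$results = @{}

# 1. Only domain users can hybrid-join a down-level device; local accounts cannot.
$results.IsDomainUser = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

# 2. autoworkplace.exe needs direct line of sight to an on-premises domain controller.
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
    $results.DomainController = $dc.Name
} catch { $results.DomainController = "UNREACHABLE: $($_.Exception.Message)" }

# 3. The SCP must point to the verified domain (contoso.com), not contoso.onmicrosoft.com.
#    Assumption: well-known SCP GUID under the Device Registration Configuration container.
if ($results.DomainController -notlike 'UNREACHABLE*') {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
    try {
        $keywords = @(([ADSI]"LDAP://$scpDn").keywords)       # azureADName:... / azureADId:...
        $results.ScpKeywords = $keywords -join '; '
        $name = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
        $results.ScpPointsToManagedDomain = ($name -like '*.onmicrosoft.com')
    } catch { $results.ScpKeywords = 'SCP NOT FOUND' }
}

# 4. Seamless SSO endpoints must be in the Local intranet zone (policy zone number 1).
$ssoUrls = 'https://autologon.microsoftazuread-sso.com', 'https://aadg.windows.net.nsatc.net'
$policyKeys = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
              'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$assigned = $policyKeys | Where-Object { Test-Path $_ } | ForEach-Object { Get-ItemProperty $_ }
$results.SsoUrlsInIntranetZone = foreach ($u in $ssoUrls) {
    $zone = ($assigned | ForEach-Object { $_.$u } | Where-Object { $_ }) | Select-Object -First 1
    '{0} => {1}' -f $u, $(if ($zone -eq '1') { 'Intranet' } else { 'NOT assigned by policy' })
}

# 5. "Allow updates to status bar via script" for the Intranet zone (assumed action id 2103, 0 = Enabled).
$zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$results.StatusBarScriptEnabled = ((Get-ItemProperty $zone1 -ErrorAction SilentlyContinue).'2103' -eq 0)

# 6. Recent warnings/errors from the Workplace Join log; the log name is discovered, not hard-coded.
$log = Get-WinEvent -ListLog '*Workplace Join*' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($log) {
    $results.RecentWorkplaceJoinIssues = Get-WinEvent -LogName $log.LogName -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } | Select-Object TimeCreated, Id, Message
}

[pscustomobject]$results | Format-List
```

After reviewing the output, "%programFiles%\Microsoft Workplace Join\autoworkplace.exe" /i from Step 1 still shows the dialog with the authoritative join status.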

Next steps

For questions, see the device management FAQ.