Prepare for directory synchronization to Microsoft 365

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

The benefits of hybrid identity and directory synchronization for your organization include:

  • Reducing the administrative programs in your organization
  • Optionally enabling single sign-on scenarios
  • Automating account changes in Microsoft 365

For more information about the advantages of using directory synchronization, see Hybrid identity with Azure Active Directory (Azure AD) and Hybrid identity for Microsoft 365.

However, directory synchronization requires planning and preparation to ensure that your Active Directory Domain Services (AD DS) synchronizes to the Azure AD tenant of your Microsoft 365 subscription with a minimum of errors.

Follow these steps in order for the best results.

1. Directory cleanup tasks

Before you synchronize your AD DS to your Azure AD tenant, you need to clean up your AD DS.

Important

If you don't perform AD DS cleanup before you synchronize, it can have a significant negative impact on the deployment process. It might take days, or even weeks, to go through the cycle of directory synchronization, identifying errors, and re-synchronization.

In your AD DS, complete the following cleanup tasks for each user account that will be assigned a Microsoft 365 license:

  1. Ensure a valid and unique email address in the proxyAddresses attribute.

  2. Remove any duplicate values in the proxyAddresses attribute.

  3. If possible, ensure a valid and unique value for the userPrincipalName attribute in the user's user object. For the best synchronization experience, ensure that the AD DS UPN matches the Azure AD UPN. If a user does not have a value for the userPrincipalName attribute, the user object must contain a valid and unique value for the sAMAccountName attribute. Remove any duplicate values in the userPrincipalName attribute.

  4. For optimal use of the global address list (GAL), ensure that the information in the following attributes of the AD DS user account is correct:

    • givenName
    • surname
    • displayName
    • Job Title
    • Department
    • Office
    • Office Phone
    • Mobile Phone
    • Fax Number
    • Street Address
    • City
    • State or Province
    • Zip or Postal Code
    • Country or Region

2. Directory object and attribute preparation

Successful directory synchronization between your AD DS and Microsoft 365 requires that your AD DS attributes are properly prepared. For example, you need to ensure that specific characters aren't used in certain attributes that are synchronized with the Microsoft 365 environment. Unexpected characters do not cause directory synchronization to fail but might return a warning. Invalid characters will cause directory synchronization to fail.

Directory synchronization will also fail if some of your AD DS users have one or more duplicate attributes. Each user must have unique attributes.

The attributes that you need to prepare are listed here:

  • displayName

    • If the attribute exists in the user object, it will be synchronized with Microsoft 365.
    • If this attribute exists in the user object, there must be a value for it. That is, the attribute must not be blank.
    • Maximum number of characters: 256
  • givenName

    • If the attribute exists in the user object, it will be synchronized with Microsoft 365, but Microsoft 365 does not require or use it.
    • Maximum number of characters: 64
  • mail

    • The attribute value must be unique within the directory.

      Note

      If there are duplicate values, the first user with the value is synchronized. Subsequent users will not appear in Microsoft 365. You must modify either the value in Microsoft 365 or modify both of the values in AD DS in order for both users to appear in Microsoft 365.

  • mailNickname (Exchange alias)

    • The attribute value cannot begin with a period (.).

    • The attribute value must be unique within the directory.

      Note

      Underscores ("_") in the synchronized name indicate that the original value of this attribute contains invalid characters. For more information on this attribute, see Exchange alias attribute.

  • proxyAddresses

    • Multiple-value attribute

    • Maximum number of characters per value: 256

    • The attribute value must not contain a space.

    • The attribute value must be unique within the directory.

    • Invalid characters: < > ( ) ; , [ ] " '

      Note that the invalid characters apply to the characters following the type delimiter and ":", so SMTP:User@contoso.com is allowed, but SMTP:user:M@contoso.com is not.

      Important

      All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards. Remove duplicate or unwanted addresses if they exist.

  • sAMAccountName

    • Maximum number of characters: 20
    • The attribute value must be unique within the directory.
    • Invalid characters: [ \ " | , / : < > + = ; ? * '
    • If a user has an invalid sAMAccountName attribute but has a valid userPrincipalName attribute, the user account is created in Microsoft 365.
    • If both sAMAccountName and userPrincipalName are invalid, the AD DS userPrincipalName attribute must be updated.
  • sn (surname)

    • If the attribute exists in the user object, it will be synchronized with Microsoft 365, but Microsoft 365 does not require or use it.
  • targetAddress

    The targetAddress attribute that is populated for the user (for example, SMTP:tom@contoso.com) must appear in the Microsoft 365 GAL. In third-party messaging migration scenarios, this requires the Microsoft 365 schema extension for AD DS. The Microsoft 365 schema extension also adds other useful attributes to manage Microsoft 365 objects that are populated by using a directory synchronization tool from AD DS. For example, the msExchHideFromAddressLists attribute to manage hidden mailboxes or distribution groups would be added.

    • Maximum number of characters: 256
    • The attribute value must not contain a space.
    • The attribute value must be unique within the directory.
    • Invalid characters: \ < > ( ) ; , [ ] "
    • All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.
  • userPrincipalName

    • The userPrincipalName attribute must be in the Internet-style sign-in format where the user name is followed by the at sign (@) and a domain name: for example, user@contoso.com. All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.
    • The maximum number of characters for the userPrincipalName attribute is 113. A specific number of characters are permitted before and after the at sign (@), as follows:
    • Maximum number of characters for the username that is in front of the at sign (@): 64
    • Maximum number of characters for the domain name following the at sign (@): 48
    • Invalid characters: \ % & * + / = ? { } | < > ( ) ; : , [ ] "
    • Characters allowed: A - Z, a - z, 0 - 9, ' . - _ ! # ^ ~
    • Letters with diacritical marks, such as umlauts, accents, and tildes, are invalid characters.
    • The @ character is required in each userPrincipalName value.
    • The @ character cannot be the first character in each userPrincipalName value.
    • The username cannot end with a period (.), an ampersand (&), a space, or an at sign (@).
    • The username cannot contain any spaces.
    • Routable domains must be used; for example, local or internal domains cannot be used.
    • Unicode is converted to underscore characters.
    • userPrincipalName cannot contain any duplicate values in the directory.
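The cleanup checks in sections 1 and 2 are easy to miss by hand, so here is an added example (not from this article or from Microsoft) that applies the userPrincipalName, proxyAddresses and uniqueness rules above to a small constructed set of AD DS user records; the record layout and the case-insensitive comparison of duplicate values are assumptions.

```python
import re
from collections import Counter

# Added example, not from the Microsoft article: audits constructed AD DS user records
# against the userPrincipalName, proxyAddresses and uniqueness rules in sections 1 and 2.
UPN_USER_OK = re.compile(r"^[A-Za-z0-9'._!#^~-]+$")  # characters allowed before the @
PROXY_INVALID = set('<>();,[]"\':')  # not allowed after the "SMTP:" type delimiter

def check_upn(upn):
    user, at, domain = upn.partition("@")
    if not at or not user:
        return ["UPN must contain @ and must not start with it"]
    errs = []
    if len(upn) > 113 or len(user) > 64 or len(domain) > 48:
        errs.append("UPN exceeds the 113/64/48 character limits")
    if not UPN_USER_OK.match(user):  # also rejects spaces and diacritics
        errs.append("UPN username contains invalid characters")
    if user[-1] in ".&":
        errs.append("UPN username cannot end with '.' or '&'")
    return errs

def values(u, attr):  # proxyAddresses is multi-valued, the others are scalars
    v = u.get(attr)
    return list(v) if isinstance(v, list) else ([v] if v else [])

def check_user(u):  # per-object rules; a violation stops that object from syncing
    errs = check_upn(u.get("userPrincipalName", ""))
    for addr in values(u, "proxyAddresses"):
        body = addr.split(":", 1)[-1]  # the part after the type delimiter
        if " " in addr or len(addr) > 256 or PROXY_INVALID & set(body):
            errs.append(f"proxyAddresses value {addr!r} is invalid")
    return errs

def audit(users):  # sAMAccountName -> violations, including directory-wide duplicates
    report = {u["sAMAccountName"]: check_user(u) for u in users}
    for attr in ("mail", "userPrincipalName", "proxyAddresses"):
        # duplicate values are compared case-insensitively (assumption), so fold case
        counts = Counter(v.lower() for u in users for v in values(u, attr))
        for u in users:
            for v in values(u, attr):
                if counts[v.lower()] > 1:
                    report[u["sAMAccountName"]].append(f"duplicate {attr} value {v!r}")
    return report

SAMPLE_USERS = [  # constructed records: one clean, one with several problems
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com",
     "mail": "alice@contoso.com", "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"sAMAccountName": "bob", "userPrincipalName": "bob jones@contoso.com",
     "mail": "alice@contoso.com", "proxyAddresses": ["SMTP:bob:M@contoso.com"]},
]
```

Running audit(SAMPLE_USERS) reports the duplicate mail value on both records and the UPN and proxyAddresses problems on the second one; in practice the records would be exported from AD DS before running the check.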

3. Prepare the userPrincipalName attribute

Active Directory is designed to allow the end users in your organization to sign in to your directory by using either sAMAccountName or userPrincipalName. Similarly, end users can sign in to Microsoft 365 by using the user principal name (UPN) of their work or school account. Directory synchronization attempts to create new users in Azure Active Directory by using the same UPN that's in your AD DS. The UPN is formatted like an email address.

In Microsoft 365, the UPN is the default attribute that's used to generate the email address. It's easy for userPrincipalName (in AD DS and in Azure AD) and the primary email address in proxyAddresses to end up set to different values. When they are set to different values, there can be confusion for administrators and end users.

It's best to align these attributes to reduce confusion. To meet the requirements of single sign-on with Active Directory Federation Services (AD FS) 2.0, you need to ensure that the UPNs in Azure Active Directory and your AD DS match and are using a valid domain namespace.

4. Add an alternative UPN suffix to AD DS

You may need to add an alternative UPN suffix to associate the user's corporate credentials with the Microsoft 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.

For more information on how to add an alternative UPN suffix to Active Directory, see Prepare for directory synchronization.

5. Match the AD DS UPN with the Microsoft 365 UPN

If you've already set up directory synchronization, the user's UPN for Microsoft 365 may not match the user's AD DS UPN that's defined in your AD DS. This can occur when a user was assigned a license before the domain was verified. To fix this, use PowerShell to fix the duplicate UPN and update the user's UPN so that the Microsoft 365 UPN matches the corporate user name and domain. If you are updating the UPN in AD DS and would like it to synchronize with the Azure Active Directory identity, you need to remove the user's license in Microsoft 365 prior to making the changes in AD DS.

Also see How to prepare a non-routable domain (such as .local domain) for directory synchronization.

Next steps

If you have done steps 1 through 5 above, see Set up directory synchronization.