How the SharePoint Migration Tool works

The SharePoint Migration Tool authenticates to the destination tenant, after which you are prompted for the source file location and the destination SharePoint site collection to which you want the files migrated. After you submit the migration jobs by selecting Migrate, the scanning, packaging, uploading, and importing steps are performed in parallel across all the files provided for migration.

Note

Use a Site Collection administrator account on the target SharePoint site when prompted for credentials.

AUTHENTICATION: After opening the tool, the first thing you must do is authenticate to the destination, the tenant to which you will be migrating your files. Providing your username and password to the tenant associates the migration jobs you submit with this account. This allows you to resume your migration from another computer if needed, by signing in with the same credentials. This account should be a site collection administrator of the destination you want to migrate to. The following authentication methods are supported:

  • NTLM
  • Kerberos
  • Forms
  • ADFS
  • Multi-factor authentication
  • SAML-based claims
  • Client certificate authentication

Important

If multiple authentication methods, including NTLM or Kerberos, are enabled in the on-premises SharePoint Web Application, NTLM and Kerberos authentication are not supported by the SharePoint Migration Tool. Use a secondary form of authentication, or convert the Web Application to use NTLM and/or Kerberos authentication only.

SCAN: After you select Migrate, a scan is always performed on every file, even if you decide not to migrate your files (see Advanced Settings). The scan verifies that there is access to the data source and write access to the SharePoint destination. It also scans the files for known potential issues.

PACKAGING: In the packaging stage, a content package is created that contains a manifest.

UPLOAD: In the upload stage, the content package is uploaded to Azure together with the manifest. Before a migration job can be accepted from a SharePoint-provided Azure container, the files and the manifest are encrypted at rest using the AES-256-CBC standard.

IMPORT: During the import phase, the key is provided to SharePoint SAS. Only Azure and SharePoint interact to fetch the data and migrate it to the destination. This process is timer-job based, but it does not prevent other jobs from being queued up. During the import, a report is created in the working folder and updated live. After the migration job is completed, the log is stored in the Azure container and a final report is created.

SESSION AND RESUME: While the migration is being performed, the tool saves session information in a hidden list in the user's OneDrive. This allows the migration tool to resume any previous migration session.

Encryption and security

During the upload and import phases, data is encrypted, and Azure containers and keys are generated.

Important

The SharePoint service and a select number of engineers can run maintenance commands against them, but they do not have direct access to the accounts. Datacenter technicians are not given knowledge of how data is laid out on disk and do not have ready access to equipment for mounting disks. All drives are physically destroyed before leaving the datacenter. Physical security is also in place across all of our datacenters.

Each container is dedicated to the customer and is not reused. The data is stored in the Azure blob for anywhere from 4 to 30 days, after which it is deleted. When the data is deleted, the files are de-linked and later soft-deleted from disk. A file in an account and on disk may be shared across many servers. The same process is used for replicas, including backup copies (geo-replicated data, if applicable).

The random, single-use default container key is generated programmatically and is valid for only three days. This key is the only way to gain access to the container. SharePoint never stores the key.

The container itself lives longer than the key. The container is purged anywhere from 30 to 90 days after its creation date. The container is housed in shared Microsoft storage outside the tenant but within the region, and is protected using the container key. For Multi-Geo customers, containers are generated based on the destination URL, which dictates the Geo in which they are stored.

If your key is lost or obtained by someone else, there are two defenses in place that protect you. First, the container only permits read/write operations. The container has no list operation, which means you would need to know the details of the files stored in the container in order to read or write them. Second, the files are encrypted at rest with AES-256-CBC.
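The following Go model is an added example, not the SharePoint Migration Tool's own code; it mirrors the upload stage and the second defense described above: a content package of files plus a manifest, each encrypted with AES-256-CBC under a programmatically generated single-use key that is handed only to the caller and stored nowhere in the package. The package layout, the manifest.txt name, and the function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// seal encrypts one blob with AES-CBC under block; the output is a random IV followed by the PKCS#7-padded ciphertext.
func seal(block cipher.Block, plaintext []byte) []byte {
	out := make([]byte, aes.BlockSize) // the IV occupies the first block
	if _, err := rand.Read(out); err != nil {
		panic(err) // a failing CSPRNG is not something to work around
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	out = append(append(out, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], out[aes.BlockSize:])
	return out
}

// Open decrypts one sealed blob. Plain CBC carries no integrity tag: a wrong key or tampered data is caught only by luck (bad padding), so this is confidentiality, not authentication.
func Open(key, data []byte) ([]byte, bool) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, false
	}
	pt := append([]byte(nil), data[aes.BlockSize:]...)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, pt)
	if n := int(pt[len(pt)-1]); n > 0 && n <= aes.BlockSize && bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return pt[:len(pt)-n], true
	}
	return nil, false
}

// BuildPackage models the upload stage (assumed layout): every file plus a manifest of file names is sealed under a fresh random single-use 256-bit key that only the caller receives; nothing in the package stores it.
func BuildPackage(files map[string][]byte) (key []byte, pkg map[string][]byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(key) // a 32-byte key selects AES-256 and cannot fail
	pkg, manifest := map[string][]byte{}, []byte{}
	for name, body := range files {
		manifest = append(manifest, name+"\n"...)
		pkg[name] = seal(block, body)
	}
	pkg["manifest.txt"] = seal(block, manifest)
	return key, pkg, nil
}
```

Whoever holds the returned key can read every blob; whoever does not sees only IV-prefixed ciphertext of block-aligned length.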

Important

Only those who have the key have access to the container. Other users in the subscription or the tenant do not have access.

Note

The SharePoint Migration Tool is not available for users of Office 365 operated by 21Vianet in China. It is also not available for users of Microsoft 365 in the German cloud that uses the data trustee, German Telekom. However, it is supported for users in Germany whose data location is not in the German datacenter.