SharePoint Migration Identity Mapping: Active Directory Identity Scan

Overview

The Active Directory scan looks up, in the customer's Active Directory, any Windows identities that were found in the source SharePoint environment.

If there are no Windows identities, this scan will not perform any work.

There are 2 distinct steps to this assessment scan:

  • Discover the Active Directory forests that are available.

  • Look up the identities in Active Directory.

Discover the Active Directory Forests

We find the forest the SharePoint server is connected to. We then enumerate trusts to locate all the trusted forests. Once we've found the trusted forests, we enumerate all the domains in those forests.

This process may prompt for credentials if the currently logged-on user does not have the ability to read the requested forest. We will retry connections 3 times, so if you enter invalid credentials there will be multiple attempts. The tool will cache the credentials entered for the current execution.

Look up identities in Active Directory

After we have discovered the forests, we will use the cached credentials to look up users and groups in Active Directory by their Security Identifier [SID]. This information is not strictly required for identity mapping. However, if you have identities flagged as NoMatch or PartialMatch, it is useful for tracking down additional information about the identity. For example, you have a user that is showing as Active in SharePoint, but is showing as Disabled in Active Directory. Seeing this user with NoMatch is expected, as the user is not likely to be synced to Azure Active Directory.
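To check by hand what the scan is likely to see for a NoMatch or PartialMatch identity, the two steps above can be reproduced with read-only directory queries. This is an added example, not the assessment tool's code: the SID is a constructed placeholder, Get-ForestDomain is a hypothetical helper, and the retry and caching logic only approximates the behaviour described on this page.

```powershell
# Added example, not the assessment tool's code. All queries are read-only.
param([string]$Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105')  # constructed placeholder SID

Add-Type -AssemblyName System.DirectoryServices
$script:Cred = $null   # credential cached in memory for this run only

function Get-ForestDomain([string]$ForestName) {   # hypothetical helper name
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
    foreach ($attempt in 1..3) {                   # the page describes 3 connection attempts
        try {
            $ctxArgs = @($type, $ForestName)
            if ($script:Cred) {
                $ctxArgs += $script:Cred.UserName, $script:Cred.GetNetworkCredential().Password
            }
            $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
            return [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx).Domains
        } catch {
            Write-Warning "Cannot read forest $ForestName (attempt $attempt): $($_.Exception.Message)"
            if ($attempt -lt 3) { $script:Cred = Get-Credential -Message "Account that can read $ForestName" }
        }
    }
}

# Step 1: the forest this machine is joined to, plus every forest it has a trust with.
$local   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forests = @($local.Name) + @($local.GetAllTrustRelationships() | ForEach-Object { $_.TargetName })

# Step 2: bind to the SID in each domain and report whether the account is disabled.
foreach ($forest in $forests) {
    foreach ($domain in Get-ForestDomain $forest) {
        $path  = "LDAP://$($domain.Name)/<SID=$Sid>"
        $entry = if ($script:Cred) {
            New-Object System.DirectoryServices.DirectoryEntry($path, $script:Cred.UserName, $script:Cred.GetNetworkCredential().Password)
        } else { New-Object System.DirectoryServices.DirectoryEntry($path) }
        try {
            $entry.psbase.RefreshCache([string[]]('sAMAccountName', 'userAccountControl'))
        } catch { continue }                       # SID does not resolve in this domain
        $uac = [int]$entry.psbase.Properties['userAccountControl'].Value
        [pscustomobject]@{
            Forest   = $forest
            Domain   = $domain.Name
            Account  = $entry.psbase.Properties['sAMAccountName'].Value
            Disabled = [bool]($uac -band 0x2)      # ACCOUNTDISABLE flag
        }
    }
}
```

A Disabled value of True for an identity that SharePoint still shows as active is the situation described above, where NoMatch is the expected result.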

Scenarios

Two-way trust between the forest SharePoint is joined to and the user forests. The user logs in to the SharePoint machine using a domain account. In this scenario, the operator is unlikely to be prompted, as their domain credentials should be able to read the associated domains.

One-way trust between the forest SharePoint is joined to and the user forests. All the user forests trust each other. In this scenario, the user logs in to SharePoint as an account in the SharePoint forest. When querying for forests, we will prompt for credentials to read the first user forest. We will cache those credentials and use them for the remaining forests. In this scenario, the operator will see one logon prompt.

One-way trust between the forest SharePoint is joined to and the user forests. The user forests do not trust each other. In this scenario, the user logs in to SharePoint as an account in the SharePoint forest. When querying for forests, we will prompt for each forest. If there are 20 user forests that don't trust each other, you would expect to see 20 logon prompts.