Resource forest concepts and features for Azure Active Directory Domain Services

Azure Active Directory Domain Services (Azure AD DS) provides a sign-in experience for legacy, on-premises, line-of-business applications. Users, groups, and password hashes of on-premises and cloud users are synchronized to the Azure AD DS managed domain. These synchronized password hashes are what give users a single set of credentials they can use for the on-premises AD DS, Office 365, and Azure Active Directory.

Although this synchronization is secure and provides additional security benefits, some organizations can't synchronize those user password hashes to Azure AD or Azure AD DS. Users in an organization may not know their password because they only use smart card authentication. These limitations prevent some organizations from using Azure AD DS to lift and shift on-premises classic applications to Azure.

To address these needs and restrictions, you can create a managed domain that uses a resource forest. This conceptual article explains what forests are, and how they trust other resources to provide a secure authentication method.

What are forests?

A forest is a logical construct used by Active Directory Domain Services (AD DS) to group one or more domains. The domains then store objects for users or groups, and provide authentication services.

In an Azure AD DS managed domain, the forest only contains one domain. On-premises AD DS forests often contain many domains. In large organizations, especially after mergers and acquisitions, you may end up with multiple on-premises forests that each then contain multiple domains.

By default, a managed domain is created as a user forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized and users aren't using exclusive sign-in methods like smart card authentication.

In a managed domain resource forest, users authenticate over a one-way forest trust from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to the managed domain. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such as LDAPS, Kerberos, or NTLM, while the authentication issues and concerns described above are removed.

Resource forests also provide the capability to lift-and-shift your applications one component at a time. Many legacy on-premises applications are multi-tiered, often using a web server or front end and many database-related components. These tiers make it hard to lift-and-shift the entire application to the cloud in one step. With resource forests, you can lift your application to the cloud in a phased approach, which makes it easier to move your application to Azure.

What are trusts?

Organizations that have more than one domain often need users to access shared resources in a different domain. Access to these shared resources requires that users in one domain authenticate to another domain. To provide these authentication and authorization capabilities between clients and servers in different domains, there must be a trust between the two domains.

With domain trusts, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). Trusts act as bridges that only allow validated authentication requests to travel between domains.

How a trust passes authentication requests depends on how it's configured. Trusts can be configured in one of the following ways:

  • One-way - provides access from the trusted domain to resources in the trusting domain.
  • Two-way - provides access from each domain to resources in the other domain.

Trusts can also be configured to handle additional trust relationships in one of the following ways:

  • Nontransitive - The trust exists only between the two trust partner domains.
  • Transitive - Trust automatically extends to any other domains that either of the partners trusts.

In some cases, trust relationships are automatically established when domains are created. Other times, you must choose a type of trust and explicitly establish the appropriate relationships. The specific types of trusts used and the structure of those trust relationships depend on how the AD DS directory is organized, and whether different versions of Windows coexist on the network.

Trusts between two forests

You can extend domain trusts within a single forest to another forest by manually creating a one-way or two-way forest trust. A forest trust is a transitive trust that exists only between a forest root domain and a second forest root domain.

  • A one-way forest trust allows all users in one forest to trust all domains in the other forest.
  • A two-way forest trust forms a transitive trust relationship between every domain in both forests.

The transitivity of forest trusts is limited to the two forest partners. The forest trust doesn't extend to additional forests trusted by either of the partners.

Diagram of a forest trust from Azure AD DS to on-premises AD DS

You can create different domain and forest trust configurations depending on the AD DS structure of the organization. Azure AD DS only supports a one-way forest trust. In this configuration, resources in the managed domain can trust all domains in an on-premises forest.
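As an added illustration (not part of the Microsoft documentation or the Azure AD DS product), the following Python model encodes the rules stated above: a forest trust covers every domain of the two partner forests, a one-way trust only lets users of the trusted forest reach resources in the trusting forest, and the trust never chains to a third forest. All forest and domain names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder forests: forest name -> set of member domains.
# The managed domain forest contains exactly one domain, as the article states.
FORESTS = {
    "aadds.example": {"aadds.example"},
    "corp.example": {"corp.example", "emea.corp.example", "apac.corp.example"},
    "partner.example": {"partner.example"},
}

@dataclass(frozen=True)
class ForestTrust:
    trusting: str        # resource forest: accepts authentications from `trusted`
    trusted: str         # account forest: its users can reach `trusting` resources
    two_way: bool = False

# Constructed scenario: the managed domain has a one-way outbound forest trust to
# the on-premises forest, which in turn has its own one-way trust to a partner forest.
TRUSTS = [
    ForestTrust(trusting="aadds.example", trusted="corp.example"),
    ForestTrust(trusting="corp.example", trusted="partner.example"),
]

def forest_of(domain, forests=FORESTS):
    """Return the name of the forest that contains `domain`."""
    for name, domains in forests.items():
        if domain in domains:
            return name
    raise KeyError(f"unknown domain {domain}")

def can_authenticate(user_domain, resource_domain, trusts=TRUSTS, forests=FORESTS):
    """True if a user from user_domain can authenticate to a resource in resource_domain."""
    user_forest = forest_of(user_domain, forests)
    resource_forest = forest_of(resource_domain, forests)
    if user_forest == resource_forest:
        return True   # intra-forest parent/child trusts are two-way and transitive
    for t in trusts:
        directions = {(t.trusting, t.trusted)}
        if t.two_way:
            directions.add((t.trusted, t.trusting))
        if (resource_forest, user_forest) in directions:
            return True   # the trust covers every domain of both partner forests
    return False   # forest trusts do not chain to a third forest

def reachable_resource_domains(user_domain, trusts=TRUSTS, forests=FORESTS):
    """All domains whose resources can authenticate users of user_domain."""
    return sorted(d for ds in forests.values() for d in ds
                  if can_authenticate(user_domain, d, trusts, forests))

if __name__ == "__main__":
    for d in sorted(d for ds in FORESTS.values() for d in ds):
        print(f"{d:22} -> {reachable_resource_domains(d)}")
```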

Supporting technology for trusts

Trusts use various services and features, such as DNS to locate domain controllers in partnering forests. Trusts also depend on the NTLM and Kerberos authentication protocols and on Windows-based authorization and access control mechanisms to help provide a secured communications infrastructure across AD DS domains and forests. The following services and features help support successful trust relationships.

DNS

AD DS needs DNS for domain controller (DC) location and naming. DNS provides the following support for AD DS to work successfully:

  • A name resolution service that lets network hosts and services locate DCs.
  • A naming structure that enables an enterprise to reflect its organizational structure in the names of its directory service domains.

A DNS domain namespace is usually deployed that mirrors the AD DS domain namespace. If there's an existing DNS namespace before the AD DS deployment, the DNS namespace is typically partitioned for AD DS, and a DNS subdomain and delegation for the AD DS forest root is created. Additional DNS domain names are then added for each AD DS child domain.

DNS is also used to support the location of AD DS DCs. The DNS zones are populated with DNS resource records that enable network hosts and services to locate AD DS DCs.

Applications and Net Logon

Both applications and the Net Logon service are components of the Windows distributed security channel model. Applications integrated with Windows Server and AD DS use authentication protocols to communicate with the Net Logon service so that a secured path can be established over which authentication can occur.

Authentication protocols

AD DS DCs authenticate users and applications using one of the following protocols:

  • Kerberos version 5 authentication protocol

    • The Kerberos version 5 protocol is the default authentication protocol used by on-premises computers running Windows and supporting third-party operating systems. This protocol is specified in RFC 1510 and is fully integrated with AD DS, server message block (SMB), HTTP, and remote procedure call (RPC), as well as the client and server applications that use these protocols.
    • When the Kerberos protocol is used, the server doesn't have to contact the DC. Instead, the client gets a ticket for a server by requesting one from a DC in the server account domain. The server then validates the ticket without consulting any other authority.
    • If any computer involved in a transaction doesn't support the Kerberos version 5 protocol, the NTLM protocol is used.
  • NTLM authentication protocol

    • The NTLM protocol is a classic network authentication protocol used by older operating systems. For compatibility reasons, it's used by AD DS domains to process network authentication requests that come from applications designed for earlier Windows-based clients and servers, and third-party operating systems.
    • When the NTLM protocol is used between a client and a server, the server must contact a domain authentication service on a DC to verify the client credentials. The server authenticates the client by forwarding the client credentials to a DC in the client account domain.
    • When two AD DS domains or forests are connected by a trust, authentication requests made using these protocols can be routed to provide access to resources in both forests.

Authorization and access control

Authorization and trust technologies work together to provide a secured communications infrastructure across AD DS domains or forests. Authorization determines what level of access a user has to resources in a domain. Trusts facilitate cross-domain authorization of users by providing a path for authenticating users in other domains so their requests to shared resources in those domains can be authorized.

When an authentication request made in a trusting domain is validated by the trusted domain, it's passed to the target resource. The target resource then determines whether to authorize the specific request made by the user, service, or computer in the trusted domain based on its access control configuration.

Trusts provide this mechanism to validate authentication requests that are passed to a trusting domain. Access control mechanisms on the resource computer determine the final level of access granted to the requestor in the trusted domain.

Next steps

To learn more about trusts, see How do forest trusts work in Azure AD DS?

To get started with creating a managed domain with a resource forest, see Create and configure an Azure AD DS managed domain. You can then create an outbound forest trust to an on-premises domain.