What is Azure Active Directory Domain Services?

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

A managed domain is a DNS namespace and matching directory. The managed domain integrates with your existing Azure AD tenant, which makes it possible for users to sign in using their existing credentials. You can also use existing groups and user accounts to secure access to resources, which provides a smoother lift-and-shift of on-premises resources to Azure.

Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.

Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises Active Directory Domain Services (AD DS) environment. The same set of Azure AD DS features exists for both environments.

  • If you have an existing on-premises AD DS environment, you can synchronize user account information to provide a consistent identity for users. To learn more, see How objects and credentials are synchronized in a managed domain.
  • For cloud-only environments, you don't need a traditional on-premises AD DS environment to use the centralized identity services of Azure AD DS.

To learn how to administer a managed domain, see management concepts for user accounts, passwords, and administration in Azure AD DS.

The following video provides an overview of how Azure AD DS integrates with your applications and workloads to provide identity services in the cloud:


Common ways to provide identity solutions in the cloud

When you migrate existing workloads to the cloud, directory-aware applications may use LDAP for read or write access to an on-premises AD DS directory. Applications that run on Windows Server are typically deployed on domain-joined virtual machines (VMs) so they can be managed securely using Group Policy. To authenticate end users, the applications may also rely on Windows-integrated authentication, such as Kerberos or NTLM authentication.

IT administrators often use one of the following solutions to provide an identity service to applications that run in Azure:

  • Configure a site-to-site VPN connection between workloads that run in Azure and an on-premises AD DS environment.
    • The on-premises domain controllers then provide authentication via the VPN connection.
  • Create replica domain controllers using Azure virtual machines (VMs) to extend the AD DS domain / forest from on-premises.
    • The domain controllers that run on Azure VMs provide authentication, and replicate directory information with the on-premises AD DS environment.
  • Deploy a standalone AD DS environment in Azure using domain controllers that run on Azure VMs.
    • The domain controllers that run on Azure VMs provide authentication, but there's no directory information replicated from an on-premises AD DS environment.

With these approaches, VPN connections to the on-premises directory make applications vulnerable to transient network glitches or outages. If you deploy domain controllers using VMs in Azure, the IT team must manage the VMs, then secure, patch, monitor, back up, and troubleshoot them.

Azure AD DS offers alternatives to the need to create VPN connections back to an on-premises AD DS environment or run and manage VMs in Azure to provide identity services. As a managed service, Azure AD DS reduces the complexity of creating an integrated identity solution for both hybrid and cloud-only environments.

How does Azure AD DS work?

To provide identity services, Azure creates an AD DS managed domain on a virtual network of your choice. Behind the scenes, a pair of Windows Server domain controllers is created that run on Azure VMs. You don't need to manage, configure, or update these domain controllers. The Azure platform manages the domain controllers as part of the Azure AD DS service.

The managed domain is configured to perform a one-way synchronization from Azure AD to provide access to a central set of users, groups, and credentials. You can create resources directly in the managed domain, but they aren't synchronized back to Azure AD. Applications, services, and VMs in Azure that connect to this virtual network can then use common AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.

In a hybrid environment with an on-premises AD DS environment, Azure AD Connect synchronizes identity information with Azure AD, which is then synchronized to Azure AD DS.

[Diagram: Azure AD Domain Services synchronized with Azure AD and on-premises Active Directory Domain Services using Azure AD Connect]

To see Azure AD DS in action, let's look at a couple of examples:

Azure AD DS for hybrid organizations

Many organizations run a hybrid infrastructure that includes both cloud and on-premises application workloads. Legacy applications migrated to Azure as part of a lift-and-shift strategy may use traditional LDAP connections to provide identity information. To support this hybrid infrastructure, identity information from an on-premises AD DS environment can be synchronized to an Azure AD tenant. Azure AD DS then provides these legacy applications in Azure with an identity source, without the need to configure and manage application connectivity back to on-premises directory services.

Let's look at an example for Litware Corporation, a hybrid organization that runs both on-premises and Azure resources:

[Diagram: Azure Active Directory Domain Services for a hybrid organization with on-premises synchronization]

  • Applications and server workloads that require domain services are deployed in a virtual network in Azure.
    • This may include legacy applications migrated to Azure as part of a lift-and-shift strategy.
  • To synchronize identity information from their on-premises directory to their Azure AD tenant, Litware Corporation deploys Azure AD Connect.
    • Identity information that is synchronized includes user accounts and group memberships.
  • Litware's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network.
  • Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in a managed domain to synchronize objects back to Azure AD.

Azure AD DS for cloud-only organizations

A cloud-only Azure AD tenant doesn't have an on-premises identity source. User accounts and group memberships, for example, are created and managed directly in Azure AD.

Now let's look at an example for Contoso, a cloud-only organization that uses Azure AD for identity. All user identities, their credentials, and group memberships are created and managed in Azure AD. There is no additional configuration of Azure AD Connect to synchronize any identity information from an on-premises directory.

[Diagram: Azure Active Directory Domain Services for a cloud-only organization without on-premises synchronization]

  • Applications and server workloads that require domain services are deployed in a virtual network in Azure.
  • Contoso's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network.
  • Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

Azure AD DS features and benefits

To provide identity services to applications and VMs in the cloud, Azure AD DS is fully compatible with a traditional AD DS environment for operations such as domain join, secure LDAP (LDAPS), Group Policy, DNS management, and LDAP bind and read support. LDAP write support is available for objects created in the Azure AD DS managed domain, but not for resources synchronized from Azure AD.
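The following PowerShell script is an added example, not part of the original article or the Azure AD DS service itself. Run from a Windows VM on the virtual network where the managed domain is deployed, it checks the services the article describes (domain join, DNS locator records, a secure LDAP bind and read, and Kerberos); the domain name is a placeholder and the script assumes LDAPS has already been enabled on the managed domain.

```powershell
# Added example (not from the original article): verify the managed-domain services
# described above from a domain-joined Windows VM on the same virtual network.
$ManagedDomain = 'aaddscontoso.com'   # placeholder: replace with your managed domain

# 1. Domain join: confirm this VM is a member of the managed domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Joined to domain: $($cs.PartOfDomain) ($($cs.Domain))"

# 2. DNS management: the managed domain publishes DC locator SRV records that
#    resolve to the pair of domain controllers the platform operates for you.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget
"Domain controllers: $($dcs -join ', ')"

# 3. Secure LDAP (LDAPS, TCP 636): confirm the port is reachable, then open a
#    TLS-protected session and do a read-only base search. The bind uses the
#    signed-in user's corporate credentials via Negotiate (Kerberos, else NTLM).
$tnc = Test-NetConnection -ComputerName $ManagedDomain -Port 636
"LDAPS port reachable: $($tnc.TcpTestSucceeded)"

Add-Type -AssemblyName System.DirectoryServices.Protocols
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ManagedDomain, 636)
$ldap  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldap.Bind()

# Read the root DSE; no write is attempted, since writes to objects synchronized
# from Azure AD are not supported in the managed domain.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    '', '(objectClass=*)', 'Base', 'defaultNamingContext')
$res = $ldap.SendRequest($req)
"Default naming context: $($res.Entries[0].Attributes['defaultNamingContext'][0])"
$ldap.Dispose()

# 4. Kerberos: the ticket cache should now contain a TGT for the managed domain
#    and a service ticket for ldap/<dc>, obtained by the bind above.
klist
```

If the bind fails with a certificate error, the LDAPS certificate on the managed domain is not trusted by the VM; if the SRV lookup returns nothing, the VM's DNS settings do not point at the managed domain's IP addresses.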

To learn more about your identity options, compare Azure AD DS with Azure AD, Active Directory Domain Services on Azure VMs, and Active Directory Domain Services on-premises.

The following features of Azure AD DS simplify deployment and management operations:

  • Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.
  • Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS.
    • Accounts in external directories linked to your Azure AD aren't available in Azure AD DS. Credentials aren't available for those external directories, so they can't be synchronized into an Azure AD DS managed domain.
  • Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the Azure AD DS managed domain.
  • NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.
  • High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures.
    • In regions that support Azure Availability Zones, these domain controllers are also distributed across zones for additional resiliency.

Some key aspects of an Azure AD DS managed domain include the following:

  • The Azure AD DS managed domain is a stand-alone domain. It isn't an extension of an on-premises domain.
  • Your IT team doesn't need to manage, patch, or monitor domain controllers for this Azure AD DS managed domain.

For hybrid environments that run AD DS on-premises, you don't need to manage AD replication to the Azure AD DS managed domain. User accounts, group memberships, and credentials from your on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the Azure AD DS managed domain.

Next steps

To learn more about how Azure AD DS compares with other identity solutions and how synchronization works, see the following articles:

To get started, create a managed domain using the Azure portal.