How objects and credentials are synchronized in an Azure Active Directory Domain Services managed domain

Objects and credentials in an Azure Active Directory Domain Services (Azure AD DS) managed domain can either be created locally within the domain, or synchronized from an Azure Active Directory (Azure AD) tenant. When you first deploy Azure AD DS, an automatic one-way synchronization is configured and started to replicate the objects from Azure AD. This one-way synchronization continues to run in the background to keep the Azure AD DS managed domain up-to-date with any changes from Azure AD. No synchronization occurs from Azure AD DS back to Azure AD.

In a hybrid environment, objects and credentials from an on-premises AD DS domain can be synchronized to Azure AD using Azure AD Connect. Once those objects are successfully synchronized to Azure AD, the automatic background sync then makes those objects and credentials available to applications using the managed domain.

The following diagram illustrates how synchronization works between Azure AD DS, Azure AD, and an optional on-premises AD DS environment:

Diagram: synchronization overview for an Azure AD Domain Services managed domain

Synchronization from Azure AD to Azure AD DS

User accounts, group memberships, and credential hashes are synchronized one way from Azure AD to Azure AD DS. This synchronization process is automatic. You don't need to configure, monitor, or manage this synchronization process. The initial synchronization may take a few hours to a couple of days, depending on the number of objects in the Azure AD directory. After the initial synchronization is complete, changes that are made in Azure AD, such as password or attribute changes, are then automatically synchronized to Azure AD DS.

When a user is created in Azure AD, they're not synchronized to Azure AD DS until they change their password in Azure AD. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The password hashes are needed to successfully authenticate a user in Azure AD DS.

The synchronization process is one way (unidirectional) by design. There's no reverse synchronization of changes from Azure AD DS back to Azure AD. A managed domain is largely read-only except for custom OUs that you can create. You can't make changes to user attributes, user passwords, or group memberships within a managed domain.

Attribute synchronization and mapping to Azure AD DS

The following table lists some common attributes and how they're synchronized to Azure AD DS.

| Attribute in Azure AD DS | Source | Notes |
| --- | --- | --- |
| UPN | User's UPN attribute in the Azure AD tenant | The UPN attribute from the Azure AD tenant is synchronized as-is to Azure AD DS. The most reliable way to sign in to a managed domain is using the UPN. |
| SAMAccountName | User's mailNickname attribute in the Azure AD tenant, or autogenerated | The SAMAccountName attribute is sourced from the mailNickname attribute in the Azure AD tenant. If multiple user accounts have the same mailNickname attribute, the SAMAccountName is autogenerated. If the user's mailNickname or UPN prefix is longer than 20 characters, the SAMAccountName is autogenerated to meet the 20-character limit on SAMAccountName attributes. |
| Passwords | User's password from the Azure AD tenant | Legacy password hashes required for NTLM or Kerberos authentication are synchronized from the Azure AD tenant. If the Azure AD tenant is configured for hybrid synchronization using Azure AD Connect, these password hashes are sourced from the on-premises AD DS environment. |
| Primary user/group SID | Autogenerated | The primary SID for user/group accounts is autogenerated in Azure AD DS. This attribute doesn't match the primary user/group SID of the object in an on-premises AD DS environment, because the managed domain has a different SID namespace than the on-premises AD DS domain. |
| SID history for users and groups | On-premises primary user and group SID | The SidHistory attribute for users and groups in Azure AD DS is set to match the corresponding primary user or group SID in an on-premises AD DS environment. This feature makes lift-and-shift of on-premises applications to Azure AD DS easier, as you don't need to re-ACL resources. |

Tip

Sign in to the managed domain using the UPN format. The SAMAccountName attribute, such as AADDSCONTOSO\driley, may be auto-generated for some user accounts in a managed domain. A user's auto-generated SAMAccountName may differ from their UPN prefix, so it isn't always a reliable way to sign in.

For example, if multiple users have the same mailNickname attribute or users have overly long UPN prefixes, the SAMAccountName for these users may be auto-generated. Use the UPN format, such as driley@aaddscontoso.com, to reliably sign in to a managed domain.

Attribute mapping for user accounts

The following table illustrates how specific attributes for user objects in Azure AD are synchronized to corresponding attributes in Azure AD DS.

| User attribute in Azure AD | User attribute in Azure AD DS |
| --- | --- |
| accountEnabled | userAccountControl (sets or clears the ACCOUNT_DISABLED bit) |
| city | l |
| country | co |
| department | department |
| displayName | displayName |
| employeeId | employeeId |
| facsimileTelephoneNumber | facsimileTelephoneNumber |
| givenName | givenName |
| jobTitle | title |
| mail | mail |
| mailNickname | msDS-AzureADMailNickname |
| mailNickname | SAMAccountName (may sometimes be autogenerated) |
| manager | manager |
| mobile | mobile |
| objectid | msDS-AzureADObjectId |
| onPremiseSecurityIdentifier | sidHistory |
| passwordPolicies | userAccountControl (sets or clears the DONT_EXPIRE_PASSWORD bit) |
| physicalDeliveryOfficeName | physicalDeliveryOfficeName |
| postalCode | postalCode |
| preferredLanguage | preferredLanguage |
| proxyAddresses | proxyAddresses |
| state | st |
| streetAddress | streetAddress |
| surname | sn |
| telephoneNumber | telephoneNumber |
| userPrincipalName | userPrincipalName |
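To make the SAMAccountName rules from the attribute table and the tip above concrete, together with the userAccountControl bit mapping in the user attribute table, here is an added Python model (not Microsoft's synchronization code) that projects constructed Azure AD user objects onto the Azure AD DS attributes this page describes. The UF_* values are the standard on-premises AD userAccountControl flag bits; the aad_user helper, the sample tenant, and the "<autogenerated>" placeholder are assumptions, since the page doesn't document the generated value itself.

```python
from collections import Counter
# Well-known on-premises AD userAccountControl flag bits.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
SAM_MAX_LEN = 20  # SAMAccountName length limit stated on the page

def aad_user(upn, nick, enabled=True, policies=None, onprem_sid=None):
    """Minimal Azure AD user object (constructed sample data)."""
    return {"userPrincipalName": upn, "mailNickname": nick,
            "accountEnabled": enabled, "passwordPolicies": policies,
            "onPremiseSecurityIdentifier": onprem_sid}

# Constructed tenant covering the cases the page describes.
AAD_USERS = [
    aad_user("driley@aaddscontoso.com", "driley",
             onprem_sid="S-1-5-21-1111-2222-3333-1104"),  # hybrid user
    aad_user("jsmith@aaddscontoso.com", "jsmith", False, "DisablePasswordExpiration"),
    aad_user("pat@aaddscontoso.com", "pat"),        # mailNickname collision
    aad_user("pat.jones@aaddscontoso.com", "pat"),
    aad_user("longnickname0123456789@aaddscontoso.com", "longnickname0123456789"),
]

def user_account_control(user):
    """accountEnabled and passwordPolicies become userAccountControl bits."""
    uac = UF_NORMAL_ACCOUNT
    if not user["accountEnabled"]:
        uac |= UF_ACCOUNTDISABLE
    if "DisablePasswordExpiration" in (user["passwordPolicies"] or ""):
        uac |= UF_DONT_EXPIRE_PASSWD
    return uac

def sam_account_name(user, nickname_counts):
    """Return (value, autogenerated); the generated value itself isn't documented."""
    nick = user["mailNickname"]
    upn_prefix = user["userPrincipalName"].split("@", 1)[0]
    if (nickname_counts[nick] > 1 or len(nick) > SAM_MAX_LEN
            or len(upn_prefix) > SAM_MAX_LEN):
        return "<autogenerated>", True
    return nick, False

def map_users(users):
    """Project Azure AD users onto the Azure AD DS attributes the page maps."""
    counts = Counter(u["mailNickname"] for u in users)
    result = []
    for u in users:
        sam, autogen = sam_account_name(u, counts)
        result.append({
            "userPrincipalName": u["userPrincipalName"],  # synced as-is
            "sAMAccountName": sam, "sAMAccountNameAutogenerated": autogen,
            "userAccountControl": user_account_control(u),
            "sidHistory": u["onPremiseSecurityIdentifier"],  # None if cloud-only
        })
    return result
```

Running map_users(AAD_USERS) shows why the tip recommends the UPN: three of the five constructed accounts end up with an autogenerated SAMAccountName, while every userPrincipalName passes through unchanged.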

Attribute mapping for groups

The following table illustrates how specific attributes for group objects in Azure AD are synchronized to corresponding attributes in Azure AD DS.

| Group attribute in Azure AD | Group attribute in Azure AD DS |
| --- | --- |
| displayName | displayName |
| displayName | SAMAccountName (may sometimes be autogenerated) |
| mail | mail |
| mailNickname | msDS-AzureADMailNickname |
| objectid | msDS-AzureADObjectId |
| onPremiseSecurityIdentifier | sidHistory |
| proxyAddresses | proxyAddresses |
| securityEnabled | groupType |

Synchronization from on-premises AD DS to Azure AD and Azure AD DS

Azure AD Connect is used to synchronize user accounts, group memberships, and credential hashes from an on-premises AD DS environment to Azure AD. Attributes of user accounts such as the UPN and on-premises security identifier (SID) are synchronized. To sign in using Azure AD DS, legacy password hashes required for NTLM and Kerberos authentication are also synchronized to Azure AD.

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. Installing Azure AD Connect in a managed domain to synchronize objects back to Azure AD isn't supported.

If you configure write-back, changes from Azure AD are synchronized back to the on-premises AD DS environment. For example, if a user changes their password using Azure AD self-service password management, the password is updated back in the on-premises AD DS environment.

Note

Always use the latest version of Azure AD Connect to ensure you have fixes for all known bugs.

Synchronization from a multi-forest on-premises environment

Many organizations have a fairly complex on-premises AD DS environment that includes multiple forests. Azure AD Connect supports synchronizing users, groups, and credential hashes from multi-forest environments to Azure AD.

Azure AD has a much simpler, flat namespace. To enable users to reliably access applications secured by Azure AD, resolve UPN conflicts across user accounts in different forests. Managed domains use a flat OU structure, similar to Azure AD. All user accounts and groups are stored in the AADDC Users container, despite being synchronized from different on-premises domains or forests, even if you've configured a hierarchical OU structure on-premises. The managed domain flattens any hierarchical OU structures.

As previously detailed, there's no synchronization from Azure AD DS back to Azure AD. You can create a custom Organizational Unit (OU) in Azure AD DS and then create users, groups, or service accounts within those custom OUs. None of the objects created in custom OUs are synchronized back to Azure AD. These objects are available only within the managed domain, and aren't visible using Azure AD PowerShell cmdlets, Microsoft Graph API, or the Azure AD management UI.

What isn't synchronized to Azure AD DS

The following objects or attributes aren't synchronized from an on-premises AD DS environment to Azure AD or Azure AD DS:

  • Excluded attributes: You can choose to exclude certain attributes from synchronizing to Azure AD from an on-premises AD DS environment using Azure AD Connect. These excluded attributes aren't then available in Azure AD DS.
  • Group Policies: Group Policies configured in an on-premises AD DS environment aren't synchronized to Azure AD DS.
  • Sysvol folder: The contents of the Sysvol folder in an on-premises AD DS environment aren't synchronized to Azure AD DS.
  • Computer objects: Computer objects for computers joined to an on-premises AD DS environment aren't synchronized to Azure AD DS. These computers don't have a trust relationship with the managed domain and only belong to the on-premises AD DS environment. In Azure AD DS, only computer objects for computers that have explicitly domain-joined to the managed domain are shown.
  • SidHistory attributes for users and groups: The primary user and primary group SIDs from an on-premises AD DS environment are synchronized to Azure AD DS. However, existing SidHistory attributes for users and groups aren't synchronized from the on-premises AD DS environment to Azure AD DS.
  • Organizational Unit (OU) structures: Organizational Units defined in an on-premises AD DS environment don't synchronize to Azure AD DS. There are two built-in OUs in Azure AD DS - one for users, and one for computers. The managed domain has a flat OU structure. You can choose to create a custom OU in your managed domain.

Password hash synchronization and security considerations

When you enable Azure AD DS, legacy password hashes for NTLM and Kerberos authentication are required. Azure AD doesn't store clear-text passwords, so these hashes can't be automatically generated for existing user accounts. Once generated and stored, NTLM and Kerberos compatible password hashes are always stored in an encrypted manner in Azure AD.

The encryption keys are unique to each Azure AD tenant. These hashes are encrypted such that only Azure AD DS has access to the decryption keys. No other service or component in Azure AD has access to the decryption keys.

Legacy password hashes are then synchronized from Azure AD into the domain controllers for a managed domain. The disks for these managed domain controllers in Azure AD DS are encrypted at rest. These password hashes are stored and secured on these domain controllers similar to how passwords are stored and secured in an on-premises AD DS environment.

For cloud-only Azure AD environments, users must reset or change their password in order for the required password hashes to be generated and stored in Azure AD. For any cloud user account created in Azure AD after enabling Azure AD Domain Services, the password hashes are generated and stored in the NTLM and Kerberos compatible formats. All cloud user accounts must change their password before they're synchronized to Azure AD DS.

For hybrid user accounts synced from an on-premises AD DS environment using Azure AD Connect, you must configure Azure AD Connect to synchronize password hashes in the NTLM and Kerberos compatible formats.

Next steps

For more information on the specifics of password synchronization, see How password hash synchronization works with Azure AD Connect.

To get started with Azure AD DS, create a managed domain.