Custom installation of Azure AD Connect

Azure AD Connect custom settings are used when you want more options for the installation. Use them if you have multiple forests or if you want to configure optional features not covered in the express installation, and in all cases where the express installation option does not satisfy your deployment or topology.

Before you start installing Azure AD Connect, make sure to download Azure AD Connect and complete the prerequisite steps in Azure AD Connect: Hardware and prerequisites. Also make sure you have the required accounts available, as described in Azure AD Connect accounts and permissions.

If the customized settings do not match your topology, for example if you want to upgrade from DirSync, see the related documentation for other scenarios.

Custom settings installation of Azure AD Connect

Express Settings

On this page, click Customize to start a customized settings installation.

Install required components

When you install the synchronization services, you can leave the optional configuration section unchecked and Azure AD Connect sets up everything automatically. It sets up a SQL Server 2012 Express LocalDB instance, creates the appropriate groups, and assigns permissions. If you want to change the defaults, use the following table to understand the optional configuration options that are available.

[Screenshot: Required components]

| Optional configuration | Description |
| --- | --- |
| Use an existing SQL Server | Allows you to specify the SQL Server name and the instance name. Choose this option if you already have a database server that you would like to use. If your SQL Server does not have browsing enabled, enter the instance name followed by a comma and the port number in Instance Name. Then specify the name of the Azure AD Connect database. Your SQL privileges determine whether a new database is created or your SQL administrator must create the database in advance. If you have SQL SA permissions, see How to install using an existing database. If you have been delegated permissions (DBO), see Install Azure AD Connect with SQL delegated administrator permissions. |
| Use an existing service account | By default, Azure AD Connect uses a virtual service account for the synchronization services. If you use a remote SQL Server or a proxy that requires authentication, you need to use a managed service account, or a service account in the domain whose password you know. In those cases, enter the account to use. Make sure the user running the installation is an SA in SQL so that a login for the service account can be created. See Azure AD Connect accounts and permissions. With the latest build, the database can be provisioned out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights. For more information, see Install Azure AD Connect using SQL delegated administrator permissions. |
| Specify custom sync groups | By default, Azure AD Connect creates four groups local to the server when the synchronization services are installed: the Administrators group, the Operators group, the Browse group, and the Password Reset group. You can specify your own groups here. The groups must be local on the server and cannot be located in the domain. |

User sign-in

After installing the required components, you are asked to select your users' single sign-on method. The following table provides a brief description of the available options. For a full description of the sign-in methods, see User sign-in.

[Screenshot: User sign-in]

| Single sign-on option | Description |
| --- | --- |
| Password Hash Sync | Users are able to sign in to Microsoft cloud services, such as Office 365, using the same password they use in their on-premises network. The users' passwords are synchronized to Azure AD as a password hash, and authentication occurs in the cloud. See Password hash synchronization for more information. |
| Pass-through Authentication | Users are able to sign in to Microsoft cloud services, such as Office 365, using the same password they use in their on-premises network. The user's password is passed through to the on-premises Active Directory domain controller to be validated. |
| Federation with AD FS | Users are able to sign in to Microsoft cloud services, such as Office 365, using the same password they use in their on-premises network. The users are redirected to their on-premises AD FS instance to sign in, and authentication occurs on-premises. |
| Federation with PingFederate | Users are able to sign in to Microsoft cloud services, such as Office 365, using the same password they use in their on-premises network. The users are redirected to their on-premises PingFederate instance to sign in, and authentication occurs on-premises. |
| Do not configure | No user sign-in feature is installed or configured. Choose this option if you already have a third-party federation server or another existing solution in place. |
| Enable single sign-on | This option is available with both password hash sync and pass-through authentication and provides a single sign-on experience for desktop users on the corporate network. See Single sign-on for more information. Note that for AD FS customers this option is not available, because AD FS already offers the same level of single sign-on. |

Connect to Azure AD

On the Connect to Azure AD screen, enter a global admin account and password. If you selected Federation with AD FS on the previous page, do not sign in with an account in a domain you plan to enable for federation. A recommendation is to use an account in the default onmicrosoft.com domain, which comes with your Azure AD tenant.

This account is only used to create a service account in Azure AD and is not used after the wizard has completed.

[Screenshot: User sign-in]

If your global admin account has MFA enabled, you need to provide the password again in the sign-in popup and complete the MFA challenge. The challenge could be providing a verification code or answering a phone call.

[Screenshot: User sign-in MFA]

The global admin account can also have Privileged Identity Management enabled.

If you receive an error and have problems with connectivity, see Troubleshoot connectivity problems.

Pages under the Sync section

Connect your directories

To connect to your Active Directory Domain Services, Azure AD Connect needs the forest name and the credentials of an account with sufficient permissions.

[Screenshot: Connect directories]

After entering the forest name and clicking Add Directory, a pop-up dialog appears and prompts you with the following options:

| Option | Description |
| --- | --- |
| Create new account | Select this option if you want the Azure AD Connect wizard to create the AD DS account that Azure AD Connect requires for connecting to the AD forest during directory synchronization. When this option is selected, enter the username and password of an enterprise admin account. The Azure AD Connect wizard uses the enterprise admin account provided to create the required AD DS account. You can enter the domain part in either NetBIOS or FQDN format, that is, FABRIKAM\administrator or fabrikam.com\administrator. |
| Use existing account | Select this option if you want to provide an existing AD DS account for Azure AD Connect to use when connecting to the AD forest during directory synchronization. You can enter the domain part in either NetBIOS or FQDN format, that is, FABRIKAM\syncuser or fabrikam.com\syncuser. This account can be a regular user account because it only needs the default read permissions. However, depending on your scenario, you may need more permissions. For more information, see Azure AD Connect accounts and permissions. |

[Screenshot: Connect directories]

Azure AD sign-in configuration

This page allows you to review the UPN domains present in on-premises AD DS and which of them have been verified in Azure AD. This page also allows you to configure the attribute to use for the userPrincipalName.

Unverified domains
Review every domain marked Not Added and Not Verified. Make sure the domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains. For more information, see add and verify the domain.

UserPrincipalName - The attribute userPrincipalName is the attribute users use when they sign in to Azure AD and Office 365. The domains used, also known as the UPN suffix, should be verified in Azure AD before the users are synchronized. Microsoft recommends keeping the default attribute userPrincipalName. If this attribute is non-routable and cannot be verified, it is possible to select another attribute. You can, for example, select email as the attribute holding the sign-in ID. Using an attribute other than userPrincipalName is known as Alternate ID. The Alternate ID attribute value must follow the RFC 822 standard. An Alternate ID can be used with password hash sync, pass-through authentication, and federation. The attribute must not be defined in Active Directory as multi-valued, even if it only has a single value.

Note

When you enable Pass-through Authentication, you must have at least one verified domain in order to continue through the wizard.

Warning

Using an Alternate ID is not compatible with all Office 365 workloads. For more information, refer to Configuring Alternate Login ID.

Domain and OU filtering

By default, all domains and OUs are synchronized. If there are domains or OUs you do not want to synchronize to Azure AD, you can unselect them.

[Screenshot: Domain and OU filtering]

This page in the wizard configures domain-based and OU-based filtering. If you plan to make changes, see domain-based filtering and OU-based filtering before you make them. Some OUs are essential for the functionality and should not be unselected.

If you use OU-based filtering with an Azure AD Connect version before 1.1.524.0, new OUs added later are synchronized by default. If you want new OUs not to be synchronized, you can configure that after the wizard has completed, using OU-based filtering. For Azure AD Connect version 1.1.524.0 or later, you can indicate whether you want new OUs to be synchronized or not.

If you plan to use group-based filtering, make sure the OU containing the group is included and not filtered out by OU filtering. OU filtering is evaluated before group-based filtering.

It is also possible that some domains are not reachable due to firewall restrictions. These domains are unselected by default and have a warning.

[Screenshot: Unreachable domains]

If you see this warning, make sure that these domains are indeed unreachable and that the warning is expected.

Uniquely identifying your users

Select how users should be identified in your on-premises directories

The Matching across forests feature allows you to define how users from your AD DS forests are represented in Azure AD. A user might either be represented only once across all forests or have a combination of enabled and disabled accounts. The user might also be represented as a contact in some forests.

[Screenshot: Uniquely identifying users]

| Setting | Description |
| --- | --- |
| Users are only represented once across all forests | All users are created as individual objects in Azure AD. The objects are not joined in the metaverse. |
| Mail attribute | This option joins users and contacts if the mail attribute has the same value in different forests. Use this option when your contacts have been created using GALSync. If this option is chosen, User objects whose Mail attribute is not populated are not synchronized to Azure AD. |
| ObjectSID and msExchangeMasterAccountSID/msRTCSIP-OriginatorSid | This option joins an enabled user in an account forest with a disabled user in a resource forest. In Exchange, this configuration is known as a linked mailbox. This option can also be used if you only use Lync and Exchange is not present in the resource forest. |
| sAMAccountName and MailNickName | This option joins on attributes where the sign-in ID for the user is expected to be found. |
| A specific attribute | This option allows you to select your own attribute. If this option is chosen, User objects whose selected attribute is not populated are not synchronized to Azure AD. Limitation: make sure to pick an attribute that can already be found in the metaverse. If you pick a custom attribute (not in the metaverse), the wizard cannot complete. |

Select how users should be identified with Azure AD - Source Anchor

The attribute sourceAnchor is an attribute that is immutable during the lifetime of a user object. It is the primary key linking the on-premises user with the user in Azure AD.

| Setting | Description |
| --- | --- |
| Let Azure manage the source anchor for me | Select this option if you want Azure AD to pick the attribute for you. If you select this option, the Azure AD Connect wizard applies the sourceAnchor attribute selection logic described in the article section Azure AD Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor. The wizard informs you which attribute has been picked as the Source Anchor attribute after the custom installation completes. |
| A specific attribute | Select this option if you wish to specify an existing AD attribute as the sourceAnchor attribute. |

Since the attribute cannot be changed, you must plan for a good attribute to use. A good candidate is objectGUID. This attribute does not change unless the user account is moved between forests or domains. Avoid attributes that would change when a person marries or changes assignments. You cannot use attributes with an @ sign, so email and userPrincipalName cannot be used. The attribute is also case-sensitive, so when you move an object between forests, make sure to preserve the upper/lower case. Binary attributes are base64-encoded, but other attribute types remain in their unencoded state. In federation scenarios and some Azure AD interfaces, this attribute is also known as immutableID. More information about the source anchor can be found in the design concepts.
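As an added example (not code from the article or from Azure AD Connect itself), the following PowerShell shows the base64 encoding that a binary sourceAnchor goes through: an objectGUID is converted to the 24-character immutableID value, and decoded back so that an immutableID seen in Azure AD can be matched to the on-premises object. The sample GUID and the function names are constructed for this example.

```powershell
# Added example, not part of the article. Shows how a binary sourceAnchor
# (objectGUID) becomes the base64 immutableID described in the text, and back.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    # Guid.ToByteArray() yields the 16 bytes in the layout the directory stores
    # in objectGUID; base64 of 16 bytes is always 24 characters ending in "==".
    return [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)] [string] $ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        # Anything other than 16 bytes is not a GUID-based anchor (for example a
        # tenant using a string attribute), so refuse rather than return a wrong GUID.
        throw "ImmutableId '$ImmutableId' does not decode to a 16-byte GUID."
    }
    return [guid]::new($bytes)
}

# Constructed sample value (not a real account).
$sampleGuid  = [guid] '6f1c2b4a-8e2d-4c7b-9a1e-0d3f5b7c9e21'
$immutableId = ConvertTo-ImmutableId -ObjectGuid $sampleGuid

# Round-trip check: decoding the anchor must give back exactly the same GUID.
$roundTrip = ConvertFrom-ImmutableId -ImmutableId $immutableId
if ($roundTrip -ne $sampleGuid) { throw 'Round-trip mismatch' }

"objectGUID : $sampleGuid"
"immutableID: $immutableId"
```

The length check in ConvertFrom-ImmutableId is the practical part: when troubleshooting a "soft match" or a duplicate-object error, a value that does not decode to 16 bytes tells you the tenant is not anchored on a GUID attribute at all, which saves hunting for a GUID that never existed.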

Sync filtering based on groups

The filtering on groups feature allows you to sync only a small subset of objects for a pilot. To use this feature, create a group for this purpose in your on-premises Active Directory. Then add the users and groups that should be synchronized to Azure AD as direct members. You can later add and remove users in this group to maintain the list of objects that should be present in Azure AD. All objects you want to synchronize must be direct members of the group. Users, groups, contacts, and computers/devices must all be direct members. Nested group membership is not resolved: when you add a group as a member, only the group itself is added, not its members.

[Screenshot: Sync filtering]

Warning

This feature is only intended to support a pilot deployment. Do not use it in a full-blown production deployment.

In a full-blown production deployment, it is going to be hard to maintain a single group with all objects to synchronize. Instead, use one of the methods in Configure filtering.
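Because nested membership is not resolved, a useful check before the first pilot sync is to list the pilot group's direct members that are themselves groups, and then the members of those nested groups that are not also direct members, since those objects will be left out. The following PowerShell is an added example, not code from the article or from Azure AD Connect; it assumes the ActiveDirectory RSAT module is installed and the caller can read the groups, and the pilot group name is a placeholder.

```powershell
# Added example, not part of the article. Audits a group-based filtering pilot
# group: lists objects that will be missed because they are only reachable
# through a nested group. Assumes the ActiveDirectory module (RSAT) is
# available; the group name below is a placeholder.
function Get-PilotGroupMissedMembers {
    param([Parameter(Mandatory)] [string] $PilotGroup)

    # Direct members only: this is exactly the set the sync filter honours.
    $direct    = @(Get-ADGroupMember -Identity $PilotGroup)
    $directDns = $direct | ForEach-Object { $_.distinguishedName }

    foreach ($nested in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
        # Recursive expansion shows what an admin may assume is in scope;
        # anything not also a direct member of the pilot group is not synced.
        Get-ADGroupMember -Identity $nested.distinguishedName -Recursive |
            Where-Object { $directDns -notcontains $_.distinguishedName } |
            ForEach-Object {
                [pscustomobject]@{
                    NestedGroup  = $nested.name
                    MissedMember = $_.distinguishedName
                    ObjectClass  = $_.objectClass
                }
            }
    }
}

# Usage (placeholder group name): every row returned is an object that must be
# added to the pilot group directly before it will synchronize.
Get-PilotGroupMissedMembers -PilotGroup 'AADC-Pilot-Sync' | Format-Table -AutoSize
```

An empty result means every object reachable through nesting is also a direct member, so the pilot scope is what the group appears to contain.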

Optional features

This screen allows you to select the optional features for your specific scenarios.

Warning

Azure AD Connect versions 1.0.8641.0 and older rely on the Azure Access Control service for password writeback. This service will be retired on November 7, 2018. If you are using any of these versions of Azure AD Connect and have enabled password writeback, users may lose the ability to change or reset their passwords once the service is retired. Password writeback with these versions of Azure AD Connect will not be supported.

For more information on the Azure Access Control service, see How to: Migrate from the Azure Access Control service.

To download the latest version of Azure AD Connect, click here.

[Screenshot: Optional features]

Warning

If you currently have DirSync or Azure AD Sync active, do not activate any of the writeback features in Azure AD Connect.

| Optional feature | Description |
| --- | --- |
| Exchange Hybrid Deployment | The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect synchronizes a specific set of attributes from Azure AD back into your on-premises directory. |
| Exchange Mail Public Folders | The Exchange Mail Public Folders feature allows you to synchronize mail-enabled Public Folder objects from your on-premises Active Directory to Azure AD. |
| Azure AD app and attribute filtering | By enabling Azure AD app and attribute filtering, the set of synchronized attributes can be tailored. This option adds two more configuration pages to the wizard. For more information, see Azure AD app and attribute filtering. |
| Password hash synchronization | If you selected federation as the sign-in solution, you can enable this option. Password hash synchronization can then be used as a backup option. If you selected Pass-through Authentication, this option can also be enabled to ensure support for legacy clients and as a backup option. For additional information, see Password hash synchronization. |
| Password writeback | By enabling password writeback, password changes that originate in Azure AD are written back to your on-premises directory. For more information, see Getting started with password management. |
| Group writeback | If you use the Office 365 Groups feature, you can have these groups represented in your on-premises Active Directory. This option is only available if you have Exchange present in your on-premises Active Directory. For more information, see Group writeback. |
| Device writeback | Allows you to write back device objects in Azure AD to your on-premises Active Directory for Conditional Access scenarios. For more information, see Enabling device writeback in Azure AD Connect. |
| Directory extension attribute sync | By enabling directory extension attribute sync, the attributes you specify are synced to Azure AD. For more information, see Directory extensions. |

Azure AD app and attribute filtering

If you want to limit which attributes are synchronized to Azure AD, start by selecting which services you are using. If you make configuration changes on this page, a new service has to be selected explicitly by rerunning the installation wizard.

[Screenshot: Optional features, apps]

Based on the services selected in the previous step, this page shows all attributes that are synchronized. This list is a combination of all object types being synchronized. If there are particular attributes you need not to synchronize, you can unselect them.

[Screenshot: Optional features, attributes]

Warning

Removing attributes can impact functionality. For best practices and recommendations, see attributes synchronized.

Directory extension attribute sync

You can extend the schema in Azure AD with custom attributes added by your organization or with other attributes in Active Directory. To use this feature, select Directory Extension attribute sync on the Optional Features page. You can select more attributes to sync on this page.

Note

The Available attributes box is case sensitive.

[Screenshot: Directory extensions]

For more information, see Directory extensions.

Enabling single sign-on (SSO)

Configuring single sign-on for use with Password Synchronization or Pass-through Authentication is a simple process that you only need to complete once for each forest that is being synchronized to Azure AD. Configuration involves two steps:

  1. Create the necessary computer account in your on-premises Active Directory.
  2. Configure the intranet zone of the client machines to support single sign-on.

Create the computer account in Active Directory

For each forest that has been added in Azure AD Connect, you need to supply Domain Administrator credentials so that the computer account can be created in that forest. The credentials are only used to create the account and are not stored or used for any other operation. Add the credentials on the Enable single sign-on page of the Azure AD Connect wizard as shown:

[Screenshot: Enable single sign-on]

Note

You can skip a particular forest if you do not wish to use single sign-on with that forest.

Configure the intranet zone for client machines

To ensure that clients sign in automatically in the intranet zone, you need to ensure that the URL is part of the intranet zone. This ensures that a domain-joined computer automatically sends a Kerberos ticket to Azure AD when it is connected to the corporate network. On a computer that has the Group Policy management tools:

  1. Open the Group Policy Management tools.

  2. Edit the Group Policy that will be applied to all users, for example the Default Domain Policy.

  3. Navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page and select Site to Zone Assignment List, per the image below.

  4. Enable the policy, and enter the following item in the dialog box.

    Value: `https://autologon.microsoftazuread-sso.com`  
    Data: 1  

  5. It should look similar to the following:
    [Screenshot: Intranet zone]

  6. Click OK twice.
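After the policy has applied, you can confirm on a client that the autologon URL really landed in the Local intranet zone rather than trusting the GPO editor alone. The following PowerShell is an added example, not code from the article; it assumes that the Site to Zone Assignment List policy stores its entries as one value per URL under the ZoneMapKey policy keys named below (user and computer configuration respectively), with the zone number as data.

```powershell
# Added example, not from the article: verify on a client that the Seamless SSO
# URL has been placed in the Local intranet zone (zone 1) by the "Site to Zone
# Assignment List" policy. Assumption: the policy writes one value per site,
# named after the URL, under these ZoneMapKey policy keys.
$ssoUrl = 'https://autologon.microsoftazuread-sso.com'
$policyPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Test-SsoIntranetZone {
    param([string] $Url, [string[]] $Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        # The value name is the URL exactly as typed in the policy dialog.
        $zone = $item.PSObject.Properties[$Url]
        if ($null -ne $zone) {
            return [pscustomobject]@{
                Path           = $path
                Zone           = [int] $zone.Value
                InIntranetZone = ([int] $zone.Value -eq 1)   # 1 = Local intranet
            }
        }
    }
    # Not present in either policy key: the policy has not applied yet
    # (run gpupdate) or the URL was entered differently from $Url.
    return [pscustomobject]@{ Path = $null; Zone = $null; InIntranetZone = $false }
}

$result = Test-SsoIntranetZone -Url $ssoUrl -Paths $policyPaths
$result | Format-List
```

A result with InIntranetZone set to false but a non-null Zone means the URL was mapped to a different zone (for example Trusted sites, zone 2), which does not satisfy the Kerberos requirement described above.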

Configuring federation with AD FS

Configuring AD FS with Azure AD Connect is simple and only requires a few clicks. The following is required before the configuration.

  • A Windows Server 2012 R2 or later server for the federation server, with remote management enabled
  • A Windows Server 2012 R2 or later server for the Web Application Proxy server, with remote management enabled
  • An SSL certificate for the federation service name you intend to use (for example, sts.contoso.com)

Note

You can update the SSL certificate for your AD FS farm using Azure AD Connect even if you do not use it to manage your federation trust.

AD FS configuration prerequisites

To configure your AD FS farm using Azure AD Connect, ensure WinRM is enabled on the remote servers. Make sure you have completed the other tasks in federation prerequisites. In addition, go through the port requirements listed in Table 3 - Azure AD Connect and Federation Servers/WAP.

Create a new AD FS farm or use an existing AD FS farm

You can use an existing AD FS farm or choose to create a new one. If you choose to create a new one, you are required to provide the SSL certificate. If the SSL certificate is protected by a password, you are prompted for the password.

[Screenshot: AD FS farm]

If you choose to use an existing AD FS farm, you are taken directly to the screen for configuring the trust relationship between AD FS and Azure AD.

Note

Azure AD Connect can be used to manage only one AD FS farm. If you have an existing federation trust with Azure AD configured on the selected AD FS farm, the trust is re-created from scratch by Azure AD Connect.

指定 AD FS 伺服器Specify the AD FS servers

輸入想要在其中安裝 AD FS 的伺服器。Enter the servers that you want to install AD FS on. 您可以根據容量規劃需求,加入一或多部伺服器。You can add one or more servers based on your capacity planning needs. 請先將所有 AD FS 伺服器 (WAP 伺服器則不必) 加入 Active Directory,再執行這項設定。Join all AD FS servers (not required for the WAP servers) to Active Directory before you perform this configuration. Microsoft 建議安裝一部專門用於測試和試驗部署的 AD FS 伺服器。Microsoft recommends installing a single AD FS server for test and pilot deployments. 然後在完成初始設定之後透過再次執行 Azure AD Connect,新增及部署更多伺服器以符合您的調整需求。Then add and deploy more servers to meet your scaling needs by running Azure AD Connect again after initial configuration.

注意

請先確認所有伺服器均已加入 AD 網域,再執行這項設定。Ensure that all your servers are joined to an AD domain before you do this configuration.

AD FS 伺服器

指定 Web 應用程式 Proxy 伺服器Specify the Web Application Proxy servers

輸入您要做為 Web 應用程式 Proxy 伺服器的伺服器。Enter the servers that you want as your Web Application proxy servers. Web 應用程式 Proxy 伺服器會部署在您的 DMZ (外部網路對應) 中,且支援來自外部網路的驗證要求。The web application proxy server is deployed in your DMZ (extranet facing) and supports authentication requests from the extranet. 您可以根據容量規劃需求,加入一或多部伺服器。You can add one or more servers based on your capacity planning needs. Microsoft 建議安裝一部專門用於測試和試驗部署的 Web 應用程式 Proxy 伺服器。Microsoft recommends installing a single Web application proxy server for test and pilot deployments. 然後在完成初始設定之後透過再次執行 Azure AD Connect,新增及部署更多伺服器以符合您的調整需求。Then add and deploy more servers to meet your scaling needs by running Azure AD Connect again after initial configuration. 我們建議準備同樣數目的 Proxy 伺服器,以滿足來自內部網路的驗證需求。We recommend having an equivalent number of proxy servers to satisfy authentication from the intranet.

Note

  • If the account you use is not a local admin on the WAP servers, you are prompted for admin credentials.
  • Ensure that there is HTTP/HTTPS connectivity between the Azure AD Connect server and the Web Application Proxy server before you run this step.
  • Ensure that there is HTTP/HTTPS connectivity between the Web Application Proxy server and the AD FS server so that authentication requests can flow through.
  • You are prompted to enter credentials so that the Web Application Proxy server can establish a secure connection to the AD FS server. These credentials need to be a local administrator on the AD FS server.

[Screenshot: Web Application Proxy]
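The following PowerShell is an added example, not code from the original page or from Azure AD Connect itself. It runs on the Azure AD Connect server before you fill in the AD FS and Web Application Proxy pages and checks the two prerequisites the text calls out: every target must be reachable from the Connect server (the wizard configures the remote hosts over PowerShell remoting, so WinRM is what is tested), and every AD FS server must be domain-joined while the WAP servers need not be. All host names are assumptions.

```powershell
# Added example, not part of the original page: pre-flight checks for the
# servers you are about to enter on the AD FS and Web Application Proxy pages.
# Host names are assumptions; replace them with your own.
$adfsServers = @('adfs01.corp.contoso.com', 'adfs02.corp.contoso.com')
$wapServers  = @('wap01.contoso.com')   # DMZ hosts; domain join is not required

function Test-DeployTarget {
    param([string]$Server, [bool]$RequireDomainJoin)
    $r = [ordered]@{ Server = $Server }
    # WinRM (HTTP 5985 or HTTPS 5986) must answer from the Azure AD Connect server.
    $r.WinRM = [bool](Test-WSMan -ComputerName $Server -ErrorAction SilentlyContinue)
    $r.DomainJoined = $null
    if ($RequireDomainJoin -and $r.WinRM) {
        # Win32_ComputerSystem.PartOfDomain is $true only for domain-joined hosts.
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Server -ErrorAction SilentlyContinue
        $r.DomainJoined = [bool]($cs -and $cs.PartOfDomain)
    }
    [pscustomobject]$r
}

$report  = @($adfsServers | ForEach-Object { Test-DeployTarget -Server $_ -RequireDomainJoin $true })
$report += @($wapServers  | ForEach-Object { Test-DeployTarget -Server $_ -RequireDomainJoin $false })
$report | Format-Table -AutoSize

# An unreachable host, or an AD FS server that is not domain-joined, makes the
# wizard fail later with a far less specific error; stop here instead.
$blocking = $report | Where-Object { -not $_.WinRM -or $_.DomainJoined -eq $false }
if ($blocking) {
    $blocking | Format-Table -AutoSize
    throw 'Fix the hosts listed above before running the Azure AD Connect wizard.'
}
```

For workgroup WAP hosts in the DMZ, Test-WSMan only succeeds if the Connect server trusts them (TrustedHosts or a WinRM HTTPS listener with a valid certificate); a failure there is exactly the condition the note warns about. The WAP-to-AD FS path on TCP 443 can only be tested after AD FS is installed, so it is not included here.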

Specify the service account for the AD FS service

The AD FS service requires a domain service account to authenticate users and look up user information in Active Directory. It supports two types of service accounts:

  • Group Managed Service Account - Introduced in Active Directory Domain Services with Windows Server 2012. This type of account gives services such as AD FS a single account whose password is managed by AD DS, so you never need to update the account password manually. Use this option if you already have Windows Server 2012 domain controllers in the domain that your AD FS servers belong to.
  • Domain User Account - This type of account requires you to provide a password and to update it in AD FS whenever the password changes or expires. Use this option only when you do not have Windows Server 2012 domain controllers in the domain that your AD FS servers belong to.

If you selected Group Managed Service Account and this feature has never been used in Active Directory, you are prompted for Enterprise Admin credentials. These credentials are used to create the KDS root key that backs gMSA passwords and to enable the feature in Active Directory.

Note

Azure AD Connect performs a check to detect whether the AD FS service name is already registered as an SPN in the domain. AD DS does not allow duplicate SPNs to be registered at the same time. If a duplicate SPN is found, you cannot proceed until the SPN is removed.

[Screenshot: AD FS service account]
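The following PowerShell is an added example, not code from the original page or from Azure AD Connect. It checks ahead of the wizard for the two conditions described above: an SPN for the federation service name already registered on some other account (which blocks the wizard until removed), and the gMSA prerequisites (a KDS root key and Windows Server 2012 or later domain controllers). The federation service name is an assumption; the ActiveDirectory RSAT module is required.

```powershell
# Added example, not part of the original page: pre-checks for the
# "Specify the service account for the AD FS service" page.
# fs.contoso.com is an assumed federation service name.
Import-Module ActiveDirectory
$federationFqdn = 'fs.contoso.com'

# 1. Duplicate SPN check. AD FS registers host/<federation FQDN> on its service
#    account, and AD DS refuses a second registration of the same SPN.
function Find-SpnOwner {
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

$spn = "host/$federationFqdn"
$owners = @(Find-SpnOwner -Spn $spn)
if ($owners.Count -gt 0) {
    Write-Warning "$spn is already registered on: $($owners.DistinguishedName -join '; ')"
    # Remove it only after confirming the owning account is stale, e.g. a
    # decommissioned AD FS server:  setspn -D $spn <owner sAMAccountName>
} else {
    "$spn is not registered; the wizard's SPN check will pass"
}

# 2. gMSA prerequisite: a KDS root key must exist before any gMSA can be created.
#    This is what the wizard creates when it asks for Enterprise Admin credentials.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still waits the default 10 hours for replication;
    # do not use the back-dated EffectiveTime trick outside a lab.
    Write-Warning 'No KDS root key exists. Create one as Enterprise Admin: Add-KdsRootKey -EffectiveImmediately'
}

# 3. gMSA needs at least one Windows Server 2012 or later DC in the AD FS servers' domain.
$oldDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notmatch 'Server (2012|2016|2019|2022)' }
foreach ($dc in $oldDcs) {
    Write-Warning "$($dc.HostName) runs '$($dc.OperatingSystem)'; it cannot serve gMSA password requests"
}
```

If step 1 finds the SPN on a still-active account, do not delete it blindly: that account is serving Kerberos tickets for the name today, and removing the SPN breaks it. Resolve which server should own the federation service name first.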

Select the Azure AD domain that you wish to federate

This configuration sets up the federation relationship between AD FS and Azure AD. It configures AD FS to issue security tokens to Azure AD and configures Azure AD to trust the tokens from this specific AD FS instance. This page only allows you to configure a single domain in the initial installation. You can configure more domains later by running Azure AD Connect again.

[Screenshot: Azure AD domain]

Verify the Azure AD domain selected for federation

When you select the domain to be federated, Azure AD Connect provides you with the information necessary to verify an unverified domain. See Add and verify the domain for how to use this information.

[Screenshot: Azure AD domain]

Note

Azure AD Connect tries to verify the domain during the configure stage. If you continue to configure without adding the necessary DNS records, the wizard cannot complete the configuration.

Configuring federation with PingFederate

Configuring PingFederate with Azure AD Connect is simple and only requires a few clicks. However, the following prerequisites must be met.

Verify the domain

After selecting Federation with PingFederate, you are asked to verify the domain you want to federate. Select the domain from the drop-down box.

[Screenshot: Verify domain]

Export the PingFederate settings

PingFederate must be configured as the federation server for each federated Azure domain. Click the Export Settings button and share this information with your PingFederate administrator. The federation server administrator updates the configuration, then provides the PingFederate server URL and port number so that Azure AD Connect can verify the metadata settings.

[Screenshot: Export settings]

Contact your PingFederate administrator to resolve any validation issues. The following is an example of a PingFederate server that does not have a valid trust relationship with Azure:

[Screenshot: Trust]

Verify federation connectivity

Azure AD Connect attempts to validate the authentication endpoints retrieved from the PingFederate metadata in the previous step. Azure AD Connect first attempts to resolve the endpoints using your local DNS servers. Next it attempts to resolve the endpoints using an external DNS provider. Contact your PingFederate administrator to resolve any validation issues.

[Screenshot: Verify connectivity]

Verify federation login

Finally, you can verify the newly configured federated login flow by signing in to the federated domain. When this succeeds, the federation with PingFederate is successfully configured.

[Screenshot: Verify login]

Configure and verify pages

The configuration happens on this page.

Note

Before you continue the installation, if you configured federation, make sure that you have configured name resolution for federation servers.

[Screenshot: Ready to configure]

Staging mode

It is possible to set up a new sync server in parallel by using staging mode. Only one sync server may export to a given directory in the cloud. But if you want to move from another server, for example one running DirSync, you can enable Azure AD Connect in staging mode. When enabled, the sync engine imports and synchronizes data as normal, but it does not export anything to Azure AD or AD. Password synchronization and password writeback are disabled while in staging mode.

[Screenshot: Staging mode]

While in staging mode, you can make the required changes to the sync engine and review what is about to be exported. When the configuration looks good, run the installation wizard again and disable staging mode. Data is now exported to Azure AD from this server. Disable the other server at the same time so that only one server is actively exporting.

For more information, see Staging mode.
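The following PowerShell is an added example, not code from the original page or from Azure AD Connect. It shows the review step the paragraph above describes: confirm that the server really is in staging mode, run a full cycle, and dump the changes the Azure AD connector would export so you can inspect them before disabling staging mode. The install path and the connector-type match used to find the Azure AD connector are assumptions; csexport.exe and CSExportAnalyzer.exe ship with Azure AD Connect.

```powershell
# Added example, not part of the original page: review pending exports of a
# staging-mode server before taking it out of staging.
Import-Module ADSync

# Staging mode is reported by the scheduler; nothing is exported while it is true.
$scheduler = Get-ADSyncScheduler
"StagingModeEnabled : $($scheduler.StagingModeEnabled)"
"SyncCycleEnabled   : $($scheduler.SyncCycleEnabled)"
if (-not $scheduler.StagingModeEnabled) {
    throw 'This server is NOT in staging mode; anything you export now goes live.'
}

# Run a full import/sync cycle and wait for it to finish (the cmdlet is asynchronous).
Start-ADSyncSyncCycle -PolicyType Initial
do { Start-Sleep -Seconds 30 } while (Get-ADSyncConnectorRunStatus)

# Find the Azure AD connector (assumed: it is the only connector of type Extensible2).
$aadConnector = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }).Name

# Dump the pending exports of that connector to CSV. Paths are assumptions.
$bin = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin'
$xml = Join-Path $env:TEMP 'pending-export.xml'
$csv = Join-Path $env:TEMP 'pending-export.csv'
& "$bin\csexport.exe" $aadConnector $xml /f:x
& "$bin\CSExportAnalyzer.exe" $xml | Out-File -FilePath $csv -Encoding ascii

# Review before disabling staging mode. A large number of pending deletes on a
# server about to go live usually means an OU or attribute filter differs from
# the currently active server.
$pending = @(Import-Csv -Path $csv)
"Pending export operations: $($pending.Count)"
$pending | Select-Object -First 20 | Format-Table -AutoSize
```

Run the same dump on the server you are retiring and compare the two files; the new server should be proposing no changes to objects the old server already exported.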

Verify your federation configuration

Azure AD Connect verifies the DNS settings for you when you click the Verify button.

Intranet connectivity checks

  • Resolve federation FQDN: Azure AD Connect checks whether the federation FQDN can be resolved by DNS to ensure connectivity. If Azure AD Connect cannot resolve the FQDN, the verification fails. Ensure that a DNS record is present for the federation service FQDN in order to complete the verification.
  • DNS A record: Azure AD Connect checks whether there is an A record for your federation service. In the absence of an A record, the verification fails. Create an A record, not a CNAME record, for your federation FQDN in order to complete the verification.

Extranet connectivity checks

  • Resolve federation FQDN: Azure AD Connect checks whether the federation FQDN can be resolved by DNS to ensure connectivity.
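The following PowerShell is an added example, not code from the original page or from Azure AD Connect. It reproduces the intranet and extranet DNS checks listed above (and the two-stage local-then-external resolution described under Verify federation connectivity for PingFederate) so you can run them before clicking Verify. The federation FQDN and the external resolver address are assumptions.

```powershell
# Added example, not part of the original page: run the wizard's DNS checks
# for the federation service name yourself. Values below are assumptions.
$federationFqdn   = 'fs.contoso.com'
$externalResolver = '8.8.8.8'   # any resolver that sees only your public DNS

function Test-FederationDns {
    param([string]$Fqdn, [string]$Server)
    $params = @{ Name = $Fqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $params.Server = $Server }
    $records = @(Resolve-DnsName @params)
    [pscustomobject]@{
        Resolver  = if ($Server) { $Server } else { 'local' }
        Resolves  = $records.Count -gt 0
        # The intranet check requires a plain A record; a CNAME in the answer fails it.
        HasCname  = [bool]($records | Where-Object { $_.Type -eq 'CNAME' })
        Addresses = (($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', ')
    }
}

$intranet = Test-FederationDns -Fqdn $federationFqdn
$extranet = Test-FederationDns -Fqdn $federationFqdn -Server $externalResolver
$intranet, $extranet | Format-Table -AutoSize

# Intranet: must resolve, and must be an A record rather than a CNAME.
if (-not $intranet.Resolves) {
    Write-Warning "Intranet: $federationFqdn does not resolve; add an A record on the internal DNS"
} elseif ($intranet.HasCname) {
    Write-Warning "Intranet: $federationFqdn is a CNAME; the Verify step requires an A record"
}

# Extranet: only resolution is checked by the wizard. As an extra sanity check,
# the public answer should point at the Web Application Proxy in the DMZ, not
# at the internal AD FS address.
if (-not $extranet.Resolves) {
    Write-Warning "Extranet: $federationFqdn does not resolve via $externalResolver"
} elseif ($intranet.Addresses -and ($extranet.Addresses -eq $intranet.Addresses)) {
    Write-Warning "Extranet answer equals the intranet answer; check your split-brain DNS for $federationFqdn"
}
```

The final comparison is not part of the wizard's checks; it catches the common mistake of publishing the internal AD FS address in public DNS, which bypasses the Web Application Proxy.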

[Screenshot: Complete]

Verify

To validate that end-to-end authentication is successful, you should manually perform one or more of the following tests:

  • Once synchronization is complete, use the Verify federated login additional task in Azure AD Connect to verify authentication for an on-premises user account of your choice.
  • Validate that you can sign in from a browser on a domain-joined machine on the intranet: connect to https://myapps.microsoft.com and verify the sign-in with your logged-in account. The built-in AD DS administrator account is not synchronized and cannot be used for verification.
  • Validate that you can sign in from a device on the extranet. On a home machine or a mobile device, connect to https://myapps.microsoft.com and supply your credentials.
  • Validate rich client sign-in. Connect to https://testconnectivity.microsoft.com, choose the Office 365 tab and then choose the Office 365 Single Sign-On Test.

Troubleshooting

The following section contains troubleshooting steps and information that you can use if you encounter an issue installing Azure AD Connect.

"The ADSync database already contains data and cannot be overwritten"

When you custom install Azure AD Connect and select the option Use an existing SQL server on the Install required components page, you might encounter an error that states: The ADSync database already contains data and cannot be overwritten. Please remove the existing database and try again.

[Screenshot: Error]

This happens because there is already a database named ADSync on the SQL instance of the SQL server that you specified in the textboxes above.

This typically occurs after you have uninstalled Azure AD Connect. The database is not deleted from the SQL Server when you uninstall.

To fix this issue, first verify that the ADSync database used by Azure AD Connect before it was uninstalled is no longer in use, for example by another Azure AD Connect server still pointed at the same instance.

Next, back up the database before deleting it.

Finally, delete the database. You can do this by using Microsoft SQL Server Management Studio and connecting to the SQL instance. Find the ADSync database, right-click it, and select Delete from the context menu. Then click OK to delete it.

[Screenshot: Error]

After you delete the ADSync database, click the Install button to retry the installation.
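The following PowerShell is an added example, not code from the original page or from Azure AD Connect. It performs the three steps above from a script instead of SQL Server Management Studio: confirm nothing is still connected to the leftover ADSync database, back it up, then drop it and verify that it is gone. The SQL instance name and backup directory are assumptions; the SqlServer PowerShell module is required.

```powershell
# Added example, not part of the original page: clear the "ADSync database
# already contains data" error safely. Instance and path are assumptions.
Import-Module SqlServer
$sqlInstance = 'sql01.corp.contoso.com\ADSYNC'
$backupDir   = 'D:\Backup'

# 1. Confirm nothing is still using the leftover database. An open session
#    usually means the old ADSync service is still running somewhere.
$sessions = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query @"
SELECT session_id, login_name, host_name, program_name
FROM sys.dm_exec_sessions
WHERE database_id = DB_ID('ADSync')
"@
if ($sessions) {
    $sessions | Format-Table -AutoSize
    throw 'ADSync is still in use by the sessions above. Stop that service before continuing.'
}

# 2. Back up before dropping. The database holds connector-space data and the
#    sync configuration; once dropped they only come back from this backup.
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
$backupFile = Join-Path $backupDir ('ADSync_{0:yyyyMMdd_HHmmss}.bak' -f (Get-Date))
Backup-SqlDatabase -ServerInstance $sqlInstance -Database 'ADSync' -BackupFile $backupFile
"Backup written to $backupFile"

# 3. Drop the database, forcing out any session that connected in between.
Invoke-Sqlcmd -ServerInstance $sqlInstance -Database master -Query @"
ALTER DATABASE [ADSync] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
DROP DATABASE [ADSync];
"@

# 4. Verify, then retry the installation in the wizard.
$left = Invoke-Sqlcmd -ServerInstance $sqlInstance -Database master -Query "SELECT name FROM sys.databases WHERE name = 'ADSync'"
if ($left) { throw 'ADSync still exists on the instance' }
'ADSync removed; click Install again in the Azure AD Connect wizard.'
```

Running this requires sysadmin or at least db_owner plus DROP rights on the instance; if you only hold delegated DBO permissions, have the SQL administrator run step 3 for you, as the Install required components page describes.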

Next steps

After the installation has completed, sign out of Windows and sign in again before you use Synchronization Service Manager or Synchronization Rules Editor. The installer adds your account to the ADSyncAdmins group, and the new group membership only takes effect in a fresh logon token.

Now that you have Azure AD Connect installed, you can verify the installation and assign licenses.

Learn more about these features, which were enabled with the installation: Prevent accidental deletes and Azure AD Connect Health.

Learn more about these common topics: scheduler and how to trigger sync.

Learn more about Integrating your on-premises identities with Azure Active Directory.