Integrate on-premises Active Directory domains with Azure Active Directory

Azure Active Directory (Azure AD) is a cloud-based multi-tenant directory and identity service. This reference architecture shows best practices for integrating on-premises Active Directory domains with Azure AD to provide cloud-based identity authentication. Deploy this solution.

[Figure: Cloud identity architecture using Azure Active Directory]

Download a Visio file of this architecture.

Note

For simplicity, this diagram only shows the connections directly related to Azure AD, and not protocol-related traffic that may occur as part of authentication and identity federation. For example, a web application may redirect the web browser to authenticate the request through Azure AD. Once authenticated, the request can be passed back to the web application, with the appropriate identity information.

Typical uses for this reference architecture include:

  • Web applications deployed in Azure that provide access to remote users who belong to your organization.
  • Implementing self-service capabilities for end users, such as resetting their passwords, and delegating group management. This requires Azure AD Premium edition.
  • Architectures in which the on-premises network and the application's Azure VNet are not connected using a VPN tunnel or ExpressRoute circuit.

Note

Azure AD can authenticate the identity of users and applications that exist in an organization's directory. Some applications and services, such as SQL Server, may require computer authentication, in which case this solution is not appropriate.

For additional considerations, see Choose a solution for integrating on-premises Active Directory with Azure.

Architecture

The architecture has the following components.

  • Azure AD tenant. An instance of Azure AD created by your organization. It acts as a directory service for cloud applications by storing objects copied from the on-premises Active Directory, and it provides identity services.

  • Web tier subnet. This subnet holds VMs that run a web application. Azure AD can act as an identity broker for this application.

  • On-premises AD DS server. An on-premises directory and identity service. The AD DS directory can be synchronized with Azure AD to enable it to authenticate on-premises users.

  • Azure AD Connect sync server. An on-premises computer that runs the Azure AD Connect sync service. This service synchronizes information held in the on-premises Active Directory to Azure AD. For example, if you provision or deprovision groups and users on-premises, these changes propagate to Azure AD.

    Note

    For security reasons, Azure AD stores users' passwords as a hash. If a user requires a password reset, this must be performed on-premises and the new hash must be sent to Azure AD. Azure AD Premium editions include features that can automate this task to enable users to reset their own passwords.

  • VMs for N-tier application. The deployment includes infrastructure for an N-tier application. For more information about these resources, see Run VMs for an N-tier architecture.

Recommendations

The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.

Azure AD Connect sync service

The Azure AD Connect sync service ensures that identity information stored in the cloud is consistent with that held on-premises. You install this service using the Azure AD Connect software.

Before implementing Azure AD Connect sync, determine the synchronization requirements of your organization. For example, what to synchronize, from which domains, and how frequently. For more information, see Determine directory synchronization requirements.

You can run the Azure AD Connect sync service on a VM or a computer hosted on-premises. Depending on the volatility of the information in your Active Directory directory, the load on the Azure AD Connect sync service is unlikely to be high after the initial synchronization with Azure AD. Running the service on a VM makes it easier to scale the server if needed. Monitor the activity on the VM as described in the Monitoring considerations section to determine whether scaling is necessary.

If you have multiple on-premises domains in a forest, we recommend storing and synchronizing information for the entire forest to a single Azure AD tenant. Filter information for identities that occur in more than one domain, so that each identity appears only once in Azure AD, rather than being duplicated. Duplication can lead to inconsistencies when data is synchronized. For more information, see the Topology section below.

Use filtering so that only necessary data is stored in Azure AD. For example, your organization might not want to store information about inactive accounts in Azure AD. Filtering can be group-based, domain-based, organizational unit (OU)-based, or attribute-based. You can combine filters to generate more complex rules. For example, you could synchronize objects held in a domain that have a specific value in a selected attribute. For detailed information, see Azure AD Connect sync: Configure Filtering.

To implement high availability for the AD Connect sync service, run a secondary staging server. For more information, see the Topology recommendations section.

Security recommendations

User password management. The Azure AD Premium editions support password writeback, enabling your on-premises users to perform self-service password resets from within the Azure portal. This feature should be enabled only after reviewing your organization's password security policy. For example, you can restrict which users can change their passwords, and you can tailor the password management experience. For more information, see Customizing Password Management to fit your organization's needs.

Protect on-premises applications that can be accessed externally. Use the Azure AD Application Proxy to provide controlled access to on-premises web applications for external users through Azure AD. Only users that have valid credentials in your Azure directory have permission to use the application. For more information, see the article Enable Application Proxy in the Azure portal.

Actively monitor Azure AD for signs of suspicious activity. Consider using Azure AD Premium P2 edition, which includes Azure AD Identity Protection. Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and risk events that may indicate that an identity has been compromised. For example, it can detect potentially unusual activity such as irregular sign-in activities, sign-ins from unknown sources or from IP addresses with suspicious activity, or sign-ins from devices that may be infected. Using this data, Identity Protection generates reports and alerts that enable you to investigate these risk events and take appropriate action. For more information, see Azure Active Directory Identity Protection.

You can use the reporting feature of Azure AD in the Azure portal to monitor security-related activities occurring in your system. For more information about using these reports, see Azure Active Directory Reporting Guide.

Topology recommendations

Configure Azure AD Connect to implement a topology that most closely matches the requirements of your organization. Topologies that Azure AD Connect supports include:

  • Single forest, single Azure AD directory. In this topology, Azure AD Connect synchronizes objects and identity information from one or more domains in a single on-premises forest into a single Azure AD tenant. This is the default topology implemented by the express installation of Azure AD Connect.

    Note

    Don't use multiple Azure AD Connect sync servers to connect different domains in the same on-premises forest to the same Azure AD tenant, unless you are running a server in staging mode, described below.

  • Multiple forests, single Azure AD directory. In this topology, Azure AD Connect synchronizes objects and identity information from multiple forests into a single Azure AD tenant. Use this topology if your organization has more than one on-premises forest. You can consolidate identity information so that each unique user is represented once in the Azure AD directory, even if the same user exists in more than one forest. All forests use the same Azure AD Connect sync server. The Azure AD Connect sync server does not have to be part of any domain, but it must be reachable from all forests.

    Note

    In this topology, don't use separate Azure AD Connect sync servers to connect each on-premises forest to a single Azure AD tenant. This can result in duplicated identity information in Azure AD if users are present in more than one forest.

  • Multiple forests, separate topologies. This topology merges identity information from separate forests into a single Azure AD tenant, treating all forests as separate entities. This topology is useful if you are combining forests from different organizations and the identity information for each user is held in only one forest.

    Note

    If the global address lists (GAL) in each forest are synchronized, a user in one forest may be present in another as a contact. This can occur if your organization has implemented GALSync with Forefront Identity Manager 2010 or Microsoft Identity Manager 2016. In this scenario, you can specify that users should be identified by their Mail attribute. You can also match identities using the ObjectSID and msExchMasterAccountSID attributes. This is useful if you have one or more resource forests with disabled accounts.

  • Staging server. In this configuration, you run a second instance of the Azure AD Connect sync server in parallel with the first. This structure supports scenarios such as:

    • High availability.

    • Testing and deploying a new configuration of the Azure AD Connect sync server.

    • Introducing a new server and decommissioning an old configuration.

      In these scenarios, the second instance runs in staging mode. The server records imported objects and synchronization data in its database, but does not pass the data to Azure AD. If you disable staging mode, the server starts writing data to Azure AD, and also starts performing password write-backs into the on-premises directories where appropriate. For more information, see Azure AD Connect sync: Operational tasks and considerations.

  • Multiple Azure AD directories. It is recommended that you create a single Azure AD directory for an organization, but there may be situations where you need to partition information across separate Azure AD directories. In this case, avoid synchronization and password write-back issues by ensuring that each object from the on-premises forest appears in only one Azure AD directory. To implement this scenario, configure separate Azure AD Connect sync servers for each Azure AD directory, and use filtering so that each Azure AD Connect sync server operates on a mutually exclusive set of objects.

For more information about these topologies, see Topologies for Azure AD Connect.

User authentication

By default, the Azure AD Connect sync server configures password hash synchronization between the on-premises domain and Azure AD, and the Azure AD service assumes that users authenticate by providing the same password that they use on-premises. For many organizations, this is appropriate, but you should consider your organization's existing policies and infrastructure. For example:

  • The security policy of your organization may prohibit synchronizing password hashes to the cloud. In this case, your organization should consider pass-through authentication.
  • You might require that users experience seamless single sign-on (SSO) when accessing cloud resources from domain-joined machines on the corporate network.
  • Your organization might already have Active Directory Federation Services (AD FS) or a third-party federation provider deployed. You can configure Azure AD to use this infrastructure to implement authentication and SSO rather than by using password information held in the cloud.

For more information, see Azure AD Connect User Sign-on options.

Azure AD application proxy

Use Azure AD to provide access to on-premises applications.

Expose your on-premises web applications using application proxy connectors managed by the Azure AD application proxy component. The application proxy connector opens an outbound network connection to the Azure AD application proxy, and remote users' requests are routed back from Azure AD through this connection to the web apps. This removes the need to open inbound ports in the on-premises firewall and reduces the attack surface exposed by your organization.

For more information, see Publish applications using Azure AD Application proxy.

Object synchronization

The default configuration for Azure AD Connect synchronizes objects from your local Active Directory directory based on the rules specified in the article Azure AD Connect sync: Understanding the default configuration. Objects that satisfy these rules are synchronized while all other objects are ignored. Some example rules:

  • User objects must have a unique sourceAnchor attribute and the accountEnabled attribute must be populated.
  • User objects must have a sAMAccountName attribute and it cannot start with the text Azure AD_ or MSOL_.

Azure AD Connect applies several rules to User, Contact, Group, ForeignSecurityPrincipal, and Computer objects. Use the Synchronization Rules Editor installed with Azure AD Connect if you need to modify the default set of rules. For more information, see Azure AD Connect sync: Understanding the default configuration.

You can also define your own filters to limit the objects to be synchronized by domain or OU. Alternatively, you can implement more complex custom filtering such as that described in Azure AD Connect sync: Configure Filtering.
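The following PowerShell script is an added example and is not part of this article or of Azure AD Connect. It applies the example default rules listed above (unique sourceAnchor, populated accountEnabled, present sAMAccountName without the excluded prefixes) together with an attribute-based filter of the kind described in the filtering recommendation, and reports which objects would be skipped and why, so you can audit a directory before the first sync. The function name Test-SyncEligibility, the parameter names, the use of extensionAttribute15 as the filter attribute, and the sample users are all assumptions constructed for the example.

```powershell
# Added example (not from the article or from Azure AD Connect): pre-sync audit of
# user objects against the page's example default rules plus an optional
# attribute-based filter. Sample users below are constructed, not real data.

function Test-SyncEligibility {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        # Prefixes that the article lists as excluded for sAMAccountName
        [string[]] $ExcludedPrefixes = @('Azure AD_', 'MSOL_'),
        # Optional attribute-based filter (assumed parameter names): objects whose
        # attribute equals the value are treated as filtered out of synchronization
        [string] $FilterAttribute,
        [string] $FilterValue
    )

    # First pass: count each sourceAnchor value so duplicates can be flagged
    $anchorCounts = @{}
    foreach ($u in $Users) {
        if (-not [string]::IsNullOrEmpty($u.sourceAnchor)) {
            if ($anchorCounts.ContainsKey($u.sourceAnchor)) { $anchorCounts[$u.sourceAnchor]++ }
            else { $anchorCounts[$u.sourceAnchor] = 1 }
        }
    }

    # Second pass: evaluate every rule for every object and collect the reasons
    foreach ($u in $Users) {
        $reasons = New-Object System.Collections.Generic.List[string]

        if ([string]::IsNullOrEmpty($u.sourceAnchor)) {
            $reasons.Add('sourceAnchor missing')
        } elseif ($anchorCounts[$u.sourceAnchor] -gt 1) {
            $reasons.Add('sourceAnchor not unique')
        }

        if ($null -eq $u.accountEnabled) {
            $reasons.Add('accountEnabled not populated')
        }

        if ([string]::IsNullOrEmpty($u.sAMAccountName)) {
            $reasons.Add('sAMAccountName missing')
        } else {
            foreach ($p in $ExcludedPrefixes) {
                if ($u.sAMAccountName.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $reasons.Add("sAMAccountName starts with '$p'")
                }
            }
        }

        if ($FilterAttribute -and $u.PSObject.Properties[$FilterAttribute] -and
            $u.$FilterAttribute -eq $FilterValue) {
            $reasons.Add("filtered: $FilterAttribute = '$FilterValue'")
        }

        [pscustomobject]@{
            sAMAccountName = $u.sAMAccountName
            WouldSync      = ($reasons.Count -eq 0)
            Reasons        = ($reasons -join '; ')
        }
    }
}

# Constructed sample users covering each failure mode (not real directory data)
$sampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'alice';    sourceAnchor = 'anchor-0001'; accountEnabled = $true; extensionAttribute15 = $null },
    [pscustomobject]@{ sAMAccountName = 'bob';      sourceAnchor = 'anchor-0002'; accountEnabled = $true; extensionAttribute15 = 'NoSync' },
    [pscustomobject]@{ sAMAccountName = 'MSOL_svc'; sourceAnchor = 'anchor-0003'; accountEnabled = $true; extensionAttribute15 = $null },
    [pscustomobject]@{ sAMAccountName = 'carol';    sourceAnchor = 'anchor-0001'; accountEnabled = $true; extensionAttribute15 = $null },
    [pscustomobject]@{ sAMAccountName = 'dave';     sourceAnchor = 'anchor-0004'; accountEnabled = $null; extensionAttribute15 = $null }
)

Test-SyncEligibility -Users $sampleUsers -FilterAttribute 'extensionAttribute15' -FilterValue 'NoSync' |
    Format-Table -AutoSize

# To audit a real domain instead (ActiveDirectory module), shape Get-ADUser output
# the same way. Using ObjectGUID as the sourceAnchor is an assumption; use whatever
# attribute your Azure AD Connect installation was configured with.
#   Get-ADUser -Filter * -Properties extensionAttribute15 | ForEach-Object {
#       [pscustomobject]@{ sAMAccountName = $_.SamAccountName; sourceAnchor = $_.ObjectGUID.ToString()
#                          accountEnabled = $_.Enabled; extensionAttribute15 = $_.extensionAttribute15 } }
```

In the constructed sample, alice and carol share a sourceAnchor, so both are flagged as not unique; bob is excluded by the attribute filter; MSOL_svc is excluded by prefix; and dave has no accountEnabled value. Running such a check before enabling synchronization is cheaper than untangling duplicated or unexpectedly missing objects in Azure AD afterwards.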

Monitoring

Health monitoring is performed by the following agents installed on-premises:

  • Azure AD Connect installs an agent that captures information about synchronization operations. Use the Azure AD Connect Health blade in the Azure portal to monitor its health and performance. For more information, see Using Azure AD Connect Health for sync.
  • To monitor the health of the AD DS domains and directories from Azure, install the Azure AD Connect Health for AD DS agent on a machine within the on-premises domain. Use the Azure Active Directory Connect Health blade in the Azure portal for health monitoring. For more information, see Using Azure AD Connect Health with AD DS.
  • Install the Azure AD Connect Health for AD FS agent to monitor the health of services running on-premises, and use the Azure Active Directory Connect Health blade in the Azure portal to monitor AD FS. For more information, see Using Azure AD Connect Health with AD FS.

For more information on installing the AD Connect Health agents and their requirements, see Azure AD Connect Health Agent Installation.

Scalability considerations

The Azure AD service supports scalability based on replicas, with a single primary replica that handles write operations plus multiple read-only secondary replicas. Azure AD transparently redirects attempted writes made against secondary replicas to the primary replica and provides eventual consistency. All changes made to the primary replica are propagated to the secondary replicas. This architecture scales well because most operations against Azure AD are reads rather than writes. For more information, see Azure AD: Under the hood of our geo-redundant, highly available, distributed cloud directory.

For the Azure AD Connect sync server, determine how many objects you are likely to synchronize from your local directory. If you have fewer than 100,000 objects, you can use the default SQL Server Express LocalDB software provided with Azure AD Connect. If you have a larger number of objects, you should install a production version of SQL Server and perform a custom installation of Azure AD Connect, specifying that it should use an existing instance of SQL Server.

Availability considerations

The Azure AD service is geo-distributed and runs in multiple datacenters spread around the world with automated failover. If a datacenter becomes unavailable, Azure AD ensures that your directory data is available for instance access in at least two more regionally dispersed datacenters.

Note

The service level agreement (SLA) for the Microsoft 365 Apps AD tier and Premium services guarantees at least 99.9% availability. There is no SLA for the Free tier of Azure AD. For more information, see SLA for Azure Active Directory.

Consider provisioning a second instance of the Azure AD Connect sync server in staging mode to increase availability, as discussed in the Topology recommendations section.

If you are not using the SQL Server Express LocalDB instance that comes with Azure AD Connect, consider using SQL clustering to achieve high availability. Solutions such as mirroring and Always On are not supported by Azure AD Connect.

For additional considerations about achieving high availability of the Azure AD Connect sync server, and for how to recover after a failure, see Azure AD Connect sync: Operational tasks and considerations - Disaster Recovery.

Manageability considerations

There are two aspects to managing Azure AD:

  • Administering Azure AD in the cloud.
  • Maintaining the Azure AD Connect sync servers.

Azure AD provides the following options for managing domains and directories in the cloud:

  • Azure Active Directory PowerShell Module. Use this module if you need to script common Azure AD administrative tasks such as user management, domain management, and configuring single sign-on.
  • Azure AD management blade in the Azure portal. This blade provides an interactive management view of the directory, and enables you to control and configure most aspects of Azure AD.

Azure AD Connect installs the following tools to maintain Azure AD Connect sync services from your on-premises machines:

  • Microsoft Azure Active Directory Connect console. This tool enables you to modify the configuration of the Azure AD Sync server, customize how synchronization occurs, enable or disable staging mode, and switch the user sign-in mode. You can enable AD FS sign-in using your on-premises infrastructure.
  • Synchronization Service Manager. Use the Operations tab in this tool to manage the synchronization process and detect whether any parts of the process have failed. You can trigger synchronizations manually using this tool. The Connectors tab enables you to control the connections for the domains that the synchronization engine is attached to.
  • Synchronization Rules Editor. Use this tool to customize the way objects are transformed when they are copied between an on-premises directory and Azure AD. This tool enables you to specify additional attributes and objects for synchronization, then executes filters to determine which objects should or should not be synchronized. For more information, see the Synchronization Rule Editor section in the document Azure AD Connect sync: Understanding the default configuration.

For more information and tips for managing Azure AD Connect, see Azure AD Connect sync: Best practices for changing the default configuration.

Security considerations

Use conditional access control to deny authentication requests from unexpected sources:

  • Trigger Azure Multi-Factor Authentication (MFA) if a user attempts to connect from an untrusted location, such as across the Internet, instead of from a trusted network.

  • Use the device platform type of the user (iOS, Android, Windows Mobile, Windows) to determine access policy to applications and features.

  • Record the enabled/disabled state of users' devices, and incorporate this information into the access policy checks. For example, if a user's phone is lost or stolen, it should be recorded as disabled to prevent it from being used to gain access.

  • Control user access to resources based on group membership. Use Azure AD dynamic membership rules to simplify group administration. For a brief overview of how this works, see Introduction to Dynamic Memberships for Groups.

  • Use conditional access risk policies with Azure AD Identity Protection to provide advanced protection based on unusual sign-in activities or other events.

For more information, see Azure Active Directory conditional access.
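The first recommendation in the list above, MFA for sign-ins that do not originate from a trusted network, is shown below as a conditional access policy definition. This is an added example, not code from this article; it expresses the policy as the request body accepted by the Microsoft Graph PowerShell cmdlet New-MgIdentityConditionalAccessPolicy, which requires the Microsoft.Graph PowerShell SDK rather than the Azure Active Directory PowerShell Module the article mentions. The policy display name, the report-only starting state and the break-glass account placeholder are assumptions made for the example.

```powershell
# Added example (not from the article): a conditional access policy that requires
# MFA for every sign-in that does not come from a trusted named location. The
# policy starts in report-only mode so the sign-in logs show what it would have
# done before it is enforced. Needs the Microsoft.Graph PowerShell SDK and an
# account permitted to manage conditional access policies (assumption).

# Placeholder: object ID of an emergency-access account that must never be
# locked out by this policy. Replace before use.
$breakGlassAccountId = '<OBJECT-ID-OF-BREAK-GLASS-ACCOUNT>'

$policy = @{
    displayName = 'Require MFA outside trusted locations'
    # Report-only first; change to 'enabled' after reviewing the sign-in logs
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassAccountId)   # keep an emergency path out of scope
        }
        applications = @{
            includeApplications = @('All')
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')       # trusted named locations are exempt
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                   # grant access only after MFA
    }
}

# Review the JSON that will be sent before creating anything in the tenant
$policy | ConvertTo-Json -Depth 10

# Create the policy. Scopes listed are the ones Microsoft Graph documents for
# conditional access policy management.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two design points matter for a defender here: the policy is scoped to all users and all applications with trusted locations excluded, rather than enumerating untrusted networks, so a new office or VPN range is handled by updating named locations instead of the policy; and the break-glass exclusion plus the report-only state prevent a misconfigured policy from locking administrators out of the tenant while it is being validated.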

DevOps considerations

For DevOps considerations, see DevOps: Extending Active Directory Domain Services (AD DS) to Azure.

Cost considerations

Use the Azure pricing calculator to estimate costs. Other considerations are described in the Cost section in Microsoft Azure Well-Architected Framework.

Here are cost considerations for the services used in this architecture.

Azure AD Connect

For information about the editions offered by Azure Active Directory, see Azure AD pricing. The AD Connect sync feature is available in all editions.

VMs for N-tier application

The deployment includes infrastructure for an N-tier application. For cost information about these resources, see Run VMs for an N-tier architecture.

Deploy the solution

A deployment for a reference architecture that implements these recommendations and considerations is available on GitHub. This reference architecture deploys a simulated on-premises network in Azure that you can use to test and experiment. To deploy the solution, see the readme on GitHub.