AD FS migration steps for the migration from Microsoft Cloud Deutschland

This configuration change needs to be applied any time before phase 2 starts. Once phase 2 is completed the configuration change takes effect and you are able to sign in via Office 365 Global endpoints such as https://portal.office.com. If you implement the configuration change before phase 2, the Office 365 Global endpoints will not yet work, but the new relying party trust is already part of your Active Directory Federation Services (AD FS) configuration.

Customers who use federated authentication with Active Directory Federation Services (AD FS) shouldn't make changes to the issuer URIs that are used for all authentications with on-premises Active Directory Domain Services (AD DS) during migration. Changing issuer URIs will lead to authentication failures for users in the domain. Issuer URIs can be changed directly in AD FS or when a domain is converted from managed to federated and vice versa. We recommend that you do not add, remove, or convert a federated domain in the Azure AD tenant that is being migrated. Issuer URIs can be changed after the migration is fully complete.

To prepare your AD FS farm for the migration from Microsoft Cloud Deutschland, perform the following steps:

  1. Back up your AD FS settings, including the existing Microsoft Cloud Deutschland relying party trust, with these steps. Name the backup MicrosoftCloudDeutschlandOnly to indicate that it only contains the Microsoft Cloud Deutschland tenant information.

    Note

    The backup will not only contain the existing Office 365 relying party trust for Microsoft Cloud Deutschland, but also all other relying party trusts present on the respective AD FS farm.

  2. Test the restore using the MicrosoftCloudDeutschlandOnly backup. The AD FS farm should continue to operate as Microsoft Cloud Deutschland only.

Once you have completed and tested the AD FS backup, perform the following steps to add a new relying party trust to your AD FS configuration:

  1. Open the AD FS management console.

  2. In the left pane of the AD FS management console, navigate to the Relying Party Trusts node.

  3. In the right pane, select Add Relying Party Trust...

  4. Select Start on the Welcome page of the Add Relying Party Trust wizard.

  5. On the Select Data Source page, select Import data about the relying party published online or on a local network. The Federation metadata address (host name or URL) value must be set to https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml. Click Next.

  6. On the Specify Display Name page, type a display name such as Microsoft Office 365 Identity Platform WorldWide. Click Next.

  7. If you are using AD FS on Windows Server 2012, on the wizard page Configure Multi-factor Authentication Now?, select the appropriate choice according to your authentication requirements. If you want to keep the default, select I do not want to configure multi-factor authentication settings for this relying party trust at this time. You can change this setting later if needed.

  8. For AD FS 2012: On the Choose Issuance Authorization Rules page, keep Permit all users to access this relying party selected and click Next.

  9. For AD FS 2016 and AD FS 2019: On the Choose Access Control Policy page, select the appropriate access control policy and click Next. If no policy is chosen, the relying party trust will NOT work.

  10. Click Next on the Ready to Add Trust page to complete the wizard.

  11. Click Close on the Finish page.
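The same relying party trust can be created with the AD FS PowerShell module instead of the wizard. The following is an added example and is not code from the original page; it assumes AD FS 2016 or later (on AD FS 2012 there is no -AccessControlPolicyName parameter and issuance authorization rules are used instead, as in step 8), that the built-in "Permit everyone" policy is acceptable for your environment, and that the display name from step 6 is not already in use on the farm.

```powershell
# Added example, not from the original page. Creates the Office 365 Global relying
# party trust from the published federation metadata and then checks the two
# conditions the wizard steps above depend on. Assumes AD FS 2016 or later.
Import-Module ADFS

$MetadataUrl = 'https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml'
$DisplayName = 'Microsoft Office 365 Identity Platform WorldWide'
$PolicyName  = 'Permit everyone'   # assumption: adjust to your access control requirements

function Add-WorldwideRelyingPartyTrust {
    param(
        [string]$Name = $DisplayName,
        [string]$Url = $MetadataUrl,
        [string]$AccessControlPolicyName = $PolicyName
    )
    if (Get-AdfsRelyingPartyTrust -Name $Name) {
        throw "A relying party trust named '$Name' already exists; choose a different display name."
    }
    if (-not (Get-AdfsAccessControlPolicy -Name $AccessControlPolicyName)) {
        throw "Access control policy '$AccessControlPolicyName' does not exist on this farm."
    }

    # Step 5: identifier, endpoints and token-signing certificate are taken from the
    # metadata. Monitoring and auto-update keep the trust in sync when Microsoft
    # rolls the signing certificate.
    Add-AdfsRelyingPartyTrust -Name $Name -MetadataUrl $Url `
        -AccessControlPolicyName $AccessControlPolicyName `
        -MonitoringEnabled $true -AutoUpdateEnabled $true

    $rp = Get-AdfsRelyingPartyTrust -Name $Name

    # Step 9 caveat: a trust without an access control policy does not work.
    if ([string]::IsNullOrEmpty($rp.AccessControlPolicyName)) {
        throw "No access control policy is assigned to '$Name'."
    }
    # Same state the wizard leaves behind: no issuance transform rules yet, so no
    # user can sign in through this trust until they are added.
    if (-not [string]::IsNullOrWhiteSpace($rp.IssuanceTransformRules)) {
        Write-Warning "'$Name' already has issuance transform rules; review them before continuing."
    }
    $rp | Select-Object Name, Identifier, AccessControlPolicyName, MonitoringEnabled
}

Add-WorldwideRelyingPartyTrust
```

Run it once on the primary AD FS server; if the identifier imported from the metadata collides with a trust already on the farm, Add-AdfsRelyingPartyTrust fails and nothing is changed, which is the behaviour you want during a migration.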

By closing the wizard, the relying party trust with the Office 365 Global service is established. However, no issuance transform rules are configured yet.

You can use AD FS Help to generate the correct issuance transform rules. The claim rules generated with AD FS Help can either be added manually through the AD FS management console or with PowerShell. AD FS Help will generate the necessary PowerShell scripts that need to be executed.

Note

AD FS Help generates the standard issuance transform rules that ship with the product. However, if custom issuance transform rules are in place in the Microsoft Cloud Deutschland relying party trust (for example, custom issuer URIs, non-standard immutable IDs, or any other customizations), the rules generated by AD FS Help must be modified so that they match the custom logic currently in place for the Microsoft Cloud Deutschland relying party trust. If these customizations are not integrated into the rules generated via AD FS Help, authentication to Microsoft Office 365 Identity Platform WorldWide will most likely not work for your federated identities.

  1. Run Generate Claims on AD FS Help and copy the PowerShell script using the Copy option in the upper right corner of the script.

  2. Follow the steps outlined at AD FS Help on how to run the PowerShell script in your AD FS farm to configure the global relying party trust. Before you run the script, replace the following lines in the generated script as shown below, so that the rules are read from and written to the Office 365 Global trust explicitly by its identifier:

    # AD FS Help generated value
    $claims = Get-AdfsRelyingPartyTrust -Identifier $(Get-RpIdentifier) | Select-Object IssuanceTransformRules;
    # replace with
    $claims = Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline | Select-Object IssuanceTransformRules;
    
    # AD FS Help generated value
    Set-AdfsRelyingPartyTrust -TargetIdentifier $(Get-RpIdentifier) -IssuanceTransformRules $RuleSet.ClaimRulesString;
    # replace with
    Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $RuleSet.ClaimRulesString;
    
  3. Verify that two relying party trusts are present: one for Microsoft Cloud Deutschland and one for the Office 365 Global service. The following command can be used for the check. It should return two rows with the respective names and identifiers.

    Get-AdfsRelyingPartyTrust | Where-Object {$_.Identifier -like 'urn:federation:MicrosoftOnline*'} | Select-Object Name, Identifier
    
  4. Back up your full migration configuration, including both relying party trusts, using these steps. Save it with the name MicrosoftCloudDeutschlandAndWorldwide.

  5. While your tenant is in migration, regularly verify that AD FS authentication works with both Microsoft Cloud Deutschland and the Microsoft Global cloud during the various supported migration steps.
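To make the caveat in the note above concrete, the following is an added check that is not part of the original page or of AD FS Help. It compares the issuance transform rules currently on the Microsoft Cloud Deutschland trust with the rule set AD FS Help generated, flags customizations (rules only on the existing trust, a custom issuerid claim, non-standard LDAP queries behind the ImmutableID) that would be lost, and then runs the two-trust verification from step 3. It assumes the generated rule set was saved to a text file and that the Microsoft Cloud Deutschland trust is selected by its display name; both values are placeholders you must adjust to your farm.

```powershell
# Added example, not from the original page or from AD FS Help.
# Surfaces customizations on the Microsoft Cloud Deutschland trust that the
# generated rules would drop, then confirms both trusts exist (step 3).
Import-Module ADFS

$GermanyTrustName   = 'Microsoft Office 365 Identity Platform'   # placeholder: display name of your MCD trust
$GeneratedRulesFile = '.\adfshelp-generated-rules.txt'           # placeholder: rules copied from AD FS Help

$IssuerIdClaim    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid'
$ImmutableIdClaim = 'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'

function Get-ClaimRuleNames {
    param([string]$RuleSet)
    # Every rule in a rule set carries an @RuleName annotation; use it as the comparison key.
    [regex]::Matches($RuleSet, '@RuleName\s*=\s*"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
}

function Get-LdapQueries {
    param([string]$RuleSet)
    # LDAP-backed rules carry a query = "attr1,attr2;..." clause; non-standard
    # immutable IDs show up here as a different attribute than objectGUID.
    [regex]::Matches($RuleSet, 'query\s*=\s*"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
}

function Compare-IssuanceRules {
    param([string]$Existing, [string]$Generated)
    $existingNames  = @(Get-ClaimRuleNames $Existing)
    $generatedNames = @(Get-ClaimRuleNames $Generated)
    [pscustomobject]@{
        OnlyOnGermanyTrust   = @($existingNames  | Where-Object { $_ -notin $generatedNames })
        OnlyInGenerated      = @($generatedNames | Where-Object { $_ -notin $existingNames })
        # Custom issuer URIs are issued through the issuerid claim.
        IssuesIssuerId       = $Existing.Contains($IssuerIdClaim)
        ExistingLdapQueries  = @(Get-LdapQueries $Existing)
        GeneratedLdapQueries = @(Get-LdapQueries $Generated)
    }
}

$germany = Get-AdfsRelyingPartyTrust -Name $GermanyTrustName
if (-not $germany) { throw "Relying party trust '$GermanyTrustName' not found." }

# Keep a plain-text copy of the current rules next to the MicrosoftCloudDeutschlandOnly backup.
$germany.IssuanceTransformRules | Out-File -FilePath '.\mcd-issuance-rules.txt'

$generated = Get-Content -Path $GeneratedRulesFile -Raw
if (-not $generated) { throw "No rules found in '$GeneratedRulesFile'." }

$diff = Compare-IssuanceRules -Existing $germany.IssuanceTransformRules -Generated $generated

if ($diff.OnlyOnGermanyTrust.Count -gt 0) {
    Write-Warning "Rules only on the Microsoft Cloud Deutschland trust, carry them over: $($diff.OnlyOnGermanyTrust -join ', ')"
}
if ($diff.IssuesIssuerId -and -not $generated.Contains($IssuerIdClaim)) {
    Write-Warning 'The current trust issues a custom issuerid claim that the generated rules do not; add it.'
}
if (-not $generated.Contains($ImmutableIdClaim)) {
    Write-Warning 'Generated rules do not issue ImmutableID; sign-in to Office 365 will fail without it.'
}
$diff

# Step 3: exactly two Microsoft Online trusts must be present.
$trusts = @(Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -like 'urn:federation:MicrosoftOnline*' })
if ($trusts.Count -ne 2) { throw "Expected two relying party trusts, found $($trusts.Count)." }
$trusts | Select-Object Name, Identifier, @{ n = 'RuleCount'; e = { @(Get-ClaimRuleNames $_.IssuanceTransformRules).Count } }
```

The comparison is by rule name and LDAP query only; a rule that keeps its name but has a modified body still has to be diffed by hand, which is why the script also writes the current rule set to a file.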

AD FS Disaster Recovery (WID Database)

To restore the AD FS farm after a disaster, the AD FS Rapid Restore Tool must be used. Therefore, the tool must be downloaded, and a backup must be created and safely stored before the migration starts. In this example, the following commands were run to back up a farm running on a WID database:

Back up an AD FS Farm

  1. Install the AD FS Rapid Restore Tool on the primary AD FS server.

  2. Import the module in a PowerShell session with this command:

    Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"
    
  3. Run the backup command:

    Backup-ADFS -StorageType "FileSystem" -storagePath "<Storage path of backup>" -EncryptionPassword "<password>" -BackupComment "Restore Doku" -BackupDKM
    
  4. Store the backup safely at the desired destination.

Restore an AD FS Farm

If your farm failed completely and there is no way to return to the old farm, do the following:

  1. Move the previously generated and stored backup to the new primary AD FS server.

  2. Run the following Restore-ADFS PowerShell command. If necessary, import the AD FS SSL certificate beforehand.

    Restore-ADFS -StorageType "FileSystem" -StoragePath "<Path to Backup>" -DecryptionPassword "<password>" -GroupServiceAccountIdentifier "<gMSA>" -DBConnectionString "WID" -RestoreDKM
    
  3. Point your DNS records or load balancer to the new AD FS servers.
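The backup and restore procedures above rely on a backup that was taken at a known point in the migration and is intact when it reaches the new primary server. The following added example, not code from the original page, wraps Backup-ADFS so each of the two backups this page asks for (MicrosoftCloudDeutschlandOnly and MicrosoftCloudDeutschlandAndWorldwide) lands in its own folder with a SHA-256 manifest, and checks that manifest before Restore-ADFS is run. It assumes the Rapid Restore Tool is installed at its default path on the primary server; the backup root and password are placeholders.

```powershell
# Added example, not from the original page. Wraps Backup-ADFS with a per-phase
# folder and a SHA-256 manifest, and verifies the manifest before a restore.
# Assumes the Rapid Restore Tool is installed at its default path.
Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"

function Backup-AdfsMigrationPhase {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MicrosoftCloudDeutschlandOnly', 'MicrosoftCloudDeutschlandAndWorldwide')]
        [string]$Phase,
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$EncryptionPassword
    )
    $target  = Join-Path $BackupRoot $Phase
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    $started = Get-Date

    # Same call as step 3 of the backup procedure; the comment records the phase.
    Backup-ADFS -StorageType "FileSystem" -StoragePath $target -EncryptionPassword $EncryptionPassword `
        -BackupComment $Phase -BackupDKM

    # Hash everything the tool just wrote. The manifest lives outside the backup
    # folder so Restore-ADFS only sees the tool's own files.
    $manifestPath = Join-Path $BackupRoot "$Phase.sha256.csv"
    Get-ChildItem -Path $target -Recurse -File |
        Where-Object { $_.LastWriteTime -ge $started } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'RelativePath'; e = { $_.Path.Substring($target.Length).TrimStart('\') } }, Hash |
        Export-Csv -Path $manifestPath -NoTypeInformation
    return $manifestPath
}

function Test-AdfsBackupManifest {
    param(
        [Parameter(Mandatory)][string]$BackupFolder,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $problems = foreach ($entry in Import-Csv -Path $ManifestPath) {
        $file = Join-Path $BackupFolder $entry.RelativePath
        if (-not (Test-Path $file)) { "$($entry.RelativePath): missing"; continue }
        $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($actual -ne $entry.Hash) { "$($entry.RelativePath): hash mismatch" }
    }
    if ($problems) { throw "Backup integrity check failed:`n$($problems -join "`n")" }
    return $true
}

# On the primary server, before the migration starts (placeholder paths and password):
# $manifest = Backup-AdfsMigrationPhase -Phase MicrosoftCloudDeutschlandOnly -BackupRoot 'D:\ADFSBackups' -EncryptionPassword '<password>'
# On the new primary server, after moving both the folder and the manifest, before Restore-ADFS:
# Test-AdfsBackupManifest -BackupFolder 'D:\ADFSBackups\MicrosoftCloudDeutschlandOnly' -ManifestPath 'D:\ADFSBackups\MicrosoftCloudDeutschlandOnly.sha256.csv'
```

The manifest protects against a truncated or altered copy, not against a wrong password: Restore-ADFS still needs the same -DecryptionPassword that was used for -EncryptionPassword, so store that secret separately from the backup itself.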
