SharePoint Migration Identity Mapping: Active Directory Identity Scan

Overview

The Active Directory scan looks up, in the customer's Active Directory, every Windows identity that was found in the source SharePoint environment.

If there are no Windows identities, this scan performs no work.

There are two distinct steps to this assessment scan:

  • Discover the Active Directory forests that are available.

  • Look up the identities in Active Directory.

Discover the Active Directory Forests

We find the forest the SharePoint server is joined to. We then enumerate its trusts to locate all the trusted forests. Once the trusted forests are found, we enumerate all the domains in each of those forests.

This process may prompt for credentials if the currently logged-on user does not have the ability to read the requested forest. Connections are retried 3 times, so if you enter invalid credentials you will see multiple attempts. The tool caches the credentials entered for the duration of the current execution.
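The discovery step above (find the joined forest, enumerate its forest trusts, list the domains of each trusted forest, prompt only when a forest cannot be read, cache what was entered, and retry 3 times) can be reproduced with the .NET System.DirectoryServices.ActiveDirectory classes. The script below is an added example written for this article, not the migration tool's own code; it assumes it runs on a machine joined to the same forest as the SharePoint server, that the operator can answer Get-Credential prompts interactively, and the function and variable names are ours.

```powershell
using namespace System.DirectoryServices.ActiveDirectory

# Added example (not the migration tool's own code). Assumptions: this machine is joined to the
# SharePoint server's forest, System.DirectoryServices is available, and Get-Credential can prompt.

$script:CredentialCache = @{}   # credentials entered during this execution, keyed by forest name
$script:MaxAttempts     = 3     # the article states that connections are retried 3 times

function Get-ForestWithRetry {
    param([Parameter(Mandatory)][string]$ForestName)

    $lastError = $null
    for ($attempt = 1; $attempt -le $script:MaxAttempts; $attempt++) {
        # Try the logged-on user's own context first, then every credential cached so far.
        # Reusing cached credentials is what lets one prompt cover several user forests that trust each other.
        $candidates = @($null) + @($script:CredentialCache.Values)
        foreach ($cred in $candidates) {
            try {
                if ($null -eq $cred) {
                    $context = [DirectoryContext]::new([DirectoryContextType]::Forest, $ForestName)
                } else {
                    $context = [DirectoryContext]::new([DirectoryContextType]::Forest, $ForestName,
                        $cred.UserName, $cred.GetNetworkCredential().Password)
                }
                $forest = [Forest]::GetForest($context)
                $null = $forest.Domains.Count   # force the read so an access failure surfaces here, not later
                return $forest
            } catch {
                $lastError = $_.Exception.Message
            }
        }
        Write-Warning "Attempt $attempt of $($script:MaxAttempts) to read forest '$ForestName' failed: $lastError"
        if ($attempt -lt $script:MaxAttempts) {
            $newCred = Get-Credential -Message "Credentials to read forest '$ForestName'"
            if ($null -eq $newCred) { break }   # operator cancelled the prompt
            $script:CredentialCache[$ForestName.ToLowerInvariant()] = $newCred
        }
    }
    return $null
}

function Find-TrustedForests {
    $root   = [Forest]::GetCurrentForest()   # the forest this (and the SharePoint) machine is joined to
    $result = [System.Collections.Generic.List[object]]::new()
    $result.Add([pscustomobject]@{
        Forest    = $root.Name
        Direction = 'Joined'
        Readable  = $true
        Domains   = @($root.Domains | ForEach-Object { $_.Name })
    })
    # Forest-level trusts of the root forest; each target is a candidate user forest.
    foreach ($trust in $root.GetAllTrustRelationships()) {
        $forest  = Get-ForestWithRetry -ForestName $trust.TargetName
        $domains = if ($null -ne $forest) { @($forest.Domains | ForEach-Object { $_.Name }) } else { @() }
        $result.Add([pscustomobject]@{
            Forest    = $trust.TargetName
            Direction = $trust.TrustDirection   # Inbound, Outbound or Bidirectional, as seen from the root forest
            Readable  = ($null -ne $forest)
            Domains   = $domains
        })
    }
    return $result
}

Find-TrustedForests |
    Format-Table Forest, Direction, Readable, @{ n = 'Domains'; e = { $_.Domains -join ', ' } } -AutoSize
```

A forest that stays unreadable after the third attempt is reported with `Readable = $false` and an empty domain list rather than aborting the run, so the operator can see exactly which trusts the scan could not follow. The credential cache is process-scoped (`$script:`) and never written to disk, which matches the "current execution" lifetime the article describes.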

Look up identities in Active Directory

After the forests have been discovered, we use the cached credentials to look up users and groups in Active Directory by their Security Identifier (SID). This information is not strictly required for identity mapping. However, if you have identities flagged as NoMatch or PartialMatch, it is useful for tracking down additional information about the identity. For example, a user may show as Active in SharePoint but as Disabled in Active Directory; seeing that user reported as NoMatch is expected, because a disabled user is unlikely to be synced to Azure Active Directory.
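The SID lookup described above, including the "Disabled in AD, so NoMatch is expected" check, can be done by binding to each object by SID through the LDAP provider. This is an added example for this article, not the migration tool's code: the SIDs and domain name are constructed placeholders to be replaced with the values collected from the source farm, `$DomainCredentials` stands in for whatever credentials were cached during forest discovery, and the function name is ours.

```powershell
using namespace System.DirectoryServices

# Added example (not the migration tool's own code). The sample SIDs and domain are constructed;
# $DomainCredentials is assumed to hold the PSCredential cached per domain during forest discovery.

$ACCOUNTDISABLE = 0x2   # userAccountControl bit that marks a disabled account

function Resolve-SharePointIdentity {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Domain,   # DNS name of the domain that owns the SID
        [pscredential]$Credential                # omit to bind with the logged-on user's context
    )
    # Binding by SID does not depend on the account's current name, which may have changed since migration data was collected.
    $path  = "LDAP://$Domain/<SID=$Sid>"
    $entry = if ($Credential) {
        [DirectoryEntry]::new($path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        [DirectoryEntry]::new($path)
    }
    try {
        $entry.RefreshCache()   # performs the bind; throws if the SID is unknown or access is denied
        $class   = $entry.SchemaClassName                               # 'user', 'group', 'computer', ...
        $uac     = [int]$entry.Properties['userAccountControl'].Value   # $null (groups) becomes 0
        $enabled = if ($class -eq 'user') { -not [bool]($uac -band $ACCOUNTDISABLE) } else { $null }
        $note    = if ($enabled -eq $false) { 'Disabled in AD: a NoMatch result in the mapping report is expected' } else { '' }
        [pscustomobject]@{
            Sid            = $Sid
            Found          = $true
            SamAccountName = [string]$entry.Properties['sAMAccountName'].Value
            ObjectClass    = $class
            Enabled        = $enabled
            Note           = $note
        }
    } catch {
        [pscustomobject]@{
            Sid = $Sid; Found = $false; SamAccountName = $null; ObjectClass = $null; Enabled = $null
            Note = "Lookup failed: $($_.Exception.Message)"
        }
    } finally {
        $entry.Dispose()
    }
}

# Constructed sample input: SIDs as they would have been collected from the source SharePoint farm.
$sourceIdentities = @(
    @{ Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'; Domain = 'users.example.com' }
    @{ Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1106'; Domain = 'users.example.com' }
)
# Credentials cached per domain during forest discovery (assumed shape: domain DNS name -> PSCredential).
$DomainCredentials = @{}

foreach ($id in $sourceIdentities) {
    $lookup = @{ Sid = $id.Sid; Domain = $id.Domain }
    if ($DomainCredentials.ContainsKey($id.Domain)) { $lookup.Credential = $DomainCredentials[$id.Domain] }
    Resolve-SharePointIdentity @lookup
} | Format-Table -AutoSize
```

`Enabled` is only meaningful for user objects; for groups it is left as `$null` so a group is never mis-reported as disabled. A failed bind is returned as a row with `Found = $false` and the error text rather than thrown, so one unresolvable SID does not stop the rest of the list from being checked.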

Scenarios

Two-way trust between the forest SharePoint is joined to and the user forests. Users log into the SharePoint machine using a domain account. In this scenario the operator is unlikely to be prompted, because their domain credentials should be able to read the associated domains.

One-way trust between the forest SharePoint is joined to and the user forests, where all the user forests trust each other. In this scenario, the user logs into SharePoint as an account in the SharePoint forest. When querying for forests, we prompt for credentials to read the first user forest, cache those credentials, and use them for the remaining forests. The operator sees one logon prompt.

One-way trust between the forest SharePoint is joined to and the user forests, where the user forests do not trust each other. In this scenario, the user logs into SharePoint as an account in the SharePoint forest. When querying for forests, we prompt for each forest. If there are 20 user forests that don't trust each other, expect to see 20 logon prompts.