Applies To: Windows Server 2016, Windows Server 2012 R2

Device Registration Technical Reference

The Device Registration Service (DRS) is a new Windows service that is included with the Active Directory Federation Service role on Windows Server 2012 R2. DRS must be installed and configured on all of the federation servers in your AD FS farm. For information on deploying DRS, see Configure a federation server with Device Registration Service.

Active Directory objects created when a device is registered

The following Active Directory objects are created as part of the Device Registration Service.

Device Registration Configuration

The Device Registration Configuration is stored in the Configuration naming context of the Active Directory forest (for example, CN=Device Registration Configuration,CN=Services,<configuration-naming-context>). This object is created when the Active Directory forest is initialized for Device Registration.

The Device Registration Configuration includes the following elements:

  • Issuer keys

    The public and private keys used to issue the X.509 certificate that is associated with a registered device. The private keys are DKM protected.

  • Device Registration Service Configuration

    Policies relating to the Device Registration Service.

Registered devices container

The device object container is created under one of the domains in the Active Directory forest. This object container will contain all of the device objects for the Active Directory forest.

By default, the container is created in the same domain as AD FS (for example, CN=RegisteredDevices,DC=<default-naming-context>). This object is created when the Active Directory forest is initialized for Device Registration.

Registered devices

Device objects are new, lightweight objects in Active Directory. They are used to represent the relationship between a user, a device, and the company. Device objects use a certificate signed by AD FS to anchor the physical device to the logical device object in Active Directory.

Registered devices include the following elements:

  • Display Name

    Friendly name of the device. For Windows devices, this is the host name of the computer.

  • Device Id

    A GUID that is generated by the Device Registration server.

  • Certificate Thumbprint

    The certificate thumbprint of the X.509 certificate that is used with the registered device.

  • OS Type

    The operating system type on the device.

  • OS Version

    The version of the operating system on the device.

  • Is Enabled

    A Boolean that indicates whether the device is enabled in Active Directory. Only enabled devices are allowed access to services.

  • Approximate Last Use Time

    The approximate time the device was used to access a resource. To limit replication traffic, this is only updated once every 14 days.

  • Registered Owner

    The Security Identity (SID) of the user that joined this device to the workplace.
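The device objects and attributes listed above are what an administrator audits when looking for disabled or abandoned registrations. The following PowerShell is an added example and is not from this page or from Microsoft; it assumes the RSAT ActiveDirectory module, that the container sits in the default naming context as described above, and that the objects use the msDS-Device class with the msDS-* attribute names shown (verify these against your forest schema).

```powershell
Import-Module ActiveDirectory

function Get-RegisteredDeviceReport {
    param(
        # Devices whose approximate last use is older than this are reported as stale.
        # The page notes the timestamp is refreshed at most once per 14 days, so keep this well above 14.
        [int]$StaleDays = 90
    )
    # Assumed: the container is in the default naming context, as the page says it is by default.
    $root      = (Get-ADRootDSE).defaultNamingContext
    $container = "CN=RegisteredDevices,$root"
    # Assumed schema names for the device object (not stated on the page); verify in your forest.
    $props = 'displayName','msDS-DeviceID','msDS-DeviceOSType','msDS-DeviceOSVersion',
             'msDS-IsEnabled','msDS-ApproximateLastLogonTimeStamp','msDS-RegisteredOwner'
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=msDS-Device)' -Properties $props |
    ForEach-Object {
        # Normalise the last-use value: accept either a DateTime or a FILETIME-style integer.
        $raw = $_.'msDS-ApproximateLastLogonTimeStamp'
        $lastUse = $null
        if ($raw -is [DateTime]) { $lastUse = $raw.ToUniversalTime() }
        elseif ($raw)            { $lastUse = [DateTime]::FromFileTimeUtc([int64]$raw) }

        # Resolve the Registered Owner SID to an account name; keep the raw value if that fails.
        $owner = $_.'msDS-RegisteredOwner'
        try {
            $sid   = New-Object System.Security.Principal.SecurityIdentifier ($owner.ToString())
            $owner = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        [PSCustomObject]@{
            Name     = $_.displayName
            DeviceId = $_.'msDS-DeviceID'
            OS       = "$($_.'msDS-DeviceOSType') $($_.'msDS-DeviceOSVersion')"
            Enabled  = [bool]$_.'msDS-IsEnabled'
            LastUse  = $lastUse
            Stale    = ($null -eq $lastUse) -or ($lastUse -lt $cutoff)
            Owner    = $owner
        }
    }
}

# Disabled or stale registrations are the ones to review: they still carry an AD FS-issued
# certificate but no longer correspond to an active, trusted device.
Get-RegisteredDeviceReport -StaleDays 90 |
    Where-Object { -not $_.Enabled -or $_.Stale } |
    Sort-Object LastUse | Format-Table Name, DeviceId, Enabled, LastUse, Owner -AutoSize
```

Run it with an account that can read the RegisteredDevices container; a device that never recorded a last-use time is reported as stale as well.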

AD FS/DRS Server SSL certificate revocation checking

The Workplace Join client checks the validity of the AD FS Server SSL certificate. If the AD FS Server SSL certificate includes a Certificate Revocation List (CRL) endpoint, the client must be able to reach the endpoint specified to validate the certificate.

If you are using a test environment and a test certificate authority (CA) to issue your server SSL certificates, you can choose not to include the CRL endpoint in the server certificates issued by your CA. Doing so will allow the Workplace Join client to bypass the CRL check.

Warning

This is never recommended for production systems.