我正在尝试开始部署并学习如何在 Azure 中使用 AD DS,这样我就可以看看是否可以摆脱对运行域服务的专用 VM 的要求。我在第一步就遇到了困难,因为我试图设置客户的域,该域的长度超过 15 个字符。我之前已经在本地设置了大量域控制器,对于长度超过 15 个字符的可路由域,没有任何问题。
这是 Azure 中 AD DS 的某种特殊性吗?我希望使用一个域名,与公司域名相同,以便与网站、电子邮件等保持一致...我真的不想使用与之不同的域名。
有什么想法吗?谢谢!
答案1
实际上,您可以使用 powershell 来解决这个问题。我能够按照此页面上的说明绕过 15 个字符的限制:
如果页面消失,则脚本如下:
# Change the following values to match your deployment.
$AaddsAdminUserUpn = "[email protected]"
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "contoso100.com"
$ResourceGroupName = "ContosoAaddsRg"
$VnetName = "DomainServicesVNet_WUS"
$AzureLocation = "westus"
# Connect to your Azure AD directory.
Connect-AzureAD
# Login to your Azure subscription.
Connect-AzAccount
# Create the service principal for Azure AD Domain Services.
New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
# Create the delegated administration group for AAD Domain Services.
New-AzureADGroup -DisplayName "AAD DC Administrators" `
-Description "Delegated group to administer Azure AD Domain Services" `
-SecurityEnabled $true -MailEnabled $false `
-MailNickName "AADDCAdministrators"
# First, retrieve the object ID of the newly created 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
-Filter "DisplayName eq 'AAD DC Administrators'" | `
Select-Object ObjectId
# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
-Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
Select-Object ObjectId
# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId
# Register the resource provider for Azure AD Domain Services with Resource Manager.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD
# Create the resource group.
New-AzResourceGroup `
-Name $ResourceGroupName `
-Location $AzureLocation
# Create the dedicated subnet for AAD Domain Services.
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
-Name DomainServices `
-AddressPrefix 10.0.0.0/24
$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
-Name Workloads `
-AddressPrefix 10.0.1.0/24
# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet=New-AzVirtualNetwork `
-ResourceGroupName $ResourceGroupName `
-Location $AzureLocation `
-Name $VnetName `
-AddressPrefix 10.0.0.0/16 `
-Subnet $AaddsSubnet,$WorkloadSubnet
# Enable Azure AD Domain Services for the directory.
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
-Location $AzureLocation `
-Properties @{"DomainName"=$ManagedDomainName; `
"SubnetId"="/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"} `
-ApiVersion 2017-06-01 -Force -Verbose
答案2
Azure AD DS 中的域名前缀限制为 15 个字符:https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started。
域前缀限制:您指定的域名的前缀(例如,contoso100在里面contoso100.com托管域的前缀长度不得超过 15 个字符,不能创建前缀长度超过 15 个字符的托管域。
潜在的技术原因可能与 NetBIOS 名称限制有关;每个 AD 域也都有一个 NetBIOS 名称,该名称通常与域前缀(完整域名中第一个“。”的部分)相同;这可以在“真实”AD 中进行自定义,从而允许您使用不同的、较短的 NetBIOS 名称创建具有较长前缀的域;看起来这个限制是在 Azure AD DS 中强制执行的。