AD Connect sync: update existing users instead of creating new ones

I'm currently setting up AD Connect to sync my users from AD to Azure AD and vice versa.

Maybe I don't understand the whole thing correctly. The way I see it, AD Connect synchronisation does the following (very basic explanation, I know it does a lot more, but essentially this):

  • If I add or change something on a user in my on-prem AD, it updates the corresponding Azure AD user
  • If I add or change something on an Azure AD user, it updates the corresponding on-prem AD user.

So basically it should connect the two ADs.

Anyway, I set up a test OU in the on-prem AD and currently only this OU is synced. In this OU there is a user that already exists in Azure AD (same UPN, same ProxyAddresses). The way I see it, what should happen is that they basically get "connected" and the Azure AD user's attributes get updated with the on-prem AD user's attributes.

However, the sync tool always throws the following error when trying to export the Azure AD user.

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:[email protected]]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: b2b7b30e-dc56-4e2a-ad3d-17c89226eb51 ExtraErrorDetails: [{"Key":"ObjectId","Value":["bcc86eef-4fcc-453c-a513-ac0ba12f834f"]},{"Key":"ObjectIdInConflict","Value":["f501c6e5-4e4f-4d19-bbcb-5925a71c7cac"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:[email protected]"]}]

According to the following link, when you set the same UPN and ProxyAddresses, it should soft-match the on-prem AD user to the Azure AD user and the two get connected.

As soon as I remove the ProxyAddress attribute from the on-prem AD user, the sync works; however, it creates a brand new Azure AD user, which I don't want.

How do I connect my on-prem AD and Azure AD user instead of creating a new Azure AD user?

Edit: SourceAnchor is userPrincipalName. Here is my exported AD Connect configuration:

{
  "policyMetadata": {
    "author": "DOMAIN\\ADMIN",
    "timeCreated": "2022-09-09 08:15:59Z",
    "azureADConnectVersion": "2.1.16.0",
    "policySchemaVersion": "1.0.0.0"
  },
  "deploymentMetadata": {
    "hostName": "server.fqdn",
    "serviceAccount": "NT SERVICE\\ADSync",
    "serviceAccountType": "VirtualServiceAccount",
    "databaseType": "SqlExpress"
  },
  "authenticationPolicy": [
    "PasswordHashSynchronization",
    "DesktopSingleSignOn"
  ],
  "selfServicePasswordReset": true,
  "identityMappingPolicy": {
    "azureSourceAnchorAttribute": "mS-DS-ConsistencyGuid",
    "userPrincipalNameAttribute": "userPrincipalName",
    "userMatchingPolicy": "AlwaysProvision"
  },
  "azureDirectoryPolicy": {
    "administrator": "[email protected]",
    "tenantId": "xxx",
    "exportDeletionLimit": "500",
    "standardSynchronizationRules": [
      {
        "Name": "In from AAD - User Join",
        "uniqueIdentifier": "5dac9e96-6e4b-4a54-a96e-b5cf2c91222a",
        "immutableTag": "Microsoft.InfromAADUserJoin.005",
        "precedence": 116
      },
      {
        "Name": "In from AAD - Contact Join",
        "uniqueIdentifier": "45b565c5-fed4-4078-8d06-735a166cfbd9",
        "immutableTag": "Microsoft.InfromAADContactJoin.004",
        "precedence": 117
      },
      {
        "Name": "In from AAD - Group Join",
        "uniqueIdentifier": "ef5e0557-4133-4ce6-8318-7f8fd5606506",
        "immutableTag": "Microsoft.InfromAADGroupJoin.004",
        "precedence": 118
      },
      {
        "Name": "In from AAD - User NGCKey",
        "uniqueIdentifier": "f2ab76f5-a87b-4151-8713-af7b86468f41",
        "immutableTag": "Microsoft.InfromAADUserNGCKey.001",
        "precedence": 119
      },
      {
        "Name": "Out to AAD - User Join",
        "uniqueIdentifier": "20bbc6da-1bf6-4ea3-be56-963faa6c8526",
        "immutableTag": "Microsoft.OuttoAADUserJoin.010",
        "precedence": 120
      },
      {
        "Name": "Out to AAD - User Identity",
        "uniqueIdentifier": "bafcffa3-2508-47af-9008-773ed175e07b",
        "immutableTag": "Microsoft.OuttoAADUserIdentity.006",
        "precedence": 121
      },
      {
        "Name": "Out to AAD - User ExchangeOnline",
        "uniqueIdentifier": "c8ffa191-c9c5-48d1-8fd6-28075b5e484b",
        "immutableTag": "Microsoft.OuttoAADUserExchangeOnline.008",
        "precedence": 122
      },
      {
        "Name": "Out to AAD - User DynamicsCRM",
        "uniqueIdentifier": "4389a50e-fc8f-4a72-bc7e-e1c400e1de23",
        "immutableTag": "Microsoft.OuttoAADUserDynamicsCRM.004",
        "precedence": 123
      },
      {
        "Name": "Out to AAD - User Intune",
        "uniqueIdentifier": "6e3b2ac7-6058-489b-aa43-bebb228274ca",
        "immutableTag": "Microsoft.OuttoAADUserIntune.004",
        "precedence": 124
      },
      {
        "Name": "Out to AAD - User LyncOnline",
        "uniqueIdentifier": "93a9d9da-cd33-4394-8a21-cc157c3b8ce0",
        "immutableTag": "Microsoft.OuttoAADUserLyncOnline.004",
        "precedence": 125
      },
      {
        "Name": "Out to AAD - User SharePointOnline",
        "uniqueIdentifier": "510b3932-3039-41cc-8749-a7ffa38b2f8b",
        "immutableTag": "Microsoft.OuttoAADUserSharePointOnline.004",
        "precedence": 126
      },
      {
        "Name": "Out to AAD - User AzureRMS",
        "uniqueIdentifier": "d9ae0f12-93e3-4359-a8ec-48552bf91d5c",
        "immutableTag": "Microsoft.OuttoAADUserAzureRMS.004",
        "precedence": 127
      },
      {
        "Name": "Out to AAD - Contact Join",
        "uniqueIdentifier": "8a110e5a-5888-426e-85e8-d90d3952d68e",
        "immutableTag": "Microsoft.OuttoAADContactJoin.003",
        "precedence": 128
      },
      {
        "Name": "Out to AAD - Contact Identity",
        "uniqueIdentifier": "8ba9bd1e-b2c4-4650-bb3b-7ab888450e15",
        "immutableTag": "Microsoft.OuttoAADContactIdentity.003",
        "precedence": 129
      },
      {
        "Name": "Out to AAD - Contact ExchangeOnline",
        "uniqueIdentifier": "08a877ce-1139-4277-95ff-eee6a23e416b",
        "immutableTag": "Microsoft.OuttoAADContactExchangeOnline.006",
        "precedence": 130
      },
      {
        "Name": "Out to AAD - Contact DynamicsCRM",
        "uniqueIdentifier": "ab487dfa-2ab3-4cdb-863a-1c956826a156",
        "immutableTag": "Microsoft.OuttoAADContactDynamicsCRM.004",
        "precedence": 131
      },
      {
        "Name": "Out to AAD - Contact Intune",
        "uniqueIdentifier": "7fab8e44-4675-452b-9894-5919681fe90f",
        "immutableTag": "Microsoft.OuttoAADContactIntune.003",
        "precedence": 132
      },
      {
        "Name": "Out to AAD - Contact LyncOnline",
        "uniqueIdentifier": "f3e668e1-622e-4a12-ba47-eb2b65e00902",
        "immutableTag": "Microsoft.OuttoAADContactLyncOnline.006",
        "precedence": 133
      },
      {
        "Name": "Out to AAD - Contact SharePointOnline",
        "uniqueIdentifier": "7f3a8ae9-e30a-4f6e-aec9-880e2d617b43",
        "immutableTag": "Microsoft.OuttoAADContactSharePointOnline.003",
        "precedence": 134
      },
      {
        "Name": "Out to AAD - Contact AzureRMS",
        "uniqueIdentifier": "b326bb9d-0450-433f-b209-b040db5b3946",
        "immutableTag": "Microsoft.OuttoAADContactAzureRMS.003",
        "precedence": 135
      },
      {
        "Name": "Out to AAD - Group Join",
        "uniqueIdentifier": "bdd76fad-6835-45ca-a264-0ae92e4969f9",
        "immutableTag": "Microsoft.OuttoAADGroupJoin.009",
        "precedence": 136
      },
      {
        "Name": "Out to AAD - Group Writeup Member Limit",
        "uniqueIdentifier": "e161bdb8-8427-4735-8cb5-ced71c2b08fc",
        "immutableTag": "Microsoft.OuttoAADGroupWriteupMemberLimit.003",
        "precedence": 137
      },
      {
        "Name": "Out to AAD - Group Identity",
        "uniqueIdentifier": "1fda3330-9c4f-4e72-9863-06a57b02f61b",
        "immutableTag": "Microsoft.OuttoAADGroupIdentity.005",
        "precedence": 138
      },
      {
        "Name": "Out to AAD - Group ExchangeOnline",
        "uniqueIdentifier": "c047f7a6-db47-47de-8f53-0630879b8c20",
        "immutableTag": "Microsoft.OuttoAADGroupExchangeOnline.006",
        "precedence": 139
      },
      {
        "Name": "Out to AAD - Group DynamicsCRM",
        "uniqueIdentifier": "4456c09e-6b0b-47d6-ab5b-9dd8649d7a5b",
        "immutableTag": "Microsoft.OuttoAADGroupDynamicsCRM.004",
        "precedence": 140
      },
      {
        "Name": "Out to AAD - Group Intune",
        "uniqueIdentifier": "3ee358a6-6cc3-4c13-8bf4-3a80b1cf34d0",
        "immutableTag": "Microsoft.OuttoAADGroupIntune.004",
        "precedence": 141
      },
      {
        "Name": "Out to AAD - Group LyncOnline",
        "uniqueIdentifier": "33a32e40-1111-4123-b60e-1513ce084d8b",
        "immutableTag": "Microsoft.OuttoAADGroupLyncOnline.004",
        "precedence": 142
      },
      {
        "Name": "Out to AAD - Group SharePointOnline",
        "uniqueIdentifier": "f3338173-678f-43c7-b8aa-afd1516d58db",
        "immutableTag": "Microsoft.OuttoAADGroupSharePointOnline.004",
        "precedence": 143
      },
      {
        "Name": "Out to AAD - Group AzureRMS",
        "uniqueIdentifier": "be8ef687-abd2-4d14-88b2-95f4065bca23",
        "immutableTag": "Microsoft.OuttoAADGroupAzureRMS.004",
        "precedence": 144
      },
      {
        "Name": "Out to AAD - User OfficeProPlus",
        "uniqueIdentifier": "4b993ef9-912d-409b-894d-c71936317d00",
        "immutableTag": "Microsoft.OuttoAADUserOfficeProPlus.004",
        "precedence": 145
      },
      {
        "Name": "In from AAD - Device Common",
        "uniqueIdentifier": "b1ba74be-1cdf-45bf-9b7f-8ec165657536",
        "immutableTag": "Microsoft.InfromAADDeviceCommon.004",
        "precedence": 147
      },
      {
        "Name": "Out to AAD - Device Join SOAInAD",
        "uniqueIdentifier": "7d6edc6f-3ded-4d36-8f7e-37285bce0ac3",
        "immutableTag": "Microsoft.OuttoAADJoinSOAInAD.008",
        "precedence": 149
      }
    ]
  },
  "onpremisesDirectoryPolicy": [
    {
      "friendlyName": "FQDN",
      "uniqueIdentifier": "bfae4a2c-cf49-4add-936f-eb1d294f5c9d",
      "fullyQualifiedDomainName": "FQDN",
      "onPremisesDirectoryAccount": "FQDN\\MSOL_fda726098513",
      "partitionFilters": [
        {
          "fullyQualifiedDomainName": "FQDN",
          "distinguishedName": "DC=prefix,DC=domain,DC=tld",
          "containerInclusions": [
            "OU=AzConTest,OU=OU2,OU=OU3,DC=prefix,DC=domain,DC=tld"
          ],
          "containerExclusions": [
            "CN=LostAndFound,DC=prefix,DC=domain,DC=tld",
            "DC=prefix,DC=domain,DC=tld"
          ]
        }
      ],
      "standardSynchronizationRules": [
        {
          "Name": "In from AD - User Join",
          "uniqueIdentifier": "e3428571-8759-4331-a79f-dad06f6b7781",
          "immutableTag": "Microsoft.InfromADUserJoin.006",
          "precedence": 100
        },
        {
          "Name": "In from AD - InetOrgPerson Join",
          "uniqueIdentifier": "5b884743-5011-46a4-b1c8-299f49ec1909",
          "immutableTag": "Microsoft.InfromADInetOrgPersonJoin.004",
          "precedence": 101
        },
        {
          "Name": "In from AD - User AccountEnabled",
          "uniqueIdentifier": "61edc9f9-394b-4285-966e-eae2bad1c5d1",
          "immutableTag": "Microsoft.InfromADUserAccountEnabled.008",
          "precedence": 102
        },
        {
          "Name": "In from AD - InetOrgPerson AccountEnabled",
          "uniqueIdentifier": "8dde5041-391d-415d-912a-1a492b87c0a3",
          "immutableTag": "Microsoft.InfromADInetOrgPersonAccountEnabled.006",
          "precedence": 103
        },
        {
          "Name": "In from AD - User Common from Exchange",
          "uniqueIdentifier": "1a0726e1-5be7-41c7-8d1a-f3703f939da7",
          "immutableTag": "Microsoft.InfromADUserCommonfromExchange.006",
          "precedence": 104
        },
        {
          "Name": "In from AD - InetOrgPerson Common from Exchange",
          "uniqueIdentifier": "ed60d659-8896-473b-8996-7bb27a882d3e",
          "immutableTag": "Microsoft.InfromADInetOrgPersonCommonfromExchange.006",
          "precedence": 105
        },
        {
          "Name": "In from AD - User Common",
          "uniqueIdentifier": "51aebaf8-574f-48e7-a3d1-e1dd1505ccee",
          "immutableTag": "Microsoft.InfromADUserCommon.009",
          "precedence": 106
        },
        {
          "Name": "In from AD - InetOrgPerson Common",
          "uniqueIdentifier": "95af2b43-5638-490b-b82b-bbb22448370b",
          "immutableTag": "Microsoft.InfromADInetOrgPersonCommon.008",
          "precedence": 107
        },
        {
          "Name": "In from AD - User Exchange",
          "uniqueIdentifier": "65586d4b-f50b-4c9f-b4df-9dcfdc3aa406",
          "immutableTag": "Microsoft.InfromADUserExchange.004",
          "precedence": 108
        },
        {
          "Name": "In from AD - InetOrgPerson Exchange",
          "uniqueIdentifier": "cc461f23-4203-4d2f-bcde-e1c859d8b22c",
          "immutableTag": "Microsoft.InfromADInetOrgPersonExchange.003",
          "precedence": 109
        },
        {
          "Name": "In from AD - Group Join",
          "uniqueIdentifier": "24ff4605-cacf-46a0-8e41-5cdcd5666cd9",
          "immutableTag": "Microsoft.InfromADGroupJoin.006",
          "precedence": 110
        },
        {
          "Name": "In from AD - Group Exchange",
          "uniqueIdentifier": "a26f6c6e-6747-46bd-bb63-aad745b66f26",
          "immutableTag": "Microsoft.InfromADGroupExchange.004",
          "precedence": 111
        },
        {
          "Name": "In from AD - Group Common",
          "uniqueIdentifier": "d0887028-0625-46f5-9f4f-790b2f4f9e57",
          "immutableTag": "Microsoft.InfromADGroupCommon.008",
          "precedence": 112
        },
        {
          "Name": "In from AD - Contact Join",
          "uniqueIdentifier": "a6ade885-fb70-4d02-8e57-faca781ad815",
          "immutableTag": "Microsoft.InfromADContactJoin.004",
          "precedence": 113
        },
        {
          "Name": "In from AD - Contact Common",
          "uniqueIdentifier": "21d5aa3e-cc7f-4981-bd4f-fafd71ab583c",
          "immutableTag": "Microsoft.InfromADContactCommon.006",
          "precedence": 114
        },
        {
          "Name": "In from AD - ForeignSecurityPrincipal Join User",
          "uniqueIdentifier": "58a761d3-9319-4dc8-a55c-820775e509a2",
          "immutableTag": "Microsoft.InfromADForeignSecurityPrincipalJoinUser.001",
          "precedence": 115
        },
        {
          "Name": "Out to AD - User Join SOAInAD",
          "uniqueIdentifier": "435cf548-3952-447b-b9d2-2b1372ee5f65",
          "immutableTag": "Microsoft.OuttoADUserJoinSOAInAD.004",
          "precedence": 146
        },
        {
          "Name": "In from AD - Computer Join",
          "uniqueIdentifier": "834193e7-7f81-4289-9c36-5bc99e990dc5",
          "immutableTag": "Microsoft.InfromADComputerJoin.006",
          "precedence": 148
        },
        {
          "Name": "In from AD - Device Common",
          "uniqueIdentifier": "43618d59-1136-4174-9c50-110d1159286c",
          "immutableTag": "Microsoft.InfromADDeviceCommon.002",
          "precedence": 150
        },
        {
          "Name": "Out to AD - User NGCKey",
          "uniqueIdentifier": "ae1ccd37-2976-4d3a-b922-836cb58c5987",
          "immutableTag": "Microsoft.OuttoADUserNGCKey.001",
          "precedence": 151
        },
        {
          "Name": "Out to AD - Device STKKey",
          "uniqueIdentifier": "08929880-7415-4c00-816c-c321a1659279",
          "immutableTag": "Microsoft.OuttoADDeviceSTKKey.001",
          "precedence": 152
        },
        {
          "Name": "Out to AD - User ImmutableId",
          "uniqueIdentifier": "034d8c62-fca9-4bb0-ba21-74b0c8e353b2",
          "immutableTag": "Microsoft.OuttoADUserImmutableId.003",
          "precedence": 153
        }
      ]
    }
  ]
}
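
The export error names two cloud object IDs and one SMTP address but says nothing about which on-prem object the sync engine thinks owns that address. The following PowerShell is an added example, not part of the question, that resolves all three sides of the conflict: the on-prem objects carrying the address (searched across the whole domain, not only the synced OU), the two cloud objects from ExtraErrorDetails, and the connector-space view on the AAD Connect server. It assumes the RSAT ActiveDirectory module, the Microsoft.Graph.Users and Microsoft.Graph.Groups modules with an existing Connect-MgGraph session (User.Read.All and Group.Read.All), and, for the last step, the ADSync module on the AAD Connect server. The address, GUIDs and connector name are placeholders shaped like the values in the error, not real data.

```powershell
# Added example, not from the original post. Placeholders below mirror the shape of the
# export error in the question; replace them with the values from your own error.
$Smtp               = 'SMTP:[email protected]'                  # AttributeConflictValues
$ObjectId           = 'bcc86eef-4fcc-453c-a513-ac0ba12f834f' # ObjectId (the object being exported)
$ObjectIdInConflict = 'f501c6e5-4e4f-4d19-bbcb-5925a71c7cac' # ObjectIdInConflict (already owns the value)
$AdConnectorName    = 'prefix.domain.tld'                    # assumption: run Get-ADSyncConnector to list names

# 1. Every on-prem object that carries the address in any attribute AAD Connect exports.
#    Search the whole domain: an object outside the synced OU still collides if it was ever exported.
$addr = $Smtp -replace '^(?i)smtp:', ''
$ldap = "(|(proxyAddresses=SMTP:$addr)(proxyAddresses=smtp:$addr)(mail=$addr)(userPrincipalName=$addr))"
$onPrem = Get-ADObject -LDAPFilter $ldap -Properties proxyAddresses, mail, userPrincipalName, 'mS-DS-ConsistencyGuid'
$onPrem | Select-Object DistinguishedName, ObjectClass, userPrincipalName,
    @{ n = 'ConsistencyGuidB64'; e = { if ($_.'mS-DS-ConsistencyGuid') { [Convert]::ToBase64String([byte[]]$_.'mS-DS-ConsistencyGuid') } } },
    @{ n = 'proxyAddresses';     e = { $_.proxyAddresses -join ';' } } |
    Format-List

# 2. The two cloud objects named in the error, with the fields soft and hard match depend on.
#    OnPremisesImmutableId set + OnPremisesSyncEnabled true means the object is already joined to
#    some on-prem object, so no soft match will ever be attempted for it.
$userProps = 'Id', 'UserPrincipalName', 'Mail', 'ProxyAddresses',
             'OnPremisesImmutableId', 'OnPremisesSyncEnabled', 'OnPremisesDistinguishedName'
foreach ($id in $ObjectId, $ObjectIdInConflict) {
    try {
        Get-MgUser -UserId $id -Property $userProps | Select-Object $userProps | Format-List
    }
    catch {
        # Not a user: mail-enabled groups collide on SMTP addresses as well.
        Write-Warning "$id is not a user object ($($_.Exception.Message)); trying as a group"
        Get-MgGroup -GroupId $id -Property Id, Mail, ProxyAddresses, OnPremisesSyncEnabled -ErrorAction SilentlyContinue |
            Select-Object Id, Mail, ProxyAddresses, OnPremisesSyncEnabled | Format-List
    }
}

# 3. On the AAD Connect server only: how the sync engine sees the on-prem object.
#    A connector-space object that already has a ConnectedMVObjectId is joined to a metaverse
#    object, which is why it is exported as an update instead of being soft-matched.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    foreach ($obj in $onPrem) {
        Get-ADSyncCSObject -ConnectorName $AdConnectorName -DistinguishedName $obj.DistinguishedName |
            Select-Object ConnectorName, DistinguishedName, ObjectType, IsConnector, ConnectedMVObjectId, HasExportError |
            Format-List
    }
}
```

Read the three outputs together: if step 1 returns more than one on-prem object, or step 2 shows ObjectIdInConflict already synced to a different OnPremisesDistinguishedName, the duplicate SMTP value has to be removed from one side before any matching can succeed. If step 3 shows the object already connected to a metaverse object, the sync engine has already decided who it is, and changing UPN or proxyAddresses on it will not trigger a soft match.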

Answer 1

Let's start with the basics:

If I add or change something on an Azure AD user, it updates the corresponding on-prem AD user.

This is completely wrong. Synchronization is one-way, from AD to AAD.
There are some exceptions (notably password writeback), but in the vast majority of cases you will find that you can't make changes to synced objects in AAD; you will just get an error message stating that the object is synced and thus can't be modified directly, and that you should make the change in AD and let ADConnect replicate it.


That said, soft matching should work; if you create a new user account in AD with the same UPN and primary email address as an existing AAD user, the sync process should match them and take over the AAD object, turning it into a synced object. But this can fail for a number of reasons.

Please add details about your ADConnect configuration; most importantly, the attribute used as the source anchor.

Also, make sure you create a new user account in AD when trying to match it with an existing AAD user; this includes:

  • Do not change the attributes of an existing AD user to match the AAD user
  • Do not move an existing user into the synced OU

Objects which already exist in AD when the sync starts get discovered and identified by ADConnect even if they aren't actually synced, and if you later try to sync them, ADConnect will not perform a soft match on them.
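
When soft matching is off the table, as the answer above describes, the deterministic alternative is a hard match: give the existing cloud user the ImmutableId that AAD Connect will compute from the on-prem source anchor, so the next export joins the two objects instead of provisioning a new one. The following PowerShell is an added example, not part of the answer. It assumes the source anchor is mS-DS-ConsistencyGuid (as in the exported configuration in the question), in which case AAD Connect uses the Base64 of that attribute when it is populated and of objectGUID otherwise (it writes objectGUID into mS-DS-ConsistencyGuid on first sync); with a different source anchor the derivation differs. It also assumes the RSAT ActiveDirectory module and a Microsoft.Graph.Users session opened with Connect-MgGraph -Scopes 'User.ReadWrite.All'. The function and account names are placeholders.

```powershell
# Added example, not from the answer above. Hard match of an existing cloud-only user to an
# on-prem user for a tenant whose source anchor is mS-DS-ConsistencyGuid (assumption).
function Get-SourceAnchorBase64 {
    # ImmutableId AAD Connect derives for an on-prem user: Base64 of mS-DS-ConsistencyGuid if it is
    # populated, otherwise Base64 of objectGUID (which AAD Connect copies into mS-DS-ConsistencyGuid
    # the first time the object is synced).
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $bytes = if ($u.'mS-DS-ConsistencyGuid') { [byte[]]$u.'mS-DS-ConsistencyGuid' } else { $u.ObjectGUID.ToByteArray() }
    [Convert]::ToBase64String($bytes)
}

function Set-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # on-prem user inside the synced OU
        [Parameter(Mandatory)][string]$CloudUpn          # existing cloud-only user to take over
    )

    $immutableId = Get-SourceAnchorBase64 -SamAccountName $SamAccountName
    $cloud = Get-MgUser -UserId $CloudUpn -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

    # Guard rails. An already-synced user cannot have its anchor changed from the cloud side, and a
    # different existing anchor means this cloud user already belongs to some other on-prem object.
    if ($cloud.OnPremisesSyncEnabled) {
        throw "$CloudUpn is already a synced object; resolve the join on the AD side instead."
    }
    if ($cloud.OnPremisesImmutableId -and $cloud.OnPremisesImmutableId -ne $immutableId) {
        throw "$CloudUpn already has ImmutableId '$($cloud.OnPremisesImmutableId)'; refusing to overwrite."
    }

    # No other cloud object may hold the anchor we are about to assign, or export fails on it instead.
    # Client-side filter: fine for a test tenant, use a server-side -Filter in a large one.
    $dup = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesImmutableId |
        Where-Object { $_.OnPremisesImmutableId -eq $immutableId -and $_.Id -ne $cloud.Id }
    if ($dup) {
        throw "ImmutableId '$immutableId' is already used by $($dup.UserPrincipalName -join ', ')"
    }

    Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $immutableId
    [pscustomobject]@{ CloudUser = $cloud.UserPrincipalName; ImmutableId = $immutableId }
}

# Usage (placeholders). Stamp the anchor, then run a delta sync on the AAD Connect server.
# Set-HardMatch -SamAccountName 'jdoe' -CloudUpn '[email protected]'
# Start-ADSyncSyncCycle -PolicyType Delta
```

Two caveats apply before running the delta sync. The duplicate proxyAddresses value from the export error still has to be removed from whichever object is not the intended match, because a hard match does not override the uniqueness check on SMTP addresses. And if the cloud user's UPN is on a federated domain, the directory refuses to change its ImmutableId until the UPN is temporarily moved to the tenant's onmicrosoft.com domain.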
