简体繁体 English

Azure上的Active Directory域控制器-反向设置

[英]Active Directory Domain Controller on Azure - Reverse setup

原文 2013-04-15 15:54:01 1 1 azure

I'm looking to setup AD for our company. 我正在为我们公司设置广告。 We have developed a cloud based app that needs robust permissions abilities, which AD easily can handle. 我们开发了一个基于云的应用程序，该应用程序需要强大的权限功能，AD可以轻松处理这些功能。 The app is bases out of Heroku which runs on AWS. 该应用程序基于在AWS上运行的Heroku。 I really need AD to manage logins and organizational hierarchy. 我真的需要AD来管理登录名和组织层次结构。

I'd like to use a cloud based service to act as the primary Domain controller and in the future, setup on-premise servers to provide local authentication to manage file/print and computer services. 我想使用基于云的服务充当主要的域控制器，并且将来会设置本地服务器以提供本地身份验证来管理文件/打印和计算机服务。 This is a secondary need to the authentication needs for our app. 这是我们应用程序的身份验证需求的第二需求。

Does anyone know if this architecture is possible? 有谁知道这种架构是否可行？ That is, a AD's DC in Azure with replicated services to other on-premise servers, at a later time? 就是说，Azure中的AD的DC在以后有向其他本地服务器复制服务的功能？ This seems to be the reverse of most setups in Azure. 这似乎与Azure中大多数安装程序相反。 I'm ok with using other cloud services than Azure. 我可以使用Azure以外的其他云服务。 It just seems they have the most documentation for cloud AD setups. 似乎他们拥有有关云AD设置的最多文档。

Any thoughts or help would be greatly appreciated. 任何想法或帮助将不胜感激。

Thanks, AT 谢谢，AT

1 个解决方案

Although I wouldn't go for Cloud to be my primary DC, here are some guidelines which might help you: 尽管我不希望Cloud成为我的主要DC，但以下一些准则可能会为您提供帮助：

In order to fully validate your scenario, how do you think to join the Heroku computers to your domain controller? 为了完全验证您的方案，您如何将Heroku计算机加入域控制器？ Because joining the server where your application runs will make the total sense of what you are trying to achieve. 因为加入应用程序运行所在的服务器将完全了解您要实现的目标。

If you just want to provide LDAP access from your application to the primary DC, and your app is not part of the Domain, then it makes no sense to install AD in Azure. 如果您只想提供从应用程序到主DC的LDAP访问，而您的应用程序不是域的一部分，那么在Azure中安装AD是没有意义的 。

If you plan to just query the AD for organizational structure, I highly suggest that you take a look at the Windows Azure Active Directory and its Graph API . 如果您打算仅查询AD的组织结构，我强烈建议您看一下Windows Azure Active Directory及其Graph API 。 this is what you need, in the case you will not join any computers to the domain, because Windows Azure Active Directory is not a Domain Controller. 这是您所需要的，因为您不会将任何计算机加入域，因为Windows Azure Active Directory 不是域控制器。

UPDATE 更新

Please update your question with better description of simply to allow our Heroku based app to pull in the directory structure and login information to allow our users to authenticate to it. 请使用更好的描述来更新您的问题， simply to allow our Heroku based app to pull in the directory structure and login information to allow our users to authenticate to it. - I am afraid I can't really understand the application architecture and user login flow here. -恐怕我无法真正理解此处的应用程序体系结构和用户登录流程。