Domain-wide schema updates

Applies To: Windows Server

You can review the following set of changes to help understand and prepare for the schema updates that are performed by adprep /domainprep in Windows Server.

Beginning in Windows Server 2012, Adprep commands run automatically as needed during AD DS installation. They can also be run separately in advance of AD DS installation. For more information, see Running Adprep.exe.

For more information about how to interpret the access control entry (ACE) strings, see ACE strings. For more information about how to interpret the security ID (SID) strings, see SID strings.

Windows Server (Semi-Annual Channel): Domain-wide updates

After the operations that are performed by domainprep in Windows Server 2016 (operation 89) complete, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 16.

Operation number and GUID / Description / Permissions

Operation 89: {A0C238BA-9E30-4EE6-80A6-43F731E9A5CD}
  Description: Delete the ACE granting Full Control to Enterprise Key Admins and add an ACE granting Enterprise Key Admins Full Control over just the msdsKeyCredentialLink attribute.
  Permissions:
    Delete (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Enterprise Key Admins)
    Add (OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;Enterprise Key Admins)

Windows Server 2016: Domain-wide updates

After the operations that are performed by domainprep in Windows Server 2016 (operations 82-88) complete, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 15.

Operation number and GUID / Description / Attributes / Permissions

Operation 82: {83C53DA7-427E-47A4-A07A-A324598B88F7}
  Description: Create CN=Keys container at root of domain.
  Attributes:
    - objectClass: container
    - description: Default container for key credential objects
    - ShowInAdvancedViewOnly: TRUE
  Permissions:
    (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)
    (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
    (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
    (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DD)
    (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;ED)

Operation 83: {C81FC9CC-0130-4FD1-B272-634D74818133}
  Description: Add Full Control allow ACEs to the CN=Keys container for "domain\Key Admins" and "rootdomain\Enterprise Key Admins".
  Attributes: N/A
  Permissions:
    (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Key Admins)
    (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Enterprise Key Admins)

Operation 84: {E5F9E791-D96D-4FC9-93C9-D53E1DC439BA}
  Description: Modify the otherWellKnownObjects attribute to point to the CN=Keys container.
  Attributes:
    - otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,%ws
  Permissions: N/A

Operation 85: {e6d5fd00-385d-4e65-b02d-9da3493ed850}
  Description: Modify the domain NC to permit "domain\Key Admins" and "rootdomain\Enterprise Key Admins" to modify the msds-KeyCredentialLink attribute.
  Attributes: N/A
  Permissions:
    (OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;Key Admins)
    (OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;Enterprise Key Admins) in the root domain; in non-root domains this resulted in a bogus domain-relative ACE with a non-resolvable -527 SID.

Operation 86: {3a6b3fbf-3168-4312-a10d-dd5b3393952d}
  Description: Grant the DS-Validated-Write-Computer CAR to Creator Owner and Self.
  Attributes: N/A
  Permissions:
    (OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)
    (OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)

Operation 87: {7F950403-0AB3-47F9-9730-5D7B0269F9BD}
  Description: Delete the ACE granting Full Control to the incorrect domain-relative Enterprise Key Admins group, and add an ACE granting Full Control to the Enterprise Key Admins group.
  Attributes: N/A
  Permissions:
    Delete (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Enterprise Key Admins)
    Add (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Enterprise Key Admins)

Operation 88: {434bb40d-dbc9-4fe7-81d4-d57229f7b080}
  Description: Add "msDS-ExpirePasswordsOnSmartCardOnlyAccounts" on the domain NC object and set the default value to FALSE.
  Attributes: N/A
  Permissions: N/A

The Enterprise Key Admins and Key Admins groups are only created after a Windows Server 2016 Domain Controller is promoted and takes over the PDC Emulator FSMO role.
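As an added example (not part of the original page), the following PowerShell check reads the state that operations 82 through 89 above are expected to leave in a domain: the domainprep revision, the CN=Keys container and its well-known-object pointer, the msDS-KeyCredentialLink ACEs, the unresolvable -527 ACE described under operation 85, and whether the blanket Full Control ACE that operation 89 removes is still present on the domain NC. It assumes the ActiveDirectory module on a domain-joined host with read access to the domain partition; the function and variable names are this example's own.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-KeyAdminsDomainPrep {
    $domainDN = (Get-ADDomain).DistinguishedName
    $kclGuid  = [guid]'5b47d60f-6090-40b2-9f37-2a4de88f3063'   # msDS-KeyCredentialLink (ops 85/87/89)
    $all      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll  # == RPWPCRLCLOCCDCRCWDWOSDDTSW

    # Each domain carries its own CN=ActiveDirectoryUpdate object; the value maps to the
    # revision numbers in the sections above (9 = 2012, 10 = 2012 R2, 15 = 2016, 16 = SAC).
    $rev = (Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDN" `
                         -Properties revision).revision

    # Operations 82 and 84: the CN=Keys container and its otherWellKnownObjects pointer.
    $keysExists = [bool](Get-ADObject -LDAPFilter '(&(objectClass=container)(cn=Keys))' `
                                      -SearchBase $domainDN -SearchScope OneLevel)
    $wko = (Get-ADObject -Identity $domainDN -Properties otherWellKnownObjects).otherWellKnownObjects
    $keysWko = [bool]($wko | Where-Object { $_ -like 'B:32:683A24E2E8164BD3AF86AC3C2CF3F981:*' })

    $acl = (Get-Acl -Path "AD:\$domainDN").Access

    # Operations 85 and 87: RPWP ACEs scoped to msDS-KeyCredentialLink. A grantee that still
    # shows as a raw S-1-5-21-...-527 SID is the bogus domain-relative Enterprise Key Admins
    # ACE from operation 85 that operation 87 is meant to replace.
    $kclAces  = @($acl | Where-Object { $_.ObjectType -eq $kclGuid -and $_.AccessControlType -eq 'Allow' })
    $bogus527 = @($kclAces | Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-\d+-\d+-\d+-527$' })

    # Operation 89: the blanket Full Control ACE for Enterprise Key Admins on the domain NC
    # is removed at revision 16; only the attribute-scoped RPWP ACE should remain.
    $fullControl = @($acl | Where-Object {
        $_.IdentityReference.Value -like '*\Enterprise Key Admins' -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $all) -eq $all
    })

    [pscustomobject]@{
        Domain                         = $domainDN
        DomainPrepRevision             = $rev
        KeysContainer                  = $keysExists
        KeysWellKnownObject            = $keysWko
        KeyCredentialLinkGrantees      = @($kclAces | ForEach-Object { $_.IdentityReference.Value })
        Bogus527Aces                   = $bogus527.Count        # expect 0 after operation 87
        EnterpriseKeyAdminsFullControl = $fullControl.Count     # expect 0 at revision 16
    }
}

Test-KeyAdminsDomainPrep | Format-List
```

Run it once per domain in the forest; a non-root domain at revision 15 that still reports a non-zero Bogus527Aces count has the operation 85 artifact the page describes.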

Windows Server 2012 R2: Domain-wide updates

Although no operations are performed by domainprep in Windows Server 2012 R2, after the command completes, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 10.

Windows Server 2012: Domain-wide updates

After the operations that are performed by domainprep in Windows Server 2012 (operations 78, 79, 80, and 81) complete, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 9.

Operation number and GUID / Description / Attributes / Permissions

Operation 78: {c3c927a6-cc1d-47c0-966b-be8f9b63d991}
  Description: Create a new object CN=TPM Devices in the Domain partition.
  Attributes:
    - Object class: msTPM-InformationObjectsContainer
  Permissions: N/A

Operation 79: {54afcfb9-637a-4251-9f47-4d50e7021211}
  Description: Create an access control entry for the TPM service.
  Attributes: N/A
  Permissions:
    (OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)

Operation 80: {f4728883-84dd-483c-9897-274f2ebcf11e}
  Description: Grant the "Clone DC" extended right to the Cloneable Domain Controllers group.
  Attributes: N/A
  Permissions:
    (OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;domain SID-522)

Operation 81: {ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff}
  Description: Grant ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity to Principal Self on all objects.
  Attributes: N/A
  Permissions:
    (OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)