AD DS Simplified Administration

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains the capabilities and benefits of Windows Server 2012 domain controller deployment and administration, and the differences between domain controller deployment on previous operating systems and the new Windows Server 2012 implementation.

Windows Server 2012 introduced the next generation of Active Directory Domain Services Simplified Administration, the most radical domain re-envisioning since Windows 2000 Server. AD DS Simplified Administration takes the lessons learned from twelve years of Active Directory and makes a more supportable, more flexible, more intuitive administrative experience for architects and administrators. This meant creating new versions of existing technologies as well as extending the capabilities of components released in Windows Server 2008 R2.

AD DS Simplified Administration is a reimagining of domain deployment.

  • AD DS role deployment is now part of the new Server Manager architecture and allows remote installation
  • The AD DS deployment and configuration engine is now Windows PowerShell, even when using the new AD DS Configuration Wizard
  • Schema extension, forest preparation, and domain preparation are automatically part of domain controller promotion and no longer require separate tasks on special servers such as the Schema Master
  • Promotion now includes prerequisite checking that validates forest and domain readiness for the new domain controller, lowering the chance of failed promotions
  • The Active Directory module for Windows PowerShell now includes cmdlets for replication topology management, Dynamic Access Control, and other operations
  • The Windows Server 2012 forest functional level does not implement new features, and the domain functional level is required only for a subset of new Kerberos features, relieving administrators of the frequent need for a homogeneous domain controller environment
  • Full support added for virtualized domain controllers, including automated deployment and rollback protection

In addition, there are many administrative and maintenance improvements:

  • The Active Directory Administrative Center includes a graphical Active Directory Recycle Bin, Fine-Grained Password Policy management, and a Windows PowerShell history viewer
  • The new Server Manager has AD DS-specific interfaces into performance monitoring, best practice analysis, critical services, and the event logs
  • Group Managed Service Accounts support multiple computers using the same security principal
  • Improvements in Relative Identifier (RID) issuance and monitoring for better manageability in mature Active Directory domains

AD DS also benefits from other new features included in Windows Server 2012, such as:

  • NIC teaming and Datacenter Bridging
  • DNS Security and faster AD-integrated zone availability after boot
  • Hyper-V reliability and scalability improvements
  • BitLocker Network Unlock
  • Additional Windows PowerShell component administration modules

ADPREP Integration

Active Directory forest schema extension and domain preparation now integrate into the domain controller configuration process. If you promote a new domain controller into an existing forest, the process detects the upgrade status and the schema extension and domain preparation phases occur automatically. The user installing the first Windows Server 2012 domain controller must still be an Enterprise Admin and Schema Admin, or provide valid alternate credentials.

Adprep.exe remains on the DVD for separate forest and domain preparation. The version of the tool included with Windows Server 2012 is backwards compatible with Windows Server 2008 x64 and Windows Server 2008 R2. Adprep.exe also supports remote forestprep and domainprep, just like the ADDSDeployment-based domain controller configuration tools.
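As an added example (not code from the original page), this runs forestprep remotely against the schema master from a Windows Server 2012 member server and then verifies that the schema was actually extended. The media path D:\, the forest name corp.example.com and the account adprepadmin are assumptions; objectVersion 56 is the level that matches the Sch56.ldf the page lists as the highest schema LDF on the 2012 media.

```powershell
# Added example, not from the original page. Assumes the Windows Server 2012
# media is mounted at D:\ and the forest is corp.example.com. adprep locates
# the schema master itself and connects to it remotely; the caller must be an
# Enterprise Admin and Schema Admin (or the supplied credentials must be).
# forestprep prompts for confirmation before it modifies the schema.
& 'D:\support\adprep\adprep.exe' /forestprep /forest corp.example.com `
    /user adprepadmin /userdomain corp /password *

# After forestprep, confirm the extension by reading objectVersion on the
# Schema naming context. Sch56.ldf is the highest LDF on the 2012 media, so 56
# is the expected value once the change has replicated to the queried DC.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$version  = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
if ($version -lt 56) {
    Write-Warning "Schema objectVersion is $version; forestprep has not completed or has not replicated here yet."
} else {
    "Schema objectVersion $version (Windows Server 2012 level or newer)"
}

# domainprep and rodcprep follow the same pattern and also run remotely:
# adprep /domainprep /domain corp.example.com /user adprepadmin /userdomain corp /password *
# adprep /rodcprep   /forest corp.example.com /user adprepadmin /userdomain corp /password *
```

Running the check from a DC other than the schema master is deliberate: a value of 56 there proves both that the import finished and that the change replicated, which is what a later promotion's VerifyADPrepPrerequisites test will look for.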

For information about Adprep and forest preparation on previous operating systems, see Running Adprep (Windows Server 2008 R2).

Server Manager AD DS Integration


Server Manager acts as a hub for server management tasks. Its dashboard-style appearance periodically refreshes views of installed roles and remote server groups. Server Manager provides centralized management of local and remote servers, without the need for console access.

Active Directory Domain Services is one of those hub roles; by running Server Manager on a domain controller, or the Remote Server Administration Tools on Windows 8, you see important recent issues on domain controllers in your forest.

These views include:

  • Server availability
  • Performance Monitor alerts for high CPU and memory usage
  • The status of Windows services specific to AD DS
  • Recent Directory Services-related warning and error entries in the event log
  • Best Practices Analyzer results for a domain controller against a set of Microsoft-recommended rules

Active Directory Administrative Center Recycle Bin


Windows Server 2008 R2 introduced the Active Directory Recycle Bin, which recovers deleted Active Directory objects without restoring from backup, restarting the AD DS service, or rebooting domain controllers.

Windows Server 2012 enhances the existing Windows PowerShell-based restore capabilities with a new graphical interface in the Active Directory Administrative Center. This allows administrators to enable the Recycle Bin and locate or restore deleted objects in the domain contexts of the forest, all without directly running Windows PowerShell cmdlets. The Active Directory Administrative Center and the Active Directory Recycle Bin still use Windows PowerShell under the covers, so previous scripts and procedures remain valid.
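The same workflow the Administrative Center drives, done directly with the Active Directory module as an added example (not code from the original page): enable the feature, confirm it is on, find a deleted object and restore it. The deleted user name jdoe is an assumption.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module and Enterprise Admin rights; enabling the Recycle Bin is irreversible
# and needs a forest functional level of Windows Server 2008 R2 or higher.
Import-Module ActiveDirectory

# Enable the optional feature once per forest.
$forest = Get-ADForest
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Confirm it is actually enabled before relying on it: without the feature,
# a deleted object is a tombstone whose attributes are mostly stripped.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) { throw 'Recycle Bin is not enabled in this forest' }

# Locate deleted objects. While in the Recycle Bin they keep lastKnownParent
# and their full attribute set; the RDN becomes "<name>\0ADEL:<guid>",
# hence the wildcard. "jdoe" is an assumed account name.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like "jdoe*" } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

foreach ($obj in $deleted) {
    '{0}  deleted {1}  was in {2}' -f $obj.Name, $obj.whenChanged, $obj.lastKnownParent
}

# Restore into the original container. If that OU was deleted too, restore
# the parent first or pass -TargetPath to put the object somewhere else.
$deleted | Restore-ADObject
```

The lastKnownParent check matters in practice: Restore-ADObject fails when the parent no longer exists, so restore containers top-down, which is exactly what the Administrative Center's tree view makes visible.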

For information about the Active Directory Recycle Bin, see the Active Directory Recycle Bin Step-by-Step Guide (Windows Server 2008 R2).

Active Directory Administrative Center Fine-Grained Password Policy


Windows Server 2008 introduced Fine-Grained Password Policy, which allows administrators to configure multiple password and account lockout policies per domain. This gives domains a flexible way to enforce more or less restrictive password rules based on users and groups. It had no management interface and required administrators to configure it using Ldp.exe or Adsiedit.msc. Windows Server 2008 R2 introduced the Active Directory module for Windows PowerShell, which gave administrators a command-line interface to FGPP.

Windows Server 2012 brings a graphical interface to Fine-Grained Password Policy. The Active Directory Administrative Center is the home of this new dialog, which brings simplified FGPP management to all administrators.
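What the new dialog produces underneath is a Password Settings Object; here is the equivalent built with the Active Directory module, as an added example that is not code from the original page. The policy name, the group Tier0-Admins, the user jdoe and every numeric value are assumptions chosen to illustrate a stricter-than-default policy.

```powershell
# Added example, not from the original page. Assumes a group "Tier0-Admins"
# and a user "jdoe" exist; the policy values are illustrative.
Import-Module ActiveDirectory

# Create a PSO stricter than the Default Domain Policy. When several PSOs
# apply to one user, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# The resultant policy is what the DC will actually enforce for a user after
# precedence is resolved; $null means the Default Domain Policy governs.
$eff = Get-ADUserResultantPasswordPolicy -Identity jdoe
if ($eff) { '{0}: min length {1}, precedence {2}' -f $eff.Name, $eff.MinPasswordLength, $eff.Precedence }
else      { 'jdoe is governed by the Default Domain Policy' }

# Audit view: every PSO in the domain and the principals it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Precedence = $_.Precedence
        AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_).Name -join ','
    }
}
```

Always finish with Get-ADUserResultantPasswordPolicy for a representative account: nesting and competing precedences make the applied policy easy to get wrong, and the resultant policy is the only authoritative answer.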

For information about Fine-Grained Password Policy, see the AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide (Windows Server 2008 R2).

Active Directory Administrative Center Windows PowerShell History Viewer


Windows Server 2008 R2 introduced the Active Directory Administrative Center, which superseded the older Active Directory Users and Computers snap-in created in Windows 2000. The Active Directory Administrative Center provides a graphical administrative interface on top of the then-new Active Directory module for Windows PowerShell.

While the Active Directory module contains over a hundred cmdlets, the learning curve for an administrator can be steep. Since Windows PowerShell is central to the Windows administration strategy, the Active Directory Administrative Center now includes a viewer that shows the cmdlets it executes on your behalf in the graphical interface. You can search, copy, clear the history, and add notes through a simple interface. The intent is for an administrator to use the graphical interface to create and modify objects, and then review the results in the history viewer to learn more about Windows PowerShell scripting and adapt the examples.

AD Replication Windows PowerShell


Windows Server 2012 adds Active Directory replication cmdlets to the Active Directory Windows PowerShell module. These allow configuration of new or existing sites, subnets, connections, site links, and site link bridges. They also return Active Directory replication metadata, replication status, queue information, and up-to-dateness vector information. The introduction of the replication cmdlets, combined with the deployment and other existing AD DS cmdlets, makes it possible to administer a forest using Windows PowerShell alone. This creates new opportunities for administrators who want to provision and manage Windows Server 2012 without a graphical interface, which in turn reduces the operating system's attack surface and servicing requirements. This is especially important when deploying servers into high-security networks such as the Secret Internet Protocol Router Network (SIPRNet) and corporate DMZs.
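The topology and health operations described above, done end to end from the Active Directory module as an added example (not code from the original page). The domain corp.example.com, the DC dc01, the site Branch-01, the subnet and the site link values are assumptions.

```powershell
# Added example, not from the original page. Assumes domain corp.example.com
# with DC dc01; run from a DC or a machine with RSAT (no GUI required).
Import-Module ActiveDirectory

# Topology: a new site, its subnet, and an IP site link back to the hub.
New-ADReplicationSite -Name 'Branch-01'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch-01'
New-ADReplicationSiteLink -Name 'HQ-Branch-01' `
    -SitesIncluded 'Default-First-Site-Name', 'Branch-01' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Health: inbound partner metadata for every DC in the domain. Flag partners
# whose last attempt failed (non-zero Win32 result) or that are stale.
$partners = Get-ADReplicationPartnerMetadata -Target 'corp.example.com' -Scope Domain
$partners | Where-Object { $_.LastReplicationResult -ne 0 -or
                           $_.LastReplicationSuccess -lt (Get-Date).AddHours(-3) } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult

# Failures the KCC has recorded, with first occurrence and error code.
Get-ADReplicationFailure -Target 'corp.example.com' -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# Up-to-dateness vector: the highest USN dc01 has applied from each partner
# invocation ID, per partition. A partner whose USN never moves is the one
# to investigate.
Get-ADReplicationUpToDatenessVectorTable -Target 'dc01.corp.example.com' |
    Sort-Object UsnFilter -Descending |
    Select-Object -First 5 Server, Partner, Partition, UsnFilter

# Queue on one DC: a queue that keeps growing means it cannot keep up.
Get-ADReplicationQueueOperation -Server 'dc01.corp.example.com' |
    Select-Object Partition, Partner, OperationType, EnqueueTime
```

The three-hour staleness threshold is arbitrary; pick a value a little above your slowest intersite interval so that normal scheduled replication does not trip it.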

For more information about AD DS site topology and replication, see the Windows Server Technical Reference.

RID Management and Issuance Improvements

Windows 2000 Active Directory introduced the RID Master, which issues pools of relative identifiers to domain controllers so that they can create the security identifiers (SIDs) of security trustees such as users, groups, and computers. By default, this global RID space is limited to 2^30 (or 1,073,741,823) total SIDs created in a domain. SIDs cannot be returned to the pool or reissued. Over time, a large domain may begin to run low on RIDs, or accidents may lead to unnecessary RID depletion and eventual exhaustion.

Windows Server 2012 addresses a number of RID issuance and management issues uncovered by customers and Microsoft Customer Support as AD DS matured since the creation of the first Active Directory domains in 1999. These include:

  • Periodic RID consumption warnings are written to the event log
  • Events are logged when an administrator invalidates a RID pool
  • A maximum cap on the RID policy RID Block Size is now enforced
  • Artificial RID ceilings are now enforced and logged when the global RID space is low, allowing an administrator to take action before the global space is exhausted
  • The global RID space can now be increased by one bit, doubling its size to 2^31 (2,147,483,648 SIDs)
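To act on the warnings before the ceiling is reached you need to know where the domain stands. As an added example (not code from the original page), this decodes the global pool from the RID Manager$ object and each DC's current block from its RID Set object; the 50% warning threshold is an arbitrary assumption.

```powershell
# Added example, not from the original page. Reads the domain's global RID
# pool state and each DC's allocated block. Run with rights to read the
# System container on the RID master.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
              -Properties rIDAvailablePool -Server $domain.RIDMaster

# rIDAvailablePool is a 64-bit value: the high 32 bits are the upper bound of
# the global space, the low 32 bits the next RID the master will hand out.
$pool   = [int64]$ridMgr.rIDAvailablePool
$limit  = [int64]($pool -shr 32)
$issued = [int64]($pool -band 0xFFFFFFFF)
$pct    = [math]::Round(100 * $issued / $limit, 2)

[pscustomobject]@{
    RIDMaster   = $domain.RIDMaster
    UpperBound  = $limit            # 1,073,741,823 (2^30 - 1) unless the extra bit is on
    NextRID     = $issued
    PercentUsed = $pct
    BitExtended = $limit -gt [math]::Pow(2, 30)
}

# Warn early (50% is an assumed threshold); the artificial ceiling the OS
# enforces when the space is low is the last line of defence, not the first.
if ($pct -ge 50) { Write-Warning "Domain has consumed $pct% of its global RID space" }

# Per-DC view. rIDAllocationPool packs the block as low 32 bits = first RID,
# high 32 bits = last RID. rIDNextRID is not replicated, so ask each DC itself.
Get-ADDomainController -Filter * | ForEach-Object {
    $set   = Get-ADObject -Identity "CN=RID Set,$($_.ComputerObjectDN)" `
                 -Properties rIDAllocationPool, rIDNextRID -Server $_.HostName
    $alloc = [int64]$set.rIDAllocationPool
    [pscustomobject]@{
        DC        = $_.HostName
        PoolStart = $alloc -band 0xFFFFFFFF
        PoolEnd   = $alloc -shr 32
        NextRID   = $set.rIDNextRID
    }
}

# The periodic consumption and pool-invalidation warnings the page describes
# land in the Directory Service log on the RID master.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service' } -MaxEvents 500 -ComputerName $domain.RIDMaster |
    Where-Object Message -match 'RID' | Select-Object TimeCreated, Id, Message
```

A domain whose NextRID is far higher than its object count has been burning RIDs through failed creations or repeated pool invalidations; that gap, not the raw percentage, is usually the first thing worth explaining.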

For more information about RIDs and the RID Master, see How Security Identifiers Work.

AD DS Role Deployment and Management Architecture

Server Manager and ADDSDeployment Windows PowerShell rely on the following core assemblies for functionality when deploying or managing the AD DS role:

  • Microsoft.ADroles.Aspects.dll
  • Microsoft.ADroles.Instrumentation.dll
  • Microsoft.ADRoles.ServerManager.Common.dll
  • Microsoft.ADRoles.UI.Common.dll
  • Microsoft.DirectoryServices.Deployment.Types.dll
  • Microsoft.DirectoryServices.ServerManager.dll
  • Addsdeployment.psm1
  • Addsdeployment.psd1

Both rely on Windows PowerShell and its remote Invoke-Command for remote role installation and configuration.


Windows Server 2012 also refactors a number of promotion operations out of LSASS.EXE into:

  • The DS Role Server Service (DsRoleSvc)
  • DSRoleSvc.dll (loaded by the DsRoleSvc service)

This service must be present and running in order to promote, demote, or clone virtual domain controllers. By default, AD DS role installation adds this service with a start type of Manual. Do not disable this service.

ADPrep and Prerequisite Checking Architecture

Adprep no longer requires running on the schema master. It can be run remotely from a computer that runs Windows Server 2008 x64 or later.

Note

Adprep uses LDAP to import the Schxx.ldf files and does not automatically reconnect if the connection to the schema master is lost during the import. As part of the import process, the schema master is put into a specific mode and automatic reconnection is disabled, because if LDAP reconnected after the connection was lost, the re-established connection would not be in that mode and the schema would not be updated correctly.

Prerequisite checking ensures that the conditions required for a successful AD DS installation are true. If some required conditions are not met, they can be resolved before continuing the installation. It also detects whether the forest or domain is not yet prepared, so that the Adprep deployment code runs automatically.

ADPrep executables, DLLs and LDF files

  • ADprep.dll
  • Ldifde.dll
  • Csvde.dll
  • Sch14.ldf - Sch56.ldf
  • Schupgrade.cat
  • *dcpromo.csv

The AD preparation code formerly housed in ADprep.exe is refactored into adprep.dll. This allows both ADPrep.exe and the ADDSDeployment Windows PowerShell module to use the same library for the same tasks and have the same capabilities. Adprep.exe is included with the installation media, but automated processes do not call it directly; only an administrator runs it manually. It can only run on Windows Server 2008 x64 and later operating systems. Ldifde.exe and csvde.exe also have refactored versions as DLLs that are loaded by the preparation process. Schema extension still uses signature-verified LDF files, as in previous operating system versions.


Important

There is no 32-bit Adprep32.exe tool for Windows Server 2012. To prepare the forest and domain, you must have at least one Windows Server 2008 x64, Windows Server 2008 R2, or Windows Server 2012 computer, running as a domain controller, member server, or in a workgroup. Adprep.exe does not run on Windows Server 2003 x64.

Prerequisite Checking

The prerequisite checking system built into the ADDSDeployment Windows PowerShell managed code works in different modes, depending on the operation. The table below describes each test, when it is used, and how and what it validates. It may be useful when validation fails and the error message is not sufficient to troubleshoot the problem.

These tests log to the DirectoryServices-Deployment operational event log channel under the Task Category Core, always as Event ID 103.

Prerequisite Windows PowerShell

Each ADDSDeployment domain controller deployment cmdlet has a corresponding Test- cmdlet that runs only the prerequisite checks. They accept approximately the same arguments as their associated deployment cmdlets.

  • Test-ADDSDomainControllerInstallation
  • Test-ADDSDomainControllerUninstallation
  • Test-ADDSDomainInstallation
  • Test-ADDSForestInstallation
  • Test-ADDSReadOnlyDomainControllerAccountCreation

Ordinarily there is no need to run these cmdlets yourself; the deployment cmdlets execute them automatically by default.
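Running the checks separately is still worth it when promotion is scripted, because a failed Test- run costs nothing while a failed Install- run may leave a half-configured server. This added example (not code from the original page) covers both the DsRoleSvc requirement above and the Test- cmdlets: it confirms the service is not disabled, runs the prerequisite tests with the same parameter set that will later be passed to Install-ADDSDomainController, and promotes only if they pass. The domain, partner DC, site and paths are assumptions, and the exact event channel name is an assumption based on the page's description of the DirectoryServices-Deployment log.

```powershell
# Added example, not from the original page. Assumes domain corp.example.com,
# replication partner dc01, site Default-First-Site-Name and a D: data volume.
Import-Module ADDSDeployment

# DsRoleSvc is installed with the AD DS role with a Manual start type and is
# started on demand by the promotion code; only a Disabled start type breaks it.
$svc = Get-CimInstance Win32_Service -Filter "Name='DsRoleSvc'"
if (-not $svc) { throw 'DsRoleSvc is missing: install the role first (Install-WindowsFeature AD-Domain-Services)' }
if ($svc.StartMode -eq 'Disabled') { Set-Service -Name DsRoleSvc -StartupType Manual }

$cred = Get-Credential -Message 'Domain Admin (Enterprise and Schema Admin if the forest is not yet prepared)'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

# One parameter set, reused for the test and the real promotion so that what
# was validated is exactly what gets installed.
$promo = @{
    DomainName                    = 'corp.example.com'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    ReplicationSourceDC           = 'dc01.corp.example.com'
    SiteName                      = 'Default-First-Site-Name'
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
}

# Only the prerequisite tests run here: group membership, adprep state,
# schema consistency, partner outbound replication, DSRM password policy...
$check = Test-ADDSDomainControllerInstallation @promo
$check | Select-Object Status, Message, Context | Format-List

# Status reads 'Success' when every test passed.
if ("$($check.Status)" -ne 'Success') {
    # Each individual test result is logged as Event ID 103 in the deployment
    # channel; the channel name below is assumed from the page's description.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DirectoryServices-Deployment/Operational'; Id = 103 } |
        Select-Object -First 20 TimeCreated, Message
    throw 'Prerequisite checks failed; resolve the issues above before promoting.'
}

# Checks passed: promote. -NoRebootOnCompletion leaves time to review logs.
Install-ADDSDomainController @promo -NoRebootOnCompletion -Force
```

Reusing the same splatted hashtable for the test and the install is the point of the pattern: a Test- run with different parameters validates a different promotion.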

Prerequisite Tests

Test Name: VerifyAdminTrustedForDelegationProvider
Protocols used: LDAP
Explanation and notes: Validates that you have the "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege) privilege on the existing partner domain controller. This requires access to your constructed tokenGroups attribute. Not used when contacting Windows Server 2003 domain controllers; in that case you must manually confirm this privilege prior to promotion.

Test Name: VerifyADPrepPrerequisites (forest)
Protocols used: LDAP
Explanation and notes: Discovers and contacts the Schema Master using the rootDSE namingContexts attribute and the Schema naming context fsmoRoleOwner attribute. Determines which preparatory operations (forestprep, domainprep, or rodcprep) are required for the AD DS installation. Validates that the schema objectVersion is the expected value and whether it requires further extension.

Test Name: VerifyADPrepPrerequisites (domain and RODC)
Protocols used: LDAP
Explanation and notes: Discovers and contacts the Infrastructure Master using the rootDSE namingContexts attribute and the Infrastructure container fsmoRoleOwner attribute. In the case of an RODC installation, this test discovers the Domain Naming Master and makes sure it is online.

Test Name: CheckGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Domain Admins or Enterprise Admins group, depending on the operation (Domain Admins for adding or demoting a domain controller, Enterprise Admins for adding or removing a domain).

Test Name: CheckForestPrepGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Schema Admins and Enterprise Admins groups and has the Manage auditing and security log (SeSecurityPrivilege) privilege on the existing domain controllers.

Test Name: CheckDomainPrepGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Domain Admins group and has the Manage auditing and security log (SeSecurityPrivilege) privilege on the existing domain controllers.

Test Name: CheckRODCPrepGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Enterprise Admins group and has the Manage auditing and security log (SeSecurityPrivilege) privilege on the existing domain controllers.

Test Name: VerifyInitSyncAfterReboot
Protocols used: LDAP
Explanation and notes: Validates that the Schema Master has replicated at least once since it restarted, by setting a dummy value on the rootDSE attribute becomeSchemaMaster.

Test Name: VerifySFUHotFixApplied
Protocols used: LDAP
Explanation and notes: Validates that the existing forest schema does not contain the known problem SFU2 extension for the UID attribute with OID 1.2.840.113556.1.4.7000.187.102 (https://support.microsoft.com/kb/821732).

Test Name: VerifyExchangeSchemaFixed
Protocols used: LDAP, WMI, DCOM, RPC
Explanation and notes: Validates that the existing forest schema does not still contain the problem Exchange 2000 extensions ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier (https://support.microsoft.com/kb/314649).

Test Name: VerifyWin2KSchemaConsistency
Protocols used: LDAP
Explanation and notes: Validates that the existing forest schema has consistent core attributes and classes (not incorrectly modified by a third party).

Test Name: DCPromo
Protocols used: DRSR over RPC, LDAP, DNS, RPC over SMB (SAMR)
Explanation and notes: Validates the command-line syntax passed to the promotion code and performs a test promotion. When creating a new forest or domain, validates that it does not already exist.

Test Name: VerifyOutboundReplicationEnabled
Protocols used: LDAP, DRSR over SMB, RPC over SMB (LSARPC)
Explanation and notes: Validates that the existing domain controller specified as the replication partner has outbound replication enabled, by checking the options attribute of its NTDS Settings object for NTDSDSA_OPT_DISABLE_OUTBOUND_REPL (0x00000004).

Test Name: VerifyMachineAdminPassword
Protocols used: DRSR over RPC, LDAP, DNS, RPC over SMB (SAMR)
Explanation and notes: Validates that the safe mode password set for DSRM meets the domain's complexity requirements.

Test Name: VerifySafeModePassword
Protocols used: N/A
Explanation and notes: Validates that the local Administrator password set meets the computer security policy's complexity requirements.