Perform initial recovery

Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

This section includes the following steps:

Restore the first writeable domain controller in each domain

Beginning with a writeable DC in the forest root domain, complete the steps in this section in order to restore the first DC. The forest root domain is important because it stores the Schema Admins and Enterprise Admins groups. It also helps maintain the trust hierarchy in the forest. In addition, the forest root domain usually holds the DNS root server for the forest's DNS namespace. Consequently, the Active Directory-integrated DNS zone for that domain contains the alias (CNAME) resource records for all other DCs in the forest (which are required for replication) and the global catalog DNS resource records.

After you recover the forest root domain, repeat the same steps to recover the remaining domains in the forest. You can recover more than one domain simultaneously; however, always recover a parent domain before recovering a child to prevent any break in the trust hierarchy or DNS name resolution.

For each domain that you recover, restore only one writeable DC from backup. This is the most important part of the recovery because the DC must have a database that has not been influenced by whatever caused the forest to fail. It is important to have a trusted backup that is thoroughly tested before it is introduced into the production environment.

Then perform the following steps. Procedures for performing certain steps are in AD Forest Recovery - Procedures.

  1. If you plan to restore a physical server, ensure that the network cable of the target DC is not attached and therefore is not connected to the production network. For a virtual machine, you can remove the network adapter or use a network adapter that is attached to another network where you can test the recovery process while isolated from the production network.

  2. Because this is the first writeable DC in the domain, you must perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL. The restore operation must be completed by using an Active Directory-aware backup and restore application, such as Windows Server Backup (that is, you should not restore the DC by using unsupported methods such as restoring a VM snapshot).

    • An authoritative restore of SYSVOL is required because replication of the SYSVOL replicated folder must be started after you recover from a disaster. All subsequent DCs that are added in the domain must resynchronize their SYSVOL folder with a copy of the folder that has been selected to be authoritative before the folder can be advertised.

    Note

    Perform an authoritative (or primary) restore operation of SYSVOL only for the first DC to be restored in the forest root domain. Incorrectly performing primary restore operations of SYSVOL on other DCs leads to replication conflicts of SYSVOL data.

  3. After you restore and restart the writeable DC, verify that the failure did not affect the data on the DC. If the DC data is damaged, then repeat step 2 with a different backup.

    • If the restored domain controller hosts an operations master role, you may need to add the following registry entry to avoid AD DS being unavailable until it has completed replication of a writeable directory partition:

      HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations

      Create the entry with the data type REG_DWORD and a value of 0. After the forest is recovered completely, you can reset the value of this entry to 1, which requires a domain controller that restarts and holds operations master roles to have successful AD DS inbound and outbound replication with its known replica partners before it advertises itself as a domain controller and starts providing services to clients. For more information about initial synchronization requirements, see KB article 305476.

      Continue to the next steps only after you restore and verify the data and before you join this computer to the production network.
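      The registry change in step 3 and its post-recovery reversal, as an added PowerShell example (not code from the Microsoft page). It assumes an elevated session on the restored DC; the function names are this example's own:

```powershell
# Added example: manage the "Repl Perform Initial Synchronizations" value on a
# restored DC. Run in an elevated PowerShell session on that DC.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'Repl Perform Initial Synchronizations'

function Disable-InitialSync {
    # Value 0: the DC may advertise itself without first completing inbound
    # replication of a writeable partition. Needed while it is the only DC in
    # the domain and no replica partners exist.
    New-ItemProperty -Path $ntdsParams -Name $valueName `
        -PropertyType DWord -Value 0 -Force | Out-Null
    (Get-ItemProperty -Path $ntdsParams -Name $valueName).$valueName
}

function Enable-InitialSync {
    # Value 1 (default behaviour): a restarting DC that holds operations master
    # roles must replicate with its known partners before advertising.
    # Restore this once the forest is fully recovered.
    Set-ItemProperty -Path $ntdsParams -Name $valueName -Value 1 -Type DWord
    (Get-ItemProperty -Path $ntdsParams -Name $valueName).$valueName
}

function Get-InitialSyncSetting {
    # Returns the current value, or $null when the entry does not exist
    # (absent entry = default behaviour, equivalent to 1).
    $item = Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $item.$valueName } else { $null }
}

# During recovery (step 3):
Disable-InitialSync
# After the forest is recovered and replica partners exist again:
# Enable-InitialSync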

  4. If you suspect that the forest-wide failure was related to network intrusion or malicious attack, reset the account passwords for all administrative accounts, including members of the Enterprise Admins, Domain Admins, Schema Admins, Server Operators, Account Operators groups, and so on. The reset of administrative account passwords should be completed before additional domain controllers are installed during the next phase of the forest recovery.

  5. On the first restored DC in the forest root domain, seize all domain-wide and forest-wide operations master roles. Enterprise Admins and Schema Admins credentials are needed to seize forest-wide operations master roles.

    In each child domain, seize domain-wide operations master roles. Although you might retain the operations master roles on the restored DC only temporarily, seizing these roles assures you regarding which DC hosts them at this point in the forest recovery process. As part of your post-recovery process, you can redistribute the operations master roles as needed. For more information about seizing operations master roles, see Seizing an operations master role. For recommendations about where to place operations master roles, see What Are Operations Masters?.
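    Seizing the roles in step 5 with the ActiveDirectory module, as an added example (not the page's own procedure). It assumes RSAT is installed, that the session holds the credentials step 5 names, and the DC name 'DC1.corp.example' is a placeholder:

```powershell
# Added example: seize operations master roles on the first restored DC.
Import-Module ActiveDirectory

function Invoke-ForestRecoveryRoleSeizure {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,  # placeholder name, e.g. 'DC1.corp.example'
        [switch] $ForestRoot                        # set when $TargetDC is in the forest root domain
    )
    # Domain-wide roles: seized in every recovered domain.
    $roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    # Forest-wide roles: only in the forest root domain; need Enterprise Admins
    # and Schema Admins credentials.
    if ($ForestRoot) { $roles += 'SchemaMaster', 'DomainNamingMaster' }

    # -Force seizes rather than transfers, because the previous role holders
    # are gone (their metadata is cleaned up in step 6).
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $roles -Force -Confirm:$false

    # Verify that the restored DC now reports every requested role.
    $dc      = Get-ADDomainController -Identity $TargetDC
    $missing = $roles | Where-Object { $_ -notin $dc.OperationMasterRoles }
    if ($missing) {
        Write-Warning "$TargetDC does not hold: $($missing -join ', ')"
    } else {
        Write-Host "$TargetDC now holds: $($dc.OperationMasterRoles -join ', ')"
    }
    $dc.OperationMasterRoles
}

# Forest root domain (all five roles):
# Invoke-ForestRecoveryRoleSeizure -TargetDC 'DC1.corp.example' -ForestRoot
# Each child domain (domain-wide roles only):
# Invoke-ForestRecoveryRoleSeizure -TargetDC 'DC1.child.corp.example'
```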

  6. Clean up metadata of all other writeable DCs in the forest root domain that you are not restoring from backup (all writeable DCs in the domain except for this first DC). If you use the version of Active Directory Users and Computers or Active Directory Sites and Services that is included with Windows Server 2008 or later, or RSAT for Windows Vista or later, metadata cleanup is performed automatically when you delete a DC object. In addition, the server object and computer object for the deleted DC are also deleted automatically. For more information, see Cleaning metadata of removed writable DCs.

    Cleaning up metadata prevents possible duplication of NTDS Settings objects if AD DS is installed on a DC in a different site. Potentially, this could also save the Knowledge Consistency Checker (KCC) the process of creating replication links when the DCs themselves might not be present. Moreover, as part of metadata cleanup, DC Locator DNS resource records for all other DCs in the domain will be deleted from DNS.

    Until the metadata of all other DCs in the domain is removed, this DC, if it was the RID master before recovery, will not assume the RID master role and therefore will not be able to issue new RIDs. You might see event ID 16650 in the System log in Event Viewer indicating this failure, but you should see event ID 16648 indicating success a little while after you have cleaned the metadata.

  7. If you have DNS zones that are stored in AD DS, ensure that the local DNS Server service is installed and running on the DC that you have restored. If this DC was not a DNS server before the forest failure, you must install and configure the DNS server.

    Note

    If the restored DC runs Windows Server 2008, you need to install the hotfix in KB article 975654 or connect the server to an isolated network temporarily in order to install DNS server. The hotfix is not required for any other version of Windows Server.

    In the forest root domain, configure the restored DC with its own IP address (or a loopback address, such as 127.0.0.1) as its preferred DNS server. You can configure this setting in the TCP/IP properties of the local area network (LAN) adapter. This is the first DNS server in the forest. For more information, see Configure TCP/IP to use DNS.

    In each child domain, configure the restored DC with the IP address of the first DNS server in the forest root domain as its preferred DNS server. You can configure this setting in the TCP/IP properties of the LAN adapter. For more information, see Configure TCP/IP to use DNS.

    In the _msdcs and domain DNS zones, delete NS records of DCs that no longer exist after metadata cleanup. Check whether the SRV records of the cleaned-up DCs have been removed. To help speed up DNS SRV record removal, run:

    nltest.exe /dsderegdns:server.domain.tld
    
  8. Raise the value of the available RID pool by 100,000. For more information, see Raising the value of available RID pools. If you have reason to believe that raising the RID pool by 100,000 is insufficient for your particular situation, you should determine the lowest increase that is still safe to use. RIDs are a finite resource that should not be used up needlessly.

    If new security principals were created in the domain after the time of the backup that you use for the restore, these security principals might have access rights on certain objects. These security principals no longer exist after recovery because the recovery has reverted to the backup; however, their access rights might still exist. If the available RID pool is not raised after a restore, new user objects that are created after the forest recovery might obtain identical security IDs (SIDs) and could have access to those objects, which was not originally intended.

    To illustrate, consider the example of the new employee named Amy that was mentioned in the introduction. The user object for Amy no longer exists after the restore operation because it was created after the backup that was used to restore the domain. However, any access rights that were assigned to that user object might persist after the restore operation. If the SID for that user object is reassigned to a new object after the restore operation, the new object would obtain those access rights.
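    Raising the pool in step 8 from PowerShell, as an added example (not the page's own procedure, which is in "Raising the value of available RID pools"). It assumes the ActiveDirectory module, that the session can write to the RID Manager$ object, and the widely documented layout of rIDAvailablePool (high 32 bits = pool maximum, low 32 bits = next RID to allocate); the function names are this example's own:

```powershell
# Added example: decode rIDAvailablePool and raise the next-available RID by N.
Import-Module ActiveDirectory

function Get-RidPoolState {
    param([string]$Server = (Get-ADDomain).RIDMaster)
    $domain = Get-ADDomain -Server $Server
    $dn     = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"
    $obj    = Get-ADObject -Identity $dn -Properties rIDAvailablePool -Server $Server
    $raw    = [int64]$obj.rIDAvailablePool
    [pscustomobject]@{
        DistinguishedName = $dn
        Raw               = $raw
        HighPart          = [int64]($raw -shr 32)          # upper bound of RIDs the domain may issue
        LowPart           = [int64]($raw -band 0xFFFFFFFF) # next RID that will be handed out
    }
}

function Add-RidPool {
    param(
        [int64]$Increase = 100000,                     # step 8 uses 100,000
        [string]$Server  = (Get-ADDomain).RIDMaster    # only the RID master may write this attribute
    )
    $state  = Get-RidPoolState -Server $Server
    $newLow = $state.LowPart + $Increase
    # Refuse an increase that would wrap into the high part or exhaust the pool.
    if ($newLow -ge $state.HighPart) {
        throw "Increase of $Increase would exceed the pool maximum ($($state.HighPart))"
    }
    # Only the low 32 bits change; adding to the raw value keeps the high part intact.
    $newRaw = $state.Raw + $Increase
    Set-ADObject -Identity $state.DistinguishedName -Replace @{ rIDAvailablePool = $newRaw } -Server $Server
    Get-RidPoolState -Server $Server
}

# Inspect before changing anything:
Get-RidPoolState
# Then raise by 100,000 (or the smallest increase you have judged safe):
# Add-RidPool -Increase 100000
```

    Record the before and after values of LowPart; new objects created after recovery should receive RIDs above the raised value, which is what prevents the SID reuse the paragraph above describes.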

  9. Invalidate the current RID pool. The current RID pool is invalidated after a system state restore. But if a system state restore was not performed, the current RID pool needs to be invalidated to prevent the restored DC from re-issuing RIDs from the RID pool that was assigned at the time the backup was created. For more information, see Invalidating the current RID pool.

    Note

    The first time that you attempt to create an object with a SID after you invalidate the RID pool, you will receive an error. The attempt to create an object triggers a request for a new RID pool. Retrying the operation succeeds because the new RID pool will have been allocated.

  10. Reset the computer account password of this DC twice. For more information, see Resetting the computer account password of the domain controller.

  11. Reset the krbtgt password twice. For more information, see Resetting the krbtgt password.

    Because the krbtgt password history is two passwords, reset the password twice to remove the original (prefailure) password from the password history.

    Note

    If the forest recovery is in response to a security breach, you may also reset the trust passwords. For more information, see Resetting a trust password on one side of the trust.
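    The double krbtgt reset of step 11, as an added example (not the page's own procedure). It assumes the ActiveDirectory module and Domain Admins rights on the restored DC; the supplied password only has to satisfy domain policy, since the KDC derives the key material it uses from the account's stored secret:

```powershell
# Added example: reset krbtgt twice and confirm pwdLastSet advanced each time,
# so the pre-failure password is pushed out of the two-entry history.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # 24 random bytes from the OS CSPRNG, base64-encoded (32 chars).
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtTwice {
    param([string]$Server = (Get-ADDomain).PDCEmulator)  # the restored DC holds the PDC role after step 5
    $stamps = @()
    for ($i = 1; $i -le 2; $i++) {
        Set-ADAccountPassword -Identity krbtgt -Reset `
            -NewPassword (New-RandomSecurePassword) -Server $Server
        $acct = Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $Server
        $stamps += [DateTime]::FromFileTimeUtc($acct.pwdLastSet)
        Write-Host ("Reset #{0}: pwdLastSet = {1:u}" -f $i, $stamps[-1])
        # Brief pause so the two resets are distinguishable in the logs and timestamps.
        if ($i -lt 2) { Start-Sleep -Seconds 10 }
    }
    if ($stamps[1] -le $stamps[0]) { throw 'Second reset did not update pwdLastSet' }
    $stamps
}

# Reset-KrbtgtTwice
```

    Expect existing Kerberos tickets to become invalid after the second reset; on an isolated recovery network that is acceptable, and clients re-authenticate once the DC is joined to the production network.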

  12. If the forest has multiple domains and the restored DC was a global catalog server before the failure, clear the Global catalog check box in the NTDS Settings properties to remove the global catalog from the DC. The exception to this rule is the common case of a forest with just one domain. In this case, it is not required to remove the global catalog. For more information, see Removing the global catalog.

    By restoring a global catalog from a backup that is more recent than the other backups that are used to restore DCs in other domains, you might introduce lingering objects. Consider the following example. In domain A, DC1 is restored from a backup that was taken at time T1. In domain B, DC2 is restored from a global catalog backup that was taken at time T2. Suppose T2 is more recent than T1, and some objects were created between T1 and T2. After these DCs are restored, DC2, which is a global catalog, holds newer data for domain A's partial replica than domain A holds itself. DC2, in this case, holds lingering objects because these objects are not present on DC1.

    The presence of lingering objects can lead to problems. For instance, e-mail messages might not be delivered to a user whose user object was moved between domains. After you bring the outdated DC or global catalog server back online, both instances of the user object appear in the global catalog. Both objects have the same e-mail address; therefore, e-mail messages cannot be delivered.

    A second problem is that a user account that no longer exists might still appear in the global address list. A third problem is that a universal group that no longer exists might still appear in a user's access token.

    If you did restore a DC that was a global catalog, either inadvertently or because that was the solitary backup that you trusted, we recommend that you prevent the occurrence of lingering objects by disabling the global catalog soon after the restore operation is complete. Disabling the global catalog flag will result in the computer losing all its partial replicas (partitions) and relegating itself to regular DC status.

  13. Configure the Windows Time service. In the forest root domain, configure the PDC emulator to synchronize time from an external time source. For more information, see Configure the Windows Time service on the PDC emulator in the Forest Root Domain.

Reconnect each restored writeable domain controller to a common network

At this stage you should have one DC restored (and recovery steps performed) in the forest root domain and in each of the remaining domains. Join these DCs to a common network that is isolated from the rest of the environment and complete the following steps in order to validate forest health and replication.

Note

When you join the physical DCs to an isolated network, you may need to change their IP addresses. As a result, the IP addresses of DNS records will be wrong. Because a global catalog server is not available, secure dynamic updates for DNS will fail. Virtual DCs are more advantageous in this case because they can be joined to a new virtual network without changing their IP addresses. This is one reason why virtual DCs are recommended as the first domain controllers to be restored during forest recovery.

After validation, join the DCs to the production network and complete the steps to verify forest replication health.

  • To fix name resolution, create DNS delegation records and configure DNS forwarding and root hints as needed. Run repadmin /replsum to check replication between DCs.
  • If the restored DCs are not direct replication partners, replication recovery will be much faster if you create temporary connection objects between them.
  • To validate metadata cleanup, run Repadmin /viewlist * for a list of all DCs in the forest. Run Nltest /DCList:<domain> for a list of all DCs in the domain.
  • To check DC and DNS health, run DCDiag /v to report errors on all DCs in the forest.

Add the global catalog to a domain controller in the forest root domain

A global catalog is required for these and other reasons:

  • To enable logons for users.
  • To enable the Net Logon service running on the DCs in each child domain to register and remove records on the DNS server in the root domain.

Although it is preferred that the forest root DC become a global catalog, it is possible to elect any of the restored DCs to become a global catalog.

Note

A DC will not be advertised as a global catalog server until it has completed a full synchronization of all directory partitions in the forest. Therefore, the DC should be forced to replicate with each of the restored DCs in the forest.

Monitor the Directory Service event log in Event Viewer for event ID 1119, which indicates that this DC is a global catalog server, or verify that the following registry key has a value of 1:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion Complete

For more information, see Adding the global catalog.
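Forcing the replication the note above calls for and then checking both indicators (event 1119 and the registry value), as an added example (not the page's own procedure). It assumes it runs locally on the DC being promoted, that repadmin.exe is available, and that the ActiveDirectory module is installed; the function names are this example's own:

```powershell
# Added example: push replication to all partners, then report global catalog
# promotion status from the registry value and the Directory Service log.
Import-Module ActiveDirectory

function Sync-RestoredDomainController {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # /A all partitions, /P push from this DC, /e include other sites, /d show DNs.
    & repadmin.exe /syncall $ComputerName /APed
    $LASTEXITCODE
}

function Test-GlobalCatalogReady {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $regName = 'Global Catalog Promotion Complete'

    $item = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    $flag = if ($item) { $item.$regName } else { $null }

    # Most recent event 1119 ("this DC is now a global catalog"), if any.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue

    # What AD itself reports for the DC object.
    $dc = Get-ADDomainController -Identity $ComputerName

    [pscustomobject]@{
        ComputerName            = $ComputerName
        PromotionCompleteFlag   = $flag
        LastEvent1119           = if ($evt) { $evt.TimeCreated } else { $null }
        AdvertisedGlobalCatalog = $dc.IsGlobalCatalog
        Ready                   = ($flag -eq 1 -and $dc.IsGlobalCatalog)
    }
}

# Sync-RestoredDomainController
# Test-GlobalCatalogReady
```

Re-run Test-GlobalCatalogReady until Ready is True before relying on the global catalog for logons or for child-domain Net Logon DNS registrations.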

At this stage you should have a stable forest, with one DC for each domain and one global catalog in the forest. You should make a new backup of each of the DCs that you have just restored. You can now begin to redeploy other DCs in the forest by installing AD DS.

Next Steps