AD DS Installation and Removal Wizard Page Descriptions

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic describes the controls on the wizard pages that make up the AD DS server role installation and removal in Server Manager.

Deployment Configuration

Server Manager begins every domain controller installation with the Deployment Configuration page. The remaining options and required fields on this page and on subsequent pages change depending on which deployment operation you select. For example, if you create a new forest, the Preparation Options page does not appear, but it does appear if you install the first domain controller that runs Windows Server 2012 in an existing forest or domain.

Some validation tests are performed on this page, and again later as part of the prerequisite checks. For example, if you try to install the first Windows Server 2012 domain controller in a forest that is at the Windows 2000 functional level, an error appears on this page.

The following options appear when you create a new forest.

  • When you create a new forest, you must specify a name for the forest root domain. The forest root domain name cannot be single-labeled (for example, it must be "contoso.com" instead of "contoso"). It must follow the allowed DNS domain naming conventions. You can specify an Internationalized Domain Name (IDN). For more information about DNS domain naming conventions, see KB 909264.

  • Do not create a new Active Directory forest with the same name as your external DNS name. For example, if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely to receive web traffic, such as corp.contoso.com.

  • You must be a member of the Administrators group on the server where you want to create the new forest.

For more information about how to create a forest, see Install a New Windows Server 2012 Active Directory Forest (Level 200).

The following options appear when you create a new domain.

Note

If you create a new tree domain, you need to specify the name of the forest root domain instead of the parent domain, but the remaining wizard pages and options are the same.

  • Click Select to browse to the parent domain or Active Directory tree, or type a valid parent domain or tree name. Then type the name of the new domain in New domain name.

  • Tree domain: provide a valid, fully qualified root domain name. The name cannot be single-labeled and must meet the DNS domain name requirements.

  • Child domain: provide a valid, single-label child domain name. The name must meet the DNS domain name requirements.

  • The Active Directory Domain Services Configuration Wizard prompts you for domain credentials if your current credentials are not from the domain. Click Change to provide domain credentials.

For more information about how to create a domain, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).

The following options appear when you add a new domain controller to an existing domain.

  • Click Select to browse to the domain, or type a valid domain name.

  • Server Manager prompts you for valid credentials if needed. Installing an additional domain controller requires membership in the Domain Admins group.

    In addition, installing the first domain controller that runs Windows Server 2012 in a forest requires credentials that include membership in both the Enterprise Admins and Schema Admins groups. The Active Directory Domain Services Configuration Wizard prompts you later if your current credentials do not have adequate permissions or group memberships.

For more information about how to add a domain controller to an existing domain, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).

Domain Controller Options

If you are creating a new forest, the Domain Controller Options page has these options:

  • The forest and domain functional levels are set to Windows Server 2012 by default.

    There is one new feature available at the Windows Server 2012 domain functional level: the Support for Dynamic Access Control and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level. For more information, see "Support for claims, compound authentication and Kerberos armoring" in What's new in Kerberos Authentication.

    The Windows Server 2012 forest functional level does not provide any new features, but it ensures that any new domain created in the forest automatically operates at the Windows Server 2012 domain functional level. The Windows Server 2012 domain functional level does not provide any other new features beyond support for Dynamic Access Control and Kerberos armoring, but it ensures that every domain controller in the domain runs Windows Server 2012. For more information about the features that are available at different functional levels, see Understanding Active Directory Domain Services (AD DS) Functional Levels.

    Beyond functional levels, a domain controller that runs Windows Server 2012 provides additional features that are not available on a domain controller that runs an earlier version of Windows Server. For example, a domain controller that runs Windows Server 2012 can be used for virtual domain controller cloning, whereas a domain controller that runs an earlier version of Windows Server cannot.

  • DNS server is selected by default when you create a new forest. The first domain controller in the forest must be a global catalog (GC) server, and it cannot be a read-only domain controller (RODC).

  • The Directory Services Restore Mode (DSRM) password is needed to log on to a domain controller when AD DS is not running. The password you specify must adhere to the password policy applied to the server, which by default requires only a non-blank password, not a strong one. Always choose a strong, complex password or, preferably, a passphrase. For information about how to synchronize the DSRM password with the password of a domain user account, see KB 961320.

For more information about how to create a forest, see Install a New Windows Server 2012 Active Directory Forest (Level 200).

If you are creating a child domain, the Domain Controller Options page has these options:

  • The domain functional level is set to Windows Server 2012 by default. You can specify any other value that is equal to or higher than the forest functional level.

  • The configurable domain controller options are DNS server and Global Catalog; you cannot configure a read-only domain controller as the first domain controller in a new domain.

    Microsoft recommends that all domain controllers provide DNS and global catalog services for high availability in distributed environments, which is why the wizard enables these options by default when creating a new domain.

  • The Domain Controller Options page also enables you to choose the appropriate Active Directory logical site name from the forest configuration. By default, it selects the site whose subnet best matches the server. If there is only one site, it selects that site automatically.

    Important

    If the server does not belong to an Active Directory subnet and there is more than one site, nothing is selected and the Next button is unavailable until you choose a site from the list.

For more information about how to create a domain, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).

If you are adding a domain controller to a domain, the Domain Controller Options page has these options:

  • The configurable domain controller options are DNS server, Global Catalog, and Read-only domain controller.

    Microsoft recommends that all domain controllers provide DNS and global catalog services for high availability in distributed environments, which is why the wizard enables these options by default. For more information about deploying RODCs, see Read-Only Domain Controller Planning and Deployment Guide.

For more information about how to add a domain controller to an existing domain, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).

DNS Options

If you install DNS server, the following DNS Options page appears:

When you install DNS server, delegation records that point to the DNS server as authoritative for the zone should be created in the parent Domain Name System (DNS) zone. Delegation records transfer name resolution authority and provide correct referrals to other DNS servers and clients for the new servers that are being made authoritative for the new zone. These resource records include the following:

  • A name server (NS) resource record to effect the delegation. This resource record advertises that the server named ns1.na.example.microsoft.com is an authoritative server for the delegated subdomain.

  • A host (A or AAAA) resource record, also known as a glue record, which must be present to resolve the name of the server that is specified in the name server (NS) resource record to its IP address. The process of resolving the host name in this resource record to the delegated DNS server named in the NS resource record is sometimes referred to as "glue chasing."

You can have the Active Directory Domain Services Configuration Wizard create these records automatically. The wizard verifies that the appropriate records exist in the parent DNS zone after you click Next on the Domain Controller Options page. If the wizard cannot verify that the records exist in the parent domain, it offers to create a new DNS delegation for the new domain (or update the existing delegation) automatically and continue with the new domain controller installation.

Alternatively, you can create these DNS delegation records before you install DNS server. To create a zone delegation, open DNS Manager, right-click the parent domain, and then click New Delegation. Follow the steps in the New Delegation Wizard to create the delegation.

The installation process tries to create the delegation to ensure that computers in other domains can resolve DNS queries for hosts, including domain controllers and member computers, in the DNS subdomain. Note that the delegation records can be created automatically only on Microsoft DNS servers. If the parent DNS domain zone resides on third-party DNS servers such as BIND, a warning about the failure to create DNS delegation records appears on the Prerequisites Check page. For more information about the warning, see Known issues for installing AD DS.

Delegations between the parent domain and the subdomain being promoted can be created and validated before or after the installation. There is no reason to delay the installation of a new domain controller because you cannot create or update the DNS delegation.

For more information about delegation, see Understanding Zone Delegation (http://go.microsoft.com/fwlink/?LinkId=164773). If zone delegation is not possible in your situation, you might consider other methods for providing name resolution from other domains to the hosts in your domain. For example, the DNS administrator of another domain could configure conditional forwarding, stub zones, or secondary zones in order to resolve names in your domain. For more information, see the following topics:
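The NS-plus-glue delegation described above, created and then verified from the parent side the way a resolver in another domain would see it. This is an added example, not code from the article or from the wizard; it assumes the DnsServer and DnsClient modules, a Microsoft DNS server named PARENTDNS01 hosting the parent zone, and the constructed address 10.0.10.5 for ns1.na.example.microsoft.com.

```powershell
# Added example (not from the original article). Server names and the address are
# constructed placeholders; the zone names follow the article's example.
$ParentZone    = 'example.microsoft.com'
$ChildLabel    = 'na'
$ChildZone     = "$ChildLabel.$ParentZone"
$ParentServer  = 'PARENTDNS01'          # Microsoft DNS server authoritative for the parent zone
$NewDnsServer  = "ns1.$ChildZone"        # the new domain controller's DNS service
$NewDnsAddress = '10.0.10.5'

# 1. Create the delegation in the parent zone: an NS record for the child label plus the
#    A glue record for the name server. This is the same pair the wizard offers to create.
Add-DnsServerZoneDelegation -ComputerName $ParentServer -Name $ParentZone `
    -ChildZoneName $ChildLabel -NameServer $NewDnsServer -IPAddress $NewDnsAddress

# 2. Validate it: ask the parent server for the child's NS records, then resolve every
#    NS host to an address from that same server ("glue chasing"). An NS record whose
#    host has no glue produces referrals that other domains cannot follow.
function Test-ZoneDelegation {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Server
    )
    $result = [ordered]@{ Zone = $Zone; NameServers = @(); MissingGlue = @(); Delegated = $false }
    try {
        $ns = Resolve-DnsName -Name $Zone -Type NS -Server $Server -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'NS' }
    } catch {
        Write-Warning "No NS records for $Zone returned by $Server : $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    foreach ($record in $ns) {
        $nsHost = $record.NameHost          # $host is a reserved automatic variable in PowerShell
        $result.NameServers += $nsHost
        $glue = Resolve-DnsName -Name $nsHost -Type A_AAAA -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -in 'A', 'AAAA' }
        if (-not $glue) { $result.MissingGlue += $nsHost }
    }
    $result.Delegated = (@($ns).Count -gt 0) -and ($result.MissingGlue.Count -eq 0)
    [pscustomobject]$result
}

Test-ZoneDelegation -Zone $ChildZone -Server $ParentServer | Format-List
```

If the parent zone is on BIND or another third-party server, skip step 1 (the cmdlet only manages Microsoft DNS) and use the function alone to confirm the delegation the other administrator created.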

RODC Options

The following options appear when you install a read-only domain controller (RODC).

  • Delegated administrator accounts gain local administrative permissions to the RODC. These users can operate with privileges equivalent to the local computer's Administrators group. They are not members of the Domain Admins or the domain built-in Administrators groups. This option is useful for delegating branch office administration without giving out domain administrative permissions. Configuring delegation of administration is not required. For more information, see Administrator Role Separation.

  • The Password Replication Policy acts as an access control list (ACL). It determines whether an RODC is permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it consults the Password Replication Policy to determine whether the password for that account should be cached. The same account can then perform subsequent logons more efficiently.

    The Password Replication Policy (PRP) lists the accounts whose passwords are allowed to be cached and the accounts whose passwords are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has actually cached the passwords for those accounts. An administrator can, for example, specify in advance the accounts that an RODC will cache. This way, the RODC can authenticate those accounts even if the WAN link to the hub site is offline.

    Any users or computers who are not allowed (including implicitly) or who are denied do not have their passwords cached. If those users or computers do not have access to a writable domain controller, they cannot access AD DS-provided resources or functionality. For more information about the PRP, see Password Replication Policy. For more information about managing the PRP, see Administering the Password Replication Policy.

For more information about installing RODCs, see Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200).
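The distinction the section draws, between accounts the PRP allows and accounts the RODC has actually cached, is easy to check from the ActiveDirectory module. This is an added example, not from the article; the RODC name BRANCH-RODC01 and the group names are constructed placeholders.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# and Domain Admins rights. Names below are constructed placeholders.
$Rodc = 'BRANCH-RODC01'

# Allow caching only for the branch's own users and workstations; explicitly deny the
# accounts whose secrets must never rest on a physically exposed server. A Denied entry
# wins over an Allowed entry for the same account.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch Office Users', 'Branch Office Computers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Tier 0 Operators', 'Data Center Service Accounts'

function Get-RodcCacheReport {
    param([Parameter(Mandatory)][string]$Identity)

    # Policy intent: what the PRP says may and may not be cached.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Identity -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Identity -Denied

    # Actual state: accounts whose passwords are stored on the RODC right now ("revealed"),
    # and accounts that have authenticated through it (forwarded to a writable DC when not cached).
    $revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Identity -RevealedAccounts)
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Identity -AuthenticatedAccounts)

    # Accounts that log on at this site but are not cached will fail to log on when the WAN
    # link to the hub is down. Candidates for pre-population with
    #   Sync-ADObject -Object <dn> -Source <writable DC> -Destination $Identity -PasswordOnly
    $notCached = $authenticated | Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }

    # Anything revealed that the policy now denies indicates a PRP tightened after the fact;
    # the cached secret stays until the account's password is reset.
    $deniedButRevealed = $revealed | Where-Object { $_.DistinguishedName -in $denied.DistinguishedName }

    [pscustomobject]@{
        RODC               = $Identity
        AllowedEntries     = $allowed.Name
        DeniedEntries      = $denied.Name
        RevealedCount      = $revealed.Count
        AuthenticatedCount = $authenticated.Count
        NotCachedAtSite    = $notCached.SamAccountName
        DeniedButRevealed  = $deniedButRevealed.SamAccountName
    }
}

Get-RodcCacheReport -Identity $Rodc | Format-List
```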

Additional Options

The following option appears on the Additional Options page if you are creating a new domain:

The following options appear on the Additional Options page if you install an additional domain controller in an existing domain:

  • You can either specify a domain controller as the replication source, or allow the wizard to choose any domain controller as the replication source.

  • You can also choose to install the domain controller from backed-up media by using the Install from media (IFM) option. If the installation media is stored locally, the Install from media Path option allows you to browse to the file location. The browse option is not available for a remote installation. You can click Verify to ensure that the provided path contains valid media. Media used by the IFM option must be created with Windows Server Backup or Ntdsutil.exe from another existing Windows Server 2012 computer; you cannot use Windows Server 2008 R2 or an earlier operating system to create media for a Windows Server 2012 domain controller. If the media is protected with a SYSKEY, Server Manager prompts for the image's password during verification.

For more information about how to create a domain, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200). For more information about how to add a domain controller to an existing domain, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).

Paths

The following options appear on the Paths page.

  • The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default locations are always in %systemroot%.

Specify the location for the AD DS database (NTDS.DIT), the log files, and SYSVOL. For a local installation, you can browse to the location where you want to store the files.

Preparation Options

If you are not currently logged on with sufficient credentials to run adprep.exe commands, and adprep must run to complete the AD DS installation, you are prompted to supply credentials to run adprep.exe. Adprep must run in order to add the first domain controller that runs Windows Server 2012 to an existing domain or forest. More specifically:

  • Adprep /forestprep must be run to add the first domain controller that runs Windows Server 2012 to an existing forest. This command must be run by a member of the Enterprise Admins group, the Schema Admins group, and the Domain Admins group of the domain that hosts the schema master. For this command to complete successfully, there must be connectivity between the computer where you run the command and the schema master for the forest.

  • Adprep /domainprep must be run to add the first domain controller that runs Windows Server 2012 to an existing domain. This command must be run by a member of the Domain Admins group of the domain where you are installing the domain controller that runs Windows Server 2012. For this command to complete successfully, there must be connectivity between the computer where you run the command and the infrastructure master for the domain.

  • Adprep /rodcprep must be run to add the first RODC to an existing forest. This command must be run by a member of the Enterprise Admins group. For this command to complete successfully, there must be connectivity between the computer where you run the command and the infrastructure master for each application directory partition in the forest.

For more information about Adprep.exe, see Adprep.exe integration and Running Adprep.exe.

Review Options

  • The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last opportunity to stop the installation using Server Manager. This page simply enables you to review and confirm your settings before continuing the configuration.

  • The Review Options page in Server Manager also offers an optional View Script button that creates a Unicode text file containing the current ADDSDeployment configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio: use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or direct use.
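An ADDSDeployment script of the kind View Script exports, written out here as an added example for the new-forest case; it is not the wizard's actual output or the article's code. It assumes the internal forest name corp.contoso.com (the article's recommended pattern), NetBIOS name CORP, and the default %systemroot% paths, and it adds the Test-ADDSForestInstallation step, which runs the same checks as the Prerequisites Check page without changing the server.

```powershell
# Added example (not from the original article, not the wizard's exported file).
# Run in an elevated session on the server to be promoted. All values are assumptions.
Import-Module ADDSDeployment

# The exported file is plain Unicode text. Prompt for the DSRM password instead of
# embedding it, so a copy of the script does not grant offline logon to every DC built
# from it. The Domain Controller Options section asks for a strong passphrase here.
$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

$forest = @{
    DomainName                    = 'corp.contoso.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false      # a new forest root has no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    NoRebootOnCompletion          = $false
    Force                         = $true       # suppress the confirmation prompt; warnings still print
}

# Prerequisite pass: same validation the wizard shows on the Prerequisites Check page.
# The cmdlet returns a result object whose Status/Message properties summarise the outcome.
$check = Test-ADDSForestInstallation @forest
$check | Format-List Status, Message, Context

if ($check.Status -ne 'Success') {      # assumption: any non-success status aborts the run
    throw "Prerequisite check did not pass: $($check.Message)"
}

# Promotion. With NoRebootOnCompletion = $false the server restarts when it finishes.
Install-ADDSForest @forest
```

Splatting one hashtable into both cmdlets keeps the checked configuration and the installed configuration identical, which is the point of the View Script workflow.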

Prerequisites Check

Some of the warnings that appear on this page include:

  • Domain controllers that run Windows Server 2008 or later have a default setting for "Allow cryptography algorithms compatible with Windows NT 4" that prevents weaker cryptography algorithms from being used when establishing secure channel sessions. For more information about the potential impact and a workaround, see KB article 942564.

  • DNS delegation could not be created or updated. For more information, see DNS Options.

  • The prerequisite check requires WMI calls. They can fail if firewall rules block them, returning an "RPC server unavailable" error.

For more information about the specific prerequisite checks that are performed for AD DS installation, see Prerequisite Tests.

Results

On this page, you can review the results of the installation.

You can also choose to restart the target server after the wizard completes, but if the installation succeeds, the server always restarts regardless of whether you select that option. In some cases, after the wizard completes on a target server that was not joined to the domain before the installation, the system state of the target server can make the server unreachable on the network, or can prevent you from having permissions to manage the remote server.

If the target server fails to restart in this case, you must restart it manually. Tools such as shutdown.exe or Windows PowerShell cannot restart it. You can use Remote Desktop Services to log on and shut down the target server remotely.

Role Removal Credentials

You configure demotion options on the Credentials page. Provide the credentials necessary to perform the demotion, according to the following list:

  • Demoting an additional domain controller requires Domain Admins credentials. Selecting Force the removal of this domain controller demotes the domain controller without removing the domain controller object's metadata from Active Directory.

    Important

    Do not select this option unless the domain controller cannot contact other domain controllers and there is no reasonable way to resolve that network issue. Forced demotion leaves orphaned metadata in Active Directory on the remaining domain controllers in the forest. In addition, all un-replicated changes on that domain controller, such as passwords or new user accounts, are lost forever. Orphaned metadata is the root cause in a significant percentage of Microsoft Customer Support cases for AD DS, Exchange, SQL, and other software. If you forcibly demote a domain controller, you must perform metadata cleanup manually and immediately. For steps, review Clean Up Server Metadata.

  • Demoting the last domain controller in a domain requires Enterprise Admins group membership, because this removes the domain itself (if this is the last domain in the forest, it removes the forest). Server Manager informs you if the current domain controller is the last domain controller in the domain. Select Last domain controller in the domain to confirm that the domain controller is the last one in the domain.

For more information about removing AD DS, see Remove Active Directory Domain Services (Level 100) and Demoting Domain Controllers and Domains (Level 200).

AD DS Removal Options and Warnings

If you need help with the Review Options page, see Review Options.

If the domain controller hosts additional roles, such as the DNS server role or the global catalog, the following Warning page appears:

You must click Proceed with removal to acknowledge that the additional roles will no longer be available before you can click Next to continue.

If you force the removal of a domain controller, any Active Directory object changes that have not replicated to other domain controllers in the domain will be lost. Additionally, if the domain controller hosts operations master roles, the global catalog, or the DNS server role, critical operations in the domain and forest may be affected as described below. Before you remove a domain controller that hosts any operations master role, try to transfer the role to another domain controller. If it is not possible to transfer the role, first remove Active Directory Domain Services from this computer, and then use Ntdsutil.exe to seize the role. Run Ntdsutil on the domain controller to which you plan to seize the role; if possible, use a recent replication partner in the same site as this domain controller. For more information about transferring and seizing operations master roles, see article 255504 in the Microsoft Knowledge Base. If the wizard cannot determine whether the domain controller hosts an operations master role, run the netdom.exe command to determine whether this domain controller performs any operations master roles.

  • Global catalog: users might have trouble logging on to domains in the forest. Before you remove a global catalog server, ensure that there are enough global catalog servers in this forest and site to service user logons. If necessary, designate another global catalog server and update clients and applications with the new information.

  • DNS server: all of the DNS data that is stored in Active Directory-integrated zones will be lost. After you remove AD DS, this DNS server will not be able to perform name resolution for the DNS zones that were Active Directory-integrated. Therefore, we recommend that you update the DNS configuration of all computers that currently refer to the IP address of this DNS server for name resolution with the IP address of a new DNS server.

  • Infrastructure master: clients in the domain might have difficulty locating objects in other domains. Before you continue, transfer the infrastructure master role to a domain controller that is not a global catalog server.

  • RID master: you might have problems creating new user accounts, computer accounts, and security groups. Before you continue, transfer the RID master role to a domain controller in the same domain as this domain controller.

  • Primary domain controller (PDC) emulator: operations that are performed by the PDC emulator, such as Group Policy updates and password resets for non-AD DS accounts, will not function properly. Before you continue, transfer the PDC emulator master role to a domain controller in the same domain as this domain controller.

  • Schema master: you will no longer be able to modify the schema for this forest. Before you continue, transfer the schema master role to a domain controller in the root domain of the forest.

  • Domain naming master: you will no longer be able to add domains to or remove domains from this forest. Before you continue, transfer the domain naming master role to a domain controller in the root domain of the forest.

  • All application directory partitions on this Active Directory domain controller will be removed. If the domain controller holds the last replica of one or more application directory partitions, those partitions will no longer exist when the removal operation is complete.

Be aware that the domain will no longer exist after you uninstall Active Directory Domain Services from the last domain controller in the domain.
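The pre-demotion check the warnings above call for, as an added example rather than code from the article: find which operations master roles the outgoing domain controller holds and transfer them, with the infrastructure-master-on-a-GC warning the article gives. It assumes the ActiveDirectory module, a source DC named DC01 and a target DC02 in the same domain (constructed names).

```powershell
# Added example (not from the original article). DC01 and DC02 are placeholders.
# Graceful transfer is the default path; -Seize maps to the Ntdsutil "seize" case the
# article reserves for a DC that can no longer be contacted.
function Get-OperationsMasterRoles {
    param([Parameter(Mandatory)][string]$DomainController)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # Role holders come back as FQDNs; compare on the host label so 'DC01' matches 'DC01.corp.contoso.com'.
    $holders = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    $label = ($DomainController -split '\.')[0]
    $holders.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $label } |
        ForEach-Object { $_.Key }
}

function Move-RolesBeforeDemotion {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target,
        [switch]$Seize        # only when $Source is unreachable; the old holder is not updated
    )
    $roles = @(Get-OperationsMasterRoles -DomainController $Source)
    if ($roles.Count -eq 0) {
        Write-Host "$Source holds no operations master roles; safe to demote."
        return
    }
    Write-Host "$Source holds: $($roles -join ', ')"

    # The article: move the infrastructure master to a DC that is NOT a global catalog server.
    if ('InfrastructureMaster' -in $roles) {
        if ((Get-ADDomainController -Identity $Target).IsGlobalCatalog) {
            Write-Warning "$Target is a global catalog server; choose a non-GC target for InfrastructureMaster."
        }
    }

    # -Force seizes instead of transferring. Never seize while the source is still reachable.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles `
        -Force:$Seize -Confirm:$false

    # Confirm the new holder before proceeding to the Credentials page of the removal wizard.
    Get-OperationsMasterRoles -DomainController $Target
}

Move-RolesBeforeDemotion -Source 'DC01' -Target 'DC02'
```

`netdom query fsmo`, which the article mentions, lists the same five holders and is a useful cross-check from a host without the PowerShell module.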

If the domain controller is a DNS server to which the DNS zone is delegated, the following page provides the option to remove the DNS server from the DNS zone delegation.

For more information about removing AD DS, see Remove Active Directory Domain Services (Level 100) and Demoting Domain Controllers and Domains (Level 200).

New Administrator Password

The New Administrator Password page requires you to provide a password for the built-in local Administrator account, which takes effect once the demotion completes and the computer becomes a domain member server or workgroup computer.

For more information about removing AD DS, see Remove Active Directory Domain Services (Level 100) and Demoting Domain Controllers and Domains (Level 200).

Review Options

The Review Options page gives you the chance to export the configuration settings for the demotion to a Windows PowerShell script so that you can automate additional demotions. Click Demote to remove AD DS.