Domain-Wide Updates

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

You can review the following set of changes to help understand and prepare for the schema updates that are performed by adprep /domainprep in Windows Server 2012. There are no domain-wide operations performed by the domainprep command in Windows Server 2012 R2.

Beginning in Windows Server 2012, Adprep commands run automatically as needed during AD DS installation. They can also be run separately in advance of AD DS installation. For more information, see Running Adprep.exe.

For more information about how to interpret the access control entry (ACE) strings, see ACE strings. For more information about how to interpret the security ID (SID) strings, see SID strings.

Windows Server 2016: Domain-wide updates

After the operations that are performed by domainprep in Windows Server 2016 (operations 82-88) complete, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 15.

Operation 82: {83C53DA7-427E-47A4-A07A-A324598B88F7}
Description: Create CN=Keys container at root of domain
Attributes:
- objectClass: container
- description: Default container for key credential objects
- ShowInAdvancedViewOnly: TRUE
Permissions:
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DD)
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;ED)

Operation 83: {C81FC9CC-0130-4FD1-B272-634D74818133}
Description: Add Full Control allow ACEs to CN=Keys container for "domain\Key Admins" and "rootdomain\Enterprise Key Admins".
Attributes: N/A
Permissions:
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Key Admins)
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Enterprise Key Admins)

Operation 84: {E5F9E791-D96D-4FC9-93C9-D53E1DC439BA}
Description: Modify otherWellKnownObjects attribute to point to the CN=Keys container.
Attributes:
- otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,%ws
Permissions: N/A

Operation 85: {e6d5fd00-385d-4e65-b02d-9da3493ed850}
Description: Modify the domain NC to permit "domain\Key Admins" and "rootdomain\Enterprise Key Admins" to modify the msds-KeyCredentialLink attribute.
Attributes: N/A
Permissions:
(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;Key Admins)
(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;Enterprise Key Admins in root domain, but in non-root domains resulted in a bogus domain-relative ACE with a non-resolvable -527 SID)

Operation 86: {3a6b3fbf-3168-4312-a10d-dd5b3393952d}
Description: Grant the DS-Validated-Write-Computer CAR to creator owner and self
Attributes: N/A
Permissions:
(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)
(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)

Operation 87: {7F950403-0AB3-47F9-9730-5D7B0269F9BD}
Description: Delete the ACE granting Full Control to the incorrect domain-relative Enterprise Key Admins group, and add an ACE granting Full Control to Enterprise Key Admins group.
Attributes: N/A
Permissions:
Delete (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Enterprise Key Admins)
Add (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;Enterprise Key Admins)

Operation 88: {434bb40d-dbc9-4fe7-81d4-d57229f7b080}
Description: Add "msDS-ExpirePasswordsOnSmartCardOnlyAccounts" on the domain NC object and set default value to FALSE
Attributes: N/A
Permissions: N/A

The Enterprise Key Admins and Key Admins groups are only created after a Windows Server 2016 Domain Controller is promoted and takes over the PDC Emulator FSMO role.
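
The ACE strings listed for operations 82-88 can be decoded field by field, and the domain-relative -527 trustee that operation 87 removes can be detected in a DACL. The following Python is an added example, not part of the original page or of any Microsoft tooling; the function names, the made-up SIDs, and the requirement that the caller supplies the forest root domain SID are assumptions, and it handles only six-field ACE strings like those shown on this page.

```python
import re

# Two-letter rights mnemonics that appear in the ACE strings on this page.
RIGHTS = {
    "RP": "read property", "WP": "write property", "CR": "control access",
    "LC": "list children", "LO": "list object", "CC": "create child",
    "DC": "delete child", "RC": "read control", "WD": "write DACL",
    "WO": "write owner", "SD": "delete", "DT": "delete tree", "SW": "validated write",
}
FULL_CONTROL = set(RIGHTS)  # all 13 mnemonics, as in RPWPCRLCLOCCDCRCWDWOSDDTSW

def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(ace):
    """Split '(type;flags;rights;object_guid;inherit_object_guid;trustee)'."""
    fields = ace.strip().strip("()").split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {ace!r}")
    ace_type, flags, rights, obj, inherit_obj, trustee = (f.strip() for f in fields)
    codes = [rights] if rights.startswith("0x") else _pairs(rights)  # hex masks kept as-is
    return {
        "type": ace_type, "flags": _pairs(flags), "rights": codes,
        "full_control": set(codes) == FULL_CONTROL,
        "object_guid": obj.lower() or None,
        "inherit_object_guid": inherit_obj.lower() or None,
        "trustee": trustee,
    }

def bogus_enterprise_key_admin_aces(sddl, root_domain_sid):
    """Return ACEs whose trustee is a domain-relative -527 SID outside the forest root."""
    hits = []
    for raw in re.findall(r"\([^()]*\)", sddl):
        trustee = parse_ace(raw)["trustee"]
        domain, _, rid = trustee.rpartition("-")
        if trustee.startswith("S-1-5-21-") and rid == "527" and domain != root_domain_sid:
            hits.append(raw)
    return hits

# Constructed sample: the SIDs are made up; the ACE shapes follow operations 82 and 85.
ROOT_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CHILD_SID = "S-1-5-21-4444444444-5555555555-6666666666"
SAMPLE_DACL = (
    "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)"
    f"(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;{ROOT_SID}-527)"
    f"(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;{CHILD_SID}-527)"
)

print(bogus_enterprise_key_admin_aces(SAMPLE_DACL, ROOT_SID))
```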

Windows Server 2012 R2: Domain-wide updates

Although no operations are performed by domainprep in Windows Server 2012 R2, after the command completes, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 10.

Windows Server 2012: Domain-wide updates

After the operations that are performed by domainprep in Windows Server 2012 (operations 78, 79, 80, and 81) complete, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 9.

Operation 78: {c3c927a6-cc1d-47c0-966b-be8f9b63d991}
Description: Create a new object CN=TPM Devices in the Domain partition.
Attributes:
- Object class: msTPM-InformationObjectsContainer
Permissions: N/A

Operation 79: {54afcfb9-637a-4251-9f47-4d50e7021211}
Description: Created an access control entry for the TPM service.
Attributes: N/A
Permissions:
(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)

Operation 80: {f4728883-84dd-483c-9897-274f2ebcf11e}
Description: Grant "Clone DC" extended right to Cloneable Domain Controllers group
Attributes: N/A
Permissions:
(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;domain SID-522)

Operation 81: {ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff}
Description: Grant ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity to Principal Self on all objects.
Attributes: N/A
Permissions:
(OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)