Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains how to add child and tree domains to an existing Windows Server 2012 forest, using Server Manager or Windows PowerShell.

Child and Tree Domain Workflow

The following diagram illustrates the Active Directory Domain Services configuration process when you have previously installed the AD DS role and have started the Active Directory Domain Services Configuration Wizard from Server Manager to create a new domain in an existing forest.

[Diagram: AD DS configuration workflow for a new domain in an existing forest]

Child and Tree Domain Windows PowerShell

ADDSDeployment Cmdlet: Install-AddsDomain

Arguments (arguments marked "required" must be supplied on the command line; the remaining arguments are optional, and several of them correspond to options you can also set in the AD DS Configuration Wizard):

  -SkipPreChecks
  -NewDomainName (required)
  -ParentDomainName (required)
  -SafeModeAdministratorPassword
  -ADPrepCredential
  -AllowDomainReinstall
  -Confirm
  -CreateDNSDelegation
  -Credential (required when you are not logged on as a member of Enterprise Admins)
  -DatabasePath
  -DNSDelegationCredential
  -NoDNSOnNetwork
  -DomainMode
  -DomainType (required)
  -Force
  -InstallDNS
  -LogPath
  -NewDomainNetBIOSName
  -NoGlobalCatalog
  -NoRebootOnCompletion
  -ReplicationSourceDC
  -SiteName
  -SkipAutoConfigureDNS
  -SYSVOLPath
  -WhatIf

Note

The -Credential argument is only required when you are not currently logged on as a member of the Enterprise Admins group. The -NewDomainNetBIOSName argument is required if you want to change the automatically generated 15-character name based on the DNS domain name prefix, or if that prefix exceeds 15 characters.

Deployment

Deployment Configuration

The following screenshot shows the options for adding a child domain:

[Screenshot: Deployment Configuration page with Add a domain to an existing forest and Child Domain selected]

The following screenshot shows the options for adding a tree domain:

[Screenshot: Deployment Configuration page with Add a domain to an existing forest and Tree Domain selected]

Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields on this page and the subsequent pages change depending on which deployment operation you select.

This topic combines two discrete operations: child domain promotion and tree domain promotion. The only difference between the two operations is the domain type that you choose to create. All of the other steps are identical.

  • To create a new child domain, click Add a domain to an existing forest and choose Child Domain. For Parent domain name, type or select the name of the parent domain. Then type the name of the new domain in the New domain name box. Provide a valid, single-label child domain name; the name must meet DNS domain name requirements.

  • To create a tree domain within an existing forest, click Add a domain to an existing forest and choose Tree Domain. Type the name of the forest root domain, and then type the name of the new domain. Provide a valid, fully qualified root domain name; the name cannot be single-labeled and must meet DNS domain name requirements.

For more information about DNS names, see Naming conventions in Active Directory for computers, domains, sites, and OUs.

The Server Manager Active Directory Domain Services Configuration Wizard prompts you for domain credentials if your current credentials are not from the domain. Click Change to provide domain credentials for the promotion operation.

The Deployment Configuration ADDSDeployment cmdlet and arguments are:

Install-AddsDomain  
-domaintype <{childdomain | treedomain}>  
-parentdomainname <string>  
-newdomainname <string>  
-credential <pscredential>  

Domain Controller Options

[Screenshot: Domain Controller Options page]

The Domain Controller Options page specifies the domain controller options for the new domain controller. The configurable options are DNS server and Global Catalog; you cannot configure a read-only domain controller as the first domain controller in a new domain.

Microsoft recommends that all domain controllers provide DNS and GC services, for high availability in distributed environments. GC is always selected by default, and DNS is selected by default if the current domain already hosts DNS on its DCs, as determined by a Start-of-Authority query. You must also specify a domain functional level. The default functional level is Windows Server 2012, and you can choose any other value that is equal to or greater than the current forest functional level.

The Domain Controller Options page also enables you to choose the appropriate Active Directory logical site name from the forest configuration. By default, the site whose subnet best matches the server is selected. If there is only one site, it is selected automatically.

Important

If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is selected and the Next button is unavailable until you choose a site from the list.

The specified Directory Services Restore Mode (DSRM) password must adhere to the password policy applied to the server. Always choose a strong, complex password or, preferably, a passphrase.

The Domain Controller Options ADDSDeployment cmdlet arguments are:

-InstallDNS <{$false | $true}>  
-NoGlobalCatalog <{$false | $true}>  
-DomainMode <{Win2003 | Win2008 | Win2008R2 | Win2012 | Default}>  
-Sitename <string>  
-SafeModeAdministratorPassword <secure string>  
-Credential <pscredential>  

Important

The site name must already exist when provided as a value to the -SiteName argument. The Install-AddsDomain cmdlet does not create sites. You can use the New-ADReplicationSite cmdlet to create new sites.

The Install-AddsDomain cmdlet arguments follow the same defaults as Server Manager if not specified.

The SafeModeAdministratorPassword argument behaves specially:

  • If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    For example, to create a new child domain named NorthAmerica in the Contoso.com forest and be prompted to enter and confirm a masked password:

    Install-ADDSDomain -NewDomainName NorthAmerica -ParentDomainName Contoso.com -DomainType ChildDomain  
    
  • If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

For example, you can prompt for the password yourself by using the Read-Host cmdlet to read a secure string from the user:

-safemodeadministratorpassword (read-host -prompt "Password:" -assecurestring)  

Warning

Because the previous option does not confirm the password, use extreme caution: the password is not visible, so a typo goes unnoticed.

You can also provide a secure string converted from a clear-text variable, although this is highly discouraged.

-safemodeadministratorpassword (convertto-securestring "Password1" -asplaintext -force)  

Finally, you could store the obfuscated password in a file and reuse it later, without the clear-text password ever appearing on the command line. For example:

$file = "c:\pw.txt"  
$pw = read-host -prompt "Password:" -assecurestring  
$pw | ConvertFrom-SecureString | Set-Content $file  

-safemodeadministratorpassword (Get-Content $File | ConvertTo-SecureString)  

Warning

Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script, or looking over your shoulder, learns the DSRM password of that domain controller. Anyone with access to the file could reverse the obfuscated password. With that knowledge, they can log on to a DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in the AD forest. An additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to avoid password storage entirely.

The ADDSDeployment module offers an additional option to skip automatic configuration of DNS client settings, forwarders, and root hints. This is not configurable when using Server Manager. This argument matters only if you installed the DNS Server service before configuring the domain controller:
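As an added example (not code from the Microsoft page), the following script prompts for the DSRM password twice and proceeds only when both entries match, which closes the confirmation gap noted above for Read-Host -AsSecureString, and then calls Install-ADDSDomain with -WhatIf so you can review the explicit and implicit values without promoting. The domain names are constructed sample values, and the script assumes it runs on the server being promoted with the ADDSDeployment module available.

```powershell
# Added example: confirm a DSRM password read with Read-Host -AsSecureString
# (the page's Read-Host form does not confirm the entry), then dry-run Install-ADDSDomain.

function Read-ConfirmedSecureString {
    param([string]$Prompt = "DSRM password")

    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString

        # Decrypt both entries only long enough to compare them, then zero the buffers.
        $b1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($first)
        $b2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($second)
        try {
            $match = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($b1) -ceq
                     [Runtime.InteropServices.Marshal]::PtrToStringBSTR($b2)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b1)
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b2)
        }

        # Reject empty input as well as mismatches; the DSRM password must satisfy
        # the server's password policy, which Install-ADDSDomain enforces itself.
        if ($match -and $first.Length -gt 0) { return $first }
        Write-Warning "Entries did not match or were empty; try again."
    }
}

$dsrm = Read-ConfirmedSecureString

Import-Module ADDSDeployment

# Constructed sample names. -WhatIf prints the effective argument values and
# performs no promotion; remove it to run the real operation.
Install-ADDSDomain `
    -NewDomainName "research" `
    -ParentDomainName "corp.contoso.com" `
    -DomainType "ChildDomain" `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential -Message "Enterprise Admins credential") `
    -InstallDNS:$true `
    -CreateDNSDelegation `
    -WhatIf
```

The plain-text copies exist only for the duration of the comparison; no password is written to a variable, file, or script, which is the page's recommended practice.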

-SkipAutoConfigureDNS  

DNS Options and DNS Delegation Credentials

[Screenshot: DNS Options page]

The DNS Options page enables you to provide alternate DNS Admin credentials for delegation.

When installing a new domain in an existing forest, where you selected DNS installation on the Domain Controller Options page, you cannot configure any options; the delegation is created automatically and irrevocably. You do have the option to provide alternate DNS administrative credentials that have rights to update that structure.

The DNS Options ADDSDeployment Windows PowerShell arguments are:

-creatednsdelegation   
-dnsdelegationcredential <pscredential>  

For more information about DNS delegation, see Understanding Zone Delegation.

Additional Options

[Screenshot: Additional Options page]

The Additional Options page shows the NetBIOS name of the domain and enables you to override it. By default, the NetBIOS domain name matches the left-most label of the fully qualified domain name provided on the Deployment Configuration page. For example, if you provided the fully qualified domain name corp.contoso.com, the default NetBIOS domain name is CORP.

If the name is 15 characters or fewer and does not conflict with another NetBIOS name, it is used unaltered. If it conflicts with another NetBIOS name, a number is appended to the name. If the name is more than 15 characters, the wizard provides a unique, truncated suggestion. In either case, the wizard first validates that the name is not already in use, via a WINS lookup and a NetBIOS broadcast.

For more information about DNS names, see Naming conventions in Active Directory for computers, domains, sites, and OUs.

The Install-AddsDomain arguments follow the same defaults as Server Manager if not specified. The NewDomainNetBIOSName argument behaves specially:

  1. If the NewDomainNetBIOSName argument is not specified and the single-label prefix of the name in the NewDomainName argument is 15 characters or fewer, promotion continues with an automatically generated name.

  2. If the NewDomainNetBIOSName argument is not specified and the single-label prefix of the name in the NewDomainName argument is 16 characters or more, promotion fails.

  3. If the NewDomainNetBIOSName argument is specified with a NetBIOS domain name of 15 characters or fewer, promotion continues with that specified name.

  4. If the NewDomainNetBIOSName argument is specified with a NetBIOS domain name of 16 characters or more, promotion fails.

The Additional Options ADDSDeployment cmdlet argument is:

-newdomainnetbiosname <string>  
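As an added example (not code from the Microsoft page), the following pre-flight function checks the inputs against the rules stated on this page before you run Install-ADDSDomain: single-label versus fully qualified names for child and tree domains, the four NetBIOS name cases above, and the requirement that the site named in -SiteName already exists. The domain and site names are constructed samples, and the site check assumes the ActiveDirectory module and connectivity to the forest.

```powershell
# Added example: validate Install-ADDSDomain inputs against the page's rules.
# Get-ADReplicationSite requires the ActiveDirectory module (RSAT-AD-PowerShell).

function Test-NewDomainParameters {
    param(
        [Parameter(Mandatory)][ValidateSet("ChildDomain", "TreeDomain")][string]$DomainType,
        [Parameter(Mandatory)][string]$NewDomainName,
        [string]$NewDomainNetBIOSName,
        [string]$SiteName
    )
    $problems = @()
    $labels = $NewDomainName -split '\.'

    # A child domain takes a single label; a tree domain needs a fully qualified name.
    if ($DomainType -eq "ChildDomain" -and $labels.Count -ne 1) {
        $problems += "ChildDomain requires a single-label name, got '$NewDomainName'."
    }
    if ($DomainType -eq "TreeDomain" -and $labels.Count -lt 2) {
        $problems += "TreeDomain requires a fully qualified name, got '$NewDomainName'."
    }

    # The automatic NetBIOS name is the left-most DNS label in upper case.
    $prefix = $labels[0].ToUpperInvariant()
    if (-not $NewDomainNetBIOSName) {
        # Cases 1 and 2: automatic name is fine at 15 characters or fewer, fails above that.
        if ($prefix.Length -gt 15) {
            $problems += "Prefix '$prefix' is $($prefix.Length) characters; pass -NewDomainNetBIOSName with 15 or fewer."
        }
        $effective = $prefix
    } else {
        # Cases 3 and 4: an explicit name works at 15 or fewer, fails at 16 or more.
        if ($NewDomainNetBIOSName.Length -gt 15) {
            $problems += "NetBIOS name '$NewDomainNetBIOSName' exceeds 15 characters."
        }
        $effective = $NewDomainNetBIOSName
    }

    # Install-ADDSDomain does not create sites, so -SiteName must already exist.
    if ($SiteName) {
        $site = Get-ADReplicationSite -Identity $SiteName -ErrorAction SilentlyContinue
        if (-not $site) {
            $problems += "Site '$SiteName' not found; create it with New-ADReplicationSite first."
        }
    }

    [pscustomobject]@{
        Passed           = ($problems.Count -eq 0)
        EffectiveNetBIOS = $effective
        Problems         = $problems
    }
}

# Constructed samples: an 18-character prefix fails case 2 without an override (first call)
# and passes case 3 with a 12-character explicit name (second call).
Test-NewDomainParameters -DomainType ChildDomain -NewDomainName "northamericaregion" -SiteName "Default-First-Site-Name"
Test-NewDomainParameters -DomainType ChildDomain -NewDomainName "northamericaregion" -NewDomainNetBIOSName "NORTHAMERICA"
```

The function reports the NetBIOS name that promotion would use, but it does not perform the wizard's WINS lookup and NetBIOS broadcast, so a name conflict can still surface at promotion time.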

Paths

[Screenshot: Paths page]

The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%.

The Paths ADDSDeployment cmdlet arguments are:

-databasepath <string>  
-logpath <string>  
-sysvolpath <string>  

Review Options and View Script

[Screenshot: Review Options page]

The Review Options page enables you to validate your settings and ensure they meet your requirements before you start the installation. This is not the last opportunity to stop the installation when using Server Manager; it is simply a chance to confirm your settings before continuing the configuration.

The Review Options page in Server Manager also offers an optional View Script button that creates a Unicode text file containing the current ADDSDeployment configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio. Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or direct use. For example:

#  
# Windows PowerShell Script for AD DS Deployment  
#  

Import-Module ADDSDeployment  
Install-ADDSDomain `  
-NoGlobalCatalog:$false `  
-CreateDNSDelegation `  
-Credential (Get-Credential) `  
-DatabasePath "C:\Windows\NTDS" `  
-DomainMode "Win2012" `  
-DomainType "ChildDomain" `  
-InstallDNS:$true `  
-LogPath "C:\Windows\NTDS" `  
-NewDomainName "research" `  
-NewDomainNetBIOSName "RESEARCH" `  
-ParentDomainName "corp.contoso.com" `  
-Norebootoncompletion:$false `  
-SiteName "Default-First-Site-Name" `  
-SYSVOLPath "C:\Windows\SYSVOL" `  
-Force:$true  

Note

Server Manager generally fills in all arguments with explicit values when promoting and does not rely on defaults (as they may change between future versions of Windows or service packs). The one exception is the -SafeModeAdministratorPassword argument, which is deliberately omitted from the script. To force a confirmation prompt, omit that value when running the cmdlet interactively.

Use the optional -WhatIf argument with the Install-ADDSDomain cmdlet to review configuration information. This enables you to see the explicit and implicit values of the arguments for a cmdlet.

[Screenshot: Install-ADDSDomain -WhatIf output]

Prerequisites Check

[Screenshot: Prerequisites Check page]

The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new AD DS domain.

When installing a new domain in an existing forest, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests. These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller process cannot continue until all prerequisite tests pass.

The Prerequisites Check also surfaces relevant information, such as security changes that affect older operating systems.

For more information on the specific prerequisite checks, see Prerequisite Checking.

You cannot bypass the Prerequisites Check when using Server Manager, but you can skip it when using the AD DS Deployment cmdlet by passing the following argument:

-skipprechecks  

Warning

Microsoft discourages skipping the prerequisite check, as doing so can lead to a partial domain controller promotion or a damaged AD DS forest.

Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.

Installation

[Screenshot: Installation page]

When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and are written to the following logs:

  • %systemroot%\debug\dcpromo.log

  • %systemroot%\debug\dcpromoui.log

To install a new Active Directory domain using the ADDSDeployment module, use the following cmdlet:

Install-addsdomain  

See Child and Tree Domain Windows PowerShell for the required and optional arguments. The Install-ADDSDomain cmdlet has only two phases (prerequisite checking and installation). The two figures below show the installation phase with the minimum required arguments of -DomainType, -NewDomainName, -ParentDomainName, and -Credential. Note how, just like Server Manager, Install-ADDSDomain reminds you that promotion will reboot the server automatically.

[Figure 1 of 2: Install-ADDSDomain installation phase]

[Figure 2 of 2: Install-ADDSDomain installation phase]

To accept the reboot prompt automatically, use the -Force or -Confirm:$false argument with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from rebooting automatically at the end of promotion, use the -NoRebootOnCompletion argument.

Warning

Overriding the reboot is not recommended. The domain controller must reboot to function correctly.

Results

[Screenshot: Results page]

The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.