Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains how to create a staged RODC account and then attach a server to that account during RODC installation. It also explains how to install an RODC without performing a staged installation.

Stage RODC Workflow

A staged read-only domain controller (RODC) installation works in two discrete phases:

  1. Staging an unoccupied computer account

  2. Attaching an RODC to that account during promotion

The following diagram illustrates the Active Directory Domain Services Read-Only Domain Controller staging process, where you create an empty RODC computer account in the domain using the Active Directory Administrative Center (Dsac.exe).

[Diagram: Install RODC]

Stage RODC Windows PowerShell

ADDSDeployment cmdlet: Add-ADDSReadOnlyDomainControllerAccount

Arguments (required arguments are marked; the remaining arguments are optional and, where the AD DS Configuration Wizard also exposes them, can be specified either in Windows PowerShell or in the wizard):

  • -SkipPreChecks
  • -DomainControllerAccountName (required)
  • -DomainName (required)
  • -SiteName (required)
  • -AllowPasswordReplicationAccountName
  • -Credential
  • -DelegatedAdministratorAccountName
  • -DenyPasswordReplicationAccountName
  • -NoGlobalCatalog
  • -InstallDNS
  • -ReplicationSourceDC

Note

The -Credential argument is only required if you are not already logged on as a member of the Domain Admins group.

Attach RODC Workflow

The diagram below illustrates the Active Directory Domain Services configuration process, where you have already installed the AD DS role and staged the RODC account, and have started Promote this server to a domain controller in Server Manager to create a new RODC in an existing domain, attaching it to the staged computer account.

[Diagram: Install RODC]

Attach RODC Windows PowerShell

ADDSDeployment cmdlet: Install-ADDSDomainController

Arguments (required arguments are marked; the remaining arguments are optional and, where the AD DS Configuration Wizard also exposes them, can be specified either in Windows PowerShell or in the wizard):

  • -SkipPreChecks
  • -DomainName (required)
  • -SafeModeAdministratorPassword
  • -ApplicationPartitionsToReplicate
  • -CreateDNSDelegation
  • -Credential
  • -CriticalReplicationOnly
  • -DatabasePath
  • -DNSDelegationCredential
  • -InstallationMediaPath
  • -LogPath
  • -NoRebootOnCompletion
  • -ReplicationSourceDC
  • -SystemKey
  • -SYSVOLPath
  • -UseExistingAccount (required to attach the server to a staged account)

Note

The -Credential argument is only required if you are not already logged on as a member of the Domain Admins group.

Staging


You perform the staging operation for a read-only domain controller computer account by opening the Active Directory Administrative Center (Dsac.exe). Click the name of the domain in the navigation pane. Double-click Domain Controllers in the management list. Click Pre-create a Read-only domain controller account in the Tasks pane.

For more information about the Active Directory Administrative Center, see Advanced AD DS Management Using Active Directory Administrative Center (Level 200) and review Active Directory Administrative Center: Getting Started.

If you have experience creating read-only domain controllers, you will notice that the installation wizard has the same graphical interface as the older Active Directory Users and Computers snap-in from Windows Server 2008 and uses the same code, which includes exporting the configuration in the unattend file format used by the obsolete dcpromo.

Windows Server 2012 introduces a new ADDSDeployment cmdlet to stage RODC computer accounts, but the wizard does not use the cmdlet for its operation. The following sections show the equivalent cmdlet and arguments so that the information associated with each wizard page is easier to relate to the scripted form.

The Pre-create a Read-only domain controller account link in the Active Directory Administrative Center's Tasks pane is equivalent to the ADDSDeployment Windows PowerShell cmdlet:

Add-addsreadonlydomaincontrolleraccount  

Welcome


The Welcome to the Active Directory Domain Services Installation Wizard dialog has one option named Use advanced mode installation. Select this option and click Next to show the password replication policy options. Clear this option to use the default values for the password replication policy options (discussed in further detail later in this section).

Network Credentials


The Domain name option in the Network Credentials dialog displays, by default, the domain targeted by the Active Directory Administrative Center. Your current credentials are used by default. If they do not include membership in the Domain Admins group, click Alternate credentials, and click Set to provide the wizard with the user name and password of a member of Domain Admins.

The equivalent ADDSDeployment Windows PowerShell argument is:

-credential <pscredential>  

Keep in mind that the staging system is a direct port from Windows Server 2008 R2 and does not provide the new Adprep functionality. If you plan to deploy staged RODC accounts, you must either first deploy an un-staged RODC in that domain so that the automatic rodcprep operation runs, or manually run adprep.exe /rodcprep first.

Otherwise, you will receive the error "You will not be able to install a read-only domain controller in this domain because 'adprep /rodcprep' was not yet run".


Specify the Computer Name


The Specify the Computer Name dialog requires you to enter the single-label computer name of a domain controller that does not exist yet. The domain controller you configure and attach to this account later must have the same name, or the promotion operation will not detect the staged account.

The equivalent ADDSDeployment Windows PowerShell argument is:

-domaincontrolleraccountname <string>  

Select a Site


The Select a Site dialog shows the list of Active Directory sites in the current forest. The staged read-only domain controller operation requires you to select a single site from the list. The RODC uses this information to create its NTDS Settings object in the Configuration partition and to join the correct site when it starts for the first time after being deployed.

The equivalent ADDSDeployment Windows PowerShell argument is:

-sitename <string>  

Additional Domain Controller Options


The Additional Domain Controller Options dialog enables you to specify that the domain controller also run as a DNS server and a global catalog. Microsoft recommends that read-only domain controllers provide DNS and GC services, so both are installed by default; one intention of the RODC role is the branch office scenario, where the wide area network may be unavailable and, without local DNS and global catalog services, computers in the branch would not be able to use AD DS resources and functionality.

The Read-only domain controller (RODC) option is pre-selected and cannot be disabled. The equivalent ADDSDeployment Windows PowerShell arguments are:

-installdns <string>  
-NoGlobalCatalog <{$true | $false}>  

Note

By default, the -NoGlobalCatalog value is $false, which means the domain controller will be a global catalog server if the argument is not specified.

Specify the Password Replication Policy


The Specify the Password Replication Policy dialog enables you to modify the default list of accounts that are allowed to cache their passwords on this read-only domain controller. Accounts in the list configured with Deny, or accounts that are not in the list at all (implicit deny), do not have their passwords cached. Accounts that are not allowed to cache passwords on the RODC and cannot connect and authenticate to a writable domain controller cannot access resources or functionality provided by Active Directory.

Important

The wizard shows this dialog only if you select the Use advanced mode installation check box on the Welcome screen. If you clear this check box, the wizard uses the following default groups and values:

  • Administrators - Deny
  • Server Operators - Deny
  • Backup Operators - Deny
  • Account Operators - Deny
  • Denied RODC Password Replication Group - Deny
  • Allowed RODC Password Replication Group - Allow

The equivalent ADDSDeployment Windows PowerShell arguments are:

-allowpasswordreplicationaccountname <string []>  
-denypasswordreplicationaccountname <string []>  
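The deny list above is what keeps privileged credentials off a branch RODC, so it is worth checking after deployment that it is still intact and that no privileged account has been cached. The following script is an added example, not code from the original article: it uses the ActiveDirectory module cmdlets Get-ADDomainControllerPasswordReplicationPolicy and Get-ADDomainControllerPasswordReplicationPolicyUsage to compare an RODC's effective PRP against the wizard defaults and to list any cached accounts that are members of Domain Admins. The RODC name BRANCH01-RODC is an assumption.

```powershell
# Added example, not from the original article. Audits the password replication
# policy (PRP) of one RODC. The RODC name used in the sample run is an assumption.
Import-Module ActiveDirectory

function Test-RodcPasswordReplicationPolicy {
    param([Parameter(Mandatory = $true)][string]$RodcName)

    # Groups the wizard denies by default when advanced mode is not used.
    $expectedDenied = @('Administrators', 'Server Operators', 'Backup Operators',
                        'Account Operators', 'Denied RODC Password Replication Group')

    # Effective PRP entries stored on the RODC's computer object.
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied)
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed)

    # Accounts whose secrets are currently cached on the RODC, regardless of policy.
    $cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)

    # Domain Admins (resolved recursively) should never be cached on a branch RODC.
    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                      Select-Object -ExpandProperty SamAccountName)

    [pscustomobject]@{
        Rodc                     = $RodcName
        MissingDefaultDenies     = @($expectedDenied | Where-Object { $_ -notin $denied.Name })
        AllowedEntries           = @($allowed | Select-Object -ExpandProperty Name)
        CachedAccountCount       = $cached.Count
        CachedPrivilegedAccounts = @($cached |
                                     Where-Object { $_.SamAccountName -in $domainAdmins } |
                                     Select-Object -ExpandProperty SamAccountName)
    }
}

# Sample run against an assumed RODC name.
$report = Test-RodcPasswordReplicationPolicy -RodcName 'BRANCH01-RODC'
$report | Format-List
if ($report.MissingDefaultDenies.Count -gt 0 -or $report.CachedPrivilegedAccounts.Count -gt 0) {
    Write-Warning "The PRP of $($report.Rodc) needs review."
}
```

Run this from a management workstation with the ActiveDirectory module as a domain administrator. An empty MissingDefaultDenies list and an empty CachedPrivilegedAccounts list is the expected result for an RODC staged with the defaults above; anything else means the policy was changed or a privileged account has authenticated through the RODC while allowed.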


Delegation of RODC Installation and Administration


The Delegation of RODC Installation and Administration dialog enables you to configure a user, or a group containing users, who are allowed to attach the server to the RODC computer account. Click Set to browse the domain for a user or group. The user or group specified in this dialog gains local administrative permissions on the RODC. The specified user, or the members of the specified group, can perform operations on the RODC with privileges equivalent to the computer's Administrators group. They are not members of the Domain Admins group or of the domain's built-in Administrators group.

Use this option to delegate branch office administration without granting the branch administrator membership in the Domain Admins group. Delegating RODC administration is not required.

The equivalent ADDSDeployment Windows PowerShell argument is:

-delegatedadministratoraccountname <string>  

Summary


The Summary dialog enables you to confirm your settings. This is the last opportunity to stop the installation before the wizard creates the staged account. Click Next when you are ready to create the staged RODC computer account. Click Export Settings to save an answer file in the obsolete dcpromo unattend file format.

Creation


The Active Directory Domain Services Installation Wizard creates the staged read-only domain controller account in Active Directory. You cannot cancel this operation after it starts.


Use the following cmdlet to stage a read-only domain controller computer account using the ADDSDeployment Windows PowerShell module:

Add-addsreadonlydomaincontrolleraccount  

See Stage RODC Windows PowerShell for the required and optional arguments.

Because Add-ADDSReadOnlyDomainControllerAccount has only one action with two phases (prerequisite checking and installation), the following screenshots show the installation phase with the minimum required arguments.
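As an added example (not code from the original article), the following script stages an RODC account with Add-ADDSReadOnlyDomainControllerAccount using the arguments described in the sections above, with a delegated branch administrator group and an explicit allow entry for the password replication policy. The domain corp.contoso.com, the site name Branch01, the account name BRANCH01-RODC and the CORP\ group names are assumptions; the two pre-checks (site exists, name not already in use) are additions that reflect the requirements stated in the Select a Site and Specify the Computer Name sections.

```powershell
# Added example, not from the original article. Stages an unoccupied RODC computer
# account with the ADDSDeployment module. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domainName = 'corp.contoso.com'   # assumed domain
$rodcName   = 'BRANCH01-RODC'      # single-label name the server must later use
$siteName   = 'Branch01'           # assumed site; it must already exist

# The staging cmdlet does not create sites, so fail early with a clear message.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    throw "Site '$siteName' does not exist. Create it with New-ADReplicationSite first."
}

# A staged account must be a new, unoccupied computer object; refuse to reuse a name.
if (Get-ADComputer -Filter "Name -eq '$rodcName'") {
    throw "A computer account named '$rodcName' already exists."
}

# Stage the account. The delegated group gets local-admin-equivalent rights on this
# RODC only, not Domain Admins membership. Only the branch user group is allowed to
# have passwords cached; -DenyPasswordReplicationAccountName is not passed, so the
# default deny list described in this article (Administrators, Server Operators,
# Backup Operators, Account Operators, Denied RODC Password Replication Group) applies.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domainName `
    -SiteName $siteName `
    -InstallDns:$true `
    -DelegatedAdministratorAccountName 'CORP\Branch01-RODC-Admins' `
    -AllowPasswordReplicationAccountName @('CORP\Branch01-Users') `
    -Credential (Get-Credential -Message 'Enter Domain Admins credentials')
```

Run this as a member of Domain Admins from a machine that has both the ActiveDirectory and ADDSDeployment modules (a Windows Server 2012 domain controller or a server with the AD DS role installed). Global catalog stays enabled because -NoGlobalCatalog is not passed, matching the wizard default.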

[Screenshots: Install RODC]

The stage RODC operation creates the RODC computer account in Active Directory. The Active Directory Administrative Center shows the Domain Controller Type as Unoccupied Domain Controller Account. This domain controller type indicates that the staged RODC account is ready for a server to attach to it as a read-only domain controller.


Important

The Active Directory Administrative Center is no longer required to attach a server to a read-only domain controller computer account. Use Server Manager and the Active Directory Domain Services Configuration Wizard, or the ADDSDeployment Windows PowerShell module cmdlet Install-ADDSDomainController, to attach a new RODC to its staged account. The steps are similar to adding a new writable domain controller to an existing domain, except that the staged RODC computer account already contains the configuration options decided at the time you staged it.

Attaching

Deployment Configuration


Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields on this page and subsequent pages change depending on which deployment operation you select.

To add a read-only domain controller to an existing domain, select Add a domain controller to an existing domain and click the Select button to specify the domain information for this domain. Server Manager automatically prompts you for valid credentials, or you can click Change.

Attaching an RODC requires membership in the Domain Admins group in Windows Server 2012. The Active Directory Domain Services Configuration Wizard prompts you later if your current credentials do not have adequate permissions or group memberships.

The Deployment Configuration ADDSDeployment Windows PowerShell cmdlet and arguments are:

Install-AddsDomainController  
-domainname <string>   
-credential <pscredential>  

Domain Controller Options


The Domain Controller Options page shows the domain controller options for the new domain controller. When this page loads, the Active Directory Domain Services Configuration Wizard sends an LDAP query to an existing domain controller to check for unoccupied accounts. If the query finds an unoccupied domain controller computer account that shares the same name as the current computer, the wizard displays an informational message at the top of the page that reads "A Pre-created RODC account that matches the name of the target server exists in the directory. Choose whether to use this existing RODC account or reinstall this domain controller." The wizard uses Use existing RODC account as the default configuration.

Important

You can use the Reinstall this domain controller option when a domain controller has suffered a physical problem and cannot be returned to service. This saves time when configuring the replacement domain controller, because the domain controller computer account and object metadata are left in Active Directory. Install the new computer with the same name, and promote it as a domain controller in the domain. The Reinstall this domain controller option is unavailable if you removed the domain controller object's metadata from Active Directory (metadata cleanup).

You cannot configure domain controller options when you are attaching a server to an RODC computer account. You configure those options when you create the staged RODC computer account.

The specified Directory Services Restore Mode password must adhere to the password policy applied to the server. Always choose a strong, complex password or, preferably, a passphrase.

The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:

-UseExistingAccount <{$true | $false}>  
-SafeModeAdministratorPassword <secure string>  

Important

The site name must already exist when provided as an argument to -SiteName. The Install-ADDSDomainController cmdlet does not create sites. You can use the New-ADReplicationSite cmdlet to create new sites.

The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.

The SafeModeAdministratorPassword argument's operation is special:

  • If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    For example, to create a new RODC in the corp.contoso.com domain and be prompted to enter and confirm a masked password:

    Install-ADDSDomainController -DomainName corp.contoso.com -credential (get-credential)  
    
  • If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

-safemodeadministratorpassword (read-host -prompt "Password:" -assecurestring)  

Warning

Because the previous option does not confirm the password, use extreme caution: the password is not visible while it is typed.

You can also provide a secure string converted from a clear-text variable, although this is highly discouraged.

-safemodeadministratorpassword (convertto-securestring "Password1" -asplaintext -force)  

Finally, you could store the obfuscated password in a file and reuse it later, so that the clear-text password never appears. For example:

$file = "c:\pw.txt"  
$pw = read-host -prompt "Password:" -assecurestring  
$pw | ConvertFrom-SecureString | Set-Content $file  

-safemodeadministratorpassword (Get-Content $File | ConvertTo-SecureString)  

Warning

Providing or storing a clear-text or obfuscated password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could reverse the obfuscated password. With that knowledge, they can log on to a DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to avoid password storage entirely.

Additional Options


The Additional Options page lets you name a specific domain controller as the replication source, or you can let any domain controller serve as the replication source.

You can also choose to install the domain controller from backed-up media using the Install from media (IFM) option. Once selected, the Install from media check box provides a browse option, and you must click Verify to ensure the provided path contains valid media. Media used by the IFM option is created with Windows Server Backup or Ntdsutil.exe from another existing Windows Server 2012 computer only; you cannot use Windows Server 2008 R2 or a previous operating system to create media for a Windows Server 2012 domain controller. For more information about changes in IFM, see Ntdsutil.exe Install from Media Changes. If the media is protected with a SYSKEY, Server Manager prompts for the image's password during verification.


The Additional Options ADDSDeployment cmdlet arguments are:

-replicationsourcedc <string>  
-installationmediapath <string>  
-systemkey <secure string>  

Paths


The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%. The Paths ADDSDeployment cmdlet arguments are:

-databasepath <string>  
-logpath <string>  
-sysvolpath <string>  

Review Options and View Script


The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last opportunity to stop the installation when using Server Manager; this page simply lets you review and confirm your settings before continuing the configuration. The Review Options page in Server Manager also offers an optional View Script button that creates a Unicode text file containing the current ADDSDeployment configuration as a single Windows PowerShell script. This lets you use the Server Manager graphical interface as a Windows PowerShell deployment studio: use the Active Directory Domain Services Configuration Wizard to configure the options, export the configuration, and then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or direct use. For example:

#
# Windows PowerShell Script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSDomainController `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "corp.contoso.com" `
-LogPath "C:\Windows\NTDS" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-UseExistingAccount:$true `
-Norebootoncompletion:$false `
-Force:$true

Note

Server Manager generally fills in all arguments with explicit values when promoting and does not rely on defaults (because they may change between future versions of Windows or service packs). The one exception is the -SafeModeAdministratorPassword argument: to force a confirmation prompt, omit its value when running the cmdlet interactively.

Use the optional -WhatIf argument with the Install-ADDSDomainController cmdlet to review the configuration information. This lets you see the explicit and implicit values of the cmdlet's arguments without making any change.


Prerequisites Check


The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new AD DS forest.

When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests. These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller installation process cannot continue until all prerequisite tests pass.

The Prerequisites Check also surfaces relevant information, such as security changes that affect older operating systems. For more information about the prerequisite checks, see Prerequisite Checking.

You cannot bypass the Prerequisites Check when using Server Manager, but you can skip it when using the AD DS Deployment cmdlet with the following argument:

-skipprechecks  

Warning

Microsoft discourages skipping the prerequisite check, as it can lead to a partial domain controller promotion or a damaged AD DS forest.
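Rather than skipping the checks, a practitioner who wants to separate validation from promotion can run the checks on their own. The following is an added example, not code from the original article: it calls Test-ADDSDomainControllerInstallation from the ADDSDeployment module, which accepts the same arguments as Install-ADDSDomainController but only performs the prerequisite phase and changes nothing. The domain corp.contoso.com is an assumption; the server running it is assumed to already carry the name of a staged RODC account.

```powershell
# Added example, not from the original article. Runs only the prerequisite checks
# for attaching this server to a staged RODC account, so a failing check is found
# before promotion and -SkipPreChecks is never needed. The domain is an assumption.
Import-Module ADDSDeployment

$domainName = 'corp.contoso.com'   # assumed domain
$cred       = Get-Credential -Message 'Enter Domain Admins credentials'
# Prompt for the DSRM password as a secure string; it is never stored on disk.
$dsrmPwd    = Read-Host -Prompt 'DSRM password' -AsSecureString

# Same arguments that the later Install-ADDSDomainController call would use.
$check = Test-ADDSDomainControllerInstallation `
    -DomainName $domainName `
    -UseExistingAccount `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrmPwd

# Show every property of the result so failed checks and their messages are visible
# in full; the exact property names are not relied upon here.
$check | Format-List *
```

Because the cmdlet does not promote the server, it can be repeated after each fix until it reports no errors, after which the real promotion can run with the identical argument set.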

Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.

Installation


When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and are written to the logs:

  • %systemroot%\debug\dcpromo.log

  • %systemroot%\debug\dcpromoui.log

To install a new Active Directory forest using the ADDSDeployment module, use the following cmdlet:

Install-addsdomaincontroller  

See Attach RODC Windows PowerShell for the required and optional arguments.

The Install-ADDSDomainController cmdlet has only two phases (prerequisite checking and installation). The two figures below show the installation phase with the minimum required arguments of -DomainName, -UseExistingAccount, and -Credential. Note how, just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot the server automatically:

[Screenshots: Install RODC]

To accept the reboot prompt automatically, use the -Force or -Confirm:$false argument with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from rebooting automatically at the end of promotion, use the -NoRebootOnCompletion argument.
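The following script is an added example, not code from the original article or the output of the View Script button. It ties together the attach workflow described in this section: it previews the Install-ADDSDomainController call with -WhatIf, then runs the promotion with the minimum arguments for attaching to a staged account (-DomainName, -UseExistingAccount, -Credential) and -Force to accept the reboot prompt, and it defines a helper for scanning the two promotion logs listed above after the reboot. The domain corp.contoso.com is an assumption, as is the helper's name and its simple error/fail pattern.

```powershell
# Added example, not from the original article. Attaches this server to its staged
# RODC account. The domain name is an assumption; the server's own computer name must
# match the staged account name or the promotion will not find it.
Import-Module ADDSDeployment

$domainName = 'corp.contoso.com'   # assumed domain
$cred       = Get-Credential -Message 'Enter Domain Admins credentials'
# Prompt for the DSRM password as a secure string rather than storing it anywhere.
$dsrmPwd    = Read-Host -Prompt 'DSRM password' -AsSecureString

# One argument set, reused for the preview and the real run so they cannot diverge.
$params = @{
    DomainName                    = $domainName
    UseExistingAccount            = $true
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrmPwd
    NoRebootOnCompletion          = $false   # let the new DC reboot, as recommended
}

# Preview: shows the explicit and implicit argument values without changing anything.
Install-ADDSDomainController @params -WhatIf

if ((Read-Host -Prompt 'Proceed with promotion? (y/n)') -ne 'y') { exit }

# -Force accepts the reboot prompt; the server restarts when promotion completes,
# so nothing placed after this call in the same session is guaranteed to run.
Install-ADDSDomainController @params -Force

function Get-DcpromoLogErrors {
    # Helper (assumed name) to run on the new RODC after it has rebooted: returns
    # the lines of the promotion logs listed in this article that mention an error.
    $logs = @("$env:SystemRoot\debug\dcpromo.log", "$env:SystemRoot\debug\dcpromoui.log")
    Get-ChildItem -Path $logs -ErrorAction SilentlyContinue |
        Select-String -Pattern 'error|fail'
}
```

The -WhatIf preview is the scripted equivalent of the Review Options page: it is where a typo in the domain name or a missing -UseExistingAccount (which would silently turn the run into a fresh writable DC promotion) is caught before anything is written to the directory.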

Warning

Overriding the reboot is discouraged. The domain controller must reboot to function correctly.

Results


The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.

RODC without Staging Workflow

The following diagram illustrates the Active Directory Domain Services configuration process when you have previously installed the AD DS role and have started the Active Directory Domain Services Configuration Wizard from Server Manager to create a new, non-staged read-only domain controller in an existing Windows Server 2012 domain.

[Diagram: Install RODC]

RODC without Staging Windows PowerShell

ADDSDeployment cmdlet: Install-ADDSDomainController

Arguments (required arguments are marked; the remaining arguments are optional and, where the AD DS Configuration Wizard also exposes them, can be specified either in Windows PowerShell or in the wizard):

  • -SkipPreChecks
  • -DomainName (required)
  • -SafeModeAdministratorPassword
  • -SiteName
  • -ApplicationPartitionsToReplicate
  • -CreateDNSDelegation
  • -Credential
  • -CriticalReplicationOnly
  • -DatabasePath
  • -DNSDelegationCredential
  • -DNSOnNetwork
  • -InstallationMediaPath
  • -InstallDNS
  • -LogPath
  • -MoveInfrastructureOperationMasterRoleIfNecessary
  • -NoGlobalCatalog
  • -NoRebootOnCompletion
  • -ReplicationSourceDC
  • -SkipAutoConfigureDNS
  • -SystemKey
  • -SYSVOLPath
  • -AllowPasswordReplicationAccountName
  • -DelegatedAdministratorAccountName
  • -DenyPasswordReplicationAccountName
  • -ReadOnlyReplica (required to create a read-only domain controller)

注意

-認證引數只有需要如果您不已登入以網域管理群組成員。The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.

RODC without Staging Deployment

Deployment Configuration

[Figure: Install RODC]

Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields on this page and on subsequent pages change depending on which deployment operation you select.

To add an un-staged read-only domain controller to an existing Windows Server 2012 domain, select Add a domain controller to an existing domain and click the Select button to specify the domain information for this domain. Server Manager automatically prompts you for valid credentials, or you can click Change.

Attaching an RODC requires membership in the Domain Admins group in Windows Server 2012. The Active Directory Domain Services Configuration Wizard prompts you later if your current credentials do not have adequate permissions or group memberships.

The Deployment Configuration ADDSDeployment Windows PowerShell cmdlet and arguments are:

    Install-AddsDomainController
    -domainname <string>
    -credential <pscredential>

Domain Controller Options

[Figure: Install RODC]

The Domain Controller Options page specifies the domain controller capabilities for the new domain controller. The configurable capabilities are DNS server, Global Catalog, and Read-only domain controller. Microsoft recommends that all domain controllers provide DNS and GC services for high availability in distributed environments. GC is always selected by default, and DNS server is selected by default if the current domain already hosts DNS on its DCs, as determined by a Start of Authority query.

The Domain Controller Options page also enables you to choose the appropriate Active Directory logical site name from the forest configuration. By default, it selects the site with the most correct subnet. If there is only one site, it selects that site automatically.

Important

If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is selected and the Next button is unavailable until you choose a site from the list.

The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server. Always choose a strong, complex password or, preferably, a passphrase. The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:

    -UseExistingAccount <{$true | $false}>
    -SafeModeAdministratorPassword <secure string>

Important

The site name must already exist when provided as an argument to -sitename. The Install-AddsDomainController cmdlet does not create sites. You can use the New-ADReplicationSite cmdlet to create new sites.

The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.

The SafeModeAdministratorPassword argument's operation is special:

  • If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    For example, to create a new RODC in corp.contoso.com and be prompted to enter and confirm a masked password (the -ReadOnlyReplica switch is what makes the new domain controller read-only):

        Install-ADDSDomainController -DomainName corp.contoso.com -ReadOnlyReplica -credential (get-credential)

  • If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

    -safemodeadministratorpassword (read-host -prompt "Password:" -assecurestring)

Warning

As the previous option does not confirm the password, use extreme caution: the password is not visible.

You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.

    -safemodeadministratorpassword (convertto-securestring "Password1" -asplaintext -force)

Finally, you could store the obfuscated password in a file and then reuse it later, without the clear-text password ever appearing. For example:

    $file = "c:\pw.txt"
    $pw = read-host -prompt "Password:" -assecurestring
    $pw | ConvertFrom-SecureString | Set-Content $file

    -safemodeadministratorpassword (Get-Content $file | ConvertTo-SecureString)

Warning

Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could reverse that obfuscated password. With that knowledge, they can log on to a DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to avoid password storage altogether.
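Added here as an example (not from the original article or the ADDSDeployment module): a pre-flight script that checks the -SiteName target exists before promotion (the cmdlet does not create sites) and prompts for the DSRM password with confirmation, since the Read-Host form above does not confirm it; it never writes the password to disk and ends with -WhatIf so nothing is promoted. The domain corp.contoso.com, the site name Chicago and the delegated administrator group are assumed values.

```powershell
# Added example, not part of the original article. Run from the server being promoted,
# with the ActiveDirectory and ADDSDeployment modules available.
#Requires -Modules ActiveDirectory, ADDSDeployment

$DomainName = 'corp.contoso.com'            # assumed
$SiteName   = 'Chicago'                     # assumed; must already exist
$Delegated  = 'CORP\Chicago RODC Admins'    # assumed delegated-admin group

# 1. The site must exist before promotion; Install-ADDSDomainController will not create it.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    throw "Site '$SiteName' does not exist. Create it first with: New-ADReplicationSite -Name '$SiteName'"
}

# 2. Prompt for the DSRM password twice. Read-Host -AsSecureString alone does not confirm,
#    so a typo would silently become the DSRM password of the new domain controller.
function Read-ConfirmedSecureString {
    param([int]$MinimumLength = 12)
    while ($true) {
        $first  = Read-Host -Prompt 'DSRM password' -AsSecureString
        $second = Read-Host -Prompt 'Confirm DSRM password' -AsSecureString
        # Decrypt only for the comparison; the plaintext copies are dropped immediately.
        $a = [System.Net.NetworkCredential]::new('', $first).Password
        $b = [System.Net.NetworkCredential]::new('', $second).Password
        $match      = $a -ceq $b           # case-sensitive comparison
        $longEnough = $a.Length -ge $MinimumLength
        $a = $b = $null
        if ($match -and $longEnough) { return $first }
        if (-not $match) { Write-Warning 'Passwords do not match; try again.' }
        else { Write-Warning "Password must be at least $MinimumLength characters." }
    }
}

$dsrm = Read-ConfirmedSecureString

# 3. Dry run: -WhatIf shows the explicit and implicit argument values without promoting.
#    Remove -WhatIf (and add -Force to accept the reboot prompt) for the real promotion.
Install-ADDSDomainController `
    -DomainName $DomainName `
    -SiteName $SiteName `
    -ReadOnlyReplica `
    -InstallDns `
    -DelegatedAdministratorAccountName $Delegated `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential -Message "Domain Admins credential for $DomainName") `
    -WhatIf
```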

RODC Options

[Figure: Install RODC]

The RODC Options page enables you to modify the following settings:

  • Delegated Administrator Account

  • Accounts that are allowed to replicate passwords to the RODC

  • Accounts that are denied from replicating passwords to the RODC

Delegated administrator accounts gain local administrative permissions to the RODC. These users can operate with privileges equivalent to the local computer's Administrators group. They are not members of the Domain Admins or the domain built-in Administrators groups. This option is useful for delegating branch office administration without giving out domain administrative permissions. Configuring delegation of administration is not required.

The equivalent ADDSDeployment Windows PowerShell argument is:

    -delegatedadministratoraccountname <string>

Accounts that are not allowed to cache passwords on the RODC, and that cannot connect and authenticate to a writable domain controller, cannot access resources or functionality provided by Active Directory.

Important

If not modified, the default groups and settings are used:

  • Administrators - Deny
  • Server Operators - Deny
  • Backup Operators - Deny
  • Account Operators - Deny
  • Denied RODC Password Replication Group - Deny
  • Allowed RODC Password Replication Group - Allow

The equivalent ADDSDeployment Windows PowerShell arguments are:

    -allowpasswordreplicationaccountname <string []>
    -denypasswordreplicationaccountname <string []>

[Figure: Install RODC]
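Added example (not part of the original article): after promotion, verify the RODC's effective Password Replication Policy against the default deny list above and check that no privileged account has had its password cached on the RODC. RODC01 is a placeholder computer name; the script relies on the ActiveDirectory module's Get-ADDomainControllerPasswordReplicationPolicy and Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlets and is run from a writable DC or management workstation.

```powershell
# Added example, not part of the original article. Audits one RODC's PRP and cached secrets.
#Requires -Modules ActiveDirectory

$Rodc = 'RODC01'   # placeholder: name of the RODC to audit

# The default deny entries described in the article; the audit warns if any was removed.
$ExpectedDenied = @('Administrators', 'Server Operators', 'Backup Operators',
                    'Account Operators', 'Denied RODC Password Replication Group')

$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed

$missing = $ExpectedDenied | Where-Object { $_ -notin $denied.Name }
if ($missing) {
    Write-Warning "Default deny entries missing from the PRP of $Rodc : $($missing -join ', ')"
}

# Accounts whose secrets are currently cached on the RODC: this is the set exposed if the
# branch server is stolen or compromised, so it should contain branch users and computers only.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Privileged principals must never be cached on an RODC. Resolve Domain Admins recursively
# (nested groups included) and intersect with the revealed set.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName
$leaked = @($revealed | Where-Object { $_.SamAccountName -in $privileged })

if ($leaked.Count -gt 0) {
    # Remediation: resetting the account's password invalidates the copy cached on the RODC.
    Write-Warning "Privileged accounts cached on $Rodc : $(($leaked | ForEach-Object SamAccountName) -join ', ')"
}

[pscustomobject]@{
    RODC               = $Rodc
    AllowedEntries     = ($allowed.Name -join ', ')
    DeniedEntries      = ($denied.Name -join ', ')
    RevealedAccounts   = @($revealed).Count
    PrivilegedRevealed = $leaked.Count
}
```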

Additional Options

[Figure: Install RODC]

The Additional Options page provides configuration options to name a specific domain controller as the replication source, or you can let any domain controller serve as the replication source.

You can also choose to install the domain controller from backed-up media using the Install from media (IFM) option. The Install from media checkbox, once selected, provides a browse option, and you must click Verify to ensure that the provided path is valid media. Media used by the IFM option is created with Windows Server Backup or Ntdsutil.exe from another existing Windows Server 2012 computer only; you cannot use Windows Server 2008 R2 or a previous operating system to create media for a Windows Server 2012 domain controller. The Appendices provide more information on changes in IFM. If using media protected with a SYSKEY, Server Manager prompts for the image's password during verification.

[Figure: Install RODC]

The Additional Options ADDSDeployment cmdlet arguments are:

    -replicationsourcedc <string>
    -installationmediapath <string>
    -systemkey <secure string>

Paths

[Figure: Install RODC]

The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%. The Paths ADDSDeployment cmdlet arguments are:

    -databasepath <string>
    -logpath <string>
    -sysvolpath <string>

Preparation Options

[Figure: Install RODC]

The Preparation Options page alerts you that the AD DS configuration includes extending the Schema (forestprep) and updating the domain (domainprep). You only see this page when the forest or domain has not been prepared by a previous Windows Server 2012 domain controller installation or by manually running Adprep.exe. For example, the Active Directory Domain Services Configuration Wizard suppresses this page if you add a new replica domain controller to an existing Windows Server 2012 forest root domain.

Extending the Schema and updating the domain do not occur when you click Next. These events occur only during the installation phase. This page simply brings awareness of the events that will occur later in the installation.

This page also validates that the current user credentials are members of the Schema Admins and Enterprise Admins groups, as you need membership in these groups to extend the schema or prepare a domain. Click Change to provide adequate user credentials if the page informs you that the current credentials do not provide sufficient permissions.

The Preparation Options ADDSDeployment cmdlet argument is:

    -adprepcredential <pscredential>

Important

As with previous versions of Windows Server, Windows Server 2012's automated domain preparation does not run GPPREP. Run adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You should run GPPrep only once in the history of a domain, not with every upgrade. Adprep.exe does not run /gpprep automatically because its operation can cause all files and folders in the SYSVOL folder to re-replicate on all domain controllers.

Automatic RODCPrep runs when you promote the first un-staged RODC in a domain. It does not occur when you promote the first writeable Windows Server 2012 domain controller. You can also still manually run adprep.exe /rodcprep if you plan to deploy read-only domain controllers.

Review Options and View Script

[Figure: Install RODC]

The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last opportunity to stop the installation using Server Manager. This page simply enables you to review and confirm your settings before continuing the configuration.

The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio. Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or direct use. For example:

    #
    # Windows PowerShell Script for AD DS Deployment
    #

    Import-Module ADDSDeployment
    Install-ADDSDomainController `
    -AllowPasswordReplicationAccountName @("CORP\Allowed RODC Password Replication Group", "CORP\Chicago RODC Admins", "CORP\Chicago RODC Users and Computers") `
    -Credential (Get-Credential) `
    -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DelegatedAdministratorAccountName "CORP\Chicago RODC Admins" `
    -DenyPasswordReplicationAccountName @("BUILTIN\Administrators", "BUILTIN\Server Operators", "BUILTIN\Backup Operators", "BUILTIN\Account Operators", "CORP\Denied RODC Password Replication Group") `
    -DomainName "corp.contoso.com" `
    -InstallDNS:$true `
    -LogPath "C:\Windows\NTDS" `
    -ReadOnlyReplica:$true `
    -SiteName "Default-First-Site-Name" `
    -SYSVOLPath "C:\Windows\SYSVOL" `
    -Force:$true

Note

Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of Windows or service packs). The one exception to this is the -safemodeadministratorpassword argument. To force a confirmation prompt, omit the value when running the cmdlet interactively.

Use the optional -WhatIf argument with the Install-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit and implicit values of the arguments for a cmdlet.

[Figure: Install RODC]

Prerequisites Check

[Figure: Install RODC]

The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new AD DS forest.

When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests. These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller process cannot continue until all prerequisite tests pass.

The Prerequisites Check also surfaces relevant information, such as security changes that affect older operating systems.

You cannot bypass the Prerequisites Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet with the following argument:

    -skipprechecks

Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.

Installation

[Figure: Install RODC]

When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and are written to the following logs:

  • %systemroot%\debug\dcpromo.log

  • %systemroot%\debug\dcpromoui.log

To install the domain controller using the ADDSDeployment module, use the following cmdlet:

    Install-addsdomaincontroller

See the ADDSDeployment Cmdlet table at the beginning of this section for required and optional arguments.

The Install-addsdomaincontroller cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with the minimum required arguments of -domainname, -readonlyreplica, -sitename, and -credential. Note how, just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot the server automatically:

[Figure: Install RODC]

[Figure: Install RODC]

To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end of promotion, use the -norebootoncompletion argument.

Warning

Overriding the reboot is not recommended. The domain controller must reboot to function correctly. If you log off the domain controller, you cannot log back on interactively until you restart it.

Results

[Figure: Install RODC]

The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.