What's New in Active Directory Domain Services Installation and Removal

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic covers:

Active Directory Domain Services (AD DS) deployment in Windows Server 2012 is simpler and faster than in previous versions of Windows Server. The AD DS installation process is now built on Windows PowerShell and is integrated with Server Manager. The number of steps required to introduce domain controllers into an existing Active Directory environment is reduced. This makes the process for creating a new Active Directory environment simpler and more efficient. The new AD DS deployment process minimizes the chances of errors that would have otherwise blocked installation.

In addition, you can install the AD DS server role binaries (that is, the AD DS server role) on multiple servers at the same time. You can also run the AD DS installation wizard remotely on an individual server. These improvements provide more flexibility for deploying domain controllers that run Windows Server 2012, especially for large-scale, global deployments where many domain controllers need to be deployed to offices in different regions.

AD DS installation includes the following features:

  • Adprep.exe integration into the AD DS installation process. The cumbersome steps required to prepare an existing Active Directory, such as the need to use a variety of different credentials, copy the Adprep.exe files, or log on to specific domain controllers, are all simplified or occur automatically. This reduces the time required to install AD DS and reduces the chances for errors that might otherwise block domain controller promotion.

    For environments where it is preferable to run adprep.exe commands in advance of a new domain controller installation, you can still execute adprep.exe commands separately from the AD DS installation. The Windows Server 2012 version of adprep.exe runs remotely, so you can execute all necessary commands from a server that runs a 64-bit version of Windows Server 2008 or later.

  • The new AD DS installation is built on Windows PowerShell and can be invoked remotely. The new AD DS installation is integrated with Server Manager, so you can use the same interface to install AD DS that you use when installing other server roles. For Windows PowerShell users, the AD DS deployment cmdlets provide greater functionality and flexibility. There is functional parity between command-line and GUI installation options.

  • The new AD DS installation includes prerequisite validation. Any potential errors are identified before the installation begins. You can correct error conditions before they occur without the concerns resulting from a partially complete upgrade. For example, if adprep /domainprep needs to be run, the installation wizard verifies that the user has sufficient rights to execute the operation.

  • Configuration pages are grouped in a sequence that mirrors the requirements of the most common promotion options, with related options grouped in fewer wizard pages. This provides better context for making installation choices.

  • You can export a Windows PowerShell script that contains all the options that were specified during the graphical installation. At the end of an installation or removal, you can export the settings to a Windows PowerShell script for use with automating the same operation.

  • Only critical replication occurs before reboot. A new switch allows replication of non-critical data before reboot. For more information, see ADDSDeployment cmdlet arguments.

The Active Directory Domain Services Configuration Wizard

Beginning with Windows Server 2012, the Active Directory Domain Services Configuration Wizard replaces the legacy Active Directory Domain Services Installation Wizard as the user interface (UI) option to specify settings when you install a domain controller. The Active Directory Domain Services Configuration Wizard begins after Add Roles Wizard is finished.

Warning

The legacy Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning with Windows Server 2012.

In Install Active Directory Domain Services (Level 100), the UI procedures show how to start the Add Roles Wizard to install the AD DS server role binaries and then run the Active Directory Domain Services Configuration Wizard to complete the domain controller installation. The Windows PowerShell examples show how to complete both steps using an AD DS deployment cmdlet.

Adprep.exe integration

Beginning with Windows Server 2012, there is only one version of Adprep.exe (there is no 32-bit version, adprep32.exe). Adprep commands are run automatically as needed when you install a domain controller that runs Windows Server 2012 to an existing Active Directory domain or forest.

Although adprep operations are run automatically, you can run Adprep.exe separately. For example, if the user who installs AD DS is not a member of the Enterprise Admins group, which is required in order to run Adprep /forestprep, then you might need to run the command separately. But, you only have to run adprep.exe if you are planning to in-place upgrade your first Windows Server 2012 domain controller (in other words, you plan to in-place upgrade the operating system of a domain controller that runs Windows Server 2012).

Adprep.exe is located in the \support\adprep folder of the Windows Server 2012 installation disc. The Windows Server 2012 version of adprep is capable of executing remotely.

The Windows Server 2012 version of adprep.exe can run on any server that runs a 64-bit version of Windows Server 2008 or later. The server needs network connectivity to the schema master for the forest and the infrastructure master of the domain where you want to add a domain controller. If either of those roles is hosted on a server that runs Windows Server 2003, then adprep must be run remotely. The server where you run adprep does not need to be a domain controller. It can be domain joined or in a workgroup.

Note

If you try to run the Windows Server 2012 version of adprep.exe on a server that runs Windows Server 2003, the following error appears:

Adprep.exe is not a valid Win32 application.


For information about resolving other errors returned by Adprep.exe, see Known issues.

Group membership check against Windows Server 2003 operations master roles

For each command (/forestprep, /domainprep, or /rodcprep), Adprep performs a group membership check to determine whether the specified credential represents an account in certain groups. To perform this check, Adprep contacts the operations master role owner. If the operations master is running Windows Server 2003, you need to specify the /user and /userdomain command line parameters if you run Adprep.exe to ensure the group membership check is performed in all cases.

The /user and /userdomain parameters are new for Adprep.exe in Windows Server 2012. These parameters specify the user account name and user domain, respectively, of the user who runs the adprep command. The Adprep.exe command-line utility blocks specifying one of /userdomain and /user but omitting the other.

However, Adprep operations can also be run as part of an AD DS installation using Windows PowerShell or Server Manager. Those experiences share the same underlying implementation (adprep.dll) as adprep.exe. The Windows PowerShell and Server Manager experiences have their own separate credentials input, which does not impose the same requirements as adprep.exe. Using Windows PowerShell or Server Manager, it is possible to pass a value for /user but not /userdomain to adprep.dll. If /user is specified but /userdomain is not specified, the local machine's domain is used to perform the check. If the machine is not domain joined, group membership cannot be checked.

When group membership cannot be checked, Adprep shows a warning message in the adprep log files and continues:

Adprep was unable to check the specified user's group membership. This could happen if the FSMO role owner <DNS host name of operations master> is running Windows Server 2003 or lower version of Windows.  

If you run Adprep.exe without specifying the /user and /userdomain parameters and the operations master is running Windows Server 2003, Adprep.exe contacts a domain controller in the domain of the current logon user. If the current logon user is not a domain account, Adprep.exe cannot perform the group membership check. Adprep.exe also cannot perform the group membership check if smartcard credentials are used, even if you do specify both /user and /userdomain.

If Adprep finishes successfully, there is no action required. If Adprep fails during execution with access errors, provide an account with the correct membership. For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.

Syntax for Adprep in Windows Server 2012

Use the following syntax to run adprep separately from an AD DS installation:

Adprep.exe /forestprep /forest <forest name> /userdomain <user domain name> /user <user name> /password *  

Use /logdsid in the command in order to generate more detailed logging. The adprep.log is located in %windir%\System32\Debug\Adprep\Logs.

Running adprep using smartcard

The Windows Server 2012 version of adprep.exe works using smartcard as credentials, but there is no easy way to specify the smart card credential through the command line. One way to do it is to obtain the smart card credential through the PowerShell cmdlet Get-Credential. Then use the user name of the returned PSCredential object, which appears as @@.... The password is the PIN of the smart card.

Adprep.exe requires /userdomain if /user is specified. For smartcard credentials, the /userdomain should be the domain of the underlying user account represented by the smartcard.

Adprep /domainprep /gpprep command is not run automatically

The adprep /domainprep /gpprep command is not run as part of AD DS installation. This command sets permissions that are required for Resultant Set of Policy (RSOP) planning mode functionality. For more information about this command, see Microsoft Knowledge Base article 324392. If the command needs to be run in your Active Directory domain, you can run it separately from the AD DS installation. If the command has already been run in preparation of deploying domain controllers that run Windows Server 2003 SP1 or later, the command does not need to be run again.

You can safely add domain controllers that run Windows Server 2012 to an existing domain without running adprep /domainprep /gpprep, but RSOP planning mode will not function properly.

AD DS installation prerequisite validation

The AD DS installation wizard checks that the following prerequisites are met before the installation begins. This provides you with a chance to correct issues that can potentially block installation.

For example, Adprep-related prerequisites include:

  • Adprep credential verification: If adprep needs to be run, the installation wizard verifies that the user has sufficient rights to execute the required Adprep operations.

  • Schema master availability check: If the installation wizard determines that adprep /forestprep needs to be run, it verifies that the schema master is online and fails otherwise.

  • Infrastructure master availability check: If the installation wizard determines that adprep /domainprep needs to be run, it verifies that the infrastructure master is online and fails otherwise.

Other prerequisite checks that are carried forward from the legacy Active Directory Installation Wizard (dcpromo.exe) include:

  • Forest name verification: Ensures that the forest name is valid and does not currently exist.

  • NetBIOS name verification: Checks that the provided NetBIOS name is valid and does not conflict with existing names.

  • Component path verification: Verifies that paths for the Active Directory database, logs, and SYSVOL are valid and that there is enough disk space available for them.

  • Child domain name verification: Ensures that the parent and new child domain names are valid and that they do not conflict with existing domains.

  • Tree domain name verification: Ensures that the specified tree name is valid and that it does not currently exist.

System requirements

System requirements for Windows Server 2012 are unchanged from Windows Server 2008 R2. For more information, see Windows Server 2008 R2 with SP1 System Requirements (http://www.microsoft.com/windowsserver2008/en/us/system-requirements.aspx).

Some features can have additional requirements. For example, the virtual domain controller cloning feature requires that the PDC emulator run Windows Server 2012 and a computer running Windows Server 2012 with the Hyper-V role installed.

Known issues

This section lists some of the known issues that affect AD DS installation in Windows Server 2012. For additional known issues, see Troubleshooting Domain Controller Deployment.

  • If WMI access to the schema master is blocked by Windows Firewall when you remotely run adprep /forestprep, the following error is logged in the adprep log at %systemroot%\system32\debug\adprep:

    Adprep encountered a Win32 error.   
    Error code: 0x6ba Error message: The RPC server is unavailable.  
    

    In this case, you can work around the error by either running adprep /forestprep directly on the schema master, or you can run one of the following commands to allow WMI traffic through Windows Firewall.

    For Windows Server 2008 or later:

    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes  
    

    For Windows Server 2003:

    netsh firewall set service RemoteAdmin enable  
    

    After adprep finishes you can run either of the following commands to block WMI traffic again:

    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=no  
    
    netsh firewall set service remoteadmin disable  
    
  • You can type Ctrl + C to cancel the Install-ADDSForest cmdlet. The cancellation stops the installation and any changes that were made to the state of the server are reverted. But after the cancellation command is issued, control is not returned to Windows PowerShell, and the cmdlet can hang indefinitely.

  • Installation of an additional domain controller using smart card credentials fails if the target server is not joined to the domain before installation.

    The error message returned in this case is:

    Unable to connect to the replication source domain controller <source domain controller name>. (Exception: Logonfailure: unknown user name or bad password)

    If you join the target server to the domain and then perform the installation using a smart card, the installation succeeds.

  • The ADDSDeployment module does not run under 32-bit processes. If you are automating deployment and configuration of Windows Server 2012 using a script that includes an ADDSDeployment cmdlet and any other cmdlet that does not support native 64-bit processes, the script can fail with an error that indicates the ADDSDeployment cmdlet cannot be found.

    In this case, you need to run the ADDSDeployment cmdlet separately from the cmdlet that does not support native 64-bit processes.

  • There is a new file system in Windows Server 2012 named Resilient File System. Do not store the Active Directory database, log files, or SYSVOL on a data volume formatted with Resilient File System (ReFS). For more information about ReFS, see Building the next generation file system for Windows: ReFS.

  • In Server Manager, for servers that run AD DS or other server roles on a Server Core installation and have been upgraded to Windows Server 2012, the server role can appear with red status, even though events and status are collected as expected. Servers that run a Server Core installation of a preliminary release of Windows Server 2012 can also be impacted.
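The two adprep log messages quoted in this topic (the group membership warning and the 0x6ba RPC error) can be picked out of a log mechanically. The following is an added example, not Microsoft code: the function name Find-AdprepLogIssue, its output properties, and the host name in the sample are assumptions made for illustration.

```powershell
# Added example, not Microsoft code. Find-AdprepLogIssue and its output
# properties are names chosen here; the matched text is quoted from this topic.
function Find-AdprepLogIssue {
    param(
        [string[]] $Line,
        [string]   $Source = '(inline sample)'
    )

    for ($i = 0; $i -lt $Line.Count; $i++) {
        $text  = $Line[$i].Trim()
        $issue = $null

        if ($text -match "unable to check the specified user's group membership") {
            # Adprep logged this and continued, so the membership check did not happen.
            $owner  = if ($text -match 'FSMO role owner (\S+) is running') { $Matches[1] } else { 'unknown' }
            $issue  = 'GroupMembershipNotChecked'
            $detail = "FSMO role owner: $owner"
            $action = 'If adprep then fails with access errors, provide an account with the correct membership'
        }
        elseif ($text -match 'Error code:\s*(0x[0-9a-f]+)\s+Error message:\s*(.+)$') {
            $code   = $Matches[1]
            $detail = "$code $($Matches[2])"
            if ($code -eq '0x6ba') {
                $issue  = 'RpcServerUnavailable'
                $action = 'Run adprep /forestprep on the schema master, or allow WMI through Windows Firewall for the run and block it again afterwards'
            } else {
                $issue  = 'Win32Error'
                $action = 'See Known issues'
            }
        }

        if ($issue) {
            [pscustomobject]@{
                Source = $Source; LineNumber = $i + 1
                Issue  = $issue;  Detail     = $detail; Action = $action
            }
        }
    }
}

# Constructed sample built from the messages quoted in this topic (host name is made up).
$sample = @(
    "Adprep was unable to check the specified user's group membership. This could happen if the FSMO role owner dc1.contoso.com is running Windows Server 2003 or lower version of Windows."
    'Adprep encountered a Win32 error.'
    'Error code: 0x6ba Error message: The RPC server is unavailable.'
)
Find-AdprepLogIssue -Line $sample | Format-List
```

For a real run, pass the content of each adprep.log under %windir%\System32\Debug\Adprep\Logs as -Line and its path as -Source.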

Active Directory Domain Services installation hangs if an error prevents critical replication

If the AD DS installation encounters an error during the critical replication phase, the installation can hang indefinitely. For example, if networking errors prevent critical replication from completing, the installation will not proceed.

If you are installing using Server Manager, you may see the installation progress page remain open, but there is no error reported on screen, and the progress may not change for about 15 minutes. If you are using Windows PowerShell, the progress shown in the Windows PowerShell window will not change for more than 15 minutes.

If you experience this problem, check the dcpromo.log file in the %systemroot%\debug folder on the target server. The log file will typically indicate repeated failures to replicate. Some known causes for this problem are:

  • Networking problems prevent critical replication between the target server being promoted and the replication source domain controller.

    For example, the dcpromo.log shows:

    
    05/02/2012 14:16:46 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963  
    Internal event: The following local directory service received an exception from a remote procedure call (RPC) connection. Extensive RPC information was requested. This is intermediate information and might not contain a possible cause.  
    Process ID:   
    500  
    Reported error information:  
    Error value:   
    Could not find the domain controller for this domain. (1908)  
    directory service:   
    <domain>.com  
    Extensive error information:  
    Error value:   
    A security package specific error occurred. 1825  
    directory service:   
    <DC Name>  
    

    Because the installation process retries critical replication indefinitely, the domain controller installation proceeds if the underlying network problems are resolved. Investigate the networking problem using tools such as ipconfig, nslookup, and netmon as needed. Ensure connectivity exists between the domain controller you are promoting and the replication partner selected during the AD DS installation. Also make sure name resolution is working.

    AD DS installation requirements for network connectivity and name resolution are validated during the prerequisite check before the installation begins. But some error conditions can arise in the time after prerequisite validation occurs and before the installation completes, such as if the replication partner becomes unavailable during installation.

  • During replica domain controller installation, the local Administrator account of the target server is specified for the installation credentials and the password of the local Administrator account matches the password of a Domain Admin account. In this case, you can complete the installation wizard and begin the installation before you encounter the "Access is denied" failure.

    For example, the dcpromo.log shows:

    
    03/30/2012 11:36:51 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC2.contoso.com...  
    03/30/2012 11:36:51 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963  
    Internal event: The following local directory service received an exception from a remote procedure call (RPC) connection. Extensive RPC information was requested. This is intermediate information and might not contain a possible cause.  
    Process ID:   
    508  
    Reported error information:  
    Error value:   
    Access is denied. (5)  
    directory service:   
    DC2.contoso.com  
    

    If the error is caused by specifying a local Administrator account and password, in order to recover you need to reinstall the operating system, perform metadata cleanup of the account for the domain controller that failed to complete installation, and then retry the AD DS installation using Domain Admin credentials. Restarting the server will not correct this error condition because the server will indicate that AD DS is installed even though the installation did not finish successfully.
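Because the installer reports nothing on screen while it retries, the repeated failures have to be read out of dcpromo.log. The following is an added example, not Microsoft code, that groups the NTDS Replication error records shown in the two excerpts above; the function name Get-DcPromoReplicationError, its output properties, the hint text, and the sample lines are assumptions made for illustration.

```powershell
# Added example, not Microsoft code. Function and property names are chosen here.
function Get-DcPromoReplicationError {
    param([string[]] $Line)

    $stamp   = '^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[\w+\] '
    $records = @()
    $current = $null
    $expect  = $null    # which field the next non-empty line carries

    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -eq '') { continue }

        if ($text -match $stamp) {
            # Any timestamped line closes the record that was open.
            $time = $Matches[1]
            if ($current) { $records += $current }
            $current = $null
            $expect  = $null
            if ($text -match 'EVENTLOG \(Error\): NTDS Replication') {
                $current = [pscustomobject]@{
                    Time = $time; Code = $null; Error = $null; Target = $null
                }
            }
            continue
        }
        if (-not $current) { continue }

        if ($expect -eq 'Error') {
            # Keep the first "Error value:" (the reported error), not the extended one.
            if (-not $current.Error) {
                $current.Error = $text
                if ($text -match '\(?(\d+)\)?$') { $current.Code = [int]$Matches[1] }
            }
            $expect = $null
        }
        elseif ($expect -eq 'Target') {
            if (-not $current.Target) { $current.Target = $text }
            $expect = $null
        }
        elseif ($text -eq 'Error value:')       { $expect = 'Error' }
        elseif ($text -eq 'directory service:') { $expect = 'Target' }
    }
    if ($current) { $records += $current }

    # The same failure logged again and again is what a stalled promotion looks like.
    foreach ($group in ($records | Group-Object Code, Target)) {
        $first = $group.Group | Select-Object -First 1
        $last  = $group.Group | Select-Object -Last 1
        $hint  = if ($first.Code -eq 5) {
            'Access is denied: check which account was given as installation credentials'
        } else {
            'Check connectivity and name resolution to the replication partner'
        }
        [pscustomobject]@{
            Count  = $group.Count;  Code      = $first.Code; Error    = $first.Error
            Target = $first.Target; FirstSeen = $first.Time; LastSeen = $last.Time
            Hint   = $hint
        }
    }
}

# Constructed sample modelled on the dcpromo.log excerpts in this topic.
$sample = @'
05/02/2012 14:16:46 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963
Process ID:
500
Reported error information:
Error value:
Could not find the domain controller for this domain. (1908)
directory service:
contoso.com
Extensive error information:
Error value:
A security package specific error occurred. 1825
directory service:
DC1
05/02/2012 14:17:46 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963
Reported error information:
Error value:
Could not find the domain controller for this domain. (1908)
directory service:
contoso.com
05/02/2012 14:18:10 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC2.contoso.com...
05/02/2012 14:18:10 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963
Error value:
Access is denied. (5)
directory service:
DC2.contoso.com
'@ -split '\r?\n'

Get-DcPromoReplicationError -Line $sample | Format-Table Count, Code, Target, Hint -AutoSize
```

On the target server, pass the content of dcpromo.log from the %systemroot%\debug folder as -Line; a high Count for one Code and Target pair is the repeated failure this section describes.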

Active Directory Domain Services Configuration Wizard warns when a non-normalized DNS name is specified

If you create a new domain or forest and you specify a DNS domain name that includes internationalized characters that are not normalized, then the Active Directory Domain Services Configuration Wizard displays a warning that DNS queries for the name can fail. Although the DNS domain name is specified in the Deployment Configuration page, the warning appears on the Prerequisites Check page later in the wizard.

If a DNS domain name is specified using an un-normalized name like füßball.com or 'ΣΤ'.com (the normalized versions are: füssball.com and βστα.com), client applications that try to access it with WinHTTP will normalize the name before calling name resolution APIs. If the user types "'ΣΤ'.com" on some dialog, the DNS query will be sent as "βστα.com" and no DNS server will match it with a resource record for "'ΣΤ'.com". The user will be unable to resolve the name.

The following example explains one of the issues that can happen when using an IDN name that is not normalized:

  1. The domain using a non-normalized name is created and registered on the DNS server: füßball.com

  2. Machine "nps" is joined to the domain and gets its name registered: nps.füßball.com

  3. A client application tries to connect to the server nps.füßball.com

  4. The client application tries to resolve the name nps.füßball.com by calling name resolution APIs.

  5. Due to normalization, the name gets converted to nps.füssball.com and is queried over the wire as nps.füssball.com

  6. The client application is unable to resolve the name since the registered name is nps.füßball.com

If the warning appears in the Prerequisites Check page in the Active Directory Domain Services Configuration Wizard, return to the Deployment Configuration page and specify a normalized DNS domain name. If you are installing a new domain using Windows PowerShell, specify a normalized DNS name for the -DomainName option.

For more information about IDNs, see Handling Internationalized Domain Names (IDNs).