AD DS Simplified Administration

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains the new capabilities and benefits of Windows Server 2012 domain controller deployment and administration, and the differences between previous operating system DC deployment and the new Windows Server 2012 implementation.

Windows Server 2012 introduces the next generation of Active Directory Domain Services Simplified Administration, and is the most radical domain re-envisioning since Windows 2000 Server. AD DS Simplified Administration takes lessons learned from twelve years of Active Directory and makes a more supportable, more flexible, more intuitive administrative experience for architects and administrators. This meant creating new versions of existing technologies as well as extending the capabilities of components released in Windows Server 2008 R2.

AD DS Simplified Administration is a reimagining of domain deployment.

  • AD DS role deployment is now part of the new Server Manager architecture and allows remote installation

  • The AD DS deployment and configuration engine is now Windows PowerShell, even when using the new AD DS Configuration Wizard

  • Schema extension, forest preparation, and domain preparation are automatically part of domain controller promotion and no longer require separate tasks on special servers such as the Schema Master

  • Promotion now includes prerequisite checking that validates forest and domain readiness for the new domain controller, lowering the chance of failed promotions

  • The Active Directory module for Windows PowerShell now includes cmdlets for replication topology management, Dynamic Access Control, and other operations

  • The Windows Server 2012 forest functional level does not implement new features, and the domain functional level is required only for a subset of new Kerberos features, relieving administrators of the frequent need for a homogenous domain controller environment

  • Full support added for Virtualized Domain Controllers, including automated deployment and rollback protection

For more information about virtualized domain controllers, see Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100).

In addition, there are many administrative and maintenance improvements:

  • The Active Directory Administrative Center includes a graphical Active Directory Recycle Bin, Fine-Grained Password Policy management, and a Windows PowerShell history viewer

  • The new Server Manager has AD DS-specific interfaces into performance monitoring, best practice analysis, critical services, and the event logs

  • Group Managed Service Accounts support multiple computers using the same security principals

  • Improvements in Relative Identifier (RID) issuance and monitoring for better manageability in mature Active Directory domains

Finally, AD DS profits from other new features included in Windows Server 2012, such as:

  • NIC teaming and Datacenter Bridging

  • DNS Security and faster AD-integrated zone availability after boot

  • Hyper-V reliability and scalability improvements

  • BitLocker Network Unlock

  • Additional Windows PowerShell component administration modules

Technical Overview

ADPREP Integration

Active Directory forest schema extension and domain preparation now integrate into the domain controller configuration process. If you promote a new domain controller into an existing forest, the process detects upgrade status and the schema extension and domain preparation phases occur automatically. The user installing the first Windows Server 2012 domain controller must still be an Enterprise Admin and Schema Admin or provide valid alternate credentials.

Adprep.exe remains on the DVD for separate forest and domain preparation. The version of the tool included with Windows Server 2012 is backwards compatible with Windows Server 2008 x64 and Windows Server 2008 R2. Adprep.exe also supports remote forestprep and domainprep, just like the ADDSDeployment-based domain controller configuration tools.
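The following script is an added example and is not code from the original article or from Microsoft. It shows the remote promotion flow the section describes: the AD DS role binaries are installed on a member server from a management workstation, and the promotion itself runs the schema extension, forest preparation and domain preparation automatically, so no separate Adprep step is typed. The forest name corp.contoso.com, the server name DC02, and the use of one account holding both Enterprise Admin and Schema Admin membership are assumptions for the example.

```powershell
# Added example, not from the article. Assumed names: forest corp.contoso.com,
# member server DC02 to be promoted. Run from a workstation or server that has
# the Server Manager / ADDSDeployment tooling (RSAT) installed.
$target = 'DC02.corp.contoso.com'   # assumed server to promote
$domain = 'corp.contoso.com'        # assumed existing forest root domain

# The first Windows Server 2012 DC promoted into the forest triggers the schema
# extension and forest/domain preparation, so the account used must be both
# Enterprise Admin and Schema Admin (or alternate credentials must be supplied).
$cred = Get-Credential -Message "Enterprise Admin + Schema Admin account for $domain"

# 1. Remote role installation through Server Manager's deployment engine.
#    Install-WindowsFeature accepts -ComputerName, so no console access is needed.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools `
    -ComputerName $target -Credential $cred

# 2. Promotion. Install-ADDSDomainController runs the prerequisite checks
#    itself (unless -SkipPreChecks is given) and performs forestprep/domainprep
#    when it detects the forest or domain is not yet prepared.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    param($domain, $cred, $dsrm)
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $domain `
        -Credential $cred `
        -SafeModeAdministratorPassword $dsrm `
        -InstallDns `
        -Force
} -ArgumentList $domain, $cred, $dsrm
```

Because the promotion runs the same managed code as the AD DS Configuration Wizard, a failed prerequisite check stops the operation before any change is written to the forest; the result object returned by Invoke-Command carries the check's Status and Message.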

For information about Adprep and previous operating system forest preparation, see Running Adprep (Windows Server 2008 R2).

Server Manager AD DS Integration

Server Manager acts as a hub for server management tasks. Its dashboard-style appearance periodically refreshes views of installed roles and remote server groups. Server Manager provides centralized management of local and remote servers, without the need for console access.

Active Directory Domain Services is one of those hub roles; by running Server Manager on a domain controller or the Remote Server Administration Tools on Windows 8, you see important recent issues on domain controllers in your forest.

These views include:

  • Server availability

  • Performance monitor alerts for high CPU and memory usage

  • The status of Windows services specific to AD DS

  • Recent Directory Services-related warning and error entries in the event log

  • Best Practice analysis of a domain controller against a set of Microsoft-recommended rules
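As an added example (not part of the original article), the script below gathers from Windows PowerShell the same five signals the Server Manager AD DS page surfaces: reachability, AD DS service state, CPU, recent Directory Service warnings and errors, and Best Practices Analyzer results. The service list, the 80% CPU threshold and the 24-hour event window are assumptions chosen for illustration; the BPA model ID is the one the Directory Services BPA registers.

```powershell
# Added example, not from the article. Collects a Server Manager style health
# view for every DC in the current forest. Thresholds are arbitrary assumptions.
Import-Module ActiveDirectory

$dcs   = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$since = (Get-Date).AddHours(-24)                      # assumed event window
$adServices = 'NTDS','Kdc','Netlogon','DNS','DFSR','W32Time','ADWS'

foreach ($dc in $dcs) {
    $name   = $dc.HostName
    $report = [ordered]@{ DomainController = $name; Reachable = $false }

    # Server availability
    $report.Reachable = Test-Connection -ComputerName $name -Count 1 -Quiet
    if (-not $report.Reachable) { [pscustomobject]$report; continue }

    # Status of the Windows services specific to AD DS
    $notRunning = Get-Service -ComputerName $name -Name $adServices -ErrorAction SilentlyContinue |
        Where-Object Status -ne 'Running' | Select-Object -ExpandProperty Name
    $report.ServicesNotRunning = ($notRunning -join ',')

    # Performance counter check (one sample of total CPU)
    $cpu = (Get-Counter -ComputerName $name -Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
    $report.CpuPercent = [math]::Round($cpu, 1)
    $report.HighCpu    = $cpu -gt 80                   # assumed alert threshold

    # Recent Directory Service critical/error/warning entries (levels 1-3)
    $events = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Level = 1,2,3; StartTime = $since }
    $report.DSWarningsAndErrors24h = @($events).Count

    [pscustomobject]$report
}

# Best Practices Analyzer for the AD DS role on the local DC: refresh the
# results, then list everything that is not merely informational.
Invoke-BpaModel -ModelId 'Microsoft/Windows/DirectoryServices' | Out-Null
Get-BpaResult -ModelId 'Microsoft/Windows/DirectoryServices' |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Category, Title
```

Run it from a machine with RSAT or directly on a domain controller; the per-DC objects can be piped to Export-Csv to keep a history that Server Manager's refreshing dashboard does not retain.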

Active Directory Administrative Center Recycle Bin

Windows Server 2008 R2 introduced the Active Directory Recycle Bin, which recovers deleted Active Directory objects without restoring from backup, restarting the AD DS service, or rebooting domain controllers.

Windows Server 2012 enhances the existing Windows PowerShell-based restore capabilities with a new graphical interface in the Active Directory Administrative Center. This allows administrators to enable the Recycle Bin and locate or restore deleted objects in the domain contexts of the forest, all without directly running Windows PowerShell cmdlets. The Active Directory Administrative Center and Active Directory Recycle Bin still use Windows PowerShell under the covers, so previous scripts and procedures are still valuable.
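Since the graphical Recycle Bin runs the same cmdlets under the covers, the equivalent scripted procedure is worth seeing. This is an added example, not code from the article; the forest name corp.contoso.com and the deleted account jdoe are assumptions.

```powershell
# Added example, not from the article. Assumed forest corp.contoso.com and a
# deleted user whose sAMAccountName was 'jdoe'.
Import-Module ActiveDirectory

$forest = 'corp.contoso.com'   # assumed

# 1. Enable the Recycle Bin once per forest. This cannot be undone and needs
#    the Windows Server 2008 R2 forest functional level or higher.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest -Confirm:$false
}

# 2. Locate the deleted object. Deleted objects carry isDeleted=TRUE and are
#    hidden from normal searches; -IncludeDeletedObjects makes them visible.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 3. Restore. The object returns with its original SID, group memberships and
#    attributes, so permissions granted to it keep working; recreating the
#    account instead would produce a new SID. If the original parent OU was
#    deleted as well, restore the parent first or pass -TargetPath.
$deleted | Restore-ADObject
```

Restoring from the Recycle Bin preserves the object's SID, which is the property that makes this approach safer than re-creating an account: ACLs and group memberships that reference the old SID remain valid.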

For information about the Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (Windows Server 2008 R2).

Active Directory Administrative Center Fine-Grained Password Policy

Windows Server 2008 introduced Fine-Grained Password Policy, which allows administrators to configure multiple password and account lockout policies per domain. This gives domains a flexible way to enforce more or less restrictive password rules based on users and groups. It had no management interface and required administrators to configure it using Ldp.exe or Adsiedit.msc. Windows Server 2008 R2 introduced the Active Directory module for Windows PowerShell, which gave administrators a command-line interface to FGPP.

Windows Server 2012 brings a graphical interface to Fine-Grained Password Policy. The Active Directory Administrative Center is the home of this new dialog, which brings simplified FGPP management to all administrators.
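The dialog in the Administrative Center produces the same objects the module cmdlets do. As an added example (not from the article), the script below creates a stricter policy for privileged accounts, applies it to a group, and checks which policy actually wins for a user. The group Tier0-Admins, the user admin.jdoe and the policy values are assumptions.

```powershell
# Added example, not from the article. Assumed group 'Tier0-Admins' and user
# 'admin.jdoe' in the current domain; policy values are illustrative.
Import-Module ActiveDirectory

# A stricter policy for privileged accounts. When several PSOs cover a user,
# the lowest Precedence wins; the default domain policy applies only if none do.
New-ADFineGrainedPasswordPolicy -Name 'Tier0-Admins-PSO' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs can only be applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-Admins-PSO' -Subjects 'Tier0-Admins'

# Resultant policy for one user: confirms the intended PSO is the effective one.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Audit view: every PSO in the domain and what it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        PSO        = $_.Name
        Precedence = $_.Precedence
        AppliesTo  = ($_.AppliesTo -join ';')
    }
}
```

The resultant-policy check is the step most often skipped: a PSO with a higher Precedence number than an existing one silently loses, so verify the effective policy per user rather than trusting the subject assignment alone.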

For information about Fine-Grained Password Policy, see AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide (Windows Server 2008 R2).

Active Directory Administrative Center Windows PowerShell History Viewer

Windows Server 2008 R2 introduced the Active Directory Administrative Center, which superseded the older Active Directory Users and Computers snap-in created in Windows 2000. The Active Directory Administrative Center provides a graphical administrative interface to the then-new Active Directory module for Windows PowerShell.

While the Active Directory module contains over a hundred cmdlets, the learning curve for an administrator can be steep. Since Windows PowerShell integrates heavily into the strategy of Windows administration, the Active Directory Administrative Center now includes a viewer that lets you see the cmdlet execution behind the graphical interface. You can search, copy, clear history, and add notes with a simple interface. The intent is for an administrator to use the graphical interface to create and modify objects, and then review the commands in the history viewer to learn more about Windows PowerShell scripting and modify the examples.

AD Replication Windows PowerShell

Windows Server 2012 adds additional Active Directory replication cmdlets to the Active Directory Windows PowerShell module. These allow configuration of new or existing sites, subnets, connections, site links, and bridges. They also return Active Directory replication metadata, replication status, queuing, and up-to-dateness version vector information. The introduction of the replication cmdlets, combined with the deployment and other existing AD DS cmdlets, makes it possible to administer a forest using Windows PowerShell alone. This creates new opportunities for administrators wishing to provision and manage Windows Server 2012 without a graphical interface, which in turn reduces the operating system's attack surface and servicing requirements. This is especially important when deploying servers into high security networks such as Secret Internet Protocol Router (SIPR) and corporate DMZs.
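An added example (not from the article) covering both halves of the paragraph: the topology cmdlets that create a site, subnet and site link, and the status cmdlets that return partner metadata, failures, queue depth and the up-to-dateness vector. Site, subnet and server names (Branch1, 10.20.0.0/16, DC01, DC02) are assumptions for an imaginary corp.contoso.com forest.

```powershell
# Added example, not from the article. All names below are assumptions.
Import-Module ActiveDirectory

# --- Topology configuration -------------------------------------------------
New-ADReplicationSite   -Name 'Branch1'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch1'
New-ADReplicationSiteLink -Name 'HQ-Branch1' `
    -SitesIncluded 'Default-First-Site-Name','Branch1' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# --- Replication status across the whole forest ------------------------------
$forestName = (Get-ADForest).Name

# Inbound partner metadata for every DC: last attempt, last success, and how
# many consecutive failures. Anything with failures > 0 deserves attention.
Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest |
    Select-Object Server, Partner, Partition, LastReplicationAttempt,
                  LastReplicationSuccess, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# Failures the DCs themselves have recorded (the repadmin /showrepl view).
Get-ADReplicationFailure -Target $forestName -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# Queue depth on one DC: a large backlog means stuck or overloaded replication.
(Get-ADReplicationQueueOperation -Server 'DC01.corp.contoso.com' | Measure-Object).Count

# Up-to-dateness vector: the highest USN from each partner this DC has applied.
Get-ADReplicationUpToDatenessVectorTable -Target 'DC01.corp.contoso.com' |
    Select-Object Server, Partner, Partition, UsnFilter, LastReplicationSuccess

# Push one object (here the domain head) from DC01 to DC02 immediately.
Sync-ADObject -Object (Get-ADDomain).DistinguishedName -Source 'DC01' -Destination 'DC02'
```

On a Server Core DC with no graphical tools, these cmdlets are the whole replication toolbox; scheduling the status section as a task gives early warning of the lingering-object and USN-rollback conditions that otherwise surface only as application failures.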

For more information about AD DS site topology and replication, see the Windows Server Technical Reference.

RID Management and Issuance Improvements

Windows 2000 Active Directory introduced the RID Master, which issues pools of relative identifiers to domain controllers in order to create security identifiers (SIDs) for security trustees such as users, groups, and computers. By default, this global RID space is limited to 2^30 (or 1,073,741,823) total SIDs created in a domain. SIDs cannot return to the pool or be reissued. Over time, a large domain may begin to run low on RIDs, or accidents may lead to unnecessary RID depletion and eventual exhaustion.

Windows Server 2012 addresses a number of RID issuance and management issues uncovered by customers and Microsoft Customer Support as AD DS matured since the creation of the first Active Directory domains in 1999. These include:

  • Periodic RID consumption warnings are written to the event log

  • Events are logged when an administrator invalidates a RID pool

  • A maximum cap on the RID policy RID Block Size is now enforced

  • Artificial RID ceilings are now enforced and logged when the global RID space is low, allowing an administrator to take action before the global space is exhausted

  • The global RID space can now be increased by one bit, doubling the size to 2^31 (2,147,483,648 SIDs)
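The periodic warnings above are only useful if someone reads them, so the added example below (not code from the article) computes the current consumption of the global RID space directly from the rIDAvailablePool attribute on the RID Manager$ object. The 80% warning threshold is an assumption; the attribute layout (ceiling in the high 32 bits, next RID to issue in the low 32 bits) is the documented LargeInteger encoding.

```powershell
# Added example, not from the article. Reports RID space consumption for a
# domain from the RID Master. The 80% threshold is an arbitrary assumption.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom       = Get-ADDomain -Identity $Domain
    $ridMaster = $dom.RIDMaster
    $pool = (Get-ADObject -Identity "CN=RID Manager$,CN=System,$($dom.DistinguishedName)" `
                -Server $ridMaster -Properties rIDAvailablePool).rIDAvailablePool

    # rIDAvailablePool is a 64-bit LargeInteger:
    #   high 32 bits = ceiling of the global RID space
    #                  (2^30 - 1 by default, 2^31 - 1 after the one-bit increase)
    #   low 32 bits  = the next RID the RID Master will hand out
    $twoPow32 = 4294967296
    $ceiling  = [int64][math]::Floor($pool / $twoPow32)
    $nextRid  = [int64]($pool - ($ceiling * $twoPow32))

    [pscustomobject]@{
        Domain         = $Domain
        RidMaster      = $ridMaster
        GlobalCeiling  = $ceiling
        RidsIssued     = $nextRid
        RidsRemaining  = $ceiling - $nextRid
        PercentUsed    = [math]::Round(100 * $nextRid / $ceiling, 2)
        ThirtyFirstBit = $ceiling -gt 1073741823   # true once the space was doubled
        Warn           = ($nextRid / $ceiling) -gt 0.8
    }
}

Get-RidPoolStatus
```

RidsIssued counts every RID ever allocated, including those consumed by failed object creations and invalidated pools, which is why a domain with far fewer than a billion objects can still approach the ceiling.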

For more information about RIDs and the RID Master, review How Security Identifiers Work.

New AD DS Deployment Architecture

AD DS Role Deployment and Management Architecture

Server Manager and ADDSDeployment Windows PowerShell rely on the following core assemblies for functionality when deploying or managing the AD DS role:

  • Microsoft.ADroles.Aspects.dll

  • Microsoft.ADroles.Instrumentation.dll

  • Microsoft.ADRoles.ServerManager.Common.dll

  • Microsoft.ADRoles.UI.Common.dll

  • Microsoft.DirectoryServices.Deployment.Types.dll

  • Microsoft.DirectoryServices.ServerManager.dll

  • Addsdeployment.psm1

  • Addsdeployment.psd1

Both rely on Windows PowerShell and its remote Invoke-Command for remote role installation and configuration.

Windows Server 2012 also refactors a number of previous promotion operations out of LSASS.EXE, as part of:

  • DS Role Server Service (DsRoleSvc)

  • DSRoleSvc.dll (loaded by the DsRoleSvc service)

This service must be present and running in order to promote, demote, or clone virtual domain controllers. AD DS role installation adds this service and sets a start type of Manual by default. Do not disable this service.

ADPrep and Prerequisite Checking Architecture

Adprep no longer requires running on the schema master. It can be run remotely from a computer that runs Windows Server 2008 x64 or later.

Note

Adprep uses LDAP to import Schxx.ldf files and does not automatically reconnect if the connection to the schema master is lost during import. As part of the import process, the schema master is put into a specific mode and automatic reconnection is disabled, because if LDAP reconnected after the connection was lost, the re-established connection would not be in that mode. In that case, the schema would not be updated correctly.

Prerequisite checking ensures that certain conditions are true. These conditions are required for successful AD DS installation. If some required conditions are not true, they can be resolved before continuing the installation. It also detects that a forest or domain is not yet prepared, so that the Adprep deployment code runs automatically.

ADPrep Executables, DLLs, and LDF Files

  • ADprep.dll

  • Ldifde.dll

  • Csvde.dll

  • Sch14.ldf - Sch56.ldf

  • Schupgrade.cat

  • dcpromo.csv

The AD Preparation code formerly housed in ADprep.exe is refactored into adprep.dll. This allows both ADPrep.exe and the ADDSDeployment Windows PowerShell module to use the library for the same tasks and have the same capabilities. Adprep.exe is included with the installation media, but automated processes do not call it directly; only an Administrator runs it manually. It can only run on Windows Server 2008 x64 and later operating systems. Ldifde.exe and csvde.exe also have refactored versions as DLLs that are loaded by the preparation process. Schema extension still uses the signature-verified LDF files, as in previous operating system versions.

Important

There is no 32-bit Adprep32.exe tool for Windows Server 2012. You must have at least one Windows Server 2008 x64, Windows Server 2008 R2, or Windows Server 2012 computer, running as a domain controller, member server, or in a workgroup, to prepare the forest and domain. Adprep.exe does not run on Windows Server 2003 x64.

Prerequisite Checking

The prerequisite checking system built into the ADDSDeployment Windows PowerShell managed code works in different modes, based on the operation. The table below describes each test, when it is used, and how and what it validates. This table may be useful if the validation fails and the error is not sufficient to troubleshoot the problem.

These tests log to the DirectoryServices-Deployment operational event log channel under the Task Category Core, always as Event ID 103.

Prerequisite Windows PowerShell

There are ADDSDeployment Windows PowerShell test cmdlets corresponding to each of the domain controller deployment cmdlets. They take approximately the same arguments as their associated cmdlets.

  • Test-ADDSDomainControllerInstallation

  • Test-ADDSDomainControllerUninstallation

  • Test-ADDSDomainInstallation

  • Test-ADDSForestInstallation

  • Test-ADDSReadOnlyDomainControllerAccountCreation

There is ordinarily no need to run these cmdlets; they already execute automatically with the deployment cmdlets by default.
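Running the Test-* cmdlets on their own is still the fastest way to see why a promotion would fail before committing to it. The added example below (not code from the article) runs the forest and domain controller variants as dry runs, checks that DsRoleSvc is running, and then pulls the Event ID 103 entries the checks wrote. The domain name corp.contoso.com and the full channel name Microsoft-Windows-DirectoryServices-Deployment/Operational are assumptions; run whichever of the two Test cmdlets matches the machine's situation (a domain-joined server cannot be tested as a new forest root).

```powershell
# Added example, not from the article. Domain name and the full event channel
# name are assumptions; Event ID 103 and Task Category Core come from the text.
Import-Module ADDSDeployment

$domain = 'corp.contoso.com'                                       # assumed
$dsrm   = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

# DsRoleSvc hosts the promotion code refactored out of LSASS.EXE; it must be
# present and running for promote/demote/clone, so check it first.
$svc = Get-Service -Name DsRoleSvc -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name DsRoleSvc }

# Dry run for a new forest root (only valid on a workgroup server) ...
$forestTest = Test-ADDSForestInstallation -DomainName $domain `
    -SafeModeAdministratorPassword $dsrm -InstallDns -ErrorAction SilentlyContinue

# ... or for an additional DC in an existing domain (uses the caller's
# credentials unless -Credential is supplied).
$dcTest = Test-ADDSDomainControllerInstallation -DomainName $domain `
    -SafeModeAdministratorPassword $dsrm -InstallDns -ErrorAction SilentlyContinue

foreach ($r in @($forestTest, $dcTest) | Where-Object { $_ }) {
    # Status is Success or Error; Message and Context say which check failed.
    $r | Format-List Status, Message, Context, RebootRequired
}

# Every check writes one entry, Task Category Core, Event ID 103. Reading the
# channel is how to see which tests ran (VerifyADPrepPrerequisites,
# CheckGroupMembership, ...) when the cmdlet's summary message is not enough.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DirectoryServices-Deployment/Operational'
    Id      = 103
} -MaxEvents 50 | Select-Object TimeCreated, Message | Format-List
```

Because the promotion cmdlets run these same checks internally, a clean Test result followed by a failed promotion usually points at something that changed between the two runs (a lost replication partner, revoked group membership) rather than at the checks themselves.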

Prerequisite Tests

Test Name: VerifyAdminTrustedForDelegationProvider
Protocols used: LDAP
Explanation and notes: Validates that you have the "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege) privilege on the existing partner domain controller. This requires access to your constructed tokenGroups attribute. Not used when contacting Windows Server 2003 domain controllers; you must manually confirm this privilege prior to promotion.

Test Name: VerifyADPrepPrerequisites (forest)
Protocols used: LDAP
Explanation and notes: Discovers and contacts the Schema Master using the rootDSE namingContexts attribute and the Schema naming context fsmoRoleOwner attribute. Determines which preparatory operations (forestprep, domainprep, or rodcprep) are required for AD DS installation. Validates that the schema objectVersion is the expected value and whether it requires further extension.

Test Name: VerifyADPrepPrerequisites (domain and RODC)
Protocols used: LDAP
Explanation and notes: Discovers and contacts the Infrastructure Master using the rootDSE namingContexts attribute and the Infrastructure container fsmoRoleOwner attribute. In the case of an RODC installation, this test discovers the domain naming master and makes sure it is online.

Test Name: CheckGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Domain Admins or Enterprise Admins group, depending on the operation (DA for adding or demoting a domain controller, EA for adding or removing a domain).

Test Name: CheckForestPrepGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Schema Admins and Enterprise Admins groups and has the Manage Audit and Security Event Logs (SeSecurityPrivilege) privilege on the existing domain controllers.

Test Name: CheckDomainPrepGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Domain Admins group and has the Manage Audit and Security Event Logs (SeSecurityPrivilege) privilege on the existing domain controllers.

Test Name: CheckRODCPrepGroupMembership
Protocols used: LDAP, RPC over SMB (LSARPC)
Explanation and notes: Validates that the user is a member of the Enterprise Admins group and has the Manage Audit and Security Event Logs (SeSecurityPrivilege) privilege on the existing domain controllers.

Test Name: VerifyInitSyncAfterReboot
Protocols used: LDAP
Explanation and notes: Validates that the Schema Master has replicated at least once since it restarted, by setting a dummy value on the rootDSE attribute becomeSchemaMaster.

Test Name: VerifySFUHotFixApplied
Protocols used: LDAP
Explanation and notes: Validates that the existing forest schema does not contain the known problem SFU2 extension for the UID attribute with OID 1.2.840.113556.1.4.7000.187.102 (http://support.microsoft.com/kb/821732).

Test Name: VerifyExchangeSchemaFixed
Protocols used: LDAP, WMI, DCOM, RPC
Explanation and notes: Validates that the existing forest schema does not still contain the problem Exchange 2000 extensions ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier (http://support.microsoft.com/kb/314649).

Test Name: VerifyWin2KSchemaConsistency
Protocols used: LDAP
Explanation and notes: Validates that the existing forest schema has consistent (not incorrectly modified by a third party) core attributes and classes.

Test Name: DCPromo
Protocols used: DRSR over RPC, LDAP, DNS, RPC over SMB (SAMR)
Explanation and notes: Validates the command-line syntax passed to the promotion code and tests promotion. Validates that the forest or domain does not already exist if creating a new one.

Test Name: VerifyOutboundReplicationEnabled
Protocols used: LDAP, DRSR over SMB, RPC over SMB (LSARPC)
Explanation and notes: Validates that the existing domain controller specified as the replication partner has outbound replication enabled, by checking the NTDS Settings object's options attribute for NTDSDSA_OPT_DISABLE_OUTBOUND_REPL (0x00000004).

Test Name: VerifyMachineAdminPassword
Protocols used: DRSR over RPC, LDAP, DNS, RPC over SMB (SAMR)
Explanation and notes: Validates that the safe mode password set for DSRM meets domain complexity requirements.

Test Name: VerifySafeModePassword
Protocols used: N/A
Explanation and notes: Validates that the local Administrator password set meets computer security policy complexity requirements.