執行初始復原Perform initial recovery

適用於: Windows Server 2016、 Windows Server 2012 和 2012 R2、 Windows Server 2008 和 2008 R2Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

這一節包含下列步驟:This section includes the following steps:

還原在每個網域中的第一個寫入的網域控制站Restore the first writeable domain controller in each domain

開頭寫入 DC 森林根網域中,若要還原的第一個 DC 完成本節中的步驟操作。Beginning with a writeable DC in the forest root domain, complete the steps in this section in order to restore the first DC. 森林根網域很重要,因為它存放區結構描述管理員和企業系統管理員 」 群組。The forest root domain is important because it stores the Schema Admins and Enterprise Admins groups. 這也有助於維護信任的樹系階層。It also helps maintain the trust hierarchy in the forest. 此外,森林根網域通常會保留根的 DNS 伺服器的樹系 DNS 命名空間。In addition, the forest root domain usually holds the DNS root server for the forest’s DNS namespace. 因此,該網域 Active Directory – 整合 DNS 區域包含別名 (CNAME) 資源森林 (所需的複寫),與通用 DNS 資源記錄所有其他網域控制站。Consequently, the Active Directory–integrated DNS zone for that domain contains the alias (CNAME) resource records for all other DCs in the forest (which are required for replication) and the global catalog DNS resource records.

您可以復原森林根網域之後,請重複執行相同的步驟來復原森林中的其餘的網域。After you recover the forest root domain, repeat the same steps to recover the remaining domains in the forest. 您也可以同時; 復原一個以上的網域不過,一律復原家長網域之前復原的一位子女來防止任何信任階層或 DNS 名稱解析中斷。You can recover more than one domain simultaneously; however, always recover a parent domain before recovering a child to prevent any break in the trust hierarchy or DNS name resolution.

針對每個您復原網域,從備份還原只有一個寫入俠。For each domain that you recover, restore only one writeable DC from backup. 這是最重要復原的一部分,因為 DC 必須具有已不受到導致樹系失敗資料庫。This is the most important part of the recovery because the DC must have a database that has not been influenced by whatever caused the forest to fail. 請務必讓您有備無患信任完全引入 production 環境之前測試。It is important to have a trusted backup that is thoroughly tested before it is introduced into the production environment.

然後執行下列步驟。Then perform the following steps. 來執行特定步驟程序會在AD 樹系修復程序Procedures for performing certain steps are in AD Forest Recovery - Procedures.

  1. 如果您想要還原實體伺服器,確定俠未連接,因此未連接到 production 網路目標的網路線。If you plan to restore a physical server, ensure that the network cable of the target DC is not attached and therefore is not connected to the production network. 一樣,您可以移除網路介面卡,或使用的網路介面卡連接到其他網路位置,您可以測試隔離的實際執行網路時的修復程序。For a virtual machine, you can remove the network adapter or use a network adapter that is attached to another network where you can test the recovery process while isolated from the production network.

  2. 因為這是第一個寫入 DC 網域中的,您必須執行 AD ds 未授權的還原和 SYSVOL 授權。Because this is the first writeable DC in the domain, you must perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL. 還原操作必須完成使用 Active Directory 感知備份及還原應用程式,例如 「 Windows 備份伺服器 (也就是,您應該不 DC 使用還原不支援的方法,例如還原 VM 快照)。The restore operation must be completed by using an Active Directory-aware backup and restore application, such as Windows Server Backup (that is, you should not restore the DC by using unsupported methods such as restoring a VM snapshot).

    授權 SYSVOL 是因為 SYSVOL 複寫複寫之後從損壞您復原必須開始進行] 資料夾。An authoritative restore of SYSVOL is required because replication of the SYSVOL replicated folder must be started after you recover from a disaster. 加入網域中的所有後續 Dc 必須先授權可將通知資料夾已選取的資料夾一份與他們 SYSVOL 資料夾重新同步處理。All subsequent DCs that are added in the domain must resynchronize their SYSVOL folder with a copy of the folder that has been selected to be authoritative before the folder can be advertised.

    警告

    操作僅會針對還原森林根網域中的第一個 DC SYSVOL 授權 (或主要) 還原。Perform an authoritative (or primary) restore operation of SYSVOL only for the first DC to be restored in the forest root domain. 會導致複寫衝突 SYSVOL 資料的正確執行其他網域控制站 SYSVOL 的主要還原操作。Incorrectly performing primary restore operations of the SYSVOL on other DCs leads to replication conflicts of SYSVOL data.

    有兩個選項執行 AD ds 未授權的還原和授權 SYSVOL:There are two options perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL:

  3. 您還原並寫入俠重新開機之後,請確認該失敗不會影響 DC 上的資料。After you restore and restart the writeable DC, verify that the failure did not affect the data on the DC. 如果已損壞俠資料,再使用不同的備份重複步驟 2。If the DC data is damaged, then repeat step 2 with a different backup.

    如果還原的網域控制站裝載作業主角,您可能需要新增避免 AD DS 無法使用,直到完成寫入 directory 磁碟分割的複寫登錄下列項目:If the restored domain controller hosts an operations master role, you may need to add the following registry entry to avoid AD DS being unavailable until it has completed replication of a writeable directory partition:

    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl 執行初始同步處理HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations

    建立的資料類型的項目呼叫完成並為0Create the entry with the data type REG_DWORD and a value of 0. 樹系復原完全之後,您可以重設值的此項目,以1、 輸入這需要重新開機,並保留作業有主機角色成功的網域控制站 AD DS 和戶端輸出複寫已知的複本合作之前為網域控制站通知本身並開始提供服務。After the forest is recovered completely, you can reset the value of this entry to 1, which requires a domain controller that restarts and holds operations master roles to have successful AD DS inbound and outbound replication with its known replica partners before it advertises itself as domain controller and starts providing services to clients. 如需有關初始同步需求,查看知識庫文章305476For more information about initial synchronization requirements, see KB article 305476.

    只有還原和驗證資料之後,這台電腦加入 production 網路之前,請繼續接下來的步驟。Continue to the next steps only after you restore and verify the data and before you join this computer to the production network.

  4. 如果您懷疑的樹系的失敗相關網路入侵或惡意攻擊,重設密碼管理帳號,包括成員企業系統管理員,網域系統管理員,架構系統管理員,伺服器電信業者、 Account 電信業者群組,等等。If you suspect that the forest-wide failure was related to network intrusion or malicious attack, reset the account passwords for all administrative accounts, including members of the Enterprise Admins, Domain Admins, Schema Admins, Server Operators, Account Operators groups, and so on. 管理 account 密碼重設應該額外的網域控制站安裝下一個階段的樹系復原之前完成。The reset of administrative account passwords should be completed before additional domain controllers are installed during the next phase of the forest recovery.

  5. 森林根網域中的第一次還原 DC、 上抓取所有網域全和樹系作業主機角色。On the first restored DC in the forest root domain, seize all domain-wide and forest-wide operations master roles. 抓取樹系操作主要的角色所需企業系統管理員 」 及架構管理員認證。Enterprise Admins and Schema Admins credentials are needed to seize forest-wide operations master roles.

    在每個子女網域中抓取全網域操作主機角色。In each child domain, seize domain-wide operations master roles. 雖然您可能會保留操作主機角色還原 DC 只能暫時、 上的抓取這些角色可確保您哪些俠主控它們此時中的樹系的修復程序。Although you might retain the operations master roles on the restored DC only temporarily, seizing these roles assures you regarding which DC hosts them at this point in the forest recovery process. 您後修復程序的一部分,您可以將套件轉操作主機角色視。As part of your post-recovery process, you can redistribute the operations master roles as needed. 如需有關抓取操作主機角色資訊,請查看抓取作業主角For more information about seizing operations master roles, see Seizing an operations master role. 放置操作主機角色建議,請查看操作主機有哪些?.For recommendations about where to place operations master roles, see What Are Operations Masters?.

  6. 清除所有其他寫入網域控制站的樹系根網域中,您不從 (除了此第一次 DC 網域中的所有寫入 Dc) 的備份還原中繼資料。Clean up metadata of all other writeable DCs in the forest root domain that you are not restoring from backup (all writeable DCs in the domain except for this first DC). 如果您使用的 Active Directory 使用者和電腦或 Active Directory 網站和服務會包含 Windows Server 2008,或更新版本或 RSAT 適用於 Windows Vista 版本或更新版本,清除中繼資料會自動執行當您 delete DC 物件。If you use the version of Active Directory Users and Computers or Active Directory Sites and Services that is included with Windows Server 2008 or later or RSAT for Windows Vista or later, metadata cleanup is performed automatically when you delete a DC object. 此外,伺服器物件與電腦物件的刪除俠也會刪除自動。In addition, the server object and computer object for the deleted DC are also deleted automatically. 如需詳細資訊,請查看清潔中繼資料中移除寫入 DcFor more information, see Cleaning metadata of removed writable DCs.

    如果已安裝在不同的網站 DC AD DS,清除中繼資料會防止可能重複的物件 NTDS 設定。Cleaning up metadata prevents possible duplication of NTDS-settings objects if AD DS is installed on a DC in a different site. 潛在,這可能也儲存知識一致性檢查程式 (KCC) 網域控制站本身可能不會出現時,建立複製連結的程序。Potentially, this could also save the Knowledge Consistency Checker (KCC) the process of creating replication links when the DCs themselves might not be present. 此外,中繼資料清理] 中,部分俠定位 DNS 網域中的所有其他 Dc 資源記錄繼續嗎 DNS 從。Moreover, as part of metadata cleanup, DC Locator DNS resource records for all other DCs in the domain will be deleted from DNS.

    已移除網域中的所有其他 Dc 中繼資料,除非此 DC,它就像之前復原 RID 主機將假設 RID 主角和因此將無法發出新 Rid。Until the metadata of all other DCs in the domain is removed, this DC, if it were a RID master before recovery, will not assume the RID master role and therefore will not be able to issue new RIDs. 您可能會看到 263 16650 系統木頭中的指示此錯誤,事件檢視器中,但您應該會看到 263 16648 表示成功有點時之後您已清除中繼資料。You might see event ID 16650 in the System log in Event Viewer indicating this failure, but you should see event ID 16648 indicating success a little while after you have cleaned the metadata.

  7. 如果您擁有的儲存在 AD DS DNS 區域,請確定本機 DNS 伺服器服務安裝並還原您的 DC 上執行。If you have DNS zones that are stored in AD DS, ensure that the local DNS Server service is installed and running on the DC that you have restored. 如果此俠不是樹系失敗前的 DNS 伺服器,您必須安裝和設定的 DNS 伺服器。If this DC was not a DNS server before the forest failure, you must install and configure the DNS server.

    注意

    還原網域控制站執行 Windows Server 2008,如果您需要知識庫文章 hotfix 975654或連接伺服器隔離網路暫時才能安裝 DNS 伺服器。If the restored DC runs Windows Server 2008, you need to install the hotfix in KB article 975654 or connect the server to an isolated network temporarily in order to install DNS server. 不需要任何其他版本的 Windows Server hotfix。The hotfix is not required for any other versions of Windows Server.

    在 [樹系根網域中,設定還原網域控制站具有其本身的 IP 位址 (或回送地址,例如 127.0.0.1) 做為其慣用 DNS 伺服器。In the forest root domain, configure the restored DC with its own IP address (or a loopback address, such as 127.0.0.1) as its preferred DNS server. 您可以設定此設定中的區域網路 (區域網路) 介面卡 TCP/IP 屬性。You can configure this setting in the TCP/IP properties of the local area network (LAN) adapter. 這是森林中的第一個 DNS 伺服器。This is the first DNS server in the forest. 如需詳細資訊,請查看設定 TCP/IP 使用 DNSFor more information, see Configure TCP/IP to use DNS.

    在每個子女網域中的樹系根網域中的第一個 DNS 伺服器的 IP 位址設定還原網域控制站做為其慣用 DNS 伺服器。In each child domain, configure the restored DC with the IP address of the first DNS server in the forest root domain as its preferred DNS server. 您可以設定此設定中的區域網路介面卡 TCP/IP 屬性。You can configure this setting in the TCP/IP properties of the LAN adapter. 如需詳細資訊,請查看設定 TCP/IP 使用 DNSFor more information, see Configure TCP/IP to use DNS.

    _Msdcs 和網域 DNS 區域中 delete 奈秒記錄的網域控制站的中繼資料清除之後已不存在。In the _msdcs and domain DNS zones, delete NS records of DCs that no longer exist after metadata cleanup. 檢查是否已移除 SRV 記錄向上已清除網域控制站。Check if the SRV records of the cleaned up DCs have been removed. 為了加快 DNS-SRV 使用碼表進行移除,請執行:To help speed up DNS SRV record removal, run:

    nltest.exe /dsderegdns:server.domain.tld  
    
  8. 透過 100000 提高提供 RID 集區的值。Raise the value of the available RID pool by 100,000. 如需詳細資訊,請查看引發的值提供 RID 集區的For more information, see Raising the value of available RID pools. 如果您認為調高移除集區 100000 是不足特定遭遇問題的原因,您應該會判斷使用仍然安全最低增加。If you have reason to believe that raising the RID Pool by 100,000 is insufficient for your particular situation, you should determine the lowest increase that is still safe to use. Rid 提供有限應該不會用完不必要的資源。RIDs are a finite resource that should not be used up needlessly.

    如果您用來還原備份的時間後網域中建立新的安全性原則,這些安全性原則可能會有特定物件的存取權限。If new security principals were created in the domain after the time of the backup that you use for the restore, these security principals might have access rights on certain objects. 這些安全性原則找不到修復之後因為復原已還原備份。不過,可能仍然存在其存取權。These security principals no longer exist after recovery because the recovery has reverted to the backup; however, their access rights might still exist. 如果不使用 RID 集區引發還原之後,新的使用者會物件所建立的樹系復原可能會取得的相同的安全 Id (Sid) 之後,而且可能會原本不這些物件,存取。If the available RID pool is not raised after a restore, new user objects that are created after the forest recovery might obtain identical security IDs (SIDs) and could have access to those objects, which was not originally intended.

    若要闡述,請考慮員工名張瑾所述導入新的範例。To illustrate, consider the example of the new employee named Amy that was mentioned in the introduction. 因為它用來還原網域備份後建立的使用者張瑾物件不存在之後還原操作。The user object for Amy no longer exists after the restore operation because it was created after the backup that was used to restore the domain. 不過,可能會還原後仍然存在任何存取權限已指派給使用者物件。However, any access rights that were assigned to that user object might persist after the restore operation. 如果使用者物件的 SID 會還原操作之後將指派給新的物件,新物件會取得的存取權限。If the SID for that user object is reassigned to a new object after the restore operation, the new object would obtain those access rights.

  9. 使目前 RID 集區。Invalidate the current RID pool. 目前 RID 集區系統狀態還原後失效。The current RID pool is invalidated after a system state restore. 但無法執行系統還原狀態,如果需要失效防止還原網域控制站重新 RID 集區中已建立備份之同時指派發行 Rid 目前 RID 集區。But if a system state restore was not performed, the current RID pool needs to be invalidated to prevent the restored DC from re-issuing RIDs from the RID pool that was assigned at the time the backup was created. 如需詳細資訊,請查看失效目前 RID 集區For more information, see Invalidating the current RID pool.

    注意

    第一次嘗試使用 SID 建立物件之後您使 RID 集區,,您會收到一則錯誤。The first time that you attempt to create an object with a SID after you invalidate the RID pool you will receive an error. 嘗試將建立物件觸發 RID 新集區的要求。The attempt to create an object triggers a request for a new RID pool. 重試作業的成功因為將配置 RID 新集區。Retry of the operation succeeds because the new RID pool will be allocated.

  10. 重設電腦 account 密碼此 dc 兩次。Reset the computer account password of this DC twice. 如需詳細資訊,請查看重設電腦密碼的網域控制站的For more information, see Resetting the computer account password of the domain controller.

  11. 重設 krbtgt 密碼兩次。Reset the krbtgt password twice. 如需詳細資訊,請查看krbtgt 密碼重設For more information, see Resetting the krbtgt password.

    因為 krbtgt 密碼歷史兩個的密碼,請重設密碼兩次,以移除密碼歷史原始 (prefailure) 密碼。Because the krbtgt password history is two passwords, reset passwords twice to remove the original (prefailure) password from password history.

    注意

    如果樹系復原是的回應安全性漏洞,您也可能會重設信任的密碼。If the forest recovery is in response to a security breach, you may also reset the trust passwords. 如需詳細資訊,請查看重設密碼信任一方信任的For more information, see Resetting a trust password on one side of the trust.

  12. 如果樹系有多個網域還原網域控制站是一個通用伺服器失敗之前,清除 [通用核取方塊,在通用移除 DC NTDS 設定屬性。If the forest has multiple domains and the restored DC was a global catalog server before the failure, clear the Global catalog check box in the NTDS Settings properties to remove the global catalog from the DC. 此規則例外是一個網域的樹系的常見案例。The exception to this rule is the common case of a forest with just one domain. 若是如此,不需要移除通用。In this case, it is not required to remove the global catalog. 如需詳細資訊,請查看移除通用For more information, see Removing the global catalog.

    藉由從更多的備份還原通用最近比其他備份用來還原網域控制站在其他網域中,您可能會介紹延遲物件。By restoring a global catalog from a backup that is more recent than other backups that are used to restore DCs in other domains, you might introduce lingering objects. 請參考下列範例。Consider the following example. 在 A 網域中,從次 T1 拍攝的備份還原 DC1。In domain A, DC1 is restored from a backup that was taken at time T1. 網域 B,DC2 會從拍攝次 T2 通用備份還原。In domain B, DC2 is restored from a global catalog backup that was taken at time T2. 假設 T2 T1,比新,而且某些物件建立 T1 之間 T2。Suppose T2 is more recent than T1, and some objects were created between T1 and T2. 還原這些 Dc 之後,DC2,首先,保留較新的資料網域 A 對比網域 A 的部分複本本身。After these DCs are restored, DC2, which is a global catalog, holds newer data for domain A's partial replica than domain A holds itself. 因為這些物件未出現在 DC1 DC2,這種情形下,會保留延遲物件。DC2, in this case, holds lingering objects because these objects are not present on DC1.

    出現的 [延遲物件可能會造成問題。The presence of lingering objects can lead to problems. 例如,電子郵件可能不會傳遞給使用者的使用者物件網域之間移動。For instance, e-mail messages might not be delivered to a user whose user object was moved between domains. 您將過時的俠或通用伺服器回 online 後,使用者物件兩個出現在通用。After you bring the outdated DC or global catalog server back online, both instances of the user object appear in the global catalog. 這兩個物件有相同的電子郵件地址。因此,您無法傳送電子郵件訊息。Both objects have the same e-mail address; therefore, e-mail messages cannot be delivered.

    第二個問題時,不存在帳號可能仍會出現在全球地址清單。A second problem is that a user account that no longer exists might still appear in the global address list. 第三個問題,不存在通用群組中的使用者存取權杖可能仍會出現。A third problem is that a universal group that no longer exists might still appear in a user's access token.

    如果您未還原是通用俠-「 不小心或,因為您信任的孤獨備份,我們建議您避免即將還原作業完成之後,停用通用延遲物件的項目。If you did restore a DC that was a global catalog—either inadvertently or because that was the solitary backup that you trusted—we recommend that you prevent the occurrence of lingering objects by disabling the global catalog soon after the restore operation is complete. 停用通用旗標,會導致遺失所有其部分複本 (分割),並將本身一般俠狀態的電腦。Disabling the global catalog flag will result in the computer losing all its partial replicas (partitions) and relegating itself to regular DC status.

  13. 設定 Windows 時間服務。Configure Windows Time Service. 在森林根網域中,設定肯定同步處理時間時間外部來源。In the forest root domain, configure the PDC emulator to synchronize time from an external time source. 如需詳細資訊,請查看上的樹系根網域中肯定設定 Windows 時間服務For more information, see Configure the Windows Time service on the PDC emulator in the Forest Root Domain.

重新連接常見網路每個還原寫入網域控制站Reconnect each restored writeable domain controller to a common network

在這個階段您應該會有一個俠還原 (和修復的步驟執行) 森林根網域中,並在每個剩餘網域。At this stage you should have one DC restored (and recovery steps performed) in the forest root domain and in each of the remaining domains. 加入這些網域控制站常見的環境中的其餘部分隔離的網路,以驗證樹系健康和複寫完成下列步驟。Join these DCs to a common network that is isolated from the rest of the environment and complete the following steps in order to validate forest health and replication.

注意

當您加入網域控制站實體隔離的網路時,您可能需要變更其 IP 位址。When you join the physical DCs to an isolated network, you may need to change their IP addresses. 如此一來,您將會錯誤 DNS 記錄的 IP 位址。As a result, the IP addresses of DNS records will be wrong. 因為通用伺服器無法使用,DNS 安全的動態更新將會失敗。Because a global catalog server is not available, secure dynamic updates for DNS will fail. 因為加入新的網路 virtual 而不會變更其 IP 位址,會在這種情形下更多的優點 virtual Dc。Virtual DCs are more advantageous in this case because they can be joined to a new virtual network without changing their IP addresses. 這就是 virtual 網域控制站原因做的第一個網域控制站建議樹系修復時需要還原。This is one reason why virtual DCs are recommended as the first domain controllers to be restored during forest recovery.

驗證之後加入網域控制站 production 網路,並完成步驟以確認 [樹系複寫健康。After validation, Join the DCs to the production network and complete the steps to verify forest replication health.

  • 若要修正名稱解析,建立 DNS 委派記錄並設定 DNS 轉寄和根提示視。To fix name resolution, create DNS delegation records and configure DNS forwarding and root hints as needed. 執行repadmin /replsum來檢查複寫之間網域控制站。Run repadmin /replsum to check replication between DCs.

  • 如果還原網域控制站不複寫直接合作夥伴,請複寫復原將會更快地建立之間暫時連接物件。If the restored DC’s are not direct replication partners, replication recovery will be much faster by creating temporary connection objects between them.

  • 如果要驗證清除中繼資料,執行Repadmin /viewlist \ ***森林中的所有網域控制站的清單。To validate metadata cleanup, run **Repadmin /viewlist \* for a list of all DCs in the forest. 執行Nltest /DCList: < domain\ >的網域中的所有網域控制站的清單。Run Nltest /DCList: <domain> for a list of all DCs in the domain.

  • 若要檢查 DC 和 DNS 的健康狀態,來報告錯誤森林中的所有網域控制站上執行 DCDiag /v。To check DC and DNS health, run DCDiag /v to report errors on all DCs in the forest.

通用加入網域控制站森林根網域中Add the global catalog to a domain controller in the forest root domain

首先,才能這些和其他原因:A global catalog is required for these and other reasons:

  • 若要讓使用者登入。To enable logons for users.

  • 若要讓每個子女網域中的 dc 登記並移除根網域中的 DNS 伺服器上的記錄執行網路登入服務。To enable the Net Logon service running on the DCs in each child domain to register and remove records on the DNS server in the root domain.

    雖然它慣用的樹系根俠變得通用,就可以選擇任何還原網域控制站成為通用。Although it is preferred that the forest root DC become a global catalog, it is possible to elect any of the restored DCs to become a global catalog.

注意

直到完成完整的同步處理森林中的所有 directory 磁碟分割,DC 不會通知為通用伺服器。A DC will not be advertised as a global catalog server until it has completed a full synchronization of all directory partitions in the forest. 因此,DC 應該被迫複寫還原網域控制站森林中的每個。Therefore, the DC should be forced to replicate with each of the restored DCs in the forest.

監視 Directory 服務事件登入事件檢視器的事件編號 1119,這表示在這個網域控制站是通用伺服器,或驗證下列機碼會有 1 的值:Monitor the Directory Service event log in Event Viewer for event ID 1119, which indicates that this DC is a global catalog server, or verify the following registry key has a value of 1:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog 升級完成HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion Complete

如需詳細資訊,請查看新增通用For more information, see Adding the global catalog.

在此階段您應該會有一個網域控制站的每個網域與穩定森林和一個通用森林中。At this stage you should have a stable forest, with one DC for each domain and one global catalog in the forest. 您應該讓每個您只要還原 Dc 新備份。You should make a new backup of each of the DCs that you have just restored. 您現在可以重新安裝 AD DS 部署森林中的其他 Dc 開始。You can now begin to redeploy other DCs in the forest by installing AD DS.

後續步驟Next Steps