Install Active Directory Domain Services (Level 100)

 

Applies To: Windows Server 2012 R2, Windows Server 2012

<_caps3a_sxs _xmlns3a_caps="https://schemas.microsoft.com/build/caps/2013/11"><_caps3a_sxstarget locale="zh-CN">
This topic explains how to install AD DS in Windows Server 2012 by using any of the following methods:

- Credential requirements to run Adprep.exe and install Active Directory Domain Services
- Installing AD DS by using Windows PowerShell
- Installing AD DS by using Server Manager
- Performing a staged RODC installation using the graphical user interface

Credential requirements to run Adprep.exe and install Active Directory Domain Services

The following credentials are required to run Adprep.exe and install AD DS.

- To install a new forest, you must be logged on as the local Administrator for the computer.
- To install a new child domain or new domain tree, you must be logged on as a member of the Enterprise Admins group.
- To install an additional domain controller in an existing domain, you must be a member of the Domain Admins group.

If you do not run the adprep.exe command separately and you are installing the first domain controller that runs Windows Server 2012 in an existing domain or forest, you will be prompted to supply credentials to run the Adprep commands. The credential requirements are as follows:

- To introduce the first Windows Server 2012 domain controller in the forest, you need to supply credentials for a member of the Enterprise Admins group, the Schema Admins group, and the Domain Admins group in the domain that hosts the schema master.
- To introduce the first Windows Server 2012 domain controller in a domain, you need to supply credentials for a member of the Domain Admins group.
- To introduce the first read-only domain controller (RODC) in the forest, you need to supply credentials for a member of the Enterprise Admins group.

If you have already run adprep /rodcprep in Windows Server 2008 or Windows Server 2008 R2, you do not need to run it again for Windows Server 2012.

Installing AD DS by using Windows PowerShell

Beginning with Windows Server 2012, you can install AD DS by using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012, but you can still run dcpromo.exe by using an answer file (dcpromo /unattend:<answerfile> or dcpromo /answer:<answerfile>). The ability to continue running dcpromo.exe with an answer file gives organizations that have invested in existing automation time to convert that automation from dcpromo.exe to Windows PowerShell. For more information about running dcpromo.exe with an answer file, see https://support.microsoft.com/kb/947034.

For more information about removing AD DS by using Windows PowerShell, see Remove AD DS using Windows PowerShell.

Start by adding the role using Windows PowerShell. This command installs the AD DS server role and the AD DS and AD LDS server administration tools, including GUI-based tools such as Active Directory Users and Computers and command-line tools such as dcdiag.exe. Server administration tools are not installed by default when you use Windows PowerShell. You need to specify -IncludeManagementTools to manage the local server, or install Remote Server Administration Tools (https://www.microsoft.com/download/details.aspx?id=28972) to manage a remote server.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

No reboot is required until after the AD DS installation is complete.

You can then run this command to see the available cmdlets in the ADDSDeployment module:

Get-Command -Module ADDSDeployment

To see the list of arguments that can be specified for a cmdlet, and its syntax, run:

Get-Help <cmdlet name>

For example, to see the arguments for creating an unoccupied read-only domain controller (RODC) account, type:

Get-Help Add-ADDSReadOnlyDomainControllerAccount

Optional arguments appear in square brackets.

You can also download the latest Help examples and concepts for Windows PowerShell cmdlets. For more information, see about_Updatable_Help (https://technet.microsoft.com/library/hh847735.aspx).

You can run Windows PowerShell cmdlets against remote servers:

- In Windows PowerShell, use Invoke-Command with the ADDSDeployment cmdlet. For example, to install AD DS on a remote server named ConDC3 in the contoso.com domain, type:

Invoke-Command -ComputerName ConDC3 -ScriptBlock { Install-ADDSDomainController -DomainName contoso.com -Credential (Get-Credential) }

- Or, in Server Manager, create a server group that includes the remote server. Right-click the name of the remote server and click Windows PowerShell.

The next sections explain how to run ADDSDeployment module cmdlets to install AD DS.

- ADDSDeployment cmdlet arguments
- Specifying Windows PowerShell credentials
- Using test cmdlets
- Installing a new forest root domain using Windows PowerShell
- Installing a new child or tree domain using Windows PowerShell
- Installing an additional (replica) domain controller using Windows PowerShell

ADDSDeployment cmdlet arguments

The following list describes the arguments of the ADDSDeployment cmdlets in Windows PowerShell. Arguments that are required are identified as such in their descriptions. Equivalent arguments for dcpromo.exe are listed in parentheses if they are named differently in Windows PowerShell.

Windows PowerShell switches accept $True or $False arguments. Arguments that are $True by default do not need to be specified. To override default values, you can specify the argument with a $False value. For example, because -InstallDns runs automatically for a new forest installation if it is not specified, the only way to prevent DNS installation when you install a new forest is to use:

-InstallDns:$false

Similarly, because -InstallDns has a default value of $False when you install a domain controller in an environment that does not host a Windows Server DNS server, you need to specify the following argument in order to install the DNS server:

-InstallDns:$true

ADPrepCredential <PS Credential>
Required if you are installing the first Windows Server 2012 domain controller in a domain or forest and the credentials of the current user are insufficient to perform the operation. Specifies the account with Enterprise Admins and Schema Admins group membership that can prepare the forest, according to the rules of Get-Credential (https://technet.microsoft.com/library/dd315327.aspx) and a PSCredential object. If no value is specified, the value of the -Credential argument is used.

AllowDomainControllerReinstall
Specifies whether to continue installing this writable domain controller even though another writable domain controller account with the same name is detected. Use $True only if you are sure that the account is not currently used by another writable domain controller. The default is $False. This argument is not valid for an RODC.

AllowDomainReinstall
Specifies whether an existing domain is recreated. The default is $False.

AllowPasswordReplicationAccountName <string[]>
Specifies the names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this RODC. Use an empty string "" if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty. Supply values as a string array, for example:
-AllowPasswordReplicationAccountName "JSmith","JSmithPC","Branch Users"

ApplicationPartitionsToReplicate <string[]>
There is no equivalent option in the UI. If you install using the UI or using IFM, all application partitions are replicated. Specifies the application directory partitions to replicate. This argument applies only when you specify the -InstallationMediaPath argument to install from media (IFM). By default, all application partitions replicate based on their own scopes. Supply values as a string array, for example:
-ApplicationPartitionsToReplicate "partition1","partition2","partition3"

Confirm
Prompts you for confirmation before running the cmdlet.

CreateDnsDelegation
You cannot specify this argument when you run the Add-ADDSReadOnlyDomainControllerAccount cmdlet. Indicates whether to create a DNS delegation that references the new DNS server that you are installing along with the domain controller. Valid for Active Directory-integrated DNS only. Delegation records can be created only on Microsoft DNS servers that are online and accessible. Delegation records cannot be created for domains that are immediately subordinate to top-level domains such as .com, .gov, .biz, .edu, or two-letter country code domains such as .nz and .au. The default is computed automatically based on the environment.

Credential <PS Credential>
Required only if the credentials of the current user are insufficient to perform the operation. Specifies the domain account that can log on to the domain, according to the rules of Get-Credential (https://technet.microsoft.com/library/dd315327.aspx) and a PSCredential object. If no value is specified, the credentials of the current user are used.

CriticalReplicationOnly
Specifies whether the AD DS installation operation performs only critical replication before the reboot and then continues. Noncritical replication happens after the installation finishes and the computer reboots. Using this argument is not recommended. There is no equivalent for this option in the user interface (UI).

DatabasePath <string>
Specifies the fully qualified, non-Universal Naming Convention (UNC) path to a directory on a fixed disk of the local computer that contains the domain database, for example, C:\Windows\NTDS. The default is %SYSTEMROOT%\NTDS. While you can store the AD DS database and log files on a volume formatted with Resilient File System (ReFS), there are no specific benefits to hosting AD DS on ReFS other than the normal resiliency benefits you get for hosting any data on ReFS.

DelegatedAdministratorAccountName <string>
Specifies the name of the user or group that can install and administer the RODC. By default, only members of the Domain Admins group can administer an RODC.

DenyPasswordReplicationAccountName <string[]>
Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC. Use an empty string "" if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins. Supply values as a string array, for example:
-DenyPasswordReplicationAccountName "RegionalAdmins","AdminPCs"

DnsDelegationCredential <PS Credential>
You cannot specify this argument when you run the Add-ADDSReadOnlyDomainControllerAccount cmdlet. Specifies the user name and password for creating the DNS delegation, according to the rules of Get-Credential (https://technet.microsoft.com/library/dd315327.aspx) and a PSCredential object.

DomainMode <DomainMode> {Win2003 | Win2008 | Win2008R2 | Win2012 | Win2012R2}
or DomainMode <DomainMode> {2 | 3 | 4 | 5 | 6}
Specifies the domain functional level during the creation of a new domain. The domain functional level cannot be lower than the forest functional level, but it can be higher. The default value is automatically computed and set to the existing forest functional level or the value that is set for -ForestMode.

DomainName
Required for the Install-ADDSForest and Install-ADDSDomainController cmdlets. Specifies the FQDN of the domain in which you want to install an additional domain controller.

DomainNetbiosName <string>
Required for Install-ADDSForest if the FQDN prefix name is longer than 15 characters. Use with Install-ADDSForest. Assigns a NetBIOS name to the new forest root domain.

DomainType <DomainType> {ChildDomain | TreeDomain} or {child | tree}
Indicates the type of domain to create: a new domain tree in an existing forest, a child of an existing domain, or a new forest. The default DomainType is ChildDomain.

Force
When specified, suppresses any warnings that might normally appear during the installation and addition of the domain controller so that the cmdlet can complete its execution. This is useful when scripting the installation.

ForestMode <ForestMode> {Win2003 | Win2008 | Win2008R2 | Win2012 | Win2012R2}
or ForestMode <ForestMode> {2 | 3 | 4 | 5 | 6}
Specifies the forest functional level when you create a new forest. The default is Win2012.

InstallationMediaPath
Indicates the location of the installation media that will be used to install a new domain controller.

InstallDns
Specifies whether the DNS Server service should be installed and configured on the domain controller. For a new forest, the default is $True and the DNS Server is installed. For a new child domain or domain tree, if the parent domain (or the forest root domain for a tree) already hosts and stores the DNS names for the domain, the default is $True. For a domain controller installation in an existing domain, if this argument is not specified and the current domain already hosts and stores the DNS names for the domain, the default is $True. Otherwise, if the DNS domain name is hosted outside Active Directory, the default is $False and the DNS Server is not installed.

LogPath <string>
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\Logs. The default is %SYSTEMROOT%\NTDS. Do not store Active Directory log files on a data volume formatted with Resilient File System (ReFS).

MoveInfrastructureOperationMasterRoleIfNecessary
Specifies whether to transfer the infrastructure master operations master role (also known as flexible single master operations or FSMO) to the domain controller that you are creating, in case it is currently hosted on a global catalog server and you do not plan to make the new domain controller a global catalog server. Specify this argument to transfer the infrastructure master role to the domain controller that you are creating when the transfer is needed; in that case, specify the NoGlobalCatalog option if you want the infrastructure master role to stay where it is.

NewDomainName <string>
Required only for Install-ADDSDomain. Specifies the single domain name for the new domain. For example, if you want to create a new child domain named emea.corp.fabrikam.com, specify emea as the value of this argument.

NewDomainNetbiosName <string>
Required for Install-ADDSDomain if the FQDN prefix name is longer than 15 characters. Use with Install-ADDSDomain. Assigns a NetBIOS name to the new domain. The default value is derived from the value of -NewDomainName.

NoDnsOnNetwork
Specifies that the DNS service is not available on the network. Use this argument only when the IP settings of the network adapter for this computer have not been configured with the name of a DNS server for name resolution. It indicates that a DNS server will be installed on this computer for name resolution. Otherwise, the IP settings of the network adapter must first be configured with the address of a DNS server. Omitting this argument (the default) means that the TCP/IP client settings of the network adapter on this server computer are used to contact a DNS server. Therefore, if you do not specify this argument, make sure that the TCP/IP client settings are first configured with a preferred DNS server address.

NoGlobalCatalog
Specifies that you do not want the domain controller to be a global catalog server. By default, domain controllers that run Windows Server 2012 are installed with the global catalog.
In other words, the global catalog is installed automatically unless you specify:
-NoGlobalCatalog

NoRebootOnCompletion
Specifies whether to restart the computer when the command completes, regardless of success. By default, the computer restarts. To prevent the server from restarting, specify:
-NoRebootOnCompletion:$True
There is no equivalent for this option in the user interface (UI).

ParentDomainName <string>
Required for the Install-ADDSDomain cmdlet. Specifies the FQDN of the existing parent domain. This argument is used when you install a child domain or a new domain tree. For example, if you want to create a new child domain named emea.corp.fabrikam.com, specify corp.fabrikam.com as the value of this argument.

ReadOnlyReplica
Specifies whether to install a read-only domain controller (RODC).

ReplicationSourceDC <string>
Indicates the FQDN of the partner domain controller from which the domain information is replicated. The default value is computed automatically.

SafeModeAdministratorPassword <SecureString>
Supplies the password for the administrator account when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode. The default is an empty password. You must supply a password. The password must be supplied in System.Security.SecureString format, such as that provided by Read-Host -AsSecureString or ConvertTo-SecureString. The operation of the SafeModeAdministratorPassword argument is special:
- If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.
- If specified with a value, and the cmdlet has no other arguments specified, the cmdlet prompts you to enter a masked password without confirming it. This is not the preferred usage when running the cmdlet interactively.
- If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:
-SafeModeAdministratorPassword (Read-Host -Prompt "Password:" -AsSecureString)
You can also supply a secure string as a converted clear-text variable, although this is strongly discouraged:
-SafeModeAdministratorPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force)

SiteName <string>
Required for the Add-ADDSReadOnlyDomainControllerAccount cmdlet. Specifies the site in which the domain controller will be installed. There is no -SiteName argument when running Install-ADDSForest, because the first site created is Default-First-Site-Name. The site name must already exist when provided as the argument to -SiteName. The cmdlet does not create the site.

SkipAutoConfigureDns
Skips automatic configuration of DNS client settings, forwarders, and root hints. This argument is in effect only if the DNS Server service is already installed or is automatically installed with -InstallDns.

SystemKey <string>
Specifies the system key for the media from which you replicate the data. The default is none. The data must be in the format provided by Read-Host -AsSecureString or ConvertTo-SecureString.

SysvolPath <string>
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, C:\Windows\SYSVOL. The default is %SYSTEMROOT%\SYSVOL. SYSVOL cannot be stored on a data volume formatted with Resilient File System (ReFS).

SkipPreChecks
Does not run the prerequisite checks before starting the installation. Using this setting is not recommended.

WhatIf
Shows what would happen if the cmdlet runs. The cmdlet does not run.

Specifying Windows PowerShell credentials

You can specify credentials without revealing them on screen in clear text by using Get-Credential (https://technet.microsoft.com/library/dd315327.aspx).

The operation of the -SafeModeAdministratorPassword and LocalAdministratorPassword arguments is special:
- If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.
- If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

-SafeModeAdministratorPassword (Read-Host -Prompt "DSRM Password:" -AsSecureString)

Because the previous option does not confirm the password, use extreme caution: the password is not visible.

You can also supply a secure string as a converted clear-text variable, although this is strongly discouraged:

-SafeModeAdministratorPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force)

Supplying or storing a clear-text password is not recommended. Anyone who runs this command in a script or looks over your shoulder knows the DSRM password of that domain controller. With that knowledge, they can impersonate the domain controller itself and elevate their privileges to the highest level in the Active Directory forest.

Using test cmdlets

Each ADDSDeployment cmdlet has a corresponding test cmdlet. The test cmdlets run only the prerequisite checks for the installation operation; no installation settings are configured. The arguments for each test cmdlet are the same as for the corresponding installation cmdlet, but -SkipPreChecks is not available for test cmdlets.

Test-ADDSForestInstallation: Runs the prerequisites for installing a new Active Directory forest.
Test-ADDSDomainInstallation: Runs the prerequisites for installing a new domain in Active Directory.
Test-ADDSDomainControllerInstallation: Runs the prerequisites for installing a domain controller in Active Directory.
Test-ADDSReadOnlyDomainControllerAccountCreation: Runs the prerequisites for adding a read-only domain controller (RODC) account.

Installing a new forest root domain using Windows PowerShell

The command syntax for installing a new forest is as follows. Optional arguments appear in square brackets.

Install-ADDSForest [-SkipPreChecks] -DomainName <string> -SafeModeAdministratorPassword <SecureString> [-CreateDnsDelegation] [-DatabasePath <string>] [-DnsDelegationCredential <PS Credential>] [-NoDnsOnNetwork] [-DomainMode <DomainMode> {Win2003 | Win2008 | Win2008R2 | Win2012}] [-DomainNetbiosName <string>] [-ForestMode <ForestMode> {Win2003 | Win2008 | Win2008R2 | Win2012}] [-InstallDns] [-LogPath <string>] [-NoRebootOnCompletion] [-SkipAutoConfigureDns] [-SysvolPath <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The -DomainNetbiosName argument is required if you want to change the 15-character name that is automatically generated from the DNS domain name prefix, or if the name exceeds 15 characters.

For example, to install a new forest named corp.contoso.com and be securely prompted to provide the DSRM password, type:

Install-ADDSForest -DomainName "corp.contoso.com"

The DNS Server is installed by default when you run Install-ADDSForest.

To install a new forest named corp.contoso.com, create a DNS delegation in the contoso.com domain, set the domain functional level to Windows Server 2008 R2 and the forest functional level to Windows Server 2008, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password, type:

Install-ADDSForest -DomainName corp.contoso.com -CreateDnsDelegation -DomainMode Win2008R2 -ForestMode Win2008 -DatabasePath "d:\NTDS" -SysvolPath "d:\SYSVOL" -LogPath "e:\Logs"

Installing a new child or tree domain using Windows PowerShell

The command syntax for installing a new domain is as follows.
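The following script is an added example and is not code from the original topic. It puts the guidance of the preceding sections together for a scripted forest deployment: the DSRM password is read at the console as a SecureString and confirmed (Read-Host -AsSecureString alone does not confirm it), the target volumes are checked against the ReFS rules stated for -DatabasePath, -LogPath and -SysvolPath, and Test-ADDSForestInstallation must report success before Install-ADDSForest runs with the same arguments. The domain name corp.contoso.com and the D:\ and E:\ paths are constructed values; the Status and Message properties read from the test cmdlet's result object are assumed from the ADDSDeployment result type.

```powershell
# Added example (not from the original topic): scripted new-forest deployment that
# follows the topic's password, ReFS and test-cmdlet guidance.
# Constructed values: corp.contoso.com, D:\NTDS, D:\SYSVOL, E:\Logs.

$DomainName   = 'corp.contoso.com'
$DatabasePath = 'D:\NTDS'
$SysvolPath   = 'D:\SYSVOL'
$LogPath      = 'E:\Logs'

# Topic rules: SYSVOL cannot be on ReFS, log files should not be, the database may be
# (with no specific benefit). All three must be local, non-UNC paths.
function Assert-AddsVolume {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Purpose,
        [switch]$RefsAllowed
    )
    if ($Path -match '^\\\\') {
        throw "$Purpose path '$Path' is a UNC path; ADDSDeployment requires a fixed local disk."
    }
    $drive  = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\').TrimEnd(':')
    $volume = Get-Volume -DriveLetter $drive -ErrorAction Stop
    if ($volume.FileSystem -eq 'ReFS' -and -not $RefsAllowed) {
        throw "$Purpose path '$Path' is on a ReFS volume, which the topic rules out for $Purpose."
    }
}

# Read the DSRM password twice and compare, because -AsSecureString does not confirm.
# The clear-text view exists only transiently for the comparison and is never stored.
function Read-ConfirmedSecureString([string]$Prompt) {
    do {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString
        $match  = (New-Object System.Management.Automation.PSCredential('x', $first)).GetNetworkCredential().Password -ceq
                  (New-Object System.Management.Automation.PSCredential('x', $second)).GetNetworkCredential().Password
        if (-not $match) { Write-Warning 'Passwords did not match; try again.' }
    } until ($match)
    return $first
}

Assert-AddsVolume -Path $DatabasePath -Purpose 'Database' -RefsAllowed
Assert-AddsVolume -Path $LogPath      -Purpose 'Log'
Assert-AddsVolume -Path $SysvolPath   -Purpose 'SYSVOL'

# Role binaries first; no reboot is needed until promotion completes.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

$dsrmPassword = Read-ConfirmedSecureString -Prompt 'DSRM password'

# One argument set, used for both the test and the install so they cannot drift apart.
$forestParams = @{
    DomainName                    = $DomainName
    SafeModeAdministratorPassword = $dsrmPassword
    DomainMode                    = 'Win2012'
    ForestMode                    = 'Win2012'
    DatabasePath                  = $DatabasePath
    SysvolPath                    = $SysvolPath
    LogPath                       = $LogPath
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # a new forest has no parent zone to delegate from
    NoRebootOnCompletion          = $true    # let the operator review output before the restart
    Force                         = $true    # suppress interactive warnings when scripted
}

# Prerequisite checks only; nothing is configured. Stop on anything other than Success.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') {
    Write-Error ($check.Message -join "`n")
    throw 'Forest prerequisite check failed; nothing was installed.'
}

Install-ADDSForest @forestParams
Write-Host 'Promotion finished; restart the server to complete the AD DS installation.'
```

Run the script from an elevated Windows PowerShell session on the server that is to become the forest root domain controller. Because -NoRebootOnCompletion is set, the server does not restart on its own; restart it once the output has been reviewed.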
Optional arguments appear in square brackets.

Install-ADDSDomain [-SkipPreChecks] -NewDomainName <string> -ParentDomainName <string> -SafeModeAdministratorPassword <SecureString> [-ADPrepCredential <PS Credential>] [-AllowDomainReinstall] [-CreateDnsDelegation] [-Credential <PS Credential>] [-DatabasePath <string>] [-DnsDelegationCredential <PS Credential>] [-NoDnsOnNetwork] [-DomainMode <DomainMode> {Win2003 | Win2008 | Win2008R2 | Win2012}] [-DomainType <DomainType> {ChildDomain | TreeDomain}] [-InstallDns] [-LogPath <string>] [-NoGlobalCatalog] [-NewDomainNetbiosName <string>] [-NoRebootOnCompletion] [-ReplicationSourceDC <string>] [-SiteName <string>] [-SkipAutoConfigureDns] [-SystemKey <SecureString>] [-SysvolPath <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The -Credential argument is required only if you are not currently logged on as a member of the Enterprise Admins group.

The -NewDomainNetbiosName argument is required if you want to change the 15-character name that is automatically generated from the DNS domain name prefix, or if the name exceeds 15 characters.

For example, to create a new child domain named child.corp.contoso.com using the credentials of corp\EnterpriseAdmin1, install the DNS Server, create a DNS delegation in the corp.contoso.com domain, set the domain functional level to Windows Server 2003, make the domain controller a global catalog server in a site named Houston, use DC1.corp.contoso.com as the replication source domain controller, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password but not prompted to confirm the command, type:

Install-ADDSDomain -Credential (Get-Credential corp\EnterpriseAdmin1) -NewDomainName child -ParentDomainName corp.contoso.com -InstallDns -CreateDnsDelegation -DomainMode Win2003 -ReplicationSourceDC DC1.corp.contoso.com -SiteName Houston -DatabasePath "d:\NTDS" -SysvolPath "d:\SYSVOL" -LogPath "e:\Logs" -Confirm:$False

Installing an additional (replica) domain controller using Windows PowerShell

The command syntax for installing an additional domain controller is as follows. Optional arguments appear in square brackets.

Install-ADDSDomainController -DomainName <string> [-SkipPreChecks] -SafeModeAdministratorPassword <SecureString> [-ADPrepCredential <PS Credential>] [-AllowDomainControllerReinstall] [-ApplicationPartitionsToReplicate <string[]>] [-CreateDnsDelegation] [-Credential <PS Credential>] [-CriticalReplicationOnly] [-DatabasePath <string>] [-DnsDelegationCredential <PS Credential>] [-NoDnsOnNetwork] [-NoGlobalCatalog] [-InstallationMediaPath <string>] [-InstallDns] [-LogPath <string>] [-MoveInfrastructureOperationMasterRoleIfNecessary] [-NoRebootOnCompletion] [-ReplicationSourceDC <string>] [-SiteName <string>] [-SkipAutoConfigureDns] [-SystemKey <SecureString>] [-SysvolPath <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

To install a domain controller and DNS Server in the corp.contoso.com domain and be prompted to provide domain administrator credentials and the DSRM password, type:

Install-ADDSDomainController -Credential (Get-Credential corp\administrator) -DomainName "corp.contoso.com"

If the computer is already joined to the domain and you are a member of the Domain Admins group, you can use:

Install-ADDSDomainController -DomainName "corp.contoso.com"

To be prompted for the domain name, type:

Install-ADDSDomainController -Credential (Get-Credential) -DomainName (Read-Host "Domain to promote into")

The following command uses the credentials of Contoso\EnterpriseAdmin1 to install a writable domain controller and global catalog server in a site named Boston, install the DNS Server, create a DNS delegation in the contoso.com domain, install from media stored in the c:\ADDS IFM folder, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, have the server restart automatically after the AD DS installation is complete, and prompt for the Directory Services Restore Mode password:

Install-ADDSDomainController -Credential (Get-Credential contoso\EnterpriseAdmin1) -CreateDnsDelegation -DomainName corp.contoso.com -SiteName Boston -InstallationMediaPath "c:\ADDS IFM" -DatabasePath "d:\NTDS" -SysvolPath "d:\SYSVOL" -LogPath "e:\Logs"

Performing a staged RODC installation using Windows PowerShell

The command syntax for creating an RODC account is as follows. Optional arguments appear in square brackets.

Add-ADDSReadOnlyDomainControllerAccount [-SkipPreChecks] -DomainControllerAccountName <string> -DomainName <string> -SiteName <string> [-AllowPasswordReplicationAccountName <string[]>] [-NoGlobalCatalog] [-Credential <PS Credential>] [-DelegatedAdministratorAccountName <string>] [-DenyPasswordReplicationAccountName <string[]>] [-InstallDns] [-ReplicationSourceDC <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The command syntax for attaching a server to an RODC account is as follows. Optional arguments appear in square brackets.

Install-ADDSDomainController -DomainName <string> [-SkipPreChecks] -SafeModeAdministratorPassword <SecureString> [-ADPrepCredential <PS Credential>] [-ApplicationPartitionsToReplicate <string[]>] [-Credential <PS Credential>] [-CriticalReplicationOnly] [-DatabasePath <string>] [-NoDnsOnNetwork] [-InstallationMediaPath <string>] [-InstallDns] [-LogPath <string>] [-MoveInfrastructureOperationMasterRoleIfNecessary] [-NoRebootOnCompletion] [-ReplicationSourceDC <string>] [-SkipAutoConfigureDns] [-SystemKey <SecureString>] [-SysvolPath <string>] [-UseExistingAccount] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

For example, to create an RODC account named RODC1, type:

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com -SiteName Boston -DelegatedAdministratorAccountName PilarA

Then run the following commands on the server that you want to attach to the RODC1 account. The server must not be joined to the domain. First, install the AD DS server role and management tools:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Then run the following command to create the RODC:

Install-ADDSDomainController -DomainName corp.contoso.com -SafeModeAdministratorPassword (Read-Host -Prompt "DSRM Password:" -AsSecureString) -Credential (Get-Credential Corp\PilarA) -UseExistingAccount

Press Y to confirm, or include -Confirm:$false to prevent the confirmation prompt from appearing.

Installing AD DS by using Server Manager

You can install AD DS in Windows Server 2012 by using the Add Roles Wizard in Server Manager, followed by the Active Directory Domain Services Configuration Wizard, which is new beginning in Windows Server 2012. The Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning in Windows Server 2012.

The following sections explain how to create server pools in order to install and manage AD DS on multiple servers, and how to install AD DS by using the wizards.

Creating server pools

Server Manager pools other servers on the network as long as they are accessible from the computer that runs Server Manager. Once pooled, you can choose those servers for remote installation of AD DS or for any other configuration option possible within Server Manager. The computer that runs Server Manager pools itself automatically. For more information about server pools, see Add Servers to Server Manager (https://technet.microsoft.com/library/hh831453.aspx).

In order to manage domain-joined computers by using Server Manager on a workgroup server, or the other way around, additional configuration steps are needed. For more information, see "Add and manage servers in workgroups" in Add Servers to Server Manager (https://technet.microsoft.com/library/hh831453.aspx).

Installing AD DS

Administrative credentials

The credential requirements to install AD DS vary depending on the deployment configuration you choose. For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.

Use the following procedure to install AD DS by using the GUI method. The steps can be performed locally or remotely. For more detailed explanations of these steps, see the following topics:

- Deploying a Forest with Server Manager
- Upgrade Existing AD DS Forests and Add Writable Replica Domain Controllers
- Create Child and Tree Domains
- Stage and Attach RODCs, Create RODCs without Staging

To install AD DS by using Server Manager
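The following script is an added example, not code from the original topic. It carries the staged RODC procedure above through its three locations: at the hub, a Domain Admin pre-creates the RODC account with an explicit password replication policy and a delegated administrator, after Test-ADDSReadOnlyDomainControllerAccountCreation passes; at the branch, the delegated account attaches a workgroup server with -UseExistingAccount; back at the hub, the resulting policy and the credentials the RODC has actually cached are reviewed. The values corp.contoso.com, Boston, RODC1, PilarA and the group names are constructed. The Status and Message properties of the test result object, and the ActiveDirectory module cmdlets used in the verification step, are assumed to be available as documented for Windows Server 2012.

```powershell
# Added example (not from the original topic): staged RODC deployment in three phases.
#   Stage  : hub, run as Domain Admin, pre-creates the RODC account and its PRP.
#   Attach : branch, run as the delegated admin on a server that is NOT domain-joined.
#   Verify : hub, inspects the PRP and the accounts whose passwords the RODC holds.
# Constructed values: corp.contoso.com, Boston, RODC1, PilarA, Branch Users, Branch Workstations, RegionalAdmins, AdminPCs.
param(
    [Parameter(Mandatory)][ValidateSet('Stage', 'Attach', 'Verify')][string]$Phase
)

$Rodc = @{
    DomainControllerAccountName = 'RODC1'
    DomainName                  = 'corp.contoso.com'
    SiteName                    = 'Boston'
}

function New-StagedRodcAccount {
    $params = $Rodc + @{
        DelegatedAdministratorAccountName   = 'PilarA'
        # Allow only what the branch needs; the delegated admin is a Domain user, not a Domain Admin.
        AllowPasswordReplicationAccountName = @('Branch Users', 'Branch Workstations')
        # The built-in Denied RODC Password Replication Group already covers Domain Admins,
        # Enterprise Admins, Schema Admins, krbtgt and the operator groups; add regional admins on top.
        DenyPasswordReplicationAccountName  = @('RegionalAdmins', 'AdminPCs')
        InstallDns                          = $true   # branch users need name resolution when the WAN is down
        Force                               = $true
    }
    $check = Test-ADDSReadOnlyDomainControllerAccountCreation @params
    if ($check.Status -ne 'Success') {
        throw "RODC account pre-check failed: $($check.Message -join ' ')"
    }
    Add-ADDSReadOnlyDomainControllerAccount @params
}

function Join-StagedRodc {
    # The topic requires a server that is not joined to the domain for this step.
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        throw 'This server is domain-joined; attaching to a staged RODC account requires a workgroup server.'
    }
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Install-ADDSDomainController -DomainName $Rodc.DomainName `
        -SafeModeAdministratorPassword (Read-Host -Prompt 'DSRM Password:' -AsSecureString) `
        -Credential (Get-Credential -UserName 'corp\PilarA' -Message 'Delegated RODC administrator') `
        -UseExistingAccount -Confirm:$false
}

function Test-RodcPasswordPolicy {
    # Run on a writable DC or an RSAT workstation. Reports the effective PRP and flags any
    # cached account that belongs to a group the topic lists as denied by default.
    Import-Module ActiveDirectory
    $name    = $Rodc.DomainControllerAccountName
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $name -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $name -Denied
    $cached  = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $name -RevealedAccounts

    $sensitive = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators',
                 'Server Operators', 'Backup Operators', 'Administrators'
    $flagged = foreach ($account in $cached) {
        if ($account.SamAccountName -eq 'krbtgt') { $account; continue }
        $groups = Get-ADPrincipalGroupMembership -Identity $account | Select-Object -ExpandProperty Name
        if (@($groups | Where-Object { $sensitive -contains $_ }).Count -gt 0) { $account }
    }
    [pscustomobject]@{
        Allowed          = @($allowed | Select-Object -ExpandProperty Name)
        Denied           = @($denied  | Select-Object -ExpandProperty Name)
        CachedCount      = @($cached).Count
        PrivilegedCached = @($flagged | Select-Object -ExpandProperty SamAccountName)
    }
}

switch ($Phase) {
    'Stage'  { New-StagedRodcAccount }
    'Attach' { Join-StagedRodc }
    'Verify' { Test-RodcPasswordPolicy }
}
```

Run `.\Stage-Rodc.ps1 -Phase Stage` at the hub, `-Phase Attach` on the branch server, and `-Phase Verify` from the hub once the RODC has replicated. A non-empty PrivilegedCached list means a privileged credential has been cached on the branch server despite the policy and should be investigated.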
1. In Server Manager, click Manage, and then click Add Roles and Features to start the Add Roles Wizard.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
4. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS, and then click Next. To select remote servers, first create a server pool and add the remote servers to it. For more information about creating server pools, see Add Servers to Server Manager (https://technet.microsoft.com/library/hh831453.aspx).
5. On the Select server roles page, click Active Directory Domain Services, then on the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
6. On the Select features page, select any additional features that you want to install, and then click Next.
7. On the Active Directory Domain Services page, review the information, and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Results page, verify that the installation succeeded, and then click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard. If you close the Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking Tasks in Server Manager.
10. On the Deployment Configuration page, choose one of the following options:
   - If you are installing an additional domain controller in an existing domain, click Add a domain controller to an existing domain, type the name of the domain (for example, emea.corp.contoso.com) or click Select... to choose the domain and credentials (for example, specify an account that is a member of the Domain Admins group), and then click Next. By default, the domain name and the current user credentials are supplied only when the computer is domain-joined and you are performing a local installation. If you are installing AD DS on a remote server, you need to specify the credentials by design. If the current user credentials are not sufficient to perform the installation, click Change... to specify different credentials. For more information, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).
   - If you are installing a new child domain, click Add a new domain to an existing forest, for Select domain type select Child Domain, type or browse to the DNS name of the parent domain (for example, corp.contoso.com), type the relative name of the new child domain (for example, emea), type the credentials to use to create the new domain, and then click Next. For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).
   - If you are installing a new domain tree, click Add a new domain to an existing forest, for Select domain type select Tree Domain, type the name of the root domain (for example, corp.contoso.com), type the DNS name of the new domain (for example, fabrikam.com), type the credentials to use to create the new domain, and then click Next. For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).
   - If you are installing a new forest, click Add a new forest, and then type the name of the root domain (for example, corp.contoso.com). For more information, see Install a New Windows Server 2012 Active Directory Forest (Level 200).
11. On the Domain Controller Options page, choose one of the following options:
   - If you are creating a new forest or domain, select the domain and forest functional levels, click Domain Name System (DNS) server, specify the DSRM password, and then click Next.
   - If you are adding a domain controller to an existing domain, click Domain Name System (DNS) server, Global Catalog (GC), or Read-only domain controller (RODC) as needed, select the site name, type the DSRM password, and then click Next.
   For more information about which options on this page are available or not available under different conditions, see Domain Controller Options.
12. On the DNS Options page (which appears only if you install a DNS server), click Update DNS delegation if needed. If you do, provide credentials that have permission to create DNS delegation records in the parent DNS zone. If a DNS server that hosts the parent zone cannot be contacted, the Update DNS delegation option is not available. For more information about whether you need to update the DNS delegation, see Understanding Zone Delegation (https://technet.microsoft.com/library/cc771640.aspx). If you try to update the DNS delegation and encounter an error, see DNS Options.
13. On the RODC Options page (which appears only if you install an RODC), specify the name of the group or user who will manage the RODC, add accounts to or remove accounts from the Allowed or Denied password replication groups, and then click Next. For more information, see Password Replication Policy (https://technet.microsoft.com/library/cc730883(v=ws.10)).
14. On the Additional Options page, choose one of the following options:
   - If you are creating a new domain, type a new NetBIOS name or verify the default NetBIOS name of the domain, and then click Next.
   - If you are adding a domain controller to an existing domain, select the domain controller from which you want to replicate the AD DS installation data (or allow the wizard to select any domain controller). If you are installing from media, click Install from media path, type and verify the path to the installation source files, and then click Next. You cannot use install from media (IFM) to install the first domain controller in a domain. IFM does not work across different operating system versions. In other words, to install an additional domain controller that runs Windows Server 2012 by using IFM, you must create the backup media on a Windows Server 2012 domain controller. For more information about IFM, see Installing an Additional Domain Controller by Using IFM (https://technet.microsoft.com/library/cc816722(WS.10).aspx).
15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept the default locations), and then click Next. Do not store the Active Directory database, log files, or SYSVOL folder on a data volume formatted with Resilient File System (ReFS).
16. On the Preparation Options page, type credentials that are sufficient to run adprep. For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.
17. On the Review Options page, confirm your selections, click View script if you want to export the settings to a Windows PowerShell script, and then click Next.
18. On the Prerequisites Check page, confirm that the prerequisite validation completed, and then click Install.
19. On the Results page, verify that the server was successfully configured as a domain controller. The server restarts automatically to complete the AD DS installation.

Performing a staged RODC installation using the graphical user interface

A staged RODC installation allows you to create an RODC in two steps. In the first step, a member of the Domain Admins group creates the RODC account. In the second step, a server is attached to the RODC account. The second step can be completed by a member of the Domain Admins group or by a delegated domain user or group.

To create an RODC account by using the Active Directory administration tools

You can create the RODC account by using Active Directory Administrative Center or Active Directory Users and Computers. To open the wizard, do one of the following:

- In Active Directory Administrative Center: click Start, click Administrative Tools, and then click Active Directory Administrative Center. In the navigation pane (left pane), click the name of the domain. In the management list (center pane), click the Domain Controllers OU. In the Tasks pane (right pane), click Pre-create a Read-only domain controller account.
- In Active Directory Users and Computers: click Start, click Administrative Tools, and then click Active Directory Users and Computers. Right-click the Domain Controllers organizational unit (OU), or click the Domain Controllers OU and then click Action. Click Pre-create Read-only Domain Controller account.

Then complete the wizard:

1. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default Password Replication Policy (PRP), select Use advanced mode installation, and then click Next.
2. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
3. On the Specify the Computer Name page, type the computer name of the server that will be the RODC.
4. On the Select a Site page, select a site from the list, or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.
5. On the Additional Domain Controller Options page, make the following selections, and then click Next:
   - DNS server: This option is selected by default so that the domain controller can function as a Domain Name System (DNS) server. If you do not want the domain controller to be a DNS server, clear this option. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the wide area network (WAN) to the hub site is offline.
   - Global catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.
   - Read-only domain controller: When you create an RODC account, this option is selected by default and cannot be cleared.
6. If you selected the Use advanced mode installation check box on the Welcome page, the Specify the Password Replication Policy page appears. By default, no account passwords are replicated to the RODC, and security-sensitive accounts (such as members of the Domain Admins group) are explicitly denied from ever having their passwords replicated to the RODC. To add other accounts to the policy, click Add, then click Allow passwords for the account to replicate to this RODC or click Deny passwords for the account from replicating to this RODC, and then select the accounts. When you are finished (or to accept the default settings), click Next.
7. On the Delegation of RODC Installation and Administration page, type the name of the user or group who will attach the server to the RODC account that you are creating. You can type the name of only one security principal. To search the directory for a specific user or group, click Set. In Select User, Computer, or Group, type the name of the user or group. We recommend that you delegate RODC installation and administration to a group. After the installation, this user or group will also have local administrative rights on the RODC. If you do not specify a user or group, only members of the Domain Admins group or the Enterprise Admins group can attach the server to the account. When you are finished, click Next.
8. On the Summary page, review your selections. If necessary, click Back to change any selections. To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for the answer file, and then click Save. When you are sure that your selections are correct, click Next to create the RODC account.
9. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

After you create the RODC account, you can attach a server to the account to complete the RODC installation. This second step can be completed in the branch office where the RODC will be located. The server on which you perform this procedure must not be joined to the domain. Beginning in Windows Server 2012, you use the Add Roles Wizard in Server Manager to attach a server to an RODC account.

To attach a server to an RODC account by using Server Manager

1. Log on as the local administrator.
2. In Server Manager, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
5. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS, and then click Next.
6. On the Select server roles page, click Active Directory Domain Services, click Add Features, and then click Next.
7. On the Select features page, select any additional features that you want to install, and then click Next.
8. On the Active Directory Domain Services page, review the information, and then click Next.
9. On the Confirm installation selections page, click Install.
10. On the Results page, verify that the installation succeeded, and then click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard. If you close the Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking Tasks in Server Manager.
11. On the Deployment Configuration page, click Add a domain controller to an existing domain, type the name of the domain (for example, emea.contoso.com) and the credentials (for example, specify an account that is delegated to manage and install the RODC), and then click Next.
12. On the Domain Controller Options page, click Use existing RODC account, type and confirm the Directory Services Restore Mode password, and then click Next.
13. On the Additional Options page, if you are installing from media, click Install from media path, type and verify the path to the installation source files, select the domain controller from which you want to replicate the AD DS installation data (or allow the wizard to select any domain controller), and then click Next.
14. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept the default locations), and then click Next.
15. On the Review Options page, confirm your selections, click View script to export the settings to a Windows PowerShell script, and then click Next.
16. On the Prerequisites Check page, confirm that the prerequisite validation completed, and then click Install.
17. To complete the AD DS installation, the server restarts automatically.

See also

- Troubleshooting Domain Controller Deployment
- Install a New Windows Server 2012 Active Directory Forest (Level 200)
- Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
- Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)

<_caps3a_sxssource locale="en-US">
Assigns a NetBIOS name to the new forest root domain.DomainType <DomainType> {ChildDomain | TreeDomain} or {child | tree}Indicates the type of domain that you want to create: a new domain tree in an existing forest, a child of an existing domain, or a new forest.The default for DomainType is ChildDomain.ForceWhen this parameter is specified any warnings that might normally appear during the installation and addition of the domain controller will be suppressed to allow the cmdlet to complete its execution. This parameter can be useful to include when scripting installation.ForestMode <ForestMode> {Win2003 | Win2008 | Win2008R2 | Win2012 | Win2012R2}OrForestMode <ForestMode> {2 | 3 | 4 | 5 | 6}Specifies the forest functional level when you create a new forest.The default value is Win2012.InstallationMediaPathIndicates the location of the installation media that will be used to install a new domain controller.InstallDnsSpecifies whether the DNS Server service should be installed and configured on the domain controller.For a new forest, the default is $True and DNS Server is installed.For a new child domain or domain tree, if the parent domain (or forest root domain for a domain tree) already hosts and stores the DNS names for the domain, then the default for this parameter is $True.For a domain controller installation in an existing domain, if this parameter is left unspecified and the current domain already hosts and stores the DNS names for the domain, then the default for this parameter is $True. 
Otherwise, if DNS domain names are hosted outside of Active Directory, the default is $False and no DNS Server is installed.LogPath <string>Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\Logs.The default is %SYSTEMROOT%\NTDS.Do not store the Active Directory log files on a data volume formatted with Resilient File System (ReFS).MoveInfrastructureOperationMasterRoleIfNecessarySpecifies whether to transfer the infrastructure master operations master role (also known as flexible single master operations or FSMO) to the domain controller that you are creating—in case it is currently hosted on a global catalog server—and you do not plan to make the domain controller that you are creating a global catalog server. Specify this parameter to transfer the infrastructure master role to the domain controller that you are creating in case the transfer is needed; in this case, specify the NoGlobalCatalog option if you want the infrastructure master role to remain where it currently is.NewDomainName <string>Required only for Install-ADDSDomain.Specifies the single domain name for the new domain.For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify emea as the value of this argument.NewDomainNetbiosName <string>Required for Install-ADDSDomain if FQDN prefix name is longer than 15 characters.Use with Install-ADDSDomain. Assigns a NetBIOS name to the new domain. The default value is derived from the value of –NewDomainName.NoDnsOnNetworkSpecifies that DNS service is not available on the network. This parameter is used only when the IP setting of the network adapter for this computer is not configured with the name of a DNS server for name resolution. It indicates that a DNS server will be installed on this computer for name resolution. 
Otherwise, the IP settings of the network adapter must first be configured with the address of a DNS server.Omitting this parameter (the default) indicates that the TCP/IP client settings of the network adapter on this server computer will be used to contact a DNS server. Therefore, if you are not specifying this parameter, ensure that TCP/IP client settings are first configured with a preferred DNS server address.NoGlobalCatalogSpecifies that you do not want the domain controller to be a global catalog server.Domain controllers that run Windows Server 2012 are installed with the global catalog by default. In other words, this runs automatically without computation, unless you specify:-NoGlobalCatalogNoRebootOnCompletionSpecifies whether to restart the computer upon completion of the command, regardless of success. By default, the computer will restart. To prevent the server from restarting, specify:-NoRebootOnCompletion:$TrueThere is no equivalent for this option in the user interface (UI).ParentDomainName <string>Required for Install-ADDSDomain cmdletSpecifies the FQDN of an existing parent domain. You use this argument when you install a child domain or new domain tree.For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify corp.fabrikam.com as the value of this argument.ReadOnlyReplicaSpecifies whether to install a read-only domain controller (RODC).ReplicationSourceDC <string>Indicates the FQDN of the partner domain controller from which you replicate the domain information. The default is automatically computed.SafeModeAdministratorPassword <securestring>Supplies the password for the administrator account when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode.The default is an empty password. You must supply a password. 
The password must be supplied in a System.Security.SecureString format, such as that provided by read-host -assecurestring or ConvertTo-SecureString.The SafeModeAdministratorPassword argument's operation is special:If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.If specified without a value, and there are no other arguments specified to the cmdlet, the cmdlet prompts you to enter a masked password without confirmation. This is not the preferred usage when running the cmdlet interactively.If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:-safemodeadministratorpassword (read-host -prompt "Password:" -assecurestring)You can also provide a secure string as a converted clear-text variable, although this is highly discouraged. -safemodeadministratorpassword (convertto-securestring "Password1" -asplaintext -force)SiteName <string>Required for the Add-addsreadonlydomaincontrolleraccount cmdletSpecifies the site where the domain controller will be installed. There is no –sitename argument when you run Install-ADDSForest because the first site created is Default-First-Site-Name.The site name must already exist when provided as an argument to -sitename. The cmdlet will not create the site.SkipAutoConfigureDNSSkips automatic configuration of DNS client settings, forwarders, and root hints. 
This argument is in effect only if the DNS Server service is already installed or automatically installed with -InstallDNS.SystemKey <string>Specifies the system key for the media from which you replicate the data.The default is none.Data must be in format provided by read-host -assecurestring or ConvertTo-SecureString.SysvolPath <string>Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, C:\Windows\SYSVOL.The default is %SYSTEMROOT%\SYSVOL.SYSVOL cannot be stored on a data volume formatted with Resilient File System (ReFS).SkipPreChecksDoes not run the prerequisite checks before starting installation. It is not advisable to use this setting.WhatIfShows what would happen if the cmdlet runs. The cmdlet is not run.Specifying Windows PowerShell CredentialsYou can specify credentials without revealing them in plain text on screen by using Get-credentialhttps://technet.microsoft.com/library/dd315327.aspx.The operation for the -SafeModeAdministratorPassword and LocalAdministratorPassword arguments is special:If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string-safemodeadministratorpassword (read-host -prompt "DSRM Password:" -assecurestring)As the previous option does not confirm the password, use extreme caution: the password is not visible.You can also provide a secure string as a converted clear-text variable, although this is highly discouraged:-safemodeadministratorpassword (convertto-securestring "Password1" -asplaintext -force)Providing or storing a clear text password is not recommended. 
Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. With that knowledge, they can impersonate the domain controller itself and elevate their privilege to the highest level in an Active Directory forest.

Using test cmdlets

Each ADDSDeployment cmdlet has a corresponding test cmdlet. The test cmdlets run only the prerequisite checks for the installation operation; no installation settings are configured. The arguments for each test cmdlet are the same as for the corresponding installation cmdlet, but -SkipPreChecks is not available for test cmdlets.

Test-ADDSForestInstallation
Runs the prerequisites for installing a new Active Directory forest.

Test-ADDSDomainInstallation
Runs the prerequisites for installing a new domain in Active Directory.

Test-ADDSDomainControllerInstallation
Runs the prerequisites for installing a domain controller in Active Directory.

Test-ADDSReadOnlyDomainControllerAccountCreation
Runs the prerequisites for adding a read-only domain controller (RODC) account.

Installing a new forest root domain using Windows PowerShell

The command syntax for installing a new forest is as follows.
Optional arguments appear within square brackets.

Install-ADDSForest [-SkipPreChecks] -DomainName <string> -SafeModeAdministratorPassword <SecureString> [-CreateDNSDelegation] [-DatabasePath <string>] [-DNSDelegationCredential <PS Credential>] [-NoDNSOnNetwork] [-DomainMode <DomainMode> {Win2003 | Win2008 | Win2008R2 | Win2012}] [-DomainNetBIOSName <string>] [-ForestMode <ForestMode> {Win2003 | Win2008 | Win2008R2 | Win2012}] [-InstallDNS] [-LogPath <string>] [-NoRebootOnCompletion] [-SkipAutoConfigureDNS] [-SYSVOLPath <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The -DomainNetBIOSName argument is required if you want to change the 15-character name that is automatically generated based on the DNS domain name prefix or if the name exceeds 15 characters.

For example, to install a new forest named corp.contoso.com and be securely prompted to provide the DSRM password, type:

Install-ADDSForest -DomainName "corp.contoso.com"

DNS server is installed by default when you run Install-ADDSForest.

To install a new forest named corp.contoso.com, create a DNS delegation in the contoso.com domain, set the domain functional level to Windows Server 2008 R2 and the forest functional level to Windows Server 2008, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password, type:

Install-ADDSForest -DomainName corp.contoso.com -CreateDNSDelegation -DomainMode Win2008R2 -ForestMode Win2008 -DatabasePath "d:\NTDS" -SYSVOLPath "d:\SYSVOL" -LogPath "e:\Logs"

Installing a new child or tree domain using Windows PowerShell

The command syntax for installing a new domain is as follows.
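The following script is an added example, not code from the original page. It applies the credential guidance above to Install-ADDSForest: the DSRM password is prompted for twice with Read-Host -AsSecureString (which, as noted, does not confirm on its own), Test-ADDSForestInstallation is run with the same splatted arguments, and promotion happens only if that check passes. The function names Read-ConfirmedSecureString and Install-CheckedForest are hypothetical, corp.contoso.com and the D:\ and E:\ paths follow the page's own examples, and the Status and Message properties read from the result object are assumed to be those reported by the ADDSDeployment cmdlets.

```powershell
# Added example (not from the original page): guarded forest installation with a
# confirmed DSRM password and a prerequisite check before promotion.
# Assumptions: Read-ConfirmedSecureString / Install-CheckedForest are hypothetical names;
# corp.contoso.com, D:\NTDS, D:\SYSVOL and E:\Logs are sample values from the page;
# the Status/Message properties on the result object are assumed.

function Read-ConfirmedSecureString {
    param([string]$Prompt = 'DSRM Password')
    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString
        # Read-Host -AsSecureString does not confirm, so compare the two entries here.
        # The comparison needs clear-text copies; they stay local to this function, are
        # cleared before it returns, and the caller only ever receives the SecureString.
        $a = (New-Object System.Net.NetworkCredential -ArgumentList '', $first).Password
        $b = (New-Object System.Net.NetworkCredential -ArgumentList '', $second).Password
        $ok = ($a.Length -gt 0) -and ($a -ceq $b)
        $a = $b = $null
        if ($ok) { return $first }
        Write-Warning 'Passwords were empty or did not match; try again.'
    }
}

function Install-CheckedForest {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [string]$DatabasePath = 'D:\NTDS',
        [string]$SysvolPath   = 'D:\SYSVOL',
        [string]$LogPath      = 'E:\Logs',
        [string]$DomainMode   = 'Win2012',
        [string]$ForestMode   = 'Win2012'
    )
    # The role and its management tools must be present before the ADDSDeployment
    # cmdlets are available; no reboot is needed at this point.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    $dsrm = Read-ConfirmedSecureString

    # One splatted argument set for the test cmdlet and the installer, so the check
    # exercises exactly what will be deployed (-SkipPreChecks is deliberately absent).
    $params = @{
        DomainName                    = $DomainName
        SafeModeAdministratorPassword = $dsrm
        DatabasePath                  = $DatabasePath
        SysvolPath                    = $SysvolPath
        LogPath                       = $LogPath
        DomainMode                    = $DomainMode
        ForestMode                    = $ForestMode
        InstallDns                    = $true
        Force                         = $true
    }

    $check = Test-ADDSForestInstallation @params
    if ($check.Status -ne 'Success') {
        Write-Error ("Prerequisite check failed:`n" + ($check.Message -join "`n"))
        return $check
    }

    # Promote only after every prerequisite passed; the server restarts when finished.
    Install-ADDSForest @params
}

# Example call, commented out so that dot-sourcing this file never promotes by accident:
# Install-CheckedForest -DomainName corp.contoso.com -DomainMode Win2008R2 -ForestMode Win2008
```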
Optional arguments appear within square brackets.

Install-ADDSDomain [-SkipPreChecks] -NewDomainName <string> -ParentDomainName <string> -SafeModeAdministratorPassword <SecureString> [-ADPrepCredential <PS Credential>] [-AllowDomainReinstall] [-CreateDNSDelegation] [-Credential <PS Credential>] [-DatabasePath <string>] [-DNSDelegationCredential <PS Credential>] [-NoDNSOnNetwork] [-DomainMode <DomainMode> {Win2003 | Win2008 | Win2008R2 | Win2012}] [-DomainType <DomainType> {ChildDomain | TreeDomain}] [-InstallDNS] [-LogPath <string>] [-NoGlobalCatalog] [-NewDomainNetBIOSName <string>] [-NoRebootOnCompletion] [-ReplicationSourceDC <string>] [-SiteName <string>] [-SkipAutoConfigureDNS] [-SystemKey <SecureString>] [-SYSVOLPath <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The -Credential argument is only required when you are not currently logged on as a member of the Enterprise Admins group.

The -NewDomainNetBIOSName argument is required if you want to change the automatically generated 15-character name based on the DNS domain name prefix or if the name exceeds 15 characters.

For example, to use the credentials of corp\EnterpriseAdmin1 to create a new child domain named child.corp.contoso.com, install DNS server, create a DNS delegation in the corp.contoso.com domain, set the domain functional level to Windows Server 2003, make the domain controller a global catalog server in a site named Houston, use DC1.corp.contoso.com as the replication source domain controller, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password but not prompted to confirm the command, type:

Install-ADDSDomain -Credential (Get-Credential corp\EnterpriseAdmin1) -NewDomainName child -ParentDomainName corp.contoso.com -InstallDNS -CreateDNSDelegation -DomainMode Win2003 -ReplicationSourceDC DC1.corp.contoso.com -SiteName Houston -DatabasePath "d:\NTDS" -SYSVOLPath "d:\SYSVOL" -LogPath "e:\Logs" -Confirm:$False

Because -SafeModeAdministratorPassword is omitted, the cmdlet prompts you to enter and confirm the DSRM password.

Installing an additional (replica) domain controller using Windows PowerShell

The command syntax for installing an additional domain controller is as follows. Optional arguments appear within square brackets.

Install-ADDSDomainController -DomainName <string> [-SkipPreChecks] -SafeModeAdministratorPassword <SecureString> [-ADPrepCredential <PS Credential>] [-AllowDomainControllerReinstall] [-ApplicationPartitionsToReplicate <string[]>] [-CreateDNSDelegation] [-Credential <PS Credential>] [-CriticalReplicationOnly] [-DatabasePath <string>] [-DNSDelegationCredential <PS Credential>] [-NoDNSOnNetwork] [-NoGlobalCatalog] [-InstallationMediaPath <string>] [-InstallDNS] [-LogPath <string>] [-MoveInfrastructureOperationMasterRoleIfNecessary] [-NoRebootOnCompletion] [-ReplicationSourceDC <string>] [-SiteName <string>] [-SkipAutoConfigureDNS] [-SystemKey <SecureString>] [-SYSVOLPath <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

To install a domain controller and DNS server in the corp.contoso.com domain and be prompted to supply the domain Administrator credentials and the DSRM password, type:

Install-ADDSDomainController -Credential (Get-Credential corp\administrator) -DomainName "corp.contoso.com"

If the computer is already domain joined and you are a member of the Domain Admins group, you can use:

Install-ADDSDomainController -DomainName "corp.contoso.com"

To be prompted for the domain name, type:

Install-ADDSDomainController -Credential (Get-Credential) -DomainName (Read-Host "Domain to promote into")

The following command will use the credentials of Contoso\EnterpriseAdmin1 to install a writable domain controller and a global catalog server in a site named Boston, install DNS server, create a DNS delegation in the contoso.com domain, install from media that is stored in the c:\ADDS IFM folder, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive,
have the server automatically restart after AD DS installation is complete, and be prompted to provide the Directory Services Restore Mode password:

Install-ADDSDomainController -Credential (Get-Credential contoso\EnterpriseAdmin1) -CreateDNSDelegation -DomainName corp.contoso.com -SiteName Boston -InstallationMediaPath "c:\ADDS IFM" -DatabasePath "d:\NTDS" -SYSVOLPath "d:\SYSVOL" -LogPath "e:\Logs"

Performing a staged RODC installation using Windows PowerShell

The command syntax to create an RODC account is as follows. Optional arguments appear within square brackets.

Add-ADDSReadOnlyDomainControllerAccount [-SkipPreChecks] -DomainControllerAccountName <string> -DomainName <string> -SiteName <string> [-AllowPasswordReplicationAccountName <string[]>] [-NoGlobalCatalog] [-Credential <PS Credential>] [-DelegatedAdministratorAccountName <string>] [-DenyPasswordReplicationAccountName <string[]>] [-InstallDNS] [-ReplicationSourceDC <string>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The command syntax to attach a server to an RODC account is as follows. Optional arguments appear within square brackets.

Install-ADDSDomainController -DomainName <string> [-SkipPreChecks] -SafeModeAdministratorPassword <SecureString> [-ADPrepCredential <PS Credential>] [-ApplicationPartitionsToReplicate <string[]>] [-Credential <PS Credential>] [-CriticalReplicationOnly] [-DatabasePath <string>] [-NoDNSOnNetwork] [-InstallationMediaPath <string>] [-InstallDNS] [-LogPath <string>] [-MoveInfrastructureOperationMasterRoleIfNecessary] [-NoRebootOnCompletion] [-ReplicationSourceDC <string>] [-SkipAutoConfigureDNS] [-SystemKey <SecureString>] [-SYSVOLPath <string>] [-UseExistingAccount] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

For example, to create an RODC account named RODC1:

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com -SiteName Boston -DelegatedAdministratorAccountName PilarA

Then run the following commands on the server that you want to attach to the RODC1 account. The server cannot be joined to the domain. First, install the AD DS server role and management tools:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Then run the following command to create the RODC:

Install-ADDSDomainController -DomainName corp.contoso.com -SafeModeAdministratorPassword (Read-Host -Prompt "DSRM Password:" -AsSecureString) -Credential (Get-Credential Corp\PilarA) -UseExistingAccount

Press Y to confirm, or include -Confirm:$False to prevent the confirmation prompt.

Installing AD DS by using Server Manager

AD DS can be installed in Windows Server 2012 by using the Add Roles Wizard in Server Manager, followed by the Active Directory Domain Services Configuration Wizard, which is new beginning in Windows Server 2012.
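The two-stage RODC deployment just described, written as an added example script rather than the page's own commands: stage one (run with Domain Admins credentials on a domain-joined machine) pre-creates the account with an explicit allow and deny password replication list and a delegated administrator group, after running the matching Test- cmdlet; stage two (run on the workgroup branch server whose name matches the account) installs the role and attaches with -UseExistingAccount under the delegated account. The function names New-StagedRodcAccount and Join-StagedRodc are hypothetical; RODC1, Boston, corp.contoso.com and CORP\PilarA follow the page's example, the group names are constructed samples, and the Status and Message properties on the result objects are assumed.

```powershell
# Added example (not from the original page): staged RODC deployment as two functions.
# Stage 1 runs under Domain Admins credentials; stage 2 runs on the not-yet-joined branch
# server under the delegated account. RODC1, Boston, corp.contoso.com and CORP\PilarA are
# sample values from the page; 'Boston RODC Admins', 'Branch Users' and 'RegionalAdmins'
# are constructed samples; Status/Message on the result objects are assumed.

function New-StagedRodcAccount {
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,     # e.g. RODC1
        [Parameter(Mandatory = $true)][string]$DomainName,      # e.g. corp.contoso.com
        [Parameter(Mandatory = $true)][string]$SiteName,        # must already exist
        [Parameter(Mandatory = $true)][string]$DelegatedAdmin,  # a group is preferable to a user
        [string[]]$AllowedAccounts = @(),   # branch users/computers whose secrets may be cached
        [string[]]$DeniedAccounts  = @()    # extra principals on top of the built-in denied set
    )
    Import-Module ADDSDeployment
    $params = @{
        DomainControllerAccountName       = $AccountName
        DomainName                        = $DomainName
        SiteName                          = $SiteName
        DelegatedAdministratorAccountName = $DelegatedAdmin
        InstallDns                        = $true
    }
    # Only pass the PRP lists when given, so the documented defaults apply otherwise.
    if ($AllowedAccounts) { $params.AllowPasswordReplicationAccountName = $AllowedAccounts }
    if ($DeniedAccounts)  { $params.DenyPasswordReplicationAccountName  = $DeniedAccounts }

    # Prerequisite check with the same arguments; nothing is written to the directory.
    $check = Test-ADDSReadOnlyDomainControllerAccountCreation @params
    if ($check.Status -ne 'Success') {
        throw "RODC account pre-check failed: $($check.Message)"
    }
    Add-ADDSReadOnlyDomainControllerAccount @params -Confirm:$false
}

function Join-StagedRodc {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][pscredential]$Credential  # the delegated admin
    )
    # Stage 2 must run on a workgroup server whose name matches the pre-created account.
    if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
        throw 'This server is already domain-joined; attach a workgroup server instead.'
    }
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # Read-Host -AsSecureString masks the DSRM password but does not confirm it.
    $dsrm = Read-Host -Prompt 'DSRM Password' -AsSecureString
    $params = @{
        DomainName                    = $DomainName
        Credential                    = $Credential
        SafeModeAdministratorPassword = $dsrm
        UseExistingAccount            = $true
    }
    $check = Test-ADDSDomainControllerInstallation @params
    if ($check.Status -ne 'Success') {
        throw "RODC attach pre-check failed: $($check.Message)"
    }
    # The server restarts automatically once the RODC is attached.
    Install-ADDSDomainController @params -Confirm:$false
}

# Stage 1 (Domain Admin, on a domain-joined machine):
# New-StagedRodcAccount -AccountName RODC1 -DomainName corp.contoso.com -SiteName Boston `
#     -DelegatedAdmin 'Boston RODC Admins' -AllowedAccounts 'Branch Users' -DeniedAccounts 'RegionalAdmins'
# Stage 2 (on the workgroup server named RODC1, as the delegated account):
# Join-StagedRodc -DomainName corp.contoso.com -Credential (Get-Credential CORP\PilarA)
```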
The Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning in Windows Server 2012.

The following sections explain how to create server pools in order to install and manage AD DS on multiple servers, and how to use the wizards to install AD DS.

Creating server pools

Server Manager can pool other servers on the network as long as they are accessible from the computer running Server Manager. Once pooled, you choose those servers for remote installation of AD DS or any other configuration options possible within Server Manager. The computer running Server Manager automatically pools itself. For more information about server pools, see Add Servers to Server Manager (https://technet.microsoft.com/library/hh831453.aspx).

In order to manage a domain-joined computer using Server Manager on a workgroup server, or vice versa, additional configuration steps are needed. For more information, see "Add and manage servers in workgroups" in Add Servers to Server Manager (https://technet.microsoft.com/library/hh831453.aspx).

Installing AD DS

Administrative credentials

The credential requirements to install AD DS vary depending on which deployment configuration you choose. For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.

Use the following procedures to install AD DS using the GUI method. The steps can be performed locally or remotely. For a more detailed explanation of these steps, see the following topics:
- Deploying a Forest with Server Manager
- Upgrade Existing AD DS Forests and Add Writable Replica Domain Controllers
- Create Child and Tree Domains
- Stage and Attach RODCs
- Create RODCs without Staging

To install AD DS by using Server Manager

1. In Server Manager, click Manage and click Add Roles and Features to start the Add Roles Wizard.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation and then click Next.
4. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS and then click Next. To select remote servers, first create a server pool and add the remote servers to it. For more information about creating server pools, see Add Servers to Server Manager (https://technet.microsoft.com/library/hh831453.aspx).
5. On the Select server roles page, click Active Directory Domain Services, then on the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
6. On the Select features page, select any additional features you want to install and click Next.
7. On the Active Directory Domain Services page, review the information and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Results page, verify that the installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard. If you close the Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking Tasks in Server Manager.
10. On the Deployment Configuration page, choose one of the following options:
   - If you are installing an additional domain controller in an existing domain, click Add a domain controller to an existing domain, and type the name of the domain (for example, emea.corp.contoso.com) or click Select… to choose a domain, and credentials (for example, specify an account that is a member of the Domain Admins group) and then click Next. The name of the domain and current user credentials are supplied by default only if the machine is domain-joined and you are performing a local installation. If you are installing AD DS on a remote server, you need to specify the credentials, by design. If current user credentials are not sufficient to perform the installation, click Change… in order to specify different credentials. For more information, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).
   - If you are installing a new child domain, click Add a new domain to an existing forest, for Select domain type, select Child Domain, type or browse to the DNS name of the parent domain (for example, corp.contoso.com), type the relative name of the new child domain (for example, emea), type credentials to use to create the new domain, and then click Next. For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).
   - If you are installing a new domain tree, click Add a new domain to an existing forest, for Select domain type, choose Tree Domain, type the name of the root domain (for example, corp.contoso.com), type the DNS name of the new domain (for example, fabrikam.com), type credentials to use to create the new domain, and then click Next. For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).
   - If you are installing a new forest, click Add a new forest and then type the name of the root domain (for example, corp.contoso.com). For more information, see Install a New Windows Server 2012 Active Directory Forest (Level 200).
11. On the Domain Controller Options page, choose one of the following options:
   - If you are creating a new forest or domain, select the domain and forest functional levels, click Domain Name System (DNS) server, specify the DSRM password, and then click Next.
   - If you are adding a domain controller to an existing domain, click Domain Name System (DNS) server, Global Catalog (GC), or Read Only Domain Controller (RODC) as needed, choose the site name, type the DSRM password, and then click Next.
   For more information about which options on this page are available or not available under different conditions, see Domain Controller Options.
12. On the DNS Options page (which appears only if you install a DNS server), click Update DNS delegation as needed. If you do, provide credentials that have permission to create DNS delegation records in the parent DNS zone. If a DNS server that hosts the parent zone cannot be contacted, the Update DNS Delegation option is not available. For more information about whether you need to update the DNS delegation, see Understanding Zone Delegation (https://technet.microsoft.com/library/cc771640.aspx). If you attempt to update the DNS delegation and encounter an error, see DNS Options.
13. On the RODC Options page (which appears only if you install an RODC), specify the name of a group or user who will manage the RODC, add accounts to or remove accounts from the Allowed or Denied password replication groups, and then click Next. For more information, see Password Replication Policy (https://technet.microsoft.com/library/cc730883(v=ws.10)).
14. On the Additional Options page, choose one of the following options:
   - If you are creating a new domain, type a new NetBIOS name or verify the default NetBIOS name of the domain, and then click Next.
   - If you are adding a domain controller to an existing domain, select the domain controller that you want to replicate the AD DS installation data from (or allow the wizard to select any domain controller). If you are installing from media, click Install from media path, type and verify the path to the installation source files, and then click Next. You cannot use install from media (IFM) to install the first domain controller in a domain. IFM does not work across different operating system versions. In other words, in order to install an additional domain controller that runs Windows Server 2012 by using IFM, you must create the backup media on a Windows Server 2012 domain controller. For more information about IFM, see Installing an Additional Domain Controller by Using IFM (https://technet.microsoft.com/library/cc816722(WS.10).aspx).
15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept the default locations), and click Next. Do not store the Active Directory database, log files, or SYSVOL folder on a data volume formatted with Resilient File System (ReFS).
16. On the Preparation Options page, type credentials that are sufficient to run adprep. For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.
17. On the Review Options page, confirm your selections, click View script if you want to export the settings to a Windows PowerShell script, and then click Next.
18. On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.
19. On the Results page, verify that the server was successfully configured as a domain controller. The server will be restarted automatically to complete the AD DS installation.

Performing a Staged RODC Installation using the Graphical User Interface

A staged RODC installation allows you to create an RODC in two stages. In the first stage, a member of the Domain Admins group creates an RODC account. In the second stage, a server is attached to the RODC account.
The second stage can be completed by a member of the Domain Admins group or by a delegated domain user or group.

To create an RODC account by using the Active Directory management tools

You can create the RODC account by using Active Directory Administrative Center or Active Directory Users and Computers.

1. Click Start, click Administrative Tools, and then click Active Directory Administrative Center.
   a. In the navigation pane (left pane), click the name of the domain.
   b. In the Management list (center pane), click the Domain Controllers OU.
   c. In the Tasks pane (right pane), click Pre-create a read-only domain controller account.

   -Or-

   Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   a. Either right-click the Domain Controllers organizational unit (OU), or click the Domain Controllers OU and then click Action.
   b. Click Pre-create Read-only Domain Controller account.

2. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default Password Replication Policy (PRP), select Use advanced mode installation, and then click Next.

3. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.

4. On the Specify the Computer Name page, type the computer name of the server that will be the RODC.

5. On the Select a Site page, select a site from the list, or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.

6. On the Additional Domain Controller Options page, make the following selections, and then click Next:

   DNS server: This option is selected by default so that your domain controller can function as a Domain Name System (DNS) server. If you do not want the domain controller to be a DNS server, clear this option. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the wide area network (WAN) link to the hub site is offline.

   Global catalog: This option is selected by default. It adds the read-only global catalog directory partitions to the domain controller and enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN link to the hub site is offline.

   Read-only domain controller: When you create an RODC account, this option is selected by default and you cannot clear it.

7. If you selected the Use advanced mode installation check box on the Welcome page, the Specify the Password Replication Policy page appears. By default, no account passwords are replicated to the RODC, and security-sensitive accounts (such as members of the Domain Admins group) are explicitly denied from ever having their passwords replicated to the RODC. To add other accounts to the policy, click Add, then click Allow passwords for the account to replicate to this RODC or click Deny passwords for the account from replicating to this RODC, and then select the accounts. When you are finished (or to accept the default setting), click Next.

8. On the Delegation of RODC Installation and Administration page, type the name of the user or group who will attach the server to the RODC account that you are creating. You can type the name of only one security principal. To search the directory for a specific user or group, click Set. In Select User or Group, type the name of the user or group. We recommend that you delegate RODC installation and administration to a group. This user or group will also have local administrative rights on the RODC after the installation. Because a local administrator on the RODC can read any password that the PRP allows the RODC to cache, choose this principal as carefully as the PRP itself. If you do not specify a user or group, only members of the Domain Admins group or the Enterprise Admins group will be able to attach the server to the account. When you are finished, click Next.

9. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to create the RODC account.

10. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

After an RODC account is created, you can attach a server to the account to complete the RODC installation. This second stage can be completed in the branch office where the RODC will be located. The server where you perform this procedure must not be joined to the domain.
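The first stage above, done from Windows PowerShell instead of the wizard, as an added example that is not part of the original article. It uses the ADDSDeployment cmdlet Add-ADDSReadOnlyDomainControllerAccount (the same cmdlet the wizard's exported script calls) and then reads the pre-created account back so that the delegated administrator and the Password Replication Policy can be checked before the account is handed to the branch office. Run it on a domain-joined computer that has the AD DS management tools installed, as a member of Domain Admins. The domain name, site name, RODC name and branch groups are assumptions chosen for illustration.

```powershell
# Added example (not the article's own code): stage one of a staged RODC
# installation with the ADDSDeployment and ActiveDirectory modules.
# All names below are assumptions for illustration.

Import-Module ADDSDeployment
Import-Module ActiveDirectory

$DomainName   = 'emea.contoso.com'          # assumed domain (the article's example name)
$RodcName     = 'BRANCH-RODC01'             # the branch server must use exactly this computer name in stage two
$SiteName     = 'Branch-Site'               # assumed existing AD site for the branch office
$Delegate     = 'EMEA\Branch-RODC-Admins'   # assumed group; it attaches the server and becomes local admin on the RODC
$CacheAllowed = @('EMEA\Branch-Users')      # assumed group whose passwords the RODC may cache

# The article recommends delegating to a group; fail early if a user was given instead.
$sam = $Delegate.Split('\')[-1]
$delegateObj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties objectClass
if ($null -eq $delegateObj -or $delegateObj.ObjectClass -ne 'group') {
    throw "Delegated administrator '$Delegate' must be an existing group"
}

# Pre-create the account. Parameters left out keep the wizard defaults: DNS server
# and global catalog enabled, and the built-in "Denied RODC Password Replication
# Group" (which contains Domain Admins, Enterprise Admins, Schema Admins and other
# privileged groups) denied from ever being cached on the RODC.
# Add -Credential (Get-Credential) to use alternate credentials, as on the
# wizard's Network Credentials page.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName         $RodcName `
    -DomainName                          $DomainName `
    -SiteName                            $SiteName `
    -InstallDns:$true `
    -DelegatedAdministratorAccountName   $Delegate `
    -AllowPasswordReplicationAccountName $CacheAllowed

# Read the account back. The delegated administrator is stored in managedBy;
# the PRP lives in msDS-RevealOnDemandGroup (allow) and msDS-NeverRevealGroup (deny).
function Get-PrecreatedRodcSummary {
    param([string]$Name)
    $c = Get-ADComputer -Identity $Name -Properties managedBy, 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
    [pscustomobject]@{
        Name           = $c.Name
        DelegatedAdmin = $c.managedBy
        PrpAllow       = @($c.'msDS-RevealOnDemandGroup')
        PrpDeny        = @($c.'msDS-NeverRevealGroup')
    }
}

$summary = Get-PrecreatedRodcSummary -Name $RodcName
$summary | Format-List

# Checks a practitioner wants before handing the account to the branch:
# a principal in both lists is effectively denied (deny wins), and an empty
# deny list would let privileged passwords be cached on the RODC.
$overlap = $summary.PrpAllow | Where-Object { $summary.PrpDeny -contains $_ }
if ($overlap) { Write-Warning "Allowed and denied lists overlap (deny wins): $($overlap -join ', ')" }
if (-not $summary.PrpDeny) { Write-Warning 'Deny list is empty: privileged passwords could be cached on the RODC' }
```

The attribute read-back is deliberately done with Get-ADComputer rather than Get-ADDomainController: until a server is attached, the pre-created object is only a computer account in the Domain Controllers OU, and the PRP and delegation are plain attributes on it.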
Beginning in Windows Server 2012, you use the Add Roles and Features Wizard in Server Manager to attach a server to an RODC account.

To attach a server to an RODC account by using Server Manager

1. Log on as the local Administrator.

2. In Server Manager, click Add roles and features.

3. On the Before you begin page, click Next.

4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

5. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS, and then click Next.

6. On the Select server roles page, click Active Directory Domain Services, click Add Features, and then click Next.

7. On the Select features page, select any additional features that you want to install, and then click Next.

8. On the Active Directory Domain Services page, review the information, and then click Next.

9. On the Confirm installation selections page, click Install.

10. On the Results page, verify Installation succeeded, and then click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard. If you close the Add Roles and Features Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking Tasks in Server Manager.

11. On the Deployment Configuration page, click Add a domain controller to an existing domain, type the name of the domain (for example, emea.contoso.com) and credentials (for example, specify an account that is delegated to manage and install the RODC), and then click Next.

12. On the Domain Controller Options page, click Use existing RODC account, type and confirm the Directory Services Restore Mode password, and then click Next.

13. On the Additional Options page, if you are installing from media, click Install from media, type and verify the path to the installation source files, select the domain controller that you want to replicate the AD DS installation data from (or allow the wizard to select any domain controller), and then click Next.

14. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder, or accept the default locations, and then click Next.

15. On the Review Options page, confirm your selections, click View script if you want to export the settings to a Windows PowerShell script, and then click Next.

16. On the Prerequisites Check page, confirm that prerequisite validation completed, and then click Install.

To complete the AD DS installation, the server will restart automatically.

See also

Troubleshooting Domain Controller Deployment
Install a New Windows Server 2012 Active Directory Forest (Level 200)
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)