共用方式為


Active Directory Domain Services Overview

 

Applies To: Windows Server 2012

Did you know that Microsoft Azure provides similar functionality in the cloud? Learn more about Microsoft Azure identity solutions.

Create a hybrid identity solution in Microsoft Azure:
- Deploy Windows Server Active Directory on Azure Virtual Machines.
- Learn about the identity and access management solution available with Microsoft Enterprise Mobility.
- Install a replica Active Directory domain controller in an Azure virtual network.
- Manage identities for single-forest hybrid environments using cloud authentication.
- Learn more about Azure Active Directory and how it can integrate into your existing Active Directory infrastructure.

By using the Active Directory® Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft® Exchange Server.

The rest of this topic explains a high-level overview of the AD DS server role. For more information about new features in AD DS in Windows Server 2012, see What’s New in Active Directory Domain Services (AD DS).

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. A server that is running AD DS is called a domain controller. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain.

Organizing network elements into a hierarchical containment structure provides the following benefits:

  • The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, which is known as the forest root domain.

  • Additional domains can be created in the forest to provide partitioning of AD DS data, which enables organizations to replicate data only where it is needed. This makes it possible for AD DS to scale globally over a network that has limited available bandwidth. An Active Directory domain also supports a number of other core functions that are related to administration, including network-wide user identity, authentication, and trust relationships.

  • OUs simplify the delegation of authority to facilitate the management of large numbers of objects. Through delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects to a number of people who are trusted to perform management tasks.

Security is integrated with AD DS through logon authentication and access control to resources in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can also use a single network logon to access resources anywhere in the network. Policy-based administration eases the management of even the most complex network.

Additional AD DS features include the following:

  • A set of rules, the schema, that defines the classes of objects and attributes that are contained in the directory, the constraints and limits on instances of these objects, and the format of their names.

  • A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to find directory information, regardless of which domain in the directory actually contains the data.

  • A query and index mechanism, so that objects and their properties can be published and found by network users or applications.

  • A replication service that distributes directory data across a network. All writable domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.

  • Operations master roles (also known as flexible single master operations or FSMO). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and eliminate conflicting entries in the directory.

Requirements for running Active Directory Domain Services

What hardware, software, or settings configurations are required for running this feature? What prerequisites are there for running the role? Does this role/feature require special hardware?

Requirement

Description

TCP/IP

Configure appropriate TCP/IP and DNS server addresses.

NTFS

The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system. For security purposes, the Active Directory database and log files should be placed on a volume that is formatted with NTFS.

Credentials

To install a new AD DS forest, you need to be local Administrator on the server. To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.

Domain Name System (DNS) infrastructure

Verify that a DNS infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed.

When you create a new domain, a DNS delegation is created automatically during the installation process. Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.

For more information, see DNS Options wizard page.

Adprep

To add the first domain controller that runs Windows Server 2012 to an existing Active Directory, adprep.exe commands run automatically as needed. These commands have additional credential and connectivity requirements.

For more information, see Running Adprep.exe.

Read-only domain controllers (RODCs)

Additional requirements to install RODCs:

  • Forest functional level must be at least Windows Server 2003

  • At least one writable domain controller that runs Windows Server 2008 or later must be installed in the same domain.

For more information, see Prerequisites for Deploying an RODC.

Note

With the exception of DNS server, domain controllers generally should not host other server roles.

Running Active Directory Domain Services

How do I deploy and configure this role by using Windows PowerShell?

For step-by-step instructions for how to install and configure AD DS by using the ADDSDeployment module for Windows PowerShell® command-line interface, see Active Directory Domain Services Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=222597).

How do I deploy and configure this role in a multi-server environment?

AD DS is a distributed service that is designed to run on multiple domain controllers. For step-by-step instructions for how to install and configure AD DS on multiple domain controllers, see Active Directory Domain Services Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=222597).

How can I run this role on virtual machines?

AD DS in Windows Server 2012 includes safeguards for running on virtual machines to ensure safety and consistency of virtualized AD DS environments. For more information about how to run AD DS on virtual machines, see Running Domain Controllers in Hyper-V (https://go.microsoft.com/fwlink/?LinkID=213293).

Security considerations for running this role

After installation, AD DS is designed to be secure by default. For more information about default security settings for domain controllers, risks, and how to operate domain controllers securely, see Best Practice Guide for Securing Active Directory Installations.

Special considerations for managing this role remotely

To manage AD DS remotely, install the Remote Server Administration Tools (RSAT). There is a 32-bit version and a 64-bit version of RSAT. For more information, see Remote Server Administration Tools (https://go.microsoft.com/fwlink/?LinkId=222628).

Special considerations for managing the role on the Server Core installation option

AD DS can be installed on a Server Core installation or a server with a Minimal Server Interface, and is recommended in cases where reducing the footprint of the operating system installation is advantageous, such as for a dedicated server role in a datacenter, for virtualization guests, or RODCs in remote offices. Beginning with Windows Server 2012, a domain controller that runs on a Server Core installation can be converted to server installation with a GUI (also known as a full installation) and vice versa.

Upgrade from a Server Core installation running on a previous version of Windows Server is supported, but there is no way to upgrade directly from a Server Core installation of a previous version of Windows Server to a server installation with a GUI or directly from a server installation with a GUI to a Server Core installation. In this case, you need to upgrade directly to the same installation type on Windows Server 2012 and then convert to a different installation after the upgrade as needed.

For more information, see Windows Server Installation Options.

Role services for Active Directory Domain Services

Identity Management for UNIX is a role service of AD DS that can be installed only on domain controllers. Two Identity Management for UNIX technologies, Server for NIS and Password Synchronization, make it easier to integrate computers running Windows® into your existing UNIX enterprise. AD DS administrators can use Server for NIS to manage Network Information Service (NIS) domains. Password Synchronization automatically synchronizes passwords between Windows and UNIX operating systems.

Role service technologies

Role service description

Server for NIS

Enables a Microsoft Windows–based Active Directory domain controller to administer UNIX Network Information Service (NIS) networks. For more information, see Overview of Server for NIS (https://go.microsoft.com/fwlink/?LinkId=222677).

Password Synchronization

Helps integrate Windows and UNIX networks by simplifying the process of maintaining secure passwords in both environments. For more information, see Overview of Password Synchronization (https://go.microsoft.com/fwlink/?LinkId=222676).

Additional references