Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Complete the following prerequisites before you deploy a read-only ___domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The ___domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the ___domain functional level of all domains in the forest is Windows Server 2003 or higher.
Constrained delegation supports security calls that must be impersonated under the context of the caller. Delegation makes it possible for applications and services to authenticate to a remote resource on behalf of a user. Because it provides powerful capabilities, typically only ___domain controllers are enabled for delegation. For RODCs, applications and services must be able to delegate, but only constrained delegation is allowed because it prevents the target from impersonating again and making another hop. The user or computer must be cacheable at the RODC for constrained delegation to work. This restriction places limits on how a rogue RODC may be able to abuse cached credentials.
Run Adprep.exe commands to prepare your existing forest and domains for ___domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new ___domain controllers. There are different versions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2. For more information, see Running Adprep.exe (https://go.microsoft.com/fwlink/?LinkID=142597).
Prepare the forest and domains. There are three adprep commands to run, and after each one the changes must replicate throughout the forest before you proceed. Run the three commands as follows:
Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.
Prepare the ___domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.
If you are installing an RODC in an existing Windows Server 2003 ___domain, you must also run adprep /rodcprep. For more information, see Prepare a Forest for a Read-Only Domain Controller. For more information about how to resolve possible errors when you run adprep /rodcprep, see Adprep /rodcprep can have an error if the infrastructure master for an application directory partition is not available.
Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. For more information, see Installing an Additional Domain Controller (https://go.microsoft.com/fwlink/?LinkID=93254).
Deploy at least one writable ___domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same ___domain as the RODC and ensure that the writable ___domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate ___domain updates from a writable ___domain controller running Windows Server 2008 or Windows Server 2008 R2.
An RODC that runs Windows Server 2008 R2 can replicate the ___domain partition from a writable ___domain controller that runs Windows Server 2008 or Windows Server 2008 R2. But if an RODC that runs Windows Server 2008 R2 is added to a ___domain that has only a writable ___domain controller that runs Windows Server 2008, the RODC logs Event ID 2916 in the Directory Services log. This error can be disregarded, and it will not appear if there is a writable ___domain controller that runs Windows Server 2008 R2 in the ___domain. For more information, see Known Issues for Deploying RODCs.
For fault tolerance, deploy at least two writable ___domain controllers running Windows Server 2008 or Windows Server 2008 R2. An RODC can use the second ___domain controller for failover if the first ___domain controller is not available. The registration of the name server (NS) resource record is necessary to allow dynamic updates to replicate to the RODC by using a replicate-single-object (RSO) operation. For more information about how DNS updates are replicated to an RODC, see DNS updates for clients that are located in an RODC site.
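The prerequisites above can be verified before starting the RODC installation. The following PowerShell script is an added example, not part of this Microsoft documentation page; it assumes the ActiveDirectory module (available with RSAT or on Windows Server 2008 R2 and later) and the DnsClient module's Resolve-DnsName cmdlet (Windows 8 / Windows Server 2012 and later) are present on a ___domain-joined administrative workstation. The function name Test-RodcPrerequisites and the schema version numbers it reports are the example's own; the numbers are the well-known objectVersion values for each schema update (44 = Windows Server 2008, 47 = Windows Server 2008 R2, 56 = Windows Server 2012). It checks the forest and ___domain functional levels, whether the schema has been extended by adprep /forestprep, which writable ___domain controllers run Windows Server 2008 or later, and whether those ___domain controllers hold NS records for the ___domain zone.

```powershell
# Added example (not from the original page): pre-deployment check for the
# RODC prerequisites described above. Assumes the ActiveDirectory and DnsClient
# modules are available; cmdlet names are real, the function name is our own.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    param(
        # Domain the RODC will join; defaults to the current ___domain.
        [string]$DomainName = (Get-ADDomain).DNSRoot
    )

    $result = [ordered]@{}
    $forest = Get-ADForest
    $___domain = Get-ADDomain -Identity $DomainName

    # 1. Functional levels. ADForestMode/ADDomainMode cast to [int]: 2 is
    #    Windows Server 2003 (interim mode is 1 and does not qualify), so any
    #    value >= 2 gives linked-value replication and constrained delegation.
    $result.ForestFunctionalLevel = $forest.ForestMode
    $result.ForestLevelOk         = ([int]$forest.ForestMode -ge 2)
    $result.DomainFunctionalLevel = $___domain.DomainMode
    $result.DomainLevelOk         = ([int]$___domain.DomainMode -ge 2)

    # 2. Schema version shows whether adprep /forestprep has already run.
    #    objectVersion on the schema head: 44 = 2008, 47 = 2008 R2, 56 = 2012.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $schema   = Get-ADObject -Identity $schemaNC -Properties objectVersion
    $result.SchemaVersion   = $schema.objectVersion
    $result.SchemaPreparedForWs2008 = ($schema.objectVersion -ge 44)

    # 3. Writable DCs in the target ___domain running Windows Server 2008 or later.
    #    Filter out RODCs via IsReadOnly; -Server with a ___domain name locates a DC.
    $writable = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $DomainName
    $modern   = $writable | Where-Object { $_.OperatingSystem -match 'Server (2008|2012)' }
    $result.WritableDcs          = @($writable | ForEach-Object { "$($_.HostName) [$($_.OperatingSystem)]" })
    $result.HasModernWritableDc  = (@($modern).Count -ge 1)
    # Two or more gives the RODC a failover replication partner.
    $result.HasFailoverPartner   = (@($modern).Count -ge 2)

    # 4. NS records for the ___domain zone must include the writable DC(s) the
    #    RODC will use for replicate-single-object (RSO) DNS updates.
    $nsHosts = Resolve-DnsName -Name $DomainName -Type NS -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'NS' } |
               ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }
    $dcWithNs = $modern | Where-Object { $nsHosts -contains $_.HostName.ToLower() }
    $result.NsRecordHosts        = @($nsHosts)
    $result.ModernDcHasNsRecord  = (@($dcWithNs).Count -ge 1)

    # Summarise: every check that the page lists as mandatory must pass.
    $result.AllMandatoryChecksPass = $result.ForestLevelOk -and $result.DomainLevelOk -and
                                     $result.SchemaPreparedForWs2008 -and
                                     $result.HasModernWritableDc -and $result.ModernDcHasNsRecord
    [pscustomobject]$result
}

# Usage: run before adprep/rodcprep and again before installing AD DS on the RODC.
Test-RodcPrerequisites | Format-List
```

The script only reads directory and DNS data, so it is safe to run repeatedly; a false SchemaPreparedForWs2008 means adprep /forestprep has not replicated yet, and a false ModernDcHasNsRecord means the writable ___domain controller is not yet registered as a name server for the zone, which would leave the RODC unable to receive dynamic DNS updates through RSO. Whether adprep /rodcprep has completed is not covered here because the page does not describe a directory attribute that records it; check the command's own output instead.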