AD DS Simplified Management (2023)

  • Article

Gilt für: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic discusses the capabilities and benefits of deploying and managing a Windows Server 2012 domain controller and the differences between the previous DC operating system deployment and the new Windows Server 2012 implementation.

Windows Server 2012 introduced the next generation of simplified Active Directory Domain Services management and was the most radical domain redesign since Windows 2000 Server. AD DS Simplified Administration leverages 12 years of Active Directory learnings to provide architects and administrators with a more supportive, flexible, and intuitive management experience. This meant creating new versions of existing technologies, as well as expanding the functionality of the components released in Windows Server 2008 R2.

Simplified AD DS management rethinks domain deployment.

  • AD DS role provisioning is now part of the new Server Manager architecture and enables remote installation
  • The AD DS provisioning and configuration engine is now Windows PowerShell, even when using the new AD DS configuration wizard
  • Schema extension, forest initialization, and domain initialization are automatically part of domain controller promotion and no longer require separate tasks on dedicated servers such as Schema Master
  • Promotion now includes a prerequisite checker that verifies forest and domain readiness for the new domain controller, reducing the chance of failed promotions
  • The Active Directory Module for Windows PowerShell now includes cmdlets for managing replication topology, dynamic access control, and other features
  • The Windows Server 2012 forest functional layer does not implement any new features, and the domain functional layer is required for only a subset of the new Kerberos features, freeing administrators from the frequent need for a homogeneous domain controller environment
  • Added full support for virtualized domain controllers, including automated provisioning and rollback protection
    • For more information about virtual domain controllers, seeIntroduction to Active Directory Domain Services (AD DS) Virtualization (Level 100).

In addition, there are numerous management and maintenance improvements:

  • The Active Directory Administrative Center includes a graphical Active Directory recycle bin, detailed password policy management, and a Windows PowerShell history viewer
  • The new Server Manager provides AD DS specific interfaces for performance monitoring, best practice analysis, critical services and event logs
  • Group managed service accounts support multiple computers using the same security principles
  • Improvements in versioning and relative identifier (RID) tracking for better management in mature Active Directory domains

AD DS benefits from other new features included in Windows Server 2012, including:

  • NIC-Clustering und Data Center Bridging
  • DNS security and faster zone availability built into AD after launch
  • Hyper-V reliability and scalability improvements
  • BitLocker Network Unlock
  • Additional management modules for Windows PowerShell components


Active Directory forest schema extension and domain initialization are now integrated into the domain controller configuration process. When you promote a new domain controller to an existing farm, the process detects the upgrade status and runs the schema extension and domain initialization phases automatically. The user installing the first Windows Server 2012 domain controller must still be an enterprise administrator and schema administrator, or provide valid alternative credentials.

Adprep.exe remains on the DVD to prepare the forest and domain separately. The version of the tool included with Windows Server 2012 is backward compatible with Windows Server 2008 x64 and Windows Server 2008 R2. Adprep.exe also supports Remote Forestprep and Domainprep, just like ADDSDeployment-based domain controller configuration tools.

For Adprep and the previous Forest Prep operating system, seeRun Adprep (Windows Server 2008 R2).

Administrator des AD DS-Integrationsservers

AD DS Simplified Management (1)

Server Manager acts as a hub for server administration tasks. The dashboard-style display regularly updates views of installed roles and remote server groups. Server Manager provides centralized management of local and remote servers without requiring console access.

Active Directory Domain Services is one of these hub roles. When running Server Manager on a domain controller or the remote server administration tools in Windows 8, you've recently noticed significant problems with domain controllers in your farm.

These views include:

  • server availability
  • Performance monitoring alerts for high CPU and memory usage
  • The status of AD DS specific Windows services
  • Current warnings and error entries related to directory services in the event log
  • Best practice analysis of a domain controller based on a set of rules recommended by Microsoft

Active Directory Administrative Center Recycle Bin

AD DS Simplified Management (2)

Windows Server 2008 R2 introduced Active Directory Recycle Bin, which restores deleted Active Directory objects without restoring them from backup, restarting AD DS, or restarting domain controllers.

Windows Server 2012 extends the existing Windows PowerShell-based recovery capabilities with a new graphical interface in Active Directory Management Center. This allows administrators to enable the Recycle Bin and find or recover deleted objects in forest domain environments without having to run Windows PowerShell cmdlets directly. Active Directory Administrative Center and Active Directory Recycle Bin still secretly use Windows PowerShell, so the previous scripts and techniques are still valuable.

Information about Active DirectoryRecycle Bin, see Active Directory recycling step-by-step guide (Windows Server 2008 R2).

Fine-grained password policy in Active Directory Administration Center

AD DS Simplified Management (3)

Windows Server 2008 introduced the Fine-Grained Password policy, which allows administrators to configure multiple password and account lockout policies per domain. This offers domains a flexible solution to enforce more or less restrictive password rules based on users and groups. There was no management interface and administrators had to configure it using Ldp.exe or Adsiedit.msc. Windows Server 2008 R2 introduced the Active Directory module for Windows PowerShell, which provided administrators with a command-line interface to FGPP.

Windows Server 2012 provides a graphical interface for granular password policy. The Active Directory Administration Center is home to this new dialog that offers simplified FGPP management for all administrators.

For the detailed password policy, seeStep-by-Step Guide to Fine-Grained AD DS Password and Account Lockout Policies (Windows Server 2008 R2).

Active Directory Management Center Windows PowerShell-Verlaufsanzeige

AD DS Simplified Management (4)

Windows Server 2008 R2 introduced the Active Directory Administrative Center, replacing the older Active Directory Users and Computers snap-in created in Windows 2000. The Active Directory Administrative Center provides a graphical management interface for the then-new Active Directory module for Windows PowerShell.

Although the Active Directory module contains over a hundred cmdlets, the learning curve for an administrator can be steep. Because Windows PowerShell is tightly integrated with the Windows management strategy, Active Directory Management Center now includes a viewer that allows you to see cmdlet execution in the GUI. Search, copy, delete and add notes to history from a simple interface. The intent is for an administrator to use the GUI to create and modify objects, and then review them in the history view to learn about Windows PowerShell scripting and modify the samples.

Windows PowerShell AD-Replikation

AD DS Simplified Management (5)

Windows Server 2012 adds additional Active Directory replication cmdlets to the Active Directory Windows PowerShell module. These allow the configuration of new or existing sites, subnets, links, site links and bridges. They also return Active Directory replication metadata, replication status, queue, and updated version vector information. The advent of replication cmdlets—in conjunction with provisioning and other existing AD DS cmdlets—allows a forest to be managed using only Windows PowerShell. This opens up new opportunities for administrators who want to deploy and manage Windows Server 2012 without a graphical interface, reducing the attack surface and operating system maintenance requirements. This is especially important when servers are deployed in highly secure networks such as Secret Internet Protocol Routers (SIPR) and corporate DMZs.

For more information about AD DS site topology and replication, seeWindows Server Technical Reference.

Improvements in RID management and issuance

Windows 2000's Active Directory introduced the RID master, which issues sets of related identifiers to domain controllers to create security identifiers (SIDs) of security administrators such as users, groups, and computers. By default, this global RID space is limited to 230(or 1,073,741,823) total SIDs created in a domain. SIDs cannot be returned to the pool or reissued. Over time, a large domain can run out of RID, or crashes can lead to unnecessary RID exhaustion and eventual exhaustion.

Windows Server 2012 addresses a number of RID versioning and management issues reported by customers and Microsoft Customer Support as AD DS has evolved since the creation of the first Active Directory domains in 1999. This includes:

  • Periodic RID usage alerts are written to the event log
  • Logging of events when an administrator dissolves a RID group
  • A maximum limit is now enforced for the RID block size policy
  • Artificial RID caps are now enforced and logged when global RID storage is running low, allowing the admin to take action before global storage is exhausted
  • The global RID storage space can now be increased by one bit, doubling the size to 231(2.147.483.648 SID)

For more information on RIDs and the RID master, seeThis is how security identifiers work.

AD DS role provisioning and management architecture

Server administration and ADDS deployment Windows PowerShell relies on the following key assemblies for functionality when deploying or managing an AD DS role:

  • Microsoft.ADroles.Aspects.dll
  • Microsoft.ADroles.Instrumentation.dll
  • Microsoft.ADRoles.ServerManager.Common.dll
  • Microsoft.ADRoles.UI.Common.dll
  • Microsoft.DirectoryServices.Deployment.Types.dll
  • Microsoft.DirectoryServices.ServerManager.dll
  • Adds "deployment.psm1".
  • Adds "deployment.psd1".

Both rely on Windows PowerShell and its remote command line for remote installation and role configuration.

AD DS Simplified Management (6)

Windows Server 2012 also replicates some of the earlier LSASS.EXE forwarding functions as part of:

  • DS Role Server Service (DsRoleSvc)
  • DSRoleSvc.dll (loaded by DsRoleSvc service)

This service must be present and running to promote, demote, or clone virtual domain controllers. Installing AD DS roles adds this service and sets the startup type to manual by default. Do not disable this service.

ADPrep and prerequisite checker architecture

Adprep no longer needs to be run on the schema master. It can be run remotely from a computer running Windows Server 2008 x64 or later.


Adprep uses LDAP to import Schxx.ldf files and does not automatically reconnect if the connection to the master schema is lost during import. As part of the import process, the master schema is set to a specific mode and automatic reconnection is disabled because when LDAP reconnects after a connection loss, the reconnected connection is not in that mode. In this case, the schema would not be updated correctly.

The prerequisite check ensures that certain conditions are met. These prerequisites are required for a successful AD DS installation. If certain required conditions are not met, they can be resolved before the installation continues. It also detects that a forest or domain is not yet prepared, so the Adprep deployment code runs automatically.

ADPrep, DLL, LDF executable files

  • ADprep.dll
  • LDifde.dll
  • Csvde.dll
  • Sch14.ldf - Sch56.ldf
  • *dcpromo.csv

The AD preparation code previously housed in ADprep.exe is rebuilt in adprep.dll. This allows both ADPrep.exe and the ADDSDeployment Windows PowerShell module to use the library for the same tasks and have the same functionality. Adprep.exe is included in the installation media, but is not called directly by automated processes - only an administrator runs it manually. It can only run on Windows Server 2008 x64 and later operating systems. Ldifde.exe and csvde.exe also have newly built versions as DLLs that are loaded by the initialization process. The schema extension continues to use the signature verified LDF files as in previous OS versions.

AD DS Simplified Management (7)


There is no Adprep32.exe 32-bit tool for Windows Server 2012. You must have at least one Windows Server 2008 x64, Windows Server 2008 R2, or Windows Server 2012 computer running as a domain controller, member server, or in a workgroup Forest and field preparation. Adprep.exe does not run on Windows Server 2003 x64.

prerequisite control

The required control system built into Windows PowerShell ADDSDeployment managed works in different modes depending on the mode. The following tables describe each test, when to use it, and how and what it validates. These tables can be useful when there are problems where validation fails and the error is not enough to fix the problem.

These tests are linkedDirectoryServices deploymentOperational event log channel under the task categoryKern, always as event ID103.

Windows PowerShell required

There are ADDSDeployment Windows PowerShell cmdlets for all domain controller deployment cmdlets. They have roughly the same arguments as the associated cmdlets.

  • Test-ADDSdomainControllerInstallation
  • Test-ADDSdomainControllerDeinstallation
  • Test-ADDSdomainInstallation
  • Test-ADDSForestInstallation
  • Test creating ADDSReadOnlyDomainControllerAccountCreation

Normally you don't need to run these cmdlets. By default, they are already run automatically with the deployment cmdlets.

prerequisite test



Explanation and Notes


LDAPVerifies that you have the SeEnableDelegationPrivilege right on the existing partner domain controller. This requires access to the tokenGroups built-in attribute.

Not used when communicating with Windows Server 2003 domain controllers. You must manually enable this permission prior to promotion


Requirements (Forest)

LDAPDiscovers the schema master and communicates with it via the rootDSE attribute "nameContexts" and the attribute "Schema Naming context" fsmoRoleOwner. Specifies which preparatory operations (forestprep, domainprep, or rodcprep) are required for installing AD DS. Validates the schema. The expected version of the object and whether further enhancement is required.

Prerequisites (domain and RODC)

LDAPIt discovers and contacts the infrastructure master using the rootDSE attribute "nameContexts" and the attribute "fsmoRoleOwner" of the infrastructure container. In the case of an RODC installation, this test detects the primary domain name and ensures it is online.




Check if the user is a member of the "Domain Admins" or "Enterprise Admins" group depending on the role (DA to add or demote a domain controller, EA to add or remove a domain).

team member



Confirm that the user is a member of the Schema Admins and Enterprise Admins groups and has the Manage Auditing and Security Event Logs (SesScurityPrivilege) privilege on the existing domain controllers

team member



Confirm that the user is a member of the Domain Admins group and has the Manage auditing and security event logs (SesScurityPrivilege) privilege on the existing domain controllers

team member



Confirm that the user is a member of the Company Administrators group and has the Manage Auditing and Security Event Logging (SesScurityPrivilege) privilege on the existing domain controllers

After reboot

LDAPConfirm that the schema master has been created at least once since the restart by setting a dummy value for the RootDSE attribute applySchemaMaster
Check SFUHotFix


LDAPValidate the existing Forest Squadron schema. It contains no known issue with SFU2 extension for UID attribute with OID 1.2.840.113556.1.4.7000.187.102

(Impact of Schema Changes - Win32 Applications)



LDAP, WMI, DCOM, RPCVerify that the existing forest schema still does not contain an issue. The Exchange 2000 extensions ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier (About schema extensions - configuration management)


LDAPConfirm that the existing forest schema has consistent base attributes and classes (not incorrectly modified by third parties).
DCPromoDRSR over RPC,




Check the command line syntax passed to the action code and test the action. Make sure the forest or domain doesn't already exist when creating a new one.

Playback enabled

LDAP, DRSR vs. SMB, RPC vs. SMB (LSARPC)Verify that the existing domain controller specified as the replication partner has outbound replication enabled by checking the options attribute of the NTDS Settings object for NTDSDSA_OPT_DISABLE_OUTBOUND_REPL (0x00000004).


DRSR over RPC,




Validate the secure mode password set for DSRM that meets the domain complexity requirements.
VerifySafeModePasswordN / AValidation of the local set of administrator passwords meets the complexity requirements of the computer security policy.
Top Articles
Latest Posts
Article information

Author: Rob Wisoky

Last Updated: 03/31/2023

Views: 6049

Rating: 4.8 / 5 (68 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Rob Wisoky

Birthday: 1994-09-30

Address: 5789 Michel Vista, West Domenic, OR 80464-9452

Phone: +97313824072371

Job: Education Orchestrator

Hobby: Lockpicking, Crocheting, Baton twirling, Video gaming, Jogging, Whittling, Model building

Introduction: My name is Rob Wisoky, I am a smiling, helpful, encouraging, zealous, energetic, faithful, fantastic person who loves writing and wants to share my knowledge and understanding with you.