Windows Server 2008 R2 includes new features that can simplify the way you administer and maintain Active Directory (AD). Besides the AD Recycle Bin—a great feature for AD object recovery—and the AD Best Practices Analyzer—a very valuable tool for AD health checking—one of the most eye-catching new management-related features is certainly the Active Directory Administrative Center (ADAC).
Let's look at this new tool and see how ADAC can help simplify your day-to-day AD administration work. ADAC can be installed only on computers running Server 2008 R2 and is available with Windows Server 2008 R2 Standard, Enterprise, and Datacenter Editions, but not the Itanium and Web Server Editions.
ADAC is installed by default when you install the Active Directory Domain Services (AD DS) server role. ADAC is also included in the Remote Server Administration Tools (RSAT) feature.
How ADAC Differs From ADUC
ADAC offers administrators a good alternative to the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) snap-in for managing AD objects. As with ADUC, administrators can use ADAC to perform common AD user, computer, group, and organizational unit (OU) object management tasks. Like ADUC, the current version of ADAC is used only for managing Active Directory Domain Services (AD DS) instances and not for managing Active Directory Lightweight Directory Service (AD LDS, formerly ADAM) instances.
The key difference is that ADAC is a very task-oriented administration tool that can help you manage AD in fewer steps. The ADAC interface focuses on key AD administration tasks.
For example, two very frequently performed tasks, resetting a password and searching AD for an object, are immediately available when you open ADAC, as Figure 1 shows. With ADUC, to reset a password you first had to locate the object, then right-click it and select Reset Password, and only then could you enter the new password.
In ADAC you can do all this in a single action from the ADAC opening screen.
ADUC is, foremost, a data-oriented tool: It shows you how the data in AD is organized. ADAC supports this data-oriented view of AD objects as well.
The classic hierarchical view of AD content is available from ADAC’s tree view, which I will discuss in more detail below. Besides the ADAC interface's focus on key administration tasks, two other important differences you will notice in the interface are that ADAC is much more customizable, and it lets you simultaneously connect to other domains.
ADUC supported taskpads, but these were never a big success, and it required separate instances to manage objects across multiple domains. ADAC lets you simultaneously connect to different domain controllers (DCs) in different domains to manage objects across multiple domains within the same ADAC instance.
The other big difference between ADUC and ADAC lies in ADAC’s underlying architecture. ADAC is not MMC–based but uses an Explorer-like interface instead.
Under the hood, ADAC leverages Windows PowerShell and the new Active Directory Web Services (ADWS). ADWS is a new Windows service that provides a web service interface to AD.
To use ADAC you need at least one Windows DC in your domain that has an operational ADWS service. ADWS is included in Server 2008 R2, and Microsoft also provides an ADWS add-on package for Windows 2003 SP2, Windows 2003 R2 SP2, Server 2008, and Server 2008 SP2. This package is called the Active Directory Management Gateway Service.
This means that you can also use ADAC to manage AD instances that are running on other Windows server platforms besides Server 2008 R2. Windows Server 2008 R2 includes a new set of powerful PowerShell cmdlets for AD administration that are bundled in the Active Directory Module for Windows PowerShell.
This module calls on the Microsoft .NET Framework 3.5.1 and ADWS for accessing the AD core engine. Server 2008 R2 automatically installs the PowerShell engine, the Active Directory Module for PowerShell, the .NET Framework 3.5.1, and ADWS when you install AD DS.
You also get access to these services when you add the Remote Server Administration Tools (RSAT) feature to a Server 2008 R2 or Windows 7 machine. RSAT is bundled with Server 2008 R2. For more information on RSAT for Windows 7 go to Microsoft support. You can download RSAT for Windows 7 at the Microsoft download site.
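The prerequisite described above (a DC with an operational ADWS service) can be verified from the Active Directory Module for Windows PowerShell before launching ADAC. This is an added example, not code from the article or from Microsoft; it assumes the AD module is installed on the machine and relies on ADWS listening on its default TCP port 9389.

```powershell
# Added example (not from the article): verify that a DC with an operational
# ADWS service is reachable before starting ADAC. Requires the Active Directory
# Module for Windows PowerShell (a Server 2008 R2 DC, or RSAT on Windows 7 / 2008 R2).
Import-Module ActiveDirectory

# ADWS listens on TCP 9389 by default; ADAC and the AD cmdlets talk to this port.
$AdwsPort = 9389

function Test-AdwsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = $AdwsPort,
        [int]$TimeoutMs = 3000
    )
    # Plain TCP connect with a timeout; Test-NetConnection does not exist on 2008 R2 / Windows 7.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ask the DC locator for a DC that advertises ADWS. If none is found, the domain has
# no 2008 R2 DC and no 2003/2008 DC with the AD Management Gateway Service installed.
try {
    $dc = Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop
} catch {
    Write-Warning "No domain controller advertising ADWS was found: $_"
    return
}

# With -Discover, HostName is returned as a collection; take the first entry.
$dcName    = @($dc.HostName)[0]
$reachable = Test-AdwsEndpoint -ComputerName $dcName
"{0} advertises ADWS; TCP {1} reachable: {2}" -f $dcName, $AdwsPort, $reachable

if ($reachable) {
    # Bind the cmdlets to that DC explicitly so scripts and ADAC use the same endpoint.
    Get-ADDomain -Server $dcName | Select-Object DNSRoot, PDCEmulator, DomainMode
}
```

If the locator finds a DC but the port test fails, check the ADWS service state and host firewall on that DC before blaming ADAC itself.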
You can find ADAC in the Administrative Tools folder of your Server 2008 R2 server Start Menu or you can start it from the command line using dsac.exe. When ADAC opens, it shows the Administrative Center Overview page that’s illustrated in Figure 1.
There, you can find three sections: Reset Password, Global Search, and Getting Started. Often these are the three tasks an AD administrator performs most.
You can customize the Overview page by adding or removing sections. To do so, use the Add Content drop-down button in the top right corner of the Administrative Center Overview page.
On the left side of the Administrative Center Overview page are the ADAC navigation pane and your personal navigation nodes. Navigation nodes are shortcuts to containers in the local AD domain or its trusted AD domains. When you click a navigation node, ADAC takes you right to the corresponding AD container and displays its content in the right pane, which Figure 2 shows.
To create your personal navigation nodes, use “Add Navigation Nodes…” at the top of the navigation pane. Again, you can customize the navigation pane: When you right-click a navigation node you can rename or remove the node, create a duplicate node, or move the node up or down in the navigation pane list.
You can browse the navigation pane and its nodes using a tree view, which is similar to the ADUC console tree, or by using the new list view. If you’re used to the ADUC console tree, it’s a bit confusing that the ADAC tree view also shows all your navigation nodes.
This means a given AD container can show up multiple times in the ADAC tree view. You can switch between the ADAC list and tree view by using the two tabs at the top of the navigation pane: list view is the left tab, tree view is the right tab.
In the ADAC list view you can use the Column Explorer feature, which provides a Start Menu–like view of the AD container hierarchy, as Figure 3 shows. Column Explorer simplifies browsing through the AD hierarchy because it displays all child containers of a given parent container in a single column and adds new columns as you dig deeper into the AD hierarchy.
Column Explorer also provides a Find in this column box where you can type the name of the container object you’re looking for. ADAC automatically filters the current view while you type. As you can see in Figure 3, I searched for the Seattle OU, and ADAC automatically filtered the content of the Washington OU to the Seattle and Spokane OUs while I typed the letter S in the Find in this column box.
This can be a very useful feature when dealing with large datasets: You don’t need to scroll through the entire list of OUs anymore to locate a particular OU. Another hidden ADAC change that’s important for dealing with large AD datasets is that ADAC gets rid of the OU display limit of 2,000 objects per OU that ADUC set.
The list view also has a Most Recently Used (MRU) feature that shows the last three containers you accessed in a particular navigation node. In the example back in Figure 2, my MRU containers for my EMEA navigation node were Belgium\Brussels, Spain, and Germany.
At the top of the ADAC window is the breadcrumb bar. It lets you navigate directly to a specific container in your local domain or in a trusted AD domain by specifying an LDAP path, a distinguished name (DN), or a hierarchical path to an AD container. Figure 2 shows a hierarchical path to the “Active Directory Domain Services\dc-Americas\USA\Washington\Redmond\Tech” container in the breadcrumb bar.
You can use this bar to navigate only to containers that are part of the domain AD naming context of your local domain or a trusted domain. You can’t use it to navigate to containers of the configuration, schema, or application AD naming contexts. The breadcrumb bar is a feature that can be very handy when you must administer large AD datasets.
When you open the properties of an AD object in ADAC (which you can do by double-clicking the object or by clicking the Properties link in the Tasks pane), you will notice that the property page is very different from what it was in ADUC. This is illustrated in Figure 4 for the Peter Kent user object.
ADAC shows only the most important object properties and groups the properties in sections. To perform common administrative tasks like an object rename or move, or password reset, you can use the Tasks dropdown menu on the top right of the property page.
If you can’t get used to the new property page, the classic tabbed ADUC view of an AD object’s properties can be found in the last section of the ADAC property page, called Extensions. However, you can only use this tabbed view to administer the object properties that aren’t already contained in the other sections.
Again, ADAC lets you easily customize an object’s property page: You can display or hide property page sections by using the buttons on the right top of each section or using the Add Sections dropdown menu at the top right of the property page.
For AD administrators, it’s paramount to have a powerful AD search engine. The ADAC search engine is called Global Search and is both flexible and powerful. You can access it from the Administrative Center Overview page or by using the Global Search link on the navigation pane.
From the Global Search page, which Figure 5 shows, you can build AD queries using specific keywords and search criteria. You can use predefined criteria such as “Users with a password expiring in this number of days” or “Users with enabled but locked accounts.”
When you select the Convert to LDAP option, Global Search converts the search criteria you selected to an LDAP query string that you can then fine-tune in the Enter LDAP query window. Global Search also lets you save your queries and re-use them.
To save your query, use the Save button at the top right of the Global Search page. To retrieve a query that you previously saved, use the Queries button.
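The two predefined Global Search criteria quoted above can also be run from the Active Directory Module for Windows PowerShell, which is useful when a saved query needs to become a scheduled report. This is an added example, not the article's code; the LDAP filter is an equivalent written here, not the exact string ADAC emits, and the function names are made up for the example.

```powershell
# Added example (not from the article): the two Global Search criteria quoted above,
# expressed with the Active Directory Module for Windows PowerShell so they can be
# scheduled or scripted. The LDAP filter is an equivalent, not ADAC's own output.
Import-Module ActiveDirectory

# "Users with enabled but locked accounts"
# userAccountControl bit 0x2 = ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
$LockedEnabledFilter = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-LockedEnabledUsers {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # lockoutTime stays set after lockoutDuration has elapsed, so confirm each hit with
    # Search-ADAccount, which evaluates the lockout policy instead of just the attribute.
    $candidates   = Get-ADUser -LDAPFilter $LockedEnabledFilter -SearchBase $SearchBase -Properties lockoutTime
    $confirmed    = Search-ADAccount -LockedOut -UsersOnly | Where-Object { $_.Enabled }
    $confirmedDns = @($confirmed | ForEach-Object { $_.DistinguishedName })
    $candidates | Where-Object { $confirmedDns -contains $_.DistinguishedName }
}

# "Users with a password expiring in this number of days"
function Get-UsersWithExpiringPassword {
    param([int]$Days = 7, [string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $now   = Get-Date
    $limit = $now.AddDays($Days)
    # msDS-UserPasswordExpiryTimeComputed is constructed by the DC using the effective
    # (domain or fine-grained) password policy, so no manual maxPwdAge arithmetic is needed.
    Get-ADUser -SearchBase $SearchBase -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires `
        -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } |
      ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means the password never expires (e.g. password-not-required accounts)
        if ($raw -and $raw -ne [Int64]::MaxValue) {
            $expires = [DateTime]::FromFileTime($raw)
            if ($expires -ge $now -and $expires -le $limit) {
                New-Object PSObject -Property @{
                    SamAccountName  = $_.SamAccountName
                    PasswordExpires = $expires
                    DaysLeft        = [int]($expires - $now).TotalDays
                }
            }
        }
      }
}

Get-LockedEnabledUsers | Select-Object SamAccountName, DistinguishedName
Get-UsersWithExpiringPassword -Days 14 | Sort-Object PasswordExpires | Format-Table -AutoSize
```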
Impressive Version One Product
ADAC offers a single administration interface for connecting to different domains and provides efficient tools for searching and locating AD objects in a large AD database. However, the ADAC interface is very different from ADUC, and it will definitely take some time to get used to it.
One small thing I found missing from the ADAC interface is a refresh option—this can be handy when you’re using ADUC and ADAC simultaneously and you add or modify objects in ADUC. Also, for the automation of certain AD administrative tasks it would have been nice to have access to the PowerShell code underlying ADAC.
ADAC is an impressive version one product and a welcome addition for AD administrators who must deal with large AD databases and many AD domains.