I must admit that when I was first asked to write an article on the Active Directory Administrative Center (ADAC) for Windows Server 2008 R2, I was less than thrilled. I was unimpressed by some of the early releases, but decided to give it a fair shake. As it turns out, I was pleasantly surprised by what I found.
While there are some pieces lacking, the ADAC is definitely an improvement over the old Active Directory Users and Computers snap-in that's been used over the past 10 years, especially for those managing large and complex environments. Of course if you are one of those people, then you have probably purchased a third-party tool and may see no need to use the AD Administrative Center.
The ADAC is available on Windows 2008 R2, but can also be used to manage Windows Server 2003 and 2008 domains. I did my testing in a multi-domain environment with a Windows Server 2003 root domain plus Windows Server 2008 and 2008 R2 domains, and I definitely recommend taking the feature for a spin.
The ADAC is one of the Active Directory Domain Services (AD DS) tools, which is part of the Remote Server Administration Tools feature in Windows Server 2008 R2. It can be accessed via the Administrative Tools option in the Start menu or under the AD DS tools listing in Server Manager.
In my opinion, the most important features of the ADAC in Windows Server 2008 R2 include the following:
- It is Windows PowerShell-based, which is enhanced by the PowerShell Integrated Scripting Environment (ISE).
- There is a "flatter" property tree that requires less clicking to get what you want.
- The ADAC is very customizable:
- Frequent tasks are right up front and easily accessible, with more to come in the future.
- You can build the navigation tree with OUs and containers from various domains rather than switching the entire domain context (this is very nice).
- It includes superb query abilities that are easy enough for the greenest administrator and allow for complex LDAP queries.
- Multi-domain management capabilities are excellent when compared to AD Users and Computers.
- Multi-forest management features allow you to manage anything with a trust. Note that at least one DC in each domain must have Active Directory Web Service installed. It is available as a download from Microsoft for Windows 2003 and 2008 servers.
- It is easier to perform common tasks such as password changes.
- There is an attribute editor for objects, meaning fewer trips to ADSI Edit or LDP.exe.
So let's take a look at some of these significant features in more detail.
- Administrative Center Overview – In the center pane there are special "tiles" that allow for the management of common tasks. These are controlled via the Add Content option. Unfortunately only password changes, global searches and "getting started" are available at this time. With the promise of more to come, this option could be very handy for quickly exposing common tasks.
- Adding navigation nodes – This link opens up a dialog (Figure A) that allows browsing of all trusted domains, containers and OUs. They can be added to the navigation tree individually in the ADAC. In the example below, I've added OUs from three different domains in a forest, but if other forests are available, they could be added as well. This feature permits customized organization of managed containers across all domains.
- Figure A. Adding navigation nodes in the AD Administrative Center (click to enlarge)
- User object properties are exposed in a "flatter" manner – The properties are all laid out in an easy-to-see format that requires less clicking than in AD Users and Computers and makes the properties easier to find. Also, the extensions include an attribute editor as (shown in Figure B) that reduces the need to go to the ADSI Edit tool for attribute viewing or editing.
- Figure B. Attribute editor in the ADAC (click to enlarge)
Improvements with Active Directory queries – The Global Query option (Figure 3) is a powerful query, especially for those skilled in constructing LDAP searches. With this option you can select multiple search scopes (circled in the screen shot) from the navigation nodes. Queries can also be built by simply clicking the node in the navigation pane and constructing the query.
Figure D, the filter options are exposed in the user interface with check boxes and can be saved and applied to other contexts, making this option easy to use for admins with little LDAP filter experience. Note that the query Save and Recall options are shown in the red circle and the filter options applied are highlighted in the red square. The filter options can easily be removed by clicking the red "X" by each filter option. Any change made here executes the search immediately, whereas the global search feature requires clicking the Apply button to execute the search.
The Active Directory Administrative Center is quite intuitive and formatted very logically. Additionally, it is customizable and extremely PowerShell-friendly, with more flexibility promised in the future. There is still some room for improvement, however, including:
- The addition of exposed PowerShell commands for actions taken in the UI, like with Exchange Server 2007, would be great to see. For example, you can create a mailbox in the Exchange Management Console and it dumps the PowerShell command used to do it. This is nice if you aren't a PowerShell guru since you can click on the options in the UI, get the PowerShell command and then play with it.
- I'd also like to see Microsoft add more "tiles" to the Administrative Center Overview section. Being able to build your own custom tiles would be even better.
- Incorporating tasks that were available in AD Users and Computers would be nice, like copying and renaming users and changing FSMO roles (though I still prefer NTDSUtil).
- One thing I find annoying involves managing multiple domains, as I am unable to change my credentials for the different domains. Maybe there is a way to do this, but I didn't find it. A "RunAs" option in the UI would be very helpful.
All in all, Microsoft made some great improvements with the Active Directory Administrative Center. Still, I doubt that large enterprises will use it because they probably already have a more mature third-party tool in place. It will definitely have its place though, as I still talk to lots of admins who use AD Users and Computers, so this new tool will be a great improvement for them.
Did you know?
"The introduction of the ADAC doesn't eliminate the old-school Active Directory Users and Computers interface. As a result, the old console can be used while you learn ADAC's capabilities."
-- Greg Shields, Microsoft MVP
Read more: Active Directory in R2 -- Features to care about, others to ignore
ABOUT THE AUTHOR
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.