Active Directory (AD) Web Services, an "under-the-covers" change in Windows Server 2008 R2, provides a new interface for accessing the Active Directory and Active Directory Lightweight Directory Services (AD LDS) databases. An instance of the Web service is created on any server running either directory as soon as the corresponding role is installed.
Active Directory Web Services is built with the Windows Communication Foundation (WCF), a .NET development platform commonly used to develop distributed computing applications like Web services and other N-tier applications. WCF provides a consistent way for developers to access a particular data source (such as the Active Directory database) across a network (LAN, virtual private network (VPN), etc.).
Basically, if Microsoft developers or third-party vendors use AD Web Services to write a new application that interacts with Active Directory, this layer of abstraction between apps and the data (in this case Active Directory or AD Lightweight Directory Services (AD LDS)) reduces the likelihood of an application needing to be redeveloped if the database undergoes significant changes. In other words, AD Web Services creates a "go-between" that allows applications to access Active Directory and AD LDS in a consistent manner, making it easier for developers to create and maintain AD-integrated apps.
There are two Active Directory applications in Windows Server 2008 R2 that rely on AD Web Services: the Active Directory Administrative Center (ADAC) and many new Windows PowerShell cmdlets. As a result, you need the following to access either one:
- At least one Windows Server 2008 R2 domain controller (DC) or AD LDS instance, or
- Down-level (Windows Server 2003, 2003 R2 or 2008) DC or AD LDS server with the Active Directory Management Gateway Service (AD MGS) installed. This out-of-band download adds AD Web Services to a down-level domain controller and is available for free.
Note that even if you are running AD MGS, the Active Directory Administrative Center and the Active Directory module for Windows PowerShell can't be installed on a down-level machine. These tools need to run on Windows Server 2008 R2 or on a Windows 7 client with the Remote Server Administration Tools (RSAT); AD MGS simply provides a way for them to target a non-2008 R2 DC in order to interact with Active Directory.
Every Windows Server 2008 R2 DC -- and any server running one or more instances of AD LDS -- has AD Web Services installed. Since ADAC and the AD PowerShell cmdlets require AD Web Services to function, these tools will not work if the AD Web Services service (or AD MGS on a down-level DC) is stopped or disabled.
Internet Information Services (IIS) is not required for AD Web Services, and AD Web Services does not install IIS on a Windows Server 2008 R2 domain controller. Security best practices still dictate that IIS shouldn't be installed on a DC. AD Web Services is installed automatically with Active Directory or AD LDS on Windows Server 2008 R2 servers and listens on TCP port 9389. Because ADAC and the AD cmdlets talk to this endpoint rather than directly to LDAP, any firewall between an administrative workstation and the DC must allow TCP 9389 in addition to the usual LDAP and Kerberos ports, and that port should be reachable only from hosts that legitimately manage the directory.
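As an added example (not code from the original article or from Microsoft), the following PowerShell script performs the three checks an administrator wants before blaming ADAC or the AD cmdlets: it asks the DC locator for a domain controller that advertises AD Web Services, checks the service on that DC, and probes TCP 9389 from the admin host. It assumes the Active Directory module for Windows PowerShell (RSAT) is installed where it runs and that the caller can query services on the DC remotely; the Windows service name ADWS is an assumption, not something the article states. The constructs are kept compatible with PowerShell 2.0, the version shipped with Windows 7 and Windows Server 2008 R2.

```powershell
# Added example, not part of the original article. Assumes the Active Directory
# module (RSAT) is present. Service name "ADWS" is an assumption.
Import-Module ActiveDirectory

function Test-TcpPort {
    # Plain TcpClient probe so the check also works on Windows 7 / 2008 R2,
    # which do not have Test-NetConnection.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 9389,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false      # no answer within the timeout: filtered or not listening
        }
        $client.EndConnect($handle)
        return $true
    }
    catch {
        return $false          # connection refused or name resolution failed
    }
    finally {
        $client.Close()
    }
}

function Test-AdwsEndpoint {
    # Returns a report object; a $null HostName means no DC advertised ADWS.
    param([string]$DomainName)

    # 1. The DC locator returns only DCs that advertise the Web Service flag,
    #    i.e. 2008 R2 DCs or down-level DCs with AD MGS installed and running.
    $locatorArgs = @{ Discover = $true; Service = 'ADWS'; ForceDiscover = $true }
    if ($DomainName) { $locatorArgs['DomainName'] = $DomainName }

    $dc = $null
    try {
        $dc = Get-ADDomainController @locatorArgs
    }
    catch {
        return New-Object PSObject -Property @{
            HostName = $null; ServiceStatus = $null; Port9389Open = $false
            Error = $_.Exception.Message
        }
    }
    $name = [string]$dc.HostName

    # 2. Is the service itself running on that DC? (Service name ADWS is assumed.)
    $status = 'Unknown'
    try {
        $status = (Get-Service -ComputerName $name -Name ADWS -ErrorAction Stop).Status
    }
    catch { }

    # 3. Is TCP 9389 reachable from this admin host? A running service that is
    #    not reachable usually means a firewall between the workstation and the DC.
    $open = Test-TcpPort -ComputerName $name -Port 9389

    New-Object PSObject -Property @{
        HostName      = $name
        ServiceStatus = $status
        Port9389Open  = $open
        Error         = $null
    }
}

$report = Test-AdwsEndpoint
$report | Format-List HostName, ServiceStatus, Port9389Open, Error

# 4. If the report is clean, a cmdlet pinned to that DC must succeed, because
#    the AD module talks to ADWS on exactly this endpoint rather than to LDAP.
if ($report.HostName -and $report.Port9389Open) {
    Get-ADDomain -Server $report.HostName | Select-Object DNSRoot, DomainMode, PDCEmulator
}
```

Run it from the workstation on which ADAC or the AD cmdlets are failing, not from the DC itself: the interesting failure mode is a service that is running on the DC while TCP 9389 is filtered on the path from the admin host, which step 3 surfaces and a local check on the DC would not. A locator error in step 1 on a domain with only down-level DCs points at AD MGS not being installed or not running.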
ABOUT THE AUTHOR
Laura E. Hunter, the Principal for LHA Consulting, is a six-time recipient of the Microsoft MVP award in Windows Server System - Directory Services, and is a Microsoft Certified Master in Windows Server 2008 Active Directory. She is also an active technical speaker, author and presenter focusing on the Active Directory, Federated Identity and Identity Management spaces.