January 26, 2010 12:00 AM

Using Active Directory Administrative Center in Windows Server 2008 R2

ADAC offers time-saving features for admins
Windows IT Pro
InstantDoc ID #103244

Windows Server 2008 R2 includes new features that can simplify the way you administer and maintain Active Directory (AD). Besides the AD Recycle Bin—a great feature for AD object recovery—and the AD Best Practices Analyzer—a very valuable tool for AD health checking—one of the most eye-catching new management-related features is certainly the Active Directory Administrative Center (ADAC).

Let's look at this new tool and see how ADAC can help simplify your day-to-day AD administration work. ADAC can be installed only on computers running Server 2008 R2 and is available with Windows Server 2008 R2 Standard, Enterprise, and Datacenter Editions, but not the Itanium and Web Server Editions.

ADAC is installed by default when you install the Active Directory Domain Services (AD DS) server role. ADAC is also included in the Remote Server Administration Tools (RSAT) feature.

How ADAC Differs From ADUC
ADAC offers administrators a good alternative to the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) snap-in for managing AD objects. As with ADUC, administrators can use ADAC to perform common AD user, computer, group, and organizational unit (OU) object management tasks. Like ADUC, the current version of ADAC is used only for managing Active Directory Domain Services (AD DS) instances and not for managing Active Directory Lightweight Directory Service (AD LDS, formerly ADAM) instances.

The key difference is that ADAC is a very task-oriented administration tool that can help you manage AD in fewer steps. The ADAC interface focuses on key AD administration tasks.

For example, two very frequently performed tasks, resetting a password and searching AD for an object, are immediately available when you open ADAC, as Figure 1 shows. With ADUC, to reset a password you first had to locate the object, then right-click it and select Reset Password, and only then could you enter the new password data.

In ADAC you can do all this in a single action from the ADAC opening screen.

ADUC is, foremost, a data-oriented tool: It shows you how the data in AD is organized. ADAC supports this data-oriented view of AD objects as well.

The classic hierarchical view of AD content is available from ADAC’s tree view, which I will discuss in more detail below. Besides the ADAC interface's focus on key administration tasks, two other important differences you will notice in the interface are that ADAC is much more customizable, and it lets you simultaneously connect to other domains.

ADUC supported taskpads, but these were never a big success, and ADUC required separate instances to manage objects across multiple domains. ADAC lets you simultaneously connect to different domain controllers (DCs) in different domains to manage objects across multiple domains within the same ADAC instance.

The other big difference between ADUC and ADAC lies in ADAC’s underlying architecture. ADAC is not MMC–based but uses an Explorer-like interface instead.

Under the hood, ADAC leverages Windows PowerShell and the new Active Directory Web Services (ADWS). ADWS is a new Windows service that provides a web service interface to AD.

To use ADAC you need at least one Windows DC in your domain that has an operational ADWS service. ADWS is included in Server 2008 R2, and Microsoft also provides an ADWS add-on package for Windows 2003 SP2, Windows 2003 R2 SP2, Server 2008, and Server 2008 SP2. This package is called the Active Directory Management Gateway Service.

This means that you can also use ADAC to manage AD instances that are running on other Windows server platforms besides Server 2008 R2. Windows Server 2008 R2 includes a new set of powerful PowerShell cmdlets for AD administration that are bundled in the Active Directory Module for Windows PowerShell.

This module calls on the Microsoft .NET Framework 3.5.1 and ADWS for accessing the AD core engine. Server 2008 R2 automatically installs the PowerShell engine, the Active Directory Module for PowerShell, the .NET Framework 3.5.1, and ADWS when you install AD DS.

You also get access to these services when you add the Remote Server Administration Tools (RSAT) feature to a Server 2008 R2 or Windows 7 machine. RSAT is bundled with Server 2008 R2. For more information on RSAT for Windows 7 go to Microsoft support. You can download RSAT for Windows 7 at the Microsoft download site.
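The requirement above (at least one DC with an operational ADWS service) can be checked before rolling out ADAC. The following is an added example, not code from the original article; it assumes Windows PowerShell on a domain-joined machine, rights to query services remotely, and the default ADWS TCP port 9389, which the article does not state.

```powershell
# Added example: check which domain controllers expose an operational ADWS endpoint.
# Assumption: ADWS listens on its default TCP port 9389 (not stated in the article).
$AdwsPort = 9389

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Enumerate DCs through System.DirectoryServices (LDAP / DC locator) so that the
# check itself does not depend on ADWS being available.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$results = foreach ($dc in $domain.DomainControllers) {
    $status = 'Unknown'
    try {
        # Service name of Active Directory Web Services is "ADWS".
        $status = (Get-Service -Name ADWS -ComputerName $dc.Name -ErrorAction Stop).Status
    } catch {
        $status = 'NotFoundOrNoAccess'   # service missing, or no rights to query it
    }
    New-Object PSObject -Property @{
        Name = $dc.Name; OS = $dc.OSVersion; Site = $dc.SiteName
        AdwsService = $status
        PortOpen = (Test-TcpPort -ComputerName $dc.Name -Port $AdwsPort)
    }
}

$results | Select-Object Name, OS, Site, AdwsService, PortOpen | Format-Table -AutoSize

# ADAC needs at least one DC where the service runs and the port is reachable.
$usable = @($results | Where-Object { $_.PortOpen -and $_.AdwsService -eq 'Running' })
if ($usable.Count -eq 0) {
    Write-Warning "No DC in $($domain.Name) has an operational ADWS endpoint; ADAC cannot connect."
}
```

A DC that shows the service running but the port closed usually points to a host or network firewall rule between the admin workstation and the DC.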

Exploring ADAC
You can find ADAC in the Administrative Tools folder of your Server 2008 R2 server Start Menu or you can start it from the command line using dsac.exe. When ADAC opens, it shows the Administrative Center Overview page that’s illustrated in Figure 1.

There, you can find three sections: Reset Password, Global Search, and Getting Started. Often these are the three tasks an AD administrator performs most.

You can customize the Overview page by adding or removing some of these sections. To do so, use the Add Content drop-down button in the top right corner of the Administrative Center Overview page.

On the left side of the Administrative Center Overview page are the ADAC navigation pane and your personal navigation nodes. Navigation nodes are shortcuts to containers in the local AD domain or its trusted AD domains. When you click a navigation node, ADAC takes you right to the corresponding AD container and displays its content in the right pane, which Figure 2 shows.

To create your personal navigation nodes, use the “Add Navigation Nodes…” option at the top of the navigation pane. You can also customize the navigation pane: When you right-click a navigation node you can rename or remove the node, create a duplicate node, or move the node up or down in the navigation pane list.

You can browse the navigation pane and its nodes by using a tree view, which is similar to the ADUC console tree, or by using the new list view. If you’re used to the ADUC console tree, it’s a bit confusing that the ADAC tree view also shows all your navigation nodes.

This means a given AD container can show up multiple times in the ADAC tree view. You can switch between the ADAC list and tree view by using the two tabs at the top of the navigation pane: list view is the left tab, tree view is the right tab.
