The Attribute Editor adds a key bit of functionality that’s in ADSIEDIT or the LDP editor, but not in the familiar Active Directory Users and Computers interface: You can edit any AD object attribute, not just the ones the Active Directory Users and Computers interface traditionally exposed. Using our previous scenario, Figure 3 shows how to add an employee ID number to the new employee Sosumi Areti (the new staff Liability Director). By default, the Attribute Editor shows only a subset of all attributes for the object. You can filter the attribute list by whether they have values, are writeable, are mandatory or optional, are constructed, are backlinks, or are system-only. The ability to expose a constructed attribute can be very handy; if you’re using fine-grained password policies in Server 2008, you can expose the effective password setting (effectivePso) for a user. Doing so is analogous to looking at the resultant set of policies for a user if you want to see what GPOs are affecting the user.
In addition to requiring Windows 7 or Vista, the Attribute Editor requires that you upgrade your Server 2003 forest schema to Server 2008 to update the forestwide display specifiers. An alternative manual workaround is available at http://bit.ly/ysFP1.
Note that the RSAT installation works differently in Windows 7 and Vista than in Windows XP and Server 2003. When you install the toolset, the Start menu doesn’t change; nothing appears to have installed. To make the tools appear, open the Control Panel Programs and Features applet, select Turn Windows features on or off, select Remote Server Administration Tools, Role Administration Tools, and drill down to the Active Directory Domain Services (AD DS) tools. (I encountered an R2 bug that requires you to check each tool individually, which I hope is fixed in RTM.) Finally, check the Advanced section of the View menu to see the Attribute Editor.
Controlling Replication
Although AD replication typically works well without administrator intervention, every AD administrator should know how to control it manually. Suppose that you accidentally delete an object and don’t notice it right away. Being able to quickly stop replication outside your site will prevent the deletion from affecting outside users. Several replication control methods are available.
The best-known method is to use Active Directory Sites and Services (dssite.msc) to manage AD’s sites and site links. Site links are the pathways upon which data is replicated. Start Active Directory Sites and Services and navigate to Sites, Inter-Site Transports, IP, then open the properties of the site link on which you want to disable replication, as Figure 4 shows. Click Change Schedule, select the entire range of days and hours in the schedule grid, and select Replication Not Available. This action disables replication between all sites that use the site link.
Using Active Directory Sites and Services disables replication only at the site level. You might need to disable replication at the DC level as well, perhaps to isolate schema changes or accidental deletions (if you’re quick and have a script already set up). To disable replication at the DC level, you need to use the kitchen sink of replication tools: REPADMIN.
REPADMIN has so many command switches, sub-options, and complexities that someone could write an entire book about it. For this article, let’s focus on the /options switch. If you use the standard /? switch to search REPADMIN’s help files, you won’t even see the /options switch. You must use /experthelp, which lists the more powerful switches that Microsoft clearly states “could break your Active Directory installation.” And if you’re running Server 2008, using /options is even more complicated; you must enter repadmin /?:options.
Once you figure out REPADMIN’s syntax, it’s the same for Server 2008 and Server 2003. Although replication is always a “pull” operation (meaning that a DC always requests replication to itself rather than pushing replication out from itself), you’ll typically want to disable outbound replication, because stopping changes from leaving the affected DC is what matters in our schema-change and object-deletion scenarios. To disable outbound replication on a single DC, run
Repadmin /options <DC name> +disable_outbound_repl
If you want to disable outbound replication for multiple DCs, you’ll have to write a simple script. To re-enable replication, change the “+” to a “-” and rerun the command.
The one exception to the per-DC scope of the REPADMIN /options command is that in Server 2008 you can disable outbound replication for an entire site, which is very handy in case of accidental deletion:
Repadmin /options site:<Site name> +disable_outbound_repl
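The “simple script” mentioned above for multiple DCs, together with the Server 2008 site-wide variant, as an added PowerShell example that is not part of the original article: it wraps repadmin /options, records the before and after state for change control, and flips the “+” or “-” sign to disable or re-enable outbound replication. The DC names, site name and log path are placeholders.

```powershell
# Added example, not from the article: disable (or re-enable) outbound replication
# on several DCs, or on a whole site (Server 2008 only), with repadmin /options.
# Assumes repadmin.exe is on the path and the caller has rights to change DSA options.
# DC and site names are placeholders.
param(
    [string[]]$DomainControllers = @('DC01.contoso.example', 'DC02.contoso.example'),
    [string]$Site,                       # if given, targets the site instead of the DC list
    [ValidateSet('Disable', 'Enable')]
    [string]$Action = 'Disable',
    [string]$LogPath = "$env:TEMP\repl-options.log"
)

# Keep a record for change control: repadmin /options is hard to rediscover later.
Start-Transcript -Path $LogPath -Append | Out-Null

# repadmin sets a DSA option with "+" and clears it with "-".
$flag = $(if ($Action -eq 'Disable') { '+' } else { '-' }) + 'DISABLE_OUTBOUND_REPL'

# Build the target list: a single "site:<name>" entry or one entry per DC.
$targets = if ($Site) { @("site:$Site") } else { $DomainControllers }

foreach ($target in $targets) {
    # Query the options currently set so the pre-change state is in the log.
    $before = repadmin /options $target 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not read DSA options for $target : $before"
        continue
    }
    Write-Host "[$target] before: $($before -join ' ')"

    # Apply the change; repadmin prints 'Current DSA Options' and 'New DSA Options'.
    $after = repadmin /options $target $flag 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Failed to change DSA options for $target : $after"
        continue
    }
    Write-Host ($after -join "`n")
}

Stop-Transcript | Out-Null
```

Run with -Action Enable (same DC list or -Site) once the deletion has been dealt with, so outbound replication is restored and the re-enable is captured in the same log.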
Several other advanced methods exist for controlling replication between individual DCs or groups of DCs, but they can be an administrative nightmare because the settings are so far outside where an AD administrator would typically look to resolve a replication problem. If you didn’t clearly document the actions, your DCs might need to be entirely rebuilt. Even the /options method isn’t easy for the casual troubleshooter to find. A solid production change-control process is extremely important.
Obscurely Useful
AD is a complex structure with numerous tricks and tools to make administration easier. Some methods are more obvious and more widely used. The approaches I present in this article are less well known, but I hope they add to your arsenal of useful techniques for managing your AD environment.