
The things that are better left unspoken

a blog by Sander Berkouwer

Active Directory Services and PowerShell manageability

As you might be aware, every Microsoft server product has the requirement to be manageable through PowerShell and System Center. The PowerShell requirement is formulated as part of the Common Engineering Criteria (CEC).

With PowerShell 3.0 available (and part of Windows Server 2012), it is time to see how the teams responsible for the Active Directory products have built their management stories around PowerShell.

 

Active Directory Domain Services

Active Directory Domain Services, which we love and loathe as the core of the networking infrastructure on our Domain Controllers, is manageable through PowerShell scripting. To enjoy PowerShell support in Active Directory Domain Services, it is recommended to manage your Domain Controllers from Windows Server 2012 or from a Windows 8 installation with the Remote Server Administration Tools (RSAT) for Active Directory installed. This way you can enjoy the 135 Active Directory Domain Services management-related PowerShell Cmdlets (the ActiveDirectory module) and the 9 Active Directory Domain Services deployment-related PowerShell Cmdlets (the ADDSDeployment module).

The Active Directory Domain Services team even went a few steps further and incorporated the PowerShell History Viewer into the Active Directory Administrative Center (dsac.exe), which helps you discover the PowerShell magic that happens under the hood: every action you perform in the console is shown as the Cmdlet it ran.

A couple of exceptions still exist that make it impossible to manage Active Directory Domain Services completely from the PowerShell prompt. Tools like ntdsutil.exe, dsamain.exe, redirusr.exe and redircmp.exe come to mind almost immediately; from a script they still have to be called as external commands. At the other end of the spectrum, several functions in Active Directory Domain Services are only easily manageable with PowerShell. Managed Service Accounts (MSAs) come to mind, quite to my own surprise: there is no graphical tool to create them, only Cmdlets like New-ADServiceAccount and Install-ADServiceAccount.
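The Managed Service Account case mentioned above, as an added example that is not part of the original post: provisioning and auditing a group Managed Service Account (gMSA) on Windows Server 2012 with the ActiveDirectory and KDS modules. The account name, the group name, the DNS suffix corp.example and the SPN are assumptions for the demonstration.

```powershell
# Added example, not code from the original post. Assumed names: the
# 'WebServers' group, the 'svc-web' account, the corp.example DNS suffix.
Import-Module ActiveDirectory

# One-time forest prerequisite: the KDS root key from which DCs derive gMSA
# passwords. In production use -EffectiveImmediately and wait about ten hours
# for replication; back-dating EffectiveTime as below is a lab shortcut only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# Only the computer accounts in this group may retrieve the password.
$hosts = Get-ADGroup -Identity 'WebServers'

New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -ServicePrincipalNames 'HTTP/intranet.corp.example' `
    -Enabled $true

# On each member of WebServers (after a reboot, so the host's Kerberos ticket
# carries the new group membership), run:
#   Install-ADServiceAccount -Identity 'svc-web'
#   Test-ADServiceAccount   -Identity 'svc-web'   # returns True when usable

# Audit: who may read each gMSA password? Anyone listed here can run code as
# that account, so review this list the way you review Domain Admins.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name,
        @{ n = 'Principals'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ';' } }
```

The design point is the last query: a gMSA removes the shared password, but the PrincipalsAllowedToRetrieveManagedPassword attribute now decides which hosts can act as the account, so that attribute belongs in the same periodic review as privileged group membership.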

 

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) offer specialized Directory Services, targeted at applications and perimeter networks. Their charm is that you can manage Lightweight Directory Services (mostly) with the same PowerShell tools you use to manage Domain Services, as long as you install the AD LDS Display Specifiers schema and Display Specifiers by importing MS-ADLDS-DisplaySpecifiers.ldf.

Alas, the PowerShell History Viewer, offered by the Active Directory Administrative Center (dsac.exe), is not available for Active Directory Lightweight Directory Services, since this management tool cannot be directed to a Lightweight Directory Services instance.

Since most tools are shared between Lightweight Directory Services and Domain Services, roughly the same exceptions to full PowerShell manageability exist.
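Pointing the Domain Services Cmdlets at a Lightweight Directory Services instance, as an added example that is not part of the original post. The host name lds01.corp.example, the port 50000, the application partition and the object names are assumptions; the example also assumes the instance has Active Directory Web Services running (it ships with AD LDS on Windows Server 2008 R2 and later) and that MS-User.ldf was imported so that the user class exists.

```powershell
# Added example, not code from the original post. Assumed host, port,
# partition and object names.
Import-Module ActiveDirectory

# There is no domain to discover, so address the instance explicitly as
# host:port; AD LDS instance ports vary and are rarely 389 or 636.
$lds       = 'lds01.corp.example:50000'
$partition = 'DC=app,DC=corp,DC=example'

# The same Cmdlets as for AD DS, with -Server and an explicit -SearchBase.
Get-ADObject -Server $lds -SearchBase $partition -Filter { objectClass -eq 'user' } -Properties displayName |
    Select-Object Name, displayName, DistinguishedName

# The partition-level Administrators role: its members are full admins of this
# partition, so review the list with the same care as Domain Admins.
$role = Get-ADObject -Server $lds -Identity "CN=Administrators,CN=Roles,$partition" -Properties member
$role.member

# Role membership is an ordinary multi-valued attribute; changing it works the
# same way as editing any other object in AD DS.
Set-ADObject -Server $lds -Identity $role.DistinguishedName `
    -Add @{ member = "CN=App Admin,CN=Users,$partition" }
```

Everything that needs a domain context (Get-ADDomain, Get-ADUser without a search base, anything that resolves SIDs through a Domain Controller) will not work against the instance; stick to the generic object Cmdlets with -Server and a search base, as above.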

 

Active Directory Certificate Services

Active Directory Certificate Services enable you to run Certification Authorities on Windows Servers. For Windows Server 2012, the team behind Active Directory Certificate Services has developed twelve PowerShell Cmdlets to deploy Certificate Services (the ADCSDeployment module). An additional nine PowerShell Cmdlets (the ADCSAdministration module) were created to administer a Certification Authority: its published templates, its Authority Information Access (AIA) locations and its CRL Distribution Points (CDPs). The certificates themselves you can also manage through the Cert: PowerShell drive that exposes the certificate stores, if need be.

In versions of Windows Server earlier than Windows Server 2012, no built-in PowerShell Cmdlets were available to manage Active Directory Certificate Services, but you could rely on certutil.exe to script through them.
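Auditing a Windows Server 2012 Certification Authority with the administration Cmdlets and the Cert: drive, as an added example that is not part of the original post. The template name 'LegacyWebServer' and the 30-day threshold are assumptions; the certutil.exe lines at the end show the pre-2012 equivalents the text refers to.

```powershell
# Added example, not code from the original post. Run on the CA server with
# CA administrator rights; the template name and threshold are assumptions.
Import-Module ADCSAdministration

# Templates this CA is willing to issue. Each one is attack surface (who may
# enroll, whether the requester supplies the subject, which EKUs it grants),
# so the list should be short and reviewed regularly.
Get-CATemplate | Select-Object Name, Oid

# Where issued certificates point clients for CRLs and the CA certificate.
# If these URLs are unreachable, revocation checking silently degrades.
Get-CACrlDistributionPoint       | Where-Object { $_.AddToCertificateCdp } | Select-Object Uri
Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateAia } | Select-Object Uri

# Stop issuing a template nobody should request any more. Takes effect at once;
# certificates already issued stay valid until they expire or are revoked.
Remove-CATemplate -Name 'LegacyWebServer' -Force

# The local machine store as a drive: certificates expiring within 30 days.
# -ExpiringInDays is new in the Windows Server 2012 / Windows 8 provider.
Get-ChildItem Cert:\LocalMachine\My -ExpiringInDays 30 |
    Select-Object Subject, NotAfter, Thumbprint

# Same checks on Windows Server 2008 R2, where only certutil.exe is available:
#   certutil -catemplates
#   certutil -getreg CA\CRLPublicationURLs
#   certutil -getreg CA\CACertPublicationURLs
```

Because the ADCSAdministration Cmdlets only touch the CA's own configuration, this is also a convenient way to diff a CA against its documented baseline from a scheduled job, without the interactive Certification Authority console.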

 

Active Directory Federation Services

As was the case with Active Directory Federation Services 2.0, which was a separate download, Active Directory Federation Services 2.1, which comes bundled with Windows Server 2012, can be managed through PowerShell. A total of 48 Active Directory Federation Services-related PowerShell Cmdlets are available on Windows Server 2012, covering both deployment and management.

   

Active Directory Rights Management Services

As you might expect, the Active Directory Rights Management Services in Windows Server 2008 R2 and Windows Server 2012 are also PowerShell-enabled. Three straightforward Rights Management Services deployment-focused PowerShell Cmdlets (appropriately named Install-ADRMS, Uninstall-ADRMS and Update-ADRMS) and 21 Rights Management Services administration-focused PowerShell Cmdlets are at your disposal.

 

Related blogposts

New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets 
New features in AD DS in Windows Server 2012, Part 5: PowerShell History Viewer

Further reading

Managing Active Directory with Windows PowerShell 
Active Directory Cmdlets for Windows Server 2008 R2 
AD FS 2.0 Cmdlets for Windows Server 2008 R2  
AD RMS Cmdlets for Windows Server 2008 R2   
AD CS Administration Cmdlets in Windows Server 2012 
AD CS Deployment Cmdlets in Windows Server 2012 
AD DS Administration Cmdlets in Windows Server 2012  
AD DS Deployment Cmdlet in Windows Server 2012  
AD FS Cmdlets in Windows Server 2012  
AD RMS Administration Cmdlets in Windows Server 2012  
AD RMS Deployment Cmdlets in Windows Server 2012

Comments

JosephMoody said:

Hey Sander,

Do you think ADAC's PowerShell History Viewer is the exception to the new management console or will it be the standard?

I had hoped that with the release of Server 2012, we would see other consoles setup this way (such as GPMC).

Joseph

# May 13, 2013 3:22 PM

Sander Berkouwer said:

Hi Joseph,

The technology behind the Windows Server 2008 R2 and Windows Server 2012 Active Directory Administrative Center (dsac.exe) is called MUX. The ADAC isn't the first management tool to be built in MUX, by the way; the Exchange Server 2007 Management Console was my first introduction to MUX.

I feel much of the management tooling for Microsoft products, technologies and Windows Server roles and features will be PowerShell under the hood, like MUX.

However, PowerShell as the solid basis for management may not automatically imply MUX; management of Exchange Server 2012 has evolved to a web interface. Also, not all Microsoft technologies are mostly PowerShell-enabled. Luckily, all of the Active Directory services are now, in Windows Server 2012.

Many product teams within Microsoft are probably working on their PowerShell manageability and a possible graphical user interface on top of this. These GUIs under construction might be as slow as the Active Directory Administrative Center was in Windows Server 2008 R2. The decision not to release such management tools now, so as not to hinder acceptance, would be an easy one.

# May 13, 2013 3:46 PM