Tuesday, March 30, 2010 8:27 PM
Where is my (AD) web service?
Windows Server 2008 R2, among other changes, brings a new interface to access directory services – the Active Directory Web Service (ADWS). It is also available for older systems – Windows 2003 and 2008 – as Active Directory Management Gateway (available as separate download).
ADWS I being used so far by a few Windows 2008 R2 components like the new AD interface AD Administrative Center and Powershell module for AD (yes, this Powershell module uses Web Service, not LDAP). This Powershell module was a cause of e-mail I got from one of my friends (and customers also).
When he tried to use Powershell module from workstation to connect to ADWS on a newly deployed Windows Server 2008 R2 box he got the following message:
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
WARNING: Error initializing default drive: 'Unable to find a default server
with Active Directory Web Services running.'.
Now, here comes the ultimate question: how does the client locate the ADWS instance? – in this case the client being the Powershell module.
The ultimate answer to this question is as always ... DC locator. DC Locator is a process which allows clients to locate an optimal domain controller. Optimal in the AD meaning of this word: closest to a client from a network perspective, where network is represented through sites and subnets in AD configuration.
A client can also pass some additional requests to a DC locator process, which are being used to choose a DC with specific roles, required by the client in this moment. This might be a request for a writable DC or a DC acting as a GC. The Domain controller passes such information in DS_FLAGS structure.
To allow clients to located DCs with ADWS instances an additional flag was added to the DS_FLAGS structure. Description of this new flag states as follows:
DS_WS_FLAG, The Active Directory Web Service, as specified in [MS-ADDM], is present on the server.
And this information can be used to locate a DC with ADWS instance, when a client will specify the additional DS_WEB_SERVICE_REQUIRED flag in the DC request. Same goes for DCs with ADMG installed.
This might be the end of this post, but life isn't perfect and often we will have to deal with mixed environments with W2008R2 and other, older DCs in the same network. Problem is that 2003/2008 DCs doesn't understand this new flag. To correct this, an additional hotfix has to be installed, KB969249 (2003) or KB967574 (2008).
If you will plan to deploy W2008R2 and use Powershell module or other software which uses ADWS, especially in larger environments, remember to deploy enough ADWS instances to handle client traffic and to allow DC locator to locate DCs which host such service. This is especially important in environments with large number of DCs deployed. This way you won't be surprised if your newly created powershell script will fail to locate an ADWS instance.
Enough for today ... but we will get back to ADWS soon...