As an AD administrator, you will want
to become very familiar with the tools used to manage and maintain AD.
The primary tools you will use to manage AD are:
Some of the aforementioned tools are
accessible via the standard Server Manager interface, while the Active
Directory Domains and Trusts, ADAC, and AD Module for PowerShell are
accessed via their respective interfaces.
Active Directory Users and Computers
ADUC is the standard console for managing users, computers, and OUs in AD (see Figure 1). ADUC can be accessed via Server Manager or via the Administrative Tools folder from the Start Menu.
ADUC can also be used to raise the
domain functional level. To raise the level, right-click on the domain
name and choose the option Raise Domain Functional Level.
Additionally, you can use ADUC to transfer the RID, PDC emulator, and
Infrastructure FSMO roles to another server. This is done by logging on
to the DC you wish to transfer one or more of the roles to. Then, open
the ADUC console. Right-click on the domain and select the Operations Masters option. Select the appropriate tab for the FSMO role you wish to transfer and click Change (see Figure 2).
Active Directory Sites and Services
AD Sites and Services is the standard console for setting up and managing AD Sites (see Figure 3).
Using the AD Sites and Services console, you can create and manage
sites, subnets, site links, and site-link bridges. The AD Sites and
Services console can be accessed via Server Manager or the
Administrative Tools folder from the Start Menu.
The AD Sites and Services console also
allows you to manage intersite transports. This setting allows you to
configure AD site links to use IP for the site link (default) or set
SMTP as the site link. SMTP should only be used for slow and unreliable
WAN links. You will use this tool to establish site links anytime you
set up a new remote subnet that will contain a DC.
Active Directory Domains and Trusts
The Active Directory Domains and Trusts
console is used to manually create trust relationships between domains
and to raise the forest functional level. The Active Directory Domains
and Trusts console is accessed from the Administrative Tools folder in
the Start Menu (see Figure 4).
To raise the forest functional level, right-click on the domain name in the console and select the option Raise Forest Functional Level.
The Domains and Trusts console can also be used to transfer the Domain
Naming Service FSMO role to another DC. This is accomplished by opening
the Domains and Trusts console on the DC that you want to transfer the
role to. Then, right-click on the root node of Active Directory Domains and Trusts and choose the option Operations Masters. Click the Change button to transfer the FSMO role to this DC.
Active Directory Administrative Center
As previously mentioned, the ADAC is a new tool introduced in Windows Server 2008 R2. The ADAC (see Figure 5)
is an easy-to-use GUI tool written on top of PowerShell. ADAC
provides enhanced features such as the ability to manage multiple
domains from a single pane of glass, a comprehensive search, and an
integrated password reset tool. You may choose to use this tool over
ADUC for many of the common day-to-day administration tasks for AD,
such as resetting passwords or creating new user accounts. ADAC is
accessed from the Administrative Tools folder in the Start Menu.
Active Directory Module for PowerShell
The AD Module for PowerShell allows you to
perform many of the core AD tasks from the PowerShell command line. By
using PowerShell, you can easily automate common tasks or save scripts
for future use. PowerShell also allows you to more easily update
hundreds or thousands of accounts with a few simple commands. The
following types of tasks can be performed within PowerShell with the AD
Module loaded:
- User and Computer Account Administration
- Create and Administer Groups
- Create and Administer Managed Service Accounts
- Create and Administer Organizational Units
- Create and Administer Password Policies
- Manage the Forest or Domain
- Manage Domain Controllers
- Search for and Modify Objects in the Domain
Whether you are a “command line
junkie” or new to PowerShell, the new module for AD could easily become
one of your primary administrative tools. It could end up saving you
hours of time by automating updates and streamlining the process of
updating large numbers of objects. You can access the AD Module for
PowerShell from the Administrative Tools folder in the Start Menu.
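The tasks listed above, sketched as an added example (not from the original text): a read-only report of the functional levels and FSMO role holders that the consoles display, followed by a bulk search for inactive user accounts whose disabling is only previewed with -WhatIf. The 90-day threshold and the output file name are assumptions, and the script expects a domain-joined session with the ActiveDirectory module installed.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed and
# the session runs under an account that can read the directory.
Import-Module ActiveDirectory

# 1. Read-only inventory: functional levels and the five FSMO role holders,
#    the same facts shown in ADUC and in Domains and Trusts.
$domain = Get-ADDomain
$forest = Get-ADForest

[pscustomobject]@{
    DomainMode           = $domain.DomainMode
    ForestMode           = $forest.ForestMode
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    SchemaMaster         = $forest.SchemaMaster
} | Format-List

# 2. Bulk search: enabled user accounts with no logon in the last 90 days.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates with
#    a lag of up to about 14 days by default, so treat results near the
#    threshold as approximate.
$inactiveDays = 90   # assumed threshold, adjust to your policy
$stale = Search-ADAccount -AccountInactive -UsersOnly `
             -TimeSpan (New-TimeSpan -Days $inactiveDays) |
         Where-Object { $_.Enabled }

# Keep a record of what was found before changing anything.
$stale |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation   # assumed file name

# 3. Preview the bulk change. -WhatIf lists the accounts that would be
#    disabled without modifying them; remove it only after reviewing the CSV.
$stale | Disable-ADAccount -WhatIf
```

Review the CSV for service accounts and other accounts that never log on interactively before running the last line without -WhatIf.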