Step-by-Step: How to use Active Directory PowerShell cmdlets against 2003 domain controllers
Irish Soda Bread with Guinness Reduction Dip. Doesn't that sound good? It makes my mouth water just thinking about it. Recently I used my frequent flier points to take the family to Disney, and the best food we ate all week was at the Raglan Road Irish Pub in Downtown Disney. We liked the bread and dip so much that our waitress, Wendy, explained that we could email the company for the recipe. So we did! Now this recipe had some ingredients that I wasn't familiar with, and when I made it at home it didn't quite match the experience back at the pub. But who can complain when it has Guinness in it?
This is a lot like guidance from TechNet articles. Sometimes they call for odd "ingredients" that you have to hunt down and download, and then the result is not always what you expected. Sometimes finding the right article on TechNet is like being down on your hands and knees crawling through grandma's yard looking for a four-leaf clover.
This blog post is all about giving you the exact steps and removing the mystery from the process, so that you can use the Active Directory PowerShell cmdlets in your 2003 environment today. It may look like a lot of steps, but you can get this done in less than an hour. (This same process should work for 2008 (pre-R2) DCs as well, just read the ADMGS guide and hotfixes for the specifics.)
Recipe: AD PowerShell cmdlets on 2003 DCs
Step 1: Gather the Ingredients
Go download all of these files and hotfixes first: (Note that the hotfix downloads are a little tricky. They require you to study the KB article to find a link, and then you have to do an email dance to get the files and a password.)
- Remote Server Administration Tools (RSAT) for Windows 7 (~220MB)
- Active Directory Management Gateway Service (ADMGS) (Active Directory Web Service for Windows Server 2003 and Windows Server 2008) and Install Guide (<1MB)
- Microsoft .NET Framework 3.5 Service Pack 1 (2.8MB)
- KB969166 - A hotfix rollup package for Active Directory Web Service is available for the .NET Framework 3.5 SP1 (<1MB)
- KB969429 - Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers (<1MB)
- KB967574 - Windows 7 clients cannot locate the Active Directory Management Gateway Service installed on Windows Server 2008-based domain controllers (<1MB)
Read over the ADMGS install guide.
Step 2: Build Your 2003 Forest
I did this in the lab first. This is safer than going straight to production. Labbing it gives you a chance to make mistakes in a safe environment. The installs are all proven, but there is always room for a "user moment" in production. Nothing in these steps should damage a production server, since we are only adding functionality.
- Install 2003 SP2 in your lab.
- Run DCPROMO and create a test AD forest. (RaglanRoad.Pub would be a spectacular domain name.)
- Install .NET 3.5.1.
- Install hotfix KB 969166.
- Install hotfix KB 969429. (Or KB967574 if you're running 2008 RTM or 2008 SP1.)
- Install the appropriate version of ADMGS KB 968934.
- Go to Services and observe that the Active Directory Web Service is now installed and started.
Note that we are not installing PowerShell on the 2003 server. Even if we did we couldn't run the AD cmdlets from there, because they are only supported on Windows Server 2008 R2 or Windows 7. You're welcome to install PowerShell 2.0 for other purposes.
Step 3: Build Your Admin Workstation
- Install Windows 7 in your lab. (2008 R2 Server will also work.)
- Join it to the new 2003 AD domain.
- Install the appropriate version of Windows 7 RSAT.
- Add these Windows 7 RSAT features (Control Panel, Programs, Turn Windows features on or off):
  - Remote Server Administration Tools
    - Role Administration Tools
      - AD DS and AD LDS Tools
        - Active Directory Module for Windows PowerShell
        - AD DS Tools
          - Active Directory Administrative Center
          - AD DS Snap-ins and Command-line Tools
Step 4: Kick Up Your Heels
- Go to the PowerShell Console on your Windows 7 workstation (Click Start, type "Power"; or find it under Accessories).
- Type "Import-Module ActiveDirectory"
- Gaze gleefully at the green zipper zipping across the screen.
- Type "Get-ADForest". (You may need to use the -server parameter if other 2003 DCs in your environment do not have ADMGS installed yet.)
- Dance your favorite Irish jig.
- As a side benefit you can now use the new Active Directory Administrative Center (ADAC) against the 2003 DC. Give it a try.
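The -Server note in Step 4 matters in a mixed environment where only some DCs have ADMGS installed. The script below is an added example, not part of the original post: it lists every DC, checks which ones answer on the Active Directory Web Service port (TCP 9389), and runs Get-ADForest against one that does. The function name Test-AdwsPort is hypothetical, and the script is written for PowerShell 2.0 on the Windows 7 admin workstation.

```powershell
# Added example: find the DCs that answer on the ADWS port so -Server can target one.
Import-Module ActiveDirectory

$AdwsPort = 9389   # TCP port the Active Directory Web Service listens on

# Hypothetical helper: TCP connect test with a timeout
# (Test-NetConnection does not exist in PowerShell 2.0).
function Test-AdwsPort {
    param([string]$ComputerName, [int]$Port = 9389, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ask the DC locator for a DC that advertises ADWS. On 2003 DCs this lookup
# depends on the client-locator hotfix from Step 2 (KB969429).
$seed     = Get-ADDomainController -Discover -Service ADWS
$seedName = [string]$seed.HostName

# Enumerate all DCs through the seed DC and probe each one for ADWS.
$results = Get-ADDomainController -Filter * -Server $seedName | ForEach-Object {
    New-Object PSObject -Property @{
        DomainController = $_.HostName
        OperatingSystem  = $_.OperatingSystem
        AdwsReachable    = Test-AdwsPort -ComputerName $_.HostName -Port $AdwsPort
    }
}
$results | Sort-Object DomainController |
    Format-Table DomainController, OperatingSystem, AdwsReachable -AutoSize

# Point the AD cmdlets at a DC that is known to run the web service.
$target = $results | Where-Object { $_.AdwsReachable } | Select-Object -First 1
if ($target) {
    Get-ADForest -Server $target.DomainController
} else {
    Write-Warning "No DC answered on TCP $AdwsPort. Check the ADWS service and firewall rules."
}
```

DCs that show AdwsReachable as False are the ones still waiting for the Step 2 installs, or ones where a firewall blocks TCP 9389 from the workstation.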
You are now ready to leverage all of the PowerShell AD cmdlets against your 2003 environment. You no longer have to be green with envy towards the fancy pants 2008 R2 DCs running PowerShell support. Unleash the code!
Mmmm mmm. Smell that? PowerShell goodness straight from the oven! Just save some of the Guinness dip for me.
To learn more about AD Web Services read the TechNet article here: