Summary: In this step-by-step blog post, the Microsoft Scripting Guy covers installing the Active Directory Management Gateway Service for Windows PowerShell access to Active Directory Domain Services.
Hey, Scripting Guy! I read with interest your blog post yesterday about using the Microsoft Windows PowerShell cmdlets to work with users in Active Directory. The problem is that I have a Windows 2008 domain controller, so the cmdlets do not appear to work for me. Is there something I can do to allow access to the Windows PowerShell cmdlets for Active Directory?
—IH
Hello IH,
Microsoft Scripting Guy Ed Wilson here. The week in Kauai, Hawaii, is shaping up to be a nice one. The Scripting Wife and I have enjoyed traveling the island. It is actually our fourth trip to the island, and one of our favorite spots for mellowing out and relaxing. I took the following photo from a dive boat on our last trip to the island.
The first thing to do is to check the level of the .NET Framework that is installed on the domain controller to be updated. It must be running .NET Framework 3.5 with Service Pack 1. One easy way to check for the .NET Framework version is via Control Panel/Programs and Features. If .NET Framework 3.5 SP1 is installed, it appears as shown in the following figure.
I download the Windows6.0-KB968934-x86.msu file from the Microsoft Download Center, as shown in the following figure.
After the file is downloaded, I run the program. The Windows Update standalone installer starts, and it searches for updated files. After about a minute or so, an error message appears. The message is the one shown in the following figure.
Two hotfixes are required. Three are listed (a .NET Framework update and two operating system–specific updates), but because I am running Windows Server 2008 with Service Pack 2 on my domain controller, the KB967574 hotfix is already installed, so I do not need to install that particular update.
The system requirements section is difficult to read (I have seen several forum postings attesting to this fact). The first hotfix applies to both Windows Server 2008 and Windows Server 2003. It is the hotfix described in KB article 969166, which is a .NET Framework 3.5 SP1 hotfix rollup. According to the KB article, the hotfix rollup is included in the .NET Framework 4.0. However, I have the .NET Framework 4 Client Profile and the .NET Framework 4 Extended updates, as well as all .NET Framework 4 updates, and the hotfix rollup from KB 969166 is not included in any of those packages. The good thing is that after installing the 969166 update, a reboot is not required, and the installation proceeds with the dialog that appears here (assuming you have the other updates).
For Windows Server 2003 and Windows Server 2003 R2, there is a specific hotfix that is described in KB 969429 to help Windows 7 clients to be able to find the management gateway. The third hotfix that is listed applies to Windows Server 2008. This hotfix, KB 967574, applies if you have not installed Service Pack 2 on the system.
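Rather than squinting at Programs and Features and the system requirements page, you can check the prerequisites from a Windows PowerShell prompt on the domain controller. The following script is an added example (it is not part of the original post). The registry location for .NET Framework 3.5, the Win32_QuickFixEngineering class and the Uninstall key are standard Windows locations; the KB numbers are the ones discussed above. I assume the hotfixes register either as a QFE entry or under the Uninstall key, so the script checks both places.

```powershell
# Added example: check the Active Directory Management Gateway prerequisites on a
# Windows Server 2008 domain controller. Run in an elevated PowerShell prompt.

function Test-DotNet35Sp1 {
    # .NET 3.5 records Install=1 and SP=<service pack level> under this key
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.Install -eq 1 -and $p.SP -ge 1)
}

function Test-HotFixInstalled {
    param([string]$KB)   # e.g. 'KB969166'
    # Updates delivered as .msu normally show up as a QFE entry ...
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq $KB }
    if ($qfe) { return $true }
    # ... but some .NET hotfixes only register under the Uninstall key (assumption),
    # so look for the KB number in the display names there as well
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like "*$KB*" }
    return [bool]$hit
}

$os = Get-WmiObject -Class Win32_OperatingSystem
"OS                   : $($os.Caption) (SP$($os.ServicePackMajorVersion))"
".NET 3.5 SP1 present : $(Test-DotNet35Sp1)"
"KB969166 installed   : $(Test-HotFixInstalled -KB 'KB969166')"

# KB967574 is only required when Windows Server 2008 (version 6.0) is below SP2
if ($os.Version -like '6.0*' -and $os.ServicePackMajorVersion -lt 2) {
    "KB967574 installed   : $(Test-HotFixInstalled -KB 'KB967574')"
} else {
    "KB967574             : not needed at this service pack level"
}
```

The script prints one line per prerequisite, so you know before you run the gateway installer whether it will stop with the error dialog shown earlier.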
After the two updates are applied to the system and the Active Directory Management Gateway Service is installed, a reboot of the server is required. After the Windows 2008 domain controller completes the reboot and the Active Directory Management Gateway Service is running, I can connect to it with Windows PowerShell from my Windows 7 desktop. Before attempting this, I open the services.msc utility and verify that Active Directory Web Services service is created and running. This service is shown in the following figure.
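Here is an added example (not from the original post) that does the same verification from the command line, either on the domain controller itself or from the Windows 7 desktop by naming the domain controller. The service name ADWS and TCP port 9389 are the standard values for Active Directory Web Services; the function name Test-AdwsGateway is my own.

```powershell
# Added example: confirm that Active Directory Web Services is installed, running,
# and actually listening on its port on one or more domain controllers.

function Test-AdwsGateway {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($dc in $ComputerName) {
        # Get-Service -ComputerName lets this run remotely from a workstation
        $svc = Get-Service -Name 'ADWS' -ComputerName $dc -ErrorAction SilentlyContinue
        if (-not $svc) {
            "$dc : Active Directory Web Services is not installed"
            continue
        }
        "$dc : $($svc.DisplayName) is $($svc.Status)"

        # A running service is not enough; verify something answers on TCP 9389,
        # which is what the ActiveDirectory module on the client connects to
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($dc, 9389)
            "$dc : TCP 9389 reachable"
        } catch {
            "$dc : TCP 9389 NOT reachable ($($_.Exception.Message))"
        } finally {
            $client.Close()
        }
    }
}

# Check the local server, then two named domain controllers from the desktop
Test-AdwsGateway
Test-AdwsGateway -ComputerName 'dc1','dc3'
```

The port check matters because a host firewall that blocks 9389 gives the same symptom as a missing gateway: the service shows as Running in services.msc, yet the cmdlets on the client still fail to contact that domain controller.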
One thing that does not happen is that an ActiveDirectory module becomes available on the Windows Server 2008 or Windows Server 2003 domain controller. Therefore, even though the management gateway is installed, it does not provide any of the Active Directory cmdlets itself. This normally is not a problem, because the RSAT tools for Windows 7 supply the module.
On my Windows 7 desktop, I use the following command to import the Active Directory module:
Import-module ActiveDirectory
When I press Enter, I get a progress dialog displayed in the Windows PowerShell console. This progress bar is shown in the following figure.
In yesterday’s Hey Scripting Guy blog article, I talked about an error that I sometimes receive when the ActiveDirectory module is unable to talk to the specific domain controller that authenticated my logon. With the installation of the Active Directory Management Gateway Service on my DC1 server, I no longer receive that error.
I decide to do a quick test to ensure that everything is working. First, I do a query for a user named ed, but I do not specify the server. The command and results are shown here:
PS C:\Users\ed.IAMMRED> Get-ADUser ed
DistinguishedName : CN=ed wilson,OU=Charlotte,DC=iammred,DC=net
Enabled : True
GivenName : ed
Name : ed wilson
ObjectClass : user
ObjectGUID : bb10b5a2-58d7-4f8a-ab10-2ee84fc7cb58
SamAccountName : ed
SID : S-1-5-21-1457956834-3844189528-3541350385-1103
Surname : wilson
UserPrincipalName : ed@iammred.net
Now I want to test a couple of my domain controllers to ensure they answer. I type two of the server names, pipe them to the ForEach-Object cmdlet (% is an alias), and inside the script block, I use the Get-ADUser command. I then select only the name attribute. The command and associated output are shown here:
PS C:\Users\ed.IAMMRED> "dc1","dc3" | % {get-aduser ed -server $_} | select name
name
ed wilson
ed wilson
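The two-server test above generalizes nicely. The following function is an added example (it is not part of the original post): instead of typing server names, it asks the domain for its domain controllers with Get-ADDomainController, then runs Get-ADUser against each one and reports which of them answer through the gateway and which return an error. The function name Test-AdGateway and the default of using the current user name are my own choices.

```powershell
# Added example: test every domain controller (or a named list) for a working
# Active Directory Management Gateway from a Windows 7 desktop with RSAT installed.
Import-Module ActiveDirectory

function Test-AdGateway {
    param(
        [string[]]$Server,                    # DC names; defaults to all DCs in the domain
        [string]$Identity = $env:USERNAME     # any user that exists, e.g. 'ed'
    )

    if (-not $Server) {
        # Discovery itself needs one DC with the gateway; the module finds one for us
        $Server = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
    }

    foreach ($dc in $Server) {
        try {
            # -ErrorAction Stop turns the "unable to contact the server" error
            # into an exception so the catch block sees it
            $user = Get-ADUser -Identity $Identity -Server $dc -ErrorAction Stop
            New-Object PSObject -Property @{
                Server  = $dc
                Gateway = 'OK'
                Detail  = $user.Name
            }
        } catch {
            New-Object PSObject -Property @{
                Server  = $dc
                Gateway = 'FAILED'
                Detail  = $_.Exception.Message
            }
        }
    }
}

# Same check as the one-liner above, with dc1 and dc3
Test-AdGateway -Server 'dc1','dc3' -Identity 'ed' | Format-Table Server, Gateway, Detail -AutoSize

# Every domain controller in the domain
Test-AdGateway | Format-Table Server, Gateway, Detail -AutoSize
```

A domain controller that shows FAILED here is one on which the gateway is missing, not running, or blocked, which is exactly the condition that produced the intermittent error described in yesterday's post.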
Sweet! It looks like everything installed properly. Speaking of sweet, I think the Scripting Wife and I will head out and try to find a locally grown pineapple freshly gleaned from the ground. Sounds like super fun to me. Aloha.
IH, that is all there is to installing the Active Directory Management Gateway Service. Active Directory Week will continue tomorrow.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy