What's New in AD DS: Active Directory Administrative Center
Applies To: Windows Server 2008 R2
What are the major changes?
In the Windows Server 2003 and Windows Server 2008 operating systems, administrators could manage and publish information in their Active Directory environments by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. In Windows Server 2008 R2, in addition to the Active Directory Users and Computers snap-in, administrators can manage their directory service objects by using the new Active Directory Administrative Center.
Built on Windows PowerShell technology, Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation.
You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:
Create new user accounts or manage existing user accounts
Create new groups or manage existing groups
Create new computer accounts or manage existing computer accounts
Create new organizational units (OUs) and containers or manage existing OUs
Connect to one or several domains or domain controllers in the same Active Directory Administrative Center instance and view or manage the directory information for those domains or domain controllers
Filter Active Directory data by using query-building search
In addition to using it for these tasks, you can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suit your particular requirements for directory service administration. This can help improve your productivity and efficiency as you perform common Active Directory object management tasks.
Who will be interested in Active Directory Administrative Center?
The following groups might be interested in Active Directory Administrative Center:
Early adopters of Windows Server 2008 R2 and information technology (IT) planners and analysts who are technically evaluating Windows Server 2008 R2
Enterprise IT planners and designers
AD DS management teams
AD DS administrators
Are there any special considerations?
Active Directory Administrative Center can be installed only on computers running the Windows Server 2008 R2 operating system. Active Directory Administrative Center cannot be installed on computers running Windows 2000, Windows Server 2003, or Windows Server 2008.
Active Directory Administrative Center can be installed on the Windows 7 operating system as part of the Remote Server Administration Tools (RSAT). To download and install RSAT, see Remote Server Administration Tools for Windows 7 (https://go.microsoft.com/fwlink/?LinkID=130862).
In this release of Windows Server 2008 R2, you cannot use Active Directory Administrative Center to manage Active Directory Lightweight Directory Services (AD LDS) instances and configuration sets.
What new functionality does Active Directory Administrative Center provide?
Active Directory Administrative Center includes the following new features:
Administrative Center Overview page: This welcome page appears by default when you first open Active Directory Administrative Center. The Administrative Center Overview page consists of several tiles, each of which features an administrative task that you perform frequently, such as resetting a user password or searching through Active Directory data. You can customize the Administrative Center Overview page anytime by displaying or hiding various tiles.
Management of Active Directory objects across multiple domains: When you open Active Directory Administrative Center on your Windows Server 2008 R2 server, the domain that you are currently logged on to on this Windows Server 2008 R2 server (the local domain) appears in the Active Directory Administrative Center navigation pane. Depending on the rights of your current set of logon credentials, you can view or manage the Active Directory objects in this local domain. You can also use the same instance of Active Directory Administrative Center and the same set of logon credentials to view or manage Active Directory objects from any other domain (whether or not it belongs to the same forest as the local domain) as long as it has an established trust with the local domain. (Both one-way trusts and two-way trusts are supported.)
Note
For example, assume that there is a one-way trust between Domain A and Domain B, in which users in Domain A can access resources in Domain B but users in Domain B cannot access resources in Domain A. If you are running Active Directory Administrative Center on the computer where Domain A is your local domain, you can connect to Domain B with the current set of logon credentials and in the same instance of Active Directory Administrative Center. But if you are running Active Directory Administrative Center on the computer where Domain B is your local domain, you cannot connect to Domain A with the same set of credentials in the same instance of the Active Directory Administrative Center.
You can also open Active Directory Administrative Center using a set of logon credentials that is different from your current set of logon credentials. This can be useful if you are logged on to the computer that is running Active Directory Administrative Center with normal user credentials, but you want to use Active Directory Administrative Center on this computer to manage your local domain as an administrator. This can also be useful if you want to use Active Directory Administrative Center to remotely manage a domain that is different from your local domain with a set of credentials that is different from your current set of logon credentials. However, this domain must have an established trust with the local domain.
Active Directory Administrative Center navigation pane: You can browse through the Active Directory Administrative Center navigation pane by using the tree view, which is similar to the Active Directory Users and Computers console tree, or by using the new list view:
In the list view, you can take advantage of the Column Explorer feature. Column Explorer simplifies your browsing through the various levels of your Active Directory hierarchy by displaying all the child containers of a parent container, for which you opened Column Explorer, in a single column.
In the list view, you can take advantage of the Most Recently Used (MRU) list. The MRU list automatically appears under a navigation node when you visit at least one container within this navigation node. The MRU list always contains the last three containers that you visited in a particular navigation node. Every time that you select a particular container, this container is added to the top of the MRU list and the last container in the MRU list is removed from it.
Whether you use the tree view or the list view, you can customize your Active Directory Administrative Center navigation pane anytime by adding various containers from the local domain or any foreign domain (that is, a domain other than the local domain that has an established trust with the local domain) to the navigation pane as separate nodes. Also, to further customize the navigation pane, you can rename or remove these manually added navigation pane nodes, create duplicates of these nodes, or move them up or down in the navigation pane.
In Active Directory Administrative Center, you can use different domain controllers to manage your Active Directory domains. You can change a domain controller connection for any node in the navigation pane. However, changing a domain controller connection for any particular node that represents a container within a certain domain also changes that connection for all other nodes in the navigation pane that represent containers that belong to that same domain.
Active Directory Administrative Center breadcrumb bar: You can use the breadcrumb bar to navigate directly to the container that you want to view by specifying the distinguished name of the container in the breadcrumb bar.
Active Directory Administrative Center object property page: The object property page consists of several property page sections and an inline preview feature. You can display, hide, or collapse any property page sections and the inline preview to customize your Active Directory Administrative Center object property page.
Active Directory Administrative Center query-building search: Instead of spending hours browsing through levels of hierarchical data, you can quickly locate Active Directory objects by using query-building search in Active Directory Administrative Center. When the targeted Active Directory objects are returned as the results of a search query, you can perform the necessary administrative tasks. To use Active Directory Administrative Center query-building search, you can use the following methods:
You can use Active Directory Administrative Center Global Search to specify a scope for your search query. The default Global Search scope is set to the local domain. You can use Global Search to search through your Active Directory data by either building a query using keywords and various search criteria or by using the Lightweight Directory Access Protocol (LDAP) query mode.
If an OU contains a particularly large data set, you can narrow it down by building a query and searching through the Active Directory data of that specific OU. The scope of the search through the Active Directory data of a specific OU is always set to that particular OU, and it cannot be adjusted. This scope also does not include any OUs that are children of the selected parent OU.
When you use Global Search or when you search the data of a specific OU, you can save the queries that you build as separate views and use them again at a later time. Each view consists of your query criteria, as well as your customized sorting and column information.
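The following added example (not part of the original page and not Active Directory Administrative Center's own code) uses the Active Directory module for Windows PowerShell to show what an OU-scoped LDAP query leaves out when child OUs are excluded. Mapping the OU search to `-SearchScope OneLevel` is an assumption of this example, and the OU distinguished name and the function name `Compare-OuSearchScope` are placeholders.

```powershell
# Added example: run one LDAP filter at two scopes and list what the
# OU-only scope does not return. Written to work on Windows PowerShell 2.0.
Import-Module ActiveDirectory

function Compare-OuSearchScope {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$LdapFilter
    )
    # OneLevel: only objects directly inside the OU (child OUs are not searched).
    $direct = @(Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope OneLevel)
    # Subtree: the OU itself plus everything in every child OU beneath it.
    $all    = @(Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree)

    $directDns = @($direct | ForEach-Object { $_.DistinguishedName })
    # Matches that exist only below the first level (the base object is ignored).
    $missed = @($all | Where-Object {
        ($directDns -notcontains $_.DistinguishedName) -and
        ($_.DistinguishedName -ne $SearchBase)
    })

    New-Object PSObject -Property @{
        SearchBase      = $SearchBase
        DirectMatches   = $direct.Count
        SubtreeMatches  = $all.Count
        MissedInChildOU = @($missed | ForEach-Object { $_.DistinguishedName })
    }
}

# Filter for disabled user accounts: the ACCOUNTDISABLE flag (value 2) of
# userAccountControl, tested with the LDAP bitwise-AND matching rule.
$disabledUsers = '(&(objectCategory=person)(objectClass=user)' +
                 '(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Placeholder OU; replace with a distinguished name from your own domain.
Compare-OuSearchScope -SearchBase 'OU=Staff,DC=corp,DC=example' -LdapFilter $disabledUsers |
    Format-List SearchBase, DirectMatches, SubtreeMatches, MissedInChildOU
```

A non-empty `MissedInChildOU` means an audit query run against the parent OU alone would not have reported those accounts.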
How should I prepare to deploy Active Directory Administrative Center?
You can install Active Directory Administrative Center by using any of the following methods:
By default, on a Windows Server 2008 R2 server when you install the AD DS server role
By default, when you make a Windows Server 2008 R2 server a domain controller by running Dcpromo.exe
As part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2 server
Note
By default, Active Directory Administrative Center is installed with the Active Directory module for Windows PowerShell and the .NET Framework 3.5.1. The Active Directory module and the .NET Framework 3.5.1 must be installed on your Windows Server 2008 R2 computer for Active Directory Administrative Center to function correctly.
To use Active Directory Administrative Center to manage an Active Directory domain, Windows Server 2008 R2 Active Directory Web Services (ADWS) must be installed on at least one domain controller in this domain. For more information about ADWS, see What's New in AD DS: Active Directory Web Services.
Important
To function correctly, Active Directory Administrative Center relies on the ADWS service, which requires TCP port 9389 to be open on the domain controller where the ADWS service is running. If you configure your firewall by using a Group Policy object (GPO), you must update the GPO to make sure that this port is open for ADWS.
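The following added example (not part of the original page) checks the two prerequisites described above from the management computer: that the Active Directory module is present, and that at least one domain controller accepts connections on TCP port 9389. It assumes a domain-joined host; the function names `Test-TcpPort` and `Test-AdacReadiness` are this example's own.

```powershell
# Added example: pre-deployment check for Active Directory Administrative Center.
# Uses only .NET types so that it runs on Windows PowerShell 2.0.
Add-Type -AssemblyName System.DirectoryServices

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 9389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Give up after the timeout instead of waiting for the TCP stack.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AdacReadiness {
    # Local prerequisite: the Active Directory module for Windows PowerShell.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning 'Active Directory module for Windows PowerShell is not installed.'
    }
    # Enumerate domain controllers through System.DirectoryServices rather than
    # the Active Directory module, so the check still works when ADWS is unavailable.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{
            DomainController = $dc.Name
            Port9389Open     = Test-TcpPort -ComputerName $dc.Name
        }
    }
}

$results = @(Test-AdacReadiness)
$results | Format-Table DomainController, Port9389Open -AutoSize

# An open port shows reachability only; it does not prove ADWS is the listener.
if (-not ($results | Where-Object { $_.Port9389Open })) {
    Write-Warning 'No domain controller accepts connections on TCP 9389.'
}
```

When a GPO-managed firewall is in place, run the check from the same network segment as the administrators' workstations so that the result reflects the rule they will actually traverse.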
Which editions include Active Directory Administrative Center?
Active Directory Administrative Center is available in the following editions of Windows Server 2008 R2:
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Active Directory Administrative Center is not available in the following editions of Windows Server 2008 R2:
Windows Server 2008 R2 for Itanium-Based Systems
Windows Web Server 2008 R2