Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This article covers the updated Active Directory Administrative Center with the new Active Directory Recycle Bin, fine-grained password policies, and Windows PowerShell History Viewer in detail, including its architecture, examples of common tasks, and troubleshooting information. For an introduction, see Introduction to Active Directory Administrative Center Enhancements (Level 100).
- Active Directory Administration Center: Architecture
- Enable and manage the Active Directory Recycle Bin in the Active Directory Administrative Center
- Configure and manage granular password policies with the Active Directory Administrative Center
- Using the PowerShell History Viewer in the Active Directory Administrative Center
- Troubleshoot AD DS administration
Active Directory Administration Center: Architecture
Active Directory Administration Center executables, DLLs
The Active Directory Administration Center engine and underlying architecture have not changed with the new Recycle Bin, FGPP, and History Viewer.
- Microsoft.ActiveDirectory.Management.UI.dll
- Microsoft.ActiveDirectory.Management.UI.resources.dll
- Microsoft.ActiveDirectory.Management.dll
- Microsoft.ActiveDirectory.Management.resources.dll
- ActiveDirectoryPowerShellResources.dll
The underlying Windows PowerShell layer and the operational levels of the new Recycle Bin functionality are as follows:
Enable and manage the Active Directory Recycle Bin in the Active Directory Administrative Center
Functionality
- With the Windows Server 2012 or later Active Directory Administration Center, you can configure and manage the Active Directory Recycle Bin for each domain partition in a forest. Windows PowerShell or Ldp.exe are no longer required to enable the Active Directory Recycle Bin or to restore objects on domain partitions.
- The Active Directory Administrative Center provides advanced filter criteria and facilitates directed recovery in large environments with many intentionally deleted objects.
Limitations
Because the Active Directory Administrative Center manages only domain partitions, deleted objects cannot be restored from the configuration, domain DNS, or forest DNS partitions (schema partition objects cannot be deleted). Use Restore-ADObject to restore objects from non-domain partitions.
The Active Directory Administrative Center cannot restore subtrees of objects in a single action. For example, if you delete an OU with nested OUs, Users, Groups, and Computers, restoring the root OU will not restore the child objects.
Note
The Active Directory Administrative Center batch restore process performs a "best effort" sort of the deleted objects within the selection so that parents are ordered before children in the restore list. In simple test cases, object subtrees can be restored in a single action. But corner cases, such as a selection that partially contains trees (trees with some of the parent nodes missing) or error cases, such as skipping children when the parent restore fails, may not work as expected. For this reason, you should always restore object subtrees as a separate action after restoring the parent objects.
The Active Directory Recycle Bin requires the Windows Server 2008 R2 forest functional level, and you must be a member of the Enterprise Admins group. Once enabled, the Active Directory Recycle Bin cannot be disabled. With the Active Directory Recycle Bin enabled, the Active Directory database (NTDS.DIT) grows on every domain controller in the forest. The space used by the Recycle Bin grows over time because it retains deleted objects with all of their attribute data.
Enable the Active Directory Recycle Bin in the Active Directory Administrative Center
To enable the Active Directory Recycle Bin, open the Active Directory Administrative Center and click the forest name in the navigation pane. In the Tasks pane, click Enable Recycle Bin.
The Active Directory Administrative Center displays the Enable Recycle Bin Confirmation dialog box. This dialog box warns that the action cannot be undone. Click OK to enable the Active Directory Recycle Bin. The Active Directory Administrative Center then displays another dialog box warning that the Active Directory Recycle Bin will not be fully functional until the configuration change has replicated to all domain controllers.
Important
The Active Directory Recycle Bin cannot be enabled if:
- Forest functional level is not at least Windows Server 2008 R2
- The Recycle Bin is already enabled
The corresponding Active Directory Windows PowerShell cmdlet is:
Enable-ADOptionalFeature
For more information about enabling the Active Directory Recycle Bin by using Windows PowerShell, see the Active Directory Recycle Bin Step-by-Step Guide.
Manage the Active Directory Recycle Bin in the Active Directory Administrative Center
This section uses an existing example domain called corp.contoso.com. In this domain, users are organized under a parent organizational unit named UserAccounts. The UserAccounts OU contains three child OUs named after departments, which in turn contain further OUs, users, and groups.
Storage and filtering
The Active Directory Recycle Bin preserves all deleted objects in the forest. Objects are retained according to the msDS-deletedObjectLifetime attribute, whose default value matches the forest's tombstoneLifetime attribute. The value of tombstoneLifetime is set to 180 days by default in any forest created on Windows Server 2003 SP1 or later. Forests upgraded from Windows 2000 or created with Windows Server 2003 (without a service pack) do NOT have the tombstoneLifetime attribute set by default, so Windows uses the built-in default of 60 days. All of these values are configurable. You can use the Active Directory Administrative Center to restore any object that was deleted from a domain partition in the forest. You must continue to use the Restore-ADObject cmdlet to restore deleted objects from other partitions, such as the configuration partition. Enabling the Active Directory Recycle Bin makes the Deleted Objects container visible for each domain partition in the Active Directory Administrative Center.
The Deleted Objects container holds all restorable objects from that domain partition. Deleted objects older than msDS-deletedObjectLifetime are known as recycled objects. Recycled objects do not appear in the Active Directory Administrative Center and cannot be restored from there.
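The following script is an added example, not code from the article or from Microsoft. It covers the two passages above: it enforces the preconditions listed for Enable-ADOptionalFeature (forest functional level, feature not already enabled), enables the Recycle Bin, and then reads tombstoneLifetime and msDS-DeletedObjectLifetime from the configuration partition to report how far back a restore can reach. The forest name corp.contoso.com is the article's example; the function names are assumptions.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and Enterprise Admins membership for the enable step.
Import-Module ActiveDirectory

function Get-DeletedObjectRetention {
    # Reads the forest-wide retention settings from the Directory Service object
    # in the configuration partition and applies the defaults the article describes.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Unset tombstoneLifetime (pre-2003 SP1 forests) means the built-in 60-day default.
    $tombstone = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    # Unset msDS-DeletedObjectLifetime means "same as tombstoneLifetime".
    $deleted = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstone }

    [pscustomobject]@{
        TombstoneLifetimeDays     = $tombstone
        DeletedObjectLifetimeDays = $deleted
        # Anything deleted before this point is already recycled and not restorable.
        OldestRestorableDeletion  = (Get-Date).AddDays(-$deleted)
    }
}

function Enable-RecycleBinChecked {
    # Hypothetical wrapper: refuses to run when the article's preconditions are not met.
    param([Parameter(Mandatory)][string]$ForestName)

    $forest = Get-ADForest -Identity $ForestName

    # Precondition 1: forest functional level must be at least Windows Server 2008 R2.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
    }

    # Precondition 2: the change is irreversible, so do nothing if it is already on.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
        return $false
    }

    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Server $forest.DomainNamingMaster -Confirm:$false
    Write-Host 'Recycle Bin enabled; it is fully functional only after replication to all DCs.'
    return $true
}

Enable-RecycleBinChecked -ForestName 'corp.contoso.com'
Get-DeletedObjectRetention | Format-List
```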
For a more detailed description of the Recycle Bin architecture and processing rules, see The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting.
The Active Directory Administrative Center limits the number of objects returned per container to 20,000 by default. You can raise this limit to a maximum of 100,000 by clicking the Manage menu and then Management List Options.
Restoring
Filtering
The Active Directory Administrative Center provides extensive criteria and filtering options that you should become familiar with before using them in an actual restore. Domains intentionally delete many objects during their lifetime. With a likely deleted object lifetime of 180 days, you cannot simply restore all objects when an accident occurs.
Instead of writing complex LDAP filters and converting UTC values to date-time objects, you can use the advanced Filter menu to show only the relevant objects. If you know the deletion date, object names, or other key data, use that to your advantage when filtering. Click the chevron button next to the search box to show or hide the advanced filtering options.
Restore supports all the standard filter criteria, just like any other search. Important built-in filters for restoring objects include:
- ANR (Ambiguous Name Resolution; it does not appear in the menu but is used whenever you type text into the Filter field)
- Last modified between specified dates
- Object is user/inetOrgPerson/computer/group/organizational unit
- Name
- When deleted
- Last known parent
- Type
- Description
- City
- Country/Region
- Department
- Employee ID
- First name
- Job title
- Last name
- SAM account name
- State/Province
- Phone number
- UPN
- ZIP/Postal code
You can use multiple criteria. For example, find all user objects deleted on September 24, 2012 in Chicago, Illinois, with the title Administrator.
Additionally, you can add, change, or reorder the column headers for additional details of the items to be retrieved.
For more information about ambiguous name resolution, see ANR Attributes.
Single objects
Restoring deleted objects has always been a single-object operation. The Active Directory Administrative Center simplifies this operation. To restore a deleted object, such as a single user:
- In the Active Directory Administrative Center navigation pane, click the domain name.
- In the management list, double-click Deleted Objects.
- Right-click the object and click Restore, or click Restore in the Tasks pane.
The object is restored to its original location.
Click Restore To... to change the restore location. This is useful when the parent container of the deleted object was also deleted but you do not want to restore the parent.
Multiple objects at the same level
You can restore multiple objects at the same level, for example all users in an organizational unit. Hold down the CTRL key and click each deleted object you want to restore. In the Tasks pane, click Restore. You can select all displayed objects by pressing CTRL+A, or a range of objects by Shift-clicking.
Multiple parent and child objects
It is important to understand the recovery process to recover multiple parent and child objects because the Active Directory Administrative Center cannot recover nested trees of deleted objects in a single action.
- Restore the top object in the tree.
- Restore the direct children of this parent.
- Restore the direct children of these parent objects.
- Repeat the process until all objects are recovered.
You can restore child objects only after you have restored their parent object. Otherwise, the following error is returned:
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The Last Known Parent attribute holds the hierarchical relationship of each object. The Last Known Parent attribute changes from the deleted location to the restored location when you refresh the Active Directory Administrative Center after restoring a parent. Therefore, you can restore a child object once the location of its parent no longer shows the distinguished name of the Deleted Objects container.
Consider a scenario in which an administrator accidentally deletes the Sales OU, which contains all of its child OUs and users.
First, note the value of the Last Known Parent attribute for all deleted users, which reads OU=Sales\0ADEL:<guid+distinguished name of the Deleted Objects container>:
Filter on the ambiguous name "Sales" to view and restore the deleted OU:
Refresh the Active Directory Administrative Center so that the Last Known Parent attribute of the deleted users reflects the restored distinguished name of the Sales OU:
Filter on all "Sales" users. Press CTRL+A to select all deleted "Sales" users. Click Restore to move the objects from the Deleted Objects container back into the Sales OU. Group memberships and object attributes are preserved.
If the Sales OU contains its own child OUs, you must restore those child OUs before restoring their children, and so on.
To restore all nested objects by specifying a deleted parent container, see Appendix B: Restoring Multiple Deleted Active Directory Objects (Sample Script).
The Active Directory Windows PowerShell cmdlet for restoring deleted objects is:
Restore-ADObject
The functionality of the Restore-ADObject cmdlet has not changed from Windows Server 2008 R2 to Windows Server 2012.
Server-side filtering
The Deleted Objects container can grow beyond 20,000 (or even 100,000) objects over time in medium to large organizations, making it difficult to see all of them. Because the filtering engine in the Active Directory Administrative Center filters only on the client side, objects beyond that limit cannot be displayed. You can use the following steps to perform a server-side search that works around this limitation:
- Right-click the Deleted Objects container and click Search under this node.
- Click the chevron button to open the Add criteria menu, select Last modified between specified dates, and add this filter. The last modified time (stored in the whenChanged attribute) approximates the deletion time. In most environments the two times are identical. This query performs a server-side search.
- Find the deleted objects to restore by filtering, sorting, and so on in the results list, and restore them.
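The following script is an added example, not the article's Appendix B script or any Microsoft code. It serves both the "Multiple parent and child objects" section and the server-side filtering steps above: the first function runs the whenChanged date-window query on the server instead of in the client, and the second restores a deleted parent and then walks its subtree level by level, so each object's parent exists before the object is restored, avoiding the "parent is either uninstantiated or deleted" error. Function names and the sample date window are assumptions.

```powershell
# Added example (not from the original article or its Appendix B).
Import-Module ActiveDirectory

function Find-DeletedObjects {
    # Server-side equivalent of the "Last modified between specified dates"
    # filter: whenChanged approximates the deletion time (usually identical).
    param(
        [Parameter(Mandatory)][datetime]$From,
        [Parameter(Mandatory)][datetime]$To,
        [string]$NameFilter = '*'     # deleted names look like "Sales\0ADEL:<guid>", so "Sales*" matches
    )
    Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and whenChanged -ge $From -and whenChanged -le $To -and Name -like $NameFilter } `
        -Properties lastKnownParent, whenChanged, objectClass |
        # The Deleted Objects container itself is flagged isDeleted but has no lastKnownParent.
        Where-Object { $_.lastKnownParent }
}

function Restore-DeletedSubtree {
    # Restores the deleted object identified by GUID, then its direct children,
    # then their children, and so on, breadth-first. Returns the number restored.
    param([Parameter(Mandatory)][guid]$RootObjectGuid)

    $root = Get-ADObject -Identity $RootObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $root.Deleted) { throw "$($root.Name) is not a deleted object" }

    Restore-ADObject -Identity $root.ObjectGUID
    # After the restore, the object's DN is its original DN again; the children's
    # lastKnownParent (a DN-syntax attribute) now resolves to that restored DN.
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue((Get-ADObject -Identity $root.ObjectGUID).DistinguishedName)
    $restored = 1

    while ($queue.Count -gt 0) {
        $parentDn = $queue.Dequeue()
        # Server-side query: only children whose parent already exists are returned here.
        $children = Get-ADObject -IncludeDeletedObjects `
            -Filter { isDeleted -eq $true -and lastKnownParent -eq $parentDn }
        foreach ($child in $children) {
            try {
                Restore-ADObject -Identity $child.ObjectGUID
                $restored++
                # Queue the restored child's DN so its own children are found on the next pass.
                $queue.Enqueue((Get-ADObject -Identity $child.ObjectGUID).DistinguishedName)
            } catch {
                # A failed child is reported and its subtree skipped, not silently ignored.
                Write-Warning "Could not restore $($child.Name): $_"
            }
        }
    }
    return $restored
}

# Usage with the article's scenario: locate the deleted Sales OU by date window
# and name, then restore it and everything beneath it (dates are constructed).
$candidates = Find-DeletedObjects -From '2012-09-24' -To '2012-09-25' -NameFilter 'Sales*'
$salesOu = $candidates | Where-Object { $_.objectClass -eq 'organizationalUnit' } | Select-Object -First 1
if ($salesOu) {
    $n = Restore-DeletedSubtree -RootObjectGuid $salesOu.ObjectGUID
    Write-Host "Restored $n object(s) under $($salesOu.Name)"
}
```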
Configure and manage granular password policies with the Active Directory Administrative Center
Configure fine-grained password policies
In the Active Directory Administrative Center, you can create and manage fine-grained password policy (FGPP) objects. The FGPP feature was introduced in Windows Server 2008, and Windows Server 2012 includes the first graphical management interface for it. Fine-grained password policies apply at the domain level and replace the single domain password policy that Windows Server 2003 required. You can create FGPPs with different settings to enforce password policies for individual users or groups within a domain.
For more information about fine-grained password policies, see the AD DS (Windows Server 2008 R2) Fine-Grained Password and Account Lockout Policy Step-by-Step Guide.
In the navigation pane, click Tree View, click your domain, and then click System. Click Password Settings Container, and then in the Tasks pane click New and then Password Settings.
Manage fine-grained password policies
When you create or edit an FGPP, the Password Settings editor opens. There you can set any password policy you want, just as you would in Windows Server 2008 or Windows Server 2008 R2, but with a purpose-built editor.
Fill in all required (red asterisk) and optional fields, and then click Add to configure the groups and users to which this policy applies. The FGPP overrides the default domain policy for the specified security principals. In the image above, an extremely restrictive policy is applied only to the built-in Administrator account to improve its security. The policy is too complex for standard users, but ideal for a high-risk account used only by IT staff.
You can also configure precedence and specify which users and groups in the domain a policy applies to.
The Active Directory Windows PowerShell cmdlets for fine-grained password policies are:
- Add-ADFineGrainedPasswordPolicySubject
- Get-ADFineGrainedPasswordPolicy
- Get-ADFineGrainedPasswordPolicySubject
- New-ADFineGrainedPasswordPolicy
- Remove-ADFineGrainedPasswordPolicy
- Remove-ADFineGrainedPasswordPolicySubject
- Set-ADFineGrainedPasswordPolicy
The functionality of the fine-grained password policy cmdlets has not changed from Windows Server 2008 R2 to Windows Server 2012. The following graphic shows the specific arguments for each cmdlet:
You can also retrieve the resultant FGPP set for a specific user from the Active Directory Administrative Center. Right-click any user and click View resultant password settings to open the Password Settings page that applies to this user through implicit or explicit assignment:
The Properties page of users and groups shows Directly Associated Password Settings (explicitly assigned FGPP):
Implicitly assigned FGPP is not shown there; to see it, you must use View resultant password settings.
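The following script is an added example, not code from the article. It reproduces the scenario described above with the cmdlets the article lists: a restrictive FGPP is created and assigned explicitly to the built-in Administrator account (addressed by its well-known RID 500 rather than by name, so a renamed account is still covered), and the resultant policy is then read back, which is the PowerShell counterpart of View resultant password settings. The policy name, precedence, and setting values are constructed for the example.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function New-AdminFineGrainedPolicy {
    # Creates (once) a restrictive FGPP and applies it to the built-in Administrator.
    param(
        [string]$Name = 'Admin-Restrictive',   # constructed policy name
        [int]$Precedence = 10                  # lower value wins when several FGPPs apply
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $Name })) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordLength 20 -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
            -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
            -ProtectedFromAccidentalDeletion $true
    }
    # Explicit assignment (shows up under Directly Associated Password Settings).
    $adminSid = (Get-ADDomain).DomainSID.Value + '-500'
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects (Get-ADUser -Identity $adminSid)
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-EffectivePasswordPolicy {
    # Resultant policy: the applicable FGPP with the lowest precedence, whether assigned
    # directly or through group membership; the default domain policy if none applies.
    param([Parameter(Mandatory)][string]$Identity)
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($rsop) {
        [pscustomobject]@{ Identity = $Identity; Policy = $rsop.Name; Precedence = $rsop.Precedence
                           MinPasswordLength = $rsop.MinPasswordLength; Source = 'FGPP' }
    } else {
        $default = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ Identity = $Identity; Policy = 'Default Domain Policy'; Precedence = $null
                           MinPasswordLength = $default.MinPasswordLength; Source = 'Domain' }
    }
}

New-AdminFineGrainedPolicy | Out-Null
Get-EffectivePasswordPolicy -Identity ((Get-ADDomain).DomainSID.Value + '-500')
```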
Using the PowerShell History Viewer in the Active Directory Administrative Center
Windows PowerShell is the future of Windows administration. Management of complex distributed systems becomes more consistent and efficient through graphical tools built on task automation frameworks. You need to understand how Windows PowerShell works to realize its full potential and get the most out of your IT investments.
The Active Directory Administrative Center now provides a complete history view of all Windows PowerShell cmdlets run, including arguments and values. You can copy the cmdlet history to another location to review, modify, and reuse it there. You can create task notes to find out what Windows PowerShell commands resulted from what you typed in the Active Directory Administrative Center. You can also filter the history to highlight points of interest.
The PowerShell History Viewer in the Active Directory Administrative Center helps you learn from hands-on experience.
Click the chevron (arrow) button to open the PowerShell history viewer.
Then create a user or change a group membership. The History Viewer is continually updated with a collapsed view of each cmdlet and its arguments run by the Active Directory Administrative Center.
Expand the individual elements to see all the cmdlet argument values:
Click Start Task to manually enter a note before you create, modify, or delete an object in the Active Directory Administrative Center. Enter a description of what you are doing, make your changes, and then click End Task. The task note groups all the actions performed into one collapsible note for easier review.
Example: See the Windows PowerShell commands that change a user's password and remove the user from a group:
Also, checking the Show All checkbox will display the Get-* verb for Windows PowerShell cmdlets, which is used to retrieve data.
The History Viewer shows the exact commands executed by the Active Directory Administrative Center, so some cmdlets may appear to run for no obvious reason. For example, adding a user creates it with the following cmdlet:
New-ADUser
rather than doing everything in that single call, and then runs the following cmdlets to complete it:
Set-ADAccountPassword, Enable-ADAccount, Set-ADUser
The Active Directory Administrative Center was designed to minimize code and emphasize modularity. So instead of using one set of functions to create new users and another set to modify them, each function is run minimally and then chained together through cmdlets. Keep this in mind as you explore Active Directory Windows PowerShell. It also works as a learning technique and shows how easy it is to perform individual tasks with Windows PowerShell.
Troubleshoot AD DS administration
Introduction to troubleshooting
Because the Active Directory Administrative Center is still new and there are few existing customer deployments, its troubleshooting options are limited.
Troubleshooting Options
Logging options
The Active Directory Administrative Center now includes built-in logging as part of a trace configuration file. Create or modify the following file in the same folder that contains dsac.exe:
dsac.exe.config
Give it the following content (the XML declaration and the configuration root element are required for a valid .exe.config file):
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Log level: None, Error, Warning, Info, or Verbose -->
    <add key="DsacLogLevel" value="Verbose" />
  </appSettings>
  <system.diagnostics>
    <trace autoflush="false" indentsize="4">
      <listeners>
        <!-- Output file is written to the folder that contains dsac.exe -->
        <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="dsac.trace.log" />
        <remove name="Default" />
      </listeners>
    </trace>
  </system.diagnostics>
</configuration>
```
The log levels for DsacLogLevel are None, Error, Warning, Info, and Verbose. The output file name is configurable, and the file is saved in the same folder that contains dsac.exe. This output provides more information about how ADAC operates, which domain controllers it contacted, the Windows PowerShell commands it executed, their responses, and other details.
Example at Info level, showing all output except trace messages:
DSAC.exe starts.
Logging begins.
The domain controller is requested from the source domain:
```text
[12:42:49][TID 3][Info] Command Id, Action, Command, Time, Elapsed Time ms (Exit), Number of Objects (Exit)
[12:42:49][TID 3][Info] 1, Invoke, Get-ADDomainController, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADDomainController -Discover:$null -DomainName:"CORP" -ForceDiscover:$null -Service:ADWS -Writable:$null
```
Domain controller DC1 is returned for the CORP domain, and the AD PowerShell virtual drive is loaded:
```text
[12:42:49][TID 3][Info] 1, Exit, Get-ADDomainController, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] Found domain controller 'DC1' in domain 'CORP'.
[12:42:49][TID 3][Info] 2, Invoke, New-PSDrive, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] New-PSDrive -Name:"ADDrive0" -PSProvider:"ActiveDirectory" -Root:"" -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 2, Exit, New-PSDrive, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 3, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
```
Get RootDSE information for the domain:
```text
[12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 3, Exit, Get-ADRootDSE, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 4, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49
```
Get Active Directory Recycle Bin information for the domain:
```text
[12:42:49][TID 3][Info] Get-ADOptionalFeature -LDAPFilter:"(msDS-OptionalFeatureFlags=1)" -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 4, Exit, Get-ADOptionalFeature, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 5, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 5, Exit, Get-ADRootDSE, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 6, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 6, Exit, Get-ADRootDSE, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 7, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADOptionalFeature -LDAPFilter:"(msDS-OptionalFeatureFlags=1)" -Server:"dc1.corp.contoso.com"
[12:42:50][TID 3][Info] 7, Exit, Get-ADOptionalFeature, 2012-04-16T12:42:50, 1
[12:42:50][TID 3][Info] 8, Invoke, Get-ADForest, 2012-04-16T12:42:50
```
Get the AD forest:
```text
[12:42:50][TID 3][Info] Get-ADForest -Identity:"corp.contoso.com" -Server:"dc1.corp.contoso.com"
[12:42:50][TID 3][Info] 8, Exit, Get-ADForest, 2012-04-16T12:42:50, 1
[12:42:50][TID 3][Info] 9, Invoke, Get-ADObject, 2012-04-16T12:42:50
```
Get schema information for supported encryption types, FGPP, and certain user attributes:
```text
[12:42:50][TID 3][Info] Get-ADObject -LDAPFilter:"(|(ldapdisplayname=msDS-PhoneticDisplayName)(ldapdisplayname=msDS-PhoneticCompanyName)(ldapdisplayname=msDS-PhoneticDepartment)(ldapdisplayname=msDS-PhoneticFirstName)(ldapdisplayname=msDS-PhoneticLastName)(ldapdisplayname=msDS-SupportedEncryptionTypes)(ldapdisplayname=msDS-PasswordSettingsPrecedence))" -Properties:lDAPDisplayName -ResultPageSize:"100" -ResultSetSize:$null -SearchBase:"CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com" -SearchScope:"OneLevel" -Server:"dc1.corp.contoso.com"
[12:42:50][TID 3][Info] 9, Exit, Get-ADObject, 2012-04-16T12:42:50, 7
[12:42:50][TID 3][Info] 10, Invoke, Get-ADObject, 2012-04-16T12:42:50
```
Retrieve all the information about the domain object to display it to the administrator who clicked the domain header:
```text
[12:42:50][TID 3][Info] Get-ADObject -IncludeDeletedObjects:$false -LDAPFilter:"(objectClass=*)" -Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,msDS-PhoneticCompanyName,msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,msDS-PhoneticLastName,pwdLastSet,operatingSystem,operatingSystemServicePack,operatingSystemVersion,phoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,st,postalCode,managedBy,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence -ResultPageSize:"100" -ResultSetSize:"20201" -SearchBase:"DC=corp,DC=contoso,DC=com" -SearchScope:"Base" -Server:"dc1.corp.contoso.com"
```
The Verbose level also shows the .NET stacks for each function, but these contain little data that is particularly useful, except when troubleshooting access violations or Dsac.exe crashes. The two most common causes of problems with the Active Directory Administrative Center are:
- The ADWS service is not running on any reachable domain controller.
- Network communication is blocked from the computer running the Active Directory Administrative Center.
Important
There is also an out-of-band version of the service, called Active Directory Management Gateway, that runs on Windows Server 2008 SP2 and Windows Server 2003 SP2.
If no instance of Active Directory Web Services is installed, the following errors will be displayed:
Error | Note |
---|---|
"Cannot connect to any domain. Refresh or try again when connection is available" | Displayed when the Active Directory Administrative Center application starts |
"An available server running the Active Directory Web Service (ADWS) cannot be found in domain <NetBIOS domain name>" | Displayed when you try to select a domain node in the Active Directory Administrative Center application |
To troubleshoot, follow these steps:
Make sure that the Active Directory Web Services service is started on at least one domain controller in the domain (and preferably on all domain controllers in the forest). Make sure the service is also set to start automatically on all domain controllers.
On the computer running the Active Directory Administrative Center, verify that you can locate a server running ADWS. To do this, use the following NLTest.exe commands:
```text
nltest /dsgetdc:<NetBIOS domain name> /ws /force
nltest /dsgetdc:<fully qualified DNS domain name> /ws /force
```
If these tests fail even though the ADWS service is running, the problem lies with name resolution or LDAP, not with ADWS or the Active Directory Administrative Center. However, this test also fails with "1355 0x54B ERROR_NO_SUCH_DOMAIN" if ADWS is not running on any domain controller, so check that before drawing conclusions.
Get a list of open ports on the domain controllers returned by NLTest with the following command:
```text
netstat -anob > ports.txt
```
Examine the ports.txt file and verify that the ADWS service has port 9389 open. Example:
```text
TCP    0.0.0.0:9389    0.0.0.0:0    LISTENING    1828    [Microsoft.ActiveDirectory.WebServices.exe]
TCP    [::]:9389       [::]:0       LISTENING    1828    [Microsoft.ActiveDirectory.WebServices.exe]
```
If the port is in the LISTENING state, check your Windows Firewall rules and make sure that TCP port 9389 is allowed for inbound connections. By default, domain controllers enable the Active Directory Web Services (TCP-In) firewall rule. If the port is not listening, check that the service is running on this server and restart the service. Make sure that no other process has port 9389 open.
Install NetMon or another network capture tool on the computer running the Active Directory Administrative Center and on the domain controller returned by NLTEST. Take simultaneous network captures on both computers while starting the Active Directory Administrative Center, and stop the captures after the error is displayed. Verify that the client can send to and receive from the domain controller on TCP port 9389. If packets are sent but never arrive, or if they arrive but the domain controller's response never reaches the client, there is probably a firewall between the computers on the network intercepting packets on this port. This could be a software or hardware firewall, possibly part of third-party endpoint protection (antivirus) software.
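The following script is an added example, not code from the article. It automates the first checks above from the ADAC client: it enumerates the domain controllers over LDAP/RPC through System.DirectoryServices (deliberately not through the AD PowerShell module, which itself depends on ADWS), queries the ADWS service state on each, and opens a plain TCP connection to port 9389 so a firewall drop shows up as a timeout separately from a stopped service. The function name and the 3-second timeout are assumptions.

```powershell
# Added example (not from the original article). Run on the computer that runs
# the Active Directory Administrative Center; Get-Service needs rights on the DCs.
function Test-AdwsReachability {
    param([string]$DomainName = $env:USERDNSDOMAIN)

    # Enumerate DCs without relying on ADWS, so the check works when ADWS is down everywhere.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers

    foreach ($dc in $dcs) {
        $name = $dc.Name

        # Service state as seen over RPC (the service short name is ADWS).
        try   { $svc = (Get-Service -ComputerName $name -Name ADWS -ErrorAction Stop).Status.ToString() }
        catch { $svc = 'Unknown' }

        # Pure TCP connect to 9389: distinguishes "port blocked" from "service stopped".
        $tcp = New-Object System.Net.Sockets.TcpClient
        $portOpen = $false
        try {
            $async = $tcp.BeginConnect($name, 9389, $null, $null)
            $portOpen = $async.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected
        } catch { $portOpen = $false }
        finally { $tcp.Close() }

        if ($svc -eq 'Running' -and -not $portOpen) {
            $verdict = 'Service running but port unreachable: check firewall rule "Active Directory Web Services (TCP-In)"'
        } elseif ($svc -ne 'Running') {
            $verdict = 'ADWS not running (or not queryable): start the service and set it to Automatic'
        } else {
            $verdict = 'OK'
        }

        [pscustomobject]@{
            DomainController = $name
            AdwsService      = $svc
            Port9389Open     = $portOpen
            Verdict          = $verdict
        }
    }
}

Test-AdwsReachability | Format-Table -AutoSize
```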
Additional information
AD Recycle Bin, Fine-Grained Password Policy, and PowerShell History