Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic covers the updated Active Directory Administrative Center with the new Active Directory Recycle Bin, fine-grained password policy, and Windows PowerShell History Viewer in more detail, including architecture, examples of common tasks, and troubleshooting information. For an introduction, see Introducing Active Directory Administrative Center Enhancements (Level 100).
- Architecture of the Active Directory Administrative Center
- Enable and manage Active Directory Recycle Bin using Active Directory Administrative Center
- Configure and manage fine-grained password policies with the Active Directory Administrative Center
- Using the Windows PowerShell History Viewer in Active Directory Administrative Center
- Troubleshooting AD DS management
Architecture of the Active Directory Administrative Center
Active Directory Administrative Center executables and DLLs
The Active Directory Administrative Center engine and underlying architecture have not changed with the new Recycle Bin, FGPP, and History View features.
The underlying Windows PowerShell and functional layer for the new Recycle Bin functionality is shown below:
Enable and manage Active Directory Recycle Bin using Active Directory Administrative Center
- With the Windows Server 2012 or later Active Directory Administrative Center, you can configure and manage the Active Directory Recycle Bin for each domain partition in a forest. It is no longer necessary to use Windows PowerShell or Ldp.exe to enable the Active Directory Recycle Bin or to restore objects in domain partitions.
- The Active Directory Administrative Center has advanced filter criteria, making it easier to perform targeted recovery in large environments with many intentionally deleted objects.
Because Active Directory Administrative Center can only manage domain partitions, it cannot restore deleted objects from the configuration, domain DNS, or forest DNS partitions (you cannot delete objects from the schema partition). To restore objects from non-domain partitions, use Restore-ADObject.
The Active Directory Administrative Center cannot restore sub-trees of objects in one operation. For example, if you delete an OU with nested OUs, users, groups, and computers, restoring the parent OU does not restore the child objects.
With the Active Directory Administrative Center bulk restore feature, deleted objects are restored on a best-effort basis, within the selection only, and parents are ordered before children in the restore list. In simple test cases, object subtrees can be restored with a single action. However, corner cases, such as a selection containing trees that are missing some of their deleted parent nodes, or error cases, such as child nodes being skipped because restoring the parent node failed, may not work as expected. For this reason, you should always restore child object trees as a separate operation after restoring the parent objects.
Active Directory Recycle Bin requires the Windows Server 2008 R2 forest functional level, and you must be a member of the Enterprise Admins group. Once enabled, Active Directory Recycle Bin cannot be disabled. The Active Directory Recycle Bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller in the forest. The space consumed by the Recycle Bin continues to grow over time as it preserves deleted objects and all of their attribute data.
Enable Active Directory Recycle Bin through Active Directory Administrative Center
To enable Active Directory Recycle Bin, open Active Directory Administrative Center and click your forest name in the navigation pane. In the Tasks pane, click Enable Recycle Bin.
The Active Directory Administrative Center displays the Enable Recycle Bin Confirmation dialog box. This dialog box warns you that enabling the Recycle Bin cannot be undone. Click OK to enable Active Directory Recycle Bin. The Active Directory Administrative Center then displays another dialog box to remind you that the Active Directory Recycle Bin will not be fully functional until all domain controllers have replicated the configuration change.
The option to enable Active Directory Recycle Bin is not available when:
- The forest functional level is lower than Windows Server 2008 R2
- It is already enabled
The corresponding Windows PowerShell Active Directory cmdlet is:
For more information about using Windows PowerShell to enable Active Directory Recycle Bin, see the Active Directory Recycle Bin Step-by-Step Guide.
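The cmdlet behind the Enable Recycle Bin task is Enable-ADOptionalFeature. The following script, added here and not part of the original article, performs the two prerequisite checks the article lists (forest functional level and whether the feature is already on), enables the feature with -WhatIf/-Confirm support because the change cannot be undone, and then asks every domain controller whether it has replicated the change yet. It assumes the ActiveDirectory module (RSAT) and Enterprise Admins membership.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module is installed and the caller is a member of Enterprise Admins.
Import-Module ActiveDirectory

function Enable-ADRecycleBinChecked {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    # Check 1: forest functional level must be Windows Server 2008 R2 or higher.
    # ADForestMode values increase with the OS version, so a numeric compare works.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
    }

    # Check 2: the feature cannot be enabled twice, and cannot be disabled once enabled.
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Warning "Recycle Bin is already enabled in: $($feature.EnabledScopes -join '; ')"
        return
    }

    # Enabling is irreversible, so honour -WhatIf and -Confirm.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable Active Directory Recycle Bin (cannot be undone)')) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forest.RootDomain -Confirm:$false
    }
}

function Get-ADRecycleBinReplicationState {
    # The feature is not fully functional until every DC has replicated the change,
    # so ask each domain controller directly instead of trusting one answer.
    param([string]$Forest = (Get-ADForest).Name)
    $dcs = (Get-ADForest -Identity $Forest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        $f = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc.HostName
        [pscustomobject]@{
            DomainController = $dc.HostName
            Domain           = $dc.Domain
            RecycleBinSeen   = ($f.EnabledScopes.Count -gt 0)
        }
    }
}

Enable-ADRecycleBinChecked -WhatIf
Get-ADRecycleBinReplicationState | Format-Table -AutoSize
```

Run Enable-ADRecycleBinChecked without -WhatIf to actually enable the feature; RecycleBinSeen turning true on every domain controller is the signal that the configuration change the article mentions has fully replicated.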
Manage Active Directory Recycle Bin with Active Directory Administrative Center
This section uses an existing domain named corp.contoso.com as an example. This domain organizes users into a parent OU named User Accounts. The User Accounts OU contains three child OUs named by department, each of which contains additional OUs, users, and groups.
Storage and filtering
The Active Directory Recycle Bin preserves all deleted objects in the forest. It stores these objects according to the msDS-deletedObjectLifetime attribute, which by default is set to match the tombstoneLifetime attribute of the forest. In any forest created with Windows Server 2003 SP1 or later, tombstoneLifetime is set to 180 days by default. Any forest upgraded from Windows 2000 or installed with Windows Server 2003 (without a service pack) does NOT have the default tombstoneLifetime attribute set, and Windows therefore uses the internal default value of 60 days. All of this is configurable. You can use Active Directory Administrative Center to restore any objects that were deleted from the domain partitions in the forest. You must continue to use the Restore-ADObject cmdlet to restore deleted objects from other partitions, such as the configuration partition. Enabling Active Directory Recycle Bin makes the Deleted Objects container visible under each domain partition in Active Directory Administrative Center.
The Deleted Objects container shows you all restorable objects in that domain partition. Deleted objects older than msDS-deletedObjectLifetime are known as recycled objects. Active Directory Administrative Center does not show recycled objects, and you cannot restore those objects using Active Directory Administrative Center.
For a more detailed explanation of the Recycle Bin's architecture and processing rules, see The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting.
The Active Directory Administrative Center artificially limits the default number of objects returned by a container to 20,000 objects. You can increase this limit up to 100,000 objects by clicking the Manage menu, then Management List Options.
The Active Directory Administrative Center provides powerful criteria and filtering options that you should become familiar with before you need to use them in an actual restore. Domains intentionally delete many objects during their lifetime. With a potential deleted object lifetime of 180 days, you cannot easily restore everything in the event of an accident.
Instead of writing complex LDAP filters and converting UTC values to dates and times, use the simple and advanced options of the Filter menu to list only the relevant objects. If you know the deletion date, the object names, or other key data, you can use this to your advantage when filtering. Toggle the advanced filter options by clicking the chevron to the right of the search box.
The restore function, like any other search, supports all the standard filter criteria options. Of the built-in filters, the following are usually important for object restore:
- ANR (Ambiguous Name Resolution, not listed in the menu but used when typing in the Filter box)
- Last change between the given dates
- The object is user/inetOrgPerson/computer/group/organizational unit
- When deleted
- Last Known Parent
- Employee ID
- Job title
- Phone number
- ZIP code
You can add multiple criteria. For example, you can find all user objects deleted on September 24, 2012 from Chicago, Illinois with the job title Manager.
You can also add, change, or rearrange column headings to provide more detail when evaluating the objects to be restored.
For more information on ambiguous name resolution, see ANR Attributes.
Restoring deleted objects has always been a separate process. The Active Directory Administrative Center makes this process easier. To restore a deleted object, such as a single user:
- In the Active Directory Administrative Center navigation pane, click the domain name.
- Double-click Deleted Objects in the management list.
- Right-click the object, and then click Restore, or click Restore in the Tasks pane.
The object returns to its original location.
Click Restore To... to change the restore location. This is useful when the parent container of the deleted object was also deleted, but you do not want to restore that parent container.
Multiple peer objects
You can restore multiple peer objects, such as all users in an OU. Hold down the CTRL key and click one or more deleted objects that you want to restore. Click Restore in the Tasks pane. You can also select all displayed objects by pressing CTRL+A, or a range of objects by holding SHIFT and clicking.
Multiple parent and child objects
It is important to understand the restore process for a multiple-parent restore, because Active Directory Administrative Center cannot restore a nested tree of deleted objects in a single action.
- Restore the deleted top object of a tree.
- Restore the immediate children of that parent object.
- Restore the immediate children of those parent objects.
- Repeat this process as needed until all objects are restored.
You cannot restore a child object until you have restored its parent object. Attempting to do so returns the following error:
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The Last Known Parent attribute shows the lineage of each object. The Last Known Parent attribute changes from the deleted location to the restored location when you refresh Active Directory Administrative Center after restoring a parent. Therefore, if the Last Known Parent of an object no longer shows the distinguished name of the Deleted Objects container, you can restore that child object.
Consider the scenario where an administrator accidentally deletes the Sales OU, which contains child OUs and users.
First, note the Last Known Parent attribute of all the deleted users and how it reads OU=Sales\0ADEL:
Filter on the ambiguous name Sales to return the deleted OU, which you then restore:
Refresh Active Directory Administrative Center to see how the Last Known Parent attribute of the deleted user objects changes to the distinguished name of the restored Sales OU:
Filter for all Sales users. Press CTRL+A to select all the deleted Sales users. Click Restore to move the objects from the Deleted Objects container into the Sales OU, with group memberships and other attributes intact.
If the Sales OU contained its own child OUs, restore those child OUs first, then their children, and so on.
For information on restoring all nested deleted objects by specifying a deleted parent container, see Appendix B: Restoring Multiple Deleted Active Directory Objects (Sample Script).
The Active Directory Windows PowerShell cmdlet to restore deleted objects is Restore-ADObject.
The functionality of the Restore-ADObject cmdlet has not changed between Windows Server 2008 R2 and Windows Server 2012.
Over time, in medium and large companies, the Deleted Objects container can accumulate more than 20,000 (or even 100,000) objects, and it becomes difficult to view them all. Because the filter mechanism in Active Directory Administrative Center is client-side filtering, objects beyond the limit cannot be displayed. To work around this limitation, follow these steps to perform a server-side search:
- Right-click the Deleted Objects container and click Search under this node.
- Click the chevron to show the +Add criteria menu, then select and add Last modified between given dates. The last modification time (the whenChanged attribute) is a close approximation of the deletion time; in most environments they are identical. This query performs a server-side search.
- Find the deleted objects to restore by further on-screen filtering, sorting, and so on in the results, and then restore them normally.
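The parent-first procedure above, the whenChanged-based server-side search, and the Sales OU scenario can be combined into one script. This is an added example and not the article's Appendix B script: it locates a deleted container by its last known RDN, restores it by objectGUID, re-reads its restored distinguished name (the value Last Known Parent switches to after a refresh), and then restores only the children whose whenChanged falls after the incident, level by level. It assumes the ActiveDirectory module and an enabled Recycle Bin; the OU name and date are constructed sample values.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, an enabled Recycle Bin, and rights to restore objects in the domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN such as OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...
    # can be used as an assertion value inside -LDAPFilter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Find-ADDeletedContainer {
    # Locate a deleted container by its last known RDN (what the article's ANR
    # filter on "Sales" returns). Recycled objects are excluded: ADAC cannot restore them.
    param([Parameter(Mandatory)][string]$Name, [hashtable]$Srv = @{})
    $rdn = ConvertTo-LdapFilterValue $Name
    Get-ADObject -IncludeDeletedObjects @Srv -Properties msDS-LastKnownRDN,lastKnownParent,whenChanged `
        -LDAPFilter "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(msDS-LastKnownRDN=$rdn))"
}

function Restore-ADDeletedSubtree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]$DeletedObject,          # ADObject from Find-ADDeletedContainer
        [Parameter(Mandatory)][datetime]$DeletedAfter,  # ignore objects deleted before the incident
        [hashtable]$Srv = @{}                           # e.g. @{ Server = 'dc1.corp.contoso.com' }
    )
    # Step 1: restore the top of the tree by objectGUID; the deleted DN carries the
    # \0ADEL: mangling and is not a usable identity for Restore-ADObject.
    if ($PSCmdlet.ShouldProcess($DeletedObject.DistinguishedName, 'Restore')) {
        Restore-ADObject -Identity $DeletedObject.ObjectGUID @Srv
    }
    # Step 2: after the restore, the children's lastKnownParent resolves to the
    # restored DN (what ADAC shows after a refresh). Re-read it from the GUID.
    $parentDn = (Get-ADObject -Identity $DeletedObject.ObjectGUID -IncludeDeletedObjects @Srv).DistinguishedName

    # Step 3: immediate children only. whenChanged approximates the deletion time
    # (the article's "Last modified between given dates"), filtered server-side as an
    # LDAP generalized-time value so that older, intentional deletions are skipped.
    $since    = $DeletedAfter.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    $parentLf = ConvertTo-LdapFilterValue $parentDn
    $children = Get-ADObject -IncludeDeletedObjects @Srv -Properties lastKnownParent,whenChanged `
        -LDAPFilter "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(lastKnownParent=$parentLf)(whenChanged>=$since))"

    # Step 4: recurse so that each level is restored only after its parent exists again.
    foreach ($child in $children) {
        Restore-ADDeletedSubtree -DeletedObject $child -DeletedAfter $DeletedAfter -Srv $Srv
    }
}

# Constructed sample run: the Sales OU deleted on 24 September 2012, as in the
# article's scenario. Inspect the candidates first if the name was deleted more than once.
$sales = Find-ADDeletedContainer -Name 'Sales' | Select-Object -First 1
Restore-ADDeletedSubtree -DeletedObject $sales -DeletedAfter '2012-09-24' -WhatIf
```

With -WhatIf the script only lists the objects it would restore, in parent-before-child order; remove it to perform the restore.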
Configure and manage fine-grained password policies with the Active Directory Administrative Center
Configure fine-grained password policies
You can use the Active Directory Administrative Center to create and manage Fine-Grained Password Policy (FGPP) objects. Windows Server 2008 introduced the FGPP feature, but Windows Server 2012 has the first graphical management interface for it. Fine-grained password policies apply at the domain level and allow overriding the single domain password policy required by Windows Server 2003. By creating different FGPPs with different settings, individual users or groups get different password policies in a domain.
For more information about fine-grained password policy, see the AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide (Windows Server 2008 R2).
In the navigation pane, click Tree View, click your domain, click System, click Password Settings Container, and then in the Tasks pane click New and then Password Settings.
Manage fine-grained password policies
When you create a new FGPP or edit an existing one, you see the Password Settings editor. From here you configure any password policies you want, just as you would in Windows Server 2008 or Windows Server 2008 R2, only now with a dedicated editor.
Complete all required (red asterisk) and optional fields, then click Add to define the users or groups that receive this policy. FGPP overrides the Default Domain Policy settings for those specified security principals. In the image above, a highly restrictive policy applies only to the built-in Administrator account to prevent compromise. The policy is too complex for typical users to follow, but is ideal for a high-risk account used only by IT professionals.
You can also set the precedence, which decides which policy applies when a user or group is covered by more than one.
The Active Directory Windows PowerShell cmdlets for fine-grained password policies are:
The functionality of the fine-grained password policy cmdlets has not changed between Windows Server 2008 R2 and Windows Server 2012. For simplicity, the following diagram illustrates the relevant arguments of the cmdlets:
You can also use Active Directory Administrative Center to find the resultant set of applied FGPPs for a specific user. Right-click any user and click View resultant password settings... to open the Password Settings page that applies to that user through implicit or explicit assignment:
Examining the Properties of a user or group displays Directly Associated Password Settings, which are the explicitly assigned FGPPs:
Implicit FGPP assignment is not shown here. For that, you need to use the View resultant password settings... selection.
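The following script, added here and not taken from the article, reproduces the Administrator-only restrictive policy described above with the fine-grained password policy cmdlets, assigns it explicitly (the Directly Associated Password Settings view), and resolves the resultant policy for a user the way View resultant password settings... does, including the case where no FGPP matches and the domain default applies. It assumes the ActiveDirectory module; the policy name, precedence and settings are constructed values.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# and Domain Admins rights to create objects in the Password Settings Container.
Import-Module ActiveDirectory

function New-AdminLockdownPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Name = 'Built-in Administrator Lockdown',  # constructed name
        [int]$Precedence = 10,         # lower number wins when several FGPPs apply to one user
        [string]$Subject = 'Administrator'
    )
    if ($PSCmdlet.ShouldProcess($Name, 'Create fine-grained password policy')) {
        # Deliberately stricter than any Default Domain Policy: long passwords, short
        # maximum age, deep history, and lockout after a handful of failed attempts.
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordLength 24 -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
            -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
            -ProtectedFromAccidentalDeletion $true
        # Explicit assignment: this is what "Directly Associated Password Settings" lists.
        Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subject
    }
}

function Get-EffectivePasswordPolicy {
    # Resolves the policy that actually applies (explicitly or through group
    # membership), falling back to the domain default when no FGPP matches.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($null -eq $fgpp) {
        $d = Get-ADDefaultDomainPasswordPolicy
        return [pscustomobject]@{
            User = $SamAccountName; Source = 'Default Domain Policy'; Precedence = $null
            MinLength = $d.MinPasswordLength; MaxAge = $d.MaxPasswordAge; Lockout = $d.LockoutThreshold
        }
    }
    [pscustomobject]@{
        User = $SamAccountName; Source = $fgpp.Name; Precedence = $fgpp.Precedence
        MinLength = $fgpp.MinPasswordLength; MaxAge = $fgpp.MaxPasswordAge; Lockout = $fgpp.LockoutThreshold
    }
}

function Get-FgppAssignmentReport {
    # Audit view: every FGPP in the domain with the principals it is directly applied to.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $_ | Select-Object -ExpandProperty Name
        [pscustomobject]@{ Policy = $_.Name; Precedence = $_.Precedence; AppliesTo = ($subjects -join ', ') }
    }
}

New-AdminLockdownPolicy -WhatIf
Get-EffectivePasswordPolicy -SamAccountName 'Administrator'
Get-FgppAssignmentReport | Format-Table -AutoSize
```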
Using the Windows PowerShell History Viewer in Active Directory Administrative Center
The future of Windows administration is Windows PowerShell. Layering graphical tools on top of a task automation framework makes management of the most complex distributed systems consistent and efficient. You need to understand how Windows PowerShell works to get the most out of it and to maximize your computing investment.
The Active Directory Administrative Center now provides a complete history of every Windows PowerShell cmdlet it runs, along with their arguments and values. You can copy the cmdlet history elsewhere to study, modify, and reuse it. You can create task notes to isolate the Active Directory Administrative Center actions that led to specific Windows PowerShell commands. You can also filter the history to find points of interest.
The purpose of the Active Directory Administrative Center Windows PowerShell History Viewer is to learn through hands-on experience.
Click the chevron (arrow) to view the Windows PowerShell history viewer.
Then create a user or change a group's membership. The History Viewer is continuously updated with a collapsed view of each cmdlet that Active Directory Administrative Center ran with the specified arguments.
Expand any line item to see all of the values provided for the cmdlet's arguments:
Click the Start Task menu to create a manual note before using Active Directory Administrative Center to create, modify, or delete an object. Enter what you are doing. When you are done making the change, select End Task. The task note summarizes all the actions performed in a collapsible note that you can use for better understanding.
For example, to view the Windows PowerShell commands used to change a user's password and remove the user from a group:
Selecting the Show All check box also shows the Get-* Windows PowerShell cmdlets, which only retrieve data.
The History Viewer shows the literal commands executed by the Active Directory Administrative Center, and you may notice that some cmdlets appear to run unnecessarily. For example, you can create a new user with:
and you do not have to use:
The Active Directory Administrative Center was designed for minimal code and modularity. So instead of one set of functions that create new users and another set that modifies existing users, it executes each function minimally and then chains them into cmdlets. Keep this in mind as you learn Active Directory Windows PowerShell. You can also use it as a learning technique to see how easily you can use Windows PowerShell to complete a single task.
Troubleshooting AD DS management
Introduction to Troubleshooting
Because it is relatively new and has not yet been used widely in existing customer environments, the Active Directory Administrative Center has limited troubleshooting options.
Active Directory Administrative Center now includes built-in logging as part of a trace configuration file. Create or modify the following file in the same folder as dsac.exe:
Add the following content:
The verbosity levels for DsacLogLevel are None, Error, Warning, Info, and Verbose. The output file name is configurable and is written to the same folder as dsac.exe. The output can tell you more about how ADAC works, which domain controllers were contacted, what Windows PowerShell commands it ran, what the responses were, and further details.
For example, using the Info level, which returns all results except Verbose-level detail:
DSAC.exe is started
The domain controller is asked to return the initial domain information
[12:42:49][TID 3][Info] Command ID, Action, Command, Time, Elapsed Time ms (Output), Number of Objects (Output)
[12:42:49][TID 3][Info] 1, Invoke, Get-ADDomainController, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADDomainController -Discover:$null -DomainName:"CORP" -ForceDiscover:$null -Service:ADWS -Writable:$null
Domain controller DC1 was returned from the corp domain
The virtual AD PowerShell drive is loaded
[12:42:49][TID 3][Info] 1, Output, Get-ADDomainController, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] Found domain controller 'DC1' in domain 'CORP'.
[12:42:49][TID 3][Info] 2, Invoke, New-PSDrive, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] New-PSDrive -Name:"ADDrive0" -PSProvider:"ActiveDirectory" -Root:"" -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 2, Output, New-PSDrive, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 3, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
Get the root DSE information for the domain
[12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 3, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 4, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49
Get the Active Directory Recycle Bin information for the domain
[12:42:49][TID 3][Info] Get-ADOptionalFeature -LDAPFilter:"(msDS-OptionalFeatureFlags=1)" -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 4, Output, Get-ADOptionalFeature, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 5, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 5, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 6, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
[12:42:49][TID 3][Info] 6, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1
[12:42:49][TID 3][Info] 7, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADOptionalFeature -LDAPFilter:"(msDS-OptionalFeatureFlags=1)" -Server:"dc1.corp.contoso.com"
[12:42:50][TID 3][Info] 7, Output, Get-ADOptionalFeature, 2012-04-16T12:42:50, 1
[12:42:50][TID 3][Info] 8, Invoke, Get-ADForest, 2012-04-16T12:42:50
Get the AD forest
[12:42:50][TID 3][Info] Get-ADForest -Identity:"corp.contoso.com" -Server:"dc1.corp.contoso.com"
[12:42:50][TID 3][Info] 8, Output, Get-ADForest, 2012-04-16T12:42:50, 1
[12:42:50][TID 3][Info] 9, Invoke, Get-ADObject, 2012-04-16T12:42:50
Get schema information for supported encryption types, FGPP, and the phonetic name attributes
[12:42:50][TID 3][Info] Get-ADObject -LDAPFilter:"(|(ldapdisplayname=msDS-PhoneticDisplayName)(ldapdisplayname=msDS-PhoneticCompanyName)(ldapdisplayname=msDS-PhoneticDepartment)(ldapdisplayname=msDS-PhoneticFirstName)(ldapdisplayname=msDS-PhoneticLastName)(ldapdisplayname=msDS-SupportedEncryptionTypes)(ldapdisplayname=msDS-PasswordSettingsPrecedence))" -Properties:lDAPDisplayName -ResultPageSize:"100" -ResultSetSize:$null -SearchBase:"CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com" -SearchScope:"OneLevel" -Server:"dc1.corp.contoso.com"
[12:42:50][TID 3][Info] 9, Output, Get-ADObject, 2012-04-16T12:42:50, 7
[12:42:50][TID 3][Info] 10, Invoke, Get-ADObject, 2012-04-16T12:42:50
Get all the information about the domain object to show to the administrator who clicked the domain header.
[12:42:50][TID 3][Info] Get-ADObject -IncludeDeletedObjects:$false -LDAPFilter:"(objectClass=*)" -Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,...,operatingSystemVersion,telephoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,...,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence -ResultPageSize:"100" -ResultSetSize:"20201" -SearchBase:"DC=corp,DC=contoso,DC=com" -SearchScope:"Base" -Server:"dc1.corp.contoso.com"
The Verbose level also shows the .NET stacks for each function, but these do not contain enough data to be especially useful, except when troubleshooting a Dsac.exe hang or crash. The two most likely causes of such a failure are:
- The ADWS service is not running on any accessible domain controller.
- Network communication to the ADWS service is blocked from the computer running Active Directory Administrative Center.
There is also an out-of-band version of the service, called Active Directory Management Gateway Service, which runs on Windows Server 2008 SP2 and Windows Server 2003 SP2.
Errors that occur when no Active Directory Web Services instance is available include:
| Error | Where it appears |
|---|---|
| "Could not connect to a domain. Please refresh the page or try again when a connection is available." | At the top of the Active Directory Administrative Center application |
| "Cannot find an available server" | When you try to select a domain node in the Active Directory Administrative Center application |
To troubleshoot this issue, follow these steps:
Verify that Active Directory Web Services is started on at least one domain controller in the domain (and preferably on all domain controllers in the forest). Make sure that the service is also set to start automatically on all domain controllers.
On the computer running Active Directory Administrative Center, verify that you can locate a server running ADWS by running the following NLTest.exe commands:
nltest /dsgetdc:<domain> /ws /force
nltest /dsgetdc: /ws /force
If these tests fail even though the ADWS service is running, the problem is with name resolution or LDAP, not with ADWS or Active Directory Administrative Center. This test fails with error 1355 0x54B ERROR_NO_SUCH_DOMAIN if ADWS is not running on any domain controller, so double-check that before drawing conclusions.
On the domain controller returned by NLTest, dump the list of listening ports with the following command:
Netstat -anob > ports.txt
Examine the ports.txt file and ensure that the ADWS service is listening on port 9389. Example:
TCP    0.0.0.0:9389    0.0.0.0:0    LISTENING    1828
[Microsoft.ActiveDirectory.WebServices.exe]
TCP    [::]:9389    [::]:0    LISTENING    1828
[Microsoft.ActiveDirectory.WebServices.exe]
If it is listening, validate your Windows Firewall rules and make sure they allow inbound TCP 9389. By default, domain controllers enable the Active Directory Web Services (TCP-In) firewall rule. If it is not listening, reconfirm that the service is running on that server and restart it. Make sure no other process is already listening on port 9389.
Install NetMon or another network capture utility on the computer running Active Directory Administrative Center and on the domain controller returned by NLTEST. Capture simultaneously on both computers while you launch Active Directory Administrative Center and see the error, then stop the captures. Ensure that the client can send to and receive from the domain controller over TCP port 9389. If packets are sent but never arrive, or arrive and the domain controller responds but the response never reaches the client, there is probably a firewall between the computers on the network that is dropping packets on that port. This firewall may be software or hardware, and may be part of third-party endpoint protection (antivirus) software.
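The checks above (DC locator with the /ws flag, service state and start mode, the 9389 listener and its owning process, the inbound firewall rule, and client-side reachability) can be collected in one place before reaching for NetMon. The following script is an added example, not part of the article: it gathers those facts and applies the article's decision tree to them. It assumes RSAT, the NetTCPIP and NetSecurity modules (Windows 8 / Windows Server 2012 or later), and PowerShell remoting to the domain controller; the firewall rule display name is taken from the article and is an assumption about your environment.

```powershell
# Added example, not from the original article. Assumes RSAT, the NetTCPIP and
# NetSecurity modules, and PowerShell remoting rights on the domain controller.
Import-Module ActiveDirectory

function Test-ADWSConnectivity {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [int]$Port = 9389   # ADWS listener port, per the article
    )
    # Step 1: the same locator query as "nltest /dsgetdc:<domain> /ws /force".
    $dc     = Get-ADDomainController -Discover -DomainName $Domain -Service ADWS -ForceDiscover
    $dcHost = [string]$dc.HostName

    # Step 2: client-side reachability of TCP 9389 (what a NetMon capture would show).
    $tcp = Test-NetConnection -ComputerName $dcHost -Port $Port -WarningAction SilentlyContinue

    # Step 3: on the DC itself: service state and start mode, the listening socket
    # that "netstat -anob" shows, the process that owns it, and the firewall rule.
    $remote = Invoke-Command -ComputerName $dcHost -ArgumentList $Port -ScriptBlock {
        param($p)
        $svc    = Get-CimInstance Win32_Service -Filter "Name='ADWS'"
        $listen = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue |
                  Select-Object -First 1
        $owner  = $null
        if ($listen) { $owner = (Get-Process -Id $listen.OwningProcess).ProcessName }
        $rule   = Get-NetFirewallRule -DisplayName 'Active Directory Web Services (TCP-In)' `
                  -ErrorAction SilentlyContinue
        $fw     = 'NotFound'
        if ($rule) { $fw = [string]$rule.Enabled }
        [pscustomobject]@{
            ServiceState    = $svc.State       # 'Running' expected
            StartMode       = $svc.StartMode   # 'Auto' expected on every DC
            Listening       = [bool]$listen
            ListenerProcess = $owner           # 'Microsoft.ActiveDirectory.WebServices' expected
            FirewallRule    = $fw
        }
    }
    [pscustomobject]@{
        DomainController = $dcHost
        TcpReachable     = $tcp.TcpTestSucceeded
        ServiceState     = $remote.ServiceState
        StartMode        = $remote.StartMode
        Listening        = $remote.Listening
        ListenerProcess  = $remote.ListenerProcess
        FirewallRule     = $remote.FirewallRule
    }
}

function Get-ADWSDiagnosis {
    # Turns the measurements into the article's decision tree, most basic cause first.
    param([Parameter(Mandatory)]$R)
    if ($R.ServiceState -ne 'Running') {
        return 'ADWS is not running on the DC: start it and set the start mode to Auto.'
    }
    if (-not $R.Listening) {
        return 'ADWS is running but nothing listens on 9389: restart the service and check for a conflict.'
    }
    if ($R.ListenerProcess -ne 'Microsoft.ActiveDirectory.WebServices') {
        return "Port 9389 is owned by '$($R.ListenerProcess)', not ADWS."
    }
    if (-not $R.TcpReachable) {
        return 'The DC listens on 9389 but the client cannot reach it: check the Windows Firewall rule and any network or endpoint firewall in between.'
    }
    'ADWS is reachable. If ADAC still fails, look at name resolution or LDAP (nltest error 1355).'
}

$r = Test-ADWSConnectivity
$r | Format-List
Get-ADWSDiagnosis -R $r
```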