The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian

How Active Directory PowerShell CMDLETS find a DC running Active Directory Web Services

If you have been playing with the AD PowerShell cmdlets, you know that they require a few things to run: Windows Server 2008 R2 or Windows 7, the .NET Framework 3.5.1 and, of course, if you want to manage an AD domain, Active Directory Web Services (ADWS) installed on at least one domain controller.

By the way, ADWS requires TCP port 9389.

So how in the world does a Windows 7 system know how to find a DC running ADWS? Your client running PowerShell uses the normal DC locator process. First the client determines which site it is in (nltest /dsgetsite), and then it determines the closest DC (nltest /dsgetdc:<FQDN Domain>). It is looking for a DC with the following flag:

DS_WEB_SERVICE_REQUIRED

More info on that flag can be found here.

Now what if you don’t have Server 2008 R2 DCs? With Server 2003 and Server 2008 a problem occurs because the Net Logon service of those domain controllers does not recognize the DS_WEB_SERVICE_REQUIRED flag. There are two hotfixes available to fix that in those environments, one for each version of AD you may be running: Server 2003 and Server 2008.

After you install this hotfix, the AD PowerShell module and Active Directory Administrative Center will be able to locate DCs that have the Active Directory Management Gateway Service installed, which is similar to Active Directory Web Services (ADWS) on a Windows Server 2008 R2-based computer.
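The locator request described above, as an added example that is not code from the original post: it calls DsGetDcName with DS_WEB_SERVICE_REQUIRED the way the DC locator is asked for an ADWS-capable DC, then checks that TCP 9389 on the returned DC is reachable. The function name Find-AdwsDomainController and the domain corp.example.com are hypothetical; the numeric flag values are the ones defined in the Windows SDK header DsGetDC.h.

```powershell
# Added example: locate a DC that advertises the web service, then test TCP 9389.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DcLocator {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO {
        public string DomainControllerName, DomainControllerAddress;
        public uint AddressType;
        public Guid DomainGuid;
        public string DomainName, DnsForestName;
        public uint Flags;
        public string DcSiteName, ClientSiteName;
    }
    // ComputerName, DomainGuid and SiteName are IntPtr so PowerShell can pass a true NULL.
    [DllImport("netapi32.dll", EntryPoint = "DsGetDcNameW", CharSet = CharSet.Unicode)]
    public static extern int DsGetDcName(IntPtr computer, string domain, IntPtr guid,
                                         IntPtr site, uint flags, out IntPtr info);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@

function Find-AdwsDomainController {
    param([Parameter(Mandatory = $true)][string]$DomainFqdn, [int]$TimeoutMs = 3000)
    $flags = [uint32](0x00100000 -bor 0x40000000)  # DS_WEB_SERVICE_REQUIRED | DS_RETURN_DNS_NAME
    $ptr = [IntPtr]::Zero
    $rc = [DcLocator]::DsGetDcName([IntPtr]::Zero, $DomainFqdn, [IntPtr]::Zero, [IntPtr]::Zero, $flags, [ref]$ptr)
    # 1355 (ERROR_NO_SUCH_DOMAIN) is what the locator returns when no DC satisfies the flags.
    if ($rc -ne 0) { throw "DsGetDcName failed with error $rc; no DC advertising the web service was located." }
    try     { $info = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][DcLocator+DOMAIN_CONTROLLER_INFO]) }
    finally { [void][DcLocator]::NetApiBufferFree($ptr) }

    $dc = $info.DomainControllerName.TrimStart('\')   # locator returns \\name
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($dc, 9389, $null, $null)
        $open = $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
    } catch { $open = $false }
    finally { $client.Close() }

    New-Object PSObject -Property @{
        DomainController = $dc; DcSite = $info.DcSiteName; ClientSite = $info.ClientSiteName
        AdvertisesWs = [bool]($info.Flags -band 0x2000)   # DS_WS_FLAG in the reply
        Port9389Open = $open
    }
}

Find-AdwsDomainController -DomainFqdn 'corp.example.com'   # placeholder domain
```

A result with AdvertisesWs true and Port9389Open false points at a firewall or a stopped service between the client and that DC rather than at the locator.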

Comments

Namescape – Active Directory Software Solutions said:

Thank you for the useful information. I found a lot of interesting tips that I could not find anywhere else.

# January 27, 2010 7:08 PM

Eric Jansen said:

There are some additional requirements when certificates are involved and issues that can prevent ADWS from starting.  I recently had a case where ADWS would not start on most of the DCs in one of my customer environments.  There are a few workarounds to the issue but in the end there appears to be a cert selection bug that I need to get around to submitting.  I'm working on a blog entry to detail how to troubleshoot it and how to fix it.  I should have it done in a week or so and I'm going to post as a guest blogger on CB5's technical blog (http://cbfive.com/blog/).

Cheers,

Eric

# January 30, 2010 11:38 AM

Rich Crandall said:

@Eric's comment - you can find Eric's excellent post here:  cbfive.com/.../ADWS-Fails-to-Start-With-Error-1067-The-Process-Terminated-Unexpectedly.aspx.

# February 16, 2010 12:45 PM