Twitter is a site everyone knows, but more and more it is a great place for tech information and sharing in the community. There are a lot of good tweets on Active Directory and links to information. There is also a fair amount of spam and bad links. Those are usually easy to spot, though (the profile picture is a "sexy" model, for example).
Thanks a lot to @SamErde for letting me use his post for this blog.
ADAC was released with Windows Server 2008 R2. It has gained some traction, but it is still not the GUI tool of choice for Active Directory administration. AD Users & Computers still wins, but that may change with Windows Server 8 (what became Windows Server 2012), when features like the AD Recycle Bin and Fine-Grained Password Policies are brought into ADAC, giving both of those features a much-needed GUI.
In order to truly test this I created three forests in my lab and created forest trusts between the first forest and the other two. I did see TechNet articles stating that this could be done, but I like to verify.
I'm not just a blogger, I also work in this world, and I know setting up the trusts can be a pain. You have to have the proper ports open between the domain controllers (DNS 53, Kerberos 88, the RPC endpoint mapper on 135 plus the dynamic RPC range, LDAP 389/636, SMB 445, Kerberos password change 464, and the global catalog on 3268/3269), and that is often easier said than done. Become friends with the firewall admins :) You also need to ensure that name resolution is working in both directions. I used conditional forwarders to resolve the remote domain names in DNS. Stub zones and secondary zones would also work.
There are a lot of posts and resources about setting up trusts. If you run into issues, look at the basics first:
- For potential port blockages, tools like telnet, portqry, Wireshark, and Network Monitor are really good starting points.
- For DNS issues, nslookup is a good place to start troubleshooting (Wireshark and Network Monitor are good there too). Make sure the `_ldap._tcp.dc._msdcs.<remote forest>` SRV records resolve, not just the bare domain name; the trust setup locates remote DCs through those.
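The DNS and port checks above, scripted so you can run them from a 2008 R2 box before you start clicking through the New Trust Wizard. This is an added example, not code from the original post; it sticks to PowerShell 2.0 and .NET classes (no `Resolve-DnsName`, which only arrived with Windows Server 2012) and the remote forest name `remote.lab` is a hypothetical placeholder. It only tests TCP, so UDP 53/88/389 and the dynamic RPC range still need a packet capture or portqry if something looks wrong.

```powershell
# Added example (not part of the original post): check name resolution and the
# well-known trust ports against every DC the remote forest advertises in DNS.
# Run from a DC (or admin workstation) in the trusting forest. PowerShell 2.0 compatible.
param(
    [string]$RemoteForest = 'remote.lab'   # hypothetical trusted forest name
)

# Trust ports between DCs. The RPC dynamic range (49152-65535 on 2008+) is not
# covered by a single-port probe; use portqry or a capture for that.
$TrustPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Does the remote forest's DNS name resolve at all (conditional forwarder / stub zone)?
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($RemoteForest)
    $list  = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
    Write-Host "$RemoteForest resolves to: $list"
} catch {
    Write-Warning "Cannot resolve $RemoteForest - check the conditional forwarder or stub zone"
    return
}

# 2. Can we locate the remote DCs through the _ldap._tcp.dc._msdcs SRV record?
#    No Resolve-DnsName on 2008 R2, so shell out to nslookup and parse 'svr hostname'.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteForest" 2>$null
$dcs = $srv | Select-String 'svr hostname\s*=\s*(\S+)' |
       ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
if (-not $dcs) {
    Write-Warning "No DC SRV records found for $RemoteForest - the trust wizard will fail here"
    return
}

# 3. Probe each trust port on each remote DC. Anything BLOCKED goes to the firewall admins.
foreach ($dc in $dcs) {
    foreach ($p in $TrustPorts) {
        $state = if (Test-TcpPort -ComputerName $dc -Port $p.Port) { 'open' } else { 'BLOCKED' }
        "{0,-30} {1,5} {2,-26} {3}" -f $dc, $p.Port, $p.Name, $state
    }
}
```

Run it from both sides, since a two-way trust needs the same ports open in the other direction. Once the trust exists, `netdom trust <trusting domain> /d:<trusted domain> /verify` is the quick way to confirm the secure channel works over the path you just tested.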
At this point the forest trusts have been set up and the two-way trusts are functional. The first thing we need to do is try to add one of the other domains in ADAC.
|Add Navigation Nodes in ADAC - Windows Server 2008 R2|
I'm going to use Windows Server 2008 R2 for the rest of the examples. I select Add Navigation Nodes, and from there I can add another domain.
|Adding domain in another forest to ADAC via Navigation Node|
Once I add the domain from the trusted forest, I can see it in ADAC.
|Remote domain from trusted forest now appears in ADAC|
I'm not able to make any changes, which is a good thing. The fact that the forest trust exists doesn't give any rights to administer the remote domain: a trust only lets the remote domain authenticate my account, it does not authorize it to do anything. I can read because, through the trust, my account is a member of Authenticated Users in the remote domain, and the default ACLs grant that group read access on most objects.
Notice in the screenshot below, I attempt to update/edit a user in the remote forest/domain. I'm unable to make any changes, but I can read his info.
|Attempting to update a user|
Without any rights I can't really do much. In this case I want the same account to be able to manage objects in both forests.
There are several options here, but I added my admin account to the built-in Administrators group in the remote domain. That is the quickest path in a lab, but be aware of what it means: one account is now fully privileged in both forests, so a compromise of it in either forest is a compromise of both. In production, a separate admin account per forest, or a remote-forest group that the trusted account is placed in with only the delegated rights it needs, is the safer pattern.
|My admin account has been added into the Administrators group in the remote domain|
Wishlist: I would like the ability to add another domain in the navigation node but also specify alternate credentials when I do that. That would be handy if an admin has a separate admin account in the remote forest/domain. I'm still researching that and will update the blog if I find something.
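The same group membership change done from PowerShell instead of ADAC, as an added example that is not part of the original post. It uses the `<SID=...>` binding form so the remote DC creates the foreignSecurityPrincipal object itself, and it binds to the remote domain with alternate credentials, which the GUI does not offer. The forest names `corp.lab` and `remote.lab`, the DC names and the account name are hypothetical placeholders.

```powershell
# Added example (not from the original post): add an account from the trusting forest
# (corp.lab) to the built-in Administrators group of a domain in the trusted forest
# (remote.lab). All names below are hypothetical.
Import-Module ActiveDirectory

$MyUser      = 'adminjoe'                                   # my account in corp.lab
$MyDc        = 'dc1.corp.lab'                               # a DC in my forest
$RemoteDc    = 'dc1.remote.lab'                             # a DC in the trusted forest
$RemoteGroup = 'CN=Administrators,CN=Builtin,DC=remote,DC=lab'

# 1. Resolve my account to its SID in my own forest. The remote domain only ever
#    stores the SID (as a foreign security principal), never the user object.
$sid = (Get-ADUser -Identity $MyUser -Server $MyDc).SID.Value

# 2. Bind to the remote group with credentials that already have rights there
#    (for example the remote domain's own Domain Admin). Prompt rather than
#    hard-code the password.
$cred  = Get-Credential   # enter REMOTE\<admin account>
$group = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$RemoteDc/$RemoteGroup",
    $cred.UserName,
    $cred.GetNetworkCredential().Password)

# 3. Add the foreign principal by SID. Binding by <SID=...> against the remote DC
#    makes it create CN=<SID>,CN=ForeignSecurityPrincipals,... automatically.
$group.Add("LDAP://$RemoteDc/<SID=$sid>")

# 4. Verify by reading the member attribute directly. Get-ADGroupMember tries to
#    resolve each FSP back to its home forest and can fail on cross-forest members,
#    so read the raw DNs instead.
(Get-ADGroup -Identity 'Administrators' -Server $RemoteDc -Properties member).member |
    Where-Object { $_ -like "*CN=ForeignSecurityPrincipals*" }
```

The verification step is the same thing ADAC shows in the Administrators group's Members tab: the entry appears as `corp\adminjoe` in the GUI but is stored as `CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=remote,DC=lab`. To undo it, call `$group.Remove()` with the same `<SID=...>` path.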
There is a good article about ADAC on TechNet that is worth reading.
What are your thoughts on ADAC? For those on 2008 R2, is it gaining traction in your environments?