Windows Server 2003 - ADSI EditADSI Edit (Active Directory Services Interface) is the best Windows 2003
Server tool for combining learning with troubleshooting. The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit and explore Active
Directory's properties and values. Incidentally some call this Microsoft utility adsiedit. In your Windows Active Directory career you will find dozens of occasions where the only cure to your
problem is editing the Domain or Configuration partition with ADSI Edit. On this page, it is
not my intention to cure a specific Windows Server 2003 problem, I merely chose the examples to give you a good grounding in the utility. Tutorial Topics for ADSI Edit
‡
VBScript - Researching the LDAP properties of user objects.
If you have to bulk import users into Active Directory, then you need to know the LDAP names corresponding to Last Name (sn) and First Name (givenName). Active Directory Users and Computers - Display Names. The default display in both Exchange GAL and ADUC is First Name
then Last Name. Larger companies may wish to reverse the display because they find it easier to search on Last Name. Security - Editing security permissions for object that have no other interface. For example, Exchange 2003 Anonymous access to
the Address Lists. Restoring old Backups - Learning how to extend the useful life of a backup tape by increasing the tombstoneLifetime attribute. -
TechNet - Following through on TechNet's suggested solutions. For example,
Raise Forest Level
with msDS-Behavior-Version. Replication - Active Directory theory talks of Topology, KCC, Domain replication and Forest replication, with ADSI Edit you can see these different containers
and imagine how they could be replicated separately.
Guy Recommends: SolarWinds Engineer's Toolset v10
The Engineer's Toolset v10 provides a
comprehensive console of utilities for troubleshooting computer problems. Guy says
it helps me monitor what's occurring on the network, and the tools
teaches me more about how the system literally operates.
There are so many good gadgets, it's like having free rein of a
sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools.
Download your copy of the Engineer's Toolset v 10
Installing ADSI EditADSI Edit (adsidedit) is one of Windows Server 2003's support tools. My advice is to install the whole support tools package from the Server CD: \support\tools\supptools.msi. Once the two programs files adsiedit.dll and adsiedit.msc are installed, you also get a shortcut on the Start, Programs menu, however I prefer to add ADSI Edit as a snap-in to my MMC. Alternatively,
you can download ADSI Edit here Note if you copy adsiedit.dll manually then you need to paste into the 'path' for example C: \windows\adsiedit.dll.
Then you need to register the dll with:
regsvr32 adsiedit. (If you install from supptools.msi there is no need for this extra step)
Once ADSI Edit launches, the secret is connecting to the correct naming context. If you are following a TechNet instruction then pay close attention to whether it says connect to
the 'Domain' or connect to the
'Configuration' container. In the diagram opposite you will also see Schema and RootDSE, they are only rarely used for ADSI Editing. Sorry to harp on, but the classic beginners mistake is connecting to
the wrong Naming Context and as a result, being unable to find the required objects and properties. Once you get started with ADSI Edit notice how the layout is similar to Active Directory Users and
Computers, especially the Domain container. Also notice how the Configuration container is like the Windows Server 2003 Sites and Services snap-ins. The big difference is that with ADSI
Edit you see many more properties, moreover, each property has dozens of attributes. In fact there are so many obscure attributes that I often tick the box: Show only attributes that have values. Unlike
command line tools such as DCDiag and NTDSUTIL, ADSI Edit has a GUI, which means its easier to appreciate the scale of Active Directory and easier to navigate the various branches of the configuration containers.
 Active Directory Training
As an MCT trainer, I can thoroughly recommend
TrainSignal because they provide practical hands on
training. In particular, I like the way that TrainSignal cover all learning methods, instructor lead, video and of course text material. You can either take one module, for example Active Directory or go for
a combination of modules.
See more about Active Directory training
ADSI
Edit Example - To change the Display Name
This example has all the ingredients for learning about ADSI Edit namely, planning, attention to detail and a real life scenario where there is no other way of configuring the settings. Our objective is to
change the display from: First Name, Last Name to: Last Name, First Name. From the outset, let us be clear which field we are changing.
Our mission is to change the first field in Active Directory Users and Computers, the column called 'Name' and not the 'Display Name' or 'Description' column. (Although you could change those too, but that would
be a separate project.) The above diagram shows the final result, let us see how we achieve this goal.
- Launch ADSI Edit and make sure you start at the Configuration container.
- Next it's CN=Configuration, Display Specifies. CN=409 means English sort order (not Spanish or Arabic).
- What we want is the user-Display Properties, the crucial attribute is createDialog (not description).
- Now it took me four tries before I perfected the string value:
%<sn>, %<givenName>
Here are my mistakes:
Learn from what I did wrong, or you will be destined to suffer my frustration: %<sn>, % <givenName>. I exaggerated
the gap, but please note that there should be no space between the % and the smaller than bracket <. My most infuriating
mistake was troubleshooting <givenname> At first, I had no idea that Active Directory required the case sensitive <givenName>. Learning Points1) As ADSI Edit uses 'raw'
mode there is no error checking, therefore, do remember what I said about paying attention to detail. My point is that ADSI Edit is not a tool for a beginners in general, and gung-ho beginners in
particular. 2) The good news is that if you go back to Active Directory Users and Computer and create another user, you will see immediately the effect of editing
createDialog. 3) Do experiment with other settings, for example, user-display properties, description attribute. Good NewsIf you are upset that existing users are not affected by
this change, then get a copy of ADModify and with a few clicks you can display the 'Name' column as LastName, Firstname. Would like more
examples of ADSI Edit? See here
 Guy
recommends: The SolarWinds ipMonitor
I am attracted to
ipMonitor
because it inhabits that zone of part work, part play; Guy just could not put
the dashboard away. This excellent performance monitor will get you
started in the quest to remove bottlenecks on your network. SolarWinds
provides this fully-functioning product free for 21 days. So download and
install ipMonitor, then start scrutinizing your computers CPU, memory and disk
performance.
Installing ipMonitor is a breeze, but learn from gung-ho Guy's mistake, and
install SNMP on each computer that you wish to monitor. What sealed my
unreserved recommendation of SolarWinds is their support team, you will get
expert help even when you are evaluating the ipMonitor.
Download SolarWinds ipMonitor (21 days eval)
Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top Windows Server 2003 techie before they have explored the Domain and Configuration partitions with
ADSI Edit. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. While ADSI Edit is not Microsoft's most difficult tool, you have to be careful as there is no error checking.
See Also●
Authoritative Restore
● Windiff ●
ESEutil ●
NTDSUtil
●
Performance Monitor Tool
|
