Windows Server 2003 - ADSI EditADSI Edit (Active Directory Services Interface) is the best Windows 2003
Server tool for combining learning with troubleshooting. The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit and explore Active
Directory's properties and values. Incidentally some call this Microsoft utility adsiedit. In your Windows Active Directory career you will find dozens of occasions where the only cure to your
problem is editing the Domain or Configuration partition with ADSI Edit. On this page, it is
not my intention to cure a specific Windows Server 2003 problem, I merely chose the examples to give you a good grounding in the utility. Tutorial Topics for ADSI Edit
‡
VBScript - Researching the LDAP properties of user objects.
If you have to bulk import users into Active Directory, then you need to know the LDAP names corresponding to Last Name (sn) and First Name (givenName). Active Directory Users and Computers - Display Names. The default display in both Exchange GAL and ADUC is First Name
then Last Name. Larger companies may wish to reverse the display because they find it easier to search on Last Name. Security - Editing security permissions for object that have no other interface. For example, Exchange 2003 Anonymous access to
the Address Lists. Restoring old Backups - Learning how to extend the useful life of a backup tape by increasing the tombstoneLifetime attribute. -
TechNet - Following through on TechNet's suggested solutions. For example,
Raise Forest Level
with msDS-Behavior-Version. Replication - Active Directory theory talks of Topology, KCC, Domain replication and Forest replication, with ADSI Edit you can see these different containers
and imagine how they could be replicated separately.
Guy Recommends: SolarWinds LANSurveyor
LANSurveyor will produce a neat diagram of your network topology. But that's
just the start;
LANSurveyor can
create an inventory of the hardware and software
of your machines and network devices. Other neat features include dynamic
update for when you add new devices to your network. I also love the ability to export
the diagrams
to Microsoft Visio.
Finally, Guy bets that if you take a free trial of LANSurveyor then you will
find a device on your network that you had forgotten about, or someone else
installed without you realizing!
Download a Free Trial of LANSurveyor
Installing ADSI EditADSI Edit (adsidedit) is one of Windows Server 2003's support tools. My advice is to install the whole support tools package from the Server CD: \support\tools\supptools.msi. Once the two programs files adsiedit.dll and adsiedit.msc are installed, you also get a shortcut on the Start, Programs menu, however I prefer to add ADSI Edit as a snap-in to my MMC. Alternatively,
you can download ADSI Edit here Note if you copy adsiedit.dll manually then you need to paste into the 'path' for example C: \windows\adsiedit.dll.
Then you need to register the dll with:
regsvr32 adsiedit. (If you install from supptools.msi there is no need for this extra step)
Once ADSI Edit launches, the secret is connecting to the correct naming context. If you are following a TechNet instruction then pay close attention to whether it says connect to
the 'Domain' or connect to the
'Configuration' container. In the diagram opposite you will also see Schema and RootDSE, they are only rarely used for ADSI Editing. Sorry to harp on, but the classic beginners mistake is connecting to
the wrong Naming Context and as a result, being unable to find the required objects and properties. Once you get started with ADSI Edit notice how the layout is similar to Active Directory Users and
Computers, especially the Domain container. Also notice how the Configuration container is like the Windows Server 2003 Sites and Services snap-ins. The big difference is that with ADSI
Edit you see many more properties, moreover, each property has dozens of attributes. In fact there are so many obscure attributes that I often tick the box: Show only attributes that have values. Unlike
command line tools such as DCDiag and NTDSUTIL, ADSI Edit has a GUI, which means its easier to appreciate the scale of Active Directory and easier to navigate the various branches of the configuration containers.
 Active Directory Training
As an MCT trainer, I can thoroughly recommend
TrainSignal because they provide practical hands on
training. In particular, I like the way that TrainSignal cover all learning methods, instructor lead, video and of course text material. You can either take one module, for example Active Directory or go for
a combination of modules.
See more about Active Directory training
ADSI
Edit Example - To change the Display Name
This example has all the ingredients for learning about ADSI Edit namely, planning, attention to detail and a real life scenario where there is no other way of configuring the settings. Our objective is to
change the display from: First Name, Last Name to: Last Name, First Name. From the outset, let us be clear which field we are changing.
Our mission is to change the first field in Active Directory Users and Computers, the column called 'Name' and not the 'Display Name' or 'Description' column. (Although you could change those too, but that would
be a separate project.) The above diagram shows the final result, let us see how we achieve this goal.
- Launch ADSI Edit and make sure you start at the Configuration container.
- Next it's CN=Configuration, Display Specifies. CN=409 means English sort order (not Spanish or Arabic).
- What we want is the user-Display Properties, the crucial attribute is createDialog (not description).
- Now it took me four tries before I perfected the string value:
%<sn>, %<givenName>
Here are my mistakes:
Learn from what I did wrong, or you will be destined to suffer my frustration: %<sn>, % <givenName>. I exaggerated
the gap, but please note that there should be no space between the % and the smaller than bracket <. My most infuriating
mistake was troubleshooting <givenname> At first, I had no idea that Active Directory required the case sensitive <givenName>. Learning Points1) As ADSI Edit uses 'raw'
mode there is no error checking, therefore, do remember what I said about paying attention to detail. My point is that ADSI Edit is not a tool for a beginners in general, and gung-ho beginners in
particular. 2) The good news is that if you go back to Active Directory Users and Computer and create another user, you will see immediately the effect of editing
createDialog. 3) Do experiment with other settings, for example, user-display properties, description attribute. Good NewsIf you are upset that existing users are not affected by
this change, then get a copy of ADModify and with a few clicks you can display the 'Name' column as LastName, Firstname. Would like more
examples of ADSI Edit? See here
 Guy
Recommends: A Free tool from SolarWinds: Config Generator
Config Generator (CG) is a free tool, which puts you in charge of
controlling changes to network routers and other SNMP devices.
Boost your network performance by activating network device features
you've already paid for.
Guy says that for newbies the biggest benefit of this free tool is that
it will provide the impetus for you to learn more about configuring the SNMP
service with its 'Traps' and 'Communities'. This is a brand new free utility which Solarwinds released on January 26th
2010.
Download your free copy of the Config Generator
Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top Windows Server 2003 techie before they have explored the Domain and Configuration partitions with
ADSI Edit. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. While ADSI Edit is not Microsoft's most difficult tool, you have to be careful as there is no error checking.
See Also●
Authoritative Restore
● Windiff ●
ESEutil ●
NTDSUtil
●
Performance Monitor Tool
|
