Step-by-Step: How to use Active Directory PowerShell cmdlets against 2003 domain controllers
Irish Soda Bread with Guinness Reduction Dip. Doesn't that sound good? It makes my mouth water just thinking about it. Recently I used my frequent flier points to take the family to Disney, and the best food we ate all week was at the Raglan Road Irish Pub in Downtown Disney. We liked the bread and dip so much that our waitress, Wendy, explained that we could email the company for the recipe. So we did! Now this recipe had some ingredients that I wasn't familiar with, and when I made it at home it didn't quite match the experience back at the pub. But who can complain when it has Guinness in it.
This is a lot like guidance from TechNet articles. Sometimes they call for odd "ingredients" that you have to hunt and download, and then the result is not always what you expected. Sometimes finding the right article on TechNet is like being down on your hands and knees crawling through grandma's yard looking for a four leaf clover.
This blog post is all about giving you the exact steps and removing the mystery from the process, so that you can use the Active Directory PowerShell cmdlets in your 2003 environment today. It may look like a lot of steps, but you can get this done in less than an hour. (This same process should work for 2008 (pre-R2) DCs as well, just read the ADMGS guide and hotfixes for the specifics.)
Recipe: AD PowerShell cmdlets on 2003 DCs
Ingredients:
Instructions:
Step 1: Gather the Ingredients
Go download all of these files and hotfixes first: (Note that the hotfix downloads are a little tricky. They require you to study the KB article to find a link, and then you have to do an email dance to get the files and a password.)
- Remote Server Administration Tools (RSAT) for Windows 7 (~220MB)
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
- Active Directory Management Gateway Service (ADMGS) (Active Directory Web Service for Windows Server 2003 and Windows Server 2008) and Install Guide (<1MB)
https://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=008940c6-0296-4597-be3e-1d24c1cf0dda
- Microsoft .NET Framework 3.5 Service Pack 1 (2.8MB)
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab99342f-5d1a-413d-8319-81da479ab0d7
- KB969166 - A hotfix rollup package for Active Directory Web Service is available for the .NET Framework 3.5 SP1 (<1MB)
https://support.microsoft.com/kb/969166
- KB969429 - Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers (<1MB)
https://support.microsoft.com/kb/969429
- KB967574 - Windows 7 clients cannot locate the Active Directory Management Gateway Service installed on Windows Server 2008-based domain controllers (<1MB)
https://support.microsoft.com/kb/967574
Read over the ADMGS install guide.
Step 2: Build Your 2003 Forest
I did this in the lab first. This is safer than going straight to production. Labbing it gives you a chance to make mistakes in a safe environment. The installs are all proven, but there is always room for a "user moment" in production. Nothing in these steps should damage a production server, since we are only adding functionality.
- Install 2003 SP2 in your lab.
- Run DCPROMO and create a test AD forest. (RaglanRoad.Pub would be a spectacular domain name.)
- Install .NET 3.5.1.
- Install hotfix KB 969166.
- Install hotfix KB 969429. (Or KB967574 if you're running 2008 RTM or 2008 SP1.)
- Install the appropriate version of ADMGS KB 968934.
- Go to Services and observe that the Active Directory Web Service is now installed and started.
Note that we are not installing PowerShell on the 2003 server. Even if we did we couldn't run the AD cmdlets from there, because they are only supported on Windows Server 2008 R2 or Windows 7. You're welcome to install PowerShell 2.0 for other purposes.
Step 3: Build Your Admin Workstation
- Install Windows 7 in your lab. (2008 R2 Server will also work.)
- Join it to the new 2003 AD domain.
- Install the appropriate version of Windows 7 RSAT.
- Add these Windows 7 RSAT features bolded below (Control Panel, Programs, Turn Windows features on or off):
- Remote Server Administration Tools
  - Role Administration Tools
    - AD DS and AD LDS Tools
      - Active Directory Module for Windows PowerShell
      - AD DS Tools
        - Active Directory Administrative Center
        - AD DS Snap-ins and Command-line Tools
Step 4: Kick Up Your Heels
- Go to the PowerShell Console on your Windows 7 workstation (Click Start, type "Power"; or find it under Accessories).
- Type "Import-Module ActiveDirectory"
- Gaze gleefully at the green zipper zipping across the screen.
- Type "Get-ADForest". (You may need to use the -server parameter if other 2003 DCs in your environment do not have ADMGS installed yet.)
- Dance your favorite Irish jig.
- As a side benefit you can now use the new Active Directory Administrative Center (ADAC) against the 2003 DC. Give it a try.
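The -Server note in Step 4 matters whenever only some DCs have ADMGS installed. The script below is an added example, not part of the original post: it lists the domain's DCs over LDAP, checks which ones answer on TCP 9389 (the port the Active Directory Web Service listens on), and points Get-ADForest at the first one that does. The helper name Test-TcpPort and the 2-second timeout are assumptions chosen for illustration.

```powershell
# Added example: find the DCs that expose ADWS, then target the AD cmdlets at one of them.
# Assumes a domain-joined Windows 7 / 2008 R2 machine with RSAT installed (PowerShell 2.0).

# Hypothetical helper: TCP connect test with a timeout (PowerShell 2.0 has no Test-NetConnection).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$AdwsPort = 9389   # TCP port used by the Active Directory Web Service

# Enumerate DCs through .NET (LDAP), which works even where ADWS is not installed.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$results = foreach ($dc in $domain.DomainControllers) {
    New-Object PSObject -Property @{
        Name   = $dc.Name
        OS     = $dc.OSVersion
        AdwsUp = Test-TcpPort -ComputerName $dc.Name -Port $AdwsPort
    }
}
$results | Sort-Object Name | Format-Table Name, OS, AdwsUp -AutoSize | Out-Host

# Use the first DC that answered; without -Server the cmdlets may pick a DC without ADWS.
$target = $results | Where-Object { $_.AdwsUp } | Select-Object -First 1
if ($target) {
    Import-Module ActiveDirectory
    Get-ADForest -Server $target.Name
} else {
    Write-Warning "No domain controller answered on TCP $AdwsPort; install ADMGS on at least one DC."
}
```

A DC that shows AdwsUp as False either lacks ADMGS or has the port blocked between it and the workstation.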
You are now ready to leverage all of the PowerShell AD cmdlets against your 2003 environment. You no longer have to be green with envy towards the fancy pants 2008 R2 DCs running PowerShell support. Unleash the code!
Mmmm mmm. Smell that? PowerShell goodness straight from the oven! Just save some of the Guinness dip for me.
To learn more about AD Web Services read the TechNet article here:
https://technet.microsoft.com/en-us/library/dd391908(WS.10).aspx
Comments
- Anonymous
March 21, 2011
The comment has been removed
- Anonymous
March 22, 2011
Hi Tom, A couple questions to clarify:
- Which OS and service pack level are you installing on?
- What prerequisite does it specifically say you are missing?
- Are you running the correct install for your OS and CPU (i.e. 2003 32 bit, etc.)?
Please reply. Thanks, Ashley
- Anonymous
March 22, 2011
sounds good but I'm trying to learn how to compute in this world. I'm illiterate about this business, & am trying to figure out this power shell stuff that just showed up on my computer. Old, slow fogey trying to adapt to a computer world. R.
- Anonymous
March 25, 2011
Seems like a few folks are running into the "missing prerequisite" issue. I know this sounds simple, but if you go through the steps in the exact order listed everything should work. The order does matter. Also, you can try following the steps outlined in the ADMGS Install Guide one at a time. They are the same steps, but sometimes it helps to see them from a different angle. Let me know if you're still having issues after trying this. Ashley
- Anonymous
April 28, 2011
I ran into the "missing prerequisite" issue, and it was because I did not reboot after installing 969429 (even though that install does request it). After a reboot, ADWS then installed fine. For clarity, it may be worth adding this as a (required) step at that time. Otherwise, great article, simple and very helpful. Much appreciated.
- Anonymous
July 10, 2012
I really liked your article but ... it doesn't work :-(
- Anonymous
January 29, 2014
Very helpful stuff..thanks
- Anonymous
June 15, 2014
Works like a charm.. Sir thank you so much.. greatly appreciate this article.. rarely we find clean ones like this.
- Anonymous
July 04, 2014
Wow I had no idea this was possible on Server 2003! How many years have I been suffering with no AD powershell! A bit too late to only just discover it now but hey, maybe it will help with our Server 2003 migration!
I was led here by this technet article from a colleague of yours http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx but I was failing on the pre-req error (turns out it was the .Net rollup)
Thanks
@thommck
- Anonymous
August 25, 2014
All I am still unable to use powershell command on my computer. I have gone through these steps, but AMGS does not get fully installed.. It just flashes so quick and fast that I don't see anything.
Can someone please help me. I need to run the report quickly.
thanks
- Anonymous
August 29, 2014
I followed this post and successfully installed the but some commands can not work as expected. For example: Get-ADDefaultDomainPasswordPolicy: can not find an object with identity....
So I can not query the max password age of the domain password policy. Anyone can help?
- Anonymous
September 05, 2014
@liana30, can you provide more details of your situation? You can use the link at the top right to email me directly.
@NamTQ, could you post more details of your error? In the meantime you can try the old way "net accounts /domain".
- Anonymous
October 13, 2014
Ashley, this article is faultless & incredibly explanatory. Thank you.
- Anonymous
October 29, 2014
Welcome! Today’s post includes demo scripts and links from the Microsoft Virtual Academy event: Using PowerShell for Active Directory. We had a great time creating this for you, and I hope you will share it with anyone needing to ramp up their
- Anonymous
November 24, 2014
Microsoft premier field engineer (PFE), Ashley McGlone, discusses the Active Directory PowerShell cmdlets.
- Anonymous
December 16, 2014
Hi,
Thanks for sharing the information. It was great.
Can I ask you a few quick questions?
I want to manage my 2003 SP2 by running powershell scripts on win2008 R2. Will the steps provided by you accomplish the task?
Are LDAP and ADWS in some way connected?
Will the working of my present DC with LDAP get hampered or restricted in any way?
Please help!!
- Anonymous
December 16, 2014
The comment has been removed
- Anonymous
December 18, 2014
Hi Jay,
Glad I could help. :D Enjoy your new skills. You might also find these videos helpful: http://aka.ms/MVAPSAD
Ashley
GoateePFE
- Anonymous
December 23, 2014
I cannot recommend that series enough. I just went through it and it is a phenomenal resource to use to get your "old ways" up to speed with the "new ways".
- Anonymous
January 02, 2015
Hello Harshit,
I have answered your questions in the opening video in this series: http://aka.ms/mvapsad
Let me know if you have further questions.
Ashley
GoateePFE
- Anonymous
May 18, 2017
My 2003 domain A, is a trusting domain. My 2012R2 domain B trusts 2003. What permissions does a user in domain B need to be able to use Active Directory Web Services and query domain A? My Domain B user, is able to browse LDAP for domain A, but gets an error when retrieving objects through an AD cmdlet:
Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
- Anonymous
January 09, 2018
The comment has been removed
- Anonymous
January 17, 2018
Hi Ashley, What is the best way to learn power-shell for a beginner?