Hands on with Windows Server 2008 R2: Admin tools

New PowerShell cmdlets let you manage Active Directory quickly and efficiently

Development on Windows Server 2008 R2 proceeds apace. And in addition to DirectAccess and other features I've already written about, with today's announcement of the newest Windows Server 2008 release candidate there are numerous other important improvements in administrative usability in Windows Server 2008 R2.

I'll take a look at several in this piece, including:

  • New PowerShell cmdlets that let you manage Active Directory quickly and efficiently
  • A new AD administrative console that exposes the power of those cmdlets to more graphically oriented users
  • How to deploy BranchCache, a WAN caching technology, in your Windows 7/Windows Server 2008 environment

Managing Active Directory through PowerShell

PowerShell now comes with an Active Directory Domain Services (AD DS) module that introduces over 75 Active Directory cmdlets. From a script or the new Graphical PowerShell user interface, you can perform routine administrative tasks on your Active Directory forests, domains, trees and so on.

Best of all, the tab-completion function (where Windows thinks about what you're typing and suggests completions for your current context when you hit the Tab key) works as you'd expect and is a useful feature.

Active Directory module for PowerShell

Windows Server 2008 R2 now includes an Active Directory module for PowerShell.


Here are some common commands:

  • To load the AD DS module, use Add-Module ActiveDirectory, then Get-Module to confirm it is loaded
  • To get information about a domain, use Get-ADDomain domain_name
  • To display information about domain controllers in a specific domain, use Get-ADDomainController -Discover
  • To browse a specific domain, with results neatly formed in a table, "change directory" into AD via Cd AD: and then use the following series of commands:

    PWD
    DIR | Format-Table -Auto
    CD "DC=domain_name,DC=TLD"
    DIR | ft -a

  • To create a new organizational unit within a domain, use the following command:

    New-ADOrganizationalUnit -Name "International" -Path "DC=domain_name,DC=TLD"

  • To delete the organizational unit you created in the previous step, use the following series of commands, one to allow the organizational unit to be deleted and the other to actually perform the removal:

    Set-ADOrganizationalUnit International -ProtectedFromAccidentalDeletion $False
    Remove-ADOrganizationalUnit International
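The create/unprotect/remove sequence above is the point where accidental-deletion protection matters, so here is an added example (not from the article) that audits a domain for OUs with the protection switched off and wraps the deletion in a guarded function. It assumes the RTM module name (Import-Module; the release candidate used Add-Module) and a placeholder domain DN.

```powershell
# Added example (not from the article): audit accidental-deletion protection
# on OUs and wrap the create / unprotect / remove sequence in a guarded function.
# Assumes the RTM cmdlet set (Import-Module; the RC used Add-Module) and a
# placeholder domain DN; run it as an account with rights on those OUs.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'   # placeholder: replace with your domain's DN

# Report every OU whose ProtectedFromAccidentalDeletion flag is off. The flag is
# really a Deny "Delete" / "Delete Subtree" ACE for Everyone, so an OU without it
# can be removed by anyone who holds delete rights on the parent container.
function Get-UnprotectedOU {
    param([string]$SearchBase)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

# Put the protection back on an OU the audit found.
function Protect-OU {
    param([string]$DistinguishedName)
    Set-ADOrganizationalUnit -Identity $DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# The article's two-step delete, but it refuses to remove an OU that still
# holds child objects, so a typo in the DN cannot take users or computers with it.
function Remove-EmptyOU {
    param([string]$DistinguishedName)
    $children = @(Get-ADObject -Filter * -SearchBase $DistinguishedName -SearchScope OneLevel)
    if ($children.Count -gt 0) {
        throw "Refusing to remove ${DistinguishedName}: it still contains $($children.Count) object(s)."
    }
    Set-ADOrganizationalUnit -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $DistinguishedName -Confirm:$false
}

# Walk-through on a throwaway OU: create it protected, audit the domain
# (re-protecting anything found), then remove the throwaway OU safely.
New-ADOrganizationalUnit -Name 'International' -Path $domainDN -ProtectedFromAccidentalDeletion $true
Get-UnprotectedOU -SearchBase $domainDN | ForEach-Object {
    Write-Warning "Unprotected OU: $($_.DistinguishedName)"
    Protect-OU -DistinguishedName $_.DistinguishedName
}
Remove-EmptyOU -DistinguishedName "OU=International,$domainDN"
```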

The Active Directory Administrative Center

Along with the new set of PowerShell cmdlets comes a revised GUI interface for managing Active Directory Domain Services, called the Active Directory Administrative Center. This new console gives administrators the power to drill down into the computers, domain controllers, users, and other objects within AD DS forests and perform operations on them. A refreshed view gives pretty simple access to common tasks via a now-standard three-pane interface, shown here.

Active Directory Administrative Center management console

The Active Directory Administrative Center management console gives administrators the power to drill down into computers, domain controllers, users and other objects and perform operations on them.


This new console replaces the old Active Directory Users and Computers interface that's been around since Windows 2000, and what's interesting about it is that it's built on the new cmdlets, like some administrative console tools in Microsoft's other server products -- including Exchange, System Center, Small Business Server and so on. A feature called "Progressive Disclosure" allows high-level administrators to restrict the information that the tool returns to its user. Clearly, this could be useful for organizations that make heavy use of permission delegation.

Setting up BranchCache

BranchCache extends some of the improvements made in Windows Server 2003 R2 and Windows Server 2008 by caching downloaded information from the Web and intranet sites within a branch office the first time it is requested. This is, of course, most effective when users at a remote location frequently download similar information among themselves. Since branch offices often operate on lower-speed Internet links, user productivity is improved as the day goes on since more and more files are present within the cache.

A costly upgrade to Windows 7 is required for clients to take advantage of WAN caching technology, but the good news is that a few seconds at the command line and a couple of GPOs later, you have increased the efficiency of your remote links significantly.

Essentially, BranchCache works like a big file cabinet, storing a copy of retrieved content (identified and selected by an administrator, of course) within the local branch office network. When other clients on the same network request this content, the client does a quick check to make sure its local, cached copy is equivalent to the live copy at the head office, and, if so, serves up that copy to its client colleague over the faster LAN.

Content can be web-based (HTTP) or typical files and folders (SMB), can be configured to work over SSL or IPSec-encrypted connections, and all security is maintained through an authorization process controlled by the host servers, not the "mini servers" holding the cache in the remote office.

In a demo, a document was downloaded over a 512 KB connection, taking about 30 to 45 seconds. After the cache, when another user in the same site requested that information, the transfer was nearly instantaneous. BranchCache works not only with a branch office server but also on a peer-to-peer basis among Windows 7 clients in the same location.

There are essentially two ways to deploy BranchCache:

  • Dedicating a machine at a remote office to serve cached content. This is more appropriate for larger companies with good-sized branch offices, with both the resources and administrative expertise to care for a server-class machine in remote locations. This is the most secure configuration as well.
  • Using peer caching among all clients in a remote office. This is the best fit for very small offices in businesses that don't have the time or resources to manage servers in various locations. Essentially this makes each client a cache server, hearkening to the days of peer-to-peer networking. Still, it's a cost effective solution assuming all clients are running Windows 7.

Here's how to set up BranchCache in HTTP caching mode:

1. Open Server Manager.

2. Click Features, and then Add Features.

3. Check Windows Branch Cache and then click the Install button.

4. Once BranchCache is installed, enable the server mode by opening a command prompt and typing netsh branchcache set service mode=HOSTEDSERVER.

5. Next, check out the name you need to configure the client computers to look for by entering PowerShell and issuing the following commands:

    CD Cert:
    CD LocalMachine
    CD MY
    Get-ChildItem | Format-List *
    exit

6. Write down the string that is in the Subject field of the on-screen display.

7. Next, set up a Group Policy object by opening the Group Policy Management Console, navigating to Forest\Domains\Domain\Group Policy Objects, and then adding a new GPO named BranchCache GPO and clicking OK.

8. Right-click the new GPO you created, and select Edit from the pop-up context menu.

9. In the Group Policy Editor, go to Computer Configuration/Policies/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/Network/BranchCache.

10. Set up the following configuration:

  • Turn on Branch Cache: Enabled
  • Set BranchCache Hosted Cache mode: Enabled
  • Set BranchCache Hosted Cache mode/Location: SERVER (the value you wrote down earlier).

Microsoft's BranchCache

BranchCache helps performance by caching downloaded information from the Web and intranet sites within a branch office the first time it is requested.


11. Next, we have to allow the Windows Firewall on all involved computers to let BranchCache connections in. In the Group Policy Editor, go to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Inbound Rules.

12. On the Action menu, click New Rule.

13. Create a new inbound rule using these values:

a. Rule Type: Predefined: Peer Distribution -- HTTP Transport (Uses HTTP)

b. Action: Allow the connection

14. On the Action menu, click New Rule.

15. Create a new inbound rule using these values:

a. Rule Type: Predefined: Peer Distribution -- Hosted Cache (Uses HTTP)

b. Action: Allow the connection

16. Finally, we have to work the other way and let Windows Firewall accept outbound BranchCache connections as well. In the Group Policy Editor, go to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Outbound Rules.

17. On the Action menu, click New Rule.

18. Create a new outbound rule using these values:

a. Rule Type: Predefined: Peer Distribution -- HTTP Transport (Uses HTTP)

b. Action: Allow the connection

19. On the Action menu, click New Rule.

20. Create a new outbound rule using these values:

a. Rule Type: Predefined: Peer Distribution -- Hosted Cache (Uses HTTP)

b. Action: Allow the connection

BranchCache is configured for HTTP caching now. To check the status of the cache, use the following command at a command prompt to display the amount of data stored in the hosted cache: Netsh branchcache show status all
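Step 5 and the closing status check are the two places where a misconfiguration shows up first, so here is an added example (not from the article) that picks the certificate the hosted cache server will present, flags one that is expired or has no private key, prints the CN that belongs in the GPO's Location value, and then runs the status and firewall checks. It assumes it runs elevated on the hosted cache server and that the predefined firewall rules carry the "Peer Distribution" names the article uses.

```powershell
# Added example (not from the article): find the certificate the hosted cache
# server will present, flag one that is unusable, and print the CN that goes into
# the GPO "Location" value. Assumes it runs elevated on the hosted cache server.
function Get-HostedCacheCertificate {
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |      # the server must hold the private key
        Sort-Object NotAfter -Descending |
        ForEach-Object {
            # Subject looks like "CN=cache01.example.com, OU=..., O=..."; keep the CN only.
            $cn = (($_.Subject -split ',')[0]).Trim() -replace '^CN=', ''
            New-Object PSObject -Property @{
                CommonName = $cn
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Usable     = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
            }
        }
}

$certs = @(Get-HostedCacheCertificate)
$certs | Format-Table CommonName, Thumbprint, NotAfter, Usable -AutoSize

$usable = @($certs | Where-Object { $_.Usable })
if ($usable.Count -eq 0) {
    Write-Warning 'No valid certificate with a private key in LocalMachine\My; enroll one before clients will trust the hosted cache.'
} else {
    # Clients compare this name against the GPO value and must also trust the issuing CA.
    Write-Host "Hosted Cache Location for the GPO: $($usable[0].CommonName)"
}

# Confirm the service mode and what is in the cache (the article's closing check),
# then confirm the predefined firewall rules exist. The "Peer Distribution" rule
# names are the ones the article uses and are assumed here; they may differ in your build.
netsh branchcache show status all
netsh advfirewall firewall show rule name=all | findstr /i "Peer Distribution"
```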

The last word

Some of the more interesting improvements present in the publicly available release candidate build of Windows Server 2008 include new support for administering Active Directory via PowerShell and a new GUI that replaces the ancient and decrepit administrative tool that's been with us for the last decade.

As development on Windows Server 2008 R2 continues, there are sure to be more features you'll be able to test in your own environment. Stay tuned for more.

Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include a variety of books on Windows client and server, including Learning Windows Server 2003. His work appears regularly in such periodicals as Windows IT Pro magazine, PC Pro and TechNet Magazine. He also speaks worldwide on topics ranging from networking and security to Windows administration. You can reach Jon at jhassell@sunvalleygp.com.
