The ADSI Edit snap-in, which is included in the Support Tools pack, is a tool that provides "low-level" access to Active Directory. It allows you to perform the following operations:
Connect to any directory partitions (including application partitions).
Connect directly to any Active Directory object using its distinguished name.
View, move, rename, and modify any attribute of any object.
Tune security settings down to a single attribute.
Perform a query through a whole domain tree and save it.
Create and delete objects of any type.
Connect to Global Catalog servers.
The newly installed ADSI Edit snap-in is configured for work with three Active Directory namespaces (contexts, or partitions):
Domain (DC=domainName, DC=com)
Configuration (CN=Configuration, DC=domainName, DC=com)
Schema (CN=Schema, CN=Configuration, DC=domainName, DC=com)
The first namespace is replicated among all DCs that belong to the same domain. The other two are replicated over every DC in the domain tree.
The ADSI Edit snap-in allows you to connect to any application directory partitions. There are two default (built-in) application partitions that can be created on a DC and used by the DNS server installed on the same DC (see Chapter 3, "Domain Name System (DNS) as Main Naming Service"):
ForestDnsZones (DC=ForestDnsZones, DC=domainName, DC=com)
DomainDnsZones (DC=DomainDnsZones, DC=domainName, DC=com)
There is one more object the ADSI Edit snap-in can connect to: RootDSE.
Note that the Windows 2000 version of ADSI Edit only shows the informational (LDAP) attributes of the RootDSE object. Operational (system-specific) attributes, such as isSynchronized or isGlobalCatalogReady, are not accessible. The Windows .NET version of the tool displays all RootDSE attributes.
You can also add the standalone ADSI Edit snap-in to any MMC console opened in author mode. In this case, it is added without any connection. If you create your own MMC console, you also get the Favorites tab, which can be very helpful when working with multilevel tree structures and various Active Directory objects (all of which have very long LDAP names).
To make a new connection, point to the root node in the tree pane and select the Connect to command from the context menu. Enter any string you want in the Name field and specify the distinguished name of an object, or select a predefined namespace from the Naming Context list (Fig. 7.25). You may also enter a domain or server name different from the default one.
Fig. 7.25: Connecting to a namespace
You can also create a connection to any object while browsing through the object tree. Point to an object and select New Connection from here in the context menu. All new connections are saved upon exit from the snap-in.
In the Advanced window (click Advanced in the Connection window) you can specify alternative credentials, a port number, or choose the protocol: LDAP or Global Catalog. To view or modify the current properties of a connection, select the Settings command from the context menu for this connection. Any connection may be deleted with the Remove command.
Let us see how to work with the ADSI Edit snap-in in the following two examples, which contain some tips that may be useful for an administrator.
Using the example of the showInAdvancedViewOnly attribute (see the "Advanced Features Mode" section), let us discuss how to locate attributes of an Active Directory object and modify their values.
Suppose we would like to hide the Builtin container from browsing. Point to it in the tree pane of the ADSI Edit snap-in and click Properties on the toolbar. In the opened window, the Attributes pane (in Windows 2000 — the Select a property to view drop-down list) contains all attributes of the selected object. You can quickly locate an attribute in the list by typing in the first few characters of the attribute's name (Fig. 7.26).
Fig. 7.26: Finding and editing an attribute of an Active Directory object
When the attribute has been selected, select True in the Boolean Attribute Editor window and click OK, then Apply. (In Windows 2000, enter the new value TRUE, or true — it does not matter — into the Edit Attribute field and click Set, then Apply.) To delete the value of an attribute, click either Clear or Not set. If the attribute is multi-valued, select a value and click Remove.
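The same operation done through ADSI from PowerShell, as an added example that is not part of the book's text: a small function that sets or clears one attribute on any object and re-reads it for verification, applied here to showInAdvancedViewOnly on the Builtin container. The function name is made up for this example; it assumes a domain-joined machine and a caller with write permission on the attribute.

```powershell
# Added example (not from the book). Sets or clears one attribute on any
# Active Directory object through ADSI, the interface ADSI Edit itself uses.
# Assumes: domain-joined machine, caller has write permission on the attribute.
function Set-AdsiAttribute {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Attribute,
        $Value                      # $null clears the attribute (the Clear button)
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $prop  = $entry.psbase.Properties[$Attribute]
    $old   = if ($prop.Count -eq 0) { "<not set>" } else { $prop.Value }
    if ($null -eq $Value) { $prop.Clear() } else { $prop.Value = $Value }
    $entry.psbase.CommitChanges()             # same as clicking Apply
    # Re-read from the DC rather than trusting the local property cache.
    $entry.psbase.RefreshCache(@($Attribute))
    $new = $entry.psbase.Properties[$Attribute]
    [pscustomobject]@{
        Object    = $DistinguishedName
        Attribute = $Attribute
        Before    = $old
        After     = if ($new.Count -eq 0) { "<not set>" } else { $new.Value }
    }
}

$domainNc = ([ADSI]"LDAP://RootDSE").defaultNamingContext   # e.g. DC=net,DC=dom
# Hide the Builtin container from the normal view (True in the Boolean Attribute Editor).
Set-AdsiAttribute -DistinguishedName "CN=Builtin,$domainNc" -Attribute showInAdvancedViewOnly -Value $true
# Undo it: clearing the value is the equivalent of the Clear / Not set button.
Set-AdsiAttribute -DistinguishedName "CN=Builtin,$domainNc" -Attribute showInAdvancedViewOnly -Value $null
```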
This example shows how to modify the schema by using ADSI Edit.
By default, you cannot create a new object of the Container type using the Active Directory Users and Computers snap-in. Sometimes it may be useful to have such an option for organizing directory objects. (You might also wish to enable the creation of any other object types.) To create this option, it is necessary to modify the schema.
If you have not yet connected to the schema name context, do so now.
Open the schema folder and find the container class (CN=Container).
In the Properties window, select the optional defaultHidingValue attribute (the default value is TRUE).
Set the value to False, then click Apply and OK.
Point to the Schema node and select Update Schema Now from the context menu.
If the schema cache has been updated successfully, open the Active Directory Users and Computers snap-in (restart it if it is already open) and check that the container object has appeared in the Action | New menu.
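The five steps above as one ADSI script, added here as an example and not taken from the book. It binds to the schema master explicitly, because only that DC accepts writes to the schema partition, and it assumes the caller is a member of Schema Admins.

```powershell
# Added example (not from the book): the schema change described in the steps above,
# done through ADSI. Assumes: caller is a Schema Admin; the script binds to the schema
# master because the schema partition is writable only on that DC.
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name
$rootDse      = [ADSI]"LDAP://$schemaMaster/RootDSE"
$schemaNc     = $rootDse.schemaNamingContext        # CN=Schema,CN=Configuration,DC=...

# Step 2: locate the classSchema object for the Container class.
$containerClass = [ADSI]"LDAP://$schemaMaster/CN=Container,$schemaNc"
"defaultHidingValue before: {0}" -f $containerClass.psbase.Properties["defaultHidingValue"].Value

# Steps 3-4: FALSE makes "New | Container" available in Active Directory Users and Computers.
$containerClass.psbase.Properties["defaultHidingValue"].Value = $false
$containerClass.psbase.CommitChanges()

# Step 5: "Update Schema Now" is a write of schemaUpdateNow=1 to RootDSE; the DC
# reloads its schema cache immediately instead of waiting for the periodic refresh.
$rootDse.Put("schemaUpdateNow", 1)
$rootDse.SetInfo()

# Verify the new value from the directory, not from the local property cache.
$containerClass.psbase.RefreshCache(@("defaultHidingValue"))
"defaultHidingValue after:  {0}" -f $containerClass.psbase.Properties["defaultHidingValue"].Value
```

Other DCs pick up the change through normal replication, so the Active Directory Users and Computers check in step 6 may succeed on the schema master before it does elsewhere.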
A query in the ADSI Edit snap-in is a custom template for displaying only the desired objects in the tree pane. (This is analogous to saved queries in the Active Directory Users and Computers snap-in.) It makes working with large numbers of objects, or with objects spread across different Active Directory containers, simpler. Queries can be created in any Active Directory namespace (partition), but remember that since a namespace belongs to a specific domain, queries work within the borders of one domain only.
Let us create a query for all published folders. Point to the node related to the domain context and select the New | Query command in the context menu. Give the new query any name you like (Fig. 7.27) and click Browse to define a container — the root of the search. In our case, it will be the root domain (net.dom).
Fig. 7.27: This window contains the parameters necessary for creating a custom query
The next step is to define the query itself. You can either directly enter a query in the Query String field or click Edit Query and start the wizard that helps to create a custom filter (see the "Filter Options" section, Fig. 7.13). The generated string is displayed in the Query String field. (Remember the limitations of custom filters!)
To see all folders, you must specify the Is present option (the "*" character) for the folder name. Select the appropriate query scope — Subtree Search or One Level Search.
An example of the resulting display is shown in Fig. 7.28. Notice (in the Distinguished Name column) that the selected folders are related to different OUs in the same domain. This means that you have really searched the entire domain.
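The same "all published folders" query issued through ADSI, as an added example that is not from the book. Published (shared) folders are objects of class volume, so the filter the Edit Query wizard builds is reproduced directly; the function name is made up, and the base DN defaults to the current domain as in the net.dom example.

```powershell
# Added example (not from the book): the "all published folders" query as a
# DirectorySearcher call. Published (shared) folders are objects of class volume.
# Assumes: domain-joined machine; the base DN defaults to the current domain.
function Find-PublishedFolders {
    param(
        [string] $BaseDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext,
        [ValidateSet("Subtree", "OneLevel")] [string] $Scope = "Subtree"
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDn")
    # Same filter the Edit Query wizard produces for object type Shared Folder
    # with "Is present" (*) for the name.
    $searcher.Filter      = "(&(objectCategory=volume)(cn=*))"
    $searcher.SearchScope = $Scope            # Subtree Search or One Level Search
    $searcher.PageSize    = 1000              # paged results: no 1000-object ceiling
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "uNCName", "distinguishedName"))
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties["distinguishedname"][0]
        [pscustomobject]@{
            Name   = [string]$r.Properties["cn"][0]
            Share  = [string]$r.Properties["uncname"][0]
            # Parent container = DN with the first RDN removed (escaped commas kept).
            Parent = $dn -replace '^CN=(?:\\.|[^,\\])*,', ''
            DN     = $dn
        }
    }
}

# A subtree search covers the whole domain; the Parent column shows the folders
# belong to different OUs. Compare with a one-level search of the domain root.
$all = @(Find-PublishedFolders)
$all | Format-Table Name, Share, Parent -AutoSize
"Subtree: {0} folders in {1} containers; OneLevel: {2}" -f $all.Count,
    @($all.Parent | Sort-Object -Unique).Count, @(Find-PublishedFolders -Scope OneLevel).Count
```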
Fig. 7.28: The query that allows you to work with all published folders in the whole domain forest
All queries are saved when the snap-in closes and refreshed when it loads. You can refresh the contents of a query at any time. To edit a query, select Settings from the query's context menu.
Using the ADSI Edit snap-in, you can create Active Directory objects of any type. However, it can hardly be recommended that you do so, because of a high probability of errors with object attributes: you must be familiar with the meaning of all mandatory and optional attributes and their valid values. Using the "standard" administrative snap-ins and tools is much more preferable.
If, nevertheless, you do decide to create an object manually, point to the desired object in the tree pane and select the New | Object command. The wizard will start and ask you for all required values. The list of possible new objects depends on the type of object selected initially. (See also "Extending the Schema" in Chapter 16, "Active Directory Service Interfaces (ADSI).")
Being able to work directly with a global catalog (GC) server may be helpful while troubleshooting the problems related to GC replication. You can connect to different GC servers and compare the values of stored attributes (see also the description of DsaStat.exe in Chapter 11, "Verifying Network and Distributed Services"). You can also verify the representation of attributes in a GC. (This process can be controlled via the Active Directory Schema Manager snap-in, see the next section.)
Only some of Active Directory object's attributes are presented in Global Catalog. When you have enabled/disabled replication of an attribute to Global Catalog, you may wish to use the ADSI Edit snap-in to verify the presence of this attribute on a GC server.
In general, the procedures for working with Global Catalog are the same as described above. The only difference is that you must select the Global Catalog protocol in the Advanced window when creating a connection to an Active Directory naming context (partition). Note that it is impossible to create new objects in Global Catalog.
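The GC comparison described in this section as a script, added here as an example and not from the book: it reads one attribute of one object from every global catalog in the forest over the GC port (3268, the Global Catalog protocol choice in the Advanced window) and reports where the value is missing or differs. The function name and the user DN are placeholders made up for the example; it assumes a domain-joined machine with LDAP access to the GCs.

```powershell
# Added example (not from the book): read one attribute of an object from every
# global catalog in the forest over port 3268 and report where it is missing or
# differs. Assumes: domain-joined machine with LDAP access to the GCs.
function Compare-GcAttribute {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Attribute
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($gc in $forest.GlobalCatalogs) {
        # Port 3268 = the "Global Catalog" protocol in the Advanced window.
        $root     = [ADSI]"LDAP://$($gc.Name):3268/$DistinguishedName"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.SearchScope = "Base"
        $searcher.Filter      = "(objectClass=*)"
        [void]$searcher.PropertiesToLoad.Add($Attribute)
        try {
            $hit    = $searcher.FindOne()
            $values = if ($hit) { @($hit.Properties[$Attribute.ToLower()]) } else { @() }
            if (-not $hit)                { $state = "object not found on this GC" }
            elseif ($values.Count -eq 0)  { $state = "attribute not in partial attribute set" }
            else                          { $state = ($values | ForEach-Object { "$_" }) -join "; " }
        } catch {
            # A DN that does not exist on this GC raises "no such object" here.
            $state = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ GlobalCatalog = $gc.Name; Value = $state }
    }
}

# Placeholder DN: a user's department as seen by each GC. Rows that differ point at
# replication lag, or at a GC that has not yet received a newly GC-enabled attribute.
$results = @(Compare-GcAttribute -DistinguishedName "CN=John Smith,OU=Sales,DC=net,DC=dom" -Attribute department)
$results | Format-Table -AutoSize
if (@($results | Sort-Object Value -Unique).Count -gt 1) { "Values differ between global catalogs" }
```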