(2011-12-12) The Active Directory Web Service (ADWS)
Posted by Jorge on 2011-12-12
Windows Server 2008 R2 (W2K8R2) introduces a new service called the “Active Directory Web Service (ADWS)” to support remote management of running directory services through the WS-* protocols. The AD PowerShell Module (also see: Active Directory Administration with Windows PowerShell and Active Directory Powershell Blog) and the Active Directory Administrative Center (ADAC) both require ADWS. The ADWS is installed automatically when either promoting a W2K8R2 server to a DC (both RWDC and RODC) or installing the first ADLDS instance on a W2K8R2 server. It also supports directory services instances loaded with DSAMAIN (only when on W2K8R2 and not on W2K8!). To find a W2K8R2 DC/server with the ADWS installed, the DC locator uses a special flag called “DS_WEB_SERVICE_REQUIRED”. The server where the AD PowerShell Module is being executed, or where the ADAC has been started, communicates with the DC/server that has the ADWS installed over TCP:9389.
Of course it is possible to have the RSAT installed on a Win7 workstation or W2K8R2 member server while your AD infrastructure is still running on W2K3 or W2K8. To support both scenarios Microsoft released an out-of-band version of the ADWS which can be downloaded from here.
–
To install the out-of-band version of the ADWS on W2K3 you must meet the following requirements:
- Operating system is at least W2K3 (R2) with SP2
- The following hotfix must be installed for .NET Framework 3.5 SP1 “A hotfix rollup package for Active Directory Web Service is available for the .NET Framework 3.5 SP1” (might already be included in .NET Framework 4.0)
- The following hotfix must be installed on the W2K3 (R2) DCs so that these understand the new DC Locator Flag “DS_WEB_SERVICE_REQUIRED”. “Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers”
–
To install the out-of-band version of the ADWS on W2K8 you must meet the following requirements:
- Operating system is at least W2K8 or W2K8 with SP2
- The following hotfix must be installed for .NET Framework 3.5 SP1 “A hotfix rollup package for Active Directory Web Service is available for the .NET Framework 3.5 SP1” (might already be included in .NET Framework 4.0)
- The following hotfix must be installed on the W2K8 DCs so that these understand the new DC Locator Flag “DS_WEB_SERVICE_REQUIRED”. “Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2008-based domain controllers” (is already included in SP2 for W2K8)
–
Figure 1: The Network Trace On A W2K8R2 DC Reporting It Supports The ADWS
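To check from a management host which DCs actually answer on the ADWS port, the following added example (not code from the original post) enumerates the DCs of the current domain over LDAP and tests TCP 9389 on each. The function name `Test-TcpPort` and the 2-second timeout are assumptions made for this example.

```powershell
# Added example: list the DCs of the current domain and test each for ADWS on TCP 9389.
# Enumeration goes through System.DirectoryServices (LDAP), so it still works
# when no DC is running ADWS and the AD PowerShell module cannot connect.
Add-Type -AssemblyName System.DirectoryServices

$AdwsPort  = 9389   # ADWS port, as stated in the post
$TimeoutMs = 2000   # assumed connect timeout for this example

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Give up if the connection is not established within the timeout
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$results = foreach ($dc in $domain.DomainControllers) {
    New-Object PSObject -Property @{
        DomainController = $dc.Name
        Site             = $dc.SiteName
        OSVersion        = $dc.OSVersion
        AdwsReachable    = Test-TcpPort -ComputerName $dc.Name -Port $AdwsPort -TimeoutMs $TimeoutMs
    }
}

$results | Sort-Object Site, DomainController |
    Format-Table DomainController, Site, OSVersion, AdwsReachable -AutoSize

# DCs that cannot serve the AD PowerShell module or ADAC from this host
$results | Where-Object { -not $_.AdwsReachable } | ForEach-Object {
    Write-Warning ("No ADWS listener reachable on {0}:{1}" -f $_.DomainController, $AdwsPort)
}
```

A DC reported as not reachable either has no ADWS installed or running, or a firewall between this host and the DC blocks TCP 9389.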
–
Additional information about the ADWS can be found through the following links:
- [MS-ADDM]: Active Directory Web Services: Data Model and Common Elements
- [MS-ADCAP]: Active Directory Web Services: Custom Action Protocol Specification
- What’s New in AD DS: Active Directory Web Services
- Active Directory Web Services Overview
- Active Directory Management Gateway Service released to web – manage YOUR Windows 2003/2008 DCs USING AD POWERSHELL !
- ADWS diagnostic logging
–
Cheers,
Jorge
Henrik said
Checked it out earlier this year and was hoping to find a way of talking to it but it seems it requires an advanced client like the one for FIM does… When are Microsoft going to learn that REST web services is the shit?
Jorge said
I submitted a suggestion (https://connect.microsoft.com/WindowsServer/feedback/details/713606/leveraging-the-adws-from-custom-tools) on connect about this and this is the response I got back:
——————-
I had a discussion with our Program Managers and here is what one of our program managers suggested: “There is no functionality available via ADWS that is not available through powershell. In fact powershell provides additional functionality.”
Also he recommended using Directory Services APIs available on MSDN. In case you haven’t already referred, here are few links to start with:
System.DirectoryServices Namespace: http://msdn.microsoft.com/en-us/library/system.directoryservices.aspx
Directory Services in the .NET Framework: http://msdn.microsoft.com/en-us/library/ms180826.aspx
What is System.DirectoryServices?: http://msdn.microsoft.com/en-us/site/ms180829
——————-
Alan Burchilll said
Fantastic…. Just looking at this issue. I assume that you would not have a problem if you ran the commands from a Windows XP / Vista computer?
Jorge said
It specifically mentions Windows 7 because on Windows XP/Vista you cannot use the AD PowerShell CMDlets nor ADAC as it is not available for both Windows XP/Vista.
Regards,
Jorge
How to fix AD PowerShell error “Unable to find a default server with Active Directory Web Services running.” said
[…] this time I then noticed a new blog post https://jorgequestforknowledge.wordpress.com/2011/12/12/the-active-directory-web-service-adws/ about the new Active Directory Web Services (ADWS) feature with 2008 R2 which explained why I was […]
just me said
Also check if necessary ports are open: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
just me said
Here are some steps: https://technet.microsoft.com/en-us/library/dd759202.aspx