Skip to main content

Installing and using the Active Directory Management Gateway Service (ADMGS)

ADMGS - How to install on Server 2003 and Server 2008

From someone who has done a lot of AD related scripting in powershell v1, it has taken me a while to get to grips with using the new AD cmdlets in PowerShell v2.  Needless to say, I have started 'dipping my toe' into the vast 'sea of cmdlets' now available and am finding them quite useful.  So much so, that enabling the ability to use the cmdlets in my older domains has become essential.   I no longer want to have to write v1 and v2 scripts, or more specifically, ad cmdlet and non-ad-cmdlet enabled scripts. 

Here enters the 'Active Directory Management Gateway Service' .This provides the connectivity for the AD-cmdlets to communicate with a domain controller in your domain.


For a small installer, this guy need a fair few prerequisites - each OS version being slightly different.

Windows 2008 (tested on 32bit)

It is best that you have SP2 installed as there is an issue with
Windows 7 clients and 2008 DCs.  There is a hotfix but you have to request it, but it is included in Windows 2008 SP2

General installs

What ever platform you are using, these are required :
Windows 2003 (SP2 and R2 - again, tested on 32bit)

The only 2003 specific patch required is 969429, which is a request by email patch.  Don't be put off by this as I got the link emailed to me very quickly.

Once you have completed all these tasks, install the applicable version of the gateway

Using the gateway.

My R2 forest is single domain, so I have not given a second thought to how I access resources in other domains using the AD cmdlets.  I also have take for granted that the cmdlets just work.  I am, however, fortunate enough to have an R2 utility server to script on as well as R2 DC's.

The biggest thing here is the AD cmdlets only run on Windows 2008 R2 or Windows 7.  The gateway will run on the older OS's, but the cmdlets themselves do not. 

The second thing is that you need a gateway server in each domain.  I ran this in my test forest (from the root domain)
get-aduser -SearchBase "dc=child,dc=test2003,dc=com" -filter {name -like "*"}
and got this back :

Get-ADUser : A referral was returned from the server
At line:1 char:11
+ get-aduser <<<< -SearchBase "dc=child,dc=test2003,dc=com" -filter {name -like "*"} + CategoryInfo : ResourceUnavailable: (:) [Get-ADUser], ADReferralException + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge tADUser

The correct command is  : 
get-aduser -Server -filter {name -like "*"}
...where server is the gatway server of that domain. 

For the future

I can see use for the gateway, as long as I can get the required R2 utility servers in the forests to run the scripts.  I would probably (on the said R2 util server) setup the profile to create variables for each domain gateway server.  This would not only make the scripting easier and more uniform, if I had to move my gateway server, I would change only the profile rather than all my scripts.

This being my research and testing, I am about to deploy this in my environments (this time 64 bit).  I'll report on the experience once I am up and running.


Popular posts from this blog

PowerShell 3 behavioural change

It's taken me way too long to get into PowerShell 3, I guess opportunity hasn't shown it's self until now and so, here, my V3 journey begins.

I was asked to debug a script that would run fine in PS v2 and not in v3.  The issue was a that a variable length was being checked and was failing in v3.  This is why...

In v2 if a variable is undefined, this test returns false

PS C:\windows\system32> $var.length -eq 0

In v3 the same test returns true....

PS C:\windows\system32> $var.length -eq 0

Not a biggie, but as in this case, a script has broken so something to consider!



Enable Powershell Remoting (WinRM) via Group Policy

I have been doing some testing on enabling WinRM via group policy, being that WinRM is the service that Powershell v2 sets up it remoting capabilities. Here are the GPO settings that you need to configure WinRM ....

set the winrm service to auto start

Computer Configuration \ Policies \ Windows Settings \ Security Settings \ System Services

Windows Remote Management (WS-Management)  set Startup Mode to Automatic

start the service

incorporated in to the above - you may need a restart.

create a winrm listener

Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service / Allow automatic configuration of listeners

IPv4 filter: *

* is listen on all addresses, or if you only want a particular IP address to respond use an iprange eg - don't forget that this IP range has to be valid for all hosts that fall in the scope of the GPO you are creating.  You can use -, - …

compare-object in Powershell - comparing mulitple values

I'm starting to use compare-object more and more, and one thing I noticed, is that you can compare 2 objects based on multiple attributes. here is how it is constructed...
Compare-Object -ReferenceObject $object1 -DifferenceObject $object2 -Property a,b,c,d,eIf a,b,c and d are the same, but e is different, compare object will return a difference. In the following example, I use "-eq $null" as a check because by default compare-object returns $null if the objects are the same.
#create an array of objects to check against

$collection = @()
foreach ($entry in ("aaaaa","bbbbb","ccccc","ddddd")){
   $store = "" | select "a","b","c","d","e"
   $store.a = $entry*1
   $store.b = $entry*2
   $store.c = $entry*3
   $store.d = $entry*4
   $store.e = $entry*5
   $collection += $store

#create an object similar to those in the array
$object = "" | select "a","b…