Editor's Choice: Active Directory Management and Migration

Winner: Full Armor Software FAZAM 2000 3

Honorable Mention: Aelita Controlled Migration Suite

FAZAM 2000 3
$9 per user, plus 18 percent annual support and maintenance
Full Armor Software
617-457-8100, www.fullarmor.com

One of the best parts of having Windows 2000 fully deployed is the ability to exercise centralized control of desktops, servers and users via group policies. From security to software deployment, scripts to granular configuration settings, you can’t beat Group Policy for simple, fast and orderly control of a large number of network entities.

The only problem with group policies is the sheer number of possible settings and the ways those settings can be applied. You can link Group Policy Objects (GPOs) to sites, domains and any number of Organizational Units (OUs). The settings in each GPO in the hierarchy apply to users and computers in the linked containers, unless an OU has been set to block inheritance. Even then, a GPO can be set to override inheritance blocking. Within a hierarchy of containers, a particular GPO can be targeted at specific groups of users or computers. Also, a particular GPO can have policy settings that affect computer configurations and user configurations, with precedence rules that can be overridden with loopback settings.

All in all, things can get very confusing very quickly. That’s where Full Armor Software’s FAZAM 2000 comes into play. It’s a suite of tools that simplifies the deployment and analysis of group policies. Using FAZAM 2000, you can ask questions such as, “What kind of group policies will user Margaret get if she logs onto desktop A22-2301 in the Phoenix site? Will that change if Margaret is a member of the Sales group?” This analysis yields a report called a Resultant Set of Policies (RSoP) that details the result of Group Policy precedence and loopback calculations for the given scenario. This can be compared to the actual group policies applied when Margaret logs on to help diagnose problems.
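The precedence rules described above can be modeled in a few lines. The following is an added example, not FAZAM code: a simplified calculation covering link order, inheritance blocking, the override flag and group filtering, with loopback and the computer/user split left out. All GPO names, settings and the container layout are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})  # group filter

@dataclass
class Link:
    gpo: GPO
    no_override: bool = False   # survives blocking and wins conflicts

@dataclass
class Container:
    name: str
    links: list                 # lowest precedence first
    block_inheritance: bool = False

def resultant_set(path, groups):
    """path: site, domain, then OUs (nearest the account last); groups: a set."""
    # Ordinary links above the deepest blocking container are dropped.
    barrier = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(path):
        hits = [l for l in c.links if l.gpo.apply_to & groups]
        normal += [l.gpo for l in hits if not l.no_override and depth >= barrier]
        # Prepend, so override links from higher containers are applied last.
        enforced = [l.gpo for l in hits if l.no_override] + enforced
    result = {}
    for gpo in normal + enforced:       # later writers win
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

PATH = [  # constructed scenario; every name below is made up
    Container("Phoenix", [Link(GPO("Phoenix Site", {"proxy": "phx-proxy"}))]),
    Container("Domain", [
        Link(GPO("Domain Security", {"screensaver_lock": True}), no_override=True),
        Link(GPO("Domain Desktop", {"wallpaper": "corporate", "run_menu": "hidden"})),
    ]),
    Container("Staff OU", [
        Link(GPO("Staff Desktop", {"wallpaper": "staff", "screensaver_lock": False})),
        Link(GPO("Sales Tools", {"run_menu": "visible"}, apply_to={"Sales"})),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    print(resultant_set(PATH, {"Authenticated Users", "Sales"}))
```

Each resulting setting carries the name of the GPO that supplied it, which is the detail that matters when a security setting is silently blocked or overridden lower in the hierarchy.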

If that’s all FAZAM did, it would still be worth the license fee—but it does a whole lot more. If you have a large number of administrators who make changes to group policies, it’s important to track the changes. This not only adds accountability to the process, it gives you important information for performing diagnostics if something goes wrong. FAZAM 2000 Version 3 has extensive change-tracking functionality. An administrator must check GPOs in and out for editing. The changes can be evaluated prior to putting them into production. There’s even the ability to make backups and restores of individual GPOs to avoid the need for a System State restore from tape.

Wait, there’s more! Proper Group Policy functionality relies on an intricate ballet between GPO elements in Active Directory and GPO elements stored in Sysvol. Two separate services are responsible for AD and Sysvol replication, and it’s possible for the GPO elements to get out of synch. FAZAM 2000 has features for checking Group Policy health throughout an enterprise and making full reports of what it finds. It’ll even check local event logs for Group Policy events and display them on a central console.

Honorable Mention
Aelita Controlled Migration Suite
$13 per managed user account
Aelita Software
614-336-9223, www.aelita.com

But Group Policy can only be truly effective if you’ve fully migrated to Win2K and AD. If you’re still in the process of deploying Win2K, you might want to look at domain migration tools. My favorite set of tools, based on getting the best bang for the buck, is the Controlled Migration Suite from Aelita. The suite includes Enterprise Directory Reporter for gathering information about your domains, domain controllers, member servers and member desktops; the Domain Migration Wizard for moving users, groups, computers, and servers to a new domain; and the Exchange Migration Wizard for migrating mailboxes to Exchange 2000. You’ll save hours and hours of work with these tools.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.