In-Depth

12 Mighty Labors of Active Directory Management

Administering and managing AD encompasses a multitude of activities. Although you can do the job with built-in services and tools, four powerful third-party solutions also want to help.

Any systems administrator will agree that Active Directory (AD) covers and offers a lot more than the NT SAM. You might also agree that managing an NT network isn’t the same as managing a Windows Server 2003 network (or a Windows 2000 network, for that matter). In fact, though administrators gain a lot more power when moving to AD, they also gain something else: a lot more stuff to do. We’ve added it up and found that AD administration and management covers 12 major activities:

 User and group administration

 PC/Mobile device administration

 Networked service administration

 Group Policy Object administration

 Domain Name Service administration

 AD topology and replication administration

 AD configuration administration

 AD schema administration

 Information management

 Security management

 Database administration

 AD report generation

Depending on the size of your network, each of these activities can be a job in and of itself. And if you’re alone to perform them, they can sometimes feel like the 12 mighty labors of Hercules. Unfortunately, unlike the great hero of ancient times, you don’t always get the same recognition for a job well done.

Does the base Windows server configuration include the proper tools for AD administration or are third-party products also required? It all depends on what you do, how your network is organized and how many users or computers you need to manage. In an online sidebar to this story, we look at each task more in-depth and provide some tips for helping to make them easier.

Also read:

12 Mighty Chores of Active Directory Administration in Depth
by Danielle and Nelson Ruest

Active Directory Migration Gets Easier
by Gary Olsen

If you can complete the 12 gargantuan tasks we enumerate using only the built-in AD tools, you should be congratulated. Of course, you can also bring other tools to bear, such as the Windows Scripting Host and the Active Directory Services Interface (ADSI). Not all of us are scripting kings or have the time to devote to developing scripts that can help us in these tasks. Microsoft provides the Windows Scripting Center (see Resources), but even then, it takes time to turn sample scripts into usable tools.

Making AD administration easier is the goal of the following four products. Each addresses a particular set of AD administration tasks. Some cover the same functionality, while others offer completely different features. Each claims that it will save you time and money. That’s just what we’ve concentrated on. Table 1 lists the basic requirements for each tool and identifies how it integrates with AD and Windows 2003. Table 2 lists which of the 12 administrative activities are addressed by each tool. You can use these tables to identify what products will give you what you need.

Product Information

Enterprise Directory Manager v. 5.0
Starts at $18 per user
Aelita Software
www.aelita.com/products/EDM4.htm

ADvantage version 1.1.2.0
$995
Javelina Software
www.javelinasoftware.com/advantage.html

Security Administration Suite v. 4.1
Starts at $24 in 100 user packs
NetIQ
www.netiq.com/products/admin/ default.asp

FastLane ActiveRoles version 5
Starts at $20 per user, or $25 with FastLane Reporter and Spotlight on Active Directory
Quest Software
www.quest.com/fastlane/activeroles/

Quest FastLane ActiveRoles version 5.0
Managing security rights within the directory using the default Windows Server tools can be a true hassle unless you’re highly structured and document your changes thoroughly. This is where Quest Software’s FastLane ActiveRoles comes into play. ActiveRoles and its counterpart, ResourceRoles, let you design security templates that consolidate AD Access Control Entries (ACEs) for both users or groups and resources respectively. These templates or roles can be assigned to specific containers for either users or groups. For example, if you want to delegate password resets to help desk operators in the People OU, you create the appropriate role, grant it Read and Write access rights for user passwords, then assign it to the People OU for the help desk operators’ group. The same goes for the assignment of administrative rights to resources. Thus, you can create roles for cluster server operators, shared folder operators, domain controller operators, and so on.

Once a role is created, it can be reused countless times. ActiveRoles provides a few roles by default. These roles can administer both AD and Exchange (if it’s present in your network). ActiveRoles runs in either Local or Directory Enabled Mode. In Local Mode, you can evaluate the usefulness of ActiveRoles in your network without changing your AD installation. The Directory Enabled Mode modifies the default AD Schema to integrate classes and attributes specific to the FastLane tools. This modification isn’t to be taken lightly, because it can’t be undone.

ActiveRoles also includes both a Self Service Web site, as well as a Web Client for AD, NT or Exchange administration. Both are powerful tools. They do, however, require the presence of Internet Information Services (IIS). Depending on the size of your network, this may have to reside directly on a domain controller, something that’s no longer recommended by Microsoft. But the Self Service tool by itself makes the risk worthwhile, especially in large networks. This tool allows users to manage their own information within the directory through a single interface and also their own passwords. It provides a list of five questions and answers that users can prepare in advance. Then, when they need to have their password reset for any reason, they can do it themselves by simply going to the self-service page, answering five personal questions and being granted password reset rights. This module alone can save a considerable number of phone calls to the help desk, not to mention that it’s a lot less embarrassing for the user.

The Web client lets administrators use a Web interface to access most directory administration tasks (see Figure 1). This tool provides a nice, clean interface that’s fast and responsive. What’s more, it seems that both the Self Service and the Web Client modules can be installed separately from the ActiveRoles and ActiveResource tools, letting you decide where and when to use them.

Quest FastLane ActiveRoles
Figure 1. Quest FastLane ActiveRoles’ Web Client module lets administrators manage directory objects through a complete Web interface. (Click image to view larger version.)

ActiveRoles also includes ActivePolicies, a module that integrates with AD to provide Group Policy management. ActivePolicies can be linked to specific GPOs within multiple domains. Any change in the ActivePolicy will be automatically reflected in every policy it’s linked to, providing a powerful way to manage multiple policies from a single interface.

ActiveRoles isn’t a tool to be taken lightly. Role definition is a complex process that requires advanced knowledge of the directory and the objects it contains. Even though it includes default roles, you’ll still need to plan its implementation in your network carefully if you want to profit from this tool.

Table 1. Active Directory Tool Criteria

The nature of management tools is likely to change, given the new security enhancements in Windows Server 2003. For example, tools that require the presence of IIS, especially on domain controllers, may no longer be popular since it’s no longer installed by default. In addition, tools that make use of the .NET Framework may be more popular since it’s integrated into the OS. Also, through integration with ADAM, management tools may no longer have to modify the AD schema. Use the following table to identify the requirements for each tool.

Criteria Quest Fastlane Activeroles Aelita
Enterprise Directory
Manager
Javelina
ADvantage
NetIQ
Security
Administration Suite
Require IIS

Yes, but only for Web interface Yes, but only for Web interface No Yes
Supported
database
MSDE, SQL Server MSDE, SQL Server n/a Access 2000 or runtime, SQL Server, MSDE
ADAM support No No No No
Modify schema Yes No No Yes/No
MMC TaskPad MMC, no TaskPad MMC, no Taskpad No MMC, no Taskpad

.NET Framework
1.1 Support
No No No No
Windows Installer
MSI
Yes Yes No Yes
Web interface Yes Yes No Yes, also within MMC

Aelita Enterprise Directory Manager version 5.0
Aelita Software’s Enterprise Directory Manager (EDM) is also a tool for managing AD access rights from a central location. Where it stands out is in its installation. EDM requires a working copy of either SQL Server 2000 or Microsoft Desktop Engine (MSDE) to use as a central repository of all EDM information. This data store hosts all EDM data. Modifications are made in the database then transferred to AD. This approach facilitates the way EDM manages forests and domains, letting administrators of large environments manage multiple directories from a single location.

EDM also uses roles to apply security and delegation rights. It does so in a different manner, though. First, you need to define Access Templates. These templates let you identify which access rights are available for a given role on any given object. Once the templates are defined, you can use them to assign management rights to the administrators or operators in your network. This is done through the assignment of Managed Units to Trustees (the people you trust to manage information in AD).

One of the most interesting concepts of the EDM is the Managed Unit (MU). The Managed Unit is used to regroup the elements for which you want to delegate management. But unlike the organizational unit in AD, the MU isn’t limited to a single domain or even in the type of objects it can contain. For example, if you have several domains that contain a People OU and you want a single administrative group to manage the contents of all of these OUs at the same time with the same rules, you regroup the People OU from each domain into a People MU and assign management rights to this Managed Unit to the administrative group. This tool is obviously powerful for large directories.

EDM also supports the administration of Group Policy, letting you even perform “what if” scenarios before implementing the GPO in your production environment. As far as reporting is concerned, EDM offers one of the most impressive sets of reporting tools (see Figure 2), even supporting the use of OLAP cubes for analysis of the data stored within your directory.

Aelita EDM
Figure 2. The Aelita Reporting Console provides a comprehensive set of reporting tools on all aspects of directory administration. (Click image to view larger version.)

EDM’s Web interface is one of the cleanest and most comprehensive on the market. Like the other tools in the EDM suite, it provides role-based assignment of activities, offering different versions of the Web site for full administrators, help desk personnel or even individual users. This is a really good tool for delegation of AD information management, especially at the user level.

Another interesting EDM feature is the ability to generate groups based on content rules. These dynamic groups will change with time given the nature of the rules devised for their membership. For example, you could create a special group that contains only users whose passwords will expire in less than two weeks, then use this group to send reminders that it’s time to change passwords.

Enterprise Directory Manager is a powerful product that shouldn’t be implemented without extensive preparation. It requires planning and testing to make the most of this tool, especially in large enterprises. On the other hand, its reporting capabilities are second to none and almost warrant the implementation of the solution on their own.

NetIQ Security Administration Suite version 4.1
NetIQ has been in the Microsoft management realm for quite some time. In fact, they were the original creators of the product that became the Microsoft Operations Manager. Therefore, it isn’t surprising to see them create a complete set of AD management tools in the Security Administration Suite. This suite includes three tools: Directory and Resource Administrator (DRA), Group Policy Administrator (GPA) and Directory Security Administrator (DSA).

DRA is a comprehensive set of programs designed to manage both directory objects and resources from a single point. Its main purpose is to manage delegation rights for AD administration. It allows you to define delegation roles and assign them to managed objects. Administrators who have been delegated rights can use the DRA console to manage the objects they’re responsible for (see Figure 3). Both AD objects and resources can be managed through the DRA Web-based interface.

NetIQ Directory and Resource Administrator
Figure 3. The NetIQ Directory and Resource Administrator lets operators manage objects they’re responsible for through a single global Web-based interface. (Click image to view larger version.)

The Directory Security Administrator is designed to provide a single interface for security management of AD objects. It supports Access Control List (ACL) generation and management as well as object auditing. Access rights can be granted through roles defined within the console. In addition, it offers powerful security analysis tools as well as comprehensive reporting.

As far as Group Policy is concerned, NetIQ has teamed up with Full Armor to integrate Fazam 2000 version 3 into the NetIQ Security Administration Suite. This gives the suite a mature GPO management tool. The GPA uses a GPO Repository stored in SQL Server 2000 (or MSDE), which means it won’t touch the production environment. This repository can contain any number of domains, letting you experiment to your heart’s content before deploying anything. Because it’s actually Fazam 2000, the GPA offers comprehensive reporting capabilities.

By mixing and matching tools from different sources, NetIQ has provided a fully fleshed out suite of AD management functions. But the drawback of this approach is lack of consistency across the suite. For example, the DRA uses Microsoft Access to provide reporting capabilities, the GPA uses SQL Server for GPO modeling and the entire suite requires modification of the OS schema to enable its most powerful features. This makes for a mishmash of prerequisites that can be cumbersome to manage during installation.

Nevertheless, the NetIQ programs provide solid management functionality that covers a wide variety of AD activities. The Directory and Resource Administrator, especially, will require planning and preparation before implementation because of its wide-ranging impact on your management structure.

Javelina ADvantage version 1.1.2.0
Javelina ADvantage is a product that focuses on user and security administration within Active Directory. It’s simple to install and operate. It offers an Outlook-like interface with a toolbar on the left side and operations within the right pane. This interface isn’t a Microsoft Management Console, but a standard Windows rich-client interface. Managing AD with ADvantage is a two-step process. You manage and prepare information in the ADvantage interface, then (when you’ve completed your preparation activities), you load the information into the directory. It’s simple and straightforward.

ADvantage covers three types of activities: user management, file and share administration and directory tools. The first lets you modify massive numbers of users at once. There’s no doubt that if you need to do this, ADvantage is much better than the csvde command-line tool provided in Windows, though both tools can work from comma-delimited files prepared in an application such as Microsoft Excel. This responds to specific client needs. Say, for example, that your organization merges with another and that each of you used different user naming standards in your directories. You could use ADvantage to import the names from both directories, manipulate them for standardization purposes and then reload them into the directory.

The File and Share management portion of ADvantage works in the same way as the user management portion. Information is imported to or created directly in ADvantage, manipulated and then exported from ADvantage to the directory. In addition, ADvantage offers a directory Resynch tool that automatically generates a multi-master replication event; it includes an ACL analysis tool that generates reports on ACLs within the directory; and it offers a third feature, which is probably its most powerful: Search and Replace (see Figure 4).

Javelina ADvantage
Figure 4. Javelina ADvantage offers a powerful search and replace feature that will let you modify directory ACLs. (Click image to view larger version.)

In fact, ADvantage offers Search and Replace for users, files and shares as well as ACLs. This makes it compelling, indeed. For example, if the manager for a group of employees changes and you want to modify directory objects to reflect this organizational change, you can perform a search on the old manager and replace the value with the new manager’s name. This is a feat few tools can perform today.

Table 2. Help for the Mighty Labors

Final Report
Two of the tools examined here modify the default AD schema. This means that if you implement these tools, you’ll most likely be their client for life because, currently, schema changes can’t be undone easily. It would be preferable if both manufacturers, Quest and NetIQ, moved toward Active Directory in Application Mode (ADAM) integration. [See this month’s “Windows Insider” by Bill Boswell for more about ADAM.—Ed.] By modifying the schema of an ADAM instance and leaving the OS schema alone, they would make their integration much simpler. This would probably grant them wider acceptance in the market.

That’s why, of the three similar products reviewed here, we favor Aelita’s most. This vendor has already realized that schema modifications aren’t to be taken lightly. Aelita takes a different approach, using a SQL Server database to store its modifications that are later integrated to AD through its programming interfaces—smart thinking that proves you don’t need to modify the OS schema to create an enterprise-level directory management product. On the other hand, if schema modifications aren’t a concern to you, the choice between the three will be more complex because the feature sets are similar.

Javelina’s ADvantage doesn’t really perform the same type of administration task as the others. It seems to be designed mostly for massive information management manipulation within the directory, something that you shouldn’t have to do on a regular basis, especially if you plan your directory well. But if you’re faced with mergers or acquisitions, there’s no doubt it could be quite useful.

comments powered by Disqus

Reader Comments:

Tue, Sep 21, 2004 John Coate Washington State

We just purchased NetIQ and your statement that it requires a schema change conflicts with the vendor... they say it does not. What is the source for your statement? Thank you.

Mon, Aug 2, 2004 Guy Québec

now that Quest owns both software. (fastlane and EDM) How will them market those two products ?
I agree to store data in the AD. Good review.

Tue, Jan 13, 2004 Anonymous Anonymous

Great overiew, I trust we can trust the good and bad points.

Thu, Oct 23, 2003 Chuck USA

One thing missing here and the reason we choice aelita was the flexibility the middle tier added. We automate many processes through scripting in EDM that cut down the time it took to create users and configure their accounts. Also, integrating with our peoplesoft database and automating DL membership. Just a solid tool. The flexibility is the biggest differentiator and makes aelita the best for large organizations with intelligent IT staffs.

Tue, Sep 16, 2003 Chris MA

Another tool left out of this article was Ecora's Enterprise Auditor. Great tool for managing AD configuration data and tracking changes.

Tue, Sep 16, 2003 Anonymous Anonymous

Extending the schema is not something to be scared of. If you want to take full advantage of a directory enabled application, then you'll want to extend the directory's schema. What I mean to say that not only are schema extensions safe if done properly, but they are also a good thing. They can help to provide huge value to large, directory-centric enterprises, by maximizing their investment in directory services - isn't that what their directory is supposed to do?

Sun, Sep 7, 2003 Karen San Rafael

Oops. Typo in my last one. I meant to say that unused schema extensions aren't causing replication traffic.

Sun, Sep 7, 2003 Karen San Rafael

Danielle & Nelson-
I think you missed the boat on this one. You call out Aelita's Managed Unit features as a distinct advantage but completely neglected to talk about Quest's Business Views feature, which has been in the product since we started using it a couple of years ago and allows the same ability to group objects outside of the constraints of the OU.

Additionally, your argument about schema extensions causing customer lock-in is simply wrong. If, for example, I chose to deinstall a product that extends the schema, what is preventing from doing that? Any objects that the app creates can be deleted and, while the schema extensions may remain disabled, I am not using them, they're causing replication traffic, I don't have to manage them, etc. How is this any different from the (literally) hundreds of attributes MS includes in the base schema that go unused every day?
In fact, if you ask me, products that use a database result in more customer lock-in because you're putting all of your business processes into a proprietary database structure rather than AD, where they belong, regardless of the vendor product.

Fri, Sep 5, 2003 Dave Chicago

The uneducated focus on schema extensions lets down what could otherwise be a very good article.
We went through a very long process evaluating these tools recently and fell upon ActiveRoles from Quest.
It's big differetiator is that through the schema extensions it allows you to store everything you need in AD, so therefore no SQL server, databse, extra tier or single point of failure is introduced unlike all of the other products. Also at the time ActiveRoles was the only product to allow you to manage ANY object in AD, and I think it still is. I agree with Steve in that going natively the way Bill intended is much better. Also, to answer Danielle, the Managed Unit from Aelita also exists in the Quest tool, it's called a business view.

Thu, Sep 4, 2003 Steve Wilson London

Quite a good review I thought, fair and reasonable. We use the Quest suite of tools now, having looked at Bindview, Aelita and NetIQ about 18 months ago. All the products have matured considerably since then and we see the web interfaces as the next step in AD user management delegation to remote sites.
When we did he initial review we didn't like the (then) proposed schema extensions for the next release of tools. We now take the view that as they are fully supported by Microsoft (as is Exchange 2000) they do actually make a lot of sense. The additional attributes and associated permissions are part of the object and as such always available. We were never too clear what happens when the EDM SQL database is unavailable - and anyway why add another level of complexity to the AD equation? AD is a scalable extensible ldap database that comes with built in fault tolerant replication tools... Why not use it as Bill intended?

Wed, Sep 3, 2003 Danielle and Nelson Ruest Quebec

Hi Mark. First, Windows Server 2003 will let you rename, reuse and disable schema extensions, but not delete them. Second, Aelita does have a differentiator. It is the Managed Unit. This unit lets you regroup containers from different locations in the OU hierarchy or even from different domains and apply a single set of delegation and management rules. This is a simple, but powerful approach.

Tue, Sep 2, 2003 Mark Toronto

This schema debates seems to be a lot of noise about nothing considering that Server 2003 allows you to back off your schema changes. I've looked at a few of these tools and am puzzled that the authors chose to highlight features of the Aelita tool that also exists in Quest's ActiveRoles. Do us a favor, tell us about something that clearly differentiates Aelita's product!

Thu, Aug 28, 2003 Jim USA

I have just finished a long and grueling process of selecting an Enterprise class AD administration tool and I'd like to add a few points. I fully agree with this article. Aelita has put an extreme amount of thought and experience into the Directory Manager tool. It has features that none of the others have and works as advertised. The flexibility provided by this product is unmatche3d in the area. There isn't too much that can't be done and I'm not worried about my AD becoming corrupted in any way since they do not store anything in AD keeping AD CLEAN! I can't wait for the implementation to be complete.

Wed, Aug 27, 2003 John Howard Oxley Atlanta GA

One of the best articles on AD administration that I have ever seen. I put out a filter blog of items potentially interesting to teachers in applied IT, and this article just got referenced in it!

Wed, Aug 27, 2003 Scotty UK

To join the schema debate I would like to say that of MS had been succesful in getting people to use AD to store extra data they would not have produced ADAM.

I am happy with the separet DB and possible use of ADAM to store data not because I am scared of altering the schema .It is a well documented procedure and if the changes can be examined and evaluated in light of what they change then I will do it.

What I do not like is not being able to get rid of the changes and thus the alteration of my AD by a product I am then locked into.

Wed, Aug 27, 2003 Danielle and Nelson Ruest Quebec

Fred, we think when you see the missing component of our article, you will agree that we do cover administrative as well as IT requirements (it should be posted soon). We have worked with a lot of AD implementations and all of our customers have struggled with the way they would manage schema modifications. The real problem here is the one we have stated in the article: schema modifications cannot be undone; once a customer, always a customer. That's why we favor solutions that do not modify the schema. Schema modifications from Microsoft are OK (example, Exchange) because they are the originators of AD. But if other manufacturers can do without, hurray for them. After all, the customer will make the final decision. All we are doing is giving our recommendations.

Wed, Aug 27, 2003 Fred from Montreal Anonymous

My 2 cents again.
Yes, extending the schema is a big deal. But, managing several directories and syncronizing them is even a bigger one. And how is it more complicated to backup and restore a directory ?

Tue, Aug 26, 2003 DavidS Colorado

An excellent article. I strongly disagree with one of the other commentators, schema changes are a big deal in a enterprise level directory. Especially down the road as more applications integrate with AD. Schema changes also multiply admin and overhead of the directory. Replication, backup and restore becomes a nightmare.

Tue, Aug 26, 2003 Fred from Montreal Anonymous

This is only an IT vision . AD management tools should be chosen not only for IT administrators to do their job, witch is also very important, but to cover business requirements as well. Business requirements such as role base access control, security, identity management, etc. You should also say that only Quest tools use pure IP. The other ones all rely on Netbios, Bindview as well. Did not check for Javelina but ADvantage does not do much anyways. I also don't agree to use a separate database to manage your network objects. AD is expendable and is intended just for that. I might not be possible in all cases but it should be a priority. Everybody seems to be afraid to extend the Schema. MS does it with Exchange 2K / 2K3. Is that such a big deal ? Should they run Exchange on a separate LDAP. I know it is possible with ADAM but synchronizing LDAP databases is not a simple task and will create major management overhead.
Anyways, that just my opinion.

Tue, Aug 26, 2003 tROY Seattle

This was a very timely article we are doing this very evaluation now. Also a follow-up article on reporting would be much appreciated.

Tue, Aug 26, 2003 Anonymous Anonymous

Very useful, comprehensive, fair

Tue, Aug 26, 2003 AdminGuy Anonymous

I have tested many admin products. I recommend Aelita for usability and above all Security.

Tue, Aug 26, 2003 Danielle and Nelson Ruest Quebec

Thank you for your kind comments about our article.

Please note that we are aware that BindView Corporation produces an administration suite as well, but they did not provide us with a review copy. That's why they were ommitted from our analysis.

Tue, Aug 26, 2003 Anonymous Anonymous

a noticeable...and correct omission...was Bindview. As a user, I can attest their product doesn't compare.

Tue, Aug 26, 2003 Anonymous Anonymous

great article

Tue, Aug 26, 2003 Anonymous Anonymous

awesome analysis

Tue, Aug 26, 2003 Scott D. Hill Houston

One of the major competitors was left out - BindView. How can you represent a fair and competitive review without including BindView?

Mon, Aug 25, 2003 Salah Bahrain

Please, keep us up to date

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.