12 Mighty Labors of Active Directory Management
Administering and managing AD encompasses a multitude of activities. Although you can do the job with built-in services and tools, four powerful third-party solutions also want to help.
Any systems administrator will agree that Active Directory (AD) covers and offers a lot more than the NT SAM. You might also agree that managing an NT network isn’t the same as managing a Windows Server 2003 network (or a Windows 2000 network, for that matter). In fact, though administrators gain a lot more power when moving to AD, they also gain something else: a lot more stuff to do. We’ve added it up and found that AD administration and management covers 12 major activities:
User and group administration
PC/Mobile device administration
Networked service administration
Group Policy Object administration
Domain Name System (DNS) administration
AD topology and replication administration
AD configuration administration
AD schema administration
AD report generation
Depending on the size of your network, each of these activities can be a job in and of itself. And if you’re alone to perform them, they can sometimes feel like the 12 mighty labors of Hercules. Unfortunately, unlike the great hero of ancient times, you don’t always get the same recognition for a job well done.
Does the base Windows server configuration include the proper tools for AD administration or are third-party products also required? It all depends on what you do, how your network is organized and how many users or computers you need to manage. In an online sidebar to this story, we look at each task more in-depth and provide some tips for helping to make them easier.
If you can complete the 12 gargantuan tasks we enumerate using only the built-in AD tools, you should be congratulated. Of course, you can also bring other tools to bear, such as the Windows Script Host (WSH) and the Active Directory Service Interfaces (ADSI). Not all of us are scripting kings or have the time to devote to developing scripts that can help with these tasks. Microsoft provides the Script Center (see Resources), but even then it takes time to turn sample scripts into usable tools.
Making AD administration easier is the goal of the following four products. Each addresses a particular set of AD administration tasks. Some cover the same functionality, while others offer completely different features. Each claims that it will save you time and money. That’s just what we’ve concentrated on. Table 1 lists the basic requirements for each tool and identifies how it integrates with AD and Windows 2003. Table 2 lists which of the 12 administrative activities are addressed by each tool. You can use these tables to identify what products will give you what you need.
Quest FastLane ActiveRoles version 5.0
Managing security rights within the directory using the default Windows Server tools can be a true hassle unless you’re highly structured and document your changes thoroughly. This is where Quest Software’s FastLane ActiveRoles comes into play. ActiveRoles and its counterpart, ResourceRoles, let you design security templates that consolidate AD Access Control Entries (ACEs) for users and groups and for resources, respectively. These templates, or roles, can then be assigned to specific containers for a given user or group. For example, if you want to delegate password resets to help desk operators in the People OU, you create the appropriate role, grant it the Reset Password right along with Read and Write access to the password-related attributes, then assign it to the People OU for the help desk operators’ group. The same goes for the assignment of administrative rights to resources: you can create roles for cluster server operators, shared folder operators, domain controller operators, and so on.
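The delegation described above can also be written directly as ACEs with the built-in tools, which is useful both for understanding what a role template of this kind ends up writing and for checking the result afterwards. The following is an added example, not code from this article or from Quest; it uses the ActiveDirectory PowerShell module (which did not exist when the products reviewed here shipped), and the domain, OU and group names are assumptions.

```powershell
# Added example, not from the article or from Quest: delegate password reset on the
# People OU to a help-desk group with the built-in ActiveDirectory module, i.e. the
# ACEs an ActiveRoles-style role ends up writing. Assumed names: domain corp.example,
# OU "People", group "HelpDesk". Run with an account that has WRITE_DAC on the OU.
Import-Module ActiveDirectory

$ouDn  = 'OU=People,DC=corp,DC=example'   # assumption
$group = Get-ADGroup -Identity 'HelpDesk'  # assumption

# Fixed, well-known schema GUIDs (identical in every AD forest).
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$pwdLastSet = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute pwdLastSet

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the Reset Password extended right, inherited by user objects under the OU only
# (inheritance = Descendents, inherited object type = user). Without the user-class
# restriction the right would also apply to computer objects in the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# ACE 2: read/write pwdLastSet, so the operator can force "change password at next logon".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check what the group actually holds on the OU. Anything other than the two ACEs above
# (GenericAll, WriteDacl, an ACE without the user-class restriction) means the delegation
# is broader than the role was meant to be.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*\HelpDesk' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification step at the end is the part worth keeping around: run it periodically against every OU where you have delegated rights, and compare the output with what the role definition says it grants.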
Once a role is created, it can be reused countless times. ActiveRoles provides a few roles by default, which can administer both AD and Exchange (if it’s present in your network). ActiveRoles runs in either Local or Directory Enabled Mode. In Local Mode, you can evaluate ActiveRoles in your network without changing your AD installation. Directory Enabled Mode modifies the default AD schema to add classes and attributes specific to the FastLane tools. This modification isn’t to be taken lightly, because it can’t be undone: schema classes and attributes can be deactivated, but never deleted.
ActiveRoles also includes a Self Service Web site and a Web Client for AD, NT or Exchange administration. Both are powerful tools. They do, however, require the presence of Internet Information Services (IIS). Depending on the size of your network, IIS may have to reside directly on a domain controller, something Microsoft no longer recommends. But the Self Service tool by itself makes the risk worthwhile, especially in large networks. It lets users manage their own information within the directory, including their own passwords, through a single interface. Users prepare a list of five questions and answers in advance; when they need their password reset for any reason, they go to the self-service page, answer the five personal questions and are granted the right to reset it themselves. Keep in mind that those five answers then become a credential as powerful as the password itself, so pick questions whose answers aren’t easy to look up, and make sure self-service resets are audited like any other password reset. This module alone can save a considerable number of phone calls to the help desk, not to mention that it’s a lot less embarrassing for the user.
The Web client lets administrators perform most directory administration tasks through a Web interface (see Figure 1). It’s a clean interface that’s fast and responsive. What’s more, both the Self Service and the Web Client modules can be installed separately from the ActiveRoles and ResourceRoles tools, letting you decide where and when to use them.
Figure 1. Quest FastLane ActiveRoles’ Web Client module lets administrators manage directory objects through a complete Web interface.
ActiveRoles also includes ActivePolicies, a module that integrates with AD to provide Group Policy management. ActivePolicies can be linked to specific GPOs within multiple domains. Any change in the ActivePolicy will be automatically reflected in every policy it’s linked to, providing a powerful way to manage multiple policies from a single interface.
ActiveRoles isn’t a tool to be taken lightly. Role definition is a complex process that requires advanced knowledge of the directory and the objects it contains. Even though it includes default roles, you’ll still need to plan its implementation in your network carefully if you want to profit from this tool.
Table 1. Active Directory Tool Criteria
The nature of management tools is likely to change, given the new security enhancements in Windows Server 2003. For example, tools that require the presence of IIS, especially on domain controllers, may become less popular now that IIS is no longer installed by default. Tools that make use of the .NET Framework may become more popular since it’s integrated into the OS. Also, through integration with ADAM, management tools may no longer have to modify the AD schema. Use the following table to identify the requirements for each tool.
[Table 1 body not recoverable from the extracted page; only these cell values survive, without their row and column headings: “Yes, but only for Web interface” (two tools); “MSDE, SQL Server” (two tools); “Access 2000 or runtime, SQL Server, MSDE”; “MMC, no TaskPad” (three tools); “Yes, also within MMC”.]
Aelita Enterprise Directory Manager version 5.0
Aelita Software’s Enterprise Directory Manager (EDM) is also a tool for managing AD access rights from a central location. Where it stands out is in its architecture. EDM requires a working copy of either SQL Server 2000 or Microsoft Desktop Engine (MSDE) to use as the central repository of all EDM information. Modifications are made in the database, then transferred to AD. This approach underpins the way EDM manages forests and domains, letting administrators of large environments manage multiple directories from a single location.
EDM also uses roles to apply security and delegation rights. It does so in a different manner, though. First, you need to define Access Templates. These templates let you identify which access rights are available for a given role on any given object. Once the templates are defined, you can use them to assign management rights to the administrators or operators in your network. This is done through the assignment of Managed Units to Trustees (the people you trust to manage information in AD).
One of the most interesting concepts in EDM is the Managed Unit (MU). The Managed Unit groups the elements for which you want to delegate management. But unlike the organizational unit in AD, the MU isn’t limited to a single domain, or even to one type of object. For example, if several of your domains contain a People OU and you want a single administrative group to manage the contents of all of those OUs with the same rules, you group the People OU from each domain into a People MU and assign management rights over that Managed Unit to the administrative group. This is obviously powerful for large directories.
EDM also supports the administration of Group Policy, letting you even perform “what if” scenarios before implementing the GPO in your production environment. As far as reporting is concerned, EDM offers one of the most impressive sets of reporting tools (see Figure 2), even supporting the use of OLAP cubes for analysis of the data stored within your directory.
Figure 2. The Aelita Reporting Console provides a comprehensive set of reporting tools on all aspects of directory administration.
EDM’s Web interface is one of the cleanest and most comprehensive on the market. Like the other tools in the EDM suite, it provides role-based assignment of activities, offering different versions of the Web site for full administrators, help desk personnel or even individual users. This is a really good tool for delegation of AD information management, especially at the user level.
Another interesting EDM feature is the ability to generate groups based on content rules. These dynamic groups will change with time given the nature of the rules devised for their membership. For example, you could create a special group that contains only users whose passwords will expire in less than two weeks, then use this group to send reminders that it’s time to change passwords.
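A rule-driven group of the kind described above can be approximated with an ordinary security group and a scheduled script that reconciles its membership against the rule. The following is an added example, not code from this article or from Aelita; it uses the ActiveDirectory PowerShell module, the OU and group names are assumptions, and it relies on the constructed attribute msDS-UserPasswordExpiryTimeComputed, which needs Windows Server 2008 or later domain controllers.

```powershell
# Added example, not from the article or from Aelita: keep an ordinary AD group in sync
# with a content rule, here "enabled users whose password expires within 14 days", from
# a scheduled task. Assumed names: OU=People,DC=corp,DC=example and group
# "PasswordExpiringSoon". Needs the ActiveDirectory module and 2008-or-later DCs, which
# supply the constructed attribute msDS-UserPasswordExpiryTimeComputed.
Import-Module ActiveDirectory

$searchBase = 'OU=People,DC=corp,DC=example'   # assumption
$groupName  = 'PasswordExpiringSoon'            # assumption
$now        = Get-Date
$deadline   = $now.AddDays(14)

# The DC computes the expiry from pwdLastSet and the effective (default or fine-grained)
# password policy, so the script doesn't re-implement policy logic. The value is a
# FILETIME; 0 or Int64.MaxValue means the password does not expire.
$users = Get-ADUser -SearchBase $searchBase `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties 'msDS-UserPasswordExpiryTimeComputed'

$wanted = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expiry = [DateTime]::FromFileTime($raw)
    # Already-expired accounts are left out: they need a reset, not a reminder.
    if ($expiry -gt $now -and $expiry -le $deadline) { $u }
}
$wanted  = @($wanted)
$current = @(Get-ADGroupMember -Identity $groupName | Where-Object objectClass -eq 'user')

# Reconcile instead of emptying and refilling the group, so members that still match
# are not removed and re-added on every run.
$toAdd    = $wanted  | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName }
$toRemove = $current | Where-Object { $_.DistinguishedName -notin $wanted.DistinguishedName }

if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

'{0} added, {1} removed, {2} members now match the rule' -f @($toAdd).Count, @($toRemove).Count, $wanted.Count
```

Run it from a scheduled task under an account that can modify only that group; the reminder mail itself is then a matter of enumerating the group’s members.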
Enterprise Directory Manager is a powerful product that shouldn’t be implemented without extensive preparation. It requires planning and testing to make the most of this tool, especially in large enterprises. On the other hand, its reporting capabilities are second to none and almost warrant the implementation of the solution on their own.
NetIQ Security Administration Suite version 4.1
NetIQ has been in the Microsoft management realm for quite some time. In fact, they were the original creators of the product that became Microsoft Operations Manager. Therefore, it isn’t surprising to see them create a complete set of AD management tools in the Security Administration Suite. This suite includes three tools: Directory and Resource Administrator (DRA), Group Policy Administrator (GPA) and Directory Security Administrator.
DRA is a comprehensive set of programs designed to manage both directory objects and resources from a single point. Its main purpose is to manage delegation rights for AD administration. It allows you to define delegation roles and assign them to managed objects. Administrators who have been delegated rights can use the DRA console to manage the objects they’re responsible for (see Figure 3). Both AD objects and resources can be managed through the DRA Web-based interface.
Figure 3. The NetIQ Directory and Resource Administrator lets operators manage objects they’re responsible for through a single global Web-based interface.
The Directory Security Administrator is designed to provide a single interface for security management of AD objects. It supports Access Control List (ACL) generation and management as well as object auditing. Access rights can be granted through roles defined within the console. In addition, it offers powerful security analysis tools as well as comprehensive reporting.
As far as Group Policy is concerned, NetIQ has teamed up with Full Armor to integrate Fazam 2000 version 3 into the NetIQ Security Administration Suite. This gives the suite a mature GPO management tool. The GPA uses a GPO Repository stored in SQL Server 2000 (or MSDE), which means it won’t touch the production environment. This repository can contain any number of domains, letting you experiment to your heart’s content before deploying anything. Because it’s actually Fazam 2000, the GPA offers comprehensive reporting capabilities.
By mixing and matching tools from different sources, NetIQ has provided a fully fleshed out suite of AD management functions. The drawback of this approach is a lack of consistency across the suite. For example, DRA uses Microsoft Access for reporting, GPA uses SQL Server for GPO modeling, and the suite as a whole requires modification of the AD schema to enable its most powerful features. This makes for a mishmash of prerequisites that can be cumbersome to manage during installation.
Nevertheless, the NetIQ programs provide solid management functionality that covers a wide variety of AD activities. The Directory and Resource Administrator, especially, will require planning and preparation before implementation because of its wide-ranging impact on your management structure.
Javelina ADvantage version 220.127.116.11
Javelina ADvantage is a product that focuses on user and security administration within Active Directory. It’s simple to install and operate. It offers an Outlook-like interface with a toolbar on the left side and operations within the right pane. This interface isn’t a Microsoft Management Console, but a standard Windows rich-client interface. Managing AD with ADvantage is a two-step process. You manage and prepare information in the ADvantage interface, then (when you’ve completed your preparation activities) you load the information into the directory. It’s simple and straightforward.
ADvantage covers three types of activities: user management, file and share administration and directory tools. The first lets you modify massive numbers of users at once. There’s no doubt that if you need to do this, ADvantage is much better than the csvde command-line tool provided in Windows. Both can work from comma-delimited files prepared in an application such as Microsoft Excel, but csvde can only create new objects from such a file; it can’t modify existing ones, so for mass changes the built-in alternatives are ldifde or a script. This responds to specific client needs. Say, for example, that your organization merges with another and that each of you used different user naming standards in your directories. You could use ADvantage to import the names from both directories, manipulate them for standardization purposes and then reload them into the directory.
The File and Share management portion of ADvantage works the same way as the user management portion: information is imported into or created directly in ADvantage, manipulated, and then exported to the directory. In addition, ADvantage offers a directory Resynch tool that forces a replication cycle between domain controllers (what you’d otherwise do with repadmin /syncall); an ACL analysis tool that generates reports on ACLs within the directory; and a third feature, probably its most powerful: Search and Replace (see Figure 4).
Figure 4. Javelina ADvantage offers a powerful search and replace feature that will let you modify directory ACLs.
In fact, ADvantage offers Search and Replace for users, files and shares as well as ACLs. This makes it compelling, indeed. For example, if the manager for a group of employees changes and you want to modify directory objects to reflect this organizational change, you can perform a search on the old manager and replace the value with the new manager’s name. This is a feat few tools can perform today.
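The two jobs this section uses to motivate ADvantage, bulk renaming after a merger and a search-and-replace on the manager attribute, can both be done with the built-in tools if you stage them the same way (build the change list, review it, then load). The following is an added example, not code from this article or from Javelina; it uses the ActiveDirectory PowerShell module, the CSV is constructed sample data, and the domain and manager names are assumptions.

```powershell
# Added example, not from the article or from Javelina: the two jobs the article uses
# to motivate ADvantage, done with the ActiveDirectory module and staged the same way
# (build the change list first, write only when -Commit is passed). Assumptions: the
# acquired accounts already exist in corp.example under their old names, the CSV below
# is constructed sample data, and the two manager DNs are placeholders.
param([switch]$Commit)
Import-Module ActiveDirectory

# --- 1. Bulk rename to one naming standard: first initial + surname, lower case ---
$acquired = @'
SamAccountName,GivenName,Surname
Jdoe_acme,Jane,Doe
doej,John,Doe
MSMITH,Mary,Smith
'@ | ConvertFrom-Csv

$plan = foreach ($row in $acquired) {
    $new = ('{0}{1}' -f $row.GivenName.Substring(0, 1), $row.Surname).ToLower()
    # Does the target name already exist in the directory? (csvde can't help here at all:
    # it only adds objects and never modifies existing ones.)
    $taken = [bool](Get-ADUser -Filter "SamAccountName -eq '$new'")
    [pscustomobject]@{ Old = $row.SamAccountName; New = $new; Conflict = $taken }
}
# Collisions inside the batch itself (Jane Doe and John Doe both become "jdoe").
$dupes = $plan | Group-Object New | Where-Object Count -gt 1 | ForEach-Object Name
foreach ($p in $plan) { if ($p.New -in $dupes) { $p.Conflict = $true } }

$plan | Format-Table -AutoSize   # review this before running with -Commit

foreach ($p in $plan | Where-Object { -not $_.Conflict }) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($p.Old)'"
    if (-not $user) { Write-Warning "$($p.Old) not found, skipped"; continue }
    Set-ADUser -Identity $user -SamAccountName $p.New `
        -UserPrincipalName "$($p.New)@corp.example" -WhatIf:(-not $Commit)
}

# --- 2. Search and replace on the manager attribute ---
$oldManager = 'CN=Old Manager,OU=People,DC=corp,DC=example'   # assumption
$newManager = 'CN=New Manager,OU=People,DC=corp,DC=example'   # assumption

$reports = @(Get-ADUser -Filter "manager -eq '$oldManager'")
"{0} direct report(s) currently point at $oldManager" -f $reports.Count
$reports | Set-ADUser -Manager $newManager -WhatIf:(-not $Commit)
```

Without -Commit every write is a -WhatIf dry run, which is the closest built-in equivalent to ADvantage’s prepare-then-load model; the conflict column is what stops a naming standard from silently merging two people into one account.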
Two of the tools examined here modify the default AD schema. This means that if you implement them, you’ll most likely be their customer for life, because schema changes can’t be undone: a class or attribute can be deactivated, but not removed. It would be preferable if both manufacturers, Quest and NetIQ, moved toward Active Directory in Application Mode (ADAM) integration. [See this month’s “Windows Insider” by Bill Boswell for more about ADAM.—Ed.] By modifying the schema of an ADAM instance and leaving the AD schema alone, they would make their integration much simpler, and would probably gain wider acceptance in the market.
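Before letting a product extend the schema, it’s worth knowing what has already been added to it, since none of it can be removed later. The following is an added example, not code from this article or from any of the vendors reviewed; it uses the ActiveDirectory PowerShell module and a creation-time heuristic described in the comments.

```powershell
# Added example, not from the article: inventory the schema extensions already present
# in a forest, the check to run before adding a product that will make more of them.
# Heuristic: base-schema objects are created together with the Schema container when
# the forest is built, so anything created later was added afterwards, whether by
# Microsoft (adprep, Exchange) or by a third party. Nothing listed can be deleted;
# isDefunct only shows what has been deactivated.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext
$cutoff   = (Get-ADObject -Identity $schemaNc -Properties whenCreated).whenCreated.AddHours(1)

$added = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel -Filter * `
    -Properties whenCreated, isDefunct, lDAPDisplayName, attributeID, governsID |
  Where-Object { $_.whenCreated -gt $cutoff } |
  Select-Object whenCreated, objectClass, lDAPDisplayName,
    @{ n = 'OID';     e = { if ($_.attributeID) { $_.attributeID } else { $_.governsID } } },
    @{ n = 'Defunct'; e = { [bool]$_.isDefunct } }

$added | Sort-Object whenCreated | Format-Table -AutoSize

# Who added what: Microsoft's OID arc is 1.2.840.113556; any other prefix belongs to a
# vendor or to your own extensions.
$added |
  Group-Object { if ($_.OID -like '1.2.840.113556.*') { 'Microsoft' } else { ($_.OID -split '\.')[0..6] -join '.' } } |
  Select-Object Name, Count | Sort-Object Count -Descending
```

The per-arc summary is the quick answer to “which products have already touched this forest’s schema”; the full listing is what you diff before and after a product installation to see exactly what it added.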
That’s why, of the three similar products reviewed here, we favor Aelita’s most. This vendor has already realized that schema modifications aren’t to be taken lightly and takes a different approach: it stores its data in a SQL Server database and applies changes to AD through the directory’s programming interfaces. That’s smart thinking, and it proves you don’t need to modify the AD schema to build an enterprise-level directory management product. On the other hand, if schema modifications aren’t a concern to you, the choice among the three will be harder, because the feature sets are similar.
Javelina’s ADvantage doesn’t really perform the same type of administration task as the others. It seems to be designed mostly for massive information management manipulation within the directory, something that you shouldn’t have to do on a regular basis, especially if you plan your directory well. But if you’re faced with mergers or acquisitions, there’s no doubt it could be quite useful.