Simplifying the Life of an AD Admin
NetPro’s suite can reduce AD administration woes.
Those who manage Active Directory strain to keep tabs on 12 main areas: administration of users and groups; PCs and mobile devices; networked services; Group Policy Objects (GPOs); DNS; AD topology and replication; AD configuration; AD schema; the NTDS database; information management; security management and AD report generation.
Each of these can be quite a job. That’s one good reason (or is it 12?) to get the right tools, such as NetPro’s Active Directory Lifecycle Suite, which is offered in two flavors: the Secure version, with DirectoryLockdown (SADLS), and the standard version, without DirectoryLockdown (ADLS).
SADLS has a unique spin on AD administration. While most tools aim at role-based access management and GPO administration, NetPro targets the health of the directory itself. The suite has five tools: DirectoryLockdown, DirectoryInsight, DirectoryAnalyzer, DNSAnalyzer and DirectoryTroubleshooter.
DirectoryLockdown is the only product we’ve come across that provides
a secure, recoverable approach to the unauthorized use of high-level administrative
privileges. Microsoft realized that rogue administrators, if given physical
access to a domain controller, could modify key system settings and grant
themselves high privilege levels by working with the DC in debug mode.
This could be done through the addition of an account name to the Enterprise
Administrators group or by usurping the SID of an enterprise administrator.
Then, when the DC is rebooted, changes would be automatically replicated
to every other DC in the network.
|NetPro’s Active Directory Lifecycle Suite
offers wide-ranging analysis and reporting capabilities. (Click image
to view larger version.)
That is, unless you’re running DirectoryLockdown, which automatically shuts down and disables the DC as soon as it detects unauthorized changes to configuration containers. To restore the DC to a working state, DirectoryLockdown provides a recovery diskette, much like a disaster recovery solution.
Rights elevation is not the only type of attack DirectoryLockdown thwarts. It also staves off attacks that try to modify either the Schema or Configuration naming contexts. The tool automatically notifies authorized administrations in the event of unauthorized changes and protects against attempts to hamper its own agent.
DirectoryInsight handles change management monitoring and logging. It records all changes performed at any level of the directory on objects. In fact, DirectoryInsight is meant to replace all manual change logs, letting administrators actually do their work rather than keeping records of the work they do. All change data is viewed through a Web browser where administrators can control the amount of information viewed by users.
DirectoryAnalyzer and DNSAnalyzer give comprehensive information about the status of the directory and its related naming service. DirectoryAnalyzer even contains its own DNS analysis components for all naming service activities related to the proper operation of AD. DNSAnalyzer can then be used to monitor DNS services exclusively or monitor DNS servers unrelated to AD.
Of all the tools, DirectoryAnalyzer is of most use to AD administrators because it monitors all activity related to AD infrastructure. It provides analysis of AD activities such as replication, site connectivity, LDAP query loads, and more. It can also give on-demand replication status information, something that isn’t so easy with Microsoft’s default tools. Both analysis tools support the Simple Network Messaging Protocol (SNMP) and can integrate with Microsoft Operations Manager to provide comprehensive AD and DNS monitoring and reporting capabilities.
Last up is DirectoryTroubleshooter. This tool is
of particular interest to help desk people, especially those that deal with level two or three problems because it provides complete AD troubleshooting information and links problems to a wide-ranging knowledge base that contains the answers to many problems. DirectoryTroubleshooter provides links to related Microsoft Knowledge Base articles and includes insight from NetPro’s own experts. With all the analysis and monitoring functions of the suite, problems shouldn’t occur as often, but when trouble does happen, it’s nice to have DirectoryTroubleshooter
The Secure version of ADLS, with DirectoryLockdown, is aimed at organizations such as banks, government agencies or insurance companies where secure AD containers are a must. For those with less stringent directory protection needs, but who still want to monitor and manage the directory, ADLS offers a scaled-down version without the lockdown component. The suite also offers a simple, integrated look and feel that makes it easy
to identify the wealth of information it gathers.
Danielle Ruest and Nelson Ruest, both Microsoft MVPs, are IT professionals focused on technologies futures. They are authors of multiple books, including "Microsoft Windows Server 2008: The Complete Reference" (McGraw-Hill Osborne Media, 2008), which focuses on building virtual workloads with Microsoft's new OS.