In-Depth

12 Mighty Labors of Active Directory Management

Administering and managing AD encompasses a multitude of activities. Although you can do the job with built-in services and tools, four powerful third-party solutions also want to help.

Any systems administrator will agree that Active Directory (AD) covers and offers a lot more than the NT SAM. You might also agree that managing an NT network isn’t the same as managing a Windows Server 2003 network (or a Windows 2000 network, for that matter). In fact, though administrators gain a lot more power when moving to AD, they also gain something else: a lot more stuff to do. We’ve added it up and found that AD administration and management covers 12 major activities:

 User and group administration

 PC/Mobile device administration

 Networked service administration

 Group Policy Object administration

 Domain Name Service administration

 AD topology and replication administration

 AD configuration administration

 AD schema administration

 Information management

 Security management

 Database administration

 AD report generation

Depending on the size of your network, each of these activities can be a job in and of itself. And if you’re alone to perform them, they can sometimes feel like the 12 mighty labors of Hercules. Unfortunately, unlike the great hero of ancient times, you don’t always get the same recognition for a job well done.

Does the base Windows server configuration include the proper tools for AD administration or are third-party products also required? It all depends on what you do, how your network is organized and how many users or computers you need to manage. In an online sidebar to this story, we look at each task more in-depth and provide some tips for helping to make them easier.

Also read:

12 Mighty Chores of Active Directory Administration in Depth
by Danielle and Nelson Ruest

Active Directory Migration Gets Easier
by Gary Olsen

If you can complete the 12 gargantuan tasks we enumerate using only the built-in AD tools, you should be congratulated. Of course, you can also bring other tools to bear, such as the Windows Scripting Host and the Active Directory Services Interface (ADSI). Not all of us are scripting kings or have the time to devote to developing scripts that can help us in these tasks. Microsoft provides the Windows Scripting Center (see Resources), but even then, it takes time to turn sample scripts into usable tools.

Making AD administration easier is the goal of the following four products. Each addresses a particular set of AD administration tasks. Some cover the same functionality, while others offer completely different features. Each claims that it will save you time and money. That’s just what we’ve concentrated on. Table 1 lists the basic requirements for each tool and identifies how it integrates with AD and Windows 2003. Table 2 lists which of the 12 administrative activities are addressed by each tool. You can use these tables to identify what products will give you what you need.

Product Information

Enterprise Directory Manager v. 5.0
Starts at $18 per user
Aelita Software
www.aelita.com/products/EDM4.htm

ADvantage version 1.1.2.0
$995
Javelina Software
www.javelinasoftware.com/advantage.html

Security Administration Suite v. 4.1
Starts at $24 in 100 user packs
NetIQ
www.netiq.com/products/admin/ default.asp

FastLane ActiveRoles version 5
Starts at $20 per user, or $25 with FastLane Reporter and Spotlight on Active Directory
Quest Software
www.quest.com/fastlane/activeroles/

Quest FastLane ActiveRoles version 5.0
Managing security rights within the directory using the default Windows Server tools can be a true hassle unless you’re highly structured and document your changes thoroughly. This is where Quest Software’s FastLane ActiveRoles comes into play. ActiveRoles and its counterpart, ResourceRoles, let you design security templates that consolidate AD Access Control Entries (ACEs) for both users or groups and resources respectively. These templates or roles can be assigned to specific containers for either users or groups. For example, if you want to delegate password resets to help desk operators in the People OU, you create the appropriate role, grant it Read and Write access rights for user passwords, then assign it to the People OU for the help desk operators’ group. The same goes for the assignment of administrative rights to resources. Thus, you can create roles for cluster server operators, shared folder operators, domain controller operators, and so on.

Once a role is created, it can be reused countless times. ActiveRoles provides a few roles by default. These roles can administer both AD and Exchange (if it’s present in your network). ActiveRoles runs in either Local or Directory Enabled Mode. In Local Mode, you can evaluate the usefulness of ActiveRoles in your network without changing your AD installation. The Directory Enabled Mode modifies the default AD Schema to integrate classes and attributes specific to the FastLane tools. This modification isn’t to be taken lightly, because it can’t be undone.

ActiveRoles also includes both a Self Service Web site, as well as a Web Client for AD, NT or Exchange administration. Both are powerful tools. They do, however, require the presence of Internet Information Services (IIS). Depending on the size of your network, this may have to reside directly on a domain controller, something that’s no longer recommended by Microsoft. But the Self Service tool by itself makes the risk worthwhile, especially in large networks. This tool allows users to manage their own information within the directory through a single interface and also their own passwords. It provides a list of five questions and answers that users can prepare in advance. Then, when they need to have their password reset for any reason, they can do it themselves by simply going to the self-service page, answering five personal questions and being granted password reset rights. This module alone can save a considerable number of phone calls to the help desk, not to mention that it’s a lot less embarrassing for the user.

The Web client lets administrators use a Web interface to access most directory administration tasks (see Figure 1). This tool provides a nice, clean interface that’s fast and responsive. What’s more, it seems that both the Self Service and the Web Client modules can be installed separately from the ActiveRoles and ActiveResource tools, letting you decide where and when to use them.

Quest FastLane ActiveRoles
Figure 1. Quest FastLane ActiveRoles’ Web Client module lets administrators manage directory objects through a complete Web interface. (Click image to view larger version.)

ActiveRoles also includes ActivePolicies, a module that integrates with AD to provide Group Policy management. ActivePolicies can be linked to specific GPOs within multiple domains. Any change in the ActivePolicy will be automatically reflected in every policy it’s linked to, providing a powerful way to manage multiple policies from a single interface.

ActiveRoles isn’t a tool to be taken lightly. Role definition is a complex process that requires advanced knowledge of the directory and the objects it contains. Even though it includes default roles, you’ll still need to plan its implementation in your network carefully if you want to profit from this tool.

Table 1. Active Directory Tool Criteria

The nature of management tools is likely to change, given the new security enhancements in Windows Server 2003. For example, tools that require the presence of IIS, especially on domain controllers, may no longer be popular since it’s no longer installed by default. In addition, tools that make use of the .NET Framework may be more popular since it’s integrated into the OS. Also, through integration with ADAM, management tools may no longer have to modify the AD schema. Use the following table to identify the requirements for each tool.

Criteria Quest Fastlane Activeroles Aelita
Enterprise Directory
Manager
Javelina
ADvantage
NetIQ
Security
Administration Suite
Require IIS

Yes, but only for Web interface Yes, but only for Web interface No Yes
Supported
database
MSDE, SQL Server MSDE, SQL Server n/a Access 2000 or runtime, SQL Server, MSDE
ADAM support No No No No
Modify schema Yes No No Yes/No
MMC TaskPad MMC, no TaskPad MMC, no Taskpad No MMC, no Taskpad

.NET Framework
1.1 Support
No No No No
Windows Installer
MSI
Yes Yes No Yes
Web interface Yes Yes No Yes, also within MMC

Aelita Enterprise Directory Manager version 5.0
Aelita Software’s Enterprise Directory Manager (EDM) is also a tool for managing AD access rights from a central location. Where it stands out is in its installation. EDM requires a working copy of either SQL Server 2000 or Microsoft Desktop Engine (MSDE) to use as a central repository of all EDM information. This data store hosts all EDM data. Modifications are made in the database then transferred to AD. This approach facilitates the way EDM manages forests and domains, letting administrators of large environments manage multiple directories from a single location.

EDM also uses roles to apply security and delegation rights. It does so in a different manner, though. First, you need to define Access Templates. These templates let you identify which access rights are available for a given role on any given object. Once the templates are defined, you can use them to assign management rights to the administrators or operators in your network. This is done through the assignment of Managed Units to Trustees (the people you trust to manage information in AD).

One of the most interesting concepts of the EDM is the Managed Unit (MU). The Managed Unit is used to regroup the elements for which you want to delegate management. But unlike the organizational unit in AD, the MU isn’t limited to a single domain or even in the type of objects it can contain. For example, if you have several domains that contain a People OU and you want a single administrative group to manage the contents of all of these OUs at the same time with the same rules, you regroup the People OU from each domain into a People MU and assign management rights to this Managed Unit to the administrative group. This tool is obviously powerful for large directories.

EDM also supports the administration of Group Policy, letting you even perform “what if” scenarios before implementing the GPO in your production environment. As far as reporting is concerned, EDM offers one of the most impressive sets of reporting tools (see Figure 2), even supporting the use of OLAP cubes for analysis of the data stored within your directory.

Aelita EDM
Figure 2. The Aelita Reporting Console provides a comprehensive set of reporting tools on all aspects of directory administration. (Click image to view larger version.)

EDM’s Web interface is one of the cleanest and most comprehensive on the market. Like the other tools in the EDM suite, it provides role-based assignment of activities, offering different versions of the Web site for full administrators, help desk personnel or even individual users. This is a really good tool for delegation of AD information management, especially at the user level.

Another interesting EDM feature is the ability to generate groups based on content rules. These dynamic groups will change with time given the nature of the rules devised for their membership. For example, you could create a special group that contains only users whose passwords will expire in less than two weeks, then use this group to send reminders that it’s time to change passwords.

Enterprise Directory Manager is a powerful product that shouldn’t be implemented without extensive preparation. It requires planning and testing to make the most of this tool, especially in large enterprises. On the other hand, its reporting capabilities are second to none and almost warrant the implementation of the solution on their own.

NetIQ Security Administration Suite version 4.1
NetIQ has been in the Microsoft management realm for quite some time. In fact, they were the original creators of the product that became the Microsoft Operations Manager. Therefore, it isn’t surprising to see them create a complete set of AD management tools in the Security Administration Suite. This suite includes three tools: Directory and Resource Administrator (DRA), Group Policy Administrator (GPA) and Directory Security Administrator (DSA).

DRA is a comprehensive set of programs designed to manage both directory objects and resources from a single point. Its main purpose is to manage delegation rights for AD administration. It allows you to define delegation roles and assign them to managed objects. Administrators who have been delegated rights can use the DRA console to manage the objects they’re responsible for (see Figure 3). Both AD objects and resources can be managed through the DRA Web-based interface.

NetIQ Directory and Resource Administrator
Figure 3. The NetIQ Directory and Resource Administrator lets operators manage objects they’re responsible for through a single global Web-based interface. (Click image to view larger version.)

The Directory Security Administrator is designed to provide a single interface for security management of AD objects. It supports Access Control List (ACL) generation and management as well as object auditing. Access rights can be granted through roles defined within the console. In addition, it offers powerful security analysis tools as well as comprehensive reporting.

As far as Group Policy is concerned, NetIQ has teamed up with Full Armor to integrate Fazam 2000 version 3 into the NetIQ Security Administration Suite. This gives the suite a mature GPO management tool. The GPA uses a GPO Repository stored in SQL Server 2000 (or MSDE), which means it won’t touch the production environment. This repository can contain any number of domains, letting you experiment to your heart’s content before deploying anything. Because it’s actually Fazam 2000, the GPA offers comprehensive reporting capabilities.

By mixing and matching tools from different sources, NetIQ has provided a fully fleshed out suite of AD management functions. But the drawback of this approach is lack of consistency across the suite. For example, the DRA uses Microsoft Access to provide reporting capabilities, the GPA uses SQL Server for GPO modeling and the entire suite requires modification of the OS schema to enable its most powerful features. This makes for a mishmash of prerequisites that can be cumbersome to manage during installation.

Nevertheless, the NetIQ programs provide solid management functionality that covers a wide variety of AD activities. The Directory and Resource Administrator, especially, will require planning and preparation before implementation because of its wide-ranging impact on your management structure.

Javelina ADvantage version 1.1.2.0
Javelina ADvantage is a product that focuses on user and security administration within Active Directory. It’s simple to install and operate. It offers an Outlook-like interface with a toolbar on the left side and operations within the right pane. This interface isn’t a Microsoft Management Console, but a standard Windows rich-client interface. Managing AD with ADvantage is a two-step process. You manage and prepare information in the ADvantage interface, then (when you’ve completed your preparation activities), you load the information into the directory. It’s simple and straightforward.

ADvantage covers three types of activities: user management, file and share administration and directory tools. The first lets you modify massive numbers of users at once. There’s no doubt that if you need to do this, ADvantage is much better than the csvde command-line tool provided in Windows, though both tools can work from comma-delimited files prepared in an application such as Microsoft Excel. This responds to specific client needs. Say, for example, that your organization merges with another and that each of you used different user naming standards in your directories. You could use ADvantage to import the names from both directories, manipulate them for standardization purposes and then reload them into the directory.

The File and Share management portion of ADvantage works in the same way as the user management portion. Information is imported to or created directly in ADvantage, manipulated and then exported from ADvantage to the directory. In addition, ADvantage offers a directory Resynch tool that automatically generates a multi-master replication event; it includes an ACL analysis tool that generates reports on ACLs within the directory; and it offers a third feature, which is probably its most powerful: Search and Replace (see Figure 4).

Javelina ADvantage
Figure 4. Javelina ADvantage offers a powerful search and replace feature that will let you modify directory ACLs. (Click image to view larger version.)

In fact, ADvantage offers Search and Replace for users, files and shares as well as ACLs. This makes it compelling, indeed. For example, if the manager for a group of employees changes and you want to modify directory objects to reflect this organizational change, you can perform a search on the old manager and replace the value with the new manager’s name. This is a feat few tools can perform today.

Table 2. Help for the Mighty Labors

Final Report
Two of the tools examined here modify the default AD schema. This means that if you implement these tools, you’ll most likely be their client for life because, currently, schema changes can’t be undone easily. It would be preferable if both manufacturers, Quest and NetIQ, moved toward Active Directory in Application Mode (ADAM) integration. [See this month’s “Windows Insider” by Bill Boswell for more about ADAM.—Ed.] By modifying the schema of an ADAM instance and leaving the OS schema alone, they would make their integration much simpler. This would probably grant them wider acceptance in the market.

That’s why, of the three similar products reviewed here, we favor Aelita’s most. This vendor has already realized that schema modifications aren’t to be taken lightly. Aelita takes a different approach, using a SQL Server database to store its modifications that are later integrated to AD through its programming interfaces—smart thinking that proves you don’t need to modify the OS schema to create an enterprise-level directory management product. On the other hand, if schema modifications aren’t a concern to you, the choice between the three will be more complex because the feature sets are similar.

Javelina’s ADvantage doesn’t really perform the same type of administration task as the others. It seems to be designed mostly for massive information management manipulation within the directory, something that you shouldn’t have to do on a regular basis, especially if you plan your directory well. But if you’re faced with mergers or acquisitions, there’s no doubt it could be quite useful.

Featured