Ever since its inception, almost exactly 20 years ago with the introduction of Windows 2000 Server Edition in February 1999, Active Directory has been a key component of the Microsoft server ecosystem. Its primary purpose is keeping information about networked resources. Computer networks can be rather complicated. Consequently, Active Directory tends to be complicated as well which is why our main goal today is to provide you with an introduction to Active Directory domains and forests.
We don’t intend to make you Active Directory experts but our hope is to shed some light on this complicated topic. Also, given the relatively high level of complexity of the technology, it is no surprise that several third-party tools have been created to monitor and/or manage various aspects of Active Directory. So, we’ll have a look at what some of them can do for you.
Here’s how we’re planning our journey into the core of Active Directory: We’ll start off by lifting any confusion there could be with the concept of a domain. It is a key element of AD but also a key element of the Internet, and yet they are two completely different types of domains that should not be confused. We’ll then introduce Active Directory, what it is and where it’s coming from. Next, we’ll discuss AD domains and the trees we use to represent their structure. In nature, a group of trees is called a forest. Well, the same thing is true in Active Directory, as we’ll see next. Managing and monitoring Active Directory will be our next order of business and finally, while on the subject, we’ll review some of the best Active Directory monitoring and management tools.
Avoiding Confusion – What’s A Domain?
A domain can be many things depending on what field you’re in. And even within Information Technology, the term domain is used for two very different things. The first kind of domain, the one most computer users—even those who are not computer scientists—are familiar with is the Internet domain. It is a group of Internet resources belonging to a specific organization. Domain names are used to access various resources using user-friendly(er) names rather than cryptic IP addresses. For instance, addictivetips.com is the domain name of this web site. Microsoft.com is another well-known domain name and I’m pretty sure you can easily think of dozens more.
The other place where the term domain is widely used is related to Active Directory. An Active Directory domain is a group of resources (notice the similarity with the previous domains?) covered by one single authentication database. We’ll describe AD domains in greater detail shortly. For now, the key is to understand that the same term is used to define two totally unrelated concepts and that it is important not to mix them up, as they are definitely not the same thing.
Active Directory In A Nutshell
The first question people generally ask about Active Directory is: What is it, exactly? The answer is simple: it is Microsoft’s implementation of an LDAP directory service. While this answer is absolutely exact, it is possibly useless, as it raises more questions than it answers.
Let’s dig down. First, a directory service, in the context of computer networks, is a database that contains information about each and every component of a network. By components, we mean each computer and server but also each user or group of users or each directory. You can think of it as a phone directory. Any resource that needs to find another resource looks it up in the directory.
As for the LDAP part of our initial answer, it is an acronym for Lightweight Directory Access Protocol. In simple terms, LDAP defines how information about resources is stored in the database and how this information can be accessed. It is an industry-standard protocol shared by several vendors which, unfortunately, does not mean that the various implementations are interoperable.
An Active Directory structure is a hierarchical organization of objects. There are three primary categories of objects: resources (such as computers or printers, for example), services (such as email) and users (user accounts and groups of users). Active Directory provides information about the objects, organizes them, and controls their access and security. It is, for all intents and purposes, a database of entries with each entry having a name and a set of attributes. Each attribute has a name, a type and one or more values. Attributes are defined in the database’s schema.
You can think of the hierarchical structure of an Active Directory database as that of a file system. And just like a file system has containers (called directories or folders), AD has them too. They are called Organizational Units (OU) and they help group related things together. System administrators are free to create OUs as they see fit and it’s not uncommon, for example, to see individual OUs for each department of an organization.
Active Directory Domains
Now that we’re all on the same page as to what Active Directory is, let’s have a look at domains. Interestingly, domains predate Active Directory by several years. Even before Microsoft released its own LDAP directory service in 1999, domains had existed since the early days of Windows NT. In a typical network of Windows servers, at least one of them—and often two or more—is configured as a domain controller. Domain controllers are the servers that host the domain database, authenticate users and control access to resources. The information they hold is replicated between them. And last but not least, the objects in a domain are organized in a hierarchical fashion.
The Trees And The Forest
A tree analogy is often used to describe hierarchical structures such as a domain. But with Active Directory, Microsoft has pushed that analogy one step further and calls a hierarchical structure of domains a tree. Remember, a domain is a group of resources under the control of one database, but a tree can, for various reasons, consist of several domains. This is quite common in larger organizations, where it is not unusual to see one domain for each division of the company. And for even larger organizations, trees can be grouped into, you guessed it, forests. The forest is the topmost element in Active Directory and everything else descends from it.
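To make the hierarchy described in the last few sections concrete, here is an added example (not code from the article) showing how an object’s place in the OU structure and in the domain tree is encoded in its LDAP distinguished name; the DNs and domain names in it are constructed samples.

```python
"""Added example, not from the article: how Active Directory's hierarchy shows
up in LDAP distinguished names (DNs), and how domains group into trees.

A DN reads leaf to root: CN= names the object, each OU= is a container it
sits in (the 'folders' of the file-system analogy), and the DC= components
spell out the domain's DNS name.  A child domain's DNS name extends its
parent's, so the domains of one tree share a contiguous namespace.
All names below are constructed samples."""

from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, e.g. ('OU', 'Sales').
    Simplified: assumes values contain no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.upper(), value))
    return pairs


def domain_of(dn: str) -> str:
    """DNS name of the domain holding the object: the DC values joined by dots."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def ou_path(dn: str) -> str:
    """The object's container path, root first, written like a folder path."""
    return "/".join(reversed([v for t, v in parse_dn(dn) if t == "OU"]))


def group_into_trees(domains: List[str]) -> Dict[str, List[str]]:
    """Map each tree root (a domain with no ancestor in the list) to every
    domain under it.  Separate roots are separate trees; whether two trees
    belong to one forest is decided when the forest is built and cannot be
    read from the names alone."""
    names = [d.lower() for d in domains]
    roots = [d for d in names if not any(d.endswith("." + p) for p in names if p != d)]
    return {r: sorted(d for d in names if d == r or d.endswith("." + r)) for r in roots}


if __name__ == "__main__":
    user = "CN=jdoe,OU=Sales,OU=Users,DC=corp,DC=example,DC=com"
    print(domain_of(user), "|", ou_path(user))          # corp.example.com | Users/Sales
    print(group_into_trees(["corp.example.com", "sales.corp.example.com",
                            "eu.sales.corp.example.com", "fabrikam.local"]))
```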
Managing And Monitoring Active Directory
Monitoring is everything! If you’re a network or system administrator, you’ve probably heard that phrase countless times. And you know what? It is everything! Monitoring is one of the best ways to stay on top of things. Various types of monitoring tools exist that will allow you to obtain precisely the type of metrics that you are after. For instance, bandwidth monitoring will report on the usage of different segments of a network, while CPU monitoring will display your servers’ CPU gauges. Most operational metrics of systems and networks can be monitored. The main advantage of using monitoring tools is that they are mostly automatic. You don’t have to be constantly watching them. Whenever something is out of the ordinary, your monitoring tool(s) will alert you.
In the case of Active Directory, several parameters can be monitored. For instance, domain controllers—the servers where a domain’s database is stored—could be monitored for response and performance. Changes to access rights could also be monitored to some advantage. Logins—especially failed ones—are another parameter worth monitoring, as failed logins could be an indication of malicious activity.
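As an added example (not from the article, nor from any of the tools reviewed below), here is the kind of failed-logon check an AD monitoring tool runs, applied to constructed sample records; it relies on the fact that a domain controller records each failed logon as Windows Security event 4625 and each success as 4624, and the account names and addresses are made up.

```python
"""Added example, not from the article: the failed-logon check described above,
run over constructed sample records.  Domain controllers log every failed
logon as Windows Security event 4625 and every success as 4624.  The accounts
and IP addresses below are made up; a real pipeline would feed in the same
fields from the Security log (Get-WinEvent) or a SIEM."""

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample records: (timestamp, event id, account, source IP).
SAMPLE_EVENTS: List[Tuple[str, int, str, str]] = [
    ("2019-02-14T09:00:01", 4625, "jdoe", "10.0.0.5"),
    ("2019-02-14T09:00:03", 4625, "jdoe", "10.0.0.5"),
    ("2019-02-14T09:00:04", 4624, "jdoe", "10.0.0.5"),      # two typos, then success
    ("2019-02-14T09:10:00", 4625, "asmith", "10.0.0.77"),
    ("2019-02-14T09:10:02", 4625, "bjones", "10.0.0.77"),
    ("2019-02-14T09:10:04", 4625, "ckhan", "10.0.0.77"),
    ("2019-02-14T09:10:06", 4625, "dlee", "10.0.0.77"),
    ("2019-02-14T09:10:08", 4625, "efox", "10.0.0.77"),     # one source, five accounts
    ("2019-02-14T10:30:00", 4625, "svc_backup", "10.0.1.9"),
]


def failed_logon_alerts(events, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return one alert per source whose failed logons (event 4625) inside a
    sliding `window` reach `threshold`.  The alert also counts distinct accounts:
    one account failing repeatedly usually means a forgotten password or a stale
    service credential; many accounts failing from one source is what an
    administrator should look at first."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[str] = []
    for ts, event_id, account, source in sorted(events):
        if event_id != 4625:                 # successes and other events are ignored
            continue
        when = datetime.fromisoformat(ts)
        q = recent[source]
        q.append((when, account))
        while when - q[0][0] > window:       # forget failures older than the window
            q.popleft()
        if len(q) == threshold:              # alert as the count reaches the threshold
            accounts = {a for _, a in q}
            alerts.append(f"{source}: {len(q)} failed logons in {window}, "
                          f"{len(accounts)} distinct account(s)")
    return alerts


if __name__ == "__main__":
    for line in failed_logon_alerts(SAMPLE_EVENTS):
        print(line)      # 10.0.0.77: 5 failed logons in 0:05:00, 5 distinct account(s)
```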
Active Directory management is something else. Several tools are provided by Microsoft to help you manage Active Directory. They will let you create objects, assign rights and generally perform most of the day-to-day activities related to AD management. However, some of these tools can turn out to be rather cumbersome or impractical to use, and several vendors have stepped up to offer various Active Directory management tools which can make the task of administering Active Directory much easier.
The Best AD Tools
We’ve scoured the market for some of the best Active Directory tools. What we have for you today is a mix of monitoring tools—some AD-specific and some generic—and management tools. All of them can help you—and this was one of our main inclusion criteria—with your day-to-day tasks as they relate to Active Directory. Some are security-oriented while others are performance-oriented.
1- SolarWinds Access Rights Manager
SolarWinds is one of the best publishers of network and system administration software. Its flagship product, called the Network Performance Monitor, consistently scores among the top network bandwidth monitoring systems. Furthermore, the company is also famous for its free software. We’re talking about smaller tools, each addressing a specific need of network administrators. Two great examples of these free tools are the Advanced Subnet Calculator and the Kiwi Syslog Server.
Despite a somewhat misleading name that could lead you to believe that it only deals with object permissions, the SolarWinds Access Rights Manager is primarily aimed at making user provisioning and unprovisioning, tracking, and monitoring easy. It also offers a powerful and easy way of managing and monitoring user permission to ensure that no unnecessary permissions are granted.
One of the greatest strengths of this product is its intuitive user management dashboard that you can use to create, modify, delete, activate and deactivate user accesses to different files and folders. It features role-specific templates that can easily give users access to specific resources on your network.
Also very interesting and quite unique are the SolarWinds Access Rights Manager’s reporting features. The software can create reports that can be used as evidence in case of disputes or eventual litigation. Detailed reports for auditing purposes and for compliance with specifications set by regulatory standards that apply to your business are also available. Reports can be quickly and easily created with just a few clicks. They can include any information you may find useful. For example, log activities in Active Directory and file server accesses could be included in a report. It is up to the user to make them as summarized or as detailed as they need.
Attacks and/or data leaks often happen when folders and/or their contents are accessed by users who are not—or should not be—authorized to access them, a common situation when users are granted wide-reaching access to folders or files. The SolarWinds Access Rights Manager can help you prevent these types of leaks and unauthorized changes to confidential data and files. It offers administrators a visual representation of permissions for multiple file servers and lets one easily see who has what permission on what file.
Pricing for the SolarWinds Access Rights Manager is based on the number of activated users within Active Directory. In SolarWinds parlance, an activated user is either an active user account or a service account. Prices for the product start at $2 995 for up to 100 active users. For more users (up to 10 000), detailed pricing can be obtained by contacting SolarWinds sales. If you want to give the tool a test run before purchasing it, a free unlimited 30-day trial version can be obtained.
2- SolarWinds Server and Application Monitor
The SolarWinds Server and Application Monitor was designed to help administrators monitor servers, their operational parameters, their processes, and the applications that are running on them. It is one of the best tools you can use to monitor your Active Directory domain controllers and the critical services that they need to be running. But the tool will also monitor any or all of your servers. It can easily scale from the smallest of networks to big ones with hundreds of servers—both physical and virtual—spread over multiple sites.
The Active Directory performance monitoring offered by the SolarWinds Server and Application Monitor gives you insight into Active Directory issues related to user accounts, such as account creation, password change and reset attempts, and disabled and deleted user accounts. It will also provide information on domain and system policy changes and data recovery, just as it provides insight into firewall settings, other system changes and currently running services. The tool also allows the monitoring of LDAP sessions. Since the number of connected clients affects server load, the tool monitors the NTDS object counters to help prevent a server overload tied to a specific LDAP session. In addition, the software can provide insight into advanced statistics, such as LDAP active threads, bind time, client sessions, successful binds/sec, and searches/sec.
The product’s initial configuration is quickly and easily done with the help of a two-pass auto-discovery process. The first pass discovers every server and the second one will find applications on each discovered server. Although this process can take time, it can be sped up by supplying a list of specific applications to look for. Once the tool is up and running, the user-friendly GUI makes using it a breeze. The tool’s dashboard can be personalized and it will let you display information in either a table or a graphic format.
Price for the SolarWinds Server and Application Monitor starts at $2 995 and is based on the number of components, nodes, and volumes monitored. A free 30-day trial version is available for download, should you want to try the product before purchasing it.
3- Free AD Tools From ManageEngine
ManageEngine is another well-known name with system and network administrators. Its ManageEngine OpManager package is among the top IT infrastructure monitoring tools. Like some of its competitors, ManageEngine makes some great free tools. And when it comes to Active Directory, the company offers no less than fifteen free tools which can help with monitoring and administering your AD infrastructure. There is a combination of standalone programs and PowerShell cmdlets. Most of the tools are bundled in a single download, so obtaining them shouldn’t be much of a problem. Let’s look at some of the most interesting of these tools.
- AD Query Tool, as its name suggests, allows you to read any attribute data that you require from Active Directory.
- Last Logon Finder is used to list the last logon time of all or of selected users in all the selected domain controllers in the domain. It is typically used for audit and cleanup activities.
- Active Directory Replication Manager lets administrators replicate data within a domain and provides comprehensive reports on the last replication.
- Domain Controller Roles Reporter lists all the domain controllers and their respective roles in the Domain.
- Domain Controller Monitoring Tool is a simple yet powerful tool. It will auto-discover domains and display them, showing important parameters of domain controllers such as CPU Utilization, Disk Utilization, and Memory Utilization.
- Password Policy Manager lets one retrieve, view and edit—given the proper rights—the domain’s password policy.
- Active Directory Duplicate Finder is a PowerShell utility that lets administrators identify duplicate entries for Active Directory attributes in a domain.
- Service Accounts Management is designed to help you easily create, edit, and delete managed service accounts in just a few clicks.
- Weak Password Users Report helps find weak passwords in Active Directory by comparing users’ passwords against a list of over 100,000 commonly used weak passwords.
These are just some of the many free Active Directory Tools provided by ManageEngine. While using separate tools for each individual task is probably not as practical as using an integrated tool with all the functionalities built in, the price of these tools is hard to beat and could certainly make them an option worth considering.
4- Active Administrator
Last on our list is Active Administrator from Quest Software, now part of Dell. This is a complete and integrated Active Directory management software solution. It bridges the gaps that some of Microsoft’s tools leave behind. This is the kind of tool that can make it easier and faster to meet both security and auditing requirements. It has features addressing many of the most important areas of AD management.
Among the tool’s main features, Active Administrator offers integrated, proactive administration. This is also a very potent monitoring tool which has intuitive reporting and alerting, letting you quickly discover changes and report on them by filtering by event type, user, and date, as well as user login and lockout activity. You can also set event alerts and automatically launch alert-based actions.
Pricing for Active Administrator is per enabled user account in your Active Directory and it starts at $16.37 for a perpetual license with one-year support. A minimum license for 20 user accounts must be purchased. A free 30-day trial version can be downloaded.