
The Essential Guide to Active Directory Management

By David Chernicoff

Sponsored by Quest Software

This special advertising section was produced by the Windows IT Pro Custom Media Group in conjunction with Quest Software. This supplement appears as an insert in the March 2005 issue of Windows IT Pro magazine.

If you’ve made the decision to implement Active Directory in your networking environment, you’ve also decided to make major changes in the way you manage your network, users, and network resources. A great deal of planning and execution work goes into a successful migration from Windows NT or Novell Directory Services (NDS) to Windows Server 2003 and Active Directory. But your job doesn’t stop there. The complex nature of Active Directory and the fluid nature of most network environments mean that you’ll need to proactively manage your Active Directory implementation.

In most environments, just deploying Active Directory and forgetting about it isn’t an option; too many applications interact closely with the directory service, some of which make changes to the directory schema. Active Directory requires a hands-on management approach. Fortunately, features in Active Directory and third-party tools exist to simplify the complex problems that managing Active Directory presents.

Delegating Tasks

The primary tool for allowing simplified and more effective Active Directory management is Active Directory’s ability to delegate administrative authority. In a very granular fashion, top-level administrators can assign authority to users to perform specific management tasks. These users don’t need full administrative privileges. This detailed dispensation of management rights and privileges has a number of important benefits.

• Reduced management complexity. By allowing members of a team or department to manage themselves, you can empower personnel who are familiar with the department to intelligently deal with Active Directory concerns in the organization—without involving top-level IT administration.

• Reduced IT workload. With the increase in administrative efficiency you gain by delegating specific Active Directory authority where necessary, you reduce the overall IT workload. The granular nature of the responsibilities you assign to administrators who need them lets those admins more easily master their tasks.

• Reduced administrative costs. Sharing administrative responsibility across a group of administrators with limited administrative privileges makes it less costly to make administrative changes to Active Directory.

• Improved security. When you delegate administrative authority, you create a pyramid of administrators, with each level possessing progressively fewer administrative rights than the level above it. This model requires very few administrators with enterprise-wide administrative authority, which reduces the chance of accidentally exposing the network to unauthorized access due to a large number of users with broad administrative authority.

Third-party tools exist to give Active Directory administrators the ability to perform centralized administration of all their Active Directory deployments, including those in multiforest environments. Because the biggest headache with delegating authority is keeping track of which users have administrative rights on which directory objects, many tools offer role-based administration. Although some of this functionality (and the tools needed to implement it) is present in Active Directory, some third-party applications provide easier-to-use tools for managing the complexities of Active Directory. The out-of-the-box Active Directory tools that Microsoft provides are perfectly functional and work as advertised; however, they can leave a lot to be desired in larger environments or in situations in which a consolidated approach to managing Active Directory is required.

In role-based administration, you set permissions for users according to the specific roles those users serve within the organization. When you make permission changes that apply universally to a specific role (not to a specific user), you can automatically update the permissions of all users in that role whenever the role is deployed or changed. Even with role-based management, you run the risk that administrators with the same level of authority will handle the directory in different ways, which can cause consistency problems. It’s important to ensure that all actions taken within the directory are consistent, regardless of which administrator makes the changes. Rule-based functionality is essential to consistency because it ensures that a predefined set of rules is applied whenever a user, group, organizational unit (OU), contact, shared folder, or printer object is created or modified. It ensures that regardless of which administrator creates or edits an object, consistent application of the appropriate elements throughout the managed directory will occur.

Figure 1: Using role-based administration
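The delegation the guide describes is, at the directory level, an access control entry on an OU. The following is an added example, not code from the guide or from Quest: it grants a help-desk group the single "Reset Password" extended right on the user objects below one OU, and then reports every explicit ACE on that OU, which is the "who has which rights on which objects" question the guide calls the biggest headache of delegation. It uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which is newer than the Windows Server 2003 tooling the guide discusses; the OU and group names are constructed.

```powershell
# Added example, not from the guide or from Quest: delegate the single right
# "Reset Password" on the user objects below one OU to a help-desk group, then
# report every explicit (non-inherited) ACE on that OU so you can see who holds
# what. Requires the ActiveDirectory module (RSAT; Windows Server 2008 R2 or
# later, so newer than the 2003-era tools the guide discusses). OU and group
# names are constructed for illustration.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Look the GUIDs up in the schema and configuration partitions at run time
# rather than hard-coding them.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

function Grant-ResetPasswordOnOu([string]$OuDn, [string]$GroupName) {
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Allow only the "Reset Password" extended right, and only on descendant
    # user objects, so the help desk gets nothing else on the OU.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ExtendedRightGuid 'Reset Password'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaClassGuid 'user'))
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# The guide's "biggest headache" is knowing who holds which rights on which
# objects. This lists explicit ACEs on an OU with extended-right GUIDs resolved
# to their display names.
function Get-DelegatedRights([string]$OuDn) {
    $rightName = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $rightName[[string]$_.rightsGuid] = $_.displayName }

    foreach ($ace in (Get-Acl -Path "AD:\$OuDn").Access) {
        if ($ace.IsInherited) { continue }
        $guid = [string]$ace.ObjectType
        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            Rights        = $ace.ActiveDirectoryRights
            ExtendedRight = if ($rightName.ContainsKey($guid)) { $rightName[$guid] } else { $null }
            Type          = $ace.AccessControlType
            AppliesTo     = $ace.InheritanceType
        }
    }
}

# Usage (constructed names):
# Grant-ResetPasswordOnOu -OuDn 'OU=Sales,DC=example,DC=com' -GroupName 'HelpDesk-Sales'
# Get-DelegatedRights -OuDn 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```

Running Get-DelegatedRights across every OU on a schedule and diffing the output against the previous run is the simplest form of the tracking the guide asks for: any ACE that was not placed through the delegation process shows up as a new row.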

Securing Active Directory

On one level, securing Active Directory is a straightforward task. You can take steps to assure administrators that they have properly configured and secured the directory. In general, Active Directory is just one portion of the network infrastructure that should be included in a full security audit of the infrastructure.

However, you should emphasize specific areas of concentration for an audit of the directory.

First, you should be able to audit all of your business rules. It’s important to ensure that naming conventions are met, account fields are populated correctly, resource permissions are assigned consistently and correctly, and administrative privileges are granted to the appropriate users. For each of the foregoing elements, auditing compliance with the rules that maintain the corporate standard should be an automated task and include reporting capabilities for the administrative user.
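As an added example (not from the guide or from Quest) of the automated business-rule audit just described, the script below checks three of the rules the paragraph names: a logon-name convention, required account fields, and membership of privileged groups against an approved list. It emits one record per violation and writes them to a CSV report. The rule values, OU and approved-admin list are constructed; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the guide or from Quest: audit users in an OU against
# three business rules (naming convention, required attributes, privileged
# group membership) and emit one report object per violation. Assumes the
# ActiveDirectory module; the rule values, OU and approved list are constructed.
Import-Module ActiveDirectory

$Rules = @{
    # Rule 1: sAMAccountName convention, e.g. jsmith or jsmith2 (constructed)
    LogonNamePattern   = '^[a-z]{2,20}\d{0,2}$'
    # Rule 2: fields that must be populated on every account
    RequiredAttributes = @('givenName', 'sn', 'mail', 'department', 'employeeID', 'manager')
    # Rule 3: only the approved accounts may belong to these groups
    PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    ApprovedAdmins     = @('adm-alice', 'adm-bob')
}

function Test-UserRules([string]$SearchBase, [hashtable]$Rules) {
    $props = $Rules.RequiredAttributes + 'sAMAccountName'
    foreach ($u in Get-ADUser -SearchBase $SearchBase -Filter * -Properties $props) {
        # -cnotmatch keeps the check case-sensitive, as the convention is.
        if ($u.sAMAccountName -cnotmatch $Rules.LogonNamePattern) {
            [pscustomobject]@{ User = $u.sAMAccountName; Rule = 'NamingConvention'; Detail = 'logon name does not match pattern' }
        }
        foreach ($attr in $Rules.RequiredAttributes) {
            if ([string]::IsNullOrWhiteSpace($u.$attr)) {
                [pscustomobject]@{ User = $u.sAMAccountName; Rule = 'RequiredAttribute'; Detail = "$attr is empty" }
            }
        }
    }
}

function Test-PrivilegedMembership([hashtable]$Rules) {
    # Run in the forest root domain so Enterprise Admins and Schema Admins resolve.
    foreach ($g in $Rules.PrivilegedGroups) {
        # -Recursive expands nested groups, so indirect members are caught too.
        foreach ($m in Get-ADGroupMember -Identity $g -Recursive) {
            if ($Rules.ApprovedAdmins -notcontains $m.SamAccountName) {
                [pscustomobject]@{ User = $m.SamAccountName; Rule = 'PrivilegedMembership'; Detail = "unapproved member of $g" }
            }
        }
    }
}

function Invoke-RuleAudit([string]$SearchBase, [hashtable]$Rules, [string]$ReportPath) {
    $findings = @(Test-UserRules $SearchBase $Rules) + @(Test-PrivilegedMembership $Rules)
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    return $findings
}

# Usage (constructed paths and names):
# Invoke-RuleAudit 'OU=Staff,DC=example,DC=com' $Rules "C:\Reports\ad-rules-$(Get-Date -Format yyyyMMdd).csv"
```

Because the rules live in one hashtable, the same audit can be re-run unchanged from a scheduled task, and an empty CSV is the evidence of compliance the paragraph asks for.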

In addition to auditing directory content, you also need to keep track of activity surrounding the directory: for example, changes to directory data or permissions and attempts to use network credentials. The Windows OS stores a great deal of data that OS and third-party tools can access. For tracking activities on servers, you can set up event logs to record every file access and administrative action, for example. Compliance regulations might require that such data is tracked and stored for some time, and tools that are capable of aggregating data across multiple servers are required in any multiserver environment. Native OS tools don’t really provide this capability, nor do they provide sufficient detail of the data they can track. In addition, auditing functionality that OS tools provide can be system-resource intensive and impact server performance negatively.

Figure 2: Viewing results of a policy audit

Figure 3: Backing up Active Directory
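The native event logs the paragraph mentions do record administrative actions, and the most security-relevant one the guide names later is a user being added to the Enterprise Admins group. As an added example (not from the guide or from Quest), the script below reads a domain controller’s Security log for the Windows "member added to group" audit events, extracts the named fields from the event XML, and flags additions to a watch list of groups. The watch list and the sample event at the end are constructed; the DC must have the Security Group Management audit subcategory enabled, and Get-WinEvent needs Windows Server 2008 or later.

```powershell
# Added example, not from the guide or from Quest: watch a DC's Security log for
# accounts being added to sensitive groups (the guide's Enterprise Admins case).
# Windows records "member added" as event 4728 (global group), 4732 (domain-
# local group) or 4756 (universal group; Enterprise Admins is universal). The
# DC must have the "Audit Security Group Management" subcategory enabled. The
# watch list and the sample event at the end are constructed.
$WatchedGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators')

function ConvertFrom-GroupChangeXml([string]$XmlText) {
    # Read named fields from the event XML instead of parsing the message text,
    # which is localized and changes between Windows versions.
    $xml = [xml]$XmlText
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$xml.Event.System.TimeCreated.SystemTime
        DC        = $xml.Event.System.Computer
        EventId   = [int]$xml.Event.System.EventID
        Group     = $data['TargetUserName']
        Member    = $data['MemberName']       # DN of the account that was added
        ChangedBy = $data['SubjectUserName']  # who made the change
    }
}

function Get-WatchedGroupAdditions([string]$ComputerName, [datetime]$Since, [string[]]$Watched = $WatchedGroups) {
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GroupChangeXml $_.ToXml() } |
        Where-Object { $Watched -contains $_.Group }
}

# Offline check of the parser on a constructed 4756 event (not a real capture).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4756</EventID><TimeCreated SystemTime="2005-03-01T09:12:00.000Z"/><Computer>DC01.example.com</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=example,DC=com</Data>
    <Data Name="TargetUserName">Enterprise Admins</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">adm-alice</Data>
  </EventData>
</Event>
'@
ConvertFrom-GroupChangeXml $sample | Where-Object { $WatchedGroups -contains $_.Group }

# Live usage (constructed): schedule against every DC every few minutes.
# Get-WatchedGroupAdditions -ComputerName 'DC01' -Since (Get-Date).AddMinutes(-10)
```

Each DC logs only the changes it processed, which is exactly the aggregation problem the paragraph raises: the function has to be run against every DC (or the logs forwarded to one collector) before the result is complete.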

Maintaining the Directory

To maintain an enterprise Active Directory, you need tools that provide you with options beyond those Microsoft offers out of the box. For administrators who recognize the weaknesses in native tools, the first concern to address is how quickly they can back up and restore the directory. In the event of a major system disruption, administrators need to be able to quickly recover Active Directory. The most important thing to have on hand when you need to restore your infrastructure is a reliable backup. Therefore, the directory-maintenance tool you select must have a relatively painless automated backup mechanism.

This backup should also allow for the granular restoration of directory objects. In many cases, it isn’t necessary to restore the entire directory but rather only a subset of the directory objects or perhaps even a single object or attribute. Often, problems discovered in the directory structure can be repaired without affecting unassociated directory objects. If you can restore objects that have been corrupted or destroyed, your management of Active Directory will be much more effective.

Detailed reporting tools should be available to let you create comparison reports that show the current state of the directory relative to the last backup. Where comparison reports provide point-in-time comparisons of Active Directory changes to assist in the recovery process, it’s also a good practice to keep on top of changes to Active Directory on a more continual and real-time basis. Although many changes are expected and innocuous, you should particularly be proactive in tracking the more crucial changes to Active Directory—those changes that have security implications (e.g., a user being added to the Enterprise Admins group) and changes that could cause problems, even outages, for the directory (e.g., an important Group Policy setting being incorrectly modified).

Maintaining the directory also means that you’re maintaining the service. The maintenance tool you select should let you troubleshoot and manage all DCs from one graphical console. You should be able to detect problems at a glance and see the current status of actions being taken to correct the problems. The tool should be able to grow with your network enterprise, scaling to support as many directory replicas as necessary.

Figure 4: Augmenting native event logs with more detailed third-party change auditing

Figure 5: Viewing DC activity
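The granular restore and the "current state versus last backup" comparison report described above can be demonstrated with a small snapshot mechanism. The following is an added example, not code from the guide or from Quest: it saves a point-in-time record of the objects in an OU, compares the live directory against that record attribute by attribute (reporting added, deleted and modified objects), and restores a single deleted object by GUID. It assumes the ActiveDirectory module and, for Restore-ADObject, the Active Directory Recycle Bin (Windows Server 2008 R2 forest functional level or later), neither of which existed when the guide was written; paths, OU names and the tracked-attribute list are constructed.

```powershell
# Added example, not from the guide or from Quest: keep a point-in-time
# snapshot of the objects in an OU (the "stored data" behind a comparison
# report), compare the live directory against it attribute by attribute, and
# restore one deleted object on its own instead of restoring the whole
# directory. Assumes the ActiveDirectory module and, for Restore-ADObject, the
# AD Recycle Bin (Windows Server 2008 R2 forest functional level or later).
# Paths, OU names and the tracked attribute list are constructed.
Import-Module ActiveDirectory

$Tracked = @('name', 'objectClass', 'description', 'memberOf', 'userAccountControl', 'manager')

function ConvertTo-Record($Object) {
    # Flatten every tracked attribute to a string so records compare and serialize cleanly.
    $rec = [ordered]@{ DistinguishedName = $Object.DistinguishedName; ObjectGUID = [string]$Object.ObjectGUID }
    foreach ($a in $Tracked) { $rec[$a] = @($Object.$a | ForEach-Object { [string]$_ }) -join ';' }
    return [pscustomobject]$rec
}

function Get-OuRecords([string]$SearchBase) {
    Get-ADObject -SearchBase $SearchBase -Filter * -Properties $Tracked | ForEach-Object { ConvertTo-Record $_ }
}

function Save-OuSnapshot([string]$SearchBase, [string]$Path) {
    ConvertTo-Json -InputObject @(Get-OuRecords $SearchBase) -Depth 3 | Set-Content -Path $Path
}

function Compare-OuToSnapshot([string]$SearchBase, [string]$Path) {
    $saved = @{}; foreach ($r in (Get-Content -Raw $Path | ConvertFrom-Json)) { $saved[$r.ObjectGUID] = $r }
    $live  = @{}; foreach ($r in Get-OuRecords $SearchBase)                { $live[$r.ObjectGUID] = $r }

    foreach ($guid in $saved.Keys) {
        if (-not $live.ContainsKey($guid)) {
            [pscustomobject]@{ Change = 'Deleted'; Object = $saved[$guid].DistinguishedName; Attribute = ''; Old = ''; New = ''; ObjectGUID = $guid }
            continue
        }
        foreach ($a in $Tracked) {
            if ($saved[$guid].$a -ne $live[$guid].$a) {
                [pscustomobject]@{ Change = 'Modified'; Object = $live[$guid].DistinguishedName; Attribute = $a; Old = $saved[$guid].$a; New = $live[$guid].$a; ObjectGUID = $guid }
            }
        }
    }
    foreach ($guid in $live.Keys) {
        if (-not $saved.ContainsKey($guid)) {
            [pscustomobject]@{ Change = 'Added'; Object = $live[$guid].DistinguishedName; Attribute = ''; Old = ''; New = ''; ObjectGUID = $guid }
        }
    }
}

# Granular restore: bring back a single deleted object, identified by the GUID
# the comparison report shows, without touching anything else.
function Restore-DeletedObject([string]$ObjectGuid) {
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties isDeleted
    if (-not $obj.isDeleted) { throw "$ObjectGuid is not in the deleted state" }
    Restore-ADObject -Identity $obj
}

# Usage (constructed):
# Save-OuSnapshot 'OU=Staff,DC=example,DC=com' 'C:\Backups\staff-2005-03-01.json'
# Compare-OuToSnapshot 'OU=Staff,DC=example,DC=com' 'C:\Backups\staff-2005-03-01.json' | Format-Table -AutoSize
# Restore-DeletedObject '<ObjectGUID from a Deleted row>'
```

The snapshot is keyed on ObjectGUID rather than distinguished name so that a moved or renamed object is reported as a modification of its attributes, not as a deletion plus an addition; a Recycle Bin restore likewise keeps the object’s GUID and SID, which is what makes it granular.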

Group Policy Management

Group Policy Objects (GPOs) are perhaps the most powerful management and configuration tools available to network administrators. Using GPOs, you can define everything from desktop computer configuration to computer network behavior to application access and security procedures.

Microsoft includes the Group Policy Management Console (GPMC) with the Windows Server OS, but as you begin to really make use of GPOs to their fullest extent, you’ll need to find a tool that does more than the GPMC can. The GPMC quickly becomes cluttered and difficult to use when you start applying dozens or hundreds of GPOs across your enterprise. Remember that GPOs often affect only a subset of your network users, with specific GPOs performing similar (but not identical) actions against objects in different groups. That being the case, medium- or large-size enterprises see exponential growth in the use of GPOs to provide detailed control of users’ activities.

A good GPO management tool gives administrators the ability to delegate GPO management and actively manage GPO creation and changes. Ideally, such a tool will allow the administrator to test new GPOs or changes to existing GPOs offline before rolling the changes out and affecting network users. You should also be able to roll back changes if you find that, despite testing, some GPO changes have unexpected or undesired effects on network users. An effective GPO version-control system and reporting tools let you keep track of previous GPO usage and which configurations worked in the past, so you can revert to earlier versions of existing GPOs, which eliminates the need to recreate those GPOs from scratch.
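The version control and rollback the paragraph asks for can be built on the GroupPolicy module’s own backup cmdlets. The script below is an added example, not code from the guide or from Quest: each run stores a dated backup of every GPO plus an XML settings report per GPO, a GPO can be diffed against any stored version, and a stored version can be restored after first saving the current state so the rollback itself is reversible. It assumes the GroupPolicy module (GPMC on Windows Server 2008 R2 or later, so newer than the GPMC the guide discusses); the repository path and GPO name are constructed.

```powershell
# Added example, not from the guide or from Quest: a simple GPO version history
# on top of the GroupPolicy module's Backup-GPO / Restore-GPO / Get-GPOReport.
# Every run stores a full backup of all GPOs plus an XML report per GPO, so a
# change can be diffed against the last known-good state and rolled back.
# Requires the GroupPolicy module (GPMC, Windows Server 2008 R2 or later); the
# repository path and GPO name are constructed.
Import-Module GroupPolicy

function New-GpoVersion([string]$Repository, [string]$Comment) {
    $version = Join-Path $Repository (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $version | Out-Null
    Backup-GPO -All -Path $version -Comment $Comment | Out-Null
    # One XML report per GPO makes diffs readable without performing a restore.
    foreach ($gpo in Get-GPO -All) {
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path (Join-Path $version "$($gpo.DisplayName).xml")
    }
    return $version
}

function Compare-GpoWithVersion([string]$GpoName, [string]$Version) {
    $saved = Get-Content (Join-Path $Version "$GpoName.xml")
    $live  = (Get-GPOReport -Name $GpoName -ReportType Xml) -split "`r?`n"
    # <ReadTime> changes on every report and is not a settings difference.
    Compare-Object ($saved -notmatch '<ReadTime>') ($live -notmatch '<ReadTime>') |
        Select-Object @{ n = 'In'; e = { if ($_.SideIndicator -eq '<=') { 'Saved' } else { 'Live' } } }, InputObject
}

function Restore-GpoVersion([string]$GpoName, [string]$Version) {
    # Save the current state first so that the rollback itself can be rolled back,
    # then put the stored settings back over the live GPO.
    New-GpoVersion -Repository (Split-Path $Version -Parent) -Comment "pre-rollback of $GpoName" | Out-Null
    Restore-GPO -Name $GpoName -Path $Version
}

# Usage (constructed):
# $v = New-GpoVersion -Repository 'D:\GpoHistory' -Comment 'before password policy change'
# Compare-GpoWithVersion -GpoName 'Default Domain Policy' -Version $v
# Restore-GpoVersion  -GpoName 'Default Domain Policy' -Version $v
```

Backup-GPO stores settings only; links, WMI filters and security filtering are not part of the backup, so a full rollback procedure also has to record where each GPO was linked at the time of the version.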

Figure 6: Using a group policy management tool

Reporting

The Active Directory management tool you select should provide reports that fall into two categories: reports based on real-time data and reports based on stored data. You select the type of report you need depending on the report’s content. Generally, reports from live data are generated quickly and give you the most up-to-date information possible. However, a report based only on live data lacks context; if you need reports that show changes over time or need data for purposes of comparison, reports based on stored data are the way to go. A good reporting tool will give users the option to choose either type of report for any information where it is practical. Ad hoc reporting should also be able to make use of live or stored data.

When reporting on Active Directory, a management tool should be able to gather data about any object that resides in the directory (as well as create reports and display information about all the directory objects). You should be able to generate reports on all aspects of Active Directory—the ability to modify directory content according to the results of the reports increases the utility of the reporting tool and is another step in simplifying the management of an Active Directory environment.

NDS Redux

Novell Directory Services (NDS) administrators who move into the Active Directory world face challenges that they are well equipped to handle. Although there are significant differences between NDS/eDirectory and Active Directory, the fundamental concepts of managing a directory service–based infrastructure change very little. Concepts such as Lightweight Directory Access Protocol (LDAP), an extensible directory schema, organizational unit (OU) structures, and multi-mastered directories with replication services are common to both directory services. Although implementations differ, the Active Directory environment should hold no surprises for the well-prepared NDS administrator. The process of planning and executing an NDS-to-AD migration acquaints NDS administrators with the necessary concepts of AD management and also drives home the differences between the two services.

The single most difficult change is likely dealing with the different methods of delegating authority in Active Directory and NDS. Delegation doesn’t map well on a one-to-one basis, and depending on the structure of the NDS environment, the greater granularity of delegation available in Active Directory, and the detailed control available through the use of Group Policy Objects (GPOs), NDS administrators have a lot to learn about Active Directory to be most efficient. Because there is no direct mapping of the native delegation Security Principles or Security Equivalences concepts from NDS to Active Directory, these areas are the ones that NDS administrators need to focus on most directly. However, the fairly close attribute mapping between the two directory services and their similar management approach should ease the NDS administrator’s transition to the Active Directory environment.

Identity Management

Identity management is concerned with the challenge of managing common user identity problems, such as resetting passwords, synchronizing passwords, and provisioning users across the entire network enterprise. Although you can perform all of these functions manually by using the tools that the base network OS provides, third-party tools that automate these functions let you quickly realize ROI, both in terms of absolute costs and manpower allocations.

User Empowerment

The single most common, and annoying, call to an IT help desk is the one from a user who has forgotten his password or locked himself out of his account. In today’s security-conscious networking environment, password requirements have become more stringent, with longer, more complex passwords required and shorter password expiration times. These factors have increased the chances that users might forget their current password.

To manage this problem, a password-resetting mechanism that doesn’t require direct IT intervention is necessary. You should select a tool that provides a self-service password-reset capability. This tool should use unique identifiers that define the identity of users and include, but are not limited to, logon ID; unique SMTP address; employee ID number; some combination of first, last, and middle name; or any combination of these methods. The resulting user-defined or randomly generated password should fit all the security requirements your enterprise has established for the creation of passwords on your network. The tool should make use of a Web-based interface, so that users need only have access to the local intranet to access the tool’s facilities. Additional functionality, in the form of the ability to update user information and modify group memberships (on an appropriate level), should also be available to end users.

Figure 7: Accessing a self-service password-reset tool
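The directory side of the self-service reset described above is small enough to show in full. The following is an added example, not code from the guide or from Quest: the requester is located by any one of the identifiers the guide lists (logon ID, SMTP address, employee ID or name) with the input escaped before it reaches the LDAP filter, a random password satisfying a constructed complexity policy is generated from a cryptographic random source, and the account is reset, unlocked and flagged to change the password at next logon. Authenticating the requester, the tool’s own challenge step before the reset, happens before this code is called and is not shown. It assumes the ActiveDirectory module; the policy values are constructed.

```powershell
# Added example, not from the guide or from Quest: the back end of a
# self-service reset. The requester is located by any one of the identifiers
# the guide lists (logon ID, SMTP address, employee ID or display name), a
# random password meeting the stated policy is generated, and the account is
# reset, unlocked and flagged "change at next logon". Authenticating the
# requester (the tool's own challenge step) happens before this is called and
# is not shown. Assumes the ActiveDirectory module; policy values are constructed.
Import-Module ActiveDirectory

# Constructed policy: at least 14 characters drawn from all four classes.
$PasswordPolicy = '^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z\d]).{14,}$'

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so that text typed into the Web form cannot alter the filter.
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-UserByIdentifier([string]$Identifier) {
    $v = ConvertTo-LdapFilterValue $Identifier
    # Any one of the supported identifiers may be supplied; the match must be unique.
    $filter = "(&(objectClass=user)(|(sAMAccountName=$v)(mail=$v)(employeeID=$v)(displayName=$v)))"
    $found = @(Get-ADUser -LDAPFilter $filter)
    if ($found.Count -ne 1) { throw "identifier matched $($found.Count) accounts, expected exactly 1" }
    return $found[0]
}

function New-RandomPassword([int]$Length = 16) {
    # At least one character from each class, drawn with a cryptographic RNG
    # (not Get-Random), then shuffled so the class characters are not always first.
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $next = { param($set) $b = New-Object byte[] 4; $rng.GetBytes($b); $set[[BitConverter]::ToUInt32($b, 0) % $set.Length] }
    $chars = foreach ($c in $classes) { & $next $c }
    while ($chars.Count -lt $Length) { $chars += & $next $all }
    $shuffled = $chars | Sort-Object { $b = New-Object byte[] 4; $rng.GetBytes($b); [BitConverter]::ToUInt32($b, 0) }
    return -join $shuffled
}

function Reset-PasswordSelfService([string]$Identifier) {
    $user = Find-UserByIdentifier $Identifier
    $new = New-RandomPassword 16
    # -cnotmatch: a case-insensitive match would let [A-Z] and [a-z] pass on any letter.
    if ($new -cnotmatch $PasswordPolicy) { throw 'generated password does not satisfy the policy' }
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    Unlock-ADAccount -Identity $user
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    # The value goes back to the Web front end for one-time display; log the event, never the value.
    Write-Verbose "self-service reset for $($user.SamAccountName) at $(Get-Date -Format s)"
    return $new
}

# Usage (constructed): Reset-PasswordSelfService -Identifier 'jdoe@example.com'
```

The account running this needs only the "Reset Password" right delegated on the users’ OU (as in the delegation example earlier), which keeps the Web front end from holding broad administrative credentials.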

Employing a simple solution to the situation of users forgetting their password has a twofold benefit. First, it reduces the time that the IT department spends handling this simple-to-solve yet time-consuming problem. This in turn makes IT resources available to solve more complex problems or actually work on those forward-looking projects that perpetually reside on the to-do list of every network administrator. Second, it tends to produce end users who are happier with their IT department. The user satisfaction level goes up, and more important, productivity doesn’t take a hit while users wait for the IT department to generate a new password. This is a win-win situation for all concerned.

User Provisioning

Automating user provisioning is a key component of managing a large network implementation. Powerful automated provisioning tools are capable of handling account creation in Active Directory, mailbox provisioning in Exchange Server, and resource provisioning in Windows.

It isn’t possible to overestimate the importance of a good automatic provisioning tool in building an enterprise network. Adding users to the network involves significant amounts of manual labor. Creating the user account, assigning the proper groups, creating home directories, and creating a mailbox on the Exchange server is the minimum necessary to create a single user on the network. Multiply these tasks by even just a dozen users and you have a significant workload. Multiply them by hundreds of users and you have a formidable operation that requires substantial resources to complete.

When you consider that not all users need to be provisioned in the same way, the problem grows exponentially. Add the tasks of making sure that the correct resources are assigned to the user and that the user is on the appropriate email server, has access to the appropriate email lists or groups, has access rights to the appropriate file and print devices, ad infinitum, and you quickly see why tools that automate the provisioning process are mission-critical.

Figure 8: Selecting a provisioning policy

Bear in mind that the initial provisioning of a user account isn’t always the end. In any organization, employees move. Often, this means that network accounts must be reprovisioned to give employees the appropriate access rights for a new job. When employees move from one geographical office to another, their account must be reprovisioned to give them appropriate rights and application access at their new location. Although the user accounts already exist, they must be modified appropriately for the new job. In these cases, an administrator shouldn’t need to know the details of every resource an employee might need in any job or location. The administrator should be able to simply move the user account to the relevant group or role and let automation take care of appropriately provisioning the account in that new group or role.

The last step in the provisioning process is actually deprovisioning. When employees leave the company, they should no longer have access to corporate network resources. This means that those user accounts should be deprovisioned—that is, removed from every location on which they are currently stored on the network. In many organizations, deprovisioning simply isn’t done; although the base user account is deleted, the artifacts that might be attached to the account remain scattered throughout the directory, constituting deadweight that must be managed. Automated deprovisioning lets administrators take a single step to remove the user account and all its artifacts from all locations in the directory.

Automating all aspects of account provisioning is a significant step toward reducing the total cost of ownership (TCO) of Active Directory networks and Active Directory–enabled applications. Using automation tools makes managing directory-enabling applications a more practical operation because administrators can guarantee that the appropriate information is created for every user they add to their network. And once you begin making full use of directory enablement, the resulting improvement in administrative efficiencies makes a positive impact on the costs associated with corporate IT.

The Benefits of Management

The primary point to remember about implementing Active Directory is that, although planning the journey to Active Directory is crucial, planning for how you will live in and manage Active Directory is just as important. Indeed, the key to realizing the TCO benefits of an upgrade to a scalable directory service such as Active Directory is ensuring that you accomplish the ongoing management of the infrastructure in a consistent, secure, and highly available manner.

Microsoft does a good job of providing basic Active Directory management tools, but you need to determine whether those basic tools will meet the needs of your business. If not, identify areas where third-party support may be needed to address areas that this Essential Guide describes. The value of planning for ongoing management from the beginning of your Active Directory implementation is that your new environment will be able to deliver on the promises of lower TCO that Microsoft makes for Active Directory.
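Tying together the provisioning, reprovisioning and deprovisioning procedure the guide lays out, the following is an added example, not code from the guide or from Quest. One role table describes everything an account in a given role needs (OU, groups, home directory server); creating a user, moving a user to a new role and removing a leaver are all driven from that same table, so the administrator never has to know the individual resources, which is the point the reprovisioning paragraph makes. It assumes the ActiveDirectory module; the Exchange mailbox steps are left as comments because they need the Exchange Management Shell. Roles, OUs, groups, shares and names are constructed.

```powershell
# Added example, not from the guide or from Quest: role-driven provisioning.
# A role in $RolePolicy describes everything a new hire in that role needs; the
# same table drives reprovisioning (move to another role) and deprovisioning.
# Assumes the ActiveDirectory module; Exchange mailbox steps are shown as
# comments because they need the Exchange Management Shell. Roles, OUs,
# groups, shares and names are constructed.
Import-Module ActiveDirectory

$RolePolicy = @{
    'Sales-NYC' = @{ OU = 'OU=Sales,OU=NYC,DC=example,DC=com'; Groups = @('Sales-All', 'NYC-Staff', 'CRM-Users'); HomeServer = '\\nyc-fs01\home' }
    'Sales-LON' = @{ OU = 'OU=Sales,OU=LON,DC=example,DC=com'; Groups = @('Sales-All', 'LON-Staff', 'CRM-Users'); HomeServer = '\\lon-fs01\home' }
}
# Every group the policy knows about; only these are touched on a role change.
$ManagedGroups = $RolePolicy.Values | ForEach-Object { $_.Groups } | Sort-Object -Unique
$LeaversOu = 'OU=Leavers,DC=example,DC=com'

function New-ProvisionedUser([string]$Sam, [string]$GivenName, [string]$Surname, [string]$Role, [securestring]$InitialPassword) {
    $p = $RolePolicy[$Role]; if (-not $p) { throw "unknown role $Role" }
    $home = "$($p.HomeServer)\$Sam"
    # Account, groups, home directory: the minimum set the guide lists for one user.
    New-ADUser -SamAccountName $Sam -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -UserPrincipalName "$Sam@example.com" -Path $p.OU -HomeDirectory $home -HomeDrive 'H:' `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true
    foreach ($g in $p.Groups) { Add-ADGroupMember -Identity $g -Members $Sam }
    New-Item -ItemType Directory -Path $home -Force | Out-Null
    # Exchange (not run here): Enable-Mailbox -Identity $Sam -Database 'MBX01'
}

function Set-UserRole([string]$Sam, [string]$NewRole) {
    $p = $RolePolicy[$NewRole]; if (-not $p) { throw "unknown role $NewRole" }
    $user = Get-ADUser -Identity $Sam -Properties memberOf
    # Reprovision: drop policy-managed groups the new role does not grant, add the
    # new role's groups, move the object. Groups outside the policy are left alone.
    foreach ($dn in $user.memberOf) {
        $g = Get-ADGroup -Identity $dn
        if ($ManagedGroups -contains $g.Name -and $p.Groups -notcontains $g.Name) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }
    }
    foreach ($g in $p.Groups) { Add-ADGroupMember -Identity $g -Members $user }
    Move-ADObject -Identity $user -TargetPath $p.OU
}

function Remove-ProvisionedUser([string]$Sam) {
    # Deprovision in one step: disable, strip every group, clear the manager link,
    # record the date, park the object in the Leavers OU for later deletion.
    $user = Get-ADUser -Identity $Sam -Properties memberOf
    Disable-ADAccount -Identity $user
    foreach ($dn in $user.memberOf) { Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false }
    Set-ADUser -Identity $user -Clear manager -Description "Deprovisioned $(Get-Date -Format yyyy-MM-dd)"
    Move-ADObject -Identity $user -TargetPath $LeaversOu
    # Exchange (not run here): Disable-Mailbox -Identity $Sam -Confirm:$false
}

# Usage (constructed):
# New-ProvisionedUser -Sam 'jdoe' -GivenName 'Jane' -Surname 'Doe' -Role 'Sales-NYC' -InitialPassword (Read-Host -AsSecureString)
# Set-UserRole -Sam 'jdoe' -NewRole 'Sales-LON'
# Remove-ProvisionedUser -Sam 'jdoe'
```

Deprovisioning disables and strips the account rather than deleting it outright, so that the artifacts the guide warns about (group memberships, the manager link, the home directory) are removed while the object can still be audited; deleting the parked objects after a retention period is a separate scheduled step.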

David Chernicoff ([email protected]) is a senior contributing editor for Windows IT Pro. He has been writing computer-related features and product reviews for more than 15 years and is coauthor of Microsoft Windows XP Power Toolkit (Microsoft Press).

Application Management | Database Management | Windows Management

©2005 Quest Software, Inc. All rights reserved. Quest and Quest Software are trademarks or registered trademarks of Quest Software. All other brand or product names are trademarks or registered trademarks of their respective holders. 3/2005/Essential Guide IT Pro

Give the right users the right view. With secure identity management from Quest.

This innovative, practical solution empowers you with lifecycle control of users from hire to retire. Superior user provisioning, password management, identity administration, and self-service. And cost-effective benefits due to improved security, compliance, IT efficiency and user satisfaction.

Quest—Microsoft’s 2004 Global ISV Partner of the Year and the leader in Active Directory management—helps you leverage your existing infrastructure, allowing you to get more from your Active Directory.

Find out more. Get The Essential Guide to Active Directory Management inside this issue. Or visit www.quest.com/IdM4AD to download this guide today!