The Essential Guide To Active Directory Management

By David Chernicoff
Sponsored by Quest Software

If you’ve made the decision to implement Active Directory in your networking environment, you’ve also decided to make major changes in the way you manage your network, users, and network resources. A great deal of planning and execution work goes into a successful migration from Windows NT or Novell Directory Services (NDS) to Windows Server 2003 and Active Directory. But your job doesn’t stop there. The complex nature of Active Directory and the fluid nature of most network environments mean that you’ll need to proactively manage your Active Directory implementation.

In most environments, just deploying Active Directory and forgetting about it isn’t an option; too many applications interact closely with the directory service, some of which make changes to the directory schema. Active Directory requires a hands-on management approach. Fortunately, features in Active Directory and third-party tools exist to simplify the complex problems that managing Active Directory presents.

This special advertising section was produced by the Windows IT Pro Custom Media Group in conjunction with Quest Software. It appears as an insert in the March 2005 issue of Windows IT Pro magazine.

Delegating Tasks

The primary tool for allowing simplified and more effective Active Directory management is Active Directory’s ability to delegate administrative authority. In a very granular fashion, top-level administrators can assign authority to users to perform specific management tasks. These users don’t need full administrative privileges. This detailed dispensation of management rights and privileges has a number of important benefits.

  • Reduced management complexity. By allowing members of a team or department to manage themselves, you can empower personnel who are familiar with the department to intelligently deal with Active Directory concerns in the organization—without involving top-level IT administration.
  • Reduced IT workload. With the increase in administrative efficiency you gain by delegating specific Active Directory authority where necessary, you reduce the overall IT workload. The granular nature of the responsibilities you assign to administrators who need them lets those admins more easily master their tasks.
  • Reduced administrative costs. Sharing administrative responsibility across a group of administrators with limited administrative privileges makes it less costly to make administrative changes to Active Directory.
  • Improved security. When you delegate administrative authority, you create a pyramid of administrators, with each level possessing progressively fewer administrative rights than the level above it. This model requires very few administrators with enterprise-wide administrative authority, which reduces the chance of accidentally exposing the network to unauthorized access because of a large number of users with broad administrative authority.

Figure 1: Using role-based administration

Third-party tools exist to give Active Directory administrators the ability to perform centralized administration of all their Active Directory deployments, including those in multiforest environments. Because the biggest headache with delegating authority is keeping track of which users have administrative rights on which directory objects, many tools offer role-based administration. Although some of this functionality (and the tools needed to implement it) is present in Active Directory, some third-party applications provide easier-to-use tools for managing the complexities of Active Directory. The out-of-the-box Active Directory tools that Microsoft provides are perfectly functional and work as advertised; however, they can leave a lot to be desired in larger environments or in situations in which a consolidated approach to managing Active Directory is required.
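As an added example (not from the guide and not a Quest tool), here is what one such delegation, and the "who has rights on which objects" check the paragraph above calls the biggest headache, look like in PowerShell with the RSAT ActiveDirectory module, which postdates this 2005 guide. The OU and group names are assumptions; the two GUIDs for the Reset Password extended right and the user object class are fixed, well-known values, and the lockoutTime attribute GUID is resolved from the schema rather than hard-coded.

```powershell
# Added example: delegate "reset password" and "unlock account" for one OU to a
# help-desk group, then list every explicit ACE on that OU. Needs the RSAT
# ActiveDirectory module and rights to modify the OU's security descriptor.
# OU and group names are assumptions; change them for your forest.
Import-Module ActiveDirectory

$OuDn     = 'OU=Sales,DC=corp,DC=example'     # assumed OU
$GroupSam = 'HelpDesk-PasswordReset'          # assumed delegate group

# Well-known GUIDs, identical in every AD forest:
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

function Get-SchemaAttributeGuid {
    # Resolve an attribute's schemaIDGUID from the schema partition instead of
    # trusting a copied-and-pasted value.
    param([string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$attr.schemaIDGUID
}

function New-DelegationAce {
    param($Sid, [string]$Rights, [Guid]$ObjectType)
    # The ACE applies to user objects in this OU and below (Descendents,
    # InheritedObjectType = user class), never to the OU object itself.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass
    )
}

function Grant-PasswordResetDelegation {
    param([string]$OuDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Reset Password is an extended right; naming the right's GUID as ObjectType
    # is what keeps this from granting *all* extended rights.
    $acl.AddAccessRule((New-DelegationAce -Sid $sid -Rights 'ExtendedRight' -ObjectType $ResetPasswordRight))
    # Unlocking an account is a write to the lockoutTime attribute.
    $acl.AddAccessRule((New-DelegationAce -Sid $sid -Rights 'WriteProperty' -ObjectType (Get-SchemaAttributeGuid 'lockoutTime')))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-ExplicitDelegation {
    # The "who has what" report: only ACEs set directly on this object, not
    # ones inherited from the domain head or a parent OU.
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

Grant-PasswordResetDelegation -OuDn $OuDn -GroupSam $GroupSam
Get-ExplicitDelegation -OuDn $OuDn | Format-Table -AutoSize
```

Two things to check after running it. Accounts in protected groups (Domain Admins, Enterprise Admins and the rest of the AdminSDHolder set) have their ACLs rewritten from AdminSDHolder by the SDProp process, so the help desk will not be able to reset those passwords even if such an account sits in the delegated OU; that is the behaviour you want. And the explicit-ACE listing is the baseline for the auditing discussed later: run it on a schedule across every OU and diff it against the last run, because a delegation ACE is exactly the kind of change that rarely shows up in anyone's ticket queue.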

In role-based administration, you set permissions for users according to the specific roles those users serve within the organization. When you make permission changes that apply universally to a specific role (not to a specific user), you can automatically update the permissions of all users in that role whenever the role is deployed or changed. Even with role-based management, you run the risk that administrators with the same level of authority will handle the directory in different ways, which can cause consistency problems. It’s important to ensure that all actions taken within the directory are consistent, regardless of which administrator makes the changes. Rule-based functionality is essential to consistency because it ensures that a predefined set of rules is applied whenever a user, group, organizational unit (OU), contact, shared folder, or printer object is created or modified. It ensures that regardless of which administrator creates or edits an object, the appropriate elements are applied consistently throughout the managed directory.

Figure 2: Viewing results of a policy audit

Securing Active Directory

On one level, securing Active Directory is a straightforward task. You can take steps to assure administrators that they have properly configured and secured the directory. In general, Active Directory is just one portion of the network infrastructure that should be included in a full security audit of the infrastructure.

However, you should emphasize specific areas of concentration for an audit of the directory. First, you should be able to audit all of your business rules. It’s important to ensure that naming conventions are met, account fields are populated correctly, resource permissions are assigned consistently and correctly, and administrative privileges are granted to the appropriate users. For each of the foregoing elements, auditing compliance with the rules that maintain the corporate standard should be an automated task and include reporting capabilities for the administrative user.

Figure 3: Backing up Active Directory

In addition to auditing directory content, you also need to keep track of activity surrounding the directory: for example, changes to directory data or permissions and attempts to use network credentials. The Windows OS stores a great deal of data that OS and third-party tools can access. For tracking activities on servers, you can set up event logs to record every file access and administrative action, for example. Compliance regulations might require that such data is tracked and stored for some time, and tools that are capable of aggregating data across multiple servers are required in any multiserver environment. Native OS tools don’t really provide this capability, nor do they provide sufficient detail of the data they can track. In addition, auditing functionality that OS tools provide can be system-resource intensive and impact server performance negatively.
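The business-rule audit described above, written as an added example (not from the guide) in PowerShell. The naming convention, the list of required attributes and the approved-administrator lists are assumptions standing in for your corporate standard; the sample users and group memberships are constructed so the script runs offline, and the live Get-ADUser and Get-ADGroupMember calls that would replace them are shown in comments.

```powershell
# Added example: automated compliance audit of directory content against an
# (assumed) corporate standard: naming convention, populated account fields,
# and who sits in privileged groups. Runs offline on constructed data.
$Standard = @{
    SamAccountNamePattern = '^[a-z]{2,3}\d{4}$'                 # assumed: 2-3 initials + 4 digits
    RequiredAttributes    = 'Department', 'Mail', 'Manager', 'EmployeeID'
    ApprovedPrivileged    = @{                                   # assumed approved lists
        'Domain Admins'     = 'adm1001', 'adm1002'
        'Enterprise Admins' = 'adm1001'
    }
}

function Test-UserCompliance {
    # One result object per user; Findings is empty for a compliant account.
    param([Parameter(ValueFromPipeline)]$User, [hashtable]$Standard)
    process {
        $findings = @()
        if ($User.SamAccountName -cnotmatch $Standard.SamAccountNamePattern) {
            $findings += "SamAccountName '$($User.SamAccountName)' violates naming convention"
        }
        foreach ($attr in $Standard.RequiredAttributes) {
            if ([string]::IsNullOrWhiteSpace($User.$attr)) { $findings += "missing $attr" }
        }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; Findings = $findings }
    }
}

function Test-PrivilegedMembership {
    # Flag every member of a privileged group who is not on its approved list,
    # and every approved admin who is absent (so the list itself stays honest).
    param([hashtable]$ActualMembers, [hashtable]$Approved)
    foreach ($group in $Approved.Keys) {
        $actual   = @($ActualMembers[$group])
        $approved = @($Approved[$group])
        foreach ($m in $actual)   { if ($m -notin $approved) { [pscustomobject]@{ Group = $group; Member = $m; Issue = 'not approved' } } }
        foreach ($m in $approved) { if ($m -notin $actual)   { [pscustomobject]@{ Group = $group; Member = $m; Issue = 'approved but absent' } } }
    }
}

# Live data (run on a domain-joined admin workstation with the AD module):
#   $users   = Get-ADUser -Filter * -Properties Department, Mail, Manager, EmployeeID
#   $members = @{}
#   foreach ($g in $Standard.ApprovedPrivileged.Keys) {
#       $members[$g] = @(Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName)
#   }
# Constructed sample data for demonstration:
$users = @(
    [pscustomobject]@{ SamAccountName = 'jd1001';  Department = 'Sales'; Mail = 'jd1001@corp.example'; Manager = 'CN=M. Lee,OU=Sales,DC=corp,DC=example'; EmployeeID = '1001' }
    [pscustomobject]@{ SamAccountName = 'JohnDoe'; Department = '';      Mail = 'jdoe@corp.example';   Manager = $null;                                   EmployeeID = '1002' }
    [pscustomobject]@{ SamAccountName = 'adm1002'; Department = 'IT';    Mail = $null;                 Manager = 'CN=CIO,OU=IT,DC=corp,DC=example';       EmployeeID = '9002' }
)
$members = @{ 'Domain Admins' = 'adm1001', 'adm1002', 'jd1001'; 'Enterprise Admins' = 'adm1001' }

'== Account findings =='
$users | Test-UserCompliance -Standard $Standard | Where-Object { $_.Findings.Count -gt 0 } |
    ForEach-Object { '{0}: {1}' -f $_.SamAccountName, ($_.Findings -join '; ') }
'== Privileged group findings =='
Test-PrivilegedMembership -ActualMembers $members -Approved $Standard.ApprovedPrivileged | Format-Table -AutoSize
```

On the constructed data this reports JohnDoe (naming, no Department, no Manager), adm1002 (no Mail) and jd1001 as a Domain Admins member who is not on the approved list. Schedule it and keep each run's output: the report is only useful as a standard if the deltas between runs are what someone actually reads.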

Maintaining the Directory

Figure 4: Augmenting native event logs with more detailed third-party change auditing

To maintain an enterprise Active Directory, you need tools that provide you with options beyond those Microsoft offers out of the box. For administrators who recognize the weaknesses in native tools, the first concern to address is how quickly they can back up and restore the directory. In the event of a major system disruption, administrators need to be able to quickly recover Active Directory. The most important thing to have on hand when you need to restore your infrastructure is a reliable backup. Therefore, the directory-maintenance tool you select must have a relatively painless automated backup mechanism. This backup should also allow for the granular restoration of directory objects. In many cases, it isn’t necessary to restore the entire directory but rather only a subset of the directory objects or perhaps even a single object or attribute. Often, problems discovered in the directory structure can be repaired without affecting unassociated directory objects. If you can restore objects that have been corrupted or destroyed, your management of Active Directory will be much more effective. Detailed reporting tools should be available to let you create comparison reports that show the current state of the directory relative to the last backup.

Figure 5: Viewing DC activity

Where comparison reports provide point-in-time comparisons of Active Directory changes to assist in the recovery process, it’s also a good practice to keep on top of changes to Active Directory on a more continual and real-time basis. Although many changes are expected and innocuous, you should particularly be proactive in tracking the more crucial changes to Active Directory—those changes that have security implications (e.g., a user being added to the Enterprise Admins group) and changes that could cause problems, even outages, for the directory (e.g., an important Group Policy setting being incorrectly modified).

Maintaining the directory also means that you’re maintaining the service. The maintenance tool you select should let you troubleshoot and manage all DCs from one graphical console. You should be able to detect problems at a glance and see the current status of actions being taken to correct the problems. The tool should be able to grow with your network enterprise, scaling to support as many directory replicas as necessary.
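To make the "track the crucial changes" advice above concrete, here is an added example (not from the guide) in PowerShell. It covers both modes the text describes: near-real-time, by parsing the member-added Security events (IDs 4728, 4732 and 4756, which a domain controller writes when the Audit Security Group Management subcategory is enabled) and filtering for the privileged groups; and point-in-time, by diffing two snapshots of privileged-group membership. The watched-group list, the sample event and the snapshots are constructed so the script runs offline; the Get-WinEvent call for live use is in a comment.

```powershell
# Added example: (1) alert on additions to privileged groups from Security-log
# events, (2) a point-in-time comparison of group-membership snapshots.
# Group list, sample event and snapshots are constructed for demonstration.
$WatchedGroups  = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'
$MemberAddedIds = 4728, 4732, 4756   # member added to global / domain-local / universal security group

function ConvertFrom-GroupChangeEvent {
    # Flatten one event's XML (what $event.ToXml() returns) by Data Name, so the
    # code does not depend on the positional order of the replacement strings.
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$x = $EventXml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            EventId = [int]$id
            Time    = [datetime]$x.Event.System.TimeCreated.SystemTime
            Group   = $data['TargetUserName']
            Member  = $data['MemberName']            # DN of the account that was added
            Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

function Find-PrivilegedGroupAddition {
    param([string[]]$EventXml, [string[]]$Watched = $WatchedGroups)
    $EventXml | ConvertFrom-GroupChangeEvent |
        Where-Object { $_.EventId -in $MemberAddedIds -and $_.Group -in $Watched }
}

function Compare-GroupSnapshot {
    # $Old/$New: hashtable of group name -> member SamAccountNames, e.g. from
    # Get-ADGroupMember -Recursive saved to JSON on each run.
    param([hashtable]$Old, [hashtable]$New)
    foreach ($g in (@($Old.Keys) + @($New.Keys) | Sort-Object -Unique)) {
        $o = @($Old[$g] | Where-Object { $_ })
        $n = @($New[$g] | Where-Object { $_ })
        foreach ($m in $n) { if ($m -notin $o) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'added' } } }
        foreach ($m in $o) { if ($m -notin $n) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'removed' } } }
    }
}

# Live use on a domain controller:
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $MemberAddedIds; StartTime = (Get-Date).AddHours(-1) } |
#          ForEach-Object { $_.ToXml() }
# Constructed sample event (shape of a real 4756 record; all values invented):
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4756</EventID>
    <TimeCreated SystemTime="2005-03-01T10:15:00.000Z"/>
  </System>
  <EventData>
    <Data Name="MemberName">CN=J. Doe,OU=Sales,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TargetUserName">Enterprise Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">helpdesk7</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@
'== Privileged group additions =='
Find-PrivilegedGroupAddition -EventXml $sampleXml | Format-Table -AutoSize

# Constructed snapshots: last run's membership and this run's.
$previous = @{ 'Enterprise Admins' = 'adm1001';           'Domain Admins' = 'adm1001', 'adm1002' }
$current  = @{ 'Enterprise Admins' = 'adm1001', 'jd1001'; 'Domain Admins' = 'adm1001' }
'== Membership drift since last snapshot =='
Compare-GroupSnapshot -Old $previous -New $current | Format-Table -AutoSize
```

The sample event surfaces helpdesk7 adding J. Doe to Enterprise Admins; the snapshot diff reports jd1001 added to Enterprise Admins and adm1002 removed from Domain Admins. Two practical points: the event-based path needs the events forwarded off every DC, since a member-added event is logged only on the DC that processed the change; and the other class of change the paragraph mentions, an edited Group Policy setting, shows up as event 5136 (directory service object modified) on the groupPolicyContainer object only if the Audit Directory Service Changes subcategory is enabled, which it is not by default.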

Figure 6: Using a group policy management tool

Group Policy Management

Group Policy Objects (GPOs) are perhaps the most powerful management and configuration tools available to network administrators. Using GPOs, you can define everything from desktop computer configuration to computer network behavior to application access and security procedures. Microsoft provides the Group Policy Management Console (GPMC) as a free download for Windows Server 2003, but as you begin to really make use of GPOs to their fullest extent, you’ll need to find a tool that does more than the GPMC can. The GPMC quickly becomes cluttered and difficult to use when you start applying dozens or hundreds of GPOs across your enterprise. Remember that GPOs often affect only a subset of your network users, with specific GPOs performing similar (but not identical) actions against objects in different groups. That being the case, medium- or large-size enterprises see rapid growth in the number of GPOs used to provide detailed control of users’ activities.

A good GPO management tool gives administrators the ability to delegate GPO management and actively manage GPO creation and changes. Ideally, such a tool will allow the administrator to test new GPOs or changes to existing GPOs offline before rolling the changes out and affecting network users. You should also be able to roll back changes if you find that, despite testing, some GPO changes have unexpected or undesired effects on network users. An effective GPO version-control system and reporting tools let you keep track of previous GPO versions and which configurations worked in the past, so you can revert to earlier versions of existing GPOs, which eliminates the need to recreate those GPOs from scratch.
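As an added example (not the guide's and not a Quest product), the stage, rollback-point, publish and roll-back cycle just described, implemented with the GroupPolicy PowerShell module that ships with the GPMC from Windows Server 2008 R2 onward. The GPO names, the pilot OU and the backup share are assumptions.

```powershell
# Added example: change control for one GPO with the GroupPolicy module:
# stage a copy on a pilot OU, take a rollback point, publish, roll back.
# GPO names, the pilot OU and the backup path are assumptions.
Import-Module GroupPolicy

$ProdGpo    = 'Workstation Security Baseline'                        # assumed production GPO
$StagingGpo = "$ProdGpo - STAGING"
$PilotOu    = 'OU=GPO-Pilot,OU=Workstations,DC=corp,DC=example'    # assumed pilot OU
$BackupRoot = '\\fs01\gpo-backups'   # assumed share; restrict its ACL, a backup holds every setting

function New-GpoStagingCopy {
    # Clone production and link the clone only to the pilot OU, so changes are
    # edited and tested away from the production link.
    param([string]$Source, [string]$Target, [string]$PilotOu)
    if (-not (Get-GPO -Name $Target -ErrorAction SilentlyContinue)) {
        Copy-GPO -SourceName $Source -TargetName $Target | Out-Null
        New-GPLink -Name $Target -Target $PilotOu -LinkEnabled Yes | Out-Null
    }
    Get-GPO -Name $Target
}

function Publish-GpoChange {
    # Back up production first (the rollback point, with a comment saying why),
    # keep a readable report beside it, then import the staged settings over it.
    param([string]$Source, [string]$Target, [string]$BackupRoot, [string]$Comment)
    $dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    $before   = Get-GPO -Name $Target
    $rollback = Backup-GPO -Name $Target -Path $dir -Comment "before: $Comment"
    Get-GPOReport -Name $Target -ReportType Html -Path (Join-Path $dir 'before.html')

    $staged = Backup-GPO -Name $Source -Path $dir -Comment "staged: $Comment"
    # Import-GPO replaces the target's settings; its links, security filtering
    # and WMI filter stay as they were.
    Import-GPO -BackupId $staged.Id -Path $dir -TargetName $Target | Out-Null
    Get-GPOReport -Name $Target -ReportType Html -Path (Join-Path $dir 'after.html')

    $after = Get-GPO -Name $Target
    [pscustomobject]@{
        Gpo             = $Target
        RollbackId      = $rollback.Id
        BackupPath      = $dir
        UserVersion     = '{0} -> {1}' -f $before.User.DSVersion,     $after.User.DSVersion
        ComputerVersion = '{0} -> {1}' -f $before.Computer.DSVersion, $after.Computer.DSVersion
    }
}

function Undo-GpoChange {
    # Roll back to the recorded backup. Links to OUs are not part of a GPO
    # backup, so verify them separately (the GPO report lists them).
    param([Guid]$RollbackId, [string]$BackupPath)
    Restore-GPO -BackupId $RollbackId -Path $BackupPath
}

# Usage:
New-GpoStagingCopy -Source $ProdGpo -Target $StagingGpo -PilotOu $PilotOu | Out-Null
# ... edit $StagingGpo in the GPMC, run gpupdate on a pilot machine, verify with gpresult /h ...
$change = Publish-GpoChange -Source $StagingGpo -Target $ProdGpo -BackupRoot $BackupRoot -Comment 'CHG-0421 tighten SMB signing'
$change
# If the change misbehaves:
# Undo-GpoChange -RollbackId $change.RollbackId -BackupPath $change.BackupPath
```

The version numbers in the returned object are the cheap check that the import actually changed production (they increment on every edit), and the before and after HTML reports are the version history the text asks for: a plain file diff of two reports is a readable record of exactly which settings changed.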

Reporting

The Active Directory management tool you select should provide reports that fall into two categories: reports based on real-time data and reports based on stored data. You select the type of report you need depending on the report’s content. Generally, reports from live data are generated quickly and give you the most up-to-date information possible. However, a report based only on live data lacks context; if you need reports that show changes over time or need data for purposes of comparison, reports based on stored data are the way to go. A good reporting tool will give users the option to choose either type of report for any information where it is practical. Ad hoc reporting should also be able to make use of live or stored data.

When reporting on Active Directory, a management tool should be able to gather data about any object that resides in the directory (as well as create reports and display information about all the directory objects). You should be able to generate reports on all aspects of Active Directory. The ability to modify directory content according to the results of the reports increases the utility of the reporting tool and is another step in simplifying the management of an Active Directory environment.

NDS Redux

Novell Directory Services (NDS) administrators who move into the Active Directory world face challenges that they are well equipped to handle. Although there are significant differences between NDS/eDirectory and Active Directory, the fundamental concepts of managing a directory service–based infrastructure change very little. Concepts such as Lightweight Directory Access Protocol (LDAP), an extensible directory schema, organizational unit (OU) structures, and multi-mastered directories with replication services are common to both directory services. Although implementations differ, the Active Directory environment should hold no surprises for the well-prepared NDS administrator. The process of planning and executing an NDS-to-AD migration acquaints NDS administrators with the necessary concepts of AD management and also drives home the differences between the two services.

The single most difficult change is likely dealing with the different methods of delegating authority in Active Directory and NDS. Delegation doesn’t map well on a one-to-one basis, and depending on the structure of the NDS environment, the greater granularity of delegation available in Active Directory, and the detailed control available through the use of Group Policy Objects (GPOs), NDS administrators have a lot to learn about Active Directory to be most efficient. Because there is no direct mapping of the native NDS delegation concepts of security principals and security equivalences to Active Directory, these areas are the ones that NDS administrators need to focus on most directly. However, the fairly close attribute mapping between the two directory services and their similar management approach should ease the NDS administrator’s transition to the Active Directory environment.

Identity Management

Identity management is concerned with the challenge of managing common user identity problems, such as resetting passwords, synchronizing passwords, and provisioning users across the entire network enterprise. Although you can perform all of these functions manually by using the tools that the base network OS provides, third-party tools that automate these functions let you quickly realize ROI, both in terms of absolute costs and manpower allocations.

User Empowerment

The single most common, and annoying, call to an IT help desk is the one from a user who has forgotten his password or locked himself out of his account. In today’s security-conscious networking environment, password requirements have become more stringent, with longer, more complex passwords required and shorter password expiration times. These factors have increased the chances that users might forget their current password.

Figure 7: Accessing a self-service password-reset tool

To manage this problem, a password-resetting mechanism that doesn’t require direct IT intervention is necessary. You should select a tool that provides a self-service password-reset capability. This tool should use unique identifiers that define the identity of users and include, but are not limited to, logon ID; unique SMTP address; employee ID number; some combination of first, last, and middle name; or any combination of these methods. Bear in mind that these identifiers establish which account is being reset, not that the requester owns it: the tool must still authenticate the requester by some other means (pre-enrolled challenge questions, a code sent to a registered phone or address, or similar) before it changes anything, or the reset mechanism becomes a way to take over accounts. The resulting user-defined or randomly generated password should fit all the security requirements your enterprise has established for the creation of passwords on your network. The tool should make use of a Web-based interface, so that users need only have access to the local intranet to access the tool’s facilities. Additional functionality, in the form of the ability to update user information and modify group memberships (on an appropriate level), should also be available to end users.


Figure 8: Selecting a provisioning policy

Employing a simple solution to the situation of users forgetting their password has a twofold benefit. First, it reduces the time that the IT department spends handling this simple-to-solve yet time-consuming problem. This in turn makes IT resources available to solve more complex problems or actually work on those forward-looking projects that perpetually reside on the to-do list of every network administrator. Second, it tends to produce end users who are happier with their IT department. The user satisfaction level goes up, and more important, productivity doesn’t take a hit while users wait for the IT department to generate a new password. This is a win-win situation for all concerned.

User Provisioning

Automating user provisioning is a key component of managing a large network implementation. Powerful automated provisioning tools are capable of handling account creation in Active Directory, mailbox provisioning in Exchange Server, and resource provisioning in Windows.

It is hard to overstate the importance of a good automatic provisioning tool in building an enterprise network. Adding users to the network involves significant amounts of manual labor. Creating the user account, assigning the proper groups, creating home directories, and creating a mailbox on the Exchange server is the minimum necessary to create a single user on the network. Multiply these tasks by even just a dozen users and you have a significant workload. Multiply them by hundreds of users and you have a formidable operation that requires substantial resources to complete. When you consider that not all users need to be provisioned in the same way, the problem grows quickly. Add the tasks of making sure that the correct resources are assigned to the user and that the user is on the appropriate email server, has access to the appropriate email lists or groups, has access rights to the appropriate file and print devices, and so on, and you quickly see why tools that automate the provisioning process are mission-critical.

Bear in mind that the initial provisioning of a user account isn’t always the end. In any organization, employees move. Often, this means that network accounts must be reprovisioned to give employees the appropriate access rights for a new job. When employees move from one geographical office to another, their account must be reprovisioned to give them appropriate rights and application access at their new location. Although the user accounts already exist, they must be modified appropriately for the new job. In these cases, an administrator shouldn’t need to know the details of every resource an employee might need in any job or location. The administrator should be able to simply move the user account to the relevant group or role and let automation take care of appropriately provisioning the account in that new group or role. The last step in the provisioning process is actually deprovisioning. When employees leave the company, they should no longer have access to corporate network resources. This means that those user accounts should be deprovisioned—that is, removed from every location on which they are currently stored on the network. In many organizations, deprovisioning simply isn’t done; although the base user account is deleted, the artifacts that might be attached to the account remain scattered throughout the directory, constituting deadweight that must be managed. Automated deprovisioning lets administrators take a single step to remove the user account and all its artifacts from all locations in the directory.
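An added example (not the guide's and not a Quest product) of the provision, reprovision and deprovision cycle described above, written in PowerShell with the ActiveDirectory module. The role-to-OU-and-groups map, the naming rule, the UPN suffix and the quarantine OU are assumptions; in a real deployment the map would be fed from HR or a role catalogue rather than declared in the script.

```powershell
# Added example: role-driven provisioning, reprovisioning and deprovisioning.
# Role map, OUs, naming rule and UPN suffix are assumptions.
Import-Module ActiveDirectory

$RoleMap = @{
    'Sales-Rep'  = @{ OU = 'OU=Sales,DC=corp,DC=example';   Groups = 'GG-Sales', 'GG-CRM-Users', 'GG-VPN' }
    'Finance-AP' = @{ OU = 'OU=Finance,DC=corp,DC=example'; Groups = 'GG-Finance', 'GG-AP-Share', 'GG-ERP-Users' }
}
$UpnSuffix     = 'corp.example'
$DisabledOu    = 'OU=Disabled Accounts,DC=corp,DC=example'
$AllRoleGroups = @($RoleMap.Values | ForEach-Object { $_.Groups })   # every group any role can grant

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded: 32 chars of mixed case, digits and symbols.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function New-RoleUser {
    # Create the account in the role's OU with a one-time password that must be
    # changed at first logon, and grant exactly the role's groups.
    param([string]$GivenName, [string]$Surname, [string]$EmployeeID, [string]$Role)
    $spec = $RoleMap[$Role]; if (-not $spec) { throw "Unknown role '$Role'" }
    $sam     = ($GivenName.Substring(0, 1) + $Surname).ToLower()      # assumed naming rule
    $oneTime = New-RandomPassword                                      # hand over out of band
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -EmployeeID $EmployeeID `
        -Path $spec.OU -AccountPassword (ConvertTo-SecureString $oneTime -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    foreach ($g in $spec.Groups) { Add-ADGroupMember -Identity $g -Members $sam }
    [pscustomobject]@{ SamAccountName = $sam; OneTimePassword = $oneTime }
}

function Set-UserRole {
    # Job change: remove role groups the new role does not grant, add the ones it
    # does, move the object to the new OU. Groups outside the role map are left alone.
    param([string]$Sam, [string]$NewRole)
    $spec = $RoleMap[$NewRole]; if (-not $spec) { throw "Unknown role '$NewRole'" }
    $u = Get-ADUser -Identity $Sam -Properties MemberOf
    $current = @(foreach ($dn in $u.MemberOf) { (Get-ADGroup -Identity $dn).SamAccountName })
    foreach ($g in $current) {
        if ($g -in $AllRoleGroups -and $g -notin $spec.Groups) {
            Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false
        }
    }
    foreach ($g in $spec.Groups) {
        if ($g -notin $current) { Add-ADGroupMember -Identity $g -Members $u }
    }
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $spec.OU
}

function Disable-RoleUser {
    # Leaver: disable, scramble the password, strip every group, clear the manager
    # link, record the reason, move to the quarantine OU. Keep the object for the
    # retention period; deleting it leaves orphaned SIDs on shares and mailboxes.
    param([string]$Sam, [string]$Reason)
    $u = Get-ADUser -Identity $Sam -Properties MemberOf
    Disable-ADAccount -Identity $u
    Set-ADAccountPassword -Identity $u -Reset -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    foreach ($dn in $u.MemberOf) { Remove-ADGroupMember -Identity $dn -Members $u -Confirm:$false }
    Set-ADUser -Identity $u -Clear manager -Description ('Deprovisioned {0:u}: {1}' -f (Get-Date), $Reason)
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOu
}

# Usage (against a real domain):
# $new = New-RoleUser -GivenName 'Jane' -Surname 'Doe' -EmployeeID '1003' -Role 'Sales-Rep'
# Set-UserRole -Sam $new.SamAccountName -NewRole 'Finance-AP'
# Disable-RoleUser -Sam $new.SamAccountName -Reason 'left company, ticket HR-2291'
```

The role map is the whole point: the administrator names a role, never a list of resources. The groups it grants are global groups that in turn sit in the domain-local groups that carry the actual share, printer and application permissions, and that layering is what makes deprovisioning a single step; if permissions are granted to individual accounts on file servers instead, the "artifacts" the paragraph above describes are exactly what stripping group memberships cannot clean up.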

Automating all aspects of account provisioning is a significant step toward reducing the total cost of ownership (TCO) of Active Directory networks and Active Directory–enabled applications. Using automation tools makes managing directory-enabled applications a more practical operation because administrators can guarantee that the appropriate information is created for every user they add to their network. And once you begin making full use of directory enablement, the resulting improvement in administrative efficiencies makes a positive impact on the costs associated with corporate IT.

The Benefits of Management

The primary point to remember about implementing Active Directory is that, although planning the journey to Active Directory is crucial, planning for how you will live in and manage Active Directory is just as important. Indeed, the key to realizing the TCO benefits of an upgrade to a scalable directory service such as Active Directory is ensuring that you accomplish the ongoing management of the infrastructure in a consistent, secure, and highly available manner. Microsoft does a good job of providing basic Active Directory management tools, but you need to determine whether those basic tools will meet the needs of your business. If not, identify areas where third-party support may be needed to address areas that this Essential Guide describes. The value of planning for ongoing management from the beginning of your Active Directory implementation is that your new environment will be able to deliver on the promises of lower TCO that Microsoft makes for Active Directory.

David Chernicoff ([email protected]) is a senior contributing editor for Windows IT Pro. He has been writing computer-related features and product reviews for more than 15 years and is coauthor of Microsoft Windows XP Power Toolkit (Microsoft Press).


©2005 Quest Software, Inc. All rights reserved. Quest and Quest Software are trademarks or registered trademarks of Quest Software. All other brand or product names are trademarks or registered trademarks of their respective holders. 3/2005/Essential Guide IT Pro

Give the right users the right view. With secure identity management from Quest. This innovative, practical solution empowers you with lifecycle control of users from hire to retire. Superior user provisioning, password management, identity administration, and self-service. And cost-effective benefits due to improved security, compliance, IT efficiency and user satisfaction. Quest—Microsoft’s 2004 Global ISV Partner of the Year and the leader in Active Directory management—helps you leverage your existing infrastructure, allowing you to get more from your Active Directory. Find out more. Get The Essential Guide to Active Directory Management inside this issue, or visit www.quest.com/IdM4AD to download this guide today!

Application Management | Database Management | Windows Management
