How does your organization handle Active Directory management? Did you know that not every company deals with Active Directory management in the same way or with the same Active Directory tools, and that the differences have as much to do with culture as they do with technology?
How does your company approach Active Directory management?
Let’s say that a newbie admin accidentally deletes an organizational unit (OU) or changes a Group Policy object (GPO). Suddenly, 26 people in Tech Publications can’t access a shared folder or send jobs to the fast duplex printer. Unhappiness ensues, big time.
If you worked for Company A, which believes in distributed AD administration, you might be responsible for either DNS infrastructure, delegated administration, user accounts, group membership or AD health monitoring, to name a few areas of Active Directory management. You might not find out until your next team meeting that those 26 people in Tech Pubs suddenly couldn’t get their work done one day last week.
Or, if you worked for Company B, which has integrated AD administration, you could be one of a small handful of generalists, and all of you would be responsible for AD management. You might be sitting in the bullpen when your smartphone and three others right around you start chirping the red alert from the help desk. You’d find out in a hurry about those 26 people not being able to get their work done.
Naturally, whether your organization takes the distributed or integrated approach, somebody has to fix the broken GPO or rebuild the OU, right? Actually, first somebody has to:
- Check a few tools to determine what the problem isn’t (not a flaky network connection or a machine turned off)
- Open a few more tools, do research, then figure out that the problem is a broken GPO or missing OU
- Decide whether it’s easier to repair the object or restore it from backup (you do have a backup, don’t you?) (Don’t you?)
- Restore the deleted object, if you can
- Double-check that the restore operation doesn’t cause more problems than it solves
The only easy part is tracking down that newbie admin who caused the problem and making him buy lunch for the whole IT team.
How are those Active Directory tools working out for you?
From what I hear from admins in both distributed and integrated organizations, the problem isn’t that they don’t have tools. The problem is that it takes too many tools to birddog, diagnose and fix things that go wrong with AD. Not to mention just keeping Active Directory secure and healthy on an everyday basis.
Think about some of the common issues that arise with Active Directory, and the native tools Windows provides (Microsoft Management Console, or MMC, in most cases) for dealing with them:
- Permissions — You can delegate control through AD to other users, but MMC doesn’t let you manage the process very well. For instance, it’s not easy to un-delegate permission once you’ve delegated it, unless you do it manually.
- Group Policy — MMC works against live Group Policy objects, so edits go into production immediately. Remember how well that went with the newbie administrator above? You may have gotten a free lunch out of it, but it cost you a morning of unplanned scrambling.
- Object recovery — You can recover individual objects that have been deleted. But if a user attribute or group membership is changed (deliberately or not), the native tools cannot help you easily identify and undo that change.
- Auditing — Good luck. The native tool doesn’t report on permissions. Things like Active Directory changes, account lockouts and user activity are recorded in Windows event logs, but not in a way that is conducive to reporting or troubleshooting.
- Health monitoring — Worst of all, IMO, is that the Active Directory tools in Windows aren’t set up for simply monitoring the health and stability of AD. You get a high-level view with Performance Monitor and some shell commands to check on things like replication status, but by and large you’re on your own.
Active Directory doesn’t care whether your AD administration is distributed, integrated or polka-dotted. All it knows is that the tools it comes with aren’t adequate to keep it young, clean and healthy forever. They don’t allow you to control delegation, backup or restore individual objects (without taking AD offline), send alerts about critical changes or monitor Active Directory for health and performance.
Still, things are not completely bleak. We’ve put together an animated video that describes how you can simplify Active Directory management with Active Administrator from Dell:
We’ve also created a white paper called “Complete Active Directory Management from a Single Pane of Glass” with more details on the distributed and integrated approaches to Active Directory management and a wish list for daily AD management.