Active Directory, or AD as it is often referred to, is Microsoft’s own version of an LDAP directory service. It’s been around since Windows Server 2000 and replaced the then-aging domain management features of Windows servers. It is a hugely complex service that takes care of authenticating users and equipment, pinpointing their location and managing access rights. Being so complex, it’s no surprise that several developers have tried to make tools that ease the pain of managing Active Directory. Today, we’re bringing you some of the best Active Directory tools that can be found on the Internet.
We’ll first have a general discussion about directory services, what they are, their purpose and utility, and give you some examples of them. Next, we’ll talk about LDAP and X.500, two standardized protocols related to directory services. Then, we’ll briefly talk about the evolution of Microsoft directory services. This will bring us to the core of our matter, the best Active Directory tools we could find. We’ll give you a brief review of each one.
Directory Services, What They Are
Wikipedia defines a Directory Service as “a mapping between the names of resources in a network and their respective network addresses.” And in its simplest form, this is really all it is. So then, you may ask, is the Domain Name System (DNS) a directory service? The answer is a resounding YES! But if it’s that simple, why is Active Directory so complex?
Active Directory, just like most modern directory services, implements much more functionality than just mapping names to addresses. These services are at the core of the network’s security: they contain detailed information about users (user accounts) and resources, and they sit at the center of the access-control mechanisms of most networks. The modern directory service is a database where most of the information about a network, its resources and its users is stored.
A directory service is a hierarchical database of objects, each representing a different entity. Some objects represent users, some represent computers or other available resources such as network shares. Other objects are containers for objects. The hierarchical structure makes finding any single object easier and allows for easy permission management where objects can inherit permissions from their parent.
Our goal is not to make you a directory service expert, though, but rather to give you enough background information to better understand what Active Directory is and where it’s coming from. Let’s have a look at some real-life examples of past and present directory services you may have encountered.
DNS is one of the very first directory services. It dates back to the early eighties. It had–and still has–a single primary purpose: translating hostnames into IP addresses. It’s still in widespread use today and it’s one of the foundations of the Internet.
The Network Information Service, or NIS, was Sun Microsystems’ own implementation of a name service similar to DNS for its Unix ecosystem.
Novell Directory Services—later called eDirectory—was the directory service of Novell Netware networks. Somewhat similar to what Active Directory is today, it was an all-encompassing system not only used for name resolution but also for authentication and access control.
NetInfo was developed by NeXT and, when Apple acquired the company, became the Mac OS’s directory service before being replaced by OpenDirectory.
Finally, NT Domains are another example of a directory service. They are the ancestor of Active Directory. NT Domains were primarily used for access control and authentication purposes.
X.500 And LDAP, Two Directory Services Standards
In the information age, interoperability is more important than ever, which causes standards to emerge in every field. Directory services are no different: two primary standards exist, X.500 and LDAP.
The X.500 standard, or more precisely the X.500 series of standards are a group of specifications from the ITU-T covering several aspects of electronic directory services. The first iterations date back to 1988 but X.500 is still in widespread use today.
One of the goals of a set of standard protocols as proposed by X.500 is to ensure interoperability and allow systems from different vendors to interact. X.500 is actually a set of nine individual protocols.
The Lightweight Directory Access Protocol, or LDAP, is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. Today, most directory services implementations, including Microsoft’s Active Directory are LDAP-compliant.
LDAP was originally intended as a lightweight alternative protocol for accessing X.500 directory services through the simpler TCP/IP protocol stack. As such, X.500 and LDAP are not mutually exclusive and are instead complementary. For instance, the LDAP specification states that the structure of the directory services database must be X.500 compliant.
LDAP clients can not only read the attributes of objects in a directory services database, they can also modify them. This, of course, means that LDAP must include an authentication mechanism (the bind operation) so that the directory can check who is asking before allowing a change. Note that a simple bind sends the password in clear text, so it should only be used over an encrypted connection (LDAPS or StartTLS).
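The read, modify and bind operations described above, as an added example that is not part of the original article: a small PowerShell LDAP client built on the .NET System.DirectoryServices.Protocols classes, which Active Directory domain controllers understand. The server name, base DN and account names are placeholders; the script assumes it runs on a domain-joined machine and binds with the caller’s own Kerberos/NTLM credentials over LDAPS (port 636) so no password travels in clear text.

```powershell
# Added example (not from the article): LDAP bind, search and modify against a
# domain controller. All host names, DNs and accounts below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param(
        [string]$Server = 'dc01.example.internal',   # placeholder DC host name
        [int]$Port = 636                              # 636 = LDAPS; 389 would be unencrypted LDAP
    )
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new("$Server`:$Port")
    $conn.SessionOptions.ProtocolVersion = 3
    # Encrypt the session so that neither the bind nor the directory data is readable on the wire.
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    # Negotiate = Kerberos/NTLM with the calling user's token; the script never handles a password.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # throws LdapException if the directory rejects the credentials
    return $conn
}

function Get-LdapUserPhone {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$BaseDn = 'DC=example,DC=internal',   # placeholder base DN
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # Escape the RFC 4515 filter metacharacters (backslash first) so user input cannot
    # change the meaning of the search filter.
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $filter  = "(&(objectClass=user)(sAMAccountName=$escaped))"
    $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $BaseDn, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('distinguishedName', 'telephoneNumber'))
    $response = $Connection.SendRequest($request)   # the DC only returns what the bound identity may read
    foreach ($entry in $response.Entries) {
        $phone = $null
        if ($entry.Attributes.Contains('telephoneNumber')) { $phone = $entry.Attributes['telephoneNumber'][0] }
        [pscustomobject]@{ DistinguishedName = $entry.DistinguishedName; TelephoneNumber = $phone }
    }
}

function Set-LdapUserPhone {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$TelephoneNumber
    )
    # A modify is an authenticated write: the DC checks the bound identity's permission on the
    # attribute and answers with LDAP result 50 (insufficientAccessRights) if it is missing.
    $modify = [System.DirectoryServices.Protocols.ModifyRequest]::new(
        $DistinguishedName,
        [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace,
        'telephoneNumber', $TelephoneNumber)
    [void]$Connection.SendRequest($modify)
}

# Usage (placeholder names): read an attribute, then update it with the same connection.
$ldap = Connect-Ldap
$user = Get-LdapUserPhone -Connection $ldap -SamAccountName 'jdoe'
$user
if ($user) { Set-LdapUserPhone -Connection $ldap -DistinguishedName $user.DistinguishedName -TelephoneNumber '+1 555 0100' }
$ldap.Dispose()
```

Connecting on port 389 without StartTLS would make the search and modify work just the same, which is exactly why the encryption is tied to the connection rather than left to the caller.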
From NT Domain To Active Directory
As stated earlier, Windows NT domains were the first form of directory service in the Microsoft ecosystem. As you might have guessed, they first appeared with Windows NT, back in 1993. They had a centralized database that was located on a domain controller which was primarily responsible for user authentication. The database could be replicated on several domain controllers for redundancy and to ensure that large, multi-site networks could authenticate users locally.
With Windows 2000, Microsoft released Active Directory. It was a much-needed improvement over the traditional domains that had been used for years. Active Directory provides several different services. First and foremost are the domain services. These are the cornerstone of Windows networks. They store information about members of the domain, including devices and users, verify their credentials, authenticate them, and define their access rights.
Other important services of Active Directory include Certificate Services which provide a local public key infrastructure. They can create, validate and revoke public key certificates for internal use in an organization. Such certificates can be used to encrypt files, emails, and network traffic. Other services provided by Active Directory include federation services, a type of single sign-on mechanism, and rights management services.
The Best Active Directory Tools
The main characteristic of Active Directory is that it is big and complex. And with this complexity comes administration headaches. Fortunately, many tools have been developed by third parties to address some of the AD administration burdens. Those are the tools we’ve researched, and we’re presenting some of the best we could find. This list is far from exhaustive as there are simply way too many tools out there.
1. SolarWinds Server & Application Monitor
SolarWinds is known to make some of the very best network and system administration tools. We’ve featured SolarWinds products countless times when, for example, we reviewed the best SNMP monitoring tools or the best NetFlow collectors and analyzers. SolarWinds is also famous for its free tools, task-specific tools aimed at administrators.
It’s no surprise, then, that the SolarWinds Server & Application Monitor is on our list. And while its unassuming name might not lead one to think this is an Active Directory tool, its broad range of functionality makes it a great tool for monitoring and managing Active Directory.
Let’s start by having a look at how the SolarWinds Server & Application Monitor can help with AD management. First, the tool features domain controller monitoring which monitors several operational parameters. It will tell you when CPU usage is getting too high, when a user account is locked out or when there is a login issue.
The software will also monitor the NTDS object counters, helping reduce server overload. Furthermore, the SolarWinds Server and Application Monitor gives you insight into several LDAP statistics including LDAP active threads, bind time, client sessions, and successful binds and searches per second.
The SolarWinds Server & Application Monitor can send notifications when directory servers fail to replicate, an event which can prevent users from accessing folders and files. It also provides detailed performance statistics related to directory services such as distributed file system, DFS replication, intersite messaging, DNS client, Windows time, RPC, server and workstation services, and Active Directory domain services, just to name a few of the most significant ones.
But as its name implies, this tool will not only monitor Active Directory services but also the servers themselves and the applications running on them. This complete package can scale from the smallest networks to large, multi-site networks with hundreds of physical and virtual servers. And it can monitor servers in cloud environments such as those from Amazon Web Services and Microsoft Azure just as well.
The SolarWinds Server & Application monitor will initially auto-discover hosts and devices on your network. Then, a second discovery scan will detect applications running on each server. Once it’s up and running, using this tool can hardly be easier, thanks to its intuitive user interface. Clicking on Node Detail, for instance, displays the node’s performance and health information.
Pricing for the SolarWinds Server and Application Monitor starts at just below $2,995 and a free 30-day trial version is available for download.
2. ManageEngine Active Directory Free Tools
ManageEngine is another common name among system and network administrators. It makes the OpManager, arguably one of the best IT infrastructure monitoring tools. And like SolarWinds, ManageEngine also makes some great free tools. In fact, they have more than fifteen free Active Directory tools that can help with monitoring and administering your AD infrastructure. Some are standalone programs while others are PowerShell cmdlets. One great thing about this toolkit is that most of the tools are bundled in a single download. Let’s see what the most interesting of these tools are.
The AD Query Tool allows you to read any attribute data that you require from Active Directory, such as a user object’s first name, last name, telephone number, address and so on. The utility can also help query Active Directory group and computer objects.
The CSV Generator Tool will generate a CSV file (who would have thought?) that contains a custom array of user-specified Active Directory attributes and their corresponding values. The resulting file can be used for bulk Active Directory management.
The Last Logon Finder is used to list the last logon time of all or selected users in all the selected domain controllers in the domain. It is typically used for audit and cleanup activities.
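The reason such a tool has to ask every domain controller is that the lastLogon attribute is updated only on the DC that handled the logon and is never replicated; the replicated lastLogonTimestamp is only refreshed every 9 to 14 days and is too coarse for a precise audit. The following is an added example, not part of the article or of the ManageEngine toolkit, that does the same job with the RSAT ActiveDirectory module: it queries every DC, keeps the newest lastLogon per account and flags accounts that have not logged on anywhere within an assumed 90-day threshold.

```powershell
# Added example (not from the article): true last logon across all DCs.
# Assumes the RSAT ActiveDirectory module and an account allowed to read user objects.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [int]$InactiveDays = 90,                                   # assumed cleanup threshold
        [string]$SearchBase = (Get-ADDomain).DistinguishedName     # whole domain by default
    )
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $latest = @{}   # sAMAccountName -> newest lastLogon seen on any DC (FILETIME, 0 = never)

    foreach ($dc in $dcs) {
        try {
            Get-ADUser -Server $dc -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties lastLogon |
                ForEach-Object {
                    $ll = [int64]$_.lastLogon   # $null on a DC that never saw this user log on -> 0
                    if (-not $latest.ContainsKey($_.SamAccountName) -or $ll -gt $latest[$_.SamAccountName]) {
                        $latest[$_.SamAccountName] = $ll
                    }
                }
        } catch {
            # An unreachable DC means its local lastLogon values are missing from the result,
            # so treat the report as incomplete rather than silently trusting it.
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
        }
    }

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $latest.GetEnumerator() | ForEach-Object {
        $when = if ($_.Value -gt 0) { [DateTime]::FromFileTime($_.Value) } else { $null }
        [pscustomobject]@{
            SamAccountName = $_.Key
            LastLogon      = $when
            Inactive       = ($null -eq $when) -or ($when -lt $cutoff)
        }
    } | Sort-Object LastLogon
}

# Usage: enabled accounts with no logon on any DC in the last 90 days, candidates for review.
Get-TrueLastLogon -InactiveDays 90 | Where-Object Inactive | Format-Table -AutoSize
```

A null LastLogon means no reachable DC has ever recorded an interactive or network logon for that account, which is worth a closer look before the account is disabled because service and machine accounts often fall into that category.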
The Terminal Session Manager is a PowerShell cmdlet you can use to identify and manage multiple terminal sessions in a domain from a single point. With it, terminal sessions for multiple users across a domain can be managed, disconnected or logged off.
The Active Directory Replication Manager enables administrators to force replication of data in a domain or the entire forest. It also allows replication of data between two domain controllers and it will list comprehensive reports on the last replication.
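A replication report like the one described above can also be produced with the built-in cmdlets, which is useful as an independent cross-check. The following added example, not part of the article or the ManageEngine toolkit, reads each domain controller’s inbound replication metadata and flags partners whose last successful replication is older than an assumed 24-hour threshold or whose last attempt returned a non-zero result.

```powershell
# Added example (not from the article): inbound replication health for every DC.
# Assumes the RSAT ActiveDirectory module; the 24-hour threshold is an assumption.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$MaxAgeHours = 24)
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        try {
            # One record per (partner, partition) pair that this DC pulls changes from.
            Get-ADReplicationPartnerMetadata -Target $dc -Scope Server | ForEach-Object {
                # Partner is the NTDS Settings DN: "CN=NTDS Settings,CN=<server>,CN=Servers,..."
                $partnerName = (($_.Partner -split ',')[1]) -replace '^CN=', ''
                [pscustomobject]@{
                    Server      = $dc
                    Partner     = $partnerName
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    LastResult  = $_.LastReplicationResult        # 0 = last attempt succeeded
                    Stale       = ($_.LastReplicationSuccess -lt $cutoff) -or ($_.LastReplicationResult -ne 0)
                }
            }
        } catch {
            Write-Warning "Could not read replication metadata from $dc : $($_.Exception.Message)"
        }
    }
}

# Usage: show only the links that need attention. A stale link means password changes,
# group membership changes and account disables have not reached that DC.
Get-ReplicationHealth -MaxAgeHours 24 | Where-Object Stale | Format-Table -AutoSize
```

The failure detail behind a non-zero LastResult is available from Get-ADReplicationFailure on the same target, and a one-off sync of a single object can be pushed with Sync-ADObject once the cause is fixed.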
The DMZ Port Analyzer lets administrators check the status of ports required by any third party application to work with Active Directory. It can be used to open appropriate ports on firewalls.
The Domain Controller Roles Reporter lists all the domain controllers and their respective roles in the Domain. It can help administrators identify any associated role of a domain controller.
The Local User Manager helps administrators manage user accounts within the domain. It provides information about local user accounts and also allows management of these accounts using a convenient user interface.
The Domain Controller Monitoring Tool is a simple tool which auto-discovers the domains and displays them. It will show various parameters of domain controllers such as CPU Utilization, Disk Utilization, and Memory Utilization. You can also view other parameters like Page Reads per second, Page Writes per second, File Reads, File Writes, etc.
The Password Policy Manager allows any user to retrieve and view the domain’s password policy. It also allows users with administrative rights to edit the domain password policy.
As its name implies, the Empty Password Users Report Tool is used to find the user accounts with password fields set to null, helping administrators to avoid any security-related issues.
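The two checks above (the domain password policy and the empty-password report) belong together: an account can only carry an empty password if its userAccountControl has the PASSWD_NOTREQD bit (0x20) set, and that bit also exempts the account from the policy’s minimum password length. The following added example, not part of the article or the ManageEngine toolkit, reports the effective password policies and then lists every account that carries the exemption, using the LDAP bitwise AND matching rule that Active Directory supports.

```powershell
# Added example (not from the article): password policy summary plus the accounts
# that are exempt from it. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordPolicyReport {
    # Domain-wide defaults plus any fine-grained policies (PSOs), which override them
    # for the groups or users they are applied to.
    $default = Get-ADDefaultDomainPasswordPolicy
    $psos    = @(Get-ADFineGrainedPasswordPolicy -Filter *)

    $policies = @(
        [pscustomobject]@{
            Name              = 'Default Domain Policy'
            MinPasswordLength = $default.MinPasswordLength
            ComplexityEnabled = $default.ComplexityEnabled
            MaxPasswordAge    = $default.MaxPasswordAge
            LockoutThreshold  = $default.LockoutThreshold   # 0 means no lockout at all
        }
    )
    foreach ($p in $psos) {
        $policies += [pscustomobject]@{
            Name              = $p.Name
            MinPasswordLength = $p.MinPasswordLength
            ComplexityEnabled = $p.ComplexityEnabled
            MaxPasswordAge    = $p.MaxPasswordAge
            LockoutThreshold  = $p.LockoutThreshold
        }
    }

    # userAccountControl bit 0x20 = PASSWD_NOTREQD. The matching rule OID 1.2.840.113556.1.4.803
    # is LDAP_MATCHING_RULE_BIT_AND, so this filter returns exactly the accounts with the bit set.
    $exempt = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' `
                         -Properties PasswordLastSet, whenCreated, Enabled |
              Select-Object SamAccountName, Enabled, PasswordLastSet, whenCreated, DistinguishedName

    [pscustomobject]@{
        Policies       = $policies
        ExemptAccounts = $exempt
    }
}

# Usage: print the policies, then the accounts that the policies do not apply to.
$report = Get-PasswordPolicyReport
$report.Policies | Format-Table -AutoSize
$report.ExemptAccounts | Format-Table -AutoSize
```

An exempt account is not necessarily empty-password, since the flag only removes the requirement; but every account that can have an empty password is in this list, so clearing the flag (Set-ADUser -PasswordNotRequired $false) and forcing a reset closes the gap without needing to test passwords.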
The Active Directory Duplicate Finder is a PowerShell utility that lets administrators identify duplicate entries for Active Directory attributes in a domain. Duplicate entries are conveniently listed, helping administrators ensure a duplicate-free Active Directory.
The DNS Reporter helps you obtain information related to your network’s DNS infrastructure. It can display the details of the available DNS records, their corresponding record types, IP addresses and the service details simply by entering a domain name.
The Service Accounts Management is designed to help you easily create, edit, and delete managed service accounts in just a few clicks. This tool requires no knowledge of PowerShell, the usual tool used to accomplish these tasks.
The Weak Password Users Report helps find weak passwords in Active Directory by comparing users’ passwords against a list of over 100,000 commonly used weak passwords. You can then force the users with weak passwords to change their passwords the next time they log on.
3. Enow Compass
Compass from ENow Software helps you identify hidden issues in your environment before it is compromised. It allows real-time network monitoring of your Active Directory and all domain controllers. Compass can ensure your Active Directory is healthy by monitoring DFS/FRS replication. It will also find DNS name resolution issues and help troubleshoot problematic applications to help you keep your AD running smoothly.
Compass has over 50 reports that include the audit of the Domain Admins group, the identification and removal of inactive user accounts, and the identification of FSMO roles. The tool is quick to install and easy to use. It features an intuitive, easy-to-use dashboard that helps identify issues early, before they become outages.
Detailed pricing information for Compass can be obtained by contacting Enow sales and a free 14-day trial can be obtained.
4. Anturis Active Directory Monitor
Half the work of managing Active Directory is to ensure all the services are running smoothly and this is exactly what the Active Directory Monitor from Anturis is all about. This tool can alert you to abnormal situations via email, SMS or voice call notifications. You can also use the Active Directory Monitor to establish performance baselines for your Active Directory servers and replication structure allowing you to recognize performance trends and help reduce the risk of bottlenecks before they have a negative impact on your AD performance.
The Active Directory Monitor will show you server and LDAP sessions and set alerting thresholds. It will also show you Kerberos and NTLM authentications per second, giving you an idea of the general server load. And with replication being one of the most important aspects of Active Directory, replication performance metrics such as replication status, DRA pending replication synchronizations and DRA pending replication operations are also monitored.
Active Directory Monitor is a cloud-based service and several subscription plans are available at prices ranging from $10/month for 10 monitors to $650/month for 1000 monitors. A free version is also available but it is limited to 5 monitors. However, all paid plans have a free 30-day trial.
5. Quest Active Administrator
Last on our list is the Quest Active Administrator. This is a complete and integrated Active Directory management software solution. It bridges the gaps that Microsoft’s tools leave behind. The tool makes it easier and faster to meet auditing requirements and security needs. It has features addressing many of the most important areas of AD management.
Among the tool’s main features, Active Administrator offers integrated, proactive administration. It also has intuitive reporting and alerting, letting you quickly monitor and report on changes by filtering event type, user, and date, as well as user login and lockout activity. You can also set event alerts and automate alert-based actions.
Pricing for Active Administrator is per enabled user account in your AD and starts at $16.37 for a perpetual license with one-year support. A minimum license for 20 user accounts must be purchased. A free 30-day trial version can be downloaded.