Use Operations Management Suite for Active Directory assessment


Summary: Ed Wilson talks about using MS OMS to perform an Active Directory assessment.

Good morning everyone. Ed Wilson here. It seems that everyone always wants to do some sort of assessment for Active Directory. Whether it is in the cloud or on premises, everyone needs some kind of assessment. It may be because it is complicated, it may be because it is vital to a business and to many applications, or it may be because it is often set up and forgotten…because everyone knows the squeaky app gets the attention. Active Directory is very robust. It can stand a lot of misconfiguration and still function. And yet, when we get down to it, we want to know what is going on.

This need for assessment has existed since Active Directory first hit the scene in Windows 2000. Yeah, it has been a long time. In the past, it meant writing pretty complex VBScript scripts, and later running some rather obscure applications, and still later writing some pretty cool Windows PowerShell code, then more obscure applications, and so on. This need is so great that one of the most popular offerings in Microsoft Premier services is the Active Directory RAP. You got it! An Active Directory assessment.

OMS assessments

When I have Microsoft Operations Management Suite (MS OMS), I also have access to a number of assessments that I can plug in. All I need to do is go to the Solutions Gallery from within my console, and I can add the following assessments:

  • Active Directory assessment
  • Configuration assessment
  • SQL assessment
  • System update assessment

That is right, there is an Active Directory assessment. When I select it from my overview pane, I gain access to reports such as:

  • Security and Compliance
  • Availability and Business Continuity
  • Performance and Scalability
  • Upgrade, Migration, and Deployment

Image of menu

As shown in the following image, the Security and Compliance assessment has a high priority recommendation (shown in red). I can also see that the weight is 10 for the first recommendation in the prioritized list:

Image of menu

When I look at this, I see that for some reason the password policy permits blank passwords. I can see that this would indeed be a very important issue.

Could I have found this with Windows PowerShell? Sure, and it is pretty easy. But what if I have multiple domains, or even multiple forests? And what if multiple issues are found? How do I go about ranking them? In addition, there are other issues reported that are related to passwords. Again, this is easy enough to get with Windows PowerShell, but it is harder to produce an easy-to-read report with specific recommendations.
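To show what the do-it-yourself version involves, here is an added example (not from the original post and not how OMS scores anything) that checks the default domain password policy of each domain and ranks what it finds. The function name, the weights, and the sample domains are assumptions made up for illustration; the commented-out lines show how to feed it live data for one forest with the ActiveDirectory module.

```powershell
# Added example. Weights are illustrative assumptions, not the scores OMS assigns.
function Get-PasswordPolicyFinding {
    [CmdletBinding()]
    param(
        # Needs: Domain, MinPasswordLength, ComplexityEnabled,
        #        ReversibleEncryptionEnabled, LockoutThreshold
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    begin {
        $checks = @(
            @{ Weight = 10; Issue = 'Blank passwords permitted (MinPasswordLength = 0)'; Test = { $_.MinPasswordLength -eq 0 } }
            @{ Weight = 8;  Issue = 'Reversible encryption enabled';                     Test = { $_.ReversibleEncryptionEnabled } }
            @{ Weight = 6;  Issue = 'Password complexity not enforced';                  Test = { -not $_.ComplexityEnabled } }
            @{ Weight = 4;  Issue = 'No account lockout threshold';                      Test = { $_.LockoutThreshold -eq 0 } }
        )
    }
    process {
        foreach ($check in $checks) {
            # Emit one finding per failed check, tagged with the domain it came from.
            if ($Policy | Where-Object -FilterScript $check.Test) {
                [pscustomobject]@{
                    Weight = $check.Weight
                    Domain = $Policy.Domain
                    Issue  = $check.Issue
                }
            }
        }
    }
}

# Constructed sample policies so the example runs without a domain controller.
$policies = @(
    [pscustomobject]@{ Domain = 'corp.example';      MinPasswordLength = 0; ComplexityEnabled = $false; ReversibleEncryptionEnabled = $false; LockoutThreshold = 0 }
    [pscustomobject]@{ Domain = 'emea.corp.example'; MinPasswordLength = 8; ComplexityEnabled = $true;  ReversibleEncryptionEnabled = $true;  LockoutThreshold = 5 }
)

# Live data for every domain in the current forest (requires the ActiveDirectory module):
# $policies = foreach ($d in (Get-ADForest).Domains) {
#     Get-ADDefaultDomainPasswordPolicy -Identity $d -Server $d |
#         Select-Object @{ n = 'Domain'; e = { $d } }, MinPasswordLength,
#             ComplexityEnabled, ReversibleEncryptionEnabled, LockoutThreshold
# }

# Highest-weight findings first, grouped by domain within each weight.
$policies | Get-PasswordPolicyFinding |
    Sort-Object @{ Expression = 'Weight'; Descending = $true }, Domain |
    Format-Table -AutoSize
```

Even this small version has to be repeated per forest, and it says nothing about which objects are affected or how to fix them.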

When I select the Active Directory Focus area by clicking my graph, I can begin to see the power of OMS. I have a priority list and specific recommendations for each one. It also tells which objects in Active Directory are affected, and it has links to additional guidance and information:

Image of menu

Business continuity

The next area that I find red showing is Availability and Business Continuity. Under it, I see that there are two high-priority recommendations:

  • Ensure that directory partitions are backed up.
  • Investigate missing inbound replication links.

Cool. The site also shows me that one of my time servers is incorrectly configured on the PDC emulator. When I click that link, it tells me which server is not correct and the commands I need to run:

Image of menu

Performance

The third area is Performance and Scalability. I see that one issue has been detected. It is classified as low priority, but has to do with a very large working set on one of my servers:

Image of menu

The last area tells me that I have an instance of a Windows Server role that is running in an unsupported configuration. Hmmm, I also might want to learn more about that.

As you can see, the information available from the Active Directory assessment in MS OMS is very useful, comprehensive, and easy to use.

That is all I have for you today. Join me tomorrow when I’ll continue my overview of the MS OMS solutions.

I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.

Ed Wilson
Microsoft Operations Management Team

Comments (9)

  1. Mark says:

    Hi Ed, Great series, looking forward to more information about OMS. If you’ve seen a lot of AD health check requests lately I can tell you that with the move to O365, assessing the AD infrastructure is paramount to success. I’ve used the AD Rap tool and was very happy to see this blog as an additional method for clients without access to the MS premier tools. Keep up the good work!

    1. IamMred says:

      Hi Mark. I am glad you like the new MSOMS blog. That is a good point about needing to do an AD assessment prior to an O365 migration. A real good point. Yeah, the AD Rap tool is awesome, but as you say it is a MS Premier tool. Thanks for writing.

  2. Hardeep Bains says:

    Hi Ed,

    Great article. I love the AD assessment feature but don’t know how to rerun it. It is still showing data from days ago, some of it that has been corrected. Can you advise how I can re-run the AD assessment please?

    Thanks

    Hardeep

    1. @Hardeep, the AD Assessment runs every 7 days. There is no changing the interval as it stands right now. That is likely why you are still seeing data from a few days ago.

      1. Morne says:

        I understand that the assessment runs every 7 days; however, I have recommendations that are now a month old. Is there a way to force the assessment?

  3. Vimal says:

    Hi Ed,

    How is this OMS AD assessment different from the ADRAP service done by PFE? Can you give more details about ADRAP by PFE on premises? What kind of reports does it generate, etc.?

    Thanks

  4. Vimal says:

    Hi Ed,

    How is RADT different from the OMS AD assessment in the features comparison?

  5. Derrick Kassen says:

    Hi Ed,

    Just started using OMS – trial version.
    I’ve installed the agent on my DCs and Exchange server, but the AD assessment is not populating. Is there something else I need to do? Or open certain ports on the firewall?

    1. Kent Ejdersand says:

      Hi,
      Same problem as Derrick, “no data found”, did you find a solution?
      Best regards.
      –Kent
