Summary: Ed Wilson talks about using MS OMS to perform an Active Directory assessment.
Good morning everyone. Ed Wilson here. It seems that everyone always wants to do some sort of assessment for Active Directory. Whether it is in the cloud or on premises, everyone needs some kind of assessment. It may be because it is complicated, it may be because it vital to a business and to many applications, or it may be because it is often set up and forgotten…because everyone knows the squeaky app gets the attention. Active Directory is very robust. It can stand a lot of misconfiguration and still function. And yet, when we get down to it, we want to know what is going on.
This need for assessment has existed since Active Directory first hit the scene in Windows 2000. Yeah, it has been a long time. In the past, it meant writing pretty complex VBScript scripts, and later running some rather obscure applications, and still later writing some pretty cool Windows PowerShell code, then more obscure applications, and so on. This need is so great that one of the most popular offerings in Microsoft Premier services is the Active DirectoryRAP. You got it! An Active Directory assessment.
When I have Microsoft Operations Management Suite (MS OMS), I also have access to a number of assessments that I can plug in. All I need to do is go to the Solutions Gallery from within my console, and I can add the following assessments:
- Active Directory assessment
- Configuration assessment
- SQL assessment
- System update assessment
That is right, there is an Active Directory assessment. When I select it from my overview pane, I gain access to reports such as:
- Security and Compliance
- Availability and Business Continuity
- Performance and Scalability
- Upgrade, Migration, and Deployment
As shown in the following image, the Security and Compliance assessment has a high priority recommendation (shown in red). I can also see that the weight is 10 for the first recommendation in the prioritized list:
When I look at this, I see that for some reason the password policy permits blank passwords. I can see that this would indeed be a very important issue.
Could I have found this with Windows PowerShell? Sure, and it is pretty easy. But what if I have multiple domains, or even multiple forests. And what if multiple issues are found? How do I go about ranking them? In addition, there are other issues reported that are related to passwords. Again, this is easy enough to get with Windows PowerShell, but it is harder to produce an easy-to-read report with specific recommendations.
When I select the Active Directory Focus area by clicking my graph, I can begin to see the power of OMS. I have a priority list and specific recommendations for each one. It also tells which objects in Active Directory are affected, and it has links to additional guidance and information:
The next area that I find red showing is Availability and Business Continuity. Under it, I see that there are two high-priority recommendations:
- Ensure that directory partitions are backed up.
- Investigate missing inbound replication links.
Cool. The site also shows me that one of my time servers is incorrectly configured on the PDC emulator. When I click that link, it tells me which server is not correct and the commands I need to run:
The third area is Performance and Scalability. I see that one issue has been detected. It is classified as low priority, but has to do with a very large working set on one of my servers:
The last area tells me that I have an instance of a Windows Server role that is running in an unsupported configuration. Hmmm, I also might want to learn more about that.
As you can see, the information available from the Active Directory assessment in MS OMS is very useful, comprehensive, and easy-to-use.
That is all I have for you today. Join me tomorrow when I’ll continue my overview of the MS OMS solutions.
I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at firstname.lastname@example.org. I wish you a wonderful day, and I’ll see you tomorrow.
Microsoft Operations Management Team