Today, Active Directory is still the cornerstone of most networking infrastructure environments. In Hybrid Identity environments, where on-premises Active Directory is coupled with Azure AD, the reliance on Active Directory is enormous. In these environments, the answers to the question ‘What if something would happen to Active Directory?’ range from ‘Everything goes down’ to ‘Game over due to a security breach’.
The latest numbers indicate that 80% of successful attacks leverage the organization’s identity platform, including the way people use their credentials for other services that are not company-owned. It shouldn’t come as a surprise that some malware will check if the device on which it runs is domain-joined. If it’s not, the payload isn’t delivered.
Due to today’s security climate and the fact that Active Directory is a central target since it is connected to so many line-of-business applications, it is paramount that it is monitored and managed well. There are so many problems in today’s IT environments that can be Active Directory related. For example, it is not uncommon to see an object reside on one Domain Controller but not on other Domain Controllers (a so-called ‘lingering object’). This situation could have devastating effects on the way people perform their work in your organization. It is also not uncommon to see business applications suffer from poor performance due to long-running LDAP queries. These situations can be resolved if you know how to build an index, but only a handful of people know how to troubleshoot and resolve these situations well. Complaints of excruciatingly slow Start Menus can be attributed to DNS and – in most environments – Active Directory Domain Controllers.
Yet, there are not a lot of organizations that manage Active Directory well. Sure, Active Directory admins know about following best practice naming conventions, changing passwords regularly and applying Windows Updates to Domain Controllers in the week following Patch Tuesday. Those practices are important, but more is needed to ensure that your Active Directory remains secure and healthy. It is very important to include checking the integrity of the Active Directory database regularly, identifying empty groups and removing them safely, and monitoring NTLM traffic to minimize the use of this archaic authentication protocol. These activities were not outlined in the Windows Server 2016 MCSE courses (the latest available on Active Directory). Heck, those courses talked about Active Directory only in terms of three A’s: authentication, authorization and auditing. They didn’t even cover the 4th A for administration.
I’ve managed Active Directory most of my career and have been writing about it since 2006. Granted, most tasks are tedious and time-consuming when using the built-in tools. To avoid getting bogged down, Active Directory admins need a specific tool.
What is the best Active Directory monitoring tool?
When asked, ‘what is the best Active Directory monitoring tool’, I feel ENow’s Active Directory Monitoring Tool (formerly known as Compass) offers the best feature set to help you monitor and manage Active Directory proactively.
About ENow’s Active Directory Monitoring & Reporting
ENow’s Active Directory Monitoring Tool helps in two key ways:
- Monitoring
ENow’s solution offers help with monitoring the core and critical components of Active Directory and its Domain Controllers. This way, it provides information on what’s going on with the Domain Controllers and helps track down root causes of problems with Active Directory’s integrity, availability and/or confidentiality. The coverage is expansive and includes netlogon, replication, name resolution and expensive LDAP queries to name a few areas that are monitored. If you’ve never experienced an AD outage, be glad. If you have, you’ll know why having in-depth monitoring is important.
- Reporting
ENow’s solution also includes a powerful reporting component that offers over 50 useful reports that will help you ensure your Active Directory remains secure and healthy. These reports provide information on all the key Active Directory objects and their behavior. In fact, the new UI controls that were just introduced make it easy to sort and work with the data presented so you can correct items that are surfaced.
Active Directory Monitoring and Domain Controller Monitoring
ENow’s marketing materials focus on the Active Directory monitoring part, but under the hood, its Domain Controller monitoring functionality is what sets the solution apart from its competitors.
Domain Controller Monitoring is an important area to assess the health of Active Directory. I firmly believe that you can only get Active Directory Monitoring right if you do Domain Controller Monitoring, too. ENow has spent years developing, fine-tuning, and perfecting the Domain Controller Monitoring features in their product, right next to its Active Directory Monitoring features.
Visual Approach to Monitoring
ENow’s tool provides its monitoring via a dashboard that employs a traffic light system where critical errors are red and warning events are yellow. My dashboard is all green:
At first glance the dashboard may look old-fashioned, but when you understand the reasoning behind the design and use the tool, you will quickly see why it is so impactful and reduces the time it takes to troubleshoot your Active Directory. ENow's visual approach to monitoring has been battle-tested in the real world for over 12 years. Everything monitored in the dashboard was intentionally designed by Active Directory MVPs in a fashion that helps you be proactive and quickly identify what is broken and what needs to be fixed. When everything is working well, the dashboard will remain green and not draw attention to itself. When something goes wrong, then the power of their approach really shines through because critical errors will light up a red indicator. A lot of time and thought was put into the design and layout and it does an excellent job of helping you understand what is causing the issue.
The reporting comes in different shapes and styles. It’s unlikely that the same 85-inch screens adorning most NOCs and system administrator co-work spaces are used to go through the reports. For those large screens, the monitoring dashboard in full screen mode (press F12) is ideal. Reporting is a task typically performed on a workstation. In ENow Active Directory Monitoring & Reporting v7.16, the built-in reports have all been revamped to reflect that:
As you can see in the above screenshot, the columns can now be selected, filtered on, sorted by and, importantly, exported – making the reports easier to work with.
Information on a need-to-know basis
The dashboards themselves are granular. There is an entire delegation model beneath them that allows the dashboards to show the right Active Directory information to every group within your organization. The built-in roles for Administrator, Help Desk, Manager, CIO, and NOC offer specific dashboards and reports to accommodate their needs, but these roles can be edited. New roles can be defined too. Not everyone needs all the information that all the reports (and dashboards) offer:
You can hide certain reports for specific roles, but you could also create a dashboard for first day admins and assign it to them to get them up to speed fast in your environment. If you work with consultants, you can specify a specific dashboard that alerts on the areas that are impacted by their activities. This flexibility and versatility adds to the power of the dashboards and reports.
The way I use ENow Active Directory Monitoring & Reporting
I am a proud user of ENow’s Active Directory Monitoring Tool. It allows me to manage Active Directory better than I could with Microsoft’s built-in and remote administration tools. When there’s something wrong with Active Directory, the blinking red indicators in the dashboard allow me to quickly drill down into what’s wrong (it’s usually DNS…).
My top three reports are:
Domain Controller Authentication Activity
This report provides an overview of all the authentication requests handled by the Domain Controllers. The requests are broken down into the various authentication protocols offered, allowing me to keep tabs on the usage of out-of-date protocols:
Users expiring in the next 14 days
If your HR department is not aligned with the IT processes, you’ll love this report as much as I do. Temporary people in my organization have their user accounts configured with expiration for the end of their contract. Sometimes, it takes the manager and HR too long to get the change to us to extend the account. This report allows me to forecast potential trouble and expedite some changes:
Unlinked Group Policy Objects
Getting rid of the garbage is one of the most important tasks an administrator has. Yet, it’s the hardest thing to do in Active Directory. This report helps me identify Group Policy Objects (GPOs) that have no link and can be removed without consequences. It’s a monthly job that took 1 hour and now only takes me 2 minutes…
The Best Active Directory Monitoring tool?
When comparing competitors to what ENow’s Active Directory Monitoring Tool does, a parallel comes to mind with Microsoft System Center. You could do everything Microsoft’s System Center suite offered back in 2015 manually, but this product makes your life as an Admin so much easier.
I feel the biggest competitor to ENow, currently, is Azure AD Connect Health for AD DS. This cloud service that is bundled with Azure AD Premium licenses offers notifications and some of the reports that ENow offers. ENow’s Active Directory Monitoring Tool, however, offers so much more.
When reading this review you might think that I feel that ENow is the perfect tool to help you manage Active Directory and Domain Controllers. I feel it’s a great tool, but it’s not a perfect tool.
The Domain Controller Monitoring part lacks checks on registry values, drivers and firmware. Without this information, a colleague admin or consultant might still introduce a situation that hurts Active Directory in the long term (for instance, with the KrbtgtFullPacSignature registry value) or with a vulnerable version of the VMware Tools. I’m working with ENow to get this functionality in the product.
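Until a monitoring product covers this, the registry check can be scripted. The following is an added example, not code from ENow or from this review; it assumes the value lives under the KDC service key shown in the script, that the ActiveDirectory module is installed, and that PowerShell remoting to the Domain Controllers is enabled:

```powershell
# Added example: report the KrbtgtFullPacSignature registry value on every
# Domain Controller and warn when the Domain Controllers disagree.
# Assumption: the value is stored under the KDC service key below.
Import-Module ActiveDirectory

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'KrbtgtFullPacSignature'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Read the value remotely; a missing value is reported as 'not set'
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($key, $name)
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $item.$name } else { 'not set' }
        } -ArgumentList $kdcKey, $valueName
        $status = 'ok'
    }
    catch {
        # Keep unreachable Domain Controllers in the report instead of skipping them
        $value  = $null
        $status = "unreachable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        Value            = $value
        Status           = $status
    }
}

$results | Sort-Object DomainController | Format-Table -AutoSize

# A value that differs between Domain Controllers usually means someone
# changed it by hand on one of them.
$distinct = @($results | Where-Object Status -eq 'ok' |
    Select-Object -ExpandProperty Value -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "$valueName differs between Domain Controllers: $($distinct -join ', ')"
}
```

Run it on a schedule and keep the output, so a manual change on a single Domain Controller shows up as drift between runs.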
There are many Active Directory Monitoring solutions, but ENow’s Active Directory Monitoring Tool is special because it was designed by engineers who have had experience managing Active Directory and it makes Active Directory admins’ job easier. I highly recommend it.