Navigate a challenging AD environment
I love submarine movies. They’re exciting and full of danger because the sub captains go full speed and drive completely blind – like I’ve had to do with some networks that I’ve been called in to work on. The big difference, of course, is that a movie is a movie … and the networks are not. When it comes to managing your Active Directory (AD) environment, you need to slow down and make sure that there’s a clear picture of where you’ve been and where you’re going. Blackbird Management Suite helps you know exactly what is going on so that you’re not accused of pulling a Crazy Ivan. Let’s take a look.
The installation takes place on a stand-alone server with a connection to either a separate Microsoft SQL Server computer or a local SQL Server Express database. A quick start guide walks you through configuring the services, connecting to Active Directory, and setting up the database. My biggest challenge by far was getting the setup routine to recognize the SQL Express database. But this issue was more about how Microsoft now completely locks down SQL Server than about any problems in the application. As soon as you have the database working (and talking) correctly, the installation process is a breeze.
After you’ve installed the Blackbird server, the Blackbird console is installed. Then, you install any additional packages that you purchased, such as Auditor for AD, Privilege Manager, Recovery Manager, or Protector. Lastly, it’s important to remember that each domain controller (DC) needs to have a data handler installed. This is done in the Management Suite. This would be a simple process if the data handler installation routine were in the .msi format; a simple Group Policy object (GPO) linked to the domain controller would then ensure that any new domain controller that was added would always have Blackbird support. Unfortunately, the software is in the .exe format, so you have to remember to deploy the data handler to each DC that you add.
Blackbird Management Suite can perform a number of functions for Active Directory, including recovery, auditing, protection from unwanted changes, and change management with workflow. I spent some time in each of these modules and enjoyed the easy-to-understand interface as I worked to grasp the power of this suite of applications.
After I used the quick guide to set up the suite, it led me through setting up my first collector. A collector is simply a way to selectively back up the domain. While it may be desirable in a small company to back up the entire domain, an administrator of a large Active Directory domain that spans multiple continents may want to compartmentalize the backups. Creating a collector is as simple as a few clicks. However, I think it could be even easier. The quick guide instructs you to "click the browse button” to select the OU or container that you want to back up. Instead, I found that you must manually enter the full path yourself (for example, CN=Users,DC=itpro,DC=local). Regardless, to use a collector backup to restore a deleted object in Active Directory, simply right-click an object in the domain, click Rollback, and then select the backup that you want to use.
Of course, unexpected or unauthorized changes shouldn’t occur in the first place, and that’s where the Active Directory Rules feature comes into the picture. With this feature, you can intervene when an object is created, modified, deleted, moved, or renamed. When one of these actions occurs, Blackbird can force the user to conform to a specific naming standard, prevent the action from occurring in the first place, submit the action for approval, send an email message, or run a script that you wrote. For example, perhaps you want to be alerted when a new user object is created. Or, maybe you want to approve all SMTP email address changes before they are implemented. I used Active Directory Rules to create quite a few rules, and I was impressed with the range and flexibility of this feature.
At the end of the day, you probably need a quick and dirty report on what is going on within your Active Directory domain. Blackbird provides an audit trail so complete that a rogue administrator would be hard-pressed to execute his dastardly scheme. I counted no fewer than 43 built-in audit reports, not including the 18 pre-configured FISMA/HIPPA/PCI/SOX reports. If the reports that are included here don't fit your particular need, you can easily create your own … or modify an existing report.
In addition to the Blackbird console, the application is tightly integrated with Active Directory Users and Computers. By simply right-clicking an object, you can quickly roll back a change, show a complete audit trail, or display account activity. Figure 1 shows the simple Blackbird interface and the tight integration with Active Directory Users and Computers. Selecting “Show account activity” generates a screen that displays a history of exactly what the account has been doing: creating users, moving objects to other OUs, deleting computers, modifying object attributes, you name it. With this feature, you’ll never again have to hear that lame “I didn’t do it” refrain.
Figure 1: Blackbird's integration with Active Directory Users and Computers
There are two other available Blackbird modules that we did not test. (These modules were still in beta at the time of this writing.) These are Auditor for File Systems and Privilege Explorer. These two products should be available by the time you read this.
Blackbird is easy to set up and easy to use. There are a few aspects that could use some tweaking (adding a browse button to point to OUs instead of requiring the user to manually type the OU path, for example). But overall, I found the product fun to use. The Activity report should be built in to Windows Server by default and is something that every company should have. It makes finding out who did what as easy as the right- click of a mouse. If you need some additional control around your Windows domain, add Blackbird to your list of products to evaluate.
Blackbird Management Suite
Pros: Easy to set up; easy to use. Simple navigation with an intuitive interface.
Cons: Some settings need a manual entry, and the interface appears to be missing a “browse” button. Can be confusing in terms of which module is required for your needs.
Rating: 4.5 diamonds out of 5.
Price: All four modules as a bundle: $14.40/user. Individual pricing and volume discounts available.
Contact: 866.224.8330 • www.blackbird-group.com