I’ve put together a list of great tools you can use to manage Active Directory and to also monitor the health of AD.
1.) Active Directory Replication Status Tool
Microsoft have a free tool that you can use to monitor the health state of your replication between domain controllers in a domain or forest
Features of the tool are:
- Will show you any errors found with your replication in a domain or forest
- Prioritize the errors that you need to resolve first in order not to create any lingering objects in your Active Directory forest
- Within the tool are direct links to Microsoft to troubleshoot what specific errors relate to, which will help during the troubleshooting stage
- Export the results so you can analyse the results offline
2.) DCDiag Active Directory Command Line Tool
DCDiag is a great tool that comes built into Active Directory as part of the built in command line tools. DCDiag will analyse your domain controllers for any errors and give a report on any errors or mis configurations.
A list of what DCDiag will check are as follows:
To run a through report on your domain controller, i like to run the following command line:
DCDIAG /V /C /D /E > C:\dcdiaglog.txt
This will export the results to a txt file on your C:\ drive for you to review
3.) Repadmin Active Directory Command Line
Repadmin is another command line built into Active Directory. You run it to check the replication consistency been replication partners (domain controllers). Monitor replication status, display application metadata, you can force replication between domain controllers and knowledge consistency checker recalculation.
The most common commands are:
Repadmin /replsum – This will show you the replication details with largest delta replication. Here you can see if there have been any failures and locate with domain controller isn’t replicating. Most of the time its a firewall issue or network issue if you have an unreachable domain controller.
4.) Best Practice Analyzer Tool
Within Server Manager if you click on Roles / Active Directory and on the main window scrowl down to best practices analyzer press scan this role and it will perform a scan of your AD and display any non compliant alerts
5.) Solarwinds Free Active Directory Tools Bundle
Solarwinds are known for their products of monitoring solutions for your entire infrastructure (Network, Databases, AD, Exchange, Vmware, Hyper-v, Security, etc). They also have a set of free tools that you can download for Active Directory administration.
The free tools can be used for:
- Inactive user account removal. Allows you to scan for user accounts that haven’t been used for a certain amount of time and delete them
- Inactive computer account removal. Allows you to scan for computer objects that haven’t been used for a certain amount of time and delete them
- User import tool. Allows you to save time and bulk import users via csv and allowing you to specify certain user attributes (e.g department, job title, manager, email address, etc)
6.) ManageEngine Tools – ADManager Plus Active Directory Tools
ManageEngine have a suite of free tools you can download to help with the administration of AD. A list of the tools that are available to download are:
- AD Query Tool: A search tool to query AD via LDAP queries within a single interface. It allows you to get any attribute data that you require from active directory. It also allows you to query groups and computer objects
- CSV Generator: This tool allows you to generate a CSV that contains a list of different attributes from your objects in Active Directory. Its a great bulk AD management tool, if you need to export the attributes of alot of users from AD
- Last Logon Reporter: This is an auditing tool that will allow you to find out the last logon time for your users within the domain.
- Terminal Session Manager: This is a powershell cmdlet that allows you to manage multiple terminal sessions in a domain. You can disconnect or log off users all from a single console
- Active Directory Replication Management Tool: This tool allows you to force a replication between your domain controllers within a domain or forest.
- Domain and Domain Controllers Roles Reporter: This will allow you to find out what roles your domain controllers have (FSMO)
- Windows local Users Management Tool: A utility to manage local user accounts and groups on computers in a domain.
- Domain Controller Monitoring: A useful peace of freeware that will display details about your DCs – CPU utilization, disk utilization, and memory utilization, page reads per second, page writers per second, file reads, file writes.
- Empty Passwords Users Reporting Tool: Find out which user accounts have empty passwords with the PASSWD_NOTREQD property flag set. This helps find account that are susceptible to attacks if they have no password or password set to null
- Duplicate Finder: Useful for administrators to find duplicate entries for active directory attributes within your domain.
- Password Expiry Reminder: Let users know via email or SMS that their domain password is about to expire. Great way to let users know who aren’t regularly connected to the network like OWA or VPN users. Will help reduce the amount of help desk calls requesting to change password due to lockouts.
7.) Active Directory Explorer
AD Explorer is an advanced editor that allows you to view object properties, attributes, objects schema, change permissions, OUs, locations, do advanced searches all in one interface. You can also take snapshots of the database for offline viewing.
8.) Netwrix Free AD Tools
Netwrix have a suite of free tools that you can download. The ones for active directory are the following:
- Netwrix Change Notifier For Active Directory: An auditing tool that tracks changes to AD users, group memberships, OUs, permissions. It will provide insight into changes in your AD environment.
- Netwrix Account Lockout Examiner: Get alerted when an account is locked out and troubleshoot what is causing accounts to be locked out. It will analyze the cause of the account being locked out via the console.