Tuesday, June 21, 2011

Find out who and what applications are hogging your Active Directory resources

Do you ever feel like your Active Directory is slow to authenticate or that your domain controllers are working harder than they really should be? Do you feel like users or applications are not being efficient in their use of your AD domain controllers? Quest ChangeAuditor can help you prove it. ChangeAuditor for LDAP tracks queries to your Active Directory environment, and then translates raw data into meaningful intelligent data to keep your infrastructure efficient and it also provides detailed analysis. It analyzes all LDAP queries against your domain controllers to tell you in simple terms of “Who, What, When, Where and originating Workstation," saving you the time you once spent digging for more details.

A couple of examples to illustrate how and when you can use ChangeAuditor for LDAP to get answers to the questions about your Active Directory:

1. Improve in-house and COTS use of Active Directory:
A logistic company noticed that over time their AD logon process slowed down to the point where it was a problem for users. Other than buying new hardware or re-architecting their AD, they wanted to know if there were applications or users that were taking up more resources than are reasonable for day to day business use. Using CA for LDAP – they were able to identify some internal applications that were querying AD for a large number of objects over and over. They were able to refine the queries to gather only the attributes they required, on an as needed basis, and the resource utilization was brought back in line – improving their overall user AD responsiveness without any hardware or AD design changes.

2. Don’t migrate before you know who is using your AD and how:
During a migration, an internal application was hard-coded to attach to a specific domain controller – but the users and administrators didn’t realize this until the domain controller was shut down. This broke a critical application. If they knew ahead of time that there was an application that was hard-coded, they would have updated the application before the migration, rather than having to restore an old domain controller and maintain 2 directories until the application was updated

How does it look? Here’s an example screen shot:


You can immediately see the container the application is querying, the scope of the query, the number of results, how many times (occurrences) the query has been made in the last few minutes – and the actual query they are making. All information you can use to see who’s using your directory resources.

Save yourself the headache of finding out the hard way that someone or something is not being a good “directory citizen” or abusing their access to Active Directory. Querying over and over, scoping queries that retrieve way too much information, or even hard-coded queries that go against specific domain controllers – all of which can be problematic to your directory. You can even see if someone is NOT using secure and signed queries. Quest ChangeAuditor for LDAP provides you with a proactive solution to problems you may not know you’re already having.

No comments: