Active Directory forests & domains

Active Directory is the key element in authentication methods for users in Microsoft systems. It also manages the validation of computers and devices connected to a network and can also be deployed as part of a file permissions system.

Microsoft increasingly relies on the Active Directory system to provide user account management for a range of its products. For example, AD is at the heart of the user authentication methodology for Exchange Server.

Here is our list of the five best tools for managing Active Directory forests and domains:

  1. SolarWinds Access Rights Manager EDITOR’S CHOICE This tool unifies access rights supervision and management across the enterprise. It provides a single access point for multiple AD implementations for Windows, SharePoint, Exchange Server, and Windows File Share. Get a 30-day free trial.
  2. SolarWinds Admin Bundle for Active Directory (FREE TOOL) Three free tools to help you manage access rights in AD.
  3. ManageEngine ADManager Plus (FREE TRIAL) An attractive front end to Active Directory that will manage permissions to Office 365, G-Suite, Exchange, and Skype, as well as standard Windows utility access rights.
  4. Paessler Active Directory Monitoring with PRTG (FREE TRIAL) A three-in-one system monitoring tool that covers networks, servers, and applications. Includes an AD monitor to manage AD replication.
  5. Datadog Infrastructure This SaaS package of system monitors watches over all of the components of your IT operations that lie between user-facing applications and the network. This includes Active Directory monitoring.

Domains, trees, and forests

The concept of a domain is commonly understood by the networking community. A website is a domain and is identified on the World Wide Web by a domain name. Another use of the term lies in addressing on a network where all computers are within the same address space, or ‘scope’.

In Active Directory terminology, a domain is the area of a network covered by one single authentication database. The store of that database is called a domain controller.

Several domains can be linked together in a tree structure. So, you can have a parent domain with child domains linked to it. The child domains inherit the address space of the parent, so the child is a subdomain. The top of the tree structure is the root domain. The whole group of parents and child relationship forms the tree. A child to one domain can also be the parent to other domains.

So, think of a group of domains that share the same root domain address as a tree. Once you can see the trees, you can work out what the forest is: it is a collection of trees.

Distribution and replication

The concept of a forest is complicated slightly by the fact that it is a collection of unique trees. On large networks, it is a common practice to replicate the domain controller and have several copies on different servers around the system — this speeds up access.

If you operate a multi-site WAN you want to have a common network access system for the whole organization. The location of the domain controller can have a serious impact on performance, with users at remote locations having to wait longer in order to log into the network. Having copies of the domain controller locally gets around this problem.

When you have several copies of the same domain controller in different locations, you don’t have a forest.

The central administration module of Active Directory needs to coordinate all of the copies to make sure all of the databases are exactly the same. This requires a process of replication. Although the Active Directory permissions database is distributed around the network, it is not what is officially regarded as a ‘distributed database.’ In a distributed database, the collection of records is split between several servers. So, you would need to visit each server in order to gather the full database. This is not the case with Active Directory because each server (domain controller) has an exact and complete copy of the database.

Benefits of replication

A replicated domain controller has several additional benefits for security. If one domain controller gets damaged accidentally, you can replace all of the original records by copying over the database from another site. If a hacker gets hold of credentials from one of the users on a network, he may try to alter the permissions held in the local domain controller to get high privileges, or wider access to resources on the network. Those changes can be rolled back once spotted.

The constant comparison on domain controller databases provides a key security measure. The replication process can also help you shut down a compromised account all across the system. However, the restoration of an original database and the roll out of updated records requires very regular system sweeps and integrity checks in order to be effective.

The management of replication is a key task for network managers operating Active Directory. The fact that there can be many local domain controllers can give intruders an opportunity to sneak around a segment of the network and steal or alter data before being detected and locked out. The coordination between copies of domain controllers can soon become a very complicated and time-consuming task. It cannot be carried out manually within a reasonable timeframe. You need to use automated methods to keep frequent checks on all domain controllers and to update all servers when a change is made to the permissions that they contain.

Defining a forest

In order to have a forest, you need to have several domain trees. This scenario could exist if you want to have different permissions for different areas of your network. So, you might have a separate domain per site, or you might want to keep the permissions for certain resources or services on your network completely separate from the regular network authentication system. So, domains can overlap geographically.

Your company network may contain many domain controllers and some of them will all contain the same database, while others contain different permissions.

Imagine your company runs services for users on its own network and wants to keep those permissions separate from the resources accessed by staff. It would create two separate domains. If you also run Exchange Server for your company email system, you will have another AD domain.

Although the staff email system will probably have the same domain name as the website, you do not HAVE to keep all domains with the same domain root in the same tree. So, the email system can have a single-domain tree and the user network can have a separate single-domain tree. So, in this scenario, you are dealing with three separate domains, which make a forest.

The Exchange domain may well have just one domain controller, because the actual server for the email system is only resident in one location, and so only needs to access one authentication database. The user domain might only need to be in one location – on the gateway server. However, you could implement an instance of your staff domain controller for each of your company’s sites. So, you may have seven domain controllers, five for the staff domain, one for the user domain, and one for the email domain.

You might want to divide up the internal network into subsections by office function, so you would have an accounts section and a sales section with no interoperability. These would be two child domains of the parent staff domain, forming a tree.

One reason to keep the staff network separate from the user network is for security. The need for privacy on the internal system may even extend to creating a separate domain name for that staff network, which does not need to be made known to the general public. This move forces the creation of a separate tree because you cannot have different domain names included in one tree. Although the email system and the user access system only have one domain each, they also each represent a tree. Similarly, if you decided to create a new website with a different domain name, this could not be merged into the administration of the first site because it has a different domain name.

Splitting up the staff domain to create child domains requires more domain controllers. Rather than just one domain controller per site for the staff network, you now have three per site, making a total of 15 over five sites.

Those 15 staff domain controllers need to be replicated and coordinated with the tree structure relationship between the three original domains preserved on each of the five sites. Each of the other two domain controllers are distinct and won’t be part of the replication procedures of the staff domain. The site has three trees and one forest.

As you can see from this relatively simple example, the complexity of managing domains, trees, and forests can quickly become unmanageable without a comprehensive monitoring tool.

Global Catalog

Although the separation of resources into domains, subdomains, and trees can enhance security, it doesn’t automatically eliminate the visibility of resources in a network. A system called Global Catalog (GC) lists all of the resources in a forest and it is replicated to every domain controller that is a member of that forest.

The protocol that underpins GC is called the ‘transitive trust hierarchy.’ This means that all elements of the system are assumed to be bona fide and not harmful to the security of the network as a whole. Therefore, the authentication records entered in one domain can be trusted to grant access to a resource that is registered on another domain.

Users given permissions to resources in one domain don’t automatically get access to all resources, even within the same domain. The GC feature that makes resources visible to all does not mean that all users can access all resources in all domains of the same forest. All that GC lists is the name of all objects in the forest. It isn’t possible for members of other domains to query even the attributes of those objects in other trees and domains.

Multiple forests

The forest isn’t just a description of all trees run by the same administration group, there are common elements for all domains that are held at forest level. These common features are described as a ‘schema.’ The schema contains the design of the forest and all of the domain controller databases within it. This has a unifying effect, which is expressed in the common GC that is replicated to all controllers within the same forest.

There are some scenarios where you might need to maintain more than one forest for your business. Because of GC, if there are resources that you want to keep completely secret from members of the domains, you would have to create a separate forest for them.

Another reason that you might need to set up a separate forest is if you are installing AD management software. It could be a good idea to create a sandbox copy of your AD system to try out the configuration of your new software before letting it loose on your live system.

If your company acquires another business that already operates Active Directory on its network, you will be faced with a number of options. The way your business deals with the new company will dictate how you operate the network of that new division. If the business of the new company is going to be taken over by your organization and the name and identity of that company will be retired, then you will need to migrate all of the users and resources of the acquired business over to your existing domains, trees, and forest.

If the acquired company will carry on trading under its existing name, then it will be continuing with its current domain names, which cannot be integrated into your existing domains and trees. You could port the trees of this new division over to your existing forest. However, a simpler method is to leave that acquired network as it is and link together the forests. It is possible to create a transitive trust authority between two independent forests. This action must be performed manually and it will extend the accessibility and visibility of resources so that effectively, the two forests merge on a logical level. You can still maintain the two forests separately and that trust link will take care of mutual accessibility for you.

Active Directory Federation Services

Active Directory runs a number of services that authenticate different aspects of your system or aid cohesion between domains. One example of a service is the Active Directory Certificate Services (AD CS) which controls public key certificates for encryption systems, such as Transport Layer Security. The service that is relevant to domains and forest is the Active Directory Federation Services (AD FS).

AD FS is a single sign-on system, which extends the authentication of your network out to services run by other organizations. Examples of systems that can be included in this service are Google G-Suite facilities and Office 365.

The single sign-on system exchanges authentication tokens between your AD implementation and the remote service so once users have logged into your network, they will not need to log in again to the participating SSO remote service.

Managing AD forests and domains

A relatively straightforward structure for Active Directory can quickly become unmanageable once you start creating subdomains and multiple forests.

Generally, it is better to err towards having as few domains as possible. Although separating out resources into different domains and subdomains has security benefits, the increased complexity of a multiple-instance architecture can make intrusion tracking difficult.

If you are beginning a new Active Directory implementation from scratch, it is recommended that you start off with one domain in one tree, all contained by one forest. Select an AD management tool to assist you in the installation. Once you have become adept at managing your domain with your chosen tool, you can consider splitting out your domain into subdomains and also adding on more trees or even forests.

The best Active Directory management tools

Don’t try to get by managing your authentication system without assisting tools. You will get overwhelmed very quickly if you try to do without specialist tools. Fortunately, many Active Directory management and monitoring tools are free, so you don’t have the problem of budget holding you back from trying one out.

There are many AD tools on the market at the moment, so you will end up spending a lot of time assessing software if you try to preview all of them. Just picking the first tool that appears in a search engine results page is also a mistake. To ease your quest, we have compiled a list of recommended tools for AD.

Our methodology for selecting an Active Directory monitor 

We reviewed the market for Active Directory monitoring systems and analyzed tools based on the following criteria:

  • An interface that is easier to use than the native Active Directory system
  • A tool that can control and update several AD controllers
  • A service that includes bulk actions
  • A search facility to find specific accounts or account statuses
  • A method to replicate or migrate Active Directory instance
  • A free trial or a demo service that provides an assessment opportunity
  • Value for money, represented by a comprehensive tool that is offered at a fair price

With these selection criteria in mind, we identified the best Active Directory monitoring systems that will save you time and money and improve the administration of Active Directory.


Related: You can read more about these options in the next sections of this guide. For a longer list of AD software, check out The Best Active Directory Tools and Software.

1. SolarWinds Access Rights Manager (FREE TRIAL)

SolarWinds Access Rights Manager

The top-of-the-line tool for AD management is the SolarWinds Access Rights Manager. This tool installs on all versions of Windows Server. This Active Directory management tool is able to supervise AD implementations that operate for SharePoint, Exchange Server, and Windows File Share as well as general operating system access.

Key Features:

  • An easy-to-use console
  • Manages multiple domain controllers simultaneously
  • Change logging
  • Self-service portal for users
  • Permissions analysis

Why do we recommend it?

SolarWinds Access Rights Manager is an on-premises system that provides a front end for multiple Active Directory instances. You can use the tool to coordinate accounts between them. This system provides time-saving features such as an interface to allow users to change their own passwords.

This tool includes a lot of automation that can help you complete standard tasks with little effort. This category of tasks includes user creation and there is also a self-service portal to enable existing users to change their own passwords.

The Access Rights Manager tracks user activity and resource access around the clock through a logging system. This enables you to discover any intrusion even if it happens outside of business hours or when you are away from your desk.

The utility also has an analysis feature that can help you decide how to optimize your AD implementation. The Access Rights Manager will highlight inactive accounts and help you tidy up your domain controllers by weeding out abandoned user accounts.

Reporting tools in the Access Rights Manager are coordinated to the requirements of data security standards bodies, so you can enforce rules and demonstrate compliance through this AD assistant.

Who is it recommended for?

This service is particularly suitable for large businesses. You run the package on your own servers, so it won’t appeal to system administrators who prefer cloud services. Companies that use all of the services of Office 365 on-premises, such as Exchange Server and SharePoint. The tool also provides analysis functions for improved account security.

Pros:

  • Provides a clear look into permission and file structures through automatic mapping and visualizations
  • Pre-configured reports make it easy to demonstrate compliance
  • Any compliance issues are outlined after the scan and paired with remediation actions
  • Sysadmins can customize access rights and control in Windows and other applications

Cons:

  • In-depth platform designed for sysadmin which may take time to fully learn

You can get a 30-day free trial of the Access Rights Manager.

EDITOR'S CHOICE

SolarWinds Access Rights Manager is our first choice for Active Directory management because it simplifies the implementation of forests and trees. The service provides a single entry point to many AD implementations within an organization. Managers can supervise all AD instances from one dashboard and get a better overall view than AD itself provides.

Start 30-day Free Trial: solarwinds.com/access-rights-manager/

OS: Windows Server

A cut down version of the tool is available for free. This is called the SolarWinds Permissions Analyzer for Active Directory.

SolarWinds Permissions Analyzer for Active Directory Download 100% FREE Tool

2. SolarWinds Admin Bundle for Active Directory (FREE TOOL)

SolarWinds Admin Bundle for Active Directory

SolarWinds produces another Active Directory monitoring option with their Admin Bundle for Active Directory. This pack of tools includes:

  • Inactive User Account Removal Tool
  • Inactive Computer Account Removal Tool
  • User Import Tool

The package is free to use forever and each of the three tools operates as a standalone function.

Key Features:

  • Bulk actions
  • Work with data in CSV files
  • Clean up accounts
  • Free to use

Why do we recommend it?

SolarWinds Admin Bundle for Active Directory is a free system and so isn’t as comprehensive as the top-of-the-line Access Rights Manager from SolarWinds. However, if you can’t afford to pay for an administration tool for Active Directory, this useful package is worth considering. It provides tools for easing administration.

The User Import Tool gives you the ability to create user accounts in bulk from a CSV file. The Inactive User Account Removal utility helps you identify and close down unused user accounts. With the Inactive Computer Account Removal Tool, you can identify defunct device records in your Active Directory domain controllers.

Who is it recommended for?

You might decide that it isn’t worth buying an administration tool for Active Directory and stick with the interface that comes with AD. In this case, you are exactly the type of person that SolarWinds created this tool for. It doesn’t cost you anything to use the SolarWinds Admin Bundle for Active Directory.

Pros:

  • A small suite of tools that add additional features to the default access control in AD
  • Helps speed up routine access management tasks when on/offboarding users
  • Is completely free – great for smaller environments

Cons:

  • Larger networks may require more features

This free tool bundle runs on Windows Server.

SolarWinds Admin Bundle for Active Directory Download 100% FREE Tool Bundle

3. ManageEngine ADManager Plus (FREE TRIAL)

ManageEngine ADManager Plus

ManageEngine produces resource monitoring systems and this comprehensive AD management tool is written to the company’s high standard. You can manage Active Directory implementations to manage permissions for Office 365, G-Suite, Exchange, and Skype as well as your network access rights.

Key Features:

  • Clean up accounts
  • Manage cloud accounts
  • Compliance reporting

Why do we recommend it?

ManageEngine ADManager Plus is a similar package to the SolarWinds Access Rights Manager. As well as working for general system access controls, this package can manage AD for on-premises and cloud-based Microsoft 365 products. Additionally, this tool will manage accounts for Google Workspace and Skype for Business.

ManageEngine ADManager Plus has a web-based interface, so it can run on any operating system. You can create, edit, and remove objects from your domain controller including bulk actions. The tool monitors account usage so you can spot dead accounts and a number of AD management tools can be automated through the utility.

The auditing and reporting function of ADManager Plus help you demonstrate compliance to SOX and HIPAA and other data security standards.

Who is it recommended for?

ManageEngine provides an app that enables administrators to access the console, even though the main package is an on-premises system. This is a handy feature for technicians that are frequently away from their desks. There is a Free edition that is limited to managing 100 user accounts.

Pros:

  • Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc)
  • Supports multiple domains
  • Supports delegation for NOC or helpdesk teams
  • Allows you to visually view share permissions and the details of security groups

Cons:

  • Takes time to explore all features and options

This system is available in Standard and Professional editions. You can get a 30-day free trial of the tool. If you decide not to buy after the trial period ends, the software keeps working as a restricted, free version.

ManageEngine ADManager Plus Access 30-day FREE Trial

4. Paessler Active Directory Monitoring with PRTG (FREE TRIAL)

Paessler Active Directory Monitoring with PRTG

Paessler’s PRTG is a bundle of tools, each of which is called a ‘sensor.’ The utility includes Active Directory sensors that help you monitor your AD implementation. PRTG runs on Windows Server and you can use it for free if you only activate 100 sensors. The price of the paid tool depends on how many sensors you activate.

Key Features:

  • Tracks user activity
  • Manages domain forest
  • Replication support

Why do we recommend it?

Paessler PRTG provides an Active Directory Replication Error sensor. This is the weakest of the tools in this package because PRTG doesn’t provide any AD management services or any other monitor for AD other than the replication error sensor. PRTG has many other sensors that provide better monitoring for other technologies.

The AD sensors in PRTG keep track of the replication system of Active Directory. This ensures that the complete database is copied to all domain controller versions that are located around your network. The tool also logs user activity to help you to detect inactive user accounts.

Who is it recommended for?

Paessler PRTG is not the best tool for Active Directory monitoring but it is very good for network monitoring – it discovers, documents, and maps networks. The system also provides constant monitoring for networks, servers, and applications and it can perform network traffic analysis. You can use up to 100 sensors in the package for free.

Pros:

  • Drag and drop editor makes it easy to build custom views and reports
  • Can monitor the server, network, and supporting infrastructure in one solution
  • Offers AD replication – great for BDR and multi-domain environments
  • Supports a freeware version

Cons:

  • Is a very comprehensive platform with many features and moving parts that require time to learn

You can get a 30-day free trial of the full system with unlimited sensors.

Paessler Active Directory Monitoring PRTG Download 30-day FREE Trial

5. Datadog Infrastructure

Datadog Infrastructure

Datadog Infrastructure Monitoring is delivered from a SaaS platform that offers a range of system monitoring and management tools. This service will watch over applications and service down to server resources.

Key Features:

  • An integration for Active Directory
  • Monitor Azure AD as well
  • Throughput monitoring

Why do we recommend it?

Datadog Infrastructure is a cloud package for monitoring networks, servers, and services. Active Directory monitoring is provided by an integration, which you need to activate. The add-on is one of 600 free additions that are available in the Datadog integrations library. The platform includes many other system monitoring and management tools.

The Active Directory monitor is delivered as an integration. This has to be activated and it adds on extra screens and data collectors to your Datadog implementation. The console for the monitoring system is hosted in the cloud and local data is collected by an onsite agent.

Using the AD monitor doesn’t shut down all of the other capabilities of the Datadog Infrastructure system. That means you get much more than just Active Directory monitoring with this package.

Who is it recommended for?

This package is suitable for any business. It is priced per host, which makes it very scalable. Even better for small businesses, there is a Free edition that will manage up to five hosts. You can’t use the Active Directory integration with that free package.

Pros:

  • AD access transactions monitoring
  • DNS reference counts
  • LDAP connection tracking

Cons:

  • Doesn’t include Active Directory management functions

You can subscribe to multiple modules on the Datadog platform. For example, Log Management is a very useful addition because it will receive and store AD logs. You can get a 14-day free trial of all Datadog modules.

Active Directory management

Now that you understand the basics of Active Directory configurations, you should consider employing a tool to help you manage your implementation. Hopefully, our guide has set you on the path to running AD more effectively.

Do you use any tools to manage Active Directory? Do you use any of the tools on our list? Leave a message in the Comments section below to share your experience with the community.

Active Directory forests & domains FAQS

What is the difference between a domain and a forest?

An instance of Active Directory is a domain controller and this is a tree. You can have sub-domains and a collection of subdomains within the same namespace is called a domain tree. A related domain that you want to share access rights with your original domain would go in the same forest. If you put that new domain in a new forest, it can’t share permissions and accounts with the original domain.

What is a Active Directory forest?

An Active Directory forest is the top level of organization within Active Directory. It can be used as an umbrella to link together several domains that would otherwise be completely unrelated. Put domains into a common forest if you want them to share objects. If you want to keep those domains completely separate with different user accounts for each system, put them in separate forests.

How many domains can be created in a forest?

There is no structural limit on the number of domains that can go into a forest. However, for the sake of manageability, Microsoft recommends limiting a forest’s size to 10 domains.