Indian and Northern Affairs gets proactive with Active Directory

Although the department of Indian and Northern Affairs Canada (INAC) had long since migrated from Microsoft Corp.’s Windows NT 4 to Active Directory and Windows 2000, it was only recently that the federal agency got a handle on troubleshooting its decentralized directory.

The Gatineau, Que.-based federal department is responsible for meeting the Canadian government’s constitutional, treaty, political and legal responsibilities to First Nations, Inuit and Northerners.

Heath Beechey, access control officer for INAC, presided over the Windows migration in 2001. Since then, INAC has wanted to optimize its Active Directory implementation, which was built from the ground up; Beechey designed a single forest with 22 sites and 35 domain controllers distributed among 14 regional offices, located in every territory and every province in the country. Currently 5,400 users are on the system, Beechey said.

While Active Directory — Microsoft’s Windows 2000 directory service designed for distributed networking environments — is useful, it lacks the ability to audit and track changes to the system, Beechey said.

To solve the audit and tracking trouble, INAC turned to Phoenix, Ariz.-based NetPro Corp. and its ChangeAuditor, an auditing and configuration-management product designed to maintain control of Active Directory.

Similar tools to extend Active Directory are available from Quest Software Inc., Desktop Standard Corp., and Centrify Corp.

NetPro CTO Gil Kirkpatrick said the recently updated ChangeAuditor 2.0 features custom user and group attribute tracking and integrates with Microsoft Operations Management to support multiple repositories and multiple-agent configurations.

INAC implemented the solution in late fall of 2004. ChangeAuditor tracks all key Active Directory configuration changes in real time, Beechey said.

The product captures user changes to the directory including what, where and why original data was altered. In the past, troubleshooting the problem to determine exactly who made a particular change was extremely difficult, Beechey said.

The solution also means the IT department is more proactive and accountable, Beechey noted. Previously, the only way to track change activity was to check Active Directory every once in a while for recent changes. He said the system now tracks changes in real time to organizational units (OUs) from the directory, domain controllers, subnets and other components.

Currently, users dial in through a virtual private network (VPN) to gain access to the system and provide credentials, which are then matched to an Active Directory user profile. ChangeAuditor allows INAC to track the Active Directory values that affect system availability for users — such as approved and unapproved changes that may affect overall availability, Beechey said.

According to Beechey, using the NetPro tools reduces change-related network downtime and troubleshooting pains. What would originally take five hours has been cut to one or two, he added.