Aelita Enterprise Suite (AES) 2.04 is a collection of utilities and applications that augment Windows NT's wizards and administrative and system control applications. This suite expands the NT 4.0 Option Pack's Microsoft Management Console (MMC) with functions such as domain relationship management, user and permissions reporting, and event management.
The 5-minute installation was simple. I used a clean server running NT 4.0 with Service Pack 5 (SP5). The default file location settings worked fine. The software presented me with several applications and utilities: Aelita Delegation Manager (Aelita DM), Domain Migration Wizard (DMW), Virtuosity, Journal, EventAdmin, BootAdmin, ERDisk, MultiReg, and TimeAdmin. The suite also includes the Administrator Assistant Tool Kit, which has three more utilities. After installation, I was unsure how to start the applications because the suite lacks a controlling application that starts the separate applications and utilities. The software didn't have a README file, so I had to search the somewhat skimpy online Help to find the answer.
The Aelita DM administrates security for NT domains and member servers and workstations. The tool provides security privileges to subdomain administrators who don't need administrative control over an entire domain. Without making the individuals members of the administrator group, administrators can use the Aelita DM to grant privileges to individuals to perform specific tasks, such as reenable locked accounts, as Screen 1 shows.
The DMW maps to Novell Directory Services (NDS) partitions and can administrate the Active Directory (AD) hierarchy in Windows 2000 (Win2K), which is helpful for administrators who need to migrate NT to Win2K. This wizard is a toolbox that helps migrate NT domains to the hierarchical AD model. To test the DMW's capabilities, I used several spare servers and made a multiple master domain. The process was simple yet gave me many options to choose among, such as which organizational units (OUs) to migrate and which usernames to resolve. Next, I transferred information from the NT 4.0 domain to Windows 2000 Advanced Server (Win2K AS) Release Candidate 2 (RC2) without removing the original NT account and group information. The DMW let me open all the domains, then pull objects and groups together with breathtaking ease. This application worked well on my test network, but my test network wasn't big enough to take advantage of all that this application offers to a large network. The DMW alone is worth the suite's cost for administrators with NT domain infrastructures that have grown unwieldy.
The DMW relies heavily on Virtuosity, which is a valuable collection application. Virtuosity collects permissions, usernames, profiles, domains, and other data, then feeds the data to the enclosed Microsoft Access and Microsoft Jet databases (with a little tweaking, you can use an ODBC database). You can generate canned or custom reports based on the data that Virtuosity gathers from domains, servers, and member PCs. The reports list items such as inappropriate usernames and file modifications. Because this tool digests a large amount of data, a report about a large network might take a long time to generate.
Journal is a schedule daemon that lets you analyze with varying degrees of granularity the records that the other applications store. Journal has the powerful ability to run as an autonomous agent for administrators. After you perform an analysis, you can configure Journal to launch a query, application, or messaging system (e.g., email, pager, SNMP trap) to track events, as Screen 2 shows. You can set diverse event analyses to trigger disparate actions. You can check Journal to learn when the last time an analysis ran, then drill down into Journal to see the report. The resulting reports were quite complete, so I didn't need to drill down into Access for additional information.
EventAdmin is a repository and action agent (i.e., notifier) for networkwide NT events that Journal collects. EventAdmin tracks events such as failed logons and Dr. Watson errors. The application also tracks server events in NT's Event Viewer. You can easily sort the events, but the application doesn't interpret them.
I created some events for EventAdmin to report and configured the application to send email messages to me. EventAdmin tracks multiple servers to generate reports on application, security, and system events. To make a security assessment, you can report items such as file and object access, logon status, logon times, changes to groups, new account information, security policy changes, and user activities. You can also generate printer, hard disk capacity, RAS, and memory-management reports. As with most AES applications, you can use the Scheduler Wizard to schedule EventAdmin to run reports at a specific time.
The other AES applications have somewhat limited functionality. For example, BootAdmin simply forces remote shutdowns and restarts of machines within a domain. With BootAdmin, you can configure applications to close with unsaved changes, reboot after shutdown, vary the warning message to display before a shutdown, and post events in a log file. You can also configure BootAdmin to run on a predetermined schedule. This application worked properly.
The ERDisk utility makes and stores Emergency Repair Disks (ERDs) for NT servers and NT workstations and stores the contents of the ERDs in a directory that you configure. (Aelita recommends storing ERDs in an area inaccessible to intruders.) I made ERDs for my five servers and stored the ERDs on a PDC without incident. You use the Scheduler Wizard to trigger ERDisk to run. ERDisk lacks a way to create ERDs for Windows 9x machines.
MultiReg is a utility that lets a COM object access the Registry keys of several NT machines simultaneously. This wonderful tool uses the same user interface (UI) that regedit uses. With this tool, you can synchronize Registry keys among a group of machines to enforce policies, anchor Microsoft Office applications, or prevent virus changes. You can use Journal to audit, identify, and investigate Registry key changes. To use MultiReg, I opened the application and selected a system as the base system. After I made a change to the base system, MultiReg automatically replicated the change to other systems that I had selected. However, you can kill all servers in one action, so keep MultiReg under lock and key.
The TimeAdmin application simply updates servers to synchronize the time. You can use the Scheduler Wizard to schedule TimeAdmin to run. The time server that Aelita chose as the default was difficult to access, but you can choose other time servers around the world (e.g., http://www.nist1.datum.com). Many firewalls block port 13, which the Network Time Service uses, so you might have to proxy through your firewall, as I did. TimeAdmin adds logs and centralized administration to the limited time synchronization capabilities that several freeware applications offer.
Finally, the Administrator Assistant Tool Kit consists of FileAdmin, RegAdmin, and ScanPro. FileAdmin lets administrators (or delegated users) add, remove, modify, or clone account permissions to folders, files, or file groups. Then, you can replicate the changes throughout a directory tree without altering permission attributes for other accounts. The RegAdmin tool, which is similar to regedit, lets you clone, copy, and replicate Registry hives or entries. This tool can give you easier hive and value movement than regedit does. As with MultiReg, you can easily use RegAdmin to shut down a server in a heartbeat, so be careful. ScanPro is an interesting utility that you can use to test passwords against dictionary attacks. Although you can add words to the dictionary, the default version is quite small. I used several English words that ScanPro didn't have in its dictionary as passwords, so the tool breezed by them. Scanning the dictionary for one user's password on a 366MHz server took 9 seconds. A larger dictionary would take longer to test a password but would provide a better emulation of dictionary attacks. You can easily schedule ScanPro and have it audit servers and domains on a regular basis to make sure that new passwords aren't vulnerable to attacks.
AES is useful for administrators of midsized and enterprise NT networks, but the suite is a little rough around the edges. Aelita needs to enhance the online Help and provide more wizards and templates to make the suite easier for administrators to use. And the suite would benefit from having all components in one shell application. Overall, AES is one of the best suites that I've seen.
| Aelita Enterprise Suite 2.04 |
|
Contact: Aelita Software Group * 800-263-0036 Web: http://www.aelita.net Price: $5499 for 5 servers and 100 users DECISION SUMMARY: Pros: Powerful administration utilities; useful migration tools; wide-ranging reports, scheduling capabilities, and event notification methods Cons: No shell application; inadequate online Help |
