Chat now with support
Chat with Support

Active Administrator 8.6.2 - User Guide

Active Administrator Overview User Provisioning Certificates Security & Delegation  Active Directory Health
Switching to Active Directory Health Using the Active Directory Health landing page Installing Active Directory Health Analyzer agents Using the Active Directory Health Analyzer agent configuration utility Excluding domain controllers Managing the Remediation Library Analyzing Active Directory health Analyzing Azure Active Directory Managing Active Directory Health Analyzer alerts Managing alert notifications Pushing alerts to System Center Operations Manager and SNMP managers Managing monitored domain controllers Managing data collectors Active Directory Health Templates Managing Active Directory Health Analyzer agents Using the Troubleshooter Recovering Active Directory Health data
Auditing & Alerting Group Policy Active Directory Recovery Active Directory Infrastructure DC Management DNS Management Configuration
Using the Configuration landing page Managing tasks Defining role-based access Setting email server options Configuring SCOM and SNMP Settings Setting notification options Setting Active Template options Setting agent installation options Setting recovery options Setting GPO history options Setting certificate configuration Setting service monitoring policy Managing archive databases Migrating data to another database Setting a preferred domain controller Setting up workstation logon auditing Managing configuration settings Setting user options Managing the Active Directory server
Diagnostic Console Alerts Appendix
Domain controller alerts
Active Directory Certificate Services service is not running Active Directory Domain Services is not running Active Directory Web Services service is not running Consecutive replication failures DC cache hits DC DIT disk space DC DIT log file disk space DC LDAP load DC LDAP response too slow DC Memory Usage DC properties dropped DC RID pool low DC SMB connections DC SYSVOL disk space DC time sync lost Detected NO_CLIENT_SITE record DFS Replication service not running DFS service is not running DFSR conflict area disk space DFSR conflict files generated DFSR RDC not enabled DFSR sharing violation DFSR staged file age DFSR staging area disk space DFSR USN records accepted DFSRS CPU load DFSRS unresponsive DFSRS virtual memory DFSRS working set DNS Client Service is not running Domain controller CPU load Domain controller page faults Domain controller unresponsive File Replication Service is not running File replication (NTFRS) staging space free in kilobytes GC response too slow Group policy object inconsistent Hard disk drive Intersite Messaging Service is not running Invalid primary DNS domain controller address Invalid secondary DNS domain controller address KDC service is not running LSASS CPU load LSASS virtual memory LSASS working set Missing SRV DNS record for either the primary or secondary DNS server NETLOGON not shared NetLogon service is not running Orphaned group policy objects exist Physical memory Power supply Primary DNS resolver is not responding Secondary DNS resolver is not responding Security Accounts Manager Service is not running SRV record is not registered in DNS SYSVOL not shared W32Time service is not running Workstation Service is not running
Domain alerts Site alerts Forest alerts Azure Active Directory Connect alerts
Event Definitions PowerShell cmdlets

Setting up auditing on domain controllers

Previous Next


Auditing & Alerting > Managing audit agents > Setting up auditing on domain controllers

Setting up auditing on domain controllers

To gather the proper information from the security event logs, the information must first be audited. You need to modify the Default Domain Controllers Policy to enable auditing.

To set up auditing on a domain controller
1
Start Active Administrator Console.
2
Select Group Policy | Group Policy Objects.
3
Select Default Domain Controllers Policy, and click Edit.
4
Expand Computer Configuration | Windows Settings | Security Settings | Local Policies, and select Audit Policy.
5
Verify that the following polices are defined. If not, double-click the following policies to edit their Success and Failure settings.
 

Table 65. Default domain controller policy settings

Policy

Setting

Audit logon events

[Success, Failure]

Audit account logon

[Success]

Audit account management

[Success]

Audit directory service access

[Success]

Audit policy change

[Success]

Audit system events

[Success]

6
Close the Group Policy window.
7
From the command prompt, refresh the Group Policies by typing gpupdate /force.
 
* 
NOTE: Auditing policy changes may take a long time to take effect.
NOTE: If there are issues detecting audit events when monitoring domain controllers, manually set the above audit policies for each type of object using the Microsoft auditpol system utility.

Installing audit agents

Previous Next


Auditing & Alerting > Managing audit agents > Installing audit agents

Installing audit agents

To collect data on a computer, you must install and activate the audit agent.

 
* 
IMPORTANT: For Active Administrator Server agents to audit Active Directory events, auditing must be enabled in all domains that will be monitored. Make sure that Windows auditing is enabled on the Default Domain Controller policy. See Setting up auditing on domain controllers.
To install an audit agent
1
Select Auditing & Alerting | Agents.
2
Click Install.

The Welcome page reminds you to enable auditing in Active Directory®. See Setting up auditing on domain controllers.

3
Click Next.
4
In the Domain box, type the domain name; or browse to locate a domain.
5
If necessary, click Find Domain Controllers.
To select all listed domain controllers, click Select all.
To clear all the check boxes, click Clear all.
6
Select the domain controllers from which you want to audit activity.
7
Click Next.
8
Select the options for the install process.

You can install the audit agent on the selected domain controllers themselves or on another computer in the current domain. A single audit agent should be able to monitor activity on up to five domain controllers, depending on the type and frequency of activities being audited.

 

Table 66. Options for the install process

Option

Description

Install on target Domain Controller(s)

By default, the audit agent is installed on the domain controllers you selected on the previous page.

Audit from an agent on the following computer

Select to install the audit agent on a computer in the domain. Type a computer's fully qualified domain name in the box, or browse to locate a computer.

NOTE: If you choose to do remote monitoring, the Advanced Agent is not installed on the selected domain controllers.

Start collecting events immediately after installation of the agent

By default, the audit agent is activated and collection begins immediately upon completion of the installation process. Clear the check box if you want to activate the audit agents manually.

Enable agent monitoring and recovery

By default, Active Administrator® monitors the status of the audit agent.

9
Click Next.
10
In the Run as box, type an account with domain administrative rights, or click to locate an account, and then enter the password.
* 
NOTE: The Active Administrator Agent service can also run under a domain user account provided it is a local administrative account, which gives it the rights to log on as a service, log on locally, and manage auditing and security log, or these privileges can be granted individually. This user or service account should also be a member of the AA_Admin group, which by default is located in the Local groups of the server where the ActiveAdministrator database is located. If the group is not found in this location, the settings during the initial database creation were modified and it can be found under the Users container object of Active Directory.
11
To verify the account, click Test Audit Agent Account.
12
Click Next.
13
Review the summary.
14
Click Next.
15
Click Finish.

The Audit Agent page lists the domain controllers you selected, the time and date of the last event collected, the status of the audit agent and the advanced audit agent, the name of server on which Active Administrator is installed, and the version number of the audit agent installed on the domain controller.

 
* 
NOTE: By default, the audit agent is activated upon installation. To change the default setting, click Configuration | Agent Installation Settings. See Setting agent installation options.

You can view details about the install in the AuditAgentInstall*.log file, which is located in the Program Files\Quest\Active Administrator\Server\Logging folder.

NOTE: If you experience deactivated audit agents after installing agents in a new domain on a Windows Server 2016, Windows 2019, or Windows 2022 domain controller, clear the security event log and restart the audit agent.

Modifying the audit agent startup account

Previous Next


Auditing & Alerting > Managing audit agents > Modifying the audit agent startup account

Modifying the audit agent startup account

 
* 
IMPORTANT: The agent startup account must have the privilege to manage auditing and security logs. Domain administrators have this privilege by default.
To modify the audit agent startup account
1
Select Auditing & Alerting | Agents.
2
Select a domain controller, and select More | Set Startup Account.
3
Change the account used to start the audit agent.
* 
NOTE: A domain administrator account is recommended. The Active Administrator® audit agent service can run under a domain user account if it is a local administrative account, which gives it the rights to log on as a service and log on locally, or an account with these two privileges granted individually. This account should also be a member of the AA_Admin group, which by default is located in the Local groups of the server where the ActiveAdministrator database is located. If the group is not found in this location, the settings during the initially database creation were modified and the group can be found under the Users container object of Active Directory®.
4
Type the password.
5
Click OK.

Modifying the audit agent test account

Previous Next


Auditing & Alerting > Managing audit agents > Modifying the audit agent test account

Modifying the audit agent test account

By default, Active Administrator® monitors the status of the audit agent.

To modify the audit agent test account
1
Select Auditing & Alerting | Agents.
2
Select a domain controller, and select More | Test Startup Account.
3
Change the account used to monitor the status of the audit agent.
4
Type the password.
5
Click OK.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating