
Change Auditor - For Advanced Users 7.3 - Technical Insight Guide


Enable ChangeAuditor Agent service to start with the Microsoft security update (KB2264107)

In 2010, Microsoft released a security update (KB2264107) that disallows the loading of 'unsafe' DLLs from the current working directory. The update sets the CWDIllegalInDllSearch registry entry to 0xFFFFFFFF under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.

With this computer-wide setting in place, the Change Auditor agent service (NPSrvHost.exe) cannot start. The per-application registry value described below allows the agent service to start while leaving the computer-wide setting in force.

Location: Registry

Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Value Name: CWDIllegalInDllSearch

Value Type: DWORD

Default: Not present. The Change Auditor Agent service fails to start if the computer-wide setting is present.

Value: 1 – Overrides the computer-wide setting for the Change Auditor Agent service, which is then allowed to start.
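The following PowerShell script is an added example, not code from the Quest guide. It reads the computer-wide CWDIllegalInDllSearch value, and only if that value is the KB2264107 blocking value (0xFFFFFFFF) does it write the per-application override for the agent service and read it back for verification. It assumes that the per-application value is written under a subkey named for the executable (Image File Execution Options\NPSrvHost.exe), which is how the Microsoft article documents per-application overrides; the guide lists only the parent path, so confirm the subkey against the KB article for your environment.

```powershell
# Added example (not from the Quest guide): narrow the KB2264107 hardening
# exception to the Change Auditor agent service instead of removing the
# computer-wide setting. Run from an elevated PowerShell session.

$MachinePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
# Assumption: per-application override lives in a subkey named after the
# executable (NPSrvHost.exe), as documented by Microsoft for this setting.
$IfeoPath    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPSrvHost.exe'
$ValueName   = 'CWDIllegalInDllSearch'
$BlockAll    = [uint32]0xFFFFFFFF

function Get-CwdIllegalInDllSearch {
    # Returns the DWORD as an unsigned value, or $null when the value is absent.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD 0xFFFFFFFF is surfaced as Int32 -1; mask it back to 32 unsigned bits.
    return [uint32]([int64]$item.$ValueName -band 0xFFFFFFFF)
}

function Enable-ChangeAuditorAgentDllSearchOverride {
    # Writes the per-application override (1) only when the computer-wide
    # blocking value is present, so nothing changes on hosts that do not need it.
    $machineValue = Get-CwdIllegalInDllSearch -Path $MachinePath
    if ($null -eq $machineValue) {
        Write-Output "Computer-wide $ValueName is not present; no override needed."
        return
    }
    Write-Output ('Computer-wide {0} = 0x{1:X8}' -f $ValueName, $machineValue)
    if ($machineValue -ne $BlockAll) {
        Write-Output 'Computer-wide value is not the KB2264107 blocking value; leaving it unchanged.'
        return
    }

    if (-not (Test-Path -Path $IfeoPath)) {
        New-Item -Path $IfeoPath -Force | Out-Null
    }
    New-ItemProperty -Path $IfeoPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Read back what was written so the change can be recorded and audited.
    $override = Get-CwdIllegalInDllSearch -Path $IfeoPath
    Write-Output ('Per-application {0} for NPSrvHost.exe = {1}' -f $ValueName, $override)
}

Enable-ChangeAuditorAgentDllSearchOverride
```

Keeping the exception scoped to one executable preserves the DLL search-order protection for every other process on the host; the read-back at the end gives a value that can be recorded in the change ticket and later compared by a configuration-drift check.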

Adjust memory dumps settings

Change Auditor overrides the settings in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe], so those settings are ignored.

Use the following registry setting to adjust memory dump settings on a domain controller.

Location: Registry

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\ChangeAuditor for Active Directory

Value Name: MemoryDumpType

Value Type: DWORD

Default: 2

Value: MemoryDumpType can contain 1, 2, or any bitmask value outlined here:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519(v=vs.85).aspx
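The following PowerShell script is an added example, not code from the Quest guide. It reads MemoryDumpType from the key above (falling back to the guide's default of 2 when the value is absent), decodes the bitmask against the MINIDUMP_TYPE flag values published on the linked Microsoft page, and refuses to write a new value that contains bits outside those flags. The flag table is a subset of MINIDUMP_TYPE that I have copied in; the registry path and value name come from the guide.

```powershell
# Added example (not from the Quest guide): inspect and validate the
# MemoryDumpType bitmask used for lsass.exe dumps on a domain controller.

$CaPath = 'HKLM:\SOFTWARE\Quest\ChangeAuditor for Active Directory'
$Name   = 'MemoryDumpType'
$GuideDefault = [uint32]2   # default stated in the guide

# Subset of MINIDUMP_TYPE flags (values from the Microsoft MINIDUMP_TYPE page).
$MinidumpFlags = [ordered]@{
    MiniDumpWithDataSegs                   = 0x0001
    MiniDumpWithFullMemory                 = 0x0002
    MiniDumpWithHandleData                 = 0x0004
    MiniDumpFilterMemory                   = 0x0008
    MiniDumpScanMemory                     = 0x0010
    MiniDumpWithUnloadedModules            = 0x0020
    MiniDumpWithIndirectlyReferencedMemory = 0x0040
    MiniDumpFilterModulePaths              = 0x0080
    MiniDumpWithProcessThreadData          = 0x0100
    MiniDumpWithPrivateReadWriteMemory     = 0x0200
    MiniDumpWithoutOptionalData            = 0x0400
    MiniDumpWithFullMemoryInfo             = 0x0800
    MiniDumpWithThreadInfo                 = 0x1000
    MiniDumpWithCodeSegs                   = 0x2000
}
$KnownBits = 0
foreach ($v in $MinidumpFlags.Values) { $KnownBits = $KnownBits -bor $v }

function ConvertTo-MinidumpFlagNames {
    # Decodes a MemoryDumpType value into flag names; unknown bits are reported, not dropped.
    param([Parameter(Mandatory)][uint32]$Value)
    if ($Value -eq 0) { return @('MiniDumpNormal') }
    $names = @(foreach ($f in $MinidumpFlags.GetEnumerator()) {
        if (($Value -band $f.Value) -ne 0) { $f.Key }
    })
    $unknown = $Value -band (-bnot $KnownBits)
    if ($unknown -ne 0) { $names += ('Unknown(0x{0:X})' -f $unknown) }
    return $names
}

function Get-MemoryDumpType {
    # Returns the configured value, or the guide's default (2) when the value is not set.
    $item = Get-ItemProperty -Path $CaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $GuideDefault }
    return [uint32]([int64]$item.$Name -band 0xFFFFFFFF)
}

function Set-MemoryDumpType {
    # Writes a new MemoryDumpType after checking every bit is a known MINIDUMP_TYPE flag.
    param([Parameter(Mandatory)][uint32]$Value)
    if (($Value -band (-bnot $KnownBits)) -ne 0) {
        throw ('0x{0:X} contains bits that are not MINIDUMP_TYPE flags; refusing to write.' -f $Value)
    }
    if (($Value -band $MinidumpFlags.MiniDumpWithFullMemory) -ne 0) {
        # A full-memory dump of lsass.exe on a domain controller contains credential
        # material; restrict the dump location's ACL and remove dumps after analysis.
        Write-Warning 'MiniDumpWithFullMemory selected: lsass dump files must be handled as secrets.'
    }
    if (-not (Test-Path -Path $CaPath)) { New-Item -Path $CaPath -Force | Out-Null }
    New-ItemProperty -Path $CaPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-MemoryDumpType
Write-Output ('{0} = 0x{1:X} ({2})' -f $Name, $current, ((ConvertTo-MinidumpFlagNames -Value $current) -join ', '))
# Example: keep full memory but also capture thread and handle data (0x2 + 0x4 + 0x1000 = 0x1006).
# Set-MemoryDumpType -Value 0x1006
```

Decoding the existing value before changing it makes review of a domain controller's dump configuration straightforward, and the validation step catches typos in a bitmask that would otherwise silently produce a dump type nobody intended.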


Change Auditor built-in fault tolerance

Fault tolerance and high availability are inherently built into Change Auditor, and no additional configuration is required.

Each component in the Change Auditor architecture is designed with high availability (fault tolerance and failover) as a goal. There will always be only one SQL database and this database is typically hosted on a Microsoft SQL Server cluster.

More than one management service (coordinator) can be installed; they automatically work together and become redundant. No additional configuration is required. An agent can connect to multiple coordinators, which process events and prepare them for insertion into the SQL database. Change Auditor agents (version 6.x or later) prefer available coordinators within the same site, but if none are found, all available coordinators within the same installation are considered. If one or more (depending on agent type) non-site coordinators are connected, and one or more coordinators are later discovered within the agent site, the agents connect to the site-located coordinators and drop the non-site coordinator connections. If this behavior is problematic for your environment, contact Quest Technical Support to discuss possible configuration options. The need for multiple coordinators depends on the event volume, the number of agents, and the hardware specifications of the coordinator. If one of these servers suffers a catastrophic failure, the other continues.

Also, the auditing agent has the inherent ability to cope with service or network outages. If for any reason an agent is unable to communicate with the other components, that agent continues auditing normally and stores audit data locally until communications are restored. This outage can exist for an extended period without issue. After communications resume, the agent begins forwarding its queued events in a controlled fashion.

If a coordinator is unavailable, agents stop forwarding events. This is by design. For redundancy, or if a coordinator is not able to handle the event load, two or more coordinators can be installed. Server agents submit events to all available coordinators and load balancing occurs automatically. However, workstation agents randomly connect to a single coordinator and submit events to that coordinator.

Change Auditor protection

This section explains how access permissions are evaluated when multiple protection templates, which may contain conflicting rules, are assigned to an object. The same evaluation process is used for all types of protection templates (Active Directory, ADAM (AD LDS), Group Policy, File System, and Exchange Mailbox). However, there are some special considerations to keep in mind when using the Exchange Mailbox Protection feature; see How access rules are evaluated.

Protection templates can be one of two types:
