Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Change Auditor - For Advanced Users 7.3 - Technical Insight Guide

Table of Contents

Change Auditor Services

Quest Change Auditor Coordinator Quest Change Auditor Workstation Agent Quest Change Auditor Agent Change Auditor for EMC

Change Auditor licensing processes

License check process Component licensing User counts

Component Start-up Considerations

Start up delays

Change Auditor network communications

Service Connection Points

CN=ChangeAuditor.Coordinator

Ports and protocols Network encryption

SMB protocol and share encryption Secure password storage Client to coordinator connection Agent to coordinator connection (version 6.x and 7.0.1) Agent to coordinator connection (version 7.0.2) Coordinator to SQL Server connection

Coordinator internal tasks

Forest topology collection Group expansion Alert processing License check Remote deployment Agent heartbeat check Refresh coordinator statistics Event aggregator SQL upgrade monitor Open handle Scheduled purge job Scheduled archive job Scheduled report job

Registry Settings

Force agent WCF port Force client port Force SDK port Use predefined GC for name resolution Allow collation switch Report zip limit SQL command timeout Enable ChangeAuditor Agent service to start with the Microsoft security update (KB2264107) Adjust memory dumps settings

Change Auditor built-in fault tolerance Change Auditor protection

Using multiple protection templates

How access rules are evaluated How scheduling and location works with denied access

Database Considerations

How to move the Change Auditor database and coordinator to another server How to estimate the required SQL server disk space How SQL Server Autogrow affects Change Auditor How to query an archive database

Account exclusions best practices

Enable ChangeAuditor Agent service to start with the Microsoft security update (KB2264107)

Enable ChangeAuditor Agent service to start with the Microsoft security update (KB2264107)

In 2010, Microsoft introduced a security update (KB2264107) to disallow the loading of 'unsafe' DLLs. The update sets the CWDIllegalInDllSearch registry entry to 0xFFFFFFFF under KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.

This computer-wide setting will not allow the Change Auditor agent service (NPSrvHost.exe) to start.

To keep the strict system-wide setting, but still allow the Change Auditor agent to start:

1

Log on as an administrator on the computer hosting the agent.

2

Open the Registry Editor.

3

In the following registry key create a new key named NPSrvHost.exe:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

4

Right-click the newly created key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPSrvHost.exe.

5

Select New | DWORD (32-bit) Value and type CWDIllegalInDllSearch.

6

Set the value of CWDIllegalInDllSearch to 1.

Table 16. Registry setting: CWDIllegalInDllSearch
Location	Registry
Path	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Value Name	CWDIllegalInDllSearch
Value Type	DWORD
Default	Not present. Change Auditor Agent service will fail to start if the computer-wide setting is present.
Value	1 – Overrides the computer-wide setting for Change Auditor Agent service, it will be allowed to start.

Adjust memory dumps settings

Adjust memory dumps settings

Change Auditor overwrites the settings in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe] causing them to be ignored.

Use the following registry setting to adjust memory dumps settings on a domain controller.

Table 17. Registry setting: Memory Dump Type

HKEY_LOCAL_MACHINE\SOFTWARE\Quest\ChangeAuditor for Active Directory

•

•

CircularDumpCount

Default value 2

MemoryDumpType can contain values 1, 2, or any bitmask value outlined here:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519(v=vs.85).aspx

Change Auditor built-in fault tolerance

Fault tolerance and high availability is inherently built in to Change Auditor and no additional configuration is required.

Each component in the Change Auditor architecture is designed with high availability (fault tolerance and failover) as a goal. There will always be only one SQL database and this database is typically hosted on a Microsoft SQL Server cluster.

More than one management service (coordinator) can be installed and they automatically work together and become redundant. No additional configuration is required. An agent can connect to multiple coordinators to process events and prepare them for Change Auditor agents (version 6.x or later) which prefer available coordinators within the same site, but if none are found, all available coordinators within the same installation are considered. If one or more (depending on agent type) non-site coordinators are connected, and one or more coordinators are later discovered within the agent site, the agents connect to the site-located coordinators and drop non-site coordinator connections. If this behavior is problematic for your environment, contact Quest Technical Support to discuss possible configuration options.or insertion into the SQL database. The need for multiple coordinators depend on the event volume, number of agents, and the hardware specifications of the coordinator. If one of these servers suffers a catastrophic failure, the other continues.

Also, the auditing agent has the inherent ability to cope with service or network outages. If for any reason an agent is unable to communicate with the other components, that agent continues auditing normally and stores audit data locally until communications are restored. This outage can exist for an extended period without issue. After communications resume, the agent begins forwarding its queued events in a controlled fashion.

If a coordinator is unavailable, agents stop forwarding events. This is by design. For redundancy, or if a coordinator is not able to handle the event load, two or more coordinators can be installed. Server agents submit events to all available coordinators and load balancing occurs automatically. However, workstation agents randomly connect to a single coordinator and submit events to that coordinator.


	NOTE: Change Auditor agents (version 6.x or later) prefer available coordinators within the same site, but if none are found, all available coordinators within the same installation are considered. If one or more (depending on agent type) non-site coordinators are connected, and one or more coordinators are later discovered within the agent site, the agents connect to the site-located coordinators and drop non-site coordinator connections. If this behavior is problematic for your environment, contact Quest Technical Support to discuss possible configuration options.

Change Auditor protection

Change Auditor protection

Using multiple protection templates

This section explains how access permissions are evaluated when multiple protection templates are assigned to an object which may contain conflicting rules. The evaluation process used is for all types of protection templates (Active Directory, ADAM (AD LDS), Group Policy, File System, and Exchange Mailbox). However, there are some special considerations to keep in mind when using the Exchange Mailbox Protection feature, see How access rules are evaluated.

Protection templates can be one of two types:

•

Classic (allow) templates which deny access by default, allowing access to the protected object by the override accounts explicitly specified in the protection template.

•

Reverse (deny) templates which allow access by default, denying access to the protected object by the override accounts explicitly specified in the protection template.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center