
Change Auditor for Windows File Servers 5.8 - Change Auditor Installation Guide


Before You Begin

Before you can download the product, you must register with Quest. If you are a registered Quest user, log on using your email address and password.
Once you have registered or logged in, locate the product and version that you want to download from the product list.
If you have purchased multiple ChangeAuditor products (e.g., ChangeAuditor for Active Directory and/or ChangeAuditor for Exchange, etc.), you only need to download one instance of the ChangeAuditor product. The code is the same for all and the license keys are the mechanism used to determine what features are enabled/disabled in the product.
Ensure you have the appropriate license files to enable ChangeAuditor product(s). A separate license file is required to enable the functionality of each of the ChangeAuditor products:
ChangeAuditor for Active Directory
ChangeAuditor for Exchange
ChangeAuditor for Windows File Servers
ChangeAuditor for SQL Server
ChangeAuditor for Quest Authentication Services (QAS)
ChangeAuditor for Defender
ChangeAuditor for NetApp
ChangeAuditor for SharePoint
ChangeAuditor will prompt you for a valid license during the coordinator installation. If an invalid or expired license is entered, the coordinator installation will not continue. If you are upgrading from ChangeAuditor 5.5, 5.6 or 5.7, you will NOT require new license(s).


System Requirements

Minimum: P4 2.0 GHz or better; 1 GB RAM or better
Recommended: P4 3.0 GHz or better; 2 GB RAM or better
Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
To verify that you are running the appropriate version of Microsoft’s .NET Framework, use Add/Remove Programs (Start | Control Panel | Add or Remove Programs).
Minimum: P4 2.0 GHz or better; 1 GB RAM or better
Recommended: P4 3.0 GHz or better; 2 GB RAM or better
Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
The ChangeAuditor database should be configured on a separate, dedicated SQL server instance. (For smaller environments, you can use a well equipped SQL server that meets the performance requirements defined in SQL Server Performance Requirements.)
SQL Database Mirroring is NOT recommended because the ChangeAuditor archive and purge functions do not work on mirrored SQL databases.
The coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:
* It is recommended that the user account performing the installation be a member of the Domain Admins group in the domain where the coordinator is being installed.
Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a ChangeAuditor Coordinator.
If you are running the coordinator under a service account (instead of LocalSystem), use a Manual connection profile that specifies the IP address of the server hosting the ChangeAuditor Coordinator whenever you launch the ChangeAuditor Client. See the ChangeAuditor User Guide or online help for more information on defining and selecting a connection profile.
An account must be created to be used by the Coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:
Must be assigned the db_owner role on the ChangeAuditor database
A ChangeAuditor Agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. These agents will then report these audit events to the SQL database or ChangeAuditor Coordinator.
Minimum: PIII 1.0 GHz or better; 512 MB RAM or better
Recommended: P4 2.0 GHz or better; 2 GB RAM or better
Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
ChangeAuditor Agent requires File and Printer Sharing on Windows Server 2008. By default, File and Printer sharing is not enabled on Windows Server 2008 installations. In order to remotely deploy agents to Windows Server 2008 (Full UI and Server Core), enable the File and Printer sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine.
The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment.
Auditing of some Exchange events requires the latest Exchange service pack to be installed. Please refer to the ChangeAuditor for Exchange Event Reference Guide for the minimum service packs required for Exchange events.
The ChangeAuditor Agent uses the COM+ and Distributed Transaction Coordinator (DTC) services locally on the host server for detecting Exchange Server 2003 message created, moved, copied and deleted events. If the COM+ or DTC services are disabled or inoperative, these events will not be detected but the Agent will otherwise run normally. Network access to DTC is not required. When enabling the COM+ service, a ChangeAuditor Agent restart is required, because COM+ service registration occurs at agent startup time.
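A read-only pre-flight check for the agent prerequisites described above, as an added example that is not part of the Quest guide. It assumes Windows PowerShell with Get-WmiObject and English-language netsh/netstat output; the function names are hypothetical, the Server service and a TCP 445 listener are used as a proxy for the adapter's File and Printer Sharing binding, and because the guide does not say which COM+ service it means, both standard ones are checked.

```powershell
# Added example: read-only pre-flight check for a ChangeAuditor Agent host.
# Run locally on the target server in an elevated Windows PowerShell session.

function Get-ServiceState {
    param([string]$Name)
    # Win32_Service exposes StartMode, so a disabled service can be told apart
    # from one that is merely stopped.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return 'missing' }
    if ($svc.StartMode -eq 'Disabled') { return 'disabled' }
    return $svc.State.ToLower()
}

function Get-SmbInRuleState {
    # Rule name as given in the guide. Parsing assumes English netsh output.
    # Several rules can share this name (one per firewall profile).
    $out = netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)"
    $flags = @($out | ForEach-Object {
        if ($_ -match '^Enabled:\s+(\S+)') { $Matches[1] }
    })
    if ($flags.Count -eq 0) { return 'rule not found' }
    $on = @($flags | Where-Object { $_ -eq 'Yes' }).Count
    return "$on of $($flags.Count) rule(s) enabled"
}

function Test-Port445Listening {
    # English netstat line: "TCP    0.0.0.0:445    0.0.0.0:0    LISTENING"
    $hits = @(netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING')
    return ($hits.Count -gt 0)
}

function New-Check {
    param([string]$Check, $State)
    New-Object PSObject -Property @{ Check = $Check; State = $State }
}

$report = @(
    New-Check 'Firewall rule File and Printer Sharing (SMB-In)' (Get-SmbInRuleState)
    New-Check 'Server service (LanmanServer)'   (Get-ServiceState 'LanmanServer')
    New-Check 'TCP 445 listening'               (Test-Port445Listening)
    # Needed only for Exchange Server 2003 message events, per the guide.
    New-Check 'DTC (MSDTC)'                     (Get-ServiceState 'MSDTC')
    New-Check 'COM+ System Application'         (Get-ServiceState 'COMSysApp')
    New-Check 'COM+ Event System'               (Get-ServiceState 'EventSystem')
)
$report | Format-Table Check, State -AutoSize
```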
VNXe is NOT supported. VNXe does not support CEPA at this time and therefore ChangeAuditor for EMC will NOT run successfully in VNXe environments.
See the ChangeAuditor for EMC User Guide for information on how to install, configure and use ChangeAuditor for EMC.
See the ChangeAuditor for NetApp User Guide for more information on the requirements, as well as how to install, configure and use ChangeAuditor for NetApp.
See the ChangeAuditor for SharePoint User Guide for detailed information on installing, configuring and using ChangeAuditor for SharePoint.
See the ChangeAuditor InTrust Integration Guide for more information on the requirements, as well as how to configure ChangeAuditor to retrieve user logon activity events from InTrust.
The ChangeAuditor web client is an optional component that is installed on the Internet Information Services (IIS) web server to provide users access to ChangeAuditor data through a standard or mobile web browser.


SQL Server Performance Requirements

ChangeAuditor requires SQL server for storing and retrieving event information collected by the agents. Client and coordinator performance can be directly attributed to how quickly SQL server can respond to requests to read or write data. Please use the performance guides referenced below to test how well SQL server is performing in your environment. Key indicators are disk related counters as well as CPU and memory.
Troubleshooting Performance Problems in SQL Server 2005:
http://www.microsoft.com/technet/prodtechnol/sql/2005/tsprfprb.mspx
Storage Top 10 Best Practices:
http://msdn.microsoft.com/en-us/library/cc966534.aspx
The table below lists the generic hardware requirements for Microsoft SQL Server on x86 and x64 platforms as well as Itanium-based systems. These requirements are based on the following data volumes:
Low - up to 100,000 events per day
Medium - up to 200,000 events per day
High - up to 500,000 events per day
Anything beyond 500,000 events per day would need to be a custom configuration with either multiple direct attached storage chassis or multiple dedicated arrays on a SAN.
Low:
Two 2-GHz or faster AMD Opteron, Intel Xeon, or Intel Itanium processors
OS and SQL installation, master, model, msdb databases, RAID 1 (2 hard drives in the array)
TempDB, pagefile, RAID 0 (2 plus hard drives in the array)
Data and Log files, RAID 10 (4 plus hard drives in the array)

Medium:
Two 2-GHz or faster Dual Core AMD Opteron, Intel Xeon, or Intel Itanium processors
OS and SQL installation, RAID 1 (2 hard drives in the array)
master, model, msdb databases, RAID 1 (2 hard drives in the array)
TempDB, RAID 0 (2 plus hard drives in the array)
Data and Log files, RAID 10 (4 plus hard drives in the array)

High:
Two 2-GHz or faster Quad Core AMD Opteron, Intel Xeon, or Intel Itanium processors
OS and SQL installation, RAID 1 (2 hard drives in the array)
master, model, msdb databases, RAID 1 (2 hard drives in the array)
TempDB, RAID 0 (2 plus hard drives in the array)
Data files, RAID 10 (4 plus hard drives in the array)
Log files, RAID 10 (4 plus hard drives in the array)


System Statistics and Facilities

1 - 3 KB of TCP traffic is generated per audit event sent from a ChangeAuditor Agent to a ChangeAuditor Coordinator.
1 KB of TCP traffic is generated every five minutes to update the ChangeAuditor Agent statistics, which are displayed on the Agent Statistics page.
Every 60 seconds a ChangeAuditor Agent tries to establish a connection/communication channel with a ChangeAuditor Coordinator.
Every five seconds an agent forwards all of the audited events stored in the local queue to a specified ChangeAuditor Coordinator. These are the audited events that have not been previously sent to the coordinator. This interval is configurable using the Configuration Setup dialog.
If the agent does not receive an immediate success acknowledgment from the coordinator for the audited events it just transmitted, it will resend all unacknowledged events after five minutes from the previous attempt. This interval is configurable using the Configuration Setup dialog.
Note: When using Direct SQL Connection, which is the default connection method, events are forwarded directly to a SQL server instead of through the coordinator. In this case, an acknowledgement refers to a successful database call to the SQL server to save an event.
To display the Configuration Setup page, use the View | Administration menu command to open the Administration Tasks tab and select Configuration | Agent from the navigation pane. On the Agent Configuration page, select the Configurations button to display the Configuration Setup dialog, then open the System Settings tab to view/modify the Forwarding Interval and Retry Interval settings.
