Change Auditor 7.0.3 - Installation Guide


Multi-forest deployment requirements

Coordinators in all forests connect directly to the SQL Server that is hosting the Change Auditor audit database.

Coordinators must resolve the host name of the SQL server or must be configured to use the IP address of the SQL server.

The coordinator is responsible for collecting and maintaining the topology information for each forest. This includes domains, sites, domain controllers, and member servers.

The coordinator is also responsible for many other periodic tasks such as:

To connect to coordinators in other forests, users must be added to either the ‘ChangeAuditor Administrators — <InstallationName>’ or the ‘ChangeAuditor Operators — <InstallationName>’ group in the forest where the coordinator is joined.

Depending on whether the Active Directory forests have a trust in place, you need to configure Change Auditor to use the appropriate SQL credentials.

A coordinator that is not in the same forest as the SQL server must be configured to use a SQL user account or a domain account from the forest where the SQL server resides.

Each of the coordinators may be configured to use either authentication type. Both Windows and SQL user accounts may be used in each of the forests.

Installation example

The following diagram shows two separate forests where Change Auditor will be deployed. Forest A is deployed first and then Forest B is added.

Quest recommends that the same database access account used in the first forest is also used in the second forest. If a different user account for database access is used in the second coordinator's installation, the following permissions must be granted before the installation is started:
db_owner database role on the Change Auditor database
dbcreator server role
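
The two grants above, followed by a check that they took effect before the second coordinator is installed. This T-SQL is an added example, not a script from the Change Auditor documentation. The login name `ca_forestb_db` and the database name `ChangeAuditor` are placeholders, and the login is assumed to exist already.

```sql
-- Added example. Placeholders (assumptions, not from the Change Auditor docs):
--   ca_forestb_db : database access account used by the second coordinator
--   ChangeAuditor : name of the Change Auditor audit database
-- Requires SQL Server 2012 or later (ALTER [SERVER] ROLE ... ADD MEMBER).

USE [master];

-- Stop early if the login is missing instead of granting to nothing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'ca_forestb_db')
    THROW 50001, 'Login ca_forestb_db does not exist; create it first.', 1;

-- dbcreator server role
ALTER SERVER ROLE [dbcreator] ADD MEMBER [ca_forestb_db];

USE [ChangeAuditor];

-- Map the login to a database user if it has none yet.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'ca_forestb_db')
    CREATE USER [ca_forestb_db] FOR LOGIN [ca_forestb_db];

-- db_owner database role on the Change Auditor database
ALTER ROLE [db_owner] ADD MEMBER [ca_forestb_db];

-- Verification: both columns must return 1 before the installation starts.
SELECT
    IS_SRVROLEMEMBER(N'dbcreator', N'ca_forestb_db') AS has_dbcreator,
    CASE WHEN EXISTS (
        SELECT 1
        FROM sys.database_role_members AS drm
        JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
        WHERE r.name = N'db_owner'
          AND m.name = N'ca_forestb_db'
    ) THEN 1 ELSE 0 END AS has_db_owner;
```

Both roles are broad, so the account should be dedicated to Change Auditor database access rather than shared with other services.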

Configuration

This section discusses how Change Auditor configurations are handled in multi-forest environments, including:

Audit and protection configuration flow

Audit and protection configurations are maintained using the client that is installed on either workstations or member servers. Configuration changes are stored in the SQL database by the coordinator service.

The following configurations can be shared across forests regardless of the forest trust level:

The following configurations can be shared when a two-way trust exists:
