Active Administrator 8.7 - Installation Guide


	NOTE: All ports need to be open (incoming/outgoing) with the exception of the Workstation Logon agent which only needs to be outgoing on the workstation's firewall and incoming on the Active Administrator Server. Figure 1 displays an example of how communication is achieved through the specified ports.

Active Administrator Console

•

TCP 15600 for Active Administrator Foundation Service (AFS) communication with Active Administrator Server

•

TCP 8080 for communication with Active Administrator Web Server through the Web Console (internal, http)

•

TCP 9443 for communication with Active Administrator Web Server through the Web Console (external, https)

•

TCP 389 for communication with Active Directory on domain controllers

Active Administrator Server

•

TCP 15600 for communication with Active Administrator Foundation Service (AFS)

•

TCP 15601 incoming only communication from Workstation Logon agents

•

TCP 15602 for communication with Active Administrator Data Service (ADS)

•

TCP 15603 for communication with Active Directory Health Analyzer agents

•

TCP 15604 for communication with Azure Active Directory Connect agents

•

TCP 1433 for communication with SQL Server

•

TCP 8080 for communication as a Web Server for Active Administrator Web Consoles (internal, http)

•

TCP 9443 for communication as a Web Server for Active Administrator Web Consoles (external, https)

•

TCP 389 for communication with Active Directory on domain controllers

Active Administrator database server

•

TCP 1433 for SQL communication with Active Administrator Server and domain controllers with auditing agents

Domain controller with no installed agents

•

TCP 389 for communication with Active Administrator Server and Active Administrator Consoles

Domain controller with auditing agent

•

TCP 1433 for communication with SQL Server

Domain controller with Active Directory Health Analyzer agent

•

TCP 15602 for communication with Active Administrator Data Service (ADS)

•

TCP 15603 for communication through the Active Directory Health Analyzer agent

Domain controller with Azure Active Directory Connect agent

•

TCP 15604 for communication through the Azure Active Directory Connect agent

Member server with Active Directory Health Analyzer agent (pool agent)

•

TCP 15602 for communication with Active Administrator Data Service (ADS)

•

TCP 15603 for communication through the Active Directory Health Analyzer Agent

SMTP server

•

TCP 25 for sending email notifications via SMTP

Workstation with logon agent

•

TCP 15601 outgoing only for communication to Active Administrator Server through Workstation Logon agent

Figure 1. Port requirements example

Additional requirements

•

Remote Procedure Call (RPC) must be open between the AFS Server and the target.

•

When installing the audit agent on a member server instead of a domain controller, the following inbound firewall exceptions for Windows Management Instrumentation must be enabled:

•

ASync-In

•

DCOM-In

•

WMI-In

•

If you are using the Certificate Management feature, Remote Registry Service must be enabled on all Windows computers on which certificates are managed.

•

If you want to access the DNS event logs in Active Administrator, the following inbound firewall exceptions are required on each DNS server:

•

COM+ Network Access (DCOM-In)

•

Remote Event Log Management (NP-In)

•

Remote Event Log Management (RPC)

•

Remote Event Log Management (RPC-EPMAP)

•

HTTP Port 8080 must be open on the computer running the Web Server.


	IMPORTANT: It is recommended that you only use the Web Console internal to the network. If you want to use the Web Console externally, use HyperText Transfer Protocol Secure (HTTPS) by enabling Secure Sockets Layer (SSL). You need to select a certificate, which must be installed in the Personal or My store on the local computer. The default port is 9443.

User privilege requirements

•

To install Active Administrator, a user must hold administrative rights on the local system and the SQL instance that will host the Active Administrator database.

•

To use Active Administrator, a user must hold administrative rights on both the local system and the domain, and be a member of the AA_Admin database access group, which is created during the installation process.

Password recovery

Active Administrator can restore passwords when you restore accounts that were deleted. To enable password recovery, a minor modification is made to the Schema. To be able to modify the Schema, you must use an account that is a member of the Schema Admins group.

Services

The Domain Administrator account provides the necessary permissions for the various Active Administrator services to operate properly.

When choosing an account, keep these requirements in mind:

•

Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. For more detailed permission requirements, see Active Administrator module requirements.

•

Active Administrator Data Services (ADS) requires an account that is a member of the AA_Users group, has read access to the enterprise, and has full access on the server where the Active Directory Health Analyzer agent is installed. For more detailed permission requirements, see Active Administrator Data Services (ADS) requirements.

•

Active Administrator Advanced Auditing runs as the Local System account, regardless of the user account configured for the Active Administrator Agent service.

•

Active Administrator Agent can run under a Domain User account provided it is a local administrator account, which gives it the rights to log on as a service, log on locally and manage auditing and security log. The user account should also be a member of the AA_Admin group, which by default is located in the Local groups of the server where the ActiveAdministrator database is located. If the group is not found in this location, the settings during the initial database creation were modified and it can be found under the Users container object of Active Directory.

•

Active Administrator Agent can run under a non-domain admin user account if the following permissions are set.

To set up a non-domain admin user account

Create a Domain User account within Active Directory Users and Computers.

Use Group Policy Management console (GPMC) to edit the Default Domain Controller Group Policy Object. Give the user account User Rights to Manage auditing and security log.

On the target domain controllers, give the user account Read permission to the registry key: HKLM\System\CurrentControlSet\Services\Eventlog\Security.

After the agent is installed, verify the user account has Write permission on the folder: C:\Windows\SLAgent.


	NOTE: For more detailed instructions, see https://support.quest.com/active-administrator/kb/209446/how-to-configure-a-non-domain-admin-audit-agent-service-account.

•

Active Administrator Notification service needs to have access to the database.

Audit database

On the database server, the database installation creates two local groups that control access to the audit database.

•

AA_Admin group = users that need to be able to update the database

•

AA_User group = users that only need to run reports from the database

Active Administrator module requirements

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. This section details the permissions required for operation of each module and submodule.

Modules:

•

Home

•

Certificates

•

Security and Delegation

•

Active Directory Health

•

Auditing & Alerts

•