Running ApexSQL Audit in a multi-domain environment
Applies to
Summary
This article outlines the basic requirements for running ApexSQL Audit in a multi-domain environment.
Description
There is a number of reasons why companies might need to implement a multiple domain architecture. Those reasons mainly revolve around internal and external business structures that determine the need for several or many different levels of organization. ApexSQL Audit is by design a tool for administering SQL Server auditing in a domain environment. However, in use cases involving multiple domains, certain requirements need to be met in order to utilize the full capacity of the application’s functionalities.
From a prerequisite point of view, setting up ApexSQL Audit in a multi-domain environment is not that different from installing and running the application in a single-domain setting. The only difference being that, apart from the initial network and permission-related requirements, a two-way trust needs to be established between the respective domains.
Getting a Configuration Error In the UI
Although ApexSQL Audit components can be installed and run without the creation of mutual trust between the domains, that lack of trust will affect the application’s capability of applying the auditing configuration which involves the filtering of users (logins) from other domains.
In the example given below, due to the fact that only a one-way trust had been created, the auditing configuration could not be applied for the monitored server and the “Saving configuration was not successful” message is received.
Logins from the other domain (OUT.A**\login01 and OUT.A**\login02) could not be authenticated, causing the auditing configuration update to fail for the monitored server.
To avoid this issue, as well as to prevent it from causing additional complications in conducting successful auditing, a two-way trust should be created.
Two-way trust
In a two-way trust, the authentication path is bidirectional and enables the access of resources of Domain A from Domain B and vice versa. For ApexSQL Audit users, it means that logins from other domains can be successfully authenticated, resulting in effective application of the desired auditing configuration across domains.
The following example displays a two-way trust which had previously been created between the domains. In this scenario, the logins which belong to the other domain (OUT.A**\login01 and OUT.A**\login02) can be successfully authenticated, which in turn, allows the auditing configuration to get applied without any difficulties, enabling the auditing to move forward as planned on the monitored server.
Conducting SQL Server auditing with ApexSQL Audit in a multi-domain environment requires a certain amount of planning beforehand, which involves the cooperation between the security, networking and Active Directory teams to ensure that the necessary requirements are met in accordance with organizational policies and business needs.