OpsMgr 2007: How to enable ACS role on Gateway server
Since this topic has not been covered before and could not find any documents which cover this topic in much details, I thought it is worth sharing my experience installing the ACS on the gateway server.
If I want to collect the security events of the agents in the DMZ/untrusted domain, there would be two approaches to achieve this goal, either by using the certificate based authentication as described in Clive Eastwood blog or installing the ACS role on the gateway server. Since the ACS collected to DB is one-to-one relationship, multiple ACS collector cannot connect to one ACS DB at the same time, yet you can have two collector connected to one ACS database if failover setup is in place, which means one of the collector is active and the other is offline. Furthermore, the ACS role cannot be installed on a workgroup gateway. Either you need to leverage the gateway into domain controller or at least be a member server of a domain.
I have the following lab: two domains where no trust relationship is available between them.
On the domain where the RMS is located, I have RMS, MS, and SQL cluster. The RMS is also a reporting and audit collector server. The OpsMgrDB, OpsMgrDW and OpsMgrAC DB are all located on the sql cluster.
The gateway is already configured with certificate authentication and reporting to the MS, I had just to install the ACS role on the gateway. Since the ACS collector on the gateway cannot connect to the same DB of the collector in the trusted domain, we have to create a new ACS DB either in the same domain of the gateway, or in the trusted domain of the RMS. In my example I preferred to install the ACS DB in the trusted domain on the same SQL
server.
Insert the OpsMgr 2007 media on the gateway server and select Audit Collection Service. In the first screen of the installation wizard, select “Create a new database”:
In the Data source screen, leave the default data source name as it is and click next
In the database screen, I have to point to the SQL Server (opsmgr-sql) in the trusted domain and give a different name for the database (OperationsManagerGWAC) since this SQL server is having the first ACS DB of the trusted domain (RMS domain)
In the database authentication screen, we will use the SQL authentication mode since there is no trust between the two domains. adtadmin is a SQL user i have created before on the SQL Server.
In the database creation screen, I had selected to use the default SQL Server data and log file directories, but unfortunately the installation of the ACS, was always failing
When I checked the SQL Server logs, the installation was trying to create the same data and log files of the first ACS DB!! So I have created a subfolder for the new ACS DB and re-run the ACS installation on the gateway, but this time i have to specify the DB data and log directories
In the SQL Server login name, I have provided the SA SQL account which will be sufficient to create the DB and its tables.
This time the installation of the ACS also failed but at least the all the steps were all successful except “Starting the AdtServer service”!!
I have tried to start the Operations Manager Audit Collection Service manually but it failed and the error was “Insufficient access rights to perform this operation”!!!
I checked the gateway OpsMgr log and found the following error:
The service was not able to start because it failed to register the SPN. So I realized I had to add the SPN’s manually on the computer account of the gateway. AdtServer/OPSMGR-GATEWAY and AdtServer/opsmgr-gateway.scom.opsmgr
After that i have tried to start the Audit collection service and this time started successfully.
I checked the gateway OpsMgr logs and all seem okay:
So now it is time to enable the audit collection service on the agent in the untrusted domain which is reporting to the gateway. In the OpsMgr console, go to Monitoring –> Operations Manager –> Agent –> Agent Health State. Select the agent in the untrusted domain and click on “Enable Audit collection” on the actions pane. Select Collection Server and then click on Override button to provide the FQDN of the gateway server(opsmgr-gateway.scom.opsmgr). In the Task credentials, provide a user name and password from the untrusted domain (gateway domain). Enabling the ACS on the agent was successful. I checked the logs of the agent and it was showing the agent successfully connected to the collector (gateway)
Now it is time to run the reports, but will I be able to run the Audit reports in the OpsMgr console against the agents in the untrusted domain? The answer is no!!! because the Audit reports data source is pointing to the ACS DB in the trusted domain (OperationsManagerAC), while the ACS database which we have just created is OperationsManagerGWAC. So what to do? Okay, first I have to change the name of the folder of the Audit reports in the SQL Server reporting services. I gave it this name “Audit Reports – Trusted Domain”, then I have uploaded the Audit reports which are included in the OpsMgr 2007 media CD. The reports were uploaded successfully, and they have the default name “Audit Reports”, so I decided to give it a better name “ Audit Reports – Untrusted Domain”.
Before running the reports against the agents in the untrusted domain (gateway domain), we need to make sure that the audit reports data source is pointing to the proper ACS DB as by the default when you upload the Audit reports, the data source is pointing to OperationsManagerAC DB. I have changed the database to the new created DB OperationsManagerGWAC and applied the settings
Now it is time to check if we have data or not. I ran the report “ Forensic – All Events For Specified Computer” and here we go, I got the following report
