Domain Time II Audit Server
Version 5.2

Advanced Options


This page describes Audit Server's Advanced Options.

Audit List Management...
Audit Server can add discovered machines to the Audit list and also remove non-responding systems from the list automatically.

    Automatic Addition to the Audit List

      Check the Add DTII machines discovered during audit checkbox to add any new machines running Domain Time Server, Client, Windows Time Agent, or the domtimed daemon found on the network to the list of audited machines.

      Check the Add NTP Servers discovered during audit checkbox to add any newly-discovered NTP servers to the list of audited machines.

      Check the Add machines discovered by receipt of startup Real-Time Alerts checkbox (version 5.2.b.20150307 or later) to allow new machines not already in the Manager database to be added upon receipt of a Real-Time Alert upon service start.

        For security purposes, Audit Server by default will not accept Real-Time Alerts from machines that are not already present in the Manager database (appearing in the Domains and Workgroups list). However, in some circumstances, such as adding new machines to the network that don't exist in Active Directory, this will prevent a machine set to "Always audit this machine" on its Status Reports configuration page from being auto-added (since its Real-Time Alerts are being rejected). Enabling this checkbox can bypass this restriction. Use only if required.

        If checked, and a previously-unknown machine sends a Real-Time Alert shortly after boot or service restart, Audit Server will attempt to add the machine to the audit list. The sending machine must respond to Audit Server's query before it can be added. Audit Server will only try unknown machines a few times before giving up.

      Check the Add PTP masters discovered by PTP Monitor checkbox (version 5.2.b.20170101 or later) to add any PTP master servers discovered by PTP Monitor to the audit list.

      Check the Add PTP masters discovered by PTP Monitor checkbox (version 5.2.b.20170101 or later) to add any PTP slaves discovered by PTP Monitor to the audit list.

      Check the Add machines that have synchronized with Domain Time II Server checkbox to add those systems to the list of audited machines.

        When checked, Audit Server will automatically add systems to the Audit List by contacting Server(s) and retrieving a list of all machines (ephemera) that have synchronized their time with that server using Domain Time II protocols. Multiple servers may be contacted to obtain their machine lists, if desired.

        This is a reliable method for populating the Audit List, and it has the added advantage of adding machines that are not currently online. However, it cannot discover any Domain Time II components that are not synchronizing with a Domain Time II Server. Those machines must be discovered using Domain Time Manager list discovery and/or entered manually and added to the list.

        Notes:

        • The "Adding machines that have synchronized with Server" function requires Domain Time II Server version 3.1 and later.

        • Only systems that synchronize with Domain Time Server(s) using the DT2 protocol can be auto-discovered.

        • The Audit Server must use credentials with sufficient rights to connect to the administrative share on the remote Server(s). See the Service Credentials... and IP Restrictions sections below for details on those settings.

        • Machines may also be manually added to the audit list using Domain Time II Manager, either one-at-a-time or in a batch. See the Select machines to audit with Audit Server section of the "How to Manage Domain Time Remotely" page of the Manager documentation.

        Foreground - collection must finish before audit completes
        Background - collection finishes independent of scheduled audits
            Run background collection periodically, not just at audit time

          These choices determine whether Audit Server will collect the server ephemera data in a separate thread from the audit run itself. Collecting ephemera data records from each Server can take an extended amount of time, particularly if you have a large number of synchronization events, since Audit Server must parse each event to determine whether or not it represents a new machine to be added.

          Choosing Background allows collection of the basic audit data very quickly, and then the collection of the ephemera logs can complete in the background. Running the collection in the background periodically can make collection even more efficient.

        Obtain records from this machine only
        Specify a list of servers

          Collection of the list of machines that synchronize with Domain Time II Server is enabled by default only on the Domain Time II Server on which Audit Server itself is installed. Other Domain Time II Servers will not keep a record of synchronizing machines until you enable data collection on them by entering them in the Server List. You will see a confirmation dialog when the server is successfully added to the list.

    Automatic Removal from the Audit List

      Stop auditing machines that haven't responded in over days will trim the audit list of any machines that have not been contacted in the specified period. Uncheck the box if you do not want to trim the list.

      Reset last contact date and failure count when a machine is added manually sets the failure counters to defaults when manually adding machines.


Data Folders...
Choose where Audit Server stores records, reports, and logs.

    Folders

    Audit Results
    Daily Reports
    Synchronization Logs

    The file locations can be any valid file folder to which the Audit Server service account has sufficient rights to read and write files.

    You should specify locations on physically-attached storage so that the background service may access them without interruption. If you change a location, Audit Server will automatically move existing files to the new location for you.

    If you must, you may indicate any valid UNC path to store the files on a remote machine. However, be aware that should the remote machine become unavailable for any reason, audit data collected during that period will be irretrievably lost.

    IMPORTANT:

    Since files in these folders are used to create an audit trail, best practice requires that they be as secure as possible, and we strongly recommend that the folder be located on a local drive using the NTFS filesystem to accomplish this.

    Folder permissions should be set so that only the Audit Server service account (usually System) has Full Control. By default, everyone else should be denied access entirely. If you choose to grant exceptions (such as to export Daily Report files), you should take care to grant only Read-Only rights to the required user/group. You may also wish to use operating system auditing to monitor the folders for unauthorized changes.
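
One way to apply the folder permissions and auditing recommended above, as an added example that is not from the Domain Time II documentation. The folder path and the optional read-only group name are placeholders (assumptions); run it once per data folder from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example. $Folder and $ReadOnlyGroup are placeholders, not product defaults.
param(
    [string]$Folder        = 'D:\DomainTimeAudit\AuditResults',  # placeholder path
    [string]$ReadOnlyGroup = ''   # hypothetical, e.g. 'EXAMPLE\ReportReaders'; empty = no exception
)
$ErrorActionPreference = 'Stop'

# Local NTFS only: reject UNC paths and non-NTFS volumes.
if ($Folder -like '\\*') { throw "UNC path '$Folder': use a local drive." }
$format = [System.IO.DriveInfo]::new((Split-Path -Path $Folder -Qualifier)).DriveFormat
if ($format -ne 'NTFS') { throw "Volume is $format, not NTFS." }

$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$system   = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')  # LocalSystem
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')   # Everyone

$acl = Get-Acl -Path $Folder -Audit          # -Audit also loads the SACL
$acl.SetAccessRuleProtection($true, $false)  # stop inheritance, drop inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# DACL: Full Control for the service account only. No explicit Deny entry for
# Everyone is used, because a Deny would override SYSTEM's Allow entry as well.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $system, $full, $inherit, $noProp, $allow))
if ($ReadOnlyGroup) {
    $group = [System.Security.Principal.NTAccount]::new($ReadOnlyGroup)
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $group, $read, $inherit, $noProp, $allow))
}

# SACL: log successful and failed attempts by anyone to modify or delete.
$watch = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$acl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $watch, $inherit, $noProp, $flags))

Set-Acl -Path $Folder -AclObject $acl

# The SACL only produces Security-log events if this subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

After this runs, administrators no longer have direct access to the folder and must take ownership to regain it, which the audit rule records.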


    Service Credentials...
    Audit Server needs administrative rights to be able to collect synchronization logs and ephemera discovery records from remote systems. The settings on the Audit Server -> Advanced -> Credentials... dialog allow you to specify the account used by Audit Server for this purpose.

       Audit Server Credentials 

      Run the Audit Server service using a Domain Admin account

      Domain: 
      Username: 
      Password: 

      You can either run the Audit Server service itself under the LocalSystem account and supply the administrative access credentials only when performing an audit, or run the service with the administrative privileges at all times. In general, the first option is preferred. In either case, account details are encrypted in the registry.

      Audit Server can access other domains and workgroup members as long as the credentials supplied match an administrative account on the domain (or local machines in the workgroup). If you select a workgroup or domain to which Audit Server does not have administrative access, the collection will fail and will be noted in the logs.


    IP Restrictions...
    The Audit Server -> Advanced -> IP Restrictions... menu item allows you to restrict which systems are allowed to contact Audit Server.

     


Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2017 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.