System Requirements for AD Bridge

The following are the requirements for the reporting system.

Database Server

  • Install SQL Server 2012 or higher.
  • SQL Server must be a member of the domain.
  • Windows Authentication must be enabled.

This section assumes you are a database administrator who knows how to set up and administer SQL Server, including configuring the database to comply with your IT security policy.

Collection Server

  • .NET Framework version 4.5.  
  • Collection server must be a member of the domain.
  • Microsoft Windows Server 2012 R2 or higher to act as the event collection server.
  • We recommend that you use a separate collection server, and calculate the number of computers using this formula: Total Collectors = ((number of AD Bridge Agents) / 400) + 1. The requirements might vary with the size of your network.

| Item | Requirement |
|---|---|
| Memory | 8GB |
| Disk space | 10GB free disk space (for local event storage before copying to the central database). The size you require might vary depending on the number of events, the number of systems, and other factors. |
| Processor | 2GHz dual core |
| Network | 1Gb Ethernet (minimum to database server) |

Admin Machine

When you install AD Bridge, you must install the BeyondTrust Management Console and the reporting components:

  • Reporting Components
  • Database Update and Management Tools
  • Operations Dashboard
  • Microsoft Report Viewer 2015 (ReportViewer.exe)

Plan SQL Server Database Security

Although the SQL Server database will contain no user passwords or other highly confidential information, it will contain a list of user accounts, information about resources the users can access, and other information that could be used for nefarious purposes. In considering the security of the database, you should ask yourself several questions:

  • Who will be allowed to write to the database?
  • Who will be allowed to read from the database?
  • What accounts will be used to access the database?

Data is written to the database in several cases:

  • When a collection server copies events to the database
  • When the LDBUpdate utility writes information from Active Directory to the database
  • When administrators perform maintenance operations on the database (for example, creating or restoring event archives)

Active Directory Groups and SQL Server Roles

The following table provides general guidelines on securing reporting components using Active Directory groups.

Create the groups in the table prior to creating the database. The supplied reporting database creation script relies on the existence of the groups to create the corresponding SQL Server roles and set database object permissions.

| Active Directory Group | Description |
|---|---|
| ADB_DB_Administrators | Contains accounts that are required to configure and maintain the reporting database. We recommend that a minimum number of AD Bridge administrators tasked with maintaining the reporting infrastructure be included here. This group can access all Reporting and Auditing nodes in the BeyondTrust Management Console. |
| ADB_Collectors | Contains the service accounts used to run the collector services. The collection server must be part of this group. This group can access the Enterprise Database Management node. |
| ADB_DB_Archive_Administrators | Contains the service accounts used for automated archiving. This group can access the Archive Status. |
| ADB_Report_Viewers | Contains accounts that need to view the Operations Dashboard. This group can access the Operations Dashboard. |
| ADB_LDBUpdate | Contains the service accounts that need to run the LDBUpdate utility to import Active Directory information into the database. This group can access all Reporting and Auditing nodes in the BeyondTrust Management Console. |
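
Because the database creation script depends on these groups already existing, a pre-flight check before running it is useful. The following PowerShell is an added example, not part of the AD Bridge product or its documentation. It assumes the ActiveDirectory RSAT module is installed, that the groups are Global security groups, and that the OU path shown is a placeholder to replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example: verify (and optionally create) the AD groups listed in the table above.
# Assumptions: Global security groups; $TargetOU is a placeholder, not a real path.
param(
    [string]$TargetOU = 'OU=PLACEHOLDER,DC=example,DC=com',
    [switch]$CreateMissing
)

# Group names come from the table; descriptions are shortened for the AD attribute.
$groups = [ordered]@{
    'ADB_DB_Administrators'         = 'Configure and maintain the reporting database'
    'ADB_Collectors'                = 'Service accounts that run the collector services'
    'ADB_DB_Archive_Administrators' = 'Service accounts used for automated archiving'
    'ADB_Report_Viewers'            = 'Accounts that view the Operations Dashboard'
    'ADB_LDBUpdate'                 = 'Service accounts that run the LDBUpdate utility'
}

$report = foreach ($name in $groups.Keys) {
    # -Filter returns nothing (rather than throwing) when the group is absent.
    $group = Get-ADGroup -Filter "Name -eq '$name'"

    if (-not $group -and $CreateMissing) {
        $group = New-ADGroup -Name $name -SamAccountName $name `
            -GroupScope Global -GroupCategory Security `
            -Path $TargetOU -Description $groups[$name] -PassThru
    }

    # Member count makes over-populated groups easy to spot, in particular
    # ADB_DB_Administrators, which should hold a minimum number of accounts.
    $members = if ($group) { @(Get-ADGroupMember -Identity $group).Count } else { 0 }

    [pscustomobject]@{
        Group       = $name
        Exists      = [bool]$group
        MemberCount = $members
    }
}

$report | Format-Table -AutoSize

# Fail the check if any group is still missing, so the database
# creation script is not run against an incomplete set of groups.
if ($report.Exists -contains $false) {
    Write-Warning 'One or more required groups are missing; create them before creating the database.'
    exit 1
}
```

Run it without `-CreateMissing` for a read-only report; the exit code is non-zero while any group is absent.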