Tonight I have been thinker with ACS forwarder failover. You can read more about Audit Collection Services (ACS) in prior posts, but the fundamental is that the agent can be a ACS Forwarder which forward security events to a ACS collector (management server). My thought what is happening if a ACS collector goes down? What will the ACS forwarder do?

When you enable Audit Collection on a machine, in the “Run Task – Enable Audit Collection” box, there is a Override button (if you have multiple ACS collectors). If you click that one you can manually input collector servers. If you input “opsmgracs01.contoso.local, opsmgracs02.contoso.local” bot of these machines will be written in your ACS forwarder registry as AdtServers. You can verify that in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\AdtAgent\Parameters\AdtServers

If you disconnect the first machine, opsmgracs01, from the network you will get a event (ID 4369) in the event viewer at the ACS forwarder. This event tells you that the agent can not connect to any ACS collector, but a couple of seconds later you will see a event (ID 4368) telling you that the ACS forwarder is now connected to the other ACS collector, opsmgracs02.

I have been waiting around 30 minutes, after I reconnected the first ACS collector, and I have not seen a event telling me that the ACS forwarder has return back to the first ACS collect. You could control this with a extra script.

Summary: If you use the override button during enable audit collection you can setup multiple ACS collectors for your ACS forwarder. Remeber that if the agent failover, you will have ACS data in two different databases.