How does DRA utilize the offline AD accounts cache

  • 7018626
  • 16-Feb-2017
  • 14-Apr-2017

Environment

NetIQ Directory and Resource Administrator 8.7.x
NetIQ Directory and Resource Administrator 9.x

Situation

The NetIQ Directory and Resource Administrator (DRA) product requires regular read and write access to the Active Directory domains, and any Office 365 tenants, managed by each DRA Server. To ensure this happens in a timely manner, each DRA Server caches a limited number of properties for all AD object types supported by DRA. When an operation performed by a DRA Server requires information about a specific AD or cloud object, that DRA Server first looks in its local offline cache. If the required AD object attributes are not stored within the cache, the DRA Server issues a call directly to a specific Windows Domain Controller, or to the Office 365 online portal, to obtain those properties. This cache is a one-way sync FROM AD or the Office 365 tenant TO DRA. The cache is kept in sync via regular cache refresh updates, which pick up any changes made to an AD or cloud object since the last cache refresh.

Resolution

To view details related to the cache refresh, you need access to the DRA Delegation and Configuration console. You also need access to the Windows OS hosting the DRA Server. Log on to the Windows OS as the AD account used to run the DRA services, or at least be able to impersonate that account after logon. Each DRA Server has its own cache refresh for each managed domain and each managed Office 365 tenant. Each managed domain can also be configured to cache, but not manage, a trusted domain of that managed domain.

To change or view the AD Accounts Cache Refresh status
  1. Log on to the DRA Delegation and Configuration Console (D&C) as the DRA service account, or another account with DRA administration powers.
  2. Expand the D&C Console tree to Configuration Management, and then highlight Managed Domains.
  3. From the right-click menu on any managed domain, choose the Properties option.
  4. From the Properties window you can view and configure the Accounts Cache Refresh.


To view or change the Office 365 tenant accounts cache refresh

  1. Log on to the DRA Delegation and Configuration Console (D&C) as the DRA service account, or another account with DRA administration powers.
  2. Expand the D&C Console tree to Configuration Management, and then highlight Office 365 Tenants.
  3. From the right-click menu on any managed Office 365 tenant, open the Properties page.


Cause

Each DRA Server maintains its own offline copy of AD, known as the cache. When a request is made of the DRA application that requires a read or write of AD object data, that request first uses the offline cache. The cache contains a limited subset of AD attributes for every object type supported by DRA, within each managed domain and also each managed Office 365 tenant. Any attributes, and their associated values, not stored in the cache are read from live AD directly.
The DRA offline cache is stored in a Mongo database instance local to each DRA Server. During a Full Accounts Cache Refresh (FACR), the database records for the domain in question remain in a locked state until the entire FACR has completed. This lock only affects the domain in which the FACR is occurring.

The DRA offline cache is kept in sync with AD or the Office 365 tenant by two different methods:
  1. Incremental Accounts Cache Refresh (IACR)
    • Updates the accounts cache with the changes made to each managed domain or Office 365 tenant since the previous IACR or FACR.
    • By default, runs every 5 minutes for every managed domain and every 1 hour for each managed Office 365 tenant.
  2. Full Accounts Cache Refresh (FACR)
    • Replaces all of the cache details with what is currently stored within AD or the Office 365 cloud.
    • Locks all records specific to the managed domain or tenant being cached. This temporarily prevents the domain or tenant from being accessed within DRA until the FACR has completed.

Additional Information

The Windows Application Event log records an event from the sources McsAdminSVC and CacheLoader for each start and stop of a cache refresh. These events can be used to track the progress of a cache refresh. The Windows Task Manager also shows a separate instance of DRACacheLoader.exe for each managed domain or Office 365 tenant while its cache refresh is running. The Details tab of Task Manager can be configured to show the command line for each running Windows process. Each instance of DRACacheLoader.exe has a unique command line, which reflects the domain or tenant currently being updated by that instance of the cache loader.
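The same two checks can be done from a PowerShell prompt on the DRA Server instead of clicking through Event Viewer and Task Manager. This is an added example, not a script shipped with DRA; it assumes it is run as an account allowed to read the Application log and enumerate process command lines (for example the DRA service account), and the -Hours window is this example's own parameter. The provider names McsAdminSVC and CacheLoader and the process name DRACacheLoader.exe are the ones named above.

```powershell
# Added example (not NetIQ code): list recent cache-refresh start/stop events
# and the DRACacheLoader.exe instances currently running, one per domain/tenant.
param(
    [int]$Hours = 24   # how far back to look in the Application log (assumed default)
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Cache refresh start/stop events written by the McsAdminSVC and CacheLoader
#    sources. Get-WinEvent reports a non-terminating error when nothing matches,
#    so suppress it and treat "no events" as an empty result.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = @('McsAdminSVC', 'CacheLoader')
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }

"Cache refresh events in the last $Hours hour(s): $(@($events).Count)"
$events | Format-Table -AutoSize

# 2. Running cache loaders. The command line of each DRACacheLoader.exe
#    identifies the domain or tenant that instance is refreshing, so a
#    long-running instance points at the domain/tenant to investigate.
$loaders = Get-CimInstance Win32_Process -Filter "Name = 'DRACacheLoader.exe'" |
    Select-Object ProcessId, CreationDate, CommandLine

if ($loaders) {
    "Cache refreshes in progress: $(@($loaders).Count)"
    $loaders | Format-List
} else {
    'No DRACacheLoader.exe instances running; no cache refresh is in progress.'
}
```

Run it as `.\Get-DraCacheRefreshStatus.ps1 -Hours 2` to narrow the window to the most recent IACR cycles; a FACR that is still listed under step 2 explains why its domain or tenant is currently unavailable in DRA.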