How to use DRA when remote access to the Windows DC SAM is restricted

  • 7023292
  • 21-Aug-2018
  • 21-Aug-2018

Environment

NetIQ Directory and Resource Administrator 9.1.x
NetIQ Directory and Resource Administrator 9.2.x

Microsoft Windows Domain Controller 2016

Situation

Microsoft Windows GPO settings provide the option of restricting remote access to the Security Account Manager (SAM) database of any member server or domain controller. This database contains security details for users and groups within the local Windows OS or the Domain Controller. Through the use of a GPO setting, remote access to the database can be restricted to a defined set of accounts.

If this security lockdown is in place, the DRA server might return an error when attempting to set a domain access account, because DRA cannot determine whether the access account has the necessary AD rights.

Resolution

Modify the Security descriptor of the GPO setting to include the AD account that is used as the Domain Access account in the managed domain properties of DRA. The account(s) listed in the Security descriptor field are allowed to make remote queries to the SAM; this ability applies regardless of which remote client the query comes from.


Cause

NetIQ Directory and Resource Administrator (DRA) requires some level of administrative access to each Active Directory Domain or Member Server managed by DRA. The DRA Server validates this access by checking the SAM of the Member Server or AD Domain Controller. If no security details are returned to DRA, the DRA Server reports an error. This access check occurs at multiple points during the regular operation of DRA. The most common occurrences are:

  • Adding a new managed domain
  • Accounts Cache Refresh
  • Domain Configuration Refresh

When the Microsoft GPO setting Network access: Restrict clients allowed to make remote calls to SAM is enabled, the default value of its Security descriptor field is Built-In\Administrators. When the DRA Domain Access account is not a direct or indirect member of the Built-In\Administrators group, requests made to the SAM fail, and this failure causes DRA to fail as well.
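The following PowerShell script is an added example, not part of this article or of DRA. Run on the domain controller where the GPO is applied, it reads the descriptor the policy stored in the registry (Microsoft documents the RestrictRemoteSam value under the Lsa key), checks whether the Domain Access account (assumed placeholder name CONTOSO\svc-dra) is granted the RC right directly or through nested group membership, and if not, prints the amended SDDL to enter in the GPO's Security descriptor field. It assumes the ActiveDirectory module is available and that tokenGroups is returned as SIDs.

```powershell
# Added example (not NetIQ code). Checks whether an account may make remote SAM
# calls under "Network access: Restrict clients allowed to make remote calls to SAM".
param(
    [string]$Account = 'CONTOSO\svc-dra',   # placeholder for the DRA Domain Access account
    [string]$Sddl = ''                      # leave empty to read the value the GPO applied here
)
Import-Module ActiveDirectory               # assumption: AD module present (true on a DC)

if (-not $Sddl) {
    # Microsoft documents this REG_SZ as where the policy's descriptor is stored.
    $reg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $Sddl = $reg.RestrictRemoteSam
    if (-not $Sddl) { 'RestrictRemoteSam is not set; the policy is not applied on this host.'; return }
}

# Account SID plus its recursive group SIDs (tokenGroups), so indirect membership in
# Built-In\Administrators (for example via Domain Admins) is recognised.
$sid    = ([System.Security.Principal.NTAccount]::new($Account)).Translate([System.Security.Principal.SecurityIdentifier])
$groups = (Get-ADUser -Identity $sid.Value -Properties tokenGroups).tokenGroups
$mySids = @($sid.Value) + @($groups | ForEach-Object { $_.Value })

$READ_CONTROL = 0x20000   # the "RC" right the default descriptor O:BAG:BAD:(A;;RC;;;BA) grants
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
$allowed = $false; $denied = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
    if (($ace.AccessMask -band $READ_CONTROL) -eq 0) { continue }
    if ($ace.AceQualifier -eq 'AccessDenied')  { $denied  = $true }
    if ($ace.AceQualifier -eq 'AccessAllowed') { $allowed = $true }
}

if ($allowed -and -not $denied) {
    "$Account is permitted remote SAM calls by: $Sddl"
    return
}

# Build the amended descriptor: append an allow ACE for the account itself.
$newAce = [System.Security.AccessControl.CommonAce]::new(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $READ_CONTROL, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
"$Account is NOT permitted by: $Sddl"
'Set the GPO Security descriptor field to the following (do not edit the registry directly, the GPO would overwrite it):'
$sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
```

After updating the GPO and refreshing policy on the domain controller, re-run the script to confirm the account is now reported as permitted before re-testing the DRA domain access account.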


Additional Information

More information on this GPO setting can be found at: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
The most common use of this GPO is with Windows 2016 AD Domains. Other domain functional levels can still apply the GPO as well. Specific details about the Domain and Computer requirements for the GPO application can be found within the Microsoft Documentation listed above.
This GPO setting will not affect a Domain Access account that is a member of the AD Domain Admins group, because that group is a member of the built-in Administrators group within AD.