How to rebuild the ADLDS instance on a Primary DRA Server

  • 7025176
  • 28-Jun-2021
  • 28-Jun-2021


Directory and Resource Administrator 9.x
Directory and Resource Administrator 10.x


Directory and Resource Administrator uses a local Microsoft Lightweight Directory Services instance to store various configuration and other features used by DRA. It is possible for the LDS instance to have a problem that might require it to be re-created. The Primary DRA Server will host the LDS instance with the Schema Master and Naming Master LDS FSMO Roles. This is the first LDS instance within the LDS configuration set.


Remove the ADLS instance on the Primary DRA Server
  • Stop and Disable the NetIQ Administration Service on the Primary DRA Server BEFORE removing the LDS instance
  • The ADLDS instance hosted on all Secondary DRA server(s) must be removed, BEFORE removing the Primary DRA server's ADLDS instance.
  1. Use Windows Add / Remove Programs to remove the existing ADLDS instance
  2. Modify the DRA specific ADLDS information with the Windows Registry, of the Primary sever
      • Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\ADAMConfiguration
    1. Set ADAMInstallationFlag to a decimal value of 1
    2. Set the AdminAccount to be the same value stored in the PrimaryAdminAccount
      1. Reg path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Data\Modules\ServerConfiguration\PrimaryADAMConfiguration
    3. Set a decimal value of 0 on the flowing keys
      • AQSchemaExtensionsFlag
      • AQSchemaExtensionVASupportFlag
      • DynamicGroupFlag
      • InstanceCreationFlag Note: If rebuilding the Primary DRA Server’s LDS instance this value will be set a decimal value of 1
      • LastLogonSchemaExtensionsFlag
      • RootContainersFlag
      • SHConfigRootContainersFlag
      • SHConfigSchemaExtensionsFlag
      • VAExchDynamicDLSchemaExtensionsFlag
      • VASchemaExtensionsFlag
    4. Set the LDAPPort value to be 50000 and SSLPort value to be 50001
      • Note: If using a different port number, ensure two way communication on the port between all DRA servers
    5. Verify key values under the path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Data\Modules\ServerConfiguration\PrimaryADAMConfiguration
      • PrimaryAdminAccount – This should be set a Domain Local group, which contains the AD account used to run the NetiQ Administration Service on every DRA server within the MMS
      • PrimaryInstanceStatusFlag – This should be set to decimal value 1
      • PrimaryLDAPPort – This should be set the value of LDAPPort in the Primary DRA Server’s local registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\ADAMConfiguration

To restore the ADLDS instance hosted on the Primary DRA Server

  1. Logon locally as DRA Service or a direct member of the ADLDS Administrators group
  2. Use the following options within the Microsoft LDS wizard,
      • located in Administrative Tools within the Start Menu
    1. Choose the option to create a unique instance
    2. Set the instance name to be the value of InstanceName
      • Registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\ADAMConfiguration).
      • This value will also be the Windows Service Display name as well.
    3. Set the LDAP and SSL ports to match the values stored within the Windows Registry
    4. Choose the option to create an application directory partition and use DC=DRA,DC=COM for the value
    5. Set the ADLDS Data and Recovery files paths to be: C:\Program Files (x86)\NetIQ\DRA\<instancename>
    6. Configure the ADLDS service account to be the default of Network Service
    7. Configure the ADLDS administrative account to be the value from step 2.1
    8. Do not configure any LDIF files to be imported
    9. Click finish to complete the setup
  3. Use the DRA Health Check Utility on the Primary DRA Server, to complete the LDS restore
      • The DRA HCU may only be run as DRA Service or a direct member of the ADLDS Administrators group
    1. Select only the Checks located under the AD LDS section
      • Note: Exclude the AD LDS Replication and Instance Backup
    2. Run the checks
    3. Use the Fix it option, to repair the failing LDS checks
  4. Start the Local NetIQ Administration Service on the secondary DRA Server


In some cases the data stored within ADLDS, or other problems with the instance may exist. In those cases, it may be necessary to rebuild the entire LDS configuration set.

Additional Information

To remove the Secondary DRA Server's LDS instance, see KB  7016076

Rebuilding the ADLDS instance hosted on the Primary DRA server will cause data loss of all DRA specific configuration data stored within ADLDS. Some of this data will be re-created by re-configuring DRA using the Delegation and Configuration console.

The following DRA feature specific configuration data can not be re-created

DRA Virtual Attributes
DRA Custom LDAP Search Queries
DRA Dynamic Group filters

Once the ADLDS instance is re-created, you will need to re-configure the following feature:

Managed Domain access account details -- This will trigger a FACR on every manged domain
Managed Tenant -- This will need to be re-added
Managed Domain Last Logon job details
DRA Reporting Collector Schedule

The DRA Reporting data , nor the DRA Change History data is not stored within LDS. This data will be saved if ADLDS is reconfigured.

The value used for Admin Account is recommended to be a Domain Local Group, which must contain the AD account used to run the NetIQ Administration Service.

The values used for LDAP and SSL ports should be the same on every DRA Server. The default value to be used is 50000 and 50001 . For more details on the ports, please see the DRA install guide .