Environment
Directory and Resource Administrator 6.6
Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x
Situation
What can I expect if I set DRA to manage a subtree?
What features of DRA are unavailable if departmental support is enabled?
Resolution
If you set Directory and Resource Administrator (DRA) to manage a subtree of a domain, DRA checks if the account has full permission and the inheritance flag is on for the specified OU or subtree. If the requirements are not met, a warning message will state that the account does not have full permissions and that some functions may not work correctly.
The following event is generated in the application log.
Event Type: Warning
Event Source: MCSAdminSvc
Event Category: AcctProvDomain
Event ID: 14245
Date: 3/14/2003
Time: 3:19:30 PM
User: N/A
Description:
The domain_name\user_name access account for the domain_name domain does not have full control permissions to the domain_name\OU_name subtree. Some DRA features may not function as expected when you attempt to manage objects in this subtree.
The account that you use to manage the subtree must have at least read access to the domain subtree and all child objects. If the account does not have at least read access, DRA will fail to add the managed subtree. If the account has read access but not the recommended access, DRA will warn but still add the subtree. The specific permissions required depend on the set of DRA functions you want to use. The recommended permissions are Full Control over the top-level OU or container of each subtree, with inheritance to all child objects. Provided the access account has the appropriate AD permissions, all core DRA features within the subtree behave as they normally do:
- Create, delete, and modify objects within the subtree.
- Move objects between subtrees or within a subtree.
- Add members to and remove members from groups in a managed subtree (members can be from this subtree, from outside the subtree, or from any trusted domain).
The following items are not supported:
- Exchange 5.5 support. DRA 7.0 and later can manage Exchange 2000/2003 mailboxes.
- Triggers run under the credentials of the DRA service account; therefore, they may not work as expected when acting on a subtree-managed domain.
- Certain domain-specific ActiveView rules will no longer function. Likewise, powers and roles specific to domain-type functions will no longer be valid.
- Domain Controller resources cannot be managed, because agents are not installed on the domain controllers of the managed subtree domain (even if the subtree is managed with an Administrator account).
- ServerDiscovery does not work, so all Assistant Admins using DRA must specify the DRA server in the CLI, ADSI, Web Console, MMC, and Account and Resource Management Console.
- Last Logon statistics are not collected for partially managed domains.
- All Reporting capabilities will be lost. Reporting cannot be focused on a subset of a domain; DRA reporting can only cover the entire domain.
- The Recycle Bin will be disabled by default.
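As an added example (not DRA's own tooling), the following PowerShell function checks whether an access account holds the recommended permissions on a subtree's top-level OU before you add the subtree to DRA: Full Control, inheriting to all child objects, with no Deny entries for the account. It assumes the ActiveDirectory module (RSAT) is available, examines only ACEs that name the account itself or groups you pass in (group membership is not resolved automatically), and the OU and account names are constructed.

```powershell
# Added example, not NetIQ/DRA code. Verifies the "Full Control with inheritance
# to all child objects" recommendation on a subtree's top-level OU, so that the
# 14245 warning does not come as a surprise when the subtree is added to DRA.
# Assumes the ActiveDirectory module (RSAT) is present and the caller can read
# the OU's security descriptor.
Import-Module ActiveDirectory

function Test-DraSubtreeAccess {
    param(
        [Parameter(Mandatory)][string]$OuDN,       # e.g. 'OU=testOU,DC=DomainA,DC=local' (constructed)
        [Parameter(Mandatory)][string]$Account,    # e.g. 'DomainA\test' (constructed, mirrors the event text)
        [string[]]$GroupsOfAccount = @()           # optional 'DOMAIN\Group' names the account belongs to
    )
    $identities = @($Account) + $GroupsOfAccount
    $acl = Get-Acl -Path ("AD:\" + $OuDN)

    # Only ACEs that name the account (or one of the supplied groups) are considered;
    # nested group membership is not resolved here.
    $aces = $acl.Access | Where-Object { $identities -contains $_.IdentityReference.Value }

    $fullControl = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    }
    # Any Deny ACE for the account can break individual DRA operations even if Full Control is present.
    $denies = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }

    # "Inheritance to all child objects": the ACE applies to this object and all descendants,
    # not limited to a single object class.
    $inherits = $fullControl | Where-Object {
        $_.InheritanceType -eq 'All' -and $_.InheritedObjectType -eq [guid]::Empty
    }

    [pscustomobject]@{
        OU                  = $OuDN
        Account             = $Account
        HasFullControl      = [bool]$fullControl
        InheritsToChildren  = [bool]$inherits
        HasDenyEntries      = [bool]$denies
        MeetsDraRecommended = ([bool]$inherits -and -not [bool]$denies)
    }
}

# Usage with constructed names; MeetsDraRecommended should be True before adding the subtree.
Test-DraSubtreeAccess -OuDN 'OU=testOU,DC=DomainA,DC=local' -Account 'DomainA\test' | Format-List
```

If MeetsDraRecommended is False but HasFullControl is True, the usual cause is an ACE scoped to "This object only" or to one object class; re-delegate with "This object and all descendant objects".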
You will see the following event in the application log.
Event Type: Warning
Event Source: MCSAdminSvc
Event Category: AcctProvDomain
Event ID: 14251
Date: 3/14/2003
Time: 3:19:30 PM
User: N/A
Computer: Server1
Description:
The DomainA\test access account for the DomainA.local(DomainA) domain cannot access the Recycle Bin for this domain. The Recycle Bin will be disabled. Use the Recycle Bin Utility to verify and delegate the appropriate permissions.
The utility is called DraRecycleBinUtil. By default, the utility is located in the c:\Program Files\NetIQ\DRA directory. The syntax is as follows.
Usage: DraRecycleBinUtil /domain:Domain
{/delegate:AcctName1|/verify:AcctName2|/display} [/dc:Computer]
/domain:Domain - Specifies NETBIOS or DNS name of the domain
/delegate:AcctName1 - Delegates permissions to the specified account
/verify:AcctName2 - Verifies permissions of the specified account
/display - Displays security settings for the NetIQRecycleBin container
/dc:Computer - Specifies name or IP address of the DC
Another item to expect concerns the incremental cache refresh. If the account that is specified for departmental support does not have access to the Deleted Objects container in AD, you will get the following event in the event log.
Event Type: Error
Event Source: MCSAdminSvc
Event Category: AcctProvDomain
Event ID: 14081
Date: 3/14/2003
Time: 3:36:45 PM
User: N/A
Computer: Server1
Description:
Domain DomainA\testOU (DomainA) (Subset-Managed,AD) (Customer-requested incremental accounts cache refresh) began at 2003-03-14 15:36:44 and ended at 2003-03-14 15:36:45, contents unsuccessfully loaded, hr=c0043708=(The Administration server service account or domain override account does not have permission to access deleted objects in the Active Directory for this domain. Use the Deleted Objects Utility to ensure this account has the appropriate permissions. The Administration server will continue to attempt an incremental accounts cache refresh) The Administration server did not successfully update the accounts cache. The cache may not contain all recent changes.
The dradelobjsutil utility can be used to set the permissions on the Deleted Objects container.
Usage: dradelobjsutil /domain:Domain [/dc:Computer]
{/delegate:AcctName1|/verify:AcctName2|/remove:AcctName3|/display [/right]}
/domain:Domain - Specifies NETBIOS or DNS name of the domain
/dc:Computer - Specifies name or IP address of the DC
/delegate:AcctName1 - Delegates permissions to the specified account
/verify:AcctName2 - Verifies permissions of the specified account
/remove:AcctName3 - Removes permissions previously delegated to the specified account
/display - Displays security settings for the Deleted Objects container
/right - Ensures the specified account has the Synchronize directory service data user right
Note
For more information, see: NETIQKB25435 "How do I configure Directory and Resource Administrator to manage a particular OU?"