Changes made to objects in a managed Organizational Unit using Native Tools are not reflected, even (NETIQKB28808)

  • 7728808
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.60

fact
Directory and Resource Administrator 7.x

symptom
Changes made to objects in a managed Organizational Unit using Native Tools are not reflected, even after an Accounts Cache Refresh.

symptom
Incremental Accounts Cache Refresh does not detect any changes made using Native Tools after enabling Departmental Support. 

symptom

The following event is written to the Application log on the Directory and Resource Administrator server:

Event Type: Error
Event Source: MCSAdminSvc
Event Category: AcctProvDomain
Event ID: 14081
User:  N/A
Computer: machine_name
Description:
Domain fully_qualified_domain_name(domain_name) (Subset-Managed,AD) (Customer-requested incremental accounts cache refresh) began at 2003-03-14 15:36:44 and ended at 2003-03-14 15:36:45,  contents unsuccessfully loaded, hr=c0043708=(The Administration server service account or domain override account does not have permission to access deleted objects in the Active Directory for this domain.  Use the Deleted Objects Utility to ensure this account has the appropriate permissions.  The Administration server will continue to attempt an incremental accounts cache refresh) The Administration server did not successfully update the accounts cache. The cache may not contain all recent changes.



cause
When the Departmental Support feature in Directory and Resource Administrator is used to manage a specific OU, the Incremental Accounts Cache Refresh is disabled if the domain access account does not have read permissions on the Deleted Objects container in the domain.

fix

To resolve this issue, the domain access account must be granted, at a minimum, read permissions on the Deleted Objects container to enable the Incremental Accounts Cache Refresh. Directory and Resource Administrator includes a utility called the Deleted Objects Utility, which can be used to verify and grant access to the Deleted Objects container.

To grant the domain access account read permissions on the Deleted Objects container using the Deleted Objects Utility, perform the following steps:

1. Launch Command Prompt on the Directory and Resource Administrator server, logged in as a user with Administrator permissions in the domain where the Deleted Objects container is located.

2. Change to the Program Files\NetIQ\DRA folder on your Administration server.

3. Type the following command:

DRADELOBJSUTIL /DOMAIN:domain_name /DELEGATE:domain_name\domain_access_account

4. Press Enter.
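
One way to see which managed domains are logging the failure shown above, and to confirm it stops once the utility has been run and the next incremental refresh has completed. This is an added example, not NetIQ code; the seven-day look-back window and the regular expression are assumptions based on the event text in this article.

```powershell
# Added example. Run in PowerShell on the DRA Administration server.
# Log name, source, event ID and hr code come from the event shown in this article.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MCSAdminSvc'
    Id           = 14081
    StartTime    = (Get-Date).AddDays(-7)   # assumed look-back window
}

# Get-WinEvent reports an error when nothing matches, so suppress it and test the result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Event 14081 is only relevant here when it carries the Deleted Objects
# permission code. (?s) lets '.' span line breaks inside the description.
$pattern = '(?s)Domain\s+(?<fqdn>\S+?)\((?<netbios>[^)]+)\).*?hr=(?<hr>c0043708)'

$hits = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Logged  = $e.TimeCreated
            Domain  = $Matches['fqdn']
            NetBIOS = $Matches['netbios']
            Hr      = $Matches['hr']
        }
    }
}

if (-not $hits) {
    'No Event 14081 with hr=c0043708 found in the look-back window.'
} else {
    # One row per domain: number of failed refreshes and the most recent one.
    $hits | Group-Object Domain | ForEach-Object {
        $last = $_.Group | Sort-Object Logged -Descending | Select-Object -First 1
        [pscustomobject]@{
            Domain      = $_.Name
            NetBIOS     = $last.NetBIOS
            Failures    = $_.Count
            LastFailure = $last.Logged
        }
    } | Format-Table -AutoSize
}
```

A domain whose LastFailure timestamp stops advancing after the delegation was applied is no longer hitting the permission error.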



note

By default, you can run the Deleted Objects Utility from the Program Files\NetIQ\DRA folder on your Administration server. You can install and run the Deleted Objects Utility on a computer that is not an Administration server. To install this utility, choose custom installation in the setup program. For more information about performing a custom installation, see the Installation Guide.



note

For more information on the Deleted Objects Utility, please refer to the following Knowledge Base article:

What is the purpose of the DRADelObjsUtil.exe (Deleted Objects Utility)?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB24873



Additional Information

Formerly known as NETIQKB28808