Resolution
Directory and Resource Administrator 7.5
symptom
Directory and Resource Administrator (DRA) 7.5 clients cannot connect to the Administration server.
symptom
DRA 7.5 clients cannot authenticate to the Administration server.
symptom
After upgrading domain controllers to Windows 2003 Server Service Pack 1, DRA 7.5 clients cannot automatically connect to the Administration server.
symptom
Domain controllers log DCOM error messages to the system log after Windows 2003 Server Service Pack is applied.
symptom
When using the DRA 7.5 Delegation and Configuration console or Account and Resource Management console to connect to an Administration server you see the following error message:
symptomUnable to connect to Administration server [name]. This error occurs if your account cannot be authenticated by the domain in which the Administration server is running or if the server is not running at all.
When using the DRA 7.5 Web Console to connect to an Administration server, you see the following error message:
symptomThe following error occurred during Web Console initialization: The attempt to automatically connect to domain [name] failed. Could not detect a DRA server that is managing [name]. Common issues that can cause this error include:
- The DRA server is not connected to the network.
- The Web Console cannot find the DRA server managing your domain.
- The connection between the Web Console server and DRA server has been interrupted.
Click "Retry" to try again, otherwise click "Cancel" to change your domain and DRA server settings. If this problem persists, contact your administrator.
You see the following error message on Windows 2003 Server Service Pack 1 domain controllers:
DCOM error 10021
symptomThe launch and activation security descriptor for the COM Server application with CLSID {E04D7E5C-648D-4879-8EEF-C530F71521D0} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.
You see the following event in the system log on Windows 2003 Server Service Pack 1 domain controllers:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10021
Date: 5/12/2005
Time: 9:27:18 AM
User: N/A
Computer: DCName
Description:
The launch and activation security descriptor for the COM Server application with CLSID {E04D7E5C-648D-4879-8EEF-C530F71521D0} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.For more information, see Help and Support
Center at http://go.microsoft.com/fwlink/events.asp.
Cause
Windows 2003 Server Service Pack 1 implements DCOM security changes that prevent DRA clients from automatically connecting to the Administration server. When you install Windows 2003 Service Pack 1 on a computer, the Service Pack:
- Closes all inbound remote DCOM calls to the computer unless the user has administrator privileges
- Denies DCOM connections that use the Everyone security group
- Creates a group called Distributed COM Users and gives this group activate and launch DCOM permissions by default
If you install Windows 2003 Server SP1 on a member server, the Service Pack installs the Distributed COM Users group as a local group on the member server.
If you install Windows 2003 Server SP1 on a domain controller, the Service Pack installs the Distributed COM Users group as a domain local group in the Active Directory Builtin container.
DRA installs the DRA agent on the domain controller. The DRA agent ensures clients can locate and connect to an Administration server. DRA clients use the Everyone security group for DCOM connections to the DRA agent. When you install Windows 2003 Server Service Pack 1 on the domain controller where a DRA agent is installed, Service Pack 1 denies DCOM connections that use the Everyone security group. As a result, DRA clients cannot connect to the DRA agent and locate and connect to an Administration server. In addition, the domain controller may log DCOM errors in the system log each time a DRA client tries to connect to the DRA agent on the domain controller.
FixThis issue is resolved with NetIQ Directory and Resource Administrator and Exchange Administrator version 7.5 Hotfix 47150.
Hotfix 47150 addresses an issue where the Account and Resource Management console, Web Console, and Delegation and Configuration console cannot connect to DRA agents running on computers with Windows 2003 Server with Service Pack 1 installed. DRA agents use the Everyone ACL for DCOM connections to the DRA consoles. Service Pack 1 makes modifications that deny DCOM connections using the Everyone ACL. This hotfix corrects this issue by updating the DRA agents installed in your environment to use the default security settings of the computer where they are installed.
Note: Installation of this hotfix requires you to perform a series of procedures on several different computers depending on your installation of DRA. Please review the entire series of procedures before you begin.
Before installing this hotfix:
- Ensure the computer where the IIS Admin service runs has the Trusted for delegation flag set in the computer account properties. For more information, refer to the NetIQ Knowledge Base article NETIQKB14935, available at www.netiq.com/support/dra/knowledgebase.asp.
- Ensure the IIS server running the Directory and Resource Administrator Web Component is configured as a Local intranet site and not as a Trusted site. For more information, refer to the NetIQ Knowledge Base article NETIQKB28001, available at www.netiq.com/support/dra/knowledgebase.asp.
- For any web browser that will connect to DRA, enable the Integrated Windows Authentication option on the Internet Options Advanced tab of Internet Explorer. For more information, refer to the NetIQ Knowledge Base article NETIQKB14935, available at www.netiq.com/support/dra/knowledgebase.asp.
Note: This Hotfix requires DRA version 7.5.
To download and install this hotfix:
- Close all DRA user interfaces.
- Run the DRA75000_Hotfix47150.msi file on each DRA Administration server computer.
The hotfix setup program stops the NetIQ Administration service and restarts it once the installation is complete. Once restarted, the Administration Server deploys the updated DRA agent.
This hotfix modifies the following files:
- EaCommon70.dll
- OnePointAgent.exe
By default, these files are located in the Program Files\NetIQ\DRA folder.
After you have installed the hotfix, perform the following steps on a computer where you have installed the Delegation and Configuration console:
Configuring the Distributed COM Users Group
- Log on as a DRA Admin.
- Start the Delegation and Configuration console. If the console does not automatically connect to the DRA Server, manually establish the connection.
- Expand the Account and Resource Management node.
- Expand the All My Managed Objects node.
- For each domain where you have a domain controller with Windows 2003 Server with Service Pack 1 installed, expand the domain node.
- Click the Builtin container.
- If you installed the Administration server on a member server, search for the local Distributed COM Users group.
- If you installed the Administration on a domain controller, search for the global Distributed COM Users group.
- In the search results list, click the Distributed COM UsersNG> group.
- Click Members in the lower pane, then click Add Members.
- Add the users and/or groups that will utilize DRA. Ensure you add the DRA service account to this group.
- Click OK.
Perform the following steps on each domain controller AND each Administration server with Windows 2003 Server with Service Pack 1 installed:
Configuring Domain Controllers and Administration Servers
- On the Start menu, click Settings > Control Panel.
- Open Administrative Tools, then open Component Services.
- Expand Component Services > Computers > My Computer > DCOM Config.
- If you have installed Windows 2003 Server with Service Pack 1 on the domain controller, select OnePointAgent.
- If you have installed Windows 2003 Server with Service Pack 1 on the Administration server, select MCS OnePoint Administration Service.
- On the Action menu, click Properties.
- On the General tab in the Authentication Level area, ensure Packet is selected.
- On the Security tab in the Access Permissions area, click Edit.
- Ensure the Distributed COM Users group is present. If it is not present, add it. If the Everyone group is present, remove it.
- Ensure that the Distributed COM Users group has Local and Remote Access permissions.
- On the Security tab in the Launch and Activation Permissions area, click Edit.
- Ensure the Distributed COM Users group is present. If it is not present, add it. If the Everyone group is present, remove it.
- Ensure that the Distributed COM Users group has the following permissions:
- Local Launch
- Remote Launch
- Local Activation
- Remote Activation
14. Apply the changes.
For more information, contact Technical Support at www.netiq.com/support.
Note
If you cannot apply the hotfix immediately and if the domain controller and Administration server are on different servers, you may be able to use the following workaround:
If you are using the DRA Delegation and Configuration console or Account and Resource Management console to connect to an Administration server, you may still connect to an Administration server before installing the hotfix by specifying a connection to a specific Administration server. Specifying a connection to a specific Administration server allows the DRA console to connect directly to an Administration server, rather than connecting to an Administration server through the DRA agent.
To connect to an Administration server:
- On the error message, click OK.
- From the console window, click Connect to Administration Server.
- Type the name of the Administration server.
- Click OK.
After specifying an Administration server to connect to:
- If you are using the DRA Delegation and Configuration console, you will not need to specify an Administration server each time you connect to an Administration server. You will only have to specify an Administration server if the DRA agent restarts on the domain controller.
- If you are using the DRA Account and Resource Management console, you must specify an Administration server each time you connect to an Administration server.
If you are using the DRA Web Console to connect to an Administration server, you may still connect to an Administration server before installing the hotfix by specifying a connection to a specific Administration server. Specifying a connection to a specific Administration server allows the DRA Web Console to connect directly to an Administration server, rather than connecting to an Administration server through the DRA agent.
To connect to a specific Administration server:
- On the error message, click Cancel.
- On the Change focus domain window, click Set focus domain.
- Type the name of the domain and Administration server.
- Click Set focus domain.
After specifying the focus domain, you will not need to specify an Administration server each time you connect to an Administration server. You will only have to specify an Administration server if the Web Console cookie is deleted.