How do I break a Secondary DRA server from an existing Multi-Master Set? (NETIQKB55950)

  • 7755950
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
How do I break a Secondary DRA server from an existing Multi-Master Set?

goal
Can I remove a Secondary DRA server from a Multi-Master set and still retain the Security Model?

goal
Can a Secondary DRA server retain the Security Model from its MMS once it has been removed from the MMS?

goal
Can two different Primary DRA servers contain the same security information?

fact
Directory and Resource Administrator 7.x

fact
Directory and Resource Administrator 8.0

fix

Directory and Resource Administrator (DRA) does not have a built-in process to remove a Secondary DRA server from the existing Multi-Master Set (MMS) while retaining all Security Model information on that Secondary server. However, this can be accomplished through a series of registry changes to both the existing Secondary and Primary DRA servers. This is useful if you want to upgrade one Secondary DRA server to a newer version of DRA and change its role to a Primary DRA server while maintaining your existing MMS model. The result is that you will have two different Multi-Master Sets, each with its own Primary DRA server, yet both will contain the same Security Model information (ActiveViews, Policies, UI pages, etc.). This is far simpler than having to manually re-create all the existing Security Model information on the Secondary DRA server once it has been broken from the original MMS.

Note: Because this process involves numerous edits to the registries of at least two DRA servers, it is not a fully supported procedure. To continue, follow these steps:

STEP 1 - Perform a Multi-Master sync to replicate current Security Model information

  1. Launch the Delegation and Configuration (D&C) Console on to the Primary DRA server with an account that is, at minimum, a member of the DRA Admins Assistant Admin Group.
  2. Select Configuration Management and Administration Servers then right-click the Primary DRA server and select Synchronize All Servers.

STEP 2 - Ensure the Secondary DRA server you plan to break from the MMS has the current Security Model intact

Note: Hereafter, the Secondary DRA server will be designated "SecondaryX" and the existing Primary DRA server will be designated "PrimaryX".

  1. Connect to the SecondaryX DRA server with the D&C console and expand Delegation Management.
  2. Verify (by comparing) that all ActiveViews, Assistant Admins and Power/Role information is present as it exists on the PrimaryX DRA server.
  3. Launch Windows Explorer on the SecondaryX DRA server and browse to the directory in which DRA was installed (By default, this is:  C:\Program Files\NetIQ\DRA).
  4. Under the DRA folder, select the Refresh folder.
  5. Compare the number of files, names, size and Date Modified time-stamp with that of the Replication folder on the PrimaryX DRA server located (by default) at C:\Program Files\NetIQ\DRA\Replication.
  6. If the information from steps 1-5 above does not match, perform another Multi-Master sync as detailed in STEP 1 above.

Note:  Additionally, you can check the Application Event Log on the PrimaryX DRA server for Event ID 13484 which indicates the MMS was synchronized with the Secondary server(s) to the Primary server.  Likewise, you can check the Application Event log on the SecondaryX DRA server for Event ID 13453 which indicates the MMS synchronization with the PrimaryX DRA server has completed.
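
The STEP 2 comparison can be scripted. The following PowerShell is an added example, not part of the original article or of DRA: it compares the two folders by file name, size and Date Modified, then looks for Event IDs 13484 and 13453. The server names, the one-hour look-back window and access through the C$ administrative share are assumptions.

```powershell
# Added example for STEP 2; server names and the look-back window are hypothetical.
$PrimaryX   = 'PRIMARYX'      # replace with the actual PrimaryX server name
$SecondaryX = 'SECONDARYX'    # replace with the actual SecondaryX server name
$Since      = (Get-Date).AddHours(-1)

# Default install paths from the article, reached through the C$ admin share (assumption).
$replication = '\\{0}\C$\Program Files\NetIQ\DRA\Replication' -f $PrimaryX
$refresh     = '\\{0}\C$\Program Files\NetIQ\DRA\Refresh'     -f $SecondaryX

function Get-FileSummary {
    param([string]$Path)
    # Name, size and Date Modified are the attributes STEP 2 says to compare.
    Get-ChildItem -LiteralPath $Path -File |
        Select-Object Name, Length, LastWriteTimeUtc
}

function Test-SyncEvent {
    param([string]$Server, [int]$Id)
    # True when the Application log holds the given Event ID inside the window.
    $filter = @{ LogName = 'Application'; Id = $Id; StartTime = $Since }
    $hit = Get-WinEvent -ComputerName $Server -FilterHashtable $filter `
               -MaxEvents 1 -ErrorAction SilentlyContinue
    [bool]$hit
}

$primaryFiles   = @(Get-FileSummary $replication)
$secondaryFiles = @(Get-FileSummary $refresh)
if (-not $primaryFiles.Count -or -not $secondaryFiles.Count) {
    throw 'One of the folders is empty or unreadable; repeat STEP 1 and check access.'
}

# Every row printed here is a file that differs in name, size or timestamp.
$diff = @(Compare-Object $primaryFiles $secondaryFiles -Property Name, Length, LastWriteTimeUtc)
$diff | Sort-Object Name |
    Format-Table Name, Length, LastWriteTimeUtc, SideIndicator -AutoSize | Out-Host

[pscustomobject]@{
    PrimaryFileCount    = $primaryFiles.Count
    SecondaryFileCount  = $secondaryFiles.Count
    FoldersMatch        = ($diff.Count -eq 0)
    PrimaryEvent13484   = Test-SyncEvent $PrimaryX 13484
    SecondaryEvent13453 = Test-SyncEvent $SecondaryX 13453
}
```

If FoldersMatch is False or either event is missing, repeat the Multi-Master sync from STEP 1 before continuing.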

STEP 3 - Breaking the SecondaryX DRA Server from the existing Multi-Master Set

Note: Perform these steps ONLY on the SecondaryX DRA server

  1. From the SecondaryX DRA server, launch the D&C Console and connect to the SecondaryX DRA server (setting focus of the DRA server the D&C console will next attempt to connect to).
  2. Close the D&C console.
  3. Launch services.msc on the SecondaryX DRA server and change the Startup Type on the NetIQ Administration Service from Automatic to Manual.
  4. Stop the NetIQ Administration Service on the SecondaryX DRA server.
  5. Launch Windows Explorer on the SecondaryX DRA server and delete the entire Refresh folder and its contents located (by default) at C:\Program Files\NetIQ\DRA\Refresh.
  6. Launch regedit on the SecondaryX DRA server and delete the following registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\Server Configuration\Servers
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\Server Configuration\WebShare
  7. Delete the MMSID string value on the SecondaryX DRA server located at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Server Configuration
  8. Change the Hexadecimal DWORD value for Mode on the SecondaryX DRA server from 1 to 0 at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\Server Configuration
  9. Change the Primary string value on the SecondaryX DRA server from the actual name of the PrimaryX DRA server to that of the actual name of the SecondaryX DRA server at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\Server Configuration
  10. Delete the string value for <actual PrimaryX server name>/OnePointAdmin on the SecondaryX DRA server at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Server Configuration\WebShare

STEP 4 - Removing the SecondaryX DRA Server from the PrimaryX DRA server registry

Note: Perform these steps ONLY on the PrimaryX DRA server

  1. Launch regedit on the PrimaryX DRA server and delete the SecondaryX DRA server string value entries from the following registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Server Configuration\Servers
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Server Configuration\WebShare
  2. Delete the SecondaryX DRA server registry keys from beneath the following registry keys on the PrimaryX DRA server:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\Server Configuration\Replication
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\Server Configuration\Servers

STEP 5 - Completing the Process

  1. Launch services.msc on the SecondaryX DRA server and change the Startup Type on the NetIQ Administration Service from Manual back to Automatic.
  2. Restart the NetIQ Administration Service on the SecondaryX DRA server.
  3. Stop and re-start the NetIQ Administration Service on the PrimaryX DRA server.

STEP 6 - Verification of Success

  1. Launch the D&C Console on to the PrimaryX DRA server with an account that is, at minimum, a member of the DRA Admins Assistant Admin Group.
  2. Select Configuration Management and Administration Servers and verify the SecondaryX DRA server is no longer listed as a Secondary DRA server.
  3. Launch the D&C Console on what was the SecondaryX DRA server with an account that is, at minimum, a member of the DRA Admins Assistant Admin Group.
  4. Select Configuration Management and Administration Servers and verify that what was the SecondaryX DRA server is now listed as the Primary DRA server (hereafter designated "PrimaryZ").
  5. On what is now the PrimaryZ DRA server, expand Delegation Management.
  6. Verify that all ActiveViews, Assistant Admins and Power/Role information is present.
  7. Expand Policy and Automation Management and verify that all information for Policies and Automation Triggers (if applicable) is present.
  8. Expand Configuration Management and verify that all information for User Interface Extensions (if applicable) is present.
  9. Launch regedit on the PrimaryZ and PrimaryX DRA servers and verify (by comparing) that the MMSID string value is different for each server at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Server Configuration

STEP 7 - Configuring the new PrimaryZ DRA Server

Since PrimaryZ is now the Primary DRA server for a separate MMS, you will need to configure (or at least check) its settings for managing your domain(s). Be sure to configure the following settings on the PrimaryZ DRA server:

  • Full Accounts Cache Refresh Schedule
  • Incremental Accounts Cache Refresh Schedule
  • Last Logon Statistics gathering (if applicable)
  • Resource Cache Refresh Schedule
  • Domain Cache Refresh Schedule

Additionally, you may want to Refresh Agents on the PrimaryZ DRA server so all domain controllers in your managed domain(s) are aware that the role for PrimaryZ has changed and it is now a new Primary DRA server also managing the domain(s).

At this point, changes can be made to the Security Model on PrimaryZ, which will act independently of the Security Model on PrimaryX's MMS. PrimaryZ can also be upgraded to a newer version of DRA.

An Enhancement Request has been opened with Development to include this functionality in a future version of Directory and Resource Administrator.

For more information, please contact NetIQ Technical Support at https://www.netiq.com/support .


note
Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ Technical Support cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be resolved. Make sure that you back up your Registry prior to making any changes.

Additional Information

Formerly known as NETIQKB55950