What are the new features and benefits of upgrading to Directory and Resource Administrator 8.0 SP1? (NETIQKB70110)

Goal
What are the new features and benefits of upgrading to Directory and Resource Administrator 8.0 SP1?

Goal
Why should I install/upgrade to Directory and Resource Administrator 8.0 SP1?

Fact
Directory and Resource Administrator 8.0 SP1

Fix

Directory and Resource Administrator (DRA) and Exchange Administrator (ExA) provide highly secure and automated administration of Microsoft Windows Server 2003, Microsoft Windows 2000 Server, and Microsoft Exchange. Through advanced delegation and powerful policy-based management capabilities, DRA and ExA increase Active Directory security, dramatically reduce administrative efforts and costs while increasing efficiency, and protect the integrity of data in your Microsoft Windows Server 2003 Active Directory, Microsoft Windows 2000 server Active Directory, and Microsoft Exchange directory.

DRA and ExA 8.0 Service Pack 1 provides improvements and corrects issues found in DRA and ExA 8.0. This service pack also incorporates all the hotfixes available for DRA and ExA 8.0. NetIQ has made many of these improvements in direct response to suggestions from customers. Thank you for your time and valuable input.

This document outlines why you should install this service pack, provides additions to the documentation, and identifies any known issues. We assume you are familiar with previous versions of this product. For more information about installing DRA and ExA, see the Installation Guide.

Why Install This Service Pack?

The following sections outline the new key features and functions as well as some issues that this service pack corrects:

Display of Group if Selected Users are Existing Members
This service pack resolves an issue where the Account and Resource Management (ARM) and Delegation and Configuration (DC) consoles did not display groups to which you wanted to add multiple members concurrently when at least one user was already a member of the specified group. When adding multiple users to a group at the same time, the ARM and DC consoles now display all groups to which you want to add these users even if one or more users are already members of the specified group. When you add users who are existing members of a group, DRA ignores existing members and only adds users who are not yet members of that group.

Audit of Password Reset Flag in the Application Log
This service pack resolves an issue where DRA was not recording password reset events in the Application event log when you made user password resets by right-clicking on a user and resetting the password. DRA now records all password events in the Application event log regardless of how you initiate the password reset.

Recycle Bin Support in the Web Console for Groups, Contacts, and Computers
In addition to users, DRA now allows you to use the Web Console to delete and restore groups, contacts, and computers in the Recycle Bin.

Web Console Support for Contacts
DRA now allows you to use the Web Console to manage contacts. However, you cannot manage mailboxes for contacts using the Web Console.

Connection to Primary Administration Server Using Web Console
DRA now allows you to use the Web Console to connect to the primary Administration server, even if you install the Web Console and the primary Administration server on computers running Windows Server 2003 Service Pack 1. This enhancement is in addition to the issue addressed in NetIQ Knowledge Base Article NETIQKB14935, available at https://support.netiq.com/dra.

Display of Correct Number of User Accounts in Managed Domains
This service pack resolves an issue where DRA was including user objects in managed as well as trusted domains in the license count. DRA now excludes user objects from trusted domains in the license count and displays the correct number of user accounts in all managed domains in the License tab of the DRA Properties window.

Display of Custom User Interface Extensions
This service pack corrects an issue where DRA did not display custom user interface extensions for users in some domains. DRA now correctly displays custom user interface extensions in the User Properties window.

Usage of Wildcard Characters as Normal Characters in DRA Search
DRA now allows you to specify the question mark (?), asterisk (*), or number sign (#) wildcard characters as normal characters by prefixing a backslash (\) to the particular wildcard character when searching for a specific character pattern in DRA. For example, to search for abc*, type the search text abc\*.

Display of Unhandled Exception Errors when Creating New Temporary Group Assignments
This service pack resolves an issue where DRA displayed unhandled exception errors when creating new temporary group assignments on computers where the regional options settings displayed a region other than English (United States) in the Regional and Language Options application in Control Panel. DRA now creates temporary group assignments without any errors.

More Specific Powers to Move Objects to Organizational Units
DRA now provides you with more specific powers to move different objects to organizational units (OUs). The new powers are:

• Move Computer to OU
• Move Contact to OU
• Move Group to OU
• Move Organizational Unit to OU
• Move Print Queue to OU
• Move User to OU

Support for InetOrgPerson Object in DRA
This service pack resolves an issue where DRA did not recognize the InetOrgPerson object type. DRA now recognizes InetOrgPerson objects as normal users and provides all user management tasks to manage InetOrgPerson objects. DRA does not recognize the special properties available for an InetOrgPerson object.

     Note:  DRA now includes InetOrgPerson object types in the license count. 

Registry Restoration during a Multi-Master Set Synchronization
This service pack includes hotfix 54631. Hotfix 54631 corrected an issue with the way DRA handled registry restoration during a Multi-Master Set (MMS) synchronization between primary Administration servers and secondary Administration servers and when you had set the NetIQ Administration service to automatically start on secondary Administration servers.

When a Multi-Master Set (MMS) synchronization occurs, the primary Administration server exports the registry keys for different modules and transfers these files to computers running as secondary Administration servers. The secondary Administration servers delete the existing registry entries for these modules and restore the registry keys using the files from the primary Administration server. If the secondary Administration server is running Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows XP, or Microsoft Windows XP Service Pack 2 and if any of the exported files is large in size, the registry restoration takes a very long time and during this time, the secondary Administration server computer becomes unavailable. Similarly, if you set the NetIQ Administration service to start automatically and if you restart the secondary Administration server, the secondary Administration server takes a long time to complete the registry restoration.

DRA now allows you to restore the registry on the secondary Administration server one key at a time during MMS synchronization so DRA does not completely lock the registry during registry restoration.

To configure each secondary Administration server computer before or after installing this service pack:

1. Start the Registry Editor interface.
2. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\Refresh.
3. On the Edit menu, click New > DWORD Value.
4. Type MMSRegRestoreType.
   1. If the value data for the MMSRegRestoreType value is 0, the secondary Administration server uses the old registry restoration method.
   2. If the value data for the MMSRegRestoreType value is 1, the secondary Administration server uses the new registry restoration method.
5. To change the value data, select MMSRegRestoreType.
6. On the Edit menu, click Modify and type 0 or 1.

Installing This Service Pack

To benefit from the new features and fixes provided in this service pack, install it on each Administration server computer and on each computer where you installed an Account and Resource Management console or Delegation and Configuration console.

You should have DRA and Exa 8.0 already installed on your computer. To upgrade to DRA and ExA version 8, install the new version over your existing version. Do not uninstall your existing version.

To install this service pack:

1. Download the NetIQ Directory and Resource Administrator and Exchange Administrator 8.0 Service Pack 1 installation program.
2. Double-click the DRA800_SP1.msi file.

Hotfixes

This service pack includes all the hotfixes previously released for DRA and ExA 8.0. The following list describes the issues and the corresponding fixes:

Hotfix 54920  DRA Agent Installation on 64-Bit Domain Controllers
 
This hotfix corrects an issue with the way DRA handles the installation of DRA Agents on 64-bit domain controllers.

If your domain includes a 64-bit domain controller with the primary Administration server running on a 32-bit member server of this domain, and if you try to install the DRA Agent on the 64-bit domain controller using the Delegation and Configuration console or the EaAgentUtil command in the CLI, the installation fails.

This hotfix ensures the successful installation of the DRA Agent on a 64-bit domain controller by modifying the prerequisite check that searches for the specific processor architecture.

For more information, see NetIQ Knowledge Base Article NETIQKB54920, available at https://support.netiq.com/dra

Hotfix55224  Full Accounts Cache Refresh Failure During Group Enumeration
 
This hotfix corrects an issue with the way DRA handles the failure of full accounts cache refreshes in some scenarios where DRA is enumerating groups of a particular domain and the group has members that belong to a different domain.

During a full accounts cache refresh in certain scenarios, the DraDomFile.exe file, which performs the caching, fails when it is enumerating groups in a particular domain and the group has members that belong to a different domain.

This hotfix includes a workaround to ensure DRA completes the full accounts cache refresh successfully. The workaround requires you to create a text file called DcsToIgnore.txt with entries containing the distinguishedName of the domains to which the group members belong.

      Note:  You should only add entries for those domains that cause the failure. 

For example, if DraDomFile.exe fails when enumerating the group members of domain X, which contains a few group members that belong to domain Y and possibly some other domains, and the failure occurs when processing group members from domain Y, the entry in the text file should contain the value of the distinguishedName attribute of domain Y.

Save this text file in the {InstallDir}\Program Files\NetIQ\DRA\DomFiles folder. Create and set the TruncateGroupMemberships registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration to True before performing the full accounts cache refresh.

For more information, see NetIQ Knowledge Base Article NETIQKB55224, available at https://support.netiq.com/dra

Hotfix 55584  User Accounts Management

This hotfix addresses the following issues:

• When you remove certain user accounts from the Send on behalf list on the Delivery options tab on the User Properties window, DRA removes all user accounts between and after the selected user accounts. This hotfix corrects this issue by only removing the selected user accounts from the Send on behalf list.
• When you select multiple user accounts and try to update the properties of these accounts, DRA displays the error message, "The E-mail address field should not be blank. Enter an address." DRA prevents you from updating the properties of these user accounts. This hotfix corrects this issue by simulating the Recipient Update Service (RUS) for every mailbox or mail-enabled user account and completes the email address field with the email address of that user.
• When you create or clone a user account with a mailbox and then try to edit the user account properties, DRA displays the error message, "The E-mail address field should not be blank. Enter an address." This error occurs because DRA requires an email address for any mailbox or mail-enabled user account. The RUS updates the email address field on a scheduled basis and the email address field may remain empty until you run RUS. This hotfix corrects this issue by simulating RUS for every mailbox or mail-enabled user account and completes the email address field with the email address of that user.
• When you try to add a user account to multiple groups having the same name, but belonging to different organizational units (OUs), DRA only allows you to select one of these groups. This hotfix corrects this issue and allows you to add a user account to multiple groups.
• If you are an Assistant Admin with the Add Object to Group power or the Manage Group Memberships role, when you select a user account to add to a group, DRA does not display either the Add to Groups icon in the toolbar or the Add to Groups option in the Tasks menu. This problem occurs because DRA only allows Assistant Admins with the Add User to Group power to add users to groups. This hotfix corrects this issue by allowing Assistant Admins with the Add Object to Group power to add users to groups.

      Note:  To create mailboxes and mail-enabled user accounts, you should install the System Admin Tools for Microsoft Exchange 2000 or later on the Administration server computer. 

For more information, see NetIQ Knowledge Base Article NETIQKB55584, available at https://support.netiq.com/dra