What are the new features and benefits of upgrading to Directory and Resource Administrator 8.1? (NETIQKB70540)

  • 7770540
  • 23-Jul-2007
  • 29-Nov-2007

Environment

Directory and Resource Administrator 8.1

Situation

What are the new features and benefits of upgrading to Directory and Resource Administrator 8.1?

Why should I install/upgrade to Directory and Resource Administrator 8.1?

What are the Release Notes for Directory and Resource Administrator 8.1?

Resolution

This version of Directory and Resource Administrator (DRA) and Exchange Administrator (ExA) provides several new features. This version also improves usability and extends several capabilities. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

This document outlines why you should install this version, provides additions to the documentation, and identifies any known issues. We assume you are familiar with previous versions of this product. For more information about installing these products, see the Administration Installation Guide.

Why Install This Version?

NetIQ Directory and Resource Administrator (DRA) delivers an unparalleled ability to control who can manage what within Active Directory while protecting the consistency and integrity of its information by validating all administrative changes. Through granular delegation of permissions, robust change management policies, and automation that simplifies workflows, DRA reduces downtime and the operational risk that malicious or accidental changes pose to Active Directory.

This version provides enhanced policy and regulation compliance, operational integrity, and process enforcement capabilities. These new features, combined with the powerful, policy-based administration that DRA provides, help you comply with regulatory standards and increase the security of your Active Directory deployment.

The following sections outline the new key features and functions:

Advanced Queries

DRA allows you to use advanced queries to perform searches on customized attributes, such as account lockout status, that are not available through regular DRA search functionality.

Virtual Attributes

DRA allows you to create user-defined attributes to define custom properties for Active Directory objects without extending the Active Directory schema.

Active Directory Application Mode for Data Storage

DRA uses Active Directory Application Mode (ADAM) to store specific information. ADAM is now also known as Active Directory Lightweight Directory Services (ADLDS).

Support for 64-Bit Platforms

In addition to 32-bit platforms, DRA now supports 64-bit platforms, ensuring you can run DRA in any Windows environment.

Note: 64-bit support does not include Itanium-based 64-bit support.

Support for Running DRA Clients on Microsoft Windows Vista Operating System

You can now install the DRA and ExA user interfaces on computers running Microsoft Windows Vista. The Web Console supports Microsoft Windows Vista running on Internet Explorer 7.0. The Web Console also supports Internet Explorer 7.0 on Microsoft Windows XP, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003.

Support for Microsoft Exchange Server 2007

DRA and ExA 8.1 now allow you to manage Microsoft Exchange Server 2007 mailboxes.

Upgrading from Previous Versions

To upgrade from previous versions, install the new version over your existing version. You do not need to uninstall your existing version. For more information about upgrading from previous versions, see the Administration Installation Guide.

Additions to Documentation

The product documentation is up-to-date with the exception of information in the Administration Installation Guide pertaining to the ADAM admin account.

Creating Domain Local Security Groups to Manage ADAM

If you have a secondary Administration server in the same forest as the primary Administration server, either reuse the domain local security group that serves as the ADAM admin account for the primary Administration server, or create another domain local security group in the secondary Administration server's domain and use it as the ADAM admin account.

If you have a secondary Administration server in a different forest than the forest of the primary Administration server, use a domain local security group from the secondary Administration server's domain as the ADAM admin account. The Administration server service account of the secondary Administration server should be a member of this group and should also be a member of the ADAM admin account of the primary Administration server.

Note: Before you promote a secondary Administration server to be a primary Administration server, add all Administration server service accounts in the Multi-Master Set (MMS) to the ADAM admin account.

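The following script is an added example, not NetIQ's code or part of the Administration Installation Guide. It creates the domain local security group that will serve as the ADAM admin account and adds the Administration server service accounts of an MMS to it, which is the membership the note above says must be in place before a promotion. It assumes the ActiveDirectory PowerShell module (from RSAT) is available and that the group name, container and service account names shown are placeholders for your own; it covers the same-forest case, where every service account can be resolved by sAMAccountName.

```powershell
# Added example (not NetIQ's code): build the domain local group used as the
# ADAM admin account and make sure every Administration server service account
# in the MMS is a member. Names below are assumed placeholders.
Import-Module ActiveDirectory

$GroupName       = 'DRA-ADAM-Admins'                          # assumed group name
$GroupOU         = 'OU=Service Groups,DC=corp,DC=example'     # assumed container
$ServiceAccounts = @('svc-dra-primary', 'svc-dra-secondary')  # assumed sAMAccountNames

# Create the group only if it does not already exist, so the script can be re-run safely.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                         -Path $GroupOU -PassThru
}

# Add each service account that is not yet a member (an empty group yields $null here).
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
foreach ($acct in $ServiceAccounts) {
    if ($current -notcontains $acct) {
        Add-ADGroupMember -Identity $group -Members $acct
    }
}

# Print the final membership so it can be checked before promoting a secondary server.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
```

For a secondary Administration server in a different forest, the service account is a foreign security principal and must be resolved with its distinguished name or SID (for example via Get-ADUser with -Server against the other forest) before Add-ADGroupMember will accept it; the domain local scope is what allows that cross-forest membership.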
Viewing Documentation Files

When viewing the documentation files in the installation kit, you may observe the following issues:

The installation kit provides some documentation in PDF files. To view these documentation files, you need Adobe Acrobat or Adobe Acrobat Reader installed. You can download Adobe Acrobat Reader from the Adobe Web site (www.adobe.com).

When you view the documentation files through the setup program, the snap-in for Internet Explorer may display some hidden text, such as index entry tagging, in the files. To hide this hidden text:

  1. On the Tools menu, click Options.
  2. Clear the All and Hidden Text check boxes, and then click OK.

General Notes

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact NetIQ Technical Support (www.netiq.com/support).

Handling Port Numbers of Inactive ADAM Instances

During the DRA installation process, if an existing ADAM instance is not running, DRA assumes that the port numbers of that instance are available for creating a new ADAM instance and allows you to use them. If you use port numbers that an existing instance already owns, the DRA installation process prompts you to run the setup program again. Keep your own record of the port numbers you assign to each new ADAM instance.
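Because the installer only checks whether a port is currently listening, a practical way to keep the record the paragraph asks for is to read the ports every registered ADAM instance claims, running or not, and compare a candidate port against both that list and the live listeners. The script below is an added example, not NetIQ's code. It assumes, as I understand Microsoft's ADAM/AD LDS documentation, that each instance is registered as a service named ADAM_<instance> and keeps its ports in the service's Parameters registry key as "Port LDAP" and "Port SSL"; verify those names on your own server before relying on the output. The candidate port is a placeholder.

```powershell
# Added example (not NetIQ's code): enumerate ADAM instances with their recorded
# ports and service state, then test whether a candidate port is truly free.
# Assumption: services are named ADAM_<instance> and store ports under
# ...\Services\ADAM_<instance>\Parameters as "Port LDAP" / "Port SSL".
function Get-AdamInstancePorts {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -like 'ADAM_*' } |
        ForEach-Object {
            $params = Get-ItemProperty -Path ($_.PSPath + '\Parameters') -ErrorAction SilentlyContinue
            $svc    = Get-Service -Name $_.PSChildName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Instance = $_.PSChildName
                Status   = if ($svc) { $svc.Status } else { 'Unknown' }
                LdapPort = $params.'Port LDAP'
                SslPort  = $params.'Port SSL'
            }
        }
}

# True when nothing on this host is currently listening on the TCP port.
function Test-TcpPortFree {
    param([int]$Port)
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    return -not ($listeners | Where-Object { $_.Port -eq $Port })
}

# A port is safe for a new instance only if no registered instance claims it
# (even a stopped one) AND nothing else is listening on it right now.
function Test-AdamPortAvailable {
    param([int]$Port)
    $claimed = Get-AdamInstancePorts | ForEach-Object { $_.LdapPort; $_.SslPort }
    return ($claimed -notcontains $Port) -and (Test-TcpPortFree -Port $Port)
}

Get-AdamInstancePorts | Format-Table -AutoSize
Test-AdamPortAvailable -Port 50000   # assumed candidate port for the new instance
```

Run it before starting the DRA setup program; a stopped instance shows up with its ports still claimed, which is exactly the case the installer misses.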

Assigning Appropriate Powers for Executing Saved Advanced Queries

Assistant Admins with Execute Saved Advanced Query power also require the View Advanced Query power to be able to view and execute saved advanced queries in the advanced search pane.

Web Console Not Connecting to the Administration Server in Double-Hop Scenarios

The Web Console cannot connect to the Administration server in double-hop scenarios where you launch the browser from an external trusted forest. For more information about this issue, see NetIQ Knowledge Base Article NETIQKB70535, available at https://support.netiq.com/dra, or contact NetIQ Technical Support at www.netiq.com/support.

Running the Web Console on 64-Bit Operating Systems

To use the Web Console on 64-bit operating systems, you need to configure the Internet Information Server (IIS) to support 32-bit worker processes in the Worker Process Isolation mode of 64-bit operating systems. For more information about this issue, see NetIQ Knowledge Base Article NETIQKB70519, available at https://support.netiq.com/dra, or contact NetIQ Technical Support at www.netiq.com/support.
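For IIS 6.0 on 64-bit Windows Server 2003, the metabase property that controls this is Enable32BitAppOnWin64, set with the adsutil.vbs script Microsoft ships in the AdminScripts folder. The commands below are an added example, not NetIQ's code and not a substitute for NETIQKB70519; they assume the default AdminScripts path and show the current value before and after the change so the result can be confirmed.

```powershell
# Added example (not NetIQ's code): switch IIS 6.0 on 64-bit Windows to 32-bit
# worker processes so the Web Console can run. Assumes the default adsutil.vbs path.
$adsutil = Join-Path $env:SystemDrive 'inetpub\AdminScripts\adsutil.vbs'
if (-not (Test-Path $adsutil)) { throw "adsutil.vbs not found at $adsutil" }

# Record the current setting before changing anything (expect 0/False on a stock x64 install).
cscript //nologo $adsutil GET W3SVC/AppPools/Enable32BitAppOnWin64

# Enable 32-bit worker processes for all application pools (Worker Process Isolation mode).
cscript //nologo $adsutil SET W3SVC/AppPools/Enable32BitAppOnWin64 1

# Restart IIS so existing worker processes are recycled, then confirm the new value.
iisreset
cscript //nologo $adsutil GET W3SVC/AppPools/Enable32BitAppOnWin64
```

Note that the setting is server-wide in IIS 6.0: every application pool on that server becomes 32-bit, so check for other 64-bit web applications on the host before applying it.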

Adding Secondary Administration Servers in Trusted Domains

When you add a secondary Administration server that is in a trusted domain to a primary Administration server, you may not be able to create advanced queries on the secondary Administration server. If this issue occurs, you may need to restart the secondary Administration server.

Installing the DRA Server on a Domain Controller

When you install the DRA server on a domain controller, the ADAM instance runs under the Network Service account. In this scenario, run ADAM under an Active Directory account that does not have administrative privileges. For more information about the best practices in such a scenario, see the Microsoft TechNet article about ADAM replication and configuration sets at www.microsoft.com.

DRA and ExA No Longer Support Microsoft Exchange 5.5

DRA and ExA 8.1 no longer support Microsoft Exchange 5.5. We recommend that you migrate your mailboxes to Microsoft Exchange 2000, Microsoft Exchange 2003, or Microsoft Exchange Server 2007. You can still manage Microsoft Exchange 5.5 mailboxes using DRA and ExA, but if you face any issues, NetIQ Technical Support may not be able to help you.

Demoting a Primary Administration Server to a Secondary Administration Server in Another Multi-Master Set

When you demote the primary Administration server in one MMS and add it as a secondary Administration server in another MMS, you may not be able to create advanced queries.

To avoid this issue, perform the following steps manually:

  1. After demoting a primary Administration server, access the other primary Administration server and add the demoted primary Administration server as a secondary Administration server to it.
  2. Manually restart the NetIQ Administration service on the secondary Administration server.

Connecting to the ADAM Partition When DRA Is Running in a Microsoft Windows 2000 Mixed Mode Domain

If DRA is running in a Microsoft Windows 2000 Mixed Mode domain, the NetIQ Administration service cannot connect to the ADAM partition. To avoid this issue, raise the domain functional level to Microsoft Windows 2000 Native Mode or higher. Microsoft Windows 2000 Mixed Mode is required only if you have pre-Windows 2000 domain controllers, and DRA does not support pre-Windows 2000 domain controllers.

Unable to Add Certain Attributes Available in Built-In Powers to a New Power

You may not be able to add certain attributes available in built-in powers to a new power. These attributes are:

  • $McsLocalAccount
  • LoginHours
  • LoginWorkstations
  • LogonHours
  • LogonWorkstations

As a workaround, you can clone the built-in power and then add the attributes you want to the new power.

Setting Microsoft Exchange Mailbox Permissions for Well-Known Security Principals

DRA does not allow you to set permissions for the SELF and SYSTEM security principals on the Mailbox security tab of the User Properties window. Please contact NetIQ Technical Support for help on this issue.

Using Extended ASCII Character Set in Passwords

During installation, DRA does not accept extended ASCII characters in passwords for the Administration server service account. You can use only standard ASCII characters in your passwords while installing DRA. After installing DRA, you can modify the Administration server service account password to include extended ASCII characters.

Home Directories Created Using DRA

If you have created home directories using DRA, DRA may create a new access control entry (ACE) on the parent directory for each new home directory you create. There is no known workaround for this issue.

Permanently Deleting Certain Objects from the DRA Recycle Bin

The DRA Recycle Bin does not allow you to permanently delete objects that have other objects associated with them. Please contact NetIQ Technical Support for help on this issue.

Managing Multiple Administration Servers

If you experience issues when configuring and maintaining your Multi-Master Set, see the NetIQ Knowledge Base for related articles. For example, for more information about specifying an access account for a secondary Administration server, see NetIQ Knowledge Base Article NETIQKB1157.

Implementing Property Validation Policies in Active Directory Domains

To successfully implement a property validation policy for an Active Directory domain, ensure the selected property is a valid Active Directory property. For example, to establish a property validation policy for a user's first name, specify the givenName property. To establish a property validation policy for a user's last name, specify the sn property. For more information about Active Directory properties, see the Schema.mdb file provided with the Directory and Resource Administrator Software Development Kit.
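A policy that names a display label such as "First Name" instead of the attribute givenName will not validate anything, so it is worth checking each property name against the schema of the domain before the policy is configured. The function below is an added example, not NetIQ's code or part of the DRA SDK; it looks the name up as an lDAPDisplayName among the attributeSchema objects in the schema partition and requires the ActiveDirectory PowerShell module. The candidate list is constructed to show both correct names and the common mistakes.

```powershell
# Added example (not NetIQ's code): confirm that a property name used in a
# property validation policy is a real Active Directory attribute.
Import-Module ActiveDirectory

function Test-ADAttributeName {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    # LDAP display names are plain identifiers; rejecting anything else also keeps
    # filter metacharacters such as * ( ) \ out of the LDAP filter built below.
    if ($LdapDisplayName -notmatch '^[A-Za-z][A-Za-z0-9-]*$') { return $false }

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter   = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $hit = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName
    return [bool]$hit
}

# Constructed candidates: givenName and sn are the attributes for first and last
# name; the display-style spellings are not attributes and would make a policy fail.
$candidates = 'givenName', 'sn', 'First Name', 'FirstName', 'LastName', 'Surname'
foreach ($name in $candidates) {
    [pscustomobject]@{
        Property       = $name
        ValidAttribute = Test-ADAttributeName -LdapDisplayName $name
    }
}
```

Because the lookup runs against the live schema, it also reflects any custom schema extensions in your forest, whereas the Schema.mdb file in the SDK describes only the standard schema at the time the kit was built.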

Accessing Exchange 2000 Functions on a Secondary Administration Server

After you configure or promote a secondary Administration server, you may not be able to access Exchange 2000 functionality through that Administration server. To correct this issue, restart the Administration server.

Access Account Logon Error When Changing from Override to Service Account

After switching the access account for a domain from an override account to the service account or from the service account to an override account, you may receive an error message. DRA cannot verify whether the account is a member of the Exchange Domain Servers group. You should manually verify that the access account has these permissions. This applies only in environments with Exchange 2000 or later.

Accessing Windows Server 2003 Attributes on a Secondary Administration Server

After you configure or promote a secondary Administration server, you may not be able to access Windows Server 2003 attributes through that Administration server. To correct this issue, restart the Administration server.

Managing Administrator Accounts in an Active Directory Subtree

When managing administrator accounts in a managed subtree of an Active Directory domain, you may encounter permissions issues. If the account is a member of a native administrator group, Active Directory may reset the Access Control List (ACL) of this account, preventing DRA from being able to manage the account. Affected accounts include members of the following groups:

  • Administrators
  • Domain Admins
  • Enterprise Admins
  • Schema Admins

For more information about this issue, see Microsoft Knowledge Base Article Q232199.
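The mechanism behind this note is the AdminSDHolder object described in that article: Active Directory periodically stamps members of the protected groups with adminCount=1 and overwrites their ACL with the AdminSDHolder template, which discards the permissions DRA delegated. Listing the accounts in a managed subtree that carry that flag shows up front which objects DRA will not be able to manage. The script below is an added example, not NetIQ's code; it requires the ActiveDirectory PowerShell module, and the subtree DN is a placeholder.

```powershell
# Added example (not NetIQ's code): report accounts in a managed subtree whose
# ACL Active Directory resets because AdminSDHolder protects them (adminCount=1).
Import-Module ActiveDirectory

$ManagedSubtree  = 'OU=Managed,DC=corp,DC=example'   # assumed DRA managed subtree
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# adminCount=1 is the marker the SDProp process leaves on protected accounts.
$flagged = Get-ADUser -SearchBase $ManagedSubtree -LDAPFilter '(adminCount=1)' `
                      -Properties adminCount, memberOf

foreach ($user in $flagged) {
    # Resolve direct group memberships to names; groups in other domains may not resolve.
    $groups = $user.memberOf | ForEach-Object {
        (Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue).Name
    }
    $via = $groups | Where-Object { $protectedGroups -contains $_ }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        # Empty when the account is protected through nested membership, or when it
        # was removed from the groups but the adminCount flag was never cleared.
        ProtectedVia      = ($via -join ', ')
    }
}
```

Accounts that appear with an empty ProtectedVia column deserve a second look: memberOf shows only direct membership, and Active Directory does not clear adminCount when an account leaves a protected group, so such accounts keep the restrictive ACL until the flag is reset by an administrator.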

Working with Distributed File System Shares

When working with Distributed File System (DFS) shares, the Administration server may not correctly translate the path to the actual file location. To correct this issue, specify the actual path to the location from which the DFS is sharing the files and directories.

Creating Custom Policies with Executable Files

If you specify an executable file when creating a custom policy, ensure the executable file does not launch a graphical user interface. Using an executable file that launches a graphical user interface may cause the process to take longer than expected and will cause the operation to fail.

Additional Information

Formerly known as NETIQKB70540

General Notes Continued

Managing Multiple Windows 2000 or Later Domains with Exchange 2000 Support

If DRA is managing a Windows 2000 domain with Exchange 2000 support as well as a Windows 2003 domain, DRA may not be able to access object properties specific to Windows 2003. By default, when managing multiple Active Directory domains, the Administration server uses the largest Active Directory schema to populate the accounts cache. If the selected schema (Windows 2000) does not contain object properties that are available in another managed Active Directory (Windows 2003), DRA cannot access those additional properties. For more information about correcting this issue, see the NetIQ Knowledge Base Article NETIQKB35094.

Domain Controller Becoming Unavailable

If the domain controller becomes unavailable while you are performing a task, specify another domain controller by performing one of the following tasks:

  • Perform an immediate domain configuration refresh.
  • Specify the target domain controller to which DRA applies your change.

Creating and Managing Microsoft Exchange 2007 Mailboxes in Trusted Domains

To create Microsoft Exchange 2007 mailboxes in trusted domains managed by DRA, you need to install secondary Administration servers in the trusted domains. To manage Microsoft Exchange 2007 mailboxes in trusted domains managed by DRA, you need to install primary and secondary Administration servers in the trusted domains.

DRA Creates Two Email Addresses when Restoring Contacts from the DRA Recycle Bin

When you delete a contact with an alias that is different from the contact name, and then restore this contact from the DRA Recycle Bin, DRA creates two different email addresses for the contact. Currently there is no known workaround for this issue.