How do I hide DRA servers from being discovered by the client? (NETIQKB72773)

  • 7772773
  • 24-Jan-2011
  • 18-Jan-2012

Environment

Directory & Resource Administrator 8.6x

Situation

How do I hide DRA servers from being discovered by the client?

How do I permanently hide a DRA server from users automatically connecting to it?

Resolution

The auto-discovery feature of DRA, in which the Account and Resource Management console (ARM) finds the "best" DRA server, is performed by the client. To let clients identify the available DRA servers and pick the "best" one, each DRA server registers a Service Connection Point (SCP) in Active Directory when it initializes. This SCP holds information such as the Active Directory Site the DRA server belongs to. When the ARM console is opened, it connects to the Domain Controller closest to the client machine and queries the SCP of each DRA server to determine the "best" DRA server for that client. In other words, if a DRA server is in the same Active Directory (AD) Site as the client machine, the client is routed to that DRA server. If there is more than one DRA server within the same AD Site, the client randomly chooses one of the DRA servers within that site.

The Service Connection Points are created during DRA server initialization as well as during the Domain Cache Refresh (which runs every 4 hours by default). So if you delete a Service Connection Point, it will be recreated on the next Domain Cache Refresh or restart of the NetIQ Administration Service.

How to permanently hide a DRA server from users automatically connecting to it.

To hide a DRA server perform the following steps:

1. Open the Active Directory Users and Computers snap-in (making sure to enable "Advanced Features" in the View menu) and browse to the System | DRAServer container
2. Right-click the name of the DRA server you wish to hide and go to Properties
3. Click the Security tab | Advanced button
4. Uncheck "Allow inheritable permissions from parent to propagate to this object and all child objects, including those with entries explicitly defined here" and then click the "Remove" button when prompted
5. Modify the security so that no user can access the SCP. (If you want, you can simply leave SYSTEM with permissions)

Note: At this stage the DRA server is hidden from users who launch the ARM console. However, if the server is restarted or a Domain Cache Refresh (DCR) runs, the SCP will be recreated, the default permissions will be put back in place, and the server will once again be visible to clients. If you wish to simply set the DCR schedule to "Never", keep in mind that the DCR is configured per DRA server, so make sure you are updating the DCR for that particular DRA server; also note that if the NetIQ Administration Service is restarted, you will have to go back in and reset the permissions again. To permanently hide the DRA server, the permissions on the DRAServer node need to be modified to remove the service account's ability to delete and recreate the SCP when the NetIQ Administration Service is restarted. To do this:

6. Right-click the DRAServer node in ADUC and go to Properties
7. Click the Security tab | Advanced button
8. Uncheck "Allow inheritable permissions from parent to propagate to this object and all child objects, including those with entries explicitly defined here" and then click the "Copy" button when prompted
9. Click Add and add the DRA service account
10. Highlight the DRA service account and click Advanced
11. Highlight the DRA service account and click Edit
12. Change "Apply to" to "This object and all child objects"
13. Set Deny permissions for Delete, Delete subtree and Delete all child objects
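The same two ACL changes (steps 1-5 on the server's SCP, steps 6-13 on the DRAServer node) can be scripted with the ActiveDirectory module. This is an added example, not part of the NetIQ article; the DRA server name, the service account name, and the assumption that each SCP is named after its DRA server are placeholders to adjust for your environment.

```powershell
# Added example (not from the NetIQ article). Assumed values: the DRA server to hide,
# the DRA service account, and that the SCP under CN=DRAServer,CN=System is named after the server.
Import-Module ActiveDirectory

$domainDn     = (Get-ADDomain).DistinguishedName
$draNodeDn    = "CN=DRAServer,CN=System,$domainDn"   # container named in the article
$hiddenServer = "DRASERVER01"                          # placeholder: DRA server to hide
$serviceAcct  = "CONTOSO\svc-dra"                      # placeholder: DRA service account

# Steps 1-5: block inheritance on the server's SCP ("Remove") and leave only SYSTEM with access.
$scp = Get-ADObject -SearchBase $draNodeDn -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=serviceConnectionPoint)(cn=$hiddenServer))"
if (-not $scp) { throw "No SCP named $hiddenServer found under $draNodeDn" }

$scpPath = "AD:\$($scp.DistinguishedName)"
$acl = Get-Acl -Path $scpPath
$acl.SetAccessRuleProtection($true, $false)            # stop inheritance, drop inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }   # drop explicit ACEs
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'   # NT AUTHORITY\SYSTEM
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $system,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)))
Set-Acl -Path $scpPath -AclObject $acl

# Steps 6-13: on the DRAServer node, keep the inherited ACEs as explicit ones ("Copy") and deny
# the service account Delete, Delete subtree and Delete all child objects, applied to this object
# and all child objects, so the service cannot remove and recreate the SCP on restart or DCR.
$nodePath = "AD:\$draNodeDn"
$nodeAcl  = Get-Acl -Path $nodePath
$nodeAcl.SetAccessRuleProtection($true, $true)
$svcSid = (New-Object System.Security.Principal.NTAccount($serviceAcct)).Translate(
              [System.Security.Principal.SecurityIdentifier])
$denyRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$nodeAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid, $denyRights,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path $nodePath -AclObject $nodeAcl
```

Run it as an account with rights to modify the DACLs under CN=System, and verify afterwards with `(Get-Acl "AD:\$draNodeDn").Access` that the Deny entry for the service account is present.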


Additional Information

Formerly known as NETIQKB72773

This procedure does not stop users who are authorized to use DRA from manually specifying the DRA server and connecting by typing in its name. To stop users from manually entering the DRA server name, you will have to modify the DCOM permissions for the MCS OnePoint Administration Service DCOM application object (for 32-bit, ADSI and CLI console connections). For the Web console, modify the permissions on the DRA directory (by default c:\program files\NetIQ\DRA) for the web console users.