Directory and Resource Administrator
Exchange Administrator

Version 8.0 Service Pack 1

Release Notes

Revised: March 15, 2007

Directory and Resource Administrator (DRA) and Exchange Administrator (ExA) provide highly secure and automated administration of Microsoft Windows Server 2003, Microsoft Windows 2000 Server, and Microsoft Exchange. Through advanced delegation and powerful policy-based management capabilities, DRA and ExA increase Active Directory security, dramatically reduce administrative efforts and costs while increasing efficiency, and protect the integrity of data in your Microsoft Windows Server 2003 Active Directory, Microsoft Windows 2000 Server Active Directory, and Microsoft Exchange directory.

DRA and ExA 8.0 Service Pack 1 provides improvements and corrects issues found in DRA and ExA 8.0. This service pack also incorporates all the hotfixes available for DRA and ExA 8.0. NetIQ has made many of these improvements in direct response to suggestions from customers. Thank you for your time and valuable input.

This document outlines why you should install this service pack, provides additions to the documentation, and identifies any known issues. We assume you are familiar with previous versions of this product. For more information about installing DRA and ExA, see the Installation Guide.

Why Install This Service Pack?

The following sections outline the new key features and functions as well as some issues that this service pack corrects:

Display of Group if Selected Users are Existing Members

This service pack resolves an issue where the Account and Resource Management (ARM) and Delegation and Configuration (DC) consoles did not display groups to which you wanted to add multiple members concurrently when at least one user was already a member of the specified group. When adding multiple users to a group at the same time, the ARM and DC consoles now display all groups to which you want to add these users even if one or more users are already members of the specified group. When you add users who are existing members of a group, DRA ignores existing members and only adds users who are not yet members of that group.

Audit of Password Reset Flag in the Application Log

This service pack resolves an issue where DRA did not record password reset events in the Application event log when you reset a user password by right-clicking the user and resetting the password. DRA now records all password events in the Application event log regardless of how you initiate the password reset.

Recycle Bin Support in the Web Console for Groups, Contacts, and Computers

In addition to users, DRA now allows you to use the Web Console to delete and restore groups, contacts, and computers in the Recycle Bin.

Web Console Support for Contacts

DRA now allows you to use the Web Console to manage contacts. However, you cannot manage mailboxes for contacts using the Web Console.

Connection to Primary Administration Server Using Web Console

DRA now allows you to use the Web Console to connect to the primary Administration server, even if you install the Web Console and the primary Administration server on computers running Windows Server 2003 Service Pack 1. This enhancement is in addition to the issue addressed in NetIQ Knowledge Base Article NETIQKB14935, available at http://support.netiq.com/dra.

Display of Correct Number of User Accounts in Managed Domains

This service pack resolves an issue where DRA was including user objects in managed as well as trusted domains in the license count. DRA now excludes user objects from trusted domains in the license count and displays the correct number of user accounts in all managed domains in the License tab of the DRA Properties window.

Display of Custom User Interface Extensions

This service pack corrects an issue where DRA did not display custom user interface extensions for users in some domains. DRA now correctly displays custom user interface extensions in the User Properties window.

Usage of Wildcard Characters as Normal Characters in DRA Search

DRA now allows you to specify the question mark (?), asterisk (*), or number sign (#) wildcard characters as normal characters by prefixing a backslash (\) to the particular wildcard character when searching for a specific character pattern in DRA. For example, to search for abc*, type the search text abc\*.

Display of Unhandled Exception Errors when Creating New Temporary Group Assignments

This service pack resolves an issue where DRA displayed unhandled exception errors when creating new temporary group assignments on computers where the regional options settings displayed a region other than English (United States) in the Regional and Language Options application in Control Panel. DRA now creates temporary group assignments without any errors.

More Specific Powers to Move Objects to Organizational Units

DRA now provides you with more specific powers to move different objects to organizational units (OUs). The new powers are:

  • Move Computer to OU
  • Move Contact to OU
  • Move Group to OU
  • Move Organizational Unit to OU
  • Move Print Queue to OU
  • Move User to OU

Support for InetOrgPerson Object in DRA

This service pack resolves an issue where DRA did not recognize the InetOrgPerson object type. DRA now recognizes InetOrgPerson objects as normal users and provides all user management tasks to manage InetOrgPerson objects. DRA does not recognize the special properties available for an InetOrgPerson object.

Note
DRA now includes InetOrgPerson object types in the license count.

Registry Restoration during a Multi-Master Set Synchronization

This service pack includes hotfix 54631. Hotfix 54631 corrected an issue with the way DRA handled registry restoration during a Multi-Master Set (MMS) synchronization between primary Administration servers and secondary Administration servers and when you had set the NetIQ Administration service to automatically start on secondary Administration servers.

When a Multi-Master Set (MMS) synchronization occurs, the primary Administration server exports the registry keys for different modules and transfers these files to computers running as secondary Administration servers. The secondary Administration servers delete the existing registry entries for these modules and restore the registry keys using the files from the primary Administration server. If the secondary Administration server is running Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows XP, or Microsoft Windows XP Service Pack 2 and if any of the exported files is large in size, the registry restoration takes a very long time and during this time, the secondary Administration server computer becomes unavailable. Similarly, if you set the NetIQ Administration service to start automatically and if you restart the secondary Administration server, the secondary Administration server takes a long time to complete the registry restoration.

DRA now allows you to restore the registry on the secondary Administration server one key at a time during MMS synchronization so DRA does not completely lock the registry during registry restoration.

To configure each secondary Administration server computer before or after installing this service pack:

  1. Start the Registry Editor interface.
  2. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\Refresh.
  3. On the Edit menu, click New > DWORD Value.
  4. Type MMSRegRestoreType.
    1. If the value data for the MMSRegRestoreType value is 0, the secondary Administration server uses the old registry restoration method.
    2. If the value data for the MMSRegRestoreType value is 1, the secondary Administration server uses the new registry restoration method.
  5. To change the value data, select MMSRegRestoreType.
  6. On the Edit menu, click Modify and type 0 or 1.
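
The same configuration as a script, for applying it to several secondary Administration servers. This is an added example, not NetIQ-supplied code; it uses only the key path and value name given in the steps above, and the parameter name RestoreType is an assumption of the example.

```powershell
# Added example (not from NetIQ): sets MMSRegRestoreType on a secondary
# Administration server. Run from an elevated PowerShell session.
param(
    # 1 = new one-key-at-a-time restoration, 0 = old restoration method
    [ValidateSet(0, 1)]
    [int]$RestoreType = 1
)

$key  = 'HKLM:\SOFTWARE\Mission Critical Software\OnePoint\Administration\Modules\ServerConfiguration\Refresh'
$name = 'MMSRegRestoreType'

# Refuse to create the key tree on a computer that does not already have it.
if (-not (Test-Path -Path $key)) {
    throw "Registry key not found: $key"
}

# Record the previous setting so the change can be reverted.
$previous = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $previous) {
    "Previous value: (not set)"
} else {
    "Previous value: $($previous.$name)"
}

# -Force overwrites an existing value and keeps the DWORD type.
New-ItemProperty -Path $key -Name $name -PropertyType DWord `
    -Value $RestoreType -Force | Out-Null

# Read the value back to confirm what the server will use.
$current = (Get-ItemProperty -Path $key -Name $name).$name
"Current value:  $current"
```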

Installing This Service Pack

To benefit from the new features and fixes provided in this service pack, install it on each Administration server computer and on each computer where you installed an Account and Resource Management console or Delegation and Configuration console.

You should have DRA and ExA 8.0 already installed on your computer. To upgrade to DRA and ExA version 8, install the new version over your existing version. Do not uninstall your existing version.

To install this service pack:

  1. Download the NetIQ Directory and Resource Administrator and Exchange Administrator 8.0 Service Pack 1 installation program.
  2. Double-click the DRA800_SP1.msi file.

Hotfixes

This service pack includes all the hotfixes previously released for DRA and ExA 8.0. The following table describes the issues and the corresponding fixes:

Hotfix Number    Description

54920    DRA Agent Installation on 64-Bit Domain Controllers

 
This hotfix corrects an issue with the way DRA handles the installation of DRA Agents on 64-bit domain controllers.

 
If your domain includes a 64-bit domain controller with the primary Administration server running on a 32-bit member server of this domain, and if you try to install the DRA Agent on the 64-bit domain controller using the Delegation and Configuration console or the EaAgentUtil command in the CLI, the installation fails.

This hotfix ensures the successful installation of the DRA Agent on a 64-bit domain controller by modifying the prerequisite check that searches for the specific processor architecture.

For more information, see NetIQ Knowledge Base Article NETIQKB54920, available at http://support.netiq.com/dra

55224    Full Accounts Cache Refresh Failure During Group Enumeration

 
This hotfix corrects an issue with the way DRA handles the failure of full accounts cache refreshes in some scenarios where DRA is enumerating groups of a particular domain and the group has members that belong to a different domain.

 
During a full accounts cache refresh in certain scenarios, the DraDomFile.exe file, which performs the caching, fails when it is enumerating groups in a particular domain and the group has members that belong to a different domain.

This hotfix includes a workaround to ensure DRA completes the full accounts cache refresh successfully. The workaround requires you to create a text file called DcsToIgnore.txt with entries containing the distinguishedName of the domains to which the group members belong.

Note
You should only add entries for those domains that cause the failure.

For example, if DraDomFile.exe fails when enumerating the group members of domain X, which contains a few group members that belong to domain Y and possibly some other domains, and the failure occurs when processing group members from domain Y, the entry in the text file should contain the value of the distinguishedName attribute of domain Y.

Save this text file in the {InstallDir}\Program Files\NetIQ\DRA\DomFiles folder. Create and set the TruncateGroupMemberships registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration to True before performing the full accounts cache refresh.

For more information, see NetIQ Knowledge Base Article NETIQKB55224, available at http://support.netiq.com/dra

55584    User Accounts Management

This hotfix addresses the following issues:

  • When you remove certain user accounts from the Send on behalf list on the Delivery options tab on the User Properties window, DRA removes all user accounts between and after the selected user accounts. This hotfix corrects this issue by only removing the selected user accounts from the Send on behalf list.
  • When you select multiple user accounts and try to update the properties of these accounts, DRA displays the error message, "The E-mail address field should not be blank. Enter an address." DRA prevents you from updating the properties of these user accounts. This hotfix corrects this issue by simulating the Recipient Update Service (RUS) for every mailbox or mail-enabled user account and completes the email address field with the email address of that user.
  • When you create or clone a user account with a mailbox and then try to edit the user account properties, DRA displays the error message, "The E-mail address field should not be blank. Enter an address." This error occurs because DRA requires an email address for any mailbox or mail-enabled user account. The RUS updates the email address field on a scheduled basis and the email address field may remain empty until you run RUS. This hotfix corrects this issue by simulating RUS for every mailbox or mail-enabled user account and completes the email address field with the email address of that user.
  • When you try to add a user account to multiple groups having the same name, but belonging to different organizational units (OUs), DRA only allows you to select one of these groups. This hotfix corrects this issue and allows you to add a user account to multiple groups.
  • If you are an Assistant Admin with the Add Object to Group power or the Manage Group Memberships role, when you select a user account to add to a group, DRA does not display either the Add to Groups icon in the toolbar or the Add to Groups option in the Tasks menu. This problem occurs because DRA only allows Assistant Admins with the Add User to Group power to add users to groups. This hotfix corrects this issue by allowing Assistant Admins with the Add Object to Group power to add users to groups.

    Note
    To create mailboxes and mail-enabled user accounts, you should install the System Admin Tools for Microsoft Exchange 2000 or later on the Administration server computer.

For more information, see NetIQ Knowledge Base Article NETIQKB55584, available at http://support.netiq.com/dra


Additions to Documentation

Viewing Documentation Files

When viewing the documentation files in the installation kit, you may observe the following items:

  • The installation kit provides some documentation in PDF files. To view these documentation files, you need Adobe Acrobat or Adobe Acrobat Reader installed. You can download Adobe Acrobat Reader from the Adobe Web site (www.adobe.com).
  • When you view the documentation files through the setup program, the snap-in for Internet Explorer may display some hidden text, such as index entry tagging, in the files. To hide this hidden text:
    1. On the Tools menu, click Options.
    2. Clear the All and Hidden Text check boxes, and then click OK.

The following sections supplement the Administrator Guide and provide information about configuring and managing the Administration server. For more information about using DRA and ExA in your enterprise, contact NetIQ Solutions Support (www.netiq.com/support).

Managing Home Directory Triggers for NetApp Filers

NetApp filers do not have drive letters. When you define a policy or automation trigger for managing home directories on a NetApp filer, you need to use a different format for the directory specification.

If you are using Windows file systems, specify the parent directory in the following format:

\\machinename\driveletter:\path

If you are using NetApp filers, specify the parent directory in the following format:

\\FilerName\adminshare:\volumerootpath\directorypath

The adminshare variable is the hidden share that maps to the root volume on the NetApp filer, such as c$. For example, if the local path of the share on the usfiler NetApp filer is c$\vol\vol0\mydirectory, you can specify a root path of \\usfiler\c:\vol\vol0\scratch for the NetApp filer.

Managing Delete and Rename HomeShare Triggers

Delete and rename HomeShare triggers will not work until you specify valid root directories. Upgrading from 7.0 to 7.5 or later will cause the delete and rename triggers to stop working until you enter the valid root directories.

Installing Agents on Any Windows Server 2003 Domain Controller Requires Domain Controller Policy Changes

Check for the proper policy settings when installing agents on Windows Server 2003 domain controllers. If you changed the Impersonate a client after authentication policies, you need to include Local Service and Network Service, or leave the policy setting undefined (default). For more information about this agent install issue, see the NetIQ Knowledge Base Article NETIQKB36744.
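
One way to run this check on the domain controller before installing the agent. This is an added example, not NetIQ-supplied code; it assumes the built-in secedit tool exports accounts as SIDs, and the scratch file name is arbitrary. S-1-5-19 and S-1-5-20 are the well-known SIDs for Local Service and Network Service.

```powershell
# Added example (not from NetIQ): reports whether Local Service and Network
# Service hold "Impersonate a client after authentication"
# (SeImpersonatePrivilege). Run from an elevated PowerShell session.
$required = @{
    'S-1-5-19' = 'Local Service'     # well-known SID
    'S-1-5-20' = 'Network Service'   # well-known SID
}

# Export the user rights assignments to a scratch file.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit export failed with exit code $LASTEXITCODE"
}

try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

if (-not $line) {
    # No entry in the export: the right is not explicitly assigned.
    'SeImpersonatePrivilege has no entry in the export (setting undefined).'
} else {
    # Entries are comma-separated; SIDs are written with a leading asterisk.
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
    $missing = $required.Keys | Where-Object { $holders -notcontains $_ }

    if ($missing) {
        $missing | ForEach-Object { "MISSING: $($required[$_]) ($_)" }
    } else {
        'OK: Local Service and Network Service both hold SeImpersonatePrivilege.'
    }
}
```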

Uninstalling Microsoft Operations Manager Agents or Installing the Microsoft Operations Manager 2005 Hotfix on a Computer Running DRA

If you are uninstalling the Microsoft Operations Manager (MOM) agent or installing the MOM 2005 hotfix on a computer running DRA, you need to take a backup of the NetIQ registry key. For more information about this issue, see the NetIQ Knowledge Base Article NETIQKB47391.

Additional Administration Server Configurations

DRA provides several feature enhancements you can configure on the Administration server. For more information about these enhancements, see NetIQ Knowledge Base Article NETIQKB7039.

Additional Implementation Scenarios

For more information about implementation scenarios and best practices, such as designing exclusion rules for multiple ActiveViews, see the relevant NetIQ Knowledge Base articles.
