Where on each DRA server can the Service and / or Access account information be configured?

  • 7012508
  • 29-May-2013
  • 22-Aug-2013

Environment

NetIQ Directory and Resource Administrator 8.5.x
NetIQ Directory and Resource Administrator 8.6.x

Situation

NetIQ Directory and Resource Administrator (DRA) requires an Active Directory user account to accomplish the following tasks:
 
  1. Run the various Windows Services Associated with each DRA Server
  2. Connect the Primary DRA Server to all Secondary DRA Servers
  3. Interact with each managed Domain
  4. Connect to a SQL Server when using the Optional DRA Reporting features
  5. Collect AD data from the DRA Managed Domains when using the Optional DRA Reporting features
  6. Run the Internet Information Services (IIS) Application Pool on the Web Server hosting the NetIQ Reporting Center (NRC) when using the Optional DRA Reporting features
  7. Interact with each DRA Server's Local Active Directory Application Mode (ADAM) / Active Directory Lightweight Directory Services (ADLS) instance

Resolution

To change the AD Account used to run the NetIQ DRA Services:
  1. Login Locally to each DRA Server's Windows Console as a Local Admin
  2. Use Windows Services Manager to change the properties of the DRA Services
    • NetIQ Administration Service
    • NetIQ DRA Core Service
    • NetIQ DRA Log Archive Service
  3. After changing the properties, all services will need to be restarted
    • Caution: Restarting the Services will render the specific DRA Server unavailable until each Managed Domain's Accounts cache has completed.
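
To confirm the result of the service account change above, the following added example (not NetIQ code and not part of the original article) reports the logon account of the three DRA services by the display names listed in this article. The `-ComputerName` server list and the optional `-ExpectedAccount` value are assumptions you supply, and remote servers are assumed to be reachable over WinRM.

```powershell
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumption: pass your DRA server names
    [string]$ExpectedAccount                         # optional, e.g. 'EXAMPLE\svc-dra' (constructed value)
)

# Display names as listed in this article.
$draServices = 'NetIQ Administration Service',
               'NetIQ DRA Core Service',
               'NetIQ DRA Log Archive Service'

$report = foreach ($server in $ComputerName) {
    # Query the local machine directly; only remote servers go through WinRM.
    $target = @{}
    if ($server -ne $env:COMPUTERNAME) { $target.ComputerName = $server }

    foreach ($displayName in $draServices) {
        $svc = Get-CimInstance -ClassName Win32_Service @target `
                   -Filter "DisplayName = '$displayName'" -ErrorAction SilentlyContinue

        # StartName is the account shown on the service's Log On tab.
        # The comparison is a literal, case-insensitive string match, so
        # DOMAIN\user and user@domain forms of one account will not match.
        $finding = if (-not $svc) {
            'service not found or server unreachable'
        } elseif ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
            'built-in account, not an AD user account'
        } elseif ($ExpectedAccount -and $svc.StartName -ine $ExpectedAccount) {
            "differs from expected account $ExpectedAccount"
        } else {
            'ok'
        }

        [pscustomobject]@{
            Server  = $server
            Service = $displayName
            LogOnAs = $svc.StartName
            State   = $svc.State
            Finding = $finding
        }
    }
}

$report | Format-Table -AutoSize
```

The script only reads service configuration; a `State` other than `Running` after the change indicates a service that still needs to be restarted.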
To change the AD Account used by the Primary Server to access each Secondary Server:
  1. Login to the DRA Delegation and Configuration console (D&C Console) as a DRA Assistant Admin (AA) with DRA Administration Powers
  2. Connect the D&C Console to the Primary DRA Server
  3. Expand the Configuration Management Node
  4. Right Click on each Secondary DRA Server and choose the Properties Menu
  5. From the Server Properties Window locate the Access Account Details
    • The default configuration is to use the AD Account running the NetIQ Administration Service.
    • You can specify a different AD Account to access the Secondary DRA Server
  6. Click OK to apply & save your changes.
To update the access account used to interact with each Managed Domain & Exchange Server:
  1. Login to the D&C Console for EACH specific DRA Server as a DRA Assistant Admin (AA) with DRA Administration Powers
  2. Expand the Configuration Management Node
  3. Expand the Managed Domains Node
  4. Right Click on a specific Managed Domain, and choose Properties
  5. From the Domain Properties Window you can update the Domain Access account and the Exchange Access Account
    • The default option for both Domain & Exchange Access is to use the AD Account running the NetIQ Administration Service
    • Each Managed Domain on Each DRA Server can have a different access account configured
  6. Click OK to Apply and Save the changes
To update the DRA Reporting Services Configuration:
  1. Login to the DRA Delegation and Configuration console (D&C Console) as a DRA Assistant Admin (AA) with DRA Administration Powers
  2. Connect the D&C Console to the Primary DRA Server
  3. Highlight the Configuration Management Node
  4. From the right hand window pane, select Update Reporting Services Configuration
  5. For more details on the Reporting Services Configuration, see Chapter 18 of the DRA and ExA Admin Guide
To update the NRC Server's IIS Application Pool Identity:
  1. Locate the Server Running IIS and Hosting the Application pool named NRCAppPool
    • This is the server name listed in the Web Service field of the NRC Console Login window
  2. Use Microsoft IIS Management tools to modify the NRCAppPool Identity
To verify the AD Account or AD Group used to access ADAM / ADLS:
  1. Login to the DRA Delegation and Configuration console (D&C Console) as a DRA Assistant Admin (AA) with DRA Administration Powers
  2. Connect the D&C Console to the Primary DRA Server
  3. Expand the Configuration Management Node
  4. Right Click on the Administration Servers Options, and choose Update Administration Server Options
  5. From the Administration Server Options, click the ADAM Configuration
    • This will show the current AD User or Group configured to be the Administrator of ADAM / ADLS
  6. Once this access account / group is configured (during install), it can't be changed again without the use of Microsoft Directory Services Administration Tools.
    • If an AD Domain Local group is used, its members can be changed.

Additional Information

For more information on DRA Configuration see the DRA and ExA Admin Guide.