Environment
NetIQ Directory and Resource Administrator 8.7.x
Microsoft Active Directory Light Weight Directory Services (ADLDS)
Microsoft Active Directory Application Mode (ADAM)
Microsoft Active Directory Light Weight Directory Services (ADLDS)
Microsoft Active Directory Application Mode (ADAM)
Situation
After applying a service pack or new version of Directory Resource Administrator (DRA) , there are times when the DRA Health Check Utility will report the LDS Schema fails the check. Further investigation into the Windows ADAM Event logs will show that the LDS instance on the Primary DRA Server can't verify that it holds the correct FSMO roles. This will prevent DRA from extending the schema to include new features specific to a new DRA version. The NetIQ DRA Administration Service and NetIQ DRA Cache Service depend upon certain attribute types being inside the LDS instance. When the service is unable to locate these, it will often restart or fail completely.
Resolution
To resolve the FSMO role issues, you will need to use the Microsoft NT Directory Services Utility (NTDSUTIL) Command line tool. This tool is a Sub Feature of the Remote Server Administration Tools (RSAT) Windows Server Feature. It is located under the following Feature path: RSAT --> Role Administration Tools --> AD DS and AD LDS Tools --> AD LDS Snap-Ins and Command-Line Tools. You will also need to be logged onto the Primary DRA Server Windows OS as the AD account running the NetIQ DRA Administration Service. Once the NTDSUTIL is loaded, run the following steps:
- Run a Windows CMD Prompt as Administrator
- From the C:\> run NTDSUTIL
- From the NTDSUTIL: prompt, run Roles
- From the FMSO Maintenance: prompt, run Connections
- From the Connections: prompt, run connect to server localhost:50000
- From the Connections: prompt, run quit
- From the FMSO Maintenance: prompt, run Seize Schema Master
- Click Yes on the Windows Dialog box asking for confirmation to transfer the Schema master role
- From the FMSO Maintenance: prompt, run Seize Naming Master
- From the FMSO Maintenance: prompt, run Quit
- From the NTDSUTIL: prompt, run Quit
Proceed to extending the LDS schema for the current version of DRA
- Use Windows Explorer to locate and copy the path to: <Path to DRA Program Files>\ADLS Schema\UpdateAdam.xml
- Within the previous Administrator Windows CMD Prompt change to the DRA Program Files Directory
- From the <path to DRA Program Files>:\> prompt, run the following UpdateAdam /ConfigFile:"<Path to DRA Program Files>\ADLS Schema\UpdateAdam.xml>"
- Restart the NetIQ Administration Service
- Re-run the DRA Health Check Utility to verify the LDS Instance status and LDS Schema
Cause
When there is at least one Primary and one Secondary DRA Server, it is possible for the LDS instance to not hold the correct FSMO roles. This often occurs when the DRA Server mode is changed. During the process of promoting a new primary, LDS may have problems gracefully transferring the FSMO roles to the LDS instance on the new Primary DRA Server. This does not affect the normal operation of LDS or DRA. The problem occurs when DRA attempts to add new attribute classes into the LDS schema. If the Primary DRA server's LDS instance is unable to verify that it has the Schema Master role, LDS will fail to update the schema.