DRA components require the following software and accounts:
| Component | Prerequisites |
|---|---|
| Installation Target Operating System | NetIQ Administration Server Operating System:<br>DRA Interfaces: |
| Installer | |
| Administration Server | Directory and Resource Administrator:<br>Microsoft Office 365/Exchange Online Administration:<br>For more information, see Supported Platforms. |
| User Interface | DRA Interfaces: |
| DRA Host Service | |
| DRA REST Endpoint and Service | |
| PowerShell Extensions | |
| DRA Web Console | Web Server:<br>Microsoft IIS Components: |
| Component | Operating Systems |
|---|---|
| DRA Server | |
| Account | Description | Permissions |
|---|---|---|
| AD LDS Group | The DRA service account needs to be added to this group for access to AD LDS | |
| DRA Service Account | The permissions required to run the NetIQ Administration Service<br>NOTE: | |
| DRA Administrator | User account or group provisioned to the built-in DRA Admins role | |
| DRA Assistant Admin Accounts | Accounts that will be delegated powers through DRA | |
Below are the permissions and privileges needed for the accounts specified and the configuration commands you need to run.
Domain Access Account: Using ADSI Edit, grant the Domain Access account the following Active Directory permissions at the top level of the domain, scoped to descendant objects of each of the following object types:
FULL control over builtInDomain objects
FULL control over Computer objects
FULL control over Connection Point objects
FULL control over Contact objects
FULL control over Container objects
FULL control over Group objects
FULL control over InetOrgPerson objects
FULL control over MsExchDynamicDistributionList objects
FULL control over MsExchSystemObjectsContainer objects
FULL control over Organizational Unit objects
FULL control over Printer objects
FULL control over publicFolder objects
FULL control over Shared Folder objects
FULL control over User objects
Grant the Domain Access account the following Active Directory Permissions at the top domain level to this object and all descendant objects:
Allow create Computer objects
Allow create Contact objects
Allow create Container objects
Allow create Group objects
Allow create MsExchDynamicDistributionList objects
Allow create Organizational Unit objects
Allow create publicFolders objects
Allow create Shared Folder objects
Allow create User objects
Allow delete Computer objects
Allow delete Contact objects
Allow delete Container objects
Allow delete Group objects
Allow delete InetOrgPerson objects
Allow delete MsExchDynamicDistributionList objects
Allow delete Organizational Unit objects
Allow delete publicFolders objects
Allow delete Shared Folder objects
Allow delete User objects
NOTE:
By default, some Builtin container objects within Active Directory do not inherit permissions from the top level of the domain. For this reason those objects will require inheritance to be enabled, or explicit permissions to be set.
If the REST Server is not installed on the same server as the DRA Administration Server, the running REST Service account must have full control over the REST Server in Active Directory. For example, set FULL control over CN=DRARestServer,CN=System,DC=myDomain,DC=com
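The same grants can be scripted instead of clicked through ADSI Edit. The following is an added example written for this page, not a script shipped with DRA: it resolves the schemaIDGUID of each object class, writes the "full control over descendant objects of type X" ACEs and the "create/delete child of type X on this object and all descendants" ACEs onto the domain head, and then lists objects under CN=Builtin whose ACL blocks inheritance, which is the situation the NOTE warns about. It assumes the ActiveDirectory PowerShell module (for the AD: drive) and a placeholder account name `CONTOSO\svc-dra-domain`; Shared Folder and Printer are the schema classes `volume` and `printQueue`.

```powershell
# Added example, not part of the DRA documentation or product.
# Assumes: ActiveDirectory module; run as a domain administrator on a domain-joined host.
Import-Module ActiveDirectory

$DomainAccessAccount = 'CONTOSO\svc-dra-domain'   # placeholder: replace with the real Domain Access account
$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# LDAP display names of the classes listed in the documentation
# (Shared Folder = volume, Printer = printQueue).
$fullControlClasses = 'builtinDomain','computer','connectionPoint','contact','container','group',
    'inetOrgPerson','msExchDynamicDistributionList','msExchSystemObjectsContainer',
    'organizationalUnit','printQueue','publicFolder','volume','user'
$createClasses = 'computer','contact','container','group','msExchDynamicDistributionList',
    'organizationalUnit','publicFolder','volume','user'
$deleteClasses = $createClasses + 'inetOrgPerson'

function Get-SchemaClassGuid {
    # Returns the schemaIDGUID used in ACEs to scope a right to one object class.
    param([string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    if (-not $cls) {
        # The msExch* classes exist only after the Exchange schema extension has been applied.
        throw "Schema class '$LdapDisplayName' not found in $schemaNC"
    }
    [guid]$cls.schemaIDGUID
}

$identity = [System.Security.Principal.NTAccount]$DomainAccessAccount
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inhDesc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$inhAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl = Get-Acl -Path "AD:\$domainDN"

# "FULL control over <class> objects": GenericAll, applied to descendant objects of that class only
# (inheritedObjectType = class GUID, inheritance = Descendents).
foreach ($cls in $fullControlClasses) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
        $inhDesc, (Get-SchemaClassGuid $cls))))
}
# "Allow create/delete <class> objects": CreateChild/DeleteChild for that class
# (objectType = class GUID) on this object and all descendants.
foreach ($cls in $createClasses) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow,
        (Get-SchemaClassGuid $cls), $inhAll)))
}
foreach ($cls in $deleteClasses) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild, $allow,
        (Get-SchemaClassGuid $cls), $inhAll)))
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Caveat from the NOTE: objects with inheritance disabled will not receive the ACEs above.
# List them so inheritance can be enabled or explicit permissions set.
function Get-InheritanceBlockedObjects {
    param([string]$SearchBase = "CN=Builtin,$domainDN")
    Get-ADObject -SearchBase $SearchBase -Filter * | ForEach-Object {
        $objAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        if ($objAcl.AreAccessRulesProtected) { $_.DistinguishedName }
    }
}
Get-InheritanceBlockedObjects
```

Run the inheritance check again after the REST Server object has been created if the REST Service runs elsewhere, since CN=DRARestServer,CN=System lives outside CN=Builtin and needs its own explicit grant as described above.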
Exchange Access Account: To manage on-premises Microsoft Exchange objects, add the Exchange Access Account to the Exchange Organization Management role group and to the Account Operators group.
Skype Access Account: Ensure that this account is a Skype-enabled user and that it is a member of at least one of the following:
CSAdministrator role
Both the CSUserAdministrator and CSArchiving roles
Public Folder Access Account: Assign the following Exchange management roles to the Public Folder Access Account:
Public Folder Management
Mail Enabled Public Folders
Azure Tenant Access Account: Assign the following Exchange Online and Azure Active Directory roles to the Azure Tenant Access Account:
Distribution Groups
Mail Recipients
Mail Recipient Creation
Security Group Creation and Membership
User Administrator
(Optional) Skype for Business Administrator
If you want to manage Skype for Business Online, also assign the Skype for Business Administrator role to the Azure Tenant Access Account.
NetIQ Administration Service Account Permissions:
Member of the local Administrators group on the Administration Server
Grant the least privilege override account Full Control on the shared folders or DFS folders where home directories are provisioned.
Resource Management: To manage published resources within a managed Active Directory domain, the Domain Access account must be granted local administration permissions on those resources.
Post DRA installation: After required domains are added or are being managed by DRA, run the following commands:
To delegate permission to the Deleted Objects container, run the following from the DRA installation folder (the command must be executed by a domain administrator):
DraDelObjsUtil.exe /domain:<NetbiosDomainName> /delegate:<Account Name>
To delegate permission to the NetIQRecycleBin OU, run the following from the DRA installation folder:
DraRecycleBinUtil.exe /domain:<NetbiosDomainName> /delegate:<AccountName>
Remote Access to SAM: On the Domain Controllers and member servers managed by DRA, configure the GPO setting below so that the listed accounts are allowed to make remote queries to the Security Account Manager (SAM) database. The allowed list must include the DRA service account.
Network access: Restrict clients allowed to make remote calls to SAM
To access this setting, do the following:
Open the Group Policy Management console on the domain controller.
Expand Domains > [domain controller] > Group Policy Objects in the node tree.
Right-click Default Domain Controllers Policy and select Edit to open the GPO editor for this policy.
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies in the node tree of the GPO editor.
Double-click Network access: Restrict clients allowed to make remote calls to SAM in the policies pane, and select Define this policy setting.
Click Edit Security and enable Allow for Remote Access. Add the DRA service account if it is not already included as a user or part of the administrators group.
Apply the changes. The policy stores the result as an SDDL security descriptor: with only the Administrators group allowed it reads O:BAG:BAD:(A;;RC;;;BA), and each account you add appears as a further (A;;RC;;;<SID>) entry.
For more information, see Knowledge Base article 7023292.
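To see what the GPO editor actually writes, and to verify the setting that is in effect on a given server, the following added example (written for this page, not taken from DRA or its documentation) builds the SDDL string for the "Restrict clients allowed to make remote calls to SAM" setting from the Administrators-only default and decodes the value stored in the registry at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSam. The DRA service account SID is a constructed placeholder; in practice resolve it with NTAccount.Translate().

```powershell
# Added example, not part of the DRA documentation or product.
$defaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # Administrators only: the setting's default
# Placeholder SID for the DRA service account (constructed, not a real account); resolve the
# real one with ([System.Security.Principal.NTAccount]'CONTOSO\svc-dra').Translate([System.Security.Principal.SecurityIdentifier])
$draServiceSid = New-Object System.Security.Principal.SecurityIdentifier(
    'S-1-5-21-1111111111-2222222222-3333333333-1105')

function Add-RemoteSamAllow {
    # Appends an Allow ACE for $Sid to an existing RestrictRemoteSam descriptor and
    # returns the new SDDL string. RC (READ_CONTROL, 0x20000) is the only right this
    # policy evaluates, which is why the default ACE is (A;;RC;;;BA).
    param([string]$Sddl, [System.Security.Principal.SecurityIdentifier]$Sid)
    # isContainer=$false, isDS=$false: a plain (non-directory) descriptor.
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow, $Sid, 0x20000,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-RemoteSamAllowedPrincipals {
    # Decodes a RestrictRemoteSam descriptor into (AceType, Principal, Mask) rows.
    # With no -Sddl argument it reads the value the GPO applied on the local machine.
    param([string]$Sddl)
    if (-not $Sddl) {
        $Sddl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
        if (-not $Sddl) { return 'RestrictRemoteSam not configured: the OS default applies' }
    }
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID (foreign domain, deleted account)
        [pscustomobject]@{
            AceType   = $ace.AceType
            Principal = $name
            Mask      = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

# Build the descriptor that results from adding the DRA service account to the policy,
# then decode it to confirm both Administrators and the service account are allowed.
$newSddl = Add-RemoteSamAllow -Sddl $defaultSddl -Sid $draServiceSid
$newSddl
Get-RemoteSamAllowedPrincipals -Sddl $newSddl

# On a domain controller after gpupdate, run without -Sddl to audit the applied value:
# Get-RemoteSamAllowedPrincipals
```

The decoded list is the check to run when remote SAM queries from DRA fail with access denied: if the service account's SID is not in the applied value, either the GPO has not refreshed or a higher-precedence GPO defines the setting without it.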