3.5 DRA Administration Server, Web Console, and REST Extensions Requirements

DRA components require the following software and accounts:

3.5.1 Software Requirements

Component

Prerequisites

Installation Target

Operating System

NetIQ Administration Server Operating System:

  • Microsoft Windows Server 2012 R2, 2016, 2019

    NOTE: The server must also be a member of a supported Microsoft on-premises Active Directory domain.

DRA Interfaces:

  • Microsoft Windows Server 2012 R2, 2016, 2019

  • Microsoft Windows 8.1 (x86 & x64), 10 (x86 & x64)

Installer

  • Microsoft .Net Framework 4.6.2 and above

Administration Server

Directory and Resource Administrator:

  • Microsoft .Net Framework 4.6.2 and above

  • Microsoft Visual C++ 2013 Redistributable Packages (x64) and Microsoft Visual C++ 2017 (Update 3) Redistributable Packages (x64 and x86)

  • Microsoft Message Queuing

  • Microsoft Active Directory Lightweight Directory Services roles

  • Remote Registry Service Started

  • Microsoft Internet Information Services URL Rewrite Module

  • Microsoft Internet Information Services application request routing

Microsoft Office 365/Exchange Online Administration:

  • Windows Azure Active Directory Module for Windows PowerShell

  • Skype for Business Online, Windows PowerShell Module

  • Exchange Online PowerShell V2 module

  • Enable WinRM for Basic authentication on the client side for Exchange Online tasks.

For more information, see Supported Platforms.

User Interface

DRA Interfaces:

  • Microsoft .Net Framework 4.6.2

  • Microsoft Visual C++ 2017 (Update 3) Redistributable Packages (x64 and x86)

DRA Host Service

  • Microsoft .Net Framework 4.6.2

  • DRA Administration Server

DRA REST Endpoint and Service

  • Microsoft .Net Framework 4.6.2

PowerShell Extensions

  • Microsoft .Net Framework 4.6.2

  • PowerShell 5.1 or later

DRA Web Console

Web Server:

  • Microsoft .Net Framework 4.x > WCF Services > HTTP Activation

  • Microsoft Internet Information Server 8.0, 8.5, 10

  • Microsoft Internet Information Services URL Rewrite Module

  • Microsoft Internet Information Services application request routing

Microsoft IIS Components:

  • Web Server

    • Common HTTP Features

      • Static Content

      • Default Document

      • Directory Browser

      • HTTP Errors

    • Application Development

      • ASP

    • Health and Diagnostics

      • HTTP Logging

      • Request Monitor

    • Security

      • Basic Authentication

    • Performance

      • Static Content Compression

  • Web Server Management Tools

3.5.2 Server Domain

Component

Operating Systems

DRA Server

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

  • Microsoft Windows Server 2012 R2

3.5.3 Account Requirements

Account

Description

Permissions

AD LDS Group

The DRA service account needs to be added to this group for access to AD LDS

  • Domain Local Security Group

DRA Service Account

The permissions required to run the NetIQ Administration Service

  • Member of the “Distributed COM Users” group

  • Member of the AD LDS Admin Group

  • Account Operator Group

  • Log Archive groups (OnePointOp ConfgAdms & OnePointOp)

  • One of the following Account tab > Account options must be selected for the DRA service account user if installing DRA on a server using STIG methodology:

    • Kerberos AES 128 bits encryption

    • Kerberos AES 256 bits encryption

NOTE:

  • For more information on setting up least privilege domain access accounts see: Least Privilege DRA Access Accounts.

  • For more information on setting up a Group Managed Service Account for DRA see: “Configuring DRA Services for a Group Managed Service Account” in the DRA Administrator Guide.

DRA Administrator

User account or group provisioned to the built-in DRA Admins role

  • Domain Local Security Group or domain user account

  • Member of the managed domain or a trusted domain

    • If you specify an account from a trusted domain, ensure the Administration server computer can authenticate this account.

DRA Assistant Admin Accounts

Accounts that will be delegated powers through DRA

  • Add all DRA Assistant Admin accounts to the “Distributed COM Users” group so that they can connect to the DRA Server from remote clients. This is required only when you are using the thick client or the Delegation and Configuration console.

    NOTE: DRA can be configured to manage this for you during the installation.

3.5.4 Least Privilege DRA Access Accounts

Below are the permissions and privileges needed for the accounts specified and the configuration commands you need to run.

Domain Access Account: Using ADSI Edit, grant the Domain Access account the following Active Directory permissions at the top domain level for the following descendant object types:

  • FULL control over builtInDomain objects

  • FULL control over Computer objects

  • FULL control over Connection Point objects

  • FULL control over Contact objects

  • FULL control over Container objects

  • FULL control over Group objects

  • FULL control over InetOrgPerson objects

  • FULL control over MsExchDynamicDistributionList objects

  • FULL control over MsExchSystemObjectsContainer objects

  • FULL control over Organizational Unit objects

  • FULL control over Printer objects

  • FULL control over publicFolder objects

  • FULL Control over Shared Folder objects

  • FULL control over User objects

Grant the Domain Access account the following Active Directory Permissions at the top domain level to this object and all descendant objects:

  • Allow create Computer objects

  • Allow create Contact objects

  • Allow create Container objects

  • Allow create Group objects

  • Allow create MsExchDynamicDistributionList objects

  • Allow create Organizational Unit objects

  • Allow create publicFolder objects

  • Allow create Shared Folder objects

  • Allow create User objects

  • Allow delete Computer objects

  • Allow delete Contact objects

  • Allow delete Container objects

  • Allow delete Group objects

  • Allow delete InetOrgPerson objects

  • Allow delete MsExchDynamicDistributionList objects

  • Allow delete Organizational Unit objects

  • Allow delete publicFolder objects

  • Allow delete Shared Folder objects

  • Allow delete User objects

NOTE:

  • By default, some Builtin container objects within Active Directory do not inherit permissions from the top level of the domain. For this reason, those objects require inheritance to be enabled or explicit permissions to be set.

  • If the REST Server is not installed on the same server as the DRA Administration Server, the running REST Service account must have full control over the REST Server in Active Directory. For example, set FULL control over CN=DRARestServer,CN=System,DC=myDomain,DC=com
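The following is an added example (not part of the DRA documentation or the product) that audits a Domain Access account against the ADSI Edit grants listed above: it reads the domain-root ACL and reports, per class, whether a Full Control ACE on descendant objects and Create/Delete-child ACEs scoped to this object and all descendants are present. The account name is an assumption; the class names map the document's display names to lDAPDisplayNames (Shared Folder = volume, Printer = printQueue) and the script is read-only.

```powershell
# Added example, not from the DRA documentation: audit the least-privilege Domain
# Access account against the ADSI Edit grants listed above. Checks, at the domain
# root, for Full Control ACEs on descendants of each listed class and for
# Create/Delete-child ACEs on the listed classes scoped to this object and all
# descendants. Requires the ActiveDirectory module (RSAT); read-only.
param([string]$Account = 'CONTOSO\svc-dra-domain')   # assumed account name

Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# lDAPDisplayName of each class named in the document ("Shared Folder" = volume,
# "Printer" = printQueue); the Exchange classes exist only if the schema is extended.
$fullCtl = 'builtinDomain','computer','connectionPoint','contact','container','group',
           'inetOrgPerson','msExchDynamicDistributionList','msExchSystemObjectsContainer',
           'organizationalUnit','printQueue','publicFolder','volume','user'
$create  = 'computer','contact','container','group','msExchDynamicDistributionList',
           'organizationalUnit','publicFolder','volume','user'
$delete  = $create + 'inetOrgPerson'

# ACEs refer to classes by schemaIDGUID, so build a name -> GUID map from the schema.
$guidOf = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(objectClass=classSchema)' `
    -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $guidOf[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

# Explicit Allow ACEs on the domain root that name the audited account (by SID).
$acl  = Get-Acl -Path "AD:\$domainDN"
$aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' }

function Test-Grant($class, $right, $scope, $byInheritedType) {
    if (-not $guidOf.ContainsKey($class)) { return 'n/a (class not in schema)' }
    $g = $guidOf[$class]
    # "Descendant X objects" ACEs carry the class in InheritedObjectType;
    # Create/Delete-child ACEs carry it in ObjectType.
    $hit = $aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$right) -and
        $_.InheritanceType -eq $scope -and
        ($(if ($byInheritedType) { $_.InheritedObjectType } else { $_.ObjectType }) -eq $g)
    }
    if ($hit) { 'OK' } else { 'MISSING' }
}

foreach ($c in $fullCtl) { "{0,-8} FullControl  {1}" -f (Test-Grant $c 'GenericAll'  'Descendents' $true), $c }
foreach ($c in $create)  { "{0,-8} CreateChild  {1}" -f (Test-Grant $c 'CreateChild' 'All' $false), $c }
foreach ($c in $delete)  { "{0,-8} DeleteChild  {1}" -f (Test-Grant $c 'DeleteChild' 'All' $false), $c }
```

A MISSING result for a Builtin container class can be expected, because (as the note above says) those containers may not inherit from the domain root and need their own explicit grants.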

Exchange Access Account: To manage on-premises Microsoft Exchange objects, assign the Organizational Management role to the Exchange Access Account and the Exchange Access Account to the Account Operators group.

Skype Access Account: Ensure that this account is a Skype-enabled user and that it is a member of at least one of the following:

  • CSAdministrator role

  • Both the CSUserAdministrator and CSArchiving roles

Public Folder Access Account: Assign the following Active Directory permissions to the Public Folder Access Account:

  • Public Folder Management

  • Mail Enabled Public Folders

Azure Tenant Access Account: Assign the following Azure Active Directory permissions to the Azure Tenant Access Account:

  • Distribution Groups

  • Mail Recipients

  • Mail Recipient Creation

  • Security Group Creation and Membership

  • (Optional) Skype for Business Administrator

    If you want to manage Skype for Business Online, assign the Skype for Business Administrator power to the Azure tenant access account.

  • User Administrator

NetIQ Administration Service Account Permissions:

  • Local Administrators

  • Grant the least privilege override account “Full Permission” on share folders or DFS folders where Home directories are provisioned.

  • Resource Management: To manage published resources within a managed Active Directory domain, the Domain Access account must be granted local administration permissions on those resources.

Post DRA installation: After required domains are added or are being managed by DRA, run the following commands:

  • To delegate permission to the “Deleted Objects Container” from the DRA Installation folder (Note: the command must be executed by a domain administrator):

    DraDelObjsUtil.exe /domain:<NetbiosDomainName> /delegate:<Account Name>

  • To delegate permission to the “NetIQRecycleBin OU” from the DRA Installation folder:

    DraRecycleBinUtil.exe /domain:<NetbiosDomainName> /delegate:<AccountName>

Remote Access to SAM: On the Domain Controllers or member servers managed by DRA, configure the GPO setting below so that the listed accounts can make remote queries to the Security Account Manager (SAM) database. The configured list must include the DRA service account.

Network access: Restrict clients allowed to make remote calls to SAM

To access this setting, do the following:

  1. Open the Group Policy Management console on the domain controller.

  2. Expand Domains > [domain controller] > Group Policy Objects in the node tree.

  3. Right-click Default Domain Controllers Policy and select Edit to open the GPO editor for this policy.

  4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies in the node tree of the GPO editor.

  5. Double-click Network access: Restrict clients allowed to make remote calls to SAM in the policies pane, and select Define this policy setting.

  6. Click Edit Security and enable Allow for Remote Access. Add the DRA service account if it is not already included as a user or part of the administrators group.

  7. Apply the changes. This adds the security descriptor O:BAG:BAD:(A;;RC;;;BA) to the policy settings.
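As an added example (not part of the DRA documentation), the script below audits the effective setting that the procedure above configures: it reads the RestrictRemoteSAM value the GPO writes under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, parses the SDDL, and checks whether the DRA service account is granted Remote Access (READ_CONTROL, "RC" in SDDL); if not, it prints the descriptor the GPO should carry once the account is added. The service account name is an assumption.

```powershell
# Added example, not from the DRA documentation: audit the "Network access:
# Restrict clients allowed to make remote calls to SAM" setting on a DC or member
# server and confirm the DRA service account is granted Remote Access (RC).
# Read-only: the setting is GPO-managed, so fix it in the GPO, not in the registry.
param([string]$ServiceAccount = 'CONTOSO\svc-dra')   # assumed service account name

# The GPO writes this REG_SZ value; when it is absent the OS default applies.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $regPath -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
if (-not $sddl) {
    $sddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # descriptor the procedure above produces (Administrators only)
    Write-Host "RestrictRemoteSAM not set; assuming default: $sddl"
}

$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
$READ_CONTROL = 0x20000                 # the only right that matters for remote SAM access
$svcSid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
              [System.Security.Principal.SecurityIdentifier])

$granted = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $who = $ace.SecurityIdentifier.Value
    try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    $allowsRC = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
                ($ace.AccessMask -band $READ_CONTROL) -ne 0
    Write-Host ("{0,-14} {1}" -f $ace.AceType, $who)
    if ($allowsRC -and $ace.SecurityIdentifier.Value -eq $svcSid.Value) { $granted = $true }
}

if ($granted) {
    Write-Host "OK: $ServiceAccount is explicitly allowed remote SAM access."
} else {
    # Build the descriptor the GPO should carry after the account is added. Group
    # membership is not expanded here: a service account that is a member of
    # BUILTIN\Administrators is already covered by the BA entry.
    $newAce = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $READ_CONTROL, $svcSid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
    Write-Warning "$ServiceAccount has no explicit ACE. Expected GPO descriptor:"
    Write-Host $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}
```

Run it locally on each audited server, or wrap it in Invoke-Command to check the domain controllers after the Default Domain Controllers Policy has refreshed.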

For more information, see Knowledge Base article 7023292.