DRA allows you to manage multiple domains as well as multiple subtrees from a specific Microsoft Windows 2008 or later domain. By managing a subtree of a Microsoft Windows 2008 or later domain, you can use DRA to secure a department or division within a larger corporate domain.
For example, you can specify the Houston subtree in the SOUTHWEST domain, allowing DRA to securely manage only those objects contained in the Houston OU and its child OUs. This flexibility allows you to manage one or more subtrees without requiring administrative permissions for the entire domain. For more information about required permissions for managed subtrees, see the Installation Guide.
You can view properties and statistics for managed and trusted domains. You can also perform the following essential tasks:
Add and remove managed domains
Add and remove managed subtrees in a specific Microsoft Windows 2008 or later domain
Specify the access account for the Administration server
Check the status of the domain and view any error messages
Specify the default domain controller to which DRA connects
Check the status of the accounts cache refresh
Schedule how often the Administration server gathers last logon statistics
Perform an accounts cache refresh immediately
Manage the accounts cache refresh schedule
The Administration server builds and maintains an accounts cache that contains portions of the Active Directory for the managed domains. DRA and ExA use the accounts cache to improve performance when managing user accounts, groups, contacts, and computer accounts.
To schedule a cache refresh time or view the cache status, you must have the appropriate powers, such as those included in the built-in Configure Servers and Domains role.
NOTE: To perform incremental accounts cache refreshes in domains that contain managed subtrees, ensure the service account has read access to the Deleted Objects container as well as to all objects in the domain of the subtree. You can use the Deleted Objects Utility to verify and delegate the appropriate permissions. For more information about this utility, see Section B.2, Deleted Objects Utility. For more information about service account configurations, see the Installation Guide.
An incremental accounts cache refresh updates only the data that changed since the last refresh. The incremental refresh provides a streamlined way to keep up with your changing Active Directory. Use the incremental refresh to quickly update the accounts cache while incurring the least impact on your enterprise.
An incremental refresh updates the following data:
New and cloned objects
Deleted and moved objects
Group memberships
All cached object properties
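As an added illustration of the note above and of what an incremental refresh has to read, the following PowerShell is not DRA's own code and does not show how the Administration server is implemented. It does two things a practitioner would want to verify: it inspects the ACL on the Deleted Objects container for the service account, and it runs a uSNChanged-based change poll against one domain controller with deleted objects included, which is the general mechanism for picking up "changed since last time" data from Active Directory. The account CORP\svc-dra, the domain corp.example and the domain controller dc01.corp.example are assumed placeholder names.

```powershell
# Added example, not DRA code. Assumed names: CORP\svc-dra, corp.example, dc01.corp.example.
Import-Module ActiveDirectory

function Test-DeletedObjectsAccess {
    # Reports whether $Account holds a direct Allow ACE on CN=Deleted Objects that
    # includes List Contents (LC) and Read Property (RP). Rights granted through
    # group membership are not resolved here; Get-DirectoryChangesSince -Credential
    # below is the effective-access test.
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\svc-dra' (assumed)

    $dn   = "CN=Deleted Objects," + (Get-ADDomain).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $need = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $sid -and (($ace.ActiveDirectoryRights -band $need) -eq $need)) {
            return $true
        }
    }
    return $false
}
# To grant the rights when the check fails (run as a domain administrator; the
# container's default ACL is not writable even by Domain Admins, so take
# ownership first):
#   dsacls "CN=Deleted Objects,DC=corp,DC=example" /takeownership
#   dsacls "CN=Deleted Objects,DC=corp,DC=example" /G "CORP\svc-dra:LCRP"

function Get-DirectoryChangesSince {
    # Incremental poll: every object whose uSNChanged is at or above the watermark
    # saved from the previous poll. uSNChanged is per domain controller, so always
    # query the same DC and keep its highestCommittedUSN as the next watermark.
    # -IncludeDeletedObjects is what makes deletions visible; without LC/RP on the
    # Deleted Objects container the tombstones are simply absent from the result
    # and the deletion is never noticed.
    param(
        [Parameter(Mandatory)][string]$Server,        # e.g. 'dc01.corp.example' (assumed)
        [Parameter(Mandatory)][int64]$SinceUsn,       # 0 on the very first poll
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [pscredential]$Credential                     # run as the service account to test it
    )
    $conn = @{ Server = $Server }
    if ($Credential) { $conn['Credential'] = $Credential }

    # Take the watermark before querying so a change landing mid-query is seen
    # again next time instead of being lost.
    $nextUsn = [int64](Get-ADRootDSE @conn).highestCommittedUSN

    $query = @{
        SearchBase            = $SearchBase
        IncludeDeletedObjects = $true
        Filter                = "uSNChanged -ge $SinceUsn"
        Properties            = 'uSNChanged', 'isDeleted', 'lastKnownParent', 'whenChanged'
    }
    $changes = Get-ADObject @conn @query |
        Select-Object DistinguishedName, ObjectClass, uSNChanged, isDeleted, lastKnownParent, whenChanged

    [pscustomobject]@{ NextUsn = $nextUsn; Changes = $changes }
}

# Usage (assumed names):
#   Test-DeletedObjectsAccess -Account 'CORP\svc-dra'
#   $cred = Get-Credential 'CORP\svc-dra'
#   $r = Get-DirectoryChangesSince -Server 'dc01.corp.example' -SinceUsn 0 -Credential $cred
#   $r.Changes | Where-Object isDeleted | Format-Table DistinguishedName, lastKnownParent
#   # persist $r.NextUsn and pass it as -SinceUsn on the next poll
```

Two points worth noticing. A moved object appears with its new distinguished name because the move bumps its uSNChanged, which is why a poll scoped to one OU can miss objects moved out of it. Deleted objects are relocated to the Deleted Objects container, so when you manage a subtree the deletions must be searched from the domain root (or the container itself) and lastKnownParent tells you which OU they came from; this is the reason the note asks for read access to the Deleted Objects container in addition to the subtree.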
A full accounts cache refresh loads the entire Active Directory. Use the full refresh to maintain consistency between your Active Directory and the accounts cache for your managed domain.
DRA offers the full accounts cache refresh for all managed domains, and the incremental accounts cache refresh for Microsoft Windows domains. You can manually perform an immediate cache refresh for a managed or trusted domain at any time. You can also schedule regular, automatic refreshes.
How often you should refresh the accounts cache depends on how often your enterprise changes. Use the incremental refresh to update the accounts cache often, ensuring that DRA has the most up to date information about the Active Directory.
By default, the Administration server performs an incremental accounts cache refresh at the following times:

Domain Type     | Default Scheduled Refresh Time
----------------|-------------------------------
Managed Windows | Every 5 minutes
Trusted Windows | Every hour
You cannot schedule a full accounts cache refresh (FACR); however, DRA runs one automatically under the following circumstances:
After you configure a managed domain for the first time.
After you upgrade DRA to a new full version from a previous version.
After you install a DRA service pack.
Performing a full accounts cache refresh can require several minutes.
If a full accounts cache refresh fails, the Administration server retries every 30 minutes until the refresh succeeds. If an incremental accounts cache refresh fails, the Administration server retries four times at 15-minute intervals. If the Administration server cannot perform an incremental accounts cache refresh because the specified domain is unavailable, DRA immediately attempts a full accounts cache refresh instead. You can also specify a timeout period for the incremental cache refresh; if an incremental refresh takes longer than that timeout, DRA immediately attempts a full accounts cache refresh.
You must periodically refresh the accounts cache to ensure DRA and ExA have the latest information. Before performing or scheduling an accounts cache refresh, review the following considerations:
The Administration server can refresh the accounts cache only for computers that are running when the cache refresh occurs.
To perform an incremental accounts cache refresh, the Administration server service account or access account must have permission to access deleted objects in the Active Directory of the managed or trusted domain. For more information, see Section B.2, Deleted Objects Utility.
The Administration server does not allow you to modify objects in the managed domain during an incremental accounts cache refresh. However, you can view Active Directory data for the managed domain.
The Administration server allows you to modify objects in the managed domain during a full accounts cache refresh. Then the Administration server performs an incremental refresh to detect those latest changes. If you access the managed domain before the incremental refresh begins, the accounts cache may not reflect changes made during the refresh process.
When DRA performs an accounts cache refresh, the Administration server does not include domain local security groups from trusted domains. Because the cache does not contain these groups, DRA does not allow you to add a domain local security group from the trusted domain to a local group on the managed member server.
The incremental accounts cache refresh may not detect when you move an object to or from an OU for which the Administration server service account or access account does not have permissions. To ensure the accounts cache accurately reflects these changes, perform a full accounts cache refresh.
If you omit a trusted domain from an accounts cache refresh, the Administration server also omits that domain from the domain configuration refresh. For more information about the trusted domains and the domain configuration, see Section 17.3.4, Domain Configuration.
If you include a previously omitted trusted domain in the accounts cache refresh, perform a full accounts cache refresh for the managed domain. This ensures that the accounts cache on the Administration server for the managed domain correctly reflects group membership data in your managed and trusted domains.
If you set the incremental accounts cache refresh interval to Never, the Administration server performs full accounts cache refreshes only. A full accounts cache refresh may take some time, during which you cannot manage objects in this domain.
DRA and ExA cannot automatically determine when changes are made through other tools, such as Microsoft Directory Services Administrator. Operations performed outside DRA and ExA can affect the accuracy of the cached information. For example, if you use another tool to add a mailbox to a user account, you cannot use ExA to manage this mailbox until you update the accounts cache.
The time required to complete a full accounts cache refresh depends on several variables:
Size of the managed domains
Speed of the Administration server computer
Performing a full accounts cache refresh deletes the last logon statistics maintained in the cache. The Administration server then collects the latest logon information from all the domain controllers.
The access account allows you to override the Administration service account you configured for the Administration server when you installed DRA and ExA. The Administration server uses the access account to read and write data from other managed and trusted domains. When you modify the access account, be sure to manually refresh the accounts cache for this domain so that the server uses the correct account.
Before you specify an access account, verify that the account has the appropriate privileges to access data on all managed and trusted domains. For more information about required permissions, see the Installation Guide.
NOTE: The Administration server stores account information locally for access accounts. If you change the name or password of a managed access account, you must also update the override account specifications through the Delegation and Configuration console on the Administration server. For more information, see Section 17.8.9, Specifying Domain Access Accounts.
The last logon time for a user is stored only on the specific domain controller that validated the user logon. Other domain controllers, including the PDC, have only the timestamp of when that domain controller last validated the user. DRA can gather and consolidate last logon statistics from domain controllers. By consolidating the last logon statistics, DRA enables you to identify user accounts that have not been used for a period of time. You can specify how often DRA polls the domain controllers using the Last logon schedule tab in the domain properties window.
To collect and consolidate the last logon information, DRA periodically polls all domain controllers in the managed domains. DRA collects the last logon timestamp for each user since the most recent poll and stores this information in the domain configuration. DRA uses the values in the domain configuration to report the last logon information. By default, last logon statistics are disabled.
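The consolidation the two paragraphs above describe can be reproduced outside DRA. The following PowerShell is an added example, not DRA's code or its polling schedule: it reads the non-replicated lastLogon attribute from every domain controller in the domain, keeps the highest value per user, and flags accounts that have not logged on within a given number of days. A domain controller that cannot be reached during the poll is reported rather than treated as "no logons", because a missing DC means the result may overstate inactivity. The -InactiveDays value of 90 is an assumed threshold.

```powershell
# Added example, not DRA code. Polls every DC for lastLogon and keeps the newest value per user.
Import-Module ActiveDirectory

function Get-ConsolidatedLastLogon {
    param(
        [string]$Domain       = (Get-ADDomain).DNSRoot,
        [string]$SearchBase   = (Get-ADDomain).DistinguishedName,
        [int]   $InactiveDays = 90      # assumed threshold
    )
    $dcs     = Get-ADDomainController -Filter * -Server $Domain
    $latest  = @{}     # SamAccountName -> highest lastLogon (FILETIME) seen on any DC
    $skipped = @()     # DCs that could not be polled; their logon data is missing

    foreach ($dc in $dcs) {
        $q = @{
            Filter     = 'enabled -eq $true'
            SearchBase = $SearchBase
            Server     = $dc.HostName
            Properties = 'lastLogon'
        }
        try {
            $users = Get-ADUser @q
        } catch {
            $skipped += $dc.HostName   # offline or unreachable DC: cannot be read this round
            continue
        }
        foreach ($u in $users) {
            $t = [int64]$u.lastLogon   # $null/0 means this DC never validated the user
            if (-not $latest.ContainsKey($u.SamAccountName) -or $t -gt $latest[$u.SamAccountName]) {
                $latest[$u.SamAccountName] = $t
            }
        }
    }

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $rows = foreach ($kv in $latest.GetEnumerator()) {
        $when = if ($kv.Value -gt 0) { [DateTime]::FromFileTime($kv.Value) } else { $null }
        [pscustomobject]@{
            SamAccountName = $kv.Key
            LastLogon      = $when                               # $null: no DC has ever seen a logon
            Inactive       = ($null -eq $when -or $when -lt $cutoff)
        }
    }

    [pscustomobject]@{
        Accounts   = $rows | Sort-Object LastLogon
        SkippedDCs = $skipped   # non-empty: Inactive may be overstated for some accounts
    }
}

# Usage:
#   $r = Get-ConsolidatedLastLogon -InactiveDays 90
#   $r.Accounts | Where-Object Inactive | Format-Table SamAccountName, LastLogon
#   if ($r.SkippedDCs) { Write-Warning "Unpolled DCs: $($r.SkippedDCs -join ', ')" }
```

Taking the maximum across all domain controllers is the only way to get a trustworthy value, because each DC records only the logons it validated itself. The replicated lastLogonTimestamp attribute is a cheaper alternative, but it is refreshed only when the stored value is older than the domain's msDS-LogonTimeSyncInterval (14 days by default), so it is adequate for finding stale accounts and not for a precise last logon time.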