DRA has the following server requirements for software and accounts (the version lists for each item did not survive extraction; the current versions are maintained under Supported Platforms):

Component | Prerequisites
---|---
Installation Target Operating System | NetIQ Administration Server Operating System; Windows DRA Interfaces
Installer |
Administration Server | Directory and Resource Administrator; Microsoft Office 365/Exchange Online Administration. For more information, see Supported Platforms.
Legacy Web Components | Web Server; Microsoft IIS Components; Windows DRA Interfaces
Account | Description | Permissions
---|---|---
AD LDS Group | The DRA service account must be added to this group for access to AD LDS. |
DRA Service Account | The account that runs the NetIQ Administration Service. | NOTE: For the permissions this account needs, and for setting up least-privilege domain access accounts, see Least Privilege DRA Access Accounts.
DRA Administrator | User account or group provisioned to the built-in DRA Admins role. |
DRA Assistant Admin Accounts | Accounts that will be delegated powers through DRA. |
Below are the permissions and privileges each of the accounts needs, and the configuration commands you must run.
Domain Access Account: Using ADSI Edit, grant the Domain Access account Full Control at the top of the domain, applied to descendant objects of each of the following types:
FULL control over builtInDomain objects
FULL control over Computer objects
FULL control over Contact objects
FULL control over Container objects
FULL control over Group objects
FULL control over InetOrgPerson objects
FULL control over MsExchDynamicDistributionList objects
FULL control over MsExchSystemObjectsContainer objects
FULL control over Organizational Unit objects
FULL control over Printer objects
FULL control over publicFolder objects
FULL control over serviceConnectionPoint objects
FULL control over User objects
Grant the Domain Access account the following Active Directory Permissions at the top domain level to this object and all descendant objects:
Allow create Computer objects
Allow create Contact objects
Allow create Container objects
Allow create Group objects
Allow create MsExchDynamicDistributionList objects
Allow create Organizational Unit objects
Allow create publicFolders objects
Allow create Shared Folder objects
Allow create User objects
Allow delete Computer objects
Allow delete Contact objects
Allow delete Container objects
Allow delete Group objects
Allow delete InetOrgPerson objects
Allow delete MsExchDynamicDistributionList objects
Allow delete Organizational Unit objects
Allow delete publicFolders objects
Allow delete Shared Folder objects
Allow delete User objects
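The same grant, applied with PowerShell instead of clicking through ADSI Edit, so it is repeatable and can be reviewed in change control. This is an added example, not NetIQ's own tooling. It assumes an account name of CORP\svc-dra-domain, the ActiveDirectory module on the machine, and a Domain Admin running it; the mapping from ADSI Edit's friendly class names to schema lDAPDisplayName values (Printer is printQueue, Shared Folder is volume) is mine.

```powershell
# Added example (not NetIQ's own code): apply the Domain Access account ACEs
# listed above at the top of the domain. Assumed: the account name, the
# ActiveDirectory module, and that a Domain Admin runs this.
#Requires -Modules ActiveDirectory
param(
    [string]$Account = 'CORP\svc-dra-domain',   # assumed account name
    [switch]$ReportOnly                          # show the resulting ACEs, write nothing
)
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])

# ADSI Edit shows friendly class names; an ACE needs the class's schemaIDGUID.
# Friendly name used on this page -> lDAPDisplayName in the schema.
$classMap = @{
    'builtInDomain' = 'builtinDomain'; 'Computer' = 'computer'; 'Contact' = 'contact'
    'Container' = 'container'; 'Group' = 'group'; 'InetOrgPerson' = 'inetOrgPerson'
    'MsExchDynamicDistributionList' = 'msExchDynamicDistributionList'
    'MsExchSystemObjectsContainer'  = 'msExchSystemObjectsContainer'
    'Organizational Unit' = 'organizationalUnit'; 'Printer' = 'printQueue'
    'publicFolder' = 'publicFolder'; 'serviceConnectionPoint' = 'serviceConnectionPoint'
    'Shared Folder' = 'volume'; 'User' = 'user'
}
function Get-ClassGuid([string]$FriendlyName) {
    $ldapName = $classMap[$FriendlyName]
    $cls = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ldapName))"
    if (-not $cls) { throw "Schema class '$ldapName' not found; is the Exchange schema present?" }
    [guid]$cls.schemaIDGUID
}

# The three lists from the page.
$fullControl = 'builtInDomain','Computer','Contact','Container','Group','InetOrgPerson',
    'MsExchDynamicDistributionList','MsExchSystemObjectsContainer','Organizational Unit',
    'Printer','publicFolder','serviceConnectionPoint','User'
$create = 'Computer','Contact','Container','Group','MsExchDynamicDistributionList',
    'Organizational Unit','publicFolder','Shared Folder','User'
$delete = $create + 'InetOrgPerson'

$rule  = [System.DirectoryServices.ActiveDirectoryAccessRule]
$right = [System.DirectoryServices.ActiveDirectoryRights]
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($c in $fullControl) {
    # "FULL control over <class> objects": inherited by descendant objects of that class only
    $acl.AddAccessRule($rule::new($sid, $right::GenericAll, $allow, $inh::Descendents, (Get-ClassGuid $c)))
}
foreach ($c in $create) {
    # "Allow create <class> objects": this object and all descendants
    $acl.AddAccessRule($rule::new($sid, $right::CreateChild, $allow, (Get-ClassGuid $c), $inh::All))
}
foreach ($c in $delete) {
    # "Allow delete <class> objects": this object and all descendants
    $acl.AddAccessRule($rule::new($sid, $right::DeleteChild, $allow, (Get-ClassGuid $c), $inh::All))
}

if ($ReportOnly) {
    $acl.Access | Where-Object { "$($_.IdentityReference)" -eq $Account } |
        Format-Table ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
} else {
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
}
```

Run it once with -ReportOnly and compare the table against the list above before writing. Two things to keep in mind: Full Control over every user, group and OU in the domain makes this account as sensitive as a Domain Admin, so protect its credential and the DRA server accordingly; and objects guarded by AdminSDHolder (members of Domain Admins and other protected groups) do not inherit these ACEs, so DRA will not be able to manage them through this grant, which is usually what you want.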
Office 365 Tenant Access Account: Assign the following roles to the Office 365 Tenant Access Account (these are roles in the cloud tenant, not on-premises Active Directory permissions):
User Management Administrator in Office 365
Recipient Management in Exchange Online
Exchange Access Account: Assign the Organization Management role group to the Exchange Access Account to manage Exchange 2013, Exchange 2016, or later Exchange versions. Also add the Exchange Access Account to the Account Operators group.
Skype Access Account: Ensure that this account is a Skype-enabled user and that it is a member of at least one of the following:
CSAdministrator role
Both the CSUserAdministrator and CSArchiving roles
Public Folder Access Account: Assign the following Exchange roles to the Public Folder Access Account:
Public Folder Management
Mail Enabled Public Folders
Post DRA installation:
Run the following command from the DRA installation folder to delegate permission on the “Deleted Objects” container (the command must be executed by a domain administrator):
DraDelObjsUtil.exe /domain:<NetbiosDomainName> /delegate:<Account Name>
Run the following command from the DRA installation folder to delegate permission on the “NetIQRecycleBin” OU (this can be done only after the respective domains have been added to DRA as managed domains):
DraRecycleBinUtil.exe /domain:<NetbiosDomainName> /delegate:<AccountName>
Add the least-privilege override account to the local “Administrators” group on each computer on which DRA will manage resources such as printers, services, event logs and devices.
Grant the least-privilege override account “Full Control” on the shared folders or DFS folders where home directories are provisioned.
Add the least-privilege override account to the “Organization Management” role group to manage Exchange objects.
Remote Access to SAM: On the domain controllers and member servers that DRA manages, configure the GPO setting below so that the DRA accounts are allowed to make remote queries to the Security Account Manager (SAM) database:
Network access: Restrict clients allowed to make remote calls to SAM
The GPO Editor path to this policy setting is Default Domain Controllers Policy [<server name>] Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. The Default Domain Controllers Policy only reaches domain controllers; managed member servers need the same setting in a GPO linked to their OU.
For more information, see Knowledge Base article 7023292.
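That policy setting is an SDDL string, and the mistake to avoid is replacing it with an ACL that drops the existing entries or opens SAM to Everyone. The script below, an added example that is not from the NetIQ page, reads the value currently in effect on the machine it runs on (falling back to Windows' built-in default of Administrators only), appends a read-control ACE for each DRA account that is not already present, and prints the merged SDDL to paste into the GPO setting. The account names are assumptions.

```powershell
# Added example (not from the NetIQ page): merge the DRA accounts into the
# "Network access: Restrict clients allowed to make remote calls to SAM" SDDL.
# Assumed: the account names below; run on a managed DC or member server.
param(
    [string[]]$Accounts = @('CORP\svc-dra-service', 'CORP\svc-dra-domain')  # assumed names
)
$regPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName   = 'RestrictRemoteSam'
$defaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # Windows default when the policy is not configured
$READ_CONTROL = 0x20000                    # the "RC" right, the only right this policy evaluates

# Value in effect on this machine (the policy writes the same registry value).
function Get-EffectiveRestrictRemoteSam {
    $v = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ([string]::IsNullOrWhiteSpace($v)) { $defaultSddl } else { $v }
}

# Return a new SDDL with an allow-RC ACE for each account, keeping existing ACEs.
function Add-RemoteSamAllowedAccounts {
    param([string]$Sddl, [string[]]$Accounts)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if (-not $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new(2, 1)  # ACL_REVISION
    }
    foreach ($acct in $Accounts) {
        $sid = ([System.Security.Principal.NTAccount]$acct).Translate(
            [System.Security.Principal.SecurityIdentifier])
        $already = $sd.DiscretionaryAcl | Where-Object {
            $_ -is [System.Security.AccessControl.CommonAce] -and
            $_.AceQualifier -eq 'AccessAllowed' -and
            $_.SecurityIdentifier.Value -eq $sid.Value }
        if ($already) { continue }   # idempotent: no duplicate ACEs on re-runs
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $READ_CONTROL, $sid, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    }
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

$current = Get-EffectiveRestrictRemoteSam
$merged  = Add-RemoteSamAllowedAccounts -Sddl $current -Accounts $Accounts
"Current SDDL : $current"
"Merged SDDL  : $merged   (paste this into the GPO setting)"
```

Grant only the specific DRA accounts this way; each one added here can enumerate local users and groups on every machine the GPO covers, so the list should be as short as the page's account table allows.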