Overview
This update applies to Active Directory drivers running with Identity Manager 4.6 or later. After the patch is applied, the driver version changes to 4.1.1.0.
Supported Platforms
- Windows Server 2016
- Windows Server 2012 (64-bit)
- Windows Server 2012 R2 (64-bit)
- Windows Server 2008 R2 (64-bit)
System Requirements
Upgrading the Driver
The driver upgrade process involves the following tasks:
- Upgrading the driver packages
- Updating the driver files
Upgrading the Driver Packages
- Download the following packages:
  - Active Directory Default Configuration
    - Package Name: NOVLADDCFG
    - Version: 2.5.2
    - Build Date: 20180730
    - Build Number: 122953
  - Active Directory Entitlements and Exchange Mailbox Support
    - Package Name: NOVLADENTEX
    - Version: 2.5.6
    - Build Date: 20180814
    - Build Number: 164700
- Open the project containing the driver.
- Right-click the driver for which you want to upgrade an installed package, then click Driver > Properties.
- Click Packages.
A check mark indicates a newer version of a package in the Upgrades column.
- Click Select Operation for the package that indicates there is an upgrade available.
- From the drop-down list, click Upgrade.
- Select the version that you want to upgrade to, then click OK.
NOTE: Designer lists all versions available for upgrade.
- Click Apply.
- (Conditional) Fill in the fields with appropriate information to upgrade the package, then click Next.
Depending on which package you selected to upgrade, you must fill in the required information to upgrade the package.
- Read the summary of the packages that will be installed, then click Finish.
- Review the upgraded package, then click OK to close the Package Management page.
Updating the Driver Files
- Back up the current driver configuration.
- (Conditional) If the driver is running locally, stop the driver instance and the Identity Vault.
- (Conditional) If the driver is running with a Remote Loader instance, stop the driver and the Remote Loader instance.
- Download the IDM46_ADDriver_4110.zip file and unzip its contents to a temporary location on your server.
- Update the driver files:
  Navigate to the extracted <addriverfp>\x64\windows folder and perform the following actions:
  - Copy addriver.dll to the appropriate folder for your Identity Manager version.
    - Identity Manager 4.7: \NetIQ\IdentityManager\NDS (local installation) or \Novell\RemoteLoader\64bit (remote installation)
    - Identity Manager 4.6: \Novell\NDS (local installation) or \Novell\RemoteLoader\64bit (remote installation)
  - Replace the existing C:\Windows\System32\nls directory with the \addriverfp\x64\nls directory.
  - If the server has password synchronization configured, copy the following files from the extracted <addriverfp>\x64 folder:
    - PassSyncConfig.cpl to the C:\Windows\System32 folder.
    - pwFilter.dll to the \Novell\IDM_PassSync\w64 folder.
  - Restart the server.
- Update the Password Sync Filter.
  NOTE: You must reboot each Domain Controller for the changes to take effect. Therefore, check your current pwfilter.dll file version before starting the update. If the current version and the version shipped with the driver patch file are the same, skip this step.
  - Verify the current version of your Password Sync Filter (pwfilter.dll).
    - On all Domain Controllers, browse to the C:\Windows\System32 folder.
    - Right-click the pwfilter.dll file.
    - Click Properties.
    - Click the Details tab and check the version of the file.
  - Update the Password Sync Filter files.
    - On each Domain Controller, rename the existing pwfilter.dll file to pwfilter.old.
    - Navigate to the extracted <addriverfp>\x64 folder and copy the pwfilter.dll file to the \Windows\System32 folder.
    Alternatively, run the Control Panel applet and check the filter status. Any old password sync filters should show as outdated and can be updated using that utility. A reboot of the Domain Controller is still needed because pwfilter.dll is loaded by the LSA process, which starts only when the server starts up.
  - Reboot each Domain Controller to apply the Password Sync Filter changes.
- If you enabled the driver to synchronize Exchange data or if you want to use Active Directory PowerShell, update the Exchange Service files.
  NOTE: You must perform this step only if your Active Directory driver version is earlier than 4.0.0.1.
  Your Exchange Service files must match the Microsoft Exchange version you are using. For example, use:
  - IDM_PowerShell_Service for Exchange 2016 or Exchange 2013
  - IDM_AD_Ex2010_Service for Exchange 2010
  To update the Exchange Service files:
  - Stop the currently running Exchange service and remove it.
  - Copy the new Exchange Service files from the unzipped <addriverfp>\noarch folder to the \Novell\NDS or \Novell\RemoteLoader\64bit folder on your computer.
    - IDMPowerShellManagementServer.dll and IDMPowerShellService.exe for Exchange 2016 or Exchange 2013.
    - IDMEx2010ManagementServer.dll and IDMEx2010Service.exe for Exchange 2010.
  - Install the Identity Manager Exchange service. See the instructions in the Identity Manager Active Directory Driver Implementation Guide.
  - Start the Exchange Service.
  NOTE: Review the following considerations for running IDM_PowerShell_Service on Windows 2008.
  - Install Windows Management Framework 3.0.
  - Update the Active Directory driver to the latest packages that include updated Global Configuration Values for Exchange 2016 and Exchange 2013.
- If the driver is running locally, start the Identity Vault and the driver instance.
- If the driver is running with a Remote Loader instance, start the Remote Loader instance and the driver instance.
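The pwfilter.dll version check from the Password Sync Filter step can be run against every Domain Controller in one pass, so that only the DCs that actually need the new filter are rebooted. This is an added example, not part of the vendor readme. It assumes PowerShell 4.0 or later, administrative access to each DC's admin$ share, and operator-supplied values for the hypothetical parameters -PatchRoot (the extracted <addriverfp> folder) and -DomainController.

```powershell
# Added example (not vendor code): report which Domain Controllers still need
# the pwfilter.dll update, by comparing each installed copy with the patch copy.
param(
    # Assumption: folder where IDM46_ADDriver_4110.zip was extracted (<addriverfp>).
    [Parameter(Mandatory = $true)] [string]   $PatchRoot,
    # Assumption: Domain Controller host names, supplied by the operator.
    [Parameter(Mandatory = $true)] [string[]] $DomainController
)

function Get-DllInfo([string]$Path) {
    # Numeric file version (what the Details tab shows) plus a SHA-256 digest.
    $v = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    [pscustomobject]@{
        Version = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                       $v.FileBuildPart, $v.FilePrivatePart
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# A missing patch copy is a terminating error: nothing to compare against.
$shipped = Get-DllInfo (Join-Path $PatchRoot 'x64\pwfilter.dll')

foreach ($dc in $DomainController) {
    # admin$ maps to the remote C:\Windows; reading it needs administrative rights.
    $remote = '\\{0}\admin$\System32\pwfilter.dll' -f $dc
    $row = [ordered]@{
        DomainController = $dc; Installed = $null
        Shipped = $shipped.Version; Action = $null
    }
    try {
        $current = Get-DllInfo $remote
        $row.Installed = $current.Version
        $row.Action = if ($current.Sha256 -eq $shipped.Sha256) {
            'Skip: already the shipped file'
        } elseif ($current.Version -eq $shipped.Version) {
            'Review: same version, different hash'
        } else {
            'Update pwfilter.dll, then reboot this DC'
        }
    } catch {
        # File absent or DC unreachable: report it instead of guessing.
        $row.Action = "Not checked: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
```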
Technical Support Information
Issues Fixed in This Release
- Bug 731112 - Active Directory driver should forward password synchronization metadata
- Bug 847538 - Control Panel PassSync Applet should show when a Domain Controller is Read-Only and not install the Password Sync Filter
- Bug 860828 - uniqueID missing for a user created from the Publisher Channel in the Active Directory driver
- Bug 887659 - Login Disabled attribute should not be set by policy if Enable Login Disabled Attribute Sync Global Configuration Value is set to true
- Bug 948282 - DirXML-ADAliasName attribute information is written to the Identity Vault despite the success of create user event
Issues Fixed in Previous Releases
- Bug 982663 - Default value for AD driver parameter "Enable DirSync Incremental Values" should be yes
- Bug 960715 - Typos in package policies
- Bug 973093 - AD Package updates need to account for later versions of engine and Designer
- Bug 967200 - OES 2015 SP1: Identity Manager doesn't sync edir group to AD for non-English user (Chinese, French)
- Bug 1037861 - AD Recycle bin recovery comes across as a Delete
- Bug 958260 - Enable-mailbox fails if user CN has an apostrophe
- Bug 1063880 - IDM active directory driver silently loses events when class-name missing on event
- Bug 942800 - Multiple events in transaction, if first fails, subsequent events discarded
- Bug 1065987 - Dirsync Incremental Values does not work against a Windows 2016 Functional Forest level
- Bug 1066515 - AD Driver sends duplicate password change events on the Publisher channel
- Bug 1047075 - IDMPowershellservice.exe crashes instead of returning an error message
- Bug 897854 - Steps to move a driver to a Different Domain Controller in Section 10.12 step 4 are confusing
- Bug 963941 - Clarify required group membership for AD driver service account
- Bug 947053 - User Account Settings - dirxml-uACLockout does not work in AD Driver 4.0.1.0
- Bug 957031 - Password sync applet does not report version difference between pwfilter 2.6 and 2.7
- Bug 1042073 - PwFilter: Security Audit requirement for "Restrictions for Unauthenticated RPC clients"
- Bug 1011723 - Exchange 2003 information needs to be removed from AD driver since it is out of Microsoft support
- Bug 1011724 - Exchange 2007 support in the AD driver needs to be removed - since Microsoft support has ended
- Bug 1019268 - PWFILTER.DLL retains the old file in remoteloader.NET folder after upgrade
- Bug 1005200 - Windows server 2016 forest functional level support in AD Driver
- Bug 939535 - NOVLLIBAJC-JS should not use eval
- Bug 1014125 - Remove IDMEx2007ManagementServer from AD driver deliverable
- Bug 890138 - AD driver reports success status for failure of execution of Exchange cmdlets
- Bug 914211 - IDM 4.5 Exchange 2010 service won't start due to exception
- Bug 831051 - ADDriver.dll 64bit has to support ASLR (Address Space Layout Randomization)
- Bug 863220 - Exchange Service does not honor the Exchange Tools version
- Bug 854970 - xds query failed because of wrong LDAP filter
- Bug 870881 - Possible memory leak in the Remote Loader / ADDriver Shim
- Bug 866107 - AD pwfilter status is reported as "Installed - Needs Reboot" when static port is used
- Bug 849022 - Windows server 2012 R2 forest functional level support in AD driver
- Bug 819128 - PowerShell Service does not create Exchange Mailbox
- Bug 833725 - Query with an invalid read-attr attribute lists all the attributes
- Bug 845250 - pwFilter.dll causes memory build up
- Bug 798090 - AD Driver returns invalid Query response if search-class is invalid
- Bug 826089 - AD Driver version 4.0.0.1 showing forest functional level: Unsupported during driver startup
- Bug 821589 - AD driver does a return all on an ill formed query doc
- Bug 738301 - Identity Manager trace 'Association' misspelled in message
- Added support for Windows 2012 (Remote Loader Mode Only)
- Added support for Exchange 2013
- Bug 776269 - IDM Password Sync console fails to copy .dll files to DCs but returns no error
- Bug 733760 - Active directory driver errors out modifying lockoutTime in AD LDS
- Bug 733874 - AD LDS driver Unable to do a Check Password Connection
- Bug 710062 - AD driver not clearing stale entries from cache
- Bug 700616 - Identity Manager package for Microsoft Active Directory (MAD) config hides useful values
- Bug 710833 - Default code from AD driver's 4.0.1 package appears incorrect
- Bug 717082 - sAMAccountName incorrectly sanitized due to invalid regex
- Bug 409545 - Enable functionality to time out entries in the password filter cache
- Bug 699433/699792 - Need to add an additional driver parameter for password filter timeout
- Bug 694912 - Identity Manager MAD package's rule does not always block omitted passwords on Publisher channel
- Bug 283109 - Removed the fix on the PWFILTER.DLL which caused LSASS on the domain controllers to lock up
- Bug 617978 - Fixed an issue where under the AD Password Sync-Password Agent Status column- Password Filters, only partial names were displayed if the domain name was very long
- Bug 624950 - Fixed an Error LDAP_INVALID_CREDENTIALS when performing a check password status
- Bug 654813 - Fixed an issue where the driver would fail to restart if it was running locally on a WINDOWS 2008 R2 server
- Bug 660434 - Fixed an issue where the Active Directory driver would not properly handle queries for zero-length strings
- Bug 283109 - Added back the PWFILTER.DLL file with a new fix
- Bug 519024 - Fixed a problem pushing out the PWFILTER.DLL and associated files when the default install locations are not used. The error was "Error copying files (3)"
- Removed the PWFILTER.DLL file (which fixed bug 283109 but caused other issues)
- Bug 283109 - Identify the SetOperation of password change (administrator reset user's password)
- Bug 622530 - Provisioning Exchange 2010 accounts fails on user add and modify events
- Bug 636363 - Setting filter to a static port on an AD Domain Controller causes lsass to fail, server to reboot in a loop
- Bug 653855 - Password sync fails with 351 RL on 64 bit windows (Doc Update)
- Bug 465870 - Fixed a problem where the ADDriver.dll did not contain version information resource
- Bug 485306 - The Active Directory driver in some cases was unable to delete objects in Windows 2008 if Protect Object from Deletion was turned on for an object in Active Directory. A new setting has been added on the properties of the driver for drivers created with IDM 4 or later
- Bug 494196 - Fixed the issue where the Active Directory driver treated schema names as case sensitive
- Bug 587753 - Fixed an issue where 4 exchange attributes were being removed by the shim when syncing groups to Exchange 2007 or 2010. They are homeMTA, legacyExchangeDN, msExchHomeServerName, msExchMailboxSecurityDescriptor
- Bug 602047 - Fixed an issue where the AD driver would discard delete operations when multiple deletes were sent together
- Bug 574386 - Fixed an issue where the sam account name (pre-Windows 2000) for users and groups was not getting set correctly. A string value starting with a $ would be created instead of the correct value
- Bug 574916 - Fixed a problem in the Subscriber Create policy where it was missing code to add the source name to the DirxmlAD-alias name. This causes the group to get created with a random pre-windows 2000 name even if you want your naming based on the sam account name
- Bug 566638 - Fixed an issue where the AD Driver does not delete the user in AD when the option "Allow Exchange mailbox delete" is set to No
- Added support for Exchange 2010. To provision mailboxes in Exchange 2010, the EXCH 2010 option has to be selected. The on-line documentation will be updated to show these changes.
- Bug 541375 - eDirectory becomes unresponsive when we stop the AD driver
- Bug 133631 - AD driver not properly handling a multi-valued description attribute
- Bug 533958 - enable-incremental-values ignored/not working in 2008 domain/forest functional level
- Bug 482861 - Exchange 2007 Exception When Moving a Mailbox, (Changing homeMDB attribute)
- Bug 499307 - Active Directory Driver reports changes on computer objects in AD even though not in the filter
- Bug 501954 - Exchange 2007 -DomainController option being passed with no value
- Bug 510318 - AD Password changes periodically not published and remain in registry on the RL
- Bug 519024 - "Error copying files (3)" when installing PWFILTER.DLL.
- Bug 549466 - Added support for Windows 2008 R2.
- Bug 499382 - Driver-Active Directory Add support for Windows 2008 server running in a 2008 functional level
- Bug 486949 - Driver-Active Directory Unlocalised text "Warning" present in Jobs Results tab
- Bug 486804 - Driver-Active Directory Incorrect tooltip on OK button in Identity Manager Library / Mapping Tables Dialog
- Bug 408306 - Driver-Active Directory Subscriber Password payload on an add event returns wrong XML document on Publisher
- Bug 254763 - Driver-Active Directory MD: JPN : PreCfg : UserID "Administrator" is translated in example
- Bug 417504 - Remote Loader hangs when issuing Enable-Mailbox command via AD driver
- The AD Driver failed to provision Exchange 2007 accounts on Windows 2008 (x64). The error presented in trace is "Exchange 2007 Exception. code:0x0000274d Connnection Error. Make sure service is Running"
- Bug 393862 - Driver-Active Directory MD - All_Lang- Unlocalised text when you create a new driver
- Bug 385606 - Driver-Active Directory AD driver won't stay running
- Bug 381457 - Driver-Active Directory AD Driver crashes after reconnect from network failure
- Bug 376542 - Driver-Active Directory Bad wording and grammar in MAD driver preconfig
- Bug 330245 - Driver-Active Directory Need way to specify LDAP port(s) for ADAM
- Bug 364791 - When forcing Powershell to the same DC as the driver, the DomainController parameter was missing in the last AD patch. It has been added
- Bug 364791 (same bug as above) - AD Driver now forces Powershell to same DC as the driver. Before there were replication delays that would cause "object could not be found" errors. This only happened when the driver was talking to one DC but the IDM exchange service was talking to another
- Bug 301558 - Fixed memory leak in AD Query mechanism
- Bug 344553 - Fixed an issue where the Password Sync install does not update the correct registry key for the 64-bit filter. During the install of the 64-bit password filter to the domain controllers, the registry keys for Host Names were only created in hklm/SOFTWARE/Wow6432Node/Novell/PwFilter and no entry was added in hklm/SOFTWARE/Novell/PwFilter
- Bug 330245 - Implemented the LDAP Incremental values control feature