Workflow Automation Adapter Reference for DRA

This document provides information about installing and configuring the NetIQ Workflow Automation Adapter for Directory and Resource Administrator (DRA). This document also covers how to verify a successful installation.

1.0 Overview

The Workflow Automation Adapter for Directory and Resource Administrator, commonly referred to as the DRA Adapter, enables Workflow Automation to communicate with DRA and automate manual processes associated with the administration and security of Microsoft Active Directory.

The DRA Adapter includes a library of workflow activities that Process Authors can use in the Workflow Designer. For more information about activities or activity libraries, see the Workflow Automation Process Authoring Guide.

2.0 Product Requirements

The DRA Adapter requires the following minimum software versions:

  • Directory and Resource Administrator 10.2.2

  • Workflow Automation 10.2.2

  • Microsoft .NET Framework 4.8

The DRA Adapter requires one of the following operating system versions:

  • Microsoft Server 2016

  • Microsoft Server 2019

  • Microsoft Server 2022

3.0 Understanding How the DRA Adapter Uses Multi-Master Sets

In DRA, a Multi-Master Set (MMS) is a set of multiple Administration servers. Each MMS consists of a primary Administration server and one or more secondary Administration servers. The primary server provides security and domain management as well as account and Microsoft Exchange management. Each secondary server acts as a supplemental server, providing additional access to enterprise data while allowing you to balance loads and traffic across local or remote locations. Secondary servers also ensure availability if the primary server is offline.

The DRA Adapter requires at least one MMS in the Workflow Automation namespace for Workflow Automation to model the DRA environment. If your DRA environment does not have an existing MMS, you do not have to create one in DRA. The installation program creates one for you in the Workflow Automation namespace. The default name is MultiMasterSet, but you can specify any name.

Each MMS has an associated Run As account the DRA Adapter uses to communicate with DRA and run the activities in a workflow. For more information about the Run As account, see Ensuring Minimum Rights and Privileges.

4.0 Supported Configurations

The DRA Adapter supports the following DRA configurations:

Single Administration Server

The DRA Adapter communicates with one Administration server that manages a single domain. The Workflow Automation Server computer must be a member of the managed domain. The Workflow Automation service account must have “run as” privileges.

Multiple Administration Servers

The DRA Adapter communicates with multiple Administration servers, each of which manages a different domain. There must be a trust relationship between the domains, and the Workflow Automation Server computer must be a member of the trusted domain. The Workflow Automation service account must have “run as” privileges.

Single Multi-Master Set

The DRA Adapter communicates with an MMS that manages a forest. There must be a trust relationship between the domains in the forest, and the Workflow Automation Server computer must be a member of the trusted domain. The Workflow Automation service account must have “run as” privileges.

Multiple Multi-Master Sets

The DRA Adapter communicates with multiple MMSs, each of which manages a different forest. There must be a trust relationship between the forests, and the Workflow Automation Server computer must be a member of the trusted domain. The Workflow Automation service account must have “run as” privileges.

For more information about assigning “run as” privileges to the Workflow Automation service account, see Ensuring Minimum Rights and Privileges.

5.0 Implementation Overview

The following table provides an overview of tasks to configure the DRA Adapter:

Steps

For more information, see...

Configure the minimum rights and privileges for the Run As account and Workflow Automation service account.

Ensuring Minimum Rights and Privileges

Install a DRA console on the Workflow Automation Server computer.

Installing the DRA Adapter

Install the DRA Adapter on the Workflow Automation Server computer.

Installing the DRA Adapter

Validate the configuration information you supplied during the installation process.

Validating Administration Server Connections

Configure the adapter to connect to additional Administration servers.

Configuring Administration Server Connections

Verify the installation was successful.

Verifying a Successful Installation

6.0 Ensuring Minimum Rights and Privileges

Before you install the DRA Adapter, configure the following minimum rights and privileges for the Run As account and the Workflow Automation service account:

Run As Account

When you install the DRA Adapter, you must specify the credentials for the Run As account. The Run As account allows the DRA Adapter to communicate with DRA and run the activities in a workflow. The Run As account must be:

  • A member of the Domain Users Global Security Group in the target domain or a Local Account on a managed server

  • A valid Assistant Administrator in DRA with the Audit All Objects role

ActiveView for the Run As Account

In DRA, create an ActiveView for the Run As account. Ensure the ActiveView has the powers to add, modify, and delete the following objects:

  • Users

  • Azure Users

  • Contacts

  • Groups

  • AA Groups

  • Dynamic Groups

  • Dynamic Distribution Groups

  • Computers

  • ActiveViews

  • Organizational Units (OUs)

  • Exchange Mailboxes

  • Resource Mailboxes (Room and Equipment)

Workflow Automation Service Account

The Workflow Automation service account is the account Workflow Automation uses to execute the Namespace Provider service on the Workflow Automation Server. The Workflow Automation service account on the Workflow Automation Server computer must have “run as” privileges in your environment.

To ensure the Workflow Automation service account has “run as” privileges, in Local Security Settings on the Workflow Automation Server computer, assign the Impersonate a client after authentication policy to the Workflow Automation service account.

For more information about supported configurations, see Supported Configurations.

7.0 Default Ports

To enable proper communication between the DRA Adapter and the DRA Administration service in your DRA environment, ensure the following ports are open on the DCOM server computer.

Port Number

Component Computer

Port Use

DCOM 135

Workflow Automation Server

Enables the DRA Adapter to locate the Administration service.

RPC xxxxx-xxxxx

Database Server

Enables the DRA Adapter to communicate with the DCOM Service communication. Enter the port range you specified in your DCOM configuration, typically ports 60000-60100.

8.0 Installing the DRA Adapter

The DRA Adapter is installed by default when you install Workflow Automation. The component is shown under Workflow Automation Services in WFA Installer.

For information about installing Workflow Automation, see the Workflow Automation Administrator Guide.

9.0 Validating Administration Server Connections

When the installation is complete, the WFA Adapter Configuration Utility allows you to validate the information you supplied during the installation process.

To validate a connection to an Administration server:

  1. Log on to the Workflow Automation Server computer with an administrator account.

  2. In the NetIQ program group, click Workflow Automation Adapter Configuration Utility.

    NOTE:If your user account does not have administrator privileges on the Workflow Automation Server computer, right-click the Workflow Automation Adapter Configuration Utility shortcut, and then click Run As Administrator.

  3. In the left pane, expand DRA Adapter, and then expand the appropriate MMS.

  4. In the left pane, click the Administration server for which you want to validate the connection.

  5. Click Validate.

  6. If the connection is invalid, make the appropriate changes, and then click Save All.

  7. If you made any changes, restart the Workflow Automation Namespace Provider service.

10.0 Configuring Administration Server Connections

When the installation is complete, the WFA Adapter Configuration Utility allows you to configure Administration server connections at any time. Using the WFA Adapter Configuration Utility, you can:

  • Add Administration servers to any existing MMS.

  • Configure the DRA Adapter to communicate with additional MMSs.

  • Modify the Run As account credentials for existing servers.

10.1 Adding an Administration Server to an Existing MMS

Using the WFA Adapter Configuration Utility, you can add one or more Administration servers to an existing MMS. The DRA Adapter automatically detects the primary Administration server in the MMS.

To add an Administration server to an existing MMS:

  1. Log on to the Workflow Automation Server computer with an administrator account.

  2. In the NetIQ program group, click Workflow Automation Adapter Configuration Utility.

    NOTE:If your user account does not have administrator privileges on the Workflow Automation Server computer, right-click the Workflow Automation Adapter Configuration Utility shortcut, and then click Run As Administrator.

  3. In the left pane, expand DRA Adapter, and then click the MMS to which you want to add a new Administration server.

  4. On the Edit menu, click New Entry.

  5. Provide the appropriate information, and then click Save All.

  6. Click Close.

  7. Restart the Workflow Automation Namespace Provider service.

10.2 Configuring a New MMS in the DRA Adapter

Using the WFA Adapter Configuration Utility, you can create a new MMS.

To configure the DRA Adapter to communicate with an additional MMS:

  1. Log on to the Workflow Automation Server computer with an administrator account.

  2. In the NetIQ program group, click Workflow Automation Adapter Configuration Utility.

    NOTE:If your user account does not have administrator privileges on the Workflow Automation Server computer, right-click the Workflow Automation Adapter Configuration Utility shortcut, and then click Run As Administrator.

  3. In the left pane, click DRA Adapter.

  4. On the Edit menu, click New Entry.

  5. Provide the name for the new MMS, and then click Save All.

  6. To add an Administration server to the MMS, complete the following steps:

    1. In the left pane, click the new MMS.

    2. On the Edit menu, click New Entry.

    3. Provide the appropriate information, and then click Save All.

  7. Click Close.

  8. Restart the Workflow Automation Namespace Provider service.

10.3 Adding the Run As Account to the Process Operators Group

As part of the integration with the DRA Server, you need to ensure the Run As account is a member of the Process Operators group on the Workflow Automation Server.

To add the Run As account to this group:

  1. Open the Workflow Automation Adapter Configuration Utility from the NetIQ program group, and navigate to Security.

  2. Right-click Users in the Navigation pane, and select Import Domain Users.

    (Another option would be to import a domain group the Run As account is a member of.)

  3. Locate the domain account that you are using for the WFA Run As account and add it to WFA Users.

  4. Click Groups in the navigation pane.

  5. Right-click the Process Operators group, and click View Members.

  6. Select the account that you imported from the domain for the Run As account from the Available Users and Group list.

  7. Click Add and OK to add the account to the group’s members.

  8. To define specific permissions in WFA for the Run As account, right-click the Process Operators group again, and select Edit WFA Group.

  9. Use the Security tab to select the user again and add a permission set. You can repeat this process if you want to add more than one permission set.

11.0 Verifying a Successful Installation

After you configure at least one Administration server connection, Workflow Automation imports all computers in the managed domains as resources.

To verify successful registration with the Resource Management database:

  1. Start the Workflow Automation Configuration Console.

    For more information about starting the Configuration Console, see the Workflow Automation Administrator Guide.

  2. In the Navigation pane, click Resources.

  3. In the left pane, expand Adapter Resource Hierarchies.

  4. Ensure DRA Adapter is in the list of installed adapters.

  5. If you configured one or more Administration server connections, complete the following steps:

    1. Expand DRA Adapter.

    2. Expand DRA Data Source for MMS, where MMS is the name of the MMS to which an Administration server belongs.

    3. Ensure the domains and OUs associated with the MMS display in the list.

    4. Ensure the Administration servers associated with the MMS display as resources.

After verifying a successful installation, we recommend that you build a simple workflow with one of the activities in the DRA Adapter Library. For more information about building workflows, see the Workflow Automation Process Authoring Guide.

12.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/en-us/legal.

© Copyright 2007-2023 Open Text or one of its affiliates.

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.