3.5 DRA Administration Server and Web Console Requirements

DRA components require the following software and accounts:

3.5.1 Software Requirements

Component

Prerequisites

Installation Target

Operating System

Administration Server Operating System:

  • Microsoft Windows Server 2016, 2019, 2022

    NOTE: The server must also be a member of a supported Microsoft on-premises Active Directory domain.

DRA Interfaces:

  • Microsoft Windows Server 2016, 2019, 2022

  • Microsoft Windows 10, 11

Installer

  • Microsoft .Net Framework 4.8 and above

Administration Server

Directory and Resource Administrator:

  • Microsoft .Net Framework 4.8 and above

  • Microsoft Visual C++ 2015-2019 Redistributable Packages (x64 and x86)

  • Microsoft Message Queuing

  • Microsoft Active Directory Lightweight Directory Services roles

  • Remote Registry Service Started

  • Microsoft Internet Information Services

  • Microsoft Internet Information Services URL Rewrite Module

  • Microsoft Internet Information Services application request routing

NOTE: DRA REST Endpoint and Service are installed with the Administration Server.

Microsoft Office 365/Exchange Online Administration:

DRA 10.2.3:

  • Windows PowerShell Module

  • Microsoft.Graph 2.8 or later

  • Az.accounts 1.2.1 or later

  • Exchange Online PowerShell V3.0.0 or later

DRA 10.2.2 or earlier:

  • Windows PowerShell Module

  • Windows Azure Active Directory Module for Windows PowerShell

  • Exchange Online PowerShell V2.0.3 or later

  • Enable WinRM for Basic authentication on the client side for Exchange Online tasks.

For more information, see Supported Platforms.

User Interface

DRA Interfaces:

  • Microsoft .Net Framework 4.8

  • Microsoft Visual C++ 2015-2019 Redistributable Packages (x64 and x86)

PowerShell Extensions

  • Microsoft .Net Framework 4.8

  • PowerShell 5.1 or later

DRA Web Console

Web Server:

  • Microsoft .Net Framework 4.x > WCF Services > HTTP Activation

  • Microsoft Internet Information Server 8.5, 10

  • Microsoft Internet Information Services URL Rewrite Module

  • Microsoft Internet Information Services application request routing

Web Server (IIS) components:

  • Web Server > Security > URL Authorization

3.5.2 Server Domain

Component: DRA Server

Operating Systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

3.5.3 Account Requirements

Account: AD LDS Group

Description: The DRA service account needs to be added to this group for access to AD LDS.

Permissions:

  • Domain Local Security Group

Account: DRA Service Account

Description: The permissions required to run the Administration Service.

Permissions:

  • “Distributed COM Users” Permissions

  • Member of the AD LDS Admin Group

  • Account Operator Group

  • Log Archive groups (OnePointOp ConfgAdms & OnePointOp)

  • When installing DRA on a server using STIG methodology, select one of the following options for the DRA service account user from the User account flags area of the Accounts tab on the user properties page:

    • This account supports Kerberos AES 128 bits encryption

    • This account supports Kerberos AES 256 bits encryption

NOTE:

  • For more information about setting up least privilege domain access accounts, see Least Privilege DRA Access Accounts.

  • For more information on setting up a group Managed Service Account for DRA, see “Configuring DRA Services for a Group Managed Service Account” in the DRA Administrator Guide.

Account: DRA Administrator

Description: User account or Group provisioned to the built-in DRA Admins role.

Permissions:

  • Domain Local Security Group or domain user account

  • Member of the managed domain or a trusted domain

    • If you specify an account from a trusted domain, ensure that the Administration server computer can authenticate this account.

Account: DRA Assistant Admin Accounts

Description: Accounts that get delegated powers through DRA.

Permissions:

  • Add all DRA Assistant Admin accounts to the “Distributed COM Users” group so that they can connect to the DRA Server from remote clients. This is required only when you are using a thick client or the Delegation and Configuration console.

    NOTE: DRA can be configured to manage this for you during the installation.

3.5.4 Least Privilege DRA Access Accounts

A DRA access account allows you to override the Administration service account you configured for the Administration server when you installed DRA. These accounts can be used to access domains, tenants, public folders and so on. The following sections list the permissions and privileges that are required for the access accounts and the configuration commands you need to run.

Domain Access Account: Using ADSI Edit, grant the Domain Access account the following Active Directory Permissions at the top domain level:

  1. Launch ADSI Edit.

  2. Select the domain node (DC=<Domain_Name>,DC=/?), right-click and select Properties.

  3. Click Security > Advanced > Permissions.

  4. Select the domain access account and click Edit.

  5. Ensure that the Type list is set to Allow.

  6. In the Applies to list, select Descendant builtInDomain objects.

  7. Under Permissions, select the Full Control check box.

  8. Repeat steps 6-7, and provide Full control for the following descendant objects:

    • Descendant Computer objects

    • Descendant Connection Point objects

    • Descendant Contact objects

    • Descendant Container objects

    • Descendant Group objects

    • Descendant InetOrgPerson objects

    • Descendant MsExchDynamicDistributionList objects

    • Descendant MsExchSystemObjectsContainer objects

    • Descendant msDS-GroupManagedServiceAccount objects

    • Descendant Organizational Unit objects

    • Descendant Printer objects

    • Descendant publicFolder objects

    • Descendant Shared Folder objects

    • Descendant User objects

  9. With the Type list set to Allow, select This object and all descendant objects from the Applies to list.

  10. Under Permissions, select the following check boxes:

    • Create Computer objects

    • Delete Computer objects

    • Create Contact objects

    • Delete Contact objects

    • Create Container objects

    • Delete Container objects

    • Create Group objects

    • Delete Group objects

    • Delete InetOrgPerson objects

    • Create MsExchDynamicDistributionList objects

    • Delete MsExchDynamicDistributionList objects

    • Create msDS-GroupManagedServiceAccount objects

    • Delete msDS-GroupManagedServiceAccount objects

    • Create Organizational Unit objects

    • Delete Organizational Unit objects

    • Create publicFolders objects

    • Delete publicFolders objects

    • Create Shared Folder objects

    • Delete Shared Folder objects

    • Create User objects

    • Delete User objects

    • Create Printer objects

    • Delete Printer objects

  11. Click OK.

Using ADSI Edit, provide read access to the Microsoft Exchange container for the Domain Access account by following these steps:

  1. Launch ADSI Edit (adsiedit.msc).

  2. In the left navigation pane, right-click ADSI Edit and choose Connect to.

  3. Select Configuration as the well-known Naming Context, then click OK.

  4. Expand the Configuration node. (CN=Configuration,DC=<Domain_Name>,DC=/?).

  5. Navigate to CN=services -> CN=Microsoft Exchange.

  6. Right-click CN=Microsoft Exchange and select Properties.

  7. Click Security > Advanced > Permissions.

  8. Locate the domain access account then click Edit.

  9. Confirm that the Type list is set to Allow.

  10. In the Applies to list, select Descendant objects.

  11. Under Permissions, select the List Contents, Read all Properties and Read Permissions check boxes.

  12. Click OK and then Apply.
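The two ADSI Edit procedures above (Full Control and Create/Delete rights at the domain root, then read access on the Microsoft Exchange container) can also be applied from PowerShell, which makes the grant repeatable and reviewable. The script below is an added example and not part of the DRA documentation; it assumes the ActiveDirectory module is installed, that it runs as a domain administrator, and that the account name is a placeholder. The class names are the lDAPDisplayName values behind the display names ADSI Edit shows (Printer is printQueue, Shared Folder is volume); the schema lookup throws if a class is missing, which is what happens for the Exchange classes when the schema is not extended.

```powershell
# Added example (not from the DRA documentation): grant the Domain Access account
# the ACEs from the two ADSI Edit procedures. Assumes the ActiveDirectory module and
# a domain administrator session. $Account is a placeholder name.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$Account = 'CONTOSO\svc-dra-access'   # placeholder least privilege Domain Access account
$rootDse = Get-ADRootDSE
$sid     = ([System.Security.Principal.NTAccount]$Account).Translate(
             [System.Security.Principal.SecurityIdentifier])
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Desc    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # "Descendant ... objects"
$All     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # "This object and all descendant objects"

# schemaIDGUID of an object class; throws if the schema lacks it (e.g. no Exchange extension).
function Get-ClassGuid([string]$Class) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$Class)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema class '$Class' not found" }
    [guid]$o.schemaIDGUID
}

# Steps 6-8: Full Control on "Descendant <class> objects".
$fullControl = 'builtinDomain','computer','connectionPoint','contact','container','group',
  'inetOrgPerson','msExchDynamicDistributionList','msExchSystemObjectsContainer',
  'msDS-GroupManagedServiceAccount','organizationalUnit','printQueue','publicFolder','volume','user'
# Steps 9-10: Create/Delete <class> objects (inetOrgPerson gets Delete only, as in step 10).
$createDelete = 'computer','contact','container','group','msExchDynamicDistributionList',
  'msDS-GroupManagedServiceAccount','organizationalUnit','publicFolder','volume','user','printQueue'

$domainPath = "AD:\$($rootDse.defaultNamingContext)"
$domainAcl  = Get-Acl -Path $domainPath
foreach ($c in $fullControl) {
    $domainAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $Allow, $Desc, (Get-ClassGuid $c)))
}
foreach ($c in $createDelete) {
    $domainAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $Allow, (Get-ClassGuid $c), $All))
}
$domainAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild, $Allow, (Get-ClassGuid 'inetOrgPerson'), $All))
Set-Acl -Path $domainPath -AclObject $domainAcl

# Second procedure: List Contents, Read all Properties, Read Permissions on "Descendant objects"
# of CN=Microsoft Exchange in the Configuration naming context.
$exchPath = "AD:\CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)"
$exchAcl  = Get-Acl -Path $exchPath
$exchAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl', $Allow, $Desc))
Set-Acl -Path $exchPath -AclObject $exchAcl
```

Re-running the script is safe because AddAccessRule merges an ACE that already exists; compare the resulting ACL against the steps with Get-Acl before trusting it in production.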

NOTE:

  • If the managed domain’s Active Directory schema is not extended for Exchange Online, the following objects will not be listed:

    • MsExchDynamicDistributionList objects

    • MsExchSystemObjectsContainer objects

    • publicFolder objects

  • By default, some Built-in container objects within Active Directory do not inherit permissions from the top level of the domain. For this reason, those objects will require inheritance to be enabled, or explicit permissions to be set.

  • If you use the least privilege account as the access account, ensure that the account is assigned the “Reset Password” permission for itself in Active Directory for the password reset to be successful in DRA.

Exchange Access Account: To manage on-premises Microsoft Exchange objects, assign the Organizational Management role to the Exchange Access Account and the Exchange Access Account to the Account Operators group.

Skype Access Account: Ensure that this account is a Skype-enabled user and that it is a member of at least one of the following:

  • CSAdministrator role

  • Both the CSUserAdministrator and CSArchiving roles

Public Folder Access Account: Assign the following Active Directory permissions to the Public Folder Access Account:

  • Public Folder Management

  • Mail Enabled Public Folders

Azure Tenant: Basic authentication requires Azure Active Directory permissions on both the Azure Tenant Access Account and the Azure application. Certificate-based authentication requires Azure Active Directory permissions on the Azure application. By default, DRA automatically creates a self-signed certificate required for authentication.

Azure application: The Azure application requires the following roles and permissions:

Roles:

  • User administrator

  • Exchange administrator

Permissions:

  • Read and write all users' full profiles

  • Read and write all groups

  • Read directory data

  • Manage Exchange Online as an application to access Exchange Online resources

  • Read and write all applications

  • Exchange Recipient Administrator

Azure Tenant Access Account: The Azure Tenant Access Account requires the following permissions:

  • Distribution Groups

  • Mail Recipients

  • Mail Recipient Creation

  • Security Group Creation and Membership

  • (Optional) Skype for Business Administrator

    If you want to manage Skype for Business Online, assign the Skype for Business Administrator power to the Azure tenant access account.

  • User Administrator

  • Privileged authentication administrator

Administration Service Account Permissions:

  • Local Administrators

  • Grant the least privilege override account “Full Permission” on share folders or DFS folders where Home directories are provisioned.

  • Resource Management: To manage published resources within a managed Active Directory domain, the Domain Access account must be granted local administration permissions on those resources.

Post DRA installation: You must run the following commands before you manage the required domains:

  • To delegate permission to the “Deleted Objects Container” from the DRA Installation folder (Note: the command must be executed by a domain administrator):

    DraDelObjsUtil.exe /domain:<NetbiosDomainName> /delegate:<Account Name>

  • To delegate permission to the “NetIQRecycleBin OU” from the DRA Installation folder:

    DraRecycleBinUtil.exe /domain:<NetbiosDomainName> /delegate:<AccountName>

Remote Access to SAM: On the Domain Controllers and member servers managed by DRA, configure the GPO setting below so that the accounts it lists can make remote queries to the Security Account Manager (SAM) database. The configured list must include the DRA service account.

Network access: Restrict clients allowed to make remote calls to SAM

To access this setting, do the following:

  1. Open the Group Policy Management console on the domain controller.

  2. Expand Domains > [domain controller] > Group Policy Objects in the node tree.

  3. Right-click Default Domain Controllers Policy and select Edit to open the GPO editor for this policy.

  4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies in the node tree of the GPO editor.

  5. Double-click Network access: Restrict clients allowed to make remote calls to SAM in the policies pane, and select Define this policy setting.

  6. Click Edit Security and enable Allow for Remote Access. Add the DRA service account if it is not already included as a user or part of the administrators group.

  7. Apply the changes. This adds the security descriptor O:BAG:BAD:(A;;RC;;;BA) to the policy settings.
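A check for the setting above, as an added example that is not part of the DRA documentation: the applied policy is stored as an SDDL string in the RestrictRemoteSam value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and "Allow Remote Access" corresponds to the RC (READ_CONTROL) right in an Allow ACE. The script parses that string and reports whether the DRA service account (placeholder name) is granted access directly or only through BUILTIN\Administrators (the BA in the default descriptor).

```powershell
# Added example (not from the DRA documentation): verify that the effective
# "Network access: Restrict clients allowed to make remote calls to SAM" setting
# grants the DRA service account remote access. Run on each DC or member server
# managed by DRA. $ServiceAccount is a placeholder.
param([string]$ServiceAccount = 'CONTOSO\svc-dra')

function Test-RemoteSamAccess {
    param([string]$Sddl, [System.Security.Principal.SecurityIdentifier]$AccountSid)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $rc = 0x20000                                     # READ_CONTROL, shown as "RC" in SDDL
    $allowed = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band $rc)) {
            $allowed += $ace.SecurityIdentifier.Value
        }
    }
    [pscustomobject]@{
        DirectGrant = [bool]($allowed -contains $AccountSid.Value)
        # S-1-5-32-544 is BUILTIN\Administrators (BA); it covers the service account
        # only if that account is actually a member of the group on this machine.
        ViaAdmins   = [bool]($allowed -contains 'S-1-5-32-544')
        AllowedSids = $allowed
    }
}

$sddl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
           -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
if (-not $sddl) { Write-Warning 'RestrictRemoteSam is not defined here; the OS default applies.'; return }
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
          [System.Security.Principal.SecurityIdentifier])
$result = Test-RemoteSamAccess -Sddl $sddl -AccountSid $sid
$result
if (-not $result.DirectGrant -and -not $result.ViaAdmins) {
    Write-Warning "$ServiceAccount is not allowed remote SAM access by: $sddl"
}
```

Against the default descriptor O:BAG:BAD:(A;;RC;;;BA) the function reports DirectGrant false and ViaAdmins true; after step 6 adds the service account, a second Allow ACE with RC for its SID appears and DirectGrant becomes true.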

For more information, see Knowledge Base article 7023292.