Quest® ActiveRoles™ Server
Version 6.5.0
Release Notes
November 6, 2009
Resolved Issues and Enhancements
Quest ActiveRoles Server can help you automatically provision, re-provision and de-provision users quickly, efficiently and securely in Active Directory and beyond. ActiveRoles Server provides strictly enforced role-based security, automated group management, change approval and easy-to-use Web interfaces for self service, to achieve practical user and group lifecycle management for the Windows enterprise.
The newest version, ActiveRoles Server 6.5, adds significant value: workflows to coordinate processes of directory data management, including change approval and notification; policy extensions that make it easy to create, deploy and use custom policy types; the ability to deprovision groups; increased self-service capabilities for users to administer their group memberships; the ability to assign multiple managers (owners) to a single group; and support for the Active Directory Recycle Bin feature of Windows Server 2008 R2, with a point-and-click interface for restoring deleted objects.
For information about the key new features in the latest version of ActiveRoles Server, refer to the ActiveRoles Server What's New document. Information about other new features along with instructions on how to start using new features can be found in the ActiveRoles Server Feature Guide. These documents are available from the Documentation page in the ActiveRoles Server CD Autorun window.
This section provides a list of issues that were resolved in ActiveRoles Server version 6.5.0 (as compared to version 6.1.0). Each item in the list includes an ID number, which identifies the item, and a brief description of the issue. The list is divided by component so that the items related to each individual component of the product are grouped together:
Please note that updates to this list may be published to the Quest Support website SupportLink (http://support.quest.com) after the product release.
TF00039338
Fixed: The Setup program does not register the Administration Service as being
dependent on SQL Native Client, a component of Microsoft SQL Server. As a
result, the SQL Native Client installer fails to warn the user before
uninstalling Native Client that the Administration Service may be broken if
Native Client is removed.
TF00054462
Fixed: When installing the Administration Service with the option to import data
from an existing ActiveRoles Server database (source database), you may receive
the following error message: "The newsequentialid() built-in function can only
be used in a DEFAULT expression for a column of type 'uniqueidentifier' in a
CREATE TABLE or ALTER TABLE statement. It cannot be combined with other
operators to form a complex scalar expression." This issue may occur if the
source database is hosted by SQL Server that holds the Publisher role in the
ActiveRoles Server replication environment.
TF00102291
Fixed: When performing a silent (unattended) installation upgrading the Web
Interface, the Setup program may cause an on-screen error message to appear,
waiting for a user action. In unattended mode, the Setup program is expected to
record error messages, if any, to a log file rather than display an error
message box on the screen.
TF00102319
Fixed: When installing the ActiveRoles Server Report Pack, you may encounter the
following error: "Could not connect to SQL Server. Reason: Login failed for user
''. The user is not associated with a trusted SQL Server connection." This issue
may occur when you configure the data source with the Windows Authentication
option even though you provide a valid user name and password.
TF00102326
Fixed: When installing the ActiveRoles Server Report Pack, you may encounter an
irrelevant error message such as "Cannot find reporting service: "Client found
response content type of '', but expected 'text/xml'. The request failed with an
empty response."
TF00103552
Fixed: The Setup program for ActiveRoles Server Collector installs the
EDMCollector.exe file with an invalid digital signature.
TF00105217
Fixed: After the Internet Information Services software has been removed from
the computer on which the ActiveRoles Server Web Interface is installed, the Web
Interface Setup program fails to uninstall the Web Interface. Specifically, when
uninstalling the Web Interface, the Setup program attempts to stop the World
Wide Web Publishing Service (W3SVC) regardless of whether that service is
present in the system. If the W3SVC service does not exist, an error condition
occurs in the Setup program, so the uninstall process cannot continue.
TF00106448
Fixed: When installing the ActiveRoles Server Web Interface, you may receive the
following error message in the Installation Wizard: "MsiExec.exe - Bad Image:
The application or DLL <Local Path>\<File Name>.tmp is not a valid Windows
image."
TF00022179
Fixed: The Administration Service does not provide support for the "Add/Remove
self as member" permission. As a result, the "Groups - Add/Remove Self As
Member" Access Template has no effect in ActiveRoles Server.
TF00023649
Fixed: The Administration Service does not apply the changes to the 'ou', 'cn'
or 'dc' attribute on an object even though that attribute is not a naming attribute
for that object. For example, when you use the Advanced Properties command in
the ActiveRoles Server console to change the 'ou' attribute of a user account,
your changes are not applied and the attribute remains unchanged.
TF00023695
Fixed: The Administration Service may fail to retrieve the mailbox security
descriptor data from Exchange Server. As a result, the ActiveRoles Server
console or Web Interface cannot display the "Mailbox Rights" page for a
mailbox-enabled user account.
TF00023781
Fixed: When the connection to the ActiveRoles Server database is lost, the
Administration Service may stop unexpectedly. In this situation, it is expected
that the Administration Service continues running and attempts to re-establish
connection to the database.
TF00023919
Fixed: The Administration Service treats the objects representing the
ActiveRoles Server replication partners as container objects rather than leaf
objects. As a result, the objects located in the "Configuration/Server
Configuration/Configuration Databases" or "Configuration/Server
Configuration/Management History Databases" container may appear in the
ActiveRoles Server console tree although they are expected to appear only in the
details pane.
TF00023941
Fixed: When building a consolidated schema for multiple managed domains, the
Administration Service may not distinguish between the 'msExchLabeledURI' and 'labeledURI'
attributes, which makes one of those attributes unavailable for management by
ActiveRoles Server.
TF00024033
Fixed: If the Administration Service cannot manage a domain because of
insufficient rights of the service account, the console may not provide
descriptive information on this error situation. Thus, you may encounter the
"0x80005008" entry in the Status field on the object representing the domain in
the "Configuration/Server configuration/Managed Domains" container. The problem
occurs under the following conditions:
- There are multiple Administration Services - say, Service 1 and Service 2 -
that share common configuration data (for example, via ActiveRoles Server
replication).
- A domain was registered with ActiveRoles Server using Service 1, with the
option to access the domain using the service logon account.
- The console is connected to Service 2 whose service logon account does not
have sufficient rights to access that domain.
In this scenario, Service 2 recognizes the domain as a managed domain, but
cannot access it because of insufficient rights of the service account used by
Service 2. Status of the managed domain reads "0x80005008". Note that the option
to access the domain using the service account information causes each Service
to use its own service account for that purpose, so Service 1 may be able to
access the domain while Service 2 may not.
TF00024437
Fixed: When building ActiveRoles Server's consolidated schema for multiple
managed domains, the Administration Service may record a large number of warning
events in the EDM Server event log.
TF00024462
Fixed: After removing a Management History replication partner (Subscriber), the
Administration Service may not promptly update the status of the corresponding
database server in the ActiveRoles Server console. As a result, refreshing the
console view is required for the database server to be displayed as Standalone.
TF00024484
Fixed: The Administration Service may return an inappropriate error message
(such as "IDispatch error #3149") in a situation where it fails to configure a
Subscriber for ActiveRoles Server replication. This issue occurs if the
Subscriber's SQL Server instance is located in an Active Directory forest that
is different from the forest in which the Publisher's SQL Server instance
resides, and the option to impersonate the SQL Server Agent service account is
selected for that Subscriber in the New Replication Partner wizard.
TF00024732
Fixed: The Administration Service may return the "Members" or "Member Of" list
to the calling application, such as the ActiveRoles Server console or Web
Interface, even if the application does not have read access to the "member" or
"memberOf" attribute of the managed object. See also TF00064627 and TF00064718.
TF00025506
Fixed: When the connection to the ActiveRoles Server database is lost, the
Administration Service returns an "Unspecified error" message to the ActiveRoles
Server console when the console user attempts to refresh the contents of any
node located under Configuration in the console tree. In this scenario, the
Administration Service is expected to return an error message that clearly
describes the problem.
TF00025517
Fixed: In an environment where multiple instances of the Administration Service
are deployed, uninstalling an Administration Service instance may not properly
remove information about that instance from the ActiveRoles Server database. As
a result, when deploying a new instance of the Administration Service, the
Installation Wizard may erroneously identify the removed instance as if it were
active, and display the incorrect status information on the Database Summary
page.
TF00025535
Fixed: When importing the configuration data during the upgrade process, the
Administration Service may disregard the data stored in the
"Configuration/Server Configuration/Mail Configuration/Default Mail Settings"
object. As a result, the changes that were made to the properties of the
"Default Mail Settings" object are lost after the upgrade; the object reverts to
the default state.
TF00025540
Fixed: The "Default E-mail Alias" policy may cause the Administration Service to
generate an e-mail alias that contains unacceptable characters, such as a comma
character (,). As a result, when requested to create a mailbox-enabled user
account, the Administration Service may not create a mailbox for the newly
created user account as expected. This issue occurs if the alias is generated
based on a user property containing any characters that a valid alias cannot
contain.
TF00025581
Fixed: In an Exchange 2007 organization, the Administration Service performs the
Exchange tasks in the security context of the user account under which the
Administration Service is running (service account). To perform Exchange tasks
in a domain that belongs to an Exchange 2007 organization, the Administration
Service must be configured to access that domain with the service account rather
than an override account. This issue is addressed in version 6.5 by enabling the
use of an override account to perform Exchange tasks in an Exchange 2007
organization domain, with the exception of the "Move Mailbox" task.
TF00025722
Fixed: Under certain conditions when SQL Server replication is used to
synchronize ActiveRoles Server configuration data, the Administration Service
may cause a deadlock condition on SQL Server. In this case, the Administration
Service returns an error message of the following form: "Your transaction
(process ID {#number}) was deadlocked on {lock | communication buffer | thread}
resources with another process and has been chosen as the deadlock victim. Rerun
your transaction."
TF00026091
Fixed: The following issue may occur after an upgrade of the Administration
Service with the option to import the existing configuration data: Configuring
ActiveRoles Server replication causes duplicate objects to appear in the
"Configuration/Server Configuration/Administration Services" container.
TF00026387
Fixed: Policy information containing non-printable characters may cause an error
condition in the Administration Service. A symptom of
this issue is a record in the diagnostic log file (ds.log) similar to the
following: "(severity=Medium) System.InvalidOperationException: There was an
error generating the XML document. ---> System.ArgumentException: '',
hexadecimal value 0x07, is an invalid character."
TF00035313
Fixed: The Administration Service may disregard the manual line breaks when
saving the text of the certification agreement that is specified on the General
page of the Attestation Review Configuration panel, in the ActiveRoles Server
console. As a result, the manual line breaks (created by pressing ENTER or
SHIFT+ENTER) are removed from the text.
TF00035383
Fixed: The Administration Service may return an error in the following scenario:
You use the Add Managed AD LDS Instance wizard to register an AD LDS instance
with ActiveRoles Server and then perform the Refresh command on the
"Configuration/Server Configuration/Managed AD LDS Instances (ADAM)" container
in the ActiveRoles Server console while the instance registration is not
completed. The error message reads as follows: "Could not continue scan with
NOLOCK due to data movement."
TF00036090
Fixed: The Administration Service may not perform an access check as expected
when a client application requests a list of groups to which a particular
object, such as a user, belongs. As a result, the client application may receive
and list some groups that it does not have sufficient rights to access. For
example, the ActiveRoles Server console may list the groups on the "Member Of"
page for a user account even though the console user has permission to view only
User objects and is not permitted to view any groups.
TF00036324
Fixed: The Administration Service may not perform an access check as expected
when a client application requests a list of objects located in a particular
container or a list of members of a particular group. As a result, the client
application may receive and list some objects that it does not have sufficient
rights to access. For example, the ActiveRoles Server console may list AD LDS
proxy objects, and allow the console user to add them to an AD LDS group, even
though the console user is not permitted to view the AD LDS proxy object class.
TF00037400
Fixed: The Administration Service may return a misleading error message when you
add a Subscriber to ActiveRoles Server replication. This issue occurs if the SQL
Server version of the Publisher differs from the SQL Server version of the
database server that you want to make a Subscriber. The error message reads as
follows: "SET DEADLOCK_PRIORITY option 'high' is invalid."
TF00038455
Fixed: The Administration Service incorrectly evaluates the delegated rights of
the user account in the following scenario:
- Certain groups are configured so that a given user account is set as the
manager (primary owner) of those groups (the Managed By property on each group
is assigned the DN of the user account).
- The ActiveRoles Server security settings on the groups are configured using
the "Primary Owner (Managed By)" built-in account so that the group manager
(primary owner) is permitted to view and modify the groups (for example, the
"Self-Service - My Groups Management" Access Template is applied with the
"Primary Owner (Managed By)" built-in account specified as the Trustee).
In this scenario, ActiveRoles Server does not permit the group manager (primary
owner) to view the groups when performing a search request: The "My Groups"
section in ActiveRoles Self-Service Manager displays no groups.
TF00039292
Fixed: The Administration Service may not run a Group Family as expected when
you manually start the Group Family update from the ActiveRoles Server console
by using the Force Run command. As a result, it may fail to create the Group
Family controlled groups. This issue is most likely to occur in an environment
where multiple Administration Service instances use ActiveRoles Server
replication to synchronize configuration data.
TF00039293
Fixed: For an existing Group Family, the Administration Service may not allow
the "Run on this server" setting to be changed. A symptom of this issue is as
follows: When you open the Properties dialog box for a Group Family
configuration storage group, go to the Schedule tab and click Configure on that
tab, you encounter an empty list of servers in the "Run on this server" box on
the "Group Family Scheduling" page.
TF00039433
Fixed: When using ActiveRoles Self-Service Manager, you may encounter the
following issue: Information about the number of your Approval tasks and the end
dates for your ongoing Attestation Review tasks is not displayed on the
Self-Service Manager Home page as expected. The issue is due to inaccurate
configuration of the user access rights on the Administration Service side.
TF00039525
Fixed: When you remove and then re-add a Subscriber to ActiveRoles Server
replication, an error condition may occur in the Administration Service. An
indication of this issue is an error event with the following description in the
EDM Server event log:
"Critical error occurred upon start of ActiveRoles Server Administration
Service.
Details: Table '[dbo].[MHServices]' into which you are trying to insert, update,
or delete data is currently being upgraded or initialized for merge replication.
On the publisher data modifications are disallowed until the upgrade completes
and snapshot has successfully run. On subscriber data modifications are
disallowed until the upgrade completes or the initial snapshot has been
successfully applied and it has synchronized with the publisher.
The transaction ended in the trigger. The batch has been aborted."
TF00039534
Fixed: The Administration Service raises an error on initiating an operation
that requires approval if a script function for designating approvers returns a
Distinguished Name (DN) containing a backslash character (\).
TF00040250
Fixed: You may encounter an empty page with a message such as "There are no
items to show in this view" when navigating back and forth through the pages
that display historical results of Attestation Review. For example, this issue
may occur when you click "Previous Page" on page 3 and then click "Next Page" on
page 2 to return to page 3.
TF00046412
Fixed: When configuring a mail-enabled group in an Exchange 2007 organization,
the Administration Service may incorrectly generate the Display Name for that
group, removing space characters from the Display Name. For example, it may
assign the Display Name of GroupOne to a group whose pre-Windows 2000 name is
set to Group One. This issue occurs if no pre-Exchange 2007 servers exist in the
Exchange organization.
TF00048849
Fixed: Incorrect behavior of the deprovisioning policy option to hide
deprovisioned mailboxes from the Global Address List (GAL): In an Exchange
Server 2007 organization, this option may have no effect. Thus, when a mailbox
is deprovisioned by applying an Exchange Mailbox Deprovisioning policy with the
"Hide the mailbox from the global address list (GAL), to prevent access to the
mailbox" option selected, the mailbox may still be present in the GAL. The
problem occurs if the Recipient Update Service (RUS) is unavailable in the
Exchange organization.
TF00048952
Fixed: During the startup process, the Administration Service may not log an
error event as expected when the following condition is violated: "All the
Administration Services that use a common Configuration Database must also use a
common Management History Database."
TF00049018
Fixed: In an Exchange 2003 organization with Exchange resource forest topology,
the Administration Service may link a mailbox in the resource forest with a
master account in the account forest even though the mailbox user account in the
resource forest (shadow account) is not disabled for logon. The expected
behavior is as follows: When requested to link a particular account from the
account forest with a certain mailbox in the resource forest, the Administration
Service returns an error if the user account associated with the mailbox in the
resource forest is enabled.
TF00049019
Fixed: In an Exchange 2003 organization with Exchange resource forest topology,
the Administration Service may link different mailboxes in the resource forest
with the same master account in the account forest. The expected behavior is as
follows: When requested to link a particular account with a certain mailbox, the
Administration Service returns an error if the account is already linked with
another mailbox.
TF00049648
Fixed: When you use scripting in ActiveRoles Server to create a linked mailbox
on Exchange Server 2003 that is deployed in a resource forest topology, you may
encounter the following issue: If the user account to be associated with the
mailbox in the resource forest is not disabled, the Administration Service
completes the request without any error but the linked mailbox is not created.
In this scenario, the Administration Service is expected to return an
appropriate error message as a linked mailbox requires a disabled user account
in the resource forest.
TF00049650
Fixed: When you use scripting in ActiveRoles Server to create a linked mailbox
on Exchange Server 2007 that is deployed in a resource forest topology, you may
encounter the following issue: If the user account to be associated with the
mailbox in the resource forest is not disabled, the Administration Service
completes the request without any error but the linked mailbox is not created.
In this scenario, the Administration Service is expected to return an
appropriate error message as a linked mailbox requires a disabled user account
in the resource forest.
TF00049713
Fixed: When you add a Subscriber to ActiveRoles Server replication for
Management History data (for instance, by using the ActiveRoles Server console
to add a Subscriber to the Publisher located in the "Configuration/Server
Configuration/Management History Databases" container), an error condition may
occur in the Administration Service: "Error: -2147217900 Could not find stored
procedure 'GetReplJobId'."
TF00053446
Fixed: The Administration Service may not remove a deprovisioned user from a
group if the user is a temporal or pending member of that group. The "Scheduled
Operation Checker" task does not remove the deprovisioned user from the group as
expected in this scenario.
TF00053606
Fixed: The Administration Service may incorrectly process the membership rules
on a Managed Unit, which results in an incomplete list of the Managed Unit
members being returned to the client. A symptom of this issue is that the
console cannot resolve some of the objects and identifies them by GUID rather than
by name in the user interface for managing membership rules; the unresolved
objects are missing from the list of the Managed Unit members. This issue may
occur in a situation where certain objects are explicitly included in the
Managed Unit and then deleted from the directory by using a tool other than
ActiveRoles Server, provided that the deletion occurred while the Administration
Service was stopped.
TF00054201
Fixed: With a large volume of Management History data stored in the ActiveRoles
Server database (500,000+ records, about 8 GB), the Administration Service may
fail to configure its database server as the Publisher for ActiveRoles Server
replication. The Promote operation fails, with SQL Server returning the
following action message from the Snapshot Agent: "Timeout expired. The timeout
period elapsed prior to completion of the operation or the server is not
responding."
TF00054739
Fixed: The Administration Service may incorrectly process the temporal
membership settings when adding a temporal or pending member to a group. The
issue occurs if the member object is an Exchange Query-based Distribution Group
(QDG) or an Exchange Public Folder (PF). In this scenario, applying a Start Time
setting on a QDG and then on a PF within a single group may cause the
Administration Service not to show the QDG in the Members list for that group.
TF00055309; TF00054855
Fixed: When a client application such as the Web Interface retrieves change
requests that are waiting for approval, the response from the Administration
Service may include information about change requests that actually do not
require approval. Thus, the Administration Service may return information about
pending requests specific to temporal group membership changes even though those
requests are not subject to approval. As a result, the list of operations in the
Approval section of the Web Interface may contain irrelevant records.
TF00055370
Fixed: Incorrect behavior of the deprovisioning policy option to allow access to
deprovisioned mailboxes: The permissions assigned by that option are
insufficient to access the mailbox. Thus, when a mailbox is deprovisioned by
applying an Exchange Mailbox Deprovisioning policy with the option to grant the
user's manager access to the mailbox, the identity designated as the user's
manager is unable to connect to the mailbox because of insufficient access
rights.
TF00055555
Fixed: It may take longer than expected for the Administration Service to
complete a search in a Managed Unit containing a large number of objects. Thus,
a noticeable delay may occur when you open such a Managed Unit in the "Browse
for Container" dialog box invoked from the Find window in the ActiveRoles Server
console.
TF00055925; TF00057036
Fixed: The Administration Service may take longer than expected to build a list
of group members that contains both the direct members and the members that
belong to the group because of group nesting. The same issue occurs when the
Administration Service is requested to build a "member of" list containing
nested groups. As a result, a long delay may occur when you open the "Members"
or "Member Of" page in the ActiveRoles Server console or Web Interface.
TF00056310
Fixed: The Administration Service may fail to retrieve a multi-valued attribute
of an AD LDS object if the attribute contains more than 1,500 values. Thus, when
requested to retrieve the members of an AD LDS group, the Administration Service
may not return a list of the group members to the calling client application if
the group has more than 1,500 members.
TF00056351
Fixed: The Administration Service does not record information about the managed
AD LDS instances into the diagnostic log file (ds.log).
TF00056398
Fixed: When a user that holds the AR Server Admin role requests changes that are
subject to approval in accord with the approval rules configured in ActiveRoles
Server, the changes are submitted for approval. The expected behavior of the
Administration Service in this scenario is that the changes requested by an AR
Server Admin role holder are applied without requiring approval.
TF00056417
Fixed: On a 64-bit system, information about common components such as the
ActiveRoles Server ADSI Provider is missing from the <SystemInformation> -> <CommonComponents>
section in the Administration Service diagnostic log file (ds.log).
TF00056613
Fixed: The Administration Service may not provide Self-Service Manager with
information about the logged-on user as expected following the registration of
the user's home domain with ActiveRoles Server. A symptom of this issue is as
follows: When a user from a non-managed domain opens the Self-Service Manager
Home page, the page does not display the name of the user (which is an expected
behavior since the domain is not registered with ActiveRoles Server); then,
after the domain has been registered (so it is now a managed domain), refreshing
the Home page in the Web browser still does not cause the user name to appear on
the page.
TF00057086
Fixed: When a user or process running in the security context of the
Administration Service logon account (service account) requests changes that are
subject to approval in accord with the approval rules configured in ActiveRoles
Server, the changes are submitted for approval. Thus, the Administration Service
may not apply changes performed by a script-based policy until they are
approved. The expected behavior of the Administration Service in this scenario
is that the changes requested by the service account are applied without
requiring approval.
TF00057102
Fixed: When an Access Template (AT) or Policy Object (PO) is applied to the
"Active Directory" or "AD LDS (ADAM)" node in the ActiveRoles Server console
tree, the permission or policy settings defined by the AT or PO may have no
effect on the objects under that node. For example, if an Access Template is
applied to the "Active Directory" node, the permission settings defined by that
Access Template may not propagate to all the managed domains as expected.
TF00057124
Fixed: When verifying the uniqueness of an object name, the Administration
Service may not consider the difference between ANSI and Unicode characters in
the object name string. As a result, the Administration Service may treat
different names as identical, which causes an error condition upon the renaming
or creation of directory objects via ActiveRoles Server.
TF00057967
Fixed: It may take longer than expected for the Administration Service to
complete the operation of adding members to a group if the group has temporal
members (objects scheduled to be added or removed from the group). When adding
members to such a group, you may experience a noticeable delay as compared to
the same operation on a group that has no temporal members.
TF00057971
Fixed: It may take longer than expected for the Administration Service to
complete a search on an Organizational Unit (OU) if the OU has a number of
Access Templates and Policy Objects applied to it, and belongs to one or more
Managed Units in ActiveRoles Server.
TF00058588
Fixed: The Administration Service fails to start on a Windows Server 2008 R2
based system.
TF00058768
Fixed: The Administration Service may incorrectly process a request to disable a
mailbox feature such as IMAP4 or POP3 protocol. As a result, it may not properly
configure the corresponding protocol settings on the mailbox. A symptom of this
issue is that the affected mailbox feature can no longer be managed by standard
administrative tools, such as Active Directory Users and Computers.
TF00060109
Fixed: The Administration Service does not provide the ability to perform a
paged search for pending operations or tasks (such as operations awaiting
approval) using the method IEDM::ExecuteRequest. As a result, the Web Interface
may display incomplete information in the Approval section (see TF00060044).
TF00060380
Fixed: Selecting the "Configuration Databases" or "Management History Databases"
node in the ActiveRoles Server console tree may cause the Administration Service
to return the "Object not found" error. This issue occurs if the database used
by the Administration Service is located on a named instance of SQL Server.
TF00060937
Fixed: The Administration Service may provide incorrect domain status
information to the ActiveRoles Server console, which appears in the Status
column of the list of the Managed Domain objects in the "ActiveRoles
Server/Configuration/Server Configuration/Managed Domains" container. The
Administration Service is expected to update the domain status information on a
regular basis. However, it may fail to do this, which results in a wrong status
displayed on some of the managed domains. For example, a fully operational
domain may show up with the status of "Server is not operational" or "The
directory Service is unavailable" until the Administration Service is restarted.
This issue may occur after the Administration Service has selected a certain
domain controller to act as the DirSync server or Operational DC for the domain
in the situation where connection to the ActiveRoles Server database has been
lost.
TF00061591
Fixed: A request to change an attribute of Object(DN-Binary) syntax may cause an
error condition in the Administration Service, raising an error such as "One or
more values have incorrect format" or "A value for the attribute '%s' was not in
the acceptable range of values." A symptom of this issue is that deprovisioning
policies in ActiveRoles Server may not clear attributes of Object(DN-Binary)
syntax as expected. For example, if a user object has an attribute set to a
certain value with the Object(DN-Binary) syntax, then the Deprovision operation
on the user object leaves the attribute value unchanged even though the
deprovisioning rules are configured to clear that attribute.
TF00061698
Fixed: In an Exchange 2007 organization that is deployed in compatibility mode,
the Administration Service may refuse to perform the Move Mailbox operation on
Exchange Server 2003 when configured to use an override account to access the
managed domain. The Administration Service is expected to successfully move
mailboxes between Exchange Server 2003 mailbox stores regardless of whether the
service account or an override account is used to access the domain.
TF00062192
Fixed: The Administration Service may provide incorrect information to the Web
Interface regarding the total number of the operations that are waiting for
approval by the current Web Interface user. As a result, the Approval section in
the Web Interface lists no more than 100 approval tasks. Another symptom of this
issue is that the "Pending tasks" section on the Self-Service Manager Home page
may indicate an incorrect total number of approval tasks.
TF00062457
Fixed: Permission to view the contents of the "Server Configuration" or
"Management History Databases" container is missing from the "AR Server Security
- Configuration Objects" Access Template. As a result, the authenticated users
are not shown the "Management History Databases and Replication" section on the
root page in the ActiveRoles Server console by default, nor can they use the "Go
to Configuration Databases" or "Go to Management History Databases" link on that
page.
TF00062492
Fixed: When a user account is deprovisioned and then restored
(un-deprovisioned), property values containing non-printable characters may not
be properly restored in the user account. For example, if a property value of a
user account contains a carriage return and the deprovisioning rules are
configured to clear the property value, then un-deprovisioning the user account
does not restore the carriage return in the property value.
TF00062598
Fixed: The "Allow | Read objectClass | User" permission entry is missing from
the "Self-Service - My Account Management" Access Template. This may cause
incorrect behavior of the My Account pages in ActiveRoles Self-Service Manager
since self-service users do not have sufficient access rights to the object
class information in their own accounts.
TF00063121
Fixed: In a Microsoft Exchange Server 2007 environment, the Administration
Service may not perform the "Establish an e-mail address" task on a group as
expected: The task is completed without errors but some Exchange attributes,
such as the e-mail address and the display name, are not set on the group. This
issue occurs in environments where Exchange Server 2007 coexists with Exchange
Server 2003 or Exchange 2000 Server, and any Exchange server policies are in
effect on servers running Exchange Server 2003 or Exchange 2000 Server.
TF00064391
Fixed: A typo in the LDAP display name of a virtual attribute that controls
whether the manager (primary owner) of a group is allowed to add or remove
members from the group: edsaManagerCanUpdateMemebershipList instead of
edsaManagerCanUpdateMembershipList.
TF00064517
Fixed: After a connection to the ActiveRoles Server database has been lost and
then restored, the Administration Service may not run scheduled tasks as
expected.
TF00064627
Fixed: When processing a request to perform an ASQ search (for example, a
request to list the members of a group), the Administration Service builds the
search results in the security context of the service account instead of using
the security context of the client that requested the search. This causes the
following issue: The search results returned to the client may contain the
objects that the client is not permitted to access. For example, the list of
members of a group in the ActiveRoles Server console may contain the objects
that the console user does not have permission to view.
TF00064718
Fixed: When processing a request to perform an ASQ search (for example, a
request to list the groups that a particular user is a member of), the
Administration Service builds the search results in the security context of the
service account instead of using the security context of the client that
requested the search. This causes the following issue: The search results
returned to the client may contain the object attributes to which the client
does not have read access. For example, the "Member Of" list for a user account
in the ActiveRoles Server console may display the temporal membership settings
such as "Start Time" and "End Time" even though the console user does not have
read access to the attributes that store the start time or end time membership
information on the groups.
TF00064729
Fixed: The permission settings or policy rules on a Managed Unit may have no
effect if the Managed Unit is created by copying another Managed Unit. Suppose,
for example, you create Managed Unit MU2 by using the Copy command on Managed
Unit MU1 that explicitly includes Organizational Unit OU1. Since the command
copies the membership rules, MU2 includes OU1. Then, you apply an Access
Template or Policy Object to MU2. In this scenario, OU1 does not inherit the
permission settings or policy rules defined by the Access Template or Policy
Object on MU2.
TF00065632
Fixed: When retrieving schema information from the managed Active Directory
domains, the Administration Service may not consider the possibleInferiors and
possSuperiors attributes of schema objects. As a result, those attributes are
missing from the ActiveRoles Server schema storage, which may prevent certain
solutions from properly operating on top of ActiveRoles Server.
TF00067857
Fixed: The Administration Service may not perform an access check as expected
when a client application requests a list of members of a particular Managed
Unit. As a result, the client application may receive and list some objects that
it does not have sufficient rights to access. For example, when a Managed Unit
is selected in the ActiveRoles Server console tree, the details pane may list
all objects that belong to the Managed Unit even though the console user has
permission to view only some of those objects and is not permitted to view the
others.
TF00067948
Fixed: The "Allow | Reset Password | User" permission entry is missing from the
"Users - Perform Undo Deprovision Tasks" Access Template. As a result, the
delegated administrator whose access rights are configured using that Access
Template is unable to un-deprovision user accounts with the option to reset the
password of the un-deprovisioned account.
TF00068411
Fixed: The Administration Service may incorrectly handle the Range-Upper or
Range-Lower attribute on an attribute-schema object. For example, setting a
particular attribute may cause an error condition in the Administration Service
if Range-Upper has the value of -1 while Range-Lower has the value of 0 for that
attribute in the corresponding attribute-schema object. The error message in
this case reads as follows: "A value for the attribute was not in the acceptable
range of values."
TF00070998
Fixed: When you change the group memberships of an object (for instance, add a
user to a group by using the "Member Of" page in the ActiveRoles Server
console), the Administration Service may not promptly update the display of the
object's group memberships on the client side. As a result, although the object
is actually added to the group, you may experience a noticeable delay before the
group appears in the list on the "Member Of" page for that object. The problem
may occur if the domain controller on which to make the changes (Operational DC)
is explicitly specified by the client.
TF00078101
Fixed: The "Allow | Read edsva-ScheduledLink-StartTime | All Classes" and "Allow
| Read edsva-ScheduledLink-EndTime | All Classes" permission entries are missing
from the "Groups - Add/Remove Members" Access Template. This causes the
following issue: If you have used that Access Template to delegate the task of
adding or removing members from groups, the delegated user is shown temporal or
pending members as if they were regular members. The client such as the
ActiveRoles Server console or Web Interface is unable to tell the temporal or
pending members from the regular members because the client user does not have
read access to the attributes that store the temporal membership settings.
TF00081311
Fixed: In certain conditions, the Administration Service may treat DN strings as
if they were case-sensitive. As a result, you may encounter an error in a
situation where a particular user is a member of a certain group and you attempt
to add that user to that group again via the ActiveRoles Server ADSI Provider or
ActiveRoles Management Shell. This issue may occur, for example, if the DN
string that specifies the Distinguished Name of the user to add contains the ou=
clause (ou in lowercase) instead of OU= (OU in uppercase).
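Added example (not ActiveRoles Server code) of the comparison this fix implies: a duplicate-member check that treats DN strings case-insensitively, so ou= and OU= name the same object. The helper names and sample DNs are constructed for illustration; multi-valued RDNs (joined with +) are not handled.

```python
def split_rdns(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape pair together so an escaped comma does not split.
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn):
    """Return a comparison key: a tuple of (attribute type, value), case-folded."""
    key = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        attr = attr.strip()
        if not sep or not attr:
            raise ValueError("not a valid RDN: %r" % rdn)
        # Both the attribute type (OU vs ou) and the value are folded,
        # so the key is independent of letter case.
        key.append((attr.casefold(), value.casefold()))
    return tuple(key)


def dn_equal(a, b):
    """True when two DN strings name the same object, ignoring letter case."""
    return normalize_dn(a) == normalize_dn(b)


def add_member(members, new_dn):
    """Append new_dn unless an equivalent DN is already listed.

    Returns True if the DN was added, False if it was already a member.
    """
    key = normalize_dn(new_dn)
    if any(normalize_dn(m) == key for m in members):
        return False
    members.append(new_dn)
    return True


if __name__ == "__main__":
    # Constructed sample data.
    group = ["CN=John Smith,OU=Sales,DC=example,DC=com"]
    print(add_member(group, "cn=John Smith,ou=Sales,dc=example,dc=com"))
    print(add_member(group, "CN=Smith\\, John,OU=Sales,DC=example,DC=com"))
    print(group)
```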
TF00090247
Fixed: Permission to select or clear the "User must change password at next
logon" option (permission entry "Allow | Write User Must Change Password At Next
Logon | User") is missing from the "Users - Help Desk" Access Template. As a
result, the delegated administrators whose rights are specified by using the
"Users - Help Desk" Access Template cannot change that option.
TF00090669
Fixed: The Administration Service may incorrectly handle an
attribute of the Object(OR-Name) syntax. For example, setting the
ms-Exch-Auth-Orig (authOrig) attribute via the ActiveRoles Server ADSI Provider
may cause an error condition. As a result, you may encounter an error when using
the Web Interface to change the delivery restrictions settings for an Exchange
recipient.
TF00090853
Enhancement: Performance degradation may occur in ActiveRoles Server due to
processing of directory synchronization (DirSync) requests. To address this
issue, ActiveRoles Server now provides the ability to configure the
Administration Service so that the DirSync requests on certain object classes
are discarded.
To adjust the processing of the DirSync requests, use the ActiveRoles Server
console in Raw view mode as follows:
1. In the Configuration/Application Configuration/Services container, create
an object of the EDS-Application-Settings-Container object class with the object
name of ActiveRoles Server. You can do this using the All Tasks | Advanced
Create command.
2. In the Configuration/Application Configuration/Services/ActiveRoles Server
container, create an object of the EDS-Application-Setting object class with the
object name of DirSync Options. You can do this using the All Tasks | Advanced
Create command.
3. On the DirSync Options object, set the edsaExtensionAttribute1 attribute to
the value of dnsNode;nTDSSiteSettings. You can do this using the All Tasks |
Advanced Properties command.
As a result of these steps, the Administration Service will discard the DirSync
requests specific to the dnsNode and nTDSSiteSettings object classes, which
increases overall performance of the Administration Service while keeping all
functions of ActiveRoles Server intact.
TF00090854
Fixed: The Administration Service does not support the approval or attestation
related notification messages in plain text format. Only HTML format is
supported. As a result, an e-mail client that recognizes only plain text format
may incorrectly display notification messages received from ActiveRoles Server.
TF00096198
Fixed: ActiveRoles Server replication may fail to synchronize changes to
configuration data between Administration Service instances. The changes made on
one Administration Service (for example, linking an Access Template or Policy
Object to an Organizational Unit) may not be propagated properly to another one.
The issue is encountered in an environment where multiple Administration Service
instances use the same Publisher database server.
TF00097553
Fixed: The Administration Service may encounter an error when processing a
request to change mailbox features such as the IMAP4 or POP3 protocol settings.
The client that submitted the request receives the following error message:
"Administrative Policy returned an error. Index was outside the bounds of the
array."
TF00098109
Fixed: When an Access Template (AT) or Policy Object (PO) is applied to a
Managed Unit (MU), the permission or policy settings defined by the AT or PO may
have no effect on the objects held in that MU. For example, the permission
settings may not propagate to an Organizational Unit (OU) included in the MU so
the Access Template applied to the MU does not affect the objects held in that
OU as expected. This issue is most likely to occur after a restart of the
ActiveRoles Server Administration Service.
TF00100164
Fixed: The "Use FIPS compliant algorithms for encryption, hashing and signing"
Group Policy setting causes the Administration Service to fail upon startup,
with the following error being reported in the event log: "This implementation
is not part of the Windows Platform FIPS validated cryptographic algorithms."
TF00101859
Fixed: Under certain conditions, the Administration Service may encounter an
error during the process of building the ActiveRoles Server consolidated schema.
As a result, the Administration Service fails to start. This issue is most
likely to occur when a large number of changes to directory data take place in
Active Directory concurrently with the Administration Service startup process.
TF00102321
Fixed: The Administration Service may incorrectly process a property generation
and validation policy containing a single policy rule that controls the value of
a certain attribute based on the value of the Name (cn) attribute. It executes
such a policy upon any change request, regardless of which attributes are
requested to be changed. As a result, the Administration Service may change the
attribute controlled by the policy in question even if no changes to that
attribute are requested.
TF00102332
Fixed: When configuring an Exchange recipient, the Administration Service does
not verify that the recipient's e-mail alias meets the following requirement:
"E-mail alias cannot contain space characters or any of the following
characters:
@ ( ) \ : ; " , [ ] < >
An alias may contain one or more periods (.), but each period should be preceded
and followed by at least one of the other characters."
Additionally, it does not check whether the recipient's display name contains
space characters at the beginning or at the end of the name.
ActiveRoles Server now has a built-in policy that validates the e-mail alias and
display name, and rejects the requests to set an alias or display name that does
not meet the above requirements.
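The alias and display-name rules quoted above, written out as a checker. This is an added example, not the built-in ActiveRoles Server policy; the function names are hypothetical, the sample values are constructed, and only the space character (U+0020) is treated as a space.

```python
# Characters the release note lists as not allowed in an e-mail alias:
# @ ( ) \ : ; " , [ ] < >
FORBIDDEN_ALIAS_CHARS = frozenset('@()\\:;",[]<>')


def alias_violations(alias):
    """Return the list of rule violations for an e-mail alias ([] = acceptable)."""
    violations = []
    if " " in alias:
        violations.append("contains a space character")
    bad = sorted(set(alias) & FORBIDDEN_ALIAS_CHARS)
    if bad:
        violations.append("contains forbidden character(s): " + " ".join(bad))
    # Each period must have a non-period character directly before and after
    # it, which rules out a leading period, a trailing period, and "..".
    for i, ch in enumerate(alias):
        if ch != ".":
            continue
        before = alias[i - 1] if i > 0 else None
        after = alias[i + 1] if i + 1 < len(alias) else None
        if before in (None, ".") or after in (None, "."):
            violations.append(
                "period at position %d is not surrounded by other characters" % i
            )
            break
    return violations


def display_name_violations(name):
    """Return violations for a display name: no leading or trailing space."""
    violations = []
    if name.startswith(" "):
        violations.append("begins with a space character")
    if name.endswith(" "):
        violations.append("ends with a space character")
    return violations


def validate_request(attributes):
    """Check a change request given as {attribute name: new value}.

    Returns {attribute name: [violations]} for the attributes that fail;
    an empty dict means the request would be accepted by these rules.
    """
    checks = {
        "mailNickname": alias_violations,
        "displayName": display_name_violations,
    }
    rejected = {}
    for attr, check in checks.items():
        if attr in attributes:
            found = check(attributes[attr])
            if found:
                rejected[attr] = found
    return rejected


if __name__ == "__main__":
    # Constructed sample requests.
    for request in (
        {"mailNickname": "john.smith", "displayName": "John Smith"},
        {"mailNickname": "Sales Team", "displayName": "Sales Team "},
        {"mailNickname": "j..smith@corp", "displayName": " J. Smith"},
    ):
        print(request, "->", validate_request(request) or "accepted")
```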
TF00103094
Fixed: If a managed AD LDS instance requires the use of a Secure Sockets Layer
(SSL) connection, the Administration Service may fail to connect to that
instance, returning an error message that states that the instance does not
exist or cannot be contacted. This issue occurs even though the appropriate SSL
usage option is selected in the properties of the object that represents the
managed AD LDS instance in ActiveRoles Server.
TF00103103
Fixed: The Administration Service may fail to configure the groups controlled by
Group Family because of a policy violation condition caused by the Alias
(mailNickName) attribute value although the groups are not mail-enabled. For
example, this issue occurs if the naming rule for the controlled groups adds a
space character to the group name and a policy is in effect that disallows space
characters in the Alias values.
TF00104535
Fixed: The Administration Service reports an inappropriate error event in the
EDM Server event log in the following scenario:
- The Administration Service is configured to store the Management History data
in a database that is separate from the Configuration database.
- The Administration Service has lost connection to the SQL Server instance
that hosts the Management History database.
In this scenario, the Administration Service reports an error event indicating a
connection failure to the Configuration rather than Management History database
as expected.
TF00104549
Fixed: The Administration Service may fail to start, returning a "Class not
registered" error. This issue occurs if SQL Server 2008 Native Client rather
than SQL Server 2005 Native Client is installed on the Administration Service
computer.
TF00104552
Fixed: The "Configuration/Server Configuration/Scheduled Tasks/Builtin"
container is not marked as a system object in the ActiveRoles Server schema. As
a result, the Administration Service does not prevent the properties of that
container from being changed via the ActiveRoles Server console or by using a
script.
TF00104553
Fixed: In a situation where a newly created object matches the membership rules
of a particular Managed Unit, and thus becomes a member of that Managed Unit,
the Policy Objects that are applied to the Managed Unit may not affect the
object as expected. This issue occurs if the new object is created by copying an
existing object.
TF00104556
Fixed: When consolidating display specifiers during the startup process, the
Administration Service may log an unnecessary warning event stating that an
object such as CN=409,CN=Display Specifiers by ActiveRoles Server (Custom),CN=Application
Configuration,CN=Configuration cannot be found. Since the "Display Specifiers by
ActiveRoles Server (Custom)" container is normally empty, a notification of that
fact should not appear in the EDM Server event log.
TF00104557
Fixed: The Administration Service may take longer than expected to generate the
change history results that include information about numerous changes to a
single multi-valued attribute, such as the Members attribute of a group. For
example, when you add a large number of members (5000+) to a particular group
and then use the "Change History" command on that group in the ActiveRoles
Server console or Web Interface, you may experience a long delay before the
change history results are displayed.
TF00104568
Fixed: When configured to use a separate Management History database, the
Administration Service may provide the ActiveRoles Server console with incorrect
information about the current ActiveRoles Server replication topology. As a
result, the console may display duplicate list items in the "Configuration
Databases and Replication" or "Management History Databases and Replication"
section on the console root page.
TF00104576
Fixed: When performing a search request, the Administration Service may return
an incorrect value of the edsvaUserMustChangePasswordAtNextLogon attribute. This
issue occurs if the search request is configured so that it does not retrieve
the pwdLastSet attribute.
TF00105275
Fixed: The Administration Service may allow AD LDS groups to be added to the
scope of Attestation Review. Since the Attestation Review process is not
applicable to AD LDS groups, the expected behavior is that the Administration
Service raises an error when explicit addition of AD LDS groups to Attestation
Review is requested, and filters out the AD LDS groups that might occur in the
Attestation Review scope because of a particular configuration of membership
rules (for example, through a rule that causes the Attestation Review scope to
include an entire Managed Unit which holds both AD DS and AD LDS groups).
TF00105277
Fixed: The Administration Service may lose information about some of the
existing Policy Object links or Access Template links after the following
sequence of steps: You configure the Administration Service's database server to
be a Subscriber for ActiveRoles Server replication, remove it from replication,
and then again configure it to be a Subscriber.
TF00105280
Fixed: When a copy of the "Built-in Policy - Default Rules to Generate
Properties" Policy Object is applied instead of the original Policy Object, the
Administration Service may incorrectly generate the e-mail alias for groups. This
issue occurs if new property generation policies have been added to the copy of
that Policy Object. A symptom of this issue is that the Administration Service
does not remove the leading or trailing space characters from the generated
alias as expected.
TF00105287
Fixed: The Administration Service may attempt to configure a linked mailbox
without checking for prerequisites such as whether the account to be associated
with the mailbox is disabled or whether the account to be specified as the
master account is not linked with another mailbox.
TF00105298
Fixed: The Administration Service may take longer than expected to perform a
search by a custom stored virtual attribute if a NOT logical operator (!) is
used in the LDAP search filter, such as (&(name=user*)(!(edsvaDeprovisionStatus=*))).
TF00105360
Fixed: ActiveRoles Server replication may not synchronize license information
between multiple instances of the Administration Service. For example, when you
update the ActiveRoles Server license by using the ActiveRoles Server console
connected to a particular Administration Service instance, the new license may
not be propagated to the other Administration Service instances as expected.
TF00105723
Fixed: The Administration Service may fail to perform the "Establish E-mail
Address" task on a user or group in a particular managed domain whose parent
domain is registered with ActiveRoles Server so that an override account is used
to access the parent domain and the override account does not have sufficient
rights to perform Exchange tasks. This issue occurs despite the fact that the
account with which the Administration Service accesses the child domain has all
the necessary permissions to perform any Exchange tasks.
TF00105725
Fixed: The Administration Service may incorrectly process a request to add a
membership rule for a newly created group. The group is converted to Dynamic
Group but the membership list of the group remains unchanged and the membership
rule has no effect until the Administration Service is forced to rebuild the
group, whether by a rebuild request from the ActiveRoles Server console or by
the "Dynamic Group Updater" scheduled task.
TF00105746
Fixed: The Administration Service may fail to perform an ASQ search with an LDAP
search filter that includes a condition imposed on a custom stored virtual
attribute. For example, the following search command causes the Administration
Service to stop unexpectedly: "<EDMS://" + strDN + "//EDS_SEARCHPREF_ATTRIBUTE_QUERY=member>;(edsvaDeprovisionStatus=*);distinguishedName,AdsPath;base"
TF00106148
Fixed: The Administration Service may incorrectly look up a user account by SID,
returning an AD LDS proxy object instead of the user account with which the
proxy object is linked (master account). This issue occurs with proxy objects of
a custom object class inherited from the userProxy object class. A symptom of
this issue is that the My Account page in ActiveRoles Self-Service Manager
displays the proxy object rather than the corresponding master account.
TF00106155
Fixed: When creating a user account with a mailbox on Exchange 2007, the
Administration Service may fail to set certain Exchange attributes on the user
account. A symptom of this issue is that a Property Generation and Validation
policy rule does not set Exchange attributes as expected upon user mailbox
creation.
TF00106279
Fixed: The Administration Service may fail to perform a search within an AD LDS
container if the LDAP filter of the search imposes conditions on a custom stored
virtual attribute. For example, if the ActiveRoles Server schema is extended by
adding a custom stored virtual attribute named edsvaADAM for the Proxy Object (userProxy)
object class, the Administration Service returns no search results when
searching with the LDAP search filter of (edsvaADAM=*) even though the search
scope contains AD LDS proxy objects that have the edsvaADAM attribute set.
TF00106282
Fixed: The Administration Service may not apply an Approval Rule if a condition
that evaluates the sAMAccountName property is specified in the Filtering part of
the Approval Rule configuration. For example, this issue affects an Approval
Rule that is expected to request approval when any user changes the membership
of a group if the pre-Windows name (sAMAccountName) of the group equals a
certain value. The Administration Service makes changes to the membership of
that group immediately, without submitting them for approval. With the same
filtering condition imposed on the name (cn) of the group, the Administration
Service executes the Approval Rule as expected.
TF00106289
Fixed: The Administration Service may not run the onPreRename or onPostRename
function in a policy script as expected during an object rename operation.
TF00107225
Fixed: With the default ActiveRoles Server security configuration, the user who
is set as the primary owner (manager) or a secondary owner of certain groups
does not have sufficient rights to view the groups he owns: The list of groups
is empty in the My Groups section of ActiveRoles Self-Service Manager.
TF00021833
Fixed: Incorrect layout with a long horizontal scroll bar may occur in the
"Change History" or "User Activity" window if the data displayed in the window
contains a long string value without space characters, such as a security
descriptor property value.
TF00025396
Fixed: In certain rare conditions, the ActiveRoles Server console may return an
error when adding members to a group: "An item with the same key has already
been added." This issue occurs, for example, when you attempt to apply illegal
changes to the group membership (for example, add an object from an external
domain to a global group), receive an error as expected, correct the list of the
objects to add to the group, and then attempt to apply the changes again.
TF00038587
Fixed: In certain rare conditions, the Attestation Review Configuration panel may
display an incorrect information message after you have clicked the button to
stop the running Attestation Review instance: "Please wait while Attestation
Review gets started." This issue may occur in an environment where ActiveRoles
Server replication is used to synchronize configuration data between multiple
instances of the Administration Service while each Administration Service uses
its own, separate database to store the management history data.
TF00049015
Fixed: The Select Objects dialog may fail to find objects that match a search
string containing an asterisk wildcard character, such as '*admin'. The issue
occurs when you use the Select Objects dialog box invoked from the Member Of
page for an object in order to select a group to add the object to.
TF00053417
Fixed: The ActiveRoles Server console uses the pwdLastSet attribute to set the
option "User must change password at next logon" whereas the Web Interface uses
the attribute edsvaUserMustChangePasswordAtNextLogon for that purpose. This
causes inconsistencies when there is a policy in effect that controls the state
of the "User must change password at next logon" option in ActiveRoles Server.
Both the console and Web Interface are expected to use the
edsvaUserMustChangePasswordAtNextLogon attribute.
TF00053518
Fixed: Incorrect behavior of the Deprovision/Undo Deprovisioning menu item on a
selection of multiple objects in the ActiveRoles Server console: After you have
applied the Deprovision command, the Deprovision item may remain on the menu
instead of changing to Undo Deprovisioning.
TF00053567
Fixed: The ActiveRoles Server console may take longer than expected (10+
minutes) to open the "Attestation Review Configuration" panel when you use the
Properties command on an existing Attestation Review configuration. This issue
is most likely to occur with an Attestation Review configuration that specifies
a large number of groups to review (5,000+ groups).
TF00055559
Fixed: When configuring Workflow or Attestation Review notification settings in
the ActiveRoles Server console, you may encounter the following issue: The
notification settings you specified for a particular event are not preserved as
expected when you select a different event and then return to the event for
which the settings were specified. The "Notification Settings" dialog box is
expected not to lose the user-entered data when the user changes the event
selection without closing the dialog box.
TF00055599
Fixed: In the "Select Operation Target Object Type" dialog box, which is part of
the user interface for configuring approval rules in the ActiveRoles Server
console, double-clicking a list item does not select the corresponding object
type as expected.
TF00055629
Fixed: Incorrect behavior of the Options dialog box in the text editor that is
used to view or change Workflow or Attestation Review notification messages in
the ActiveRoles Server console: Clicking the Default button in that dialog box
has no effect.
TF00055689
Fixed: The user interface for configuring the "Home Folder Location Restriction"
policy in the ActiveRoles Server console makes it possible to specify a folder
path that does not conform to the UNC syntax (\\server\share\folder). To address
this issue, the console now verifies the path string you have specified, and
does not allow you to enter a folder path with invalid syntax.
TF00056378
Fixed: An error condition may occur in the ActiveRoles Server console when you
specify notification recipients in an Approval Rule or Attestation Review
configuration. If you select the name of a recipient in the Message Recipients
dialog box, the recipient is not added to the configuration settings as
expected. The console fails to resolve the recipient's e-mail address.
TF00056382
Fixed: Consider the following scenario. You use the ActiveRoles Server console
to add objects to a group. You open the Members tab in the Properties dialog box
for that group and add objects to the Members list. Then, when you click Apply,
an error occurs because some of the objects you have added to the list cannot be
added to the group for whatever reason. To resolve the problem, you correct the
Members list so that it now contains only the objects that can be added to the
group. In this scenario, after the list has been corrected, clicking Apply or OK
may cause an error: "An item with the same key has already been added."
TF00056453
Fixed: When configuring notification settings for an Approval Rule or
Attestation Review, you may encounter an error upon an attempt to specify a
notification recipient. Clicking the button next to the "Mail addresses" field
may cause an error: "Attempted to read or write protected memory. This is often
an indication that other memory is corrupt." The problem occurs if no e-mail
client application, such as Microsoft Outlook or Outlook Express, is properly
set up on the computer running the console.
TF00056545
Fixed: If a domain local group includes a member from an external forest,
double-clicking that member on the Members page for the group in the ActiveRoles
Server console may cause an error instead of opening the Properties dialog box
for the corresponding foreign security principal object: "Object properties
cannot be displayed. The object you have selected belongs to a domain that is
not registered with ActiveRoles Server as a managed domain." The issue occurs
when the member in question belongs to a non-managed domain.
TF00056582
Fixed: Setting the "End date" option on a large selection of temporal group
members (1000+) in the ActiveRoles Server console may cause the console to close
unexpectedly. This issue is most likely to occur if two or more instances of the
console are open on the same computer.
TF00056653
Fixed: In the ActiveRoles Server console, the Check Policy menu item is missing
from the menu on a user object if that object was deprovisioned and then
restored by using the Undo Deprovisioning command.
TF00056897
Fixed: The ActiveRoles Server Group Policy Object Editor may not start,
returning an "Unspecified error" message. The problem occurs when you select the
Edit command on a Group Policy Object under the Group Policy node in the
ActiveRoles Server console tree.
TF00056921
Fixed: When no domains are registered with ActiveRoles Server, the console root
page prompts to register a domain even though the console user does not have
sufficient rights to do that.
TF00057775
Fixed: When adding a temporal member to a group, the "Add to a group" command
may not function as expected in the ActiveRoles Server console: If you use that
command on an object (such as a user account), selecting a group along with a
schedule for the object to be added or removed from the group, the console may
not add the object to the Members list of the group you have selected.
TF00057954
Fixed: Incorrect behavior of the user interface for configuring query-based
membership rules on a Managed Unit or Dynamic Group in the ActiveRoles Server
console: When you configure a rule to use the "Bitwise AND" condition, save and
then reopen the rule for editing, it may appear that the rule has "Bitwise AND"
replaced by the "Bitwise OR" condition.
TF00058432
Fixed: On a non-empty container that is protected by the "Container Deletion
Prevention" policy, the Delete command in the ActiveRoles Server console may not
display a message informing you that the container cannot be deleted because it
has child objects. The Delete command on such a container simply has no effect.
TF00058592
Fixed: The ActiveRoles Server console may fail to start, returning the following
error message: "There is no email program associated to perform the requested
action. Please install an email program or, if one is already installed, create
an association in the Default Programs control panel." This issue occurs if an
Extended MAPI client is not present or configured on the computer on which the
ActiveRoles Server console is installed.
TF00061195
Fixed: The following sequence of actions may cause an error in the Advanced
Create wizard, in the ActiveRoles Server console: Select a certain object class
(such as User) on the first page and click Next; then, click Back on the second
page to return to the first page, select a different object class (such as
Group), and then click Next.
TF00061488
Fixed: Incorrect behavior of the Exchange Task wizard in the ActiveRoles Server
console: While the requested operation is in progress, the Next button is
available on the wizard page, which enables you to close the wizard before the
console has completed the operation. If you do so, you cannot see the operation
results. The Next button is expected to be unavailable (grayed out) until the
operation is complete.
TF00061566
Fixed: The Select Objects dialog may fail to find objects that match a search
string containing an asterisk wildcard character, such as 'admin*'. The issue
occurs when you select an object to add to a domain local group provided that
the domain of the object is external to the forest in which the group resides.
TF00062713
Fixed: The ActiveRoles Server console fails to create a group if the name of the
group contains an "at sign" character (@).
TF00066403
Fixed: The ActiveRoles Server console may fail to display an icon denoting an
object class if the color depth of the icon is higher than 8-bit.
TF00091033
Fixed: The ActiveRoles Server console may take longer than expected to start. A
noticeable delay may occur during the "Loading schema" phase, due to rebuilding
local files containing schema data even though the files are up-to-date and do
not need to be rebuilt.
TF00102251
Fixed: In the Add Permission Entries wizard, duplicate list items occur in the
list of the extended rights that is displayed when you select the "Object
access" option. For example, the "View Change History" item is listed two times.
TF00102254
Fixed: When copying a user account, the ActiveRoles Server console may not copy
the state of the "User cannot change password" option. For example, when copying
an account that has the "User cannot change password" option selected, the
console may create an account with that option cleared.
TF00102972
Fixed: With the advanced details pane turned on in the ActiveRoles Server
console, the toolbar buttons that are specific to the "AR Server Security" or
"AR Server Policy" tab may appear on the toolbar when the tab is not selected.
In this case, clicking the button has no effect. The expected behavior is that
the buttons are hidden unless the corresponding tab is selected in the advanced
details pane.
TF00102973
Fixed: A typo (missing space character) in the dialog box that displays the
progress of the Delete operation when multiple objects are selected for
deletion.
TF00102986
Fixed: In the New Object - User wizard, the access keys (keyboard shortcuts) are
not assigned to the controls on the page for configuring the mailbox settings.
TF00103002
Fixed: The access keys (keyboard shortcuts) are not assigned to the
"Deprovision" and "Undo Deprovisioning" menu items in the ActiveRoles Server
console.
TF00103005
Fixed: Incorrect behavior of the Select Objects dialog invoked from the Delivery
Restrictions page in the ActiveRoles Server console: When adding users or groups
to the "Accept messages | Only from" list for a mailbox-enabled user, you cannot
select a query-based distribution group in the Select Objects dialog box. The
dialog box does not list query-based distribution groups and it fails to find
such groups by name.
TF00104465
Fixed: With the ActiveRoles Server console, the scope of Attestation Review can
be configured to include a Managed Unit that contains both AD groups and AD LDS
groups. In this situation, although the AD LDS groups do not participate in
Attestation Review, the console displays them along with the AD groups in the
list of the groups that are subject to Attestation Review. The console is
expected to filter out the AD LDS groups from that list.
TF00104470
Fixed: Incorrect behavior of the Members page in the ActiveRoles Server console
when you add an object to the Members list and then make that object a temporal
member by using the "Temporal Membership Settings" dialog box to specify the
date on which the object is to be removed from the group. As a result, the
object may disappear from the Members list after you click Apply on the Members
page.
TF00105136
Fixed: Incorrect behavior of the "Member Of" page in the ActiveRoles Server
console in a situation where the console user does not have sufficient rights to
add or remove members from a particular group: The console user can add that
group to the list on the "Member Of" page, and then cannot remove it from the
list as the Remove button is unavailable. This issue is addressed as follows:
Before adding a group to the "Member Of" list, the console now checks to see if
the console user is authorized to add members to that group. If the user is not
authorized to add members, the console displays an appropriate information
message and does not add the group to the list.
TF00105139
Fixed: The ActiveRoles Server console may incorrectly process the
EDS_EPI_UI_AUTO_GENERATED setting specified by using a script policy: Setting
EDS_EPI_UI_AUTO_GENERATED to 'False' has no effect; the console behaves as if
EDS_EPI_UI_AUTO_GENERATED were set to 'True'.
TF00105155
Fixed: Under certain rare conditions, the ALT+S shortcut key may have no effect
in the ActiveRoles Server console script editor. When you make changes to the
script held in a particular Script Module, pressing ALT+S is expected to save
your changes in the corresponding Script Module object.
TF00105656
Fixed: When you use the Add Managed Domain wizard in the ActiveRoles Server
console, you may encounter the following issue: The wizard incorrectly processes
the override account information if the user name of the account is specified in
the User Principal Name (UPN) format (such as user_name@domain.com) on the
"ActiveRoles Server Credentials" page. A symptom of this issue is that the UPN
of the account appears in the Domain field in the Properties dialog box for the
newly created managed domain object, whereas the "User name" field is empty.
TF00105659
Fixed: When you use the "Member Of" page for a particular object in the
ActiveRoles Server console to make the object a temporal or pending member of a
certain group, you may encounter an error such as "The specified account does
not exist." This issue occurs if the group is from an Active Directory forest
that is external to the forest in which the object resides.
TF00106108
Fixed: The ActiveRoles Server console script editor may not properly handle a
SHIFT+<character> key combination. For example, it may enter '3' instead of '#'
when you press SHIFT+'3'. This issue occurs when you start editing a script
module that is not open for edit. For example, if you press SHIFT+'3' and then click
'Yes' to confirm that you want to edit the script module, the script editor
enters '3' instead of '#' in the script text.
TF00106141
Fixed: If a Property Generation and Validation policy rule is in effect that
restricts the length of a certain property (for example, requires that a
pre-Windows 2000 logon name contain not more than 8 characters), then the
ActiveRoles Server console may display only a part of the property value. For
example, on the Account tab in the Properties dialog box for a user account whose
pre-Windows 2000 logon name contains more characters than allowed by a policy
rule, the console displays only as many characters of the pre-Windows 2000 logon
name as the policy rule allows.
TF00021645
Fixed: The Web Interface does not display the Active Directory tree in the
"Browse for Container" dialog box as expected when the Web Interface user
(delegated administrator) has the following permission settings in ActiveRoles
Server:
- Allow List Object for All Classes
- Allow Read All Properties for All Classes
- Deny Read ObjectClass for Domain
TF00022365
Fixed: A delegated administrator that has sufficient rights to rename local
users or groups is not allowed to change the user or group name on the Rename
page in the computer resources management section of the Web Interface: The Name
field is read-only.
TF00022367
Fixed: A delegated administrator that has sufficient rights to view or change
the properties of Windows services is not allowed to change the "Log On"
settings for a service in the computer resources management section of the Web
Interface: All the entries on the "Log On" tab of the Properties page for a
Windows service are read-only.
TF00022498
Fixed: When searching for objects in Active Directory, the ActiveRoles Server
ADSI Provider may consume an excessive amount of memory (memory leak).
TF00023060
Fixed: An error condition may occur in the Web Interface when you open Web
Interface pages in multiple windows by using the "File | New Window" command in
your Web browser, and then use pages in different windows to create objects of
the same object type (for example, user accounts).
TF00024381
Fixed: When installed together with the Administration Service on the same
computer, the Web Interface may not authenticate the user as expected. Instead
of using integrated Windows authentication, it may repeatedly prompt for the
user name and password, and then return the "Access is denied" error.
TF00025638; TF00026305
Fixed: The Web Interface disregards the "Default Columns" setting for a Managed
Unit. This setting can be configured in the ActiveRoles Server console, allowing
a custom set of columns to be displayed in the list of the Managed Unit members
by default. When you choose additional list columns to appear for a particular
Managed Unit in the console, the new columns are not added to the corresponding
list for that Managed Unit in the Web Interface as expected.
TF00025678
Fixed: The "Members" command on a built-in domain local group, such as
Administrators or Account Operators, may cause an error in the Web Interface:
"Exception has been thrown by the target of an invocation." This issue occurs
when the rights of the Web Interface user (delegated administrator) are defined
by applying only the "Groups - Read all Properties" and "Groups - Add/Remove
Members" Access Templates in ActiveRoles Server.
TF00026193
Fixed: The "View Contents" command on an Organizational Unit (OU) in the Web
Interface may not list the objects of the Container object class held in that
OU.
TF00026268
Fixed: The Web Interface menu for an AD LDS partition may not contain the "New
Container" command. The menu is expected to contain that command by default.
TF00026269
Fixed: When an AD LDS partition is selected in the Web Interface tree view, the
image denoting the partition may not appear on the page that displays the
contents of the partition.
TF00026273
Fixed: An unhandled exception occurs in the Web Interface Sites Configuration
wizard when the wizard attempts to contact the Administration Service (System.Runtime.InteropServices.COMException
(0x80005000): Exception from HRESULT: 0x80005000), provided that the
Administration Service has not finished building startup information. In this
situation, the wizard is expected to display an information message such as "The
Administration Service is not available. Building startup information is in
progress. Wait until the information is built, and then try again."
TF00026321
Fixed: The Web Interface may return an error when performing the task of
creating a user mailbox: "A property that is required to perform the operation
is not specified. Missing property: homeMDB." This issue is most likely to occur
when a property generation and validation policy is in effect that controls the
homeMDB attribute.
TF00028095
Fixed: An unhandled exception occurs in the Web Interface Sites Configuration
wizard when the wizard cannot find or contact the Administration Service (System.Runtime.InteropServices.COMException
(0x80005000): Exception from HRESULT: 0x80005000).
TF00036804
Fixed: The Web Interface may incorrectly apply an Exchange Mailbox
AutoProvisioning policy to select a mailbox store containing the least number of
mailboxes: When you use the Web Interface to create mailbox-enabled user
accounts, the same mailbox store is always selected to hold the user mailboxes
despite the policy rules that are in effect.
TF00037126
Fixed: On the Advanced search page in the Web Interface, selecting the "Present"
or "Not Present" condition does not cause the Value field to become unavailable
as expected.
TF00037378
Fixed: For a password reset operation that is performed using ActiveRoles
Server, the operation details information that is available in the Approval
section of the Web Interface makes it possible to guess whether an empty
password has been set.
TF00037648
Fixed: The Advanced search page in the Web Interface allows you to configure a
search by ActiveRoles Server virtual attributes. The expected behavior is that
the list of available attributes on the Advanced search page does not contain
the virtual attributes as ActiveRoles Server does not support search filters
with conditions imposed on virtual attributes.
TF00038126
Fixed: If self-administration in ActiveRoles Server is delegated by applying
only the "Self-Service - My Account Management" Access Template, the Web
Interface for Self-Administration (Self-Service Manager) may not allow users to
open the "My Account" page, returning the error "Access is denied."
TF00039330; TF00039331; TF00062194
Fixed: Numeric values on the Settings page in the Web Interface cannot be
entered from the keyboard or cleared by pressing the BACKSPACE or DELETE key.
Pressing the TAB key or arrow keys does not move the focus as expected on the
Settings page.
TF00040336
Fixed: Certain custom script-based policies configured in ActiveRoles Server may
adversely affect the drop-down command menu in the Web Interface so that the
list of commands in the combo-box at the top of the Web Interface page becomes
unavailable.
TF00040774
Fixed: In the Web Interface, opening the Approval section may cause an error:
"Object reference not set to an instance of an object." The problem occurs if
the Web Interface cannot identify the object class of the object representing
the approver's identity.
TF00040779
Fixed: The "Choose Columns" option on a custom command of the Search Task type
in the Web Interface may cause an error such as "Object reference not set to an
instance of an object."
TF00050997
Fixed: On the Members page for a group in the Web Interface, setting the
membership end date for a selection of multiple objects to make them temporal
members of the group may cause an error such as "The string was not recognized
as a valid DateTime. There is an unknown word starting at index 0." As a result,
the objects are removed from the group.
TF00051352
Fixed: Incorrect placement of the "Policy description" buttons for the "Select
Mailbox Store" entry, on the Web Interface page for creating a user mailbox.
TF00051630
Fixed: Incorrect behavior of the "Last Logon" function on the Account tab on the
General Properties page for a user account in the Web Interface: The dialog box
that appears when you click the Last Logon button may provide incorrect
information. For example, it may indicate "Last logon timestamp" or "Days since last
logon" as "undefined" instead of displaying the actual values.
TF00051681
Fixed: On the Members page, the Web Interface may represent the temporal
membership start time or end time in a time zone that is different from the time
zone that is used to represent the date and time in the "Temporal Membership
Settings" dialog box. This issue occurs if the time zone of the Web Server
running the Web Interface differs from the time zone of the computer running the
Administration Service.
TF00052204
Fixed: An error may occur in the Approval section of the Web Interface upon an
attempt to open an approval task in a new window, provided that the task is
associated with the operation of configuring temporal group members.
TF00053005
Fixed: A script error may occur in the Web Interface when you choose the
"Members" or "Member Of" command on a group if the name of the group contains an
apostrophe (').
TF00053819
Fixed: The Web Interface may fail to add temporal members to an AD LDS group,
returning an error such as "Exception has been thrown by the target of an
invocation. System.OverflowException: Value was either too large or too small
for an Int32." This issue occurs when you configure temporal membership settings
for a selection containing multiple objects from both AD LDS and Active
Directory (AD DS).
TF00054208
Fixed: The Web Interface may fail to add a member to an AD LDS group: A script
error "Unterminated string constant" occurs if the name of the group contains
non-alphanumeric characters such as the equal sign (=), backslash (\), or comma (,).
TF00054458
Fixed: In the list on the "Members" or "Member Of" page, the Web Interface may
not provide the appropriate graphical indication to distinguish between the
regular group memberships and the temporal group memberships. This issue occurs
if the "Start Time" and "End Time" columns are removed from the list. For
example, if those columns are removed from the "Members" list, the temporal or
pending members are shown as if they were regular members.
TF00054728
Fixed: With ActiveRoles Server approval rules configured so that deletion of an
object (such as a user account) requires approval, the Delete command on that
object may cause a script error in the Web Interface. The problem may occur if
the name of the object contains a series of non-alphanumeric characters.
TF00055081
Fixed: The tree view in the Web Interface does not provide the full DNS names of
the managed domains. Only the first label of the DNS name (DNS prefix) of each
domain is shown in the tree view.
TF00055222
Fixed: When connection to the Administration Service is lost (for example, the
Administration Service has stopped), an attempt to select an object in the Web
Interface may cause a memory access violation condition (Exception 0xC0000005).
In this scenario, the Web Interface is expected to display a message stating
that the Administration Service is unavailable.
TF00056274
Fixed: For a delete mailbox operation on a user account, the approval task
details page in the Approval section of the Web Interface may not list the user
account properties to be modified by that operation.
TF00056603
Fixed: On the Self-Service Manager Home page, clicking a hyperlink in the
"Pending tasks" area may cause an error: "Object reference not set to an
instance of an object."
TF00056663
Fixed: Incorrect name of the Web Interface page that is used to establish the
contact's e-mail address when creating a new contact - "Create Mailbox" instead
of "Create an Exchange e-mail address."
TF00056924
Fixed: Selecting the Properties command on a Group Policy Object in the Web
Interface may cause an error such as "(3304, 1) Microsoft VBScript runtime error
(-2146828275): Type mismatch: 'GetDwordParts'."
TF00056926
Fixed: Clicking the Exit button on the Web Interface pages for creating a new
object, such as a new user or group, may cause an error such as "The 'Name'
field cannot be empty." To close the pages, you need to enter a name for that
object.
TF00057001
Fixed: When creating a group in a domain that has the domain functional level of
Windows 2000 mixed, the Web Interface makes it possible to choose the Universal
group scope option along with the Security group type option. The expected
behavior is that the Security group type option is unavailable as only Universal
Distribution groups can be created in a Windows 2000 mixed mode domain.
TF00057071
Fixed: When the General Properties form for the group object class is customized
by adding a read-only auto entry for the Members attribute, the following issue
may occur in the Web Interface: Clicking Save on the General Properties page for
a particular group causes the Web Interface to clear the Members attribute on
that group. As a result, all members are removed from the group.
TF00057844; TF00062122
Fixed: Incorrect behavior of the Select Object dialog box in the Web Interface:
After you have used the "Choose columns" command to add one or more columns to
the list of objects in the Select Object dialog box, clicking an object in the
list opens a page that shows the properties of the object whereas this is only
expected to select the object. As a result, you cannot select an object from the
list.
TF00057880
Fixed: On the "Member Of" page in the Web Interface, the "Set Primary Group"
button is available even though a group is selected that cannot be set as the
primary group. The expected behavior is that the "Set Primary Group" button is
available only if a global or universal security group is selected.
TF00057974
Fixed: An incorrect image is used to denote the AD LDS Organizational Unit
object class in the Web Interface (the image is the same as for the AD LDS
Container object class).
TF00058078
Fixed: When you use the Web Interface to add members to an AD LDS group, the
Select Object dialog box erroneously allows you to select object classes that
cannot be members of AD LDS groups (for instance, Contact objects).
TF00058192
Fixed: The Web Interface may fail to create a mailbox-enabled user account,
returning an error such as "E-mail alias does not comply with the E-mail Alias
Generation policy. A different e-mail alias must be assigned to this user
account." This issue occurs if the E-mail Alias Generation policy requires the
alias to contain a part of a certain property of the user account. For example,
the following alias generation rule causes the issue in question: "Set e-mail
alias to %2<cn>{@counter(3)}"
TF00058510
Fixed: The Web Interface may fail to create a new user account by copying an
existing user account, returning an error: "Provisioning policy failure. The
'Exchange Mailbox AutoProvisioning' policy encountered an error. An unsupported
conversion was attempted." This issue occurs if the Exchange Mailbox
AutoProvisioning policy that is in effect has the "Enforce creation of the
mailbox" option selected.
TF00058887
Fixed: The 'United Kingdom', 'Isle of Man' and 'Jersey' items are missing from
the 'Country/region' list on the Web Interface pages for managing user
properties. As a result, when you use the Web Interface to make any changes to a
user account that has Country/region already set to a missing list item, such as
'United Kingdom', the Country/region setting may unexpectedly change on that
account.
TF00058919
Fixed: Numeric identifiers instead of object names may appear in the "Users or
groups" list on the Delegation (Send As) tab of the Exchange Properties page for
a user account in the Web Interface.
TF00059276
Fixed: When you use the Customization section of the Web Interface to link an
existing command with a new form, the form is created but contains no tabs. A
newly created form is expected to have a default tab.
TF00059315
Fixed: The Web Interface cannot find the Help pages when you click "Learn more
about approval workflow" in the "Your Changes Require Approval" message box.
TF00059747
Fixed: No information about the client version number is recorded in the
ActiveRoles Server ADSI Provider diagnostic log (ArsAdsiLog.txt).
TF00060044
Fixed: The "Recent Operations" list in the Approval section of the Web Interface
may not display some operations that are waiting for approval. For example, the problem
may occur when a delegated administrator adds temporal members to a number of
groups and submits those changes for approval, and then performs another
operation that also requires approval. In this scenario, the latter operation
may not be displayed in the "Recent operations" list.
TF00060925
Fixed: In the Attestation Review notification e-mails, hyperlinks to the "My
Reviews" page of the Self-Service Manager Web Interface site may not work as
expected: When you click such a hyperlink, you may receive an error message
stating that file CurrentReview.aspx does not exist.
TF00061234
Fixed: Selecting the Properties command on a Group Policy Object in the Web
Interface may cause an error such as "Value cannot be null."
TF00061392
Fixed: In the Customization section of the Web Interface, setting the default
command for a newly created menu may cause an error such as "Object reference
not set to an instance of an object." This issue occurs when you select a menu
that contains no commands, and then click Default Command.
TF00061395
Fixed: An incorrect title on the page that displays the results of a search for
approval tasks in the Approval section of the Web Interface.
TF00061432
Fixed: The Preview command on a Query-based Distribution Group has no effect in
the Web Interface.
TF00061532
Fixed: The Web Interface does not allow you to change the filter settings for a
Query-based Distribution Group. The filter settings are read-only on the page
for managing general properties of a Query-based Distribution Group in the Web
Interface.
TF00061572
Fixed: Filters on list columns may not function as expected in the Web
Interface. When you type in the text box beneath the name of a column and then
press ENTER, the Web Interface may not filter the list to match what you have
typed.
TF00061699
Fixed: Incorrect behavior of the "Managed By" page in the Web Interface: When
you open the "Select Object" dialog box, select a user, group or contact to
assign to the manager role, and then click Cancel in the "Select Object" dialog
box, the manager setting may change on the "Managed By" page. The expected
behavior in this case is that the manager setting remains unchanged.
TF00061825
Fixed: In ActiveRoles Self-Service Manager, clicking the Add button on the
"Claim a Group" page may cause an error: "An invalid directory pathname was
passed."
TF00062207
Fixed: The Web Interface may fail to add a user to a group and return an "Object
not found" error message if the name of the user contains an "at sign"
character (@).
TF00062494
Fixed: Incorrect behavior of the Web Interface pages for creating a user
account: When you receive an error due to improper data input on the first page,
correct your input and then click Next, the Web Interface may skip the
subsequent page, presenting you with the next nearest (third) page.
TF00062525
Fixed: Clicking the Exit button on the Web Interface pages for creating a new
computer object may cause an error such as "The 'Name' field cannot be empty."
To close the pages, you need to enter a computer name.
TF00064440
Fixed: In the Customization section of the Web Interface, setting the default
command for a newly created menu may cause an error such as "Object reference
not set to an instance of an object." This issue occurs when you create a new
menu, add one or more commands to the menu, and then click Default Command.
TF00069734
Fixed: The "Establish E-mail Address" operation may cause an error in the Web
Interface. This issue occurs in an environment that has an E-mail Alias
Generation policy configured with the option to allow manual edits of e-mail
alias if a unique alias cannot be generated by the policy.
TF00070369
Fixed: The Web Interface may fail to create a new user account by copying an
existing user account, returning an error: "Provisioning policy failure. The
'Exchange Mailbox AutoProvisioning' policy encountered an error. An unsupported
conversion was attempted." This issue occurs if a policy is in effect that
requires ActiveRoles Server to provision a new user with a mailbox located on
the Exchange server containing the least number of mailboxes.
TF00090329
Fixed: Incorrect behavior of the "Show nested groups" option on the "Member Of"
page in the Web Interface: The page may not display all groups to which the
selected object belongs through group nesting. The problem occurs in a situation
where an object is a member of a certain group which is, in turn, a member of
several other groups. When you select the "Show nested groups" check box, you
may encounter an empty list on the "Member Of" page for that object whereas the
page is expected to display a portion of the groups list.
TF00091535
Fixed: Incorrect behavior of an entry for an attribute of syntax ORName in the
ActiveRoles Server Web Interface: The entry may not list all the existing values
of the attribute. Some values may be missing from the list provided by that
entry.
TF00092959
Fixed: If the service account of the Administration Service is denied Read
access to a certain organizational unit, an error may occur in the Web Interface
upon an attempt to view properties of a user account when the user account is a
member of a group that resides in that "denied" organizational unit. The same
issue may occur in a situation where the Web Interface form for managing user
properties is configured to include an entry for a custom stored virtual
attribute of DN syntax.
TF00095719
Fixed: When saving the changes you make on the "User/Exchange Properties/Mailbox
Rights" page in the Web Interface, you may encounter the following error:
"Invalid attribute type or type mismatch." The issue is due to an error
condition that occurs in the ActiveRoles Server ADSI Provider upon an attempt to
change the security descriptor of the mailbox.
TF00096027
Fixed: When you change the e-mail address of a contact by using the Web
Interface, you may encounter the following problem: After you have changed the
e-mail address, it is no longer set as the primary address on that contact. The
result is that the contact has no primary address specified.
TF00100133
Fixed: The "Use FIPS compliant algorithms for encryption, hashing and signing"
Group Policy setting causes the following error in the Web Interface: "This
implementation is not part of the Windows Platform FIPS validated cryptographic
algorithms."
TF00100962
Fixed: The "Show pending group memberships" option is not selected by default on
the "Member Of" page in the Web Interface. The option should be selected to
ensure that the "Member Of" page lists the groups to which the focus object
belongs as a temporal or pending member, in addition to the groups in which the
focus object is a regular member.
TF00102189
Fixed: Incorrect behavior of the "Save to File" command in the Web Interface: In
the resulting file, string values that contain comma characters are not enclosed
in quotation marks as expected. This causes a problem when you attempt to open
that file as a CSV file in Microsoft Office Excel. When exporting a list to a
file, the Web Interface is expected to add a quotation mark at the beginning and
at the end of every exported string value containing one or more comma
characters.
TF00102211
Fixed: Information about the Web Interface connection sessions to the
Administration Service is missing from the "Configuration/Server
Configuration/Client Sessions" container in the ActiveRoles Server console.
TF00102216
Fixed: Clicking the Exit button on the Web Interface pages for creating a user
account may not close the pages as expected. This issue occurs if a policy
violation is detected and an error message informing of the violation is
displayed on the page. In this case, clicking Exit has no effect.
TF00102258
Fixed: In certain rare situations, an operation request from the ActiveRoles
Server ADSI Provider may cause the Administration Service to stop unexpectedly.
This issue may occur, for instance, on a 64-bit system with more than 4GB of
RAM.
TF00102370
Fixed: In the Web Interface, you may encounter an error such as "The object name
has bad syntax" when administering a user or group that is located in an
Organizational Unit whose name contains non-alphanumeric characters such as ` ~
! @ # $ % ^ & * ( ) _ + - = [ ] \ { } | ; ' : " , . / < > ? For example, this
error may occur when you use the "Members," "Member Of" or "Managed By" page to
view or change the corresponding settings on a group or user object from such an
Organizational Unit.
TF00103085
Fixed: On the page for managing properties of a logical printer, in the computer
management section of the Web Interface, the Priority field on the Advanced tab
is available even if the Web Interface user does not have sufficient rights to
change the Priority setting.
TF00103086
Fixed: In the Customization section of ActiveRoles Self-Service Manager, the
"Set Default Command" function has no effect. For example, if you choose a
certain command as the default for the "My Account" page, the command you have
chosen is not performed as expected when you click "My Account" on the
Self-Service Home page.
TF00103091
Fixed: You may encounter a script error in the Web Interface when you select the
Organizational Unit to move an object to. This issue occurs if the
Organizational Unit that holds the object has a name containing
non-alphanumeric characters such as ` ~ ! @ # $ % ^ & * ( ) _ + - = [ ] \ { } |
; ' : " , . / < > ?
TF00103641
Fixed: Incorrect default behavior of the "Member Of" page for an object such as
a user, computer or group in the Web Interface. By default, the page lists only
those groups to which the object belongs as a regular member (regular group
memberships). The page is expected to list both the regular and temporal group
memberships by default, so that making an object a temporal or pending member of
a group causes the group to appear in the list on the "Member Of" page for that
object.
TF00103894
Fixed: The "Loading" label in the Web Interface is not localized. The
English-language label appears when you click to expand a node in the tree view
regardless of the user interface language you selected.
TF00104485
Fixed: The "Managed By" tab is missing from the Properties page for an AD LDS
Organizational Unit in the Web Interface.
TF00104486
Fixed: The domain functional level or forest functional level of Windows Server
2008 is not displayed on the Properties page for a Domain object in the Web
Interface.
TF00104489
Fixed: The creation of a new menu may cause an error condition in the
Customization section of the Web Interface. The error message reads as follows:
"Object reference not set to an instance of an object."
TF00105170
Fixed: In the Approval section of the Web Interface, the link "To open task in
new window, click here" does not function as expected. Clicking that link does
not cause a new window to open; the task details page replaces the page in the
current window.
TF00105174
Fixed: The following sequence of steps causes a script error in the
Customization section of the Web Interface: Click the Choose button on the
"Default Command" page to open the "Default Command" dialog box, click the
"Command name" or "Description" column heading, and then click OK to close that
dialog box.
TF00105178
Fixed: Incorrect behavior of the "Dial-in Properties" page for a user account in
the Web Interface: When you add an entry to the "Static routes" list, the Web
Interface loses the Metric setting in the entry you have added.
TF00105260
Fixed: Incorrect sizing of the "Certify Groups" dialog box in the "My Reviews"
section of ActiveRoles Self-Service Manager due to long strings in the text of
the certification agreement.
TF00105265
Fixed: A script error occurs in the Approval section of the Web Interface when you
attempt to approve or reject an operation for which you have not been assigned
as an approver.
TF00105693
Fixed: You may encounter a script error when using the "Advanced Search" page in
the Approval section of the Web Interface. This issue occurs if a non-English
user interface language is selected.
TF00105700
Fixed: The "New Query-based Distribution Group" command is missing from the
default menu for the Organizational Unit object class in the Web Interface for
Administrators.
TF00105707
Fixed: An error condition may occur in the "Temporal Membership Settings" dialog
box in the Web Interface, causing the Web browser to close unexpectedly. You may
encounter this issue in the following scenario: You click "Temporary Access" in
the "Select Object" dialog box and choose the "On this date" option under "Add
to the group"; then, you click OK to close the "Select Object" dialog box, and
click "Temporary Access" on the Web Interface page. As a result, the field next
to the "On this date" option in the "Temporal Membership Settings" dialog box
may not display a date-time setting as expected; if you click that field, your
Web browser may close unexpectedly.
TF00105748
Fixed: If the name of a Managed Unit contains non-alphanumeric characters (such
as * < > ? \ % | : ' ! # " , ; < > + ( ) : / ), then a script error may occur in
the Web Interface when you select that Managed Unit in the tree view pane of a
Web Interface page.
TF00106116
Fixed: Re-running an advanced search in the Approval section of the Web
Interface may cause an error such as "Value cannot be null. Parameter name:
arsAttributeCollection." This issue occurs in the following scenario: You click
"Advanced Search" in the Approval section, specify certain search conditions,
click the Search button, and wait for the search to complete; then, you expand
the "Search Options" area and click the Search button again without changing the
search conditions.
TF00106416
Fixed: The Web Interface may not display a custom icon that denotes the object
type of the focus object. A custom icon for an object type can be specified in
the XML document that is stored in the edsaWISettings attribute of the Web
Interface configuration object, as described in the "Creating a Custom Icon for
Directory Object" topic in the ActiveRoles Server SDK and Resource Kit.
TF00026069
Fixed: ActiveRoles Server Collector incorrectly processes data collection tasks
configured to collect EDM Server event log data from remote computers: It
retrieves events from the log located on the computer running Collector instead
of gathering data from the remote computer specified.
TF00055716
Fixed: For a data set collected from a large Active Directory domain (50,000+
objects), some reports included with the ActiveRoles Server Report Pack may fail
because of an error condition in SQL Server Reporting Services. Thus, the "View
report" command on the "Group membership by group" report may cause a long delay
(up to several minutes) and then fail with an error message similar to the
following:
"An error has occurred during report processing.
Query execution failed for data set 'MainDataSet'.
A severe error occurred on the current command. The results, if any, should be
discarded. Operation cancelled by user.
Execution 'zhaiv25541xzrr554ycdovbk' cannot be found (rsExecutionNotFound)."
TF00057244
Fixed: The "Users with specified properties" report may take longer than
expected to open in Quest Knowledge Portal or SSRS Report Manager.
TF00058884
Fixed: Information about Rename operations is missing from the "Directory object
management" report.
TF00062303
Fixed: In the "Directory object management" or "User attribute management"
report, the Rename check box is missing from the "Select actions" list although
the report data source contains the Rename operation records.
TF00065666
Fixed: Certain ActiveRoles Server reports, such as "Active Directory Object
Properties" or "Linked Property Validation Settings (with inheritance)," may not
display graphics as expected when viewed using Quest Knowledge Portal or SSRS
Report Manager.
TF00093091
Fixed: Information about the ObjectDelete and ObjectMove operations is missing
from the "Directory object management" report.
TF00102994
Fixed: The ActiveRoles Server reports such as "Directory object management" and
"User attribute management" may take much longer than expected to open, or may
fail to open due to a timeout condition, in Quest Knowledge Portal or SSRS
Report Manager.
TF00103001
Fixed: In the "Domain group statistics" report, hyperlinks are missing from the
column that displays group counts (total number of groups and number of groups
with particular group type or scope). Clicking a number in that column does not
open the "Group list with member statistics" report as expected.
TF00103623
Fixed: The "User attribute management" report may not contain information about
the newly created user accounts. The report considers only the existing user
accounts that have any attributes changed.
TF00103624
Fixed: Certain typos and misspellings in the ActiveRoles Server reports and
sub-reports, such as "Active Directory Object Properties," "All discontinued
computer accounts," "Group Membership by Group," "User account options," "User
attribute management," "ActiveRoles User Details" and "ARS Subreport User
Details."
TF00103625
Fixed: Quest Knowledge Portal or SSRS Report Manager may not display a
description for the following ActiveRoles Server reports: "Active Directory
Object Properties," "Linked Property Validation Settings," "Linked Property
Validation Settings (with inheritance)," "Linked Script Settings (with
inheritance)."
TF00104522
Fixed: When you use the SSRS Report Manager to view or change the properties of
an ActiveRoles Server report, you may encounter a script error in your Web
browser. Thus, a script error occurs when you open the Properties page for the
"Empty Groups" report and then click the Parameters tab.
TF00104526
Fixed: The "OU" column in the "Password age information" report displays the
canonical name of a user instead of the canonical name of the container that holds the
user. To address this issue, the "OU" column is renamed to "Parent Container"
and it now displays the parent container canonical name as expected.
TF00104528
Fixed: In the "Linked Property Validation Settings (with inheritance)" report,
the "Class name like" filter option may not function as expected. To address
this issue, the option in question (renamed to "Policy object type") now
requires a policy category to be selected from a list instead of allowing it to
be specified by typing.
TF00104529
Fixed: In the "Users with specified properties" report, the filter option
"Property 2 value like" does not function as expected. When you use that option,
the report may contain no data although certain users match the specified filter
conditions.
TF00105395
Fixed: Incorrect behavior of ActiveRoles Server Collector in an environment
where multiple instances of the Administration Service are deployed: When
configured to connect to a particular Administration Service instance, Collector
gathers event data from only that instance whereas the expected behavior is that
the event data is collected from all Administration Service instances that share
the same configuration whether via ActiveRoles Server replication or by using a
common configuration database.
TF00105674
Fixed: Quest Knowledge Portal or SSRS Report Manager may not display a
description for the following ActiveRoles Server reports:
- All discontinued user accounts
- Bad password information
- Deprovisioned user accounts
- Disabled user accounts
- Email delivery options
- Email delivery restrictions
- Expired user accounts
- Inactive user accounts
- Locked user accounts
- Mailbox information by user
- Objects managed by user
- Password age information
- User account list
- User account options
- User accounts with expired password
- User profile information
TF00106106
Fixed: For the user accounts that are configured to never expire, the "Active
Directory object properties" report shows the accountExpires attribute value of
'1970-01-01 00:00:00' or '2100-01-01 00:00:00', as specified in Active
Directory, without giving a cue that this value actually indicates a
non-expiring account. To address this issue, the report now adds the '(never)'
suffix to the display of those attribute values, such as '1970-01-01 00:00:00
(never)' or '2100-01-01 00:00:00 (never)'.
TF00106348
Fixed: Incorrect filter option names, 'Organizational unit like' instead of
'Path to object like' and 'Organizational unit not like' instead of 'Path to
object not like', in the following ActiveRoles Server reports:
- All discontinued user accounts
- Deprovisioned user accounts
- Disabled user accounts
- Email delivery options
- Email delivery restrictions
- Expired user accounts
- Inactive user accounts
- Locked user accounts
- Mailbox information by user
- Objects managed by user
- Password age information
- User account options
- User accounts with expired password
- User profile information
TF00056235; TF00062248; TF00093147; TF00105511; TF00105518
Fixed: Some minor inaccuracies and typos in the printed
(PDF) documentation for ActiveRoles Server.
TF00060928; TF00061523; TF00093147
Fixed: Some minor inaccuracies and typos in the online documentation (Help) for
ActiveRoles Server.
TF00097274
Fixed: The ActiveRoles Server SDK and Resource Kit does not provide information
about the GetIADsLargeInteger method of the IEDMLargeInteger interface.
TF00100685
Fixed: Certain inaccuracies in the sample solution "Property Page Extension"
(see the "Adding Extension Snap-in's Property Page" topic in the ActiveRoles
Server SDK and Resource Kit) that may cause compilation errors when you attempt
to build the solution.
TF00103014
Fixed: Certain inaccuracies in the "Copying Groups" and "Copying User Accounts"
code snippets, in the ActiveRoles Server SDK and Resource Kit.
TF00103020
Enhancement: The "Specifying Parameters for Policy Scripts" section added to the
ActiveRoles Server SDK and Resource Kit.
TF00104504
Fixed: Incorrect VBScript sample for the onPreDelete event handler in the
"Understanding Event Handlers" topic, in the ActiveRoles Server SDK and Resource
Kit.
TF00104506
Fixed: The "Moving Mailbox for User Account" code snippet, in the ActiveRoles
Server SDK and Resource Kit, should use the "edsaHomeMDB" rather than "homeMDB"
attribute to specify the mailbox store or database to move the mailbox to.
TF00104508
Fixed: Certain inaccuracies in the contents of the "Managing AD Objects" section
in the ActiveRoles Server SDK and Resource Kit. The "Unlocking User Accounts"
and "Moving Groups" code snippets are missing from that section.
TF00104509
Enhancement: The "Web Interface/Reference/Intrinsic Objects" section of the
ActiveRoles Server SDK and Resource Kit documentation has been extended to
include the following topics:
- ADUtils Object
- LanguageUtils Object
- Trace Object
- Server Object
- FormPage Object
- DropDownList Object
These topics cover the new objects specific to Web Interface customization that
have been added in the latest release of ActiveRoles Server.
TF00105133
Fixed: In the ActiveRoles Server SDK and Resource Kit, the FormPage object is
erroneously referred to as the PageForm object.
TF00105141
Fixed: Incorrect sample script in the "Deprovisioning User Accounts" topic in
the ActiveRoles Server SDK and Resource Kit: When you run that script, you
encounter an error in line 38.
TF00105213
Fixed: The ActiveRoles Server SDK and Resource Kit does not provide information
specific to Exchange 2007 or Exchange 2010. In this release, the following new
topics and samples are added that cover the management of Exchange recipients in
an Exchange 2007 or Exchange 2010 organization: "Creating Resource Mailbox for
User Account" and "Converting a User Mailbox to Linked Mailbox."
TF00105243
Fixed: The "IEDSPolicyComplianceRequest::SetPolicyComplianceInfo" topic in the
ActiveRoles Server SDK and Resource Kit does not describe all available
parameters of the SetPolicyComplianceInfo method of the
IEDSPolicyComplianceRequest interface.
TF00105663
Enhancement: The "ActiveRoles Management Shell" section added to the ActiveRoles
Server SDK and Resource Kit.
TF00105969
Fixed: The ActiveRoles Server SDK and Resource Kit contains an outdated example
of a policy script - "Restricting the Type of Distribution Groups." To address
this issue, the outdated example has been replaced with a new one covered by the
"Restricting the Scope of Groups" topic.
TF00105980
Enhancement: In the ActiveRoles Server SDK and Resource Kit documentation, the
"Using ActiveRoles Server Controls" topic has been extended to include
descriptions of the following new controls:
- IndirectMembership-GetData
- OperationID
- PrimaryGroup-GetData
- ShowRecycledObjects
This section provides a list of the currently known issues that customers may experience with ActiveRoles Server version 6.5.0. For each issue, the list includes an ID number, which identifies the issue, a brief description of the problem, and a workaround, if any exists, for the problem. The list is divided by component so that the issues related to each individual component of the product are grouped together:
Please note that updates to this list may be published to the Quest Support
website SupportLink (http://support.quest.com)
after the product release.
TF00018149
When installing the Administration Service, you may encounter the following
error: "A short NETBIOS name should be used for connection to SQL Server. See
Release Notes.htm file, "known issues" section for details."
This error occurs in any of the following cases:
Case 1. A data loss occurred in SQL Server system tables
Case 2. The computer running the SQL Server instance was renamed
Case 3. You have used an alias to identify the SQL Server instance
To determine which case you have encountered, run the following two queries on
the SQL Server instance that you specified when installing the Administration
Service (enter these queries "as is," without making any substitutions for the 'servername'
parameter):
select @@servername
select serverproperty('servername')
Examine the results returned by these queries:
1. If "select @@servername" returns NULL, you have encountered Case 1.
2. If "select @@servername" and "select serverproperty('servername')" return
different non-null values, you have encountered Case 2.
3. If "select @@servername" and "select serverproperty('servername')" return the
same non-null value, you have encountered Case 3.
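The three-way check above, combined into one read-only T-SQL batch. This is an added example, not part of the original release notes; the variable names and output column names are illustrative, and the sys.servers lookup assumes SQL Server 2005 or later.

```sql
-- Added diagnostic: classifies the instance as Case 1, 2 or 3 as defined
-- in TF00018149. It only reads values and changes nothing on the server.
SET NOCOUNT ON;

DECLARE @registered sysname,      -- name registered as the local server
        @actual     sysname,      -- name the instance actually runs under
        @case       varchar(10),
        @next_step  nvarchar(400);

SELECT @registered = @@SERVERNAME,
       @actual     = CAST(SERVERPROPERTY('servername') AS sysname);

IF @registered IS NULL
    -- Case 1: the local server registration is missing.
    SELECT @case = 'Case 1',
           @next_step = N'Register the local server with sp_addserver '
                      + N'(''local'') in master, then restart the instance.';
ELSE IF @registered <> @actual
    -- Case 2: the registration still carries the old computer name.
    -- The comparison uses the collation of the current database.
    SELECT @case = 'Case 2',
           @next_step = N'Run sp_dropserver for the old name, then '
                      + N'sp_addserver (''local'') for the current name '
                      + N'in master, then restart the instance.';
ELSE
    -- Case 3: the registration is consistent, so Setup was given an alias.
    SELECT @case = 'Case 3',
           @next_step = N'In Setup, identify the instance as computername '
                      + N'or computername\instancename (NetBIOS name).';

SELECT @case       AS DetectedCase,
       @registered AS RegisteredName,
       @actual     AS ActualName,
       @next_step  AS NextStep;

-- Assumption (SQL Server 2005 and later): the local registration that
-- @@SERVERNAME reflects is the sys.servers row with server_id = 0.
-- No row here corresponds to Case 1.
SELECT server_id, name
FROM   sys.servers
WHERE  server_id = 0;
```

Because @@SERVERNAME is only refreshed when the instance starts, re-run the batch after the restart called for in Case 1 and Case 2 to confirm that both names now match.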
WORKAROUND
Use the following instructions, depending on the case you have encountered, and
then re-run the Setup program to install the Administration Service.
Case 1:
Run the following query against the Master database on the SQL Server instance
in question, and then restart the SQL Server instance:
declare @sn sysname
select @sn = cast(serverproperty('servername') as sysname)
exec sp_addserver @sn, 'local'
Case 2:
Run the following two queries in succession against the Master database on the
SQL Server instance in question, and then restart the SQL Server instance:
exec sp_dropserver @@servername, 'droplogins'
declare @sn sysname
select @sn = cast(serverproperty('servername') as sysname)
exec sp_addserver @sn, 'local'
Case 3:
Use the following syntax to identify the SQL Server instance when installing the
Administration Service:
"computername" - for the default instance
"computername\instancename" - for a named instance
In this syntax: "computername" stands for the NetBIOS name of the computer
running SQL Server; "instancename" stands for the name of the SQL Server
instance.
TF00024066
When upgrading the Administration Service from version 5.x to version 6.x with
the migration option selected in the Installation Wizard, you may encounter the
following problem: At the end of the installation process, the Setup program
requires that the computer be restarted.
WORKAROUND
You can avoid having to restart the computer as follows: Prior to running the
Installation Wizard, stop the Administration Service that you are going to
upgrade. To stop the Administration Service version 5.x, enter the following
command at a command prompt on the computer running that Service:
net stop edmsvc
TF00024475
If the ActiveRoles Server Language Pack and Administration Service are installed
on the same computer, uninstalling the Administration Service on that computer
prior to uninstalling the Language Pack causes the following problem: When
attempting to uninstall the Language Pack, you encounter "Error 1920: Service 'ArsSvc'
(ArsSvc) failed to start. Verify that you have sufficient privileges to start
system service." As a result, the Language Pack cannot be uninstalled since the
Setup program requires the Administration Service.
WORKAROUND
Install the Administration Service, uninstall the Language Pack, and then
uninstall the Administration Service.
TF00025903
Incorrect behavior of the Web Interface Setup program: Clicking Cancel in the
Web Interface Installation Wizard and then clicking "Exit Setup" may not cancel
the installation process.
WORKAROUND
Wait until the Setup program has completed the installation, and then use the
Add or Remove Programs tool in Control Panel to un-install the Web Interface.
TF00037391
When installing the Administration Service on a domain controller, you may
encounter the following error: "Error 1920. Service 'Quest ActiveRoles
Administration Service' (ArsSvc) failed to start. Verify that you have
sufficient privileges to start system services."
WORKAROUND
Do not close the error message box. Use the Services tool to manage the service
named Quest ActiveRoles Administration Service: On the Log On tab in the
Properties dialog box for that service, specify the logon name and password of
the account that you want the service to log on as, and click Apply; then, go to
the General tab, and click Start. Once the service has been started, click Retry
in the error message box that was displayed by the Administration Service Setup
program.
TF00101036
Under certain rare conditions, the Setup program for a
particular ActiveRoles Server component may stall while calculating the disk
space requirements. A symptom of this issue is a message box with a message
such as "Please wait while the installer determines your disk space
requirements" that persists for an indefinite time after you click Next on the
Select Features page in the Installation Wizard.
WORKAROUND
Quit and then re-run the Setup program. To quit the Setup program, click Cancel
to close the "Please wait while the installer determines your disk space
requirements" message box and then click Cancel in the Installation Wizard.
TF00011990
The Administration Service does not support querying for more than 200 different
Custom Stored Virtual Attributes (CSVAs) within a single search request. When
you query for more than 200 different CSVAs within a single search request so
that the request is configured to retrieve the values of those attributes, you
may experience performance degradation in the Administration Service and your
query may return incorrect results.
WORKAROUND
If you need to query for a large number of CSVAs (so as to have your search
request retrieve the values of those attributes), perform multiple search
requests with a smaller number of attributes involved in each request. For best
performance, a single search request should not query for more than 32 different
CSVAs.
TF00018378
The Administration Service incorrectly evaluates the delegated rights of the
user account in the following scenario:
- An organizational unit (OU) is configured so that a given user account is set
as the manager of the OU (the Managed By property of the OU is assigned the DN
of the user account).
- The ActiveRoles Server security settings on the OU are configured so that the
"Primary Owner (Managed By)" built-in account has full control of the OU.
In this scenario, ActiveRoles Server does not permit the user account to modify
objects in the OU. The expected behavior is as follows: since the user account
is set as the manager of the OU, and full control of the OU is delegated to the
"Primary Owner (Managed By)" account, the user account has full control of the
OU and all objects held in the OU. The same issue occurs in the situation where
a group is set as the manager.
WORKAROUND
Configure the ActiveRoles Server security settings on the OU so that the
appropriate rights (for example, full control) are delegated to the user account
(or group) itself rather than to the "Primary Owner (Managed By)" account.
TF00018419
The default Exchange mailbox store in which the Administration Service creates
user mailboxes may differ from the mailbox store that Microsoft's native tools
select for the mailbox creation operation by default.
WORKAROUND
When you use ActiveRoles Server to create a new mailbox-enabled user or create a
mailbox for an existing user, verify the mailbox store selection, and choose the
appropriate store if necessary. Another option is to configure and apply an
Exchange Mailbox AutoProvisioning policy that would automatically choose the
appropriate mailbox store.
One more option is to configure and apply a script-based policy that would use
the onGetEffectivePolicy handler to set the appropriate default value on the
homeMDB attribute, which specifies the mailbox store:
Sub onGetEffectivePolicy(Request)
    ' <desired value> is a placeholder for the mailbox store to use as the default.
    Request.SetEffectivePolicyInfo "homeMDB", EDS_EPI_UI_GENERATED_VALUE, _
        Array(<desired value>)
End Sub
TF00022786
When using the "Handle changes from DirSync control" option in a script-based
policy, you may encounter the following problem: The policy does not execute the
onPostDelete handler. This problem occurs if the Policy Object containing the
policy in question is applied (linked) to an organizational unit.
WORKAROUND
Apply the Policy Object to a domain rather than to an organizational unit.
TF00022929
When attempting to connect to a remote Administration Service using explicit
credentials, you may encounter error messages providing no details on the error
situation. Thus, in the ActiveRoles Server console, when you use the "Connect
As" option in the "Change Administration Service" dialog box, the console may
fail to establish a connection, returning an error such as the following:
- IDispatch error #xxxx
- Unknown error 0x8013xxxx
This problem may occur if all of the following conditions are true:
- You are attempting to connect to a remote Administration Service, or to
assign the Subscriber role to a remote Administration Service.
- You have used the "Connect As" option in the "Change Administration Service"
dialog box, and specified a different user name and password in the "Connect As"
dialog box.
- You do not have sufficient permissions to connect to the Administration
Service without specifying a different user name and password. For example, the
domain of your user account is not trusted by the domain of the Administration
Service computer.
In this case, the console is unable to retrieve the correct error descriptions
from the Administration Service. As a result, only the error codes are
displayed.
WORKAROUND
Use the following steps to add the user name and password to the "Stored User
Names and Passwords" list on the computer from which you want to connect to the
remote Administration Service. You should add the user name and password to that
list instead of specifying them in the "Connect As" dialog box provided by the
ActiveRoles Server console. Note that this workaround only applies to computers
running Windows XP or Windows Server 2003.
1. Click Start, click Run, type 'control userpasswords2', and then click OK.
2. Click the Advanced tab, and then click the "Manage Passwords" button.
3. Add a new entry to the password list, specifying the following information:
- Full DNS name of the remote Administration Service computer.
- The user name and password you want to use to connect to that
Administration Service.
After you complete these steps, you will be able to connect to the
Administration Service without using the "Connect As" option.
TF00023848
Creation, modification, or deletion of a custom display specifier has no effect
on a given Administration Service until that Service is restarted. A symptom is
that the directory management section of the ActiveRoles Server console does not
reflect the changes to custom display specifiers until you restart the
Administration Service the console is connected to.
WORKAROUND
Restart each Administration Service after you have made changes to custom
display specifiers.
TF00023885
When upgrading the Administration Service from version 5.1 to version 6.x, you
may encounter the following problem: The configuration data migration option is
not supported. This option is only supported when you upgrade the Administration
Service from version 5.2. (See also TF00024191)
WORKAROUND
To transfer your ActiveRoles Server configuration data from version 5.1 to
version 6.x, first upgrade the Administration Service to version 5.2.5 using the
"in-place upgrade" option. Then, upgrade the Administration Service from version
5.2.5 to version 6.x using the data migration option.
TF00024227
When you export policy check results or change history results to a file in HTML
format, and then send the file as an e-mail attachment, you may encounter the
following problem: Opening the attachment in Outlook displays a corrupted HTML
page, with extra spaces being inserted between page sections.
WORKAROUND
Archive the file to which you have exported the results and then send the
archive file as an attachment instead of sending the original file.
TF00024229
When configuring a Managed Unit to use a query-based membership rule, you may
encounter the following problem: A membership rule based on a custom LDAP query
may not work as expected if the query includes a right bracket (]). For example,
the following query causes an error: (&(objectcategory=group)(accountNameHistory=*[DG]*)).
WORKAROUND
If possible, modify your query to eliminate the right brackets. In the above
example, the query can be modified as follows, without loss of functionality:
(&(objectcategory=group)(accountNameHistory=*[DG*))
See also TF00023627
TF00024439
When applying an Access Template to the "Active Directory" container in the
ActiveRoles Server console, with the option to enable synchronization of the
resulting permission entries to Active Directory, you encounter the following
problem: The resulting permission entries are propagated from the "Active
Directory" container to the managed domains held in that container, but not
synchronized to Active Directory.
Thus, you can check "Advanced Details Pane" on the View menu in the console,
select a managed domain under the "Active Directory" node in the console tree,
and examine the permission entries on the "Native Security" tab in the lower
sub-pane of the details pane, to see that the permission entries resulting from
the Access Template you applied to the "Active Directory" container are marked
as Absent, and displayed in red. In this case, the synchronization can only be
performed manually, by right-clicking such entries on the "Native Security" tab,
and then clicking the "Resync from ActiveRoles Server Security" command.
WORKAROUND
Avoid using the synchronization option when applying Access Templates to the
"Active Directory" container. If you need to synchronize permission entries from
ActiveRoles Server security to native Active Directory security, apply Access
Templates to managed domains or objects and containers within managed domains.
TF00024486
When applying an Access Template to a Managed Unit, with the option to enable
synchronization of the resulting permission entries to Active Directory, you
encounter the following problem: The resulting permission entries are inherited
by the directory objects held in the Managed Unit, but not synchronized to
Active Directory. The same problem occurs when you apply an Access Template to a
Managed Unit Container.
Thus, you can check "Advanced Details Pane" on the View menu in the console,
select a directory object held in the Managed Unit, and examine the permission
entries on the "Native Security" tab in the lower sub-pane of the details pane,
to see that the permission entries resulting from the Access Template you
applied to the Managed Unit are marked as Absent, and displayed in red.
WORKAROUND
Avoid using the synchronization option when applying Access Templates to Managed
Units or to Managed Unit Containers. If you need to synchronize permission
entries from ActiveRoles Server security to native Active Directory security,
apply Access Templates to directory objects rather than to Managed Units or
Managed Unit Containers.
TF00024487
The Administration Service may not provide its client applications with
information about an ActiveRoles Server replication failure as expected. As a
result, the ActiveRoles Server console or Management Pack for MOM may not
display an appropriate alert or status message on the ActiveRoles Server
database servers that are experiencing replication problems.
WORKAROUND
Use the instructions given in the document "Quest ActiveRoles Server -
Replication: Best Practices and Troubleshooting" to check the health of, and
troubleshoot problems (if any) with, ActiveRoles Server replication.
TF00025236
The policy compliance check in the Administration Service may inappropriately
handle a policy configuration where values of certain object properties in the
directory are dependent on other property values that are to be generated by a
policy. Thus, when a "Property Generation and Validation" policy is configured
to assign a certain property value based on a user logon name generated by a
"User Logon Name Generation" policy, you encounter a policy violation error when
creating a user account using the ActiveRoles Server console unless you have
clicked the Generate button to have the Administration Service generate a user
logon name.
WORKAROUND
If you have encountered a policy violation error when using a page that includes
the Generate button, click that button to have the Administration Service
generate a property value.
TF00025521
In an environment where Exchange Server 2007 and the Administration Service are
deployed in different forests, the Administration Service fails to create a user
with a mailbox on Exchange Server 2007.
WORKAROUND
Use the Administration Service running on a computer that belongs to the forest
in which Exchange Server 2007 is deployed.
TF00025620
There is no option to configure an ActiveRoles Server policy for generating a
user principal name (UPN) so that the UPN Suffix part of the name automatically
changes if the generated name is in use by another user account. Normally, the
UPN Prefix part of the name (the value of the edsaUPNPrefix attribute) is the
same as the pre-Windows 2000 user logon name (the value of the sAMAccountName
attribute). This ensures the uniqueness of the user principal name regardless of
the UPN Suffix setting.
WORKAROUND
After the user account has been created with a valid (unique) user principal
name, change the UPN Suffix and UPN Prefix parts of the name as needed using the
ActiveRoles Server console or Web Interface.
TF00025625
After an upgrade of the Administration Service from version 5.2 to version 6.x
with the option to import the configuration data of version 5.2, the Exchange
mailbox provisioning policies that were configured with version 5.2 may not work
as expected in version 6.x. Thus, some of the mailbox stores in which creation
of mailboxes is allowed may not appear in the corresponding lists on the pages
for creating or managing Exchange recipients in the ActiveRoles Server console
or Web Interface.
WORKAROUND
Use the ActiveRoles Server console to update the policy settings specific to the
Exchange mailbox provisioning policies in each of the existing Policy Objects
after the upgrade:
1. Open the Properties dialog box for the Policy Object and go to the Policies
tab.
2. In the list on the Policies tab, double-click an Exchange Mailbox
AutoProvisioning policy entry (by default, such an entry has the following
description: "Controls selection of mailbox stores where Exchange mailbox
creation is allowed") and go to the "Allowed Mailbox Stores" tab.
3. Do not make any changes on the tab; only click OK for the console to resend
the data from the dialog box to the Administration Service.
4. Click OK to close the Properties dialog box.
You should repeat these steps for every Exchange Mailbox AutoProvisioning policy
entry in each Policy Object that was imported from version 5.2.
TF00025700
Incorrect behavior of a User Logon Name Generation policy that is configured to
disallow certain (non-acceptable) characters in the user logon names: In the
situation where the policy allows the generated name to be modified manually
(for example, if the policy fails to generate a unique name), adding
non-acceptable characters to the name in the New Object - User wizard causes a
policy violation and then the field for entering the name becomes unavailable so
you cannot correct your input.
WORKAROUND
In the wizard, re-enter the value of any property based on which the user logon
name is generated. This will enable the field for entering the user logon name
so that you can remove the unacceptable characters from the name.
TF00025728
In some limited scenarios, you may encounter corruption of attribute names
(wrong characters) on the page that displays a report produced by the "Change
History" command. For example, this problem may occur with the Change History
report on a user account that was deprovisioned via the ActiveRoles Server Web
Interface using the Web browser with a non-English locale.
TF00025879
You may encounter the following error when using the "View RSoP" command in the
Web Interface: "The stylesheet does not contain a document element." This
problem occurs if you do not have the Read permission on the "Group Policy"
container in the ActiveRoles Server namespace. Note that in ActiveRoles Server
6.x this permission is not granted to Authenticated Users by default.
WORKAROUND
Use the "Group Policy/Advanced/Group Policy Node - View" Access Template to give
the Read permission on the "Group Policy" container (CN=Group Policy) to the
appropriate users.
TF00025902
With an ActiveRoles Server policy configured so that the value of a certain
(dependent) property is based on another (master) property, the Administration
Service may not force the Web Interface to change the dependent property in
accordance with the changes that are made to the master property. For example, with
a policy that makes the user alias the same as the user logon name, changes to
the user logon name may not cause the user alias to change accordingly. The
problem may occur if the entries for the master property and the dependent
property are located on different pages in the Web Interface.
WORKAROUND
To prevent this problem, modify properties of user accounts in the ActiveRoles
Server console.
TF00025904
The Administration Service may fail to install on a computer that has East Asian
language support added in Regional and Language Options, with the following
error being reported by the Installation Wizard: "Error 1001. The specified
driver is invalid." The problem occurs if the logon name of the user who is
running the Installation Wizard contains Unicode characters.
WORKAROUND
Prior to installing the Administration Service, create a folder on the local
disk so that the path and name of the folder do not contain non-English
(Unicode) characters (for example, C:\TMP) and configure the TMP environment
variable to point to that folder:
1. Right-click My Computer and select Properties.
2. Select the Advanced tab.
3. Click the "Environment Variables" button.
4. In the "User variables" area, select TMP and click the Edit button.
5. Note down (copy to Notepad) the contents of the "Variable value" field.
6. Enter the new path for the TMP environment variable in the "Variable value"
field, and click OK.
7. Click OK to close the "Environment Variables" dialog box and OK once more to
close the "System Properties" dialog box.
After you have installed the Administration Service, use Steps 1-4, 6-7 above to
enter the original path for the TMP variable (the path you noted down in Step
5).
TF00026003
The "User Configuration Summary/Group Policy Objects" section of a Group Policy
Modeling report may be empty or contain incorrect information. This issue does
not affect the resulting set of the effective Group Policy settings that are
displayed in a Group Policy Modeling report.
TF00026017
Incorrect behavior of the console tree root page in the ActiveRoles Server
console: Clicking Refresh at the top of the page may cause the following error:
"Validation failed on XML." The problem may occur when you are repeatedly
clicking Refresh while the Administration Service is busy loading information
from a newly registered managed domain or AD LDS instance.
WORKAROUND
Click OK in the error message box and wait until the Administration Service has
finished loading information from the managed domains and AD LDS instances.
Then, click Refresh.
TF00026043
While the Administration Service is busy loading information from the managed
domains and AD LDS instances (for example, upon startup of the
Administration Service), the ActiveRoles Server console may fail to connect to
the Administration Service, returning the following error messages:
Message 4301: Failed to connect to Administration Service on '<servername>'
Message 1003: hr = 0x80131600
Interface: Unknown
WORKAROUND
Click Close in the error message box and wait until the Administration Service
has finished loading information from the managed domains and AD LDS instances.
Then, attempt to connect to the Administration Service.
TF00026218
The Administration Service does not send to the console the information that is
required to populate the list of Administration Services in the "Management
History Databases and Replication" section on the console tree root page in the
details pane. As a result, the page does not display a list of the
Administration Services that use a given Management History database.
WORKAROUND
To view a list of the Administration Services that use a certain Management
History database, go to the "Configuration/Server Configuration/Management
History Databases" container in the console, open the Properties dialog box for
the database you want to examine, and view the list on the "Administration
Services" tab.
TF00035396
When processing a query with an LDAP filter that specifies wildcard-based
conditions on an ActiveRoles Server Custom Stored Virtual Attribute (CSVA) of
the Integer type, the Administration Service may report the following error: "An
unsupported conversion was attempted." This error may occur if the filter
conditions include an asterisk wildcard character coupled with other characters,
such as (edsvadeptcode=4*).
WORKAROUND
Use filter conditions that do not include a combination of an asterisk with
other characters. For example, you should use (edsvadeptcode>=4000) rather than
(edsvadeptcode=4*).
TF00037103
When performing the Deprovision operation on a user object, the Administration
Service may return the following error: "Failed to retrieve attributes of the
object '<objectDN>'. XML document must have a top level element." The error
occurs if the Administration Service performs the Deprovision operation
concurrently with running the "Change Tracking Cleanup" scheduled task.
WORKAROUND
Click OK in the error message boxes that appear on the screen until you receive
a message stating that the deprovision operation is completed. Then, open the
report on the operation results by using the Deprovisioning Results command in
the ActiveRoles Server console.
TF00037289
The Administration Service may incorrectly process a Property Generation and
Validation policy rule that includes a text string following the value of an
attribute, such as "%<description> This user account was deprovisioned {@date(M/d/yyyy)}".
If the attribute is empty (has no value set), the text string may be missing
from the generated output. In this example, the output would not contain the
text "This user account was deprovisioned".
WORKAROUND
Create a custom stored virtual attribute that holds the text string you want and
modify the rule, replacing the text with that attribute. Thus, in the preceding
example, you could create an attribute named edsvaDeprovisionTextConst on the
domain object, set the attribute to the text string in question, and then apply
the following rule: "%<description>%<domain.edsvaDeprovisionTextConst> {@date(M/d/yyyy)}"
TF00037310
ActiveRoles Server may fail to re-evaluate the membership of a Dynamic Group in
a timely fashion after the membership rules of the Dynamic Group are modified.
The problem can be caused by unavailability of the Administration Service that
was designated to evaluate and apply the membership rule changes on the Dynamic
Group.
WORKAROUND
On the Membership Rules tab in the Properties dialog box for the Dynamic Group
in the ActiveRoles Server console, select the appropriate Administration Service
from the "Service to evaluate and apply rule changes" list and click Apply.
Alternatively, you may wait for ActiveRoles Server to correct the situation. For
this purpose, ActiveRoles Server uses the "Dynamic Group Checker" scheduled
task, located in the "Configuration/Server Configuration/Scheduled Tasks/Builtin/"
container. The "DG update latency threshold" parameter on that task specifies
the maximum period of time (5 days by default) after which the re-evaluation of
the Dynamic Group membership is forced and the appropriate Administration
Service is automatically designated to evaluate the membership.
TF00037379
The Administration Service may fail to execute a policy based on a script that
calls the EventLog.ReportEvent method, returning the "Object doesn't support the
action" error.
WORKAROUND
In ActiveRoles Server policy scripts, use the Request.ReportEvent method rather
than EventLog.ReportEvent to record events to the event log, if necessary.
TF00037733
The Change History records may not reflect the changes that were made by using
the "Set data" option in the Policy Check Results report. Thus, when you use the
Check Policy command to detect policy violations, and click "Set data" to bring
a certain object into compliance with the ActiveRoles Server policies that are
in effect, the changes to the object data may not show up in the Change History
report for that object.
WORKAROUND
This issue will be fixed in a future release of ActiveRoles Server.
TF00038121
The Management History records that were received through ActiveRoles Server
replication or imported using the Management History Migration Wizard may be
unavailable to the Administration Service for a significant time period.
The cause of this issue is as follows. In order to support Change History
related queries and Approval Workflow functionality, ActiveRoles Server keeps
certain non-replicated data in the Management History database. When new
Management History records are added to the database from an external source
(for example, via replication or data migration), the new records cannot be
accessed until after the non-replicated data is properly updated. The time it
takes to update that data depends upon various factors, including:
- The total number of records in the Management History database
- The number of records that were received from an external source
- CPU and disk performance of the SQL Server computer that hosts the Management
History database
Depending on these factors, the average time to update a single Management
History record may range from 0.1 seconds to 1 second.
WORKAROUND
Reduce the number of records in the Management History database in order to
reduce the time it takes to complete the process of updating the non-replicated
Management History data. For example, when importing Management History data by
using the Management History Migration Wizard, you may choose not to transfer
the records that are older than a certain date.
TF00038242
Incorrect behavior of the Attestation Review function in the following scenario:
- Initially, multiple instances of the Administration Service are configured to
synchronize the configuration data and the management history data using
ActiveRoles Server replication, with each instance storing all data in the
configuration database.
- Within the initial configuration, one or more instances of Attestation Review
are started.
- While Attestation Review is in progress, the ActiveRoles Server environment
is re-configured so that some instances of the Administration Service use a
separate database to store the management history data, possibly synchronizing
that data within a separate replication group of management history databases.
After the environment is re-configured, the instances of Attestation Review that
were started within the initial configuration fail to behave as expected. For
example, the groups that are certified on one of the Administration Service
instances show up on another instance of the Administration Service as if they
were not certified.
WORKAROUND
Before re-configuring the ActiveRoles Server environment, ensure that no
instances of Attestation Review are running. If any instances of Attestation
Review were started before you re-configured the environment, and remain running
in the new environment, stop and then re-start those instances (for instructions
on how to stop or start a review, see the ActiveRoles Server Administrator
Guide).
TF00038246
Incorrect behavior of the Approval Workflow function in the following scenario:
- Initially, multiple instances of the Administration Service are configured to
synchronize the configuration data and the management history data using
ActiveRoles Server replication, with each instance storing all data in the
configuration database.
- Within the initial configuration, certain operations (for example, creation
of user accounts) that require approval are requested but not completed (neither
approved nor rejected).
- While the operations are waiting for approval, the ActiveRoles Server
environment is re-configured so that some instances of the Administration
Service use a separate database to store the management history data, possibly
synchronizing that data within a separate replication group of management
history databases.
After the environment is re-configured, ActiveRoles Server fails to properly
process the operations that were requested within the initial configuration. For
example, when such an operation (say, creation of a user account) receives the
Approve action, the operation is marked as approved but it is not actually
performed (the user account is not created). In addition, when approved on one
of the Administration Service instances, the operation shows up as waiting for
approval on another instance of the Administration Service.
WORKAROUND
Before re-configuring the ActiveRoles Server environment, ensure that no
operations are waiting for approval. If any operations were requested but not
completed before you re-configured the environment, have those operations
re-initiated in the new environment. For example, if creation of a user account
was started and was not approved or rejected in the initial environment, start
creation of that user account again in the new environment.
TF00038483
When managing user accounts in the Windows Server 2008 Active Directory Domain
Services, the Administration Service fails to properly consider the password
policy settings that are configured by using Password Settings objects (PSOs).
As a result, ActiveRoles Server may generate user passwords that do not meet the
password policy requirements that are in effect (for example, it may generate a
password of an inappropriate length). Only the password policy settings that
originate from Group Policy objects are considered by the password generation
algorithm.
WORKAROUND
Ensure that the password policy requirements imposed via Group Policy are the
same as those specified by using Password Settings objects.
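The following check is an added example, not part of the original release notes
or of ActiveRoles Server: it lists every setting in which a Password Settings
object differs from the domain password policy delivered through Group Policy,
so that the mismatches described above can be found and aligned. It assumes
PowerShell 3.0 or later with the ActiveDirectory module; the function name
Compare-PsoToDomainPolicy is hypothetical.

```powershell
# Added example (not from the release notes): report every setting in which a
# Password Settings object (PSO) differs from the domain password policy that
# is delivered through Group Policy.
# Assumptions: PowerShell 3.0 or later, the ActiveDirectory module (RSAT), and
# an account that can read the Password Settings Container (by default only
# members of Domain Admins).
Import-Module ActiveDirectory

function Compare-PsoToDomainPolicy {
    param(
        [Parameter(Mandatory = $true)] $DomainPolicy,
        [Parameter(Mandatory = $true)] $Pso
    )

    # Settings exposed under the same property name by both cmdlets.
    $settings = 'MinPasswordLength', 'ComplexityEnabled', 'PasswordHistoryCount',
                'MinPasswordAge', 'MaxPasswordAge', 'ReversibleEncryptionEnabled'

    foreach ($name in $settings) {
        $domainValue = $DomainPolicy.$name
        $psoValue    = $Pso.$name
        if ($domainValue -eq $psoValue) { continue }

        # A PSO that demands more than the domain policy is the case in which
        # a password generated from the Group Policy settings can fall short.
        $psoDemandsMore = switch ($name) {
            'MinPasswordLength' { $psoValue -gt $domainValue }
            'ComplexityEnabled' { $psoValue -and -not $domainValue }
            default             { $false }
        }

        [pscustomobject]@{
            Pso            = $Pso.Name
            Precedence     = $Pso.Precedence
            Setting        = $name
            DomainPolicy   = $domainValue
            PsoValue       = $psoValue
            PsoDemandsMore = $psoDemandsMore
            AppliesTo      = ($Pso.AppliesTo -join '; ')
        }
    }
}

$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$psos = @(Get-ADFineGrainedPasswordPolicy -Filter *)

if ($psos.Count -eq 0) {
    Write-Output 'No Password Settings objects found in this domain.'
} else {
    $psos | Sort-Object Precedence | ForEach-Object {
        Compare-PsoToDomainPolicy -DomainPolicy $domainPolicy -Pso $_
    } | Format-Table -AutoSize -Wrap
}
```

An empty result means every PSO already matches the domain password policy for
the settings compared; rows with PsoDemandsMore set to True are the ones to
align first.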
TF00038646
In certain rare conditions, the Administration Service may fail to properly
configure a Subscriber database server: The New Replication Partner wizard in
the ActiveRoles Server console reports that the operation is completed
successfully, but the Subscriber database server configured by the wizard
remains in standalone state and the Publisher database server does not recognize
the newly configured Subscriber (the Subscriber's status on the Publisher is
indicated as "unknown"). The EDM Server event log contains a "ReplPartnerPolicy
failed" error event in this case. Data synchronization between the Publisher and
the newly configured Subscriber does not occur.
WORKAROUND
Use the instructions that follow to delete the failed Subscriber record from the
Publisher's database, and then use the New Replication Partner wizard in the
ActiveRoles Server console to add the Subscriber again.
To delete the failed Subscriber record, run the following SQL query against the
ActiveRoles Server database on the Publisher database server (before running the
query, replace the <databasename> and <servername> placeholders with the name of
the failed Subscriber database and the name of the SQL Server instance that
hosts the failed Subscriber database, respectively):
delete from tblReplication where edsaSQLAlias = N'<servername>' and
edsaDatabaseName = N'<databasename>'
TF00039140
In an ActiveRoles Server replication environment where multiple Administration
Service instances use the same database, execution of the 'Change Tracking
Cleanup' task may fail with the following last run message: "Transaction
(Process ID <number>) was deadlocked on lock resources with another process and
has been chosen as deadlock victim. Rerun the transaction."
WORKAROUND
Run the task again: In the ActiveRoles Server console tree, expand Configuration
| Server Configuration | Scheduled Tasks | Builtin; then, in the details pane,
right-click Change Tracking Cleanup and select All Tasks | Execute. When running
the task, ensure that no data migration is being performed using the Management
History Migration Wizard.
TF00050597
Setup may stall when installing the Administration Service with the option to
share the database with other Administration Service instances.
WORKAROUND
If the Administration Service Installation Wizard displays the "Preparing data
migration" message for an unreasonable period of time (several minutes), stop
all instances of the Administration Service that use the database that is going
to be used by the newly installed Administration Service instance. After that,
the Installation Wizard is expected to continue the setup process.
TF00051063
Consider the following scenario. In your ActiveRoles Server environment, a Group
Membership Removal policy is in effect that removes deprovisioned user accounts
from groups. You use the Temporal Group Memberships feature of ActiveRoles
Server to schedule addition of user accounts to groups. In this scenario, when
you deprovision a user account that is scheduled to be added to a certain group,
the Administration Service may not cancel that scheduled operation as expected.
As a result, the deprovisioned account eventually becomes a member of that
group, which violates the Group Membership Removal policy.
WORKAROUND
If you are affected by this issue, please contact Quest Support to obtain a
hotfix for this version of the Administration Service.
TF00053277
Consider the following scenario. You delegate the rights to add or remove
members from groups by applying the "Groups - Add/Remove Members" Access
Template. The delegated administrator uses the Temporal Group Memberships
feature of ActiveRoles Server to add temporal members to a group. In this
scenario, the delegated administrator does not have sufficient rights to view
the Start Time and End Time settings on temporal members. Thus, those settings
are not displayed in the list of group members on the Members tab in the
Properties dialog box for a group.
WORKAROUND
Create a new Access Template that contains the "Read properties" permission for
these attributes on all object classes:
- edsva-ScheduledLink-StartTime
- edsva-ScheduledLink-EndTime
Apply that Access Template in addition to the "Groups - Add/Remove Members"
Access Template, so as to give the delegated administrator the right to view the
Start Time and End Time settings.
TF00053491
Consider the following scenario. You have the Undo Deprovisioning policy
configured so that it allows password reset on restored user accounts (this is
the default policy setting). You delegate the right to restore deprovisioned
accounts by applying the following Access Templates:
- All Objects - Read All Properties
- Users - Perform Undo Deprovision Tasks
In this scenario, the delegated administrator receives the following error
message when using the Undo Deprovisioning command: "Administrative Policy
returned an error. Attempted to perform an unauthorized operation."
WORKAROUND
Create a new Access Template that contains the "Write properties" permission for
these attributes on the User object class:
- edsaPassword
- userAccountControl
- edsvaUserMustChangePasswordAtNextLogon
- edsaUserCannotChangePassword
- edsaPasswordNeverExpires
Apply that Access Template in addition to those listed above, so as to give the
delegated administrator the rights to reset password and manage password
options.
TF00057430
Group Family does not support the Contact object class. The Administration
Service fails to populate Group Family controlled groups with Contact objects.
TF00061399
Consider the following scenario. You delegate the right to perform Exchange
tasks by applying the following Access Templates:
- All Objects - Read All Properties
- Exchange - Recipients Full Control
In this scenario, the delegated administrator receives the following error
message when performing the "Establish E-mail Address" task on a group or
contact: "Administrative Policy returned an error. Attempted to perform an
unauthorized operation."
WORKAROUND
Create a new Access Template that contains the "Write properties" permission for
all properties of the Group object class and Contact object class. Apply that
Access Template in addition to those listed above, so as to give the delegated
administrator the right to set any properties of a group or contact object.
TF00092136
If a Managed Unit (MU) has a query-based membership rule configured to search
within another Managed Unit, the MU with that membership rule may not propagate
the permission or policy settings as expected: When an Access Template (AT) or
Policy Object (PO) is applied to the MU, the permission or policy settings
defined by the AT or PO may have no effect on the objects held in that MU. For
example, the permission settings may not propagate to an Organizational Unit
(OU) included in the MU so the Access Template applied to the MU does not affect
the objects held in that OU as expected.
WORKAROUND
Configure query-based membership rules to search in Active Directory containers
(such as Organizational Units) rather than Managed Units: In the "Create
Membership Rule" dialog box, ensure that an Active Directory container (rather
than a Managed Unit) is selected in the "In" box next to the "Find" setting.
TF00098840
The Administration Service may cause the ActiveRoles Server console not to
display the Configuration node in the console tree. This issue occurs in a
multi-forest environment with the Active Directory schema extended so that a
certain attribute is added to the schema of one of the forests while an
attribute that has the same name but a different LDAP display name exists in the
schema of another forest. When domains from both forests are registered with
ActiveRoles Server, the Administration Service may fail to build the
consolidated schema, which prevents the Configuration node from appearing in the
console tree.
WORKAROUND
Restart the Administration Service: at a command prompt on the computer running
the Administration Service, enter the following commands in succession:
net stop arssvc
net start arssvc
TF00099277
When running on a Windows Server 2008 R2 based computer, the Administration
Service cannot retrieve or change the Terminal Services Profile properties of a
user account; as a result, the "Terminal Services Profile" page is inoperative
in the ActiveRoles Server console or Web Interface.
WORKAROUND
Install the Administration Service on a computer running a pre-Windows Server
2008 R2 operating system, or use other administrative tools (such as Active
Directory Users and Computers) to manage the Terminal Services Profile
properties of user accounts.
TF00100230
In an Exchange 2010 organization, the Administration Service does not support
the "Move Mailbox" task. A request to perform that task fails with an error such
as "The term 'Move-Mailbox' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path
was included, verify that the path is correct and try again." The same issue
occurs in an Exchange 2007 organization if the Administration Service is
installed on a computer with Exchange 2010 Management Tools.
WORKAROUND
To perform the "Move Mailbox" task on Exchange Server 2007, install Exchange
2007 Management Tools (rather than Exchange 2010 Management Tools) on the
computer running the Administration Service.
TF00100231
In an Exchange 2010 organization, the Administration Service may fail to perform
the "Create Mailbox" task if the mailbox database is selected on Exchange Server
2007. A request to perform that task may cause an error such as "Property
RoleAssignmentPolicy can't be set on this object because it requires the object
to have version 0.10 (14.0.100.0) or later. The object's current version is 0.1
(8.0.535.0)." This issue occurs if the Exchange 2010 Management Tools software
is installed on the computer running the Administration Service.
WORKAROUND
To perform the "Create Mailbox" task on Exchange Server 2007, install Exchange
2007 Management Tools (rather than Exchange 2010 Management Tools) on the
computer running the Administration Service.
TF00100584
An ActiveRoles Server workflow that uses conditional branching based on the
If-Else activity may cause duplicate occurrences of the EVENT_ACTIVITY_ALERT
(ID=2711) event in the EDM Server event log: "This activity is skipped because
branch condition is not satisfied on any of its branches." Although expected to
raise Event 2711 only one time when the ongoing request does not meet the
condition on any of the If-Else branches, the Administration Service may report
that same event two or more times in the EDM Server event log.
WORKAROUND
Disregard the duplicate occurrences of Event 2711 in the EDM Server event log.
TF00102049
Cyclic references within custom library scripts may cause the Administration
Service to stop unexpectedly. Cyclic references occur when two different library
scripts reference each other by calling the ScriptLib.Load() function. A typical
example of a cyclic reference is as follows. Consider a library script module
named LIB1 containing a script that loads a script module named LIB2 (Set LIB2 =
ScriptLib.Load("LIB2")) whereas the script that is held in the module LIB2 loads
the module LIB1 (Set LIB1 = ScriptLib.Load("LIB1")). In this case, saving
changes to the module LIB1 or LIB2 may cause the Administration Service to stop
unexpectedly.
WORKAROUND
Avoid cyclic references in ActiveRoles Server script modules. In a situation
where cyclic references may occur, consider copying the necessary functions from
one script module to another instead of loading the module that contains those
functions.
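The following check for the cyclic ScriptLib.Load() references described above is an added example, not part of ActiveRoles Server or of the original release notes. It assumes that the text of each library script module has been copied into a dictionary keyed by module name and that module names compare case-insensitively; the module sources shown are constructed.

```python
import re

# ScriptLib.Load("NAME") as written in the release note. VBScript is
# case-insensitive, so the match is too.
LOAD_CALL = re.compile(r'ScriptLib\.Load\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def strip_comment(line):
    """Cut a VBScript ' comment that starts outside a string literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string  # a doubled "" toggles twice, net no change
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def loaded_modules(source):
    """Return the module names a script loads, ignoring commented-out calls."""
    names = []
    for line in source.splitlines():
        code = strip_comment(line)
        if code.strip().lower().startswith("rem "):
            continue  # whole-line Rem comment
        names.extend(LOAD_CALL.findall(code))
    return names


def find_cycles(modules):
    """Depth-first search over the load graph.

    modules maps a module name to its script text (assumed export format).
    Returns each load chain that leads back to a module still being loaded,
    rotated so that it starts with its alphabetically first member.
    """
    graph = {
        name.upper(): sorted({dep.upper() for dep in loaded_modules(src)})
        for name, src in modules.items()
    }
    state = {}      # node -> "active" while on the current path, then "done"
    found = set()
    cycles = []

    def visit(node, path):
        state[node] = "active"
        path.append(node)
        for dep in graph[node]:
            if state.get(dep) == "active":
                cycle = path[path.index(dep):]
                k = cycle.index(min(cycle))
                canon = tuple(cycle[k:] + cycle[:k])
                if canon not in found:
                    found.add(canon)
                    cycles.append(list(canon))
            elif dep in graph and dep not in state:
                visit(dep, path)
        path.pop()
        state[node] = "done"

    for node in sorted(graph):
        if node not in state:
            visit(node, [])
    return cycles


# Constructed sample: LIB1 and LIB2 reproduce the cycle from the release note.
SAMPLE_MODULES = {
    "LIB1": 'Set LIB2 = ScriptLib.Load("LIB2")\nFunction A()\nEnd Function\n',
    "LIB2": 'Set LIB1 = ScriptLib.Load("LIB1")\nFunction B()\nEnd Function\n',
    "LIB3": 'Set L = scriptlib.load("lib1")  \' one-way reference only\n',
    "LIB4": '\' Set X = ScriptLib.Load("LIB4")  disabled\nMsg = "it\'s fine"\n',
}

if __name__ == "__main__":
    for cycle in find_cycles(SAMPLE_MODULES):
        print("cyclic reference: " + " -> ".join(cycle + cycle[:1]))
```

Running the check before saving a changed library script module shows which modules need their shared functions copied rather than loaded.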
TF00104474
When you deprovision and then un-deprovision a group, the temporal or pending
members of that group may not be restored as expected. This issue may occur, for
example, when you schedule a member to be added to a particular group at a
certain time in the future, deprovision and then un-deprovision that group. As a
result, the Administration Service loses the schedule setting for that member,
so the member will not be added to the group as expected.
WORKAROUND
After you have un-deprovisioned a group, review the "Members" list of that group
and, if necessary, add and configure the temporal or pending members by hand.
TF00104550
The Administration Service fails to perform the "Move Mailbox" task if all of
the following conditions are true:
- An override account (rather than the service account) is used to access the
managed domain.
- The source or destination mailbox database is on Exchange Server 2007.
In this case, the Administration Service returns an error such as "Unable to
perform this Exchange task: Move Mailbox. Ensure that the managed domain is
registered with the option to use service account information rather than
override account information. ActiveRoles Server does not support this Exchange
task if an override account is used to access the domain."
WORKAROUND
Configure the Administration Service to access the managed domain with the
service account. You can do this by using the ActiveRoles Server console:
1. Open the Properties dialog box for the object representing the domain in the
"Configuration/Server configuration/Managed Domains" container.
2. On the General tab, under "Access the domain using" click "The service
account information the Administration Service uses to log on."
3. Click OK to close the Properties dialog box.
TF00105507
When performing the Demote operation on the Publisher role holder, the
Administration Service may cause a deadlock condition on SQL Server. In this
case, the Administration Service returns an error message of the following form:
"Your transaction (process ID {#number}) was deadlocked on {lock | communication
buffer | thread} resources with another process and has been chosen as the
deadlock victim. Rerun your transaction." This issue is most likely to occur
when the database server to demote is busy with other requests from the
Administration Service, such as retrieving ActiveRoles Server configuration data
requested through a custom script.
WORKAROUND
Ensure that the Administration Service is not performing any resource-intensive
operations against the database, such as running scheduled tasks or custom
scripts, and then try the Demote operation again.
TF00023797
You may experience a noticeable delay in the ActiveRoles Server console when you
select multiple objects from a list by using the SHIFT+DOWN ARROW or SHIFT+UP
ARROW key combination. This issue is most likely to occur when you select a
large number of objects (20+) one-by-one.
WORKAROUND
To select multiple objects, click with the mouse while holding the SHIFT or CTRL
key.
TF00024079
When configuring a Dynamic Group to use a membership rule of the "Include
Explicitly" category, you may encounter the following problem: The "Select
Objects" dialog box erroneously allows you to select objects from a domain other
than the domain to which the group belongs. When you attempt to apply such a
rule, the console fails to update the group, returning an error. The current
implementation of the Dynamic Group feature requires that the members of a
Dynamic Group belong to the same domain as the Dynamic Group itself. So, the
expected behavior is that the "Select Objects" dialog box only allows objects
from that domain to be selected when configuring a membership rule for the
Dynamic Group.
WORKAROUND
When configuring a Dynamic Group to use a membership rule of the "Include
Explicitly" category, you should select objects that belong to the same domain
as the Dynamic Group.
TF00025666
You may encounter the following issue when using the ActiveRoles Server console
to configure a membership rule of the "Include by Query" or "Exclude by Query"
category for a Dynamic Group or Managed Unit: The "Condition" clause of the rule
cannot be set to "Contains." As a result, you cannot configure a rule that would
match any object with a certain attribute containing a particular string.
WORKAROUND
When configuring a membership rule, choose "Custom Search" from the Find list,
and then, on the Advanced tab, enter an LDAP query of the following syntax:
attrName=*string* where attrName stands for the LDAP display name of the
attribute you want the rule to apply to. For example, if you want a rule to
match any object for which the "sales" substring occurs anywhere in the
"department" attribute value, enter the following LDAP query: department=*sales*
TF00026019
Consider the following scenario. You are using the ActiveRoles Server console to
register an AD LDS instance with ActiveRoles Server. On the ActiveRoles Server
Credentials page in the Add Managed AD LDS Instance wizard, you specify an
incorrect account (for example, an account that does not have sufficient rights
to access the desired AD LDS instance). Then, you return to the previous
page of the wizard and click Next on that page. In this scenario, you may
receive an error message stating "There is no such object on the server."
WORKAROUND
Close the wizard by clicking Cancel, and start registering the AD LDS instance
again. Another option is to click Next again, without closing the dialog box
that displays the error message, and then close that dialog box.
TF00026398
Consider the following scenario. You are using the ActiveRoles Server console to
manage a mailbox-enabled user account that resides in a forest other than the
forest in which the console is installed. In addition, the domain of your user
account is not trusted by the domain of the account being managed. You open the
Exchange Advanced tab in the Properties dialog box for that mailbox-enabled
account and click Mailbox Rights. Then, you click Add in the Permissions dialog
box to select users or groups for which you want to assign permissions.
In this scenario, the Select Users, Computers, or Groups dialog box, which
appears when you click Add, may not allow you to specify the desired location
from which to select users or groups. The problem occurs if the domain of the
users or groups you want does not trust the domain of the user account under
which the console is running.
WORKAROUND
In this scenario, you can use the ActiveRoles Server Web Interface to configure
mailbox rights. The Web Interface would allow you to select users or groups from
the location you want.
TF00037375
With the user interface language switched to German, the caption of the
ActiveRoles Server console's main window remains in English - "ActiveRoles
Server Console."
WORKAROUND
Use Microsoft Management Console (MMC) in Author mode to create a new console
with the desired caption: Click Options on the File menu in MMC and type in the
text that you want to appear in the caption of the console window. Then, add the
ActiveRoles Server snap-in to the new console (use the "Add/Remove Snap-in"
command on the File menu) and save the console in an MSC file (use the "Save As"
command on the File menu). The console can be opened by double-clicking the MSC
file you have saved.
TF00037701
Consider the following scenario. In the list of groups generated by a report on
Attestation Review results in the ActiveRoles Server console, you click the
Specify Owner link for a certain group. If the domain of the group is
unavailable, the console may stop responding after you have clicked that link.
WORKAROUND
Wait while ActiveRoles Server completes the search for the domain. When the
search is finished, you will receive an error message in the console. To avoid a
delay in this scenario, ensure that all managed domains are available to
ActiveRoles Server. In the ActiveRoles Server console, you can view the state of
all managed domains by selecting the console tree root (ActiveRoles Server node
in the console tree).
TF00037815
The console incorrectly processes Property Generation and Validation policy
rules that include any values containing a backslash character (\).
WORKAROUND
To specify one backslash character (\) in a Property Generation and Validation
policy rule, use a combination of two backslash characters (\\). For example, to
specify a policy rule such as "Network path must begin with \\server\", enter
\\\\server\\ in place of \\server\.
TF00039592
For a Dynamic Group or Managed Unit with a membership rule based on a custom
LDAP query, the ActiveRoles Server console may incorrectly display the query in
the dialog box for editing the rule: A closing parenthesis character may get
removed.
WORKAROUND
When editing such a query, verify the query to ensure that the syntax is
correct. If necessary, add the closing parenthesis character at the end of the
string. Another option is to modify the query so as to change the order of
sub-filter strings.
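The two custom LDAP query workarounds above (the attrName=*string* form and the check for a dropped closing parenthesis) can be combined in one helper. This is an added example, not part of ActiveRoles Server or of the original release notes; the function names are hypothetical, the attribute-name pattern is a deliberately conservative assumption, and the escape sequences are those of RFC 4515.

```python
import re

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Conservative shape for an LDAP display name (assumption for this example).
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_value(text):
    """Escape a literal string so it cannot change the structure of a query."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def contains_filter(attr_name, substring):
    """Build the attrName=*string* query, with the string escaped."""
    if not _ATTR_NAME.fullmatch(attr_name):
        raise ValueError("not an LDAP display name: %r" % attr_name)
    if not substring:
        raise ValueError("substring must not be empty")
    return "%s=*%s*" % (attr_name, escape_value(substring))


def paren_problem(query):
    """Return None if the parentheses balance, otherwise a description.

    Literal parentheses in values are written as \\28 and \\29, so every raw
    '(' or ')' in a well-formed query is structural and can simply be counted.
    """
    depth = 0
    for pos, ch in enumerate(query):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unexpected ')' at offset %d" % pos
    if depth > 0:
        return "%d closing parenthesis missing" % depth
    return None


if __name__ == "__main__":
    print(contains_filter("department", "sales"))
    # Constructed query as it might appear after the console drops a ')'.
    print(paren_problem("(&(objectClass=user)(department=*sales*)"))
```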
TF00055373
Consider the following scenario. You have a Dynamic Group configured in
ActiveRoles Server with complex membership rules (for example, using a complex
query that returns a large number of objects). You open the Properties dialog
box for that group, go to the Members tab, and click Rebuild. The console
informs you of the fact that you are going to start a lengthy operation, without
giving you the option to cancel the operation. When you click OK in the warning
message box, the console may stop responding for a certain time period.
WORKAROUND
Wait while ActiveRoles Server completes the rebuild operation.
TF00055600
In the ActiveRoles Server console, when you right-click a selection containing a
large number of objects (100+), you may experience a substantial delay before
the shortcut menu is displayed.
WORKAROUND
Wait while the console processes your selection. Consider using a smaller
selection.
TF00055919
You may encounter a noticeable delay in the ActiveRoles Server console when you
click the plus sign (+) to expand an Organizational Unit (OU) in the "Browse for
Container" dialog box. This issue is most likely to occur if the OU holds a
large number of other OUs.
WORKAROUND
If you need to select an OU itself, avoid expanding the OU, only click the name
of the OU in the "Browse for Container" dialog box. To select an OU that is held
within another (parent) OU, you have to wait while the console expands the
parent OU.
TF00055998
You may encounter a noticeable delay in the ActiveRoles Server console when
saving your changes to a Group Family configuration that were made from the
Groupings tab in the Properties dialog box for the corresponding Group Family
configuration storage group. Clicking OK or Apply on that tab may cause the
console to "hang" for up to a minute. This issue is most likely to occur if the
Group Family is configured to search within a large number of objects (50,000+),
and has two or more group-by properties specified.
WORKAROUND
When you specify the location of managed objects for Group Family, avoid
choosing containers that hold a large number of objects.
TF00064436
When configuring the "<attribute> must be <value>" policy rule for a Property
Generation and Validation policy, you may encounter an issue in the following
scenario. Suppose you have specified a list of acceptable values for a certain
attribute and selected one of them to be the default value. Then, you choose the
"Sort Items Ascending" or "Sort Items Descending" command from the shortcut menu
to reorder the values. As a result, the default value setting may change: the
value that now occupies the first position in the list is set as the default
value.
WORKAROUND
After the values have been reordered, right-click the value that you want to be
default, and then click "Set as Default Value."
TF00093007
You may encounter an issue in the following scenario of configuring a workflow
that includes an approval or notification activity. Suppose the workflow applies
to the User object type - User is selected as the target object type in the
workflow start conditions. You specify notification settings for a particular
event so that the "Manager of operation target object" option is selected in the
"Notification recipients" area. Then, you change the target object type in the
workflow start conditions by selecting Group instead of User. In this scenario,
the "Manager of operation target object" option gets cleared (so notification
e-mails will not be sent to the manager), but the event with that recipient
remains in the "Events, Recipients and Messages" list. Re-selecting the "Manager
of operation target object" causes the manager to be specified two times in the
"Notification Recipient" field of the corresponding list entry under "Events,
Recipients and Messages."
WORKAROUND
Prior to changing the target object type from User to Group, or vice versa,
verify the notification settings for all events to ensure that the "Manager of
operation target object" option is not selected.
TF00104052
On the Approvers page, which is part of the user interface for configuring an
approval rule in the ActiveRoles Server workflow designer, double-clicking a
list item has no effect. The expected behavior is that the "Approvers Selection"
dialog box opens when you double-click a list item on the Approvers page.
WORKAROUND
To open the "Approvers Selection" dialog box, click the "Designate Approvers"
button on the Approvers page.
TF00104085
When running on a Windows Server 2008 based computer, the ActiveRoles Server
console may return an error message stating that the console cannot use the
Administration Service on a particular computer due to version incompatibility,
although both the console and the Administration Service are of the same
version. This issue occurs if the user account under which the console is
running does not have sufficient rights to access the Administration Service.
Under that condition the console attempts to contact the Administration Service
with the credentials of the Guest user account, and fails to identify the
version of the Administration Service. As a result, it displays an error message
that informs of a version mismatch.
WORKAROUND
Disable the Guest user account.
TF00104546
The ActiveRoles Server console displays a misleading information message in the
following scenario. Suppose ActiveRoles Server approval rules are configured so
that the Deprovision operation requires approval. When you deprovision a user
account, the console informs you that the changes you requested will be
submitted for approval, and then it displays a message stating that the
Deprovision operation is successfully completed. In this scenario, the message
is misleading as the operation is merely submitted for approval and waiting for
the approver's decision.
WORKAROUND
In the above scenario, disregard the message that informs of the operation
completion. The operation will be performed only after it is approved.
TF00018427
When you add a number of organizational units to an ActiveRoles Server Managed
Unit, and then open that Managed Unit in the Web Interface, you may encounter
the following problem: The organizational units are not sorted by name in the
Tree View pane.
WORKAROUND
When adding organizational units to the Managed Unit, add them in the order in
which you want them to appear in the Tree View pane. For example, if you first
add the 'Groups' OU, then add the 'Special Accounts' OU, and then add the
'Users' OU, these three organizational units appear sorted by name in the Tree
View pane.
TF00018900
The Web Interface may incorrectly process a Property Generation and Validation
policy that controls the Country and countryCode properties, and enforces a
certain uppercase string value on the Country property (such as "'Country' must
be 'UNITED STATES'"): When you click Save on the Web Interface pages for
managing user properties, a policy violation error may occur, with the error
message stating that the 'co' property value does not conform to policy
requirements.
WORKAROUND
This issue will be fixed in a future release of ActiveRoles Server.
TF00022820
When adding values to a multi-value attribute, the ActiveRoles Server ADSI
Provider may add only the last value in a sequence of values. The problem occurs
when you add values one by one, as in the following example:
obj.PutEx 3,"otherHomePhone",Array("123")
obj.PutEx 3,"otherHomePhone",Array("456")
obj.SetInfo()
When executing the code given in this example, the ADSI Provider will only add
the "456" value and disregard the "123" value.
WORKAROUND
Use a single array containing all values to add, as in the following example:
obj.PutEx 3,"otherHomePhone",Array("123", "456")
obj.SetInfo()
TF00023074
The Web Interface Sites Configuration tool may fail to export a Web Interface
site if the name of the site's configuration contains non-alphanumeric
characters such as ! @ # $ % ^ & * ( ) _ +
WORKAROUND
Rename the configuration so that the configuration name does not contain
restricted characters (! @ # $ % ^ & * ( ) _ +). You can do this using the
ActiveRoles Server console:
1. Switch to Raw view mode (select View | Mode, click Raw Mode, and then click
OK).
2. Locate the configuration object in the "Configuration/Application
Configuration/Web Interface" container. To help you find the desired
configuration object, the configuration name is normally included in the Description
field for each configuration object.
3. Use the All Tasks | Advanced Properties command on the configuration object
to modify the edsaWIConfigurationName attribute, which stores the name of the
configuration.
Once you have renamed the configuration, use the Web Interface Sites
Configuration tool to create a new Web Interface site based on that
configuration. Then, you can export the newly created site.
TF00023720
You may encounter inconsistent formatting of the creation date and last change
date for directory objects. On the Object tab, the creation date and last change
date are formatted in accordance with the regional and language options
specified in Control Panel, whereas in lists of objects that data is formatted
in accordance with the language preferences specified in Internet Options.
TF00023929
After you have started the deletion of a selection of objects, the Web Interface
provides no option to cancel the deletion operation. The expected behavior is
that the dialog box informing of the operation progress includes the Cancel
button.
TF00024192
When using the "Choose Columns" dialog box, you may encounter the following
problem with the "Hidden columns" list: Different list entries have the same
name. For example, for the object type User, the list includes two entries with
the same label - Name.
WORKAROUND
Click Add to move an entry to the "Displayed columns" list. This will allow you
to view the LDAP display name which uniquely identifies the entry. If you do not
want to display the column represented by the entry, use the Remove button to
delete the entry from the "Displayed columns" list.
TF00024421
When using the Web Interface to create a network share, you may encounter the
following problem on the "New Share" page: If you specify the path to the folder
in the form "DiskLetter:/FolderName", and select the "Create folder if it
doesn't exist" check box, the folder is created but a network share on that
folder is not.
NOTE: You can access the "New Share" page as follows:
1. Select a computer object and click the Manage command to display a list of
computer resource categories.
2. In the list, click Shares to display a list of network shares found on that
computer.
3. Click the "New Share" command.
WORKAROUND
In the Path field on the "New Share" page, specify the path in the form "DiskLetter:\FolderName"
(use a backslash character (\) rather than a slash mark (/) as a separator in
the path).
TF00024713
After submitting changes to a certain object for approval, the Web Interface may
fail to display the appropriate page, returning the "Object reference is not set
to an instance or object" error. The problem occurs if the Web Interface user
does not have the Read permission on the Active Directory container that holds
the object. This scenario implies that the object is located by selecting a
Managed Unit rather than an Active Directory container, so the Read permission
on the container is not required to locate the object.
WORKAROUND
If modification of a certain object requires approval, ensure that the Web
Interface user has the All Objects - Read All Properties permission on the
Active Directory container that holds the object.
TF00024740
When using the Web Interface to view the membership list of a group that is
under the control of an ActiveRoles Server Group Family (controlled group), you
may encounter the following error: "Exception has been thrown by the target of
an invocation." The Web Interface returns this error when you select a
controlled group and then click Members if your logon account does not have the
Read permission on the objectClass property of objects that belong to that
group.
WORKAROUND
Apply the "All Objects - Read All Properties" Access Template on a directory
container that holds the members of the controlled groups so that the Web
Interface users have the Read permission on all properties, including the
objectClass property.
TF00025113
If a form in the Web Interface is customized so it includes two instances of the
same custom entry, the form fails to open, returning the "Type Mismatch" error.
You may encounter this error situation, for example, after you have added two
instances of the Home Folder custom entry to the same form, one instance to
service the "homeDirectory, homeDrive" pair of attributes and another one to
service the "edsaWTSUserConfigTerminalServerHomeDir,
edsaWTSUserConfigTerminalServerHomeDirDrive" pair of attributes.
WORKAROUND
Avoid adding multiple instances of the same custom entry to a form. Use auto
entries instead.
TF00025314
In the Approval section of the Web Interface, the Approve and Reject buttons may
remain available on the page that displays an Approval Task even though the Web
Interface user is not authorized to take an action on the Task. Each item in the
"My Operations | Recent" list includes a hyperlink to open a page that displays
the Approval Tasks associated with the item. On the page the Web Interface user
opens by clicking that hyperlink, the Approve and Reject buttons may not be
disabled as expected.
TF00025400
After installing the Web Interface, you may encounter the following error upon
an attempt to connect to any of the Web Interface sites: "Parser Error Message:
Unrecognized configuration section 'siteMap'."
WORKAROUND
At a command prompt on the computer on which the Web Interface has been
installed, go to the Microsoft .NET Framework 2.0 installation folder (this is
the "%windir%\Microsoft.Net\Framework\v2.0.50727\" folder if you have .NET
Framework 2.0 build 50727 installed), and enter the following command:
aspnet_regiis -i
After that, restart Internet Information Services (for example, by entering
iisreset at a command prompt).
TF00025421
In the computer resources management section of the Web Interface, the "Pause"
and "Resume" commands are not implemented for Service objects. Only the "Start",
"Stop" and "Restart" commands are available on a Service object.
TF00025559
In the computer resources management section of the Web Interface, the "Pause",
"Resume" and "Restart" commands are not implemented for Print Job objects. Only
the "Cancel" command is available on a Print Job object.
TF00025606
When using the Web Interface to configure permission settings on a network file
share, you may encounter the following problem: The Web Interface fails to
assign permissions to a local user account, returning an error message that
states "Value does not fall within the expected range."
WORKAROUND
Use native Windows tools to perform that task.
TF00025678
In certain conditions, the Members command on a group may fail in the Web
Interface, returning the "Exception has been thrown by the target of an
invocation" error message. This issue may occur if the ActiveRoles Server
security settings are configured on a query-based Managed Unit so that the Web
Interface user is restricted to only have read access to groups and add or
remove members from groups held in that Managed Unit.
WORKAROUND
Use the Delegate Control command on the Active Directory node in the ActiveRoles
Server console tree to configure the ActiveRoles Server security settings so
that the Web Interface users have read access to the objectSid attribute on all
object classes. This can be done as follows.
1. Create an Access Template that contains the following permission entry:
Type: Allow
Permission: Read objectSid
Apply To: All Classes
Namely, when creating the Access Template, on the first page of the Add
Permission Entries wizard, select "All object classes"; on the next page, select
"Object property access" and then select the "Read properties" check box; on the
next page, select "The following properties" and then select the "objectSid"
check box in the list of properties.
2. Apply the Access Template to the Active Directory node; when prompted to
select users or groups to whom you want to delegate control, select the group
that holds your Web Interface users (another option is to select the
Authenticated Users account).
TF00025913
When you use the Advanced Search option in the Approval section of the Web
Interface to find an operation by completion date, you may encounter the
following issue: The search results include some operations that are waiting for
approval and therefore are not completed. This issue occurs with operations that
have to be reviewed by multiple approvers. If such an operation is approved by
some but not all of the approvers, the operation may appear in the search
results list as if it were completed by the specified date.
WORKAROUND
When configuring a search for operations by completion date, specify an
additional rule to ensure that the search returns only the completed operations:
select the "Status" field, "Is (exactly)" condition, and "COMPLETED" value;
then, select the AND option and click Add to include the new rule in the search
filter.
TF00026027
Selecting the "Microsoft Exchange System Objects" container in the Web Interface
displays a page for managing properties of the container instead of displaying a
list of objects held in that container.
WORKAROUND
Select the "Microsoft Exchange System Objects" container and then click "View
Contents" to display a list of objects held in that container.
TF00026046
Incorrect behavior of an entry for a single-valued attribute of the DN syntax
after an upgrade of the Administration Service and the Web Interface from an
earlier version with the option to import the existing configuration data: If
the Web Interface was customized so that such an entry was added to a custom
form, then after the upgrade the entry behaves as if the attribute were
multi-valued.
WORKAROUND
After the upgrade, use the ActiveRoles Server console to correct the
configuration of the Web Interface:
1. Switch the console into Raw view mode: Select "View | Mode" and then select
the "Raw Mode" option.
2. In the console tree, expand "Configuration | Application Configuration | Web
Interface."
3. In the console tree, under "Web Interface," locate the Web Interface site
configuration items identified by GUIDs, such as
"662cf9fd-3985-431b-8b32-19ca436319d8".
4. Select a configuration item in the console tree and use the "All Tasks |
Advanced Properties" command on that item to examine the value of the
edsaWITemplateVersion attribute.
5. If the edsaWITemplateVersion attribute value is 28, then go to Step 6;
otherwise, perform Step 4 on the next configuration item.
6. In the details pane, double-click "Customization Settings".
7. Use the "All Tasks | Advanced Properties" command on each of the "CurrentCopy"
and "WorkingCopy" objects in the details pane to modify the value of the "edsaWIEntries"
attribute as follows:
7.1. Copy the attribute value from the ActiveRoles Server console into
Notepad.
7.2. Use the Find command in Notepad to look for occurrences of the "FormEntry"
XML element with the "Properties" attribute set to the LDAP display name of the
attribute managed by the entry that exhibits the incorrect behavior.
7.3. If no occurrences of such an XML element can be found, leave the "edsaWIEntries"
attribute value unchanged; otherwise, set the value of the "SingleValue"
attribute in that XML element to "True" (SingleValue="True").
7.4. Copy the text from Notepad to the "edsaWIEntries" attribute value in the
ActiveRoles Server console, to replace the attribute value.
8. Repeat steps 4-7 for each of the configuration items located in the "Web
Interface" container.
9. Restart Internet Information Services (IIS) on the Web server running the
Web Interface (enter the iisreset command at a command prompt).
TF00026135
When two or more administrators simultaneously use the Customization section of
the Web Interface to customize the same Web Interface site, the changes that
were made by one of the administrators can be lost.
WORKAROUND
Ensure that no more than one administrator uses the Customization section of the
Web Interface at a time so that no more than one customization session is in
progress at a time for each Web Interface site. The session begins when an
administrator opens the Customization section of the Web Interface in the Web
browser and ends when the administrator issues the Reload command and closes the
Web browser window.
TF00026204
On the "Advanced Search" page in the Approval section of the Web Interface, a
search for tasks by the "Operation initiator" field is not supported.
TF00026205
On the "Advanced Search" page in the Approval section of the Web Interface, a
search for tasks by the "Operation target object" field is not supported.
TF00026270
In the Web Interface Sites Configuration wizard, on the "New Web Site" or "Edit
Web Site" page, you may encounter an incorrect prefix in the URL field (http
instead of https).
WORKAROUND
You may disregard this inaccuracy in the URL display since it does not affect
the Web Interface functions. If your Web server is configured so that the Web
Interface site requires Secure Sockets Layer (SSL) connections, the Web Interface
users must specify the https prefix (rather than http) in the address of the Web
Interface site when connecting to the Web Interface.
TF00036194
Incorrect behavior of the "Import configuration from disk" function in the Web
Interface Sites Configuration wizard in the following scenario:
- Create a new Web Interface site configuration by using the "Import
configuration from disk" option.
- Open the newly created configuration for editing.
- Observe the "Name" and "Folder and file" fields: the "Name" field is
empty; the file name is missing from the "Folder and file" field.
- If you re-type the name in the "Name" field and click OK, the newly created
Web Interface site is corrupted.
WORKAROUND
Retype the name in the "Name" field; then, in the "Folder and file" field,
specify the path and name of the file from which the configuration was imported,
and click OK.
TF00036759
When creating a user account, the Web Interface may incorrectly process a User
Logon Name Generation policy if the logon name to be generated includes any
property values of the parent domain or organizational unit. For example, the
following generation rule causes a policy violation error: <%givenName>%<ou.ou>
(the logon name is composed of the user first name followed by the name of the
parent OU). With this policy in effect, a policy violation error occurs when you
enter the user first name and then click Next on the Web Interface pages for
creating a user account.
WORKAROUND
Disregard this error. Click Next once more: the user account will be
successfully created.
TF00036760
When renaming a user account, the Web Interface may incorrectly process a User
Logon Name Generation policy if the logon name to be generated includes any
property values of the parent domain or organizational unit. For example, the
Web Interface incorrectly processes the following rule when you change the user
first name on the page for renaming the user account: <%givenName>%<ou.ou> (the
logon name is composed of the user first name followed by the name of the parent
OU). In this scenario, the Web Interface returns a policy violation error or
generates a logon name that does not include the OU name.
WORKAROUND
This issue will be fixed in a future release of ActiveRoles Server.
TF00036771
The Web Interface may incorrectly process a User Logon Name Generation policy
that is configured to automatically remove certain characters from the generated
logon name (restricted characters). For example, when creating a user account,
the Web Interface sets an incorrect logon name on the user account if the
following policy rules are in effect:
- The user logon name is to be composed of the user first name followed by the
name of the parent OU (<%givenName>%<ou.ou>)
- The list of the restricted characters contains the following combination of
characters: -'. (a hyphen character followed by an apostrophe character followed
by a period character)
In this case, a script error occurs in the Web Interface.
WORKAROUND
When configuring a User Logon Name Generation policy, ensure that the list of
the restricted characters does not contain the following combination of
characters: -'. (a hyphen character followed by an apostrophe character followed
by a period character).
TF00036775
When configuring custom Web Interface pages for creating objects of a certain
type (for example, Contact objects), you may encounter the following problem: If
you have added the entry for the Name (name) property by creating a new entry
(rather than selecting the existing entry), the pages do not work as expected.
The object creation operation fails, returning error "The 'Name' field cannot be
empty."
WORKAROUND
When configuring the object creation pages, select the existing entry for the
naming property Name (name) instead of creating a new entry (on the Select
Existing Entries page, select the check box that has the label 'Name' followed
by 'name').
TF00036788
When modifying a user account, the Web Interface may fail to set the e-mail
alias on the user account in accordance with the E-mail Alias Generation policy
that is in effect. The policy is configured to set the e-mail alias to the user
logon name (pre-Windows 2000). Despite that policy, the Web Interface does
not set the new alias when the pre-Windows 2000 logon name is changed.
WORKAROUND
Customize the Web Interface to have the e-mail alias (mailNickname) entry and
the pre-Windows 2000 logon name (sAMAccountName) entry located on the same Web
Interface page (tab) for managing user account properties.
TF00037870
There is a limitation on processing of Property Generation and Validation policy
rules in the Web Interface. For a rule to generate a property value on a
particular Web Interface form, the form must contain the entries for the
properties based on which the value is to be generated. For example, since the
form for creating AD LDS user objects does not contain entries for the givenName
and sn attributes, the Web Interface is unable to process a rule that generates
the logon name based on those attributes when creating an AD LDS user object.
WORKAROUND
Customize the form so that it contains entries for all attributes required by
the policy rules that are in effect. In the preceding example, you should add
entries for the givenName and sn attributes.
TF00038651
The order of commands on the menus for certain object types in the Web Interface
version 6.5 differs from that in the Web Interface of version 6.0.3 or earlier
(for example, this is the case with the commands for managing user accounts).
So, in a new, pristine installation of the Web Interface 6.5 you encounter the
new order of the commands. However, when you upgrade your Web Interface
installation from version 6.0.3 (or an earlier release of version 6.0) to
version 6.5, the order of commands remains the same as it was in the Web
Interface of the earlier version.
WORKAROUND
Use the Customization section of the Web Interface to adjust the order of
commands as needed:
1. Point to Customization and click Directory Objects.
2. Click the object type for which you want to change the order of commands
(for example, click User if you want to reorder commands on the menu for
managing user accounts).
3. Select check boxes next to the names of the commands to reposition on the
menu, and click "Move Up" or "Move Down" on the toolbar at the top of the list
of the commands.
4. When you are done re-configuring the menu, point to Customization and click
Reload to publish your changes to the Web Interface.
NOTE To use the Customization section, you must be logged on as a member of the
AR Server Admin role, which defaults to the Administrators group on the computer
running the ActiveRoles Server Administration Service being used by the Web
Interface site you are going to customize.
TF00039209
If no Global Catalog servers are available in an Active Directory domain, then
the Active Directory domain services fail to authenticate a domain user other
than the built-in administrator. In this situation, the Web Interface user may
encounter one of the following errors:
- Error: Message 1003: hr = 0x80070005 Interface: Unknown Access is denied.
- Error: Message 5202: The ActiveRoles Administration Service is not
available.
WORKAROUND
Ensure that at least one Global Catalog server is available in every Active
Directory domain.
TF00039361
Consider the following scenario. In an earlier version of the Web Interface, a
custom command of the Custom Task type was created with no URL parameter
specified. Then, the Web Interface was upgraded to the latest version so as to
preserve the existing configuration settings. In this scenario, an attempt to
use that custom command after the upgrade causes an error in the Web Interface:
"A null or zero length string does not represent a valid Type."
WORKAROUND
After the upgrade, delete the failed custom command and then create a new
command with the appropriate parameters. You can do this using the Customization
section in the Web Interface.
TF00039531
When you select a built-in domain local group (for example, Administrators or
Account Operators) in the Web Interface, and then navigate to the "Member Of"
page for that group, you encounter the following issue: The Add button is
available on the "Member Of" page. Clicking Add and selecting a group to add the
built-in group to causes an error such as "A new member could not be added to a
local group because the member has the wrong account type."
WORKAROUND
Do not use the Add button on the "Member Of" page for a built-in group: In
Active Directory, built-in groups cannot be added to other groups.
TF00039767
Upon an ActiveRoles Server Administration Service failure caused by loss of
connection to SQL Server, you may receive an inappropriate error message in the
Web Interface: "Client cannot use the selected Administration Service due to
version incompatibility."
WORKAROUND
If you receive that error message in the Web Interface, verify that the
Administration Service is up and running. It is advisable to check for Event ID
2512 in the EDM Server event log.
TF00046387
On the General Properties/Managed By page for a group in the Web Interface, the
object name may not fit in the Manager field, so you cannot view the entire
name.
WORKAROUND
You can view the name by copying it to a text editor, such as Notepad: Click in
the Manager field, press Ctrl+A, press Ctrl+C, switch to your text editor, and
then press Ctrl+V.
TF00047238
The following Property Generation and Validation policy rule for computer
objects may cause a policy violation when you create a computer account in the
Web Interface:
'Computer name (pre-Windows 2000)'
must be
'%<cn>$' (default value)
Upon object creation, this policy generates default value: Yes
WORKAROUND
Modify the rule by selecting the 'Computer name (pre-Windows 2000) is
case-insensitive' option. As a result, the rule changes to:
'Computer name (pre-Windows 2000)' is case-insensitive and
must be
'%<cn>$' (default value)
Upon object creation, this policy generates default value: Yes
TF00054638
On the Member Of page in the Web Interface, the "Set Primary Group" button is
available when you select a group that does not meet the standard requirement
for the primary group setting: "A user's primary group must be in the same
domain as the user's account and the primary group must be either a global or
universal security group."
WORKAROUND
If clicking "Set Primary Group" has no effect, verify whether the group you
selected meets the above requirement. If not, change your selection.
TF00055184
Consider the following scenario. The DN of an AD LDS partition managed by
ActiveRoles Server contains the DN of an Active Directory domain that is also
managed by ActiveRoles Server. In this scenario, the ActiveRoles Server ADSI
Provider may fail to locate the Administration Service when binding to a
directory object.
WORKAROUND
In a binding string, explicitly specify the name of the computer running the
Administration Service (for example, "EDMS://server.company.com/CN=John Smith,OU=Research,DC=Gamp,DC=com").
TF00056231
The "Read only" option on the custom entry for the homeMDB attribute has no
effect in the Web Interface. With the entry customized so that the "Read only"
option is selected, the Web Interface still allows an Exchange server or mailbox
store to be selected from a drop-down list when creating a mailbox-enabled user
or creating a mailbox for an existing user.
WORKAROUND
To enforce a certain mailbox store setting, configure and apply an Exchange
Mailbox AutoProvisioning policy in which a single mailbox store is selected.
TF00057007
In the Web Interface, you may encounter the following issue when filtering a
list of objects by the Type column: The asterisk (*) wildcard character is not
supported. For example, when you enter Cont* in the Type filter box, the list
does not contain the Contact objects as expected.
WORKAROUND
In the Type filter box, specify the full name of an object type. For example, to
display only the contacts in a list of objects, enter Contacts (rather than
Cont*) in the edit box beneath the Type column heading.
TF00103650
When you assign a secondary owner for a group by using the Web Interface, the
Select Object dialog box allows you to choose an AD LDS (ADAM) user or group
from a Managed Unit. The expected behavior is that only AD users or groups can
be selected for the role of secondary owner.
WORKAROUND
When using the Select Object dialog box in the Web Interface to select a user or
group for the secondary owner role, verify that you do not select an AD LDS user
or group: to distinguish AD LDS objects from AD objects, the icons denoting AD
LDS objects have an orange tint.
TF00104225
When installed on a Windows Server 2008 R2 based computer, the Web Interface
does not support the "Use FIPS compliant algorithms for encryption, hashing and
signing" Group Policy setting. If that Group Policy setting is turned on, an
error occurs in the Web Interface: "This implementation is not part of the
Windows Platform FIPS validated cryptographic algorithms."
WORKAROUND
Install the Web Interface on a computer running a pre-Windows Server 2008 R2
operating system or turn off the "Use FIPS compliant algorithms for encryption,
hashing and signing" Group Policy setting.
TF00104964
The Web Interface does not support Property Generation and Validation policy
rules that control the "name (name)" property value. Thus, a policy rule such as
"name=%1<givenName>%<sn>" has no effect on the name of an object when you
administer that object in the Web Interface.
WORKAROUND
When configuring a policy rule for a certain object class, choose the naming
property of that object class rather than the "name (name)" property. The naming
property for most object classes is "Name (cn)". The naming property for the
Organizational Unit object class is "Name (ou)". So, to work around the issue
with the "name=%1<givenName>%<sn>" policy rule on the User object class, you
could replace that policy rule with the following one: "cn=%1<givenName>%<sn>".
TF00105449
When you use Windows Internet Explorer 8.0 to access the Web Interface, you may
encounter the following issue: Internet Explorer fails to open the Web Interface
pages, returning an error such as "Access is denied" or "You are not authorized
to view this page due to invalid authentication headers." The same issue may
occur when you use Windows Internet Explorer 7.0 on a computer running the
Windows Vista operating system or a later version of the Windows operating
system, such as Windows Server 2008 or Windows 7.
WORKAROUND
On the client computers that are used to access the Web Interface, add the Web
Interface sites to the 'Trusted Sites' zone in Internet Explorer and disable
Internet Explorer Enhanced Security Configuration (IE ESC) for both user and
admin accounts. You can disable IE ESC manually or by using Group Policy. For
more information and instructions, see Microsoft's document "Managing Internet
Explorer Enhanced Security Configuration" at
http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b
TF00105471
With the E-mail Alias Generation policy configured to set the e-mail alias to
the "Name (cn)" property of the user account, the Web Interface fails to create
a mailbox-enabled user account, returning an error such as "E-mail alias does
not comply with the E-mail Alias Generation policy. A different e-mail alias
must be assigned to this user account."
WORKAROUND
Select the "name (name)" property rather than "Name (cn)" when configuring the
E-mail Alias Generation policy with the option "Set e-mail alias to other
combination of user properties."
TF00023641
Containers other than Organizational Units do not show up on the OU-related
reports. For example, such reports do not include information about the Users or
Builtin container. For version 6.x, this behavior is by design.
WORKAROUND
Create a Managed Unit that holds the container and then use Managed Unit-related
reports to display data from that container. To create a Managed Unit that holds
a given container, use the ActiveRoles Server console. When creating the Managed
Unit, specify the membership rule with the following settings:
- Type: Include by Query
- Find: Custom Search
- In: The container you want the Managed Unit to hold
- LDAP query (enter this syntax on the Advanced tab): (objectClass=*)
TF00024297
On domains with a large number of directory objects (typically 100,000 or more
user accounts), you may encounter a significant performance degradation of the
Data Collector component. Thus, a data collection job may take more than 30
hours to finish running for a domain containing 100,000+ user accounts.
TF00025714
Incorrect behavior of the "Performing Data Collection" page in the ActiveRoles
Server Collector wizard in the following scenario:
- The wizard is running on a non-English language version of the operating
system
- Regional and Language Options in Control Panel are configured so that the
language for non-Unicode programs is set to English
- The wizard is collecting data from an organizational unit that has the name
containing non-English characters
In this scenario, the display of the path to the organizational unit in the list
on the "Performing Data Collection" page is corrupted (wrong characters are
displayed).
WORKAROUND
Adjust Regional and Language Options in Control Panel so that the language for
non-Unicode programs matches the language that is used for object names in your
environment.
TF00025736
The ActiveRoles Server Collection wizard may fail to start the "Process gathered
events" task: Clicking Next on the "Target Database" page has no effect. The
problem occurs when the wizard is run for the first time after it is installed.
WORKAROUND
Use the wizard to perform the "Collect data from the network" task first. After
the wizard has completed the data collection task, you can use it to perform the
"Process gathered events" task.
TF00025742
Incorrect behavior of the ActiveRoles Server Collector wizard upon canceling the
"Process gathered events" task: If you click the Cancel button while the task is
in progress, the wizard closes unexpectedly, returning the following error:
"Client Site not available."
TF00049955
When using Quest Knowledge Portal or SSRS Report Manager to export an
ActiveRoles Server report in Excel format, you may experience the following
problem: The report data in the resulting Excel book is incomplete.
WORKAROUND
Choose a different export format.
TF00050295
In the ActiveRoles Server reports, the filter options that use the "like"
operator (such as "Object name like") do not support the asterisk (*) wildcard
character, which is expected to represent a string of zero or more characters.
WORKAROUND
Use the percent character (%) to represent any string of zero or more
characters, or use the underscore character (_) to represent any single
character.
TF00050322
When preparing EDM Server event log data for reporting, ActiveRoles Server
Collector may lose certain event descriptions. As a result, the 'ActiveRoles
Server event statistics' report may display 'N/A' instead of an actual event
description.
WORKAROUND
You can find event descriptions by looking for the respective Event ID in the EDM
Server event log on the computer running the Administration Service. Event ID
numbers are listed in the first column of the report.
TF00050496
When using Quest Knowledge Portal to view an ActiveRoles Server report, you may
experience the following problem: Clicking the Back button on a report page
displays a list of reports instead of displaying the preceding report page as
expected.
WORKAROUND
Click the Back button on the toolbar in your Web browser.
TF00105583
The Quest Knowledge Portal 2.0 software, which is included on the ActiveRoles
Server CD, cannot be installed on a Windows Server 2008 R2 based computer. When
you install Quest Knowledge Portal 2.0 on a computer running the Windows Server
2008 R2 operating system, you encounter an error such as "Following software is
missing: Windows 2000 Service Pack 4, Windows 2003 or Windows 2008 required."
WORKAROUND
Install Quest Knowledge Portal 2.0 on a computer running a pre-Windows Server
2008 R2 operating system, or use SSRS Report Manager to view reports.
TF00054437
After installing version 6.5 of the ActiveRoles Server Management Pack for MOM,
servers running the Administration Service or Web Interface may not appear in
the MOM 2005 Operator Console as expected.
WORKAROUND
Use the MOM 2005 Administrator Console to adjust properties of the "Quest
ActiveRoles Server Services" and "Quest ActiveRoles Server Web Interfaces"
nodes, located in "Management Packs/Computer Groups": On the Formula tab, find
the '< "6.1"' sub-string and replace 6.1 with 6.6 there. Click OK. Then, select
the Commit Configuration Change command on the Management Packs node.
TF00054593
After installing version 6.5 of the ActiveRoles Server Management Pack for MOM,
you may receive "AR Server WI: Availability" alerts stating "AR Server WI is
unavailable" even though the Web Interface is running and healthy.
WORKAROUND
Use the MOM 2005 Administrator Console to adjust properties of the "AR Server
WI: Availability" object, located in "Management Packs/Scripts": On the Script
tab, find the 'Msxml2.ServerXMLHTTP.4.0' sub-string and replace 4.0 with 6.0
there. Click OK. Then, select the Commit Configuration Change command on the
Management Packs node.
TF00107342
The German-language version of the ActiveRoles Server Administrator Guide
contains incorrect instructions on how to configure the Administration Service
to use a particular Management History database, in the "Konfigurieren des
Verwaltungsdienstes, sodass dieser die neue Verwaltungsverlaufsdatenbank
verwendet" section on Pages 384-385.
WORKAROUND
Use the instructions from the English-language version of the ActiveRoles Server
Administrator Guide, section "Configuring the Administration Service to Use the
New Management History Database."
For instructions on how to upgrade ActiveRoles Server components, refer to the "Upgrading from an Earlier Version" section in the ActiveRoles Server Quick Start Guide.
When upgrading ActiveRoles Server components to version 6.5 from an earlier version, keep in mind that the components of the earlier version may not work in conjunction with the components you have upgraded. To ensure a smooth upgrade to the new version, it is advisable to upgrade the client components (ActiveRoles Server console and Web Interface) once you have upgraded the Administration Service. For more information, refer to the "Upgrade Issues" section in the ActiveRoles Server Quick Start Guide.
Custom solutions (scripts or other modifications) that rely on the functions of ActiveRoles Server may fail to work after an upgrade due to compatibility issues. Prior to attempting an upgrade, you should test your existing solutions with the new version of ActiveRoles Server in a lab environment to verify that the solutions continue to work. Should any compatibility issues arise during the test process, you can contact Quest Professional Services for paid assistance with those solutions.
The following table shows the version upgrade path that you can take from one version of ActiveRoles Server to another. Source Version refers to the current ActiveRoles Server that you have installed. Destination Version refers to the highest version of ActiveRoles Server to which you can upgrade.
| Source Version | Destination Version |
| 5.1.x | 5.2.5 |
| 5.2.0 through 5.2.4 | 5.2.5 |
| 5.2.5 | 6.5.0 |
| 6.0.3 or 6.0.4 | 6.5.0 |
| 6.1.0 | 6.5.0 |
ActiveRoles Server includes the following components:
The tables below outline system requirements for installing and running each of these components.
| Platform | 1 GHz or higher Intel Pentium-compatible CPU. |
| Memory (RAM) | 1 GB or more recommended. The amount required depends on the total number of managed objects. |
| Hard Disk Space | 100 MB or more of free disk space. If SQL Server and Administration Service are installed on the same computer, the amount required depends on the size of the ActiveRoles Server database. |
| Operating System | Administration Service can be run on any of these operating systems: - Microsoft Windows Server 2003, including x64 editions, updated with Service Pack 2 or a later Service Pack - Microsoft Windows Server 2003 R2 - Microsoft Windows Server 2008, Standard or Enterprise edition, 32-bit (x86) or 64-bit (x64) architecture - Microsoft Windows Server 2008 R2 |
| SQL Server | ActiveRoles Server database can be hosted by: - Microsoft SQL Server 2005, any edition for x86 (32-bit) or x64 (64-bit) platform, updated with Service Pack 2 or a later Service Pack - Microsoft SQL Server 2008, any edition for x86 (32-bit) or x64 (64-bit) platform, with or without any Service Pack Note Microsoft SQL Server 2008 Native Client is required on the computer running the Administration Service. You can install SQL Server 2008 Native Client from the Redistributables page in the ActiveRoles Server CD Autorun window. |
| Microsoft .NET Framework | Administration Service requires Microsoft .NET Framework version 3.5 or later. Microsoft .NET Framework 3.5 Service Pack 1 is strongly recommended. You can install .NET Framework 3.5 Service Pack 1 from the Redistributables page in the ActiveRoles Server CD Autorun window. |
| Microsoft Windows PowerShell | Administration Service requires Windows PowerShell 1.0 or 2.0. On a Windows Server 2003 based computer, you can install Windows PowerShell 1.0 from the Redistributables page in the ActiveRoles Server CD Autorun window. On a computer running a later version of the Windows Server operating system, the Windows PowerShell feature can be installed by using Server Manager. |
| Quest ActiveRoles Management Shell for Active Directory | Administration Service requires ActiveRoles Management Shell for Active Directory 1.3. You can install ActiveRoles Management Shell from the Solutions page in the ActiveRoles Server CD Autorun window. |
| Microsoft Exchange Server 2000/2003 System Management Tools | To perform the Move Mailbox task on Exchange 2000 Server or Exchange Server 2003, ActiveRoles Server requires Microsoft Exchange System Management Tools to be installed on the computer running the Administration Service. Use the Setup program of Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 to install Microsoft Exchange System Management Tools on the computer where you plan to install the Administration Service. |
| Microsoft Exchange Server 2007 Management Tools | To manage Exchange recipients on Exchange 2007, ActiveRoles Server requires the Exchange 2007 Management Tools to be installed on the computer running the Administration Service, and updated with Update Rollup 1 for Exchange Server 2007 Service Pack 1 or a later update rollup for Exchange Server 2007 Service Pack 1. Use the Exchange Server 2007 Setup program to install the Management Tools on the computer where you plan to install the Administration Service. Next, update the Management Tools by installing Exchange Server 2007 Service Pack 1 on that computer. Then, update Management Tools by installing the update rollup. The latest update rollup for Exchange Server 2007 Service Pack 1 is strongly recommended. For instructions on how to obtain the latest update rollup, see Microsoft's Knowledge Base article "How to obtain the latest service pack or update rollup for Exchange 2007" at http://support.microsoft.com/kb/937052. |
| Microsoft Exchange Server 2010 Management Tools | To manage Exchange recipients on Exchange 2010, ActiveRoles Server requires the Exchange 2010 Management Tools to be installed on the computer running the Administration Service. Use the Exchange Server 2010 Setup program to install the Management Tools on the computer where you plan to install the Administration Service. |
| Operating System on Domain Controllers | ActiveRoles Server retains all features and functions when managing Active Directory on domain controllers running any of these operating systems: - Microsoft Windows 2000 Server - Microsoft Windows Server 2003, including x64 editions - Microsoft Windows Server 2003 R2 - Microsoft Windows Server 2008, 32-bit or 64-bit architecture - Microsoft Windows Server 2008 R2 |
| Exchange Server | Administration Service is capable of managing Exchange recipients on: - Microsoft Exchange 2000 Server, with or without any Service Pack - Microsoft Exchange Server 2003, with or without any Service Pack - Microsoft Exchange Server 2007, with or without any Service Pack - Microsoft Exchange Server 2010, with or without any Service Pack Note Microsoft Exchange 5.5 Server is not supported. |
| Platform | 500 MHz or higher Intel Pentium-compatible CPU. |
| Memory (RAM) | 512 MB or more recommended. The amount required depends on the number of objects being administered. |
| Hard Disk Space | About 50 MB of free disk space. |
| Operating System | ActiveRoles Server Console can be run on any of these operating systems: - Microsoft Windows XP, with or without any Service Pack - Microsoft Windows Server 2003, including x64 editions, with or without any Service Pack - Microsoft Windows Server 2003 R2 - Microsoft Windows Vista Business, Enterprise or Ultimate edition, 32-bit or 64-bit architecture - Microsoft Windows Server 2008 Standard or Enterprise edition, 32-bit or 64-bit architecture - Microsoft Windows Server 2008 R2 - Microsoft Windows 7 |
| Web Browser | Microsoft Internet Explorer 6.0, or Windows Internet Explorer 7.0 or 8.0. |
| Microsoft .NET Framework | MMC Interface requires Microsoft .NET Framework version 3.5 or later. Service Pack 1 for .NET Framework 3.5 is strongly recommended. You can install .NET Framework 3.5 Service Pack 1 from the Redistributables page in the ActiveRoles Server CD Autorun window. |
| Platform | 1 GHz or higher Intel Pentium-compatible CPU. |
| Memory (RAM) | 1 GB or more recommended. The amount required depends on the number of objects being administered. |
| Hard Disk Space | About 50 MB of free disk space. |
| Operating System | ActiveRoles Server Web Interface can be run on a Web server with any of these operating systems: - Microsoft Windows Server 2003, including x64 editions, with or without any Service Pack - Microsoft Windows Server 2003 R2 - Microsoft Windows Server 2008 Standard or Enterprise edition, 32-bit or 64-bit architecture - Microsoft Windows Server 2008 R2 |
| Internet Services | On the Web server, the Web Interface requires Microsoft Internet Information Services (IIS) 6.0 or later. On IIS 7.0, the Web Interface requires the following Web server role services to be installed: |
| Web Browser | Microsoft Internet Explorer 6.0, or Windows Internet Explorer 7.0 or 8.0, with screen resolution of at least 800x600. Screen resolution of 1024x768 or higher is recommended. |
| Microsoft .NET Framework | Web Interface requires Microsoft .NET Framework 3.5 Service Pack 1 or later. You can install .NET Framework 3.5 Service Pack 1 from the Redistributables page in the ActiveRoles Server CD Autorun window. |
| Platform | 500 MHz or higher Intel Pentium-compatible CPU. |
| Memory (RAM) | 512 MB or more recommended. |
| Hard Disk Space | About 50 MB or more of free disk space. If SQL Server and Collector are installed on the same computer, the amount required depends on the size of the Collector database. |
| Operating System | ActiveRoles Server Collector can be run on any of these operating systems: - Microsoft Windows XP, with or without any Service Pack - Microsoft Windows Server 2003, including x64 editions, with or without any Service Pack - Microsoft Windows Server 2003 R2 - Microsoft Windows Vista Business, Enterprise or Ultimate edition - Microsoft Windows Server 2008 Standard or Enterprise edition, 32-bit or 64-bit architecture - Microsoft Windows Server 2008 R2 - Microsoft Windows 7 |
| SQL Server | Collector database can be hosted by: - Microsoft SQL Server 2005, any edition, with or without any Service Pack - Microsoft SQL Server 2008, any edition, with or without any Service Pack |
| Data Access Components | ActiveRoles Server Collector also requires: - Microsoft Data Access Components (MDAC) version 2.7 or later You can install MDAC 2.8 from the Redistributables page in the ActiveRoles Server CD Autorun window. |
| SQL Server Reporting Services | ActiveRoles Server Report Pack requires Microsoft SQL Server 2005 Reporting Services or Microsoft SQL Server 2008 Reporting Services. |
| Operating System | ActiveRoles Server Report Pack can be installed on a computer running any of these operating systems: - Microsoft Windows XP, with or without any Service Pack - Microsoft Windows Server 2003, including x64 editions, with or without any Service Pack - Microsoft Windows Server 2003 R2 - Microsoft Windows Vista Business, Enterprise or Ultimate edition - Microsoft Windows Server 2008, Standard or Enterprise edition, 32-bit or 64-bit architecture - Microsoft Windows Server 2008 R2 - Microsoft Windows 7 |
| Quest Knowledge Portal | ActiveRoles Server Report Pack is compatible with: - Quest Knowledge Portal 1.1 - Quest Knowledge Portal 2.0 |
This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.
This release is Unicode-enabled and supports any character set. It supports simultaneous operation with multilingual data. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe, Far-East Asia, Japan.
The release is localized to the following languages:
The components localized include Web Interface, Administration Service, MMC Interface (Console), CD Autorun program, Help files, and documentation.
This release has the following limitations:
The ActiveRoles Server release package contains the following product items:
The ActiveRoles Server release package contains the following redistributable components:
You can use the following steps to install ActiveRoles Server:
Note: Normally, ActiveRoles Server components should be installed by running the respective setup.exe files rather than the .msi installation packages. The .exe files are what run when you install from the ActiveRoles Server CD Autorun window. The .exe setup ensures that all the necessary prerequisite software components are installed before it opens the .msi package. If you install a component directly from its .msi package, installation may fail because some redistributable components are missing (for example, Microsoft Visual C++ libraries). In this case, you have to install the missing components and then re-run the installation package. You can install the necessary prerequisite components from the Redistributables page in the ActiveRoles Server CD Autorun window.
Get the latest product information, find helpful resources, and join a discussion with the ActiveRoles Quest team and other community members. Join the ActiveRoles Community at http://activeroles.inside.quest.com.
| info@quest.com | |
| Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA |
| Web |
Refer to our Web site for regional and international office information.
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.
Quest Support provides around-the-clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com.
From SupportLink, you can do the following:
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures.
The guide is available at: http://support.quest.com/pdfs/Global Support Guide.pdf.
Note: This document is only available in English.
This guide contains proprietary information protected by copyright. The
software described in this guide is furnished under a software license or
nondisclosure agreement. This software may be used or copied only in accordance
with the terms of the applicable agreement. No part of this guide may be
reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying and recording for any purpose other than the purchaser’s
personal use without the written permission of Quest Software, Inc.
© 2009 Quest Software, Inc.
ALL RIGHTS RESERVED.
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles,
Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BusinessInsight,
ChangeAuditor, ChangeManager, DeployDirector, DirectoryAnalyzer,
DirectoryTroubleshooter, DS Analyzer, DS Expert, ERDisk, Foglight, GPOADmin,
Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe,
LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool,
NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Quest Central, Quest
vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, SelfServiceADmin,
SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL
Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad,
T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer
Pro, vPackager, vRanger, vRanger Pro, vSpotlight, vStream, vToad, Vintela,
Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup,
Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, Vizioncore
vTraffic, Vizioncore vWorkflow, WebDefender, Webthority, Xaffire, and XRT are
trademarks and registered trademarks of Quest Software, Inc. in the United States
of America and other countries. Other trademarks and registered trademarks used
in this guide are property of their respective owners.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
Email: legal@quest.com
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.