This section provides a list of issues
known to exist with ActiveRoles Direct version 5.4.0. For
each issue, the list includes a brief description of the
problem, and provides a workaround, if any exists, for the
problem. The list is divided by component so that the issues
related to each individual component of the product are
grouped together.
General
Upgrade
TFS00051057
PROBLEM DESCRIPTION
When you upgrade ActiveRoles Direct version 5.3 by installing version 5.4 on top of the existing installation, the setup may prompt you for the installation package of the version being upgraded.
WORKAROUND
It is strongly recommended that you install the SOL45118 hotfix before upgrading version 5.3 to version 5.4. The SOL45118 hotfix is available at:
https://support.quest.com/SUPPORT/index?page=solution&id=SOL45118.
Web Client
PROBLEM DESCRIPTION
When the Quest ActiveRoles Web Client is upgraded to version
5.4 from a previous version, an error may occur when
changing from the current localization to a new language.
This error causes some of the frames to change to the new
language, while others remain the same.
WORKAROUND
Refresh the page and change the language again. Another
workaround is to have all Web Client users delete the
browser cookies before accessing the Web Client.
Auditing
PROBLEM DESCRIPTION
When attempting to enable auditing for the first time within
the Web Client, the Auditing Enabled checkbox may remain
disabled.
WORKAROUND
The COM+ application needs to be shut down after auditing is
configured. In addition, the browser will need to be closed
and reopened.
Online Help
PROBLEM DESCRIPTION
If the Web Client is installed with a parent virtual
directory selected, the Online Help will not be functional.
This issue affects only the Online Help; the rest of the Web
Client remains fully functional.
PROBLEM DESCRIPTION
If the Web Client Online Help is viewed in any language
other than Japanese and English using a Japanese Web
Browser, a runtime Web Browser error will occur. This issue
affects only the Online Web Help when using a Japanese Web
Browser.
Object Creation
PROBLEM DESCRIPTION
If the Web Client is installed on a Windows 2000 IIS server,
and you create an object containing the characters "\/"
("\" + "/"), you will not be able to edit that object using
either the Web Client or the native Windows tools.
WORKAROUND
Install on a Windows 2K3 IIS server if possible. Otherwise
do not create objects containing the above special
characters.
PROBLEM DESCRIPTION
When the Web Client is installed on a Windows 2K3 IIS
server, in a 2K3 parent domain, connected to a 2K child
domain DC and you attempt to create a user in an OU in the
parent domain, an error will be displayed and you will not
be able to create the user.
WORKAROUND
Use the Quest ActiveRoles Direct console to create a user.
Management of Exchange Recipients
PROBLEM DESCRIPTION
Exchange Extension Attributes cannot be modified when added
as a Client Extension attribute. These attributes are
already present on the Exchange Advanced editing tab.
WORKAROUND
If Exchange Extension Attributes are added as a Client
Extension they must be modified in the Exchange Advanced
tab, not in the Client Extensions tab. The Client Extensions
tab should be considered Read Only with respect to the
Exchange Extension Attributes.
PROBLEM DESCRIPTION
When objects are mail-enabled, the Exchange recipient
policies are not applied as they are in the native tools to
automatically generate the email addresses for the object.
WORKAROUND
Enter the email addresses for the object manually after the
object is mail-enabled.
PROBLEM DESCRIPTION
Due to the limitations of Microsoft Exchange 2003 tools,
Move Mailbox functionality is not available from the Web
Client when using Exchange 2003 tools to manage an Exchange
2000 Organization. This situation occurs when the IIS Server
computer has the Exchange 2003 tools installed to obtain
Exchange Management functionality in the Web Client. The
limitation in the native tools is inherited by the Web
Client.
PROBLEM DESCRIPTION
An error will occur when attempting to move a user mailbox
located on an Exchange 2000 or 2003 server if the current
user is not a member of the local IIS Server administrators
group. This limitation is imposed by the Microsoft CDOEXM
API used to perform mailbox management.
WORKAROUND
Ensure that the user attempting to move a mailbox has the
appropriate directory permissions and is a member of the
local IIS Server administrators group.
User Management
PROBLEM DESCRIPTION
In rare cases the callback number will not be saved when
modified on certain Active Directory users.
WORKAROUND
Edit the callback number through Active Directory Users and
Computers.
PROBLEM DESCRIPTION
If you try to set "User Must Change Password at next Logon"
in the User Account editing page without having Read and
Write permissions to the pwdLastSet attribute, a page error
displays and the changes are not made. This is because
Active Directory requires Read and Write permissions to the
pwdLastSet attribute to make changes to this particular
Account Option.
WORKAROUND
Ensure that users who need to modify Account Options or
reset passwords have Read and Write permissions for both the userAccountControl attribute and the pwdLastSet attribute.
PROBLEM DESCRIPTION
When a UNIX-enabled object is disabled on the UNIX tab in
the editing page, the UNIX attributes are cleared resulting
in the loss of this data. If the object is again
UNIX-enabled, this data must be re-entered manually. This
behavior is different from the native tools and other Quest
products which disable the user in UNIX without clearing
values of the UNIX attributes.
Web Browser Related Issues
PROBLEM DESCRIPTION
The Web Client may not work as expected if Internet Explorer
Enhanced Security Configuration is enabled with the default
settings.
WORKAROUND
Add the site to the trusted sites list, reduce security
settings in the IE advanced options, and remove IE Enhanced
Security via Add/Remove Windows Components.
PROBLEM DESCRIPTION
Popup blockers may cause features in the Web Client to
malfunction.
WORKAROUND
Popup blockers should be turned off when running the Web
Client.
Installation
PROBLEM DESCRIPTION
If the Web Client is installed through the Windows Installer
command line, it will not be installed correctly.
WORKAROUND
Install the Web Client using the normal interactive install.
Licensing
PROBLEM DESCRIPTION
If a licensing error occurs when connecting to the Web
Client because of an invalid or expired license, you must
clear your browser cache once the license error is
corrected; otherwise the error message will persist.
Picklists
PROBLEM DESCRIPTION
Picklists always assume that any value matches the raw
syntax for the attribute. When this is not the case (for
example, a picklist on the "Assistant" attribute with a
value that is not a DN), an error will occur when a user
attempts to save a value to that attribute during object
editing.
WORKAROUND
Ensure picklist values are valid.
PROBLEM DESCRIPTION
If the Administrator configures a picklist for an attribute
that conflicts with the attribute's native Active Directory
data type, then a runtime error will occur on object editing
and object creation pages that use this attribute. This
occurs most frequently with attributes that are specified as
Integer but are configured with plain text characters.
PROBLEM DESCRIPTION
The object picker used within the Web Client cannot browse
domains to which the current user's domain does not have a
trust. This can be problematic in certain trust
configurations when modifying group membership cross-domain.
This limitation is imposed by the trust model itself.
Browsing untrusted domains requires a set of credentials
other than the current user's credentials.
WORKAROUND
Ensure that trusts exist between the user domain and any
domains from which objects will need to be selected.
PROBLEM DESCRIPTION
When configuring an attribute value Picklist in the Web
Client for the Country attribute, you must use the standard
country abbreviations for the value, not the country name.
For example, "United States" is "US", "Canada" is "CA". The
web client will display these values as the full country
name when the Picklist is rendered in editing pages.
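A pre-check for the picklist issues above, as an added example that is not part of ActiveRoles Direct: it validates candidate picklist values against the attribute's syntax (DN, Integer, two-letter country code) before they are configured. The attribute names `c` and `exampleFloorNumber`, the sample values and the short country-code set are assumptions constructed for illustration, and the DN check is a simplified structural test.

```python
import re

# Syntax each picklist attribute must satisfy. "assistant" (DN) and the Country
# attribute come from the page; "c" as its LDAP name and the integer attribute
# "exampleFloorNumber" are assumptions made for this example.
SAMPLE_SYNTAX = {"assistant": "dn", "c": "country", "exampleFloorNumber": "integer"}

# Constructed picklists, each mixing valid and invalid values.
SAMPLE_PICKLISTS = {
    "assistant": [
        "CN=Jane Doe,OU=Staff,DC=example,DC=com",
        "Jane Doe",                                   # display name, not a DN
        r"CN=Doe\, Jane,OU=Staff,DC=example,DC=com",  # escaped comma inside a value
    ],
    "c": ["US", "Canada"],                            # country name instead of code
    "exampleFloorNumber": ["12", "twelve", "4294967296"],
}

# Constructed subset of two-letter country codes; load the full list in practice.
COUNTRY_CODES = {"US", "CA", "GB", "DE", "FR", "JP"}

# Attribute type of an RDN: a descriptor such as CN, or a dotted OID.
ATTR_TYPE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)")


def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def is_dn(value):
    """Structural DN check: every RDN component must look like type=value."""
    if not value.strip():
        return False
    for rdn in split_unescaped(value, ","):
        for component in split_unescaped(rdn, "+"):  # multi-valued RDNs
            attr, eq, val = component.partition("=")
            if not eq or not ATTR_TYPE.fullmatch(attr.strip()) or not val.strip():
                return False
    return True


def is_integer(value):
    """Active Directory Integer syntax holds a signed 32-bit number."""
    if not re.fullmatch(r"-?[0-9]+", value):
        return False
    return -2**31 <= int(value) <= 2**31 - 1


def is_country(value):
    return value in COUNTRY_CODES


CHECKS = {
    "dn": (is_dn, "not a distinguished name"),
    "integer": (is_integer, "not a 32-bit integer"),
    "country": (is_country, "not a two-letter country code"),
}


def check_picklists(picklists, syntax):
    """Return (attribute, value, reason) for every value that would not save."""
    findings = []
    for attribute, values in picklists.items():
        kind = syntax.get(attribute)
        if kind is None:
            continue  # no syntax declared: treated as a free-form string
        check, reason = CHECKS[kind]
        findings.extend((attribute, v, reason) for v in values if not check(v))
    return findings


if __name__ == "__main__":
    for attribute, value, reason in check_picklists(SAMPLE_PICKLISTS, SAMPLE_SYNTAX):
        print(f"{attribute}: {value!r} is {reason}")
```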
Account Configuration
PROBLEM DESCRIPTION
New features (editing tabs and tasks) must be explicitly
enabled for any users who are configured in Account
Configuration.
PROBLEM DESCRIPTION
When adding multiple entries to Account Configuration using
multi-select, only the currently focused entry will be
saved.
WORKAROUND
Add Account Configuration entries one at a time.
PROBLEM DESCRIPTION
When Account Configured entries are removed from the Account
Configuration list, the changes are saved immediately
without a user prompt or the need to click Save.
Personal Settings
PROBLEM DESCRIPTION
The Web Client will not save personal settings if the name
of the IIS Server hosting the application contains an
underscore or certain special characters. This is because
Internet Explorer discards the cookies that persist these
settings. This is a known issue that occurs after you
install security patch MS01-055 for Microsoft Internet
Explorer 5.5 or 6.0, or a patch that includes the fix
provided in security patch MS01-055.
WORKAROUND
Use a DNS alias or a static IP address to identify the
server in the URL.
PROBLEM DESCRIPTION
If the Administrator has configured the Web Client through
Account Configuration to not show certain editing tabs on
objects, the object editing page will show as blank if a
user configures their personal settings to default to one of
the removed object editing tabs.
WORKAROUND
Do not set the default tab through personal settings to tabs
that are not visible. If this problem occurs go back to
personal settings and select a different visible tab.
IIS Related Issues
PROBLEM DESCRIPTION
Before uninstalling a previous version of Web Client, you
must run IISRESET on the IIS machine console immediately
prior to the uninstall. This ensures that all resources have
been released by IIS and ActiveRoles Direct can perform a
full uninstall. It is also recommended that users be
prevented from accessing the ActiveRoles Direct web
application during this process.
PROBLEM DESCRIPTION
After restarting IIS or after completing an initial install,
and logging in to the Web Client, the following error is
displayed when creating a mailbox or establishing an email
for an existing object:
"'parent.frames.navigation.document.frmNavigation.btnNext'
is null or not an object." This is a one-time error that
occurs due to a browser/server timing issue. It does not
produce any harmful effects or modify any object data.
WORKAROUND
When this occurs simply cancel the wizard and try again.
This problem will only occur once and the wizard will
proceed as expected.
Issues Related to Japanese-language Web Server
PROBLEM DESCRIPTION
When the Web Client is running on a Japanese Windows 2003 R2
IIS Server an error will occur when trying to edit User
Terminal Services properties with Japanese data. The Web
Client can successfully view Japanese Terminal Services
data, however it cannot make changes to it.
WORKAROUND
Use Japanese Windows 2003 R2 Active Directory Users and
Computers to modify this data.
PROBLEM DESCRIPTION
When the Web Client is running on a Japanese Web Server an
error will occur when modifying the description property
through the Web Client Task View, if the user being searched
for contains Japanese characters.
Authentication
PROBLEM DESCRIPTION
When the Web Client is configured with Integrated
Authentication using Kerberos Delegation, errors will occur
when attempting to modify Exchange Permissions on user
Mailboxes.
WORKAROUND
Create a duplicate Web Client Web Site which is configured
with IIS Basic Authentication. Use this website to modify
Exchange Mailbox permissions.
My Account Management
PROBLEM DESCRIPTION
The My Account Management link in the Web Client should only
be used from the domain to which the running user belongs.
Group Membership Management
PROBLEM DESCRIPTION
When users are delegated group membership management
permissions through the Group Membership Management feature
they are granted Read and Write access to group membership.
This differs from Active Directory Users and Computers,
which grants only Write access when the equivalent feature
is used.
ADAM Related Issues
PROBLEM DESCRIPTION
When the Web Client is targeting a domain with an ADAM
deployment of ActiveRoles Direct, a Microsoft VBScript
runtime error will occur if the current user is not a member
of the ADAM Readers role in the ADAM configuration. The
error indicates the following:
Object doesn't support this action
/activeroleswebclient/ad/include/i_group.asp, 118
WORKAROUND
Ensure that Web Client users are added to the ADAM Readers
role for any domains that will be targeted and are deployed
in ADAM Configuration mode.
Business Rules
PROBLEM DESCRIPTION
The Web Client does not support Business Rules on the Dialup
Callback number property.
WORKAROUND
If Business Rule logic is required for this attribute it
must be provided through a custom Business Rule script.
Business Views
PROBLEM DESCRIPTION
You cannot move objects in Business Views from a remote
domain within the same forest.
PROBLEM DESCRIPTION
When you delete objects in a Business View from the Web
Client, you will receive the following error message:
Invalid procedure call or argument. The object, however,
does get deleted.
"Clone" Operation
PROBLEM DESCRIPTION
You cannot clone a user from a remote domain within the same
forest.
PROBLEM DESCRIPTION
The following Exchange attributes are not populated if you
clone a user without choosing to create a mailbox for the
user during the creation process: Hide object from Exchange
address lists and Exchange Internet Locator Service.
PROBLEM DESCRIPTION
Multi-valued client extensions cannot be cloned. If you
select these items for cloning, they will be filtered out of
the list of cloned attributes.
PROBLEM DESCRIPTION
The "badPwdCount" field, available as a client extension, is
a system managed attribute which cannot be edited. If the
field is included as a client extension field, any attempt
to change the value will fail. The update of additional
edited fields will also fail if the value of this field is
changed. Including "badPwdCount" in the list of fields to
use when cloning a user will cause the creation of the new
user to fail.
Unix Management via Vintela Authentication Services
PROBLEM DESCRIPTION
If an AD schema has been upgraded with new MSSFU/Vintela
extensions after ActiveRoles Direct was deployed and used,
you must run SchemaData.exe to update the cached schema
used by ActiveRoles Direct. If you do not update the schema,
Web Client users will appear to have insufficient
permissions on UNIX attributes.
Running the Web Client on 64-bit IIS Servers
PROBLEM DESCRIPTION
The ActiveRoles Direct Web Client requires IIS configuration
changes to run on 64-bit machines: IIS must be configured to
run in 32-bit mode. This can cause application compatibility
issues with other Web Applications installed on the same IIS
Web Server, particularly 64-bit applications. Therefore, it
is recommended that the Web Client be run only on machines
without other Web Applications.
To change the server to run in 32-bit mode, run the
following commands:
1. cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
2. If .NET Framework 1.1 is installed, run
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i
3. If .NET Framework 2.0 is installed, run
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.40607\aspnet_regiis.exe -i
NOTE: the paths for the .NET Framework may vary slightly
depending on the version of the framework installed.
4. Restart the Web Server.
For further information, please consult the Microsoft
Support Article:
http://support.microsoft.com/?id=894435
ActiveRoles Direct Core Application
Upgrading the Pre-defined Roles from Version 5.2 to Version 5.4
PROBLEM DESCRIPTION
If a previous installation of Quest ActiveRoles Direct
exists, and the pre-defined roles were imported during
install, importing the roles again during upgrade may
overwrite any changes made in the existing roles.
Additionally, three empty role containers will be created:
"Quest ActiveRoles Direct", "ADUC User Interface
Delegation", and "Common AD Class Delegation". These
containers can be safely deleted.
NOTE: On a new install, these containers will contain roles.
Unix Management via Vintela Authentication Services
PROBLEM DESCRIPTION
Quest ActiveRoles Direct has been tested extensively with
VAS version 2.6.3. While testing has been performed against
VAS 3.0, some functionality may not be available.
Licensing
PROBLEM DESCRIPTION
When the Quest ActiveRoles Direct license expires, a message
displays stating that even though the license has expired,
the application will continue to function. This is not the
case: a valid license is required to run Quest ActiveRoles
Direct. If such a license is not present, the application
will not be accessible.
Operation Modes
PROBLEM DESCRIPTION
After you click Next on the Determine Current Mode page in
the Configuration Utility, it may take up to a minute before
the next page displays.
PROBLEM DESCRIPTION
Users must have the Readers role in ADAM to log in to an
ADAM mode domain through the web client. This only applies
if the forest is in ADAM mode.
PROBLEM DESCRIPTION
When managing objects in an ADAM mode domain, you are unable
to remove ActiveRoles or Business Rules from the right-click
menu in the bottom-right pane (item is grayed out). This
menu item is enabled and functional when managing a forest
mode domain.
PROBLEM DESCRIPTION
In the ActiveRoles Direct console, the "New" context menu
option may not be available for some containers.
WORKAROUND
1. Start registry editor.
2. Remove the following key:
HKCU\Software\Quest Software\Quest Central for Windows\AR\SchemaUtility\<domain>\<class>,
where <domain> is the domain DNS name, <class> is the object
class of the container for which the "New" context
menu option is not available.
Domain Controller Focusing
PROBLEM DESCRIPTION
DC focusing in Quest ActiveRoles Direct relies heavily on
DNS entries and makes connections based on this information.
If you experience abnormal behavior connecting to a specific
DC or focusing on a particular DC, please ensure that your
DNS records are correct and complete.
Business Views
PROBLEM DESCRIPTION
The values of the Hide Business Views and the Allow the
expansion of containers settings are not retained on export.
Event Log
PROBLEM DESCRIPTION
Event Log logging is always sent to the PDC, not to the DC
with focus.
Naming Conventions
PROBLEM DESCRIPTION
Users may experience problems with Active Directory objects
containing a "/" character in their distinguished name.
WORKAROUND
If problems persist with these objects, we recommend that
you either remove the "/" character or use Active Directory
Users and Computers to manage these objects.
RSOP Calculations
PROBLEM DESCRIPTION
Current RSOP calculations do not support policy calculations
when domains from different forests are included. Currently
RSOP calculations only support scenarios where the objects
and associated domains are from the same forest.
PROBLEM DESCRIPTION
Regardless of the current setting of Link Order Display
(Hierarchal, Ascending Priority, or Descending Priority),
the Effective User Settings always display "Effective User
Settings" instead of correct entries such as "Links shown in
native tool order", "Links shown in processing order", etc.
Business Rules
PROBLEM DESCRIPTION
The "Execute scripts from" settings are not retained when
importing or exporting Business Rules scripts.
PROBLEM DESCRIPTION
Extended user attributes will not fire the first time the
properties are accessed. On all subsequent attempts to
access the user properties, the Business Rule will fire and
accept the appropriate data.
PROBLEM DESCRIPTION
When using the 64-bit version of Active Directory Users and
Computers, ActiveRoles Business Rules will not fire on
object edits or object creations. Additionally, the Quest
BusinessViews extension snap-in will not be available.
WORKAROUND
To access the ActiveRoles Active Directory Users and
Computers extensions, please run the 32-bit version.
Baselining
PROBLEM DESCRIPTION
When comparing a baseline to AD: The Delete permission will
not display in the Differences dialog box when it is used
with the Create permission. The Write All permission will
not display in the Differences dialog box when it is used
with the Read All permission.
ActiveRoles Direct Console
PROBLEM DESCRIPTION
You cannot create domain objects in Organizational Units
that contain a "/" in their name. This issue occurs only
with Windows 2000; Windows 2003 and XP are not affected.
Management of Group Policy Objects
PROBLEM DESCRIPTION
GPOs linked across domains will be displayed in the Unlinked
GPO container for each domain in the Group Policy Objects
container. Microsoft does not recommend linking GPOs across
domains for performance reasons.
PROBLEM DESCRIPTION
When applying several GPOs to an OU, the order in which the
GPOs are listed is the order in which they are processed.
PROBLEM DESCRIPTION
When you export a GPO, Public Key Information settings are
not preserved.
PROBLEM DESCRIPTION
GPO objects cannot be exported to, or imported from, any
directory which has Japanese characters in its path.
WORKAROUND
Export and import GPO objects to a directory without
Japanese characters.
PROBLEM DESCRIPTION
When you open the GPO editor from within the ActiveRoles
Direct console on a 64-bit version of Windows, a "Bad
Parameter" error is displayed.
WORKAROUND
Use GPMC or system Group Policy Editor.
User Permissions
PROBLEM DESCRIPTION
In order for the user to add multiple ActiveRoles and
Business Rules after the object has been taken under
control, they must have Write access to the following
properties of FastlaneControlledObjects in the Controlled
Objects container: friendlyNames, accountNameHistory,
userAccountControl.
ActivePolicies
PROBLEM DESCRIPTION
When you export an ActivePolicy, Public Key Information
settings are not preserved.
The following policies in ActivePolicies are not supported:
PUBLIC KEY POLICIES
- Encrypting File System
- Automatic Certificate Request Settings
- Trusted Root Certification Authorities
- Auto-Enrollment Settings
SOFTWARE RESTRICTION POLICIES
- Security Levels
- Additional Rules
- Enforcement
- Designated File Types
WIRELESS NETWORK POLICIES
IP SECURITY POLICIES
- Filtering
NOTE: The list of unsupported policies is based on the
original release of Group Policies with the Windows 2000
operating system.
This list may not contain all unsupported policies for the
following reasons:
1. Group Policy is an ever-evolving technology, with
Microsoft releasing policies at irregular intervals through
Service Packs, Operating Systems, etc.
2. Applications have the ability to extend Group Policy
Objects.
If you find that a particular policy is not supported,
please contact us through our regular support channels. We
cannot guarantee support for all policies; however, we will
endeavor to meet your needs.
Custom ADM Files and ActivePolicies
PROBLEM DESCRIPTION
ActiveRoles Direct does not support importing custom ADM
files from directories which have Japanese characters in
their path.
WORKAROUND
When working with Custom ADM files on Japanese machines,
ensure they are imported from directories with only English
characters in the path.
PROBLEM DESCRIPTION
Custom ADM file importing is not supported when the ADM file
exists on a file system path with Japanese characters.
WORKAROUND
Move the ADM file being imported to a directory that does
not contain Japanese characters in the path.
Refresh Related Issues
PROBLEM DESCRIPTION
The console may not always update properly after you perform
an action. Press F5 on the parent node to update the console
display.
PROBLEM DESCRIPTION
Invoking a task from an object properties page in the Web
Client will result in the loss of any unsaved changes
contained on the page prior to invoking the task. This
occurs because the page must refresh to update the
properties page with the changes resulting from the
completion of the task.
User Interface
PROBLEM DESCRIPTION
If a user does not have access to the information stored in
the ActiveRoles Direct install folders, then some icons may
appear incorrectly.
INetOrgPerson Properties
PROBLEM DESCRIPTION
The INetOrgPerson class does not exist in the Windows 2000
schema. To access all available properties tabs, you will
need to extend the schema with the appropriate class. You
can access the required download at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2C96869E-4CF3-40CC-97FE-7A68720F7D83&displaylang=en
Accessing the Help File with MMC 2.0
PROBLEM DESCRIPTION
You must select the ActiveRoles Direct node before
attempting to access the ActiveRoles Direct Help. If you try
to view the Help before the ActiveRoles Direct node is
loaded it will not be available.
WORKAROUND
Restart MMC, select the ActiveRoles Direct node, and then
access the Help.
Memory Leaks on Active Directory Group Operations on Windows XP SP1, SP2
PROBLEM DESCRIPTION
Due to a defect in the Microsoft API used for Active
Directory group member enumeration, memory leaks will occur
in certain operations with groups when run on a Windows XP
SP1 or SP2 machine. The leak manifests in the following
situations: viewing and saving group objects on the Web
Client (not supported on Windows XP due to platform
requirements), and viewing a Business View in Quest
ActiveRoles Direct which expands group membership. This
issue has been raised with Microsoft and a solution may be
forthcoming in a Microsoft Hotfix or Knowledge Base article
in the near future.
Please refer to the following link for more information:
http://support.microsoft.com/default.aspx?scid=kb;en-us;893317