Quest® ActiveRoles™ Server

Version 6.0.4

Release Notes

March 13, 2008


Contents

Welcome to ActiveRoles Server

New in This Release

Resolved Issues and Enhancements

Known Issues

Upgrade and Compatibility

System Requirements

Global Operations

Getting Started

For More Information

 


Welcome to ActiveRoles Server

Quest ActiveRoles Server automates user provisioning in Active Directory, Exchange, and Windows. With role-based security, HR and ERP system integration, automated group management, easy-to-use Web interfaces, and comprehensive Resource Kit for fast implementation of custom components, ActiveRoles Server provides a practical approach to complete user lifecycle management for the Windows enterprise.

One of the most valuable features of the product is the ability to automate provisioning tasks on directory objects in compliance with corporate administrative policies in corporate Active Directory and Exchange environments.

By providing consistent enforcement of corporate policies, a role-based administrative model, and flexible, rule-based administrative views, ActiveRoles Server creates a reliable and secure environment for distributed administration and account provisioning.

 


New in This Release

This section discusses the new features added with the maintenance releases of ActiveRoles Server 6.0, as compared to the initial release of version 6.0. For more information about the many new features of ActiveRoles Server 6.0, refer to the What's New and Feature Guide documents, available from the Documentation page in the ActiveRoles Server CD Autorun window.
 

New Features Included in Version 6.0.4
 

Beginning with the 6.0.4 release, ActiveRoles Server adds automated attestation capabilities to its Active Directory change control offering. ActiveRoles Server provides a process for conducting reviews that enables managers and other responsible parties to verify the access rights the users have because of their membership in Windows groups. Periodic reviews of group membership help identify and manage user access rights in order to maintain compliance with security and regulatory requirements. The process of reviewing and certifying membership of groups is referred to as Attestation Review.

Important: If multiple Administration Services are deployed so that they share common configuration data (whether using a common configuration database or through the ActiveRoles Server replication function), then all the Administration Services must be upgraded to version 6.0.4 in order for the Attestation Review feature to function.

For more information about this feature and instructions on how to use Attestation Review, refer to the "Attestation Review" section in the ActiveRoles Server Feature Guide and ActiveRoles Server Administrator Guide.

The 6.0.4 release of ActiveRoles Server introduces ActiveRoles Server Self-Service Manager - an add-on module for the ActiveRoles Server Web Interface. Self-Service Manager empowers end-users to accomplish IT-related tasks without recourse to outside support, such as assistance from the help desk. This helps both employees and their organization to save time, reduce errors, and increase productivity by directly connecting end-users to the information they need.

For more information and instructions on how to use Self-Service Manager, refer to the "Using Self-Service Manager" section in the ActiveRoles Server Web Interface User Guide.

Beginning with the 6.0.4 release, ActiveRoles Server adds support for the Microsoft Windows Server 2008 operating system. The ActiveRoles Server components such as the Administration Service, MMC Interface (console) and Web Interface can be installed and run on Windows Server 2008. You can use the CD Autorun interface to install ActiveRoles Server on Windows Server 2008-based computers.

Beginning with the 6.0.4 release, the ActiveRoles Server release package includes the 64-bit versions for the following components:

The 64-bit versions of ActiveRoles Server components take advantage of the new 64-bit CPUs that are produced and sold in most new computers. Separate installation packages are provided for the 32-bit and 64-bit versions of the ActiveRoles Server components. 32-bit components are normally intended for installing on a 32-bit operating system. 64-bit components require a 64-bit operating system.

The 6.0.4 release provides the ability to customize the Web Interface to seamlessly integrate custom applications together with the Web Interface pages. With the "Open the URL in a frame" option, a custom item on the Home page of a Web Interface site can now be configured to open a Web application so that the application's pages are embedded in a standard Web Interface page. This feature can be used, for instance, to integrate the Quest Password Manager application into the Web Interface.

The Active Directory data management section of the ActiveRoles Server console is now integrated with the change approval function of ActiveRoles Server. Not only the Web Interface but also the console is now capable of submitting operation requests for approval. For example, with approval rules configured so that creation of user accounts requires approval, creating a user account via the console starts the approval workflow instead of immediately making changes to the directory. The user account is created only after this operation is approved as prescribed by the approval rules.

Note: The changes that are made to directory data by an AR Server Admin role holder bypass change approval, regardless of which tool is used to make changes (the ActiveRoles Server console or Web Interface). Thus, in the above example, the approval workflow does not start if user account creation is performed by an AR Server Admin role holder. Instead, the user account is created at once, without submitting the creation operation for approval. By default, any member of the Administrators local group on the computer running the ActiveRoles Server Administration Service is assigned to the AR Server Admin role.
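An added example, not part of the original release notes and not Quest's code: a PowerShell function, run locally on the computer hosting the Administration Service, that lists the members of the local Administrators group (who hold the AR Server Admin role by default and therefore bypass change approval) and marks those that are not on an expected list. The function name and the allowlist entries are assumptions made for illustration.

```powershell
# Added example. Run locally on the Administration Service computer.
# Get-ApprovalBypassPrincipal is a hypothetical helper name, not a product cmdlet.

function Get-ApprovalBypassPrincipal {
    [CmdletBinding()]
    param(
        # Principals that are expected to be local administrators,
        # written as DOMAIN\name or COMPUTER\name.
        [string[]]$ExpectedAdmins = @()
    )

    # Resolve the group through its well-known SID (S-1-5-32-544) so that
    # localized group names, such as "Administratoren" on German-language
    # systems, are handled as well.
    $sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $account   = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $groupName = $account.Split('\')[-1]

    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # ADsPath forms:
        #   WinNT://DOMAIN/name            domain account or group
        #   WinNT://DOMAIN/COMPUTER/name   local account
        #   WinNT://S-1-5-21-...           orphaned SID that no longer resolves
        $parts = ($path -replace '^WinNT://', '').Split('/')
        if ($parts.Count -ge 2) {
            $name = $parts[-2] + '\' + $parts[-1]
        }
        else {
            $name = $parts[0]
        }

        New-Object PSObject -Property @{
            Principal = $name
            Class     = $class
            # -contains compares case-insensitively
            Expected  = ($ExpectedAdmins -contains $name)
        }
    }
}

# Constructed allowlist for illustration; replace with the accounts that are
# meant to hold the AR Server Admin role in your environment.
$expected = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Domain Admins'
)

# Report every member that is not on the allowlist. Group members are always
# reported too: everyone inside a nested group inherits the role, and this
# function does not expand domain groups.
Get-ApprovalBypassPrincipal -ExpectedAdmins $expected |
    Where-Object { -not $_.Expected -or $_.Class -eq 'Group' } |
    Sort-Object Principal |
    Format-Table Principal, Class, Expected -AutoSize
```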

The ActiveRoles Server SPML Provider, which was a part of ActiveRoles Quick Connect, is now packaged as a separate solution. The SPML Provider is no longer bundled with ActiveRoles Quick Connect, and does not require any Quick Connect components.

The SPML Provider allows ActiveRoles Server access using the Simple Object Access Protocol (SOAP) over HTTP based on the OASIS SPML V2.0 specification. With the SPML Provider, you can use the Service Provisioning Markup Language (SPML) to communicate with ActiveRoles Server and get provisioning services from ActiveRoles Server. By utilizing SPML to represent provisioning requests as XML documents, the SPML Provider enables XML-based enterprise applications to work together with ActiveRoles Server using SPML as a communication protocol.

The SPML Provider makes it possible for the existing SPML-compliant provisioning systems, such as Sun Java System Identity Manager, IBM Tivoli Identity Manager and IBM Tivoli Directory Integrator, to take advantage of the powerful functionality of ActiveRoles Server. Using the SPML Provider, XML-based enterprise applications can get provisioning services from ActiveRoles Server using SOAP over HTTP based on the OASIS SPML V2.0 specification.

The SPML Provider extends the power of ActiveRoles Server. Because the SPML Provider uses open standards such as HTTP, XML and SOAP, a greater level of interoperability is possible. In addition to the Active Directory Service Interfaces (ADSI), enterprise applications now have an alternative for communicating with ActiveRoles Server. An open-standard choice to access the features and functions of ActiveRoles Server provides enterprises with the flexibility they need when using ActiveRoles Server for provisioning and on-going management of users in heterogeneous environments.

The SPML Provider supports SPML version 2.0 (SPML V2.0), a standard approved by the Organization for the Advancement of Structured Information Standards (OASIS) and backed by many directory services vendors. Because ActiveRoles Server supports the SPML V2.0 specification, it can interoperate with XML-based applications from other vendors that also support this standard. For information about the SPML V2.0 specification and schema, see the OASIS Web site at http://www.oasis-open.org/.

The SPML Provider can be installed from the Solutions page in the ActiveRoles Server CD Autorun window. For more information, refer to the Administrator Guide for this feature. The SPML Provider Administrator Guide is included on the ActiveRoles Server CD.

New Features Included in Version 6.0.3
 

The AD LDS data management capabilities of ActiveRoles Server have been extended to include new search options for locating AD LDS users or groups and support for administration of AD LDS proxy objects:

For instructions on how to start using these features, refer to the "Enhancements in AD LDS Data Management" section in the ActiveRoles Server Feature Guide.

The home folder provisioning policies have been redesigned to provide:

For more information about these features, and instructions on how to configure a Home Folder AutoProvisioning policy, see the "Enhancements in Home Folder Provisioning Policies" section in the ActiveRoles Server Feature Guide and the "Home Folder AutoProvisioning" sub-section of the "Policy Configuration Tasks" section in the ActiveRoles Server Administrator Guide.

This release adds new options to policies of the "Property Generation and Validation" and "User Logon Name Generation" categories, making it possible to configure a list of characters that are not allowed in a property value or user logon name:

For instructions on how to start using these options, refer to the "Enhancements in Property Generation and Validation Policies" section in the ActiveRoles Server Feature Guide.

This release adds a number of new options for customizing the Web Interface, including:

For more information and instructions on how to start using these options, refer to the "New Customization Capabilities in the Web Interface" section in the ActiveRoles Server Feature Guide.

ActiveRoles Server now provides the ability to delegate the management of the “Send As” right, without requiring that the delegated administrator be authorized to modify all permission settings on user accounts. A delegated administrator can use the Web Interface to grant or revoke the “Send As” right on a user’s mailbox by making changes to the list of the users and groups that have the “Send As” right on the mailbox.

For more information and instructions on how to start using this feature, refer to the "Selective Delegation of the "Send As" Right Assignment" section in the ActiveRoles Server Feature Guide.

The change approval capabilities of ActiveRoles Server have been extended to provide new options for configuring approval rules and advanced search pages for locating approval-related data. The enhancements made to this feature include the following:

For more information, refer to the "Enhancements in Change Approval Workflow" section in the ActiveRoles Server Feature Guide.

New Features Included in Version 6.0.2
 

ActiveRoles Server now provides the ability to manage directory data in Microsoft Active Directory Lightweight Directory Services (AD LDS) - an independent mode of Active Directory formerly known as Active Directory Application Mode. The following management tasks are supported:

For more information about this feature, see "AD LDS Data Management" in the ActiveRoles Server Feature Guide. For detailed instructions on how to use this feature, refer to the "AD LDS Data Management" chapter in the ActiveRoles Server Administrator Guide.

ActiveRoles Server now fully supports Microsoft Exchange Server 2007. All the management tasks the earlier versions of ActiveRoles Server provided for Exchange recipients on Exchange Server 2000/2003 can now be performed on Exchange Server 2007 as well. These include:

For more information about this feature, refer to the "Support for Exchange Server 2007" section in the ActiveRoles Server Feature Guide. For information on how to get started with this feature, see "Exchange Server 2007 Organization" in the "Access to Exchange Organization" section in the ActiveRoles Server Quick Start Guide.

ActiveRoles Server now includes a command-line interface that is built on Microsoft Windows PowerShell technology. The command-line interface enables automation of directory data-related administrative tasks. With this interface, administrators can manage directory objects such as users and groups. Thus, they can create new users and groups, modify user properties, and add or remove members from groups.

The management operations are performed either via the ActiveRoles Server proxy service or by directly accessing directory data on domain controllers. In both cases, the command-line interface provides a flexible scripting platform that can reduce the complexity of current Microsoft Visual Basic scripts. Tasks that previously required many lines in Visual Basic scripts can now be done by using as little as one command.

By accessing directory services through the ActiveRoles Server proxy service, the command-line interface makes it possible to take full advantage of the security, workflow integration and reporting benefits of ActiveRoles Server. In this way, the directory data modifications made from a command line are supplemented and restricted by the data validation, provisioning and deprovisioning rules enforced by ActiveRoles Server.

The command-line interface can be installed from the Solutions page in the ActiveRoles Server CD Autorun window. For more information, refer to the Administrator Guide for this feature. The Administrator Guide is included on the ActiveRoles Server CD.

Version 6.0.2 of the ActiveRoles Server console (MMC Interface) adds support for the Microsoft Windows Vista operating system. The console can be installed and run on Windows Vista. The ActiveRoles Server CD Autorun program provides for compatibility with Windows Vista as well, so you can use the CD Autorun interface to install the console on Windows Vista-based computers.

With the 6.0.2 release, the change approval capabilities of ActiveRoles Server have been extended to provide new configuration options, enhanced user interface for performing approval-related tasks, and integration with add-on applications such as ActiveRoles Quick Connect. The enhancements made to the Change Approval feature include the following:

For more information, refer to the "Enhancements in Change Approval Workflow" section in the ActiveRoles Server Feature Guide.

The 6.0.2 release of ActiveRoles Server provides new, flexible options for configuring the Management History feature. In order to reduce network traffic caused by ActiveRoles Server replication, and to prevent performance degradation of ActiveRoles Server in replicated ActiveRoles Server environments, synchronization of the Management History data can be removed from the ActiveRoles Server replication process by implementing a common storage of that data for all replication partners. The common storage ensures the consolidation of the portions of Management History data that are generated by different Administration Services, while eliminating the need to synchronize that data between multiple storages.

For more information about this feature, see the "Centralized Management History Storage" section in the ActiveRoles Server Administrator Guide.

New Features Included in Version 6.0.1
 

This ensures the proper localization of the product in German-language environments. Thus, installing the Language Pack on the computers running the ActiveRoles Server components in such environments causes all the ActiveRoles Server menus, dialog boxes, error messages, and help files to be represented in German. The German-language version of ActiveRoles Server documentation is also available.

As opposed to standard Microsoft tools, such as the Microsoft DNS console, which are well suited for performing individual management tasks by highly authorized, skilled personnel, ActiveRoles DNS Manager provides the scalable and secure DNS data management capabilities that are necessary for large network environments. It allows secure, efficient delegation of DNS data management tasks by providing role-based, fine-grained access control of DNS namespaces, and it features a powerful, Web-based interface for delegating and performing DNS data management tasks.

The default option is to replicate Management History data, along with the other configuration-related data, between the Administration Service database servers participating in ActiveRoles Server replication. However, given the volume of Management History data (2-3 KB per change request to the directory), this may cause considerable network traffic. It is now possible to exclude from replication the Management History-related portion of the configuration database (the Change Tracking log), thus improving manageability and performance of ActiveRoles Server in environments where a high volume of changes to directory data causes a substantial increase in the size of the Change Tracking log. It is also possible to turn replication of the Change Tracking log back on at any time, in order to take full advantage of the Management History feature.

With the 6.0.1 release of ActiveRoles Server, the Management Pack for Microsoft Operations Manager has been extended to include the processing rules for monitoring and alerting on the new events. The descriptions of the new processing rules can be found in the ActiveRoles Server Management Pack for MOM Technical Description, which is part of the ActiveRoles Server documentation set.


Resolved Issues and Enhancements

This section provides a list of issues that were resolved in ActiveRoles Server version 6.0.4 (as compared to version 6.0.3). Each item in the list includes an ID number, which identifies the item, and a brief description of the issue. The list is divided by component so that the items related to each individual component of the product are grouped together:

Setup Program

TF00019113
Fixed: When attempting to install the ActiveRoles Server Administration Service by directly running the respective MSI package (.msi file), you may encounter the following problem: Setup may fail to install the Administration Service while having successfully created the configuration database on SQL Server. Re-running the Setup program after that causes an error unless the database is deleted manually.

TF00019299
Fixed: Incorrect behavior of the ActiveRoles Server Collector Setup program on a Windows Server 2008 based computer: Installation fails with an error message stating that the MDAC components are missing.

TF00026058
Fixed: Incorrect behavior of the Setup program during upgrade of ActiveRoles Server version 5.2.5 with Language Pack installed: After upgrade to version 6.0, Language Pack version 5.2.5 remains installed on the upgraded system side-by-side with Language Pack version 6.0.

TF00026369
Fixed: When attempting to install the ActiveRoles Server console (MMC Interface) on a Windows Vista-based computer, you may encounter the following error: "Error 1606. Could not access network location %SystemDrive%\inetpub\wwwroot\"

TF00035467
Fixed: The Administration Service Installation Wizard does not allow you to install SDK documentation and samples without installing the Administration Service: If you configure the Administration Service feature not to be installed, the SDK and Resource Kit feature is not installed either.
 

Administration Service

TF00011563
Fixed: After upgrade to the latest version, the Administration Service may fail to decrypt data that was encrypted by the Administration Service of a prior version.

TF00011603; TF00011934
Fixed: Significant performance degradation of the Administration Service in an environment with a large number of user accounts and large Dynamic Groups that are based on Custom Stored Virtual Attributes (CSVAs). In such an environment, making changes to CSVAs on a user account may cause the Administration Service to steadily consume 100% of CPU resources.

TF00011609; TF00012000
Fixed: When mail-enabling a user or group that resides in a child domain within a multi-domain environment, the Administration Service may fail to populate the "edsaAdminGroup" attribute on that user or group.

TF00011974
Fixed: The change history report contains no records after the following sequence of actions: Create a custom stored multi-valued virtual attribute (CSVA); Set the CSVA to a certain value; Delete the CSVA; Create a new CSVA with the same name as the deleted one.

TF00011989
Fixed: The Administration Service may fail to process a request to modify an object if the request involves changes to more than 255 different Custom Stored Virtual Attributes on that object at a time.

TF00011992
Fixed: Significant increase of memory usage by the Administration Service and possible failure of the Administration Service in a scenario that involves changes to a large number (200+) of Custom Stored Virtual Attributes.

TF00012000
Fixed: The Administration Service may incorrectly generate the legacyExchangeDN attribute on a user or group object. In this condition, ActiveRoles Server fails to properly configure the Administrative Group setting on a user or group when performing the Create Mailbox or Establish E-mail Address task. The problem may occur if the name of an Administrative Group in the Exchange Organization or the name of the Exchange Organization contains a 'cn' substring.

TF00018015
Fixed: Querying for a large number (200+) of ActiveRoles Server Custom Stored Virtual Attributes (CSVAs) within a single Get request causes significant performance degradation in the Administration Service. The Administration Service exhibits poor performance when retrieving a large number of CSVAs from the underlying SQL Server database.

TF00018076
Fixed: Incorrect sort order in a list of AD LDS objects returned by the Administration Service to a client such as the Web Interface.

TF00018228
Fixed: In an environment with multiple Administration Services configured to share common configuration data via ActiveRoles Server replication, you may encounter the following problem when you make a series of successive changes to ARS configuration objects: The changes made via one of the Administration Services may not be replicated to the other Administration Services.

TF00018322
Fixed: The Administration Service may fail to properly execute the "GetInfo" method on an object (such as a user object) that is accessed from a script using the ActiveRoles Server ADSI Provider: After the method is called, the property cache may not contain all property values as expected.

TF00018507
Fixed: The Administration Service may incorrectly generate the legacyExchangeDN attribute on a user or group object if the name of an Administrative Group in the Exchange Organization or the name of the Exchange Organization contains a 'cn' substring. In this condition, ActiveRoles Server fails to configure the Administrative Group setting on a user or group when performing the Create Mailbox or Establish E-mail Address task.

TF00018517
Fixed: Incorrect inheritance of permission settings from an Access Template that is applied to a Managed Unit: If the Access Template link on a Managed Unit has the "apply permissions onto this directory object" option un-selected, the permission settings have no effect on the Active Directory objects held in the Managed Unit.

TF00018520
Fixed: When adding a Subscriber to the ActiveRoles Server replication group, you may encounter an error if the Subscriber's Administration Service was earlier configured to use the database server that holds the Publisher role in the replication group. The error message reads as follows: "This Administration Service cannot respond due to configuration changes in progress. Use a different Administration Service, or try to connect to this Administration Service in a few minutes."

TF00018559
Fixed: Incorrect behavior of the "Set data" function in the Policy Check Results report: Clicking "Set data" on one attribute also causes the other attributes to be changed in accordance with the policy requirements.

TF00018571
Fixed: The Administration Service may fail to update dynamic group membership after adding an "Include by Query" membership rule that is configured to search for groups.

TF00018619
Fixed: Incorrect list of Exchange Task commands on a selection of multiple objects. The list may include commands that are not applicable to all the selected objects.

TF00018650
Fixed: The Dynamic Group update task may fail after the accountNameHistory attribute value has been modified on a newly created Dynamic Group. The following error event is reported to the EDM Server log in this case: "Data at the root level is invalid. Line 1, position 1."

TF00018702
Fixed: In an environment with multiple Administration Services configured to share common configuration data via ActiveRoles Server replication, you may encounter an error when you attempt to delete a Subscriber object from the Configuration Databases container after a separate database has been configured to store the management history data. The error message reads as follows: "Failed to retrieve attributes of the object."

TF00018710
Fixed: Incorrect display of the list of permission entries in the "User-Deprovision" Access Template: The name of the "Deprovision" extended right is missing from the list.

TF00018740
Fixed: In certain rare conditions, the Administration Service may incorrectly process property generation and validation policies on security groups if the policies are applied at the Managed Unit level.

TF00023628
Fixed: Incorrect behavior of Home Folder AutoProvisioning policies: When configured to create home folders on a network share that points to a disk root directory (such as C$), a Home Folder AutoProvisioning policy fails to create home shares. In this condition, ActiveRoles Server returns the following error: "Administration Service encountered an error when creating Home Share for the user. Details: The filename, directory name, or volume label syntax is incorrect. (Exception from HRESULT: 0x8007007B)".

TF00025677
Fixed: In an environment where multiple Administration Services share common configuration data via ActiveRoles Server replication, the replication function may fail to synchronize the deletion of an Access Template among the Administration Services. The problem occurs if the deletion of an Access Template on one of those Administration Services coincides with a management operation on another Administration Service that involves applying that same Access Template. As a result, the Administration Service that has applied the Access Template fails to commit the deletion of the Access Template, which causes an inconsistency condition in ActiveRoles Server.

TF00025688
Fixed: Incorrect contents of the report on deprovisioning results in the following scenario: The Deprovision operation is performed on a user object; then, the object is reverted to normal state by making changes to the edsvaDeprovisionStatus attribute; and, finally, the Deprovision operation is performed on that object again. In this scenario, the report on the second Deprovision operation does not contain records indicating the removal of the object from the groups to which the object was added after it was reverted to normal state following the first Deprovision operation.

TF00025934
Fixed: In the German-language version of the Administration Service, the user assistance information provided by the "arssvc.exe /?" command is displayed in English.

TF00025969
Fixed: Approval Rules with filtering by the source or destination container properties do not work as expected upon moving objects between containers. Thus, when you configure an Approval Rule so that the Move operation is subject to approval, you can specify additional filtering criteria by the properties of the source or destination container. If you add such filtering criteria, the Approval Rule has no effect.

TF00025976
Fixed: An exception condition in the Administration Service upon modification of a Custom Stored Virtual Attribute (CSVA): The "System.InvalidCastException: At least one element in the source array could not be cast down to the destination array type" entry is added to the ds.log file when changes are made to a CSVA of a type other than INTEGER8. This condition can be caused by the Deprovision operation on a user object, for example.

TF00025977
Fixed: Approval Rules with filtering by the "name" or "distinguishedName" property do not work as expected upon creating new objects. Thus, when you configure an Approval Rule so that the Create operation is subject to approval, you can specify additional filtering criteria by the properties of the objects being created. The properties such as "name" and "distinguishedName" are not supported in such filtering criteria.

TF00026024
Fixed: Incorrect behavior of Home Folder AutoProvisioning policies: In certain rare conditions, a Home Folder AutoProvisioning policy may assign a home drive or create a home folder that is out of compliance with the policy configuration settings.

TF00026042
Fixed: Incorrect behavior of the Administration Service in an environment where multiple Administration Services share a common configuration database: With an AD LDS instance registered using one of those Administration Services, another Administration Service may fail to manage the AD LDS instance, returning the following error upon service startup: "Failed to load data from AD LDS instance."

TF00026054
Fixed: Access Template-related log entries are missing from the ds.log file that is normally used as a primary source of information for troubleshooting issues in ActiveRoles Server.

TF00026254
Fixed: In certain rare conditions, the Administration Service encounters a deadlock when performing the Demote operation on the database server that holds the Publisher role in ActiveRoles Server replication.

TF00026259
Fixed: The Administration Service does not prevent registering a new Active Directory domain with the same name as an AD LDS instance that is already registered with ActiveRoles Server. Having registered an AD domain along with an AD LDS instance of the same name causes an error condition in the Administration Service.

TF00026263
Fixed: Incorrect behavior of Group Membership AutoProvisioning policies on AD LDS groups: When configured to add or remove objects from an AD LDS group based on object properties, a Group Membership AutoProvisioning policy may fail to function as expected if changes to object properties are made using a tool other than ActiveRoles Server.

TF00026306
Fixed: Incorrect behavior of the copy user operation: when creating a new user object by copying an existing user object, the Administration Service copies the profile path setting from the original object so that the new object has the same profile path setting as the original object. The expected behavior is that the profile path setting is updated according to the sAMAccountName property of the newly created user object.

TF00026389
Fixed: In script-based policies, neither the onPostMove nor the onPostRename handler supports the DirObj object. An occurrence of DirObj in the onPostMove or onPostRename handler in a policy script causes the script to fail, with the "DirObj object is unavailable" error being recorded to the EDM Server event log. For example, the following script fails with this error:
  Sub onPostMove(Request)
    DirObj.Put "description", CStr(DirObj.name) + ": Moved"
    DirObj.SetInfo
  End Sub
This issue also occurs in the onPostModify handler if any changes to the Name property of the target object are requested.

TF00027863
Fixed: The Administration Service fails to propagate to Active Directory the permission settings specified using the "Domains - Generate Resultant Set of Policy (Planning)" Access Template.

TF00027915
Fixed: In certain rare conditions, the Administration Service may fail to complete a search request in a timely manner, which may result in slow response time during a directory search. The problem occurs if the Administration Service loses connection to the domain controller when performing certain operations.
 

Console (MMC Interface)

TF00011474
Fixed: In the Select Objects dialog box, the "Check Names" function may not work as expected if the name to check includes an @ character (for example, user@company.com).

TF00011600; TF00026343
Fixed: Inappropriate options for Exchange Mailbox Deprovisioning policy if the "Hide the mailbox from the global address list" policy option is enabled.

TF00012096
Fixed: When configuring an Access Template in the ActiveRoles Server console, you may encounter the following problem: Some object classes are not displayed in the Add Permission Entries wizard even though the "Show all possible classes" option is selected.

TF00018224
Fixed: Incorrect behavior of the user interface for configuring Dynamic Groups in the ActiveRoles Server console:
 - The console does not prevent a query-based membership rule for a Dynamic Group from being configured so that the query searches for objects in a domain that is different from the domain of the Dynamic Group itself
 - The console does not prevent explicit inclusion or exclusion rules for a Dynamic Group from being configured by selecting objects from domains other than the Dynamic Group's domain
By design, a Dynamic Group can hold only those objects that reside in the same domain as the Dynamic Group; therefore, either of the two above-mentioned scenarios may cause an error condition in ActiveRoles Server.

TF00018557
Fixed: The console does not allow the "Manager" or "Managed By" property to be set to a group: Only users can be specified in the Select Object dialog box that is provided by the console to set a value for the "Manager" or "Managed By" property.

TF00018569
Fixed: In the Select Objects dialog box, the "Check Names" function may fail with the HRESULT:0x8007203E error if the name to check begins with a parenthesis character.

TF00018570
Fixed: Incorrect behavior of the console upon an attempt to explicitly exclude a certain user from a Dynamic Group to which that user is included by virtue of a query-based membership rule: The console may fail to apply the exclusion rule, returning the following error: "Failed to modify the object. Administrative Policy returned an error. ActiveRoles Administration Service cannot perform the requested operation in this domain."

TF00019021
Enhancement: The console now processes script-based policies in a synchronous fashion by default, so as to wait while post-processing event handlers complete the tasks prescribed by the script-based policies that are in effect.

TF00019024
Fixed: Incorrect behavior of the Copy operation on a group object in the ActiveRoles Server console: When you click Edit Attributes on the second page in the Copy Object - Group wizard, make changes to attributes (for example, modify the value of the Notes attribute), and then click OK to apply your changes, the following error occurs: "You must specify a value for the property 'GroupType'."

TF00019026
Fixed: Incorrect behavior of the Select Objects dialog box that is used to specify a Trustee in the Delegation of Control Wizard: The dialog box fails to find the "Self" account if the search scope is set to the entire "Active Directory" container.

TF00024571
Fixed: The console may fail to import an Access Template that was exported from ActiveRoles Server version 5.2.5, returning the following error message: "ActiveRoles Server snap-in encountered an error when performing the Export or Import operation." The problem occurs if the Access Template has other Access Templates nested in it.

TF00025643
Fixed: Incorrect behavior of the "Rename User" dialog box: No more than 29 characters can be entered in the "Last name" box. The same limitation applies to the New Object - User wizard.

TF00025909
Fixed: During a copy operation on a user account, the console may fail to apply the policies that are in effect. For example, even though a policy requires a certain property to be set on a user account, the console may allow a new user account to be created by copying an existing user account so that the required property is not set on the new account.

TF00026239
Fixed: Incorrect behavior of the console in the situation where you attempt to set a certain value on a Virtual Attribute of the GeneralizedTime syntax using the date/time control: The console fails to set the attribute value you have specified.

TF00026274
Fixed: On a Windows Vista-based computer, you may encounter incorrect behavior of text boxes on the pages for configuring Approval Rules in the ActiveRoles Server console. For example, when you type any text in the Description box and then click in another box, the text in the Description box disappears.

TF00026277
Fixed: The names of certain countries are missing from the "Country/region" list on the Address tab in the Properties dialog box for a user account in the ActiveRoles Server console. The "Country/region" list also includes some obsolete entries.

TF00026307
Fixed: Incorrect behavior of the Preview Rule function on a query-based membership rule for a Dynamic Group: The deprovisioned user objects are not filtered out of the preview list although, by design, deprovisioned user objects are never added to a Dynamic Group.

TF00026312
Fixed: When creating a new Scheduled Task in ActiveRoles Server, the console may fail to handle the error situation where incorrect task schedule settings are attempted: Although the console displays an error message as expected, clicking the Go To button in the error message box causes the console to close unexpectedly.

TF00026313
Fixed: A typo (space character is missing) in the description text for the Replica-Link syntax on the "Attribute Syntax" page in the Add Virtual Attribute wizard.

TF00026324
Enhancement: The ActiveRoles Server console now makes it possible to search for AD LDS proxy objects using regular (basic) options in the Find dialog box (the AD LDS Proxy Object item added to the list of object categories in the Find dialog box).

TF00026327
Fixed: Incorrect sort order in the list of Exchange custom attributes in the Custom Attributes dialog box in the ActiveRoles Server console: The list is sorted in ascending alphanumeric order by attribute name instead of being sorted by attribute number so that the attributes from 10th to 15th follow the 9th attribute rather than the first one.

TF00026338
Enhancement: The ActiveRoles Server console now provides the ability to add AD LDS proxy objects to AD LDS groups. It is also possible to configure membership rules (both static and query-based) that control inclusion or exclusion of AD LDS proxy objects from Managed Units.

TF00027855
Fixed: When delegating control of AD LDS objects, the console does not allow a domain local group to be selected as a Trustee.

TF00027856
Fixed: Incorrect behavior of the Properties dialog box on a selection of multiple user accounts: The list of UPN suffixes is missing from the "User logon name" field on the Account tab.

TF00027857
Fixed: Incorrect behavior of the Select Objects dialog box that is displayed by the Add Exchange Query-based Distribution Groups or Add Exchange Public Folders command on a group: The dialog box makes it possible to select objects from a domain other than the domain of the target group. An attempt to add such objects to the group causes an error.

TF00035138
Fixed: Incorrect behavior of the Block Inheritance function, which you use in the ActiveRoles Server Policy dialog box in the ActiveRoles Server console to prevent a certain object from being affected by an inherited policy: When you select the Blocked check box, a link to the respective Policy Object is created with the option to exclude the object from the scope of the Policy Object; however, clearing the check box after that does not cause the link to be deleted as expected. Instead, the link is retained and configured to explicitly include the object in the scope of the Policy Object.

TF00035140
Fixed: Incorrect behavior of the user interface for the Move Mailbox operation in the ActiveRoles Server console provided that an Exchange Mailbox AutoProvisioning policy is in effect, enforcing a certain list of mailbox stores: On the page for selecting a store to move the mailbox to, the console may incorrectly identify the store in which the mailbox originally resides. For example, if the list determined by the policy consists of 3 items, such as Store1, Store2 and Store3, and the mailbox is located in Store3, the console may erroneously indicate that the mailbox is in Store1. As a result, there is no way to move the mailbox from Store3 to Store1.

TF00035141
Fixed: The drag-and-drop function ceases to work in the console if the advanced details pane is turned on (the Advanced Details Pane item is checked on the View menu).

TF00035142
Fixed: Incorrect display of the "Desync to AD" menu item on the shortcut menu or Action menu for an Access Template link that is configured with the "Sync to AD" option enabled, on the AR Server Security tab in the advanced details pane in the ActiveRoles Server console: An irrelevant check mark is displayed next to the "Desync to AD" menu item.

TF00035144; TF00010362
Fixed: The operation summary text on the final page in the New Object - User or Copy Object - User wizard states that a mailbox is going to be created even though the option to create a mailbox is un-selected in the wizard.
 

Web Interface and ADSI Provider

TF00010240; TF00026320; TF00026276
Fixed: The Web Interface may fail to create an object in the directory, returning the following error message: "Administration Service encountered an error when retrieving properties of the object. Directory object not found. (Exception from HRESULT: 0x8007208D)"

TF00010266; TF00026334
Fixed: On the Member Of page for a directory object (user, group, computer, etc.), even though the "Show nested groups" option is selected, the Web Interface may not list all of the groups to which the object belongs because of group nesting.

TF00010718; TF00025652
Fixed: A User Logon Name Generation policy may not work as expected in the Web Interface if the policy generates a name that begins with a percent character (%).

TF00010763
Fixed: With the Web Interface and the Administration Service running on different computers, the Web Interface Sites Configuration tool may fail to create new Web Interface sites.

TF00011044; TF00026318
Enhancement: The Select Object dialog box in the Web Interface now uses ambiguous name resolution (ANR) to search for objects. For example, the dialog box can find user accounts by Last Name.

TF00011292
Fixed: After upgrade from an earlier version, with the option to retain the existing ActiveRoles Server configuration (import the existing configuration data to the new version of ActiveRoles Server), certain custom commands that were configured in the Web Interface you are upgrading may cease to work in the upgraded Web Interface.

TF00011750
Fixed: Hovering with the mouse pointer over the Browse button in the Select Object dialog box may cause a script error in the Web Interface.

TF00011751
Fixed: On the Account tab of the General Properties page for a user account in the Web Interface, the domain name may not be displayed in the left-hand text box under "User logon name (pre-Windows 2000)".

TF00011752
Fixed: In the computer management section of the Web Interface, you may encounter an error upon an attempt to access the pages for managing properties of a Windows service.

TF00011944; TF00026325
Fixed: With low screen resolution (800x600), scroll bars are missing from some of the Web Interface pages (these are, for example, the pages for managing users or groups). If a page is customized so that it includes a large number of tabs, the tabs that do not fit in the window are inaccessible.

TF00012008
Fixed: The "Color scheme" list on the Settings page includes an ineffective item - "desert".

TF00012011
Fixed: In the computer management section of the Web Interface, you may encounter an error upon an attempt to access the pages for managing properties of a network share.

TF00016692
Fixed: Incorrect tooltips on some UI elements in the Web Interface.

TF00017535
Fixed: In an environment where ActiveRoles Server Support Pack for Vintela Authentication Services is deployed, the Web Interface may fail to retrieve and display UNIX-specific properties as expected, returning "Error: The method or operation is not implemented."

TF00017931
Fixed: In some rare conditions, you may encounter an error on a customized page for managing object properties in the Web Interface. The error message reads as follows: "Error: Value was either too large or too small for an Int32."

TF00017981
Fixed: The Web Interface may fail to perform a custom LDAP query-based search task, returning "Error Exception has been thrown by the target of an invocation."

TF00017990
Fixed: An entry for a property of Boolean data type may contain the "false" value despite the fact that no value is assigned to the property (the property is not set).

TF00018023
Fixed: If no value is supplied in an entry for a property of the Integer data type, the Web Interface may fail to save property changes, returning "Error: Input string was not in a correct format."

TF00018146
Fixed: When managing a child domain in a multi-domain environment, the Web Interface may incorrectly display user accounts that reside in the parent domain.

TF00018538
Fixed: An entry for a multi-valued property may have an empty header.

TF00018539
Fixed: Incorrect display of the welcome message on the Self-Service Home page if the First Name and Last Name properties are not set on the user account of the logged-on user.

TF00018544
Fixed: The splitter control may not work as expected on certain Web Interface pages.

TF00018552; TF00026365
Fixed: In some rare conditions, a Property Generation and Validation policy that controls Custom Stored Virtual Attributes (CSVAs) may have no effect on customized pages for creating directory objects (for example, user accounts) in the Web Interface.

TF00018562
Fixed: After performing a search using the Quick Search function, the Web Interface may fail to display the left pane on the pages for managing directory objects.

TF00018564
Fixed: When customizing the Web Interface by adding entries to a form, you may encounter the following problem: If the property for which you have added an entry is under the control of a Property Generation and Validation policy, the entry fails to commit the property value generated by the policy. The problem occurs if the policy is applied to a Managed Unit that is based on "Include by Query" membership rules.

TF00018651
Fixed: Incorrect behavior of the "User logon name (pre-Windows 2000)" entry on the General Properties/Account page for a user object in the Web Interface: If the user logon name you have typed contains backslash characters (\), the backslash characters are not automatically removed upon saving the name as expected.

TF00018712
Fixed: Color text in a Web Interface message stating that a policy violation has occurred may appear as black rather than red text (red color is expected).

TF00018722; TF00025681
Fixed: On the pages for creating user accounts in the Web Interface, the "Create an Exchange mailbox" option is selected by default even though there is an ActiveRoles Server policy in effect that sets the default value of the edsaCreateMsExchMailbox attribute to False or clears that attribute.

TF00018726; TF00018727
Fixed: In the Web Interface Site for Help Desk, you may encounter an error when attempting to perform a management operation on an AD LDS user account, AD LDS proxy object, or AD LDS group.

TF00018727
Fixed: Inaccuracy in the default configuration of the Web Interface site for Help Desk: It is possible to search for AD LDS objects despite the fact that no pages for managing AD LDS objects are provided by default.

TF00018928
Fixed: Some text resources are missing from the dialog box for managing properties of a home page item in the Customization section of the Web Interface.

TF00018985
Fixed: The Quick Search function in the Web Interface fails to find AD LDS proxy objects.

TF00018989
Fixed: With a policy configured in ActiveRoles Server to control the Name property of objects, the Web Interface may fail to rename an object, returning a policy violation error on the Rename page.

TF00018991
Fixed: Misspelling in the name of the Print Jobs command in the Web Interface.

TF00018992
Fixed: Incorrect check-box label on the New Group page in the Web Interface ("Create an Exchange mailbox" instead of "Create an Exchange e-mail address").

TF00018994
Fixed: Incorrect behavior of the '"Find in" default setting' field on the Properties/Advanced page for an entry of DN syntax in the Customization section of the Web Interface: When you use the Browse for Object dialog box to modify the value in that field, clicking Cancel in the dialog box clears the existing value in the field.

TF00018996
Fixed: Some settings (for example, "Account expires" or "Account is sensitive and cannot be delegated") are read-only on the General Properties/Account page for a user account in the Web Interface even though the Web Interface user has sufficient rights to modify those settings.

TF00019384
Fixed: On the page for configuring an Exchange mailbox in the Web Interface (for example, on the New User/Create Mailbox page), the list of mailbox stores is not sorted in alphanumeric order by store name as expected.

TF00019389
Fixed: A user is allowed to retrieve change history in the Web Interface even though the user does not have the "View Change History" permission.

TF00019402
Fixed: In an environment where multiple Administration Services share common configuration data via the ActiveRoles Server replication function, the Web Interface Sites Configuration tool may fail to start, returning the following error: "System.Runtime.InteropServices.COMException (0x80005000): Exception from HRESULT: 0x80005000" The problem may occur if the Web Interface is configured with the option to connect to any available Administration Service from the replication group and the Web Interface and the connected Administration Service are running on different computers.

TF00024863
Fixed: With Approval Rules configured to control changes to user accounts, the Web Interface may generate an approval request that indicates changes to certain Terminal Services-related properties even though no changes were made to those properties upon managing a user account. The following properties are affected by this issue:
 - edsaWTSUserConfigTerminalServerHomeDir
 - edsaWTSUserConfigTerminalServerHomeDirDrive
 - edsaWTSUserConfigTerminalServerProfilePath

TF00025452
Fixed: When using the "Change History" command on a directory object, such as a user account or group, in the Web Interface, you may encounter the following problem: There is no way to view the properties of the user who made changes to the object.

TF00025642
Fixed: After an upgrade of the ActiveRoles Server Administration Service and Web Interface to version 6.0 with the option to import the configuration data from the earlier version, custom commands of the Search Task type may fail to function as expected. Thus, the filter settings on such a command may be lost after the upgrade.

TF00025644
Fixed: Incorrect behavior of the "Delete Mailbox" command on user objects in the Web Interface Site for Help Desk: If the Site for Help Desk is customized so that the "Delete Mailbox" command is added to the menu for the User type of object, then clicking a user account in the Web Interface Site for Help Desk causes "Error binding to target method.DeleteMailBox."

TF00025645
Fixed: With an E-mail Alias Generation policy that sets e-mail alias to user logon name (pre-Windows 2000) and only allows manual edits of e-mail alias in the event of a naming conflict, the Web Interface fails to perform the Establish E-mail Address task on user accounts controlled by that policy, returning the following error: "E-mail alias specified for this user account is already assigned to a different object, such as a user or group. A different e-mail alias must be specified for this user account."

TF00025682
Fixed: If the name of a user contains an apostrophe character ('), the user is unable to access the Web Interface site for self-service: Clicking "My Account" causes an error with the following error description: "Error: Object expected" or "Error: Expected ')'"

TF00025684
Fixed: On a customized Web Interface page, you may encounter incorrect display of property entries that are under the control of ActiveRoles Server policies: No links to policy descriptions are displayed next to such entries on the customized page.

TF00025689
Fixed: The "Save to file" command in the Web Interface fails to save the entire list of objects to a .csv file if the number of objects to save exceeds the limit of 3,000 items. Only 3,000 objects are saved, with the remaining objects being omitted.

TF00025692
Fixed: When added to a form, an entry of the Custom type for the Member Of property does not function as expected: The Web Interface fails to display the form to which the entry was added, returning "Error: Method Get_memberOf, line 5443 For Each objGroup In objAd.Groups"

TF00025697
Fixed: The "Change operational DC" command does not work as expected in the Web Interface: It fails to maintain a change of the operational DC. When you select a different domain controller to be used as the operational DC, the new operational DC setting is not preserved. The Web Interface reverts back to the default setting.

TF00025788
Fixed: Incorrect tab order for controls on the pages for creating or editing Web Interface sites in the Web Interface Sites Configuration tool.

TF00025819
Fixed: Incorrect formatting of the list view on the "List Existing Menus" page in the Customization section of the Web Interface site for self-service.

TF00025966
Fixed: Incorrect behavior of the Web Interface in the situation where any error has occurred upon clicking OK in the Approval Confirmation dialog box that is displayed when the operation performed by the Web Interface user (for example, the deletion of a user account) requires approval: The Web Interface treats this error condition as if the user canceled the operation instead of displaying a message to clarify the error condition, such as "Access is denied."

TF00025970
Fixed: Incorrect behavior of the Web Interface in the situation where any error has occurred upon clicking OK in the Approval Confirmation dialog box that is displayed when the operation performed by the Web Interface user (for example, changing properties of a user account) requires approval: The data entered by the user is lost from the Web Interface page.

TF00025984
Fixed: Incorrect display of an entry for an attribute of the Boolean syntax (a check box) in the Web Interface if the attribute is under the control of a Property Generation and Validation policy that generates (but does not enforce) a certain default value on that attribute: After you change the attribute value and save your changes in the Web Interface, the entry still displays the default value that is specified by the policy although the changes are properly committed to the directory. For example, if a certain check box is selected by default in accordance with the policy, clearing the check box and then clicking Save in the Web Interface causes the check box to be displayed as selected.

TF00025992
Fixed: After creating a new AD LDS user object by copying an existing AD LDS user object (through the use of the Copy command), the Web Interface displays a page for managing properties of an Active Directory user object.

TF00026025
Fixed: Incorrect behavior of the Customization section in the Web Interface upon adding entries to a form: In some limited scenarios, the "Add Entry | Select" function in the Form Editor makes it possible to configure the form to include multiple entries for the same property. As a result, the Web Interface fails to open that form in the "Directory Management" section. This problem may occur with existing, pre-defined entries each of which manages multiple properties. For example, the "Account options" entry that is specific to the AD LDS User type of object can be added to the form for managing Active Directory user accounts, although the form already contains the "Account options" entry to manage a subset of properties managed by the "Account options" entry for AD LDS user objects.

TF00026038
Fixed: In certain rare conditions, after an upgrade of the ActiveRoles Server Administration Service and Web Interface to version 6.0 with the option to import the configuration data from the earlier version, the Web Interface pages may fail to open in the Web browser, returning an error message similar to the following: "Error: The element 'FormEntry' in namespace 'arswi:customization-entries' has invalid child element 'AdAttributes' in namespace 'arswi:customization-entries'." This problem may occur if the Web Interface had the Properties pages customized prior to the upgrade.

TF00026055
Fixed: After an upgrade of the ActiveRoles Server Administration Service and Web Interface to version 6.0 with the option to import the configuration data from the earlier version, the New Printer command is missing from the default menu on organizational units in Active Directory domains.

TF00026066
Fixed: With certain language preferences set in Internet Explorer (for example, English (United Kingdom) [en-gb] or a user-defined language), the Web Interface may fail to open the Directory Management pages. Clicking Directory Management on the Home page causes the following error: "Administration Service encountered an error when searching the container object 'CN=<number>,CN=Consolidated Display Specifiers,CN=Application Configuration,CN=Configuration' Object 'CN=<number>,CN=Consolidated Display Specifiers,CN=Application Configuration,CN=Configuration' not found in the ActiveRoles Administration Database." The problem occurs if display specifiers for the specified language cannot be found in Active Directory.

TF00026122
Fixed: Incorrect behavior of the Connect option on the Profile tab of the "Terminal Services Properties" page for a user account in the Web Interface: The drive letter D: rather than Z: is selected by default for the Terminal Services home directory. In addition, the drive letter C: is missing from the list.

TF00026126
Fixed: Incorrect behavior of the "Add route" and "Delete route" buttons on the "Dial-in Properties" page for a user account in the Web Interface: These buttons are available by default although the "Apply static routes" check box is not selected.

TF00026158; TF00026065
Fixed: The Web Interface may fail to perform a search for AD LDS users or groups, returning the following error message: "Error: Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index"

TF00026253
Fixed: The Change Operational DC command may cause a script error in the Web Interface, with the following error message: Expected ';'

TF00026265; TF00026258
Fixed: The New Organizational Unit command is missing from the default menu on an AD LDS organizational unit in the Web Interface.

TF00026275
Fixed: The Deprovision command on a user account may fail in the Web Interface Site for Help Desk, returning the "Invalid xml document" error message.

TF00026284
Fixed: The page for renaming a user account in the Web Interface does not provide the ability to change the Display Name property: By default, the page does not include an entry for that property.

TF00026286
Fixed: The tree view in the "Browse for Objects" dialog box in the Web Interface uses an incorrect image for the nodes that represent AD LDS instances: The domain object icon is used to denote an AD LDS instance.

TF00026289
Fixed: A script-based policy that has the onPostCreate handler configured to move newly created objects to another location may cause an error in the Web Interface.

TF00026293
Fixed: The Web Interface may fail to save the changes to a user account in the following scenario: On the Terminal Services Properties/Environment page, select the "Start the following program at logon" check box, fill in the "Program file name" and "Start in" fields, and then click Save.

TF00026294
Fixed: If the mailbox creation process is controlled by an ActiveRoles Server policy that generates an e-mail alias and enforces certain mailbox stores, the Web Interface may fail to create a mailbox-enabled user account, returning the following error message: "Exchange Server-related operation failed. A property that is required to perform the operation is not specified. Missing property: mailNickname"

TF00026302
Fixed: Incorrect behavior of the "Cancel All Documents" command on a printer in the computer management section of the Web Interface: Upon completion of that command, the Web Interface is not redirected to an appropriate page.

TF00026303
Fixed: Incorrect behavior of the Rename operation on an object (for example, an organizational unit) if the name of the object contains non-alphanumeric characters (such as ! # " , ; < > +): When assigning a new name, the Web Interface adds extra backslash characters (\) in front of some of the non-alphanumeric characters in the new name. The same problem occurs when you only click the commit button on the Rename page, without specifying a new name: backslash characters are added to the name of the object.

TF00026308; TF00026311
Fixed: After an upgrade of the ActiveRoles Server Administration Service and Web Interface to version 6.0 with the option to import the configuration data from the earlier version, any command of the Custom type (such as "Member Of") in the Web Interface Site for Help Desk (ARServerHelpDesk) fails, returning the following error: "A null or zero length string does not represent a valid Type."

TF00026314
Enhancement: It is now possible to access the My Account page of the Web Interface site for self-service using a URL that does not include any ID of the user whose account is going to be managed. Prior to version 6.0.4, the user's DN had to be included in the URL query string.

TF00026326
Fixed: The Web Interface Sites Configuration tool fails to create a virtual directory for a Web Interface site if the name of the directory contains an underscore character (_).

TF00026336
Fixed: When customizing a form so as to add an entry for an attribute of Boolean syntax, you may encounter the following problem: The name of the entry is duplicated on the form, with an extraneous instance of the name preceding the check box that represents the value of the attribute.

TF00026356
Fixed: In an environment with multiple Administration Services deployed, the ActiveRoles Server ADSI Provider may fail to connect to the Administration Service specified in a binding string, connecting to any available Administration Service instead.

TF00026357
Fixed: After finishing the New User wizard, the Web Interface may display an incorrect set of commands in the Command Menu area. The problem occurs if the option to display properties of the newly created object is un-selected in the wizard. In this case, the Command Menu area may display commands for managing that object instead of the commands for managing the container on which the wizard was invoked.

TF00026359
Fixed: Incorrect behavior of an entry for a single-value attribute of DN syntax (for example, the Manager attribute): An error occurs when you click the Change button to specify an attribute value and then click Add in the Select Object dialog box.

TF00026362
Enhancement: The Web Interface now provides the ability to add AD LDS proxy objects to AD LDS groups using the Add function on the Members page.

TF00026363
Enhancement: The Web Interface now provides the ability to search for AD LDS proxy objects using the regular Search pages.

TF00027881
Fixed: Incorrect sizing of the dialog box that displays the license violation message in the Web Interface site for Self-Service: The message text does not fit in the dialog box, which causes a scroll bar to appear.

TF00035146
Enhancement: It is now possible to select or un-select all objects at once in the list of objects on the Members or Member Of page in the Web Interface.

TF00035150
Fixed: Truncated text on the French-language dialog box for managing properties of a home page item in the Customization section of the Web Interface.

TF00035157
Fixed: Incorrect behavior of the Logout command in the Web Interface: When logged out using that command, the Web Interface user cannot log back on to the Web Interface using different credentials (user name and password) without closing the Web browser.

TF00035158
Fixed: A policy violation error may occur in the Web Interface upon creation of a user account in the following conditions:
 - The pages for creating user accounts are customized by adding custom entry "Country/Region"
 - There is a property generation and validation policy in effect that generates certain user properties based on the Country Abbreviation property.

TF00035172
Fixed: The Web Interface site for Self-Service may fail to retain the user interface language setting in the following scenario:
 - Open the site in the Web browser and set a user interface language other than English
 - Close the Web browser; then, open the Web browser again and connect to the site by specifying the site address in all lowercase, such as arserverselfservice
As a result, the user interface language reverts to English.

TF00035440
Fixed: Incorrect behavior of the "User must change password at next logon" option during the Reset Password operation in the Web Interface: When you reset the password for a user account that has the "User must change password at next logon" option selected, and leave that option selected on the Reset Password page, the option is un-selected on the user account after the password is reset.
 

ActiveRoles Server Collector

TF00035388
Fixed: Inaccurate data for the "Inactive User Accounts" report prepared by the Collector: The report may not list users who have never logged on, even though the "Never logged on" report option is selected.
 

Management History Migration Wizard

TF00035444
Fixed: The Management History Migration Wizard may fail to transfer the Management History data from a large database (4 GB or more), returning the following error: "Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding."
 

Documentation and SDK

TF00011341
Fixed: No Help topic is displayed when you click Help on the "Options" or "Properties to Be Updated" tab in the "User Account Deprovisioning Policy Properties" dialog box.

TF00025944
Fixed: Inaccuracy in topic "The Entries Settings" in SDK documentation: the Flags attribute on the FormEntry element must be marked as deprecated.

TF00026056
Fixed: Inaccuracy in topic "Creating a Page View Command" in SDK documentation: the Action="test.aspx?param1=value1&amp;param2=value2" entry in the sample script must read Action="test.asp?param1=value1&amp;param2=value2".

TF00026068
Fixed: Inaccuracies in topic "Creating Custom Entries" in SDK documentation: extra line-feeds and missing spaces in sample scripts. Using the scripts "as is" may cause an error in the Web browser.

TF00035405
Fixed: Inaccurate header section in some of the sample script files included with SDK documentation.

TF00035459
Enhancement: Instructions on how to monitor the status of operations that are pending approval have been added to SDK documentation.

TF00035485
Fixed: Information about the numeric values of the ADS_SCOPEENUM enumeration constants (ADS_SCOPE_BASE, ADS_SCOPE_ONELEVEL, and ADS_SCOPE_SUBTREE) is missing from the "Searching for Directory Objects Using ADO" topic in SDK documentation.
 

 


Known Issues

This section provides a list of the currently known issues that customers may experience with ActiveRoles Server version 6.0.4. For each issue, the list includes an ID number, which identifies the issue, a brief description of the problem, and a workaround, if any exists, for the problem. The list is divided by component so that the issues related to each individual component of the product are grouped together:

Setup Program

TF00024066
When upgrading the Administration Service from version 5.x to version 6.0.4 with the migration option selected in the Installation Wizard, you may encounter the following problem: At the end of the installation process, the Setup program requires that the computer be restarted.

WORKAROUND
You can avoid having to restart the computer as follows: Prior to running the Installation Wizard, stop the Administration Service that you are going to upgrade. To stop the Administration Service version 5.x, enter the following command at a command prompt on the computer running that Administration Service: net stop edmsvc

 

TF00024475
If the ActiveRoles Server Language Pack and Administration Service are installed on the same computer, uninstalling the Administration Service on that computer prior to uninstalling the Language Pack causes the following problem: When attempting to uninstall the Language Pack, you encounter "Error 1920: Service 'ArsSvc' (ArsSvc) failed to start. Verify that you have sufficient privileges to start system service." As a result, the Language Pack cannot be uninstalled since the Setup program requires the Administration Service.

WORKAROUND
Install the Administration Service, uninstall the Language Pack, and then uninstall the Administration Service.

 

TF00025903
Incorrect behavior of the Web Interface Setup program: Clicking Cancel in the Web Interface Installation Wizard and then clicking "Exit Setup" may not cancel the installation process.

WORKAROUND
Wait until the Setup program has completed the installation, and then use the Add or Remove Programs tool in Control Panel to un-install the Web Interface.

 

TF00018149
When installing the Administration Service, you may encounter the following error: "A short NETBIOS name should be used for connection to SQL Server. See Release Notes.htm file, "known issues" section for details."

This error occurs in any of the following cases:

Case 1. A data loss occurred in SQL Server system tables
Case 2. The computer running the SQL Server instance was renamed
Case 3. You have used an alias to identify the SQL Server instance

To determine which case you have encountered, run the following two queries on the SQL Server instance that you specified when installing the Administration Service (enter these queries "as is," without making any substitutions for the 'servername' parameter):

select @@servername

select serverproperty('servername')

Examine the results returned by these queries:

1. If "select @@servername" returns NULL, you have encountered Case 1.
2. If "select @@servername" and "select serverproperty('servername')" return different non-null values, you have encountered Case 2.
3. If "select @@servername" and "select serverproperty('servername')" return the same non-null value, you have encountered Case 3.
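
The two checks above can be combined into a single read-only script that reports which case applies. The following T-SQL is an added example, not part of the original release notes; the variable names, column aliases and diagnosis strings are assumptions made for illustration.

```sql
-- Added example (not from the original release notes).
-- Read-only: classifies the instance into Case 1, 2 or 3 of TF00018149.
-- Run "as is" on the SQL Server instance that was specified in Setup.
-- Uses only syntax that works on older SQL Server versions
-- (no inline variable initialization).
set nocount on

declare @registered sysname        -- name recorded in the system tables
declare @actual     sysname        -- name the instance reports for itself
declare @diagnosis  nvarchar(200)

select @registered = @@servername
select @actual     = cast(serverproperty('servername') as sysname)

if @registered is null
    -- Case 1: the local server entry is missing from the system tables
    set @diagnosis = N'Case 1: @@servername is NULL (data loss in system tables)'
else if @registered <> @actual
    -- Case 2: the system tables still hold the name used before the rename
    set @diagnosis = N'Case 2: names differ (computer running SQL Server was renamed)'
else
    -- Case 3: both names agree, so the name typed in Setup was an alias
    set @diagnosis = N'Case 3: names match (an alias was used to identify the instance)'

-- serverproperty('servername') has the form computername or
-- computername\instancename, which is the form Setup expects.
select @registered as registered_name,
       @actual     as actual_name,
       @diagnosis  as diagnosis
```

The script changes nothing on the server; the corrective queries for Case 1 and Case 2 are the ones given in the workaround for this issue.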

WORKAROUND
Use the following instructions, depending on the case you have encountered, and then re-run the Setup program to install the Administration Service.

Case 1:
Run the following query against the Master database on the SQL Server instance in question, and then restart the SQL Server instance:

declare @sn sysname
select @sn = cast(serverproperty('servername') as sysname)
exec sp_addserver @sn, 'local'

Case 2:
Run the following two queries in succession against the Master database on the SQL Server instance in question, and then restart the SQL Server instance:

exec sp_dropserver @@servername, 'droplogins'

declare @sn sysname
select @sn = cast(serverproperty('servername') as sysname)
exec sp_addserver @sn, 'local'

In any case, use the following syntax to identify the SQL Server instance when installing the Administration Service:

"computername" - for the default instance
"computername\instancename" - for a named instance

In this syntax: "computername" stands for the NetBIOS name of the computer running SQL Server; "instancename" stands for the name of the SQL Server instance.

 

TF00021395
The Administration Service Setup program may fail to install the Administration Service, returning the following error:

Failed to create SQL database.
Failed to execute script. Script:
create proc GetReplicationData
                @getAll bit,
                @publication_name sysname,
                @sql_alias sysname = null,
                @database_name sysname = null

This issue occurs if the SQL Server instance you have selected to host the database for that Administration Service is configured to use case-sensitive collation.

WORKAROUND
Ensure that the SQL Server instance you want to host the database uses case-insensitive collation, and then try installing the Administration Service again.

 

TF00037391
When installing the Administration Service on a Windows Server 2008 based computer, you may encounter the following error: "Error 1920. Service 'Quest ActiveRoles Administration Service' (ArsSvc) failed to start. Verify that you have sufficient privileges to start system services."

WORKAROUND
Do not close the error message box. Use the Services tool to manage the service named Quest ActiveRoles Administration Service: On the Log On tab in the Properties dialog box for that service, specify the logon name and password of the account that you want the service to log on as, and click Apply; then, go to the General tab, and click Start. Once the service has been started, click Retry in the error message box that was displayed by the Administration Service Setup program.

 

TF00038939
After upgrade of the Web Interface, certain custom commands that were added in the earlier version of the Web Interface site for Help Desk may cease to function, returning an error: "Exception has been thrown by the target of an invocation." For example, this issue may occur with a new command of the "Form Task" type that opens the "Group Exchange Properties" form.

WORKAROUND
After you have upgraded the Web Interface, run the Setup program in maintenance mode to repair the Web Interface installation (you can run the Setup program in maintenance mode using the Add or Remove Programs tool in Control Panel: select the Quest ActiveRoles Server 6.0.x - Web Interface item and click Change).

Another option is to use the Assembly Registration tool (Regasm.exe) to register Quest.ArspWI.DirectoryServices.dll after the upgrade. The default location of the dll file to register is "%ProgramFiles%\Quest Software\ActiveRoles Server\Web Interface 6.0\6.0.4\Public\Bin\" (as applied to the Web Interface version 6.0.4). Regasm.exe can be located in the installation folder for .NET Framework. For example, if you use .NET Framework 2.0 on a 32-bit system, you can locate Regasm.exe in "C:\Windows\Microsoft.NET\Framework\v2.0.50727". So, to register the file, you could open a command prompt, change to the installation folder for .NET Framework, and enter a command of the following syntax:
    regasm.exe "<path>\Quest.ArspWI.DirectoryServices.dll"
In this syntax, <path> represents the full path to the folder containing the .dll file to register. For example, with the default installation folder for the Web Interface 6.0.4, you would enter the following command:
    regasm.exe "%ProgramFiles%\Quest Software\ActiveRoles Server\Web Interface 6.0\6.0.4\Public\Bin\Quest.ArspWI.DirectoryServices.dll"

 

Administration Service

TF00023177
If ActiveRoles Server is configured to access a managed domain using a Windows user account other than the Administration Service logon account, you may encounter the following failure events in the EDM Server event log on the computer running the Administration Service:

Event Type: Failure Audit
Event Source: EDM
Event Category: Policy
Event ID: 2001
Description:
Pre-processing operation on object caused a policy violation
Policy: DatabaseGuidLookup
Object:
Details: Administrative Policy returned an error. Login failed for user ''. The user is not associated with a trusted SQL Server connection.

This problem may occur if all of the following conditions are true:
 - ActiveRoles Server is configured to access one or more domains using a so-called "override account." When registering a domain with ActiveRoles Server, the Add Managed Domain wizard provides the option to explicitly specify the user name and password the Administration Service will use to access the domain. These are the credentials of the "override account."
 - The Administration Service uses Windows Authentication to connect to SQL Server hosting the ActiveRoles Server configuration database.

WORKAROUND
Disregard those events. The problems with the DatabaseGuidLookup policy indicated by those events should not cause any noticeable impact on the functionality or performance of ActiveRoles Server.

 

TF00022925
ActiveRoles Server may fail to update a Dynamic Group with large membership if InTrust for Active Directory is installed on the domain controller performing the update. In this case, the LSASS.exe process on the domain controller may consume a large amount of memory. In addition, the EDM Server event log may contain Warning events with the following description: "Not enough storage is available to complete the operation."

This problem occurs if all of the following conditions are true:
 - There is a Dynamic Group that includes 2000 members or more.
 - The "Built-in Policy - Dynamic Groups" policy is configured either to disallow nested groups (the "Create nested groups to accommodate extra members" check box is cleared) or to allow more than 2000 members per group.
 - Quest InTrust for Active Directory is installed on the domain controller used by the Administration Service to update the membership list of the group in question.

WORKAROUND
Use the ActiveRoles Server console to configure the "Built-in Policy - Dynamic Groups" Policy Object as follows:
 1. Locate the "Built-in Policy - Dynamic Groups" Policy Object in the "Configuration/Policy Objects/Builtin" container, and display the Properties dialog box for that Policy Object.
 2. On the Policies tab, select the policy entry from the list, and click the "View/Edit" button.
 3. On the "Policy Settings" tab, select the "Create nested groups to accommodate extra members" check box and specify a number less than 2000 in the "Maximum number of members per group" box.

 

TF00022929
When attempting to connect to a remote Administration Service using explicit credentials, you may encounter error messages providing no details on the error situation. Thus, in the ActiveRoles Server console, when you use the "Connect As" option in the "Change Administration Service" dialog box, the console may fail to establish a connection, returning an error such as the following:
 - IDispatch error #xxxx
 - Unknown error 0x8013xxxx

This problem may occur if all of the following conditions are true:
 - You are attempting to connect to a remote Administration Service, or to assign the Subscriber role to a remote Administration Service.
 - You have used the "Connect As" option in the "Change Administration Service" dialog box, and specified a different user name and password in the "Connect As" dialog box.
 - You do not have sufficient permissions to connect to the Administration Service without specifying a different user name and password. For example, the domain of your user account is not trusted by the domain of the Administration Service computer.
In this case, the console is unable to retrieve the correct error descriptions from the Administration Service. As a result, only the error codes are displayed.

WORKAROUND
Use the following steps to add the user name and password to the "Stored User Names and Passwords" list on the computer from which you want to connect to the remote Administration Service. You should add the user name and password to that list instead of specifying them in the "Connect As" dialog box provided by the ActiveRoles Server console. Note that this workaround only applies to computers running Windows XP or Windows Server 2003.
 1. Click Start, click Run, type 'control userpasswords2', and then click OK.
 2. Click the Advanced tab, and then click the "Manage Passwords" button.
 3. Add a new entry to the password list, specifying the following information:
    - Full DNS name of the remote Administration Service computer.
    - The user name and password you want to use to connect to that Administration Service.
After you complete these steps, you will be able to connect to the Administration Service without using the "Connect As" option.

 

TF00022786
When using the "Handle changes from DirSync control" option in a script-based policy, you may encounter the following problem: The policy does not execute the onPostDelete handler. This problem occurs if the Policy Object containing the policy in question is applied (linked) to an organizational unit.

WORKAROUND
Apply the Policy Object to a domain rather than to an organizational unit.

 

TF00023627
When configuring a Managed Unit to use a query-based membership rule, you may encounter the following problem: If the rule searches for Dynamic Groups, the Managed Unit is empty although the search returns a non-empty list of search results.

Some examples of membership rules causing the problem are as follows:
 - Rule type: "Include by Query"; Find: "Groups"; on the "Group Type" tab, both the "Show only groups" and "Dynamic Group" check boxes are selected.
 - Rule type: "Include by Query"; Find: "Custom Search"; LDAP query on the Advanced tab: (&(objectcategory=group)(edsaIsDynamicGroup=true))
With both these examples, the search returns the Dynamic Groups found in the scope of the search (you can verify this by clicking the "Preview Rule" button in the Find dialog box that is used to configure membership rules). However, after you add the rule to the Managed Unit, the rule has no effect: the Managed Unit does not include the Dynamic Groups matching the rule.

WORKAROUND
Configure the query-based membership rule to include the following LDAP query:
    (&(objectcategory=group)(accountNameHistory=*[DG*))
To enter an LDAP query, choose "Custom Search" from the Find list and go to the Advanced tab.

 

TF00023628
When configured to create home folders on a network share that points to a disk root directory (for example C$), the Home Folder AutoProvisioning policy fails to create home shares.

WORKAROUND
Configure the policy to create home folders on a network share that points to a certain directory within the disk root directory (for example, on a network share that points to the "C:\HOME\" directory).

 

TF00023848
Creation, modification, or deletion of a custom display specifier has no effect on a given Administration Service until that Service is restarted. A symptom is that the directory management section of the ActiveRoles Server console does not reflect the changes to custom display specifiers until you restart the Administration Service the console is connected to.

WORKAROUND
Restart each Administration Service after you have made changes to custom display specifiers.

 

TF00023885
When upgrading the Administration Service from version 5.1 to version 6.0, you may encounter the following problem: The configuration data migration option is not supported. This option is only supported when you upgrade the Administration Service from version 5.2. (See also TF00024191)

WORKAROUND
To transfer your ActiveRoles Server configuration data from version 5.1 to version 6.0, first upgrade the Administration Service to version 5.2.5 using the "in-place upgrade" option. Then, upgrade the Administration Service from version 5.2.5 to version 6.0 using the data migration option.

 

TF00024033
If the Administration Service cannot manage a domain due to insufficient rights of the service account, the console may provide no information on this error situation. Thus, you may encounter the "0x80005008" entry in the Status field on the object representing the domain in the "Configuration/Server configuration/Managed Domains" container. The problem occurs under the following conditions:
 - There are multiple Administration Services - say, Service 1 and Service 2 - that share common configuration data (for example, via ActiveRoles Server replication).
 - The domain was registered with ActiveRoles Server using Service 1, with the following option being selected: Access the domain using the service account information the Administration Service uses to log on.
 - The console is connected to Service 2, of which the service logon account does not have sufficient rights to access the domain.
In this case, Service 2 recognizes the domain as a managed domain, but cannot access it due to insufficient rights of the service account used by Service 2. The status of the managed domain reads "0x80005008". Note that the option to access the domain using the service account information causes each Service to use its own service account for that purpose, so Service 1 may be able to access the domain while Service 2 may not.

WORKAROUND
Provide an override account that ActiveRoles Server will use to access the domain:
 1. Open the Properties dialog box for the object representing the domain in the "Configuration/Server configuration/Managed Domains" container.
 2. On the General tab, in the "Access the domain using" area, click "The Windows user account information specified below" and specify the user name, password, and domain of a user account that has sufficient rights to access the domain.
With this option, each Administration Service uses the specified user account (rather than the individual service account) when accessing the domain.

 

TF00024065
If you stop the Administration Service (for example, by entering 'net stop arssvc' at a command prompt), or if you shut down the Administration Service computer, the Administration Service may exit with an unexpected error. Depending on Windows configuration, the "Windows Error Reporting" dialog box may be displayed. In some cases, the "Windows Error Reporting" dialog box will be shown only upon the next interactive logon to the computer running the Administration Service.

 

TF00024227
When you export policy check results or change history results to a file in HTML format, and then send the file as an e-mail attachment, you may encounter the following problem: Opening the attachment in Outlook displays a corrupted HTML page, with extra spaces being inserted between page sections.

WORKAROUND
Archive the file to which you have exported the results and then send the archive file as an attachment instead of sending the original file.

 

TF00024229
When configuring a Managed Unit to use a query-based membership rule, you may encounter the following problem: A membership rule based on a custom LDAP query may not work as expected if the query includes a right bracket (]). For example, the following query causes an error: (&(objectcategory=group)(accountNameHistory=*[DG]*)).

WORKAROUND
If possible, modify your query to eliminate the right brackets. In the above example, the query can be modified as follows, without loss of functionality: (&(objectcategory=group)(accountNameHistory=*[DG*))
See also TF00023627

 

TF00024437
After you have registered a number of domains from different forests as managed domains with ActiveRoles Server, and then restarted the Administration Service, you may encounter a series of warning events in the EDM Server log in Event Viewer, with Event ID 2505 and the event description stating:
"ActiveRoles Server Administration Service encountered a non-critical error.
Details: Internal event: A conflict occurred between two controlAccessRight objects with the same name but different attribute values."

WORKAROUND
Disregard those events. The problems with the controlAccessRight objects indicated by those events should not cause any noticeable impact on the functionality or performance of ActiveRoles Server.

 

TF00024439
When applying an Access Template to the "Active Directory" container in the ActiveRoles Server console, with the option to enable synchronization of the resulting permission entries to Active Directory, you encounter the following problem: The resulting permission entries are propagated from the "Active Directory" container to the managed domains held in that container, but not synchronized to Active Directory.

Thus, you can check "Advanced Details Pane" on the View menu in the console, select a managed domain under the "Active Directory" node in the console tree, and examine the permission entries on the "Native Security" tab in the lower sub-pane of the details pane, to see that the permission entries resulting from the Access Template you applied to the "Active Directory" container are marked as Absent, and displayed in red. In this case, the synchronization can only be performed manually, by right-clicking such entries on the "Native Security" tab, and then clicking the "Resync from ActiveRoles Server Security" command.

WORKAROUND
Avoid using the synchronization option when applying Access Templates to the "Active Directory" container. If you need to synchronize permission entries from ActiveRoles Server security to native Active Directory security, apply Access Templates to managed domains or objects and containers within managed domains.

 

TF00024484
When configuring ActiveRoles Server replication in a multi-forest environment, with SQL Servers located in different forests, you may encounter the following non-descriptive error message when performing the "Add Replication Partner" operation: "IDispatch error #3149."
The problem occurs if:
 - The SQL Server you are going to add as a Subscriber and the SQL Server that is the Publisher to which you are adding the Subscriber are located in different forests.
 - The "Impersonate the SQL Server Agent service account" option is selected in the New Replication Partner Wizard.
In this case, an authentication failure occurs when the Publisher SQL Server attempts to access the SQL Server you are adding as a Subscriber. The expected behavior is that the console displays a message providing some details on this error situation.

WORKAROUND
In the New Replication Partner Wizard, select the "Use SQL Server Authentication with the following login and password" option and specify a login that belongs to the sysadmin role on the SQL Server you are going to add as a Subscriber. This workaround is only applicable if SQL Server authentication mode is enabled on that SQL Server.

 

TF00024486
When applying an Access Template to a Managed Unit, with the option to enable synchronization of the resulting permission entries to Active Directory, you encounter the following problem: The resulting permission entries are inherited by the directory objects held in the Managed Unit, but not synchronized to Active Directory. The same problem occurs when you apply an Access Template to a Managed Unit Container.

Thus, you can check "Advanced Details Pane" on the View menu in the console, select a directory object held in the Managed Unit, and examine the permission entries on the "Native Security" tab in the lower sub-pane of the details pane, to see that the permission entries resulting from the Access Template you applied to the Managed Unit are marked as Absent, and displayed in red.

WORKAROUND
Avoid using the synchronization option when applying Access Templates to Managed Units or to Managed Unit Containers. If you need to synchronize permission entries from ActiveRoles Server security to native Active Directory security, apply Access Templates to directory objects rather than to Managed Units or Managed Unit Containers.

 

TF00025236
The policy compliance check in the Administration Service may inappropriately handle a policy configuration where values of certain object properties in the directory are dependent on other property values that are to be generated by a policy. Thus, when a "Property Generation and Validation" policy is configured to assign a certain property value based on a user logon name generated by a "User Logon Name Generation" policy, you encounter a policy violation error when creating a user account using the ActiveRoles Server console unless you have clicked the Generate button to have the Administration Service generate a user logon name.

WORKAROUND
If you have encountered a policy violation error when using a page that includes the Generate button, click that button to have the Administration Service generate a property value.

 

TF00025352
If the configuration of the Administration Service includes a corrupted Managed Unit (for example, one of the membership rules of the Managed Unit refers to an object that no longer exists in the directory), you may encounter a significant delay before the Administration Service completes the startup process. While the Administration Service is being started, the ActiveRoles Server console fails to connect to the Administration Service, returning "Building startup information is in progress. Wait until the information is built, and then try again." Thus, you may encounter this problem with a query-based membership rule configured to search a container that no longer exists in the directory.

WORKAROUND
Wait for the Administration Service to complete the startup process. Then, open the ActiveRoles Server console and connect to the Administration Service that experiences the problem in question. Use the console to examine the membership rules of each Managed Unit defined on the Administration Service. Delete or re-configure the membership rules that refer to non-existent objects.

 

TF00025521
In an environment where Exchange Server 2007 and the Administration Service are deployed in different forests, the Administration Service fails to create a user with a mailbox on Exchange Server 2007.

WORKAROUND
Use the Administration Service running on a computer that belongs to the forest in which Exchange Server 2007 is deployed.

 

TF00025581
In an Exchange Server 2007 organization, the Administration Service performs the Exchange tasks in the security context of the user account under which the Administration Service is running (service account). This means that the service account must have the appropriate level of access to the Exchange organization regardless of whether the Administration Service uses the service account or a different, override account to access a managed domain. If the service account is not authorized to perform Exchange tasks, the Administration Service encounters an authorization error when attempting to perform an Exchange task even though it accesses the managed domain with an override account that has sufficient rights in the Exchange organization.

WORKAROUND
To enable the Administration Service to perform Exchange-related tasks in an Exchange Server 2007 organization, configure the service account as follows:

 1. Add the service account to the "Exchange Recipient Administrators" group, located in the "Microsoft Exchange Security Groups" container in Active Directory.
 2. Ensure that the service account has read/write permission on the attributes listed in the "Access to Exchange Organization/Exchange Server 2007 Organization" section in the ActiveRoles Server Quick Start Guide. For example, you might add the service account to a domain privileged security group, such as the "Account Operators" group.

If the Administration Service is already installed and running, you should restart it after you have changed the configuration of the service account: at a command prompt, enter "net stop arssvc" to stop the Administration Service, and then enter "net start arssvc".
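
The following PowerShell check is an added example, not part of the original release notes or of the product. It confirms that the account running the Administration Service is a direct or nested member of the group named in step 1, and restarts the service only if it is; it does not verify the attribute permissions from step 2. It assumes the ActiveDirectory module is installed and that the service account and the group reside in the current domain.

```powershell
# Added example (not Quest code). Assumptions: the ActiveDirectory RSAT module
# is installed, the script runs elevated on the Administration Service computer,
# and the service account and the Exchange group are in the current domain.
Import-Module ActiveDirectory

$serviceName = 'arssvc'                             # name used in the workaround
$groupName   = 'Exchange Recipient Administrators'  # group named in step 1

# 1. Find the account the Administration Service logs on as.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' was not found on this computer." }

# StartName is 'DOMAIN\user' or 'user@domain' for a domain account;
# '.\user' (local account) is rejected by the negative lookahead.
$startName = $svc.StartName
if ($startName -match '^(?!\.\\)[^\\]+\\(?<sam>.+)$') {
    $sam  = $Matches['sam']
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
} elseif ($startName -like '*@*') {
    $user = Get-ADUser -Filter "userPrincipalName -eq '$startName'"
} else {
    throw "'$startName' is a built-in or local account, not a domain account."
}
if (-not $user) { throw "No domain user found for '$startName'." }

# 2. Resolve the group and expand nested membership.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) { throw "Group '$groupName' was not found in this domain." }
$memberSids = Get-ADGroupMember -Identity $group -Recursive |
    ForEach-Object { $_.SID.Value }

# 3. Restart only when the prerequisite from step 1 is met.
if ($memberSids -contains $user.SID.Value) {
    Restart-Service -Name $serviceName
    "Restarted $serviceName; it runs as $startName, a member of '$groupName'."
} else {
    Write-Warning "$startName is not a member of '$groupName'; service left running."
}
```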

 

TF00025722
With multiple Administration Services that synchronize configuration data using ActiveRoles Server replication, the Administration Service may fail to perform an operation requested by a client (for example, the ActiveRoles Server ADSI Provider or Console) because of a conflict between the operation execution and the configuration data synchronization process. This issue occurs in some limited scenarios and is due to certain problems with the Microsoft SQL Server replication function.

WORKAROUND
Cancel the operation and then re-attempt it after a while.

 

TF00025728
In some limited scenarios, you may encounter corruption of attribute names (wrong characters) on the page that displays a report produced by the "Change History" command. For example, this problem may occur with the Change History report on a user account that was deprovisioned via the ActiveRoles Server Web Interface using a Web browser with a non-English locale.

 

TF00025602; TF00026208; TF00026023
After an upgrade of the Administration Service, you may encounter an ActiveRoles Server replication failure in the following scenarios:

 - Configuring the database server of the upgraded Administration Service to hold the Subscriber role
 - Upgrading the Administration Service whose database server already holds the Subscriber or Publisher role

An indication of the failure could be the following statement in the replication status on one or more objects in the Configuration/Server Configuration/Configuration Databases container in the ActiveRoles Server console: "The merge process was unable to deliver the snapshot to the Subscriber." In addition, you may encounter a constraint violation-related error when attempting to add a Subscriber.

WORKAROUND
Upgrade each Administration Service in your ActiveRoles Server replication group to version 6.0.4:

 1. Use the ActiveRoles Server console to delete all Subscribers from the replication group and demote the Publisher of the replication group (for detailed instructions, refer to the "Removing Members from a Replication Group" section in the ActiveRoles Server Administrator Guide).

 2. Upgrade each Administration Service to version 6.0.4 (or later, when available); during the upgrade, choose the option to import configuration data from the database used by the Administration Service you are upgrading (for detailed instructions on how to upgrade the Administration Service, refer to the ActiveRoles Server Quick Start Guide).

NOTE When upgrading an Administration Service whose database server will hold the Subscriber role in the replication group after the upgrade, it is advisable to clear the "Import configuration data" option, because the imported data will be overwritten anyway with the data received from the Publisher when the replication group is configured after the upgrade.

 3. Use the ActiveRoles Server console to re-create the replication group: configure the Publisher and then add the Subscribers (for detailed instructions, refer to the "Creating a Replication Group" and "Adding Members to a Replication Group" sections in the ActiveRoles Server Administrator Guide).

IMPORTANT To prevent data synchronization issues, do not add Administration Services of a version earlier than 6.0.4 to the replication group you have upgraded as described in this resolution. Before adding an Administration Service to the replication group, upgrade it so that it has the same version as the other Administration Services in the replication group.

 

TF00025620
There is no option to configure an ActiveRoles Server policy for generating a user principal name (UPN) so that the UPN Suffix part of the name automatically changes if the generated name is in use by another user account. Normally, the UPN Prefix part of the name (the value of the edsaUPNPrefix attribute) is the same as the pre-Windows 2000 user logon name (the value of the sAMAccountName attribute). This ensures the uniqueness of the user principal name regardless of the UPN Suffix sett