
Active Roles 8.1.3 - SP1 Release Notes

Resolved issues

The following is a list of issues addressed in Active Roles 8.1.3 SP1 (build 8.1.3.10) and 8.1.3 (build 8.1.3.2).

Resolved issues in Active Roles 8.1.3 SP1

NOTE: The following issues were fixed only in Active Roles 8.1.3 SP1 (build 8.1.3.10). To check the build of your Active Roles 8.1.3 installation:

  • In the Active Roles Configuration Center, navigate to (Information) > Technical Information.

  • Alternatively, open the Add or Remove Programs list of the operating system, search for One Identity Active Roles, then click its entry.

Table 3: Active Roles Web Interface resolved issues
Resolved Issue Issue ID

Previously, when configuring the Send on Behalf or Forwarding Address settings of a hybrid Azure user in the Exchange Online Properties > Mail flow settings > Delivery Options form, the Web Interface showed the available objects for these settings with their object GUIDs instead of their display names. This issue did not occur when checking the Send on Behalf or Forwarding Address settings of cloud-only Azure users.

This issue is now fixed, so these settings are now much easier to use when configuring them for hybrid Azure users.

415014

Previously, when configuring Full Access permission for a user to an Exchange Online mailbox, Active Roles could fail to save the permission settings.

This issue is now fixed.

427713

Resolved issues in Active Roles 8.1.3

NOTE: The following issues were fixed both in Active Roles 8.1.3 (build 8.1.3.2) and 8.1.3 SP1 (build 8.1.3.10).

Table 4: General resolved issues
Resolved Issue Issue ID

Previously, when creating a new user with an Exchange mailbox either in the Active Roles Console or in the Web Interface, Active Roles did not populate the Mailbox database list if the performance fix described in Knowledge Base Article 4336544 was applied with a PerformanceFlag registry key value of 2 or 3.

This issue was caused by Active Roles also evaluating the values of 2 and 3 specified for the PerformanceFlag key, even though the key supports only two values: 0 (to deactivate the performance fix) and 1 (to enable it).

The issue was solved by making sure that Active Roles accepts only values 0 and 1 for the PerformanceFlag key.

417246

Previously, in Active Roles Log Viewer, the Active Roles verbose log did not use the correct delta request URL to retrieve more objects. This resulted in not all users being listed under Azure Users. This issue is now resolved.

417067

Previously, when checking the OneDrive settings of a hybrid or cloud Azure user, the Active Roles Web Interface and the Active Roles Management Shell:

  • Might not display the OneDrive site URL.

  • Showed 0 for the used and quota storage sizes.

This issue was caused by incorrect query parameters used for fetching the relevant OneDrive data, and is now fixed.

412967

Table 5: Active Roles Service resolved issues
Resolved Issue Issue ID

Previously, scheduled Active Roles operations could fail with the following error if the Active Directory domain controller (DC) assigned to perform the scheduled operation was unavailable:

The server is not operational.

This issue occurred because Active Roles did not fall back to another working DC in the Disaster Recovery Plan (DRP) process in such cases, and is now fixed.

407373

Table 6: Configuration Center resolved issues
Resolved Issue Issue ID

Previously, when importing a configuration database in the Active Roles Configuration Center, attempting to use a backup encryption key in the Import of the encrypted data tab did not work, and the encryption file could not be used to decrypt the imported database.

This issue occurred because even though the Administration Service validated the contents of the encryption file, it did not use it for the actual import process. This issue is now solved, and the key is used properly.

NOTE: As this issue is now fixed, make sure not to use the encryption file key to manually restore the encryption key after the import with the Restore-AREncryptionKey command. Use the file only when instructed during the import process.

405222

Previously, when opening the Active Roles Configuration Center and selecting the Web Interface tab, the following error could appear:

Object reference not set to an instance of an object.

This issue occurred due to errors in updating the Web Interface configuration during a product upgrade, and is now fixed.

387283

Table 7: Console (MMC Interface) resolved issues
Resolved Issue Issue ID

Previously, on rare occasions, navigating to Configuration > Server Configuration > Scheduled Tasks > Builtin, and running the Dynamic Group Updater scheduled task could result in Active Roles not being able to communicate with the Domain Controller. The Dynamic Group Updater accidentally removed all members of the dynamic group, and to re-add members, the dynamic group had to be manually rebuilt by clicking Rebuild.

The issue is now resolved.

414916

Previously, after navigating to Configuration > Server Configuration > Scheduled Tasks > Builtin, opening the Azure Manual Cache Control Properties and changing the Manual clear cache script parameter to true in Parameters, manually clearing the cache by right-clicking Azure Manual Cache Control > All Tasks > Execute failed. The following event log entry appeared:

ScriptModule: AzureCacheControl
An error occurred when executing scheduled task
The method or operation is not implemented.

The issue is now resolved: running the tasks is successful, and the Manual clear cache script parameter was removed as a result of code refactoring. The Manual clear cache script parameter was removed because it only deleted the cache, but did not refill it, which caused significant lag when using Microsoft Azure. To manually clear the cache, use Manual reload cache, which deletes and refills the cache, ensuring smooth functionality.

NOTE: If you set both the Manual delta processing and Manual reload cache script parameters to true, the script will not run and the following event log entry will appear:

More than one actions have been selected for execution in Scheduled Task parameters.

412644

Previously, when applying both an Access Template (AT) using a Full Control permission and another granular AT denying access to certain password-related attributes (such as PasswordNeverExpires, UserCannotChangePassword, UserMustChangePasswordAtNextLogon) to a user, the deny AT did not take effect for the user.

This issue was caused by the AT specifying an explicit deny not taking precedence over the AT using the Full Control permission.

The issue was fixed by ensuring that explicit deny ATs always take precedence over inherited allow permissions.

410412

Previously, in certain environments, Active Roles might not update Dynamic Groups in time when adding a new rule or forcing a rebuild. Also, in case of more than 1,000 changes, the changes were not processed until the nightly scheduled task.

To solve this problem, Active Roles features a rebuilt Dynamic Group logic that removes the 1,000 group member limit for normal group membership changes, and also ensures that changes are now always processed immediately.

405859

Previously, when configuring the mail configuration in Configuration > Server Configuration > Mail Configuration > Default Mail Settings Properties to use Exchange Web Services with Exchange Online and send approval responses by email, response emails sent by approvers could get stuck indefinitely without being processed by Active Roles. This problem did not affect approval workflows using on-premises Exchange Server mailboxes.

The issue was caused by approval notifications not supporting Exchange Web Service modern authentication, and is now fixed.

404659

Previously, when configuring the mail configuration in Configuration > Server Configuration > Mail Configuration > Default Mail Settings Properties to use Exchange Web Services with Exchange Online and send approval responses by email, the mailto: links of approval workflow notification emails always contained the service account address even if an impersonated account was configured in the mail configuration settings.

The issue was caused by approval notifications not supporting Exchange Web Service modern authentication, so Active Roles could not collect emails from the impersonated account. Instead, it was falling back to the service account address.

This issue is now fixed, so when you configure an impersonated account address, that email address will appear properly in the approval workflow email messages.

404217

Previously, undoing the deprovision of a user object that was originally licensed via group-based licensing would result in the previous license being reassigned to the object directly instead of being inherited from the group.

The issue is now fixed: if a user has a license inherited from a group, then after deprovisioning the user and undoing the deprovisioning, the license is inherited from the group again instead of being reassigned directly.

388433

Previously, after upgrading Active Roles and importing a configuration that contained a scheduled automation workflow, the workflow schedule was disabled, so the workflow could not run as originally scheduled.

The issue was caused by unintended data modification: the scheduled workflow stores the Active Roles Service GUID in a database record, but new installations could change this GUID.

The issue is now resolved by replacing the previous service GUID with the current one when importing the configuration, so that automation workflows can run as scheduled even after upgrading or reinstalling Active Roles.

326759
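
For issue 410412 above, the following added example (not Active Roles code) models why a Full Control allow can shadow a granular deny and how a deny-first order changes the decision. The Link class, the template names and the four-step ordering (explicit deny, explicit allow, inherited deny, inherited allow, borrowed from the Windows DACL canonical order) are assumptions; the release note itself only states that explicit deny now takes precedence over inherited allow.

```python
from dataclasses import dataclass

ALL = "*"  # wildcard standing in for a Full Control template (assumption of this model)

# Attribute names taken from the release note.
PASSWORD_FLAGS = [
    "PasswordNeverExpires",
    "UserCannotChangePassword",
    "UserMustChangePasswordAtNextLogon",
]


@dataclass(frozen=True)
class Link:
    """One applied Access Template, reduced to what the decision needs (hypothetical type)."""
    template: str            # constructed template name
    effect: str              # "allow" or "deny"
    attributes: frozenset    # attribute names, or {ALL}
    inherited: bool = False  # True when the template is applied on a parent container

    def covers(self, attribute):
        return ALL in self.attributes or attribute in self.attributes


def allow_wins(links, attribute):
    """Flawed evaluation: any matching allow grants access, denies are never consulted."""
    return any(l.effect == "allow" and l.covers(attribute) for l in links)


# Lower rank is evaluated first; the first matching link decides.
_RANK = {("deny", False): 0, ("allow", False): 1, ("deny", True): 2, ("allow", True): 3}


def canonical_order(links, attribute):
    """Deny-first evaluation: an explicit deny is decisive before any allow is read."""
    matching = [l for l in links if l.covers(attribute)]
    if not matching:
        return False  # nothing applies: default deny
    decisive = min(matching, key=lambda l: _RANK[(l.effect, l.inherited)])
    return decisive.effect == "allow"


def shadowed_denies(links, attributes):
    """Map each attribute where the two evaluators disagree to the deny templates involved."""
    report = {}
    for attr in attributes:
        if allow_wins(links, attr) and not canonical_order(links, attr):
            report[attr] = sorted(
                l.template for l in links if l.effect == "deny" and l.covers(attr)
            )
    return report


# Constructed sample: Full Control inherited from the OU, deny applied on the user itself.
LINKS = [
    Link("Full Control", "allow", frozenset({ALL}), inherited=True),
    Link("Deny Password Flags", "deny", frozenset(PASSWORD_FLAGS)),
]

if __name__ == "__main__":
    for attr in PASSWORD_FLAGS + ["Description"]:
        print(attr, "allow-wins:", allow_wins(LINKS, attr),
              "deny-first:", canonical_order(LINKS, attr))
    print("denies that the flawed order ignored:", shadowed_denies(LINKS, PASSWORD_FLAGS))
```

Running the same comparison over an exported list of template links shows which deny templates had no effect before the fix and are worth re-testing after upgrading.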

Table 8: Installer resolved issues
Resolved Issue Issue ID

Previously, attempting to install Microsoft OLE DB Driver for SQL Server via the Active Roles installer required users to manually install the prerequisite Microsoft Visual C++ Redistributable for Visual Studio packages, as they were not included in the Active Roles installation package.

This issue was fixed by including the packages in the installer.

411389

Table 9: Management Shell resolved issues
Resolved Issue Issue ID

Previously, the Active Roles Management Pack for SCOM showed an incorrect version number.

This issue is now fixed.

405577

Table 10: Synchronization Service resolved issues
Resolved Issue Issue ID

Previously, when synchronizing user licenses using the Azure AD or Microsoft 365 connectors, synchronization could fail. The issue was caused by querying the users' licenseDetails attribute as part of the synchronization process. When querying the licenseDetails attribute, in some cases, Microsoft Graph API responded with a 404 Not found error message, causing either the Azure AD or the M365 connector to abort the synchronization process.

The issue is now resolved: the users that get stuck in Azure AD are now bypassed during the synchronization process and do not cause any errors.

422136

Previously, when synchronizing Azure user licenses using the Azure AD or Microsoft 365 connectors, the synchronization process could fail with an Access token is expired error message.

This issue occurred in case of a very large number of users because the access token from Microsoft Graph API was only valid for 1 hour, but synchronizing the licenses took longer, and Synchronization Service did not refresh the access token.

The issue is now resolved.

419838

Previously, if you used the Synchronization Service Console with a different user than the one used for running Synchronization Service, the following errors could occur:

  • Creating and consenting a new Azure AD Connector or Microsoft 365 Connector with the auto-configuration settings could result in the following error when testing the connection:

    Connection failed
    Cannot connect using the specified connection settings.
  • Configuring Azure BackSync could fail with the following error:

    Synchronization Service has returned an error
    Active Roles cannot acquire the access token.

This issue occurred because Active Roles Synchronization Service could not properly access the secret used for authenticating these connections when you accessed Synchronization Service with a user other than the one that runs the service.

The issue was fixed by making sure that Synchronization Service can properly access the certification store where the required secret is stored, regardless of the user you use.

418137

Previously, when running Azure BackSync (or any Update sync workflow that used the Azure AD Connector) to synchronize group members after making changes to a group, Azure BackSync (or the sync workflow) failed with the following error:

One or more added object references already exist for the following modified properties: 'members'.

This issue occurred because Synchronization Service used expand queries to retrieve Azure group members (and object reference type attributes in general) with two limitations:

  • They retrieved only the first 20 member objects.

  • They did not support pagination.

As Synchronization Service retrieved only the first 20 member objects, Azure BackSync or the Update sync workflow could run into data synchronization anomalies, such as trying to assign an object to a group where it was already a member.

The issue was fixed by removing the previous limitations of the expand query, so that it can retrieve every member of a group (or every other object reference type attribute). This fix affects the following object reference type attributes:

  • Members

  • MemberOf

  • Owners

  • TransitiveMembers

  • TransitiveMemberOf

  • MembersWithLicenseErrors

  • ResourceProvisioningOptions

418031

Previously, when running a sync workflow that used the Azure AD Connector for group object mapping, Synchronization Service could not map the object reference type attributes on Azure group objects, and showed the following error:

Synchronization steps aborted. Details: the given key was not present in the dictionary.

This issue occurred because the Azure AD Connector was processing the response incorrectly when querying the affected attributes from Graph API.

The issue was fixed by updating the mapping for the following object reference type attributes, so that the Azure AD Connector can process Graph API responses correctly:

  • Members

  • MemberOf

  • Owners

  • TransitiveMembers

  • TransitiveMemberOf

  • MembersWithLicenseErrors

  • ResourceProvisioningOptions

417804

Previously, the Microsoft 365 Connector (formerly known as Microsoft Office 365 Connector) could only synchronize up to 1,000 mail users.

This limitation has been removed.

405966

Previously, when running Azure BackSync with the Azure AD Connector for several thousand users, Synchronization Service did not indicate the number of processed user objects until all user objects were processed. Because of this, it could appear that nothing happened until the on-screen counter jumped to the total number of processed objects.

The issue is fixed, and now the counter of processed objects in the Azure AD Connector increases gradually, as expected.

401938

Previously, the Azure BackSync could only synchronize up to 1,000 contacts. The issue is now resolved.

387685
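
For issue 418031 above, the following added example (not Synchronization Service code) reproduces the anomaly offline: a membership read that stops at the first 20 objects makes the sync plan additions for objects that are already members, while a read that follows the continuation link does not. The in-memory endpoints, the page size, the group and user ids and all function names are constructed stand-ins; real continuation links are opaque URLs rather than offsets.

```python
EXPAND_LIMIT = 20  # expand returned only the first 20 member objects (from the release note)
PAGE_SIZE = 10     # constructed page size for the simulated paged endpoint

# Constructed target state: one group that already has 25 members.
GROUP_MEMBERS = {"group-1": [f"user-{i:02d}" for i in range(25)]}

# Constructed source state: the same 25 members plus one genuinely new member.
DESIRED = set(GROUP_MEMBERS["group-1"]) | {"user-25"}


def get_group_expanded(group_id):
    """Simulated expand query: truncated member list and no continuation link."""
    members = GROUP_MEMBERS[group_id][:EXPAND_LIMIT]
    return {"id": group_id, "members": [{"id": m} for m in members]}


def get_members_page(group_id, skip=0):
    """Simulated paged members query: one page, plus '@odata.nextLink' while more remain."""
    members = GROUP_MEMBERS[group_id]
    page = {"value": [{"id": m} for m in members[skip:skip + PAGE_SIZE]]}
    if skip + PAGE_SIZE < len(members):
        page["@odata.nextLink"] = skip + PAGE_SIZE  # offset used in place of an opaque URL
    return page


def members_via_expand(group_id):
    """Pre-fix read: trusts the expanded list as if it were complete."""
    return {m["id"] for m in get_group_expanded(group_id)["members"]}


def members_via_paging(group_id):
    """Post-fix read: keeps requesting pages until no continuation link is returned."""
    seen, cursor = set(), 0
    while cursor is not None:
        page = get_members_page(group_id, cursor)
        seen.update(m["id"] for m in page["value"])
        cursor = page.get("@odata.nextLink")
    return seen


def run_sync(group_id, desired, fetch_current):
    """Plan member additions from the fetched view and list those the target would reject.

    A rejected addition corresponds to the 'added object references already exist'
    error quoted in the release note.
    """
    current = fetch_current(group_id)
    additions = sorted(desired - current)
    already_present = set(GROUP_MEMBERS[group_id])
    conflicts = [a for a in additions if a in already_present]
    return additions, conflicts


if __name__ == "__main__":
    for name, fetch in (("expand", members_via_expand), ("paging", members_via_paging)):
        additions, conflicts = run_sync("group-1", DESIRED, fetch)
        print(f"{name}: planned={additions} rejected={conflicts}")
```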

Table 11: Web Interface resolved issues
Resolved Issue Issue ID

Previously, after adding members to an Azure group, the value of the objectClass attribute cleared and the Azure group no longer appeared in the list of groups. This issue is now resolved.

417068

Previously, in a federated or synchronized identity Azure tenant, creating hybrid users with an Exchange Online Plan 2 license, then adding those hybrid users to a list of users with Full Access resulted in Active Roles not saving the Exchange Online delegation settings, even though the following message appeared when clicking Save:

The operation is successfully completed.

The issue is now resolved.

416873

Previously, using a personal view to open an Active Directory (AD) Organizational Unit (OU) whose name contains special character(s) resulted in the following error:

Administration Service encountered an error when retrieving properties of the object.

The issue was caused by special characters in the request URL of the Web Interface and is now resolved, with the exception of the < character. For more information, see issue 415590 in Known issues.

414564

Previously, in Customization > Global Settings, when enabling or disabling quick searches for AD LDS and Azure AD objects, clicking Save did not save your settings.

The issue is now resolved.

412961

Previously, when setting a custom global color scheme in Customization > Global settings > Color scheme, the customized Web Interface scheme could appear incorrectly in the user interface, with the sidebar colors, various selected elements and certain panes not following the base color of the scheme.

This issue was fixed by adjusting the management of customized Web Interface themes.

412961

Previously, when setting a custom global color scheme in Customization > Global settings > Color scheme, the customized Web Interface scheme could appear incorrectly in the user interface, with the sidebar colors, various selected elements and certain panes not following the base color of the scheme.

This issue was fixed by adjusting the management of customized Web Interface themes.

407336

Previously, customizing the Web Interface could negatively impact the functionality and performance of object search queries. Following customization, queries in the Web Interface could return too many objects, and query searches could slow down due to performing complex internal filtering before displaying query results in the Web Interface.

This issue is now fixed, so customized Web Interface instances now work without any such problems.

395064

Previously, searching for Azure objects took approximately 15-20 seconds.

The issue has been resolved by modifying Microsoft Graph API pagination to reduce network traffic. As a result, searching for Azure objects is now significantly faster.

389314

Previously, when configuring the Exchange Online Properties for the on-premises account of a remote shared mailbox, the Full Control permissions of the mailbox appeared blank in the Active Roles Web Interface.

388526

Previously, registering a custom primary domain name for the Azure tenant and using it in the -organization parameter in Exchange Online connection strings was not supported by Microsoft and could result in performance issues in the Active Roles Web Interface when fetching tenant information.

The issue is now resolved.

387657

Previously, when using the Customization > Directory Objects > Customize Navigation Bar > General option of the Web Interface to open the Item Properties of the Reload button or the Restore Default button, clicking OK to close the dialog without any changes and reloading the configuration resulted in the changed Reload or Restore Default button no longer working.

This issue occurred because Active Roles was unable to get the target URL of these buttons, resulting in the Item Properties > URL to open field appearing empty in the Web Interface. If this field was left empty, clicking OK in the dialog to save the button settings broke the button.

To fix the issue, the Web Interface now sends a pop-up alert to inform users that the URL to open field cannot be left empty.

322689

Previously, when enabling JavaScript and creating a button to run a workflow by following the instructions in Knowledge Base Article 4257804, the button did not work and caused the Web Interface to display the following error:

An error occurred during the last operation.
Error: Property accessor 'TaskOnclickJS' on object 'ActiveRoles.We-b.Application.Controls.TaskBoxList.TaskItemPresenter' threw the following exception:'Object reference not set to an instance of an object.'

The issue is fixed: a button added to the homepage of the Active Roles Web Interface can now run JavaScript and trigger workflows without breaking the Web Interface.

311021

Previously, when copying a shared, equipment or room mailbox in the Web Interface, the copied mailbox did not inherit the original mailbox type, and was created as a standard user mailbox instead. In other words, the value of its msExchRecipientDisplayType attribute was always set to 1073741824 instead of inheriting the original value.

This issue was caused by a Web Interface infrastructure problem, and was fixed by implementing a switch case to determine the type of mailbox and add the proper attribute during the copy process.

307164

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 12: General known issues
Known Issue Issue ID

Activating the EnableAntiForgery key (<add key="EnableAntiForgery" value="true"/> in web.config) may cause the following error message:

Session timeout due to inactivity. Please reload the page to continue.

Workaround

Update the IgnoreForValidation key in the <appSettings> section by adding a property value in lowercase:

  1. Open IIS Manager.

  2. In the left pane, under Connections, expand the tree view to Sites > Default Web Site.

  3. Under Default Web Site, click on the Active Roles application (ARWebAdmin by default).

  4. Double-click Configuration Editor.

  5. From the Section drop-down, select appSettings.

  6. Find the IgnoreForValidation key.

  7. Append the comma-separated value to IgnoreForValidation, for example: lowercasecontrolname.

  8. In the right pane, under Actions, click Apply.

  9. Recycle the App pool.

91977

Table 13: Configuration Center known issues
Known Issue Issue ID

When configured for Groups and Contacts, the Office 365 and Azure Tenant Selection policy displays additional tabs.

229031

Tenant selection supports selecting only a single tenant.

229030

In the Starling Connect Connection Settings link, clicking Next displays progress, but the functionality is not affected, so the button is not required.

126892

Table 14: Console (MMC Interface) known issues
Known Issue Issue ID

Azure objects cannot be deleted.

Workaround

In the Delete Access Templates, grant the user Read right on the ObjectClass property.

392597

Automation workflows with the Microsoft 365 script fail if multiple workflows share the same script and the script is scheduled to execute at the same time.

Workaround

One Identity recommends scheduling the workflows with different scripts or at a different time.

200328

When a workflow is copied from a built-in workflow, it may not run as expected.

153539

Azure Group Properties are not available if they are added to the Microsoft 365 Portal or Hybrid Exchange Properties from the forwarding address attribute of Exchange online users.

98186

In Active Roles with the Office 365 Licenses Retention policy applied, after deprovisioning the Azure AD user, the Deprovisioning Results for the Office 365 Licenses Retention policy are not displayed in the same window.

Workaround

To view the deprovisioning results of an Azure AD user:

  • In the Active Roles Console, right-click and select Deprovisioning Results.

  • In the right pane of the Active Roles Web Interface, click Deprovisioning Results.

  • To refresh the form, press F5.

91901

Table 15: Installer known issues
Known Issue Issue ID

After upgrading Active Roles, the pending approval tasks are not displayed in the Active Roles Web Interface.

91933

Table 16: Language Pack known issues
Known Issue Issue ID

In the Active Roles Configuration Center, changing the language in Global settings does not work properly.

Workaround

To change the language of the Web Interface, configure the language with the Active Roles 8.1.3 SP1 > Settings > User interface language option of the Web Interface.

125880

In the Active Roles Console, the O365 script execution configuration activity of the Workflow Designer is not completely localized to German.

151392

In the Active Roles Console, the German localization may contain visual issues and truncated texts.

91946

In the Active Roles Console, some strings are displayed in English instead of German in the German localization.

91942

In the Active Roles Synchronization Service, the Event Viewer messages are not translated to German.

91753

In the Active Roles Synchronization Service, the German localization does not have all connector strings translated.

91709

In the Active Roles Web Interface, some Azure-related strings are translated incorrectly for the supported languages. Translated texts may also contain link inconsistencies.

257995

In Active Roles, several German localization issues are present.

164713

In Active Roles, strings on the notification page are not localized.

153695

In the Language Pack installer, the link of the online EULA agreement in the EULA text does not work.

91925

Table 17: Synchronization Service known issues
Known Issue Issue ID

In the Synchronization Service, the following attributes of the Microsoft Azure AD Connector are currently not supported and cannot be queried via the Microsoft Graph API:

  • user attributes:

    • aboutMe

    • birthday

    • contacts

    • hireDate

    • interests

    • mySite

    • officeLocation

    • pastProjects

    • preferredName

    • responsibilites

    • schools

    • skills

  • group attributes:

    • acceptedSenders

    • allowExternalSenders

    • autoSubscribeNewMembers

    • hasMembersWithLicenseErrors

    • hideFromAddressLists

    • hideFromOutlookClients

    • isSubscribedByMail

    • membersWithLicenseErrors

    • rejectedSenders

    • unseenCount

This means that although these attributes are visible, they cannot be set in a mapping rule.

304074

After running the get-qcworkflowstatus cmdlet in the Synchronization Service, the workflow status is not accurate.

125768

Table 18: Web Interface known issues
Known Issue Issue ID

Using a personal view to open an Active Directory (AD) Organizational Unit (OU) whose name contains the < special character results in the following error:

An error occurred during the last operation.
Error: A potentially dangerous Request.Query.String was detected from the client (DN="OU\<name-property>").

The issue is caused by the special character in the request URL of the Web Interface, causing failures in the web functionality of Active Roles.

Workaround

One Identity recommends avoiding the use of the < character in the name property of an AD object.

415590

When attempting to modify or delete Azure users, contacts, or groups synchronized from an on-premises Active Directory to an Azure Active Directory, the operation either appears to be successful, but silently fails, or the operation fails with a generic error message.

If the operation appears to be successful, the following message appears:

The operation is successfully completed.

However, the operation silently fails, no error message appears, and the Azure user, contact or group is not deleted or modified.

If the operation fails, the following generic error message appears instead of a specific error message:

An error occurred during the last operation.

NOTE: Similar failures with either no error message or a generic error message may occur due to an architectural issue in the Active Roles Web Interface.

388062, 388063

If you click Azure > Resource Mailboxes to query room mailboxes after being idle for approximately 15-20 minutes, the Active Roles Web Interface will not list any room mailboxes.

Workaround

Restart the Administration Service.

293380

In the Active Roles Web Interface, Azure roles are not restored automatically after performing an Undo Deprovision action on a user.

Workaround

After the Undo Deprovision action is completed, assign the Azure roles to the user manually.

172655

Active Roles does not support creating Azure groups for existing groups.

117015

Active Roles Web Interface does not support setting the Exchange Online Property of the ProhibitSendQuota value in Storage Quotas.

91905

Table 19: Add-on Manager known issues
Known Issue Defect ID

After installing an add-on that creates Web Interface customization items, the Web Interface may not display the customization items created by the add-on.

Workaround

In the Web Interface, click Reload.

179835

After installing an add-on that creates a virtual attribute, the virtual attribute may not appear in the Advanced Properties dialog of the affected object.

Workaround

After installing the add-on, reconnect to the Administration Service.

180508

After installing an add-on that creates a virtual attribute and a Web Interface customization item using that virtual attribute, an error may occur when opening any Web Interface site.

Workaround

Restart Internet Information Services (IIS) on the web server running the Web Interface (for example, by running the iisreset command in the Windows command prompt).

If there is a replication group in your Active Roles environment, do the following:

  1. After the changes are propagated to all replication partners, click Reload in the Web Interface.

  2. If the Web Interface does not open, enter the following in the address bar of your browser to reload the Web Interface:

    <site url>/customization/metadata-Reload.aspx?ReloadFromWorkingCopy=1

  3. After the changes are propagated to all replication partners, restart Internet Information Services (IIS) on the web server running the Web Interface (for example, by running the iisreset command in the Windows command prompt).

180524

When you use Add-on Manager to uninstall an add-on, the following error may occur:

Object 'objectDN' was not found.

This error can occur if the add-on modifies an existing object during installation, and then the modified object is deleted by a user after the add-on has been installed.

Workaround

Uninstall the add-on from the command line using the /ForceUninstall parameter. For example:

AddOnManager.exe /UninstallAddon /AddonName:"my-addon" /ForceUninstall /Service:"servicename" /User:"domain\user" /Password:"password"

180700

After uninstalling an add-on that creates a virtual attribute and a Web Interface customization item that uses that virtual attribute, the Web Interface customization item created by the add-on may not be removed, and the Web Interface may return the following error:

An error occurred during the last operation.

Workaround

Perform the following steps:

  1. In the Web Interface, click the Reload command.

    If the Web Interface does not open, reload the Web Interface by entering the following URL in the address bar of your browser:

    <site url>/customization/metadata-Reload.aspx?ReloadFromWorkingCopy=1

    NOTE: If there is a replication group in your Active Roles environment, reload the Web Interface only after the changes are propagated to all replication partners.

  2. Restart Internet Information Services (IIS) on the web server running the Web Interface (for example, by running the iisreset command in the Windows command prompt).

    NOTE: If there is a replication group in your Active Roles environment, restart IIS only after the changes are propagated to all replication partners.

180721

After installing an add-on that creates Web Interface customization items, the Web Interface customization items created by the add-on may not be displayed.

This issue may occur if you provide incorrect user name and password for reloading Web Interface sites.

Workaround

In the Web Interface, click the Reload command.

180808

When you install Add-on Manager from the command-line, you may encounter the following error:

Command line option syntax error. Type Command /? for Help.

This error may occur if one or several parameters of the command contain more than 255 characters.

Workaround

Edit the command-line parameters (for example, the path to a file) so that each parameter is not longer than 255 characters.

183252

System requirements

Before installing Active Roles 8.1.3 SP1 in an on-premises environment, ensure that your system meets the following minimum hardware and software requirements.

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

To manage Azure Active Directory resources, you must install the following prerequisites in the Active Roles Configuration Center.

TIP: To run the PowerShell commands of the following modules, use the 64-bit version of Windows PowerShell.

Requirement

Version

Details

NuGet package provider

Minimum: 2.8.5.201

Maximum: 3.0.0.1

You must install the NuGet package provider on the computer(s) running Active Roles Administration Service.

For installation instructions, see Install-PackageProvider in the Microsoft Package Management documentation.

Exchange Online PowerShell V3 module

Minimum: 3.0.0

Maximum: 3.1.0

You must install the Exchange Online PowerShell module on the computer(s) running Active Roles Administration Service.

For installation instructions, see About the Exchange Online PowerShell module in the Microsoft Exchange PowerShell documentation.

Az.Accounts PowerShell module

Maximum: 2.10.3

You must install the Az.Accounts PowerShell module on the computer(s) running Active Roles Administration Service and Active Roles Synchronization Service.

For installation instructions, see Az.Accounts in the Microsoft PowerShell Gallery.

Az.Resources PowerShell module

Maximum: 6.4.1

You must install the Az.Resources PowerShell module on the computer(s) running Active Roles Administration Service.

For installation instructions, see Az.Resources in the Microsoft PowerShell Gallery.

Microsoft Graph PowerShell module

Maximum: 1.17.0

You must install the Microsoft Graph PowerShell module on the computer(s) running Active Roles Administration Service. For installation instructions, see Microsoft Graph in the Microsoft PowerShell Gallery.

Microsoft Edge WebView2 Runtime

N/A

You must install Microsoft Edge WebView2 Runtime on the computer running Active Roles Administration Service. For more information, see Introduction to Microsoft Edge WebView2 in the Microsoft Edge Developer documentation.

(Optional) One Identity certificate

N/A

If your organization enforces the AllSigned policy, you must install the One Identity certificate during the installation of Active Roles.

CAUTION: When importing PowerShell modules with the $context.O365ImportModules function, they are imported with the versions specified in the configuration of the Azure-specific prerequisites.

However, after importing the specified versions of the required PowerShell modules, running PowerShell cmdlets without passing them as a string to the $context.O365ImportModules function can cause inconsistent behavior in Active Roles. This is because if there are multiple versions of the same PowerShell module installed on the computer running the Active Roles server, PowerShell modules containing the script to run can be imported automatically with different versions.

To avoid inconsistent behavior in Active Roles caused by importing different versions of the same PowerShell module, run PowerShell cmdlets only by passing them as a string to the $context.O365ImportModules function.
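The following added example (not part of the Active Roles documentation) audits a server against the version bounds in the table above and flags modules installed in more than one version, which is the condition the CAUTION describes. The module names ExchangeOnlineManagement and Microsoft.Graph are assumed to be the PowerShell Gallery names of the modules listed; the function names are hypothetical.

```powershell
# Added example: compare installed prerequisites with the supported version ranges.
# Version bounds come from the requirements table; module names are assumed Gallery names.
$requirements = @(
    @{ Name = 'ExchangeOnlineManagement'; Min = '3.0.0'; Max = '3.1.0'  }
    @{ Name = 'Az.Accounts';              Min = $null;   Max = '2.10.3' }
    @{ Name = 'Az.Resources';             Min = $null;   Max = '6.4.1'  }
    @{ Name = 'Microsoft.Graph';          Min = $null;   Max = '1.17.0' }
)

function Test-VersionInRange {
    param([version]$Version, [string]$Min, [string]$Max)
    if ($Min -and $Version -lt [version]$Min) { return $false }
    if ($Max -and $Version -gt [version]$Max) { return $false }
    return $true
}

function Get-RangeStatus {
    # Classifies a set of installed versions against one requirement.
    param([string]$Name, [version[]]$Versions, [string]$Min, [string]$Max)
    $inRange = @($Versions | Where-Object { Test-VersionInRange -Version $_ -Min $Min -Max $Max })
    $status =
        if     ($Versions.Count -eq 0) { 'Missing' }
        elseif ($inRange.Count  -eq 0) { 'NoSupportedVersion' }
        elseif ($Versions.Count -gt 1) { 'MultipleVersions' }   # auto-import may pick a different one
        else                           { 'OK' }
    [pscustomobject]@{
        Name      = $Name
        Installed = ($Versions -join ', ')
        Supported = "$Min .. $Max"
        Status    = $status
    }
}

# The TIP above asks for 64-bit Windows PowerShell; a 32-bit session sees a different module path.
if (-not [Environment]::Is64BitProcess) {
    Write-Warning 'Run this check from 64-bit Windows PowerShell.'
}

$report = foreach ($req in $requirements) {
    $versions = @(Get-Module -ListAvailable -Name $req.Name |
                  Select-Object -ExpandProperty Version | Sort-Object -Unique)
    Get-RangeStatus -Name $req.Name -Versions $versions -Min $req.Min -Max $req.Max
}

# NuGet is a package provider, not a module, so it is queried separately.
$nuget = @(Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue |
           ForEach-Object { [version]"$($_.Version)" } | Sort-Object -Unique)
$report = @($report) + (Get-RangeStatus -Name 'NuGet (provider)' -Versions $nuget -Min '2.8.5.201' -Max '3.0.0.1')

$report | Format-Table -AutoSize
```

A MultipleVersions row means at least one supported version is present alongside others, so cmdlets run outside $context.O365ImportModules may load a different version than the one Active Roles imported.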

Hardware requirements
Table 20: Hardware requirements
Requirement Details

Processor

NOTE: The number of cores required depends on the size of the environment and the total number of managed objects.

For Administration Service, Web Interface and Synchronization Service, any of the following:

  • Intel 64 (EM64T)

  • AMD64

  • Minimum 2 cores

  • CPU speed: 2.0 GHz or faster

NOTE: For Active Roles Synchronization Service, One Identity recommends using a multi-core CPU for the best performance.

For Console, SPML Provider and Management Tools, any of the following:

  • Intel x86

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 1.0 GHz or faster.

Memory

NOTE: The amount of RAM required depends on the size of the environment and the total number of managed objects.

Administration Service:

A minimum of 4 GB of RAM.

Web Interface, Synchronization Service:

A minimum of 2 GB of RAM.

Console, SPML Provider and Management Tools:

A minimum of 1 GB of RAM.

Hard disk space

Administration Service, Web Interface, Console, SPML Provider and Management Tools:

A minimum of 100 MB of free disk space.

Synchronization Service:

A minimum of 250 MB of free disk space.

NOTE: If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.

Operating system

You can install any of the Active Roles components on a computer running:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

Active Roles supports the Standard or Datacenter edition of these operating systems.

In addition, you can install the Active Roles Console and Management Tools on a computer running:

  • Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64).

  • Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64).

Component requirements

CAUTION: To avoid inconsistent behavior in Active Roles when managing Azure Active Directory resources, you must enable Transport Layer Security (TLS) protocol version 1.2. For more information, see TLS 1.2 enforcement for Azure AD Connect in the Microsoft Azure documentation.

All Active Roles components require:

Table 21: Administration Service requirements
Requirement

Details

SQL Server

You can host the Active Roles database on the following SQL Server versions:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Operating system on domain controllers

The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

NOTE: The supported domain functional level is Windows Server 2008 R2 or higher.

Exchange Server

Active Roles is capable of managing Exchange recipients on:

  • Microsoft Exchange Server 2019

  • Microsoft Exchange Server 2016

Table 22: Web Interface requirements
Requirement

Details

Internet Services

Active Roles Web Interface requires the Web Server (IIS) server role with the following role services:

  • Web Server/Common HTTP Features/

    • Default Document

    • HTTP Errors

    • Static Content

    • HTTP Redirection

  • Web Server/Security/

    • Request Filtering

    • Basic Authentication

    • Windows Authentication

  • Web Server/Application Development/

    • .NET Extensibility

    • ASP

    • ASP.NET

    • ISAPI Extensions

    • ISAPI Filters

  • Management Tools/IIS 6 Management Compatibility/

    • IIS 6 Metabase Compatibility

Feature delegation

Internet Information Services (IIS) must provide Read/Write delegation for the following features:

  • Handler Mappings

  • Modules

To confirm that these features have the Read/Write delegation configured, use the Feature Delegation option of the native Internet Information Services (IIS) Manager tool of the operating system.

.NET Trust Levels

The .NET Trust Level must be set to Full (internal) on every computer where the Web Interface component is installed.

To configure this setting:

  1. In the system-provided Internet Information Services (IIS) Manager tool, under Connections, expand the node of the computer, and navigate to Sites > Default Web Site.

  2. On the Default Web Site Home page, double-click .NET Trust Levels.

  3. Under Trust level, select Full (internal).

NOTE: Setting the .NET Trust Level to any other value will result in a failure when attempting to load any of the configured Active Roles Web Interface sites.

Web browser

You can access Active Roles Web Interface using:

  • Mozilla Firefox 36 (or newer) on Windows.

  • Google Chrome 61 (or newer) on Windows.

  • Microsoft Edge 79 (or newer), based on Chromium on Windows 10.

You can use a later version of Firefox and Google Chrome to access Active Roles Web Interface. However, the Active Roles Web Interface was tested only with the browser versions listed above.

Minimum screen resolution

Active Roles Web Interface is optimized for screen resolutions of 1280x800 or higher.

The minimum supported screen resolution is 1024x768.

Table 23: Console requirements
Requirement

Details

Web browser

Active Roles Console requires Microsoft Edge 79 (or newer), based on Chromium.

Table 24: Management Tools requirements
Requirement

Details

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Remote Server Administration Tools (RSAT)

To manage Terminal Services user properties by using Active Roles Management Shell, Active Roles Management Tools requires Remote Server Administration Tools (RSAT) for Active Directory.

For more information on installing the RSAT version applicable to your operating system, see Remote Server Administration Tools (RSAT) for Windows in the Microsoft Windows Server documentation.

Table 25: Synchronization Service requirements
Requirement

Details

Operating system on domain controllers

The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

NOTE: The supported domain functional level is Windows Server 2008 R2 or higher.

SQL Server

You can host the Active Roles Synchronization Service database on:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Supported connections

Active Roles Synchronization Service can connect to the following data systems:

  • Data sources accessible via an OLE DB provider.

  • Delimited text files.

  • IBM AS/400, IBM Db2, and IBM RACF systems.

  • LDAP directory service.

  • Micro Focus NetIQ Directory systems.

  • The following Microsoft services and resources:

    • Active Directory Domain Services (AD DS) with the domain or forest functional level of Windows Server 2016 or higher.

    • Active Directory Lightweight Directory Services (AD LDS) running on any Windows Server operating system supported by Microsoft.

    • Azure Active Directory (Azure AD) using Microsoft Graph API version 1.0.

    • Exchange Online services.

    • Exchange Server with the following versions:

      • Microsoft Exchange Server 2019

      • Microsoft Exchange Server 2016

    • Lync Server version 2013 with limited support.

    • SharePoint 2019, 2016, or 2013.

    • SharePoint Online service.

    • Skype for Business 2019, 2016 or 2015.

    • Skype for Business Online service.

    • SQL Server, any version supported by Microsoft.

  • One Identity Active Roles version 7.4.3, 7.4.1, 7.3, 7.2, 7.1, 7.0, and 6.9.

  • One Identity Manager version 8.0 and 7.0 (D1IM 7.0).

  • OpenLDAP directory service.

  • Oracle Database, Oracle Database User Accounts, and Oracle Unified Directory data systems.

  • MySQL databases.

  • Salesforce systems.

  • SCIM-based data systems.

  • ServiceNow systems.

Legacy Active Roles ADSI Provider

To connect to Active Roles version 6.9, install the Active Roles ADSI Provider. For more information, see Installing additional components in the Active Roles Quick Start Guide.

One Identity Manager API

To connect to One Identity Manager 7.0, install One Identity Manager Connector on the computer running Active Roles Synchronization Service. This connector works with the RESTful web service and no SDK installation is required.

Internet connection

To connect to cloud directories or online services, the machine running Active Roles Synchronization Service must have a stable Internet connection.

Table 26: Synchronization Service Capture Agent requirements
Requirement

Details

Operating system

The DCs on which you install Active Roles Synchronization Service Capture Agent must run one of the following operating systems with or without any Service Pack:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

For more information, see the Active Roles Synchronization Service Administration Guide.

Table 27: Language Pack requirements
Requirement

Details

Active Roles version

The Active Roles 8.1.3 SP1 Language Pack requires Active Roles version 8.1.3 SP1 of the Administration Service, Configuration Center, Console, Synchronization Service or the Web Interface installed on the target machine.

The Active Roles 8.1.3 SP1 Language Pack will not work properly with earlier versions of Active Roles.

Operating system

You can install the Active Roles Language Pack on 64-bit operating systems only.

Table 28: Add-on Manager requirements

Requirement

Details

Processor

Any of the following:

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 1.0 GHz or faster

Memory

A minimum of 1 GB of RAM.

Hard Disk Space

A minimum of 100 MB of free disk space.

Operating System

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

In addition, you can also install Add-on Manager on a computer running:

  • Microsoft Windows 10, Professional or Enterprise edition, 64-bit (x64)

Active Roles Console

Add-on Manager requires Active Roles 8.1.3 SP1 Console installed.

Microsoft Windows PowerShell

Windows PowerShell 5.1 or later

Web Browser

Microsoft Edge 79 or newer (based on Chromium)

Table 29: Diagnostic Tools requirements

Requirement

Details

Processor

1.0 GHz or faster 32-bit (x86) or 64-bit (x64) CPU.

Memory

NOTE: The amount of RAM required depends on the size of the log file opened with the Log Viewer tool.

A minimum of 1 GB of RAM.

Hard disk space

A minimum of 10 MB of free disk space.

Operating system

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

Table 30: Data Collector and Reporting Pack requirements

Requirement

Details

Processor

Any of the following:

  • Intel x86

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 2.0 GHz or faster.

Memory

A minimum of 2 GB of RAM.

Hard disk space

  • 12 MB for the Data Collector and Reporting Pack.

  • 10 GB for the SQL Server Reporting Services.

Operating system

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

SQL Server and SQL Server Reporting Services

You can host the Active Roles Data Collector and Reporting Pack on the following SQL Server versions:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).

Active Roles ADSI Provider

Active Roles 8.1.3 SP1 Management Tools must be installed.

Deployment requirements on AWS

Before deploying Active Roles 8.1.3 SP1 in Amazon Web Services (AWS) to manage AWS Managed Microsoft AD via AWS Directory Service, ensure that the following prerequisites are met.

Connectivity requirements

You must have:

  • Stable network connectivity to Amazon Web Services (AWS).

  • Port 1433 open and available for the Amazon Relational Database Service (RDS) service.

  • Access to the AWS service with the AWSAdministratorAccess permission.

    NOTE: Make sure that you have AWSAdministratorAccess permission, as it is required for certain configuration steps. The AWSPowerUserAccess permission is not sufficient for completing the entire configuration procedure.

Infrastructure requirements

To deploy and configure Active Roles for AWS Managed Microsoft AD, you must have access to the following AWS services and resources:

  • AWS Managed Microsoft AD deployed via AWS Directory Service.

  • One or more Amazon Elastic Compute Cloud (EC2) instance(s) hosting the Active Roles services and components.

    The EC2 instance(s) must have, at minimum:

    • 2 vCPUs running at 2.0 GHz.

    • 4 GB of RAM.

    TIP: One Identity recommends hosting the main Active Roles services and components (the Active Roles Service and Console, and the Active Roles Web Interface) on separate EC2 instances. If you deploy all Active Roles services and components in a single EC2 instance, use a more powerful instance to ensure a better user experience for the product.

    NOTE: AWS Managed Microsoft AD support was tested with a single t2.large EC2 instance.

  • An Amazon Relational Database Service for SQL Server (RDS for SQL Server).

    NOTE: AWS Managed Microsoft AD support was tested with an RDS instance running the latest version of Microsoft SQL Server.

Make sure that all these components are discoverable or visible to each other.
