This section summarizes the major configuration, deployment, and maintenance features of Active Roles.
Introduction
About Active Roles
Main Active Roles features
Technical overview of Active Roles
Administrative rules and roles
Presentation components
Examples of use
Active Roles Console (MMC Interface)
Service components
Network data sources
Security and administration elements
Console tree
Details pane
Advanced pane
View mode
Trustees, permissions, roles and Managed Units
Finding directory objects
Active Roles Web Interface
Web Interface parts
Active Roles Management Shell
Custom interfaces
Active Roles ADSI Provider
Active Roles Reporting
Web Interface Navigation bar
Web Interface Browse pane
Web Interface Object list
Web Interface Toolbar
Web Interface Command pane
Web Interface Summary pane
Web Interface Personal views
Locating directory objects in the Web Interface
Access Templates for role-based administration
Policy Objects to enforce corporate rules
Managed Units to provide administrative views
Active Directory security management
Customization using ADSI Provider and script policies
Dynamic groups
Workflows
Operation in multi-forest environments
Managed Units
Access Templates
Configuring and administering Active Roles
How Access Templates work
Applying permissions with Access Template
Access Template link management
Synchronizing Access Template permissions to Active Directory
Adding, modifying, or removing permissions to Access Templates
Nesting Access Templates
Examples of using Access Templates
Access Rules
Scenario 1: Implementing a helpdesk
Deployment considerations for Access Templates
Preparing a helpdesk Access Template
Creating a helpdesk group
Applying the Help Desk Access Template
Scenario 2: Implementing Self-Administration
Understanding Access Rules
Conditional Access Template links
Management of Windows claims
Claim Type management overview
Active Roles Synchronization Service
Bidirectional synchronization
Delta processing
Group membership synchronization
Windows PowerShell scripting
Attribute synchronization rules
Rule-based generation of Distinguished Names
Synchronization scheduling
Extensive data system support
Exchange Resource Forest Management
Skype for Business Server User Management
Active Roles Setup wizard
Active Roles Configuration Center
Support for AWS Managed Microsoft AD
Configuration Center components
Configuring a local or remote Active Roles instance
Running the Configuration Center
Supported Configuration Center tasks
Active Roles Configuration Shell
Using the System Checker
Active Roles Log Viewer
Voluntary threshold for managed object count
Installation label
Safe mode
Initial configuration tasks
Configuration management tasks
Administration Service management tasks
Viewing the core Administration Service settings
Modifying the core Administration Service settings
Importing configuration data
Importing Management History data
Checking the state of the Administration Service
Starting, stopping or restarting the Administration Service
Web Interface management tasks
Identifying the Web Interface sites
Creating a Web Interface site
Modifying a Web Interface site
Deleting a Web Interface site
Exporting the configuration of a Web Interface site to a file
Delegating user access to the Active Roles Console
Configuring Active Roles logging settings
Configuring Solution Intelligence
Supported AWS Managed Microsoft AD deployment configuration
Supported Active Roles features with AWS Managed Microsoft AD
Active Roles feature limitations when using AWS Managed Microsoft AD
FIPS compliance
LSA protection support
Configuring and administering Active Roles
Configuring and administering Active Roles
Active Roles Setup wizard
The Active Roles Setup wizard facilitates the evaluation, deployment, upgrade and configuration of Active Roles. The key highlights of the wizard include the following:
-
Unified setup process: Active Roles is shipped with a single wizard for installing all core product components, including the Administration Service, the Web Interface, and the Console (also known as the MMC Interface).
-
Configuration Center: After installation, Active Roles launches the Configuration Center, an application that you can use to perform the core configuration tasks after installation, or to finish upgrading Active Roles. As such, the Configuration Center lets you configure Administration Service instances and deploy Web Interface sites. For more information on the Configuration Center, see Active Roles Configuration Center.
-
Side-by-side deployment: The Active Roles Setup allows you to deploy new Active Roles versions side-by-side on the same computers with Active Roles 6.9. This allows you to use the same hardware and infrastructure to run newer versions of Active Roles while also keeping Active Roles 6.9 deployed for your business needs.
CAUTION: Upgrading from Active Roles 6.9 to a newer version is only meant to be a temporary solution, as the side-by-side installation of two different Active Roles versions can have a negative impact on the environment.
Different versions of Active Roles are not supported in the same Active Directory domain. Different versions of Active Roles servers in the same AD domain will cause issues with dynamic groups, policies, workflows, or custom scripts, and can also cause conflicts in product functionality.
When upgrading Active Roles to a later version, One Identity recommends to upgrade all servers running Active Roles components to the same version to be in a supported configuration.
For more information, see Knowledge Base Article 4307177.
NOTE: To avoid potential conflicts with Active Roles 6.9, newer versions of the product use a different name for the Windows service of the Administration Service and for the default Web Interface sites.
-
Separate component installation files: Although the Active Roles Setup allows you to install every major product component at once, the installation *.iso delivers each component (such as the Administration Service, the Web Interface, the Add-on Manager, the SPML Provider, or the Management Shell) in separate *.msi files. This allows you to install the various Active Roles components individually without the need of running the Active Roles Setup.
Active Roles Configuration Center
The Active Roles Configuration Center is a configuration application that provides a unified configuration platform for the Active Roles Administration Service and the Web Interface component. This allows administrators to perform the core Active Roles configuration tasks from a single application, including the following:
-
Performing the initial configuration of Active Roles, such as setting up the Administration Service instances and the default Web Interface sites.
-
Importing the configuration database and the management history database from earlier Active Roles versions.
-
Managing the core Administration Service resources, such as the Active Roles Admin account, service account, and database connections.
-
Creating new Web Interface sites either based on the site configuration objects of the current Active Roles version, or by importing site configuration objects from earlier Active Roles versions.
-
Managing core Web Interface site settings, such as site addresses on the web server, or the configuration object in the Administration Service.
-
Configuring secure communication for the Active Roles Web Interface through forced SSL redirection.
-
Integrating Active Roles with One Identity Starling. For more information, see One Identity Starling Join and configuration through Active Roles in the Active Roles Administration Guide.
-
Managing user login settings for the Active Roles Console (also known as the MMC Interface).
-
Configuring Federated Authentication, allowing you to access an application or website by authenticating against a certain set of rules, known as "claims".
-
Configuring log management and Solution Intelligence.
For more information on these features, see the following subsections.
Getting Started
Active Roles Configuration Center is automatically installed and started by default if you select to install either the Administration Service or the Web Interface components to a computer. Later, you can start Configuration Center again either from the Windows Start menu, or from the Apps page of the operating system.
Configuration Center components
Configuring and administering Active Roles > Active Roles Configuration Center > Configuration Center components
The Configuration Center provides a unified, single, simple, wizard-based user interface for all core Active Roles configuration tasks, making it a single point of access to all management wizards for all configuration tasks.
The Configuration Center consists of the following elements.
Initial configuration wizards
After installing Active Roles, the Configuration Center allows administrators to run the initial configuration wizards and create the new Active Roles instance, including the Administration Service and the Web Interface.
Hub pages and management wizards
Once the initial configuration is completed, the Configuration Center provides a consolidated view of the core Active Roles configuration settings, and offers tools for changing those settings.
The hub pages of the Configuration Center show the current settings specific to the Administration Service and the Web Interface, including the commands to start the management wizards for changing those settings. The available hub pages are the following:
-
Administration Service: This page allows administrators to:
-
View or change the Active Roles Admin account, service account, and databases.
-
Import the configuration data and management history data either from an earlier Active Roles version or from the current Active Roles database.
-
View status information, such as whether the Administration Service is started and ready for use, stopped, or being restarted (along with the options to start, stop and restart the service).
-
-
Web Interface: This page allows administrators to:
-
View, create, modify or delete Web Interface sites. The configurable site settings include the site address, and the configuration object that stores the site configuration data in the Administration Service.
When creating or modifying a Web Interface site, administrators can either reuse an existing configuration object, or create a new one based on a template or by importing data from another configuration object or from an export file.
-
Export the configuration of any existing Web Interface site to a file.
-
Open each site in a web browser.
-
Configuration Shell
The ActiveRolesConfiguration module (also known as the Configuration Shell) of the Active Roles Management Shell allows administrators to access all Configuration Center features and functions from a Windows PowerShell command-line interface or with scripts, facilitating the unattended configuration of Active Roles components. The ActiveRolesConfiguration module provides cmdlets for key configuration tasks, such as:
-
Creating the Active Roles database.
-
Creating or modifying the Administration Service instances and the Web Interface sites.
-
Performing data exchange between Active Roles databases and between site configuration objects.
-
Querying the current state of the Administration Service.
-
Starting, stopping or restarting the Administration Service.