How To: Upgrading to Active Roles 8.0.x LTS from 8.0.0 LTS or later using in-place upgrade method (4371505)

How To: Upgrading to Active Roles 8.0.x LTS from 8.0.0 LTS or later using in-place upgrade method

Active Roles can be upgraded from 8.0.0 LTS to Active Roles 8.0.x LTS using one of the following methods:
 

• In-place upgrade: Install the latest version of Active Roles on the computer without removing the earlier version.
• New installation: Install the latest version of Active Roles and import the database from the earlier version of Active Roles.

This article will be detailed the method of an in-place upgrade, for instructions on how to install and initially configure Active Roles, see the Active Roles Quick Start Guide.

NOTE: Although this is just a patch release with no new features or functionality, it will be required to create a new Configuration and Management History DB and import them from the previous database into the new one.
 

For special considerations regarding the upgrade of Active Roles 8.0.x LTS, see the following information and prerequisites for an in-place upgrade from Active Roles 8.0.0 LTS

 

• Before upgrading, One Identity recommends backing up the Active Roles database. For more information on general best practices, see Create a Full Database Backup in the Microsoft SQL documentation. 
• One Identity recommends backing up the current Web Interfaces if any customizations have been implemented. Any Web Interface sites that were created in Active Roles 8.0.0 LTS will continue to function in 8.0.x. LTS. However, it is recommended to thoroughly test before upgrading.
• If there are any replication partners configured, it must be removed/broken before.
• As part of the upgrade process, Active Roles creates new databases with default names (ActiveRoles801 and ActiveRoles801_MH) make sure that the SQL Server has enough space available.
• If a limited SQL access account is used for performing the in-place upgrade, a manual action is required to pre-create the new Active Roles databases. For more information, see Knowledge Base Article 4303098 on the One Identity Support Portal.
• One Identity recommends approving all pending approval activities before performing the in-place upgrade.
• The in-place upgrade of Active Roles 8.0.x LTS does not upgrade the Active Roles solution components such as SPML Provider, Add-on Manager, Add-ins for Outlook, Diagnostic Tools, and so on. To upgrade the solution components installed with Active Roles, use the respective installers available in the Active Roles installation package.

 

IMPORTANT: During in-place upgrade, when importing from the source database (Configuration and Management History database), the following database permissions are automatically migrated from the previously used (source) SQL database to the new (destination) SQL database:
 

• Active Roles database users with associated permissions.
• SQL logins mapped to Active Roles database users.
• Roles.

 

The service account that is used for performing the in-place upgrade or the import or migration operation should have the following permissions in the SQL Server to perform the operation:
 

• db_datareader fixed database role in the source database.
• db_owner fixed database role and the default schema of dbo in the destination database.
• sysadmin fixed server role in the destination database.

 

By default, the database users, permissions, logins, and roles are imported to the destination database. You can clear the Copy database users, permissions, logins, and roles check box in the following locations depending on the operation:
 

• During in-place upgrade: in the Upgrade configuration window.
• Importing configuration: Import Configuration > Source Database > Configure advanced database properties.
• Importing management history: Import Management History > Source database > Configure advanced database properties.

Changes related to Azure tenants
NOTE: If the organization has any Azure tenants that are managed with Active Roles, it will be required to reauthenticate and reconsent them after installing Active Roles 8.0.x LTS. Otherwise, Active Roles will not receive the required permissions for managing existing Azure tenants, and tenant administration in Active Roles 8.0.x LTS will not work correctly.


Changes related to Active Roles Synchronization Service
NOTE: Active Roles 7.5 has introduced support for Modern Authentication in the Azure BackSync workflows of the Active Roles Synchronization Service. After upgrading to Active Roles 8.0.x LTS from an earlier version, if previously had an Azure BackSync workflow configured, it will be prompted to reconfigure it in the Active Roles Synchronization Service Console.

CAUTION: If previously had an Azure BackSync workflow configured in Active Roles Synchronization Service, and more than one Azure Active Directory (Azure AD) service is configured, it must specify the Azure AD for which want to configure Azure BackSync. Failure to do so may either result in directory objects not synchronized at all, or synchronized to unintended locations.
 

The following steps describe the in-place upgrade scenario for Active Roles 8.0.1

1. Log on with a user account that has administrator rights on the computer.
2. Navigate to the location of the Active Roles distribution package, and start the Setup wizard by double-clicking ActiveRoles.exe
3. Accept the licensing agreement and click Next.

4. Review the summary and warning. If the Office 365 Add-On is installed in the instance, uninstall it before continuing.

5. Make sure the minimum requirement are matches, otherwise the upgrade button will be greyed out.

6. Check the box "I want to perform configuration" and click finish, wait until the wizard upgrades all components listed in step 5;

7. Once Active Roles is installed, open the Active Roles Configuration Center in Windows. The Upgrade configuration wizard will automatically appear.
8. On the Upgrade configuration wizard, select the check box to confirm that you have read the instructions in the Quick Start guide regarding "Configuring Active Roles for in-place upgrade".

NOTE: If the disk space in SQL server is insufficient, then an error is displayed prompting you to increase the disk space.

9. To reauthenticate existing Azure tenants, proceed to the Reauthenticate tenants step and click Reauthenticate next to each Azure tenant.

10. Consider the following when reauthenticating existing Azure tenants:

• If reauthentication is successful, the Azure tenant will disappear from the list, and the Reauthenticate tenants step shows a confirmation message.
• If reauthentication fails, the Azure tenant will remain on the list. Reauthentication can typically fail if there is a service outage in Azure AD, or in case of internet connectivity issues in your network. If reauthentication keeps failing, try performing it later after completing the Upgrade configuration wizard by removing, reading and consenting the Azure tenants to Active Roles via the Azure AD Configuration tab of the Active Roles Configuration Center. For more information, see Reconfiguring Azure tenants manually.

NOTE: Consent permission once the upgrade has finished through the Configuration Center.

11. The Services association page allows the Active Roles Admin to configure the Administration services for executing Dynamic Groups, Group Families, and Scheduled tasks from the drop-down list.
The available options in the drop-down list are This Server and Other, where choosing Other allows to specify any other Administration Service in a fully qualified domain name (FQDN) format. If the value is empty, then the current administration service is used.
 

NOTE: Services association does not update certain scheduled tasks, For example, scheduled tasks that cannot be edited (Managed Object Counter) or scheduled tasks that are set to All servers option. It can choose to run the Services association immediately or schedule Services association.
 

NOTE: If Services association is scheduled at a certain time and the upgrade/import operation is still in progress or completes after the Services association scheduled time, the services are not associated. You have to run the built-in scheduled task Update Services To ExecuteOn from the Active Roles console to manually associate the Services.
 

To ensure Dynamic Groups, Group Families, and Scheduled tasks continue to function after an import the installation configures the new Active Roles server as the executing server for the tasks mentioned above. The configuration mentioned here runs after an upgrade.
 

NOTE: Alternatively, Services association can be performed at any time using the template workflow Update Services To Execute On available in the built-in Workflow Container. The parameters in the script used by the workflow can be configured to the required administration services, such as Dynamic Group Service, Group Family Service, and Scheduled Task Service. You can select the Administration Service from the drop-down list. The drop-down list displays all the currently running Administration Services that are connected to the current configuration database. If the parameter value is not selected, then the current Administration Service is used.

  12. Review the details provided and click Upgrade to start the upgrading process.

13. The upgrade starts and the Execution tab displays the Progress bar for the upgrade. After the database upgrade is complete, the Active Roles Service is automatically started and ready for use.

14. The Management History database is not imported during the in-place upgrade. In this case, it should be imported manually through Configuration Center. In order to further assist you, please refer to our KB146810

After the database upgrade is complete, the Active Roles Service is ready for use.

NOTE: To upgrade multiple Active Roles Service instances, log in to the individual systems where Active Roles Service was upgraded, and perform the in-place upgrade steps for each Service.

 

Upgrade steps detail additional instances in a scenario of using a shared database

If multiple instances of the Administration Service use a single database, then the upgrade can be performed as follows:

1. Upgrade one of the Administration Service instances as described in Upgrading the Administration Service. As a result of this step, there is an Administration Service instance of the new version connected to the new database containing the data imported from the old database. The other instances of the Administration Service are not upgraded at this point; they continue to use the old database.
2. Now that the upgraded instance has the database of the new version, all the remains instances of the Administration Service can be upgraded, one by one.
3. In the Configure Administration Service wizard, select the Existing Active Roles database option on the Configuration Database Options page, and then, on the Connection to Database page, specify the database created during the upgrade of the first Administration Service instance. It doesn't need import configuration as the database already has that data imported.
4. In the Configure Administration Service wizard, select the Existing Active Roles database option on the Management History Database Options page, and then, on the Connection to Database page, specify the database created during the upgrade of the first Administration Service instance. It doesn't need to import the management history as the database already has that data imported.

In case of any errors during the in-place upgrade, it must resolve the errors and re-open the Configuration Center to continue the in-place upgrade.

For complex scenarios, we recommend engaging with our Professional Service team to further assist and plan the upgrade with the minimum downtime and with any customizations.