Chat now with support
Chat mit Support

Active Roles 8.2.1 - Installation Guide

Introduction System requirements Prerequisites of installing Active Roles Installing Active Roles Deploying the Administration Service Deploying user interfaces Installing optional tools and components Uninstalling Active Roles Using Active Roles to manage Azure AD objects Active Roles availability on Azure and AWS Marketplace Configuring Active Roles for AWS Managed Microsoft AD

Installing the Administration Service

To create a new Administration Service instance, you must install the Administration Service and then perform the initial configuration.

To install the Active Roles Administration Service

  1. Log in with a user account that has administrator rights on the computer.

  2. Mount the Active Roles installation .iso file.

  3. To start installation, double-click ActiveRoles.exe.

  4. Accept the license agreement and click Next.

  5. On the Component Selection page, clear all check boxes except Administration Service, then click Next.

  6. On the Ready to Install page, review the summary and click Install.

  7. On the Completion page, make sure that I want to perform configuration is selected. Then, to launch the Configuration Center, click Finish.

The setup wizard only installs the files. After you have completed the installation, you must configure the newly-installed Administration Service instance via the Active Roles Configuration Center that opens automatically if you select the I want to perform configuration check box on the Completion page in the setup wizard.

Alternatively, you can open the Configuration Centerby selecting Active Roles 8.2.1 Configuration Center on the Apps page or Start menu, depending on the version of your Windows operating system.

Configuring the Administration Service

After installing Active Roles, perform the initial configuration of the Administration Service by specifying its service account, Active Roles Admin account, and database settings.

To configure the initial Administration Service

  1. In Configuration Center, under Administration Service, click Configure. The Configure Administration Service wizard appears.

  2. On the Service Account page, enter the name and password of the domain user account or the service account details of the Group Managed Service Account (gMSA) to be used as the Administration Service account. Then, click Next.

    NOTE: Make sure that the service account has the minimum required permissions. For more information, see Minimum required permissions for the Active Roles service account.

  3. On the Active Roles Admin page, accept the default account, or click Browse and select the group or user to be designated as Active Roles administrator. Then, click Next.

  4. On the Configuration Database Options page, select New Active Roles database or Existing Active Roles database. Then, click Next.

  5. On the Connection to Configuration Database page, specify a database type, SQL Server instance and database name. Then, select the authentication option for the configuration database:

    1. Select the required Database Type.

    2. In Database Server name, specify an SQL Server instance in the form <Computer>\<Instance> (for named instance) or <Computer> (for default instance), where <Computer> stands for the FQDN of the computer running SQL Server or the name of the Azure SQL database server.

      The wizard will create the database on the SQL Server instance that you specify.

    3. In Database name, enter a name for the database that will be created.

    4. Under Connect using, select the appropriate authentication option.

      • If your Windows logon account has sufficient rights to write data to the destination database, click Windows authentication.

      • If you have a SQL Server login with sufficient rights, click SQL Server authentication and enter the login name and password.

      • If you have an Azure AD login with sufficient rights, click Azure Active Directory authentication and enter the login name and password.

  6. On the Management History Database Options page, select New Active Roles database and click Next.

  7. On the Connection to Management History Database page, perform the same sub-steps for configuring the Management History database that you did for configuring the Configuration database. Then, click Next.

  8. On the Encryption Key Backup page, perform the steps as described in Backing up the encryption key.

    NOTE: This window appears only if the Administration Service is configured with the New Active Roles database option for either the configuration or management history database.

  1. Click Next, and follow the instructions in the wizard to complete the configuration.

If required by your organization and/or security policies, you can change the credentials of the Active Roles Administration Service account in the Active Roles Configuration Center immediately after performing the first-time configuration of the Administration Service.

(Optional) To change the Active Roles Administration Service account

  1. Launch the Active Roles Configuration Center.

  2. Click Administration Service.

  3. On the Service Account, click Change.

  4. Enter the new credentials and click Change.

  5. To apply your changes, click Finish.

  6. To start using the new credentials, restart the Active Roles Administration Service.

Backing up the encryption key

When you configure the initial Administration Service, the Active Roles Configuration Center creates a database along with a secret key that the Administration Service will use to encrypt and decrypt sensitive data in the database. This data can include, for example, credentials of the override accounts for managed domains and Azure administrator user passwords.

The secret key (or encryption key) is stored in the database using asymmetric cryptography, meaning that is has a private and public key pair. The secret key can only be retrieved and decrypted by the Administration Service instance that has the private key of the asymmetric key pair. Storing the secret key in this way ensures the optimal level of protection for security-sensitive data in the Active Roles database.

To retrieve the secret key, the private key that is the pair of the public key that was used for encrypting the secret key is required. Additional Administration Service instances that were configured for Active Roles after setting a secret key might not be able to retrieve the secret key and use the Active Roles database. This can occur if you:

  • Configure a new Administration Service instance for an Active Roles database that is used by another instance of the Administration Service, and there is no running instance that could decrypt the secret key.

  • Import Active Roles configuration data from another database (for example, the Configuration database of an earlier Active Roles version). In this case, you need the secret key that is used for data encryption in the source database. Otherwise, you cannot import the encrypted data.

If the Administration Service cannot retrieve the secret key from the database, you need a backup copy of the secret key. Configuration Center prompts you to create a backup of the secret key when you perform the initial configuration of the Administration Service via creating a new database.

On the Encryption Key Backup page, the Configure Administration Service wizard specifies a file to store a backup copy of the secret key. You can encrypt the backup by protecting the file with a password.

NOTE: Consider the following regarding encryption keys:

  • The encryption key is only used to encrypt passwords for domain override accounts (including AD LDS instances). It does not encrypt any other data.

  • By default, the encryption is saved to the following folder with the following default name:

    C:\ProgramData\One Identity\Active Roles\ARServiceEncryptionKey-dj-ars<version>.bin

  • If you lose your encryption key, you can still use Active Roles with one of the following workarounds:

    • As the encryption key is used for Managed Domain password encryption, you can reinstall Active Roles, and configure a new database by importing the settings from the old database. In this case, the wizard will prompt you to create a new encryption key file.

    • Configure an additional Administration Service instance, as it can retrieve the encryption key from an already running Administration Service instance.

    • If you are not using the latest available version of Active Roles, upgrade to the newest version and (optionally) create a new key when instructed.

    • If you have multiple Administration Service instances sharing the same database, Active Roles can fetch the encryption information from the other Administration Service instance.

  • You must configure an Active Roles encryption key if you:

    • Add another Administration Service instance to an existing shared database.

    • Have no services connected to the same database that is up and running.

    • Cannot afford retyping passwords for managed domains.

Additional considerations for Active Roles database encryption

Active Roles encrypts some data, stored in the Active Roles database.

To use the encrypted data, you need the encryption key as the file is password protected. Active Roles stores the encryption key inside the Active Roles database using asymmetric cypher. As such, Active Roles can get the value of this key from the database. Active Roles also has a logic that allows the service to share this key with other services (like several services per single database). If the key is lost, you must retype the passwords for the managed domains.

You only need this file if you want to use an existing Active Roles database but cannot retype passwords for Managed Domains.

To back up the Active Roles database encryption key

  1. (Optional) To change the name or location of the backup file, click Browse, then specify the desired file name and location. The wizard will save a copy of the secret key to the file specified.

  2. (Optional) To encrypt the backup, select Protect the backup file with a password, then type and confirm a password. To retrieve the key from the backup file later, you must enter the specified password.

    CAUTION: Do not lose or forget the password, as it cannot be recovered.

Configuring an additional Administration Service instance

This section covers the database-related steps of the Configure Administration Service wizard in a scenario where:

  • At least one instance of the Administration Service version Active Roles is up and running in your environment.

  • You are installing one more Administration Service instance for load distribution and fault tolerance.

To configure an additional Administration Service

  1. On the Database Options page in the Configure Administration Service wizard, select one of the following options, depending on how you want to synchronize the configuration of the new Administration Service instance with the configuration of the existing Administration Service instances:

    • Existing Active Roles database: Configures the new Administration Service instance to use the database of an existing Administration Service instance so that the new Administration Service instance has the same configuration as the existing instance.

    • New Active Roles database: After configuring the new Administration Service instance, you will need to set up Active Roles replication for the new Administration Service instance to have the same configuration as the existing instances.

  2. If you have selected the Existing Active Roles database option, see Using a common database for the Administration Service.

  3. If you have selected the New Active Roles database option, complete the wizard as described in Configuring the Administration Service.

The database created by this option holds the newest configuration of the Administration Service. To update and synchronize the new database with the configuration data of the Administration Service instances that were earlier deployed in your environment, you need to use the replication function. For instructions on how to set up replication of configuration data, see SQL Server replication in the Active Roles Administration Guide.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen