In Active Roles replication, SQL Server Replication Agents (Merge Agents) synchronize data between the Publisher and Subscriber databases. Each Subscriber has a dedicated Replication Agent running on the SQL Server instance that hosts the Publisher database. Because the agent's role is to keep the Publisher and Subscriber databases in sync, it needs sufficient rights to access both the Publisher and Subscriber database servers.
The Administration Service creates and configures a Replication Agent when you add a Subscriber. In SQL Server terms, this is a Merge Agent for a push subscription. According to SQL Server Books Online (see Replication Agent Security Model), a Merge Agent for a push subscription requires the following permissions.
The Windows account under which the agent runs is used when it makes connections to the Publisher and Distributor. This account must:
- At a minimum be a member of the db_owner fixed database role in the distribution database (AelitaDistributionDB database by default).
- Be a member of the publication access list (PAL).
- Be a login that is associated with a user in the publication database (the Active Roles database on the Publisher).
- Have read permissions on the snapshot share (by default, this is the ReplData folder on the administrative share C$).
The account used to connect to the Subscriber must at minimum be a member of the db_owner fixed database role in the subscription database (the Active Roles database on the Subscriber).
By default, the security settings of a Merge Agent configured by Active Roles are as follows:
- The account under which the Merge Agent runs and makes connections to the Publisher and Distributor is the Windows service account of the SQL Server Agent service.
- The account the Merge Agent uses to connect to the Subscriber is the account under which the Merge Agent runs.
This means that, by default, Active Roles requires that the account of the SQL Server Agent service have all permissions the Merge Agent needs to make connections both to the Publisher/Distributor and to the Subscriber.
When adding a Subscriber, you have the option to supply a separate login for connection to the Subscriber. If you choose that option, the Merge Agent will use the login you supply (rather than the account of the SQL Server Agent service) to make connections to the Subscriber. In this case, it is the login you supply that must have db_owner rights in the subscription database. The SQL Server Agent service does not need to have any rights in the subscription database. However, it still must have all permissions the Merge Agent needs to make connections to the Publisher and Distributor.
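The following PowerShell audit is an added example, not part of the Active Roles product or its documentation. It checks the database-level requirements listed above for one account: db_owner in the distribution database, a mapped user in the publication database, and db_owner in the subscription database. The server names, the database name `ActiveRoles` and the account are placeholders; PAL membership and snapshot share permissions are not covered, and the caller needs rights to view database principals.

```powershell
# Added example. Server names, the database name 'ActiveRoles' and the account
# are placeholders; AelitaDistributionDB is the default name given above.
$account = 'EXAMPLE\svc-sqlagent'
$targets = @(
    @{ Server = 'PUBLISHER-SQL';  Database = 'AelitaDistributionDB'; Need = 'db_owner' }
    @{ Server = 'PUBLISHER-SQL';  Database = 'ActiveRoles';          Need = 'user' }
    @{ Server = 'SUBSCRIBER-SQL'; Database = 'ActiveRoles';          Need = 'db_owner' }
)

# Direct mappings only: rights inherited through a Windows group or through
# database ownership (dbo) are not resolved by this query.
$query = @'
SELECT CASE WHEN u.principal_id IS NULL THEN 0 ELSE 1 END AS HasUser,
       CASE WHEN EXISTS (
            SELECT 1
            FROM sys.database_role_members AS rm
            JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
            WHERE r.name = N'db_owner' AND rm.member_principal_id = u.principal_id
       ) THEN 1 ELSE 0 END AS IsDbOwner,
       ISNULL(IS_SRVROLEMEMBER('sysadmin', @login), 0) AS IsSysadmin
FROM (SELECT SUSER_SID(@login) AS sid) AS l
LEFT JOIN sys.database_principals AS u ON u.sid = l.sid;
'@

function Test-AgentAccess {
    param([string]$Server, [string]$Database, [string]$Need, [string]$Login)
    $cs   = "Server=$Server;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $row = $cmd.ExecuteReader()
        [void]$row.Read()   # the query always returns exactly one row
        $sys = [int]$row['IsSysadmin'] -eq 1
        $ok  = if ($Need -eq 'db_owner') { [int]$row['IsDbOwner'] -eq 1 } else { [int]$row['HasUser'] -eq 1 }
        [pscustomobject]@{
            Server = $Server; Database = $Database; Requires = $Need
            Met = ($ok -or $sys); ViaSysadmin = $sys
        }
    } finally { $conn.Dispose() }
}

$report = foreach ($t in $targets) { Test-AgentAccess @t -Login $account }
$report | Format-Table -AutoSize
```

A row with `ViaSysadmin` set to True means the requirement is satisfied only through server-wide sysadmin membership, which is broader than the db_owner minimum the list above calls for.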
You can install Active Roles by launching the installation wizard from the downloaded .iso file, provided that your environment meets all prerequisites.
Prerequisites
Make sure that all installation prerequisites are met. For more information on the hardware and software requirements for each component, see System requirements.
To install Active Roles and its components
- Log in with a user account that has administrator rights on the computer.
- Mount the Active Roles installation .iso file.
- To start installation, double-click ActiveRoles.exe.
- Accept the license agreement and click Next.
- Based on the components selected by default, the setup wizard installs the Administration Service, Configuration Center, Web Interface, Management Shell, Console, and ADSI Provider components on the system. Change the selected components according to your needs, or review the default selection and follow the instructions of the wizard to proceed with the installation.
  TIP: You can also install these components separately by launching their installers from their respective component directories in the Components folder.
  NOTE: You will need to configure and run the Administration Service to configure and start any other Active Roles components later.
- In addition to the Active Roles default components, you can install and configure the following additional tools provided by Active Roles:
For more information on installing and configuring these additional tools, see Installing optional tools and components.
Starting from version 8.2, Active Roles supports (and its installer is shipped with) Microsoft OLE DB Driver 19.x for SQL Server. However, Active Roles still supports earlier OLE DB Driver versions as well (18.4 or newer).
If you want to use a previous supported version of Microsoft OLE DB Driver for SQL Server with your Active Roles installation instead of version 19.x, you can roll back your Microsoft OLE DB Driver for SQL Server installation.
Prerequisite
You must have Active Roles 8.2.1 and Microsoft OLE DB Driver 19.x for SQL Server installed via clean installation.
To roll back to a previous supported Microsoft OLE DB Driver for SQL Server version
- Download and install any supported version of Microsoft OLE DB Driver for SQL Server (18.4 or newer).
- Stop the Active Roles Administration Service. To do so, in the Active Roles Configuration Center, navigate to Administration Service, then click Stop.
- In the Windows Registry Editor, modify the Microsoft OLE DB Driver for SQL Server version entries. To do so:
  - In the Registry Editor, navigate to the following node:
    HKEY_LOCAL_MACHINE > SOFTWARE > One Identity > Active Roles > Configuration > Service
  - In the CHDatabaseConnectionString and DatabaseConnectionString nodes, change the Provider key from MSOLEDBSQL19 to MSOLEDBSQL.
- Start the Active Roles Administration Service. To do so, in the Active Roles Configuration Center, navigate to Administration Service, then click Start.
NOTE: Consider the following if you use a Microsoft OLE DB Driver for SQL Server version older than 19.x with Active Roles:
- In the Active Roles Configuration Center, you can specify the database server hosting the Active Roles databases either with its short name (for example, ActiveRoles) or with its FQDN (for example, ActiveRoles.roles1.net).
- If you install Microsoft OLE DB Driver 19.x for SQL Server later on the machine (outside of the Active Roles installer), the OLE DB Driver installer will automatically update the Provider keys from MSOLEDBSQL to MSOLEDBSQL19 in the Windows Registry. If you want to keep using Active Roles with a Microsoft OLE DB Driver for SQL Server version older than 19.x, make sure to revert this change.
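Because a later driver installation can change the Provider entries without any action in Active Roles, a read-only check can confirm what is currently configured. The script below is an added example, not One Identity code; it assumes that CHDatabaseConnectionString and DatabaseConnectionString are registry subkeys that each hold a string value named Provider, as the steps above describe.

```powershell
# Added example: report whether the Provider value in both connection-string
# nodes matches the driver generation you intend to run. Nothing is modified.
# Assumption: each node is a subkey holding a string value named "Provider".
$expected   = 'MSOLEDBSQL'   # use 'MSOLEDBSQL19' when running OLE DB Driver 19.x
$serviceKey = 'HKLM:\SOFTWARE\One Identity\Active Roles\Configuration\Service'
$nodes      = 'CHDatabaseConnectionString', 'DatabaseConnectionString'

function Get-ProviderState {
    param([string]$BaseKey, [string[]]$Nodes, [string]$Expected)
    foreach ($node in $Nodes) {
        $path   = Join-Path $BaseKey $node
        $value  = $null
        $status = 'KeyMissing'
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name Provider -ErrorAction SilentlyContinue
            if ($item) { $value = $item.Provider }
            $status = if ($null -eq $value)        { 'ValueMissing' }
                      elseif ($value -eq $Expected) { 'OK' }
                      else                          { 'Drift' }
        }
        [pscustomobject]@{ Node = $node; Provider = $value; Expected = $Expected; Status = $status }
    }
}

$state = @(Get-ProviderState -BaseKey $serviceKey -Nodes $nodes -Expected $expected)
$state | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job flag the change.
if (@($state | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Running it after driver or operating system patching shows whether the two nodes still agree with each other and with the intended provider before the Administration Service is restarted.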
Deploying the Administration Service
After configuring access to the SQL Server, install the Active Roles Administration Service.
This section describes how to install and configure a new instance of the Administration Service. For instructions on how to upgrade an existing Administration Service instance of an earlier version, see Upgrading the Administration Service in the Active Roles Upgrade Guide.