Assuming default security settings, the Domain Admins rights are sufficient to install the solution.
Active Roles Solutions Overview
ERFM Solution Overview
Understanding the problem
Understanding the solution
Configuration Transfer Wizard overview
AutoProvision
Synchronize
Deprovision
AutoProvision of distribution list manager
Mailbox type conversion
Technical description
Policy Object
Policy settings
Deploying the Solution
Container for new shadow accounts
Default description for new shadow accounts
Attribute to store a reference to shadow account
Synchronized properties
Substituted properties
Back-synchronized properties
Policy actions
Scheduled Task
Prerequisite conditions
Applying the Policy Object
Upgrade from an earlier version
Examples of Use
What's new
Solution components
Installing the solution
Using the solution
Understanding SPML Provider
General considerations
Using the Collection wizard and Deployment wizard
Using the ARSconfig command-line tool
Known issues
Features
Use scenarios
Basic concepts and definitions
How SPML Provider works
System requirements
Configuring Active Roles SPML Provider
Using Active Roles SPML Provider
Skype for Business Solution Overview
Operation mode
Support for Active Roles controls
SPML Provider terminology
Troubleshooting SPML Provider
Sending controls to the Active Roles Administration Service
Specifying controls to return to the SPML Provider client
Sample SPML request
Supported operations
Samples of use
Cannot remove the specified item because it was not found in the specified Collection
Some of the specified attributes for the '<object class name>’ object class are not defined in the schema
What’s new
Introducing Skype for Business Server User Management
Supported Active Directory topologies
User Management policy
Master Account Management policy
Management Pack for SCOM
Master Account Management policy settings
Access Templates for Lync Server
Deploying the Solution
Skype for Business Server forest mode
Container for new shadow accounts
Default description for new shadow accounts
Attribute to store a reference to shadow account
Synchronized properties
Substituted properties
Back-synchronized properties
Master Account Management policy actions
Scheduled synchronization
Prerequisite conditions
Deployment in a single-forest environment
Deployment in a multi-forest environment
Upgrade from an earlier version
Managing Skype for Business Server Users
Features
Getting started
Monitoring Active Roles Administration Service
General response - Script
General response - Alert
Replication monitoring - Script
Replication monitoring - Alert
Monitoring connection to configuration database
Monitoring of Dynamic Group-related operations
Monitoring of Group Family-related operations
Internal error - Alert
Critical error on startup - Alert
License system failure - Alert
Monitoring Active Roles Web Interface
Monitoring performance
AD changes processed/sec
Changes queue length (AD + Database)
Connected clients
Database changes processed/sec
LDAP operations in progress
LDAP operations/sec
Private bytes
Queued post-processing policies
Requests in progress
Requests/sec
Script module average execution time
Script modules executing
Installation procedure
Using the solution
General considerations
To use this solution, you must have the necessary security permissions. It is sufficient to be a member of the Active Roles Admin account, in both the source and destination environments. The Active Roles Admin account is specified during installation of the Administration Service and defaults to the Administrators group on the computer running the Administration Service.
IMPORTANT: Before transferring the Active Roles configuration data, ensure that the Active Directory Organizational Unit (OU) structure in the destination environment is identical to the OU structure in the source environment.
These are the general steps required to transfer Active Roles configuration data by using this solution:
- Collect configuration data from a source Active Roles environment In this step, you select the Active Roles configuration objects you want the configuration package to include, and then create a configuration package XML file. This step is performed in the source environment.
- Deploy the collected configuration data to a destination Active Roles environment In this step, the target Active Roles instance is populated with configuration objects from an earlier created package. This step is performed in the destination environment.
|
|
NOTE: If an object to deploy already exists in the target configuration, then the properties of the object are updated during the deployment process. |
To perform these steps, you can use either the Configuration Collection Wizard and Configuration Deployment Wizard, or the ARSconfig command-line tool. Both methods have the same effect and can be used interchangeably, depending on your requirements.
- You can use this solution to transfer Active Roles configuration objects of the following categories:
- Access Templates and containers that hold Access Templates
- Managed Units and containers that hold Managed Units
- Policy Objects and containers that hold Policy Objects
- Scheduled Task objects and containers that hold such objects
- Application objects and containers that hold such objects
- Script Modules and containers that hold Script Modules
- Virtual attributes
- Access Template Links (edsACE object type)
- Policy Object Links (edsPolicyObjectLink object type)
- Mail Configuration objects (edsMailConfiguration object type)
- Workflow definition objects (edsWorkflowDefinition object type)
- Automation Workflow definition objects (edsAutomationWorkflowDefinition object type)
- Policy Type objects (edsPolicyType object type)
- Entitlement Profile Specifier objects and containers (edsOneViewSpecifier or edsOneViewSpecifiersContainer object type) - requires Active Roles 6.7 or later
- Display specifiers and containers that hold display specifiers (displaySpecifier or edsDisplaySpecifierContainer object type)
The solution cannot be used to transfer configuration objects of the following categories:
- Built-in objects (the objects that have “built-in” as part of the name)
- Objects held in the Configuration/Application Configuration/Web Interface container (Web Interface configuration data)
If you need to roll back the changes made to the configuration of the target Active Roles instance, during the package deployment, you can do this by using the command-line tool included with the solution. For step-by-step instructions, see Scenario: Rolling back the configuration changes later in this document.
About dangling links
When collecting Access Templates and Policy Objects, the solution analyzes their links and writes the links to the destination package. Every link record includes information about the directory object and, if applicable, the trustee to which the respective Access Template or Policy Object is applied. In the configuration package file, this information normally takes the form of the distinguished name (DN), whereas in the Active Roles environment the links refer to the objects by security identifier (SID) or globally unique identifier (GUID). The solution needs DN rather than SID or GUID to identify an object as in a different environment, the object SID or GUID differs from that in the original environment. By identifying the link reference objects by DN, the solution enables the delegation and policy settings to be properly transferred from the source environment to the destination environment.
To have the link records identify the link reference objects by DN, the solution has to look up object SID or GUID to object DN. If this process fails for a given link, the link record is created that identifies the link reference object by SID or GUID. Such a record is referred to as dangling link.
If any dangling links have been recorded to the destination package, the solution informs of this condition. Deploying a package that contains dangling links may create links in the destination environment that refer to non-existent objects. As a result, some delegation and policy settings configured by deploying the package may not match the settings found in the source environment from which the package was collected.
The ARSconfig tool provides the danglingLinks parameter that allows you to specify how you want the deployment process to handle dangling links. For more information, see Using the ARSconfig command-line tool later in this document.