Chatee ahora con Soporte
Chat con el soporte

Active Roles 8.1.5 - Quick Start Guide

Introduction Active Roles Setup package Active Roles uninstallation System Requirements Deploying the Administration Service Deploying user interfaces Installing additional components Upgrade of an earlier version Performing a pilot deployment Deployment considerations Silent installation of Active Roles components Configuring Active Roles to Manage Hybrid Active Directory Objects Deploying Active Roles for AWS Managed Microsoft AD Active Roles on Windows Azure VM

Checking System Readiness with Active Roles System Checker

To check if a computer and your organization environment supports installing Active Roles, use the Active Roles System Checker tool.

To check system readiness with Active Roles System Checker

  1. From your operating system, launch Active Roles System Checker.

  2. Select Computer > System Readiness Checks.

  3. To check the computer specifications, in the Confirm System Readiness Checks window, select the appropriate components to check for and click Check.

  4. In the System Readiness Checks window, review the summary and confirm that the computer has passed the required checks. Take appropriate action before installing Active Roles. For example, if there is a warning about insufficient memory (RAM), then upgrade the computer's memory to the recommended amount.

  5. To check the SQL Server requirements of Active Roles, in the Active Roles System Checker, select Environment > SQL Server Checks.

  6. Enter the SQL Server name and appropriate credentials for the Active Roles service account, then click Check.

  7. Review the summary to confirm that the SQL Server passed the checks.

  8. To check the Active Directory requirements, in the Active Roles System Checker, select Environment > Active Directory Checks. Enter the domain controller (DC) name and the appropriate credentials for the Active Roles service account, then click Check.

    A progress window appears. Once the check completes, System Checker shows the summary.

  9. Review the summary to confirm the account has adequate permissions in Active Directory.

  10. To learn more about Active Roles. click Additional Resources. To finish the check, click Finish.

Steps to install Add-on Manager

Use the Active Roles Add-on Manager to install and manage Active Roles add-ons, or create new ones with the Add-on Editor.

To install Add-on Manager

  1. Mount the Active Roles installation .iso file, and navigate to the Solutions > Add-on Manager folder.

  2. Run the ActiveRolesAddonManager .exe file, and follow the on-screen instructions of the Setup wizard.

  3. In the configuration wizard that appears after installation completes, select how to register Add-on Manager to the Active Roles Administration Service.

    • Any available Administration Service: Select this option to register Add-on Manager with the nearest Administration Service, connecting to that Administration Service instance with the credentials of your current logon account. To apply this option, your current logon account must be an Active Roles Admin.

    • Administration Service on this computer: Select this option to register Add-on Manager with the Administration Service that runs on the computer you specify. The wizard will then connect to that Administration Service with the user name and password you supply. Make sure that you specify the user name and password of the Active Roles Admin.

  4. To apply your change, click Register.

Upgrade of an earlier version

You can upgrade from Active Roles 7.5 or later to the latest version of Active Roles using one of the following methods:

  • In-place upgrade: Install the latest version of Active Roles on the computer without removing the earlier version.
  • New installation with import of database from earlier version: Install the latest version of Active Roles and import the database from the earlier version of Active Roles.

NOTE:

  • To perform a clean installation of Active Roles, uninstall the currently installed version before installing Active Roles 8.1.5.
  • Active Roles supports selection of custom installation path only during a fresh installation. During an in-place upgrade, Active Roles does not support changing the custom installation path.

For information on importing configuration data from the database of an earlier version of Active Roles, see Import Configuration under Install and configure the Administration Service.

NOTE: Before upgrading to the latest version of Active Roles, the add-ons of the earlier versions must be uninstalled.

Upgrading from Active Roles 6.9 version to a newer version is a side-by-side upgrade. To ensure smooth upgrade to the new Active Roles version, first upgrade the Administration Service, then upgrade the Web Interface.

CAUTION: Upgrading from Active Roles 6.9 to a newer version is only meant to be a temporary solution, as the side-by-side installation of two different Active Roles versions can have a negative impact on the environment.

Different versions of Active Roles are not supported in the same Active Directory domain. Different versions of Active Roles servers in the same AD domain will cause issues with dynamic groups, policies, workflows, or custom scripts, and can also cause conflicts in product functionality.

When upgrading Active Roles to a later version, One Identity recommends to upgrade all servers running Active Roles components to the same version to be in a supported configuration.

For more information, see Knowledge Base Article 4307177.

Active Roles 6.x components are not used in the upgrade and neither are any components from the earlier version uninstalled.

IMPORTANT: During in-place upgrade, when importing from the source database (Configuration and Management History database), the following database permissions are automatically migrated from the previously used (source) SQL database to the new (destination) SQL database:

  • Active Roles database users with associated permissions.

  • SQL logins mapped to Active Roles database users.

  • Roles.

The service account that is used for performing the in-place upgrade or the import or migration operation should have the following permissions in the SQL Server to perform the operation:

  • db_datareader fixed database role in the source database.

  • db_owner fixed database role and the default schema of dbo in the destination database.

  • sysadmin fixed server role in the destination database.

If a limited SQL access account is used for performing the in-place upgrade, a manual action is required to pre-create the new Active Roles databases. For more information, see Knowledge Base Article 4303098 on the One Identity Support Portal.

By default, the database users, permissions, logins, and roles are imported to the destination database. You can clear the Copy database users, permissions, logins, and roles check box in the following locations depending on the operation:

  • During in-place upgrade: in the Upgrade configuration window.

  • Importing configuration: Import Configuration > Source Database > Configure advanced database properties.

  • Importing management history: Import Management History > Source database > Configure advanced database properties.

Impact on Office 365 add-on

After an upgrade of Active Roles components to Active Roles 8.1.5, the Office 365 add-on which was supported in the earlier versions of Active Roles, ceases to work. Hence, it is recommended to uninstall the Office 365 add-on prior to the upgrade of Active Roles.

NOTE:

  • Uninstall the Office 365 add-on before installing the latest version of Active Roles as the add-on is not supported.
  • The latest version of Active Roles manages Office 365 and Azure AD natively. However, Active Roles does not support the following feature of Office 365 add-on that was supported in earlier versions:
    • Ability to manage and select Office 365 domains through policies.

Upgrading to Active Roles 8.1.5 from 7.5 or later using in-place upgrade method

To upgrade existing Active Roles 7.5 or later version to the latest version, perform the following steps.

NOTE: Before performing the in-place upgrade, One Identity recommends to approve all pending approval activities.

NOTE: Before performing the in-place upgrade, One Identity recommends backing up the Active Roles database. For more information on general best practices, see Create a Full Database Backup in the Microsoft SQL documentation.

Prerequisites for in-place upgrade from Active Roles 7.5 or later

One Identity recommends backing up the current Web Interface instances if any customizations have been implemented.

Any Web Interface sites that were created in Active Roles 7.5 or later will continue to function in 8.1.5. However, it is recommended to thoroughly test before upgrading, as some customizations may not work as expected in newer versions of Active Roles.

To back up the Web Interface configurations

  1. Launch the Active Roles Configuration Center.
  2. Click Web Interface.

  3. Select the site(s) to back up and click Export Configuration.

To upgrade Active Roles using in-place upgrade

NOTE: Before upgrading to the latest version of Active Roles:

  • Uninstall the add-ons of the earlier versions.

  • Remove replication partners (if there are any).

The in-place upgrade of Active Roles 7.5 upgrades the Active Roles 7.5 Administration Service and Web Interface components.

The in-place upgrade of Active Roles 7.5 does not upgrade the Active Roles solution components such as SPML Provider, Add-on Manager, Add-ins for Outlook, Diagnostic Tools, and so on. To upgrade the solution components installed with Active Roles, use the respective installers available in the Active Roles installation package.

During Active Roles upgrade, if the Active Roles database is not split into Configuration and Management History databases, the upgrade process creates a Management History database by default.

NOTE: If a limited SQL access account is used for performing the in-place upgrade, you must pre-create the new Active Roles databases manually. For more information, see Knowledge Base Article 4303098 on the One Identity Support Portal.

  1. Log in with a user account that has administrator rights on the computer.

  2. Navigate to the location of the Active Roles distribution package, and to start the Setup wizard, double-click ActiveRoles.exe.

  3. Follow the instructions in the Setup wizard.

    1. To continue, click Next.

    2. To accept the license agreement, select I accept the terms in the license agreement, and click Next.

    3. Review the summary and warning. If the Office 365 Add-On is installed in the 7.5 instance, uninstall it before continuing.

    4. On the Ready to Upgrade page, make sure that the prerequisite software are installed, then click Upgrade.

    5. On the Completion page, click Finish.

  4. After upgrading to Active Roles 7.5 or later, you are prompted to restart the system. Click Restart Now.

    1. If the system does not restart, launch the Configuration Center and click Update Service Instance.

    2. If the system restarts and the Configuration Center launches automatically, click Update Service Instance.

      Due to the update of the database schema, the 7.5 or later versions of the sites are no longer compatible.

NOTE: After upgrading the Active Roles package to 8.1.5, perform the steps of Configuring Active Roles during in-place upgrade.

Configuring Active Roles 8.1.5 during in-place upgrade

To configure Active Roles 8.1.5 during in-place upgrade

  1. After upgrading Active Roles to 8.1.5, restart the operating system.

  2. After the system restarts, the Configuration Center launches automatically, displaying the Upgrade configuration wizard.

    As part of this upgrade, Active Roles creates new databases with default names. The Upgrade configuration wizard displays the new databases information.

    NOTE: The names of the new databases must be unique. If a database with the same name already exists, you will get a Verification failed error message. To resolve the issue, rename the new database.

    CAUTION: When creating a new configuration database, you may encounter a Verification failed error message due to an Active Roles version mismatch. To resolve the issue, you must clear the existing Active Roles configuration. For more information, see Knowledge Base Article 4340880.

    1. (Optional) To change the default names of the new databases, click Click here to change or provide existing database names.

    2. Select the check box to confirm that you have read the instructions in this document about the in-place upgrade process, and click Next.

      NOTE: By default, during in-place upgrade, in the Upgrade configuration window, the Copy database users, permissions, logins, and roles option is selected.

  3. The Reauthenticate Tenants page lists the configured Azure tenants in the source database. To reauthenticate a tenant, click Reauthenticate next to its name.

    CAUTION: You must reauthenticate the tenant(s). Otherwise, Active Roles does not receive the required permissions to manage existing tenants, and tenant administration will not work correctly.

    NOTE: After a successful upgrade, in the Configuration Center, under Azure AD Configuration, you must consent the Azure tenants manually.

  4. In the Services association page, configure the Administration Service instances for running the following:

    • Dynamic groups

    • Group families

    • Scheduled tasks

    1. Select This Server or Other. Selecting Other allows you to specify another Administration Service instance in a fully qualified domain name (FQDN) format. If the value is empty, the current Administration Service is used.

      NOTE: Services association does not update certain scheduled tasks. For example, scheduled tasks that cannot be edited (Managed Object Counter) or scheduled tasks that are set to All servers.

    2. Select Run the Services association immediately or Schedule Services association.

      NOTE: If Services association is scheduled to a specific time, but the upgrade or import operation is still in progress or completes after the scheduled Services association time, then the services will not be associated. In such cases, you must associate the Services manually by running the built-in scheduled task Update Services To Execute On in the Active Roles Console.

    To ensure Dynamic Groups, Group Families, and Scheduled tasks continue to function after an import, the installation configures the new Active Roles server as the initiating server for the listed tasks. This configuration runs after an upgrade.

    NOTE: Alternatively, you can perform Services association any time using the template workflow Update Services To Execute On available in the built-in Workflow Container. You can configure the parameters in the script that the workflow uses to the required Administration Service instances, such as, Dynamic Group Service, Group Family Service, Scheduled Task Service. You can select the Administration Service instance to use from the drop-down list. The drop-down list displays all the currently running Administration Service instances connected to the current configuration database. If the parameter value is not selected, then the current Administration Service instance will be used.

  5. Click Next.

  6. In the Review upgrade page, review your settings and click Upgrade.

    The upgrade starts and the Execution page displays the progress bar for the upgrade.

    NOTE: If the disk space in SQL Server is insufficient, an error message will appear, prompting you to increase the disk space.

    In case of any errors during the in-place upgrade, you must resolve the errors and re-open the Configuration Center to continue the in-place upgrade.

  7. After the database upgrade, stop and then restart the Active Roles Service.

After the database upgrade is complete, the Active Roles Service is ready for use.

NOTE: To upgrade multiple Active Roles Service instances, log in to the individual systems where Active Roles Service was upgraded, and perform the in-place upgrade steps for each Service.

Compatibility of Active Roles components

The new Administration Service is only compatible with the Active Roles user interfaces (Web Interface and console) of version 8.1.5. Earlier versions of the user interfaces may not work with the new Administration Service. The user interfaces of Active Roles 8.1.5 are only compatible with the Administration Service of version 8.1.5. Therefore, to use the Active Roles console or Web Interface of version 8.1.5, you must first upgrade the Administration Service.

Impact on custom solutions

An upgrade of Active Roles may affect custom solutions (such as scripts or other modifications), if any, that rely on the Active Roles functions. Custom solutions that work fine with an earlier Active Roles version may cease to work after the upgrade. Prior to attempting an upgrade, you should test the existing solutions with the new Active Roles version in a lab environment to verify that the solutions continue to work.

Upgrading the Administration Service

To upgrade Active Roles Administration Service from a version earlier than 6.9 to 7.5 or later, you must first upgrade to version 6.9.

You can upgrade the Administration Service from version 6.9 through 7.5 to 8.1.5.

Upgrading the Administration Service implies creation of a new Administration Service instance of the latest version, with the configuration and management history data imported from your Administration Service of an earlier version. As a result, the new Administration Service instance inherits all of your existing Active Roles configuration settings, such as managed domains, managed units, permission assignments, policies, workflows, virtual attributes and so on. By importing management history data, you transfer change history, approval tasks, and temporal group membership tasks from your Administration Service of an earlier version to the new Administration Service instance.

To upgrade the new Administration Service instance from 7.5 or later to 8.1.5 perform the following steps:

NOTE: Before upgrading to the latest version of Active Roles, the add-ons of the earlier versions must be uninstalled.

  1. After upgrading the Active Roles package to 8.1.5, you are prompted to restart the system.
  2. After the system restarts, the Configuration Center opens by default, displaying the Upgrade configuration wizard.

    The fields in the wizard are auto-populated. The database name for Configuration and Management history are suggested, by default. However. if you want to update the database name, click Click here to change or provide existing database names link.

  1. Select the check box on the Upgrade configuration wizard, to confirm that you have read the instructions in the Quick Start guide regarding "Configuring Active Role for in-place upgrade".
  1. Click Next.

    NOTE: If you click Next without selecting the check box, an error is displayed prompting you to follow the instructions given against the check box and select the check box.

    The upgrade starts and the Execution tab displays the Progress bar for the upgrade.

After the database upgrade is complete, the Active Roles Service is automatically started and ready for use.

You can upgrade from Active Roles 7.5 or later to Active Roles 8.1.5 using in-place upgrade or a new installation of Active Roles with importing the database from an earlier version.

Upgrading from Active Roles 6.9 version to a newer version is a side-by-side upgrade. To ensure smooth upgrade to the new Active Roles version, first upgrade the Administration Service, then upgrade the Web Interface.

CAUTION: Upgrading from Active Roles 6.9 to a newer version is only meant to be a temporary solution, as the side-by-side installation of two different Active Roles versions can have a negative impact on the environment.

Different versions of Active Roles are not supported in the same Active Directory domain. Different versions of Active Roles servers in the same AD domain will cause issues with dynamic groups, policies, workflows, or custom scripts, and can also cause conflicts in product functionality.

When upgrading Active Roles to a later version, One Identity recommends to upgrade all servers running Active Roles components to the same version to be in a supported configuration.

For more information, see Knowledge Base Article 4307177.

If you no longer need the Administration Service of the earlier version, you can uninstall it using Programs and Features in Control Panel: Right-click Administration Service in the list of installed programs, and then click Uninstall.

Install and configure the Administration Service

To create a new Administration Service instance, you first install Administration Service files and then perform initial configuration.

To install the Administration Service files

  1. Log on with a user account that has administrator rights on the computer.
  2. Navigate to the location of the Active Roles distribution package, and start the Setup wizard by double-clicking ActiveRoles.exe.
  3. Follow the instructions in the Setup wizard.
  4. On the Component Selection page, ensure that the Administration Service component is selected, and click Next.
  5. On the Ready to Install page, click Install to perform installation.
  6. On the Completion page, select the I want to perform configuration check box, and click Finish.

The Setup wizard only installs the files. After you have completed the Setup wizard, you need to configure the newly installed Administration Service instance by using Active Roles Configuration Center. The Configuration Center opens automatically if you select the I want to perform configuration check box on the Completion page in the Setup wizard. Another way to open Configuration Center is by selecting Active Roles Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.

To perform initial configuration

  1. In Configuration Center, under Administration Service, click Configure.
  2. On the Service Account page in the Configure Administration Service wizard that appears, enter the name and password of the domain user account or the service account details of the Group Managed Service Account to be used as the Administration Service account, and then click Next.
  3. On the Active Roles Admin page, accept the default account, or click Browse and select the group or user to be designated as Active Roles Admin. When finished, click Next.
  4. On the Configuration Database Options page, select the New Active Roles database option, and then click Next.
  5. On the Connection to Database page, specify a SQL Server instance and database name, and select the authentication option:
    1. Select the required Database Type, in the Database Server name. Specify an SQL Server instance in the form <Computer>\<Instance> (for named instance) or <Computer> (for default instance), where <Computer> stands for the short name of the computer running SQL server or name of the Azure SQL database server. The wizard will create the database on the SQL Server instance you specify.
    2. In the Database box, type a name for the database that will be created.
    3. Under Connect using, select the appropriate authentication option:
      • To have the Administration Service connect to the database using the service account, click Windows authentication.
      • To have the Administration Service connect to the database using a SQL Server login, click SQL Server authentication and type the login name and password.
      • To have the Administration Service connect to the database using Azure AD login, click Azure Active Directory authentication and type the login name and password.

  6. On the Management History Database Options page in the Configure Administration Service wizard, select the New Active Roles database option, and then click Next.

  7. On the Connection to Database page, perform the steps a to c for Management history database.

  8. Click Next, and then complete the Encryption Key Backup page as described in Backup of encryption key.

  9. Click Next, and follow the instructions in the wizard to complete the configuration.
Import configuration

After you have installed and initially configured the Administration Service of the new version, import the configuration data from the database used by your Administration Service of the earlier version. To import configurations, you must identify that database. To identify the database:

  1. Open the Active Roles console and connect to your Administration Service of the earlier version (see “Connecting to the Administration Service” in the Active Roles Administration Guide).
  2. Select the console tree root, and then, on the page in the details pane, expand the Configuration Databases and Replication area.

    You can identify the database name, SQL Server name, and database type from the first string in the Configuration Databases and Replication area that has the following format: Database <name> on SQL Server <name> Database Type <type>.

After identifying the database, perform the import using the Import configuration wizard of the Configuration Center. On the Source database page in the Import configuration wizard, supply the database name and SQL Server name that you have identified. For more information, see Importing configuration data.

NOTE: When an import configuration is performed from Active Roles version 7.5 to 8.1.5, the Web Interface does not get upgraded. However, the Configuration Center or any client report the Active Roles Web Interface version incorrectly as 8.1.5. To upgrade the Web Interface to the latest version, see Creating Web interface sites and importing configuration.

Import management history

After you have imported configuration of your earlier Active Roles version, import the management history data from the database used by your Administration Service of the earlier version. First, identify that database:

  1. Open the Active Roles console and connect to your Administration Service of the earlier version (see “Connecting to the Administration Service” in the Active Roles Administration Guide).
  2. Select the console tree root, and then, on the page in the details pane, expand the Management History Databases and Replication area.

    Identify the database name, SQL Server, database type name from the first string in the Management History Databases and Replication area that has the following format: Database <name> on SQL Server <name> Database Type <type>.

After identifying the database, perform the import. You can do this using the Import Management History wizard of the Configuration Center. On the Source database page in the Import Management History wizard, supply the database name and SQL Server name you have identified. For more information, see Importing management history data.

Upgrade in case of shared database

If multiple instances of the Administration Service use a single database, then you can perform the upgrade as follows:

  1. Upgrade one of the Administration Service instances as described in Upgrading the Administration Service.

    As a result of this step, you have an Administration Service instance of the new version connected to the new database containing the data imported from the old database. The other instances of the Administration Service are not upgraded at this point; they continue to use the old database.

  1. Now that you have the database of the new version, you can upgrade the remaining instances of the Administration Service, one by one.
  2. In the Configure Administration Service wizard, select the Existing Active Roles database option on the Configuration Database Options page, and then, on the Connection to Database page, specify the database created during upgrade of the first Administration Service instance. You need not import configuration as the database already has that data imported.
  3. In the Configure Administration Service wizard, select the Existing Active Roles database option on the Management History Database Options page, and then, on the Connection to Database page, specify the database created during upgrade of the first Administration Service instance. You need not import the management history as the database already has that data imported.

As a result of these steps, multiple Administration Service instances of the new version use a single database updated with the configuration and management history data of your earlier Active Roles version.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación