This document describes how to install One Identity Active Roles and its components, deploy its services in your organization, or uninstall it.
Active Roles simplifies creating and managing user accounts and groups in Windows Active Directory (AD) environments by automating the following:
-
User and group account management in AD and Azure AD.
-
Mailbox management in Exchange and Exchange Online.
-
Group population, and resource assignment in Windows.
Active Roles enforces security, automates directory management tasks, and provides change approval and a Web Interface.
Active Roles divides directory administration into 3 functional layers:
-
Presentation components
-
Service components
-
Network data sources.
Figure 1: Active Roles Components
-
Presentation components are client interfaces for Windows and the Web, allowing users with sufficient rights to perform a defined set of administrative operations. Active Roles can also generate reports on administrative operations.
-
Service components provide a secure layer between administrators and managed data sources. Service components enforce policies, provide automation capabilities, and integrate business processes for administrating Active Directory, Exchange and other corporate data sources.
-
Network data sources are managed by the Administration Service, a rules-based proxy that is the main component of Active Roles. The Administration Service acts as a bridge between the presentation components and network data sources.
You can use the Administration Service's delegation capabilities to enforce administrative policies that keep data up-to-date and accurate. In large networks, you can deploy multiple instances of Administration Services to improve performance and ensure fault tolerance.
The Administration Service uses the configuration database to store configuration data. Configuration data includes definitions of objects specific to Active Roles, assignments of administrative roles and policies, and procedures used to enforce policies.
The Administration Service provides a complete audit trail by creating records in the Active Roles event log. The log shows all actions performed, including unpermitted actions. The log entries display the success or failure of each action, as well as the attributes that were changed while managing objects in data sources.
The Active Roles folder contains the following files and folders:
-
ActiveRoles.exe
-
Components
-
Redistributables
-
Tools
|
ActiveRoles.exe |
The .exe file allows you to start the setup wizard and install the Active Roles components. |
|
Components |
This folder contains separate installer files for the following default components, allowing you to install them individually:
-
Administration Service: The core service of Active Roles, ensuring the reliable enforcement of administrative policies that keep directory data accurate and up-to-date.
-
ADSI Provider: Enables custom user interfaces and applications to access Active Directory services through Active Roles.
-
Configuration Center:
-
Console (also known as the MMC Interface): A comprehensive administrative tool used to manage Active Directory and Microsoft Exchange resources, configure access and administration policies, and set up automation or approval workflows.
-
Management Shell: Provides Windows PowerShell-based command-line tools (cmdlets), allowing you to run and automate administrative tasks in Active Roles.
-
: Automates the process of identity data synchronization among various data systems used in your enterprise environment.
-
Web Interface: A highly customizable web application, providing administrative coverage for all aspects of Active Directory and Azure AD data management. |
|
Redistributables |
This folder contains the following redistributables required by the latest Active Roles version:
-
Microsoft OLE DB Driver 19 for SQL Server
-
Microsoft .NET Framework 4.8
-
Microsoft .NET Framework 4.8 Developer Pack
-
Microsoft Visual C++ 2015-2022 Redistributable (x64, X86)
-
Microsoft Edge WebView2 Runtime |
|
Tools |
This folder contains the installer files for the following additional components:
-
Add-in for Outlook: Allows you to process and submit approvals via Microsoft Outlook. Install this component on a computer running Microsoft Outlook.
-
Add-on Manager: Allows you to install and manage addons for Active Roles, or even create new addons with its addon editor.
-
Administrative Template: Allows you to control the behavior and appearance of the Active Roles Console via Group Policy.
-
Data Collector and Report Pack: Allows you to collect Administration Service data and store them in an on-premises SQL Server or Azure SQL database for reporting purposes.
-
Configuration Transfer Wizard: Allows you to export your Active Roles configuration resources (such as Access Templates, Managed Units, Policy Objects, Policy Types and so on) to an XML file, then import them to another Active Roles instance.
-
Diagnostic Tools: Provides you optional tools to check system requirements, logs and changes in your Active Directory domain.
-
Management Pack for SCOM: Allows you to monitor your Active Roles environment and configure alerts for various error conditions.
-
: Allows you to exchange user, resource, and service-provisioning information between SPML-enabled enterprise applications and Active Directory.
-
Capture Agent: Allows you to synchronize user passwords between Active Directory domains managed by and other connected data systems. |
Before installing Active Roles 8.2 in an on-premises environment, ensure that your system meets the following minimum hardware and software requirements.
NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.
To authenticate and communicate with Azure, the Active Roles Service must have access to the following Microsoft endpoints:
-
https://login.microsoftonline.com/
-
https://developer.microsoft.com/graph
-
https://graph.windows.net/
To manage Azure Active Directory resources, you must install the following prerequisites in the Active Roles Configuration Center.
TIP: To run the PowerShell commands of the following modules, use the 64-bit version of Windows PowerShell.
|
NuGet package provider |
Minimum: 2.8.5.201
Maximum: 3.0.0.1 |
You must install the NuGet package provider on the computer(s) running an Active Roles Administration Service instance or Active Roles .
For more information, see Install-PackageProvider in the Microsoft Package Management documentation. |
|
Exchange Online PowerShell V3 module |
Minimum: 3.0.0
Maximum: 3.5.0 |
You must install the Exchange Online PowerShell module on the computer(s) running an Active Roles Administration Service instance or Active Roles .
For more information, see About the Exchange Online PowerShell module in the Microsoft Exchange PowerShell documentation. |
|
Az.Accounts PowerShell module
|
Minimum: 2.15.1
Maximum: 2.16.0 |
You must install the Az.Accounts PowerShell module on the computer(s) running an Active Roles Administration Service instance or Active Roles .
For more information, see Az.Accounts in the Microsoft PowerShell Gallery. |
|
Az.Resources PowerShell module |
Minimum: 6.15.1
Maximum: 6.16.0 |
You must install the Az.Resources PowerShell module on the computer(s) running an Active Roles Administration Service instance.
For more information, see Az.Resources in the Microsoft PowerShell Gallery. |
|
Microsoft Graph PowerShell module |
Maximum: 2.17.0 |
You must install the Microsoft Graph PowerShell module on the computer(s) running an Active Roles Administration Service instance. For installation instructions, see Microsoft Graph in the Microsoft PowerShell Gallery. |
|
Microsoft Edge WebView2 Runtime |
N/A |
If no web browser is installed on the machine where you want to install and use Active Roles, download the Microsoft Edge Webview 2 Runtime installer with the following PowerShell command:
Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$([System.IO.Path]::Combine([System.Environment]::GetFolderPath('UserProfile'), 'Downloads', 'MicrosoftEdgeWebView2Setup.exe'))"
After the download is finished, locate the installer in your Downloads folder and run it. |
|
(Optional) One Identity certificate |
N/A |
If your organization enforces the AllSigned policy, you must install the One Identity certificate during the installation of Active Roles. |
|
|
CAUTION: When importing PowerShell modules with the $context.O365ImportModules function, they are imported with the versions specified in the configuration of the Azure-specific prerequisites.
However, after importing the specified versions of the required PowerShell modules, running PowerShell cmdlets without passing them as a string to the $context.O365ImportModules function can cause inconsistent behavior in Active Roles. This is because if there are multiple versions of the same PowerShell module installed on the computer running the Active Roles server, PowerShell modules containing the script to run can be imported automatically with different versions.
To avoid inconsistent behavior in Active Roles by importing different PowerShell versions, run PowerShell modules only by passing them as a string to the $context.O365ImportModules function. |
Hardware requirements
Table 1: Hardware requirements
|
Processor
NOTE: The number of cores required depends on the size of the environment and the total number of managed objects. |
For Administration Service, Web Interface and , any of the following:
NOTE: For Active Roles , One Identity recommends using a multi-core CPU for the best performance. |
|
For Console, and Management Tools, any of the following:
|
|
Memory
NOTE: The amount of RAM required depends on the size of the environment and the total number of managed objects. |
Administration Service:
A minimum of 4 GB of RAM. |
|
Web Interface, :
A minimum of 2 GB of RAM. |
|
Console, and Management Tools:
A minimum of 1 GB of RAM. |
|
Hard disk space |
Administration Service, Web Interface, Console, and Management Tools:
A minimum of 100 MB of free disk space. |
|
:
A minimum of 250 MB of free disk space.
NOTE: If SQL Server and are installed on the same computer, the amount required depends on the size of the database. |
|
Operating system |
You can install any of the Active Roles components on a computer running:
-
Microsoft Windows Server 2022
-
Microsoft Windows Server 2019
-
Microsoft Windows Server 2016
Active Roles supports the Standard or Datacenter edition of these operating systems.
In addition, you can install the Active RolesConsole and Management Tools on a computer running:
-
Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64).
-
Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64). |
Component requirements
|
|
CAUTION: To avoid inconsistent behavior in Active Roles when managing Azure Active Directory resources, you must enable Transport Layer Security (TLS) protocol version 1.2. For more information, see TLS 1.2 enforcement for Azure AD Connect in the Microsoft Azure documentation. |
All Active Roles components require:
Table 2: Administration Service requirements
| SQL Server |
You can host the Active Roles database on the following SQL Server versions:
-
Microsoft SQL Server 2022, any edition.
-
Microsoft SQL Server 2019, any edition.
-
Microsoft SQL Server 2017, any edition.
-
Microsoft SQL Server 2016, any edition.
-
Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.
-
Azure SQL hosted databases.
To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).
IMPORTANT: Starting from version 8.2, Active Roles supports (and its installer is shipped with) Microsoft OLE DB Driver 19.x for SQL Server. However, Active Roles still supports earlier OLE DB Driver versions as well (18.4 or newer).
-
If you upgrade to 8.2 from an earlier version and you want to keep using an earlier version of Microsoft OLE DB Driver (version 18.4 or newer), this change has no impacts on your installation.
-
If you upgrade to 8.2 from an earlier version or performed a clean installation, and you want to use Microsoft OLE DB Driver 19.x for SQL Server due to security concerns, make sure that your SQL Server has a certificate trusted by the server that is assigned to the SQL service network protocols.
To use SSL with your SQL Server, configure a valid certificate. For more information on installing or viewing certificates for SQL Server via SQL Server Configuration Manager, see Certificate management in the Microsoft SQL Server documentation.
For general information about the encryption and certificate requirements of Microsoft OLE DB Driver 19.x, see Encryption and certificate validation in OLE DB and Certificate requirements for SQL Server in the Microsoft SQL Server documentation.
When configuring the SSL connection, consider the following:
-
Microsoft OLE DB Driver 19.x for SQL Server requires a certificate from a Certificate Authority and no longer accepts self-signed certificates. For more information on how to access a Certificate Authority, see Certification Authority Guidance in the Microsoft Windows Server documentation.
-
The Service Account running the SQL Server service must have permission to view the private key from the server certificate. For more information, see Configure SQL Server Database Engine for encrypting connections in the Microsoft SQL Server documentation.
-
Microsoft OLE DB Driver 19.x for SQL Server requires specifying the Service Principal Names (SPNs). For more information, see the following Microsoft SQL Server documentation resources:
-
You might need to change your SQL connection string to match the certificate and the SPN. For more information, see Using Connection String Keywords with OLE DB Driver for SQL Server in the Microsoft SQL Server documentation. |
| Windows Management Framework |
Windows Management Framework 5.1 (available for download) is required on all supported operating systems. |
|
Operating system on domain controllers |
The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:
-
Microsoft Windows Server 2022
-
Microsoft Windows Server 2019
-
Microsoft Windows Server 2016
NOTE: The supported domain functional level is Windows Server 2008 R2 or higher. |
|
Exchange Server |
Active Roles is capable of managing Exchange recipients on:
|
Table 3: Web Interface requirements
|
Internet Services |
Active Roles Web Interface requires the Web Server (IIS) server role with the following role services:
-
Web Server/Common HTTP Features/
-
Default Document
-
HTTP Errors
-
Static Content
-
HTTP Redirection
-
Web Server/Security/
-
Request Filtering
-
Basic Authentication
-
Windows Authentication
-
Web Server/Application Development/
-
.NET Extensibility
-
ASP
-
ASP.NET
-
ISAPI Extensions
-
ISAPI Filters
-
Management Tools/IIS 6 Management Compatibility/
|
|
Feature delegation |
Internet Information Services (IIS) must provide Read/Write delegation for the following features:
To confirm that these features have the Read/Write delegation configured, use the Feature Delegation option of the native Internet Information Services (IIS) Manager tool of the operating system. |
|
.NET Trust Levels |
The .NET Trust Level must be set to Full (internal) on every computer where the Web Interface component is installed.
To configure this setting:
-
In the system-provided Internet Information Services (IIS) Manager tool, under Connections, expand the node of the computer, and navigate to Sites > Default Web Site.
-
On the Default Web Site Home page, double-click .NET Trust Levels.
-
Under Trust level, select Full (internal).
NOTE: Setting the .NET Trust Level to any other value will result in a failure when attempting to load any of the configured Active Roles Web Interface sites. |
|
Web browser |
You can access Active Roles Web Interface using:
-
Mozilla Firefox 36 (or newer) on Windows.
-
Google Chrome 61 (or newer) on Windows.
-
Microsoft Edge 79 (or newer), based on Chromium on Windows 10.
You can use a later version of Firefox and Google Chrome to access Active Roles Web Interface. However, the Active Roles Web Interface was tested only with the browser versions listed above. |
|
Minimum screen resolution |
Active Roles Web Interface is optimized for screen resolutions of 1280x800 or higher.
The minimum supported screen resolution is 1024x768. |
Table 4: Console requirements
|
Web browser |
Active Roles Console requires Microsoft Edge 79 (or newer), based on Chromium. |
Table 5: Management Tools requirements
|
Windows Management Framework |
Windows Management Framework 5.1 (available for download) is required on all supported operating systems. |
|
Remote Server Administration Tools (RSAT) |
To manage Terminal Services user properties by using Active Roles Management Shell, Active Roles Management Tools requires Remote Server Administration Tools (RSAT) for Active Directory.
For more information on installing the RSAT version applicable to your operating system, see Remote Server Administration Tools (RSAT) for Windows in the Microsoft Windows Server documentation. |
Table 6: requirements
|
Operating system on domain controllers |
The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:
-
Microsoft Windows Server 2022
-
Microsoft Windows Server 2019
-
Microsoft Windows Server 2016
NOTE: The supported domain functional level is Windows Server 2008 R2 or higher. |
|
SQL Server |
You can host the database on:
-
Microsoft SQL Server 2022, any edition.
-
Microsoft SQL Server 2019, any edition.
-
Microsoft SQL Server 2017, any edition.
-
Microsoft SQL Server 2016, any edition.
-
Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.
-
Azure SQL hosted databases. |
|
Windows Management Framework |
Windows Management Framework 5.1 (available for download) is required on all supported operating systems. |
|
Supported connections |
can connect to the following data systems:
-
Data sources accessible via an OLE DB provider.
NOTE: To create a connection to an OLE DB-compliant relational database, the OLE DB Connector requires any version of Microsoft OLE DB Driver for SQL Server that is supported by Microsoft to be installed on the machine running .
The Active Roles installer is shipped with and automatically installs Microsoft OLE DB Driver 19.x for SQL Server.
-
Delimited text files.
-
IBM AS/400, IBM Db2, and IBM RACF systems.
-
LDAP directory service.
-
Micro Focus NetIQ Directory systems.
-
The following Microsoft services and resources:
-
Active Directory Domain Services (AD DS) with the domain or forest functional level of Windows Server 2016 or higher.
-
Active Directory Lightweight Directory Services (AD LDS) running on any Windows Server operating system supported by Microsoft.
-
Azure Active Directory (Azure AD) using Microsoft Graph API version 1.0.
-
Exchange Online services.
-
Exchange Server with the following versions:
-
Lync Server version 2013 with limited support.
-
SharePoint 2019, 2016, or 2013.
-
SharePoint Online service.
-
Skype for Business 2019, 2016 or 2015.
-
Skype for Business Online service.
-
SQL Server, any version supported by Microsoft.
-
One Identity Active Roles version 7.4.3, 7.4.1, 7.3, 7.2, 7.1, 7.0, and 6.9.
-
One Identity Manager version 8.0 and 7.0 (D1IM 7.0).
-
OpenLDAP directory service.
-
Oracle Database, Oracle Database User Accounts, and Oracle Unified Directory data systems.
-
MySQL databases.
-
Salesforce systems.
-
SCIM-based data systems.
-
ServiceNow systems. |
|
Legacy Active Roles ADSI Provider |
To connect to Active Roles version 6.9, install the Active Roles ADSI Provider. For more information, see Installing additional components in the Active Roles Installation Guide. |
|
One Identity Manager API |
To connect to One Identity Manager 7.0, install One Identity Manager Connector on the computer running . This connector works with the RESTful web service and no SDK installation is required. |
|
Internet connection |
To connect to cloud directories or online services, the machine running must have a stable Internet connection. |
Table 7: Capture Agent requirements
|
Operating system |
The DCs on which you install Capture Agent must run one of the following operating systems with or without any Service Pack:
-
Microsoft Windows Server 2022
-
Microsoft Windows Server 2019
-
Microsoft Windows Server 2016
For more information, see the Administration Guide. |
Table 8: Language Pack requirements
|
Active Roles version |
The Active Roles 8.2 Language Pack requires Active Roles version 8.2 of the Administration Service, Configuration Center, Console, or the Web Interface installed on the target machine.
The Active Roles 8.2 Language Pack will not work properly with earlier versions of Active Roles. |
|
Operating system |
You can install the Active Roles Language Pack on 64-bit operating systems only. |
Table 9: Add-on Manager requirements
|
Processor |
Any of the following:
|
|
Memory |
A minimum of 1 GB of RAM. |
|
Hard Disk Space |
A minimum of 100 MB of free disk space. |
|
Operating System |
Any of the following Windows Server operating systems:
-
Microsoft Windows Server 2022
-
Microsoft Windows Server 2019
-
Microsoft Windows Server 2016
In addition, you can also install Add-on Manager on a computer running:
|
|
Active Roles Console |
Add-on Manager requires Active Roles 8.2 Console installed. |
|
Microsoft Windows PowerShell |
Windows PowerShell 5.1 or later |
|
Web Browser |
Microsoft Edge 79 or newer (based on Chromium) |
Table 10: Diagnostic Tools requirements
|
Processor |
1.0 GHz or faster 32-bit (x86) or 64-bit (x64) CPU. |
|
Memory
NOTE: The amount of RAM required depends on the size of the log file opened with the Log Viewer tool. |
A minimum of 1 GB of RAM. |
|
Hard disk space |
A minimum of 10 MB of free disk space. |
|
Operating system |
Any of the following Windows Server operating systems:
-
Microsoft Windows Server 2022
-
Microsoft Windows Server 2019
-
Microsoft Windows Server 2016 |
Table 11: Data Collector and Reporting Pack requirements
|
Processor |
Any of the following:
|
|
Memory |
A minimum of 2 GB of RAM. |
|
Hard disk space |
|
|
Operating system |
Any of the following Windows Server operating systems:
-
Microsoft Windows Server 2022
-
Microsoft Windows Server 2019
-
Microsoft Windows Server 2016 |
|
SQL Server and SQL Server Reporting Services |
You can host the Active Roles Data Collector and Reporting Pack on the following SQL Server versions:
-
Microsoft SQL Server 2022, any edition.
-
Microsoft SQL Server 2019, any edition.
-
Microsoft SQL Server 2017, any edition.
-
Microsoft SQL Server 2016, any edition.
-
Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.
-
Azure SQL hosted databases.
To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL). |
|
Active Roles ADSI Provider |
Active Roles 8.2 Management Tools must be installed. |
