サポートと今すぐチャット
サポートとのチャット

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Replication monitoring - Script

This rule uses a script to check the status of Active Roles replication. The script is intended to run on the Publisher Administration Service so as to verify the replication status of the Publisher and Subscribers. By default, this rule is scheduled to run every 30 minutes. The schedule can be adjusted by managing rule properties in the Operations Manager console.

Replication monitoring - Alert

This rule generates an alert when the Replication monitoring script detects that the Active Roles replication status indicates a replication failure.

Possible causes of the alert include:

  • The SQL Server Agent service is not started on the computer running the Publisher SQL Server.

  • The Snapshot Agent or a Merge Agent is not started at the Publisher SQL Server.

  • The Merge Agent uses incorrect credentials when connecting to the Publisher or a Subscriber.

  • The Snapshot Agent uses incorrect credentials when connecting to the Publisher.

For more information, and details on how resolve replication-related problems, see Identifying replication-related problems.

Monitoring connection to configuration database

This category includes the event-based processing rules to monitor health of the connection to the configuration database:

  • Connection to database has been lost: Administration Service has lost connection to the configuration database, and is attempting to re-establish the connection.

  • Connection to database has been restored: Administration Service restored connection to the configuration database.

The following sub-sections elaborate on each of these processing rules.

Connection to database has been lost - Alert

This rule generates an alert indicating that the Administration Service has lost a connection to the configuration database, and is making attempts to restore the connection. For details, refer to the alert description generated by this rule. Losing the connection to the database does not affect the directory management functions of the Administration Service. All operations related to Active Directory management continue to work as expected.

As long as there is no connection to the database, the following Administration Service functions will not be available:

  • Collecting data related to change history and user activity.

  • Retrieving and updating configuration data.

  • Retrieving changes to configuration data made by other Administration Service instances (both directly and via replication).

  • Retrieving and updating virtual attributes stored in the configuration database.

Connection to database has been restored - Alert

This rule generates an alert indicating that the Administration Service has restored the connection to the configuration database. For details, refer to the alert description generated by this rule. Once the connection has been restored, all Administration Service functions that require access to the database will be restored.

Monitoring of Dynamic Group-related operations

This category includes the event-based processing rules to monitor the background activities of Active Roles related to Dynamic Groups:

  • Rebuilding has been started: Administration Service has been forced to re-calculate (rebuild) the membership list of a Dynamic Group.

  • Failed to add object to Dynamic Group: Administration Service failed to add an object to a Dynamic Group.

  • Failed to remove object from Dynamic Group: Administration Service failed to remove an object from a Dynamic Group.

  • Failed to process membership rule: Administration Service failed to apply a query-based membership rule when updating the membership list of a Dynamic Group.

  • Failed to update membership list: Administration Service failed to update the membership list of a Dynamic Group in accordance with the membership rules.

  • Failed to update membership list of nested group: Administration Service failed to update the membership list of an additional (nested) group generated to accommodate extra members of a Dynamic Group.

  • Failed to update membership rule upon deletion of object: When updating a Dynamic Group, Administration Service failed to delete or update a membership rule of a Dynamic Group upon deletion of an object.

  • Failed to look up object when updating: When updating a Dynamic Group, Administration Service failed to locate an object that is referred to by a certain membership rule. The object may have been deleted.

  • Failed to retrieve information from domain: Administration Service failed to retrieve information about Dynamic Groups from a certain domain.

  • Membership rule domain unavailable: When updating a Dynamic Group, Administration Service failed to apply a membership rule because the rule applies to a domain unavailable on the network.

  • Membership rule failed: When updating a Dynamic Group, Administration Service failed to apply one of the membership rules, which prevented all rules from being applied and stopped changes to the members list of the Dynamic Group.

The following sub-sections provide more details about these processing rules.

Dynamic Group - Rebuilding has been started - Alert

This rule generates an alert indicating that an administrator has forced Active Roles to re-calculate (rebuild) the membership list of a Dynamic Group. For details, refer to the alert description generated by this rule.

You can start rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Failed to add object to Dynamic Group - Alert

This rule generates an alert indicating that the Administration Service failed to add an object to a Dynamic Group due to a certain problem. The object is missing from the Dynamic Group until after the problem has been resolved. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Failed to remove object from Dynamic Group - Alert

This rule generates an alert indicating that the Administration Service failed to remove an object from a Dynamic Group due to a certain problem. The object remains in the Dynamic Group until after the problem has been resolved. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Dynamic Group - Failed to process membership rule - Alert

This rule generates an alert indicating that the Administration Service failed to apply a query-based membership rule when updating the membership list of a Dynamic Group. The failed rule is not taken into account, so the membership list may not comply with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console. Check membership rules by using the Membership Rules tab in that dialog.

Dynamic Group - Failed to update membership list - Alert

This rule generates an alert indicating that the Administration Service failed to update the membership list of a Dynamic Group in accordance with the membership rules. The membership list may not be compliant with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Dynamic Group - Failed to update membership list of nested group - Alert

This rule generates an alert indicating that the Administration Service failed to update the membership list of an additional (nested) group generated to accommodate extra members of a Dynamic Group. The membership list of the nested group may not be compliant with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, try to force rebuilding the Dynamic Group from the Properties > Members tab of the Dynamic Group, in the Active Roles Console.

Dynamic Group - Failed to update membership rule upon deletion of object - Alert

This rule generates an alert indicating that the Administration Service failed to delete or update a membership rule of a Dynamic Group when deleting a certain object. The membership rule could be one of the following:

  • Implicit inclusion or exclusion of that object from the Dynamic Group.

  • Query with a filter referring to that object.

  • Inclusion or exclusion of the members of the group represented by that object.

For details, refer to the alert description generated by this rule.

To resolve the issue, delete or update membership rules with the Properties > Membership Rules tab of the Dynamic Group in the Active Roles Console. Then, force rebuilding of the Dynamic Group from the Members tab in that dialog.

Dynamic Group - Failed to look up object when updating - Alert

This rule generates an alert indicating that the Administration Service failed to locate an object when updating the membership list of a Dynamic Group in accordance with the membership rules. The object may have been deleted. The object could be referred to by:

  • A membership rule to explicitly include or exclude that object from the Dynamic Group.

  • A query-based membership rule (the object may represent the base of a search or be a member of the search result set).

  • A membership rule to include or exclude the members of a certain group (the object may represent the domain of that group).

  • A directory synchronization (DirSync) query (this may be one of the objects returned by that query).

For details, refer to the alert description generated by this rule.

The membership rules referring to that object are inoperative and are not taken into account when updating the Dynamic Group, so the membership list may not be compliant with the membership rules.

To prevent issues with the membership list of the Dynamic Group, check membership rules by using the Properties > Membership Rules tab of the Dynamic Group in the Active Roles Console. Then, force rebuilding of the Dynamic Group from the Members tab in that dialog.

Dynamic Group - Failed to retrieve information from domain - Alert

This rule generates an alert indicating that the Administration Service failed to retrieve information about Dynamic Groups from a certain domain. The Dynamic Groups contained in that domain are inoperative until after the problem has been resolved. For details, refer to the alert description generated by this rule.

Dynamic Group - Membership rule domain unavailable - Alert

This rule generates an alert indicating that Active Roles failed to update the members list of the Dynamic Group in accordance with one of the membership rules. The failed membership rule applies to a domain that is currently unavailable. The membership rule is disregarded, so the members list of the Dynamic Group may not be compliant with the membership rules. For details, refer to the alert description generated by this rule.

To solve the problem, ensure that the domain is available on the network, then update the Dynamic Group by clicking Properties > Members > Rebuild in the dialog of the group in the Active Roles Console. Alternatively, wait for Active Roles to update the Dynamic Group on a schedule.

Dynamic Group - Membership rule failed - Alert

This rule generates an alert indicating that Active Roles failed to update the members list of the Dynamic Group in accordance with one of the membership rules. As one of the membership rules failed, no membership rules are applied until the issue is resolved, so the members list of this Dynamic Group remains unchanged. For details, refer to the alert description generated by this rule.

To solve the problem, try to force update the Dynamic Group by clicking Properties > Members > Rebuild in the dialog of the group in the Active Roles Console. Check the membership rules on the Membership Rules tab in that dialog.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択