
Active Roles 7.4.1 - Quick Start Guide


Active Roles uninstallation

To uninstall Active Roles and its components

  1. On the system where Active Roles is installed, open the Control Panel and navigate to Programs | Programs and Features.
  2. In the list of installed programs, right-click One Identity Active Roles, and click Uninstall/Change.

    The Active Roles Setup window is displayed.

  3. Click Remove.

    The Active Roles Setup - Ready to Remove dialog box is displayed.

  4. Click Remove to uninstall Active Roles.

NOTE: Alternatively, click Modify to add or remove Active Roles components, or click Repair to reinstall corrupt Active Roles files.

System Requirements

Active Roles Setup includes the following components:

  • Administration Service
  • Console (MMC Interface)
  • Web Interface
  • Management Tools
  • Synchronization Service

The Active Roles Release Notes document, included on the Active Roles distribution media, provides information about the hardware and software requirements for each of these components.

The Active Roles distribution media includes separate installation packages for additional components, such as Add-in for Outlook, Collector and Report Pack. The system requirements for these components are as follows:

Table 2: Active Roles Add-in for Outlook requirements

  Requirement                       Details
  Microsoft Office Outlook          Microsoft Office Outlook 2010 or later
  Other Microsoft Office features   .NET Programmability Support for Microsoft Office Outlook;
                                    Microsoft Forms 2.0 .NET Programmability Support
  Microsoft .NET Framework          Microsoft .NET Framework 4.7.2

Table 3: Active Roles Collector and Report Pack requirements

  Requirement                       Details
  Operating system                  Any operating system listed in the requirements for the Active Roles Console
  SQL Server                        Any SQL Server version listed in the requirements for the Administration Service
  SQL Server Reporting Services     Any SQL Server version listed in the requirements for the Administration Service
  Microsoft .NET Framework          Microsoft .NET Framework 4.7.2
  Active Roles ADSI Provider        Management Tools of the current Active Roles version must be installed

Deploying the Administration Service

Use the following checklist to ensure that you are ready to install the Administration Service.

Table 4: Checklist: Deploying the Administration Service (each item to check is followed by its description)

Administration Service computer

The Administration Service can be installed on any computer that meets the hardware and software requirements.

It is not mandatory to install the Administration Service on a domain controller. However, the Administration Service computer must have reliable network connections with at least one of the domain controllers for each managed domain.

SQL Server

The Administration Service requires Microsoft SQL Server. It is possible to use SQL Server on the computer running the Administration Service or on a different computer that has a reliable network connection with the computer running the Administration Service.

Administration Service account

The Administration Service logs on with the account that you specify during installation. The account must have sufficient rights for Active Roles to function properly.

Active Roles uses the Administration Service account when accessing a managed domain unless an override account is specified when registering the domain with Active Roles. Therefore, the Administration Service account must have the appropriate rights in any domain for which an override account is not specified.

Additionally, the Administration Service account must have sufficient permissions to publish the Administration Service in Active Directory.

Information about how to configure the Administration Service account and an override account can be found later in this document.

Account used for connection to SQL Server

When installing the Administration Service you may configure it to use Windows authentication or SQL Server authentication for connection to SQL Server.

If you choose Windows authentication, the connection is established using the Administration Service account. In this case, the service account must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in the Active Roles database.

If you choose SQL Server authentication, the connection is established with the login you are prompted to specify when installing the Administration Service. This login must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in the Active Roles database.

For more information on what permissions must be granted to the account for connection to SQL Server, see SQL Server permissions later in this document.

Active Roles Admin

Active Roles Admin is a group for which Active Roles does not perform permission checking. If the Administration Service itself has sufficient rights to perform a certain task, then Active Roles Admin can also perform that task using Active Roles.

In addition, Active Roles Admin is authorized to perform any task related to the Active Roles configuration, such as adding managed domains and managing replication settings. Therefore, the membership in the Active Roles Admin group should be restricted to highly trusted individuals.

By default, Active Roles Admin is the local Administrators group on the computer running the Administration Service, so every member of that group (including Domain Admins, which is nested in the local Administrators group of every domain-joined computer) bypasses Active Roles permission checks. You can change this setting when installing the Administration Service.
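The SQL Server row of the checklist states the minimum rights for the connection account: membership in db_owner and a default schema of dbo in the Active Roles database. The following script is an added example (not part of the Active Roles documentation or product) that verifies those two conditions for a Windows login and grants them when they are missing. The instance name, database name and account name are assumptions; the login itself must already exist on the instance, and the script must be run by a login that can alter users and roles in that database.

```powershell
# Added example (not from the Active Roles documentation): check and, if needed,
# grant the minimum SQL Server rights for the Administration Service connection
# account: db_owner membership and a default schema of dbo.
# Assumed values: instance, database and account. Encrypt=True assumes the
# instance presents a certificate trusted by this host.
$instance = 'SQL01\ARS'            # assumed SQL Server instance
$database = 'ActiveRoles'          # assumed Active Roles database name
$account  = 'CORP\svc-activeroles' # assumed Windows login used by the service

# Bracket-quote the name for DDL so a hostile account name cannot break out.
$quoted = '[' + $account.Replace(']', ']]') + ']'

$conn = [System.Data.SqlClient.SqlConnection]::new(
    "Server=$instance;Database=$database;Integrated Security=SSPI;Encrypt=True")
$conn.Open()

function Invoke-Scalar([string]$sql) {
    # Parameterised query; $account is passed as @account, never concatenated.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    $cmd.Parameters.AddWithValue('@account', $account) | Out-Null
    $cmd.ExecuteScalar()
}
function Invoke-Ddl([string]$sql) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    $cmd.ExecuteNonQuery() | Out-Null
}

# 1. Is there a database user for the login, and what is its default schema?
$schema = Invoke-Scalar 'SELECT default_schema_name FROM sys.database_principals WHERE name = @account'
if ($null -eq $schema -or $schema -is [System.DBNull]) {
    Write-Host "No database user for $account in $database; creating it with default schema dbo."
    Invoke-Ddl "CREATE USER $quoted FOR LOGIN $quoted WITH DEFAULT_SCHEMA = dbo;"
} elseif ($schema -ne 'dbo') {
    Write-Host "Default schema of $account is '$schema'; changing it to dbo."
    Invoke-Ddl "ALTER USER $quoted WITH DEFAULT_SCHEMA = dbo;"
}

# 2. Is the user a member of the db_owner fixed database role?
$isOwner = Invoke-Scalar "SELECT IS_ROLEMEMBER('db_owner', @account)"
if ($isOwner -ne 1) {
    Write-Host "Adding $account to db_owner in $database."
    Invoke-Ddl "ALTER ROLE db_owner ADD MEMBER $quoted;"
}

# 3. Final state, as the installer will see it.
$finalSchema = Invoke-Scalar 'SELECT default_schema_name FROM sys.database_principals WHERE name = @account'
$finalOwner  = Invoke-Scalar "SELECT IS_ROLEMEMBER('db_owner', @account)"
Write-Host "$account in ${database}: default schema = $finalSchema, db_owner = $finalOwner"
$conn.Close()
```

If the Administration Service is configured for SQL Server authentication instead, substitute the SQL login name for the account and replace Integrated Security with User ID/Password in the connection string; the checks and the DDL are the same.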

Configuring the Administration Service account

When installing the Administration Service, you are prompted for the name and password of the Administration Service account—the account the Administration Service logs on to. This account must have sufficient permissions to:

  • Gain administrative access to the computer running the Administration Service.
  • Publish the Administration Service in Active Directory.
  • Access any managed domain for which an override account is not specified.

NOTE: When registering a domain with Active Roles, you can specify an override account. If you specify an override account, the Administration Service uses the override account rather than the service account to access the domain.

Access to the Administration Service computer

The service account must be a member of the Administrators group on the computer running the Administration Service. Because of this requirement, installing the Administration Service on a domain controller effectively grants the service account administrator rights in the entire domain.

Service publication in Active Directory

The Administration Service must be able to publish itself in Active Directory so that Active Roles clients can discover it automatically. Service publication requires that the service account have the following permissions on the Aelita sub-container of the System container in the domain of the computer running the Administration Service:

  • Create Container Objects
  • Create serviceConnectionPoint Objects
  • Delete the serviceConnectionPoint objects in the System container
  • Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

In addition, the service account (or the override account, if specified) must have these permissions on the Aelita sub-container of the System container in every managed domain. An account with domain administrator rights has them by default. Otherwise, grant them to the account by using the ADSI Edit console. The following instructions apply to the ADSI Edit console that ships with Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019.

To grant permissions for Administration Service publication in Active Directory

  1. Open the ADSI Edit console and connect to the Domain naming context.
  2. In the console tree, expand the System container, right-click the Aelita sub-container, and then click Properties.

    If the Aelita container does not exist, create it: right-click System, point to New, click Object, and then, in the Create Object wizard, select the Container class and specify Aelita for the cn value.

  3. On the Security tab in the Properties dialog box, click Advanced.
  4. On the Permissions tab in the Advanced Security Settings dialog box, click Add.
  5. On the Permission Entry page, configure the permission entry:
    1. Click the Select a principal link, and select the desired account.
    2. Verify that the Type box indicates Allow.
    3. Verify that the Applies onto box indicates This object and all descendant objects.
    4. In the Permissions area, select the Create container objects and Create serviceConnectionPoint objects check boxes.
    5. Click OK.
  6. Click OK to close the Advanced Security Settings dialog box, and then click OK to close the Properties dialog box.
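The ADSI Edit procedure above grants the two Create rights; the full list of publication permissions also names deleting serviceConnectionPoint objects and writing their keywords attribute. The following script is an added example (not part of the Active Roles documentation or product) that grants all four as explicit ACEs on the Aelita container of the current domain, creating the container first if it is missing, and then lists the resulting entries for review. The account name is an assumption; the schema GUIDs of the container and serviceConnectionPoint classes and of the keywords attribute are read from the schema at run time rather than hard-coded. It must be run by a user who can modify the ACL of the System container (for example, a Domain Admin) on a host with the ActiveDirectory module.

```powershell
# Added example (not from the Active Roles documentation): grant the service
# (or override) account the service-publication permissions on CN=Aelita,CN=System
# with PowerShell instead of ADSI Edit. Assumed value: the account name.
Import-Module ActiveDirectory

$account  = 'CORP\svc-activeroles'              # assumed service or override account
$domainDN = (Get-ADDomain).DistinguishedName
$systemDN = "CN=System,$domainDN"
$aelitaDN = "CN=Aelita,$systemDN"

# 1. Create the Aelita container if it does not exist yet.
if (-not (Get-ADObject -LDAPFilter '(cn=Aelita)' -SearchBase $systemDN -SearchScope OneLevel)) {
    New-ADObject -Name 'Aelita' -Type 'container' -Path $systemDN
}

# 2. Resolve schema GUIDs at run time (object-type GUIDs used in the ACEs).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$containerGuid = Get-SchemaGuid 'container'
$scpGuid       = Get-SchemaGuid 'serviceConnectionPoint'
$keywordsGuid  = Get-SchemaGuid 'keywords'

$sid   = [System.Security.Principal.NTAccount]::new($account).Translate([System.Security.Principal.SecurityIdentifier])
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$R     = [System.DirectoryServices.ActiveDirectoryRights]

$rules = @(
    # Create container objects / Create serviceConnectionPoint objects
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::CreateChild, $allow, $containerGuid, $all),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::CreateChild, $allow, $scpGuid, $all),
    # Delete serviceConnectionPoint objects
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::DeleteChild, $allow, $scpGuid, $all),
    # Write the keywords attribute of descendant serviceConnectionPoint objects only
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $R::WriteProperty, $allow, $keywordsGuid, $desc, $scpGuid)
)

$acl = Get-Acl -Path "AD:\$aelitaDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$aelitaDN" -AclObject $acl

# 3. Verify: show the ACEs that now apply to the account on the Aelita container.
(Get-Acl -Path "AD:\$aelitaDN").Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Because the ACEs are scoped by object type, the account can create and delete only containers and serviceConnectionPoint objects under Aelita and can write only the keywords attribute, which is narrower than the Full Control an administrator-level account would carry. Repeat the script against every managed domain for which the same account (or the override account) is used.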

Access to managed domains

Active Roles access to a domain is limited by the access rights of the service account or, if specified, the override account. For every managed domain without an override account, give the service account exactly the permissions you want Active Roles to have in that domain; if you register a domain with an override account, give those permissions to the override account instead. In addition, the service account (or the override account, if any) must have the Read Permissions and Modify Permissions rights on the Active Directory objects and containers where you plan to use the Active Roles security synchronization feature.

For example, you may grant the service account (or the override account) full control of certain organizational units, which limits the administrative scope of Active Roles to those organizational units. Alternatively, you can give Active Roles administrative access to a domain by adding the account to the Domain Admins group of that domain, or administrative access to an entire forest by adding the account to the Domain Admins group of the forest root domain. Because every delegation made in Active Roles is ultimately bounded by this account's rights, scope it to the organizational units Active Roles must manage rather than to Domain Admins wherever the deployment allows.

Access to Exchange Organizations

To manage Exchange recipients on Exchange Server 2019, 2016, 2013, or 2010, the service account or the override account must have sufficient rights in the Exchange organization. Delegate the rights to the service account if no override account is used; otherwise, delegate them to the override account. See the following steps for details.

To configure the service account or the override account

  1. Add the account to the Recipient Management role group.

    For instructions for Exchange 2019, see "Add Members to a Role Group" at https://technet.microsoft.com/en-in/library/jj657492(v=exchg.160).aspx.

  2. Add the account to the Account Operators domain security group. Account Operators is a highly privileged built-in group (it can modify most user and group accounts in the domain), so protect the service account accordingly.
  3. Enable the account to use remote Exchange Management Shell.

    For instructions for Exchange 2019, see "Enable Remote Exchange Management Shell for a User" at https://technet.microsoft.com/en-us/library/dd335083(v=exchg.160).aspx.

  4. Ensure that the account can read Exchange configuration data (see Permission to read Exchange configuration data below).
  5. Restart the Administration Service after you have changed the configuration of the account: start Active Roles Configuration Center (see "Running Configuration Center" in the Active Roles Administration Guide), go to the Administration Service page in the Configuration Center main window, and then click Restart at the top of the page.

NOTE:

  • For instructions for Exchange 2010, 2013, 2016, and 2019, see the relevant Microsoft Exchange pages at https://technet.microsoft.com/en-us/library.
  • The Active Roles service account must be a member of the Recipient Management role group to run Exchange hybrid commands.

The Exchange management tools are not required on the computer running the Administration Service.

Permission to read Exchange configuration data

To perform Exchange recipient management tasks, Active Roles requires read access to Exchange configuration data in Active Directory. This requirement is met if the service account (or the override account, if specified) has administrator rights (for example, is a member of the Domain Admins or Organization Management group). Otherwise, you should give the account the Read permission in the Microsoft Exchange container. You can do this by using the ADSI Edit console as follows (these instructions apply to the ADSI Edit console that ships with Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019):

  1. Open the ADSI Edit console and connect to the Configuration naming context.
  2. In the ADSI Edit console, navigate to the Configuration | Services container, right-click Microsoft Exchange in that container, and then click Properties.
  3. On the Security tab in the Properties dialog box that appears, click Advanced.
  4. On the Permissions tab in the Advanced Security Settings dialog box, click Add.
  5. On the Permission Entry page, configure the permission entry:
    1. Click the Select a principal link, and select the desired account.
    2. Verify that the Type box indicates Allow.
    3. Verify that the Applies onto box indicates This object and all descendant objects.
    4. In the Permissions area, select the List contents and Read all properties check boxes.
    5. Click OK.
  6. Click OK to close the Advanced Security Settings dialog box, and then click OK to close the Properties dialog box.

Support for remote Exchange Management Shell

When performing Exchange recipient management tasks on Exchange Server 2010 or later, Active Roles uses remote Exchange Management Shell to communicate with Exchange Server, so you do not need to install the Exchange management tools on the computer running the Administration Service.

To use remote Exchange Management Shell, the Administration Service must be running on a computer that has:

Remote Shell also requires the following:

  • TCP port 80 must be open between the computer running the Administration Service and the remote Exchange server (the remote shell connects to the Exchange PowerShell virtual directory over HTTP).
  • The user account the Administration Service uses to connect to the remote Exchange server (the service account or the override account) must be enabled for remote Shell. To enable a user account for remote Shell, update that user account by using the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.
  • Windows PowerShell script execution must be enabled on the computer running the Administration Service. Run the Set-ExecutionPolicy RemoteSigned command in an elevated Windows PowerShell window; the RemoteSigned policy runs locally created scripts and requires a signature only for scripts downloaded from the internet.
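The Exchange steps on this page (role group membership, Account Operators, remote shell enablement, read access to the Microsoft Exchange configuration container, and the remote shell prerequisites) can be carried out and then verified end to end from PowerShell. The following script is an added example (not part of the Active Roles documentation or product) that does so. The Exchange server name and the account name are assumptions. The administrative part must be run by an Exchange Organization Management member who is also a Domain Admin; the final verification opens a second remote session with the service account's own credentials, which is the same connection the Administration Service will make.

```powershell
# Added example (not from the Active Roles documentation): delegate Exchange
# rights to the service (or override) account and verify remote Exchange
# Management Shell works for it. Assumed values: Exchange server and account.
Import-Module ActiveDirectory
$exchangeServer = 'EXCH01.corp.example'   # assumed Exchange 2019 server (FQDN)
$account        = 'CORP\svc-activeroles'  # assumed service or override account
$samAccount     = $account.Split('\')[1]
$uri            = "http://$exchangeServer/PowerShell/"   # HTTP on TCP 80, Kerberos

# 1. Administrative remote session; no Exchange tools are needed locally.
$admin = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri -Authentication Kerberos
Import-PSSession $admin -DisableNameChecking | Out-Null

# 2. Recipient Management role group (only if not already a member) and remote shell.
$already = Get-RoleGroupMember -Identity 'Recipient Management' | Where-Object Name -eq $samAccount
if (-not $already) { Add-RoleGroupMember -Identity 'Recipient Management' -Member $samAccount }
Set-User -Identity $samAccount -RemotePowerShellEnabled $true
Remove-PSSession $admin

# 3. Account Operators membership (highly privileged built-in group; see note above).
Add-ADGroupMember -Identity 'Account Operators' -Members $samAccount

# 4. Read access to CN=Microsoft Exchange,CN=Services in the Configuration NC:
#    List contents + Read all properties on this object and all descendants.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$exchangeDN = "CN=Microsoft Exchange,CN=Services,$configNC"
$sid  = [System.Security.Principal.NTAccount]::new($account).Translate([System.Security.Principal.SecurityIdentifier])
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty',
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$exchangeDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$exchangeDN" -AclObject $acl

# 5. On the Administration Service host: script execution policy (needs elevation).
if ((Get-ExecutionPolicy -Scope LocalMachine) -notin @('RemoteSigned', 'Unrestricted')) {
    Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# 6. Verify as the service account: the session must open and a Recipient
#    Management cmdlet must be usable. Prompts for the account's password.
$cred = Get-Credential -UserName $account -Message 'Active Roles service account'
$test = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
            -Authentication Kerberos -Credential $cred
$sample = Invoke-Command -Session $test -ScriptBlock { @(Get-Mailbox -ResultSize 5).Count }
Write-Host "Remote Exchange Management Shell works for $account (sample mailboxes returned: $sample)"
Remove-PSSession $test
```

Restart the Administration Service afterwards, as step 5 of the procedure above requires, so that it picks up the account's new rights. If step 6 fails with an access-denied error while the administrative session succeeded, the usual causes are that RemotePowerShellEnabled has not replicated yet or that TCP port 80 is blocked from the Administration Service host.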

Access to managed AD LDS instances

Active Roles access to Active Directory Lightweight Directory Services (AD LDS) instances is limited by the access rights of the service account, or the override account, if specified. For all managed AD LDS instances with no override account specified, you should configure the service account to have permissions you want Active Roles to have in those instances. If you use an override account when registering an AD LDS instance with Active Roles, ensure that the override account (rather than the service account) has these permissions for that instance.

To control access to directory data, AD LDS provides four default, role-based groups: Administrators, Instances, Readers, and Users. These groups reside in the configuration partition and in each application partition, but not in the schema partition. To register an AD LDS instance with Active Roles, the service account or, if specified, the override account must, at a minimum, be a member of the following groups:

  • Instances (CN=Instances,CN=Roles) in the configuration partition
  • Readers (CN=Readers,CN=Roles) in the configuration partition and in each application partition

To allow Active Roles full access to the AD LDS instance, add the account to the following group:

  • Administrators (CN=Administrators,CN=Roles) in the configuration partition

If you add the account to the Administrators group, you don’t need to add it to the Instances or Readers group.
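Adding a Windows account to the AD LDS role groups has to be done in the configuration partition and, for Readers, in every application partition, so it is easy to miss one. The following script is an added example (not part of the Active Roles documentation or product) that enumerates the partitions of an instance from its RootDSE and adds the account to the groups listed above, at either the minimum level or the full-access level. The host, port and account name are assumptions; it relies on AD LDS accepting a Windows principal in the `<SID=...>` distinguished-name form for the member attribute and representing existing Windows members as foreignSecurityPrincipal objects whose CN is the SID. It must be run by an AD LDS administrator of the instance.

```powershell
# Added example (not from the Active Roles documentation): add the service (or
# override) account to the AD LDS Instances/Readers groups (or Administrators)
# in the right partitions. Assumed values: host:port of the instance and account.
$ldsServer  = 'LDS01.corp.example:50000'   # assumed AD LDS host:port
$account    = 'CORP\svc-activeroles'       # assumed service or override account
$fullAccess = $false                       # $true: Administrators instead of Instances+Readers

$sid = [System.Security.Principal.NTAccount]::new($account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$memberDN = "<SID=$sid>"   # Windows principal reference accepted by AD LDS

# Partitions from RootDSE: everything that is not configuration or schema is an
# application partition.
$rootDse  = [ADSI]"LDAP://$ldsServer/RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$schemaNC = [string]$rootDse.schemaNamingContext
$appNCs   = @($rootDse.namingContexts) | ForEach-Object { [string]$_ } |
            Where-Object { $_ -ne $configNC -and $_ -ne $schemaNC }

function Add-LdsGroupMember([string]$groupDN) {
    $group   = [ADSI]"LDAP://$ldsServer/$groupDN"
    # Existing Windows members appear as CN=<SID>,CN=ForeignSecurityPrincipals,...
    $current = @($group.Properties['member']) | ForEach-Object { [string]$_ }
    if ($current | Where-Object { $_ -like "CN=$sid,*" }) {
        Write-Host "Already a member of $groupDN"
        return
    }
    try {
        $group.Properties['member'].Add($memberDN) | Out-Null
        $group.CommitChanges()
        Write-Host "Added $account to $groupDN"
    } catch {
        Write-Warning "Could not add $account to ${groupDN}: $($_.Exception.Message)"
    }
}

if ($fullAccess) {
    # Administrators in the configuration partition implies Instances and Readers.
    Add-LdsGroupMember "CN=Administrators,CN=Roles,$configNC"
} else {
    # Minimum required to register the instance with Active Roles.
    Add-LdsGroupMember "CN=Instances,CN=Roles,$configNC"
    Add-LdsGroupMember "CN=Readers,CN=Roles,$configNC"
    foreach ($nc in $appNCs) { Add-LdsGroupMember "CN=Readers,CN=Roles,$nc" }
}
```

Readers membership gives Active Roles read-only access to directory data, which is enough to register and browse the instance; anything Active Roles is expected to modify in an application partition needs additional rights there, and the Administrators option grants full control of the whole instance.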

Access to file servers

To enable Active Roles to perform the provisioning and deprovisioning tasks related to user home folders and home shares, the service account (or the override account, if specified) must belong to the Server Operators or Administrators group on each file server that hosts the user home folders to be administered by Active Roles.

Active Roles provides the following policy categories to automate the management of user home folders and home shares:

  • Home Folder AutoProvisioning: Performs the provisioning actions needed to assign home folders and home shares to user accounts, including the creation of home folders for newly created user accounts and renaming home folders upon renaming of user accounts. Specifies the server on which to create home folders and shares, and configures access rights to the newly created home folders and shares.
  • Home Folder Deprovisioning: Makes the changes needed to prevent deprovisioned users from accessing their home folders, including the removal of the user's permissions on the home folder, changing the ownership of the home folder, and deleting the home folder when the user account is deleted.

The service account or override account must be configured so that it has sufficient rights to perform the operations provided for by those policies: create, modify (including the ability to change permission settings and ownership), and delete folders and shares on the designated file servers.

You can give the required permissions to the service account or override account by adding that account to the appropriate administrative group (Administrators or Server Operators) on each file server where you are planning Active Roles to manage user home folders.
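The following script is an added example (not part of the Active Roles documentation or product) of applying that group membership consistently across several file servers over PowerShell remoting: it adds the account to the local Administrators group only where it is not already a member and confirms the result on each server. The server names and the account name are assumptions; it requires WinRM access to the servers and credentials that are already administrator on each of them, and it uses the LocalAccounts cmdlets shipped with Windows Server 2016 and later.

```powershell
# Added example (not from the Active Roles documentation): make the service (or
# override) account a local Administrator on each file server hosting managed
# home folders, idempotently, and verify. Assumed values: server names, account.
$fileServers = 'FS01', 'FS02'            # assumed file servers hosting home folders
$account     = 'CORP\svc-activeroles'   # assumed service or override account

$results = Invoke-Command -ComputerName $fileServers -ArgumentList $account -ScriptBlock {
    param([string]$acct)
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -contains $acct) {
        $state = 'already member'
    } else {
        Add-LocalGroupMember -Group 'Administrators' -Member $acct
        $state = 'added'
    }
    # Re-read the group so a mistyped or non-resolvable account name shows up as Verified=False.
    $verified = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $acct)
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Account = $acct; State = $state; Verified = $verified }
}

$results | Format-Table Server, Account, State, Verified -AutoSize
```

Local Administrators membership is far broader than home-folder management; it is what the policies need because creating and removing shares requires administrative rights on the server, so the file servers in scope should be limited to those that actually host home folders Active Roles manages.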

Access to BitLocker recovery information

Viewing BitLocker recovery passwords in Active Roles requires the domain administrator rights for the account being used by the Active Roles Administration Service to access the domain. Ensure that the service account or, if specified, the override account is a member of the Domain Admins group in each managed domain where you want to use Active Roles for viewing BitLocker recovery passwords.

With the domain administrator rights given to the Active Roles Administration Service, Active Roles allows delegated administrators to locate and view BitLocker recovery passwords held in the Active Directory domain. To view BitLocker recovery passwords, the delegated administrator must be granted the appropriate permissions in Active Roles. The following Access Template provides sufficient permissions to view BitLocker recovery passwords:

  • Computer Objects - View BitLocker Recovery Keys

In addition, viewing BitLocker recovery passwords in a given domain requires the following:

The BitLocker recovery information is displayed on the BitLocker Recovery tab in the computer object’s Properties dialog box, in the Active Roles console. It is also possible to perform domain-wide searches for BitLocker recovery passwords.
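The following script is an added example (not part of the Active Roles documentation or product) that checks the prerequisite stated above (Domain Admins membership of the service or override account in the managed domain) and then reproduces the domain-wide search Active Roles performs, so that you can confirm the recovery data is readable before delegating the Access Template. The domain name and the account name are assumptions. The search part should be run as the service account itself (for example, under runas), since the point is to test that account's read access; the recovery passwords are deliberately not printed, only whether they could be read.

```powershell
# Added example (not from the Active Roles documentation): check Domain Admins
# membership and test that BitLocker recovery information is readable domain-wide.
# Assumed values: the managed domain and the account's sAMAccountName.
Import-Module ActiveDirectory
$domain  = 'corp.example'       # assumed managed domain
$account = 'svc-activeroles'    # assumed service or override account

# 1. Prerequisite: Domain Admins membership (direct or nested) in the managed domain.
$isMember = Get-ADGroupMember -Identity 'Domain Admins' -Recursive -Server $domain |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq $account }
if (-not $isMember) {
    Write-Warning "$account is not a member of Domain Admins in $domain; Active Roles will not be able to show BitLocker recovery passwords there."
}

# 2. Domain-wide search: recovery data is stored as msFVE-RecoveryInformation
#    objects that are children of the computer object.
$domainDN = (Get-ADDomain -Server $domain).DistinguishedName
$recovery = Get-ADObject -Server $domain -SearchBase $domainDN -SearchScope Subtree `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

function Get-ParentDN([string]$dn) {
    # The parent of a recovery object is the computer it belongs to.
    $dn.Substring($dn.IndexOf(',') + 1)
}

$report = $recovery | ForEach-Object {
    [pscustomobject]@{
        Computer     = Get-ParentDN $_.DistinguishedName
        RecoveryGuid = [guid]$_.'msFVE-RecoveryGuid'
        Created      = $_.whenCreated
        # True only if the running account could read the password attribute.
        PasswordRead = -not [string]::IsNullOrEmpty($_.'msFVE-RecoveryPassword')
    }
}
$report | Format-Table -AutoSize
Write-Host ("{0} recovery objects found, {1} with readable password" -f
    @($report).Count, @($report | Where-Object PasswordRead).Count)
```

Recovery objects that are listed but show PasswordRead as False indicate that the account can enumerate the objects but not read the msFVE-RecoveryPassword attribute, which is exactly the symptom a missing Domain Admins membership produces in the Active Roles console.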
