
Active Roles 7.4.1 - Quick Start Guide


Hardware requirements

After calculating the resource usage of an Administration Service and mapping the business workflow of the network sites, an organization will have the necessary information to start assessing any need for additional hardware.

There is no technical need to install the Administration Service on dedicated hardware. In practice, existing customers rarely use dedicated hardware alone; they host the Administration Service on a mix of dedicated and shared servers. For example, one customer manages 2,000,000 AD objects in a global deployment with a total of five Administration Services, two of which run on dedicated hardware while the other three share hardware with other applications.

An organization’s current infrastructure, including existing servers, sites and connections, will greatly determine the need for additional hardware to run Active Roles. The Administration Service can be installed on any server, although organizations should consider these two guidelines:

  • It is not recommended that the Administration Service be installed on a domain controller. Every additional service on a domain controller enlarges the attack surface of the most sensitive host in the domain, and any local compromise of that host is a compromise of the domain.
  • Typically, organizations install the Administration Service on other application, file, or print servers.

Depending on service level agreements or goals, if existing servers are currently fully loaded or overloaded, then a new server should be purchased, and the Administration Service and additional services should be moved onto the new equipment. Not only will this enable Active Roles deployment, it will also improve the performance of the currently deployed services. Since Active Roles is often deployed during migration to Active Directory, Active Roles deployment can be included in planning for new hardware and server consolidation.

The need for redundancy and availability also will affect the hardware requirements. See the sub-section “Availability and Redundancy” for further details.

Web Interface: IIS Server required

If an organization plans to use the Active Roles Web Interface, IIS must be installed on the server running the Web Interface.

It is recommended that organizations use the Active Roles Web Interface because it offers more flexibility than the MMC Interface. Users can access it from almost anywhere on the network. It shows administrators only the data they are allowed to administer and the tasks they are allowed to perform, which keeps the interface easy to learn and limits what each administrator can see and do.

Availability and redundancy

One of the benefits of Active Roles is that administrators do not need permissions in Active Directory to perform user management and other tasks. This forces administrators to go through Active Roles and ensures that the “Rules and Roles” enforced by Active Roles apply to every change. However, this lack of native AD permissions becomes a problem if the Administration Service is unavailable: with no service to proxy their changes, administrators cannot manage AD at all. The impact depends on the specifics of the situation, but the problem can be addressed with the following guidelines.

Major sites

Two guidelines should be followed for major sites:

  • Our customers typically deploy two Administration Services per major location/site where AD data administration and user management is performed. This redundant service solution would be effective if both the primary Administration Service and all connections to other sites failed.

    Again, organizations should use their administration framework and their experience with other management services, such as SMS, to determine the need for an Administration Service at a site.

  • Most customers do not place all of their Administration Services at one location/site. If access to that one location/site were lost, all Active Roles administration of AD would stop. Instead, they install Administration Services at two or sometimes more sites.

    In most scenarios, even if the server hosting the Administration Service fails, connections to other sites will be maintained. Administrators can access Administration Services at another site and force AD replication to make the changes appear on the local domain controller as soon as possible.

Remote sites

Three approaches can be used for remote sites where either no or only a low level of administration work is performed (for example, creating a few users, updating employee information, or unlocking accounts). One or more of these approaches can be combined, and together they should remove the risk that administrators without native AD permissions are left without a working Administration Service. Which approaches are used depends on the business workflow.

  • If few AD administration tasks are performed at a site, then local administrators might access a remote Administration Service. Administrators at remote sites can access an Administration Service at a major location/site. If necessary, native Windows administrative tools can be used to force AD to replicate the changes so that they appear on the local domain controller as soon as possible.
  • If local administrators at a site do not normally need access to AD, then an Administration Service would not have to be installed in that site. An administrator at a major site can make changes for a user at a remote site, and if necessary forced replication can cause the changes to appear quickly at the user’s local domain controller.

    NOTE: With Active Roles user interfaces, the administrator can deliberately choose the domain controller where to apply the changes, thus eliminating data replication delays.

  • An organization might provide one or more administrators at each site with permissions to AD. For example, if a site has five administrators, one administrator would be given permissions to AD. This solution would be acceptable for most sites, except for small sites managed by very low-level administrators.

    NOTE: Active Roles allows administrators to push (synchronize) permissions from Active Roles to Active Directory, thus making it easier to manage permissions to AD.
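The first two approaches above rely on forcing AD replication with native Windows tools so that a change made through an Administration Service at a major site reaches the remote site's domain controller quickly. The following PowerShell is an added example of that step and is not part of the Active Roles guide or product; the domain controller names, the domain, the user account and the attribute checked are all hypothetical. It uses the ActiveDirectory module's Sync-ADObject to replicate a single object between two domain controllers and then reads a replicated attribute from both to confirm the change arrived.

```powershell
# Added example (not from the Active Roles guide): after an administrator at a
# major site changes a user through Active Roles, push that one object to the
# remote site's domain controller instead of waiting for scheduled inter-site
# replication. All names below are hypothetical.
Import-Module ActiveDirectory

$SourceDC      = 'DC01.corp.example'      # DC where Active Roles wrote the change
$DestinationDC = 'BR-DC01.corp.example'   # DC at the remote site
$SamAccount    = 'jsmith'                 # user that was changed
$Attribute     = 'department'             # replicated attribute that was changed

# Resolve the object on the source DC to get its distinguished name
$user = Get-ADUser -Identity $SamAccount -Server $SourceDC

# Replicate only this object from the source DC to the destination DC.
# The caller needs the Replication Synchronization right on the destination DC
# (Domain Admins hold it by default).
Sync-ADObject -Object $user.DistinguishedName -Source $SourceDC -Destination $DestinationDC

# Verify by reading the replicated attribute from both DCs. Do not compare
# whenChanged: it is a non-replicated attribute and differs per DC.
$src = Get-ADUser -Identity $user.DistinguishedName -Server $SourceDC      -Properties $Attribute
$dst = Get-ADUser -Identity $user.DistinguishedName -Server $DestinationDC -Properties $Attribute

[PSCustomObject]@{
    Object      = $user.DistinguishedName
    Source      = $src.$Attribute
    Destination = $dst.$Attribute
    InSync      = ($src.$Attribute -eq $dst.$Attribute)
}

# When a whole batch of changes must reach every replication partner, the
# classic tool is repadmin. /A = all partitions, /d = identify DCs by DN,
# /e = cross site boundaries, /P = push changes outward from this DC.
# repadmin /syncall $SourceDC /AdeP
```

Sync-ADObject is the right tool when one or a few objects are urgent (an unlocked account, a reset password), because it moves only those objects. The repadmin line at the end pushes every partition to every partner and is the heavier option for a batch of changes; running it routinely defeats the purpose of the inter-site replication schedule.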

Replication traffic

Active Roles uses Microsoft SQL Server to maintain the configuration database. The replication capabilities of SQL Server make it possible to run multiple equivalent configuration databases, each used by a different Administration Service.

Replication traffic can be estimated by considering what is replicated and what is not. Active Roles configuration information is replicated only when it changes. This means that if administrators are not frequently creating Managed Units, Access Templates, or Policies, or changing delegated permissions, there is not much replication traffic.

Locations and number of services

After considering the major factors that might influence the locations and number of Administration Services, organizations should have a network diagram that illustrates a high-level design for the Active Roles deployment.

The following high-level sample network diagrams illustrate potential Active Roles deployments using the guidelines described earlier.

Centralized

This diagram shows a centralized network and workflow (the ARS abbreviation refers to the Active Roles Administration Service).

Figure 1: Centralized network and workflow

In this centralized structure, all AD data management is done from the corporate headquarters by a group of network administrators and the Help Desk staff. The headquarters is a large campus location with several well-connected sites. Most employees work at the headquarters. Large remote sites will have networking personnel who are responsible for the tasks such as hardware and software setup and maintenance. Small remote sites are staffed by non-technical employees. Network maintenance for these sites is done by IT staff that travels to them or by contractors.

The number of Administration Services depends on the number of managed objects and administrators. In the diagram, there is one dedicated Active Roles Administration Service (Dedicated ARS) and two Administration Services on shared hardware. This number should assure both availability and redundancy. Other services on the shared hardware include printing and applications.

A small number of administrators use the Active Roles console, while the majority of administrators and all Help Desk personnel use the Web Interface.

Typically, customers do not install all Administration Services at one location, but in this case one or both of the following business workflow and technical factors overrule that guideline:

  • The remote sites are lightly populated and require very little AD data management work.
  • It is determined that if the connection to the central site fails, the organization’s primary concern would be restoring the connection, not managing AD.

Distributed with no remote management

This diagram shows a distributed network and workflow (the ARS abbreviation refers to the Active Roles Administration Service).

Figure 2: Distributed network and workflow

In this scenario, AD data management is performed at major locations by a group of network administrators and the Help Desk staff. These locations can be campuses or single locations connected by LAN/WAN connections.

Large remote sites have networking personnel who are responsible for tasks such as hardware and software setup and maintenance. Small remote sites are staffed by non-technical employees. Network maintenance for these sites is done by IT staff that travels to them or by contractors.

Again, the number of Administration Services depends on the number of managed objects and administrators. In the diagram, there is one dedicated and one shared Administration Service per location. This setup assures both redundancy and availability at each major location and throughout the network. If one Administration Service fails, the other Service at the location can be used. If both Services at a location fail, AD data management can be done at the other location. As long as the connections function, administrators at the failed location can access the Administration Services at the functioning location.

At both locations a small number of administrators use the Active Roles console, while the majority of administrators and all Help Desk personnel use the Web Interface.

Distributed with remote management

This diagram illustrates a highly distributed network and workflow (the ARS abbreviation refers to the Active Roles Administration Service).

Figure 3: Highly distributed network and workflow

In this scenario, AD data management is performed at all locations. These locations can be campuses or single locations connected by LAN/WAN connections. The work is done by a group of network administrators and the Help Desk staff. Work group managers perform very low-level work such as access to specific file directories and distribution lists.

The number of Administration Services depends on the number of managed objects, administrators, and locations. In the diagram, there is one dedicated and one shared Administration Service at each of the large locations. This setup assures both redundancy and availability at each major location and throughout the network. If one Administration Service fails, the other server at the location can be used. If both Administration Services at a location fail, AD management can be done at the other location. As long as the connections function, administrators at the failed location can access the Administration Services at the functioning location.

A third, midsize location has an Administration Service installed on shared hardware. Administrators at this location use a Web interface, so the hardware also hosts IIS. An Administration Service was installed at this location because the location had a significant number of users that needed AD management work and Help Desk support. Placing an Administration Service in this location balances the load on the services while improving redundancy and availability. If this location and the network grow, the need might develop for establishing connections and replication between the three largest sites.

Administrators at the smallest locations access the Administration Services at the large locations via the Web Interface. The reason for this is the number of users and administrators and their workload.

At both large locations a small number of administrators use the Active Roles console, while the majority of administrators and all Help Desk personnel and work group managers use the Web Interface.
