This scenario explains how to use the ARSconfig command-line tool to transfer a set of configuration objects from a test Active Roles instance to a production instance.
Suppose you need to transfer the following configuration objects from a test Active Roles instance to a production Active Roles instance:
Also, assume that the names of the domains managed by the test (source) Active Roles instance are test1.company.com and test2.company.com, and the two corresponding domains managed by the production (target) Active Roles instance are prod1.company.com and prod2.company.com.
To implement this scenario, complete the following steps:
In this step, you create a list of the configuration objects that you want to collect into the configuration package, and define how you want to collect their child objects.
<?xml version="1.0" encoding="utf-8"?>
<include DN="CN=Common,CN=Access Templates,CN=Configuration" collectSelf="True" collectChildren="True"/>
<include DN="CN=Development,CN=Managed Units,CN=Configuration" collectSelf="True" collectChildren="False"/>
<include DN="CN=Priority Access,CN=Corporate Policy,CN=Script Modules,CN=Configuration" collectSelf="False" collectChildren="True"/>
To create the configuration data package file
Cscript.exe arsconfig.wsf /task:collect /selection:selection.xml
If the names of the managed domains are different in the test and production environments, you must add domain mapping that defines the correspondence between the domain names. When the configuration package is deployed in the target environment, the domain names specified as a part of the objects' attributes are replaced with the names of the production domains, according to the name mapping entries.
In this step, you create the CSV domain name mapping file—mapping.csv, and then save that file to the solution installation folder: <Active Roles installation folder>\Configuration Transfer Wizard\Scripts. In this scenario, the mapping.csv file contains the following lines:
In this step, you use the ARSconfig command-line tool to deploy the package.xml configuration package in the production Active Roles environment. When running the arsconfig.wsf script, specify the package file to deploy (package.xml), and the domain name mapping file (mapping.csv) you have created in Step 3.
To deploy the package
Cscript.exe arsconfig.wsf /task:deploy /package:package.xml /map:mapping.csv
This step may be required if you have encountered any errors when deploying a configuration package in the production environment. By rolling back changes in the target configuration, you bring it to the state it was in before the package was deployed. Use the following instruction to roll back the changes made by the deployment of the package.xml file described in the scenario outlined above.
To roll back configuration changes
Cscript.exe arsconfig.wsf /task:rollback /package:package.xml
This section provides a list of the currently known issues that customers may experience with Configuration Transfer Wizard. For each issue, the list includes an ID number, which identifies the issue, a brief description of the problem, and a workaround, if any exists, for the problem.
Manually specify those properties with the use of the Active Roles console.
Configuration Deployment Wizard fails to deploy some of Access Templates. The solution log file contains the error message similar to the following text:
"Error : Administrative Policy returned an error. The object <Object DN> not found."
This error occurs if the source configuration contains nested Access Templates.
On the Collect Active Roles Configuration Data page of the wizard, select all the nested Access Templates you want to collect. If you are using ARSconfig, ensure that the selection file includes the nested Access Templates into the configuration export package.
After transferring a Policy Object that includes the “User Account Relocation Deprovisioning” policy entry, the “Description” and the “Error message returned by this policy” text boxes available on the User Account Relocation Policy Properties dialog box contain invalid target domain name.
After deploying the target configuration, manually edit those text elements using the Active Roles console.
When collecting Script Modules, Configuration Transfer Wizard may not collect the library Script Modules that are used by the Script Modules being exported. As a result, the deployment of the exported Script Modules may cause an error condition in the destination environment.
On the Collect Active Roles Configuration Data page of the wizard, select all the library Script Modules that are used by the Script Modules you want to collect. If you are using ARSconfig, ensure that the selection file includes the library Script Modules into the configuration export package.
When collecting Display Specifiers, Configuration Transfer Wizard may not collect the Active Roles virtual attributes for which the Display Specifiers are being exported. As a result, the deployment of the exported Display Specifiers may cause an error condition in the destination environment.
On the Collect Active Roles Configuration Data page of the wizard, select all the Active Roles virtual attributes for which the Display Specifiers are being exported. If you are using ARSConfig, ensure that the selection file includes the Active Roles virtual attributes into the configuration export package.
In a situation where an object to be exported does not exist in the source environment, Configuration Transfer Wizard stops the export process. As a result, the configuration export package may not include all objects that were selected for export.
Ensure that all objects you selected for export exist in the source environment.
Configuration Transfer Wizard does not provide the ability to export links that involve pre-defined or built-in objects, nor does it make possible to export pre-defined or built-in objects. As a result, you do not have the option to transfer, for example, the links of pre-defined Access Templates.
When transferring a configuration that includes any links of pre-defined or built-in objects, create the required links manually in the destination environment.
When using the Configuration Collection Wizard or Configuration Deployment Wizard, you may encounter an error message such as “A generic error occurred in GDI+.”
Disregard the error message. Click OK to close the error message box.
When using ARSconfig with the 'rollback' task option, you may encounter an error: “This script module is in use, and cannot be deleted.” This issue is most likely to occur with a PowerShell based Script Module containing a library script, and is due to the fact that the Script Module remains locked for a certain time period after all the Script Modules that use the library script have been deleted.
Run ARSconfig with the 'rollback' task option once more, or delete the Script Module manually, with the use of the Active Roles console.
With the display DPI setting of 'Large size (120 DPI)' you may encounter some minor visual defects on Configuration Transfer Wizard pages.
Use the display DPI setting of 'Normal size (96 DPI)'.
Active Roles SPML Provider is designed to exchange the user, resource, and service provisioning information between SPML-enabled enterprise applications and Active Directory.
Active Roles SPML Provider supports the Service Provisioning Markup Language Version 2 (SPML v2), an open standard approved by the Organization for the Advancement of Structured Information Standards (OASIS). SPML - is an XML-based provisioning request-and-response protocol that provides a means of representing provisioning requests and responses as SPML documents. The use of open standards provides the enterprise architects and administrators with the flexibility they need when performing user management and user provisioning in heterogeneous environments.
© 2020 One Identity LLC. ALL RIGHTS RESERVED. Feedback 이용 약관 개인정보 보호정책