지금 지원 담당자와 채팅
지원 담당자와 채팅

Active Roles 8.2 - Installation Guide

Introduction System requirements Prerequisites of installing Active Roles Installing Active Roles Deploying the Administration Service Deploying user interfaces Installing optional tools and components Uninstalling Active Roles Using Active Roles to manage Azure AD objects Active Roles availability on Azure and AWS Marketplace Configuring Active Roles for AWS Managed Microsoft AD

Introduction

This document describes how to install One Identity Active Roles and its components, deploy its services in your organization, or uninstall it.

Active Roles simplifies creating and managing user accounts and groups in Windows Active Directory (AD) environments by automating the following:

  • User and group account management in AD and Azure AD.

  • Mailbox management in Exchange and Exchange Online.

  • Group population, and resource assignment in Windows.

Active Roles enforces security, automates directory management tasks, and provides change approval and a Web Interface.

Active Roles components

Active Roles divides directory administration into 3 functional layers:

  • Presentation components

  • Service components

  • Network data sources.

Figure 1: Active Roles Components

  • Presentation components are client interfaces for Windows and the Web, allowing users with sufficient rights to perform a defined set of administrative operations. Active Roles can also generate reports on administrative operations.

  • Service components provide a secure layer between administrators and managed data sources. Service components enforce policies, provide automation capabilities, and integrate business processes for administrating Active Directory, Exchange and other corporate data sources.

  • Network data sources are managed by the Administration Service, a rules-based proxy that is the main component of Active Roles. The Administration Service acts as a bridge between the presentation components and network data sources.

    You can use the Administration Service's delegation capabilities to enforce administrative policies that keep data up-to-date and accurate. In large networks, you can deploy multiple instances of Administration Services to improve performance and ensure fault tolerance.

    The Administration Service uses the configuration database to store configuration data. Configuration data includes definitions of objects specific to Active Roles, assignments of administrative roles and policies, and procedures used to enforce policies.

    The Administration Service provides a complete audit trail by creating records in the Active Roles event log. The log shows all actions performed, including unpermitted actions. The log entries display the success or failure of each action, as well as the attributes that were changed while managing objects in data sources.

Active Roles Setup package

The Active Roles folder contains the following files and folders:

  • ActiveRoles.exe

  • Components

  • Redistributables

  • Tools

Content

Description

ActiveRoles.exe

The .exe file allows you to start the setup wizard and install the Active Roles components.

Components

This folder contains separate installer files for the following default components, allowing you to install them individually:

  • Administration Service: The core service of Active Roles, ensuring the reliable enforcement of administrative policies that keep directory data accurate and up-to-date.

  • ADSI Provider: Enables custom user interfaces and applications to access Active Directory services through Active Roles.

  • Configuration Center:

  • Console (also known as the MMC Interface): A comprehensive administrative tool used to manage Active Directory and Microsoft Exchange resources, configure access and administration policies, and set up automation or approval workflows.

  • Management Shell: Provides Windows PowerShell-based command-line tools (cmdlets), allowing you to run and automate administrative tasks in Active Roles.

  • Synchronization Service: Automates the process of identity data synchronization among various data systems used in your enterprise environment.

  • Web Interface: A highly customizable web application, providing administrative coverage for all aspects of Active Directory and Azure AD data management.

Redistributables

This folder contains the following redistributables required by the latest Active Roles version:

  • Microsoft OLE DB Driver 19 for SQL Server

  • Microsoft .NET Framework 4.8

  • Microsoft .NET Framework 4.8 Developer Pack

  • Microsoft Visual C++ 2015-2022 Redistributable (x64, X86)

  • Microsoft Edge WebView2 Runtime

Tools

This folder contains the installer files for the following additional components:

  • Add-in for Outlook: Allows you to process and submit approvals via Microsoft Outlook. Install this component on a computer running Microsoft Outlook.

  • Add-on Manager: Allows you to install and manage addons for Active Roles, or even create new addons with its addon editor.

  • Administrative Template: Allows you to control the behavior and appearance of the Active Roles Console via Group Policy.

  • Data Collector and Report Pack: Allows you to collect Administration Service data and store them in an on-premises SQL Server or Azure SQL database for reporting purposes.

  • Configuration Transfer Wizard: Allows you to export your Active Roles configuration resources (such as Access Templates, Managed Units, Policy Objects, Policy Types and so on) to an XML file, then import them to another Active Roles instance.

  • Diagnostic Tools: Provides you optional tools to check system requirements, logs and changes in your Active Directory domain.

  • Management Pack for SCOM: Allows you to monitor your Active Roles environment and configure alerts for various error conditions.

  • SPML Provider: Allows you to exchange user, resource, and service-provisioning information between SPML-enabled enterprise applications and Active Directory.

  • Synchronization Service Capture Agent: Allows you to synchronize user passwords between Active Directory domains managed by Synchronization Service and other connected data systems.

System requirements

Before installing Active Roles 8.2 in an on-premises environment, ensure that your system meets the following minimum hardware and software requirements.

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.

To authenticate and communicate with Azure, the Active Roles Service must have access to the following Microsoft endpoints:

  • https://login.microsoftonline.com/

  • https://developer.microsoft.com/graph

  • https://graph.windows.net/

To manage Azure Active Directory resources, you must install the following prerequisites in the Active Roles Configuration Center.

TIP: To run the PowerShell commands of the following modules, use the 64-bit version of Windows PowerShell.

Requirement

Version

Details

NuGet package provider

Minimum: 2.8.5.201

Maximum: 3.0.0.1

You must install the NuGet package provider on the computer(s) running an Active Roles Administration Service instance or Active Roles Synchronization Service.

For more information, see Install-PackageProvider in the Microsoft Package Management documentation.

Exchange Online PowerShell V3 module

Minimum: 3.0.0

Maximum: 3.5.0

You must install the Exchange Online PowerShell module on the computer(s) running an Active Roles Administration Service instance or Active Roles Synchronization Service.

For more information, see About the Exchange Online PowerShell module in the Microsoft Exchange PowerShell documentation.

Az.Accounts PowerShell module

Minimum: 2.15.1

Maximum: 2.16.0

You must install the Az.Accounts PowerShell module on the computer(s) running an Active Roles Administration Service instance or Active Roles Synchronization Service.

For more information, see Az.Accounts in the Microsoft PowerShell Gallery.

Az.Resources PowerShell module

Minimum: 6.15.1

Maximum: 6.16.0

You must install the Az.Resources PowerShell module on the computer(s) running an Active Roles Administration Service instance.

For more information, see Az.Resources in the Microsoft PowerShell Gallery.

Microsoft Graph PowerShell module

Maximum: 2.17.0

You must install the Microsoft Graph PowerShell module on the computer(s) running an Active Roles Administration Service instance. For installation instructions, see Microsoft Graph in the Microsoft PowerShell Gallery.

Microsoft Edge WebView2 Runtime

N/A

If no web browser is installed on the machine where you want to install and use Active Roles, download the Microsoft Edge Webview 2 Runtime installer with the following PowerShell command:

Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$([System.IO.Path]::Combine([System.Environment]::GetFolderPath('UserProfile'), 'Downloads', 'MicrosoftEdgeWebView2Setup.exe'))"

After the download is finished, locate the installer in your Downloads folder and run it.

(Optional) One Identity certificate

N/A

If your organization enforces the AllSigned policy, you must install the One Identity certificate during the installation of Active Roles.

CAUTION: When importing PowerShell modules with the $context.O365ImportModules function, they are imported with the versions specified in the configuration of the Azure-specific prerequisites.

However, after importing the specified versions of the required PowerShell modules, running PowerShell cmdlets without passing them as a string to the $context.O365ImportModules function can cause inconsistent behavior in Active Roles. This is because if there are multiple versions of the same PowerShell module installed on the computer running the Active Roles server, PowerShell modules containing the script to run can be imported automatically with different versions.

To avoid inconsistent behavior in Active Roles by importing different PowerShell versions, run PowerShell modules only by passing them as a string to the $context.O365ImportModules function.

Hardware requirements
Table 1: Hardware requirements
Requirement Details

Processor

NOTE: The number of cores required depends on the size of the environment and the total number of managed objects.

For Administration Service, Web Interface and Synchronization Service, any of the following:

  • Intel 64 (EM64T)

  • AMD64

  • Minimum 2 cores

  • CPU speed: 2.0 GHz or faster

NOTE: For Active Roles Synchronization Service, One Identity recommends using a multi-core CPU for the best performance.

For Console, SPML Provider and Management Tools, any of the following:

  • Intel x86

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 1.0 GHz or faster.

Memory

NOTE: The amount of RAM required depends on the size of the environment and the total number of managed objects.

Administration Service:

A minimum of 4 GB of RAM.

Web Interface, Synchronization Service:

A minimum of 2 GB of RAM.

Console, SPML Provider and Management Tools:

A minimum of 1 GB of RAM.

Hard disk space

Administration Service, Web Interface, Console, SPML Provider and Management Tools:

A minimum of 100 MB of free disk space.

Synchronization Service:

A minimum of 250 MB of free disk space.

NOTE: If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.

Operating system

You can install any of the Active Roles components on a computer running:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

Active Roles supports the Standard or Datacenter edition of these operating systems.

In addition, you can install the Active RolesConsole and Management Tools on a computer running:

  • Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64).

  • Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64).

Component requirements

CAUTION: To avoid inconsistent behavior in Active Roles when managing Azure Active Directory resources, you must enable Transport Layer Security (TLS) protocol version 1.2. For more information, see TLS 1.2 enforcement for Azure AD Connect in the Microsoft Azure documentation.

All Active Roles components require:

Table 2: Administration Service requirements
Requirement

Details

SQL Server

You can host the Active Roles database on the following SQL Server versions:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).

IMPORTANT: Starting from version 8.2, Active Roles supports (and its installer is shipped with) Microsoft OLE DB Driver 19.x for SQL Server. However, Active Roles still supports earlier OLE DB Driver versions as well (18.4 or newer).

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Operating system on domain controllers

The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

NOTE: The supported domain functional level is Windows Server 2008 R2 or higher.

Exchange Server

Active Roles is capable of managing Exchange recipients on:

  • Microsoft Exchange Server 2019

  • Microsoft Exchange Server 2016

Table 3: Web Interface requirements
Requirement

Details

Internet Services

Active Roles Web Interface requires the Web Server (IIS) server role with the following role services:

  • Web Server/Common HTTP Features/

    • Default Document

    • HTTP Errors

    • Static Content

    • HTTP Redirection

  • Web Server/Security/

    • Request Filtering

    • Basic Authentication

    • Windows Authentication

  • Web Server/Application Development/

    • .NET Extensibility

    • ASP

    • ASP.NET

    • ISAPI Extensions

    • ISAPI Filters

  • Management Tools/IIS 6 Management Compatibility/

    • IIS 6 Metabase Compatibility

Feature delegation

Internet Information Services (IIS) must provide Read/Write delegation for the following features:

  • Handler Mappings

  • Modules

To confirm that these features have the Read/Write delegation configured, use the Feature Delegation option of the native Internet Information Services (IIS) Manager tool of the operating system.

.NET Trust Levels

The .NET Trust Level must be set to Full (internal) on every computer where the Web Interface component is installed.

To configure this setting:

  1. In the system-provided Internet Information Services (IIS) Manager tool, under Connections, expand the node of the computer, and navigate to Sites > Default Web Site.

  2. On the Default Web Site Home page, double-click .NET Trust Levels.

  3. Under Trust level, select Full (internal).

NOTE: Setting the .NET Trust Level to any other value will result in a failure when attempting to load any of the configured Active Roles Web Interface sites.

Web browser

You can access Active Roles Web Interface using:

  • Mozilla Firefox 36 (or newer) on Windows.

  • Google Chrome 61 (or newer) on Windows.

  • Microsoft Edge 79 (or newer), based on Chromium on Windows 10.

You can use a later version of Firefox and Google Chrome to access Active Roles Web Interface. However, the Active Roles Web Interface was tested only with the browser versions listed above.

Minimum screen resolution

Active Roles Web Interface is optimized for screen resolutions of 1280x800 or higher.

The minimum supported screen resolution is 1024x768.

Table 4: Console requirements
Requirement

Details

Web browser

Active Roles Console requires Microsoft Edge 79 (or newer), based on Chromium.

Table 5: Management Tools requirements
Requirement

Details

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Remote Server Administration Tools (RSAT)

To manage Terminal Services user properties by using Active Roles Management Shell, Active Roles Management Tools requires Remote Server Administration Tools (RSAT) for Active Directory.

For more information on installing the RSAT version applicable to your operating system, see Remote Server Administration Tools (RSAT) for Windows in the Microsoft Windows Server documentation.

Table 6: Synchronization Service requirements
Requirement

Details

Operating system on domain controllers

The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

NOTE: The supported domain functional level is Windows Server 2008 R2 or higher.

SQL Server

You can host the Active Roles Synchronization Service database on:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Supported connections

Active Roles Synchronization Service can connect to the following data systems:

  • Data sources accessible via an OLE DB provider.

    NOTE: To create a connection to an OLE DB-compliant relational database, the OLE DB Connector requires any version of Microsoft OLE DB Driver for SQL Server that is supported by Microsoft to be installed on the machine running Active Roles Synchronization Service.

    The Active Roles installer is shipped with and automatically installs Microsoft OLE DB Driver 19.x for SQL Server.

  • Delimited text files.

  • IBM AS/400, IBM Db2, and IBM RACF systems.

  • LDAP directory service.

  • Micro Focus NetIQ Directory systems.

  • The following Microsoft services and resources:

    • Active Directory Domain Services (AD DS) with the domain or forest functional level of Windows Server 2016 or higher.

    • Active Directory Lightweight Directory Services (AD LDS) running on any Windows Server operating system supported by Microsoft.

    • Azure Active Directory (Azure AD) using Microsoft Graph API version 1.0.

    • Exchange Online services.

    • Exchange Server with the following versions:

      • Microsoft Exchange Server 2019

      • Microsoft Exchange Server 2016

    • Lync Server version 2013 with limited support.

    • SharePoint 2019, 2016, or 2013.

    • SharePoint Online service.

    • Skype for Business 2019, 2016 or 2015.

    • Skype for Business Online service.

    • SQL Server, any version supported by Microsoft.

  • One Identity Active Roles version 7.4.3, 7.4.1, 7.3, 7.2, 7.1, 7.0, and 6.9.

  • One Identity Manager version 8.0 and 7.0 (D1IM 7.0).

  • OpenLDAP directory service.

  • Oracle Database, Oracle Database User Accounts, and Oracle Unified Directory data systems.

  • MySQL databases.

  • Salesforce systems.

  • SCIM-based data systems.

  • ServiceNow systems.

Legacy Active Roles ADSI Provider

To connect to Active Roles version 6.9, install the Active Roles ADSI Provider. For more information, see Installing additional components in the Active Roles Installation Guide.

One Identity Manager API

To connect to One Identity Manager 7.0, install One Identity Manager Connector on the computer running Active Roles Synchronization Service. This connector works with the RESTful web service and no SDK installation is required.

Internet connection

To connect to cloud directories or online services, the machine running Active Roles Synchronization Service must have a stable Internet connection.

Table 7: Synchronization Service Capture Agent requirements
Requirement

Details

Operating system

The DCs on which you install Active Roles Synchronization Service Capture Agent must run one of the following operating systems with or without any Service Pack:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

For more information, see the Active Roles Synchronization Service Administration Guide.

Table 8: Language Pack requirements
Requirement

Details

Active Roles version

The Active Roles 8.2 Language Pack requires Active Roles version 8.2 of the Administration Service, Configuration Center, Console, Synchronization Service or the Web Interface installed on the target machine.

The Active Roles 8.2 Language Pack will not work properly with earlier versions of Active Roles.

Operating system

You can install the Active Roles Language Pack on 64-bit operating systems only.

Table 9: Add-on Manager requirements

Requirement

Details

Processor

Any of the following:

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 1.0 GHz or faster

Memory

A minimum of 1 GB of RAM.

Hard Disk Space

A minimum of 100 MB of free disk space.

Operating System

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

In addition, you can also install Add-on Manager on a computer running:

  • Microsoft Windows 10, Professional or Enterprise edition, 64-bit (x64)

Active Roles Console

Add-on Manager requires Active Roles 8.2 Console installed.

Microsoft Windows PowerShell

Windows PowerShell 5.1 or later

Web Browser

Microsoft Edge 79 or newer (based on Chromium)

Table 10: Diagnostic Tools requirements

Requirement

Details

Processor

1.0 GHz or faster 32-bit (x86) or 64-bit (x64) CPU.

Memory

NOTE: The amount of RAM required depends on the size of the log file opened with the Log Viewer tool.

A minimum of 1 GB of RAM.

Hard disk space

A minimum of 10 MB of free disk space.

Operating system

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

Table 11: Data Collector and Reporting Pack requirements

Requirement

Details

Processor

Any of the following:

  • Intel x86

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 2.0 GHz or faster.

Memory

A minimum of 2 GB of RAM.

Hard disk space

  • 12 MB for the Data Collector and Reporting Pack.

  • 10 GB for the SQL Server Reporting Services.

Operating system

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

SQL Server and SQL Server Reporting Services

You can host the Active Roles Data Collector and Reporting Pack on the following SQL Server versions:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

  • Azure SQL hosted databases.

To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).

Active Roles ADSI Provider

Active Roles 8.2 Management Tools must be installed.

셀프 서비스 도구
지식 기반
공지 및 알림
제품 지원
소프트웨어 다운로드
기술 설명서
사용자 포럼
비디오 자습서
RSS 피드
문의처
라이센싱 지원가져오기
기술 지원
모두 보기
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택