When installing the Administration Service, you are prompted for the name and password of the Administration Service account—the account the Administration Service logs on to. This account must have sufficient permissions to:
|
NOTE: When registering a domain with Active Roles, you can specify an override account. If you specify an override account, the Administration Service uses the override account rather than the service account to access the domain. |
The service account must be a member of the Administrators group on the computer running the Administration Service. Because of this requirement, installing the Administration Service on a domain controller effectively grants the service account administrator rights in the entire domain.
The Administration Service must be able to publish itself in Active Directory. This enables Active Roles clients to automatically discover the Administration Service. Service publication requires that the service account have the following permissions on the Aelita sub-container of the System container in the domain of the computer running the Administration Service:
In addition, the service account (or the override account, if specified), must have these permissions on the Aelita sub-container of the System container in every managed domain. If an account has the domain administrator rights, then it has the required permissions by default. Otherwise, give these permissions to the account by using the ADSI Edit console. The following instructions apply to the ADSI Edit console that ships with Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016.
To grant permissions for Administration Service publication in Active Directory
If the Aelita container does not exist, create it: right-click System, point to New, click Object, and then, in the Create Object wizard, select the Container class and specify Aelita for the cn value.
Active Roles access to a domain is limited by the access rights of the service account, or the override account, if specified. For all managed domains with no override account specified, you should configure the service account to have permissions you want Active Roles to have in those domains. If you use an override account when registering a domain with Active Roles, ensure that the override account (rather than the service account) has these permissions for the domain. In addition, the service account (or the override account, if any) must have the Read Permissions and Modify Permissions rights on the Active Directory objects and containers where you are planning to use the Active Roles security synchronization feature.
For example, you may configure the service account (or the override account) to have full control of certain organizational units. In this way, the administrative scope of Active Roles is limited to those organizational units. Another option is to give Active Roles administrative access to a domain by adding the account to the Domain Admins group of that domain, or give Active Roles administrative access to an entire forest by adding the account to the Domain Admins group of the forest root domain.
To manage Exchange recipients on Exchange Server 2016, 2013, or 2010 the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. See the following steps for details.
To configure the service account or the override account
For instructions for Exchange 2016, see “Add Members to a Role Group” at https://technet.microsoft.com/en-in/library/jj657492(v=exchg.160).aspx.
For instructions for Exchange 2016, see “Enable Remote Exchange Management Shell for a User” at https://technet.microsoft.com/en-us/library/dd335083(v=exchg.160).aspx.
|
NOTE: For instructions for Exchange 2010 and 2013, see the relevant Microsoft Exchange pages at https://technet.microsoft.com/en-us/library. |
The Exchange 2016 management tools are not required on the computer running the Administration Service.
To perform Exchange recipient management tasks, Active Roles requires read access to Exchange configuration data in Active Directory. This requirement is met if the service account (or the override account, if specified) has administrator rights (for example, is a member of the Domain Admins or Organization Management group). Otherwise, you should give the account the Read permission in the Microsoft Exchange container. You can do this by using the ADSI Edit console as follows (these instructions apply to the ADSI Edit console that ships with Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016):
When performing Exchange recipient management tasks on Exchange Server 2010 or later, Active Roles uses remote Exchange Management Shell to communicate with Exchange Server, so you do not need to install the Exchange management tools on the computer running the Administration Service.
To use remote Exchange Management Shell, the Administration Service must be running on a computer that has:
Remote Shell also requires the following:
Set-User
cmdlet with the RemotePowerShellEnabled parameter set to $True.
Active Roles access to Active Directory Lightweight Directory Services (AD LDS) instances is limited by the access rights of the service account, or the override account, if specified. For all managed AD LDS instances with no override account specified, you should configure the service account to have permissions you want Active Roles to have in those instances. If you use an override account when registering an AD LDS instance with Active Roles, ensure that the override account (rather than the service account) has these permissions for that instance.
To control access to directory data, AD LDS provides four default, role-based groups: Administrators, Instances, Readers, and Users. These groups reside in the configuration partition and in each application partition, but not in the schema partition. To register an AD LDS instance with Active Roles, the service account or, if specified, the override account must, at a minimum, be a member of the following groups:
To allow Active Roles full access to the AD LDS instance, add the account to the following group:
If you add the account to the Administrators group, you don’t need to add it to the Instances or Readers group.
To enable Active Roles to perform the provisioning and deprovisioning tasks related to user home folders and home shares, the service account (or the override account, if specified) must belong to the Server Operators or Administrators group on each file server that hosts the user home folders to be administered by Active Roles.
Active Roles provides the following policy categories to automate the management of user home folders and home shares:
The service account or override account must be configured so that it has sufficient rights to perform the operations provided for by those policies: create, modify (including the ability to change permission settings and ownership), and delete folders and shares on the designated file servers.
You can give the required permissions to the service account or override account by adding that account to the appropriate administrative group (Administrators or Server Operators) on each file server where you are planning Active Roles to manage user home folders.
Viewing BitLocker recovery passwords in Active Roles requires the domain administrator rights for the account being used by the Active Roles Administration Service to access the domain. Ensure that the service account or, if specified, the override account is a member of the Domain Admins group in each managed domain where you want to use Active Roles for viewing BitLocker recovery passwords.
With the domain administrator rights given to the Active Roles Administration Service, Active Roles allows delegated administrators to locate and view BitLocker recovery passwords held in the Active Directory domain. To view BitLocker recovery passwords, the delegated administrator must be granted the appropriate permissions in Active Roles. The following Access Template provides sufficient permissions to view BitLocker recovery passwords:
In addition, viewing BitLocker recovery passwords in a given domain requires the following:
The BitLocker recovery information is displayed on the BitLocker Recovery tab in the computer object’s Properties dialog box, in the Active Roles console. It is also possible to perform domain-wide searches for BitLocker recovery passwords.
This section discusses the SQL Server permissions required to:
The account that you use when configuring the Administration Service must have sufficient rights on SQL Server to perform the configuration tasks.
Which account is used to access SQL Server during configuration of the Administration Service depends upon the SQL Server connection option you select in the wizard for configuring the Administration Service. If you select the option to use Windows authentication, the wizard accesses SQL Server with the Windows user account under which the wizard is running. If you select the option to use SQL Server authentication, then the wizard accesses SQL Server with the SQL login and password that you specify in the wizard.
The required rights of the account that is used to access SQL Server during configuration vary depending on your configuration scenario:
The Administration Service accesses its database with the account specified during configuration:
In either case, the account must have sufficient rights on SQL Server to retrieve data from, and make changes to, the database. The required rights vary depending on the role of the Administration Service’s database server in the Active Roles replication environment.
When initially installed, the Administration Service’s database is configured not to participate in Active Roles replication. This configuration is referred to as standalone Administration Service. The account that the standalone Administration Service uses to access the database must at a minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database.
If the Administration Service’s database server holds the role of the Publisher in Active Roles replication, then the account the Administration Service uses to access the database must at a minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database. Additional rights are required if you want to see the replication status information and error messages in the Active Roles console. These additional rights are as follows:
If the Administration Service’s database server holds the role of a Subscriber in Active Roles replication, then the account that the Administration Service uses to access the database requires the same rights as in standalone mode: The account must at a minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database.
After you install and configure two or more Administration Service instances, each with its own database, you can deploy replication, if necessary, to synchronize the databases so that all your Administration Service instances have the same configuration and management history. Replication deployment begins when you configure the Publisher. Once the Publisher has been configured, the next step is to configure Subscribers. The task of configuring the Publisher or a Subscriber requires more rights on SQL Server than the Administration Service needs for normal operation. To elevate the rights of the Administration Service, Active Roles prompts for an alternative account. The following topics elaborate on the permissions needed to create the Publisher or add a Subscriber.
To create the Publisher, the Administration Service needs sysadmin rights on SQL Server. If the Administration Service’s account for database access does not belong to the sysadmin role, then Active Roles prompts you to supply an alternative account. The alternative account must:
Active Roles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Publisher.
The same permissions are required for removing (demoting) the Publisher.
To add a Subscriber, the Administration Service’s database server must hold the Publisher role. When adding a Subscriber, the Administration Service makes changes on the Publisher database server and on the database server being configured as a Subscriber (Subscriber database server). Therefore, the Administration Service needs sufficient rights on both database servers.
On the Publisher database server, the Administration Service needs sysadmin rights. If the Administration Service’s account for database access does not belong to the sysadmin role, then Active Roles prompts you to supply an alternative account for connection to the Publisher database server. The alternative account must:
Active Roles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Subscriber.
On the database server you are going to make a Subscriber, the Administration Service needs db_owner rights in the Active Roles database. If the Administration Service’s account for database access does not have sufficient rights on the Subscriber database server, then Active Roles prompts you to supply an alternative account for connection to the Subscriber database server. The alternative account must:
Active Roles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Subscriber.
The same permissions are required for removing a Subscriber.
In Active Roles replication, SQL Server replication agents (Merge Agents) are used to synchronize data between the Publisher and Subscriber databases. Each Subscriber has a dedicated replication agent running on SQL Server that hosts the Publisher database. Since the agent’s role is to maintain the Publisher and Subscriber databases in sync with each other, the agent needs sufficient rights to access both the Publisher and Subscriber database servers.
The Administration Service creates and configures a replication agent when adding a Subscriber. In terms of SQL Server, this is a Merge Agent for a push subscription. According to SQL Server Books Online (see “Replication Agent Security Model” at msdn.microsoft.com/en-us/library/ms151868.aspx), Merge Agent for a push subscription requires the following permissions.
The Windows account under which the agent runs is used when it makes connections to the Publisher and Distributor. This account must:
The account used to connect to the Subscriber must at minimum be a member of the db_owner fixed database role in the subscription database (the Active Roles database on the Subscriber).
By default, the security settings of a Merge Agent configured by Active Roles are as follows:
This means that, by default, Active Roles requires that the account of the SQL Server Agent service have all permissions the Merge Agent needs to make connections both to the Publisher/Distributor and to the Subscriber.
When adding a Subscriber, you have the option to supply a separate login for connection to the Subscriber. If you choose that option, the Merge Agent will use the login you supply (rather than the account of the SQL Server Agent service) to make connections to the Subscriber. In this case, it is the login you supply that must have db_owner rights in the subscription database. The SQL Server Agent service does not need to have any rights in the subscription database. However, it still must have all permissions the Merge Agent needs to make connections to the Publisher and Distributor.
Active Roles requires Microsoft .NET Framework 4.6.2. See https://www.microsoft.com/en-us/download/details.aspx?id=53345 for instructions on how to update .NET Framework.
The Administration Service requires Microsoft SQL Server. SQL Server may be installed on the Administration Service computer or on a different network computer. If you do not have Microsoft SQL Server deployed in your environment, you can Microsoft SQL Server 2012 Express from “Microsoft SQL Server 2012 Service Pack 1 (SP1) Express” at http://go.microsoft.com/fwlink/?LinkID=267905.
Now that you have access to SQL Server, you can install the Administration Service.
This section provides a guidance on how to install and configure a new instance of the Administration Service. for instructions on how to upgrade an existing Administration Service instance of an earlier version, see Upgrading the Administration Service later in this document.
To install the Administration Service files
The Setup wizard only installs the files. After you have completed the Setup wizard, you need to configure the newly installed Administration Service instance by using Active Roles Configuration Center that opens automatically if you select the I want to perform configuration check box on the Completion page in the Setup wizard. Another way to open Configuration Center is by selecting Active Roles 7.2 Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.
To configure the Administration Service
The database options are related to setting up the database for the Administration Service you are configuring. These options and the corresponding wizard steps are discussed in the sections that follow.
This section covers the database-related steps of the Configure Administration Service wizard in a scenario where you are configuring the first Administration Service in your environment.
To configure the initial Administration Service
When you configure the initial Administration Service, Configuration Centers creates a database along with a secret key that the Administration Service will use to encrypt and decrypt sensitive data in the database, such as the credentials of the override accounts for managed domains. The secret key, also referred to as encryption key, is stored in the database using asymmetric cryptography so that it can only be retrieved and decrypted by the Administration Service that knows the private portion of the asymmetric key pair. Storing the secret key in this way ensures the optimal level of protection for security-sensitive data in the Active Roles database.
As the retrieval of the secret key requires knowing the private key related to the public key that was used to encrypt the secret key, you may encounter a situation where a new Administration Service instance attached to an existing Active Roles database is unable to retrieve the secret key. Typically, this is the case when you:
If the Administration Service cannot retrieve the secret key from the database, you need a backup copy of the secret key. Configuration Center prompts you to create a backup of the secret key whenever you perform initial configuration of the Administration Service with the option to create a new database.
On the Encryption Key Backup page, the Configure Administration Service wizard specifies a file to store a backup copy of the secret key. You can encrypt the backup by protecting the file with a password.
On the Encryption Key Backup page, the Configure Administration Service wizard specifies a file to store a backup copy of the secret key. You can encrypt the backup by protecting the file with a password.
|
NOTE:
|
Additional Information
Active Roles encrypts some data, stored in the ARS database. Encryption is performed using a symmetric cypher. To use the encrypted data you need the encryption key as the file is password protected. ARS stores the encryption key inside the ARS database using asymmetric cypher. Thus ARS can get the value of this key from the database. ARS also has logic that allows the service to share this key with other services (like several services per single database). In case the key is lost, you need to re-type passwords for the managed domains. The only situation when you would need this file, would be when you want to use existing ARS database but cannot afford retyping passwords for Managed Domains.
To complete the Encryption Key Backup page
This section covers the database-related steps of the Configure Administration Service wizard in a scenario where:
To configure an additional Administration Service
The database created by this option holds the pristine configuration of the Administration Service. To update and synchronize the new database with the configuration data of the Administration Service instances that were earlier deployed in your environment, you need to use the replication function. For instructions on how to set up replication of configuration data, see the Active Roles Administrator Guide.
If you select the Existing Active Roles database option on the Database Options page, the Configure Administration Service wizard causes the new Administration Service instance to connect to the database of an existing Administration Service instance. The new instance automatically becomes a replica of the existing one.
This option allows you to centralize the Active Roles configuration storage. You can deploy multiple Administration Service instances of the same configuration without having to synchronize them via replication. Rather, you have the option for multiple Administration Service instances to share configuration data held in a single database on centrally deployed SQL Server.
This option also ensures that the newly deployed Administration Service instance can immediately be used as a replacement for the existing one. Switching between Administration Service instances is transparent to Active Roles users as both instances of the Administration Service have the same configuration.
To configure the Administration Service to share a database
Specify the SQL Server instance in the form <Computer>\<Instance> (for named instance) or <Computer> (for default instance), where <Computer> stands for the short name of the computer running SQL Server.
This section covers the database-related steps of the Configure Administration Service wizard in the following scenarios:
When you deploy the Administration Service, you may need to configure it to use the database of an earlier installation of the Administration Service instead of creating a new database. You may need to do so in the following scenarios:
|
NOTE: All these scenarios assume that the database has the same version as the Administration Service you are configuring. If the Administration Service version is greater than the database version, you should choose the option to create a new database and import data from the existing database (see Steps to deploy the Administration Service later in this document). |
Provided that the database is of the same Active Roles version as the Administration Service you are configuring, you can use the following steps to make the Administration Service use that database.
To use the database of an earlier Administration Service installation
When you choose the option to create a new Active Roles database, the Configure Administration Service wizard uses default values for database properties, such as the location and other parameters of the database files and transaction log files. If you need specific database properties, then you can use SQL Server tools to create a blank database with the properties that meet your requirements, and have the wizard create the new Active Roles database by adding the Active Roles tables and data to that blank database. The following steps assume that you have a blank database already created.
To use a pre-created blank database
When deploying the Administration Service, you may need to import configuration data from an existing database in order to ensure that the new Administration Service instance has the same configuration as the existing one. Importing configuration data to a newly created database instead of attaching the Administration Service to an existing database is necessary if the version of the Administration Service you are deploying is greater than the version of the database you want to use. Some examples of such a situation are as follows:
The following instructions on how to import configuration data are applicable to any situation where you choose to create a new database when configuring the Administration Service. In this case, after you have initially configured the Administration Service instance, Active Roles Configuration Center enables you to import the configuration data to the newly created database.
To import configuration data
You can start Configuration Center by selecting Active Roles 7.2 Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.
The Destination Database page identifies the database of the Administration Service to which you are going to import data (destination database), and allows you to select the authentication option.
|
NOTE: The Add-ons must be uninstalled manually from the earlier version using the Active Roles Add-on Manager and from the system where ever applicable, before continuing configuration import. |
A part of the Active Roles database, the management history data storage is empty after you have configured the Administration Service with the option to create a new database. During import of configuration data (see Steps to deploy the Administration Service), Configuration Center transfers only the administrative right assignments, policy definitions, administrative view settings, workflow definitions and other parameters that determine the Active Roles work environment. Management history data is excluded from the import operation in order to reduce the time it takes to upgrade the configuration of the Administration Service.
The management history data describes the changes that were made to directory data via Active Roles. This includes information about who did what and when it was done as applied to the directory data management tasks. The management history data is used as a source of information for the change history and user activity reports. In addition, the management history data storage holds information about various tasks related to approval workflow and temporal group membership.
After you have configured the Administration Service with the option to create a new database, and imported the configuration data from an existing database, you need to take additional steps to transfer the management history data from that database to the new database. Configuration Center provides the Import Management History wizard to perform this task.
The wizard is intended to populate a new storage of management history data with the data found in an existing Active Roles database, to make the data available to the Active Roles user interfaces after your configure a new Administration Service instance. The wizard merges the management history data from the source database with the data stored in the destination database. Note that the wizard only adds new data, keeping intact any data that already exists in the destination database. You may import your legacy management history data at any time after you have configured the Administration Service, without being afraid of losing any data.
To import management history data
You can start Configuration Center by selecting Active Roles 7.2 Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.
The Destination Database page identifies the database of the Administration Service to which you are going to import data (destination database), and allows you to select the authentication option.
You may choose not to import all the data records as importing a large volume of data may take hours or more. Later, you can import additional data by choosing a different range of data records. During subsequent import sessions, the wizard only imports the data records that were not imported earlier.
Active Roles provides user interfaces for the Windows system and the Web, allowing users with appropriate rights to perform administrative activities. The user interfaces include:
By default, the Active Roles Setup wizard installs all core Active Roles components, including the console (MMC Interface) and Web Interface. You can choose to install individual components, if needed.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy