Active Roles simplifies and streamlines creation and ongoing management of user accounts and groups in Windows Active Directory (AD) environments by automating user and group account creation in AD, mailbox creation in Exchange, group population, and resource assignment in Windows. It provides strictly enforced security, rich capabilities for automating directory management tasks, change approval and easy-to-use Web interfaces, to achieve practical user and group account management for the Windows enterprise.
This document is for individuals responsible for deploying Active Roles in their organization. It provides step-by-step instructions for preparing the environment and installing the Active Roles components.
Active Roles divides the workload of directory administration into three functional layers: presentation components, service components, and network data sources.
Figure 1: Active Roles Components
The presentation components include client interfaces for the Windows platform and the Web, which allow users with appropriate rights to perform a precisely defined set of administrative activities. Active Roles also includes a reporting solution for generating reports on those administrative activities.
The service components constitute a secure layer between administrators and managed data sources. They ensure consistent policy enforcement, provide automation capabilities, and enable the integration of business processes for the administration of Active Directory, Exchange, and other corporate data sources.
The main component of Active Roles is the Administration Service—a powerful rules-based proxy for the management of network data sources. The Administration Service features advanced delegation capabilities and provides the ability to enforce administrative policies that keep data current and accurate. The Administration Service acts as a bridge between the presentation components and network data sources. In large networks, multiple instances of the Administration Service can be deployed to improve performance and ensure fault tolerance.
The Administration Service uses the configuration database to store configuration data that includes definitions of objects specific to Active Roles, assignments of administrative roles and policies, and procedures used to enforce policies.
The Administration Service provides a complete audit trail by creating records in the Active Roles event log. The log shows all actions performed and by whom, including actions that were not permitted. The log entries display the success or failure of each action, as well as which attributes were changed while managing objects in data sources.
Active Roles Setup includes the following components:
The Active Roles Release Notes document, included on the Active Roles distribution media, provides information about the hardware and software requirements for each of these components.
The Active Roles distribution media includes separate installation packages for additional components, such as Add-in for Outlook, Collector and Report Pack. The system requirements for these components are as follows.

Add-in for Outlook:

| Requirement | Details |
|---|---|
| Microsoft Office Outlook | Microsoft Office Outlook 2007 or later |
| Other Microsoft Office features | |
| Microsoft .NET Framework | Microsoft .NET Framework 4.5 |

Collector and Report Pack:

| Requirement | Details |
|---|---|
| Operating system | Any operating system listed in requirements for Active Roles Console |
| SQL Server | Any SQL Server version listed in requirements for Administration Service |
| SQL Server Reporting Services | Any SQL Server version listed in requirements for Administration Service |
| Microsoft .NET Framework | Microsoft .NET Framework 4.5 |
| Active Roles ADSI Provider | Management Tools of the current Active Roles version must be installed |
Use the following checklist to ensure that you are ready to install the Administration Service.

| Item to Check | Description |
|---|---|
| Administration Service computer | The Administration Service can be installed on any computer that meets the hardware and software requirements. It is not mandatory to install the Administration Service on a domain controller. However, the Administration Service computer must have reliable network connections with at least one of the domain controllers for each managed domain. |
| SQL Server | The Administration Service requires Microsoft SQL Server. It is possible to use SQL Server on the computer running the Administration Service or on a different computer that has a reliable network connection with the computer running the Administration Service. |
| Administration Service account | The Administration Service logs on with the account that you specify during installation. The account must have sufficient rights for Active Roles to function properly. Active Roles uses the Administration Service account when accessing a managed domain unless an override account is specified when registering the domain with Active Roles. Therefore, the Administration Service account must have the appropriate rights in any domain for which an override account is not specified. Additionally, the Administration Service account must have sufficient permissions to publish the Administration Service in Active Directory. Information about how to configure the Administration Service account and an override account can be found later in this document. |
| Account used for connection to SQL Server | When installing the Administration Service you may configure it to use Windows authentication or SQL Server authentication for connection to SQL Server. If you choose Windows authentication, the connection is established using the Administration Service account. In this case, the service account must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in the Active Roles database. If you choose SQL Server authentication, the connection is established with the login you are prompted to specify when installing the Administration Service. This login must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in the Active Roles database. For more information on what permissions must be granted to the account for connection to SQL Server, see SQL Server permissions later in this document. |
| Active Roles Admin | Active Roles Admin is a group for which Active Roles does not perform permission checking. If the Administration Service itself has sufficient rights to perform a certain task, then Active Roles Admin can also perform that task using Active Roles. In addition, Active Roles Admin is authorized to perform any task related to the Active Roles configuration, such as adding managed domains and managing replication settings. Therefore, membership in the Active Roles Admin group should be restricted to highly trusted individuals. By default, Active Roles Admin is the Administrators local group on the computer running the Administration Service. You can change this setting when installing the Administration Service. |
© 2021 One Identity LLC. ALL RIGHTS RESERVED.