
Active Roles 7.3.3 - How-To Guide

Changes to System requirements

Active Roles 7.3 introduces the following changes to system requirements:

  • Active Roles can no longer be installed on Windows Server 2008.
  • Microsoft SQL Server 2005 is no longer supported. Microsoft SQL Server versions 2008 and later including 2017 are supported. The Configuration Center may be used to import Active Roles databases from SQL Server 2005 to a later SQL Server version. For details, see “Upgrading the Administration Service” in the Active Roles Quick Start Guide.
  • To manage Exchange recipients on Exchange Server 2010, Active Roles no longer requires the Exchange 2010 Management Tools on the computer running the Administration Service.
  • Active Roles supports the following browsers only: Internet Explorer 11, Google Chrome, Mozilla Firefox, and Microsoft Edge.
  • Web Interface is optimized for screen resolutions of 1280 x 800 or higher. The minimum supported screen resolution is 1024 x 768.
  • Active Roles console requires Internet Explorer 11.

Active Roles 7.3 introduces the following changes to supported platforms:

  • Exchange 2007 and earlier versions are no longer supported.

  • Microsoft Exchange 2013 CU11 is not supported.

System Requirements

For the complete system requirements, please refer to the Active Roles 7.3 Release Notes. The following are the important system requirements for Active Roles installation:

  • Operating systems supported for Active Roles installation: Microsoft Windows Server 2008 R2 and later, including Windows Server 2016
  • SQL Server requirements: Microsoft SQL 2008 and later, including SQL 2017
  • Microsoft .NET Framework: .NET 4.6.2
  • Other software required for Active Roles may be installed from the Redistributables folder on the installation media.
Resource Usage

The sizing of disk space and the SQL database capacities are best planned out by using the Resource Usage Calculator, which is found in the Documentation folder on the installation disk or image.

The Resource Usage Calculator is included with the installation media and can be found under:

Documentation\ActiveRoles_7.3_ResourceUsageCalc.xls

For more information on the system requirements, please see the Pre-Installation and Upgrade section for the Active Roles Diagnostic and System Readiness Checker tools.

Ports Used by Active Roles

If the environment managed by Active Roles is located behind a firewall, then the following ports must be open between Active Roles Administration Service and the managed environment:

Access to DNS Servers
  • Port 53 TCP/UDP Inbound/Outbound
Access to domain controllers
  • Port 88 (Kerberos) TCP/UDP Inbound/Outbound
  • Port 135 (RPC endpoint mapper) TCP Inbound/Outbound
  • Port 139 (SMB/CIFS) TCP Inbound/Outbound
  • Port 445 (SMB/CIFS) TCP Inbound/Outbound
  • Port 389 (LDAP) TCP/UDP Outbound
  • Port 636 (LDAP SSL) TCP Outbound

This port is required if Active Roles is configured to access the domain by using SSL.

  • Port 3268 (Global Catalog LDAP) TCP Outbound
  • Port 3269 (Global Catalog LDAP SSL) TCP Outbound

This port is required if Active Roles is configured to access the domain by using SSL.

  • The TCP port allocated by RPC endpoint mapper for communication with the domain controller

Active Directory domain controllers can be configured to use specific port numbers for RPC communication. For instructions, see http://support.microsoft.com/kb/224196.

Access to Exchange servers
  • Port 135 (RPC endpoint mapper) TCP Inbound/Outbound
  • The TCP port allocated by RPC endpoint mapper for communication with the Exchange server

Exchange servers can be configured to use specific port numbers for RPC communication. For instructions, see http://support.microsoft.com/kb/270836.

Computer resource management
  • Port 139 (SMB/CIFS on the managed computers) TCP Inbound/Outbound
  • Port 445 (SMB/CIFS on the managed computers) TCP Inbound/Outbound
Computer restart
  • Port 139 (SMB/CIFS on the managed computers) TCP Inbound/Outbound
  • Port 137 (WINS) UDP Outbound
  • Port 138 (NetBIOS datagrams) UDP Outbound
Home folder provisioning and deprovisioning
  • Port 139 (SMB/CIFS on the servers that host home folders) TCP Inbound/Outbound
  • Port 445 (SMB/CIFS on the servers that host home folders) TCP Inbound/Outbound
Access to SMTP server for e-mail integration
  • Port 25 (Default SMTP port) TCP Outbound

Active Roles uses SMTP port 25 by default. The default port number can be changed in the properties of the Mail Configuration object in the Active Roles console. If Mail Configuration specifies a different port, open that port rather than port 25.

Access to AD LDS instances
  • The TCP port specified when registering the AD LDS instance with Active Roles
Access to SQL Server

If SQL Server that hosts the Active Roles database is located behind the firewall, open the following ports between Active Roles Administration Service and SQL Server:

  • Port 1433 (Default SQL Server instance) TCP Inbound/Outbound

Open this port if the Active Roles database is on the default instance of SQL Server. If a different port is assigned to the default instance, open that port rather than port 1433.

  • Port 1434 (SQL Server Browser service) UDP Inbound/Outbound

Open this port if the Active Roles database is on a named instance of SQL Server. In this case Active Roles queries the SQL Server Browser service on UDP port 1434 to discover the TCP port assigned to the named instance, so open UDP port 1434 along with the TCP port assigned to that instance.

Access to Active Roles Administration Service

If a firewall is required between Active Roles clients, such as MMC Interface, Web Interface, ADSI Provider or Management Shell, and Active Roles Administration Service, open the following ports in the firewall:

  • Port 15172 TCP Inbound/Outbound
Access to Web Interface

If the Active Roles Web Interface will be accessed through a firewall, open the following ports:

  • Port 80 (Default HTTP) TCP Inbound/Outbound
  • Port 443 (Default HTTPS) TCP Inbound/Outbound

The Web Interface normally runs over port 80, or over port 443 if SSL is enabled (off by default). Because the Web Interface carries user credentials and directory data, enable HTTPS in production and open only port 443 where possible.

Synchronization Service

The Synchronization Service requires the following port to be open:

  • Port 15173 TCP Outbound

The Capture Agent requires this port to be open (on the Domain Controller):

  • Port 7148 TCP Inbound
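The following PowerShell script, an added example rather than anything shipped with Active Roles, checks the port list above from the Administration Service host and adds the inbound rule for the Administration Service port. Host names, the client subnet, and the rule name are assumptions. Test-NetConnection only exercises TCP, so the UDP ports (53, 88, 137, 138) are not covered; the SQL Server Browser port (UDP 1434) is probed directly with the SSRP request that Active Roles relies on to find a named instance's TCP port.

```powershell
# Added example, not One Identity code. Run on the Administration Service host.
# All host names below are assumptions for a hypothetical environment.
$targets = @(
  @{ Role = 'Domain controller'; Host = 'dc01.corp.example';   TcpPorts = 88, 135, 139, 445, 389, 636, 3268, 3269 }
  @{ Role = 'DNS server';        Host = 'dc01.corp.example';   TcpPorts = 53 }
  @{ Role = 'SQL Server';        Host = 'sql01.corp.example';  TcpPorts = 1433 }
  @{ Role = 'Exchange server';   Host = 'exch01.corp.example'; TcpPorts = 135, 80 }
  @{ Role = 'SMTP server';       Host = 'smtp.corp.example';   TcpPorts = 25 }
)

# TCP reachability of every port the guide lists, one row per host/port.
$tcpResults = foreach ($t in $targets) {
  foreach ($port in $t.TcpPorts) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $t.Role; Host = $t.Host; Port = $port; Open = $r.TcpTestSucceeded }
  }
}
$tcpResults | Format-Table -AutoSize

# SQL Server Browser (UDP 1434): send the SSRP CLNT_UCAST_EX request (a single 0x02 byte).
# The reply is 0x05, a 2-byte length, then "ServerName;X;InstanceName;Y;...;tcp;PORT;;" per instance,
# which is how the TCP port of a named instance is discovered.
function Get-SqlBrowserInstances {
  param([string]$SqlHost)
  $udp = New-Object System.Net.Sockets.UdpClient
  $udp.Client.ReceiveTimeout = 3000
  try {
    $udp.Connect($SqlHost, 1434)
    [void]$udp.Send([byte[]]@(0x02), 1)
    $ep   = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $resp = $udp.Receive([ref]$ep)
    $text = [System.Text.Encoding]::ASCII.GetString($resp, 3, $resp.Length - 3)
    $text -split ';;' | Where-Object { $_ } | ForEach-Object {
      $fields = $_ -split ';'
      $h = @{}
      for ($i = 0; $i + 1 -lt $fields.Count; $i += 2) { $h[$fields[$i]] = $fields[$i + 1] }
      [pscustomobject]@{ Instance = $h['InstanceName']; TcpPort = $h['tcp'] }
    }
  } catch [System.Net.Sockets.SocketException] {
    Write-Warning "UDP 1434 on $SqlHost did not answer (blocked, or Browser service stopped): $($_.Exception.Message)"
  } finally {
    $udp.Close()
  }
}
Get-SqlBrowserInstances -SqlHost 'sql01.corp.example' | Format-Table -AutoSize

# Inbound rule for clients (console, Web Interface, ADSI Provider, Management Shell) reaching the
# Administration Service. Restricting -RemoteAddress to the client subnet is an assumption about
# the network layout; widen it only as far as the real client population requires.
New-NetFirewallRule -DisplayName 'Active Roles Administration Service (TCP 15172)' `
  -Direction Inbound -Protocol TCP -LocalPort 15172 -Action Allow `
  -Profile Domain -RemoteAddress '10.20.0.0/16'
```

Any row with Open = False is a firewall or service problem to resolve before installation; for a named SQL instance, the TcpPort returned by the Browser query is the additional TCP port that must be opened alongside UDP 1434.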

Required Permissions and Access

As Active Roles performs operations on objects on behalf of delegated users, the Active Roles service account requires adequate permissions. The officially supported configuration is to manage Active Directory domains by using a Domain Admin account.

If membership in Domain Admins cannot be granted to the service account, it is necessary to grant the Active Roles service account the following minimum permissions and access:

NOTE: Contact One Identity Sales for any assistance in engaging One Identity Professional Services.

Access to the Administration Service Computer

The service account must be a member of the local Administrators group on the computer running Active Roles Administration service.

Service Publication in Active Directory

For Active Roles clients to discover available Active Roles services, the service account must be able to publish itself in Active Directory. On the One Identity sub-container, under the System container in the domain, grant the following rights:

  • Create Container Objects
  • Create ServiceConnectionPoint Objects

Access to Managed Domains

The service account must have at least Read permissions in any managed domain. In addition, the service account must have Modify permissions on the Active Directory objects and containers where the Active Roles security synchronization feature will be used.

Access to Exchange Organizations

Exchange 2010

To manage Exchange recipients on Exchange Server 2010, the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. See the following steps for details.

To configure the service account or the override account

  1. Add the account to the Recipient Management role group. For instructions, see “Add Members to a Role Group” at http://technet.microsoft.com/library/dd638143(EXCHG.141).aspx.
  2. Add the account to the Account Operators domain security group.
  3. Enable the account to use remote Exchange Management Shell. For instructions, see “Enable Remote Exchange Management Shell for a User” at http://technet.microsoft.com/library/dd298084(exchg.141).aspx.
  4. Ensure that the account can read Exchange configuration data (see Permission to read Exchange configuration data).
  5. Restart the Administration Service after changing the configuration of the account:
    • Start Active Roles Configuration Center (see “Running Configuration Center” in the Active Roles Administrator Guide), go to the Administration Service page in the Configuration Center main window, and then click the Restart button at the top of the Administration Service page.

The Exchange 2010 management tools are not required on the computer running the Administration Service.

Exchange 2013 and 2016

To manage Exchange recipients on Exchange Server 2013 or 2016, the service account or the override account must be configured to have sufficient rights in the Exchange organization. The rights must be delegated to the service account if an override account is not used; otherwise, the rights must be delegated to the override account. For details, see the steps that follow.

To configure the service account or the override account

  1. Add the account to the Recipient Management role group. For instructions, see “Manage Role Group Members” at http://technet.microsoft.com/library/jj657492(exchg.150).aspx.
  2. Add the account to the Account Operators domain security group.
  3. Enable the account to use remote Exchange Management Shell. For instructions, see “Enable remote Shell for a user” in the topic “Manage Exchange Management Shell Access” at http://technet.microsoft.com/library/dd638078(exchg.150).aspx.
  4. Ensure that the account can read Exchange configuration data (see Permission to read Exchange configuration data).
  5. Restart the Administration Service after changing the configuration of the account: Start Active Roles Configuration Center (see “Running Configuration Center” in the Active Roles Administrator Guide), go to the Administration Service page in the Configuration Center main window, and then click the Restart button at the top of the Administration Service page.
Permission to read Exchange configuration data

To perform Exchange recipient management tasks, Active Roles requires Read access to Exchange configuration data in Active Directory. This requirement is met if the service account (or the override account, if specified) has administrator rights, for example if the account is a member of the Domain Admins or Organization Management group. Otherwise, grant the account Read permission on the Microsoft Exchange container, using the ADSI Edit console.

NOTE: The following instructions apply to the ADSI Edit console that ships with Windows Server 2012 or Windows Server 2012 R2.

To provide Read access to the service account using the ADSI Edit console:

  1. Open the ADSI Edit console, and connect to the Configuration naming context.
  2. In the ADSI Edit console, navigate to the Configuration/Services container, right-click Microsoft Exchange in that container, and then click Properties.
  3. On the Security tab in the Properties dialog box that appears, click Advanced.
  4. On the Permissions tab in the Advanced Security Settings dialog box, click Add.
  5. On the Permission Entry page, configure the permission entry:
    1. Click Select a principal, and select the desired account.
    2. Ensure that the Type box indicates Allow.
    3. Ensure that the Applies to box indicates: This object and all descendant objects.
    4. In the Permissions area, select the List contents and Read all properties check boxes.
    5. Click OK.
  6. Click OK to close the Advanced Security Settings dialog box, and then click OK to close the Properties dialog box.
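Both delegations in this guide, the service publication rights on the One Identity sub-container and the Read access on the Microsoft Exchange container just described, are object-type-specific ACEs on Active Directory objects, so they can be applied and verified with one script instead of two ADSI Edit sessions. The script below is an added example, not One Identity code; it assumes the RSAT ActiveDirectory module is installed, that it runs as a Domain Admin, and that the service account is named svc-aroles. Applying the Create rights with inheritance to descendant objects is also an assumption, chosen so the right to create ServiceConnectionPoint objects carries into the containers the service creates.

```powershell
# Added example, not One Identity code. Assumes RSAT ActiveDirectory, Domain Admin rights,
# and a service account named svc-aroles (assumption).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$domainDN = $rootDse.defaultNamingContext
$account  = Get-ADUser -Identity 'svc-aroles'

# Object-type-specific ACEs (e.g. "Create <class> objects") are keyed by the class's schemaIDGUID.
function Get-SchemaClassGuid {
  param([string]$LdapDisplayName)
  $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
  if (-not $class) { throw "Schema class '$LdapDisplayName' not found" }
  [guid]$class.schemaIDGUID
}

# Append one Allow ACE to an AD object's DACL. ObjectType = Guid.Empty means "all object types",
# which is what "Read all properties" / "List contents" need.
function Grant-AdRight {
  param(
    [string]$DistinguishedName,
    [System.Security.Principal.SecurityIdentifier]$Sid,
    [System.DirectoryServices.ActiveDirectoryRights]$Rights,
    [guid]$ObjectType = [guid]::Empty,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All'
  )
  $path = "AD:\$DistinguishedName"
  $acl  = Get-Acl -Path $path
  $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
            $ObjectType, $Inheritance)
  $acl.AddAccessRule($ace)
  Set-Acl -Path $path -AclObject $acl
}

# 1. Service publication: Create Container objects and Create ServiceConnectionPoint objects
#    on CN=One Identity,CN=System,<domain>.
$scpContainer = "CN=One Identity,CN=System,$domainDN"
foreach ($class in 'container', 'serviceConnectionPoint') {
  Grant-AdRight -DistinguishedName $scpContainer -Sid $account.SID `
    -Rights CreateChild -ObjectType (Get-SchemaClassGuid $class) -Inheritance All
}

# 2. Exchange configuration data: List contents + Read all properties on
#    CN=Microsoft Exchange,CN=Services,<configuration NC>, this object and all descendant objects.
$exchangeContainer = "CN=Microsoft Exchange,CN=Services,$configNC"
Grant-AdRight -DistinguishedName $exchangeContainer -Sid $account.SID `
  -Rights 'ListChildren, ReadProperty' -Inheritance All

# Verify: list the ACEs on both containers that now reference the service account.
foreach ($dn in $scpContainer, $exchangeContainer) {
  (Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -like '*\svc-aroles' } |
    Select-Object @{ n = 'Object'; e = { $dn } }, ActiveDirectoryRights, ObjectType, InheritanceType
}
```

The verification output should show two CreateChild entries whose ObjectType is the GUID of container and serviceConnectionPoint respectively, and one ListChildren, ReadProperty entry with an empty ObjectType and InheritanceType All on the Microsoft Exchange container; the Read entry is what ADSI Edit would produce from the steps above.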
Support for Exchange Remote Shell

When performing Exchange recipient management tasks on Exchange Server 2010 or later, Active Roles uses remote Exchange Management Shell to communicate with Exchange Server. Hence, it is not required to install the Exchange management tools on the computer running the Administration Service.

To use remote Exchange Management Shell, the Administration Service must be running on a computer that has:

Remote Shell also requires the following:

  • TCP port 80 must be open between the computer running the Administration Service and the remote Exchange server.
  • The user account the Administration Service uses to connect to the remote Exchange server (the service account or the override account) must be enabled for remote Shell. To enable a user account for remote Shell, update that user account by using the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.
  • Windows PowerShell script execution must be enabled on the computer running the Administration Service. Run the Set-ExecutionPolicy RemoteSigned command in an elevated Windows PowerShell window; the RemoteSigned policy lets locally created scripts run and requires a signature only on scripts downloaded from the Internet.
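The steps for Exchange 2010, 2013 and 2016 above (role group, Account Operators, remote Shell) and the remote Shell requirements in this section can be carried out and checked from one PowerShell session. The script below is an added example, not One Identity code; it assumes an Exchange server named exch01.corp.example, a service account named svc-aroles, that it runs as a member of Organization Management with the RSAT ActiveDirectory module available, and that the Set-ExecutionPolicy line is run separately on the Administration Service host. Connecting through the /PowerShell virtual directory over TCP 80 with Kerberos is the same path the Administration Service uses, so a successful New-PSSession also confirms the port-80 requirement.

```powershell
# Added example, not One Identity code. Names below are assumptions.
$exchangeServer = 'exch01.corp.example'
$serviceAccount = 'svc-aroles'

# Remote Exchange Management Shell: /PowerShell virtual directory, HTTP (TCP 80), Kerberos.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
  -ConnectionUri "http://$exchangeServer/PowerShell/" -Authentication Kerberos
Import-PSSession $session -DisableNameChecking | Out-Null

try {
  # Step 1: Recipient Management role group (Exchange RBAC), idempotent.
  $inRoleGroup = Get-RoleGroupMember -Identity 'Recipient Management' |
                 Where-Object { $_.Name -eq $serviceAccount }
  if (-not $inRoleGroup) {
    Add-RoleGroupMember -Identity 'Recipient Management' -Member $serviceAccount
  }

  # Step 2: Account Operators. This built-in group can manage most non-administrative accounts
  # in the domain and log on to domain controllers, so treat the service account accordingly.
  Add-ADGroupMember -Identity 'Account Operators' -Members $serviceAccount

  # Step 3: allow the account to use remote Exchange Management Shell.
  Set-User -Identity $serviceAccount -RemotePowerShellEnabled $true

  # Verification of steps 1 to 3; step 4 (Read access to Exchange configuration data) is an
  # AD ACL and step 5 (restarting the Administration Service) is done in Configuration Center.
  [pscustomobject]@{
    RecipientManagement = [bool](Get-RoleGroupMember -Identity 'Recipient Management' |
                                 Where-Object { $_.Name -eq $serviceAccount })
    AccountOperators    = (Get-ADGroupMember -Identity 'Account Operators').SamAccountName -contains $serviceAccount
    RemoteShellEnabled  = (Get-User -Identity $serviceAccount).RemotePowerShellEnabled
  }
}
finally {
  Remove-PSSession $session
}

# On the Administration Service host, in an elevated window: script execution policy and
# reachability of the Exchange remoting endpoint.
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
Get-ExecutionPolicy -Scope LocalMachine
(Test-NetConnection -ComputerName $exchangeServer -Port 80).TcpTestSucceeded
```

If New-PSSession itself fails, check TCP 80 to the Exchange server and that the account running the script is enabled for remote Shell; if the Administration Service later cannot manage recipients even though all three verification fields are True, the missing piece is usually step 4, Read access on the Microsoft Exchange configuration container.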