Active Directory domains registered with Active Roles are referred to as managed domains. Each Administration Service maintains a list of managed domains, and stores this list in the Administration Database as part of the service configuration.
In the Active Roles console, the Add Managed Domain wizard is used to register domains for management. You can access the wizard as follows: Click the console tree root; then, in the details pane, in the Domains area, click Add Domain.
The Add Managed Domain wizard prompts you for the following information:
You have the option to use the default credentials (the service account of the Administration Service) or enter the user name and password of a different account (override account). In both cases, the account must have adequate rights in the managed domain. For more information, refer to the “Access to Managed Domains” section in the Active Roles Quick Start Guide.
If you choose the option to access the managed domain using the service account information, consider the following. This option applies to all Administration Services in your environment. Each Administration Service in your environment will use its own service account to access the domain. Since different service accounts may have different levels of access to the domain, Active Roles may have different access rights to the domain, depending on which Administration Service is being used to manage the domain. The result is that the behavior of Active Roles may vary when you switch to a different Administration Service.
After you add a managed domain, the Administration Service retrieves the domain information, such as the Active Directory schema and the hierarchy of containers. This process is referred to as loading domain information.
It may take a few minutes for the Administration Service to load the domain information. Once this process is completed, the domain is available for management. Select the Active Directory item in the console tree and press F5 to refresh the details pane and display the new domain. To start managing the domain, select it in the details pane and press ENTER; or expand the domain item in the console tree.
It is possible to remove a domain from the list of managed domains. Once removed, the domain and all directory objects contained in the domain can no longer be managed with Active Roles. To remove a managed domain, select the console tree root and click Go to Managed Domains in the details pane, in the Domains area. This causes the details pane to display a list of managed domains. In the list, right-click the domain you want to remove, and click Delete.
The operation of adding a managed domain results in the creation of an object that holds the registration information about the domain. For this reason, it is also referred to as registering a domain with Active Roles.
To add a managed domain
If you choose the second option, type the user name and password of the user account you want Active Roles to use when accessing the domain.
After you’ve registered an Active Directory domain with Active Roles, you have the option to use the domain as an unmanaged domain. An unmanaged domain is basically a domain that is registered with Active Roles for read-only access. The use of the unmanaged domain option allows you to reduce licensing costs since the user count that corresponds to the unmanaged domains is not added to product usage statistics (see Evaluating product usage).
Unmanaged domains are instrumental in the following scenarios:
As applied to a registered unmanaged domain, the features and functions of Active Roles are limited to those that do not require write access to the objects held in that domain (including write access to the object data that is stored by Active Roles as virtual attributes). Thus, you can use Active Roles to:
Since Active Roles has read-only access to unmanaged domains, it cannot:
To configure an unmanaged domain
Once applied to a domain, the Built-in Policy - Exclude from Managed Scope Policy Object stops product usage statistics from counting objects in the domain and prevents any changes to the objects held in that domain, making the objects available for read access only. For more information, see Managed scope to control product usage.