Chat now with support
Chat with Support

Active Roles 7.5 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo MFA Appendix H: Active Roles integration with Okta MFA

Using AlwaysOn Availability Groups

You can improve the availability of the Active Roles Administration Service by using the AlwaysOn Availability Groups feature introduced in Microsoft SQL Server 2012. With the AlwaysOn Availability Groups feature, SQL Server provides a failover environment, known as an availability group, for a set of availability databases that fail over together from one SQL Server instance to another. You can add the Active Roles database to an availability group, and have the Administration Service automatically reconnect to the database when the availability group fails over to another SQL Server instance.

An availability group defines a set of availability replicas to host copies of each availability database. Each availability group has at least two availability replicas: the primary replica and a secondary replica. The primary replica hosts the read-write copy of each availability database held in the availability group; a secondary replica hosts a read-only copy of each availability database, and serves as a potential failover target for the availability group. During a failover, a secondary replica transitions to the primary role, becoming the new primary replica. The new primary replica brings its databases online as the primary databases for read-write access.

Adding the Active Roles database to an availability group helps ensure uninterrupted operation of the Active Roles Administration Service. If a server or software failure occurs on the SQL Server side, the availability group can instantly switch the database to a secondary replica, enabling the Administration Service to reconnect seamlessly to the database in the new location.

For detailed information about the AlwaysOn Availability Groups feature, see “AlwaysOn Availability Groups (SQL Server)” at http://go.microsoft.com/fwlink/p/?LinkId=245660.

Availability Group setup in Active Roles

Availability Group setup in Active Roles

Suppose you have the Active Roles Administration Service installed and configured as described in the Active Roles Quick Start Guide. This section provides instructions on how to configure the Administration Service to use the database that belongs to an availability group (an availability database).

Note that the Administration Service whose database belongs to an availability group cannot participate in Active Roles replication. Active Roles does not support the replication function for availability databases. If you attempt to perform the “Promote to Publisher” or “Add Subscriber” operation with the Administration Service connected to an availability database, you receive an error.

Here we assume that the Active Roles database is already added to an availability group on SQL Server. For instructions on how to configure an availability group, and how to add a database to an availability group, refer to Microsoft's documentation (see “Getting Started with AlwaysOn Availability Groups (SQL Server)” at http://technet.microsoft.com/en-us/library/gg509118.aspx). We also assume that Active Roles replication is not configured, neither for Configuration data nor for Management History data.

Under these conditions, you can configure the Administration Service to connect to the database via the availability group listener. By using the listener, the Administration Service can connect to the current primary replica of the availability group that holds the Active Roles database without knowing the name of the physical instance of SQL Server that hosts the primary replica. The listener enables support for failover redirection. In case of a failover, the listener automatically redirects the Administration Service’s connection to the new primary replica.

Configuring the database connection to use the listener

To enable the use of the availability group listener, you need to modify the database connection setting of the Administration Service. You can specify the availability group listener in the SQL Server field on the Change Active Roles Database wizard pages provided by Active Roles Configuration Center.

Depending upon the location of the Management History database in your Active Roles environment, you need to specify the listener in the SQL Server field on the Connection to Database page, on the Connection to Management History Database page, or on both pages. The value in the SQL Server field must identify the DNS host name and, optionally, the TCP port of the listener of the availability group to which the database belongs. For example, if the DNS host name of the listener is AGListener and the TCP port used by this listener is 1234, the value is AGListener,1234. You may omit the port number in case of the default port, 1433.

Management History data stored in a separate database

Using Active Roles, it is mandatory to store the Management History data in a separate database. If you do this, then you have two databases, the Configuration database and the Management History database, each of which (or both) can belong an availability group. In this case:

  • If the Configuration database belongs to an availability group, specify the listener of that availability group in the SQL Server field on the Connection to Database page in the Change Active Roles Database wizard. Otherwise, leave the value data intact.
  • If the Management History database belongs to an availability group, specify the listener of that availability group in the SQL Server field on the Connection to Management History Database page in the Change Active Roles Database wizard. Otherwise, leave the value data intact.

To specify the listener

  1. Start Configuration Center on the computer running the Administration Service, or connect Configuration Center to that computer.

    You can start Configuration Center by selecting Active Roles Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system. For detailed instructions, see Running Configuration Center.

  1. On the Dashboard page in the Configuration Settings main window, click Manage Settings in the Administration Service area.
  2. On the Administration Service page that opens, click Change in the Active Roles databases area.
  3. On the Connection to Database page in the Change Active Roles Database wizard that appears, do the following:
    1. If the Configuration database belongs to an availability group, then, in the SQL Server field, supply the DNS host name and, optionally, the TCP port of the listener of that availability group. Otherwise, don’t change the value in the SQL Server field.
    2. If the Administration Service uses the SQL Server authentication option, type the password of the SQL login used for connection to the Configuration database.
    3. Click Next.
  4. On the Management History Database Options page, select the Existing Active Roles database option (if not already selected), and then click Next.
  5. On the Connection to Management History Database page, do the following:
    1. If the Management History database belongs to an availability group, then, in the SQL Server field, supply the DNS host name and, optionally, the TCP port of the listener of that availability group. Otherwise, don’t change the value in the SQL Server field.
    2. If the Administration Service uses the SQL Server authentication option, type the password of the SQL login used for connection to the Management History database.
    3. Click Next.
  6. Follow the instructions in the wizard to complete the configuration.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating