Chat now with support
Chat with Support

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Verifying connectivity between the EC2 and RDS instances

After you created the RDS instance, you can test in the EC2 instance with the telnet client or Microsoft SQL Server Management Studio (SSMS) if the RDS connectivity was successfully configured.

To verify RDS connectivity in the EC2 instance

  1. Log in to the EC2 instance created for Active Roles.

  2. To test connectivity to RDS, install the telnet client. To do so:

    1. Open Windows Server Manager.

    2. On the Dashboard, click Add roles and features.

    3. In Installation Type, select Role-based or feature-based installation, then click Next.

    4. In Server Selection, choose Select a server from the server pool, and make sure that the local server (the EC2 instance) is selected.

    5. In Server Roles, just click Next.

    6. In Features, select Telnet Client.

    7. In Confirmation, click Install, then Close the application.

  3. To verify connectivity to the RDS instance, open the Windows Command Prompt, and run the following command:

    telnet <rds-server-endpoint> <port-number>

    To find the RDS server endpoint and port to specify, open the entry of the RDS instance in the AWS console, and check the values under Connectivity & Security > Endpoint & port.

    NOTE: If the command returns an empty prompt, that indicates connectivity between the EC2 instance and the RDS instance.

  4. Download and install Microsoft SQL Server Management Studio (SSMS) on the EC2 instance.

  5. To test the connection with SSMS, start the application, then in the Connect to Server dialog, specify the following attributes:

    • Server type: Select Database Engine.

    • Server name: The same RDS instance endpoint used in the telnet command.

    • Authentication: Select SQL Server Authentication, then specify the admin user name and password created when configuring the RDS instance.

  6. After you specified all connection properties, click Connect.

Installing and configuring Active Roles on the EC2 instance

After you checked the connectivity between the EC2 and RDS instances, you can deploy and configure Active Roles on the EC2 instance.

Prerequisites

Before starting the procedure, make sure that the following requirements are met:

To install Active Roles on the EC2 instance

  1. Download the Active Roles installation media to the EC2 instance.

  2. Run the setup and install Active Roles with all required prerequisites as described in Active Roles installation in the Active Roles Quick Start Guide.

After installing Active Roles, configure the Active Roles Administration Service.

To configure Active Roles Administration Service for managing AWS Managed Microsoft AD in SQL Server Management Studio

  1. Start Microsoft SQL Server Management Studio (SSMS) and connect to the RDS for SQL Server instance as described in Verifying connectivity between the EC2 and RDS instances.

  2. Under the Databases node of the Object Explorer, create two new empty databases to be used later for configuring Active Roles:

    • A database for the Management History database. Name it, for example, ARMH.

    • A database for the Active Roles Configuration database. Name it, for example, ARConfig.

  3. Create a new user that Active Roles will use to connect to the SQL database in the RDS instance. To do so, right-click the Security > Logins node of the Object Explorer, then select New login and specify the following details:

    1. Under General > Login name, enter the name of the user (for example, sql-activeroles). Then, select SQL Server authentication.

    2. Under User Mapping, select the databases that you created (in this example, ARMH and ARConfig), and assign the db_owner role to both of them.

To configure Active Roles Administration Service for managing AWS Managed Microsoft AD in Active Roles Configuration Center

  1. Start the Active Roles Configuration Center.

  2. On the Dashboard, under Administration Service, click Configure.

  3. In Service Account, enter the user name and password of the Active Roles Service account. This can be, for example, the domain admin account supplied by Amazon Web Services (AWS).

  4. In Active Roles Admin, specify the security group or administrator user in the EC2 instance who will hold Active Roles Admin permissions.

  5. In Configuration Database Options, select New Active Roles database and Use a pre-created blank database.

  6. In Connection to Configuration Database, configure the following settings:

    • Database type: Select On Premise. In the context of Active Roles, the Amazon RDS for SQL Server instance functions like an on-premises SQL Server.

    • Database Server name: Specify the endpoint URL of the RDS instance. This is the same endpoint you specified during Verifying connectivity between the EC2 and RDS instances.

    • Database name: Specify the name of the blank database that you created as the Active Roles Configuration database (in this example, ARConfig).

    • Connect using: Select SQL Server authentication, and enter the user name and password of the user created as the owner of the database.

  7. In Management History Database Options, select New Active Roles database and Use a pre-created blank database.

  8. In Connection to Management History Database, specify the same Database type, Database Server name and connection settings that you set for the Configuration database. However, for Database name, enter the name of the blank database that you created for use as the Active Roles Management History database (in this example, ARMH).

  9. In Encryption Key Backup, specify the file name and save location of the Active Roles database encryption key.

  10. (Optional) Still in Encryption Key Backup, specify a password for additional protection. To continue, click Next.

  11. Review your settings. Then, to apply your changes, click Configure.

After you configured the Active Roles Administration Service, you can also configure the Active Roles Console to manage your AWS Managed Microsoft AD instance.

To configure Active Roles Console for managing AWS Managed Microsoft AD

  1. Start the Active Roles Console.

  2. Due to limitations with Service Connection Points (SCPs) in the Amazon cloud, Active Roles Console is likely unable to automatically discover the Administration Service instance you configured previously.

    To manually connect to the Administration Service, in the Connect to Administration Service dialog, under Service, specify localhost. Under Connect as, select Current user, then click Connect.

    NOTE: If you cannot connect to the Administration Service by specifying localhost, then specify the full Device name as indicated in the Settings > About page of the operating system.

  3. After you connected, in the Active Roles Console landing page, click Add Domain.

  4. In the Add Managed Domain Wizard, in Domain Selection, click Browse and select the domain configured by AWS for the EC2 instance.

  5. In Active Roles Credentials, select The service account information the Administration Service uses to log on.

  6. To finish adding the domain, click Next, then Finish.

  7. To make sure that the contents of the AWS Managed Microsoft AD domain appear in the Active Roles Console, click Refresh or right-click the Active Roles node, then click Reconnect.

    NOTE: The connected AWS Managed Microsoft AD environment will contain several built-in and AWS-specific containers with read-only access. You can create and manage AD objects only in the Organizational Unit whose name matches the shortname of the connected domain's name (specified during Creating the AWS Managed Microsoft AD instance).

Azure AD, Microsoft 365, and Exchange Online Management

Active Roles facilitates the administration and provisioning of Active Directory (AD), Exchange, and Azure AD resources in on-premises, cloud-only and hybrid environments as well. You can manage all these resources through the Active Roles Web Interface.

  • In an on-premises environment, when you create new AD objects (users, guest users, groups, contacts, and so on), Active Roles creates and stores these new objects in the local infrastructure of your organization.

  • In a cloud-only environment, when you create new AD objects (users, guest users, groups, contacts, and so on), Active Roles creates and stores these new objects in the Azure Cloud.

  • In hybrid environments, when you create new AD objects (users, guest users, contacts, and so on) Active Roles synchronizes the on-premises AD objects and their properties to the AD cloud. This synchronization is performed by the Active Roles Synchronization Service between Active Roles and Microsoft Microsoft 365, whenever you configure an AD object with the Active Roles Web Interface.

NOTE: Active Roles Web Interface supports AD-related operations only on sites based on the Administrators template. While some of the configuration procedures described in this document are also supported through the Active Roles Management Shell, they are all described with using the Active Roles Web Interface.

Fore more information about the management of Azure AD, Microsoft 365, and Exchange Online objects, see Managing Azure AD, Microsoft 365, and Exchange Online objects in the Active Roles Web Interface User Guide.

Configuring Active Roles to manage Hybrid AD objects

When a user signs up for a Microsoft cloud service, for example, Azure Active Directory, details about the user’s organization and the organization’s Internet domain name registration are provided to Microsoft. This information is then used to create a new Azure AD instance for the organization. The same directory is used to authenticate sign-in attempts when you subscribe to multiple Microsoft cloud services.

The Azure AD instance of the organization (also called the Azure AD tenant) stores the users, groups, applications, and other information pertaining to an organization and its security. To access the Azure AD tenant, we need an application that is registered with the tenant. Active Roles uses this application (also called the Azure AD application), to communicate to Azure AD tenant after providing the required consent.

The Active Roles Web Interface and Management Shell can be used to perform the Azure AD configuration tasks. You can add or modify existing tenants to the management scope through the Web Interface and Management Shell. Active Roles also supports the Multiple tenants model.

NOTE: Administrative users or users with sufficient privileges only can view Azure configuration.

The following section guides you through the Active Roles Web Interface and Management Shell to configure Azure AD tenants and applications and synchronize existing AD objects to Azure AD.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating