
Active Roles 8.2.1 - Feature Guide


Support for AWS Managed Microsoft AD

NOTE: This feature is officially supported starting from Active Roles 8.1.3 SP1 (build 8.1.3.10). It is not supported on Active Roles 8.1.3 (build 8.1.3.2) and earlier versions.

Active Roles supports deployment and configuration in the Amazon cloud to manage AWS Managed Microsoft AD instances hosted via AWS Directory Service.

This allows you to:

  • Perform Active Directory management tasks in your AWS Managed Microsoft AD environment.

  • Synchronize directory data from an on-premises AD environment to AWS Managed Microsoft AD.

  • Synchronize passwords from an on-premises Active Directory to AWS Managed Microsoft AD (with certain limitations).

For more information on configuring Active Roles to manage AWS Managed Microsoft AD environments, see Configuring Active Roles for AWS Managed Microsoft AD in the Active Roles Installation Guide or the Active Roles Administration Guide.

For more information on configuring Active Roles Synchronization Service to synchronize resources to or from AWS Managed Microsoft AD, see Installing and configuring Synchronization Service for use with AWS Managed Microsoft AD in the Active Roles Synchronization Service Administration Guide.

Supported AWS Managed Microsoft AD deployment configuration

To manage AWS Managed Microsoft AD environments, you must deploy Active Roles in Amazon Web Services (AWS) in the following configuration:

  • Active Roles must be deployed on an Amazon Elastic Compute Cloud (EC2) instance or instances. For more information, see the Amazon Elastic Compute Cloud documentation.

  • The SQL Server required by Active Roles Administration Service must run on a separate Amazon Relational Database Service for Microsoft SQL Server (RDS for SQL Server) instance. For more information, see the Amazon RDS documentation.

  • The Active Directory environment must be hosted in AWS via AWS Directory Service. For more information, see the AWS Directory Service documentation.

NOTE: Support for AWS Managed Microsoft AD by Active Roles was tested only in this configuration. Active Roles does not officially support managing AWS Managed Microsoft AD environments in a hybrid deployment, that is, using an on-premises Active Roles and/or SQL Server installation and hosting AD via AWS Directory Service.

Supported Active Roles features with AWS Managed Microsoft AD

If configured to manage AWS Managed Microsoft AD, Active Roles offers a feature set similar to managing an on-premises AD service. This includes:

  • Performing the day-to-day administration tasks of AD objects (users, contacts, computers, distribution and security groups, Organizational Units, shared folders) in the Active Roles Console or the Web Interface.

  • Rule-based and role-based administrative views and permissions for AD objects (Managed Units and Access Templates).

  • Automation and approval workflows for AD objects.

  • Importing the Management History database and/or Configuration database from an on-premises Active Roles installation of the same version. This is useful if you want to migrate the configuration of an existing on-premises Active Roles installation to your Active Roles installation running in an EC2 instance to manage AWS Managed Microsoft AD.

  • Synchronization Service connections and sync workflows based on the following Active Roles Synchronization Service connectors:
    • Active Directory Connector

    • Active Roles Connector

    • Delimited Text File Connector

  • Synchronizing passwords with Active Roles Synchronization Service from on-premises AD to AWS Managed Microsoft AD.

NOTE: For the limitations of password synchronization from on-premises AD to AWS Managed Microsoft AD, see Active Roles feature limitations when using AWS Managed Microsoft AD.

Active Roles feature limitations when using AWS Managed Microsoft AD

When using Active Roles to manage AWS Managed Microsoft AD resources, consider the following limitations.

Amazon Web Services limitations

For Active Roles installations deployed in Amazon Elastic Compute Cloud (EC2) instances and SQL Servers hosted on Amazon Relational Database Service for SQL Server (RDS for SQL Server) instances, the known EC2 and RDS limitations apply.

AD LDS, Azure AD, Exchange and Exchange Online support

Active Roles components (such as the Active Roles Console or Web Interface) that also support directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD-related configuration and administration tasks.

Likewise, Active Roles features (such as Managed Units or Access Templates) that also support managing objects from directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD object and permission management.

Domain Admin account management

As AWS has exclusive control over Domain Admin accounts, managing such accounts with Active Roles is not possible in AWS Managed Microsoft AD.

For more information, see Admin account in the AWS Directory Service documentation.

Federated authentication support

Federated authentication with WS-Fed was not tested to work with AWS Managed Microsoft AD.

Non-AD specific Active Roles features

Active Roles features used to manage non-AD directory services (such as Exchange Resource Forest Management) were not tested to work with AWS Managed Microsoft AD.

Service Connection Point discovery

Active Roles connected services (such as the Active Roles Console) rely on AD Discovery: the Administration Service publishes Service Connection Points (SCPs) in Active Directory, and the other Active Roles services locate it by reading those SCPs.

As AWS Directory Service does not support AD Discovery, Active Roles services installed on an EC2 instance to manage AWS Managed Microsoft AD may not be able to automatically discover the Active Roles Administration Service. In that case, the connected service must be pointed at the Administration Service explicitly (for example, by specifying the service host), which impacts the user experience.
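The following PowerShell snippet is an added example and is not part of the Active Roles documentation. It enumerates the Service Connection Point objects visible in the domain so that an administrator can verify whether an SCP exists for the EC2 host running the Administration Service before troubleshooting Console discovery. It assumes the RSAT ActiveDirectory module is available on the EC2 instance; the host name ARSVC01 is a placeholder, and because the example does not know the exact keywords Active Roles writes into its SCP, it matches only on the host name appearing in the SCP's distinguished name or service binding information.

```powershell
# Added example, not Active Roles product code.
# Assumes: RSAT ActiveDirectory module; the session can read the domain.
Import-Module ActiveDirectory

function Find-ServiceConnectionPoint {
    param(
        # Host name of the machine running the Administration Service (placeholder below).
        [string]$HostName
    )

    # serviceConnectionPoint is the standard AD object class used for service publication.
    Get-ADObject -LDAPFilter '(objectClass=serviceConnectionPoint)' `
        -Properties keywords, serviceBindingInformation, serviceClassName |
      Where-Object {
        # With no host name given, return every SCP in the domain.
        (-not $HostName) -or
        ($_.DistinguishedName -match [regex]::Escape($HostName)) -or
        (($_.serviceBindingInformation -join ';') -match [regex]::Escape($HostName))
      } |
      Select-Object Name,
                    serviceClassName,
                    @{ Name = 'Bindings'; Expression = { $_.serviceBindingInformation -join ';' } },
                    @{ Name = 'Keywords'; Expression = { $_.keywords -join ';' } },
                    DistinguishedName
}

# Usage: 'ARSVC01' is an assumed host name for the EC2 instance running the
# Administration Service. An empty result means no SCP was published for it and
# the Console or Web Interface must be configured with the service name manually.
Find-ServiceConnectionPoint -HostName 'ARSVC01' | Format-List
```

Run this in an elevated PowerShell session on the EC2 instance that is joined to the AWS Managed Microsoft AD domain. Listing all SCPs (by omitting -HostName) is also a quick way to see which other services in the directory do publish SCPs, which helps distinguish a domain-wide restriction from a problem specific to one Active Roles host.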

Synchronization Service limitations

When synchronizing directory data or passwords from on-premises Active Directory to AWS Managed Microsoft AD, Active Roles Synchronization Service has the following limitations:

  • Active Roles Synchronization Service was only tested to work with connections and sync workflows based on the following connectors:

    • Active Directory Connector

    • Active Roles Connector

    • Delimited Text File Connector

    Sync workflows and connections based on other connectors are not officially supported.

  • When synchronizing passwords from an on-premises Active Directory to AWS Managed Microsoft AD, synchronizing the pwdHash attribute, and synchronizing and populating the SIDHistory attribute in AWS Managed Microsoft AD, are not supported. This is because the Synchronization Service Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.

  • Synchronizing passwords in the opposite direction, from AWS Managed Microsoft AD to on-premises AD, is not supported with Active Roles Synchronization Service, for the same reason: the Synchronization Service Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.

SQL Server replication support

As Active Roles uses RDS for SQL Server when managing AWS Managed Microsoft AD, the SQL Server replication feature of Active Roles is not supported.

Usable Organizational Unit in the AD domain

After you connect the Active Roles Console to your AWS Managed Microsoft AD environment, the AD domain and its containers will appear in the Active Roles Console (and if configured, in the Web Interface as well). By default, the AWS Managed Microsoft AD environment contains three types of containers:

  • AWS-specific containers.

  • The default AD-specific containers (such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, and so on).

  • An Organizational Unit container matching the NetBIOS (or shortname) of the AWS Managed Microsoft AD deployment. For example, if the shortname of your AD domain is ARDEMO, the name of this container will also be ARDEMO.

Of these three container types, you can manage AD resources only in the Organizational Unit whose name matches the shortname of your AWS Managed Microsoft AD environment. All other containers will be read-only.
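The following PowerShell snippet is an added example, not code from the Active Roles documentation. It probes which top-level containers in the AWS Managed Microsoft AD domain actually accept writes for the account you are using, by creating and immediately deleting a throw-away contact object in each candidate container. It assumes the RSAT ActiveDirectory module on the EC2 instance and a session running as the AWS-provided administrative account (or an account delegated within the NetBIOS-named OU); the candidate list is an assumption built from the NetBIOS-named OU and the default containers the page mentions.

```powershell
# Added example, not Active Roles product code.
# Assumes: RSAT ActiveDirectory module; the session has the rights of the
# AWS-provided admin account (or a delegated account) in this domain.
Import-Module ActiveDirectory

function Test-ContainerWritable {
    param(
        # Distinguished names of the containers to probe.
        [string[]]$ContainerDN
    )

    # Unique, throw-away object name so repeated runs never collide.
    $probeName = 'ar-write-probe-' + [guid]::NewGuid().ToString('N').Substring(0, 8)

    foreach ($dn in $ContainerDN) {
        try {
            # Create then delete a contact; the create fails with an access error
            # in containers that are read-only for this account.
            $obj = New-ADObject -Name $probeName -Type contact -Path $dn -PassThru -ErrorAction Stop
            Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$false -ErrorAction Stop
            [pscustomobject]@{ Container = $dn; Writable = $true;  Detail = '' }
        }
        catch {
            # Any failure (typically 'Insufficient access rights') is reported as read-only.
            [pscustomobject]@{ Container = $dn; Writable = $false; Detail = $_.Exception.Message }
        }
    }
}

# Build the candidate list from the domain itself: the OU named after the
# NetBIOS shortname (e.g. ARDEMO) plus the default AD containers.
$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$candidates = @(
    "OU=$($domain.NetBIOSName),$domainDN",   # the one OU Active Roles can manage
    $domain.UsersContainer,                   # default CN=Users
    $domain.ComputersContainer,               # default CN=Computers
    $domainDN                                 # the domain root itself
)

Test-ContainerWritable -ContainerDN $candidates | Format-Table -AutoSize
```

Expect only the NetBIOS-named OU to report Writable = True. If the default containers also come back writable, the account you are using is not subject to the AWS-managed permission model described on this page, which is worth knowing before delegating it through Access Templates.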
