立即与支持人员聊天
与支持团队交流

Active Roles 7.5.3 - Quick Start Guide

Introduction Active Roles Setup package Active Roles uninstallation System Requirements Deploying the Administration Service Deploying user interfaces Installing additional components Upgrade of an earlier version Performing a pilot deployment Deployment considerations Silent installation of Active Roles components Configuring Active Roles to Manage Hybrid Active Directory Objects Active Roles on Windows Azure VM

Upgrading the Administration Service

To upgrade Active Roles Administration Service from a version earlier than 6.9 to 7.x, you must first upgrade to version 6.9.

You can upgrade the Administration Service from version 6.9 through 7.4 to 7.5.3.

Upgrading the Administration Service implies creation of a new Administration Service instance of the latest version, with the configuration and management history data imported from your Administration Service of an earlier version. As a result, the new Administration Service instance inherits all of your existing Active Roles configuration settings, such as managed domains, managed units, permission assignments, policies, workflows, virtual attributes and so on. By importing management history data, you transfer change history, approval tasks, and temporal group membership tasks from your Administration Service of an earlier version to the new Administration Service instance.

To upgrade the new Administration Service instance from 7.0.x or later to 7.5.3 perform the following steps:

NOTE: Before upgrading to the latest version of Active Roles, the add-ons of the earlier versions must be uninstalled.

  1. After upgrading the Active Roles package to 7.5.3, you are prompted to restart the system.
  2. After the system restarts, the Configuration Center opens by default, displaying the Upgrade configuration wizard.

    The fields in the wizard are auto-populated. The database name for Configuration and Management history are suggested, by default. However. if you want to update the database name, click Click here to change or provide existing database names link.

  1. Select the check box on the Upgrade configuration wizard, to confirm that you have read the instructions in the Quick Start guide regarding "Configuring Active Role for in-place upgrade".
  1. Click Next.

    NOTE: If you click Next without selecting the check box, an error is displayed prompting you to follow the instructions given against the check box and select the check box.

    The upgrade starts and the Execution tab displays the Progress bar for the upgrade.

After the database upgrade is complete, the Active Roles Service is automatically started and ready for use.

You can upgrade from Active Roles 7.0.x or later to Active Roles 7.x using in-place upgrade or a new installation of Active Roles with import of database from an earlier version.

Upgrading from Active Roles 6.9 version to 7.x version is a side-by-side upgrade, which does not interrupt operations or affect the configuration of your earlier Active Roles version. To ensure smooth upgrade to the new Active Roles version, you must first upgrade the Administration Service and then upgrade the Web Interface.

If you no longer need the Administration Service of the earlier version, you can uninstall it using Programs and Features in Control Panel: Right-click Administration Service in the list of installed programs, and then click Uninstall.

Install and configure the Administration Service

To create a new Administration Service instance, you first install Administration Service files and then perform initial configuration.

To install the Administration Service files

  1. Log on with a user account that has administrator rights on the computer.
  2. Navigate to the location of the Active Roles distribution package, and start the Setup wizard by double-clicking ActiveRoles.exe.
  3. Follow the instructions in the Setup wizard.
  4. On the Component Selection page, ensure that the Administration Service component is selected, and click Next.
  5. On the Ready to Install page, click Install to perform installation.
  6. On the Completion page, select the I want to perform configuration check box, and click Finish.

The Setup wizard only installs the files. After you have completed the Setup wizard, you need to configure the newly installed Administration Service instance by using Active Roles Configuration Center. The Configuration Center opens automatically if you select the I want to perform configuration check box on the Completion page in the Setup wizard. Another way to open Configuration Center is by selecting Active Roles Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.

To perform initial configuration

  1. In Configuration Center, under Administration Service, click Configure.
  2. On the Service Account page in the Configure Administration Service wizard that appears, enter the name and password of the domain user account or the service account details of the Group Managed Service Account to be used as the Administration Service account, and then click Next.
  3. On the Active Roles Admin page, accept the default account, or click Browse and select the group or user to be designated as Active Roles Admin. When finished, click Next.
  4. On the Configuration Database Options page, select the New Active Roles database option, and then click Next.
  5. On the Connection to Database page, specify a SQL Server instance and database name, and select the authentication option:
    1. Select the required Database Type, in the Database Server name. Specify an SQL Server instance in the form <Computer>\<Instance> (for named instance) or <Computer> (for default instance), where <Computer> stands for the short name of the computer running SQL server or name of the Azure SQL database server. The wizard will create the database on the SQL Server instance you specify.
    2. In the Database box, type a name for the database that will be created.
    3. Under Connect using, select the appropriate authentication option:
      • To have the Administration Service connect to the database using the service account, click Windows authentication.
      • To have the Administration Service connect to the database using a SQL Server login, click SQL Server authentication and type the login name and password.
      • To have the Administration Service connect to the database using Azure AD login, click Azure Active Directory authentication and type the login name and password.

  6. On the Management History Database Options page in the Configure Administration Service wizard, select the New Active Roles database option, and then click Next.

  7. On the Connection to Database page, perform the steps a to c for Management history database.

  8. Click Next, and then complete the Encryption Key Backup page as described in Steps to deploy the Administration Service, earlier in this document.
  9. Click Next, and follow the instructions in the wizard to complete the configuration.

Import configuration

After you have installed and initially configured the Administration Service of the new version, import the configuration data from the database used by your Administration Service of the earlier version. To import configurations, you must identify that database. To identify the database:

  1. Open the Active Roles console and connect to your Administration Service of the earlier version (see “Connecting to the Administration Service” in the Active Roles Administration Guide).
  2. Select the console tree root, and then, on the page in the details pane, expand the Configuration Databases and Replication area.

    You can identify the database name, SQL Server name, and database type from the first string in the Configuration Databases and Replication area that has the following format: Database <name> on SQL Server <name> Database Type <type>.

After identifying the database, perform the import using the Import configuration wizard provided by Configuration Center. On the Source database page in the Import configuration wizard, supply the database name and SQL Server name that you have identified. For detailed instructions, see Steps to deploy the Administration Service earlier in this document.

NOTE: When an import configuration is performed from Active Roles version 7.0 to 7.5.3, the Web Interface does not get upgraded. However, the Configuration Center or any client report the Active Roles Web interface version incorrectly as 7.5.3. To upgrade the Web interface to the latest version see Upgrading the Web Interface.

Import management history

After you have imported configuration of your earlier Active Roles version, import the management history data from the database used by your Administration Service of the earlier version. First, identify that database:

  1. Open the Active Roles console and connect to your Administration Service of the earlier version (see “Connecting to the Administration Service” in the Active Roles Administration Guide).
  2. Select the console tree root, and then, on the page in the details pane, expand the Management History Databases and Replication area.

    Identify the database name, SQL Server, database type name from the first string in the Management History Databases and Replication area that has the following format: Database <name> on SQL Server <name> Database Type <type>.

After identifying the database, perform the import. You can do this using the Import Management History wizard provided by Configuration Center. On the Source database page in the Import Management History wizard, supply the database name and SQL Server name you have identified. For detailed instructions, see Steps to deploy the Administration Service earlier in this document.

Upgrade in case of shared database

If multiple instances of the Administration Service use a single database, then you can perform the upgrade as follows:

  1. Upgrade one of the Administration Service instances as described earlier (see Upgrading the Administration Service).

    As a result of this step, you have an Administration Service instance of the new version connected to the new database containing the data imported from the old database. The other instances of the Administration Service are not upgraded at this point; they continue to use the old database.

  1. Now that you have the database of the new version, you can upgrade the remaining instances of the Administration Service, one by one.
  2. In the Configure Administration Service wizard, select the Existing Active Roles database option on the Configuration Database Options page, and then, on the Connection to Database page, specify the database created during upgrade of the first Administration Service instance. You need not import configuration as the database already has that data imported.
  3. In the Configure Administration Service wizard, select the Existing Active Roles database option on the Management History Database Options page, and then, on the Connection to Database page, specify the database created during upgrade of the first Administration Service instance. You need not import the management history as the database already has that data imported.

As a result of these steps, multiple Administration Service instances of the new version use a single database updated with the configuration and management history data of your earlier Active Roles version.

Reconfiguring Azure tenants during upgrade configuration

If your organization has any Azure tenants managed in Active Roles, you will need to reauthenticate and reconsent each Azure tenant after installing a new version of Active Roles. Otherwise, you may experience difficulties with Exchange Online connectivity and managing Azure AD resources (for example, assigning Azure AD roles).

To reauthenticate and reconsent Azure tenants after installing Active Roles

  1. Once Active Roles is installed, open the Active Roles Configuration Center in Windows. The Upgrade configuration wizard will automatically appear.

  2. To reauthenticate existing Azure tenants, proceed to the Reauthenticate tenants step and click Reauthenticate next to each Azure tenant.

    NOTE: Consider the following when reauthenticating existing Azure tenants:

    • If reauthentication is successful, the Azure tenant will disappear from the list, and the Reauthenticate tenants step shows a confirmation message.

    • If reauthentication fails, the Azure tenant will remain in the list. Reauthentication can typically fail if there is a service outage in Azure AD, or in case of internet connectivity issues in your network. If reauthentication keeps failing, try performing it later after completing the Upgrade configuration wizard by removing, readding and consenting the Azure tenants to Active Roles via the Azure AD Configuration tab of the Active Roles Configuration Center. For more information, see Reconfiguring Azure tenants manually.

  3. Complete the rest of the steps in the Upgrade configuration wizard.

  4. To make the reauthenticated Azure tenants appear in the Active Roles Web Interface, you must restart the Administration Service. Click Administration Service on the left pane, then either click Restart, or first click Stop and then Start.

  5. Once the Active Roles Configuration Center successfully restarted, navigate to Azure AD Configuration.

  6. To reconsent Active Roles as an Azure application for the reauthenticated Azure tenants, click Consent in each tenant row.

  7. To complete consenting, click Accept on the Microsoft Permissions Requested page that appears.

Reconfiguring Azure tenants manually

If your organization has any Azure tenants managed in Active Roles, you will need to reauthenticate and reconsent each Azure tenant after installing a new version of Active Roles. Otherwise, you may experience difficulties with Exchange Online connectivity and managing Azure AD resources (for example, assigning Azure AD roles).

Azure tenant reauthentication is part of the in-place Upgrade configuration process by default (for more information, see Reconfiguring Azure tenants during upgrade configuration). However, if reauthentication fails during that process for any reason, you can complete the reauthentication and reconsenting of existing Azure tenants with the following manual steps later.

To reconfigure Azure tenants after upgrading from Active Roles 7.4.1 or 7.4.3 to Active Roles 7.5

  1. In the Active Roles Configuration Center, navigate to Azure AD Configuration.

  2. To reconfigure the existing Azure tenants, select a tenant and click Reauthenticate in its row. Repeat the process for each existing Azure tenant.

  3. To make the configured Azure tenant appear in the Active Roles Web Interface, you must restart the Administration Service. Click Administration Service on the left pane, then either click Restart, or first click Stop and then Start.

  4. Once the Administration Service is restarted, consent Active Roles as an Azure application for each reconfigured Azure tenant. To do so, navigate again to Azure AD Configuration, select the Azure tenant and click Consent.

  5. To complete consenting, click Accept on the Microsoft Permissions Requested page that appears.

  6. Repeat the previous two steps for each Azure tenant.

To reconfigure Azure tenants when upgrading from Active Roles 7.4.4 to 7.5

  1. In the Active Roles Configuration Center, navigate to Azure AD Configuration.

  2. Remove all Azure tenants. To do so, select an Azure tenant and first click Remove Azure Application, and then click Remove.

  3. Repeat the previous step for each remaining Azure tenant.

  4. Add the removed Azure tenants again to the list. To do so, use the drop-down box to select the type of domain assigned to the Azure tenant (Non-Federated Domain, Federated Domain, Synchronized Identity Domain), and click Add.

    Upon successful authentication, the new Azure tenant appears in the list.

  5. Repeat the previous step for each Azure tenant that you previously removed.

  6. To make the configured Azure tenants appear in the Active Roles Web Interface, you must restart the Administration Service. Click Administration Service on the left pane, then either click Restart, or first click Stop and then Start.

  7. Once the Administration Service is restarted, consent Active Roles as an Azure application for the reconfigured Azure tenants. To do so, navigate to Azure AD Configuration, select an Azure tenant and click Consent.

  8. To complete consenting, click Accept on the Microsoft Permissions Requested page that appears.

  9. Repeat the previous two steps for each Azure tenant.

Upgrading the Web Interface

You can upgrade the Web Interface of version 7.0, 7.1, 7.2, or 7.3 to version 7.4.x.

Upgrading the Web Interface implies creation of a new Web Interface instance of the latest version that has the same Web Interface sites as your Web Interface of an earlier version, with the site configuration data imported from your Active Roles configuration of the earlier version. As a result, the new Web Interface sites inherit all customizations that were made to the menus, commands, forms, and other elements of your Web Interface sites of the earlier version.

When an import configuration is performed from Active Roles version 7.3 to 7.5.3, the web interface does not get upgraded. However, the Configuration Center or any client report the Active Roles Web interface version incorrectly as 7.5.3. To upgrade the Web interface to the latest version see Upgrading the Web Interface.

Creating Web interface sites and importing configuration

To create a new Web interface instance of the latest version and import the site configurations perform the following steps:

  1. For each Web Interface site of your earlier Active Roles version, identify and note down the name of the configuration object that the Administration Service uses to store the site’s configuration data.
  2. Install and configure the Web Interface instance of the latest Active Roles version, choosing the new Administration Service to which you have imported configuration of your earlier Active Roles version (see Upgrading the Administration Service earlier in this document).
  3. On the new Web Interface instance that you installed and configured in Step 2, create sites based on information you noted down in Step 1, importing data from the configuration objects used by your earlier Web Interface version. Those configuration objects were copied to the new Administration Service during configuration data import (see Upgrading the Administration Service earlier in this document).
  4. Optionally, delete the default sites that were created when you configured the Web Interface in Step 2. The default sites are unaware of your existing site customizations, and have the default configuration of menus, command, forms and other elements.

These steps are covered in the topics that follow.

You can install the Web Interface of version Active Roles side-by-side with the Web Interface of version 6.9 on the same computer, and perform the upgrade without interrupting operations or affecting the configuration of your Web Interface sites of the earlier Active Roles version.

If you no longer need the Web Interface of the earlier version, you can uninstall it using Programs and Features in Control Panel: Right-click Web Interface in the list of installed programs, and then click Uninstall.

Identify configuration objects

When creating Web Interface sites of the new Active Roles version, you need to know which configuration objects are used by your Web Interface sites of the earlier version. Each site stores its configuration in a certain object on the Administration Service, referred to as the site configuration object. Upgrade of the Administration Service copies the existing site configuration objects to the new Administration Service, retaining the name of each object.

To create a Web Interface site of the new Active Roles version that inherits your existing site customizations, you need to specify the name of the corresponding site configuration object of the earlier version. Then, Active Roles creates a site configuration object of the new version, imports the site configuration data to that object, and causes the new Web Interface site to use that object. As a result, the new Web Interface site has the same configuration as the Web Interface site of the earlier version.

To identify the configuration object of the Web Interface site of an earlier Active Roles version

  1. On the Web server running your Web Interface of the earlier Active Roles version, start the Web Interface Sites Configuration wizard.

    To start the wizard, select Web Interface Sites Configuration on the Apps page or Start menu, depending upon the version of the Windows operating system on the Web server.

  1. Proceed to the Web Interface Configuration page in the Web Interface Sites Configuration wizard.

    The page lists your Web Interface sites of the earlier Active Roles version.

  1. On the Web Interface Configuration page, click the list item representing the desired site, and then click the Edit button.

    You can distinguish sites by alias, shown in the Virtual Directory column on the Web Interface Configuration page. The alias defines the virtual path used in the address of the Web Interface site on the Web server.

  1. Note down the name of the site’s configuration object shown in the Configuration settings area of the dialog box that appears.

    The name of the object is displayed in the Name box under the Use existing configuration option, and includes the version number.

  1. Click Cancel to close the dialog box.

 

To identify the configuration object of the Web Interface site of the current Active Roles version

  1. Start the Configuration Center on the computer running the Administration Service instance on which you want to identify the web interface sites.

    You can start Configuration Center by selecting Active Roles 7.4 Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.

  2. On the Configuration Settings main window, on the left pane, click Web Interface.

    The Web Interface page is displayed, which lists the Web Interface sites of the current Active Roles version that are deployed on the Web server running the Web Interface.

    For each Web Interface site, the list provides the following information:

    • IIS Web site The name of the Web site that holds the Web application implementing the Web Interface site
    • Web app alias The alias of the Web application that implements the Web Interface site, which defines the virtual path of that application on the Web server.
    • Configuration Identifies the object that holds the Web Interface site’s configuration and customization data on the Active Roles Administration Service.

  3. From the Web Interface page, you can open Web Interface sites in your Web browser:
    1. Click an entry in the list of Web Interface sites.
    2. Click Open in Browser on toolbar.

You can also use Configuration Center to:

  • Create, modify or delete Web Interface sites
  • Export a Web Interface site’s configuration object to a file

For more information, see the Web Interface management tasks section in the One Identity Active Roles Administration Guide.

Identify the configuration object for each of your existing Web Interface sites, and note down the name of each object. You will need these names when creating the Web Interface sites of the new Active Roles version.

Install and configure the Web Interface

To create a new Web Interface instance, you first install Web Interface files and then perform initial configuration.

To install the Web Interface files

  1. Log on with a user account that has administrator rights on the computer.
  2. Navigate to the location of the Active Roles distribution package, and start the Setup wizard by double-clicking ActiveRoles.exe.
  3. Follow the instructions in the Setup wizard.
  4. On the Component Selection page, ensure that the Web Interface component is selected, and click Next.
  5. On the Ready to Install page, click Install to perform installation.
  6. On the Completion page, confirm that the I want to perform configuration check box is selected, and click Finish.

The Setup wizard only installs the files. After you have completed the Setup wizard, you need to configure the newly installed Web Interface instance by using Active Roles Configuration Center that opens automatically if you select the I want to perform configuration check box on the Completion page in the Setup wizard. Another way to open Configuration Center is by selecting Active Roles 7.5.3 Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.

To perform initial configuration

  1. In Configuration Center, under Web Interface, click Configure.

    This starts the wizard that will perform initial configuration of the Web Interface.

  1. On the Administration Service page, specify the new Administration Service instance created during upgrade (see Upgrading the Administration Service earlier in this document).

    If the new Administration Service instance runs on the computer on which you are installing the new Web Interface, choose the option Administration Service on the computer running the Web Interface. Otherwise, choose the option Administration Service on this computer, and supply the fully qualified domain name of the computer running the new Administration Service instance.

  1. Click the Configure button, and wait while the wizard completes the configuration.

Create sites based on old configuration objects

After you have installed and configured the Web Interface instance of the new Active Roles version, you can use Configuration Center to create Web Interface sites of the new version, importing site configuration data from the configuration objects used by your existing Web Interface sites of the earlier Active Roles version (see Upgrading the Web Interface earlier in this document). As a result, the new Web Interface sites will inherit all customizations that were made to the menus, commands, forms and other elements of your Web Interface sites of the earlier version.

To create a Web Interface site based on an old configuration object

  1. Open Configuration Center.

    You can open Configuration Center by selecting Active Roles 7.5.3 Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.

  1. In the Configuration Center main window, under Web Interface, click Manage Sites.
  2. On the Sites page, click Create.
  3. On the Web Application page in the Create Web Interface Site that appears, choose the IIS Web site to contain the Web application that implements the Web Interface site, and specify an alias for that application.

    The alias defines the virtual path that is a part of the Web Interface site’s address. You can view the resulting address on the Web Application page.

  1. Click Next to proceed to the Configuration page.
  2. From the list on the Configuration page, select the Import from an existing configuration option.
  3. Complete the fields on the Configuration page:
    1. In the Configuration name field, supply the name of the configuration object for the new Web Interface site. You can accept the default name.
    2. The wizard will create a configuration object with the specified name, and import configuration data to that object.
    3. From the list in the Configuration to import box, select the name of the configuration object from which to import the configuration data.

    This must be the name of the configuration object used by one of your existing Web Interface sites of the earlier Active Roles version (see Upgrading the Web Interface earlier in this document).

  1. Click the Create button, and wait while the wizard creates the new Web Interface site.

Perform these steps for each of your Web Interface sites of the earlier version, selecting the appropriate object name in Step 7b.

Delete default sites

After you have created the Web Interface sites of the new version that inherit the configuration of your Web Interface sites of the earlier version, you might delete the default Web Interface sites that were created by initial configuration of the Web Interface (see Upgrading the Web Interface earlier in this document).

To delete the default Web Interface sites

  1. Open Configuration Center.

    You can open Configuration Center by selecting Active Roles 7.5.3 Configuration Center on the Apps page or Start menu, depending upon the version of your Windows operating system.

  1. In the Configuration Center main window, under Web Interface, click Manage Sites.
  2. On the Sites page, identify list entries representing default Web Interface sites, and use the Delete button to delete them one by one.

    You can distinguish list entries representing default Web Interface sites by the name in the Configuration column:

  • Site for Administrators (7.5.3) indicates the default site for administrators
  • Site for HelpDesk (7.5.3) indicates the default site for Help Desk
  • Site for Self-Administration (7.5.3) indicates the default site for self-administration
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级