立即与支持人员聊天
与支持团队交流

Active Roles 8.0 LTS - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Microsoft 365 Groups Managing Azure Security Groups Managing cloud-only distribution groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Active Roles integration with other One Identity and Quest products Appendix F: Active Roles integration with Duo Appendix G: Active Roles integration with Okta Active Roles Language Pack

Steps for adding members to a replication group

To add a member to a replication group, designate a standalone database server as a Subscriber of the group’s Publisher.

To add a replication partner to a replication group

  1. Connect to the Administration Service whose database server holds the Publisher role.

    For instructions on how to connect to the Administration Service, see Connecting to the Administration Service earlier in this chapter.

  1. In the console tree, expand Configuration | Server Configuration, and click Configuration Databases.
  2. In the details pane, right-click the Publisher, and click Add Replication Partner.
  3. Follow the instructions in the New Replication Partner wizard.
  4. On the Database Selection page, click Browse.
  5. Use the Connect to Administration Service dialog box to select the Administration Service whose SQL Server is to be configured as a Subscriber to this Publisher.

    If Active Roles does not have sufficient rights to perform the Add Replication Partner operation on SQL Server, then the wizard prompts you to supply an alternative account for that operation (see “Permissions for adding or removing a Subscriber” in the Active Roles Quick Start Guide).

    The next page of the wizard displays the database name and location retrieved from the specified Administration Service, and prompts you to select one of the following options that determine how the replication agent running on the Publisher SQL Server will connect to the Subscriber SQL Server

  1. Choose one of these options:
    • Impersonate the SQL Server Agent service account  Select this option if the SQL Server Agent service on the Publisher SQL Server is configured to log on as a Windows user account that has sufficient rights on the Subscriber SQL Server. If this option is selected, the replication agent connects to the Subscriber SQL Server under the logon account of the SQL Server Agent service running on the Publisher SQL Server.
    • Use SQL Server Authentication with the following login and password  Select this option if the SQL Server Agent service logon account cannot be configured to have sufficient rights on the Subscriber SQL Server. You are prompted to specify the SQL Server login and password that the replication agent running on the Publisher SQL Server will use to connect to the Subscriber SQL Server.

    The account that the replication agent uses to connect to the Subscriber SQL Server must at minimum be a member of the db_owner fixed database role in the subscription database (Active Roles’ database on the Subscriber). For further details, see “Replication agent permissions” in the Active Roles Quick Start Guide.

  1. Click Next, and the click Finish.

NOTE:

  • After you click Finish, the database server is added to the replication group. The replication process updates the database of the new Subscriber with the data retrieved from the Publisher.
  • The Publisher copies new data to the database, overwriting the existing data. If the database contains valuable information, such as custom Access Templates or Policy Objects, you should export those objects before designating the database as a Subscriber, and import them back after the operation is completed.
  • A database cannot be added to a replication group if it already belongs to another replication group. To add the database to another replication group, you must first remove it from its current replication group, and then add it to the other one.

Removing members from a replication group

You can remove Subscribers from a replication group by using the Active Roles console:

  1. Connect to the Publisher Administration Service.
  2. Select a Subscriber from the Configuration Databases container, right-click the Subscriber, and click Delete.

If Active Roles does not have sufficient rights to perform the operation on SQL Server, then the Active Roles console prompts you to supply an alternative account for that operation (see “Permissions for adding or removing a Subscriber” in the Active Roles Quick Start Guide).

Using this method, you can remove only Subscribers. The Publisher cannot be removed from its replication group when the group includes Subscribers.

To remove the Publisher, you must first remove all Subscribers, and then demote the Publisher. This action deletes the entire replication group.

After you remove all Subscribers, you can demote the Publisher: in the Configuration Databases container, right-click the Publisher and click Demote.

If Active Roles does not have sufficient rights to perform the Demote operation on SQL Server, then the Active Roles console prompts you to supply an alternative account for that operation (see “Permissions for creating or removing the Publisher” in the Active Roles Quick Start Guide).

Steps for removing members from a replication group

To remove Subscribers from a replication group

  1. Connect to the Publisher Administration Service.
  2. In the console tree, expand Configuration | Server Configuration, and click Configuration Databases.
  3. In the details pane, right-click the Subscriber, and then click Delete.

To remove the Publisher from a replication group

  1. Connect to the Publisher Administration Service.
  2. In the console tree, expand Configuration | Server Configuration, and click Configuration Databases.
  3. In the details pane, right-click the Publisher, and then click Demote.

NOTE:

  • For information on how to connect to an Administration Service, see Connecting to the Administration Service earlier in this chapter.
  • The Publisher cannot be removed from its replication group when the group includes Subscribers. To remove the Publisher, you must first remove all Subscribers, and then demote the Publisher. This action deletes the replication group. After you remove all Subscribers, you can demote the Publisher.
  • The Demote command is not displayed unless the Publisher is the only member of the replication group.
  • If Active Roles does not have sufficient rights to perform the operation on SQL Server, then the Active Roles console prompts you to supply an alternative account for that operation (see “Replication configuration permissions” in the Active Roles Quick Start Guide).

Monitoring replication

Active Roles makes it possible to monitor the status of replication partners. Monitoring allows you to determine whether Active Roles replication is working efficiently and correctly. You can view the status of a replication partner via the Active Roles console:

  1. Connect to any Administration Service within the replication group.
  2. Open the Properties dialog box for the replication partner and go to the Replication Status tab.

To connect to the Administration Service, use the instructions provided earlier in this chapter (see Connecting to the Administration Service).

Once connected to the Administration Service, perform the following steps to open the Properties dialog box for a replication partner:

  1. In the console tree, expand Configuration | Server Configuration, and select Configuration Databases.
  2. In the details pane, right-click the replication partner, and click Properties.

The Replication Status tab in the Properties dialog box provides information about the last replication action of the partner and indicates whether the action completed successfully, failed, or is in progress.

If there are any replication failures in Active Roles, the Active Roles console provides a visual indication of this issue by modifying the icon of the Server Configuration and Configuration Databases containers in the console tree. This allows you to detect a replication failure without examining individual databases.

For more information on how to monitor the health of Active Roles replication, refer to the Active Roles Replication: Best Practices and Troubleshooting document.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级