
Active Roles 8.0.1 LTS - Feature Guide


Rule-based generation of Distinguished Names

Synchronization Service provides flexible rules for generating the Distinguished Names (DNs) for the created objects. These DN generation rules allow you to ensure that the created objects are named in full compliance with the naming conventions existing in your organization.
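The following Python block is an added illustration of what a rule-based DN generator has to get right; it is not Active Roles code and does not reproduce the product's own rule syntax. It assumes a hypothetical rule format (a list of attribute-type/template pairs plus a fixed base DN), and it shows the one point a security reviewer cares about: attribute values that come from an external data system must be escaped per RFC 4514 before they are placed into an RDN, otherwise a value containing a comma or equals sign can move the created object into a different container than the naming convention intends.

```python
import re

# Characters that RFC 4514 section 2.4 requires to be escaped inside an RDN value.
_SPECIALS = set(',+"\\<>;=')
_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it is safe to embed in an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def render_template(template: str, attrs: dict) -> str:
    """Fill {attribute} placeholders from the source object; missing values are an error."""
    def sub(match):
        name = match.group(1)
        if not attrs.get(name):
            raise ValueError(f"attribute {name!r} required by the DN rule is empty or missing")
        return attrs[name]
    return _PLACEHOLDER.sub(sub, template)


def build_dn(rules, attrs: dict, base_dn: str) -> str:
    """Build a DN from a hypothetical rule list, e.g. [("CN", "{givenName} {sn}"), ("OU", "{department}")].

    Each rendered value is escaped as a whole, so separators that arrive inside
    source data stay part of the value instead of becoming new RDN boundaries.
    """
    rdns = [f"{attr_type}={escape_rdn_value(render_template(tmpl, attrs))}" for attr_type, tmpl in rules]
    return ",".join(rdns + [base_dn])


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas, honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parent_dn(dn: str) -> str:
    """Return the container the object would be created in."""
    return ",".join(split_dn(dn)[1:])


if __name__ == "__main__":
    rules = [("CN", "{givenName} {sn}"), ("OU", "{department}")]
    base = "DC=example,DC=com"
    print(build_dn(rules, {"givenName": "John", "sn": "Smith", "department": "Sales"}, base))
    # A constructed surname containing DN separators stays inside OU=Sales after escaping.
    hostile = {"givenName": "John", "sn": "Smith,OU=Admins", "department": "Sales"}
    print(parent_dn(build_dn(rules, hostile, base)))
```

The check worth keeping from this example is `parent_dn(generated) == intended container`: whatever rule engine produces the DN, a generator that passes this test for values containing `,`, `+` and `=` is not letting source data rewrite the object's placement.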

Synchronization scheduling

To meet your organizational policies and save both time and effort, you can schedule and automate the configured data synchronization tasks with Synchronization Service.

Extensive data system support

To access external data systems, Synchronization Service uses so-called "connectors", enabling Synchronization Service to read and synchronize identity data from the specific data systems.

Active Roles Synchronization Service can connect to the following data systems:

  • Data sources accessible via an OLE DB provider.

  • Delimited text files.

  • IBM AS/400, IBM Db2, and IBM RACF systems.

  • LDAP directory service.

  • Micro Focus NetIQ Directory systems.

  • The following Microsoft services and resources:

    • Active Directory Domain Services (AD DS) with the domain or forest functional level of Windows Server 2016 or higher.

    • Active Directory Lightweight Directory Services (AD LDS) running on any Windows Server operating system supported by Microsoft.

    • Azure Active Directory (Azure AD) using Microsoft Graph API version 1.0.

    • Exchange Online services.

    • Exchange Server with the following versions:

      • Microsoft Exchange Server 2019

      • Microsoft Exchange Server 2016

      NOTE: Microsoft Exchange 2013 and 2013 CU11 are no longer supported. For more information, refer to Knowledge Base Article 202695.

    • Lync Server version 2013 with limited support.

    • SharePoint 2019, 2016, or 2013.

    • SharePoint Online service.

    • Skype for Business 2019, 2016 or 2015.

    • Skype for Business Online service.

    • SQL Server, any version supported by Microsoft.

  • One Identity Active Roles version 7.4.3, 7.4.1, 7.3, 7.2, 7.1, 7.0, and 6.9.

  • One Identity Manager version 8.0 and 7.0 (D1IM 7.0).

  • OpenLDAP directory service.

  • Oracle Database, Oracle Database User Accounts, and Oracle Unified Directory data systems.

  • MySQL databases.

  • Salesforce systems.

  • SCIM-based data systems.

  • ServiceNow systems.

For more information on using these connectors, see External data systems supported with built-in connectors in the Active Roles Synchronization Service Administration Guide.

Exchange Resource Forest Management

The Exchange Resource Forest Management (ERFM) feature of Active Roles allows you to automate mailbox provisioning for on-premises users in environments where the mailboxes and the user accounts are managed in different Active Directory (AD) forests. Such multi-forest environments are based on the resource forest model, and mailboxes provisioned in such environments are called linked mailboxes.

Multi-forest AD deployments have higher administrative and support costs. However, they offer the highest level of security isolation between AD objects and the Exchange service. As such, One Identity recommends configuring the resource forest model for use with Active Roles in organizations that:

  • Aim for an extra layer of data security.

  • Frequently experience organizational changes (for example, buying companies, or consolidating and breaking off branch companies, departments and other business units).

  • Abide by certain legal or regulatory requirements.

AD deployments following the resource forest model use two types of AD forests:

  • Account forests: These AD forests store the user objects. Organizations can use one or more account forests in the resource forest model.

  • Resource forest: This AD forest contains the Exchange server and stores the mailboxes of the user objects.

With ERFM, you can automate the provisioning, synchronization and deprovisioning of linked mailboxes in the resource forest for user accounts in the account forest(s).

  • During provisioning, Active Roles can automatically create linked mailboxes for new users (if you select to create a mailbox for the user), or create linked mailboxes for existing users without a mailbox.

    In both cases, Active Roles creates a disabled shadow user account in the resource forest for the user, then links it to the user account of the user in the account forest (also known as the master account).

    NOTE: By default, the shadow user account has the same name as the master user account in the account forest. However, if a shadow account with the same name already exists (for example, because Active Roles has already created a linked mailbox for a user in a different account forest), Active Roles uses a different shadow account name to maintain uniqueness.

  • Once a linked mailbox is created, Active Roles automatically synchronizes the properties of the master user accounts with their shadow accounts, whenever you modify them.

  • Finally, if the master user account is deprovisioned, Active Roles automatically deprovisions its shadow account as well, provided that you applied mailbox deprovisioning policies to the container that holds the shadow accounts in the resource forest.

    NOTE: Like other AD objects, master user accounts can also be un-deprovisioned. However, their shadow accounts are un-deprovisioned automatically only if the container of the deprovisioned master accounts has the ERFM - Mailbox Management built-in policy applied to it.
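The lifecycle described above (disabled shadow account linked to a master account, uniquely named across account forests, removed only when a deprovisioning policy is applied to its container) gives an auditor a short list of states that should never persist in the resource forest. The Python block below is an added example, not Active Roles code, that runs that audit over a constructed export of resource-forest user objects. It assumes the link is stored in the standard Exchange `msExchMasterAccountSid` attribute and that the disabled state is the `ACCOUNTDISABLE` bit of `userAccountControl`; the page itself does not name these attributes, and the sample records and SIDs are invented.

```python
ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x0200   # userAccountControl bit: ordinary user object

# Constructed sample export of user objects from the resource forest (not real data).
RESOURCE_FOREST_USERS = [
    # Expected shape: disabled, linked to a master account in an account forest.
    {"sAMAccountName": "jsmith",     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "msExchMasterAccountSid": "S-1-5-21-1111-2222-3333-1105"},
    # Same name existed already, so the shadow account got a different name (second account forest).
    {"sAMAccountName": "jsmith1",    "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "msExchMasterAccountSid": "S-1-5-21-4444-5555-6666-1105"},
    # Shadow account that someone enabled: it is now a logon-capable account in the resource forest.
    {"sAMAccountName": "adoe",       "userAccountControl": NORMAL_ACCOUNT,
     "msExchMasterAccountSid": "S-1-5-21-1111-2222-3333-1106"},
    # Master account is gone but the shadow survived (no deprovisioning policy on its container).
    {"sAMAccountName": "bwayne",     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "msExchMasterAccountSid": "S-1-5-21-1111-2222-3333-1107"},
    # Two shadows pointing at the same master account.
    {"sAMAccountName": "jsmith.old", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "msExchMasterAccountSid": "S-1-5-21-1111-2222-3333-1105"},
    # Ordinary resource-forest account (service account), not a shadow: ignored by the audit.
    {"sAMAccountName": "svc-exch",   "userAccountControl": NORMAL_ACCOUNT,
     "msExchMasterAccountSid": None},
]

# Constructed set of SIDs of master accounts that still exist in the account forests.
ACCOUNT_FOREST_SIDS = {
    "S-1-5-21-1111-2222-3333-1105",
    "S-1-5-21-1111-2222-3333-1106",
    "S-1-5-21-4444-5555-6666-1105",
}


def is_shadow(user: dict) -> bool:
    """A shadow account is any resource-forest user that carries a master account SID."""
    return bool(user.get("msExchMasterAccountSid"))


def audit_shadow_accounts(users, live_master_sids) -> dict:
    """Return the shadow accounts that violate the expected ERFM state.

    enabled_shadow:  shadow accounts that are not disabled (should never happen)
    orphaned_shadow: shadow accounts whose master account no longer exists
    duplicate_master: master SIDs that more than one shadow account points to
    """
    findings = {"enabled_shadow": [], "orphaned_shadow": [], "duplicate_master": []}
    seen = {}
    for user in users:
        if not is_shadow(user):
            continue
        name, sid = user["sAMAccountName"], user["msExchMasterAccountSid"]
        if not user["userAccountControl"] & ACCOUNTDISABLE:
            findings["enabled_shadow"].append(name)
        if sid not in live_master_sids:
            findings["orphaned_shadow"].append(name)
        seen.setdefault(sid, []).append(name)
    findings["duplicate_master"] = sorted(sid for sid, names in seen.items() if len(names) > 1)
    return findings


if __name__ == "__main__":
    for issue, items in audit_shadow_accounts(RESOURCE_FOREST_USERS, ACCOUNT_FOREST_SIDS).items():
        print(f"{issue}: {items}")
```

In a real deployment the two inputs come from an LDAP export of the resource forest and the SIDs of the account-forest users; an enabled shadow account undoes the isolation that justified the resource forest model, and an orphaned one is the visible symptom of a container that never received the deprovisioning policy.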

Getting started

For more information on the prerequisites and configuration of ERFM and linked mailboxes, see Configuring linked mailboxes with Exchange Resource Forest Management in the Active Roles Administration Guide.
