立即与支持人员聊天
与支持团队交流

Active Roles 8.2 - Best Practices Guide

Example: Using a job server for Active Roles Synchronization Service

This example scenario describes how to set up an Active Roles Synchronization Service server that will perform hourly updates from an HR system (involving a total number of 80,000 users) to Active Roles.

To create a job server for Active Roles Synchronization Service

  1. Create a new IP subnet.

  2. Install or move a domain controller (DC) to this new subnet.

  3. Install Active Roles and Synchronization Service on a new host in this new subnet. The database configuration can either be a new subscriber or it can use an existing database.

  4. Prevent Active Roles from publishing its Service Connection Point to ensure no users connect to this instance. For more information, see Knowledge Base Article 4216122 on the One Identity support portal.

  5. Configure this Active Roles instance to only use the DC.

    1. Navigate to Configuration > Server Configuration > Administration Services, then select the server.

    2. Right-click Properties.

    3. Select DirSync Servers > Change.

    4. Select Only specified Domain Controller and choose the DC that you installed or moved to the subnet.

  6. Configure Synchronization Service to use this Active Roles instance to perform all workflow steps as required.

Configuring Active Roles to handle real-time dynamic group updates

If you have an environment where all dynamic group membership rules are configured to use system-provided Active Directory attribute values, you can create a dedicated Active Roles configuration in the Active Roles Console specifically for handling real-time dynamic group updates.

This has two advantages:

  • Dynamic group processing might be resource-intensive. Therefore, using a dedicated configuration for it can free up resources in the primary Active Roles Administration Service configuration for other operations, for example servicing client requests.

  • Using a dedicated configuration also hides operation logging for dynamic group processing on the primary Active Roles configuration.

NOTE: Dynamic groups that are scoped to Managed Units (MUs) or other dynamic groups might negatively impact performance. Dynamic groups and MUs are technically search results, and they add additional overhead. For this reason, One Identity does not recommend using MUs or dynamic groups in membership rules.

To create a configuration for handling real-time dynamic group updates

  1. To open the Active Roles Console, on the Apps page or Start menu—depending on the version of your Windows operating system—open Active Roles 8.2 Console.

  2. In the Console tree, navigate to Configuration > Policies > Administration > Builtin.

  3. In the details pane, right-click Built-in Policy - Dynamic Groups, then select Policy Scope.

  4. To remove scope links, in the Policy Scope window, select all links, click Remove, then click OK.

  5. In the details pane, right-click Built-in Policy - Dynamic Groups, then select Properties.

  6. In the Properties window, select the Policies tab, then select the policy and click View/Edit.

  7. In the Policy Properties window, select the Policy Settings tab, and clear the Receive directory changes from DirSync control check box. Then, in the pop-up dialog, click OK.

  8. To apply turning off receiving directory changes from DirSync control, in both Properties windows, click OK.

  9. On the dynamic group job server, do the following:

    1. In the Console tree, navigate to Configuration > Server Configuration.

    2. In the details pane, double-click Change Tracking Log Configuration.

    3. Under the Log Settings tab, set the value to a low number, such as 1 day.

    4. Configure membership rules for dynamic groups as preferred. For more information, see Adding a membership rule to a dynamic group in the Active Roles Administration Guide.

Performance bottlenecks

When using Active Roles, the following components and factors can cause performance bottlenecks:

  • Scripts

  • Internet Information System (IIS). In particular, do not install the WebDAV feature.

    NOTE: For general best practices on optimizing IIS performance, see Optimizing IIS Performance in the Microsoft BizTalk Server documentation.

  • Incorrect virtual memory (pagefile) settings. The virtual memory must be managed by the system.

  • Antivirus software. To add exclusions, follow the instructions of Knowledge Base Article 4216244 in the One Identity support portal.

  • Firewall ports. To add exclusions, follow the instructions of Knowledge Base Article 4227036 in the One Identity support portal.

NOTE: Make sure that the Active Roles service account is not a member of the Active Roles administrator group.

Known performance issues and workarounds

When using Active Roles, consider the following known performance issues and their workarounds:

  • In environments with many Active Roles Virtual Attributes, the Active Roles Administration Service host and the Microsoft SQL Server host might experience high CPU utilization and poor performance. This might be related to a known issue that was addressed but is not enabled by default. For more information on resolving this issue, see Knowledge Base Article 4216183 on the One Identity support portal.

  • In environments with many Microsoft Exchange mailboxes, retrieving accounts with Microsoft Exchange attributes might be noticeably slower than retrieving accounts without Microsoft Exchange attributes. For more information on resolving this issue, see Knowledge Base Article 4336544 on the One Identity support portal.

  • The Application Policy Script Module might be incorrectly configured after an upgrade. For more information on resolving this issue, see Knowledge Base Article 4338971 on the One Identity support portal.

  • If you experience performance issues only with the Active Roles Web Interface, then SignalR might be blocked. For more information on resolving this issue, see Knowledge Base Article 4319280 on the One Identity support portal.

  • If you experience performance issues specifically when listing groups or viewing the memberOf tab of an Active Directory object, then an expensive Managed Unit might be responsible for the performance impact. For more information on resolving this issue, see Knowledge Base Article 4371881 on the One Identity support portal.

  • In environments where the Replicating Directory Changes extended right was not granted to the domain management account, Active Roles Managed Unit rules might break. These broken rules might negatively impact the performance of all Active Roles clients. For more information on resolving this issue, see Knowledge Base Article 4373208 on the One Identity support portal.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级