
Active Roles 8.1.3 - Feature Guide


Supported Active Roles features with AWS Managed Microsoft AD

If configured to manage AWS Managed Microsoft AD, Active Roles offers a feature set similar to managing an on-premises AD service. This includes:

  • Performing the day-to-day administration tasks of AD objects (users, contacts, computers, distribution and security groups, Organizational Units, shared folders) in the Active Roles Console or the Web Interface.

  • Rule-based and role-based administrative views and permissions for AD objects (Managed Units and Access Templates).

  • Automation and approval workflows for AD objects.

  • Importing the Management History database and/or Configuration database from an on-premises Active Roles installation of the same version. This is useful if you want to migrate the configuration of an existing on-premises Active Roles installation to your Active Roles installation running in an EC2 instance to manage AWS Managed Microsoft AD.

  • Synchronization Service connections and sync workflows based on the following Active Roles Synchronization Service connectors:
    • Active Directory Connector

    • Active Roles Connector

    • Delimited Text File Connector

  • Synchronizing passwords with Active Roles Synchronization Service from on-premises AD to AWS Managed Microsoft AD.

NOTE: For the limitations of password synchronization from on-premises AD to AWS Managed Microsoft AD, see Active Roles feature limitations when using AWS Managed Microsoft AD.

Active Roles feature limitations when using AWS Managed Microsoft AD

When using Active Roles to manage AWS Managed Microsoft AD resources, consider the following limitations.

Amazon Web Services limitations

For Active Roles installations deployed in Amazon Elastic Compute Cloud (EC2) instances and SQL Servers hosted on Amazon Relational Database Service for SQL Server (RDS for SQL Server) instances, the known EC2 and RDS limitations apply.

AD LDS, Azure AD, Exchange and Exchange Online support

Active Roles components (such as the Active Roles Console or Web Interface) that also support directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD-related configuration and administration tasks.

Likewise, Active Roles features (such as Managed Units or Access Templates) that also support managing objects from directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD object and permission management.

Domain Admin account management

As AWS has exclusive control over Domain Admin accounts, managing such accounts with Active Roles is not possible in AWS Managed Microsoft AD.

For more information, see Admin account in the AWS Directory Service documentation.

Federated authentication support

Federated authentication with WS-Fed was not tested to work with AWS Managed Microsoft AD.

Non-AD specific Active Roles features

Active Roles features used to manage non-AD directory services (such as Exchange Resource Forest Management) were not tested to work with AWS Managed Microsoft AD.

Service Connection Point discovery

Active Roles connected services (such as the Active Roles Console) rely on AD Discovery to create Service Connection Points (SCPs) and find other Active Roles services.

As AWS Directory Service does not support AD Discovery, Active Roles services installed on an EC2 instance to manage AWS Managed Microsoft AD may not be able to automatically discover the Active Roles Administration Service, impacting the user experience.

Synchronization Service limitations

  • When synchronizing directory data or passwords from on-premises Active Directory to AWS Managed Microsoft AD, Active Roles Synchronization Service has the following limitations:

    • Active Roles Synchronization Service was only tested to work with connections and sync workflows based on the following connectors:

      • Active Directory Connector

      • Active Roles Connector

      • Delimited Text File Connector

      Sync workflows and connections based on other connectors are not officially supported.

    • When synchronizing passwords from an on-premises Active Directory to AWS Managed Microsoft AD, synchronizing the pwdHash attribute, and synchronizing and then populating the SIDHistory attribute in AWS Managed Microsoft AD, are not supported. This is because the Synchronization Service Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.

  • Synchronizing passwords from AWS Managed Microsoft AD to on-premises AD with Active Roles Synchronization Service is not supported. This is because the Synchronization Service Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.

SQL Server replication support

As Active Roles uses RDS for SQL Server when managing AWS Managed Microsoft AD, the SQL server replication feature of Active Roles is not supported.

Usable Organizational Unit in the AD domain

After you connect the Active Roles Console to your AWS Managed Microsoft AD environment, the AD domain and its containers will appear in the Active Roles Console (and if configured, in the Web Interface as well). By default, the AWS Managed Microsoft AD environment contains three types of containers:

  • AWS-specific containers.

  • The default AD-specific containers (such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, and so on).

  • An Organizational Unit container matching the NetBIOS (or shortname) of the AWS Managed Microsoft AD deployment. For example, if the shortname of your AD domain is ARDEMO, the name of this container will also be ARDEMO.

Of these three container types, you can manage AD resources only in the Organizational Unit whose name matches the shortname of your AWS Managed Microsoft AD environment. All other containers are read-only.

FIPS compliance

Active Roles 8.1.3 supports cryptography libraries and algorithms compliant with Federal Information Processing Standards (FIPS) 140-2. For more information on FIPS-compliant libraries and algorithms, see FIPS 140-2: Security Requirements for Cryptographic Modules.

NOTE: Consider the following when planning to use FIPS-compliant cryptography libraries or algorithms:

  • Although Active Roles continues to support non-FIPS-compliant cryptography libraries and algorithms, it will not work properly if it is configured to use non-FIPS-compliant solutions in a FIPS-compliant environment.

  • If you already use FIPS-compliant security algorithms in your environment (such as the TripleDES security algorithm, or the SHA256 hash algorithm), you must export your existing configuration, and import it in a new Active Roles installation.
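As an added pre-flight check that is not part of the Active Roles guide or product, the following Windows PowerShell 5.1 script reads the Windows FIPS policy flag on the host that will run Active Roles and shows which .NET algorithm implementations stop working once that policy is on, which is the failure mode described in the first note above. It assumes Windows PowerShell 5.1 on .NET Framework; the function names are hypothetical.

```powershell
# Added pre-flight check (hypothetical helper, not Active Roles code).
# Assumes Windows PowerShell 5.1 (.NET Framework) on the Windows host.

function Test-FipsPolicyEnabled {
    # The system-wide FIPS policy flag lives under this LSA registry key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return [bool]($value -and $value.Enabled -eq 1)
}

function Test-AlgorithmUnderFipsPolicy {
    param([Parameter(Mandatory)][string]$TypeName)
    # Managed (non-validated) .NET Framework implementations throw
    # InvalidOperationException when CryptoConfig.AllowOnlyFipsAlgorithms is
    # true; the CAPI/CNG-backed implementations keep working.
    try {
        $null = New-Object -TypeName $TypeName -ErrorAction Stop
        return [pscustomobject]@{ Algorithm = $TypeName; Usable = $true;  Error = $null }
    } catch {
        return [pscustomobject]@{ Algorithm = $TypeName; Usable = $false;
                                  Error = $_.Exception.GetBaseException().Message }
    }
}

$fipsOn = Test-FipsPolicyEnabled
Write-Host ("System FIPS policy enabled:           {0}" -f $fipsOn)
Write-Host ("CryptoConfig.AllowOnlyFipsAlgorithms: {0}" -f `
    [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)

# Compare FIPS-validated providers with their managed counterparts for the
# algorithms the note names (SHA256, TripleDES) plus AES. With the policy on,
# the *Managed types report Usable = False; that is the "will not work properly"
# case, so fix the configuration before installing Active Roles.
@(
    'System.Security.Cryptography.SHA256CryptoServiceProvider',    # validated (CAPI)
    'System.Security.Cryptography.SHA256Managed',                  # blocked under policy
    'System.Security.Cryptography.TripleDESCryptoServiceProvider', # validated (CAPI)
    'System.Security.Cryptography.AesCryptoServiceProvider',       # validated (CAPI)
    'System.Security.Cryptography.AesManaged'                      # blocked under policy
) | ForEach-Object { Test-AlgorithmUnderFipsPolicy -TypeName $_ } | Format-Table -AutoSize
```

Run it once with the policy off and once with it on to see the managed types flip to Usable = False; the registry flag and the CryptoConfig property should always agree.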

LSA protection support

The Active Roles Synchronization Service Capture Agent supports Local Security Authority (LSA) protection. For more information, see Configuring Additional LSA Protection in the Microsoft Windows Server documentation.
