I have recently added a source domain in the ARS by configuring the service account. Is there a way I can start managing that domain from the ARS console? Because currently I can only view the source domain...
Assuming you mean - "How do I add new\additional domains to the console for management"
- navigate to the path "Configuration \ Server Configuration" and locate 'Managed Domains' in the exposed node.
- right-click over "Managed Domains" and choose "New \ Managed Domain" and follow the prompts.
Is your connected account in the group you set up as the 'Active Roles Admin' - configured during setup?
Check 'Active Roles 7.3 Quick Start Guide' - pages 8 and 17
And - Role Based Administration from Active Roles 7.3 Administration Guide - page 85
Something tells me a similar question came up on this forum in the relatively recent past ...
Delegation issues can be very frustrating to troubleshoot - but keep at it. Someone else here will chime in. It's late for me - and I'm off to count electric sheep.
Try this search link - type in your relevant terms and see if the published resources here give you any relief.
Are you getting access denied within the Active Roles user interface?
What are the Active Roles permissions of the account you are testing with - is it an Active Roles admin or a delegated user / trustee?
If the latter, can you tell us a bit about how you have set up your delegation - is the account a member of a trustee AD security group that you have delegated rights to in Active Roles by way of an Access Template? If yes, what rights are in the Access Template you have used to set up the delegation? Are you sure you are performing your test in the same OU where you have delegated the rights?
Just a note: ARS is a per-domain app and can manage untrusted domains.
#1. Ports. No trust between the ARS Admin Service Windows Server and the target managed domain is needed, given the required ports are open between the server and the untrusted domain (see documentation appendix).
#2. Target Managed Domain\svc-ars-proxy (AD\Domain Admins) overwrite account to be set inside ARS. (I recommend having an svc-ars-proxy for each domain, from that domain.)
#3. Delegation. ARS uses the login user token (SID) to identify and grant delegated granular roles (via Access Template) to the "HelpDesk" user. Therefore ARS acts as a network resource (file server), asking the DC to verify and authenticate the bound user identity and grant a Kerberos ticket for this session to access the network resource (itself).
#4. Given #3 dictates which groups to use to grant access to the target domain AD02 from AD01\ARServer. For example, AD01\HelpDesk_AD02_group (member AD01\HelpDesk_user_AD02) accesses AD01\ARServer to manage the target untrusted AD02 managed domain (with AD02\svc-ars-proxy set).
This sounds like you are connecting in the Active Roles Console using an account which is not in the Active Roles Admin role group.
Check in your Active Roles Configuration Center:
In this lab, I have the "Active Roles Admin" role group set to a custom domain group, TC3\Active Roles Admins
The default group is Builtin\Administrators
If the account which you are using to connect in the Active Roles Console is not a member of this group, then you only get the access which you are granted by delegated Access Templates.
To confirm your account, right-click on the root in the Active Roles Console and check "About Active Roles" and then the "Technical Information" tab:
If your "Role" is not "Active Roles Admin", then you are not in the configured role group.