How to access source domain from ARS

Hi,

I have recently added a source domain in the ARS by configuring the service account. Is there a way I can start managing that domain from the ARS console? Because currently I can only view the source domain...

  • Assuming you mean - "How do I add new\additional domains to the console for management"

    - navigate to the path "Configuration \ Server Configuration" and locate 'Managed Domains' in the exposed node.

    - right-click over "Managed Domains" and choose "New \ Managed Domain" and follow the prompts.

  • I have added the new domain; the question was more "How can I manage it?", because right now I can only view the new/additional domain and cannot manage it (create/delete/reset, etc.)

  • Is your connected account in the group you set up as the 'Active Roles Admin' - configured during setup?

     Check 'Active Roles 7.3 Quick Start Guide' - pages 8 and 17

    And - Role Based Administration from Active Roles 7.3 Administration Guide - page 85

  • I did add the override Service Account in the Domain Admin of the managed domain (as per the guide), but I am still getting access denied when trying to make changes...

  • Something tells me a similar question came up on this forum in the relatively recent past ...
    Delegation issues can be very frustrating to troubleshoot - but keep at it. Someone else here will chime in. It's late for me - and I'm off to count electric sheep.

    Try this search link - type in your relevant terms and see if the published resources here give you any relief.

    https://www.oneidentity.com/search/results/?q=#t=Global&f:product=[Active%20Roles]&f:supportandservices=[FAQ,Solution]

  • As per the docs, it says to make the override SA the domain admin of the managed domain, but it is not working; there is not much available on the forums...

    Anyone who can guide me...

  • Are you getting access denied within the Active Roles user interface?

    What are the Active Roles permissions of the account you are testing with - is it an Active Roles admin or a delegated user / trustee?

    If the latter, can you tell us a bit about how you have set up your delegation - is the account a member of a trustee AD security group that you have delegated rights to in Active Roles by way of an Access Template? If yes, what rights are in the Access Template you have used to set up the delegation? Are you sure you are performing your test in the same OU where you have delegated the rights?

  • A further thought - did you restart the Active Roles Administrative Service after you added the account to the Domain Admins group?

  • Just a note. ARS is a per-domain app and can manage untrusted domains.

    #1. Ports. No trust between the ARS Admin Service Windows Server and the target managed domain is needed, given that the required ports are open between the server and the untrusted domain (see the documentation appendix).

    #2. The Target Managed Domain\svc-ars-proxy (AD\Domain Admins) override account is to be set inside ARS. (I recommend having an svc-ars-proxy for each domain, from that domain.)

    #3. Delegation. ARS uses the login user token (SID) to identify and grant delegated granular roles (via Access Template) to the "HelpDesk" user. Therefore ARS acts as a network resource (file server), asking the DC to verify and authenticate the bound user identity and grant a Kerberos ticket for this session to access the network resource (itself).

    #4. Given #3, this dictates which groups to use to grant access to the target domain AD02 from AD01\ARServer. For example, AD01\HelpDesk_AD02_group (member AD01\HelpDesk_user_AD02) accesses AD01\ARServer to manage the target untrusted AD02 managed domain (with AD02\svc-ars-proxy set).

  • This sounds like you are connecting in the Active Roles Console using an account which is not in the Active Roles Admin role group.

    Check in your Active Roles Configuration Center:

    [Screenshot: Active Roles Configuration Center]

    In this lab, I have the "Active Roles Admin" role group set to a custom domain group, TC3\Active Roles Admins.

    The default group is Builtin\Administrators.

    If the account which you are using to connect in the Active Roles Console is not a member of this group, then you only get the access which you are granted by delegated Access Templates.

    To confirm your account, right-click on the root in the Active Roles Console and check "About Active Roles" and then the "Technical Information" tab:

    [Screenshot: About Active Roles, Technical Information tab]

    If your "Role" is not "Active Roles Admin", then you are not in the configured role group.
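    As an added example, not code from this thread or from One Identity: a PowerShell check that resolves the configured role group to its SID and looks for that SID in the current logon token, which is what the Administration Service evaluates (see #3 above). The group name TC3\Active Roles Admins is taken from the lab above and is an assumption; for the default Builtin\Administrators, run it on the Administration Service server, since that server's local Administrators group is the one that counts.

```powershell
# Added example (not from the thread): does the current logon token carry the
# SID of the group configured as the Active Roles Admin role group?
# The default group name is an assumption; substitute the one shown in your
# Active Roles Configuration Center (default: BUILTIN\Administrators).
param(
    [string]$RoleGroup = 'TC3\Active Roles Admins'
)

function Test-ArsAdminRoleMembership {
    param([Parameter(Mandatory)][string]$GroupName)

    # The token holds SIDs, not names, so resolve the configured group to its SID.
    try {
        $groupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve '$GroupName' to a SID: $($_.Exception.Message)"
    }

    # Group SIDs of the current logon token. A group added after logon is not
    # in this list until the account logs on again (new token).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = $identity.Groups | ForEach-Object { $_.Value }

    [pscustomobject]@{
        User         = $identity.Name
        RoleGroup    = $GroupName
        RoleGroupSid = $groupSid.Value
        InLogonToken = ($tokenSids -contains $groupSid.Value)
    }
}

# Run as the account that connects in the Active Roles Console.
Test-ArsAdminRoleMembership -GroupName $RoleGroup | Format-List
```

If InLogonToken is False but the account was recently added to the group, the token is stale: log off and on again (and, as noted above, restart the Administrative Service after changing its own account's groups) before testing again.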