Unifying the Management of your On-prem and Azure AD Environments with Active Roles
Active Roles On Demand automates a wide variety of tasks, including:
It also automates the process of reassigning and removing user access rights in AD, AAD and AD-joined systems (including user and group de-provisioning) to ensure an efficient and secure administrative process over the user and group lifecycles. When a user’s access needs to be changed or removed, updates are made automatically across all relevant systems and applications in the hybrid AD/AAD environment, as well as AD-joined systems, including UNIX, Linux and Mac OS X, and a growing collection of popular SaaS applications via the One Identity Starling Connect solution.
With Active Roles On Demand, you can easily manage all of the following for both the on-prem and Azure AD environments:
Active Roles On Demand includes intuitive interfaces to optimize day-to-day administration and help-desk operations of the hybrid AD/AAD environment via both an MMC snap-in and a web interface.
Active Roles On Demand complements your existing technology and IAM strategy. It simplifies and consolidates management points by ensuring easy integration with many One Identity products, including Identity Manager, Safeguard, Authentication Services, Password Manager and ChangeAuditor. Active Roles also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable web interfaces.
Active Roles On Demand comes with all the synchronization technology necessary to manage and secure:
Before installing Active Roles 7.4, ensure that your system meets the following minimum hardware and software requirements.
Active Roles includes the following components:
This section lists the hardware and software requirements for installing and running each of these components.
Any of the following:
For best results, a multi-core processor is recommended.
At least 2 GB of RAM. The amount required depends on the total number of managed objects.
100 MB or more of free disk space. If SQL Server and Administration Service are installed on the same computer, the amount required depends on the size of the Active Roles database.
You can install Administration Service on a computer running:
NOTE: Active Roles is not supported on Windows Server Core mode setup.
Administration Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
You can host the Active Roles database on:
On all supported operating systems, the Administration Service requires Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at http://go.microsoft.com/fwlink/?LinkId=272757).
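The Administration Service requirements above can be checked on a candidate host before running setup. The following is an added example, not One Identity's code: the function name and the choice of install drive are assumptions, and 461808 is the lowest `Release` value Microsoft documents for .NET Framework 4.7.2.

```powershell
# Added example: pre-install check for an Administration Service host.
# Run in Windows PowerShell (powershell.exe) on the target server.
function Test-AdminServicePrereq {   # hypothetical name, not a product cmdlet
    [CmdletBinding()]
    param(
        # Assumption: the product is installed on the system drive (e.g. "C:").
        [string]$InstallDrive = $env:SystemDrive
    )

    # .NET Framework 4.7.2 or later: Release DWORD of 461808 or higher.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $dotNetOk = [bool]($ndp -and $ndp.Release -ge 461808)

    # WMF 5.1 provides Windows PowerShell 5.1 (Desktop edition).
    # PowerShell 7 reports a higher version but does not prove WMF 5.1 is present.
    $wmfOk = ($PSVersionTable.PSEdition -eq 'Desktop') -and
             ($PSVersionTable.PSVersion -ge [version]'5.1')

    # Server Core installations are not supported.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $notCore = $cv.InstallationType -ne 'Server Core'

    # Installed RAM: sum of module capacities, since TotalPhysicalMemory
    # reports slightly less than the installed amount.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                 Measure-Object -Property Capacity -Sum).Sum

    # Free space on the install drive.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'"

    # Multi-core is a recommendation, not a hard requirement.
    $cores = (Get-CimInstance -ClassName Win32_Processor |
              Measure-Object -Property NumberOfCores -Sum).Sum

    [pscustomobject]@{
        DotNet472OrLater     = $dotNetOk
        WMF51                = $wmfOk
        NotServerCore        = $notCore
        RamAtLeast2GB        = ($ramBytes -ge 2GB)
        DiskFreeAtLeast100MB = [bool]($disk -and $disk.FreeSpace -ge 100MB)
        MultiCoreRecommended = ($cores -gt 1)
    }
}

Test-AdminServicePrereq | Format-List
```

The RAM and disk figures are the stated minimums only; the amount actually needed grows with the number of managed objects and, where SQL Server is co-located, with the size of the Active Roles database.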
Active Roles retains all features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Pack:
Active Roles deprecates managed domains with the domain functional level lower than Windows Server 2012. We recommend that you raise the functional level of the domains managed by Active Roles to Windows Server 2012 or higher.
NOTE: Active Roles is not supported on Windows Server Core mode setup.
Active Roles is capable of managing Exchange recipients on:
Any of the following:
At least 2 GB of RAM. The amount required depends on the total number of managed objects.
About 100 MB of free disk space.
You can install Web Interface on a computer running:
NOTE: Active Roles is not supported on Windows Server Core mode setup.
Web Interface requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
On Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019, Web Interface requires the Web Server (IIS) server role with the following role services:
Internet Information Services (IIS) must be configured to provide Read/Write delegation for the following features:
Use Feature Delegation in Internet Information Services (IIS) Manager to confirm that these features have delegation set to Read/Write.
You can access Web Interface using:
You can use a later version of Firefox, Google Chrome or Internet Explorer to access Web Interface; however, Web Interface 7.4 has been tested only against the browser versions listed above.
Web Interface is optimized for screen resolutions of 1280 x 800 or higher. The minimum supported screen resolution is 1024 x 768.
Any of the following:
At least 1 GB of RAM. The amount required depends on the total number of managed objects.
About 100 MB of free disk space.
You can install Active Roles console on a computer running:
NOTE: Active Roles is not supported on Windows Server Core mode setup.
Active Roles console requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
Active Roles console requires Internet Explorer 11.
Management Tools is a composite component that includes the Active Roles Management Shell, ADSI Provider, and SDK. On a 64-bit (x64) system, Management Tools also include the Active Roles Configuration Center.
Any of the following:
At least 1 GB of RAM.
About 100 MB of free disk space.
You can install Management Tools on a computer running:
NOTE: Active Roles is not supported on Windows Server Core mode setup.
Management Tools require Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
On all supported operating systems, Management Tools require Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at https://www.microsoft.com/en-us/download/details.aspx?id=54616).
To manage Terminal Services user properties by using Active Roles Management Shell, Management Tools require Remote Server Administration Tools (RSAT) for Active Directory. See Microsoft’s documentation for instructions on how to install Remote Server Administration Tools appropriate to your operating system.
Any of the following:
For best results, a multi-core processor is recommended.
At least 2 GB of RAM. The amount required depends on the number of objects being synchronized.
250 MB or more of free disk space. If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.
You can install the Synchronization Service on a computer running:
NOTE: Active Roles is not supported on Windows Server Core mode setup.
Synchronization Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).
You can host the Synchronization Service database on:
On all supported operating systems, the Synchronization Service requires Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at https://www.microsoft.com/en-us/download/details.aspx?id=54616).
The Synchronization Service can connect to:
NOTE: Microsoft Exchange 2013 CU11 is no longer supported. Refer to KB article 202695.
To connect to Active Roles version 6.9, the Active Roles ADSI Provider of the respective version must be installed on the computer running the Synchronization Service. For installation instructions, see the Quick Start Guide for the appropriate Active Roles version.
To connect to Exchange Server 2007, the Exchange 2007 SP3 management tools must be installed on the computer running the Synchronization Service. For installation instructions, see “How to Install the Exchange 2007 Management Tools” at http://go.microsoft.com/fwlink/?linkid=88090.
To connect to the Office 365 directory, the following module must be installed on the computer running the Synchronization Service:
For installation instructions, see “Install the Azure AD Module” at https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.
To connect to the Lync Online service, Windows PowerShell Module for Lync Online must be installed on the computer running the Synchronization Service. For installation instructions, see “Windows PowerShell Module for Lync Online” at http://go.microsoft.com/fwlink/?LinkId=294688.
To connect to the SharePoint Online service, SharePoint Online Management Shell must be installed on the computer running the Synchronization Service. For installation instructions, see “SharePoint Online Management Shell” at http://go.microsoft.com/fwlink/?LinkId=255251.
To connect to One Identity Manager 7.0, One Identity Manager Connector must be installed on the computer running the Synchronization Service. This connector works with a RESTful web service, and SDK installation is not required.
To connect to cloud directories or online services, the computer running the Synchronization Service must have a reliable connection to the Internet.
Synchronization Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=294688).
To synchronize passwords from an Active Directory domain to some other connected data system, you must install the Sync Service Capture Agent on all domain controllers in the source Active Directory domain.
The domain controllers on which you install Sync Service Capture Agent must run one of the following operating systems with or without any Service Pack (both x86 and x64 platforms are supported):
For more information, see the Active Roles Synchronization Service Administrator Guide.
For instructions on how to upgrade Active Roles, refer to the Active Roles Quick Start Guide.
When performing the upgrade, keep in mind that the components of the earlier version may not work in conjunction with the components you have upgraded. To ensure a smooth upgrade to the new version, first upgrade the Administration Service and then upgrade the client components (Console and Web Interface).
Custom solutions (scripts or other modifications) that rely on the functions of Active Roles may fail to work after an upgrade due to compatibility issues. Prior to attempting an upgrade, you should test your existing solutions with the new version of the product in a lab environment to verify that the solutions continue to work.
The following table shows the version upgrade path that you can take from one version of the product to another. Source version refers to the current product version that you have installed. Destination version refers to the highest version of the product to which you can upgrade.
| Source version | Destination version |
| --- | --- |
| 6.9.0 | 7.4 |
| 7.0 | 7.4 |
| 7.1 | 7.4 |
| 7.2 | 7.4 |
| 7.3 | 7.4 |