For the best web experience, please use IE10+, Chrome, Firefox, or Safari

Active Roles

Hybrid Active Directory, simple and secure

Active Roles is a single, unified and rich tool to automate the most troublesome user and group management tasks.

Administrators struggle to keep up with requests to create, change or remove access in today’s hybrid AD environments and with the limited capabilities of Microsoft Active Directory (AD) and Azure Active Directory (AAD) native tools. Thankfully, help has arrived.

With One Identity Active Roles, you can streamline user and group administration, solve security issues – and meet those never-ending compliance requirements by managing and securing on-prem, and cloud AD resources simply and efficiently with a single, intuitive solution.

Single Pane of Glass

Single Pane of Glass

Manage all systems in your hybrid AD environment with a single pane of glass

Access Templates

Access Templates

Accelerate provisioning with simple, easily managed access templates

Drag and Drop Workflows

Drag and Drop Workflows

Enjoy simplicity with drag-and-drop workflows for user, admin and group tasks

Security Policy

Security Policy

Place 'guard rails' around data in AD for efficiency and security

Change History

Change History

Single-mouse-click view of the "who/what/when/where" of particular objects

Identity Analytics

Identity Analytics

Elegant user-rights interface heads off potential problems and reduces risk

Features

Automate user lifecycle management

Active Roles automates a wide variety of tasks, including:

Creating, removing, or modifying user and group accounts in AD and AAD
Creating mailboxes in Exchange and Exchange Online
administering groups across AD and AAD
Assigning resource in Windows

Day-to-day directory management

Active Roles easily manages:

Exchange/Exchange Online recipients, including mailbox/OCS assignment, creation, movement, deletion, permissions and distribution list management
AD and AAD Groups
Computers, including shares, printers, local users and groups
Active Directory and Azure Active Directory

Identity Analytics

Mitigate risks before an issue occurs through comprehensive insight into user entitlements in a hybrid AD environment with Starling Identity Analytics & Risk Intelligence

Manage groups and users in a hosted environment

Synchronize AD domain clients with a host AD domain in hosted environments. Utilize out-of-the-box connectors to synchronize your on-premises AD accounts to Microsoft Office 365, Lync Online and SharePoint Online.

Integrate with enterprise IAM programs

Active Roles complements your existing technology and IAM strategy through easy integration with many One Identity products, including Identity Manager, Privileged Password Manager, Authentication Services, Defender, Password Manager, Cloud Access Manager and Quest ChangeAuditor. Active Roles also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable web interfaces.

One Identity Hybrid Subscription

Expand the capabilities of Active Roles with the One Identity Hybrid Subscription, and get immediate access to cloud-delivered features and services, including two-factor authentication to protect administrative access, Starling Identity Analytics & Risk Intelligence and Active Roles access analysis.

Automatic, consistent, and complete management

Active Roles overcomes the shortcomings of native tools for hybrid Active Directory management and security

Specifications

Before installing Active Roles 7.1, ensure that your system meets the following minimum hardware and software requirements.

Active Roles includes the following components:

Administration Service
Web Interface
Console (MMC Interface)
Management Tools
Synchronization Service

This section lists the hardware and software requirements for installing and running each of these components.

Administration Service

Platform

Any of the following:

Intel 64 (EM64T)

AMD64

Processor speed: 2.0 GHz or faster

For best results, a multi-core processor recommended.

Memory: At least 2 GB of RAM. The amount required depends on the total number of managed objects.

Hard Disk Space: 100 MB or more of free disk space. If SQL Server and Administration Service are installed on the same computer, the amount required depends on the size of the Active Roles database.

Operating System

You can install Administration Service on a computer running:

Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
Microsoft Windows Server 2012, Standard or Datacenter edition

Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft .NET Framework: Administration Service requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

SQL Server

You can host the Active Roles database on:

Microsoft SQL Server 2008, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pac
Microsoft SQL Server 2008 R2, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack

Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
Microsoft SQL Server 2012 Native Client is required on the computer running the Administration Service
Microsoft SQL Server 2016, any edition

Windows Management Framewor: On Windows Server 2008 R2, the Administration Service requires Windows Management Framework 3.0 (see “Windows Management Framework 3.0” at http://go.microsoft.com/fwlink/?LinkId=272757).

Microsoft Exchange Server Management Tools: To manage Exchange 2007 recipients, Active Roles requires the Exchange 2007 SP3 management tools installed on the computer running the Administration Service. For installation instructions, see “How to Install the Exchange 2007 Management Tools” at http://go.microsoft.com/fwlink/?linkid=88090.

Operating system on domain controllers

Active Roles retains all features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Pack:

Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012

Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016

NOTE:

Active Roles does not support domain controllers running Microsoft Windows 2000 Server. Ensure that the Active Directory domains managed by Active Roles do not have Windows 2000 Server based domain controllers.
Active Roles deprecates managed domains with the domain functional level lower than Windows Server 2008. We recommend that you raise the functional level of the domains managed by Active Roles to Windows Server 2008 or higher.

Exchange Serve

Active Roles is capable of managing Exchange recipients on:

Microsoft Exchange Server 2007 Service Pack 3
Microsoft Exchange Server 2010 Service Pack 3

Microsoft Exchange Server 2013

NOTE: Microsoft Exchange Server 2003 is not supported.

Web Interface

Platform

Any of the following:

Intel 64 (EM64T)

AMD64

Processor speed: 2.0 GHz or faster

Memory: At least 2 GB of RAM. The amount required depends on the total number of managed objects.

Hard Disk Space: About 100 MB of free disk space.

Operating System

You can install Web Interface on a computer running:

Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
Microsoft Windows Server 2012, Standard or Datacenter edition

Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft .NET Framework: Web Interface requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

Internet Services

On Windows Server 2008 R2, Web Interface requires the Web Server (IIS) server role with the following role services:

Web Server/Common HTTP Features/
- Static Content
- Default Document
- HTTP Errors
- HTTP Redirection
Web Server/Application Development/
- ASP.NET
- .NET Extensibility
- ASP
- ISAPI Extensions
- ISAPI Filters
Web Server/Security/
- Basic Authentication
- Windows Authentication
- Request Filtering
Management Tools/IIS 6 Management Compatibility/
- IIS 6 Metabase Compatibility

On Windows Server 2012 or Windows Server 2012 R2, Web Interface requires the Web Server (IIS) server role with the following role services:

Web Server/Common HTTP Features/
- Default Document
- HTTP Errors
- Static Content
- HTTP Redirection
Web Server/Security/
- Request Filtering
- Basic Authentication
- Windows Authentication
Web Server/Application Development/
- .NET Extensibility 4.5
- ASP
- ASP.NET 4.5
- ISAPI Extensions
- ISAPI Filters
Management Tools/IIS 6 Management Compatibility/
- IIS 6 Metabase Compatibility

Internet Information Services (IIS) must be configured to provide Read/Write delegation for the fo;llowing features:

Handler Mappings
Modules

Use Feature Delegation in Internet Information Services (IIS) Manager to confirm that these features have delegation set to Read/Write.

Web browser

You can access Web Interface using:

Firefox 36 on Windows
Google Chrome 41 on Windows

Windows Internet Explorer 11
Microsoft Edge on Windows 10

You can use a later version of Firefox, Google Chrome or Internet Explorer to access Web Interface; however, Web Interface 7.1 has been tested only against the browser versions listed above.

Minimum screen resolution: Web Interface is optimized for screen resolutions of 1280 x 800 or higher. The minimum supported screen resolution is 1024 x 768.

Console (MMC Interface)

Platform

Any of the following:

Intel x86
Intel 64 (EM64T)

AMD64

Processor speed: 1.0 GHz or faster

Memory (RAM): At least 1 GB of RAM. The amount required depends on the total number of managed objects.

Hard Disk Space: About 100 MB of free disk space.

Operating System

You can install Active Roles console on a computer running:

Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
Microsoft Windows Server 2012, Standard or Datacenter edition
Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows 7, Ultimate, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64), Service Pack 1

Microsoft Windows 8, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft .NET Framework: Active Roles console requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

Web browser: Active Roles console requires Internet Explorer 11.

Management Tools

Management Tools is a composite component that includes the Active Roles Management Shell, ADSI Provider, and SDK. On a 64-bit (x64) system, Management Tools also include the Active Roles Configuration Center.

Platform

Any of the following:

Intel x86
Intel 64 (EM64T)

AMD64

Processor speed: 1.0 GHz or faster

Memory (RAM): At least 1 GB of RAM.

Hard Disk Space: About 100 MB of free disk space.

Operating System

You can install Management Tools on a computer running:

Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
Microsoft Windows Server 2012, Standard or Datacenter edition
Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows 7, Ultimate, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64), Service Pack 1

Microsoft Windows 8, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft .NET Framework: Management Tools require Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

Windows Management Framework: On Windows Server 2008 R2 or Windows 7, Management Tools require Windows Management Framework 3.0 (see “Windows Management Framework 3.0” at http://go.microsoft.com/fwlink/?LinkId=272757).

Remote Server Administration Tools (RSAT): To manage Terminal Services user properties by using Active Roles Management Shell, Management Tools require Remote Server Administration Tools (RSAT) for Active Directory. See Microsoft’s documentation for instructions on how to install Remote Server Administration Tools appropriate to your operating system.

Synchronization Service

Synchronization Service requirements

Platform

Any of the following:

Intel 64 (EM64T)

AMD64

Processor speed: 2.0 GHz or faster

For best results, a multi-core processor recommended.

Memory: At least 2 GB of RAM. The amount required depends on the number of objects being synchronized.

Hard disk space: 250 MB or more of free disk space. If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.

Operating System

You can install the Synchronization Service on a computer running:

Microsoft Windows Server 2008 R2, Standard or Enterprise edition, Service Pack 1
Microsoft Windows Server 2012, Standard or Datacenter edition

Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft .NET Framework: Synchronization Service requires Microsoft .NET Framework 4.5 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

SQL Server

You can host the Synchronization Service database on:

Microsoft SQL Server 2008, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
Microsoft SQL Server 2008 R2, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack ;
Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack

Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
Microsoft SQL Server 2016, any edition

Windows Management Framework: On Windows Server 2008 R2, the Synchronization Service requires Windows Management Framework 3.0 (see “Windows Management Framework 3.0” at http://go.microsoft.com/fwlink/?LinkId=272757).

Supported connections

The Synchronization Service can connect to:

Microsoft Active Directory Domain Services with the domain or forest functional level of Windows Server 2008 or higher
Microsoft Active Directory Lightweight Directory Services running on any Windows Server operating system supported by Microsoft
Microsoft Exchange Server version 2013, 2010 or 2007
Microsoft Lync Server version 2013 or 2010
Microsoft Windows Azure Active Directory using the Azure AD Graph API version 2013-04-05
Microsoft Office 365 directory
Microsoft Exchange Online service
Microsoft Lync Online service

Microsoft SharePoint Online service
Microsoft SQL Server, any version supported by Microsoft
Active Roles version 7.1, 7.0, and 6.9
Quest One Identity Manager version 6.1 or 6.0 (Q1IM 6.01 or 6.0)
One Identity Manager version 7.0 (D1IM 7.0)
Data sources accessible through an OLE DB provider
Delimited text files

Legacy Active Roles ADSI Provider: To connect to Active Roles version 6.9, 6.8 or 6.7, the Active Roles ADSI Provider of the respective version must be installed on the computer running the Synchronization Service. For installation instructions, see the Quick Start Guide for the appropriate Active Roles version.

Microsoft Exchange Server Management Tools: To connect to Exchange Server 2007, the Exchange 2007 SP3 management tools must be installed on the computer running the Synchronization Service. For installation instructions, see “How to Install the Exchange 2007 Management Tools” at http://go.microsoft.com/fwlink/?linkid=88090.

Azure AD Module for Windows PowerShell

To connect to the Office 365 directory, the following software must be installed on the computer running the Synchronization Service:

Microsoft Online Services Sign-In Assistant for IT Professionals

Azure Active Directory Module for Windows PowerShell

For installation instructions, see “Install the Azure AD Module” at http://go.microsoft.com/fwlink/?linkid=320628.

Windows PowerShell Module for Lync Online: To connect to the Lync Online service, Windows PowerShell Module for Lync Online must be installed on the computer running the Synchronization Service. For installation instructions, see “Windows PowerShell Module for Lync Online” at http://go.microsoft.com/fwlink/?LinkId=294688.

SharePoint Online Management Shell: To connect to the SharePoint Online service, SharePoint Online Management Shell must be installed on the computer running the Synchronization Service. For installation instructions, see “SharePoint Online Management Shell” at http://go.microsoft.com/fwlink/?LinkId=255251.

One Identity Manager API

To connect to One Identity Manager 7.0, One Identity Manger Connector must be installed on the computer running the Synchronization Service. This connector works with RESTful web service and SDK installation is not required.

To connect to One Identity Manager 6.0, the Quest One Identity Manager Connector must be installed on the computer running the Synchronization Service. This connector works only when the Q1IM API SDK is installed on the system. For installation instructions, see Knowledge Article 100525 at https://support.oneidentity.com/kb/SOL100525.

Internet Connection: To connect to cloud directories or online services, the computer running the Synchronization Service must have a reliable connection to the Internet.

Synchronization Service Capture Agent

Microsoft .NET Framework: Microsoft .NET Framework 4.5

Additional Requirements

To synchronize passwords from an Active Directory domain to some other connected data system, you must install the Sync Service Capture Agent on all domain controllers in the source Active Directory domain.

The domain controllers on which you install Sync Service Capture Agent must run one of the following operating systems with or without any Service Pack (both x86 and x64 platforms are supported):

Microsoft Windows Server 2016
Microsoft Windows Server 2012 R2

Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2

For more information, see the Active Roles Synchronization Service Administrator Guide.

Upgrade and compatibility

For instructions on how to upgrade Active Roles, refer to the Active Roles Quick Start Guide.

When performing the upgrade, keep in mind that the components of the earlier version may not work in conjunction with the components you have upgraded. To ensure smooth upgrade to the new version, you should first upgrade the Administration Service and then upgrade the client components (Console and Web Interface).

Custom solutions (scripts or other modifications) that rely on the functions of Active Roles may fail to work after an upgrade due to compatibility issues. Prior to attempting an upgrade, you should test your existing solutions with the new version of the product in a lab environment to verify that the solutions continue to work.

Impact on add-ons

After an upgrade of Active Roles components to the Active Roles 7.1, the add-ons which were supported in the earlier versions of Active Roles, cease to work. Hence, it is recommended to uninstall the add-ons prior to the upgrade of Active Roles.

Note: Office 365 add-ons are not supported on the Active Roles 7.1.