ActiveRoles 6.9. Quick Start Guide


© 2013 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters, LEGAL Dept, 5 Polaris Way, Aliso Viejo, CA [email protected] Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, Simplicity at Work, and ActiveRoles are trademarks and registered trademarks of Quest Software, Inc. For a complete list of Quest Software's trademarks, see Other trademarks are property of their respective owners.

Third Party Contributions

This product contains some third party components (listed below). Copies of their licenses may be found at Source code for components marked with an asterisk (*) is available at

COMPONENT: LICENSE OR ACKNOWLEDGEMENT
.NET logging library 1.0: BSD 4.4 license
JQuery: MIT 1.0 license
JQuery UI: MIT 1.0 license
ObjectBuilder: Contains software or other content adapted from Microsoft patterns & practices ObjectBuilder, © 2006 Microsoft Corporation. All rights reserved.

Quest One ActiveRoles - Quick Start Guide
Updated - September 17, 2013
Software Version - 6.9

CONTENTS

INTENDED AUDIENCE
CONVENTIONS
ABOUT QUEST SOFTWARE, INC
CONTACTING QUEST SOFTWARE
CONTACTING QUEST SUPPORT
INTRODUCTION
QUEST ONE ACTIVEROLES COMPONENTS
SYSTEM REQUIREMENTS
INSTALLING THE ADMINISTRATION SERVICE
CONFIGURING THE ADMINISTRATION SERVICE ACCOUNT
ACCESS TO THE ADMINISTRATION SERVICE COMPUTER
SERVICE PUBLICATION IN ACTIVE DIRECTORY
ACCESS TO MANAGED DOMAINS
ACCESS TO EXCHANGE ORGANIZATION
ACCESS TO FILE SERVERS
ACCESS TO BITLOCKER RECOVERY INFORMATION
SQL SERVER PERMISSIONS
INSTALLATION PERMISSIONS
OPERATION PERMISSIONS
REPLICATION CONFIGURATION PERMISSIONS
REPLICATION AGENT PERMISSIONS
STEPS TO INSTALL THE ADMINISTRATION SERVICE
INSTALLING INITIAL SERVICE
INSTALLING ADDITIONAL SERVICE
IMPORTING CONFIGURATION DATA
ADVANCED SCENARIOS
VERIFYING THE SERVICE INSTALLATION
INSTALLING USER INTERFACES
STEPS TO INSTALL THE CONSOLE
STEPS TO INSTALL THE WEB INTERFACE
CHECKING WEB INTERFACE PREREQUISITES
INSTALLING AND CONFIGURING THE WEB INTERFACE
INSTALLING ADDITIONAL FEATURES
STEPS TO INSTALL SDK AND ADSI PROVIDER
STEPS TO INSTALL THE REPORTING COMPONENTS
INSTALLING THE QUEST ONE ACTIVEROLES COLLECTOR
INSTALLING THE QUEST ONE ACTIVEROLES REPORT PACK
SILENT INSTALLATION
UPGRADING AN EARLIER VERSION
COMPONENTS COMPATIBILITY
UPGRADE ISSUES
IMPACT ON QUEST ONE ACTIVEROLES REPLICATION
IMPACT ON CUSTOM SOLUTIONS
IMPACT ON UNMANAGED DOMAINS
UPGRADING THE ADMINISTRATION SERVICE
IMPORTING MANAGEMENT HISTORY DATA
UPGRADING OTHER COMPONENTS
UPGRADE OF THE REPORTING COMPONENTS
SEPARATE MANAGEMENT HISTORY DATABASE
CREATING A NEW DATABASE
USING AN EXISTING DATABASE
PERFORMING A PILOT DEPLOYMENT
INSTALLING THE PILOT ADMINISTRATION SERVICE
INSTALLING THE PILOT WEB INTERFACE
UPGRADING THE PILOT ADMINISTRATION SERVICE
UPGRADING THE PILOT WEB INTERFACE
INSTALLING THE QUEST ONE ACTIVEROLES CONSOLE
TRANSFER TO NEW OS OR SQL SERVER VERSION
TRANSFERRING DATABASE TO NEW SQL SERVER VERSION
DEPLOYMENT CONSIDERATIONS
BUSINESS WORKFLOW
HARDWARE REQUIREMENTS
WEB INTERFACE: IIS SERVER REQUIRED
AVAILABILITY AND REDUNDANCY
MAJOR SITES
REMOTE SITES
REPLICATION TRAFFIC
LOCATIONS AND NUMBER OF SERVICES
CENTRALIZED
DISTRIBUTED WITH NO REMOTE MANAGEMENT
DISTRIBUTED WITH REMOTE MANAGEMENT
PHYSICAL DESIGN
CENTRALIZED DEPLOYMENT
DISTRIBUTED DEPLOYMENT
ACTIVEROLES ON WINDOWS AZURE VM
STEP 1. PREREQUISITES
STEP 2. DEPLOY MICROSOFT SQL SERVER
STEP 3. DEPLOY ACTIVEROLES ADMINISTRATION SERVICE
STEP 4. DEPLOY ACTIVEROLES WEB INTERFACE

Intended Audience

This document has been prepared to assist you in becoming familiar with the Quest One ActiveRoles. The Quick Start Guide contains the information required to install and use Quest One ActiveRoles. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest Software products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Used for emphasis.
Blue text: Indicates a cross-reference. When viewed in Adobe Reader, this format can be used as a hyperlink.
(icon): Used to highlight additional information pertinent to the process being described.
(icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(icon): Used to highlight processes that should be performed with care.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.

About Quest Software, Inc.

Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit

Contacting Quest Software

Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA, USA

Refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to our Support Portal. From our Support Portal, you can do the following:

- Retrieve thousands of solutions from our Knowledge Base
- Download the latest releases and service packs
- Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures.

Introduction

Quest One ActiveRoles simplifies and streamlines creation and ongoing management of user accounts and groups in Windows Active Directory (AD) centric environments by automating user and group account creation in AD, mailbox creation in Exchange, group population, and resource assignment in Windows. It provides strictly enforced security, rich capabilities for automating directory management tasks, change approval and easy-to-use Web interfaces, to achieve practical user and group account management for the Windows enterprise.

This document is for individuals responsible for deploying Quest One ActiveRoles in their organization. It provides step-by-step instructions for preparing the environment and installing the Quest One ActiveRoles components.

Quest One ActiveRoles Components

Quest One ActiveRoles divides the workload of directory administration into three functional layers: presentation components, service components, and network data sources.

[Figure: Quest One ActiveRoles components. Labels: Presentation Components, Service Components, Network Data Sources, MMC Interface, Web Interface, ActiveRoles ADSI Provider, Custom Interfaces, Reporting Solution, Administration Service, Access Check, Data Processing Component, Policy Enforcement, Audit Trail, Administration Database, Active Directory Domains & Forests, Microsoft Exchange Servers, Other Data Sources.]

The presentation components include client interfaces for the Windows platform and the Web, which allow users with appropriate rights (delegated administrators) to perform a precisely defined set of administrative activities. Quest One ActiveRoles also includes the reporting solution to generate reports on the administrative activities.

The service components constitute a secure layer between administrators and managed data sources. It ensures consistent policy enforcement, provides automation capabilities, and enables the integration of business processes for administration of Active Directory, Exchange and other corporate data sources.

The main component of Quest One ActiveRoles is the Administration Service, a powerful rules-based proxy for the management of network data sources. The Administration Service features advanced delegation capabilities and provides the ability to enforce administrative policies that keep data current and accurate. The Administration Service acts as a bridge between the presentation components and network data sources. In large networks, multiple Administration Services can be deployed to improve performance and ensure fault tolerance.

The Administration Service uses the Administration Database to store configuration data. The configuration data includes definitions of objects specific to Quest One ActiveRoles, assignments of administrative roles and policies, and procedures used to enforce policies.

The Administration Service provides a complete audit trail by creating records in Quest One ActiveRoles event log. The log shows all actions performed and by whom, including actions that were not permitted. The log entries display the success or failure of each action, as well as which attributes were changed while managing objects in data sources.

System Requirements

Quest One ActiveRoles includes the following components:

- Administration Service
- Console (MMC Interface)
- Web Interface
- Collector
- Report Pack
- Add-in for Outlook

The Quest One ActiveRoles Release Notes document, included on the Quest One ActiveRoles distribution media, provides information on the hardware and software requirements for each of these components.

Installing the Administration Service

Use the following checklist to ensure that you are ready to install the Administration Service.

ITEM TO CHECK: DESCRIPTION

Administration Service computer: The Administration Service can be installed on any computer that meets the hardware and software requirements. It is not mandatory to install the Administration Service on a domain controller. However, the Administration Service computer must have reliable network connections with at least one of the domain controllers for each managed domain.

SQL Server: The Administration Service requires Microsoft SQL Server. It is possible to use SQL Server on the Administration Service computer or on a different network computer.

Administration Service account: The Administration Service logs on with the account that you specify during installation. The account must have sufficient rights for Quest One ActiveRoles to function properly. Quest One ActiveRoles uses the Administration Service account when accessing a managed domain unless an override account is specified when registering the domain with Quest One ActiveRoles. Therefore, the Administration Service account must have the appropriate rights in any domain for which an override account is not specified. Additionally, the Administration Service account must have sufficient permissions to publish the Administration Service in Active Directory. Information about how to configure the Administration Service account and an override account can be found later in this document.

Account used for connection to SQL Server: When installing the Administration Service you may configure it to use Windows authentication or SQL Server authentication for connection to SQL Server. If you choose Windows authentication, the connection is established using the Administration Service account. In this case, the service account must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in Quest One ActiveRoles database. If you choose SQL Server authentication, the connection is established with the login you are prompted to specify when installing the Administration Service. This login must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in Quest One ActiveRoles database. For more information on what permissions must be granted to the account for connection to SQL Server, see SQL Server Permissions later in this document.

ActiveRoles Admin: ActiveRoles Admin is a group for which Quest One ActiveRoles does not perform permission checking. If the Administration Service itself has sufficient rights to perform a certain task, then ActiveRoles Admin can also perform that task using Quest One ActiveRoles. In addition, ActiveRoles Admin is authorized to perform any task related to the Quest One ActiveRoles configuration, such as adding managed domains and managing replication settings. Therefore, the membership in the ActiveRoles Admin group should be restricted to highly trusted individuals. By default, ActiveRoles Admin is the Administrators local group on the computer running the Administration Service. You can change this setting when installing the Administration Service.

Configuring the Administration Service Account

When installing the Administration Service, you are prompted for the name and password of the Administration Service account, the account the Administration Service logs on to. This account must have sufficient permissions to:

- Gain administrative access to the computer running the Administration Service.
- Publish the Administration Service in Active Directory.
- Access any managed domain for which an override account is not specified.

When registering a domain with Quest One ActiveRoles, an override account may be specified. If an override account is specified, this account rather than the service account is used to access the domain.

Access to the Administration Service Computer

The service account must be a member of the Administrators group on the computer running the Administration Service. Because of this requirement, installing the Administration Service on a domain controller effectively grants the service account administrator rights in the entire domain.

Service Publication in Active Directory

The Administration Service must be able to publish itself in Active Directory. This enables Quest One ActiveRoles clients to automatically discover the Administration Service. Service publication requires that the service account have the following permissions on the Aelita sub-container of the System container in the domain of the computer running the Administration Service:

- Create Container Objects
- Create serviceconnectionpoint Objects

In addition, the service account, or the override account, if specified, must have these permissions on the Aelita sub-container of the System container in every managed domain.

If an account has the domain administrator rights, then it has the required permissions by default. Otherwise, you must give these permissions to the account using the ADSI Edit tool.

To grant permissions for Administration Service publication in Active Directory

1. Open the ADSI Edit tool and connect to the Domain naming context.
2. In the console tree, expand the System container, right-click the Aelita sub-container, and then click Properties. If the Aelita container does not exist, create it: right-click System, point to New, click Object, and then, in the Create Object wizard, select the Container class and specify Aelita as cn.
3. On the Security tab in the Properties dialog box, click Advanced.
4. On the Permissions tab in the Advanced Security Settings dialog box, click Add.
5. In the Select User, Computer, or Group window, enter the name of the account.
6. On the Object tab in the Permission Entry dialog box, ensure that the Apply onto box indicates This object and all child objects, and then, in the Permissions box, select the check boxes next to Create Container Objects and Create serviceconnectionpoint Objects in the Allow column.
7. In the Permission Entry dialog box, click OK.
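The same grant can be scripted with the dsacls tool instead of ADSI Edit. The script below is an added example, not part of the Quest guide; the domain DN and the account name are placeholders to replace with your own values.

```powershell
# Added example (not from the guide): scripted equivalent of the ADSI Edit procedure.
# $DomainDN and $Account are placeholders. Run under an account that is allowed
# to modify the ACL of CN=System in the target domain.
param(
    [string]$DomainDN = 'DC=example,DC=com',
    [string]$Account  = 'EXAMPLE\svc-activeroles'
)

$systemDN = "CN=System,$DomainDN"
$aelitaDN = "CN=Aelita,$systemDN"

# Step 2 of the procedure: create the Aelita container if it does not exist.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$aelitaDN")) {
    $system = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$systemDN")
    $aelita = $system.psbase.Children.Add('CN=Aelita', 'container')
    $aelita.psbase.CommitChanges()
    Write-Output "Created $aelitaDN"
}

# Steps 4 to 6: allow "create child" (CC) for the two object classes only.
# /I:T applies the entries to this object and all child objects, which matches
# the "Apply onto" setting in step 6. No other rights are granted.
& dsacls.exe $aelitaDN /I:T /G "${Account}:CC;container" "${Account}:CC;serviceConnectionPoint" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "dsacls failed with exit code $LASTEXITCODE"
}

# Verification: print the ACL entries that mention the account, with the line
# that follows each one (dsacls prints the granted right on the next line).
& dsacls.exe $aelitaDN | Select-String -SimpleMatch $Account -Context 0,1
```

Run it once per managed domain, passing the override account instead of the service account where one is used.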

Access to Managed Domains

Quest One ActiveRoles access to a domain is limited by the access rights of the service account, or the override account, if specified. For all managed domains with no override accounts specified, you should configure the service account to have permissions you want Quest One ActiveRoles to have in those domains. If you use an override account when registering a domain with Quest One ActiveRoles, ensure that the override account (rather than the service account) has these permissions for the domain. In addition, the service account (or the override account, if any) must have the Read Permissions and Modify Permissions rights on the Active Directory objects and containers where you are planning to use the Quest One ActiveRoles security synchronization feature.

For example, you may configure the service account (or the override account) to have full control of certain organizational units. In this way, Quest One ActiveRoles administrative scope is limited to those organizational units. Another option is to give Quest One ActiveRoles administrative access to a domain by adding the account to the Domain Admins group of that domain, or give Quest One ActiveRoles administrative access to an entire forest by adding the account to the Domain Admins group of the forest root domain.

Access to Exchange Organization

Exchange 2003

The task of moving Exchange 2003 mailboxes requires the Exchange 2007 Management Tools on the computer running the Administration Service. The other Exchange 2003 related tasks do not require the Exchange Management Tools. For instructions on how to install the Exchange 2007 Management Tools, see

To enable Quest One ActiveRoles to perform Exchange-related tasks in the Exchange 2003 organization, the Exchange View-only Administrator role must be assigned to the service account if an override account is not used. With an override account, the role must be assigned to the override account. The Move Mailbox task requires that the Exchange Administrator role be assigned either to the service account (if no override account is used) or to the override account.

A role can be assigned using the Exchange Administration Delegation wizard. To start the wizard, select the Exchange organization in the Exchange System Manager tool, and then, on the Action menu, click Delegate Control.

The service account (or the override account) must also have Read and Write access to certain attributes in Active Directory, depending on the task. You can use the following links to view the comprehensive lists of those attributes grouped by task:

- Mailbox-enabling user objects
- Moving mailboxes
- Mailbox-disabling user objects
- Mail-enabling user objects
- Mail-disabling user objects
- Removing Exchange attributes on user objects
- Mail-enabling group objects
- Mail-disabling group objects
- Hiding group membership
- Removing Exchange attributes on group objects
- Mail-enabling contact objects
- Mail-disabling contact objects
- Removing Exchange attributes on contact objects

For more information, refer to the Working with Active Directory Permissions in Exchange Server guide.

Exchange 2007

In order to manage Exchange recipients in the Exchange 2007 organization, the following conditions must be met:

- The Administration Service must run in the Active Directory forest in which the Exchange organization is deployed. Install the Administration Service on a server belonging to any domain in that forest.
- On the computer running the Administration Service, the Exchange 2007 Management Tools must be installed and updated with Exchange Server 2007 Service Pack 2 (or a later update for Exchange Server 2007). See the steps below for details.
- The service account or the override account must be configured so that it has the appropriate rights in the Exchange organization. See instructions later in this section.

To install the Exchange 2007 Management Tools

1. Insert the Exchange Server 2007 DVD into the DVD drive. If Setup.exe does not start automatically, navigate to the DVD drive and double-click Setup.exe.
2. Follow the instructions on the Exchange Server 2007 Setup pages.
3. On the Installation Type page, click Custom Exchange Server Installation.
4. On the Server Role Selection page, select the Management Tools check box. Leave the other check boxes cleared.
5. Follow the instructions on the Exchange Server 2007 Setup pages to complete the installation. For details, see topic How to Install the Exchange 2007 Management Tools in Microsoft's documentation for Exchange Server 2007.
6. Update the Exchange 2007 Management Tools by installing Exchange Server 2007 Service Pack 2. You can download Exchange Server 2007 Service Pack 2 from Microsoft's Web site.

The appropriate rights in the Exchange 2007 organization must be delegated to the service account if an override account is not used. With an override account, the rights must be delegated to the override account. See the steps below for details.

If you want Quest One ActiveRoles to perform the Move Mailbox task in the Exchange 2007 organization, do not use an override account when registering domains with Quest One ActiveRoles. In this scenario, a domain must be registered with the option to access the domain using the service account information.

To configure the service account or the override account

1. Add the account to the Exchange Recipient Administrator role. If you plan to use Quest One ActiveRoles for managing mailbox rights, then add the account to the Exchange Organization Administrators role. For instructions, see topic How to Add a User or Group to an Administrator Role in Microsoft's documentation for Exchange Server 2007.
2. If you plan to perform the Move Mailbox task using Quest One ActiveRoles, add the service account to the Exchange Server Administrator role and to the Administrators local group on every Exchange Server. Note that Quest One ActiveRoles does not support the Move Mailbox task in Exchange 2007 if an override account is used. This task requires the domain registration option that directs the Administration Service to access the domain using the service account information (instead of using override account information).
3. Add the account to the Account Operators domain security group.
4. If the Administration Service is already installed and running, restart it after you have changed the configuration of the account: at a command prompt, enter net stop arssvc to stop the service, and then enter net start arssvc.

Exchange 2010

In order to manage Exchange recipients in the Exchange 2010 organization, the following conditions must be met:

- The Administration Service must run in the Active Directory forest in which the Exchange organization is deployed. Install the Administration Service on a server belonging to any domain in that forest.
- On the computer running the Administration Service, the Exchange 2010 Management Tools must be installed. For installation instructions, see topic Install the Exchange 2010 Management Tools in Microsoft's documentation for Exchange Server 2010.
- The service account or the override account must be configured so that it has the appropriate rights in the Exchange organization. See instructions later in this section.

The appropriate rights in the Exchange 2010 organization must be delegated to the service account if an override account is not used. With an override account, the rights must be delegated to the override account. See the steps below for details.

If you want Quest One ActiveRoles to perform the Move Mailbox task in the Exchange 2010 organization, do not use an override account when registering domains with Quest One ActiveRoles. In this scenario, a domain must be registered with the option to access the domain using the service account information.

To configure the service account or the override account

1. Make the account a member of the Recipient Management role group. For information about this role group, see the Recipient Management topic in the Built-in Role Groups section in Microsoft's documentation for Exchange Server 2010. For instructions on how to add a member to a role group, see the Add Members to a Role Group topic in Microsoft's documentation for Exchange Server 2010. Note that Quest One ActiveRoles does not support the Move Mailbox task in Exchange 2010 if an override account is used. This task requires the domain registration option that directs the Administration Service to access the domain using the service account information (instead of using override account information).
2. Add the account to the Account Operators domain security group.
3. If the Administration Service is already installed and running, restart it after you have changed the configuration of the account: at a command prompt, enter net stop arssvc to stop the service, and then enter net start arssvc.

Exchange 2013

In order to manage Exchange recipients in the Exchange 2013 organization, the service account or the override account must be configured so that it has the appropriate rights in the Exchange Organization. See instructions later in this section.

The Exchange 2013 management tools are not required on the computer running the Administration Service.

The appropriate rights in the Exchange 2013 organization must be delegated to the service account if an override account is not used. With an override account, the rights must be delegated to the override account. See the steps below for details.

To configure the service account or the override account

1. Make the account a member of the Recipient Management role group. For information about this role group, see the Recipient Management topic in the Built-in Role Groups section in Microsoft's documentation for Exchange Server 2013. For instructions on how to add a member to a role group, see the Manage Role Group Members topic in Microsoft's documentation for Exchange Server 2013.
2. Add the account to the Account Operators domain security group.
3. If the Administration Service is already installed and running, restart it after you have changed the configuration of the account: at a command prompt, enter net stop arssvc to stop the service, and then enter net start arssvc.

Support for Exchange 2013 Remote Shell

When performing management tasks on Exchange 2013 servers, Quest One ActiveRoles uses Windows PowerShell remoting to establish a connection between the computer running the ActiveRoles Administration Service and the server running Exchange 2013. This removes the requirement to install the Exchange 2013 management tools on the computer running the Administration Service.

Quest One ActiveRoles uses the Exchange Management Shell to perform Exchange management tasks. Normally, the Exchange Management Shell is installed as part of the Exchange management tools on each computer running the ActiveRoles Administration Service. However, with Exchange 2013 servers, you don't need to install the Exchange 2013 management tools on the computers running the Administration Service. In this case, the Administration Service connects to the closest Exchange 2013 server and uses remote Shell to execute Exchange commands on that server.

Remote Shell enables Quest One ActiveRoles to connect to Exchange 2013 servers without having the Exchange 2013 management tools installed on the computers running the ActiveRoles Administration Service. To use remote Shell, the Administration Service must be running on a computer that has:

- Windows Server 2012 or Windows Server 2008 R2 SP1 operating system.
- Microsoft .NET Framework 4.5 installed (see Installing the .NET Framework 4.5).
- Windows Management Framework 3.0 installed (see Windows Management Framework 3.0).

Remote Shell also requires the following:

- TCP port 80 must be open between the computer running the Administration Service and the remote Exchange 2013 server.
- The user account the Administration Service uses to connect to the remote Exchange server (the service account or the override account) must be enabled for remote Shell. To enable a user account for remote Shell, update that user account by using the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.
- Windows PowerShell script execution must be enabled on the computer running the Administration Service. To enable script execution for signed scripts, run the Set-ExecutionPolicy RemoteSigned command in an elevated Windows PowerShell window.
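The remote Shell requirements listed above can be checked before installation with a short preflight function. This is an added example, not part of the Quest guide; the function name and the Exchange server name passed to it are hypothetical, and the syntax is kept compatible with PowerShell 2.0 so that it also runs on a host where Windows Management Framework 3.0 is still missing.

```powershell
# Added example (not from the guide). Run on the Administration Service computer.
function Test-RemoteShellPrerequisite {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ExchangeServer      # hypothetical name of the Exchange 2013 server
    )

    # Windows Server 2012 is version 6.2; Windows Server 2008 R2 SP1 is 6.1 with SP1.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $osVersion = [version]$os.Version
    $osOk = ($osVersion -ge [version]'6.2') -or
            ($osVersion.Major -eq 6 -and $osVersion.Minor -eq 1 -and
             $os.ServicePackMajorVersion -ge 1)

    # .NET Framework 4.5 or later writes a Release value of 378389 or higher.
    $ndp = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $netOk = ($ndp -ne $null) -and ($ndp.Release -ge 378389)

    # Windows Management Framework 3.0 ships Windows PowerShell 3.0.
    $wmfOk = $PSVersionTable.PSVersion.Major -ge 3

    # TCP port 80 towards the Exchange server, with a 3 second timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ExchangeServer, 80, $null, $null)
        $portOk = $pending.AsyncWaitHandle.WaitOne(3000, $false) -and $client.Connected
    } catch {
        $portOk = $false
    } finally {
        $client.Close()
    }

    # RemoteSigned is what the guide asks for. AllSigned also runs signed scripts.
    # Unrestricted and Bypass pass the check but allow more than the guide needs,
    # so the effective value is reported for review.
    $policy = Get-ExecutionPolicy
    $policyOk = @('RemoteSigned', 'AllSigned', 'Unrestricted', 'Bypass') -contains "$policy"

    New-Object PSObject -Property @{
        OperatingSystem  = $osOk
        DotNet45         = $netOk
        Wmf3             = $wmfOk
        Port80Reachable  = $portOk
        ExecutionPolicy  = "$policy"
        ScriptsEnabled   = $policyOk
    }
}

# The account check has to be made in the Exchange Management Shell, for example:
#   Get-User -Identity <account> | Format-List RemotePowerShellEnabled
#   Set-User -Identity <account> -RemotePowerShellEnabled $true

Test-RemoteShellPrerequisite -ExchangeServer 'exch01.example.com'   # placeholder name
```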

Access to File Servers

To enable Quest One ActiveRoles to perform the provisioning and deprovisioning tasks related to user home folders and home shares, the service account (or the override account, if specified) must belong to the Server Operators or Administrators group on each file server that hosts the user home folders to be administered by Quest One ActiveRoles.

Quest One ActiveRoles provides the following policy categories to automate the management of user home folders and home shares:

- Home Folder AutoProvisioning: Performs the provisioning actions needed to assign home folders and home shares to user accounts, including the creation of home folders for newly created user accounts and renaming home folders upon renaming of user accounts. Specifies the server on which to create home folders and shares, and configures access rights to the newly created home folders and shares.
- Home Folder Deprovisioning: Makes the changes needed to prevent deprovisioned users from accessing their home folders, including the removal of the user's permissions on the home folder, changing the ownership of the home folder, and deleting the home folder when the user account is deleted.

The service account or override account must be configured so that it has sufficient rights to perform the operations provided for by those policies: create, modify (including the ability to change permission settings and ownership), and delete folders and shares on the designated file servers. You can give the required permissions to the service account or override account by adding that account to the appropriate administrative group (Administrators or Server Operators) on each file server where you are planning Quest One ActiveRoles to manage user home folders.

Access to BitLocker Recovery Information

Viewing BitLocker recovery passwords in Quest One ActiveRoles requires the domain administrator rights for the account being used by the ActiveRoles Administration Service to access the domain. Ensure that the service account or, if specified, the override account is a member of the Domain Admins group in each managed domain where you want to use Quest One ActiveRoles for viewing BitLocker recovery passwords.

With the domain administrator rights given to the ActiveRoles Administration Service, Quest One ActiveRoles allows delegated administrators to locate and view BitLocker recovery passwords held in the Active Directory domain. To view BitLocker recovery passwords, the delegated administrator must be granted the appropriate permissions in Quest One ActiveRoles. The following Access Template provides sufficient permissions to view BitLocker recovery passwords: Computer Objects - View BitLocker Recovery Keys

In addition, viewing BitLocker recovery passwords in a given domain requires the following:

- The domain must be configured to store BitLocker recovery information.
- The computers protected by BitLocker must be joined to the domain.
- BitLocker Drive Encryption must have been enabled on the computers.

The BitLocker recovery information is displayed on the BitLocker Recovery tab in the computer object's Properties dialog box, in the ActiveRoles console. It is also possible to perform domain-wide searches for BitLocker recovery passwords.

SQL Server Permissions

This section discusses the SQL Server permissions required to:

- Install Quest One ActiveRoles Administration Service (installation permissions)
- Run Quest One ActiveRoles Administration Service (operation permissions)
- Configure replication in Quest One ActiveRoles (replication configuration permissions)
- Run Quest One ActiveRoles replication (replication agent permissions)

Installation Permissions

The account that you use when installing the Administration Service must have sufficient rights on SQL Server to perform the installation tasks. Which account is used to access SQL Server during installation of the Administration Service depends upon the SQL Server connection option you select in the Administration Service Setup wizard.

- If you select the option to use Windows authentication, the Setup program accesses SQL Server with the Windows user account under which the Setup wizard is running.
- If you select the option to use SQL Server authentication, then the Setup program accesses SQL Server with the SQL login and password that you specify in the Setup wizard.

The required rights of the account that is used to access SQL Server during installation vary depending on your installation scenario:

- If you want the Setup program to create a new database for the Administration Service, then the account must be a member of the dbcreator fixed server role.
- If you want the Setup program to import data from Quest One ActiveRoles database of an earlier version (upgrade scenario), then the account must be a member of the db_owner fixed database role in the database from which the data is to be imported, and have the default schema of dbo in that database.
- If you want the Setup program to configure the Administration Service to use an existing database of the current version (scenario where multiple Administration Service instances share a single database or the database is restored from a backup), then the account must be a member of the db_owner fixed database role and have the default schema of dbo in that database.
- If you want the Setup program to use an existing blank database for the Administration Service (scenario where a database is created prior to installing the Administration Service), then the account must be a member of the db_owner fixed database role and have the default schema of dbo in that database.

Operation Permissions

The Administration Service accesses its database with the account specified during installation:

- If the option to use Windows authentication is selected in the Administration Service Setup wizard, then the Administration Service uses its Windows service account to access the database.
- If the option to use SQL Server authentication is selected, then the Administration Service accesses the database with the SQL login and password supplied in the Setup wizard.

In either case, the account must have sufficient rights on SQL Server to retrieve data from, and make changes to, the database. The required rights vary depending on the role of the Administration Service's database server in Quest One ActiveRoles replication environment.

Standalone mode

When initially installed, the Administration Service's database is configured not to participate in Quest One ActiveRoles replication. This configuration is referred to as standalone Administration Service. The account being used by the standalone Administration Service to access the database must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database.

Publisher mode

If the Administration Service's database server holds the role of the Publisher in Quest One ActiveRoles replication, then the account being used by the Administration Service to access the database must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database.

Additional rights are required if you want to see the replication status information and error messages in the Quest One ActiveRoles console. These additional rights are as follows:

- Default schema of dbo in the msdb system database.
- SELECT permission on the sysjobs, sysjobsteps and MSagent_parameters system tables in the msdb system database.
- SELECT permission on the sysservers system view in the master system database.
- EXECUTE permission on the xp_sqlagent_enum_jobs system extended stored procedure in the master system database.
- SELECT permission on the MSmerge_agents, MSmerge_history, MSmerge_sessions, MSsnapshot_agents and MSsnapshot_history system tables in the distribution database (AelitaDistributionDB database by default).

Subscriber mode

If the Administration Service's database server holds the role of a Subscriber in Quest One ActiveRoles replication, then the account being used by the Administration Service to access the database requires the same rights as in standalone mode: the account must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database.

Replication Configuration Permissions

After you install two or more Administration Service instances, each with its own database, you can deploy replication, if necessary, to synchronize the databases so that all your Administration Service instances have the same configuration and management history. Replication deployment begins when you configure the Publisher. Once the Publisher has been configured, the next step is to configure Subscribers.

The task of configuring the Publisher or a Subscriber requires more rights on SQL Server than the Administration Service needs for normal operation. To elevate the rights of the Administration Service, Quest One ActiveRoles prompts for an alternative account. The following topics elaborate on the permissions needed to create the Publisher or add a Subscriber.

Permissions for creating or removing the Publisher

To create the Publisher, the Administration Service needs sysadmin rights on SQL Server. If the Administration Service's account for database access does not belong to the sysadmin role, then Quest One ActiveRoles prompts you to supply an alternative account. The alternative account must:

- Be a member of the sysadmin fixed server role on the database server you are going to make the Publisher.

ActiveRoles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Publisher.

The same permissions are required for removing (demoting) the Publisher.

Permissions for adding or removing a Subscriber

To add a Subscriber, the Administration Service's database server needs to hold the Publisher role. When adding a Subscriber, the Administration Service makes changes on the Publisher database server and on the database server being configured as a Subscriber (Subscriber database server). Therefore, the Administration Service needs sufficient rights on both database servers.

On the Publisher database server, the Administration Service needs sysadmin rights. If the Administration Service's account for database access does not belong to the sysadmin role, then Quest One ActiveRoles prompts you to supply an alternative account for connection to the Publisher database server. The alternative account must:

- Be a member of the sysadmin fixed server role on the Publisher database server.

ActiveRoles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Subscriber.

On the database server you are going to make a Subscriber, the Administration Service needs db_owner rights on Quest One ActiveRoles database. If the Administration Service's account for database access does not have sufficient rights on the Subscriber database server, then Quest One ActiveRoles prompts you to supply an alternative account for connection to the Subscriber database server. The alternative account must:

- Be a member of the db_owner fixed database role in Quest One ActiveRoles's database on the database server you are going to make a Subscriber.
- Have the default schema of dbo in that database.

ActiveRoles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Subscriber.

The same permissions are required for removing a Subscriber.
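One way to audit the operation permissions described above, as an added example rather than Quest code: it reports whether the login used by the Administration Service is a direct member of db_owner with a default schema of dbo, and whether it also holds sysadmin, which the guide asks only of the alternative account supplied while configuring replication. The function names and the server, database and login values are assumptions, and the sample rows are constructed.

```powershell
# Added example, not Quest code. Function names and sample values are assumptions.
# Run the live query as a DBA: IS_SRVROLEMEMBER returns NULL when the caller is not
# allowed to inspect the login, and that case is reported rather than hidden.

$ArsAccessQuery = @'
SELECT
    IS_SRVROLEMEMBER(N'sysadmin', @login) AS IsSysadmin,
    u.name                AS DatabaseUser,
    u.default_schema_name AS DefaultSchema,
    CASE WHEN EXISTS (
        SELECT 1
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
        WHERE r.name = N'db_owner' AND rm.member_principal_id = u.principal_id
    ) THEN 1 ELSE 0 END   AS IsDbOwner
FROM (SELECT 1 AS one) AS x
LEFT JOIN sys.database_principals AS u ON u.sid = SUSER_SID(@login);
'@

function Get-ArsSqlAccessRow {
    # Queries a live server with Windows authentication and a parameterized login name.
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,  # <Computer>\<Instance> or <Computer>
        [Parameter(Mandatory)] [string] $Database,        # ActiveRoles configuration database
        [Parameter(Mandatory)] [string] $Login            # login the Administration Service uses
    )
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']         = $ServerInstance
    $csb['Initial Catalog']     = $Database
    $csb['Integrated Security'] = $true
    $connectionString = $csb.ToString()
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $ArsAccessQuery
        $cmd.Parameters.Add('@login', [System.Data.SqlDbType]::NVarChar, 128).Value = $Login
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()              # the query always returns exactly one row
        $sys  = $reader['IsSysadmin']
        $user = $reader['DatabaseUser']
        $schema = $reader['DefaultSchema']
        [pscustomobject]@{
            Login         = $Login
            IsSysadmin    = if ($sys    -is [System.DBNull]) { $null } else { [bool]$sys }
            DatabaseUser  = if ($user   -is [System.DBNull]) { $null } else { [string]$user }
            DefaultSchema = if ($schema -is [System.DBNull]) { $null } else { [string]$schema }
            IsDbOwner     = [bool]$reader['IsDbOwner']
        }
    }
    finally {
        $conn.Dispose()
    }
}

function Get-ArsSqlFinding {
    # Compares one result row with the minimum rights the guide lists for normal operation.
    # Only direct role membership is seen; rights inherited through a Windows group are not.
    param([Parameter(Mandatory)] $Row)
    $findings = @()
    if (-not $Row.DatabaseUser) {
        $findings += 'No database user is mapped to this login.'
    }
    else {
        if (-not $Row.IsDbOwner) { $findings += 'Not a direct member of db_owner.' }
        if ($Row.DefaultSchema -ne 'dbo') {
            $findings += "Default schema is '$($Row.DefaultSchema)', expected 'dbo'."
        }
    }
    if ($null -eq $Row.IsSysadmin) {
        $findings += 'sysadmin membership could not be determined.'
    }
    elseif ($Row.IsSysadmin) {
        $findings += 'Holds sysadmin permanently; the guide needs it only while configuring replication.'
    }
    if ($findings.Count -eq 0) { $findings = @('Meets the documented minimum, nothing extra found.') }
    foreach ($f in $findings) { [pscustomobject]@{ Login = $Row.Login; Finding = $f } }
}

# Constructed sample rows (not taken from a real server) so the checks run offline.
$constructedRows = @(
    [pscustomobject]@{ Login = 'EXAMPLE\svc-ars-a'; IsSysadmin = $false
                       DatabaseUser = 'EXAMPLE\svc-ars-a'; DefaultSchema = 'dbo'; IsDbOwner = $true },
    [pscustomobject]@{ Login = 'EXAMPLE\svc-ars-b'; IsSysadmin = $true
                       DatabaseUser = 'EXAMPLE\svc-ars-b'; DefaultSchema = 'guest'; IsDbOwner = $true },
    [pscustomobject]@{ Login = 'EXAMPLE\svc-ars-c'; IsSysadmin = $null
                       DatabaseUser = $null; DefaultSchema = $null; IsDbOwner = $false }
)
$constructedRows | ForEach-Object { Get-ArsSqlFinding -Row $_ } | Format-Table -AutoSize -Wrap

# Against a live server (placeholder names):
# Get-ArsSqlAccessRow -ServerInstance 'SQL01\ARS' -Database 'ActiveRolesConfig' `
#     -Login 'EXAMPLE\svc-ars-a' | ForEach-Object { Get-ArsSqlFinding -Row $_ }
```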

Replication Agent Permissions

In Quest One ActiveRoles replication, SQL Server replication agents (Merge Agents) are used to synchronize data between the Publisher and Subscriber databases. Each Subscriber has a dedicated replication agent running on SQL Server that hosts the Publisher database. Since the agent's role is to maintain the Publisher and Subscriber databases in sync with each other, the agent needs sufficient rights to access both the Publisher and Subscriber database servers.

The Administration Service creates and configures a replication agent when adding a Subscriber. In terms of SQL Server, this is a Merge Agent for a push subscription. According to SQL Server Books Online (see Replication Agent Security Model at msdn.microsoft.com/en-us/library/ms aspx), Merge Agent for a push subscription requires the following permissions.

The Windows account under which the agent runs is used when it makes connections to the Publisher and Distributor. This account must:

- At minimum be a member of the db_owner fixed database role in the distribution database (AelitaDistributionDB database by default).
- Be a member of the publication access list (PAL).
- Be a login that is associated with a user in the publication database (Quest One ActiveRoles database on the Publisher).
- Have read permissions on the snapshot share (by default, this is the ReplData folder on the administrative share C$).

The account used to connect to the Subscriber must at minimum be a member of the db_owner fixed database role in the subscription database (Quest One ActiveRoles database on the Subscriber).

By default, the security settings of a Merge Agent configured by Quest One ActiveRoles are as follows:

- The account under which the Merge Agent runs and makes connections to the Publisher and Distributor is the Windows service account of the SQL Server Agent service.
- The account the Merge Agent uses to connect to the Subscriber is the account under which the Merge Agent runs.

This means that, by default, Quest One ActiveRoles requires that the account of the SQL Server Agent service have all permissions the Merge Agent needs to make connections both to the Publisher/Distributor and to the Subscriber.

When adding a Subscriber, you have the option to supply a separate login for connection to the Subscriber. If you choose that option, the Merge Agent will use the login you supply (rather than the account of the SQL Server Agent service) to make connections to the Subscriber. In this case, it is the login you supply that must have db_owner rights in the subscription database. The SQL Server Agent service does not need to have any rights in the subscription database. However, it still must have all permissions the Merge Agent needs to make connections to the Publisher and Distributor.

Steps to Install the Administration Service

Quest One ActiveRoles requires Microsoft .NET Framework 4.5. You can use the following steps to update Microsoft .NET Framework on your server.

To update Microsoft .NET Framework

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD.
2. In the Autorun window, click Redistributables.
3. On the Redistributables page, click Microsoft .NET Framework 4.5.

The Administration Service requires Microsoft SQL Server. SQL Server may be installed on the Administration Service computer or on a different network computer. If you do not have Microsoft SQL Server deployed in your environment, you can install Microsoft SQL Server Express Edition from the Quest One ActiveRoles DVD.

To install Microsoft SQL Server Express Edition

- On the Redistributables page in the Quest One ActiveRoles DVD Autorun window, click SQL Server Express.

Now that you have access to SQL Server, you can install the Administration Service. The installation procedure depends on whether your computer already has the Administration Service installed. The following steps provide the guidance on how to install the Administration Service on a computer with no Administration Service installed. If you have the Administration Service installed on your computer, you should use the instructions given later in this document (see Upgrading the Administration Service).

To install the Administration Service

1. In the Quest One ActiveRoles DVD Autorun window, click Quest One ActiveRoles, and then click Administration Service in the list of the product components.
2. Follow the instructions in the Setup Wizard.
3. On the Select Features page, ensure that the Administration Service feature is selected for installation. The Administration Service requires ActiveRoles Management Shell for Active Directory, so the Setup program automatically installs the appropriate version of Management Shell if it was not installed earlier.
4. On the Service Account Information page, enter the name and password of the domain user account to be used as the Administration Service account.
5. On the ActiveRoles Admin Account page, accept the default account, or click Browse and select the group or user to be designated as ActiveRoles Admin.
6. If the Distributed COM Security Configuration page appears, click either Yes or No. Click Yes to add Authenticated Users to the Distributed COM Users group; otherwise, remote clients may not be able to access the Administration Service on this computer.
7. On the Service Deployment Options page, select the appropriate option, and then follow the instructions in the Setup Wizard.

The deployment options along with the remaining steps of the Setup Wizard are related to setting up the database that will hold configuration data of the Administration Service you are installing. These options and the corresponding steps are discussed in the sections that follow.

Installing Initial Service

This section covers the database-related steps of the Setup Wizard on the assumption that you are installing the first Administration Service in your environment.

To install initial Service

1. On the Service Deployment Options page, click Install initial Service.
2. On the Database and Connection Settings page, complete the Database area:
   a) In SQL Server, type the name of SQL Server in the form <Computer>\<Instance> (for named instance) or <Computer> (for default instance). Setup will create the database on the SQL Server instance you specify.
   b) In Database name, type a name for the database to be created.
3. Complete the Connection area:
   - To have the new Administration Service connect to SQL Server using the Administration Service account, click Use Windows authentication.
   - To have the new Administration Service connect to SQL Server using a SQL Server login, click Use SQL Server authentication and type the login name and password.
   On the Database and Connection Settings page you can select the Store Management History in a separate database check box. For information about this option and instructions on how to use this option, see Installing a Separate Management History Database later in this document.
4. On the Configuration Database Summary page, review the database and connection settings you are going to use.
5. Complete the Backup of Encryption Keys page, as described later in this section (see "Backup of Encryption Keys").
6. Follow the instructions in the wizard to complete the installation.

Backup of Encryption Keys

When creating the database, the Setup program generates a key set that the Administration Service will use to encrypt data in the database. The key set is specific to the database. You should save a backup copy of the encryption keys to a file and keep it in a secure location for database reuse, and for maintenance and troubleshooting procedures. You need a backup copy of the encryption keys when moving the Administration Service to another environment while preserving its configuration, or when restoring the database from a backup.

On the Backup of Encryption Keys page, the Setup Wizard prompts you to specify a file in which to save a copy of the encryption keys. You have the option to use password protection for that file.

To create a backup copy of encryption keys

1. On the Backup of Encryption Keys page, click the Browse button to specify the file name and location. When creating the database, the Setup Wizard will export the database encryption keys to that file.
2. Optionally, select the Use password protection for this file check box, and then type and confirm a password.

You will have to enter the specified password whenever you need to restore the keys from the file. If you lose or forget the password, it cannot be recovered.

Installing Additional Service

This section covers the database-related steps of the Setup Wizard under the following assumptions:

- You have at least one Administration Service version 6.9 up and running in your environment.
- You are installing one more Administration Service for load distribution and fault tolerance.

To install additional Service

1. On the Service Deployment Options page, click Install additional Service.
2. On the Configuration Synchronization Options page, click one of the following options, depending on how you want to synchronize the configuration of the new Administration Service with the configuration of the existing Administration Services:
   - Share common configuration database: Lets the new Administration Service use the database of an existing Administration Service so that the new Administration Service has the same configuration as the existing one.
   - Create new database, to be synchronized via replication: After installing the Administration Service, you will need to set up Quest One ActiveRoles replication for the new Administration Service to have the same configuration as existing ones.
3. If you have selected the option Share common configuration database, follow the instructions provided later in this section (see "Using Common Configuration Database").
4. If you have selected the option Create new database, to be synchronized via replication, use the instructions provided in the previous section (see "Installing Initial Service") to complete the wizard.

The database created by this option holds the pristine configuration of the Administration Service. To update and synchronize the new database with the configuration data of the Administration Services that were earlier deployed in your environment, you need to use the replication function. For instructions on how to set up replication of configuration data, refer to the Quest One ActiveRoles Administrator Guide.

Using Common Configuration Database

By selecting the option Share common configuration database you set up the new Administration Service so that it connects to the database of an existing Administration Service. The newly installed Administration Service automatically becomes a replica of the existing one.

This option makes it possible to centralize configuration storage. You can deploy multiple Administration Services of the same configuration without having to synchronize multiple databases via replication. Rather, you have the option for multiple Administration Services to share configuration data held in a single database on centrally deployed SQL Server.

This option also ensures that the newly installed Administration Service can immediately be used as a replacement for the existing Administration Service. Switching between Administration Services is transparent to Quest One ActiveRoles users as both instances of the Administration Service have the same configuration.

To have Administration Services use common configuration database

1. On the Configuration Synchronization Options page, click Share common configuration database.
2. On the Database and Connection Settings page, in the Database area, specify the SQL Server and database being used by an existing Administration Service version

3. On the Database and Connection Settings page, in the Connection area, select the appropriate authentication option:
   - To have the new Administration Service connect to SQL Server using the Administration Service account, click Use Windows authentication.
   - To have the new Administration Service connect to SQL Server using a SQL Server login, click Use SQL Server authentication, and type the login name and password.
   On the Database and Connection Settings page you can select the Store Management History in a separate database check box. For information about this option and instructions on how to use this option, see Installing a Separate Management History Database later in this document.
4. On the Configuration Database Summary page, review the database and connection settings you are going to use.
5. Complete the Provision of Encryption Keys page, as described later in this section (see "Encryption Keys Provisioning").
6. Follow the instructions in the wizard to complete the installation.

Encryption Keys Provisioning

In the configuration database, certain data is encrypted. For example, if an override account is specified for a managed domain, the credentials of that account are encrypted. To gain access to encrypted data, the newly installed Administration Service needs encryption keys.

The Provision of Encryption Keys page prompts you to choose how you want the new Administration Service to obtain the keys that are used to encrypt data in the specified database. You can choose from these options:

- Retrieve keys from existing Service: The Setup program retrieves the keys and passes them to the Administration Service you are installing. You need to have at least one Administration Service up and running that uses the specified database.
- Restore keys from a backup copy: You must provide the file to which the encryption keys were exported (see "Backup of Encryption Keys" in the Installing Initial Service section, earlier in this document).
- Generate new keys: The Setup program generates new encryption keys for the database and passes them to the Administration Service you are installing. The encrypted data that was previously stored in the database is lost.

To automatically provision encryption keys

- On the Provision of Encryption Keys page, click Retrieve keys from existing Service.

To restore encryption keys from a backup

1. On the Provision of Encryption Keys page, click Restore keys from a backup copy.
2. On the Restore of Encryption Keys page, specify the file containing a backup copy of the encryption keys you need. If the file is password-protected, type the password.

To generate new encryption keys

1. On the Provision of Encryption Keys page, click Generate new keys.
2. On the Backup of Encryption Keys page, click the Browse button to specify the file name and location: a backup copy of the new encryption keys will be saved in that file.
3. Optionally, select the Use password protection for this file check box, and then type and confirm a password.

The new encryption keys are passed only to the Administration Service you are installing. The other Administration Services are not provided with the new keys, and therefore may need to be reconfigured. For example, generating new keys causes the existing Administration Services that use the database in question to lose the credentials of the override accounts for access to managed domains. As a result, you would have to re-register Active Directory domains with those Administration Services.

Importing Configuration Data

When installing the Administration Service, you may need to import configuration data from an existing database in order to ensure that the newly installed Administration Service has the same configuration as the existing one. Importing configuration data to a newly created database instead of attaching the Administration Service to the existing database is necessary if the version of the Administration Service you are installing is greater than the version of the database you want to use. Some examples of such a situation are as follows:

- Restoring configuration data from a backup copy of the database whose version does not match the version of the Administration Service.
- Upgrading the Administration Service while preserving its configuration.

The following instructions on how to import configuration data are applicable to any situation where you choose to create a new database when installing the Administration Service. In this case, the Database and Connection Settings page includes the option Import data from this database that is intended to direct the Setup program to copy the configuration data to the newly created database.

To import configuration data

1. In the Database area on the Database and Connection Settings page, select the Import data from this database check box.
2. In the box next to Import data from this database, type the name of the database from which you want to import data. The source database must be located on SQL Server that hosts the database for the new Administration Service installation.
3. In the Connection area, select the authentication mode you want the Administration Service to use on SQL Server.
4. On the Configuration Database Summary page, review the database and connection settings you are going to use.
5. On the Import of Encrypted Data page, choose whether to import the encrypted data from the source database. Importing the encrypted data requires a backup copy of the encryption keys of the source database.
6. If you have chosen to import the encrypted data, on the Restore of Encryption Keys page, specify the file containing a backup copy of the source database encryption keys. If the file is password-protected, type the password.

7. On the Backup of Encryption Keys page, specify where to store a backup copy of the encryption keys for the new database.
8. Follow the instructions in the wizard to complete the installation.

Advanced Scenarios

This section covers the database-related steps of the Setup Wizard in the following scenarios:

- Using the database of an earlier Administration Service installation
- Using a pre-created, blank database

To implement any of these scenarios, you should select the Perform custom installation option on the Service Deployment Options page in the Setup Wizard.

Using the Database of an Earlier Administration Service Installation

When installing the Administration Service, you may need to have it use the database of an earlier installation of the Administration Service instead of creating a new database. The situations where the need arises to re-use an existing database include the following scenarios:

- Repairing the Administration Service installation by using Add or Remove Programs in Control Panel.
- Restoring the configuration database from a backup, and then reinstalling the Administration Service so that it uses the restored database.
- Installing a maintenance release of the Administration Service to update the existing Administration Service installation.

All of these scenarios presuppose that the database has the same version as the Administration Service you are installing. If the Administration Service version is greater than the database version, you should choose the option to create a new database and import data from the existing database (see Importing Configuration Data earlier in this document).

Assuming that the database has the same version as the Administration Service you are installing, you can use the following instructions to make the Administration Service use that database.

To use the database of an earlier Administration Service installation

1. On the Service Deployment Options page, click Perform custom installation.
2. On the Configuration Storage Options page, click Database of an earlier installed Service.
3. On the Database and Connection Settings page, specify SQL Server and the name of the database, and select the authentication mode you want the Administration Service to use on SQL Server.
4. On the Configuration Database Summary page, review the database and connection settings you are going to use.
5. Complete the Provision of Encryption Keys page by using the instructions given in the Installing Additional Service section earlier in this document (see "Encryption Keys Provisioning").
6. If you have chosen the option to generate new keys, use the Backup of Encryption Keys page to specify where to store a backup copy of the newly generated keys.
7. Follow the instructions in the wizard to complete the installation.

Using a Pre-created, Blank Database

When creating a database, the Setup program uses default values for database properties, such as the location and other parameters of the database files and transaction log files. If you need to adjust these properties, you should first create a blank database with the parameters that meet your requirements, and then have the Setup program attach the database to the Administration Service you are installing. Assuming that the database is already created, you can use the following instructions to implement this scenario.

To use a pre-created, blank database

1. On the Service Deployment Options page, click Perform custom installation.
2. On the Configuration Storage Options page, click Existing blank database.
3. On the Database and Connection Settings page, specify SQL Server and the name of the database, and select the authentication mode you want the Administration Service to use on SQL Server.
4. On the Configuration Database Summary page, review the database and connection settings you are going to use.
5. On the Backup of Encryption Keys page, specify where to store a backup copy of the encryption keys that the Setup program will generate for the database.
6. Follow the instructions in the wizard to complete the installation.

Verifying the Service Installation

To make certain that the Administration Service is up and running you might enter net start arssvc at a command prompt. Normally, this command should return the following message: The requested service has already been started.

The Setup program tries to grant the following privileges on the Administration Service computer to the Administration Service account:

SeServiceLogonRight: Log on as a service
SeTcbPrivilege: Act as part of the operating system
SeAssignPrimaryTokenPrivilege: Replace a process level token

If the Setup program fails to grant these privileges, it cannot install the Administration Service. You need to grant these privileges with User Rights Assignment in Group Policy, and then run the Setup Wizard again.
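The check described above can be scripted. The following PowerShell is an added example, not part of the Quick Start Guide: it reads the service state without starting it and reports whether the three user rights are granted directly to the service account. The account name is a hypothetical placeholder, and the script assumes an elevated session on the Administration Service computer.

```powershell
# Added example, not from the guide. Run elevated on the Administration Service computer.
$Account = 'CONTOSO\svc-ars'   # hypothetical service account name; replace with your own

$RequiredRights = @(
    'SeServiceLogonRight',            # Log on as a service
    'SeTcbPrivilege',                 # Act as part of the operating system
    'SeAssignPrimaryTokenPrivilege'   # Replace a process level token
)

function Resolve-Sid([string]$Identity) {
    # Return the SID string for an account name; pass SID strings through unchanged.
    if ($Identity -match '^S-1-\d+(-\d+)+$') { return $Identity }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Identity)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # name could not be resolved
    }
}

function Get-UserRightsTable {
    # Export the effective local User Rights Assignment and parse it into
    # a hashtable: right name -> list of holders (SIDs or account names).
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
        $table = @{}
        foreach ($line in Get-Content -LiteralPath $tmp) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                # SIDs are exported with a leading '*'; strip it.
                $table[$Matches[1]] = @($Matches[2].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ })
            }
        }
        return $table
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

# Read-only service check: unlike "net start arssvc", this never starts the service.
$service = Get-Service -Name 'arssvc' -ErrorAction SilentlyContinue
if ($service) { "Service arssvc status: $($service.Status)" }
else          { 'Service arssvc is not installed on this computer.' }

$accountSid = Resolve-Sid $Account
if (-not $accountSid) { throw "Cannot resolve account '$Account' to a SID." }

$rights = Get-UserRightsTable
$report = foreach ($right in $RequiredRights) {
    $holderSids = @($rights[$right]) | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ }
    [pscustomobject]@{
        Right   = $right
        # Direct grants only: a right held through group membership shows as False.
        Granted = ($holderSids -contains $accountSid)
    }
}
$report | Format-Table -AutoSize
```

The same table lists every principal that holds SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, which is worth reviewing because both rights allow acting with the identity of other accounts on that computer.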

Installing User Interfaces

Quest One ActiveRoles provides user interfaces for the Windows system and the Web, allowing users with appropriate rights to perform administrative activities. The user interfaces include:

MMC Interface, also referred to as the Quest One ActiveRoles console: An MMC snap-in that provides full access to the capabilities and functions of Quest One ActiveRoles.
Web Interface: A customizable Web application for performing day-to-day administrative tasks through the use of Quest One ActiveRoles.

Steps to Install the Console

The Quest One ActiveRoles console can be installed on any computer that meets the system requirements and has a reliable network connection to a computer running the Administration Service. It can also be installed on the Administration Service computer.

To install the Quest One ActiveRoles console

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD.
2. In the Autorun window, click Quest One ActiveRoles, and then click Console (MMC Interface) in the list of the product components.
3. Follow the instructions in the Setup Wizard to complete the installation.

Steps to Install the Web Interface

The Quest One ActiveRoles Web Interface can be installed on any computer that meets the system requirements and is running Internet Information Services (IIS) 7.0 or later. It is not necessary to install the Web Interface on the computer running the Administration Service. However, the computer that hosts the Web Interface must have a reliable network connection to a computer running the Administration Service.

Checking Web Interface Prerequisites

Windows Server 2008

On a Windows Server 2008 or Windows Server 2008 R2 based computer, ensure that the Web Server (IIS) server role with the following role services is installed:

Web Server/Common HTTP Features/
  Static Content
  Default Document
  HTTP Errors
  HTTP Redirection
Web Server/Application Development/
  ASP.NET
  .NET Extensibility
  ASP
  ISAPI Extensions
  ISAPI Filters

Web Server/Security/
  Basic Authentication
  Windows Authentication
  Request Filtering
Management Tools/IIS 6 Management Compatibility/
  IIS 6 Metabase Compatibility

The Web Interface Setup program automatically installs the required server role and role services. You can use Server Manager to verify that the required server role and role services are installed.

Windows Server 2012

On a Windows Server 2012 based computer, ensure that the Web Server (IIS) server role is installed, including:

Web Server/Common HTTP Features/
  Default Document
  HTTP Errors
  Static Content
  HTTP Redirection
Web Server/Security/
  Request Filtering
  Basic Authentication
  Windows Authentication
Web Server/Application Development/
  .NET Extensibility 4.5
  ASP
  ASP.NET 4.5
  ISAPI Extensions
  ISAPI Filters
Management Tools/IIS 6 Management Compatibility/
  IIS 6 Metabase Compatibility

The Web Interface Setup program configures the Web Server (IIS) server role to meet the Web Interface requirements. You can use Server Manager to verify that the server role is configured properly.

Feature Delegation

Web Interface requires Internet Information Services to provide Read/Write delegation for the following features:

Handler Mappings
Modules

Use Feature Delegation in the Internet Information Services (IIS) Manager tool to confirm that these features have delegation set to Read/Write.

Installing and Configuring the Web Interface

The Setup program allows you to configure the Web Interface to use:

Administration Service that runs on the same computer as the Web Interface
Administration Service that runs on a specified computer
Any available Administration Service that belongs to a specified replication group

Unless you choose the first option (Local Administration Service), you should ensure that the Web Interface users have the Log on locally privilege on the computer running the Web Interface. By default, all domain users have this privilege on workstations and member servers. However, for domain controllers, only domain administrators have this privilege by default.

Before installing the Web Interface, ensure that the Administration Service is up and running. Otherwise, Setup will fail to install the Web Interface. You might use the net start arssvc syntax to check the health of the Administration Service.

The procedure for deploying the Web Interface includes two stages:

Installing the Web Interface: At this stage, the files are copied to the computer, and three Web Interface sites are created based on the default configuration templates.
Creating, modifying or deleting Web Interface sites: At this stage, you can create additional sites, and modify or delete existing sites.

When creating Web Interface sites, you have the option to apply the configuration of an existing Web Interface site to the newly created one. If you have the Web Interface site tailored to meet your requirements, and need to deploy its instance on another Web server, this option ensures that the new Web Interface site has the same set of menus, commands and pages as the existing one.

The Setup Wizard creates three Web Interface sites based on the following configuration templates that are available out of the box:

Default Site for Administrators: Supports a broad range of tasks, including the management of directory objects and computer resources.
Default Site for Help Desk: Handles typical tasks performed by Help Desk operators, such as enabling/disabling accounts, resetting passwords, and modifying select properties of users and groups.
Default Site for Self-Administration: Provides User Profile Editor, allowing end users to manage personal or emergency data through a simple-to-use Web interface.

Each configuration template provides an individual set of commands installed by default. Once a Web Interface site has been created, you can customize its configuration by adding or removing commands, and by modifying Web pages (forms) associated with commands. The relevant procedures are outlined in the Quest One ActiveRoles Web Interface Administrator Guide.

To install the Web Interface

1. In the Quest One ActiveRoles DVD Autorun window, click Quest One ActiveRoles, and then click Web Interface in the list of the product components.
2. Follow the instructions in the Setup Wizard.

3. On the Administration Service Selection page, choose from the following options to specify what Administration Service you want the Web Interface to use:
   Administration Service on this computer: Use the Administration Service running on the computer where you are installing the Web Interface.
   Administration Service on the specified computer: Enter the name of the computer running the Administration Service you want the Web Interface to use.
   Any Administration Service of the same configuration: Specify any Administration Service whose database holds the necessary configuration, by typing in the DNS name of the computer running that Administration Service. If Quest One ActiveRoles replication is used to synchronize configuration data, this must be any Administration Service whose database server acts as the Publisher for the configuration database.
4. On the Ready to Install the Application page, click Next to start the installation process.
5. Wait while the wizard completes the installation.

The Setup Wizard creates three Web Interface sites based on the default configuration templates. Once installation has been completed, you can modify the Web server-related parameters, such as the virtual directory name, for these Web Interface sites, or delete Web Interface sites. You can also create additional Web Interface sites.

To create, modify or delete a Web Interface site

1. Start the Web Interface Sites Configuration wizard: click Start, and select All Programs Quest Software Quest One ActiveRoles Web Interface Sites Configuration.
2. Follow the instructions in the wizard.
3. On the Web Interface Configuration page, do one of the following:
   To create a site, click New.
   To modify a site, select it from the list and click Edit.
   To delete a site, select it from the list and click Delete.
4. If you have selected New or Edit, set up the following parameters:
   Location: The Web site where the Web Interface site (virtual directory) is located.
   Virtual directory: The name of the IIS virtual directory to which the Web Interface site is installed.
   Application name: This name is used to help identify the Web Interface site.
   Configuration settings: Create a new configuration based on a template and apply it to the Web Interface site, or use the configuration of an existing Web Interface site. Configuration specifies customizable settings of user interface elements, such as menus, commands, and Web pages (forms), displayed by the Web Interface. The configuration of a Web Interface site is stored as part of Quest One ActiveRoles configuration data. Multiple sites may use the same configuration.
5. Once you have completed the Web Interface Configuration page, click Next to continue.
6. On the Begin Configuration Process page, click Next for the wizard to start configuring the Web Interface site. During the configuration process, the wizard restarts the World Wide Web Publishing Service. While that service is being restarted, all Web applications deployed on this Web server are unavailable.
7. On the Configuration Results page, review the summary of the operations performed by the wizard, and check for success or failure of each operation. When you are done, click Finish to close the wizard.

Each Web Interface site can be accessed using the URL based on the name of the site's virtual directory:

In this notation, <WebSite> identifies the Web site where the virtual directory is located. For example, if the virtual directory is located under the default Web site, the URL is where <Computer> stands for the network name of the computer running the Web Interface and <Directory> stands for the name of the Web Interface site's virtual directory, as specified in the Web Interface Sites Configuration wizard.

Normally, Web Interface users connect to the Web Interface using an HTTP transport. An HTTP transport does not encrypt the data transferred from a Web browser to the Web Interface. If your business process requires a secure transport for passing data to the Web Interface, you should use an HTTPS transport. The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided by the Web server for data encryption. For instructions on how to enable SSL on your Web server, see Configuring Secure Sockets Layer in IIS 7 at

Installing Additional Features

In addition to the Administration Service, MMC Interface and Web Interface, Quest One ActiveRoles Setup allows you to install the following features:

Quest One ActiveRoles SDK: Provides developers with documentation and samples to help them customize Quest One ActiveRoles by creating custom client applications and user interfaces, and implementing business rules and policies based on custom scripts.
ADSI Provider: Enables custom applications and scripts to access directory data via Quest One ActiveRoles by using standard COM interfaces.
Collector: Gathers data required for reporting. When scheduled to run automatically, the Collector retrieves data, accessing specified data sources through the Administration Service, and stores the data on SQL Server.
Report Pack: A comprehensive suite of report definitions that cover all administrative actions available in Quest One ActiveRoles.

Steps to Install SDK and ADSI Provider

When installing the Administration Service, you have the option to also install Quest One ActiveRoles SDK. This feature installs documentation and samples to help customize Quest One ActiveRoles. Once installed, the SDK documentation can be accessed from the Start menu: All Programs Quest Software Quest One ActiveRoles SDK and Resource Kit.

The ADSI Provider is automatically installed when you install any of these features:

Administration Service
Quest One ActiveRoles SDK
Web Interface
MMC Interface (Quest One ActiveRoles console)

The ADSI Provider enables custom scripts and applications to access the Administration Service using standard ADSI COM interfaces. The ADSI Provider documentation is included in Quest One ActiveRoles SDK.

To install the Quest One ActiveRoles SDK and ADSI Provider

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD.
2. In the Autorun window, click Quest One ActiveRoles, and then click Administration Service in the list of the product components.
3. Follow the instructions in the Setup Wizard.
4. On the Feature Selection page, ensure that the SDK and Resource Kit feature is selected for installation. You may install SDK and ADSI Provider without installing the Administration Service. To do so, unselect the Administration Service feature.
5. Follow the instructions in the wizard to complete the installation.

The ADSI Provider can also be installed from a separate installation package. The package file is located in the folder ADSI Provider on the Quest One ActiveRoles DVD. To install the ADSI Provider, run setup.exe, located in that folder. You can also install the ADSI Provider from the Free Tools area on the Solutions page in the Quest One ActiveRoles DVD Autorun window.

Steps to Install the Reporting Components

Quest One ActiveRoles comes with a comprehensive suite of report definitions, contained in the Quest One ActiveRoles Report Pack. To work with reports, you must install the following features:

Collector
Report Pack

Installing the Quest One ActiveRoles Collector

The Quest One ActiveRoles Collector is used to prepare data for reporting, allowing you to configure, schedule, and execute data collection jobs.

To install the Collector

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD.
2. In the Autorun window:
   a) Click Quest One ActiveRoles.
   b) In the Reporting Components list, click Data Collector.
3. Follow the instructions in the Setup Wizard.

The Quest One ActiveRoles Collector stores report data in a database on SQL Server, and requires Microsoft SQL Server 2005 or a later version of SQL Server.

Installing the Quest One ActiveRoles Report Pack

The Report Pack requires Microsoft SQL Server Reporting Services (SSRS). Make sure that you have SSRS deployed in your environment. The Report Pack Setup Wizard prompts you for the address (URL) of the Report Server Web service. You can check for this address using the Report Server Virtual Directory Settings page in the Reporting Services Configuration Manager tool on the server where SSRS is installed.

To install the Report Pack

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD.
2. In the Autorun window:
   a) Click Quest One ActiveRoles.
   b) In the Reporting Components list, click Report Pack.
3. Follow the instructions in the Setup Wizard.
4. When prompted for the address of the Report Server Web service, type the URL of your SSRS report server. By default, the URL is where <ComputerName> stands for the name of the computer on which SSRS is installed.
5. When prompted to configure the data source, do the following:
   a) Click the Configure Data Source button.
   b) Use the Configure Data Source dialog box to specify the SQL Server instance that hosts the database you have prepared by using the Quest One ActiveRoles Collector, the name of the database, and the authentication method to use for connection to the database.
   Configuring the data source is an optional step. You may simply click Next in the Setup Wizard. If you do so, you will have to configure the data source after installing the Report Pack. For instructions, see the Working with Reports section in the Quest One ActiveRoles Administrator Guide.
6. Follow the instructions in the wizard to complete the installation.

Quest One ActiveRoles reports can be administered using Report Manager, a Web-based tool included with SSRS. Another option is to use Quest Knowledge Portal. For information on how to install, configure and use Quest Knowledge Portal, refer to Quest Knowledge Portal documentation that is included on the Quest One ActiveRoles DVD.

Silent Installation

The Quest One ActiveRoles setup program provides for silent installation of the following components:

Quest One ActiveRoles console
Web Interface
Quest One ActiveRoles ADSI Provider

You can perform a silent installation of these components on a computer that meets the system requirements for the component being installed. For example, prior to installing the MMC or Web Interface, you must ensure that the Microsoft .NET Framework and Microsoft Visual C++ redistributables are installed on the computer. A silent installation is done entirely from the command line, and requires no interaction.

Use the following instructions to perform silent installations of Quest One ActiveRoles components. A basic command-line syntax is provided for each component, along with the component-specific arguments. Depending on your requirements, you can also configure the standard Windows Installer (Msiexec.exe) command-line options. For more information about Windows Installer command-line options, see Command-Line Options at

Use the following Windows Installer command-line syntax for silent installations of the Quest One ActiveRoles components:

    msiexec /i "<Path to the .msi file>" /qn arguments

To have Windows Installer write information to a log file, thus documenting the installation process, you might alter this syntax as follows:

    msiexec /i "<Path to the .msi file>" /qn /l*v "C:\Log.txt" arguments

The .msi file is specific to the component you want to install. For each component, you can find the respective .msi file on the Quest One ActiveRoles DVD using the path specified in the following table.

COMPONENT: PATH TO THE FOLDER CONTAINING THE .MSI FILE
Console: <root>\quest One ActiveRoles 6.9\MMC Interface\
Web Interface: <root>\quest One ActiveRoles 6.9\Web Interface\
ADSI Provider: <root>\solutions\free Tools\ActiveRoles ADSI Provider\

The following two tables list the component-specific arguments you can use to complete the syntax.

Arguments for silent installation of the Quest One ActiveRoles console

ARGUMENT: PF_ARS_MMC=Path
DESCRIPTION: Use this argument to specify the location where you want to install the console (installation folder). If this argument is omitted, the default value is the following path: %ProgramFiles%\Quest Software\Quest One ActiveRoles\

Arguments for silent installation of the Web Interface

ARGUMENT: PF_ARS_WI=Path
DESCRIPTION: Use this argument to specify the location where you want to install the Web Interface (installation folder). If this argument is omitted, the default value is the following path: %ProgramFiles%\Quest Software\Quest One ActiveRoles\Web Interface 6.9\

ARGUMENT: SERVICE_LOCATION=LOCAL | REMOTE | ANYREPGROUP
DESCRIPTION: Use this argument to choose the Administration Service to which the Web Interface will connect. Specify one of the following:
  SERVICE_LOCATION=LOCAL for the Web Interface to connect to the Administration Service running on the same computer as the Web Interface.
  SERVICE_LOCATION=REMOTE for the Web Interface to connect to a certain Administration Service running on a different computer; the name of the computer must be specified by using REMOTE_SERVICE_NAME.
  SERVICE_LOCATION=ANYREPGROUP for the Web Interface to connect to any available Administration Service from a certain replication group; the Publisher of the replication group must be specified by using REMOTE_SERVICE_NAME.
If this argument is omitted, the default value is SERVICE_LOCATION=LOCAL.

ARGUMENT: REMOTE_SERVICE_NAME=Servername
DESCRIPTION: If SERVICE_LOCATION=REMOTE, the Servername value specifies the fully qualified DNS name of the computer running the Administration Service you want the Web Interface to connect to. If SERVICE_LOCATION=ANYREPGROUP, the Servername value specifies the fully qualified DNS name of the computer running the Administration Service whose SQL Server is the Publisher of the replication group you want the Web Interface to use. In both cases, this argument is required. If SERVICE_LOCATION=LOCAL, this argument is ignored.

ARGUMENT: ENABLEWEBLOG=0 | 1
DESCRIPTION: Use this argument to enable diagnostic logging in the Web Interface Sites Configuration utility, which might be helpful in isolating problems, if any, with the creation of Web Interface sites. Specify either ENABLEWEBLOG=1 to enable or ENABLEWEBLOG=0 to disable diagnostic logging. If this argument is omitted, the default value is ENABLEWEBLOG=0.

ARGUMENT: WEBLOGURL=Path\Filename
DESCRIPTION: If ENABLEWEBLOG=1, the Path\Filename value specifies the path and name of the file where you want the diagnostic records to be written. If this argument is omitted, the default value is the following path and file name: "C:\Quest.ArspWI.WebSitesConfigurationConsole.log" If ENABLEWEBLOG=0, this argument is ignored.
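The argument rules above can be enforced before msiexec is ever started. The following PowerShell is an added example, not part of the Quick Start Guide or the product: it builds the Web Interface command line from the documented arguments and rejects combinations the tables describe as invalid. The function name, the sample server name and the quoting checks are assumptions introduced for illustration, and the .msi path is the guide's own placeholder.

```powershell
# Added example, not from the guide. The helper name is hypothetical.
function New-ArsWebInterfaceMsiArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [ValidateSet('LOCAL', 'REMOTE', 'ANYREPGROUP')]
        [string] $ServiceLocation = 'LOCAL',
        [string] $RemoteServiceName,
        [string] $InstallFolder,      # PF_ARS_WI
        [switch] $EnableWebLog,       # ENABLEWEBLOG=1
        [string] $WebLogPath,         # WEBLOGURL
        [string] $MsiLogPath          # /l*v target
    )

    # A double quote inside a value would end the quoted argument early and let
    # the remainder be parsed as additional msiexec options or properties.
    foreach ($value in $MsiPath, $RemoteServiceName, $InstallFolder, $WebLogPath, $MsiLogPath) {
        if ($value -and $value.Contains('"')) {
            throw "Value contains a double quote: $value"
        }
    }

    # Quote a value; a trailing backslash would otherwise escape the closing quote.
    $quote = { param($v) '"' + $v.TrimEnd('\') + '"' }

    $argList = @('/i', (& $quote $MsiPath), '/qn')
    if ($MsiLogPath)    { $argList += '/l*v', (& $quote $MsiLogPath) }
    if ($InstallFolder) { $argList += 'PF_ARS_WI=' + (& $quote $InstallFolder) }

    $location = $ServiceLocation.ToUpperInvariant()
    $argList += "SERVICE_LOCATION=$location"
    if ($location -ne 'LOCAL') {
        # REMOTE and ANYREPGROUP both require a fully qualified DNS name.
        if ($RemoteServiceName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
            throw "SERVICE_LOCATION=$location requires REMOTE_SERVICE_NAME as a fully qualified DNS name."
        }
        $argList += "REMOTE_SERVICE_NAME=$RemoteServiceName"
    } elseif ($RemoteServiceName) {
        Write-Warning 'REMOTE_SERVICE_NAME is ignored when SERVICE_LOCATION=LOCAL.'
    }

    if ($EnableWebLog) {
        $argList += 'ENABLEWEBLOG=1'
        if ($WebLogPath) { $argList += 'WEBLOGURL=' + (& $quote $WebLogPath) }
    } elseif ($WebLogPath) {
        Write-Warning 'WEBLOGURL is ignored when ENABLEWEBLOG=0.'
    }

    return ($argList -join ' ')
}

# Constructed sample values. Replace the placeholder with the real .msi path.
$msi     = '<Path to the .msi file>'
$msiArgs = New-ArsWebInterfaceMsiArguments -MsiPath $msi -ServiceLocation REMOTE `
    -RemoteServiceName 'ars01.corp.example.com' -MsiLogPath 'C:\Log.txt'
$msiArgs   # the argument string that would be passed to msiexec

# Install only when the package exists; File.Exists returns false for the placeholder.
if ([System.IO.File]::Exists($msi)) {
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success, restart required
    if ($p.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($p.ExitCode); see C:\Log.txt"
    }
}
```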

Upgrading an Earlier Version

If an earlier version of the product is already installed, the Setup program first uninstalls the features of the old version, and then installs the features you have selected from the new version. Setup allows you to import configuration data stored by the previous version. When upgrading the Administration Service, you have the option to copy all data from the old database to the new one. In this way, Setup ensures that the configuration settings, including all permission and policy definitions and assignments, are identical to those used in the earlier installation.

Components Compatibility

To ensure a smooth upgrade to the new version, you should first upgrade the Administration Service and then upgrade the client components (Quest One ActiveRoles console and Web Interface) once you have upgraded the Administration Service. When upgrading the Administration Service, you should check that the user interfaces are compatible with the new version of the Administration Service.

The new Administration Service is only compatible with the Quest One ActiveRoles console (MMC Interface) and Web Interface of version 6.9. Earlier versions of the user interfaces may not work with the new Administration Service and thus need to be upgraded.

The user interfaces of Quest One ActiveRoles 6.9 are only compatible with the Administration Service version 6.9. Therefore, to use the Quest One ActiveRoles console or Web Interface version 6.9, you first need to upgrade the Administration Service.

Upgrade Issues

Impact on Quest One ActiveRoles Replication

The upgrade process of the Administration Service does not preserve the replication settings. An upgrade can only be performed if the Administration Service is not configured for replication. Before upgrading the Administration Service, you should ensure that its database server is not configured as a Subscriber or Publisher. Replication for the new Administration Service needs to be configured after the upgrade.

Impact on Custom Solutions

An upgrade of Quest One ActiveRoles components may affect custom solutions, if any, that rely on the functions of Quest One ActiveRoles. Custom solutions (such as scripts or other modifications) that work fine with the earlier version of Quest One ActiveRoles may cease to work after the upgrade. Prior to attempting an upgrade, you should test the existing solutions with the new version of Quest One ActiveRoles in a lab environment to verify that the solutions continue to work.

Impact on Unmanaged Domains

Upgrade of the Administration Service to version 6.9 converts unmanaged domains to regular managed domains. If you have any domains registered as unmanaged domains with an earlier version of Quest One ActiveRoles, then, after the upgrade, you will need to make them unmanaged by applying the built-in Policy Object Exclude from Managed Scope. For further information and instructions, see Configuring an Unmanaged Domain in the ActiveRoles Administrator Guide for version

Upgrading the Administration Service

You can upgrade the Administration Service of version 6.7 or 6.8. Direct upgrade of an earlier version to version 6.9. To upgrade an earlier version, you should first upgrade to version 6.8. This section covers the instructions on how to upgrade the Administration Service of version 6.7 or 6.8 to version 6.9.

When upgrading the Administration Service, you must choose the option to create a new database along with the option to update that new database by importing data from the old database of the Administration Service you are upgrading. This requires the database server to act as a stand-alone server as applied to Quest One ActiveRoles replication. If the database server is the Subscriber or Publisher role holder, use the Quest One ActiveRoles console to change replication settings as follows:

For a Subscriber, connect to the Administration Service whose database server holds the Publisher role and remove that Subscriber.
For the Publisher, connect to the Administration Service that uses the Publisher database server, remove all of its Subscribers, and then demote the Publisher.

Then, use the steps below to perform the upgrade.

To upgrade the Administration Service 6.7 or 6.8

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD.
2. In the Autorun window, click Quest One ActiveRoles, and then click Administration Service in the list of the product components.
3. Follow the instructions in the Setup Wizard.
4. On the Service Account Information page, enter the name and password of the user account to be used as the Administration Service account.
5. On the ActiveRoles Admin Account page, accept the default setting, or click Browse and select the group or user to be designated as ActiveRoles Admin.
6. On the Configuration Storage Options page, verify that the New database, to be created by this setup option is selected.
7. On the Database and Connection Settings page, in the Database area, configure the following settings:
   SQL Server: Identifies the SQL Server instance on which the database for the new Administration Service will be created.
   Database name: The name of the database to be created for the new Administration Service.
   Import data from this database: Identifies the database of the Administration Service you are upgrading. To import data from that database to the database of the new Administration Service, select the Import data from this database check box. The database from which to import data must be located on the SQL Server instance specified in the SQL Server box.
8. On the Database and Connection Settings page, in the Connection area, select one of these options:
   Use Windows authentication: Configures the Administration Service to connect to SQL Server using the Administration Service account.
   Use SQL Server authentication: Configures the Administration Service to connect to SQL Server using a SQL Server login. Type in the login name and password.

   On the Database and Connection Settings page you can select the Store Management History in a separate database check box. For information about this option and instructions on how to use this option, see Installing a Separate Management History Database later in this document.
9. Follow the instructions in the wizard to complete the installation.

Upgrade in Case of Shared Database

If multiple instances of the Administration Service use a single database, then you can perform an upgrade as follows:

1. On the computer running one of the Administration Service instances in question, install the Administration Service of the new version. When installing, choose to create a new database and import data from the database that was used by the earlier version of the Administration Service. As a result of this step, you will have an Administration Service instance of the new version connected to the new database containing the data imported from the old database. The other instances of the Administration Service are not upgraded at this point; they continue to use the old database.
2. Now that you have the database of the new version, you can upgrade the remaining instances of the Administration Service, one by one. On the computer running such an instance, install the Administration Service of the new version. When installing, choose the option to use an existing database and specify the database that was created on the previous step, when you upgraded the first instance of the Administration Service.

Once all the instances of the Administration Service are upgraded, the task is accomplished: multiple Administration Service instances of the new version use a single database updated with the data from your old Quest One ActiveRoles installation.

Importing Management History Data

A part of the Quest One ActiveRoles database, the Management History data storage is empty after the upgrade of the Administration Service if you choose the option to import data from the database of your existing installation. This behavior is due to the fact that the import operation performed by the Setup Wizard transfers only the configuration data: administrative right assignments, rule-based policy definitions, administrative view settings, and other parameters that determine the Quest One ActiveRoles work environment. The Management History data is excluded from the import operation in order to reduce the time it takes for the Setup Wizard to upgrade the Administration Service.

The Management History data describes the changes that were made to directory data via Quest One ActiveRoles. This includes information on who did what and when it was done as applied to the directory data management tasks. In Quest One ActiveRoles, the Management History data is used as a source of information for the Change History and User Activity reports.

After you have upgraded the Administration Service using the option to import data from the existing database, you need to take some additional steps to transfer the Management History data from your old Quest One ActiveRoles database to the new Quest One ActiveRoles database. The Administration Service installation includes the Management History Migration Wizard to help you perform this task.

To start the Management History Migration Wizard

On the computer on which you have installed the new version of the Administration Service, click Start, and select All Programs Quest Software Quest One ActiveRoles Management History Migration Wizard.

The wizard is intended to populate a new storage of Management History data with your existing Management History data, to make the data available to the Quest One ActiveRoles user interfaces after your upgrade to the new version of the Administration Service. The wizard merges the Management History data found in the source database with the data stored in the destination database. Note that the wizard only adds new data, keeping intact any data that already exists in the destination database. You may import your old data at any time after you have upgraded the Administration Service, without being afraid of losing any data.

To import Management History data

1. Start the Management History Migration Wizard, and follow the instructions on the wizard pages.
2. On the Choose the Source Database page, specify the database from which you want to import data (normally, this should be the database that was in use by your earlier version of the Administration Service):
   a) Type the name of the SQL Server instance that hosts the database. Specify the name in the form computername for the default instance or computername\instancename for a named instance.
   b) Type the name of the database.
   c) Specify the authentication mode. Depending on the option you select, either your Windows account or the SQL Server login you provide must have sufficient rights to retrieve data from the database.
3. On the Choose the Destination Database page, specify the database to which you want to import data (normally, this should be the database that is in use by the newly installed Administration Service, which is the default setting on this page):
   a) Verify the name of the SQL Server instance that hosts the database. If necessary, type a different name. The name should be in the form computername for the default instance or computername\instancename for a named instance.
   b) Verify the name of the database. If necessary, type a different name.
   c) Specify the authentication mode. Depending on the option you select, either your Windows account or the SQL Server login you provide must have sufficient rights to update data in the database.
4. On the Records to Migrate page, specify whether you want to import all the data records or a certain range of data records. You may choose not to import all the data records since importing a large volume of data may take hours or more.
5. On the Ready to Start page, click Next to start the import operation.

Upgrading Other Components

Quest One ActiveRoles components normally allow upgrade by installing the component of a later version over an earlier one (seamless upgrade). You can upgrade Quest One ActiveRoles components of version 6.7 or 6.8. If you have an earlier version, you should first upgrade to version 6.8.

To upgrade, install the component on the computer with the old version installed, as described earlier in this document. Setup first uninstalls the earlier version, and then installs the later version of the component, leaving the component's configuration intact.

The seamless upgrade is available for the following components:

- Console (MMC Interface): To upgrade, install a later version on the computer where an earlier version is installed. For instructions, see the steps To install the Quest One ActiveRoles console earlier in this document.
- Web Interface: To upgrade, install a later version on the computer where an earlier version is installed. For instructions, see the steps To install the Web Interface earlier in this document.
- ADSI Provider and SDK: To upgrade, install a later version on the computer where an earlier version is installed. For instructions, see the Steps to Install SDK and ADSI Provider section earlier in this document. Note that you do not need to install or upgrade the ADSI Provider on the computers running any of the Quest One ActiveRoles components that have it as a part of the component installation, such as the Quest One ActiveRoles console, Web Interface, Administration Service, or ActiveRoles Management Shell.
- ActiveRoles Management Shell: To upgrade, install a later version on the computer where an earlier version is installed. For installation instructions, see the ActiveRoles Management Shell Administrator Guide included on the Quest One ActiveRoles distribution media.

Upgrade of the Reporting Components

The Quest One ActiveRoles reporting components should be upgraded in the following order:

1. Quest Knowledge Portal
2. Quest One ActiveRoles Collector
3. Quest One ActiveRoles Report Pack

Quest Knowledge Portal

If Quest Knowledge Portal is used to view Quest One ActiveRoles reports in your environment, upgrade Quest Knowledge Portal. For instructions, see the Upgrade section in the Quest Knowledge Portal Installation and Configuration Guide included on the Quest One ActiveRoles distribution media.

Quest One ActiveRoles Collector

To upgrade, first uninstall your earlier version of the Collector and then install the new version. You can uninstall the Collector by using Programs and Features in Control Panel. Once you have uninstalled your earlier version of the Collector, install the new version. For instructions, see Installing the Quest One ActiveRoles Collector earlier in this document.

Quest One ActiveRoles Report Pack

To upgrade, first uninstall your earlier version of the Report Pack and then install the new version. The Report Pack should be uninstalled on the computer that was initially used to install the Report Pack. You can uninstall the Report Pack by using Programs and Features in Control Panel. Once you have uninstalled your earlier version of the Report Pack, install the new version. You can do this on the same computer that was used to install the earlier version of the Report Pack. For installation instructions, see Installing the Quest One ActiveRoles Report Pack earlier in this document.

Separate Management History Database

When installing the Administration Service, you have the option to specify a separate database for storing Management History data. This installation option is intended to support advanced deployment scenarios where it is impractical to use the same database for both Management History data and Configuration data. The use of a separate Management History database could be justified by reducing replication traffic when multiple Administration Service instances synchronize their configuration data via Quest One ActiveRoles replication, or by reducing database size when multiple Administration Service instances share the same Configuration database.

It is important to note that multiple Administration Service instances can be configured to share common Management History data only if they share common Configuration data. Data sharing may be achieved by means of Quest One ActiveRoles replication or by having multiple Administration Service instances use the same Configuration or Management History database. For example, if you want two instances of the Administration Service to use the same Management History database, you have to ensure that any one of these conditions is fulfilled: (1) both instances use the same Configuration database or (2) if each of the two instances uses its own Configuration database, the two databases are synchronized by using Quest One ActiveRoles replication; otherwise, the Administration Service will fail to start.

The Management History data includes:

- Information about the changes to directory data that were made by Quest One ActiveRoles users. This information is used to prepare the Change History and User Activity reports.
- Information about the approval, temporal group membership, and deprovisioning tasks. This information is used by the Quest One ActiveRoles features such as Approval Workflow, Temporal Group Memberships, and Undo Deprovisioning.

Many important features and functions of Quest One ActiveRoles heavily rely on consistency and availability of Management History data. With multiple Administration Service instances of common configuration, it is highly advisable for the Administration Service instances to share the same Management History data. The default installation of the Administration Service meets this requirement by using a single database to store both Configuration data and Management History data.

However, if you decide to separate the Management History data store from the Configuration data store, you can do this when installing the Administration Service: the option to store Management History in a separate database is available on the Database and Connection Settings page in the Administration Service Setup Wizard. The behavior of the option depends upon whether you choose to create a new database or use an existing database for the Administration Service you are installing.

Creating a New Database

The Administration Service Setup program creates a new Configuration database in the following deployment scenarios:

- Installation of the new Administration Service instance on a clean computer.
- Upgrade of the Administration Service instance that uses the database of an earlier schema version.

In both scenarios, the Setup Wizard provides the option to create a separate Management History database. By default, that option is not selected with the first scenario: we recommend that the same database be used to hold both Configuration and Management History data. As for the second scenario, the Setup program checks to see whether the Administration Service instance you are upgrading is already configured to use a separate Management History database. If so, the option is selected by default; otherwise, the option is not selected.

During the upgrade, the Setup Wizard creates a new Configuration database and, if the option to use a separate Management History database is selected, it also creates a new Management History database. The default behavior of the Setup Wizard in this scenario is to import the existing configuration data to the new Configuration database. However, the existing Management History data is not imported during the upgrade. You have to use the Management History Migration Wizard to import the Management History data after the upgrade. The data should be imported to the database you chose to store Management History: the database that also stores Configuration data or a separate database. For more information and instructions, see Importing Management History Data earlier in this document.

You can use the following steps to upgrade an Administration Service instance of an earlier version in the situation where the instance is configured to use a separate Management History database.

1. Ensure that the Administration Service instance you are going to upgrade does not participate in Quest One ActiveRoles replication:
   a) In the Quest One ActiveRoles console connected to that Administration Service instance, inspect the contents of the Configuration/Server Configuration/Configuration Databases container to verify that the replication role of the database server is Standalone.
   b) If the database server has the replication role of Subscriber, connect to the Publisher Administration Service and delete that Subscriber from the Configuration Databases container.
   c) If the database server has the replication role of Publisher, delete all the Subscribers from the Configuration Databases container and then run the Demote command on the Publisher in that container.
2. Start the Administration Service Setup program from the Quest One ActiveRoles page in the Quest One ActiveRoles DVD Autorun window (click the corresponding link on that page).
3. Follow the steps in the Setup Wizard until you reach the Database and Connection Settings step.
4. Verify the settings on the Database and Connection Settings page to ensure that the Store Management History in a separate database check box is selected, and then click Next.

5. On the Management History Database page, specify the location and name of the database to be used for storing Management History by the Administration Service after the upgrade. This cannot be the database that is used by the Administration Service instance you are upgrading. Setup needs to create a new database since the existing one is incompatible with the new version of Quest One ActiveRoles.
6. Follow the steps in the Setup Wizard to complete the upgrade.

Using an Existing Database

Another deployment scenario that involves the use of a separate Management History database is as follows:

- You already have an Administration Service instance deployed that stores Management History in a separate database.
- You want to install an additional Administration Service instance and configure the new instance to use the same Management History database as the existing instance.

In this scenario, when installing the new Administration Service, you select the corresponding option on the Database and Connection Settings page in the Setup Wizard, and then specify the location and the name of the Management History database that is used by the existing instance of the Administration Service.

With this scenario, you configure two instances of the Administration Service to use the same Management History database, so you need to ensure that both instances have the same configuration data. When installing the additional Administration Service instance, choose the option to share common configuration database.

For more information and instructions on how to separate the Management History data store from the Configuration data store, see the Replication of Management History Data and Centralized Management History Storage sections in the Quest One ActiveRoles Administrator Guide.

Performing a Pilot Deployment

In a large enterprise environment, a pilot project may need to be conducted before upgrading to the new version of the product. In a pilot project, you deploy components of the new version in your production environment side-by-side with the existing installation of the components you are going to upgrade, evaluate the results, and fix problems. Normally, a pilot project is conducted with a small group of users in the production environment where select individuals perform particular tasks using the new version of the product. This demonstrates that the new version works as expected and that it meets the organization's requirements.

A pilot project is a deployment of the new product version to a subset of the user group. Those who do not participate in the pilot project perform their regular, daily work using the old version of the product. This requires that the old version be up and running in the production environment side-by-side with the pilot deployment. When the pilot project is deemed successful and ready for production, you can upgrade your existing production components to the new version.

Deploying a pilot project involves the following steps:

1. Installing the pilot Administration Service. Install a new Administration Service instance of the version that you have in your production Quest One ActiveRoles environment, and update the new instance with the configuration data from your production Administration Service.
2. Installing the pilot Web Interface. Install a new Web Interface instance of your production Quest One ActiveRoles version so that the new instance connects to the Administration Service you installed in Step 1. If any non-default Web Interface sites are created in your production environment, you need to create the corresponding site or sites in the newly installed Web Interface. You also have to ensure that each site in the newly installed Web Interface uses the same configuration as the respective site in your production Web Interface.
3. Upgrading the pilot Administration Service. Upgrade the Administration Service you installed in Step 1, with the option to preserve the configuration data.
4. Upgrading the pilot Web Interface. Upgrade the Web Interface you installed in Step 2, with the option to connect to the Administration Service you upgraded in Step 3.
5. Installing the console. Install the ActiveRoles console of the new version.

To successfully deploy a pilot project, you have to perform these steps in exactly the same order as they are listed above.

Installing the Pilot Administration Service

When creating your pilot instance of the Administration Service, you need to ensure that it has the same configuration as your production instances of the Administration Service. This can be achieved as follows:

1. Install an additional Administration Service of the same version as you have in your production environment, with the option to create a new, separate configuration database for that Administration Service. Use the installation instructions included in the Quick Start Guide for the respective version of Quest One ActiveRoles. This Administration Service instance will become your pilot Administration Service.
2. Have the newly installed Administration Service replicate configuration data from your existing instances of the Administration Service. For instructions on how to configure Quest One ActiveRoles replication, refer to the Administrator Guide for the respective version of Quest One ActiveRoles.

If Quest One ActiveRoles replication is already set up in your environment, simply add the newly installed Administration Service as a Subscriber for the Administration Service acting as the Publisher in the Quest One ActiveRoles replication group. Otherwise, make your production Administration Service the Publisher, and then add the newly installed Administration Service as a Subscriber.

Once the Quest One ActiveRoles replication function has completed copying the data to the new Subscriber, remove the newly installed Administration Service from the Quest One ActiveRoles replication group. In this way you ensure that your pilot Administration Service has the same configuration as your production Administration Service, while isolating the configuration of your pilot Quest One ActiveRoles deployment.

Installing the Pilot Web Interface

Once you have installed your pilot Administration Service and updated its configuration, you are ready to install the Web Interface for your pilot project. Install a new Web Interface instance of the same version as you have in your production environment. Use the installation instructions included in the Quick Start Guide for the respective version of the Administration Service. This Web Interface instance will become your pilot Web Interface.

When prompted by the Setup Wizard to specify the Administration Service, choose one of these options depending upon the location of your pilot Administration Service:

- If the Administration Service is installed on the computer on which you are installing the Web Interface, then choose the option to use the local Administration Service.
- If the Administration Service is installed on a different computer, then choose the option to use the Administration Service running on a specific computer and supply the name of that computer.

After you have installed the Web Interface, you need to ensure that the sites of the newly installed Web Interface match the sites of your production Web Interface. Use the Web Interface Sites Configuration tool to examine and compare the production Web Interface sites and the newly installed Web Interface sites, and, if necessary, create additional sites or delete the unwanted sites for your pilot Web Interface. To start the tool, select Start | All Programs | Quest Software | Quest One ActiveRoles | Web Interface Sites Configuration.

Start the Web Interface Sites Configuration tool on the computer running your production Web Interface. If the Welcome page appears, click Next. Examine the list on the Web Interface Configuration page: each entry in the list identifies a certain Web Interface site in your production Quest One ActiveRoles environment. For each list entry, note down the name displayed in the Configuration column.

Start the Web Interface Sites Configuration tool on the computer running your pilot Web Interface and proceed to the Web Interface Configuration page. Examine the list on that page and compare the names in the Configuration column with the names you noted down earlier.

Use the Web Interface Sites Configuration tool to create additional sites and delete unwanted sites as needed:

- If a list entry with a certain configuration name exists on the production Web Interface but is missing from the pilot Web Interface, then you need to create an additional site: click New, choose the Use existing configuration option, and select the same configuration name as in the respective list entry on the production Web Interface. Repeat this for each list entry that is missing from your pilot Web Interface.
- If a list entry with a certain configuration name exists on your pilot Web Interface but does not exist on the production Web Interface, then you should delete the respective site from the pilot Web Interface: select that entry from the list and click Delete. Repeat this for each list entry that does not exist on the production Web Interface.

Now that you have installed and configured the Web Interface for your pilot project, you can upgrade the pilot Administration Service, and then upgrade the pilot Web Interface to the new version.

Upgrading the Pilot Administration Service

When performing the upgrade, you need to preserve the existing configuration of the Administration Service. This can be done by importing the configuration data from the database of the Administration Service you are upgrading. For instructions, see the Upgrading the Administration Service section earlier in this document.

Upgrading the Pilot Web Interface

Once you have upgraded the pilot Administration Service, upgrading the Web Interface is straightforward. Install the new version of the Web Interface on the computer on which you have installed your pilot Web Interface. When the Setup Wizard prompts you for the Administration Service, ensure that the Web Interface is configured to use your pilot Administration Service. Select the option to use the Administration Service either on the local computer or on the specified computer, depending on where your pilot Administration Service is installed.

Installing the Quest One ActiveRoles Console

You need the latest version of the Quest One ActiveRoles console if you want to connect to the latest version of the Administration Service. Since the latest version of the console does not connect to the Administration Service of an earlier version, the use of the latest console version for your pilot project assures automatic connection to the pilot Administration Service. For installation instructions, see the Steps to Install the Console section earlier in this document.

Transfer to New OS or SQL Server Version

When performing a pilot deployment, you may want to have the new version of the Quest One ActiveRoles components installed on a server running the latest Windows operating system, which is not necessarily supported by your current version of Quest One ActiveRoles. For example, version 6.7 of the Administration Service or Web Interface cannot run on Windows Server 2012 whereas version 6.8 or later can. Additionally, you may need the new Quest One ActiveRoles database to be hosted on the latest version of SQL Server, which is not necessarily supported by your current product version. For example, the database of version 6.7 cannot be hosted on SQL Server 2012 whereas the database of version 6.8 or later can.

These limitations may not allow you to deploy the pilot Quest One ActiveRoles components by directly upgrading their earlier version on a single server running the latest release of the Microsoft Windows operating system or Microsoft SQL Server.

To deploy the pilot Quest One ActiveRoles components on a server running the Windows operating system that is not supported by your current product version, you have to use an interim server. You first install and upgrade your pilot Quest One ActiveRoles components on the interim server so as to create a replica of your production configuration based on the new version of Quest One ActiveRoles, and then install the new product version on a server with the appropriate Windows operating system, leveraging the configuration replica you have created using the interim server.

The interim server should run the Windows operating system that is supported by both your current and new product versions (for example, Windows Server 2008 in case of versions 6.7 and 6.9). If you also plan to move the product's database to a new version of SQL Server, the interim server should also run a SQL Server version that is supported by both versions of the product (for example, SQL Server 2008 in case of versions 6.7 and 6.9).

Once you have prepared the interim server, you first install and upgrade the pilot components on that server as described earlier in this document:

1. Install your current version of the Administration Service on the interim server and use the replication function to update the newly installed Administration Service with the configuration data from your production environment (see Installing the Pilot Administration Service).

   Important: The use of replication ensures that your production configuration is correctly copied to the pilot environment. We recommend the use of replication to transfer configuration data from the production environment to the pilot environment. After replication is finished, remove the Administration Service from replication partnership with your production environment.

2. Install your current version of the Web Interface on the interim server. Choose the option that directs the Web Interface to use the local Administration Service (select the Administration Service on this computer option button on the Administration Service Selection page in the Setup wizard).

3. Use the Web Interface Sites Configuration tool on the interim server to make sure that the sites of the newly installed Web Interface match the Web Interface sites configured in your production environment. Note that custom sites, if any were created in your production environment, do not automatically appear in the pilot Web Interface you installed. You have to create them, selecting the appropriate configuration in the Web Interface Sites Configuration tool. For more information, see Installing the Pilot Web Interface.

   Important: Installation of the Web Interface, as opposed to upgrade, only creates the three default Web Interface sites, even though the Administration Service's database contains the configuration data specific to any non-default (custom) Web Interface sites. After installation is complete, you must use the Web Interface Sites Configuration tool to create custom Web Interface sites based on the configuration data hosted by the Administration Service.

4. Upgrade the Administration Service on the interim server. During the upgrade, let the Administration Service Setup wizard create a new database and import data from the database of the Administration Service you are upgrading. For more information, see the Upgrading the Administration Service steps earlier in this document.
5. Upgrade the Web Interface on the interim server, by installing the new version of the Web Interface. Choose the option that directs the Web Interface to use the local Administration Service (select the Administration Service on this computer option button on the Administration Service Selection page in the Setup wizard).

   As a result of these steps, on the interim server you have a replica of your production configuration upgraded to the new version.

   Important: The upgrade requires your earlier version of both the Administration Service and the Web Interface to be installed. You should first upgrade the Administration Service and then upgrade the Web Interface; otherwise, the upgrade of the Web Interface's configuration will fail. The installation of the earlier Web Interface version is mandatory for the upgrade process to perform correctly.

6. Install the new version of the Administration Service on your target server, with the option to use the same database that is used by the Administration Service running on the interim server. Choose the following options in the Setup wizard:
   a) On the Service Deployment Options page, select Install additional Service.
   b) On the Configuration Synchronization Options page, select Share common configuration database.
   c) On the Database and Connection Settings page:
      - In SQL Server, specify the SQL Server instance that hosts the database of the Administration Service running on the interim server.
      - In Database name, type the name of the database that is used by the Administration Service running on the interim server.
      - Under Connection, choose the appropriate authentication method for connection of the Administration Service to the database.
   d) On the Provision of Encryption Keys page, select Retrieve keys from existing Service. For this option to perform as expected, ensure that the Administration Service on the interim server is up and running.
7. Install the new version of the Web Interface on your target server. On the Administration Service Selection page in the Setup wizard, select Any Administration Service of the same configuration and type the fully qualified DNS name of the computer running the Administration Service you installed in the previous step.

8. On the target server where you have installed the Web Interface, use the Web Interface Sites Configuration tool to create the custom sites based on existing custom configurations. This step is required if any custom Web Interface sites, in addition to the three default Web Interface sites, are deployed in your production environment.
9. Decommission the interim server by uninstalling the product components on that server, in the following order:
   a) Uninstall the console (MMC Interface). Skip this step if you did not install the console on the interim server.
   b) Uninstall the Web Interface.
   c) Uninstall the Administration Service.

As a result of these steps you achieve a pilot deployment of the new version of Quest One ActiveRoles with the following characteristics:

- The pilot Administration Service on the target server running the new version of the Microsoft Windows Server operating system
- The pilot Web Interface on the target server running the new version of the Microsoft Windows Server operating system
- The pilot Administration Service and Web Interface have the same configuration as in your production environment.

To add the Quest One ActiveRoles console (MMC Interface) to the pilot deployment, simply install the new version of the console on an appropriate server and have the console connect to your pilot Administration Service.

Transferring Database to New SQL Server Version

The steps are somewhat different in case of migration to a new version of SQL Server. For the purpose of this discussion, let us assume the following names:

- IntrmSRV: Interim server; for instance, a Windows Server 2008 based computer running SQL Server. This server should meet the system requirements of both your current production version and new version of Quest One ActiveRoles.
- TgtSQLSRV: SQL Server that will host the Quest One ActiveRoles database for your pilot deployment; for instance, Microsoft SQL Server. This SQL Server should meet the system requirements of the new version of Quest One ActiveRoles.
- TgtARSRV: Computer that will run your pilot Administration Service; for instance, a Windows Server 2012 based computer. This server should meet the system requirements of the new version of Quest One ActiveRoles.
- TgtARSWI: Computer that will run your pilot Web Interface; for instance, a Windows Server 2012 based computer. This server should meet the system requirements of the new version of Quest One ActiveRoles.

Given these assumptions, the steps will look as follows:

1. Install your current production version of the Administration Service on IntrmSRV, with the option to create the database on SQL Server running on IntrmSRV. Use the replication function to update the newly installed Administration Service with the configuration data from your production environment.
2. Install your current production version of the Web Interface on IntrmSRV, with the option to use the Administration Service running on IntrmSRV (select the Administration Service on this computer option button on the Administration Service Selection page in the Setup wizard).
3. On IntrmSRV, use the Web Interface Sites Configuration tool to create the custom sites based on existing custom configurations. This step is required if any custom Web Interface sites, in addition to the three default Web Interface sites, are deployed in your production environment.
4. Use SQL Server Management Studio to create a backup of the Administration Service's database on SQL Server running on IntrmSRV:
   a) In Object Explorer, right-click the database and select Tasks | Back Up.
   b) On the Back Up Database page, in the Destination area, confirm the default path and name of the backup file or specify a different path and name of the backup file, and then click OK.
   c) Wait while SQL Server creates the backup.
5. Use SQL Server Management Studio to create a database on TgtSQLSRV by restoring it from the backup you created on IntrmSRV:
   a) In Object Explorer, right-click Databases and click Restore Database.
   b) On the Restore Database page, type the database name in To database, click From device and select the database backup file you created on IntrmSRV, select the check box next to the name of the backup set to restore, and then click OK.
   c) Wait while SQL Server restores the database.
6. Upgrade the Administration Service on IntrmSRV by installing the new version of the Administration Service with the option to create a new database. On the Database and Connection Settings page in the Setup wizard, complete the following settings:
   a) In SQL Server, specify the SQL Server instance running on TgtSQLSRV.
   b) In Database name, type the name of the database to be created by the Setup wizard for the upgraded Administration Service.
   c) In Import data from this database, type the name of the Administration Service's database you have restored on TgtSQLSRV.
   d) Under Connection, choose the appropriate authentication method for connection of the Administration Service to the database.
7. Upgrade the Web Interface on IntrmSRV by installing the new version of the Web Interface. On the Administration Service Selection page in the Setup wizard, verify that the Administration Service on this computer option is selected.

8. Install the new version of the Administration Service on TgtARSRV, with the option to use the database of the new version you have prepared on TgtSQLSRV. When installing the Administration Service, choose the following options in the Setup wizard:
   a) On the Service Deployment Options page, select Install additional Service.
   b) On the Configuration Synchronization Options page, select Share common configuration database.
   c) On the Database and Connection Settings page:
      - In SQL Server, specify the SQL Server instance running on TgtSQLSRV.
      - In Database name, type the name of the database you have prepared on TgtSQLSRV (this is the database name you specified in Step 6, sub-step b).
      - Under Connection, choose the appropriate authentication method for connection of the Administration Service to the database.
   d) On the Provision of Encryption Keys page, select Retrieve keys from existing Service. For this option to perform as expected, ensure that the Administration Service on IntrmSRV is up and running.
9. Install the new version of the Web Interface on TgtARSWI. On the Administration Service Selection page in the Setup wizard, select Any Administration Service of the same configuration and type the fully qualified DNS name of the TgtARSRV computer.
10. On TgtARSWI, use the Web Interface Sites Configuration tool to create the custom sites based on existing custom configurations. This step is required if any custom Web Interface sites, in addition to the three default Web Interface sites, are deployed in your production environment.
11. Decommission server IntrmSRV by uninstalling the product components on that server, in the following order:
   a) Uninstall the console (MMC Interface). Skip this step if you did not install the console on IntrmSRV.
   b) Uninstall the Web Interface.
   c) Uninstall the Administration Service.

As a result of these steps you achieve a pilot deployment of the new version of Quest One ActiveRoles with the following characteristics:

- The pilot Administration Service on a computer running the new version of the Microsoft Windows Server operating system (TgtARSRV)
- The Quest One ActiveRoles database on the new version of SQL Server (TgtSQLSRV)
- The pilot Web Interface on a computer running the new version of the Microsoft Windows Server operating system (TgtARSWI)
- The pilot Administration Service and Web Interface have the same configuration as in your production environment.

To add the Quest One ActiveRoles console (MMC Interface) to the pilot deployment, simply install the new version of the console on an appropriate server and have the console connect to your pilot Administration Service.

Deployment Considerations

This section addresses issues concerning the deployment of Quest One ActiveRoles Administration Service. Information for this section was collected from:

- Feedback from our current customers who have enterprise class deployments with multiple sites/locations
- Extensive testing of Quest One ActiveRoles in our software development labs
- Comparisons and testing of Quest One ActiveRoles to competitors' solutions

There are no technical requirements for installing many Administration Services in a location or in different locations. The number of Administration Services in a location and the number of locations with Administration Services depends on an organization's needs and expectations, the current infrastructure and hardware, and the business workflow. When considering a deployment, administrators should consider the following issues:

- Business workflow
- Hardware requirements
- Need for availability
- Replication traffic

When an organization has gathered and assessed the information above, it will be able to determine the locations and number of Administration Services to be installed. The last sub-section provides network diagrams that illustrate potential Quest One ActiveRoles deployments.

Business Workflow

This factor focuses on Active Directory (AD) data management processes and practices, including who will perform these tasks and from where they access the management services. Generally, these tasks will be divided among several groups, which might include both high- and low-level administrators, a Help Desk, HR personnel, and work group managers.

Possible business workflows for AD data management processes might be:

- Centralized at one location and performed by one group
- Centralized at one location or LAN site and performed by multiple groups
- Distributed at multiple sites but performed by one business group
- Distributed at multiple sites and performed by multiple independent business groups

Organizations should diagram the locations/sites at which AD data management is done, their network connections, the number of users performing tasks, and the type of work they do. For example, Help Desk personnel will make more use of the Administration Service than regular employees who are occasionally changing their personal information.

Finally, the number of users at each site should be added to the diagram. Current customers report that there has been no need to install additional services in order to improve Quest One ActiveRoles performance. Adding the number of users is not intended to indicate the workload on or the performance of the Administration Service. The number of users is intended to help organizations to estimate and understand their own administration workload and how Quest One ActiveRoles will fit into that workload.

Hardware Requirements

After calculating the resource usage of an Administration Service and mapping the business workflow of the network sites, an organization will have the necessary information to start assessing any need for additional hardware.

There is no technical need for installing the Administration Service on dedicated hardware. In fact, current customers do not use only dedicated hardware. They use a combination of dedicated and shared hardware to host the Administration Service. For example, a current customer manages 2,000,000 AD objects in a global deployment with a total of five Administration Services, two of which are dedicated and the other three are shared with other applications.

An organization's current infrastructure, including existing servers, sites and connections, will greatly determine the need for additional hardware to run Quest One ActiveRoles. The Administration Service can be installed on any server, although organizations should consider these two guidelines:

- It is not recommended that the Administration Service be installed on a domain controller. Typically, organizations install the Administration Service on other application, file, or print servers.
- Depending on service level agreements or goals, if existing servers are currently fully loaded or overloaded, then a new server should be purchased, and the Administration Service and additional services should be moved onto the new equipment. Not only will this enable Quest One ActiveRoles deployment, it will also improve the performance of the currently deployed services.

Since Quest One ActiveRoles is often deployed during migration to Active Directory, Quest One ActiveRoles deployment can be included in planning for new hardware and server consolidation.

The need for redundancy and availability also will affect the hardware requirements. See the sub-section Availability and Redundancy for further details.

Web Interface: IIS Server Required

If an organization plans to use the Quest One ActiveRoles Web Interface, IIS must be installed on the server running the Web Interface. It is recommended that organizations use the Quest One ActiveRoles Web Interface because it offers more flexibility than the MMC Interface. Users can access it from almost anywhere on the network. It shows administrators only the data they can administer and the tasks they can perform, which makes it easy to learn and highly secure.

Availability and Redundancy

One of the benefits of Quest One ActiveRoles is that administrators do not need permissions on Active Directory to perform user management and other tasks. This forces administrators to use Quest One ActiveRoles and assures secure administration with the enforcement of Rules and Roles provided by Quest One ActiveRoles. However, this lack of AD permissions might be a problem if the Administration Service becomes unavailable. The impact of this potential problem depends on the specifics of the situation, but the problem can be addressed with the following guidelines.

Major Sites

Two guidelines should be followed for major sites:

- Our customers typically deploy two Administration Services per major location/site where AD data administration and user management is performed. This redundant service solution would be effective if both the primary Administration Service and all connections to other sites failed. Again, organizations should use their administration framework and their experience with other management services, such as SMS, to determine the need for an Administration Service at a site.
- Most customers do not place all of their Administration Services at one location/site. If access to that one location/site should fail, all administration of AD through the Administration Service would stop. Instead, they install Administration Services at two or sometimes more sites.

Remote Sites

In most scenarios, even if the server hosting the Administration Service fails, connections to other sites will be maintained. Administrators can access Administration Services at another site and force AD replication to make the changes appear on the local domain controller as soon as possible.

Three approaches can be used for remote sites where either no or only a low level of administration work is performed (e.g., creating a few users, updating employee information, or unlocking accounts). One or more approaches can be used, and they should eliminate the possible problem of administrators not having AD permissions and an Administration Service failing. The approaches used depend on business workflow.

- If few AD administration tasks are performed at a site, then local administrators might access a remote Administration Service. Administrators at remote sites can access an Administration Service at a major location/site. If necessary, native Windows administrative tools can be used to force AD to replicate the changes so that they appear on the local domain controller as soon as possible.
- If local administrators at a site do not normally need access to AD, then an Administration Service would not have to be installed in that site. An administrator at a major site can make changes for a user at a remote site, and if necessary forced replication can cause the changes to appear quickly at the user's local domain controller. With Quest One ActiveRoles user interfaces, the administrator can deliberately choose the domain controller where to apply the changes, thus eliminating data replication delays.
- An organization might provide one or more administrators at each site with permissions to AD. For example, if a site has five administrators, one administrator would be given permissions to AD. This solution would be acceptable for most sites, except for small sites managed by very low-level administrators. Quest One ActiveRoles allows administrators to push (synchronize) permissions from Quest One ActiveRoles to Active Directory, thus making it easier to manage permissions to AD.

Replication Traffic

Quest One ActiveRoles employs the Microsoft SQL Server to maintain the configuration database. The replication capabilities of SQL Server facilitate the implementation of multiple equivalent configuration databases used by different Administration Services.

Replication traffic can be judged by considering what is replicated and what is not. Typically, only Quest One ActiveRoles configuration information is replicated and only if it is changed. This means that if administrators are not creating Managed Units, Access Templates, Policies and delegating permissions that often, there is not much replication traffic.

Locations and Number of Services

After considering the major factors that might influence the locations and number of Administration Services, organizations should have a network diagram that illustrates a high-level design for the Quest One ActiveRoles deployment. The following high-level sample network diagrams illustrate potential Quest One ActiveRoles deployments using the guidelines described earlier.

Centralized

This diagram shows a centralized network and workflow (the ARS abbreviation refers to Quest One ActiveRoles Administration Service).

[Diagram: centralized deployment. Labels: Dedicated ARS/IIS, ARS, ARS/IIS, Remote Site. Legend: ARS Replication, AD Replication.]

In this centralized structure, all AD data management is done from the corporate headquarters by a group of network administrators and the Help Desk staff. The headquarters is a large campus location with several well-connected sites. Most employees work at the headquarters.

Large remote sites will have networking personnel who are responsible for tasks such as hardware and software setup and maintenance. Small remote sites are staffed by non-technical employees. Network maintenance for these sites is done by IT staff that travels to them or by contractors.

The number of Administration Services depends on the number of managed objects and administrators. In the diagram, there is one dedicated Administration Service (ARS Service) and two Administration Services on shared hardware. This number should assure both availability and redundancy. Other services on the shared hardware include printing and applications.

A small number of administrators use the Quest One ActiveRoles console, while the majority of administrators and all Help Desk personnel use the Web Interface.

Typically, customers do not install all Administration Services at one location, but in this case, one or both of the following business workflow and technical factors overrule that guideline:

- The remote sites are lightly populated and require very little AD data management work.
- It is determined that if the connection to the central site fails, the organization's primary concern would be restoring the connection, not managing AD.

Distributed with No Remote Management

This diagram shows a distributed network and workflow (the ARS abbreviation refers to Quest One ActiveRoles Administration Service).

[Diagram: distributed deployment with no remote management. Labels: Dedicated ARS/IIS, ARS/IIS, Remote Site. Legend: ARS Replication, AD Replication.]

In this scenario, AD data management is performed at major locations by a group of network administrators and the Help Desk staff. These locations can be campuses or single locations connected by LAN/WAN connections.

Large remote sites have networking personnel who are responsible for tasks such as hardware and software setup and maintenance. Small remote sites are staffed by non-technical employees. Network maintenance for these sites is done by IT staff that travels to them or by contractors.

Again, the number of Administration Services depends on the number of managed objects and administrators. In the diagram, there is one dedicated and one shared Administration Service per location. This setup assures both redundancy and availability at each major location and throughout the network. If one Administration Service fails, the other Service at the location can be used. If both services at a location fail, AD data management can be done at the other location. As long as the connections function, administrators at the failed location can access the Administration Services at the functioning location.

At both locations a small number of administrators use the Quest One ActiveRoles console, while the majority of administrators and all Help Desk personnel use the Web Interface.

Distributed with Remote Management

This diagram illustrates a highly distributed network and workflow (the ARS abbreviation refers to Quest One ActiveRoles Administration Service).

[Diagram: distributed deployment with remote management. Labels: Dedicated ARS/IIS, ARS/IIS, Remote Site. Legend: ARS Replication, AD Replication.]

In this scenario, AD data management is performed at all locations. These locations can be campuses or single locations connected by LAN/WAN connections. The work is done by a group of network administrators and the Help Desk staff. Work group managers perform very low-level work such as access to specific file directories and distribution lists.

The number of Administration Services depends on the number of managed objects, administrators, and locations. In the diagram, there is one dedicated and one shared Administration Service at the large locations. This setup assures both redundancy and availability at each major location and throughout the network. If one Administration Service fails, the other server at the location can be used. If both Administration Services at a location fail, AD management can be done at the other location. As long as the connections function, administrators at the failed location can access the Administration Services at the functioning location.

A third, midsize location has an Administration Service installed on shared hardware. Administrators at this location use a Web interface, so the hardware also hosts IIS. An Administration Service was installed at this location because the location had a significant number of users that needed AD management work and Help Desk support. Placing an Administration Service in this location balances the load on the services while improving redundancy and availability. If this location and the network grow, the need might develop for establishing connections and replication between the three largest sites.

Administrators at the smallest locations access the Administration Services at the large locations via the Web Interface. The reason for this is the number of users and administrators and their workload.

At both large locations a small number of administrators use the Quest One ActiveRoles console, while the majority of administrators and all Help Desk personnel and work group managers use the Web Interface.

Physical Design

This section covers two typical installation configurations for Quest One ActiveRoles. In both installations the architecture is designed to maximize the effectiveness of the Quest One ActiveRoles software based on how the network is configured and how administrative duties are assigned.

Several software components must be considered when deploying Quest One ActiveRoles:

ARS Service: Quest One ActiveRoles Administration Service (ARS Service) communicates directly with an Active Directory domain controller (DC), and is responsible for making all changes to Active Directory. The DC to which the ARS Service speaks is selected automatically and can be changed by the Quest One ActiveRoles user. The ARS Service is also responsible for performing access checks to prevent unauthorized users from connecting to Quest One ActiveRoles interfaces and to ensure that authorized users are performing tasks according to the role they hold and the rules that have been put in place.

Console: Quest One ActiveRoles console provides an MMC-based interface to configure Quest One ActiveRoles as well as perform administration of Active Directory. The Console only connects to the ARS Service and is not capable of making changes directly in Active Directory.

Web Interface: Three Web Interfaces are provided with Quest One ActiveRoles out of the box: the Web Interface for Administrators; the Web Interface for Help Desk; and the Web Interface for Self-administration. During the setup of the Web Interfaces the administrator must make a decision to connect the Web Interface to a specific ARS Service or allow the ARS Service to be selected dynamically. All of the Web Interfaces connect only to the ARS Service and are not capable of making changes directly in Active Directory.

The decision where to place servers running the Quest One ActiveRoles software components should leverage the strengths of the existing network and the associated IT Service structure.

Deploying for Fault Tolerance and Load Balancing

In the same way that Active Directory is not fault tolerant with a single domain controller, Quest One ActiveRoles would not be fault tolerant when a single server running the ARS Service is deployed. It is critical that at least two servers running the ARS Service be deployed to have a fault-tolerant Quest One ActiveRoles environment. Nonetheless, even in the worst-case scenario where all ARS Service instances fail, Active Directory will continue to function normally. The only result of a complete failure is that day-to-day administration or help desk functions may be interrupted until a server running the ARS Service is brought back online.

An additional benefit of deploying multiple ARS Service instances is that both the Console and the Web Interfaces will fail over to a new ARS Service if the first one becomes unresponsive. The user experience is slightly different depending upon which interface the user is using when the ARS Service fails. Within the Console the user will notice the ARS Service has failed and will only have to use the Connect command to get automatically connected to the next available ARS Service. Users of the Web Interface will have a more seamless transition as the Web Interface fails over automatically to the next ARS Service. One important item to note is that automatic failover only works if the option to use any available Administration Service was selected during the Web Interface setup.

It is possible to deploy the Web Interface and ARS Service components on separate servers, for security concerns or business reasons. However, when the Web Interface and ARS Service are deployed on separate servers, basic authentication is normally used to authenticate the Web Interface users, causing the user credentials to be transferred over the network in clear text. In this case we highly recommend that a secure (SSL) channel be configured on the server running the Web Interface to encrypt traffic between the server and the Web browser. However, it is best to keep the ARS Service and Web Interface components together, on the same server, for integrated authentication and better performance.
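The clear-text exposure described above, as an added example that is not part of the Quest guide: Basic authentication only base64-encodes the credentials, so this audit flags any recorded HTTP exchange that carries Basic credentials, or offers a Basic challenge, without an encrypted channel. The host name, account and exchange records are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit


def header_values(headers, name):
    """All values of a header, case-insensitively; headers is a list of (name, value)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def basic_username(authorization):
    """Return the user name inside a Basic Authorization value, or None.

    Only the user name is returned so a password never ends up in a report.
    """
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: nothing to report
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def audit(exchanges):
    """Flag Basic authentication exposed on an unencrypted channel.

    Each exchange is (url, request_headers, response_headers).
    Returns a list of (url, finding, detail) tuples.
    """
    findings = []
    for url, request_headers, response_headers in exchanges:
        if urlsplit(url).scheme.lower() == "https":
            continue  # the SSL/TLS channel protects the header in transit
        for value in header_values(request_headers, "Authorization"):
            user = basic_username(value)
            if user is not None:
                findings.append((url, "credentials-in-clear", user))
        # IIS can send several WWW-Authenticate headers; check each one.
        for value in header_values(response_headers, "WWW-Authenticate"):
            if value.split(" ", 1)[0].lower() == "basic":
                findings.append((url, "basic-offered-in-clear", value))
    return findings


def make_basic_header(user, password):
    """Build a Basic Authorization value (used only to construct sample data)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample exchanges; webif.example.test is a placeholder host.
SAMPLE_EXCHANGES = [
    ("http://webif.example.test/site/",
     [("Authorization", make_basic_header("EXAMPLE\\helpdesk1", "not-a-real-password"))],
     [("Content-Type", "text/html")]),
    ("http://webif.example.test/site/",
     [],
     [("WWW-Authenticate", "Negotiate"),
      ("WWW-Authenticate", 'Basic realm="webif.example.test"')]),
    ("https://webif.example.test/site/",
     [("Authorization", make_basic_header("EXAMPLE\\helpdesk1", "not-a-real-password"))],
     []),
    ("http://webif.example.test/site/",
     [("Authorization", "Negotiate constructed-token")],
     []),
]

if __name__ == "__main__":
    for url, finding, detail in audit(SAMPLE_EXCHANGES):
        print(f"{finding:24} {url}  {detail}")
```
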

Centralized Deployment

The first installation configuration is known as the Centralized model. In this model administration is controlled from a single larger site. In the centralized model the deployment places servers in one physical location. This allows all the ARS Service instances to share a single configuration and management history database, or replicate their configuration changes to a partner, providing a fault tolerant configuration. While a centralized deployment may involve smaller physical locations or branch offices, administration is probably not usually performed from those locations.

[Diagram: centralized deployment. NORTH AMERICA: ARSInstance#1, ARSInstance#2 and ARSInstance#3 (each ARS Service plus IIS), SQL Server with Configuration DB and Management History DB, AMER DC, EMEA DC, APAC DC. EMEA: Web Interface Client, EMEA DC. APAC: Web Interface Client, APAC DC.]

This diagram illustrates a centralized deployment of Quest One ActiveRoles with the following characteristics:

- All the Quest One ActiveRoles (ARS) instances are placed in a single location.
- Each instance is hosted on a server running the ARS Service along with a Web server (IIS) running the Web Interfaces.
- All Quest One ActiveRoles instances share the same database for storing the configuration and management history data (Configuration DB and Management History DB).
- The EMEA and APAC branch offices use the Web Interface to perform administrative tasks, help desk operations or self-service actions.

DC Focusing

Normally, Quest One ActiveRoles Administration Service (ARS Service) itself chooses the Active Directory domain controller (DC) to communicate with, which is the nearest DC by default. With a centralized deployment model, this means that the ARS Service will select a DC found in the same location where the corresponding ARS instance resides, so even regionally local change calls (those submitted from the EMEA or APAC location) are performed against a DC located in North America (rather than a locally placed DC), thereby causing an additional slow-down due to Active Directory replication latency.

The preferred behavior would be as follows:

- Regionally local change calls are executed against a locally placed DC.
- Cross-site change calls are executed against a DC located at the target site.

The appropriate choice of DC would ensure that the changes appear on the target site without an Active Directory replication related slow-down. Quest One ActiveRoles users can choose an appropriate DC by using the Change Operational DC command on the menu for the domain object, in the Quest One ActiveRoles console or Web Interface. If the operational DC is explicitly specified by the user, the ARS Service submits the change requests to that DC instead of the nearest DC.

Distributed Deployment

The second installation configuration is the Distributed model where servers are deployed by analysis of how the network is configured and how administrative duties are assigned and performed. In a distributed environment there are three primary criteria for the determination of the placement of Quest One ActiveRoles:

1. Where will administration be performed?
2. How are domain controllers placed?
3. What is the interface of choice for the administrators?

If both administrators and domain controllers reside in the same physical location, the ARS Service should be placed in that location. In this situation either the Console or the Web Interface could be used by the administrators. However, if the Web Interface is the primary interface of choice, it is important to ensure that the ARS Service the Web Interface connects to points to a domain controller in the same location so that changes are not passed over a WAN connection.

If the administrators reside in one location and domain controllers reside in another, the determining factor would be WAN reliability. It is important to understand that the ARS Service writes all administrative changes to a domain controller to which it has been associated. The critical point here is that Quest One ActiveRoles client applications never interface directly with a domain controller. Consequently it is more important that the ARS Service be located close to its associated domain controller than where the client application is deployed in relation to the domain controller. However, from either the Console or the Web Interfaces it is possible to choose a specific domain controller to which the ARS Service writes the changes.

[Diagram: distributed deployment across three sites: NORTH AMERICA (NYC Site), EMEA (LONDON Site) and APAC (HONG KONG Site). Labels per site: two ARS instances (ARSInstance#1 to ARSInstance#6 in total), each with ARS Service and IIS; a Failover/Load Balance name (ARS.AMER.company.com, ARS.EMEA.company.com, ARS.APAC.company.com); SQL Server with Configuration DB and Management History DB (one Publisher, the others Subscribers), linked by SQL Database Replication; Web Interface Clients; EMEA DC, AMER DC, APAC DC.]

This diagram illustrates a distributed deployment of Quest One ActiveRoles with the following characteristics:

- Each of the three sites has two Quest One ActiveRoles (ARS) instances deployed, for the sake of fault tolerance and load balancing.
- Each Quest One ActiveRoles instance is hosted on a server running the ARS Service along with a Web server (IIS) running the Web Interface.
- Each Quest One ActiveRoles instance has a separate database for storing the configuration and management history data (Configuration DB and Management History DB). The databases are synchronized by means of the SQL Server replication function. One of the database servers holds the Publisher role while the others are Subscribers to that Publisher (in terms of SQL Server replication).
- Administration is performed using the Web Interface on a per-site basis, by connecting Web Interface clients (Web browsers) to any of the two ARS instances deployed within the site.

A total of six Quest One ActiveRoles instances are deployed across the world-wide enterprise, with two instances located in each of three major regions: North America, EMEA (Europe, Middle East and Africa), and APAC (Asia Pacific). This per-site deployment model provides an efficient and fast way for Active Directory data changes initiated via Quest One ActiveRoles to take effect by minimizing or eliminating wait time for cross-site Active Directory replication.

All Quest One ActiveRoles instances provide the same Active Directory access delegation workflow and can be treated as a single delegation mechanism. Sharing the same configuration settings between instances is achieved by means of SQL replication.

Each region has two Quest One ActiveRoles instances for failover and load balancing purposes. For failover purposes each instance is independent from a hardware and software standpoint by having its own dedicated ARS Service, Web Interface (IIS) and SQL Server.

This deployment is flexible in regards to hardware extension: new hardware can be added into the project for load balancing or troubleshooting purposes without changing the deployment.

DC Focusing

The ARS Service normally selects the nearest Active Directory domain controller (DC) to communicate with. Therefore, the ARS instance located in a given site normally communicates with a DC found in that site. This has the following implications:

- The ARS instance normally applies Active Directory data changes to a DC found in the local site. This DC is referred to as Operational DC.
- The ARS instance normally retrieves the data changes that occur in Active Directory from a DC found in the local site. This DC is referred to as DirSync DC.

By default, the ARS Service chooses the same domain controller to hold the role of both the Operational DC and DirSync DC.

[Diagram: DC focusing in the distributed deployment. NORTH AMERICA (NYC Site): ARS Instance #1 and ARSInstance#2 behind Failover/Load Balance ARS.AMER.company.com, with AMER DirSync DC and AMER Operational DC. EMEA (LONDON Site): ARS Instance #3 and ARSInstance#4 behind ARS.EMEA.company.com, with EMEA DirSync DC and EMEA Operational DC. APAC (HONG KONG Site): ARS Instance #5 and ARSInstance#6 behind ARS.APAC.company.com, with APAC DirSync DC and APAC Operational DC. Each instance runs ARS Service and IIS.]

The ARS Service is permanently listening to the DirSync DC for changes related to Quest One ActiveRoles dynamic configuration objects, such as Dynamic Groups and Managed Units.

Every operation that involves the retrieval or modification of Active Directory data, requested by Quest One ActiveRoles client interfaces or by ARS Service internal logic, is performed against this DC. The user can specify another DC for the client operations by using the Change Operational DC command in the Quest One ActiveRoles console or Web Interface.

Every 10 minutes the ARS Service validates the availability of the selected DirSync DC. If the ARS Service identifies that the DC is not available, it selects another DC. Until the ARS Service selects another DC, every user of Quest One ActiveRoles who does not explicitly specify the Operational DC will receive an error when trying to perform any operation with Active Directory.

If you have a single DC in the same site with the ARS Service, and that DC becomes unavailable for some reason (for example, it was restarted), then the ARS Service will select a DC from another site. After the DC in its home site becomes available, the ARS Service will switch back to the DC in its home site.

If you have multiple DCs in the same site with the ARS Service, it will not randomly switch from one DC to another every 10 minutes. When a DC other than the current one is identified as the nearest DC, the ARS Service will switch to the new DC only if the new one is in its home site and the current DC is located in another site, so the ARS Service never switches between two available DCs in the same site.

By default, the ARS Service selects any nearest available DC for a managed domain. This behavior can be configured on a per-service or per-domain basis. To configure this behavior, use the DirSync Servers tab (on the property sheet for a Managed Domain object in the Configuration/Server Configuration/Managed Domains folder, or on the property sheet for an Administration Service object in the Configuration/Server Configuration/Administration Services folder, in the Quest One ActiveRoles console). If you choose the Only specified domain controller option and the specified DC becomes unavailable, the ARS Service will not switch to another DC and the domain will be unavailable for management.

For more information, refer to Quest One ActiveRoles Help: click Help on the DirSync Servers tab, or press F1 in the DirSync Server Selection dialog box that appears when you click Change on the DirSync Servers tab.

SQL Database

A total of six SQL Server instances are deployed across the world-wide enterprise to host the Quest One ActiveRoles database, with two instances located in each of three major regions: North America, EMEA, and APAC.

Each ARS instance has a separate SQL database. The databases are synchronized by means of the SQL Server replication function. One of the database servers holds the Publisher role while the others are Subscribers to that Publisher.

[Figure: SQL database replication between the regions. North America hosts the SQL Server with the Publisher role and one Subscriber; EMEA and APAC each host two Subscribers. Every SQL Server holds a Configuration DB and a Management History DB and serves one ARS instance (IIS and ARS Service).]

Quest One ActiveRoles normally uses the same database to store both the Configuration and Management History data. The Configuration data applies to the delegation and workflow related objects, such as Access Templates, Policy Objects and Managed Units. The virtual attributes created with Quest One ActiveRoles are also stored as part of the Configuration data. The Management History data comprises the history of changes that were made to directory objects via Quest One ActiveRoles. In addition, the approval, temporal group membership, and deprovisioning tasks are stored as part of the Management History data.

Given a large volume of Management History data, it may be advisable to create a separate Management History database (see Centralized Management History Storage in the Quest One ActiveRoles Administrator Guide).
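Before replication is configured between these SQL Server instances, it helps to confirm that they all report the same SQL Server version and service pack level. The script below is an added example, not part of the Quest guide; the instance names are hypothetical placeholders, and it assumes the account running it can log on to each instance with Windows authentication.

```powershell
# Added example: compare SQL Server version and service pack level across the
# instances that will take part in replication.

# Assumption: placeholder instance names; replace with your six SQL Servers.
$SqlInstances = @(
    'SQL-AMER-1', 'SQL-AMER-2',
    'SQL-EMEA-1', 'SQL-EMEA-2',
    'SQL-APAC-1', 'SQL-APAC-2'
)

function Get-SqlBuild {
    # Returns version details for one instance, or an Error text if the
    # instance cannot be queried.
    param([Parameter(Mandatory)][string]$Instance)

    # The builder quotes values correctly; the indexer avoids PowerShell's
    # dictionary-style property handling on this class.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']         = $Instance
    $builder['Initial Catalog']     = 'master'
    $builder['Integrated Security'] = $true
    $builder['Connect Timeout']     = 10

    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)),
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(128))
"@
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $version = $reader.GetString(0)          # for example 11.0.xxxx.x
        [pscustomobject]@{
            Instance       = $Instance
            ProductVersion = $version
            MajorMinor     = (($version -split '\.')[0..1] -join '.')
            ProductLevel   = $reader.GetString(1)  # RTM, SP1, SP2, ...
            Error          = $null
        }
    }
    catch {
        [pscustomobject]@{
            Instance = $Instance; ProductVersion = $null; MajorMinor = $null
            ProductLevel = $null; Error = $_.Exception.Message
        }
    }
    finally {
        $conn.Dispose()
    }
}

function Test-SqlBuildParity {
    # True only when every instance answered and all share one
    # version / service pack combination.
    param([object[]]$Builds)
    $answered = @($Builds | Where-Object { -not $_.Error })
    $groups   = @($answered | Group-Object -Property MajorMinor, ProductLevel)
    return ($answered.Count -eq $Builds.Count) -and ($groups.Count -eq 1)
}

$builds = @($SqlInstances | ForEach-Object { Get-SqlBuild -Instance $_ })
$builds | Format-Table Instance, ProductVersion, ProductLevel, Error -AutoSize

if (Test-SqlBuildParity -Builds $builds) {
    Write-Output 'All instances report the same SQL Server version and service pack level.'
}
else {
    Write-Warning 'Instances differ or could not be queried; resolve this before configuring replication.'
}
```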

Quest One ActiveRoles uses SQL Server merge replication to synchronize the Configuration and Management History data among the databases. One of the databases is configured on the SQL Server instance that holds the Publisher role; the remaining databases are configured as Subscriber role holders.

The instructions on how to configure replication can be found in the Quest One ActiveRoles Administrator Guide (see the Configuring Replication chapter). Separate instructions are provided in connection with replication of the Management History data (see Replication of Management History Data in the Quest One ActiveRoles Administrator Guide).

To successfully configure replication, ensure that all your SQL Server instances run the same version of SQL Server. If a SQL Server Service Pack is installed on one of the instances, the same Service Pack must be installed on all the instances.

Web Interface

Each of the six ARS instances has a separate Web Interface installation, with the ARS Service and Web Interface components running together, on the same server. A design where both the ARS Service and Web Interface are installed on a single server takes advantage of integrated authentication, which allows domain users to access the Web Interface without being prompted for their user name and password.
[Figure: the three regional sites (North America, NYC; EMEA, London; APAC, Hong Kong). Each site has two IIS/ARS Web Interface instances behind a web load balancer, and each instance offers the Site for Administrators, the Site for Help Desk and the Self-Service Manager to Web Interface clients.]

A total of six Web Interface instances are deployed across the world-wide company enterprise, with two instances installed in each of three major regions. In each region two Web Interface instances provide load balancing and failover capabilities. Initially, each ARS Service has one dedicated Web Interface instance; later it will be possible to introduce another Web Interface instance for the same ARS Service if performance needs to be increased.

Each Web Interface instance comprises several websites. The website configuration is synchronized among the Web Interface instances by means of SQL database replication (the website configuration settings are stored as a part of Quest One ActiveRoles configuration data). This allows you to customize a website on a single Web Interface instance and be sure that the replication function will apply the customization changes across all Web Interface instances.

The Web Interface provides rich customization capabilities out of the box, so Web Interface sites can be easily configured to show or hide certain fields or attributes to the end-user, including custom (extended) schema attributes. It is also possible to add or remove commands, create new forms or customize existing pages by adding forms (tabs) and form fields (entries).

The Web Interface ships with three built-in website templates:

- Default site for Administrators
- Default site for Help Desk
- Default site for Self-administration

You can use these templates to create new Web Interface sites and then customize each of the new sites as needed. Thus, you may deploy multiple Help Desk sites, having each customized individually.

To create new Web Interface sites and site configurations, Quest One ActiveRoles provides the Web Interface Sites Configuration wizard. You can open the wizard from the Start menu on any server running the Web Interface. The wizard is mainly intended to:

- Create a new Web Interface site with an existing configuration. This option only allows you to select a Web Interface site configuration that already exists in your Quest One ActiveRoles environment. Use this option when deploying a new Web Interface instance to add an existing custom Web Interface site to that instance.
- Create a new Web Interface site with a new configuration. This option only allows you to select one of the three built-in website templates, and creates a new Web Interface site configuration based on the template you select. Use this option to create a new Web Interface site on one of your Web Interface instances. On the other instances the new site should be deployed by selecting the site configuration you have created.

When deploying a new Web Interface instance, it is important to understand that only three default Web Interface sites are installed out of the box. To add a custom Web Interface site to a newly installed Web Interface instance, you should use the Web Interface Sites Configuration wizard.

ActiveRoles on Windows Azure VM

This section outlines the recommended steps for deploying Quest One ActiveRoles in the Windows Azure Infrastructure Services environment. After you complete these steps, you'll have the following services deployed in Windows Azure using Windows Azure virtual machines:

- SQL Server 2012 to host the ActiveRoles database
- ActiveRoles Administration Service
- ActiveRoles Web Interface

Step 1. Prerequisites

This guide assumes that you already have the following prerequisites:

- Microsoft account with at least one valid, active Windows Azure subscription
- At least one writable replica domain controller installed in your Windows Azure account

For instructions on how to install a replica domain controller, see Install a Replica Active Directory Domain Controller in Windows Azure Virtual Networks.

Step 2. Deploy Microsoft SQL Server 2012

Perform the following tasks to deploy SQL Server:

1. Create a virtual machine based on a SQL Server 2012 image published in Windows Azure. When creating the virtual machine, on the Virtual machine configuration page, select the Create a new cloud service option and choose the Virtual Network used by your replica domain controller in Windows Azure. For instructions on how to deploy SQL Server 2012 in Windows Azure, see Provisioning a SQL Server Virtual Machine on Windows Azure.
2. Join the SQL Server 2012 virtual machine to your Active Directory domain.
3. Using SQL Server Management Studio, grant the sysadmin fixed server role to the domain user account that will be used as the service account for the ActiveRoles Administration Service.
4. Configure Windows Firewall to allow connections to TCP Port 1433 from computers in your Virtual Network. Because SQL Server will be accessed from within the Virtual Network, you do not need to create public endpoints in Windows Azure.
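For task 4 of Step 2, the script below creates an inbound rule for TCP port 1433 that admits only Virtual Network addresses, then lists any other enabled rule that still admits that port from any remote address. It is an added example, not part of the Quest guide; the subnet value and the rule display name are assumptions to replace with your own, and it is meant to run in an elevated session on the SQL Server virtual machine.

```powershell
# Added example: scope the SQL Server rule to the Virtual Network and audit
# for broader rules that would bypass that scoping.

# Assumption: constructed sample address space; use your Virtual Network's subnets.
$VirtualNetworkSubnets = @('10.0.0.0/16')
# Assumption: hypothetical rule display name.
$RuleName = 'SQL Server TCP 1433 (Virtual Network only)'
$SqlPort  = 1433

function Test-PortCovered {
    # True when a port-filter value ('Any', '1433', '1000-2000', or an array
    # of those) includes $Port. Keywords such as 'RPC' never match.
    param([object[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        $text = [string]$entry
        if ($text -eq 'Any') { return $true }
        if ($text -match '^(\d+)-(\d+)$') {
            if (($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])) { return $true }
        }
        elseif (($text -match '^\d+$') -and ([int]$text -eq $Port)) { return $true }
    }
    return $false
}

function Set-SqlVnetRule {
    # Create the scoped rule, or reset its remote addresses if it already exists.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $VirtualNetworkSubnets
    }
    else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $SqlPort -RemoteAddress $VirtualNetworkSubnets `
            -Enabled True | Out-Null
    }
}

function Get-UnscopedSqlRule {
    # Enabled inbound Allow rules that cover TCP 1433 with RemoteAddress 'Any'.
    # A rule bound to another program only admits traffic to that program, so
    # the Program column is included for review.
    Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            $appFilter  = $_ | Get-NetFirewallApplicationFilter

            $isTcp      = @('TCP', 'Any', '6') -contains [string]$portFilter.Protocol
            $coversPort = Test-PortCovered -LocalPort $portFilter.LocalPort -Port $SqlPort
            $anyRemote  = @($addrFilter.RemoteAddress) -contains 'Any'

            if ($isTcp -and $coversPort -and $anyRemote) {
                [pscustomobject]@{
                    DisplayName = $_.DisplayName
                    Profile     = $_.Profile
                    LocalPort   = ($portFilter.LocalPort -join ',')
                    Program     = $appFilter.Program
                }
            }
        }
}

Set-SqlVnetRule
$unscoped = @(Get-UnscopedSqlRule)
if ($unscoped.Count -gt 0) {
    $unscoped | Format-Table -AutoSize
    Write-Warning "$($unscoped.Count) enabled inbound rule(s) admit TCP $SqlPort from any remote address."
}
else {
    Write-Output "TCP $SqlPort is admitted only from the configured subnets."
}
```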

Step 3. Deploy ActiveRoles Administration Service

Perform the following tasks to deploy the ActiveRoles Administration Service:

1. Create a virtual machine based on a Windows Server 2012 image published in Windows Azure. When creating the virtual machine, on the Virtual machine configuration page, select the Cloud Service that you created for the SQL Server virtual machine in Step 2. Deploy Microsoft SQL Server 2012. This will automatically select the correct Virtual Network as this Cloud Service is already used to host the SQL Server virtual machine. For further information, see Add a Virtual Machine to a Virtual Network, section Create Virtual Machine and Deploy to Virtual Network.
2. Join the newly created virtual machine to your Active Directory domain.
3. Connect to the virtual machine using Remote Desktop, and run the ActiveRoles Setup wizard to install the ActiveRoles Administration Service (see Steps to Install the Administration Service earlier in this document). When prompted for the service account, specify the appropriate user account defined in your Active Directory domain. Ensure that this user account is a member of the Administrators local group on the virtual machine where you're installing the Administration Service. For example, this could be a domain user account that belongs to the Domain Admins group of your Active Directory domain. When prompted for SQL Server, specify the name of SQL Server you deployed in Step 2. Deploy Microsoft SQL Server 2012.

Run the following Windows PowerShell command on the virtual machine where you've installed the ActiveRoles Administration Service, to configure Windows Firewall:

    # Client subnets allowed to reach the Administration Service.
    # Replace each <network-address> placeholder with the subnet's network address.
    $allowedclientsubnets = @('<network-address>/12', '<network-address>/16');
    New-NetFirewallRule -DisplayName "ActiveRoles Server" -Direction Inbound `
        -Action Allow -Service 'arssvc' -RemoteAddress $allowedclientsubnets `
        -Enabled True

Step 4. Deploy ActiveRoles Web Interface

Perform the following tasks to deploy the ActiveRoles Web Interface:

1. Create a virtual machine based on a Windows Server 2012 image published in Windows Azure. When creating the virtual machine, on the Virtual machine configuration page, select the Cloud Service that you created for the SQL Server virtual machine in Step 2. Deploy Microsoft SQL Server 2012. This will automatically select the correct Virtual Network as this Cloud Service is already used to host the ActiveRoles Administration Service and SQL Server virtual machines. For further information, see Add a Virtual Machine to a Virtual Network, section Create Virtual Machine and Deploy to Virtual Network.
2. Join the newly created virtual machine to your Active Directory domain.
3. Connect to the virtual machine using Remote Desktop, and run the ActiveRoles Setup wizard to install the ActiveRoles Web Interface (see Installing and Configuring the Web Interface earlier in this document). When prompted, choose the option to connect to the Administration Service on the specified computer, and specify the fully qualified domain name of the virtual machine you deployed in Step 3. Deploy ActiveRoles Administration Service.


More information

Security Explorer 9.5. User Guide

Security Explorer 9.5. User Guide 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

Foglight. Foglight for Virtualization, Enterprise Edition 7.2. Virtual Appliance Installation and Setup Guide

Foglight. Foglight for Virtualization, Enterprise Edition 7.2. Virtual Appliance Installation and Setup Guide Foglight Foglight for Virtualization, Enterprise Edition 7.2 Virtual Appliance Installation and Setup Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected

More information

Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration

Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration February 2015 This guide describes how to configure Dell One Identity Cloud Access Manager to communicate with a Dell

More information

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide Dell NetVault Backup Plug-in for 1.3 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

Troubleshooting Guide 5.1. Quest Workspace ChangeBASE

Troubleshooting Guide 5.1. Quest Workspace ChangeBASE Troubleshooting Guide 5.1 Quest Workspace ChangeBASE [Type text] 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Built-in Plug-ins User s Guide

Built-in Plug-ins User s Guide Quest NetVault Backup version 9.1 Built-in Plug-ins User s Guide Version: Product Number: NVG-129-9.1-EN-01 NVG-129-9.1-EN-01 05/10/13 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains

More information

Introduction to Version Control in

Introduction to Version Control in Introduction to Version Control in In you can use Version Control to work with different versions of database objects and to keep the database updated. You can review, manage, compare, and revert to any

More information

Dell Client Profile Updating Utility 5.5.6

Dell Client Profile Updating Utility 5.5.6 Complete Product Name with Trademarks Version Dell 5.5.6 April 21, 2015 These release notes provide information about the Dell release. Welcome to What's New Known issues Upgrade and Compatibility System

More information

Dell One Identity Cloud Access Manager 8.0 - How To Deploy Cloud Access Manager in a Virtual Private Cloud

Dell One Identity Cloud Access Manager 8.0 - How To Deploy Cloud Access Manager in a Virtual Private Cloud Dell One Identity Cloud Access Manager 8.0 - How To Deploy Cloud Access Manager in a Virtual Private Cloud February 2015 This guide describes how to deploy Dell One Identity Cloud Access Manager within

More information

Dell Spotlight on Active Directory 6.8.4. Deployment Guide

Dell Spotlight on Active Directory 6.8.4. Deployment Guide Dell Spotlight on Active Directory 6.8.4 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

2011 Quest Software, Inc. ALL RIGHTS RESERVED.

2011 Quest Software, Inc. ALL RIGHTS RESERVED. 8.7 User Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. The software described in this document is furnished under a software

More information

Dell Statistica. Statistica Document Management System (SDMS) Requirements

Dell Statistica. Statistica Document Management System (SDMS) Requirements Dell Statistica Statistica Document Management System (SDMS) Requirements 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

8.10. Required Ports

8.10. Required Ports 8.10 Required Ports 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

NetVault LiteSpeed for SQL Server version 7.5.0. Integration with TSM

NetVault LiteSpeed for SQL Server version 7.5.0. Integration with TSM NetVault LiteSpeed for SQL Server version 7.5.0 Integration with TSM 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell One Identity Quick Connect for Cloud Services 3.6.1

Dell One Identity Quick Connect for Cloud Services 3.6.1 Dell One Identity Quick Connect for Cloud Services 3.6.1 March 2015 These release notes provide information about the Dell One Identity Quick Connect for Cloud Services release. About New features Resolved

More information

10.6. Auditing and Monitoring Quest ActiveRoles Server

10.6. Auditing and Monitoring Quest ActiveRoles Server 10.6 Auditing and Monitoring Quest ActiveRoles Server 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Object Level Authentication

Object Level Authentication Toad Intelligence Central Version 2.5 New in This Release Wednesday, 4 March 2015 New features in this release of Toad Intelligence Central: Object level authentication - Where authentication is required

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Dell InTrust 11.0. Preparing for Auditing and Monitoring Microsoft IIS

Dell InTrust 11.0. Preparing for Auditing and Monitoring Microsoft IIS Preparing for Auditing and Monitoring Microsoft IIS 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Dell Recovery Manager for Active Directory 8.6.0

Dell Recovery Manager for Active Directory 8.6.0 Dell Recovery Manager for Active Directory 8.6.0 April, 2014 These release notes provide information about the Recovery Manager for Active Directory release. About Recovery Manager for Active Directory

More information

Dell Directory Analyzer 4.14. Installation Guide

Dell Directory Analyzer 4.14. Installation Guide Dell Directory Analyzer 4.14 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

New Features and Enhancements

New Features and Enhancements Dell Migration Manager for SharePoint 4.7 Build number: 4.7.20141207 December 9, 2014 These release notes provide information about the Dell Migration Manager for SharePoint release. New Features and Enhancements

More information

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0 Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of

More information

8.10. Migrating to Microsoft Office 365

8.10. Migrating to Microsoft Office 365 8.10 Migrating to Microsoft Office 365 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a

More information

Dell One Identity Quick Connect for Cloud Services 3.6.0

Dell One Identity Quick Connect for Cloud Services 3.6.0 Dell One Identity Quick Connect for Cloud Services 3.6.0 August, 2014 These release notes provide information about the Dell One Identity Quick Connect for Cloud Services release. About New features Resolved

More information

Enterprise Self Service Quick start Guide

Enterprise Self Service Quick start Guide Enterprise Self Service Quick start Guide Software version 4.0.0.0 December 2013 General Information: [email protected] Online Support: [email protected] 1 2013 CionSystems Inc. ALL RIGHTS RESERVED.

More information

Dell Recovery Manager for Active Directory 8.6. Deployment Guide

Dell Recovery Manager for Active Directory 8.6. Deployment Guide Dell Recovery Manager for Active Directory 8.6 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Security Explorer 9.5. About Security Explorer 9.5. New features. June 2014

Security Explorer 9.5. About Security Explorer 9.5. New features. June 2014 June 2014 These release notes provide information about Dell. About New features s Known issues System requirements Product licensing Getting started with Security Explorer Globalization About Dell About

More information

Quest vworkspace Virtual Desktop Extensions for Linux

Quest vworkspace Virtual Desktop Extensions for Linux Quest vworkspace Virtual Desktop Extensions for Linux What s New Version 7.6 2012 Quest Software, Inc. ALL RIGHTS RESERVED. Patents Pending. This guide contains proprietary information protected by copyright.

More information

Spotlight Management Pack for SCOM

Spotlight Management Pack for SCOM Spotlight Management Pack for SCOM User Guide March 2015 The Spotlight Management Pack for SCOM is used to display data from alarms raised by Spotlight on SQL Server Enterprise in SCOM (System Center Operations

More information

Dell NetVault Backup Plug-in for SQL Server 6.1

Dell NetVault Backup Plug-in for SQL Server 6.1 Dell NetVault Backup Plug-in for SQL Server 6.1 April 2014 These release notes provide information about the Dell NetVault Backup Plug-in for SQL Server release. About Enhancements Resolved issues Known

More information

Dell NetVault Backup Plug-in for Hyper-V 10.0.1. User s Guide

Dell NetVault Backup Plug-in for Hyper-V 10.0.1. User s Guide Dell NetVault Backup Plug-in for Hyper-V 10.0.1 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide Dell Unified Communications Command Suite - Diagnostics 8.0 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

ChangeAuditor 5.7. What s New

ChangeAuditor 5.7. What s New ChangeAuditor 5.7 What s New 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a

More information

2015 Dell Inc. ALL RIGHTS RESERVED. Trademarks

2015 Dell Inc. ALL RIGHTS RESERVED. Trademarks 8.10 User Guide 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure

More information

Dell NetVault Backup Plug-in for Advanced Encryption 2.2. User s Guide

Dell NetVault Backup Plug-in for Advanced Encryption 2.2. User s Guide Dell Backup Plug-in for Advanced Encryption 2.2 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

formerly Help Desk Authority 9.1.3 HDAccess User Manual

formerly Help Desk Authority 9.1.3 HDAccess User Manual formerly Help Desk Authority 9.1.3 HDAccess User Manual 2 Contacting Quest Software Email: Mail: Web site: [email protected] Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA

More information

formerly Help Desk Authority 9.1.2 Quick Start Guide

formerly Help Desk Authority 9.1.2 Quick Start Guide formerly Help Desk Authority 9.1.2 Quick Start Guide 2 Contacting Quest Software Email: Mail: Web site: [email protected] Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com

More information

Security Analytics Engine 1.0. Help Desk User Guide

Security Analytics Engine 1.0. Help Desk User Guide 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information