ActiveRoles 6.9. Quick Start Guide

(1)

6.9 ActiveRoles

®

(2)

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters

LEGAL Dept 5 Polaris Way

Aliso Viejo, CA 92656 email: [email protected]

Refer to our Web site (www.quest.com) for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, Simplicity at Work, and ActiveRoles are trademarks and registered trademarks of Quest Software, Inc. For a complete list of Quest Software's trademarks, see

http://www.quest.com/legal/trademarks.aspx. Other trademarks are property of their respective owners.

Third Party Contributions

This product contains some third party components (listed below). Copies of their licenses may be found at

http://www.quest.com/legal/third-party-licenses.aspx. Source code for components marked with an asterisk (*) is available at http://rc.quest.com.

Quest One ActiveRoles - Quick Start Guide Updated - September 17, 2013

Software Version - 6.9

COMPONENT LICENSE OR ACKNOWLEDGEMENT

.NET logging library 1.0 BSD 4.4 license

JQuery 1.7.1 MIT 1.0 license

JQuery UI 1.8.14 MIT 1.0 license

(3)

INTENDED AUDIENCE. . . 5

CONVENTIONS. . . 5

ABOUT QUEST SOFTWARE, INC. . . 6

CONTACTING QUEST SOFTWARE . . . 6

CONTACTING QUEST SUPPORT . . . 6

INTRODUCTION . . . 7

QUEST ONE ACTIVEROLES COMPONENTS. . . 7

SYSTEM REQUIREMENTS. . . 8

INSTALLINGTHE ADMINISTRATION SERVICE . . . 9

CONFIGURINGTHE ADMINISTRATION SERVICE ACCOUNT . . . 10

ACCESSTOTHE ADMINISTRATION SERVICE COMPUTER . . . 10

SERVICE PUBLICATION IN ACTIVE DIRECTORY. . . 10

ACCESSTO MANAGED DOMAINS. . . 11

ACCESSTO EXCHANGE ORGANIZATION. . . 11

ACCESSTO FILE SERVERS . . . 16

ACCESSTO BITLOCKER RECOVERY INFORMATION. . . 16

SQL SERVER PERMISSIONS. . . 17

INSTALLATION PERMISSIONS . . . 17

OPERATION PERMISSIONS. . . 18

REPLICATION CONFIGURATION PERMISSIONS . . . 19

REPLICATION AGENT PERMISSIONS . . . 20

STEPS TO INSTALLTHE ADMINISTRATION SERVICE. . . 21

INSTALLING INITIAL SERVICE. . . 22

INSTALLING ADDITIONAL SERVICE. . . 23

IMPORTING CONFIGURATION DATA . . . 25

ADVANCED SCENARIOS . . . 26

VERIFYINGTHE SERVICE INSTALLATION. . . 27

INSTALLING USER INTERFACES. . . 28

STEPS TO INSTALLTHE CONSOLE . . . 28

STEPS TO INSTALLTHE WEB INTERFACE . . . 28

CHECKING WEB INTERFACE PREREQUISITES. . . 28

INSTALLING AND CONFIGURINGTHE WEB INTERFACE . . . 30

INSTALLING ADDITIONAL FEATURES. . . 32

STEPS TO INSTALL SDK AND ADSI PROVIDER . . . 32

STEPS TO INSTALLTHE REPORTING COMPONENTS . . . 33

INSTALLING THE QUEST ONE ACTIVEROLES COLLECTOR. . . 33

INSTALLING THE QUEST ONE ACTIVEROLES REPORT PACK . . . 34

(4)

UPGRADINGAN EARLIER VERSION. . . 37

COMPONENTS COMPATIBILITY. . . 37

UPGRADE ISSUES. . . 37

IMPACT ON QUEST ONE ACTIVEROLES REPLICATION. . . 37

IMPACT ON CUSTOM SOLUTIONS. . . 37

IMPACT ON UNMANAGED DOMAINS . . . 37

UPGRADINGTHE ADMINISTRATION SERVICE. . . 38

IMPORTING MANAGEMENT HISTORY DATA . . . 39

UPGRADING OTHER COMPONENTS . . . 40

UPGRADEOF THE REPORTING COMPONENTS. . . 41

SEPARATE MANAGEMENT HISTORY DATABASE. . . 42

CREATINGA NEW DATABASE. . . 43

USINGAN EXISTING DATABASE . . . 44

PERFORMING A PILOT DEPLOYMENT . . . 45

INSTALLING THE PILOT ADMINISTRATION SERVICE . . . 46

INSTALLING THE PILOT WEB INTERFACE . . . 46

UPGRADINGTHE PILOT ADMINISTRATION SERVICE. . . 47

UPGRADINGTHE PILOT WEB INTERFACE . . . 47

INSTALLING THE QUEST ONE ACTIVEROLES CONSOLE. . . 47

TRANSFERTO NEW OS OR SQL SERVER VERSION. . . 48

TRANSFERRING DATABASETO NEW SQL SERVER VERSION. . . 50

DEPLOYMENT CONSIDERATIONS . . . 53

BUSINESS WORKFLOW. . . 53

HARDWARE REQUIREMENTS. . . 54

WEB INTERFACE: IIS SERVER REQUIRED . . . 54

AVAILABILITYAND REDUNDANCY. . . 55

MAJOR SITES . . . 55

REMOTE SITES . . . 55

REPLICATION TRAFFIC . . . 56

LOCATIONSAND NUMBER OF SERVICES. . . 56

CENTRALIZED . . . 56

DISTRIBUTED WITH NO REMOTE MANAGEMENT . . . 57

DISTRIBUTED WITH REMOTE MANAGEMENT . . . 58

PHYSICAL DESIGN . . . 59

CENTRALIZED DEPLOYMENT. . . 61

DISTRIBUTED DEPLOYMENT . . . 62

ACTIVEROLESON WINDOWS AZURE VM . . . 69

STEP 1. PREREQUISITES. . . 69

STEP 2. DEPLOY MICROSOFT SQL SERVER 2012 . . . 69

(5)

(6)

Intended Audience

This document has been prepared to assist you in becoming familiar with the Quest®_{One ActiveRoles}®_. The Quick Start Guide contains the information required to install and use Quest One ActiveRoles. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT CONVENTION

Select This word refers to actions such as choosing or highlighting various interface

elements, such as files and radio buttons.

Bolded text Interface elements that appear in Quest Software products, such as menus and commands.

Italic text Used for comments.

Bold Italic text Used for emphasis.

Blue text Indicates a cross-reference. When viewed in Adobe®_Reader®_{, this format can be}

used as a hyperlink.

Used to highlight additional information pertinent to the process being described.

Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

Used to highlight processes that should be performed with care.

+ A plus sign between two keystrokes means that you must press them at the same

time.

| A pipe sign between elements means that you must select the elements in that

(7)

About Quest Software, Inc.

Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management,

data protection, identity and access management, monitoring, user workspace management to Windows

management. For more information, visit www.quest.com.

Contacting Quest Software

Email [email protected]

Mail Quest Software, Inc. World Headquarters 5 Polaris Way

Aliso Viejo, CA 92656 USA

Web site www.quest.com

Refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to our Support Portal at www.quest.com/support.

From our Support Portal, you can do the following:

• Retrieve thousands of solutions from our Knowledge Base • Download the latest releases and service packs

• Create, update and review Support cases

(8)

Introduction

Quest®_{One ActiveRoles}®_{simplifies and streamlines creation and ongoing management of user accounts} and groups in Windows Active Directory (AD) centric environments by automating user and group account creation in AD, mailbox creation in Exchange, group population, and resource assignment in Windows. It provides strictly enforced security, rich capabilities for automating directory management tasks, change approval and easy-to-use Web interfaces, to achieve practical user and group account management for the Windows enterprise.

This document is for individuals responsible for deploying Quest One ActiveRoles in their organization. It provides step-by-step instructions for preparing the environment and installing the Quest One ActiveRoles components.

Quest One ActiveRoles Components

Quest One ActiveRoles divides the workload of directory administration into three functional layers: presentation components, service components, and network data sources.

The presentation components include client interfaces for the Windows platform and the Web, which allow users with appropriate rights (delegated administrators) to perform a precisely defined set of administrative activities. Quest One ActiveRoles also includes the reporting solution to generate reports on the administrative activities.

The service components constitute a secure layer between administrators and managed data sources. It ensures consistent policy enforcement, provides automation capabilities, and enables the integration of business processes for administration of Active Directory, Exchange and other corporate data sources. The main component of Quest One ActiveRoles is the Administration Service—a powerful rules-based proxy for the management of network data sources. The Administration Service features advanced delegation capabilities and provides the ability to enforce administrative policies that keep data current and accurate. The Administration Service acts as a bridge between the presentation components and network data sources. In large networks, multiple Administration Services can be deployed to improve performance and ensure fault tolerance.

Network Data Sources

Microsoft Exchange Servers Active Directory Domains & Forests Presentation Components

Service Components

Administration Service Policy Enforcement

(9)

The Administration Service uses the Administration Database to store configuration data. The configuration data includes definitions of objects specific to Quest One ActiveRoles, assignments of administrative roles and policies, and procedures used to enforce policies.

The Administration Service provides a complete audit trail by creating records in Quest One ActiveRoles’ event log. The log shows all actions performed and by whom, including actions that were not permitted. The log entries display the success or failure of each action, as well as which attributes were changed while managing objects in data sources.

System Requirements

Quest One ActiveRoles includes the following components: • Administration Service

• Console (MMC Interface) • Web Interface

• Collector • Report Pack • Add-in for Outlook

(10)

Installing the Administration Service

Use the following checklist to ensure that you are ready to install the Administration Service.

ITEM TO CHECK DESCRIPTION

Administration

Service computer The Administration Service can be installed on any computer that meets the hardware and software requirements. It is not mandatory to install the Administration Service on a domain controller. However, the Administration Service computer must have reliable network connections with at least one of the domain controllers for each managed domain.

SQL Server The Administration Service requires Microsoft SQL Server. It is possible to use SQL

Server on the Administration Service computer or on a different network computer. Administration

Service account The Administration Service logs on with the account that you specify during installation. The account must have sufficient rights for Quest One ActiveRoles to function properly. Quest One ActiveRoles uses the Administration Service account when accessing a managed domain unless an override account is specified when registering the domain with Quest One ActiveRoles. Therefore, the Administration Service account must have the appropriate rights in any domain for which an override account is not specified. Additionally, the Administration Service account must have sufficient permissions to publish the Administration Service in Active Directory.

Information about how to configure the Administration Service account and an override account can be found later in this document.

Account used for connection to SQL Server

When installing the Administration Service you may configure it to use Windows authentication or SQL Server authentication for connection to SQL Server. If you choose Windows authentication, the connection is established using the

Administration Service account. In this case, the service account must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in Quest One ActiveRoles’ database.

If you choose SQL Server authentication, the connection is established with the login you are prompted to specify when installing the Administration Service. This login must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in Quest One ActiveRoles’ database.

For more information on what permissions must be granted to the account for connection to SQL Server, see SQL Server Permissions later in this document. ActiveRoles Admin ActiveRoles Admin is a group for which Quest One ActiveRoles does not perform

permission checking. If the Administration Service itself has sufficient rights to perform a certain task, then ActiveRoles Admin can also perform that task using Quest One ActiveRoles.

In addition, ActiveRoles Admin is authorized to perform any task related to the Quest One ActiveRoles configuration, such as adding managed domains and managing replication settings. Therefore, the membership in the ActiveRoles Admin group should be restricted to highly trusted individuals.

By default, ActiveRoles Admin is the Administrators local group on the computer running the Administration Service. You can change this setting when installing the

(11)

Configuring the Administration Service Account

When installing the Administration Service, you are prompted for the name and password of the Administration Service account—the account the Administration Service logs on to. This account must have sufficient permissions to:

• Gain administrative access to the computer running the Administration Service. • Publish the Administration Service in Active Directory.

• Access any managed domain for which an override account is not specified.

Access to the Administration Service Computer

The service account must be a member of the Administrators group on the computer running the Administration Service. Because of this requirement, installing the Administration Service on a domain controller effectively grants the service account administrator rights in the entire domain.

Service Publication in Active Directory

The Administration Service must be able to publish itself in Active Directory. This enables Quest One ActiveRoles clients to automatically discover the Administration Service. Service publication requires that the service account have the following permissions on the Aelita sub-container of the System container in the domain of the computer running the Administration Service:

• Create Container Objects

• Create serviceConnectionPoint Objects

In addition, the service account, or the override account, if specified, must have these permissions on the Aelita sub-container of the System container in every managed domain. If an account has the domain administrator rights, then it has the required permissions by default. Otherwise, you must give these permissions to the account using the ADSI Edit tool.

To grant permissions for Administration Service publication in Active Directory

1. Open the ADSI Edit tool and connect to the Domain naming context.

2. In the console tree, expand the System container, right-click the Aelita sub-container, and then click Properties.

If the Aelita container does not exist, create it: right-click System, point to New, click

Object, and then, in the Create Object wizard, select the Container class and specify Aelita

as cn.

3. On the Security tab in the Properties dialog box, click Advanced.

4. On the Permissions tab in the Advanced Security Settings dialog box, click Add. 5. In the Select User, Computer, or Group window, enter the name of the account. 6. On the Object tab in the Permission Entry dialog box, ensure that the Apply onto box

indicates This object and all child objects, and then, in the Permissions box, select the check boxes next to Create Container Objects and Create serviceConnectionPoint Objects in the Allow column.

7. In the Permission Entry dialog box, click OK.

(12)

Access to Managed Domains

Quest One ActiveRoles access to a domain is limited by the access rights of the service account, or the override account, if specified. For all managed domains with no override accounts specified, you should configure the service account to have permissions you want Quest One ActiveRoles to have in those domains. If you use an override account when registering a domain with Quest One ActiveRoles, ensure that the override account (rather than the service account) has these permissions for the domain. In addition, the service account (or the override account, if any) must have the Read Permissions and Modify Permissions rights on the Active Directory objects and containers where you are planning to use the Quest One ActiveRoles security synchronization feature.

For example, you may configure the service account (or the override account) to have full control of certain organizational units. In this way, Quest One ActiveRoles’ administrative scope is limited to those organizational units. Another option is to give Quest One ActiveRoles administrative access to a domain by adding the account to the Domain Admins group of that domain, or give Quest One ActiveRoles administrative access to an entire forest by adding the account to the Domain Admins group of the forest root domain.

Access to Exchange Organization

Exchange 2003

The task of moving Exchange 2003 mailboxes requires the Exchange 2007 Management Tools on the computer running the Administration Service. The other Exchange 2003 related tasks do not require the Exchange Management Tools. For instructions on how to install the Exchange 2007 Management Tools,

see http://technet.microsoft.com/en-us/library/bb232090(EXCHG.80).aspx.

To enable Quest One ActiveRoles to perform Exchange-related tasks in the Exchange 2003 organization, the Exchange View-only Administrator role must be assigned to the service account if an override account is not used. With an override account, the role must be assigned to the override account. The Move Mailbox task requires that the Exchange Administrator role be assigned either to the service account (if no override account is used) or to the override account.

A role can be assigned using the Exchange Administration Delegation wizard. To start the wizard, select the Exchange organization in the Exchange System Manager tool, and then, on the Action menu, click Delegate Control.

The service account (or the override account) must also have Read and Write access to certain attributes in Active Directory, depending on the task. You can use the following links to view the comprehensive lists of those attributes grouped by task:

• Mailbox-enabling user objects (http://technet.microsoft.com/en-us/library/aa997743.aspx) • Moving mailboxes (http://technet.microsoft.com/en-us/library/aa998937.aspx)

• Mailbox-disabling user objects (http://technet.microsoft.com/en-us/library/bb123963.aspx) • Mail-enabling user objects (http://technet.microsoft.com/en-us/library/aa997755.aspx) • Mail-disabling user objects (http://technet.microsoft.com/en-us/library/aa998758.aspx) • Removing Exchange attributes on user objects

(http://technet.microsoft.com/en-us/library/bb124311.aspx)

(13)

• Removing Exchange attributes on group objects

(http://technet.microsoft.com/en-us/library/aa998951.aspx)

• Mail-enabling contact objects (http://technet.microsoft.com/en-us/library/bb123562.aspx) • Mail-disabling contact objects (http://technet.microsoft.com/en-us/library/bb123846.aspx) • Removing Exchange attributes on contact objects

(http://technet.microsoft.com/en-us/library/aa996633.aspx)

For more information, refer to the “Working with Active Directory Permissions in Exchange Server” guide

at http://technet.microsoft.com/en-us/library/bb124223.aspx.

Exchange 2007

In order to manage Exchange recipients in the Exchange 2007 organization, the following conditions must be met:

• The Administration Service must run in the Active Directory forest in which the Exchange organization is deployed. Install the Administration Service on a server belonging to any domain in that forest.

• On the computer running the Administration Service, the Exchange 2007 Management Tools must be installed and updated with Exchange Server 2007 Service Pack 2 (or a later update for Exchange Server 2007). See the steps below for details.

• The service account or the override account must be configured so that it has the appropriate rights in the Exchange organization. See instructions later in this section.

To install the Exchange 2007 Management Tools

1. Insert the Exchange Server 2007 DVD into the DVD drive. If Setup.exe does not start automatically, navigate to the DVD drive and double-click Setup.exe.

2. Follow the instructions on the Exchange Server 2007 Setup pages.

3. On the Installation Type page, click Custom Exchange Server Installation.

4. On the Server Role Selection page, select the Management Tools check box. Leave the other check boxes cleared.

5. Follow the instructions on the Exchange Server 2007 Setup pages to complete the installation. For details, see topic “How to Install the Exchange 2007 Management Tools”

(http://technet.microsoft.com/en-us/library/bb232090(EXCHG.80).aspx) in Microsoft’s

documentation for Exchange Server 2007.

6. Update the Exchange 2007 Management Tools by installing Exchange Server 2007 Service Pack 2.

You can download Exchange Server 2007 Service Pack 2 from Microsoft’s Web site at

http://go.microsoft.com/fwlink/?LinkId=151885

The appropriate rights in the Exchange 2007 organization must be delegated to the service account if an override account is not used. With an override account, the rights must be delegated to the override account. See the steps below for detail.

(14)

To configure the service account or the override account

1. Add the account to the Exchange Recipient Administrator role.

If you plan to use Quest One ActiveRoles for managing mailbox rights, then add the account to the Exchange Organization Administrators role.

For instructions, see topic “How to Add a User or Group to an Administrator Role” (http://technet.microsoft.com/en-us/library/aa998008(EXCHG.80).aspx) in Microsoft’s documentation for Exchange Server 2007.

2. If you plan to perform the Move Mailbox task using Quest One ActiveRoles, add the service account to the Exchange Server Administrator role and to the Administrators local group on every Exchange Server.

Note that Quest One ActiveRoles does not support the Move Mailbox task in Exchange 2007 if an override account is used. This task requires the domain registration option that directs the Administration Service to access the domain using the service account information (instead of using override account information).

3. Add the account to the Account Operators domain security group.

4. If the Administration Service is already installed and running, restart it after you have changed the configuration of the account: at a command prompt, enter net stop arssvc to stop the service, and then enter net start arssvc.

Exchange 2010

In order to manage Exchange recipients in the Exchange 2010 organization, the following conditions must be met:

• The Administration Service must run in the Active Directory forest in which the Exchange organization is deployed. Install the Administration Service on a server belonging to any domain in that forest.

• On the computer running the Administration Service, the Exchange 2010 Management Tools must be installed.

For installation instructions, see topic “Install the Exchange 2010 Management Tools” in Microsoft’s documentation for Exchange Server 2010

(http://technet.microsoft.com/en-us/library/bb232090(EXCHG.141).aspx).

• The service account or the override account must be configured so that it has the appropriate rights in the Exchange organization. See instructions later in this section.

The appropriate rights in the Exchange 2010 organization must be delegated to the service account if an override account is not used. With an override account, the rights must be delegated to the override account. See the steps below for details.

(15)

1. Make the account a member of the Recipient Management role group.

For information about this role group, see the “Recipient Management” topic in the “Built-in Role Groups” section in Microsoft’s documentation for Exchange Server 2010

(http://technet.microsoft.com/en-us/library/dd298028(EXCHG.141).aspx).

For instructions on how to add a member to a role group, see the “Add Members to a Role Group” topic in Microsoft’s documentation for Exchange Server 2010

(http://technet.microsoft.com/en-us/library/dd638143(EXCHG.141).aspx)

Note that Quest One ActiveRoles does not support the Move Mailbox task in Exchange 2010 if an override account is used. This task requires the domain registration option that directs the Administration Service to access the domain using the service account information (instead of using override account information).

3. If the Administration Service is already installed and running, restart it after you have changed the configuration of the account: at a command prompt, enter net stop arssvc to stop the service, and then enter net start arssvc.

Exchange 2013

In order to manage Exchange recipients in the Exchange 2013 organization, the service account or the override account must be configured so that it has the appropriate rights in the Exchange Organization. See instructions later in this section. The Exchange 2013 management tools are not required on the computer running the Administration Service.

The appropriate rights in the Exchange 2013 organization must be delegated to the service account if an override account is not used. With an override account, the rights must be delegated to the override account. See the steps below for details.

1. Make the account a member of the Recipient Management role group.

For information about this role group, see the “Recipient Management” topic in the “Built-in Role Groups” section in Microsoft’s documentation for Exchange Server 2013

(http://technet.microsoft.com/en-us/library/dd298028.aspx).

For instructions on how to add a member to a role group, see the “Manage Role Group Members” topic in Microsoft’s documentation for Exchange Server 2013

(http://technet.microsoft.com/en-us/library/jj657492.aspx)

(16)

Support for Exchange 2013 Remote Shell

When performing management tasks on Exchange 2013 servers, Quest One ActiveRoles uses Windows PowerShell remoting to establish a connection between the computer running the ActiveRoles

Administration Service and the server running Exchange 2013. This removes the requirement to install the Exchange 2013 management tools on the computer running the Administration Service.

Quest One ActiveRoles uses the Exchange Management Shell to perform Exchange management tasks. Normally, the Exchange Management Shell is installed as part of the Exchange management tools on each computer running the ActiveRoles Administration Service. However, with Exchange 2013 servers, you don’t need to install the Exchange 2013 management tools on the computers running the

Administration Service. In this case, the Administration Service connects to the closest Exchange 2013 server and uses remote Shell to execute Exchange commands on that server.

Remote Shell enables Quest One ActiveRoles to connect to Exchange 2013 servers without having the Exchange 2013 management tools installed on the computers running the ActiveRoles Administration Service. To use remote Shell, the Administration Service must be running on a computer that has:

• Windows Server 2012 or Windows Server 2008 R2 SP1 operating system.

• Microsoft .NET Framework 4.5 installed (see Installing the .NET Framework 4.5 at

http://go.microsoft.com/fwlink/p/?LinkId=257868).

• Windows Management Framework 3.0 installed (see Windows Management Framework 3.0 at

http://go.microsoft.com/fwlink/p/?LinkId=272757).

Remote Shell also requires the following:

• TCP port 80 must be open between the computer running the Administration Service and the remote Exchange 2013 server.

• The user account the Administration Service uses to connect to the remote Exchange server (the service account or the override account) must be enabled for remote Shell. To enable a user account for remote Shell, update that user account by using the Set-User cmdlet with the RemotePowerShellEnabled parameter set to $True.

• Windows PowerShell script execution must be enabled on the computer running the Administration Service. To enable script execution for signed scripts, run the

(17)

Access to File Servers

To enable Quest One ActiveRoles to perform the provisioning and deprovisioning tasks related to user home folders and home shares, the service account (or the override account, if specified) must belong to the Server Operators or Administrators group on each file server that hosts the user home folders to be administered by Quest One ActiveRoles.

Quest One ActiveRoles provides the following policy categories to automate the management of user home folders and home shares:

• Home Folder AutoProvisioning Performs the provisioning actions needed to assign home folders and home shares to user accounts, including the creation of home folders for newly created user accounts and renaming home folders upon renaming of user accounts. Specifies the server on which to create home folders and shares, and configures access rights to the newly created home folders and shares.

• Home Folder Deprovisioning Makes the changes needed to prevent deprovisioned users from accessing their home folders, including the removal of the user’s permissions on the home folder, changing the ownership of the home folder, and deleting the home folder when the user account is deleted.

The service account or override account must be configured so that it has sufficient rights to perform the operations provided for by those policies: create, modify (including the ability to change permission settings and ownership), and delete folders and shares on the designated file servers.

You can give the required permissions to the service account or override account by adding that account to the appropriate administrative group (Administrators or Server Operators) on each file server where you are planning Quest One ActiveRoles to manage user home folders.

Access to BitLocker Recovery Information

Viewing BitLocker recovery passwords in Quest One ActiveRoles requires the domain administrator rights for the account being used by the ActiveRoles Administration Service to access the domain. Ensure that the service account or, if specified, the override account is a member of the Domain Admins group in each managed domain where you want to use Quest One ActiveRoles for viewing BitLocker recovery passwords.

With the domain administrator rights given to the ActiveRoles Administration Service, Quest One ActiveRoles allows delegated administrators to locate and view BitLocker recovery passwords held in the Active Directory domain. To view BitLocker recovery passwords, the delegated administrator must be granted the appropriate permissions in Quest One ActiveRoles. The following Access Template provides sufficient permissions to view BitLocker recovery passwords:

• Computer Objects - View BitLocker Recovery Keys

In addition, viewing BitLocker recovery passwords in a given domain requires the following: • The domain must be configured to store BitLocker recovery information (see

http://technet.microsoft.com/en-us/library/dd875529.aspx).

• The computers protected by BitLocker must be joined to the domain. • BitLocker Drive Encryption must have been enabled on the computers.

(18)

SQL Server Permissions

This section discusses the SQL Server permissions required to:

• Install Quest One ActiveRoles’ Administration Service (installation permissions) • Run Quest One ActiveRoles’ Administration Service (operation permissions)

• Configure replication in Quest One ActiveRoles (replication configuration permissions) • Run Quest One ActiveRoles replication (replication agent permissions)

Installation Permissions

The account that you use when installing the Administration Service must have sufficient rights on SQL Server to perform the installation tasks.

Which account is used to access SQL Server during installation of the Administration Service depends upon the SQL Server connection option you select in the Administration Service Setup wizard. If you select the option to use Windows authentication, the Setup program accesses SQL Server with the Windows user account under which the Setup wizard is running. If you select the option to use SQL Server authentication, then the Setup program accesses SQL Server with the SQL login and password that you specify in the Setup wizard.

The required rights of the account that is used to access SQL Server during installation vary depending on your installation scenario:

• If you want the Setup program to create a new database for the Administration Service, then the account must be a member of the dbcreator fixed server role.

• If you want the Setup program to import data from Quest One ActiveRoles’ database of an earlier version (upgrade scenario), then the account must be a member of the db_owner fixed database role in the database from which the data is to be imported, and have the default schema of dbo in that database.

• If you want the Setup program to configure the Administration Service to use an existing database of the current version (scenario where multiple Administration Service instances share a single database or the database is restored from a backup), then the account must be a member of the db_owner fixed database role and have the default schema of dbo in that database.

(19)

Operation Permissions

The Administration Service accesses its database with the account specified during installation: • If the option to use Windows authentication is selected in the Administration Service Setup

wizard, then the Administration Service uses its Windows service account to access the database.

• If the option to use SQL Server authentication is selected, then the Administration Service accesses the database with the SQL login and password supplied in the Setup wizard. In either case, the account must have sufficient rights on SQL Server to retrieve data from, and make changes to, the database. The required rights vary depending on the role of the Administration Service’s database server in Quest One ActiveRoles’ replication environment.

Standalone mode

When initially installed, the Administration Service’s database is configured not to participate in Quest One ActiveRoles replication. This configuration is referred to as standalone Administration Service. The account being used by the standalone Administration Service to access the database must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database.

Publisher mode

If the Administration Service’s database server holds the role of the Publisher in Quest One ActiveRoles replication, then the account being used by the Administration Service to access the database must at minimum be a member of the db_owner fixed database role and have the default schema of dbo in that database. Additional rights are required if you want to see the replication status information and error messages in the Quest One ActiveRoles console. These additional rights are as follows:

• Default schema of dbo in the msdb system database.

• SELECT permission on the sysjobs, sysjobsteps and MSagent_parameters system tables in the msdb system database.

• SELECT permission on the sysservers system view in the master system database. • EXECUTE permission on the xp_sqlagent_enum_jobs system extended stored procedure

in the master system database.

• SELECT permission on the MSmerge_agents, MSmerge_history, MSmerge_sessions, MSsnapshot_agents and MSsnapshot_history system tables in the distribution database (AelitaDistributionDB database by default).

Subscriber mode

(20)

Replication Configuration Permissions

After you install two or more Administration Service instances, each with its own database, you can deploy replication, if necessary, to synchronize the databases so that all your Administration Service instances have the same configuration and management history. Replication deployment begins when you configure the Publisher. Once the Publisher has been configured, the next step is to configure Subscribers. The task of configuring the Publisher or a Subscriber requires more rights on SQL Server than the Administration Service needs for normal operation. To elevate the rights of the Administration Service, Quest One ActiveRoles prompts for an alternative account. The following topics elaborate on the permissions needed to create the Publisher or add a Subscriber.

Permissions for creating or removing the Publisher

To create the Publisher, the Administration Service needs sysadmin rights on SQL Server. If the Administration Service’s account for database access does not belong to the sysadmin role, then Quest One ActiveRoles prompts you to supply an alternative account. The alternative account must:

• Be a member of the sysadmin fixed server role on the database server you are going to make the Publisher.

ActiveRoles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Publisher.

The same permissions are required for removing (demoting) the Publisher.

Permissions for adding or removing a Subscriber

To add a Subscriber, the Administration Service’s database server needs to hold the Publisher role. When adding a Subscriber, the Administration Service makes changes on the Publisher database server and on the database server being configured as a Subscriber (Subscriber database server). Therefore, the Administration Service needs sufficient rights on both database servers.

On the Publisher database server, the Administration Service needs sysadmin rights. If the

Administration Service’s account for database access does not belong to the sysadmin role, then Quest One ActiveRoles prompts you to supply an alternative account for connection to the Publisher database server. The alternative account must:

• Be a member of the sysadmin fixed server role on the Publisher database server.

ActiveRoles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Subscriber.

On the database server you are going to make a Subscriber, the Administration Service needs db_owner rights on Quest One ActiveRoles’ database. If the Administration Service’s account for database access does not have sufficient rights on the Subscriber database server, then Quest One ActiveRoles prompts you to supply an alternative account for connection to the Subscriber database server. The alternative account must:

• Be a member of the db_owner fixed database role in Quest One ActiveRoles’s database on the database server you are going to make a Subscriber.

• Have the default schema of dbo in that database.

ActiveRoles does not store the login name and password of this account. It only uses the login name and password of this account to configure the Subscriber.

(21)

Replication Agent Permissions

In Quest One ActiveRoles replication, SQL Server replication agents (Merge Agents) are used to synchronize data between the Publisher and Subscriber databases. Each Subscriber has a dedicated replication agent running on SQL Server that hosts the Publisher database. Since the agent’s role is to maintain the Publisher and Subscriber databases in sync with each other, the agent needs sufficient rights to access both the Publisher and Subscriber database servers.

The Administration Service creates and configures a replication agent when adding a Subscriber. In terms of SQL Server, this is a Merge Agent for a push subscription. According to SQL Server Books Online (see “Replication Agent Security Model” at msdn.microsoft.com/en-us/library/ms151868.aspx), Merge Agent for a push subscription requires the following permissions.

The Windows account under which the agent runs is used when it makes connections to the Publisher and Distributor. This account must:

• At minimum be a member of the db_owner fixed database role in the distribution database (AelitaDistributionDB database by default).

• Be a member of the publication access list (PAL).

• Be a login that is associated with a user in the publication database (Quest One ActiveRoles’ database on the Publisher).

• Have read permissions on the snapshot share (by default, this is the ReplData folder on the administrative share C$).

The account used to connect to the Subscriber must at minimum be a member of the db_owner fixed database role in the subscription database (Quest One ActiveRoles’ database on the Subscriber). By default, the security settings of a Merge Agent configured by Quest One ActiveRoles are as follows:

• The account under which the Merge Agent runs and makes connections to the Publisher and Distributor is the Windows service account of the SQL Server Agent service.

• The account the Merge Agent uses to connect to the Subscriber is the account under which the Merge Agent runs.

This means that, by default, Quest One ActiveRoles requires that the account of the SQL Server Agent service have all permissions the Merge Agent needs to make connections both to the

Publisher/Distributor and to the Subscriber.

(22)

Steps to Install the Administration Service

Quest One ActiveRoles requires Microsoft .NET Framework 4.5. You can use the following steps to update Microsoft .NET Framework on your server.

To update Microsoft .NET Framework

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD. 2. In the Autorun window, click Redistributables.

3. On the Redistributables page, click Microsoft .NET Framework 4.5.

The Administration Service requires Microsoft SQL Server. SQL Server may be installed on the

Administration Service computer or on a different network computer. If you do not have Microsoft SQL Server deployed in your environment, you can install Microsoft SQL Server Express Edition from the Quest One ActiveRoles DVD.

To install Microsoft SQL Server Express Edition

• On the Redistributables page in the Quest One ActiveRoles DVD Autorun window, click SQL Server Express.

Now that you have access to SQL Server, you can install the Administration Service. The installation procedure depends on whether your computer already has the Administration Service installed.

The following steps provide the guidance on how to install the Administration Service on a computer with no Administration Service installed. If you have the Administration Service installed on your computer, you should use the instructions given later in this document (see Upgrading the Administration Service).

To install the Administration Service

1. In the Quest One ActiveRoles DVD Autorun window, click Quest One ActiveRoles, and then click Administration Service in the list of the product components.

2. Follow the instructions in the Setup Wizard.

3. On the Select Features page, ensure that the Administration Service feature is selected for installation.

The Administration Service requires ActiveRoles Management Shell for Active Directory, so the Setup program automatically installs the appropriate version of Management Shell if it was not installed earlier.

4. On the Service Account Information page, enter the name and password of the domain user account to be used as the Administration Service account.

5. On the ActiveRoles Admin Account page, accept the default account, or click Browse and select the group or user to be designated as ActiveRoles Admin.

6. If the Distributed COM Security Configuration page appears, click either Yes or No.

Click Yes to add Authenticated Users to the Distributed COM Users group; otherwise, remote clients may not be able to access the Administration Service on this computer.

7. On the Service Deployment Options page, select the appropriate option, and then follow the instructions in the Setup Wizard.

(23)

Installing Initial Service

This section covers the database-related steps of the Setup Wizard in the assumption that you are installing the first Administration Service in your environment.

To install initial Service

1. On the Service Deployment Options page, click Install initial Service.

2. On the Database and Connection Settings page, complete the Database area:

a) In SQL Server, type the name of SQL Server in the form <Computer>\<Instance> (for named instance) or <Computer> (for default instance). Setup will create the database on the SQL Server instance you specify.

b) In Database name, type a name for the database to be created. 3. Complete the Connection area:

• To have the new Administration Service connect to SQL Server using the Administration Service account, click Use Windows authentication.

• To have the new Administration Service connect to SQL Server using a SQL Server login, click Use SQL Server authentication and type the login name and password.

On the Database and Connection Settings page you can select the Store Management

History in a separate database check box. For information about this option and

instructions on how to use this option, see “Installing a Separate Management History Database” later in this document.

4. On the Configuration Database Summary page, review the database and connection settings you are going to use.

5. Complete the Backup of Encryption Keys page, as described later in this section (see “Backup of Encryption Keys”).

6. Follow the instructions in the wizard to complete the installation.

Backup of Encryption Keys

When creating the database, the Setup program generates a key set that the Administration Service will use to encrypt data in the database. The key set is specific to the database.

You should save a backup copy of the encryption keys to a file and keep it in a secure location for database reuse, and for maintenance and troubleshooting procedures. You need a backup copy of the encryption keys when moving the Administration Service to another environment while preserving its configuration, or when restoring the database from a backup.

On the Backup of Encryption Keys page, the Setup Wizard prompts you to specify a file in which to save a copy of the encryption keys. You have the option to use password protection for that file.

To create a backup copy of encryption keys

1. On the Backup of Encryption Keys page, click the Browse button to specify the file name and location.

When creating the database, the Setup Wizard will export the database encryption keys to that file.

2. Optionally, select the Use password protection for this file check box, and then type and confirm a password.

(24)

Installing Additional Service

This section covers the database-related steps of the Setup Wizard in the following assumptions: • You have at least one Administration Service version 6.9 up and running in your environment. • You are installing one more Administration Service for load distribution and fault tolerance.

To install additional Service

1. On the Service Deployment Options page, click Install additional Service.

2. On the Configuration Synchronization Options page, click one of the following options, depending on how you want to synchronize the configuration of the new Administration Service with the configuration of the existing Administration Services:

• Share common configuration database Lets the new Administration Service use the database of an existing Administration Service so that the new Administration Service has the same configuration as the existing one.

• Create new database, to be synchronized via replication After installing the Administration Service, you will need to set up Quest One ActiveRoles replication for the new Administration Service to have the same configuration as existing ones.

3. If you have selected the option Share common configuration database, follow the instructions provided later in this section (see “Using Common Configuration Database”). 4. If you have selected the option Create new database, to be synchronized via

replication, use the instruction provided in the previous section (see “Installing Initial Service”) to complete the wizard.

The database created by this option holds the pristine configuration of the Administration Service. To update and synchronize the new database with the configuration data of the Administration Services that were earlier deployed in your environment, you need to use the replication function. For instructions on how to set up replication of configuration data, refer to the Quest One ActiveRoles Administrator Guide.

Using Common Configuration Database

By selecting the option Share common configuration database you set up the new Administration Service so that it connects to the database of an existing Administration Service. The newly installed Administration Service automatically becomes a replica of the existing one.

This option makes it possible to centralize configuration storage. You can deploy multiple Administration Services of the same configuration without having to synchronize multiple databases via replication. Rather, you have the option for multiple Administration Services to share configuration data held in a single database on centrally deployed SQL Server.

This option also ensures that the newly installed Administration Service can immediately be used as a replacement for the existing Administration Service. Switching between Administration Services is transparent to Quest One ActiveRoles users as both instances of the Administration Service have the same configuration.

To have Administration Services use common configuration database

1. On the Configuration Synchronization Options page, click Share common configuration database.

(25)

3. On the Database and Connection Settings page, in the Connection area, select the appropriate authentication option:

• To have the new Administration Service connect to SQL Server using the Administration Service account, click Use Windows authentication.

• To have the new Administration Service connect to SQL Server using a SQL Server login, click Use SQL Server authentication, and type the login name and password.

On the Database and Connection Settings page you can select the Store Management

History in a separate database check box. For information about this option and

instructions on how to use this option, see “Installing a Separate Management History Database” later in this document.

5. Complete the Provision of Encryption Keys page, as described later in this section (see “Encryption Keys Provisioning”).

Encryption Keys Provisioning

In the configuration database, certain data is encrypted. For example, if an override account is specified for a managed domain, the credentials of that account are encrypted. To gain access to encrypted data, the newly installed Administration Service needs encryption keys.

The Provision of Encryption Keys page prompts you to choose how you want the new Administration Service to obtain the keys that are used to encrypt data in the specified database. You can choose from these options:

• Retrieve keys from existing Service The Setup program retrieves the keys and passes them to the Administration Service you are installing. You need to have at least one Administration Service up and running that uses the specified database.

• Restore keys from a backup copy You must provide the file to which the encryption keys were exported (see “Backup of Encryption Keys” in the “Installing Initial Service” section, earlier in this document).

• Generate new keys The Setup program generates new encryption keys for the database and passes them to the Administration Service you are installing. The encrypted data that was previously stored in the database is lost.

To automatically provision encryption keys

• On the Provision of Encryption Keys page, click Retrieve keys from existing Service.

To restore encryption keys from a backup

1. On the Provision of Encryption Keys page, click Restore keys from a backup copy. 2. On the Restore of Encryption Keys page, specify the file containing a backup copy of the

(26)

To generate new encryption keys

1. On the Provision of Encryption Keys page, click Generate new keys.

2. On the Backup of Encryption Keys page, click the Browse button to specify the file name and location: a backup copy of the new encryption keys will be saved in that file.

3. Optionally, select the Use password protection for this file check box, and then type and confirm a password.

Importing Configuration Data

When installing the Administration Service, you may need to import configuration data from an existing database in order to ensure that the newly installed Administration Service has the same configuration as the existing one. Importing configuration data to a newly created database instead of attaching the Administration Service to the existing database is necessary if the version of the Administration Service you are installing is greater than the version of the database you want to use. Some examples of such a situation are as follows:

• Restoring configuration data from a backup copy of the database whose version does not match the version of the Administration Service.

• Upgrading the Administration Service while preserving its configuration.

The following instructions on how to import configuration data are applicable to any situation where you choose to create a new database when installing the Administration Service. In this case, the Database and Connection Settings page includes the option Import data from this database that is intended to direct the Setup program to copy the configuration data to the newly created database.

To import configuration data

1. In the Database area on the Database and Connection Settings page, select the Import data from this database check box.

2. In the box next to Import data from this database, type the name of the database from which you want to import data.

The source database must be located on SQL Server that hosts the database for the new Administration Service installation.

3. In the Connection area, select the authentication mode you want the Administration Service to use on SQL Server.

5. On the Import of Encrypted Data page, choose whether to import the encrypted data from the source database.

Importing the encrypted data requires a backup copy of the encryption keys of the source database.

6. If you have chosen to import the encrypted data, on the Restore of Encryption Keys page, specify the file containing a backup copy of the source database encryption keys. If the file is password-protected, type the password.

(27)

7. On the Backup of Encryption Keys page, specify where to store a backup copy of the encryption keys for the new database.

Advanced Scenarios

This section covers the database-related steps of the Setup Wizard in the following scenarios: • Using the database of an earlier Administration Service installation

• Using a pre-created, blank database

To implement any of these scenarios, you should select the Perform custom installation option on the Service Deployment Options page in the Setup Wizard.

Using the Database of an Earlier Administration Service Installation

When installing the Administration Service, you may need to have it use the database of an earlier installation of the Administration Service instead of creating a new database. The situations where the need arises to re-use an existing database include the following scenarios:

• Repairing the Administration Service installation by using Add or Remove Programs in Control Panel.

• Restoring the configuration database from a backup, and then reinstalling the Administration Service so that it uses the restored database.

• Installing a maintenance release of the Administration Service to update the existing Administration Service installation.

Assuming that the database has the same version as the Administration Service you are installing, you can use the following instructions to make the Administration Service use that database.

To use the database of an earlier Administration Service installation

1. On the Service Deployment Options page, click Perform custom installation. 2. On the Configuration Storage Options page, click Database of an earlier installed

Service.

3. On the Database and Connection Settings page, specify SQL Server and the name of the database, and select the authentication mode you want the Administration Service to use on SQL Server.

5. Complete the Provision of Encryption Keys page by using the instructions given in the “Installing Additional Service” section earlier in this document (see “Encryption Keys Provisioning”).

6. If you have chosen the option to generate new keys, use the Backup of Encryption Keys page to specify where to store a backup copy of the newly generated keys.

(28)

Using a Pre-created, Blank Database

When creating a database, the Setup program uses default values for database properties, such as the location and other parameters of the database files and transaction log files. If you need to adjust these properties, you should first create a blank database with the parameters that meet your requirements, and then have the Setup program attach the database to the Administration Service you are installing. Assuming that the database is already created, you can use the following instructions to implement this scenario.

To use a pre-created, blank database

1. On the Service Deployment Options page, click Perform custom installation. 2. On the Configuration Storage Options page, click Existing blank database.

3. On the Database and Connection Settings page, specify SQL Server and the name of the database, and select the authentication mode you want the Administration Service to use on SQL Server.

5. On the Backup of Encryption Keys page, specify where to store a backup copy of the encryption keys that the Setup program will generate for the database.

Verifying the Service Installation

To make certain that the Administration Service is up and running you might enter net start arssvc at a command prompt. Normally, this command should return the following message: “The requested service has already been started.”

The Setup program tries to grant the following privileges on the Administration Service computer to the Administration Service account:

• SeServiceLogonRight Log on as a service

• SeTcbPrivilege Act as part of the operating system

• SeAssignPrimaryTokenPrivilege Replace a process level token

(29)

Installing User Interfaces

Quest One ActiveRoles provides user interfaces for the Windows system and the Web, allowing users with appropriate rights to perform administrative activities. The user interfaces include:

• MMC Interface, also referred to as the Quest One ActiveRoles console An MMC snap-in that provides full access to the capabilities and functions of Quest One ActiveRoles.

• Web Interface A customizable Web application for performing day-to-day administrative tasks through the use of Quest One ActiveRoles.

Steps to Install the Console

The Quest One ActiveRoles console can be installed on any computer that meets the system

requirements and has a reliable network connection to a computer running the Administration Service. It can also be installed on the Administration Service computer.

To install the Quest One ActiveRoles console

1. Run autorun.exe, located in the root folder of the Quest One ActiveRoles DVD. 2. In Autorun window, click Quest One ActiveRoles, and then click Console (MMC

Interface) in the list of the product components.

3. Follow the instructions in the Setup Wizard to complete the installation.

Steps to Install the Web Interface

The Quest One ActiveRoles Web Interface can be installed on any computer that meets the system requirements and is running Internet Information Services (IIS) 7.0 or later. It is not necessary to install the Web Interface on the computer running the Administration Service. However, the computer that hosts the Web Interface must have a reliable network connection to a computer running the

Administration Service.

Checking Web Interface Prerequisites

Windows Server 2008

On a Windows Server 2008 or Windows Server 2008 R2 based computer, ensure that the Web Server (IIS) server role with the following role services is installed:

• Web Server/Common HTTP Features/ • Static Content

• Default Document • HTTP Errors • HTTP Redirection

• Web Server/Application Development/ • ASP.NET

• .NET Extensibility • ASP

(30)

• Web Server/Security/ • Basic Authentication • Windows Authentication • Request Filtering

• Management Tools/IIS 6 Management Compatibility/ • IIS 6 Metabase Compatibility

The Web Interface Setup program automatically installs the required server role and role services. You can use Server Manager to verify that the required server role and role services are installed.

Windows Server 2012

On a Windows Server 2012 based computer, ensure that the Web Server (IIS) sever role is installed, including:

• Web Server/Common HTTP Features/ • Default Document • HTTP Errors • Static Content • HTTP Redirection • Web Server/Security/ • Request Filtering • Basic Authentication • Windows Authentication

• Web Server/Application Development/ • .NET Extensibility 4.5

• ASP

• ASP.NET 4.5 • ISAPI Extensions • ISAPI Filters

• Management Tools/IIS 6 Management Compatibility/ • IIS 6 Metabase Compatibility

The Web Interface Setup program configures the Web Server (IIS) server role to meet the Web Interface requirements. You can use Server Manager to verify that the server role is configured properly.

Feature Delegation

Web Interface requires Internet Information Services to provide Read/Write delegation for the following features:

• Handler Mappings • Modules

(31)

Installing and Configuring the Web Interface

The Setup program allows you to configure the Web Interface to use:

• Administration Service that runs on the same computer as the Web Interface • Administration Service that runs on a specified computer

• Any available Administration Service that belongs to a specified replication group Unless you choose the first option (Local Administration Service), you should ensure that the Web Interface users have the “Log on locally” privilege on the computer running the Web Interface. By default, all domain users have this privilege on workstations and member servers. However, for domain controllers, only domain administrators have this privilege by default.

Before installing the Web Interface, ensure that the Administration Service is up and running. Otherwise, Setup will fail to install the Web Interface. You might use the net start arssvc syntax to check the health of the Administration Service.

The procedure for deploying the Web Interface includes two stages:

• Installing the Web Interface At this stage, the files are copied to the computer, and three Web Interface sites are created based on the default configuration templates.

• Creating, modifying or deleting Web Interface sites At this stage, you can create additional sites, and modify or delete existing sites.

When creating Web Interface sites, you have the option to apply the configuration of an existing Web Interface site to the newly created one. If you have the Web Interface site tailored to meet your requirements, and need to deploy its instance on another Web server, this option ensures that the new Web Interface site has the same set of menus, commands and pages as the existing one.

The Setup Wizard creates three Web Interface sites based on the following configuration templates that are available out of the box:

• Default Site for Administrators Supports a broad range of tasks, including the management of directory objects and computer resources.

• Default Site for Help Desk Handles typical tasks performed by Help Desk operators, such as enabling/disabling accounts, resetting passwords, and modifying select properties of users and groups.

• Default Site for Self-Administration Provides User Profile Editor, allowing end users to manage personal or emergency data through a simple-to-use Web interface.

Each configuration template provides an individual set of commands installed by default. Once a Web Interface site has been created, you can customize its configuration by adding or removing commands, and by modifying Web pages (forms) associated with commands. The relevant procedures are outlined in the Quest One ActiveRoles Web Interface Administrator Guide.

To install the Web Interface

1. In the Quest One ActiveRoles DVD Autorun window, click Quest One ActiveRoles, and then click Web Interface in the list of the product components.