
You're reading from Microsoft Forefront Identity Manager 2010 R2 Handbook

Product type: Book
Published in: Aug 2012
Publisher: Packt
ISBN-13: 9781849685368
Edition: 1st Edition
Author
Kent Nordstrom

Kent Nordström wrote his first lines of code in the late 70s so he's been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system he started a close relationship with them that has continued since. For many years Kent has been working part time as a sub-contractor to Microsoft Consulting Services and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge around Forefront TMG, Forefront UAG and PKI. Find out more by visiting his blog on http://konab.com.

Chapter 3. Installation

As we have already discussed, Microsoft Forefront Identity Manager 2010 R2 (FIM 2010 R2) is not one product, but a family of products.

This also means that there are many different ways of installing the product, depending on what parts you want and how you would like to separate them on different systems.

We can choose to separate the different components based on load or just because we like it clean.

As an example, we will look at the setup used by The Company. They are doing a split installation for the production environment, but for test and development around FIM Sync and FIM Service, they use a single-box approach.

In this chapter we will look at the following:

  • Prerequisites for installing different components of FIM 2010 R2

  • How to actually install the components

  • A few post-installation steps to get it working

Development versus production


If you are using FIM Synchronization Service and FIM Service, you are likely in need of a test/development environment. As I will show you later, migrating from test to production is not that hard with FIM.

The problem is to make your test/development environment look as close as possible to the production environment. With FIM, the particular difficulty is the Connected Data Sources (CDSs): getting a representation of each CDS into the test environment is a hard problem.

Ideally, you would have a mirrored environment where all systems are represented. But that's not available to everyone. If you do, you're lucky!

The Company is running the test/development FIM Server parallel to the production environment using the same Active Directory. This gives them some special problems that we will discuss in this chapter.

Capacity planning


At the Microsoft download center, you can download the Forefront Identity Manager Capacity Planning Guide (http://aka.ms/FIMCapacityPlanning). I will not dig deep into capacity planning in this book, but rather make sure your setup is made in a way that allows you to easily make your FIM environment expand to cope with future needs.

If you look at the following table, you'll see that capacity planning is not easy since there is no straight answer to the problem. If I have 10,000 users, how should I plan my FIM environment? There are too many other parameters to look at.

Separating roles


If we look at all the FIM features we are about to install, we need to understand that in theory, we might be able to put them all in one box. But, that is not practical, and in some cases is not even supported by Microsoft.

The example setup I use in this book, for The Company, can be used as a starting point.

Databases

As you will see, you will need quite a few databases. Depending on load and other factors, you can choose to install the databases locally on each box hosting a FIM feature or choose to have them all in a central Microsoft SQL server. Or, you can even mix the two approaches.

If you find that your initial approach was not optimal, don't be alarmed. Moving the databases is fully supported. In this book I will use so-called SQL aliases when referencing the databases; one reason for this is that it makes moving the databases simpler, since only the alias has to be repointed rather than every FIM component's configuration.
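As an added example (not code from the book), the following PowerShell defines and checks a SQL client alias of the kind described above on a FIM server. The alias name, target server name and port are constructed sample values; the registry location is the one the SQL Server client libraries read aliases from.

```powershell
# Added example, not from the book: define a SQL Server client alias on a FIM server
# so FIM components are pointed at the alias rather than the physical SQL server.
# If the database is moved later, only the alias needs repointing.
# Alias name, server name and port below are constructed sample values.
param(
    [string]$AliasName = 'FIMSyncSQL',
    [string]$SqlServer = 'SQL.thecompany.local',
    [int]$Port = 1433
)

# Aliases are stored under the SQL client registry key; the 64-bit and 32-bit
# (Wow6432Node) client stacks keep separate lists, so define the alias in both.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)

# DBMSSOCN selects TCP/IP; the value format is "DBMSSOCN,<server>,<port>".
# Pinning a port means the SQL instance must listen on a static TCP port.
$value = "DBMSSOCN,$SqlServer,$Port"

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $AliasName -Value $value `
        -PropertyType String -Force | Out-Null
    "Alias $AliasName -> $value written under $key"
}

# Check that the target answers on that port before running FIM setup.
# A TcpClient probe works on Windows Server 2008 R2, which lacks Test-NetConnection.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($SqlServer, $Port)
    "$SqlServer is reachable on TCP port $Port"
}
catch {
    Write-Warning "Cannot reach $SqlServer on TCP port $Port ($($_.Exception.Message))"
}
finally {
    $tcp.Close()
}
```

Run it elevated on each server that will host a FIM feature, and enter the alias name where FIM setup asks for the SQL server name.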

The System Center Service Manager Data Warehouse, required by the FIM Reporting feature, usually uses a separate SQL server...

Hardware


Whether to virtualize or not is the question for many companies today. All components of FIM 2010 R2 can be virtualized. If you have chosen to virtualize your SQL servers, I guess every other service will be virtualized as well. A starting point for the discussion on virtualization is available at http://aka.ms/VirtualizationBestPractices.

If I have noticed one thing during my years as a consultant, it is that customers tend to give virtual machines only one virtual CPU. However, almost every FIM feature can benefit from multiple CPUs, and I would recommend giving at least two to three CPUs to your FIM servers, depending on how you co-locate different FIM features.

The FIM development server at The Company, for example, has two CPUs and 4 GB of RAM. If your test/development server is to load and manage all your identities, you will likely need to add more RAM to that system.

Installation order


The FIM CM components can be installed regardless of the other FIM pieces.

If you have an existing SCSM environment, the SCSM Servers might already be in place but might still need some updates to support FIM 2010 R2 Reporting.

Note

At the time of writing, there is no official support for using SCSM 2012.

The following SCSM Servers need to be installed before we install the FIM Reporting feature:

  • SCSM Management (if the FIM Reporting feature is to be used)

  • SCSM Data Warehouse (if the FIM Reporting feature is to be used)

The FIM components also have some dependencies that make it logical to install them in a certain order. They should be installed in the following order:

  1. FIM Synchronization Service

  2. FIM Service

  3. FIM Portals

  4. FIM Reporting

If you have a setup similar to The Company, the order of installation could be to start off with the test/development environment. In the following installation lists, I use the notation "server name: feature to install". The server names refer to...

Prerequisites


Before we can start installing any components, there are a number of prerequisites that we need to make sure we have in place.

The main reason for errors in FIM is mistakes made during this phase of the installation. Sometimes it is hard to track such errors back to their cause, especially if you get Kerberos authentication errors.

Databases

The Company will have several servers running Microsoft SQL Server. The server names in the following list refer to the server names used in the description of the environment in Chapter 1, The Story in this Book:

  • FIM-Dev: This SQL server will be used by the FIM Sync and FIM Service running on the FIM-Dev server. But, this instance will also be used to develop and test SQL Server Integration Services (SSIS) packages and test versions of SQL-based CDSs.

  • SQL: This is the central SQL server holding all production databases. This will be used by the FIM-Sync, FIM-Service, and FIM-CM servers. This is also where SQL-based CDSs such as the HR system will be found...

Installation


The installation of the different components is quite straightforward, once the prerequisites are in place.

FIM Synchronization Service

The Company will have two separate instances of FIM Synchronization Service, one on the FIM-Dev server and one on the FIM-Sync server.

The FIM Synchronization Service setup creates five security groups. The first three groups correspond with the FIM Synchronization Service user roles—Administrator, Operator, and Joiner. The other two groups are used for granting access to the Windows Management Instrumentation (WMI) interfaces—Connector Browse and Password Set.

By default, the FIM Synchronization Service creates the five security groups as local computer groups instead of domain global groups. If you plan to use domain global groups, you must create the groups before you install FIM Synchronization Service.

The account doing the installation needs to be a local administrator on the server and also needs to have enough permission on the SQL server...

Post-installation configuration


Before we can start to use our new FIM environment, we need to perform some post-installation tasks.

Granting FIM Service access to FIM Sync

In order for the FIM Service to manage the FIM Synchronization Service, we need to add the FIM Service service account to the FIMSyncAdmins group. If you are implementing Password Reset, you also need to add the FIM Service service account to the FIMSyncPasswordSet group.

After adding the FIM Service service account to the new groups, you need to restart the FIM Service service in order for the new group membership to take effect.

In the example of The Company, this means that the FIM Service account on the FIM-Dev server should be a member of the FIMSyncAdmins group on the FIM-Dev server, and the FIM Service account on the FIM-Service server should be a member of FIMSyncAdmins on the FIM-Sync server.
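As an added example (not code from the book), the following PowerShell performs the post-installation step just described: it adds the FIM Service service account to the FIMSyncAdmins group (and to FIMSyncPasswordSet when Password Reset is used) on the FIM Sync server, then restarts the FIM Service. It assumes the default local groups created by setup, and the server and account names, as well as the Windows service name FIMService, are assumptions for illustration.

```powershell
# Added example, not from the book: grant the FIM Service account the group
# memberships it needs on the FIM Synchronization Service server, then restart
# the FIM Service so the new group membership takes effect.
# Server names and the service account are constructed sample values.
param(
    [string]$SyncServer     = 'FIM-Sync',                  # hosts FIM Sync
    [string]$ServiceServer  = 'FIM-Service',               # hosts FIM Service
    [string]$ServiceAccount = 'THECOMPANY\svc-fimservice', # FIM Service service account
    [switch]$PasswordReset                                 # also needed for Password Reset
)

# Groups created by FIM Sync setup (local computer groups by default).
$groups = @('FIMSyncAdmins')
if ($PasswordReset) { $groups += 'FIMSyncPasswordSet' }

$domain, $user = $ServiceAccount -split '\\', 2

foreach ($group in $groups) {
    # The ADSI WinNT provider works on Windows Server 2008 R2, which has no
    # LocalAccounts module, and can target a remote computer.
    $localGroup = [ADSI]"WinNT://$SyncServer/$group,group"
    $members = @($localGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $user) {
        "$ServiceAccount is already a member of $group on $SyncServer"
    }
    else {
        $localGroup.Add("WinNT://$domain/$user,user")
        "Added $ServiceAccount to $group on $SyncServer"
    }
}

# Group membership is only picked up when the service account logs on again,
# so restart the FIM Service (assumed Windows service name: FIMService).
$svc = Get-Service -ComputerName $ServiceServer -Name 'FIMService'
$svc | Restart-Service -Force
$svc.WaitForStatus('Running', (New-TimeSpan -Seconds 120))
$svc.Refresh()
"FIMService on $ServiceServer is $($svc.Status)"
```

Run it as an account that is a local administrator on both servers; if you created the groups as domain global groups before installing FIM Sync, add the account there with your usual Active Directory tooling instead.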

Securing the FIM Service mailbox

It is not required but it is a best practice to take a look at the mailbox used by the...

Summary


Installing the prerequisites is, as you can see, the toughest part, while installing the products involved in the FIM family is quite straightforward.

In this chapter, I have shown what it would look like if you installed all FIM 2010 R2 components using the setup that my example company, The Company, is using.

In my opinion, the key to a successful FIM 2010 R2 installation is to really understand the prerequisites, making sure you understand all your service accounts, aliases, and Kerberos settings.

Please remember that if you are not planning to use parts of the product, you might be able to reduce the number of machines involved. If you, for example, are not interested in FIM Reporting, the whole setup of the SCSM infrastructure is not required.

Now that we have our installation in place, it is time to start using our FIM 2010 R2 infrastructure. In the next chapter, we will start off by looking at the initial configuration of the FIM Synchronization, FIM Service, and FIM Portal components...


Capacity planning design factors (the table referred to in the Capacity planning section):

Design factor / Considerations

  • Topology: The distribution of the FIM services among computers on the network.

  • Hardware: The physical hardware and any virtualized hardware specifications that you are running for each FIM component. This includes CPU, memory, network adapter, and hard drive configurations.

  • FIM policy configuration objects: The number and type of FIM policy configuration objects, which...