Post-Installation and Configuration Guide
Applies To: Forefront Identity Manager 2010
The Microsoft® Forefront® Identity Manager (FIM) 2010 Post-Installation Configuration Guide provides information and procedures to information technology (IT) professionals regarding common post-installation FIM 2010 configuration steps. Depending on your deployment scenarios, some of the steps in this guide may be optional.
What This Document Covers
This document describes common configuration steps to perform after your installation of FIM 2010 is complete. The steps presented here are one-time configuration steps and procedures to be performed after a successful installation. This document assumes that you have successfully installed the product and followed the procedures in the Installation Guide.
This document assumes that you have a basic understanding of the following:
Active Directory® Domain Services (AD DS)
Microsoft® SQL Server® 2008
Windows® SharePoint® Services 3.0
Microsoft Exchange Server® 2007 or Exchange Server 2010
This document assumes that you also have a basic understanding of FIM 2010 and its main concepts. While not required, it is highly recommended that you familiarize yourself with the concept of inbound synchronization rules and how they work, as described in Understanding Data Synchronization with External Systems. This guide refers to settings that you used during your installation of FIM 2010. We recommend that you have those settings available before you begin the procedures.
This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010.
If you have questions regarding the content of this document or if you have general feedback, post a message to the Microsoft Forefront Identity Manager Discussion Forum (http://go.microsoft.com/fwlink/?LinkId=163230).
The configuration procedures in this guide may be optional, depending on your deployment scenarios. In addition to the procedures in this guide, you should also review Best Practices.
This guide provides instructions for the following configurations:
Create a Backup Administrator account
SQL Server Database configuration
Synchronization rule provisioning
Active Directory–to–FIM 2010 initial data load
Configuration of general management policy rules (MPRs)
Configuration of Windows Communication Foundation (WCF) Performance Counters
Create a Backup Administrator account for the FIMService after installation
Members of the FIMService Administrators set have unique permissions that are critical to the operation of your FIM deployment. If you cannot log on as a member of the Administrators set, the only resolution is to roll back to a previous backup of the system. To mitigate this risk, we recommend that you add other users to the FIM Administrators set as part of your post-installation configuration.
Deleting or modifying certain resources
Deleting or modifying certain default resources within the FIM Portal can disrupt operations or even render the portal inoperable. The following is a list of resources that should never be deleted from the FIM Portal:
- Default Administrator in the Administrators Set
- Administrators Set
- Default RCDC objects
- Default MPRs
SQL Server Database Configuration
Configuration of SQL Server is critical for optimal system performance. Achieving optimal FIM performance in large-scale deployment scenarios depends on applying best practices for SQL Server. The guidance in this section applies to both the FIM Service Database and the FIM Synchronization Database. We recommend that you apply the following SQL Server best practices:
Presize data and log files
Do not rely on AUTOGROW. Instead, manage the growth of these files manually. You may leave AUTOGROW ON for safety reasons, but you should manage the growth of the data files proactively. You can find sample sizes for the FIM database in the FIM Capacity Planning Guide.
To presize data and log files
Start SQL Server Enterprise Manager.
Right-click the database FIMService, and then click Properties.
On the Files page, expand the database files to the required size.
Isolate log files from data files
Follow SQL Server best practices for isolating the transaction files and the data log files for the databases onto separate physical disks.
Create additional tempdb files
For optimal performance, we recommend that you create one data file per CPU core in tempdb. As with log and data files, you should also adequately presize your tempdb files and rely on AUTOGROW ON only for safety reasons.
To create additional tempdb files
Start SQL Server Enterprise Manager.
Navigate to the database tempdb in System Databases, right-click tempdb, and then click Properties.
On the Files page, create one data file per CPU core. Make sure that you separate the tempdb Data and Log files on different drives and spindles.
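The two procedures above are carried out on the Properties page. The following T-SQL script is an added example, not part of the guide, that does the same work from a query window: it lists the current files, presizes the FIM Service data and log files, and adds one tempdb data file per CPU core. It assumes the database is named FIMService, that its logical file names are FIMService and FIMService_log (confirm them with the first query), and it uses placeholder drive letters and sizes; take your sizes from the FIM Capacity Planning Guide.

```sql
-- Added example (not from the guide): presize FIMService files and create one
-- tempdb data file per CPU core. Logical file names, drive letters and sizes
-- below are assumptions / placeholders; confirm names with the first query.
USE master;
GO

-- Current logical names, paths and sizes of the FIM Service and tempdb files.
SELECT DB_NAME(database_id) AS database_name, name AS logical_name,
       physical_name, size * 8 / 1024 AS size_mb, type_desc
FROM sys.master_files
WHERE DB_NAME(database_id) IN ('FIMService', 'tempdb');

-- Presize the FIM Service data and log files. AUTOGROW stays on as a safety net,
-- in fixed MB steps rather than a percentage, so growth is predictable.
ALTER DATABASE FIMService MODIFY FILE (NAME = 'FIMService',     SIZE = 20480MB, FILEGROWTH = 1024MB);
ALTER DATABASE FIMService MODIFY FILE (NAME = 'FIMService_log', SIZE = 8192MB,  FILEGROWTH = 1024MB);

-- Presize the default tempdb files (tempdev / templog are the default logical names).
-- T:\ and U:\ are placeholders for the separate disks used for tempdb data and log.
ALTER DATABASE tempdb MODIFY FILE (NAME = 'tempdev', SIZE = 2048MB, FILEGROWTH = 512MB);
ALTER DATABASE tempdb MODIFY FILE (NAME = 'templog', SIZE = 1024MB, FILEGROWTH = 512MB);

-- Add data files until tempdb has one per CPU core. All files get the same size so
-- SQL Server's proportional-fill algorithm spreads allocations evenly across them.
-- tempdb is recreated at every service start, but the file definitions persist.
DECLARE @cores    int = (SELECT cpu_count FROM sys.dm_os_sys_info);
DECLARE @existing int = (SELECT COUNT(*) FROM sys.master_files
                         WHERE database_id = DB_ID('tempdb') AND type = 0);  -- type 0 = data file
DECLARE @i   int = @existing + 1;
DECLARE @sql nvarchar(max);

WHILE @i <= @cores
BEGIN
    SET @sql = N'ALTER DATABASE tempdb ADD FILE (NAME = N''tempdev' + CAST(@i AS nvarchar(3))
             + N''', FILENAME = N''T:\tempdb\tempdev' + CAST(@i AS nvarchar(3))
             + N'.ndf'', SIZE = 2048MB, FILEGROWTH = 512MB);';
    EXEC sp_executesql @sql;
    SET @i += 1;
END;

-- Re-run the first query to confirm the new sizes and the number of tempdb data files.
```

The ALTER DATABASE ... MODIFY FILE statements for tempdb take effect for the current instance only after the SQL Server service restarts; the ADD FILE statements take effect immediately.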
Ensure adequate space for log files
Make sure that you know your recovery model's disk requirements. Simple recovery mode may be appropriate during initial system load, to limit the use of disk space, but you might be exposed to data loss since the most recent backup. When you use full recovery mode, you have to manage the disk use through backups, which includes frequent backups of the transaction log to prevent high disk space usage. For more information about managing recovery, see Recovery Model Overview (http://go.microsoft.com/fwlink/?LinkID=185370).
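The following T-SQL is an added example, not part of the guide, that shows how to check which recovery model each FIM database is using, how much of the log is in use, and the backup steps that go with a change of recovery model. It assumes the default database names FIMService and FIMSynchronizationService and uses placeholder backup paths.

```sql
-- Added example (not from the guide): inspect recovery model and log usage, and
-- switch models with the backups each switch requires. Database names are the
-- FIM defaults (an assumption for your deployment); X:\Backup\ is a placeholder.
USE master;
GO

-- Recovery model per database and what the log is currently waiting on.
-- log_reuse_wait_desc = LOG_BACKUP under FULL means the log needs a log backup,
-- not a bigger disk.
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases
WHERE name IN ('FIMService', 'FIMSynchronizationService');

-- Log file size and percentage in use for every database on the instance.
DBCC SQLPERF(LOGSPACE);

-- Option A: SIMPLE during the initial load. The log truncates on checkpoint, so disk
-- use stays low, but point-in-time restore is lost until FULL is restored below.
-- Take a full backup first so the pre-load state can be recovered.
BACKUP DATABASE FIMService TO DISK = N'X:\Backup\FIMService_pre_load.bak' WITH INIT;
ALTER DATABASE FIMService SET RECOVERY SIMPLE;

-- Option B: back to FULL for normal operation. The log chain only begins with the
-- next full backup, so take one immediately, then schedule frequent log backups;
-- without them the log file grows until the disk fills.
ALTER DATABASE FIMService SET RECOVERY FULL;
BACKUP DATABASE FIMService TO DISK = N'X:\Backup\FIMService_full.bak' WITH INIT;
BACKUP LOG FIMService TO DISK = N'X:\Backup\FIMService_log.trn';

-- Confirm the switch.
SELECT name, recovery_model_desc FROM sys.databases WHERE name = 'FIMService';
```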
Limit SQL Server memory use
Depending on how much memory you have on your computer running SQL Server and if you share the SQL Server on that computer with other services, such as FIMService and FIMSynchronizationService, you might want to restrict the memory consumption of SQL Server. You can use the following procedure to limit SQL Server memory use.
To limit SQL Server memory use
Start SQL Enterprise Manager.
Click New Query.
Run the following query:
USE master
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
The following example reconfigures SQL Server so that it will not use more than 12 gigabytes (GB) of memory.
USE master
EXEC sp_configure 'max server memory (MB)', 12000   -- max = 12 GB
RECONFIGURE WITH OVERRIDE
Verify the setting using the following query:
USE master
EXEC sp_configure 'max server memory (MB)'   -- verify the setting
USE master
EXEC sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
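The following query is an added example, not part of the guide, for checking the memory limit against the memory actually installed once the sp_configure steps above have run. It reads the configured and effective values from sys.configurations (they differ until RECONFIGURE has run) and compares the limit with the physical memory reported by sys.dm_os_sys_memory. The 4 GB headroom figure for the operating system, FIMService and FIMSynchronizationService is an assumption; size it for your own server.

```sql
-- Added example (not from the guide): verify max server memory against physical
-- memory. The 4096 MB reserve for the OS and the FIM services is an assumption.
USE master;
GO

-- value = what was configured, value_in_use = what the instance is running with.
-- If they differ, RECONFIGURE has not been run since the change.
SELECT name, value, value_in_use, minimum, maximum
FROM sys.configurations
WHERE name IN ('max server memory (MB)', 'min server memory (MB)', 'show advanced options');

DECLARE @total_mb   bigint = (SELECT total_physical_memory_kb / 1024 FROM sys.dm_os_sys_memory);
DECLARE @max_mb     bigint = (SELECT CAST(value_in_use AS bigint) FROM sys.configurations
                              WHERE name = 'max server memory (MB)');
DECLARE @reserve_mb bigint = 4096;   -- assumed headroom for the OS and the FIM services

-- The default limit (2147483647 MB) is effectively unlimited and is reported here
-- as leaving no headroom at all.
SELECT @total_mb AS physical_memory_mb,
       @max_mb   AS max_server_memory_mb,
       CASE WHEN @max_mb > @total_mb - @reserve_mb
            THEN 'max server memory leaves less than the reserved headroom; lower it'
            ELSE 'OK'
       END AS assessment;
```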
Configure synchronization rule provisioning
This section explains how to configure the FIM Synchronization Service to support declarative provisioning and the use of synchronization rules in FIM. First, you have to turn on synchronization rule processing in the Synchronization Service Manager.
To perform this procedure, you must be a member of the FIMSyncAdmins role for the FIM Synchronization Service.
To turn on synchronization rule provisioning
Open the Synchronization Service Manager.
On the Tools menu, click Options.
Select Enable Synchronization Rule Provisioning.
To close the Options dialog box, click OK.
Active Directory–to–FIM 2010 Initial Data Load
One basic requirement of an identity management system is the ability to import and process identity data from an external system. One of the first steps in your deployment is to import and process existing users, and possibly groups, from Active Directory or AD DS into FIM 2010. Before you do this, you should have completed the System Data Flow design to establish the relationships between the connected systems and the required data flows. This is a one-time operation; it is not a continuous synchronization.
For details about setting up the synchronization of user data from Active Directory to FIM, see How Do I Synchronize Users from Active Directory Domain Services to FIM. Before you perform the procedures in this guide, complete the following steps to optimize your system for the initial, one-time configuration. The settings described here are temporary. You should set them only for the initial load of the data into the system.
Step 1: Configure SQL Server for the initial data load
When you load a lot of data, you can shorten the time it takes to populate the database by temporarily turning off the full text search. You can enable it again after the export on the FIM Management Agent is complete. Complete the following steps to temporarily turn off full text search:
To configure SQL Server for the initial data load
Start SQL Enterprise Manager.
Select New Query.
Run the following SQL statements:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = MANUAL
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = MANUAL
It is important to understand the disk requirements in the SQL Server recovery model. Depending on your backup schedule, you may consider using simple recovery mode during initial system load to limit disk space usage. However, you should be aware of the implications regarding potential data loss. When you use full recovery mode, you must manage disk use through backups, including frequent backups of the transaction log to prevent high disk space use.
Not implementing these procedures can result in high disk space use, possibly resulting in running out of disk space. For more information, see Recovery Model Overview (http://go.microsoft.com/fwlink/?LinkID=185370). The FIM 2010 Backup and Restore Guide contains additional information.
Step 2: Apply minimum necessary FIM configuration during the load process
During the initial load process, apply only the minimum configuration required to your FIM configuration in terms of MPRs and set definitions. After the data is loaded, create the additional sets required for your deployment. Use the run-on policy update setting on action workflows to apply those policies retroactively to the loaded data.
Step 3: Configure and populate the FIM Service with external identity data
At this point, you should follow the procedures in How Do I Synchronize Users from Active Directory Domain Services to FIM to configure and synchronize your system with users from Active Directory or AD DS. To synchronize Group information, see How Do I Synchronize Groups from Active Directory Domain Services to FIM.
Step 4: Apply your full FIM configuration
When your initial data load is complete, you are ready to apply the full FIM configuration for your deployment. Depending on your scenarios, this may include the creation of additional sets, MPRs, and workflows. For any policies that you need to apply retroactively to all existing objects in the system, use the run-on policy update setting on action workflows to apply those policies retroactively on the loaded data.
Step 5: Reconfigure SQL Server to previous settings
Remember to change the SQL Server settings to the normal settings, including the following:
Turning on full text search
Updates to your backup policy in accordance with your organization policies
When you complete the initial data load, turn on full text search again. Run the following Structured Query Language (SQL) statements to turn on full text search again:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = AUTO
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = AUTO
If you switched to simple recovery mode, ensure that you reconfigure your backup schedule in accordance with your organization's backup policy. Additional details of FIM backup schedules are available in the FIM 2010 Backup and Restore Guide.
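The following T-SQL is an added example, not part of the guide, that serves both Step 1 and Step 5: it reports the change-tracking state of the two FIM Service full-text indexes, the number of changes tracked but not yet applied, and the population status of their catalog, so you can confirm the indexes are in MANUAL mode before the load and back in AUTO mode afterwards. It assumes the database is named FIMService and uses the table names the guide gives.

```sql
-- Added example (not from the guide): verify full-text change tracking on the
-- fim.ObjectValueString and fim.ObjectValueXml indexes before and after the load.
-- Database name FIMService is an assumption.
USE FIMService;
GO

-- Expected during the load: change_tracking_state_desc = MANUAL and pending_changes
-- climbing as rows are exported. Expected in normal operation: AUTO with 0 pending.
SELECT OBJECT_SCHEMA_NAME(fi.object_id) + '.' + OBJECT_NAME(fi.object_id) AS table_name,
       fi.is_enabled,
       fi.change_tracking_state_desc,
       OBJECTPROPERTYEX(fi.object_id, 'TableFulltextPendingChanges') AS pending_changes,
       c.name AS catalog_name,
       FULLTEXTCATALOGPROPERTY(c.name, 'PopulateStatus') AS populate_status  -- 0 = idle
FROM sys.fulltext_indexes AS fi
JOIN sys.fulltext_catalogs AS c ON c.fulltext_catalog_id = fi.fulltext_catalog_id
WHERE fi.object_id IN (OBJECT_ID('fim.ObjectValueString'), OBJECT_ID('fim.ObjectValueXml'));

-- Step 5, optional: while the indexes are still MANUAL, apply the changes tracked
-- during the load in a window of your choosing, then restore automatic propagation.
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] START UPDATE POPULATION;
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml]    START UPDATE POPULATION;

ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = AUTO;
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml]    SET CHANGE_TRACKING = AUTO;

-- Re-run the SELECT above: both rows should now show AUTO, and pending_changes
-- should fall to 0 once the population finishes (populate_status returns to 0).
```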
Configuring General MPRs
If you plan to allow nonadministrator users to have access to the portal and the ability to view other users’ basic information, enable this configuration in the FIM Service. You do this by configuring existing MPRs in the system.
Configure the MPRs in the following table.
General: Users can read non-administrative configuration resources
User management: Users can read attributes of their own
To enable required MPRs
To open the FIM Portal, start Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.
You may need to substitute the URL you have configured for your FIM Portal.
On the FIM Portal home page, click Management Policy Rules in the navigation bar to open the Management Policy Rules page.
In the Search for text box, type the display name of each of the MPRs from the previous table, and then click the Search for button.
For each MPR that is listed as disabled, do the following:
To open the configuration dialog box, click the Display Name of the disabled MPR.
Clear the Policy is disabled check box, and then click OK.
On the Summary page, click Submit.
You may plan to allow users to view the basic attributes of other users, for example, to be able to search and view information of users before adding them to distribution groups. If so, you should also configure the MPR in the following table using the previous procedure.
User management: Users can read selected attributes of other users
You may need to customize the list of attributes in this MPR based on your organizational policy and needs.
You may need to set further MPR configuration based on your scenarios. See the Documentation Roadmap for additional details in the suggested topics.
Enable WCF Performance Counters
FIM 2010 uses WCF performance counters to monitor service use. Monitoring service use with WCF performance counters is an optional step to enable when you are diagnosing performance problems. It is not necessary to leave performance counters enabled for normal operations. To enable and configure WCF performance counters, see WCF Performance Counters (http://go.microsoft.com/fwlink/?LinkId=164848).
We recommend that you configure ServiceOnly WCF performance counters. However, to see Endpoint and Operation instances, it is necessary to configure all WCF performance counters.
The procedures in this guide are common configuration steps to complete after the installation of FIM 2010. You will have to perform additional configuration, depending on the types of scenarios that you plan to implement in your deployment. For example, if you plan to deploy password reset capabilities, you should continue your configuration based on the recommendations in Password Reset Deployment Guide. See the Documentation Roadmap for additional details in suggested topics.