Note: this post applies to the RTM version of FIM 2010.
I’m starting a new series of posts today showing how to build an identity management environment with FIM 2010. A lot of the concepts are covered in the Getting Started documentation, which you should of course read, however I think it’s often useful to see the same information presented in a couple of different ways – here with pictures!
To kick things off, let's start at the beginning: Installation.
When you first run the FIM setup program, you will see a screen with a number of different components to install. For an initial identity management installation you will want to install the Synchronization Service and the Service and Portal.
Following are the major requirements for these components. For a full list see Technet: Hardware and Software Requirements.
- Synchronization Service
  - Windows Server 2008/2008 R2 Standard x64
  - SQL Server 2008 SP1 Database Engine
- Service and Portal (which includes Workflows, Codeless Sync Rules and Password Reset)
If you’re just planning a test environment then the simplest thing is to install everything on the one server. I wouldn’t do it with anything less than 4GB of RAM, though 8GB is better. I have run FIM 2010 on virtual machines, both ESX and Hyper-V.
The Preinstallation and Topology Configuration document will give you more information if you want to install some components on different servers, or use load-balancing or redundancy features.
In this example I’m going to show you how to install the Sync Service and the Portal on a single server. For detailed instructions see the official documentation.
The server is called “FIM”, has 4GB of RAM and is a member of the domain “mydomain.local” which also includes an Exchange 2007 server. I’ve installed the following:
- Windows 2008 Standard x64
- SQL 2008 SP1
- WSS 3.0 (and I’ve run the SharePoint Products and Technologies Configuration Wizard from the Administrative Tools menu)
- Exchange 2007 management tools
First, create the service accounts in the domain. All accounts are regular users in the domain, and on the FIM server.
Install the Sync Service
Now we’re ready to start installing. From the setup splash screen click Install Synchronization Service.
I’ve skipped the initial screens, which are click-Next types. The first one you have to think about is specifying your SQL server. Sometimes you’ll get an error here about the SQL server not being found. This is usually either because your SQL server is the wrong version (minimum 2008 SP1) or because you haven’t properly specified the named instance.
Specify the service account you created for the Sync Service.
The installation creates these local groups for you. It will be easier to move the Sync Service to another server later if you use domain groups instead. To do this, create the equivalent domain groups yourself, and then specify them here in the format “domain\group”.
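The two preparation steps above (creating the service accounts, and creating domain equivalents of the Sync Service groups so they can be typed in as “domain\group”) can be scripted. The following is an added example and not part of the original post: it uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT), and the OU paths, account names and domain group names are assumptions for this example. The five local group names are the ones the Sync Service setup creates; the domain-side groups here simply reuse them.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and that the two OUs below already exist; names are an assumed convention.
Import-Module ActiveDirectory

$domainDns = 'mydomain.local'                              # domain from the post
$serviceOu = 'OU=Service Accounts,DC=mydomain,DC=local'    # assumed OU for service accounts
$groupOu   = 'OU=Groups,DC=mydomain,DC=local'              # assumed OU for groups

# One account per role the setup wizards ask for. Only the FIM Service account
# needs to be mail-enabled (do that in Exchange before running Service setup).
$accounts = @(
    @{ Name = 'svc-fimsync'; Description = 'FIM 2010 Synchronization Service' },
    @{ Name = 'svc-fimsvc';  Description = 'FIM 2010 Service (mail-enabled)' },
    @{ Name = 'svc-fimma';   Description = 'FIM 2010 Management Agent' },
    @{ Name = 'fimadmin';    Description = 'FIM 2010 installing account / built-in Portal administrator' }
)

foreach ($acct in $accounts) {
    # Prompt for each password so none are stored in the script or in shell history
    $password = Read-Host -AsSecureString "Password for $($acct.Name)"
    New-ADUser -Name $acct.Name `
        -SamAccountName $acct.Name `
        -UserPrincipalName "$($acct.Name)@$domainDns" `
        -Description $acct.Description `
        -Path $serviceOu `
        -AccountPassword $password `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true
}

# Domain groups mirroring the local groups Sync Service setup would otherwise create.
# Enter them on the setup screen as "mydomain\<group>" so membership survives a
# later move of the Sync Service to another server.
$syncGroups = @{
    'FIMSyncAdmins'      = 'Full administration of the Synchronization Service'
    'FIMSyncOperators'   = 'Run management agents and view run history'
    'FIMSyncJoiners'     = 'Perform joins and projections in Joiner view'
    'FIMSyncBrowse'      = 'Read-only access to the connector space and metaverse'
    'FIMSyncPasswordSet' = 'Password set/change through the WMI interface'
}
foreach ($g in $syncGroups.GetEnumerator()) {
    New-ADGroup -Name $g.Key -GroupScope Global -GroupCategory Security `
        -Path $groupOu -Description $g.Value
}

# Membership in FIMSyncAdmins is what lets an account open Synchronization Service
# Manager; give it to the installing account and keep every other group empty until
# a concrete need for that role comes up.
Add-ADGroupMember -Identity 'FIMSyncAdmins' -Members 'fimadmin'
```

Run it once as a domain account that can create objects in both OUs, before starting either setup wizard, and keep the service accounts out of Domain Admins: nothing in either installation needs that.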
If you have the Windows Firewall enabled then you will need to tick this option.
You will now be prompted to save the keyset for the database. This is needed if you want to transfer the database to another server (it doesn’t actually encrypt the database). You should save it somewhere you can find it again, though if the FIM server is available you can export the keyset again at any time using miiskmu.exe (found in the Microsoft Forefront Identity Manager\2010\Synchronization Service\bin folder). The Sync Service should then install.
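“Somewhere you can find it again” should also be somewhere not everyone can read, since the keyset file is what a database move depends on. The script below is an added example, not from the original post: it copies the saved keyset file to a restricted folder, strips inherited permissions so only Administrators and SYSTEM can read it, and records a SHA-256 hash so a copy restored later can be checked. Both paths are assumptions; the source file is whatever you saved from the wizard or exported with miiskmu.exe.

```powershell
# Added example (not from the original post). Paths are assumptions.
param(
    [string]$KeysetFile = 'C:\Temp\FIMSync-keyset.bin',   # file saved by setup or miiskmu.exe
    [string]$VaultPath  = 'C:\FIMKeys'                    # assumed restricted folder
)

if (-not (Test-Path $KeysetFile)) { throw "Keyset file not found: $KeysetFile" }
if (-not (Test-Path $VaultPath))  { [void](New-Item -ItemType Directory -Path $VaultPath) }

# Copy with a dated name so a re-export after a key change does not silently overwrite the old one
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path $VaultPath ("FIMSync-keyset-$stamp.bin")
Copy-Item -Path $KeysetFile -Destination $dest

# Replace inherited ACEs with an explicit Administrators + SYSTEM full-control ACL
$acl = Get-Acl $dest
$acl.SetAccessRuleProtection($true, $false)   # $true = stop inheriting, $false = do not copy inherited ACEs
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dest -AclObject $acl

# SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there)
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($dest)
try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $stream.Close() }

# Hash record sits beside the key; compare against it before trusting a restored copy
"$hash  $(Split-Path $dest -Leaf)" | Out-File -FilePath "$dest.sha256" -Encoding ASCII

# Remove the working copy so the only copy is the protected one
Remove-Item $KeysetFile
Write-Host "Keyset stored at $dest (SHA-256 $hash)"
```

When you later restore the keyset on a replacement server, recompute the hash of the file you are about to import and compare it with the `.sha256` record before using it.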
Install the FIM Service and Portal
Now go back to the splash screen and choose Install Service and Portal. You need to be a bit careful about the account you use for this part, as it will become the built-in Administrator account in the Portal. One idea is to create a “FIM Administrator” account in the domain, make it a local and SQL administrator, and install using that. Click through the first screens. Typically you would just leave these as the default settings, unless you were doing an installation split across different servers.
Enter the name of the SQL Server and “FIMService” for the database name. I’m just using the local server here, and this screen pre-configures itself with the NetBIOS name of the server rather than “localhost”, so I just leave it that way. If you were using a remote SQL server you would enter the FQDN, or FQDN\NamedInstance.
Enter the name of your email server. Ideally this will be a self-hosted Exchange 2007/2010 server, though you can also use a non-Exchange server or MSOnline.
It should be fine to use the default here. The certificate is used for internal, and not client, communications.
Now specify the (mail-enabled) account you created for the FIM Service.
Next you specify the account you created for the FIM Management Agent.
Here I’m just using the server name again, but in a production environment I’d probably be specifying some sort of publicly acceptable CNAME, like “identity.mydomain.local”. You can change it later or add extra names, though you have to be careful with the Kerberos stuff.
With the FIM Service running on the WSS server you just reference localhost.
You need to select the first option if you have Windows Firewall enabled. And you definitely need options two and three; otherwise you’ll just be configuring them manually later.
The installation should now complete. To check that it’s working, browse to http://fimserver/identitymanagement.
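Browsing to the portal proves the last step worked; a few more checks tell you which earlier step failed if it did not. The script below is an added example, not from the original post: it confirms both FIM Windows services are running, that both databases exist on the local default SQL instance, that the FIM Service endpoint port answers, and that the portal returns a page to the current (Kerberos-authenticated) user. The server name follows the post; the service names, the `FIMSynchronizationService` database name and the FIM Service port 5725 are the product defaults, and the script must be run on the FIM server as an account that can read `master`.

```powershell
# Added example (not from the original post): post-install sanity checks for a
# single-server FIM 2010 installation. Server name from the post; other values are defaults.
$server    = 'FIM'
$portalUrl = "http://$server/identitymanagement/"
$results   = @()

function Add-Result([string]$check, [bool]$ok) {
    $script:results += New-Object PSObject -Property @{ Check = $check; Ok = $ok }
}

# 1. Windows services present and running
foreach ($svc in 'FIMSynchronizationService', 'FIMService') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Result "Service $svc running" ($s -ne $null -and $s.Status -eq 'Running')
}

# 2. Databases exist on the local default instance (use "$server\Instance" for a named one)
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$server;Database=master;Integrated Security=SSPI")
try {
    $conn.Open()
    foreach ($db in 'FIMSynchronizationService', 'FIMService') {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.databases WHERE name = @n'
        [void]$cmd.Parameters.AddWithValue('@n', $db)
        Add-Result "Database $db exists" ([int]$cmd.ExecuteScalar() -eq 1)
    }
} catch {
    Add-Result "SQL connection to $server" $false
} finally {
    $conn.Close()
}

# 3. FIM Service endpoint port reachable (what the firewall option on the last screen opens)
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($server, 5725); Add-Result 'FIM Service port 5725 open' $tcp.Connected }
catch { Add-Result 'FIM Service port 5725 open' $false }
finally { $tcp.Close() }

# 4. Portal answers for the current user (WebClient is available on PowerShell 2.0)
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true     # integrated Windows auth, as a browser on the server would use
try   { [void]$wc.DownloadString($portalUrl); Add-Result "Portal $portalUrl reachable" $true }
catch { Add-Result "Portal $portalUrl reachable ($($_.Exception.Message))" $false }

$results | Format-Table Check, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

A failed database check with running services usually points back at the SQL server screen of the relevant wizard; a failed portal check with everything else passing is normally the WSS side (the site name chosen on the Portal screen or the Kerberos names noted earlier).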