{"id":717,"date":"2010-04-21T18:04:51","date_gmt":"2010-04-21T18:04:51","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=717"},"modified":"2022-10-31T03:07:21","modified_gmt":"2022-10-31T03:07:21","slug":"fim-walkthroughs-planning-and-installation","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/fim-walkthroughs-planning-and-installation","title":{"rendered":"FIM Walkthroughs &#8211; Planning and Installation"},"content":{"rendered":"<blockquote><p>Note: this post applies to the RTM version of FIM 2010.<\/p><\/blockquote>\n<p>I&#8217;m starting a new series of posts today showing how to build an identity management environment with FIM 2010. A lot of the concepts are covered in the <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/ee621259(WS.10).aspx\">Getting Started<\/a> documentation, which you should of course read; however, I think it&#8217;s often useful to see the same information presented in a couple of different ways &#8211; here with pictures!<\/p>\n<p>To kick things off, we start at the beginning &#8211; Installation.<!--more--><\/p>\n<h1>Planning<\/h1>\n<h3>FIM Components<\/h3>\n<p>When you first run the FIM setup program, you will see a screen with a number of different components to install. For an initial identity management installation you will want to install the <strong>Synchronization Service<\/strong> and the <strong>Service and Portal<\/strong>.<\/p>\n<p>Following are the major requirements for these components. 
For a full list see TechNet: <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/ff512684(WS.10).aspx\" target=\"_blank\" rel=\"noopener noreferrer\">Hardware and Software Requirements<\/a>.<\/p>\n<ol>\n<li>Synchronization Service\n<ul>\n<li>Windows Server 2008\/2008 R2 Standard x64<\/li>\n<li>SQL Server 2008 SP1\n<ul>\n<li>Database Engine<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Service and Portal (which includes Workflows, Codeless Sync Rules and Password Reset)\n<ul>\n<li>Windows Server 2008\/2008 R2 Standard x64<\/li>\n<li>SQL Server 2008 SP1\n<ul>\n<li>Database Engine<\/li>\n<li>Full-text Indexing<\/li>\n<\/ul>\n<\/li>\n<li>Windows SharePoint Services 3.0<\/li>\n<li>Exchange 2007\/2010 (see <a href=\"http:\/\/www.identitychaos.com\/2010\/03\/fim-2010-email-notifications-without.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+idchaos+%28identity+chaos%29\">Brad Turner&#8217;s post<\/a> on the subject if you don&#8217;t have Exchange, or <a href=\"https:\/\/www.wapshere.com\/missmiis\/using-a-bpos-service-account-with-fim\">mine<\/a> if you have BPOS.)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h3>Servers<\/h3>\n<p>If you&#8217;re just planning a test environment then the simplest thing is to install everything on the one server. I wouldn&#8217;t do it with any less than <strong>4GB of RAM<\/strong>, though 8GB is better. I have run FIM 2010 on virtual machines, both ESX and Hyper-V.<\/p>\n<p>The <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/ff602886(WS.10).aspx\">Preinstallation and Topology Configuration<\/a> document will give you more information if you want to install some components on different servers, or use load-balancing or redundancy features.<\/p>\n<h1>Installation<\/h1>\n<p>In this example I&#8217;m going to show you how to install the Sync Service and the Portal on a single server. 
For detailed instructions see the <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/ff512686(WS.10).aspx\">official documentation<\/a>.<\/p>\n<h3>Server Config<\/h3>\n<p>The server is called &#8220;FIM&#8221;, has 4GB of RAM and is a member of the domain &#8220;mydomain.local&#8221;, which also includes an Exchange 2007 server. I&#8217;ve installed the following:<\/p>\n<ul>\n<li>Windows 2008 Standard x64<\/li>\n<li>SQL 2008 SP1<\/li>\n<li>WSS 3.0 (and I&#8217;ve run the SharePoint Products and Technologies Configuration Wizard from the Administrative Tools menu)<\/li>\n<li>Exchange 2007 management tools<\/li>\n<\/ul>\n<h3>Service Accounts<\/h3>\n<table border=\"1\">\n<tbody>\n<tr>\n<td><p>First, create the service accounts in the domain. All accounts are regular users in the domain, and on the FIM server.<\/p>\n<ol>\n<li>Account for the FIM Service\n<ul>\n<li>Mail-enabled<\/li>\n<\/ul>\n<\/li>\n<li>Account for the Sync Service<\/li>\n<li>Account for the FIM Management Agent, which will connect the Sync Service to the Portal.<\/li>\n<\/ol>\n<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2001%20service%20accounts.jpg\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Install the Sync Service<\/h3>\n<table border=\"1\">\n<tbody>\n<tr>\n<td>Now we&#8217;re ready to start installing. From the setup splash screen click <strong>Install Synchronization Service<\/strong>.<\/td>\n<td width=\"400\"><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2002%20splash.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>I&#8217;ve skipped the initial screens, which are click-Next types. The first one you have to think about is specifying your SQL server. Sometimes you&#8217;ll get an error here about the SQL server not being found. 
This is usually either because your SQL server is the wrong version (minimum 2008 SP1) or because you haven&#8217;t properly specified the named instance.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2003%20sql.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>Specify the service account you created for the Sync Service.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2004%20svc%20account.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>The installation creates these local groups for you. It will make it easier to move the Sync Service to another server if you use domain groups. To do this, create the equivalent domain groups yourself, and then specify them here in the format &#8220;domain\\group&#8221;.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2005%20groups.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>If you have the Windows Firewall enabled then you will need to tick this option.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2006%20fw.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>You will now be prompted to save the keyset for the database. This is needed if you want to transfer the database to another server (it doesn&#8217;t actually encrypt the database). You should save it somewhere you can find it again, though if the FIM server is available you can export the keyset again any time using miiskmu.exe. 
(Found in the Microsoft Forefront Identity Manager\/2010\/Synchronization Service\/bin folder.) The Sync Service should then install.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2007%20keyset.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Install the FIM Service and Portal<\/h3>\n<table border=\"1\">\n<tbody>\n<tr>\n<td>Now go back to the splash screen and choose <strong>Install Service and Portal<\/strong>. You need to be a bit careful about the account you use to do this part with, as it will become the built-in Administrator account in the Portal. One idea is to create a &#8220;FIM Administrator&#8221; account in the domain, make it a local and SQL administrator, and install using that. Click through the first screens. Typically you would just leave this as default settings, unless you were doing an installation split across different servers.<\/td>\n<td width=\"400\"><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2009%20service%20and%20portal.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>Enter the name of the SQL Server and &#8220;FIMService&#8221; for the database name. Now I&#8217;m just using the local server here, and this screen pre-configures itself with the NetBIOS name of the server rather than &#8220;localhost&#8221;, so I just leave it that way. 
If you were using a remote SQL server you would enter the FQDN, or FQDN\/NamedInstance.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2010%20sql.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>Enter the name of your email server. Ideally this will be a self-hosted Exchange 2007\/2010 server, though you can also use <a href=\"http:\/\/www.identitychaos.com\/2010\/03\/fim-2010-email-notifications-without.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+idchaos+%28identity+chaos%29\">non-Exchange<\/a> or <a href=\"https:\/\/www.wapshere.com\/missmiis\/using-a-bpos-service-account-with-fim\">MSOnline<\/a>.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2011%20exchange.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>It should be fine to use the default here. The certificate is used for internal, and not client, communications.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2012%20cert.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>Now specify the (mail-enabled) account you created for the FIM Service.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2013%20svc%20account.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>Next you specify the account you created for the FIM Management Agent.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2014%20ma%20account.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>Here I&#8217;m just using the server name again, but in a production environment I&#8217;d probably be specifying some sort of publicly acceptable CNAME, like &#8220;identity.mydomain.local&#8221;. 
You can change it later or add extra names, though you have to be careful with the Kerberos stuff.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2015%20server.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>With the FIM Service running on the WSS server you just reference localhost.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2016%20sharepoint.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>You need to select the first option if you have Windows Firewall enabled. And you definitely need options two and three, otherwise you&#8217;ll just be configuring it manually later.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2017%20sharepoint%20access.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<tr>\n<td>The installation should now complete. To check that it&#8217;s working browse <a href=\"http:\/\/fimserver\/identitymanagement\">http:\/\/<em>fimserver<\/em>\/identitymanagement<\/a>.<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.wapshere.com\/images\/install\/install%2018%20portal.jpg\" alt=\"\" width=\"400\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Note: this post applies to the RTM version of FIM 2010. I&#8217;m starting a new series of posts today showing how to build an identity management environment with FIM 2010. 
A lot of the concepts are covered in the Getting Started documentation, which you should of course read, however I think it&#8217;s often useful to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":[]},"categories":[42,19],"tags":[],"class_list":["post-717","post","type-post","status-publish","format-standard","hentry","category-fim-2010","category-newbie"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-bz","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=717"}],"version-history":[{"count":47,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/717\/revisions"}],"predecessor-version":[{"id":3312,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/717\/revisions\/3312"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/tags?post=717"}],"curies":[{"name":"wp"
,"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}