Forefront Identity Manager 2010 R2 Export Performance Guide

This document introduces performance improvements in the Microsoft® Forefront® Identity Manager (FIM) 2010 R2 designed to speed FIM Management Agent (MA) Export. Specifically, the FIM MA export is now configured by default to use an asynchronous, batch-request evaluation mode for requests created by the FIM Synchronization engine account.

A full copy of this document is available for offline viewing here.

Note

Batch-request evaluation capability is only available for requests originating from the FIM MA; all other requests will continue to run through the regular process.

Internal testing has shown that export runs with clean data saw up to a 10X improvement in performance (run execution time).

Note

The presence and distribution of “bad data” (adds/updates that FIM rejects on the basis of schema validation, duplicated account names, etc…) within your exported data set (FIM MA Connector Space pending exports) will have a pronounced impact on the performance gains that you realize in your testing. See Addressing Bad Data and Tuning FIM MA Export Settings.

What This Document Covers

This document provides guidance for evaluating the performance of the re-designed FIM Export as well as an overview of new settings. It should be used in conjunction with existing documentation containing detailed procedures.

Prerequisite Knowledge

This document assumes that you have a basic understanding of Active Directory® Domain Services (AD DS), Microsoft SQL Server® 2008 database software, Windows® SharePoint® Services 3.0, and Microsoft Exchange Server 2007 or 2010. This document assumes that you have a working installation of FIM 2010 R2.

Audience

This document is intended for systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who wish to evaluate or deploy FIM 2010 R2.

Scenario Description

This scenario explains how to complete the initial system load from AD DS into FIM, utilizing the improved performance capabilities provided by the new implementation of the FIM MA Export.

The Testing Environment

The walkthrough is designed for you to gauge the time it takes to build your own unique environment using FIM 2010 R2.

Configuration Options

In order to obtain the performance improvements, you do not need to make any changes to the default configuration. However, there are a number of options that can be adjusted to further affect the performance of Export based on your configuration and data. The configuration options, together with other FIM MA configuration settings, are specified in the synchronization engine configuration file miiserver.exe.config, which is located in <FIMInstallDirectory>\2010\Synchronization Service\Bin.

Warning

You must stop and re-start the Synchronization Service for any of the setting changes to take effect.

The available settings are:

| Section | Property | Default Value | Notes |
|---|---|---|---|
| resourceManagementService | externalHostName | Defined at Setup | The external host name of your FIM Service instance or farm, or alternatively it can be set to localhost. Note: This setting must be set if you wish to change the two previous settings. |
| resourceSynchronizationClient | asynchronous | True | Changing this value to false will return the FIM MA to the FIM 2010 RTM default behavior of synchronous export. If you encounter an export error that cannot be resolved, you can try switching to this mode as a last resort. If this option is set to false, the remaining settings, if set, are ignored. |
| resourceSynchronizationClient | aggregate | True | This setting determines whether the FIM MA leverages batched, or aggregated, requests. |
| resourceSynchronizationClient | aggregationThreshold | 1000 | This setting determines the size of the aggregated batches. The value is the number of attributes (not resources) that are included in a batch. |
| resourceSynchronizationClient | gateAsynchronousExportsOnAcknowledgements | false | This setting determines whether or not the code will hold issuing exports once a threshold (see next setting) is reached, if responses for previously issued exports are not received. |
| resourceSynchronizationClient | exportRequestsInProcessMaximum | 50 | This setting only applies if the previous setting is set to true. This governs the maximum number of exports that will be issued prior to receiving a response to the already issued exports. |
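The settings listed above interact: asynchronous=false makes the rest inert, and exportRequestsInProcessMaximum only matters when gating is enabled. The following PowerShell sketch is an added example, not part of the original guide or of any Microsoft tooling, that resolves the effective export behavior from a config file. The function name, the sample XML, and the layout it assumes (each section is an element under the configuration root with its properties as attributes) are illustrative assumptions.

```powershell
# Constructed sample. ASSUMPTION: each section is an XML element directly under
# <configuration>, with its properties stored as attributes.
$sampleConfig = @'
<configuration>
  <resourceSynchronizationClient asynchronous="true" aggregationThreshold="250"
                                 exportRequestsInProcessMaximum="20" />
</configuration>
'@

# Defaults copied from the settings listed in this guide.
$defaults = @{
    asynchronous                              = 'true'
    aggregate                                 = 'true'
    aggregationThreshold                      = '1000'
    gateAsynchronousExportsOnAcknowledgements = 'false'
    exportRequestsInProcessMaximum            = '50'
}

function Get-EffectiveExportSettings {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][xml]$Config)

    $node = $Config.SelectSingleNode('/configuration/resourceSynchronizationClient')
    $effective = @{}
    $explicit  = @()
    foreach ($name in $defaults.Keys) {
        $attr = if ($null -ne $node) { $node.GetAttribute($name) } else { '' }
        if ($attr) { $explicit += $name; $effective[$name] = $attr }
        else       { $effective[$name] = $defaults[$name] }
    }
    $async = [Convert]::ToBoolean($effective['asynchronous'])
    $batch = [Convert]::ToBoolean($effective['aggregate'])
    $gated = [Convert]::ToBoolean($effective['gateAsynchronousExportsOnAcknowledgements'])

    # Rule 1: asynchronous=false means the remaining settings are ignored.
    # Rule 2: exportRequestsInProcessMaximum applies only when gating is true.
    $ignored = @()
    if (-not $async) {
        $ignored = @($explicit | Where-Object { $_ -ne 'asynchronous' })
    } elseif (-not $gated -and $explicit -contains 'exportRequestsInProcessMaximum') {
        $ignored = @('exportRequestsInProcessMaximum')
    }
    $mode = if (-not $async) { 'synchronous (FIM 2010 RTM behavior)' }
            elseif ($batch)  { 'asynchronous, batched' }
            else             { 'asynchronous, not batched' }

    New-Object PSObject -Property @{
        Mode = $mode; Effective = $effective; SetButIgnored = $ignored
    }
}

Get-EffectiveExportSettings -Config $sampleConfig | Format-List
```

With the constructed sample, exportRequestsInProcessMaximum is reported as set but ignored because gating is left at its default of false. To check a real server, pass `([xml](Get-Content <path to miiserver.exe.config>))` instead of the sample.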

Note

Increased performance for the FIM MA may impact your overall FIM Service performance. The performance improvements included in R2 result in the FIM Service being asked to perform more work concurrently. By default, all FIM Service instances, irrespective of any existing service partitions, will be utilized to process the increased load.

The following settings can be used to isolate and mitigate any negative overall impacts from the change in default behavior. These settings are in a different configuration file than the one specified above. These options are specified in the FIM Service configuration file Microsoft.ResourceManagement.Service.exe.config, which is located in <FIMInstallDirectory>\2010\Service\Bin.

Warning

You must stop and re-start the FIM Service for any of the setting changes to take effect.

| Property | Default Value | Notes |
|---|---|---|
| receiveSynchronizationRequestsEnabled | true | Determines whether this instance of the FIM Service should process export requests. |
| maxSimultaneousSynchronizationRequests | 6 | Determines the number of concurrent synchronization requests being processed. |
| synchronizationDataReadTimeoutInSeconds | 1200 | Read timeout for the synchronization requests |
| synchronizationDataWriteTimeoutInSeconds | 1200 | Write timeout for the synchronization requests |

Evaluation Instructions

The goal of the test procedures is to evaluate the performance of the FIM 2010 R2 build in your environment. If you have a large amount of “bad data” in your dataset you may wish to run your scenario again after cleaning up your data or tuning the export settings.

Note

If you encounter errors during one of your runs, the following information will help you in determining the root cause and will also assist in investigating cases where you did not experience the performance improvement that you anticipated.
  • Management agent run statistics

    In Synchronization Service Manager, click Operations, select the run you wish to export, select Actions, and then click Save to File.

  • Server configuration

    • In Synchronization Service Manager, click File, click Export Server Configuration…, select a target folder, and then click OK.

      Note

      The target folder must be empty.

  • The following Event Logs on the server hosting the Synchronization Service:

    • Application

    • Forefront Identity Manager Management Agent

  • The following Event Logs on the server hosting the FIM Service

    • Application

    • Forefront Identity Manager Service

    • Look for failed requests created by the “Built-In Synchronization” account

    • Failed requests to Create CompositeTypes from the “Built-in Synchronization” account represent failed batch requests

Evaluation Steps:

  1. Configure your system to run FIM 2010 R2.

  2. Perform all necessary steps before running the FIM MA Export. Note: See below for an overview of evaluating “Initial Load”.

  3. Perform FIM-Export using the default mode and record your results.

  4. Review the logs listed above to determine whether or not your export run was affected by the presence of bad data.

  5. Rerun FIM-Export to ensure that no errors are encountered and record your results.

Addressing Bad Data and Tuning FIM MA Export Settings

As noted above, internal performance testing has shown that the presence of bad data in the data set has a pronounced impact on performance. Bad data will result in synchronization errors, which can be viewed within the Synchronization Service Manager. There are several types of known bad data:

| Bad Data | Ways to resolve |
|---|---|
| Duplicate Account | Correct data in the source connected system |
| FIM Schema Violation | Correct data in the source connected system; loosen the FIM Schema validation (regular expressions) as appropriate |

If you’re unable to address your “bad data”, you may choose to reduce the value assigned to the aggregationThreshold configuration option above. Note from its description that this value controls the number of resource attribute values contained within a single batch. Reducing the batch size will decrease the odds that a batch will contain “bad data”; however, if you reduce it too far you will in effect return the FIM MA to asynchronous mode.

Evaluating Initial System Load

This scenario focuses on evaluating performance during an initial system setup. The test should simulate as closely as possible the scale of deployment that your organization would target for FIM deployment.

The following procedures contain a minimal set of steps to perform the initial load of user and groups from AD DS into the FIM installation. If your configuration imports data from other sources, you should use that configuration to simulate your specific requirements.

| Step | Description | Operation |
|---|---|---|
| 1 | Initial setup and configuration of your system including the Management Agent configuration and synchronization rule configuration | Configuration of the Synchronization Engine and FIM Service |
| 2 | Disable outbound provisioning policies that generate EREs | Disable Transition MPRs that are part of an outbound provisioning policy |
| 3 | Import FIM configuration (such as sync rules) | FIM MA Full Import |
| 4 | Synchronize imported resources from FIM | FIM MA Full Sync |
| 5 | Import users and groups from Active Directory | AD FIM Full Import |
| 6 | Synchronize imported users and groups | AD FIM Full Sync |
| 7 | Perform FIM MA Export of users and groups from Active Directory | FIM MA Export |
| 8 | Enable and run outbound provisioning policies that generate EREs. NOTE: FIM R2 now includes support for Filter Based Synchronization Rules. If these meet your requirements then you may not require this step. | FIM use “run on policy update” (ROPU) for T-MPRs that are part of an outbound provisioning policy. |
| 9 | Confirm import on the FIM MA load of users and groups and move ERE resources to the sync engine | FIM MA delta import |
| 10 | Delta sync to apply any provisioning rules into the metaverse | FIM MA delta sync |

Best Practices

While you’re configuring FIM 2010 R2, it’s important to ensure the following:

  • The SQL Server Service Broker is enabled after restoring the database. In the FIMService database, you can enable the SQL Server Service Broker using the following command:
    ALTER DATABASE [FIMService] SET ENABLE_BROKER WITH NO_WAIT
    or use SQL Server Management Studio to set the option Broker Enabled to True.

    Note

    The Service Broker must be enabled after every restore of the FIM database.

  • When loading groups as part of the initial load data, the following MPR must be enabled: Synchronization Account Controls Groups it Synchronizes

  • The workflows in your system match the version of the product. The FIM Service may fail to start workflow activities with the incorrect version number. Specifically, the WorkflowDefinition and ActivityInformationConfiguration resources require the version number to refer precisely to workflow activities in the target environment.

Detailed information describing how to load user and group information from AD DS into FIM is available from the following guides, which include best practices for configuring your initial load process. You should apply these best practices for both your baseline and FIM 2010 R2 evaluation configurations and procedures.