Post-Installation and Configuration Guide

Applies To: Forefront Identity Manager 2010

The Microsoft® Forefront® Identity Manager (FIM) 2010 Post-Installation Configuration Guide provides information and procedures to information technology (IT) professionals regarding common post-installation FIM 2010 configuration steps. Depending on your deployment scenarios, some of the steps in this guide may be optional.

What This Document Covers

This document describes common configuration steps to perform after your installation of FIM 2010 is complete. The steps presented here are one-time configuration steps and procedures to be performed after a successful installation. This document assumes that you have successfully installed the product and followed the procedures in the Installation Guide.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following:

  • Active Directory® Domain Services (AD DS)

  • FIM 2010

  • Microsoft® SQL Server® 2008

  • Windows® SharePoint® Services 3.0

  • Microsoft Exchange Server® 2007 or Exchange Server 2010

This document assumes that you also have a basic understanding of FIM 2010 and its main concepts. While not required, it is highly recommended that you familiarize yourself with the concept of inbound synchronization rules and how they work, as described in Understanding Data Synchronization with External Systems. This guide refers to settings that you used during your installation of FIM 2010. We recommend that you have those settings available before you begin the procedures.

Audience

This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010.

Getting Support

If you have questions regarding the content of this document or if you have general feedback, post a message to the Microsoft Forefront Identity Manager Discussion Forum (https://go.microsoft.com/fwlink/?LinkId=163230).

Configuration Procedures

The configuration procedures in this guide may be optional, depending on your deployment scenarios. In addition to the procedures in this guide, you should also review Best Practices.

This guide provides instructions for the following configurations:

  • Create a Backup Administrator account

  • SQL Server Database configuration

  • Synchronization rule provisioning

  • Active Directory–to–FIM 2010 initial data load

  • Configuration of general management policy rules (MPRs)

  • Configuration of Windows Communication Foundation (WCF) Performance Counters

Create a Backup Administrator account for the FIMService after installation

Members of the FIMService Administrators set have unique permissions that are critical to the operation of your FIM deployment. If you are unable to log on as a member of the Administrators set, the only resolution is to roll back to a previous backup of the system. To mitigate this risk, we recommend that you add other users to the FIM Administrators set as part of your post-installation configuration.

Warning

Deleting or modifying certain default resources within the FIM Portal can disrupt operations or even render the portal inoperable. The following resources should never be deleted from the FIM Portal:

  • Default Administrator in the Administrators Set

  • Administrators Set

  • Default RCDC objects

  • Default MPRs

If one of these resources has been deleted, you will need to restore the FIM database from backup or contact Microsoft Product Support. Additionally, changes to certain attributes of the default RCDC resources cause the RCDC object to be replaced. The FIM Portal references default RCDC resources by their GUID; when a resource is deleted, its GUID is no longer available and the FIM Portal is unable to reference it. The following attributes are affected:

  • DisplayName

  • AppliesToCreate

  • AppliesToEdit

  • AppliesToView

When these attributes are modified, a new GUID is created for the RCDC object. At this point, the FIM Portal is unaware of the RCDC object because it is unaware of the new GUID.

SQL Server Database Configuration

Configuration of SQL Server is critical for optimal system performance. Achieving optimal FIM performance in large-scale deployment scenarios depends on applying best practices for SQL Server. The guidance in this section applies to both the FIM Service Database and the FIM Synchronization Database. We recommend that you apply the following SQL Server best practices:

Presize data and log files

Do not rely on AUTOGROW. Instead, manage the growth of these files manually. You may leave AUTOGROW ON for safety reasons, but you should manage the growth of the data files proactively. You can find sample sizes for the FIM database in the FIM Capacity Planning Guide.

To presize data and log files

  1. Start SQL Server Enterprise Manager.

  2. Right-click the database FIMService, and then click Properties.

  3. On the Files page, expand the database files to the required size.

Isolate log files from data files

Follow SQL Server best practices for placing the transaction log files and the data files of the databases on separate physical disks.

Create additional tempdb files

For optimal performance, we recommend that you create one data file per CPU core in tempdb. As with the log and data files, you should also adequately presize your tempdb files and leave AUTOGROW ON only as a safety measure.

To create additional tempdb files

  1. Start SQL Server Enterprise Manager.

  2. Navigate to the database tempdb in System Databases, right-click tempdb, and then click Properties.

  3. On the Files page, create one data file per CPU core. Make sure that you separate the tempdb Data and Log files on different drives and spindles.
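The same result can be scripted instead of clicked through in the Files page. The following T-SQL is an added example and is not part of the original guide: it reads the server's core count, presizes the tempdb data files that already exist, and adds files until there is one per core. The path T:\tempdb\ and the 4 GB per-file size are placeholders for your own tempdb data drive, which should not be the drive that holds the tempdb log.

```sql
-- Added example (not from the FIM guide): one tempdb data file per CPU core,
-- presized, with AUTOGROW left on only as a safety net.
-- Placeholders: adjust @path (tempdb data drive) and @sizeMB to your hardware.
DECLARE @path   nvarchar(260) = N'T:\tempdb\';   -- placeholder: tempdb data drive
DECLARE @sizeMB int           = 4096;            -- placeholder: presize per file
DECLARE @cores  int = (SELECT cpu_count FROM sys.dm_os_sys_info);
DECLARE @existing int = (SELECT COUNT(*) FROM tempdb.sys.database_files
                         WHERE type_desc = N'ROWS');
DECLARE @i    int = @existing + 1;
DECLARE @name nvarchar(128);
DECLARE @sql  nvarchar(max) = N'';

-- Presize the existing data files so that all files end up the same size
-- (proportional fill only works well when the files are equally sized).
-- sys.database_files.size is in 8 KB pages.
SELECT @sql += N'ALTER DATABASE tempdb MODIFY FILE (NAME = N''' + name
            + N''', SIZE = ' + CAST(@sizeMB AS nvarchar(10))
            + N'MB, FILEGROWTH = 512MB);' + CHAR(10)
FROM tempdb.sys.database_files
WHERE type_desc = N'ROWS' AND size * 8 / 1024 < @sizeMB;

-- Add files until the data file count matches the core count.
-- Assumes the logical names tempdev<n> are not already in use.
WHILE @i <= @cores
BEGIN
    SET @name = N'tempdev' + CAST(@i AS nvarchar(10));
    SET @sql += N'ALTER DATABASE tempdb ADD FILE (NAME = N''' + @name
              + N''', FILENAME = N''' + @path + @name + N'.ndf'''
              + N', SIZE = ' + CAST(@sizeMB AS nvarchar(10))
              + N'MB, FILEGROWTH = 512MB);' + CHAR(10);
    SET @i += 1;
END

PRINT @sql;                      -- review the generated statements first
EXEC sys.sp_executesql @sql;
```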

Ensure adequate space for log files

Make sure that you know your recovery model’s disk requirements. The simple recovery model may be appropriate during initial system load to limit disk space usage, but it exposes you to losing any data changed since the most recent backup. When you use the full recovery model, you have to manage disk use through backups, including frequent backups of the transaction log to prevent high disk space usage. For more information about managing recovery, see Recovery Model Overview (https://go.microsoft.com/fwlink/?LinkID=185370).

Limit SQL Server memory use

Depending on how much memory the computer running SQL Server has, and whether that computer also hosts other services, such as FIMService and FIMSynchronizationService, you might want to restrict the memory consumption of SQL Server. You can use the following procedure to limit SQL Server memory use.

To limit SQL Server memory use

  1. Start SQL Enterprise Manager.

  2. Click New Query.

  3. Run the following query to expose the advanced configuration options:

    USE master
    EXEC sp_configure 'show advanced options', 1
    RECONFIGURE WITH OVERRIDE

    The following example reconfigures SQL Server so that it will not use more than 12 gigabytes (GB) of memory.

    USE master
    EXEC sp_configure 'max server memory (MB)', 12000  -- about 12 GB
    RECONFIGURE WITH OVERRIDE

  4. Verify the setting, and then hide the advanced options again, by running the following queries:

    USE master
    EXEC sp_configure 'max server memory (MB)'  -- verify the setting

    USE master
    EXEC sp_configure 'show advanced options', 0
    RECONFIGURE WITH OVERRIDE


Configure synchronization rule provisioning

This section explains how to configure the FIM Synchronization Service to support declarative provisioning and the use of synchronization rules in FIM. First, you have to turn on synchronization rule processing in the Synchronization Service Manager.

Note

To perform this procedure, you must be a member of the FIMSyncAdmins role for the FIM Synchronization Service.

To turn on synchronization rule provisioning

  1. Open the Synchronization Service Manager.

  2. On the Tools menu, click Options.

  3. Select Enable Synchronization Rule Provisioning.

  4. To close the Options dialog box, click OK.

Active Directory–to–FIM 2010 Initial Data Load

One basic requirement of an identity management system is the ability to import and process identity data from an external system. One of the first steps in your deployment is to import and process existing users, and possibly groups, from Active Directory or AD DS into FIM 2010. Before you do this, you should have completed the System Data Flow design to establish the relationships between the connected systems and the required data flows. This is a one-time operation; it is not a continuous synchronization.

For details about setting up the synchronization of user data from Active Directory to FIM, see How Do I Synchronize Users from Active Directory Domain Services to FIM. Before you perform the procedures in this guide, complete the following steps to optimize your system for the initial, one-time configuration. The settings described here are temporary. You should set them only for the initial load of the data into the system.

Step 1: Configure SQL Server for the initial data load

When you load a lot of data, you can shorten the time it takes to populate the database by temporarily turning off the full text search. You can enable it again after the export on the FIM Management Agent is complete. Complete the following steps to temporarily turn off full text search:

To configure SQL Server for the initial data load

  1. Start SQL Enterprise Manager.

  2. Select New Query.

  3. Run the following SQL statements:

    ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = MANUAL

    ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = MANUAL

It is important to understand the disk requirements in the SQL Server recovery model. Depending on your backup schedule, you may consider using simple recovery mode during initial system load to limit disk space usage. However, you should be aware of the implications regarding potential data loss. When you use full recovery mode, you must manage disk use through backups, including frequent backups of the transaction log to prevent high disk space use.

Important

Not implementing these procedures can result in high disk space use, possibly resulting in running out of disk space. For more information, see Recovery Model Overview (https://go.microsoft.com/fwlink/?LinkID=185370). The FIM 2010 Backup and Restore Guide contains additional information.

Step 2: Apply minimum necessary FIM configuration during the load process

During the initial load process, apply only the minimum FIM configuration required in terms of MPRs and set definitions. After the data is loaded, create the additional sets required for your deployment. Use the run-on policy update setting on action workflows to apply those policies retroactively to the loaded data.

Step 3: Configure and populate the FIM Service with external identity data

At this point, you should follow the procedures in How Do I Synchronize Users from Active Directory Domain Services to FIM to configure and synchronize your system with users from Active Directory or AD DS. To synchronize Group information, see How Do I Synchronize Groups from Active Directory Domain Services to FIM.

Step 4: Apply your full FIM configuration

When your initial data load is complete, you are ready to apply the full FIM configuration for your deployment. Depending on your scenarios, this may include the creation of additional sets, MPRs, and workflows. For any policies that you need to apply retroactively to all existing objects in the system, use the run-on policy update setting on action workflows to apply those policies retroactively on the loaded data.

Step 5: Reconfigure SQL Server to previous settings

Remember to change the SQL Server settings to the normal settings, including the following:

  • Turning on full text search

  • Updates to your backup policy in accordance with your organization policies

When you complete the initial data load, run the following Structured Query Language (SQL) statements to turn on full text search again:

    ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = AUTO

    ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = AUTO

If you have switched to the simple recovery model, ensure that you reconfigure your backup schedule in accordance with your organization’s backup policy. Additional details of FIM backup schedules are available in the FIM 2010 Backup and Restore Guide.
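Before declaring Step 5 complete, it is worth confirming that both temporary settings were actually reverted. The following T-SQL is an added example, not part of the original guide: it reports the change-tracking state of the two FIM full-text indexes and the recovery model of each FIM database together with its most recent transaction log backup. It assumes the default database names FIMService and FIMSynchronizationService; adjust them if your installation used different names.

```sql
-- Added example (not from the FIM guide): verify the initial-load settings are reverted.
-- Assumes default database names FIMService and FIMSynchronizationService.
USE FIMService;

-- 1. Full-text change tracking on the two FIM tables must be back to AUTO.
SELECT OBJECT_SCHEMA_NAME(fti.object_id) + N'.' + OBJECT_NAME(fti.object_id) AS table_name,
       fti.change_tracking_state_desc,
       CASE WHEN fti.change_tracking_state_desc = N'AUTO' THEN N'OK'
            ELSE N'Not AUTO - rerun ALTER FULLTEXT INDEX ... SET CHANGE_TRACKING = AUTO'
       END AS status
FROM sys.fulltext_indexes AS fti
WHERE fti.object_id IN (OBJECT_ID(N'fim.ObjectValueString'),
                        OBJECT_ID(N'fim.ObjectValueXml'));

-- 2. Recovery model: SIMPLE is acceptable only during the load. With FULL, the
--    transaction log must be backed up regularly or it grows until the disk fills.
SELECT d.name,
       d.recovery_model_desc,
       MAX(b.backup_finish_date) AS last_log_backup,
       CASE WHEN d.recovery_model_desc = N'SIMPLE'
                 THEN N'Still SIMPLE - reapply your backup policy'
            WHEN MAX(b.backup_finish_date) IS NULL
                 THEN N'FULL but no log backup yet - schedule log backups'
            ELSE N'OK'
       END AS status
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name
      AND b.type = N'L'              -- L = transaction log backup
WHERE d.name IN (N'FIMService', N'FIMSynchronizationService')
GROUP BY d.name, d.recovery_model_desc;
```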

Configuring General MPRs

If you plan to allow nonadministrator users to access the portal and to view other users’ basic information, enable this in the FIM Service by configuring existing MPRs in the system.

Configure the MPRs in the following table.

Display name

General: Users can read non-administrative configuration resources

User management: Users can read attributes of their own

To enable required MPRs

  1. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

    Note

    You may need to substitute this with the URL you have configured for your FIM portal.

  2. On the FIM Portal home page, click Management Policy Rules in the navigation bar to open the Management Policy Rules page.

  3. In the Search for text box, type the display name of each of the MPRs from the previous table, and then click the Search for button.

  4. For each MPR that is listed as disabled, do the following:

    1. To open the configuration dialog box, click the Display Name of the disabled MPR.

    2. Clear the Policy is disabled check box, and then click OK.

    3. On the Summary page, click Submit.

You may plan to allow users to view the basic attributes of other users, for example, to search for and view information about users before adding them to distribution groups. If so, you should also configure the MPR in the following table using the previous procedure.

Display name

User management: Users can read selected attributes of other users

Note

You may need to customize the list of attributes in this MPR based on your organizational policy and needs.

You may need to set further MPR configuration based on your scenarios. See the Documentation Roadmap for additional details in the suggested topics.

Enable WCF Performance Counters

FIM 2010 uses WCF performance counters to monitor service use. Monitoring service use with WCF performance counters is an optional step to enable when you are diagnosing performance problems. It is not necessary to leave performance counters enabled for normal operations. To enable and configure WCF performance counters, see WCF Performance Counters (https://go.microsoft.com/fwlink/?LinkId=164848).

We recommend that you configure ServiceOnly WCF performance counters. However, to see Endpoint and Operation instances, it is necessary to configure all WCF performance counters.

Summary

The procedures in this guide are common configuration steps to complete after the installation of FIM 2010. You will have to perform additional configuration, depending on the types of scenarios that you plan to implement in your deployment. For example, if you plan to deploy password reset capabilities, you should continue your configuration based on the recommendations in Password Reset Deployment Guide. See the Documentation Roadmap for additional details in suggested topics.