Updated: January 11, 2013
Applies To: Forefront Identity Manager 2010
Microsoft® BHOLD Suite Service Pack 1 (SP1) is a collection of applications that, when used with Microsoft Forefront Identity Manager 2010 R2 SP1 (FIM), adds effective role management, analytics, and attestation to FIM. Microsoft BHOLD Suite SP1 consists of the following modules:
Access Management Connector
BHOLD FIM Integration
BHOLD Model Generator
This document explains how to plan your BHOLD deployment to meet your business needs and install each BHOLD module. For each module, relevant hardware, infrastructure, and software requirements, preinstallation network configuration, information required during setup, and postinstallation steps, if any, are detailed.
This document assumes that you have a basic understanding of how to install software on server computers. It also assumes that you have basic knowledge of Active Directory® Domain Services, Microsoft Forefront Identity Manager 2010 R2 SP1 (FIM), and Microsoft SQL Server 2008 database software. A description of how to set up and configure dependent technologies such as AD DS and FIM is out of the scope of this documentation. For information about the functions that the Microsoft BHOLD modules perform, see Microsoft BHOLD Suite Concepts Guide.
This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy Microsoft BHOLD Suite SP1.
Most often, the BHOLD and FIM are used in a large infrastructure environment. You can tailor your BHOLD and FIM architecture to meet your particular business needs. The following sections provide some possible architectural solutions. This overview is not a comprehensive list of all possible options, but suggests ways you can deploy BHOLD in your network.
This section covers the following topics:
SQL Server recommendations
For deployment in small organizations or for development purposes, you can install BHOLD and FIM on the same server as SQL Server and AD DS, as shown in the following figure.
When BHOLD Suite SP1 and the FIM Portal are installed together on a single server, you must create different host aliases (CNAME or A records) in DNS for BHOLD and for FIM. This allows separate service principal names (SPNs) to be created for the BHOLD and FIM services. For more information, see BHOLD Core Installation.
For guidance on installing FIM in a single-server configuration, see Common Configuration for Getting Started Guides in the Microsoft TechNet Library.
Installing BHOLD Core and FIM on separate servers provides greater performance and flexibility for medium-size organizations that do not require a more complex deployment, such as that provided by multitier architectures. The following figure shows BHOLD and FIM installed on their own servers; the FIM server is also running SQL Server to provide database services to BHOLD and FIM. The FIM Synchronization Service running on the FIM server synchronizes changes between the FIM and BHOLD databases. Note that if end-user self-service is required, the BHOLD FIM Integration module must be installed on the same server as the FIM Service and FIM Portal. The BHOLD FIM Integration module requires that the FIM Service and the BHOLD FIM Integration module are installed on the same server.
The reporting feature of the BHOLD FIM Integration module requires the BHOLD and FIM databases to be installed on the same SQL Server instance, and the BHOLD service account must have access rights to the FIM Service database.
In most environments, especially those where performance is important, you should run the BHOLD Suite SP1, FIM, and SQL Server on separate servers (two-tier architecture). With a two-tier architecture, memory and CPU resources are dedicated for each tier. The following illustration shows one possible way to configure a two-tier architecture. The FIM Synchronization Service running on the FIM server synchronizes changes between the FIM and BHOLD databases. Note that if end-user self-service is required, the BHOLD FIM Integration module must be installed on the same server as the FIM Service and Portal.
If you are deploying BHOLD in a large organization, it is highly recommended that you follow these guidelines for setting up the Microsoft SQL Server database:
Deploy SQL Server on a server separate from any FIM or BHOLD services.
Isolate the log file from the data file at the physical disk level.
If you are using RAID to provide storage redundancy, use RAID level 10 (1+0). Do not use RAID level 5.
Be sure to configure the correct settings when using more than 2 GB of physical memory for the server running SQL Server.
For optimum BHOLD performance, use Microsoft SQL Server 2008 R2.
For more information about SQL Server best practices, see Storage Top 10 Best Practices in the Microsoft TechNet Library.
Windows can be configured to validate certificate chains prior to starting a service. On such systems, a service cannot start if the executable code of the service was signed with a certificate that is not in the trusted certificates list (TCL) of the server. The Microsoft BHOLD Suite SP1 software is code signed using a code signing certificate chain that originates with the Microsoft Root Certificate Authority 2010 certificate.
Windows can be configured to retrieve root certificates from Microsoft over an Internet connection. On a disconnected system, however, Windows Server includes only those certificates that were present in the root program at a time before Windows was released. In releases of Windows Server prior to Windows Server 2010, these certificates will not include the root certificate needed for validating the BHOLD Suite SP1 code signing certificate chain. If you intend to install one or more Microsoft BHOLD Suite SP1 modules on a system that might not have an up-to-date TCL, you must download and install the root-update package, or use Group Policy to install the root-update package, before installing a BHOLD Suite SP1 module. For more information, see Windows root certificate program members.
If you install BHOLD Suite SP1 on Windows Server 2012, the BHOLD web pages will not be available until you modify the applicationHost.config file located in C:\Windows\System32\inetsrv\config. In the
<globalModules> section, add
preCondition="bitness64 to the entry that begins
<add name="SPNativeRequestModule" so that it reads as follows:
<add name="SPNativeRequestModule" image="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\isapi\spnativerequestmodule.dll" preCondition="bitness64"/>
After editing and saving the file, run the
iisreset command to reset the IIS server.
You cannot upgrade an existing BHOLD Suite installation to BHOLD Suite SP1. Instead, you must uninstall an existing BHOLD Suite installation before you can install any BHOLD Suite SP1 modules. If you have an existing BHOLD role model, you can upgrade the BHOLD database and use it when you install the BHOLD Core module of BHOLD Suite SP1. For more information, see Replacing BHOLD Suite with BHOLD Suite SP1.
The following topics describe how to install and configure the BHOLD Suite SP1 modules:
If you are installing both BHOLD Reporting and BHOLD Attestation, you must install BHOLD Reporting before installing BHOLD Attestation.
You cannot use Programs and Features in Control Panel to change or repair the installation of any BHOLD Suite SP1 module.