Considerations for New Installation of FIM 2010 R2

Information technology (IT) professionals can use this Microsoft® Forefront® Identity Manager (FIM) 2010 R2 Deployment Guide to install and maintain FIM 2010 R2. A FIM 2010 R2 deployment has two major groups of components: server-side components and client-side components.

The server-side components are as follows:

  • FIM Synchronization Service

  • FIM Service

  • FIM Portal

  • FIM Certificate Management

  • FIM Reporting

  • FIM Service and Portal Language Packs

  • FIM Password Registration Portal

  • FIM Password Reset Portal

The client-side components are as follows:

  • FIM Add-in for Outlook®

  • FIM Password Reset Extensions

  • FIM Add-ins and Extensions Language Pack

What This Document Covers

This document covers planning considerations, the installation or upgrade of FIM 2010 R2, and several topics that help you maintain a FIM 2010 R2 environment. It includes the steps that you need to deploy FIM 2010 R2 successfully in your environment, and it describes the installation of each of the components and subcomponents that make up a FIM 2010 R2 installation.

Note

For a structured walkthrough of a complete FIM 2010 R2 test environment, see:

  • Test Lab Guide: Installing Microsoft® Forefront® Identity Manager (FIM) 2010 R2

  • Test Lab Guide: Upgrading to Microsoft® Forefront® Identity Manager (FIM) 2010 R2

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following:

  • Installing software on server and client computers.

  • Active Directory® Domain Services (AD DS), Microsoft SQL Server® 2008 or Microsoft SQL Server® 2008 R2 database software, Windows® SharePoint® Services 3.0 or Windows SharePoint Foundation 2010, System Center Management Server, and Microsoft Exchange Server 2007 or 2010.

    A description of how to set up and configure dependent technologies such as AD DS, SQL Server, SharePoint, and Exchange Server is outside the scope of this document.

Audience

This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010 R2.

Topology

FIM 2010 R2 supports a variety of deployment topologies. Each of the main components can be installed either on its own server or combined with other components on a single server. The main components are the following:

  • FIM Service

  • FIM Synchronization Service

  • FIM Portal

  • FIM Password Registration Portal

  • FIM Password Reset Portal

  • FIM Reporting

  • SQL Server 2008 database for the FIM Service

  • SQL Server 2008 database for the FIM Synchronization Service

In addition, the FIM Service and the FIM Portal can be scaled to support multiple servers. For more information, see Overview of Network Load Balancing (https://go.microsoft.com/fwlink/?LinkID=164080) and SharePoint Server Farm Architecture (https://go.microsoft.com/fwlink/?LinkID=129821).

Service Accounts

The following table lists the service accounts and their use with FIM 2010 R2. Before you install FIM 2010 R2, either as a new installation or as an upgrade, create the service accounts required by the server components that you plan to install.

Each entry lists the account, the server component it serves, the recommended additional permissions, the additional group requirements, and the SPN required for constrained delegation.

Account: FIM Synchronization Service Account
Server component: FIM Synchronization Service
Recommended additional permissions:
  • Deny logon as a batch job
  • Deny logon locally
  • Deny access to this computer from the network
Additional group requirements: NA
SPN required for constrained delegation: NA

Account: FIM Service Account
Server component: FIM Service and Portal
Recommended additional permissions:
  • Deny logon as a batch job
  • Deny logon locally
  • Deny access to this computer from the network
  • WMI and DCOM permissions for SSPR
Additional group requirements:
  • FIMSyncAdmins
  • FIMSyncBrowse and FIMSyncPasswordSet (for SSPR)
SPN required for constrained delegation: FIMService/<FIM Service Server>

Account: FIM Management Agent Service Account
Server component: FIM Management Agent
Recommended additional permissions: NA
Additional group requirements: NA
SPN required for constrained delegation: NA

Account: SharePoint Application Pool Account
Server component: SharePoint
Recommended additional permissions: NA
Additional group requirements: NA
SPN required for constrained delegation: HTTP/<FIM Portal Server>

Account: FIM Password Registration Application Pool Account
Server component: FIM Password Registration
Recommended additional permissions: NA
Additional group requirements: NA
SPN required for constrained delegation: HTTP/<passwordregistration portal server>. See the FIM 2010 R2 SSPR Deployment Guide for more information.

Account: FIM Password Reset Application Pool Account
Server component: FIM Password Reset
Recommended additional permissions: NA
Additional group requirements: NA
SPN required for constrained delegation: HTTP/<passwordreset portal server>. See the FIM 2010 R2 SSPR Deployment Guide for more information.

Accounts: FIM CM Agent, FIM CM Authorization Agent, FIM CM CA Manager Agent, FIM CM Enrollment Agent, FIM CM Key Recovery Agent
Server component: FIM Certificate Management
Recommended additional permissions: No additional permissions required. Permissions will be set by the Configuration Wizard.
Additional group requirements: NA
SPN required for constrained delegation: NA

Account: FIM CM Web Pool Agent
Server component: FIM Certificate Management
Recommended additional permissions: No additional permissions required. Permissions will be set by the Configuration Wizard.
Additional group requirements: NA
SPN required for constrained delegation: HTTP/<FIM CM Server>. See the FIM CM Deployment documentation.
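The following PowerShell script is an added example, not part of the deployment guide, showing how the table translates into account provisioning: it creates the FIM Synchronization Service and FIM Service accounts, applies the group memberships and FIMService/<FIM Service Server> SPN listed for the FIM Service account, and sets the three recommended deny rights on the local server through a secedit template. The account names, OU, domain and host names are assumed placeholders, and the FIMSync* groups exist only after the FIM Synchronization Service has been installed.

```powershell
# Added example, not from the FIM 2010 R2 deployment guide. Names, OU and host are
# placeholders; run on the FIM Service server as a domain administrator after the
# FIM Synchronization Service install has created the FIMSync* groups.
Import-Module ActiveDirectory
$ou         = 'OU=Service Accounts,DC=corp,DC=example,DC=com'   # placeholder OU
$fimSvcHost = 'fimservice01.corp.example.com'                    # placeholder FQDN
$netbios    = (Get-ADDomain).NetBIOSName
$password   = Read-Host -AsSecureString 'Password for the new service accounts'

# Accounts from the table: one for the Synchronization Service, one for the FIM Service.
$accounts = @{ 'svc-FIMSync'    = 'FIM Synchronization Service'
               'svc-FIMService' = 'FIM Service and Portal' }
foreach ($name in $accounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Path $ou -Description $accounts[$name] `
            -AccountPassword $password -PasswordNeverExpires $true -Enabled $true
    }
}

# Group requirements for the FIM Service account: FIMSyncAdmins, plus
# FIMSyncBrowse and FIMSyncPasswordSet when SSPR will be used.
foreach ($group in 'FIMSyncAdmins', 'FIMSyncBrowse', 'FIMSyncPasswordSet') {
    Add-ADGroupMember -Identity $group -Members 'svc-FIMService'
}

# SPN for constrained delegation: FIMService/<FIM Service Server>. A duplicate SPN
# breaks Kerberos for the service (clients fall back to NTLM), so query before adding.
$spn = "FIMService/$fimSvcHost"
if (setspn -Q $spn | Select-String -SimpleMatch 'Existing SPN found') {
    Write-Warning "$spn is already registered to another principal; resolve that first"
} else {
    setspn -S $spn "$netbios\svc-FIMService"
}

# The three recommended deny rights, applied to the local security policy through a
# secedit template. SeDeny* are the User Rights Assignment constants secedit expects;
# a domain GPO that sets the same rights will overwrite this local setting.
$principals = "$netbios\svc-FIMSync,$netbios\svc-FIMService"
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyBatchLogonRight = $principals
SeDenyInteractiveLogonRight = $principals
SeDenyNetworkLogonRight = $principals
"@
Set-Content -Path "$env:TEMP\fim-deny.inf" -Value $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\fim-deny.sdb" /cfg "$env:TEMP\fim-deny.inf" /areas USER_RIGHTS
```

After it runs, `setspn -L svc-FIMService` and `secedit /export /areas USER_RIGHTS /cfg <file>` let you confirm the SPN and the deny rights against the table before installing the FIM Service.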