Step 5: Perform FIM 2010 Prerequisite Tasks

The prerequisites for installing the Forefront Identity Manager 2010 Synchronization Service on FIM1 in the test lab consist of the following tasks:

  • Create the FIM Service Accounts

  • Secure the CORP\FIMSynchService Account

  • Set the SQL Server Agent Service to Start Automatically

  • Enable SQL Firewall Ports

  • Enable SQL Server Network Protocols

Create the FIM Service Accounts

One service account needs to be created in corp.contoso.com that will be used with the Forefront Identity Manager 2010 installation.

Table 1 – Service Accounts

Full name           User logon name   Forest             Password
FIM Synch Service   FIMSynchService   corp.contoso.com   Pass1word$

To create the service account

  1. Log on to DC1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com.

  4. Now, right-click the ServiceAccounts OU, select New, and then select User. This will bring up the New Object – User window.

  5. On the New Object – User screen, in the Full Name box, type the following text:
    FIM Synch Service

  6. On the New Object – User screen, in the User logon name box, type the following text, and then click Next:
    FIMSynchService

  7. On the New Object – User screen, in the Password box, type the following text:
    Pass1word$

  8. On the New Object – User screen, in the Confirm Password box, type the following text:
    Pass1word$

  9. On the New Object – User screen, clear the User must change password at next logon check box.

  10. On the New Object – User screen, select Password never expires, and then click Next.
    Password never expires is a test lab convenience for a service account whose password is set once here. In production, rotate service account passwords according to your policy rather than exempting them.

  11. Click Finish.

  12. Log off DC1.corp.contoso.com.
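The same account creation, as an added example that is not part of the original guide, scripted in PowerShell for DC1. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or later) and that ServiceAccounts is an OU directly under the domain; the distinguished name used for it is an assumption based on the GUI steps above.

```powershell
# Added example (not from the original test lab guide): create the FIM Synch Service
# account from an elevated PowerShell prompt on DC1.corp.contoso.com instead of the
# Active Directory Users and Computers MMC. Assumes the ActiveDirectory module is
# available and that the ServiceAccounts OU sits directly under the domain.
Import-Module ActiveDirectory

$ou  = 'OU=ServiceAccounts,DC=corp,DC=contoso,DC=com'   # assumed DN, derived from the GUI steps
$sam = 'FIMSynchService'

# Prompt for the Table 1 password instead of embedding it in the script.
$password = Read-Host -Prompt "Password for CORP\$sam" -AsSecureString

New-ADUser -Name 'FIM Synch Service' `
    -DisplayName 'FIM Synch Service' `
    -SamAccountName $sam `
    -UserPrincipalName "$sam@corp.contoso.com" `
    -Path $ou `
    -AccountPassword $password `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -Enabled $true

# Verify what was created. The two password flags should match steps 9 and 10, and a
# service account should not be a member of anything beyond Domain Users.
$u = Get-ADUser $sam -Properties PasswordNeverExpires, MemberOf, pwdLastSet
$u | Select-Object DistinguishedName, Enabled, PasswordNeverExpires,
    @{ n = 'MustChangePassword'; e = { $_.pwdLastSet -eq 0 } },
    @{ n = 'ExtraGroupCount';    e = { @($_.MemberOf).Count } } | Format-List
```

The verification output should show Enabled True, PasswordNeverExpires True, MustChangePassword False and ExtraGroupCount 0; anything else means the GUI equivalent of steps 9 and 10 was not applied.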

Secure the CORP\FIMSynchService Account

Now, you will secure the CORP\FIMSynchService account by restricting its permissions on FIM1. The three entries below are User Rights Assignment settings in the local security policy. Running as a service uses the separate Log on as a service right, so these deny entries do not prevent the Synchronization Service from starting; they only stop the account from being used interactively, over the network, or in scheduled tasks if its password is ever exposed.

Table 2 – FIMSynchService Permissions

Account                Permissions
CORP\FIMSynchService   Deny access to this computer from the network
                       Deny log on as a batch job
                       Deny log on locally

To secure the CORP\FIMSynchService account

  1. Log on to FIM1.corp.contoso.com as Administrator.

  2. Click Start, select Administrative Tools, and then click Local Security Policy. This will open the Local Security Policy MMC.

  3. In the Local Security Policy MMC, on the left, expand Local Policies, and then click User Rights Assignment.

  4. Now, on the right, scroll down and double-click Deny access to this computer from the network. This will open the Deny access to this computer from the network Properties window.

  5. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  6. In the box below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMSynchService
    This should resolve to the FIM Synch Service account. Click OK.

  7. On the Deny access to this computer from the network Properties screen, click Apply, and then click OK.

  8. In the Local Security Policy MMC, scroll down and double-click Deny log on as a batch job. This will open the Deny log on as a batch job Properties window.

  9. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  10. In the box below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMSynchService
    This should resolve to the FIM Synch Service account. Click OK.

  11. On the Deny log on as a batch job Properties screen, click Apply, and then click OK.

  12. In the Local Security Policy MMC, scroll down and double-click Deny log on locally. This will open the Deny log on locally Properties window.

  13. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  14. In the box below Enter the object names to select (examples), type the following text, and then click Check Names:
    FIMSynchService
    This should resolve to the FIM Synch Service account. Click OK.

  15. On the Deny log on locally Properties screen, click Apply, and then click OK.

  16. Close the Local Security Policy MMC.
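The same three deny rights applied and verified with secedit, as an added example that is not the guide's own procedure. It runs from an elevated PowerShell prompt on FIM1, assumes the account already exists and resolves from FIM1, and uses arbitrary temporary file names. The SeDeny*Right constants are the privilege names Windows uses for these three User Rights Assignment entries.

```powershell
# Added example (not from the original guide): apply the Table 2 deny rights to
# CORP\FIMSynchService on FIM1 with secedit, keeping any existing assignees, then
# re-export the policy and confirm the account's SID is present on all three rights.
$account = 'CORP\FIMSynchService'
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# secedit privilege name -> label shown in the Local Security Policy MMC
$rights = @{
    'SeDenyNetworkLogonRight'     = 'Deny access to this computer from the network'
    'SeDenyBatchLogonRight'       = 'Deny log on as a batch job'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
}

$export = Join-Path $env:TEMP 'fim-rights-current.inf'   # arbitrary file names
$import = Join-Path $env:TEMP 'fim-rights-new.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# Build a template that adds *SID to each right without dropping current members.
$current = Get-Content $export
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
           '[Privilege Rights]')
foreach ($right in $rights.Keys) {
    $existing = ($current | Where-Object { $_ -match "^$right\s*=" }) -replace "^$right\s*=\s*", ''
    $members = @()
    if ($existing) { $members = $existing -split ',' | ForEach-Object { $_.Trim() } }
    if ($members -notcontains "*$sid") { $members += "*$sid" }
    $lines += "$right = " + ($members -join ',')
}
$lines | Set-Content $import -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'fim-rights.sdb') /cfg $import /areas USER_RIGHTS | Out-Null

# Verify: the re-exported policy must list the SID on every right.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$after = Get-Content $export
foreach ($right in $rights.Keys) {
    $ok = $after | Where-Object { $_ -match "^$right\s*=.*\*$sid" }
    '{0,-46} {1}' -f $rights[$right], $(if ($ok) { "denied for $account" } else { 'MISSING' })
}
```

Local Security Policy on FIM1 is subordinate to any domain Group Policy that configures the same user rights; if a domain GPO defines them, add the account there instead, and confirm the effective setting with gpresult /h before installing the Synchronization Service.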

Set the SQL Server Agent Service to Start Automatically

To set SQL Server Agent service to start automatically

  1. Log on to APP1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click Services.

  3. Scroll down to SQL Server Agent (MSSQLSERVER) and double-click it. This will bring up the SQL Server Agent (MSSQLSERVER) Properties.

  4. In the middle, next to Startup Type, select Automatic from the drop-down list. Click Apply, and then click OK.

  5. In Services, right-click SQL Server Agent (MSSQLSERVER), and then click Start. This will start the SQL Server Agent.

  6. When this completes, verify that the SQL Server Agent (MSSQLSERVER) has a status of Started.

  7. Close Services.

Enable SQL Firewall Ports

To enable the firewall ports on APP1

  1. Click Start, select Administrative Tools, and then click Windows Firewall with Advanced Security. This will bring up Windows Firewall with Advanced Security.

  2. On the left, select Inbound Rules, and on the right click New Rule. This will bring up the New Inbound Rule Wizard.

  3. On the Rule Type page, select Port, and then click Next.

  4. On the Protocol and Ports page, select TCP, type the following text in the box next to Specific local ports, and then click Next:
    445

  5. On the Action page, select Allow the connection, and then click Next.

  6. On the Profile page, select Domain, Private, and Public, and then click Next.
    Allowing all three profiles matches the isolated test lab. Outside the lab, limit SQL Server rules to the Domain profile.

  7. On the Name page, type the following text in the box, and then click Finish:
    SQL Server Named Pipes

  8. Repeat steps 2 through 7 for the remaining entries in Table 3.

  9. Close Windows Firewall with Advanced Security.

Table 3 – SQL Server Firewall Port Exceptions

Protocol   Port number   Name
TCP        445           SQL Server Named Pipes
TCP        1433          SQL Server Listening Port
UDP        1434          SQL Server Browser Service

Enable SQL Server Network Protocols

To enable SQL Server Network Protocols

  1. Click Start, select All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and then select SQL Server Configuration Manager. This will bring up the SQL Server Configuration Manager.

  2. In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration, and then click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their statuses.

  3. On the right, right-click Named Pipes (its status shows Disabled), and then select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.

  4. In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the right pane with three services and their states.

  5. On the right, right-click SQL Server (MSSQLSERVER), and select Stop. This will bring up a pop-up box that says stopping this service will also stop the SQLServerAgent. Do you wish to continue? Click Yes. This will stop the SQL Server service.

  6. In the SQL Server Services pane, right-click a blank area of the screen. This will bring up a small pop-up box. Click Refresh. You should now see both services stopped.

  7. On the right, right-click SQL Server (MSSQLSERVER), and select Start. This will start the SQL Server service.

  8. On the right, right-click SQL Server Agent, and select Start. This will start the SQL Server Agent service.

  9. Close SQL Server Configuration Manager.
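The three APP1 procedures above (SQL Server Agent startup type, the Table 3 firewall exceptions, and enabling Named Pipes), scripted as one added example that is not part of the original guide. It assumes the default instance MSSQLSERVER of SQL Server 2008 on Windows Server 2008 R2, where netsh advfirewall is the firewall command line (the NetSecurity cmdlets arrived with Windows Server 2012), and that the SMO WMI assembly that ships with the SQL Server management tools is installed.

```powershell
# Added example (not from the original guide): APP1 SQL prerequisites from an
# elevated PowerShell prompt. Assumes the default instance (MSSQLSERVER) and the
# SQL Server management tools, which provide Microsoft.SqlServer.SqlWmiManagement.

# 1. SQL Server Agent: start automatically, and start it now.
Set-Service -Name 'SQLSERVERAGENT' -StartupType Automatic
Start-Service -Name 'SQLSERVERAGENT'

# 2. Firewall exceptions from Table 3. profile=any matches the GUI steps for the lab.
$rules = @(
    @{ Name = 'SQL Server Named Pipes';     Protocol = 'TCP'; Port = 445  },
    @{ Name = 'SQL Server Listening Port';  Protocol = 'TCP'; Port = 1433 },
    @{ Name = 'SQL Server Browser Service'; Protocol = 'UDP'; Port = 1434 }
)
foreach ($r in $rules) {
    netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
        protocol=$($r.Protocol) localport=$($r.Port) profile=any | Out-Null
}

# 3. Enable Named Pipes through the same WMI provider SQL Server Configuration
#    Manager edits, then restart SQL Server (which also stops the dependent Agent)
#    and start the Agent again.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$np  = $wmi.ServerInstances['MSSQLSERVER'].ServerProtocols['Np']
if (-not $np.IsEnabled) { $np.IsEnabled = $true; $np.Alter() }

Restart-Service -Name 'MSSQLSERVER' -Force
Start-Service   -Name 'SQLSERVERAGENT'

# Verification: service state and start mode, protocol state, and the rules actually
# present in the firewall, plus a netstat check that 1433 and 445 are listening.
Get-WmiObject Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'" |
    Format-Table Name, State, StartMode -AutoSize
$wmi.ServerInstances['MSSQLSERVER'].ServerProtocols |
    Format-Table Name, DisplayName, IsEnabled -AutoSize
foreach ($r in $rules) { netsh advfirewall firewall show rule name="$($r.Name)" | Select-String 'Enabled|LocalPort' }
netstat -ano -p TCP | Select-String ':1433\s|:445\s'
```

Two cautions on Table 3 that the GUI steps do not spell out: TCP 445 is the SMB port that Named Pipes traffic rides on, so that rule also exposes file sharing on every profile it is enabled for, and UDP 1434 (SQL Server Browser) is only needed to locate named instances, while this lab uses the default instance. Matching the table is fine for the isolated test lab; outside it, restrict the rules to the Domain profile and drop the Browser rule if only the default instance is in use.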