SuperG Web Log

Installing the FIM 2010 Server Components

The Bulk of the information here was taken from http://technet.microsoft.com/en-us/library/ff512686.aspx

FIM Synchronization Service

The FIM Synchronization Service consists of the metadirectory, provisioning engine, and management agents (MA) for various connected data sources. It supports synchronization of data between the FIM Synchronization Service database and other identity stores in the enterprise.
During the installation of the Synchronization Service, the firewall on the server hosting this service is configured to allow Dynamic RPC and RPC endpoint mapper access to the FIM Synchronization Service.
The FIM Synchronization Service creates five security groups. The first three groups correspond to the FIM Synchronization Service user roles: Administrator, Operator, and Joiner.
The other two groups are used for granting access to the Windows Management Instrumentation (WMI) interfaces: Connector Browse and Password Set.
By default, the FIM Synchronization Service creates the five security groups as local computer groups instead of domain global groups. If you plan to use domain global groups, you must create the groups before you install the FIM Synchronization Service.
Using ADUC – I made these groups ahead of time.

Only one FIM Synchronization Service instance can exist in a deployment.
To install the FIM Synchronization Service

1. On the FIM 2010 startup screen, click the Install Synchronization Service link.

   
   

2. Follow the instructions in the installation wizard.

   Important: Make sure all installs are done with elevated privileges and the account has the correct rights or installation may fail.

   I am installing to an Off-Box SQL
   

   
   

   Enter in the information for the FIM Synchronization Service Account
   

   
   

3. On the Group Information page, when you are prompted for the five security groups, enter in the inforamtion for the Domain Global groups made earlier.

   
   

FIM Service, FIM Portal and FIM Password Reset Portal

Installing the FIM Service installs the Web services parts of FIM 2010 and also configures the FIM Service database on the server that hosts SQL Server 2008.
During the installation of FIM Service, port 5725 and 5726 are opened and exceptions for these ports are added to the Windows Server 2008 firewall settings. Opening these ports permits communication to the FIM 2010 Service from the FIM Portal, FIM Password Reset Portal, FIM Synchronization Service and FIM Password Reset Extensions components installed on other computers in your organization.
To install the FIM Service

1. On the FIM 2010 startup screen, click the Install Service and Portal link.

   
   

2. Follow the instructions in the installation wizard.

   Important: The SQL Agent must be running on the server running SQL before you run the installation of the FIM Service

3. On the Custom Setup page, you are prompted for the applications that you want to install.

   I installed all parts as I am using only one server. If you are using multiple servers you can set those part you are not using as shown in the picture otherwise leave them all selected
   
   THIS IS NOT HOW I DID IT – I KEPT THE DEFAULT
   

   
   

4. Click Next.
5. On the Configure Common Services page, in the Database Server box, type the name of the server that hosts SQL Server 2008.

   
   

6. Click Next.
7. On the Configure Common Services – Configure mail server connection page, in Mail Server, type the name of the server hosting the Exchange Web services.

Important

If you have several FIM Service servers using the same database, ensure that you select only the Enable polling of Exchange Server 2007check box on one of the servers. This setting is also applicable for Exchange 2010. This server is responsible for obtaining e-mail messages from the Exchange Web Service interface and turning them into requests.

1. Click Next.
2. On the Configure Common Services – Configure service certificate page, select the option to generate a new self-issued FIM certificate that is used by the Web service to validate communication from the clients, or select a certificate from the certificate store, and then click Next.

   
   

3. On the Configure Common Services – Configure the FIM service account page, provide the credentials for the FIM domain service account.

   
   

4. Click Next.
5. On the Configure Common Services – Configure the Forefront Identity Manager synchronization connection, in the Synchronization Server box, type the name of the server that is hosting the FIM Synchronization Service component.
   In the FIM 2010 Management Agent Account* box, type the domain\account of the FIM MA account.

   
   

6. Click Next.
7. In Configure FIM Service and Portal – Configure connection to the FIM Service, type the name of the server that the clients should use to contact the FIM Service.

   The names should match the Service Principal Names (SPNs) that you created in the preinstallation tasks.

   
   

8. In Enter the URL to the SharePoint, type the address to the SharePoint site where the FIM Portal should be installed. This is the full address, including the port number, if necessary, to access the site collection. This address is whatever you set it to when you setup the sharepoint server.
9. To add to the list of known addresses, start SharePoint 3.0 Central Administration, and navigate to Operations, Alternate Access Mappings, Edit Public Zone URLs. Add the URLyou want to use to the Intranet zone, leaving the Default zone with the SharePoint server farm address.

   
   

1. Click Next.
2. On the Configure FIM Service and Portal – Configure security changes configured by setup, to allow clients to contact the Web service interface, select Open ports 5725 and 5726 in firewall, Grant authenticated users access to the FIM Portal site and Grant authenticated users access to the FIM Password Reset site (if you are going to use them)

   
   

3. Click Next, then click Install.
4. Test the FIM Portal by opening Internet Explorer and navigating to http://servername/identitymanagement

When using the FIM Portal in Windows Server 2008 or Windows Server 2008 R2, the controls or buttons do not work unless the browser security settings for Internet Explorer are adjusted to turn on JavaScript.
Post-Installation Tasks

After you install the FIM 2010 server components, you must complete several configuration tasks.
Installing the latest update for FIM

Updates for FIM are posted on Microsoft Update. Ensure that you install the latest update from Microsoft Update.

1. In Windows Server 2008, click Start, and then click Windows Update.
2. Click Check for updates. Install any new updates for FIM that are available.

• If you are using an Off-Box SQl server you will need the “Microsoft SQL Server 2008 Native Client”
  
  • If you do not install this when you update FIM you may see this error: Error 25070.
    

    

  • To fix this install the “Microsoft SQL Server 2008 Native Client” found here http://www.microsoft.com/download/en/details.aspx?id=16177
    
  • The download you want is mid way down the page.
    

Add the FIM Service service account to the FIM Synchronization Service security groups

• Add the service account used by the FIM Service to the FIMSyncAdmins group. This allows the FIM Service to configure the FIM Synchronization service.
  
• If you plan to use the Password Reset feature of FIM 2010, add the service account that the FIM Service uses to the security group FIMSyncPasswordSet.
• So that the group membership is effective, restart the FIMService service.

  

Configuring the FIM Service service Exchange mailbox

The following are best practices for configuring Exchange Server for the FIM Service service account.

1. Configure the service account so that it can accept mail only from internal e-mail addresses. Specifically, the service account mailbox should never be able to receive mail from external SMTP servers.

In the Exchange Management Console, select the FIM Service service account, click Properties, click Mail Flow Settings, and then click Mail Delivery Restrictions. Select the Require that all senders are authenticatedcheck box. For more information, see:

• Configure the service account so that it rejects mail messages with sizes greater than 1 MB.

  
  

• Configure the service account so that it has a mailbox storage quota of 5 gigabytes (GB).
  Where I work we never prohibit receive as that could effect business .

  
  

Disabling SharePoint indexing

It is recommended that you disable SharePoint indexing. There are no documents that need to be indexed, and indexing causes many error log entries and potential performance problems with FIM 2010.

To disable SharePoint indexing

1. On the server that hosts the FIM 2010 Portal, click Start.
2. Click All Programs.
3. In the All Programs list, click Administrative Tools.
4. Under Administrative Tools, click SharePoint 3.0 Central Administration.
5. On the Central Administration page, click Operations.
6. On the Operations page, under Global Configuration, click Timer job definitions.

   
   

7. On the Timer Job Definitions page, click SharePoint Services Search Refresh.

   
   

8. On the Edit Timer Job page, click Disable.

   
   

Activating the Kerberos protocol only

It is highly recommend that you turn off portal authentication that uses NTLM. The Kerberos protocol is a more secure protocol to use.

To activate Kerberos protocol only

1. Open the Web.config file, which is usually located at C:\inetpub\wwwroot\wss\VirtualDirectories\80.

   Note : You need an elevated command prompt or Windows Explorer to access this folder.

2. Locate the element <resourceManagementClient . . . />
3. Add requireKerberos=”true” so that it reads <resourceManagementClient requireKerberos=”true” . . . />
4. Save the Web.config file.

   
   

5. Run iisreset from a command prompt.

   There are other setting in the base source Blog that I am not using, mostly dealing with Exchange