FIM 2010: Decommissioning Checklist


 


Introduction

It sounds strange, and it is a somewhat controversial way of supporting the FIM product, but uninstalling FIM properly is part of the FIM administrator's job too.

There might be various reasons to remove the product from your environment.

  • after a merger, the product is migrated to another FIM installation on another network
  • only particular and limited functionality is used (and more specifically served by another product)
  • functionality is phased out, installed functions are not used anymore
  • (feel free to add more scenarios in here)

Whatever the reason, you should do it properly and thoroughly.

What are the things you should think about?

It's not as simple as just reversing the installation procedure: you need to make sure all security components are reset or reconfigured and removed from the systems.

 


Inventory

Before you start to decommission your FIM infrastructure, make sure you have a proper inventory.

Server infrastructure

List all servers involved in your FIM configuration.

  • FIM Servers
  • Database servers
  • Web servers

Databases

  • Databases
    • FIM Service
    • FIM Sync
    • SharePoint

Security & AD

  • FIM security groups
    • FIM Sync Admins
    • FIM Sync Browse
    • FIM Sync Joiners
    • FIM Sync Operators
    • FIM Sync Password Set
  • Service Accounts
    • FIM Service
    • FIM Sync
    • FIM portal (SharePoint/IIS)
    • SharePoint application pool account
    • FIM MA account
    • Management agent accounts
  • AD security
    • Service Account Rights & Permissions on OUs
    • Replicating directory changes rights
    • SPN settings
    • Service Settings

Client software

  • Lotus Notes client for administrator access on FIM server
  • Oracle DB client
  • other 3rd party client software
  • ...

Certificates

Revoke / decommission certificates that will no longer be used.

 

Exchange

  • Mailbox on Exchange
  • Exchange provisioning permissions for any FIM MA

 


Backup

In case you need to revert your decision at a later stage, or need to recover information from the existing FIM environment, it is highly recommended to back up your FIM environment first.

More information: http://aka.ms/FIMDRP

 


Removing components

  • Uninstall FIM Portal
  • Uninstall Password Reset & Password Registration portal
  • Uninstall FIM Service
  • Uninstall FIM Sync
  • Remove DB
  • Uninstall SQL
  • Uninstall PCNS
  • Uninstall SharePoint Foundation
  • Remove client software
  • Remove FIM SPN configuration
    • List SPN configuration
      • setspn -L <serviceaccount>
    • Delete the FIM Service SPN (registered at installation with setspn -S)
      • setspn -D FIMService/<alias> <domain>\<serviceaccount>
  • Remove service account rights from AD
  • Check for Kerberos delegation
    • Setting to look for (from the installation procedure): Turn on Kerberos delegation for the FIM Service and FIM Password service accounts in AD DS. You can turn on delegation for all services either by selecting "Trust this user for delegation to any service" (not recommended) or by using constrained delegation (recommended) by selecting "Trust this user for delegation to the specified services only". If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.
  • Remove service accounts
  • Delete the SSPR portal SPN (registered at installation with setspn -S)
    • setspn.exe -D HTTP/<ssprPortalHostHeaderName> <domain>\<ssprPortalMachineAccount$>
  • Remove SQL Server alias information

To check the SQL Server alias that allows Setup to contact the server running SQL Server:
  1. Start the SQL Server Configuration Manager.
  2. Navigate to SQL Native Client 10.0 Configuration/Aliases.
  3. Create a new alias with your server information.
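
An added example, not part of the original article or of Microsoft's documentation: a PowerShell function that reports the SPNs, delegation settings and group memberships still attached to a FIM service account, so they can be cleaned up before the account itself is removed. The function name, account names, host names and group DNs are placeholders, and the sample objects are constructed stand-ins for Get-ADUser output.

```powershell
# Added example (not from the FIM documentation): report what is still attached
# to a FIM service account before the account itself is removed.
# With the ActiveDirectory module, real input would come from:
#   Get-ADUser <name> -Properties ServicePrincipalNames,TrustedForDelegation,
#       msDS-AllowedToDelegateTo,MemberOf
function Get-FimAccountLeftover {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        $name = $Account.SamAccountName
        $report = {
            param($finding, $action)
            [pscustomobject]@{ Account = $name; Finding = $finding; Action = $action }
        }
        foreach ($spn in @($Account.ServicePrincipalNames)) {
            if ($spn) { & $report "SPN $spn" "setspn -D $spn $name" }
        }
        if ($Account.TrustedForDelegation) {
            & $report 'Unconstrained delegation' 'Clear "Trust this user for delegation to any service"'
        }
        foreach ($target in @($Account.'msDS-AllowedToDelegateTo')) {
            if ($target) { & $report "Constrained delegation to $target" 'Remove the entry on the Delegation tab' }
        }
        foreach ($group in @($Account.MemberOf)) {
            if ($group) { & $report "Member of $group" 'Remove membership, then the group if FIM-only' }
        }
    }
}

# Constructed sample objects; account, host and group names are placeholders.
$sample = @(
    [pscustomobject]@{
        SamAccountName             = 'svc-fimservice'
        ServicePrincipalNames      = @('FIMService/fimsvc.example.test')
        TrustedForDelegation       = $false
        'msDS-AllowedToDelegateTo' = @('FIMService/fimsvc.example.test')
        MemberOf                   = @()
    },
    [pscustomobject]@{
        SamAccountName             = 'svc-fimsync'
        ServicePrincipalNames      = @()
        TrustedForDelegation       = $true
        'msDS-AllowedToDelegateTo' = @()
        MemberOf                   = @('CN=FIMSyncAdmins,OU=Groups,DC=example,DC=test')
    }
)
$sample | Get-FimAccountLeftover | Format-Table -AutoSize
```

An empty result for every account in the inventory means no SPN, delegation setting or group membership is left to clean up before the account is deleted.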

Remove files left over after uninstalling

  • Logs
  • MA data

Hints & tips

 


Source references

 


See also