FIM 2010: Decommissioning Checklist
This article covers the following topics:
Introduction
It may sound strange, and it is an unusual way of supporting the FIM product, but uninstalling FIM properly is part of the FIM administrator's job too.
There might be various reasons to remove the product from your environment.
- after a merger, the configuration is migrated to another FIM installation on another network
- only a particular, limited part of the functionality is used, and that part is now served by another product
- the functionality is being phased out and the installed functions are no longer used
- (feel free to add more scenarios here)
Whatever the reason, you should do it properly and thoroughly.
What are the things you should think about?
It is not as simple as reversing the installation procedure. You need to make sure that every security component (accounts, groups, rights, SPNs, delegation settings, certificates) is reset or reconfigured and removed from the systems; a forgotten service account with Replicating Directory Changes rights is an attractive target long after the product itself is gone.
Inventory
Before you start decommissioning your FIM infrastructure, make sure you have a proper inventory.
Server infrastructure
List all servers involved in your FIM configuration
- FIM Servers
- Database servers
- Web servers
Databases
- Databases
- FIM Service
- FIM Sync
- SharePoint
Security & AD
- FIM security groups
- FIM Sync Admins
- FIM Sync Browse
- FIM Sync Joiners
- FIM Sync Operators
- FIM Sync Password set
- Service Accounts
- FIM Service
- FIM Sync
- FIM portal (sharepoint/IIS)
- SharePoint application pool account
- FIM MA account
- Management agent accounts
- AD security
- Service Account Rights & Permissions on OUs
- Replicating directory changes rights
- SPN settings
- Service Settings
Client software
- Lotus Notes client for administrator access on FIM server
- Oracle DB client
- other 3rd party client software
- ...
Certificates
Revoke / decommission certificates that will not be used anymore (FIM Service server certificate, SSL certificates on the portals, certificates used by management agents).
Exchange
- Mailbox on Exchange
- Exchange provisioning permissions for any FIM MA
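The inventory above is easiest to capture from AD itself. The following script is an added example and is not part of the original checklist; it needs the RSAT ActiveDirectory module, and the group and account names are assumptions derived from the headings above (replace them with the names your domain actually uses). It records the FIM groups and their members, the SPNs and delegation settings on the service accounts, who holds Replicating Directory Changes rights on the domain root, and any explicit ACE on an OU granted to a FIM account.

```powershell
# Added inventory script, not part of the original checklist. Requires the RSAT
# ActiveDirectory module. Group and account names are assumptions taken from
# the checklist headings; replace them with the names used in your domain.
Import-Module ActiveDirectory

$fimGroups   = 'FIMSyncAdmins', 'FIMSyncBrowse', 'FIMSyncJoiners', 'FIMSyncOperators', 'FIMSyncPasswordSet'
$fimAccounts = 'svc-fimservice', 'svc-fimsync', 'svc-fimportal', 'svc-spapppool', 'svc-fimma', 'svc-adma'

$report = New-Object System.Collections.Generic.List[object]

# 1. Security groups and their current (recursive) membership
foreach ($g in $fimGroups) {
    $grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$g)"
    $members = if ($grp) { (Get-ADGroupMember -Identity $grp -Recursive | Select-Object -ExpandProperty SamAccountName) -join ';' } else { '' }
    $report.Add([pscustomobject]@{ Kind = 'Group'; Name = $g; Exists = [bool]$grp; Detail = $members })
}

# 2. Service accounts: SPNs and delegation settings (both must be cleaned up later)
$props = 'servicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
foreach ($a in $fimAccounts) {
    $u = Get-ADUser -LDAPFilter "(sAMAccountName=$a)" -Properties $props
    if (-not $u) { $report.Add([pscustomobject]@{ Kind = 'Account'; Name = $a; Exists = $false; Detail = '' }); continue }
    $report.Add([pscustomobject]@{ Kind = 'SPN'; Name = $a; Exists = $true; Detail = ($u.servicePrincipalName -join ';') })
    $report.Add([pscustomobject]@{ Kind = 'Delegation'; Name = $a; Exists = $true;
        Detail = "Unconstrained=$($u.TrustedForDelegation) ProtocolTransition=$($u.TrustedToAuthForDelegation) ConstrainedTo=$($u.'msDS-AllowedToDelegateTo' -join ';')" })
}

# 3. Replicating Directory Changes rights on the domain root. These are the
#    extended-right GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
$replGuids = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
$domainDN  = (Get-ADDomain).DistinguishedName
$rootAcl   = Get-Acl -Path "AD:\$domainDN"
$rootAcl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in $replGuids } |
    ForEach-Object { $report.Add([pscustomobject]@{ Kind = 'ReplicationRight'; Name = $_.IdentityReference.Value; Exists = $true; Detail = $_.ObjectType }) }

# 4. Explicit (non-inherited) ACEs on any OU granted to a FIM account (MA provisioning rights)
$accountPattern = ($fimAccounts | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -match "\\($accountPattern)$") {
            $report.Add([pscustomobject]@{ Kind = 'OUPermission'; Name = $ace.IdentityReference.Value; Exists = $true;
                Detail = "$($ou.DistinguishedName): $($ace.ActiveDirectoryRights) $($ace.AccessControlType)" })
        }
    }
}

$report | Export-Csv -Path '.\fim-inventory.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

Keep the CSV with the decommissioning ticket: it is the list you tick off while removing rights later, and step 3 in particular is worth re-running after the cleanup, because an account that can still replicate directory changes can dump every password hash in the domain.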
Backup
In case you need to revert your decision at a later stage, or need to recover information from the existing FIM environment, it is highly recommended to back up the FIM environment before removing anything: the FIM Service and FIM Sync databases, the SharePoint databases, the Sync Service encryption keys (without them the Sync database backup is useless) and the FIM Service configuration (schema and policy).
More information: http://aka.ms/FIMDRP
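As an added example, not taken from the original checklist or from the linked disaster recovery guide, the script below takes copy-only backups of the two FIM databases, verifies them, and exports the Sync Service key set. Assumptions: the SqlServer PowerShell module is installed, the databases use their default names, the Sync Service is installed in its default path, the instance name and backup share are placeholders, and the miiskmu.exe switch syntax is quoted from the FIM documentation (confirm it with miiskmu.exe /? before relying on it).

```powershell
# Added backup example, not part of the original checklist or the linked DR guide.
# Assumptions: SqlServer module installed, default database names and Sync
# Service install path, and backup rights on the instance for the running user.
Import-Module SqlServer

$sqlInstance = 'FIMSQL01'                                        # assumption
$backupRoot  = Join-Path '\\backup01\fim' (Get-Date -Format 'yyyyMMdd')   # assumption
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Default FIM database names. Add the SharePoint content and configuration
# databases under the names used by your farm.
foreach ($db in 'FIMService', 'FIMSynchronizationService') {
    $file = Join-Path $backupRoot "$db.bak"
    # CopyOnly so the backup chain of the production schedule is not disturbed
    Backup-SqlDatabase -ServerInstance $sqlInstance -Database $db -BackupFile $file -CopyOnly -Checksum
    # Verify the backup set is readable before the source database is dropped
    $escaped = $file.Replace("'", "''")
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Query "RESTORE VERIFYONLY FROM DISK = N'$escaped' WITH CHECKSUM"
}

# The Sync database is only usable together with the Sync Service encryption
# key set. Export it with miiskmu.exe (switch syntax as documented; confirm with /?).
$syncBin = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin'
$keyFile = Join-Path $backupRoot 'FIMSyncKeys.bin'
$cred    = Get-Credential -Message 'FIM Sync service account (used to export the key set)'
& (Join-Path $syncBin 'miiskmu.exe') /e $keyFile /u:$($cred.UserName) $cred.GetNetworkCredential().Password

# Restrict the backup share: the key file and the FIMService database contain
# secrets (MA credentials, workflow data), so only the DR group may read it.
$acl = Get-Acl -Path $backupRoot
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\FIM-DR-Admins', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')  # group name is an assumption
$acl.AddAccessRule($rule)
Set-Acl -Path $backupRoot -AclObject $acl

Get-ChildItem $backupRoot
```

Export the FIM Service schema and policy as well, with the export scripts provided in the FIM documentation, so the configuration can be re-imported into a fresh installation without restoring the whole database.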
Removing components
- Uninstalling FIM Portal
- Uninstall Password reset & Password registration portal
- Uninstall FIM Service
- Uninstall FIM Sync
- Removing DB
- Uninstall SQL
- Uninstall PCNS
- Uninstall SharePoint Foundation
- Remove client software
- Remove FIM SPN configuration
- List the SPNs registered on each FIM service account and machine account before touching them:
- setspn -L <domain>\<serviceaccount>
- Remove the SPNs that were registered during setup (setspn -S adds an SPN; setspn -D deletes it), for example:
- setspn -D FIMService/<alias> <domain>\<serviceaccount>
- setspn -D HTTP/<ssprPortalHostHeaderName> <domain>\<ssprPortalMachineAccount$>
- List the SPN configuration again to confirm nothing is left
- Remove service account rights from AD
- Check for Kerberos delegation
- During setup, Kerberos delegation was turned on for the FIM Service and FIM Password service accounts in AD DS, either for all services (Trust this user for delegation to any service, not recommended) or as constrained delegation (Trust this user for delegation to the specified services only, with the FIM Service SPN as the allowed target). Reset each account to Do not trust this user for delegation and clear the list of allowed services; an account that is still trusted for delegation can impersonate users to the listed services even though FIM is gone.
- Remove service accounts
- Disable the accounts first and delete them only after a retention period, so that anything still authenticating as them shows up in the security log instead of silently breaking.
- Remove SQL Server alias information
- Setup needed a SQL Server alias on each FIM server to contact the server running SQL Server. To remove it:
- Start the SQL Server Configuration Manager.
- Navigate to SQL Native Client 10.0 Configuration/Aliases.
- Delete the alias that points at the FIM database server (check both the 32-bit and the 64-bit alias nodes).
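The AD and SQL alias cleanup steps above are repetitive per account, so here is an added example that performs them from PowerShell; it is not part of the original checklist. It needs the RSAT ActiveDirectory module, the account names and the alias name are assumptions, and every cmdlet honours -WhatIf so the first run can be a dry run. It removes all SPNs from an account (the equivalent of setspn -D for each value), resets delegation, strips explicit ACEs for the account from the domain root, disables the account, and deletes a SQL Native Client alias from both registry views.

```powershell
# Added cleanup script, not part of the original checklist. Run it after the FIM
# components are uninstalled, with -WhatIf first. Account names and the alias
# name are assumptions. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Remove-FimServiceAccountConfig {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$WhatIf)

    $u = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'

    # 1. SPNs: PowerShell equivalent of "setspn -D <spn> <account>" for every registered SPN
    if ($u.servicePrincipalName.Count -gt 0) {
        Write-Host "$SamAccountName SPNs: $($u.servicePrincipalName -join ', ')"
        Set-ADUser -Identity $u -ServicePrincipalNames @{ Remove = @($u.servicePrincipalName) } -WhatIf:$WhatIf
    }

    # 2. Delegation: back to "Do not trust this user for delegation", with no constrained targets left
    Set-ADAccountControl -Identity $u -TrustedForDelegation $false -TrustedToAuthForDelegation $false -WhatIf:$WhatIf
    if ($u.'msDS-AllowedToDelegateTo') {
        Set-ADUser -Identity $u -Clear 'msDS-AllowedToDelegateTo' -WhatIf:$WhatIf
    }

    # 3. Explicit ACEs on the domain root (this is where Replicating Directory Changes lives).
    #    Run the same loop over every OU the inventory flagged for this account.
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$domainDN"
    $aces = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$SamAccountName" })
    foreach ($ace in $aces) {
        Write-Host "Removing $($ace.ActiveDirectoryRights) on $domainDN for $($ace.IdentityReference.Value)"
        [void]$acl.RemoveAccessRule($ace)
    }
    if ($aces.Count -gt 0 -and -not $WhatIf) { Set-Acl -Path "AD:\$domainDN" -AclObject $acl }

    # 4. Disable now; delete only after the retention period, so a forgotten consumer
    #    fails visibly (logon failures in the security log) rather than keeping the account alive.
    Disable-ADAccount -Identity $u -WhatIf:$WhatIf
}

function Remove-SqlClientAlias {
    param([Parameter(Mandatory)][string]$AliasName, [switch]$WhatIf)
    # SQL Native Client aliases are stored in the registry; 64-bit hosts have both views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
    foreach ($k in $keys) {
        if ((Test-Path $k) -and (Get-ItemProperty -Path $k -Name $AliasName -ErrorAction SilentlyContinue)) {
            Write-Host "Removing alias $AliasName from $k"
            Remove-ItemProperty -Path $k -Name $AliasName -WhatIf:$WhatIf
        }
    }
}

# Usage: dry run first, then repeat without -WhatIf.
foreach ($acct in 'svc-fimservice', 'svc-fimsync', 'svc-adma') {
    Remove-FimServiceAccountConfig -SamAccountName $acct -WhatIf
}
Remove-SqlClientAlias -AliasName 'FIMSQL' -WhatIf
```

Re-run the inventory script afterwards and compare: the SPN, Delegation, ReplicationRight and OUPermission rows for the FIM accounts should be empty before the accounts are finally deleted.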
Remove files left behind after uninstall
- logs (the FIM Service and portal logs, and the SharePoint ULS logs)
- MA data (the MaData folders and any drop files or extension DLLs; these can contain exported object data and connected-system credentials)
Hints & tips
Source references
- Uninstalling Forefront Identity Manager 2010 R2: http://technet.microsoft.com/en-us/library/jj200258(v=ws.10).aspx
- To configure IIS to use the service account for Kerberos delegation, set useAppPoolCredentials as described in Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=188290); reverse that setting when the portal is removed.
See also
- FIM 2010: Planning security setup for accounts, groups and services: http://aka.ms/FIM2010Security