FIM Reference: Migrating from MIIS or ILM to FIM 2010
PURPOSE
This document covers migrating from Microsoft Identity Integration Server 2003 (MIIS) or Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 (ILM) to FIM 2010. It covers things to think about before migrating, as well as issues that you may encounter during the migration.
OVERVIEW
Microsoft Forefront Identity Manager 2010 (FIM 2010) introduces some new features to the identity product. This document focuses on the Synchronization Service Manager, which is the feature it has in common with the previous products. FIM 2010 is strictly a 64-Bit product, so the migration moves from a 32-Bit to a 64-Bit platform.
We will cover things like:
- Moving the backend database to a SQL Server 2008 x64 machine
- Backing up and moving synchronization configurations
- FIM 2010 Topology recommendations
- FIM 2010 Builds
Migration steps outline
- Plan your migration
- Execute Migration Steps
- Back up current environment
- Install FIM 2010
Plan your migration
Planning your migration is very important. This will allow you to document and understand how you will move your existing environment to the new environment.
The first thing to understand when planning your migration is your current configuration. This is important, because you may need to execute extra steps before you are able to migrate to the new environment.
QUESTIONS
Here are some questions you will want to ask yourself when executing your migration:
- Am I going to keep the existing backend database in the new FIM 2010 environment?
  - The backend SQL Server database holds all of your configuration information as well as the data that passes through the system.
  - If you choose not to keep the backend database, you will have to re-create each of your management agents. You can still keep your extensions.
    - Back up source code and extensions
    - Save management agents to XML to view in HTML when re-creating the management agents
  - If you choose to keep your backend database, then your configuration and extension DLLs will come along with it. However, it is still recommended to back up your extensions as a safeguard in case a DLL is missing or doesn't appear after the upgrade.
    - Back up source code and extensions
- What is the build of MIIS, IIFP or ILM in my environment?
  - If you are using a MIIS or IIFP build earlier than 3.2.0559.0 (MIIS 2003 SP2 / IIFP SP2), then you will need to upgrade your current environment to Service Pack 2 before migrating.
- What is the build of the backend SQL Server?
- What hardware will I need for my FIM deployment?
FIM 2010 ARCHITECTURE PLANNING
Planning the Forefront Identity Manager 2010 deployment is very important, starting with how many machines the deployment needs. The number can differ depending on the size of an organization. However, some key basics to remember when deploying Forefront Identity Manager 2010 are:
Understanding what needs to be installed
Understanding what needs to be installed will help make the installation process smoother. The first step in setting up a FIM environment is to understand why you are using the FIM product.
This helps identify which parts of Forefront Identity Manager 2010 need to be installed.
For example, if the goal is a Global Address List Synchronization (GalSync) solution, then you only need to install the Forefront Identity Manager 2010 Synchronization Service. If your goal is to use Self-Service Password Reset (SSPR), then you will need all parts of Forefront Identity Manager 2010. Below are some examples of solutions and the pieces of Forefront Identity Manager 2010 that you will need to install. The list does not include prerequisites or the SQL Server install.
- GalSync Solution (FIM Synchronization Service)
- SSPR Solution (FIM Portal, FIM Service, FIM Password Reset Portal, FIM Synchronization Service)
- User and/or Group Management via the portal (FIM Portal, FIM Service, FIM Synchronization Service)
Environments to install
We highly recommend the following environments in the overall development of your FIM architecture. The environments are important to help test the initial coding, code changes, structure changes, etc. These environments can help prevent disasters in production environments. Here are a few examples:
- The moving of all objects to a disabled state
- The resetting of all users' passwords
- Performance issues
Development Environment
This environment does not need to be a huge environment. You could possibly get away with using an All-In-One, or possibly a two machine setup. This environment is strictly for developing the FIM Solution based on your business rules and processes.
In some cases, people do not have the hardware to set up more Active Directory servers, Exchange servers, etc. In those cases, we recommend using a dedicated organizational unit, with a structure under it, for testing purposes.
Staging Environment
The staging environment should mimic production. Around 10-20% of the production user base should be enough to develop a good understanding of the scalability and performance of the FIM solution.
This is a critical environment, in that it gives you insight into how the solution should work in production.
Production Environment
The production environment is where the actual live data is, and it is what the FIM solution will work with once deployed.
Topology
Topology is very important to understand and follow when planning a Forefront Identity Manager 2010 deployment. Here are some links that discuss Topology for Forefront Identity Manager 2010. You will see that it is recommended in the documentation to run the FIM Service database and the FIM Synchronization Service database on separate SQL Servers. This is highly recommended.
Topology Considerations
http://technet.microsoft.com/en-us/library/ff400273(WS.10).aspx
Best Practices
http://technet.microsoft.com/en-us/library/ff608274(WS.10).aspx
If there is a concern about the number of servers for SQL Server, then the recommendation is to run the backend SQL Server databases on different SQL Server instances on the same SQL Server machine.
You can also find documentation on load balancing Forefront Identity Manager 2010 in the topology documentation.
Machine Recommendations
Here we will present some recommendations for machine setup for the FIM 2010 environment. These are not the FIM 2010 System Requirements, but are recommendations based on support experiences.
Synchronization Service Only:
- 2 Machine setup
- Synchronization Service Machine (at least 4 GB of RAM)
- SQL Server Machine (at least 16 GB of RAM, and a large amount of disk space)
Everything:
- At least a 2 machine setup, but a 3 machine setup would be more appropriate.
- FIM Portal, FIM Service, Synchronization Service Machine (at least 4 GB of RAM)
- SQL Server Machine (at least 16 GB of RAM, and a large amount of disk space)
* Remember to run the databases on separate SQL Server instances
OR
Combined Portal & Service (1 SQL):
- FIM Portal, FIM Service Machine (at least 4 GB of RAM)
- Synchronization Service Machine (at least 4 GB of RAM)
- SQL Server Machine (at least 16 GB of RAM, and a large amount of disk space)
* Remember to run the databases on separate SQL Server instances
OR
Combined Portal & Service (2 SQL):
- FIM Portal, FIM Service Machine (at least 4 GB of RAM)
- Synchronization Service Machine (at least 4 GB of RAM)
- SQL Server Machine (at least 16 GB of RAM, and a large amount of disk space)
- SQL Server Machine (at least 16 GB of RAM, and a large amount of disk space)
OR
All functions separated (5 servers):
- FIM Portal Machine (at least 4 GB of RAM)
- FIM Service Machine (at least 4 GB of RAM)
- Synchronization Service Machine (at least 4 GB of RAM)
- SQL Server Machine (at least 16 GB of RAM, and a large amount of disk space)
- SQL Server Machine (at least 16 GB of RAM, and a large amount of disk space)
MIGRATION STEPS
The steps documented here will guide you through preparing your current environment for migration, moving to the FIM 2010 servers, and preparing for the installation.
- Clear the run history
- Backup your information
- Moving the backend SQL Server database
- Install FIM 2010
- Post Install FIM 2010
Clear the run history
Clearing the run history helps reduce the size of the MDF (backend database file). The recommendation would be to clear all of the runs from the run history. If this information is important to your business then the recommendation is to save to an XML file during the clearing of runs. You will be prompted for this information.
Review Appendix B if you need the steps to guide you through the clearing of the run history.
Backing up information
This section will cover the necessary items to back up and move in your current configuration. It is important to cover all of the steps, because it will prevent you from having to re-do the configurations, as well as help in preventing possible problems in working with the backend database.
- Back up the encryption key
  - It is very important to back up the encryption key if you plan to use the existing database. The reason for this is that the server configuration, extension DLLs and other vital information are stored in the database. It will make life much easier during your migration.
- Back up the extensions folder
  - This is not absolutely necessary unless you plan to start with a clean database. The extension DLLs are stored in the backend database as well as in the extensions folder. If you backed up the encryption key before moving or restoring the existing database from MIIS or ILM, then these DLLs will be re-populated into the extensions folder.
  - If for some reason you do not see the DLLs, then use your backup of the previous extensions folder to repopulate your extensions.
- Back up the source code
- Back up the backend SQL Server
  - Review Appendix E for guided steps on how to back up the SQL Server database
Moving the backend SQL Server database to SQL Server 2008 x64
It is important to understand the version of SQL Server that you are using for the backend SQL Server. It is also vital to understand how you will be getting the backend database to the new SQL Server 2008 instance.
The best way to do this is to use the SQL Server Backup and Restore feature. If you have a backend database that is in SQL Server 2000 Service Pack 4, the Backup and Restore Feature is the best way to go about upgrading the backend database.
If you decide to simply copy the MDF and LDF files over to the new SQL Server 2008, and your backend is SQL Server 2000, then there will be additional steps you will need to take. Review Appendix F for more information on the copy of the MDF/LDF files.
For information on backing up the database, please review one of the following links:
- SQL Server 2000 Performing Complete Database Backup
- SQL Server 2005: How to back up a database
- SQL Server 2008: How to back up a database
If a reason exists that you need to copy the MDF and LDF files, review the below information.
Install FIM 2010
It is recommended to follow the Installation Guide for installing Microsoft Forefront Identity Manager 2010.
Post Install FIM 2010
Microsoft Forefront Identity Manager 2010 RTM is build 4.00.2592.2. Several updates have been released since build 4.00.2592.2. It is recommended that you update to the latest build of Microsoft Forefront Identity Manager 2010. Please review Appendix D for a build list.
Source Code
Your source code! It is important to know how you compiled your extensions so that you can tell whether you need to re-compile or re-code any of them. You can find this information in the Project Properties window, which is normally found under the Project menu in Visual Studio.
If the source code was compiled to Target CPU AnyCPU then your extension code should be ok. However, we do recommend running through a good test of the code. If your Target CPU is specifically set to x86 you may want to consider re-compiling your code to either AnyCPU or x64.
Here is some information regarding moving to 64-Bit.
- Migrating 32-Bit managed code to 64-Bit: http://msdn.microsoft.com/en-us/library/ms973190.aspx
- 64-Bit Applications: http://msdn.microsoft.com/en-us/library/ms241064.aspx
FIM 2010 - Common Installation & configuration issues
(Review Appendix D for a build list of the builds post FIM 2010 RTM)
- Error 25009 when trying to upgrade to FIM 2010
- Creating the FIM Service Management Agent – Invalid Column Name
  - Fixed in build 4.0.3547.2
- Support for SQL Server 2008 R2 as the backend SQL Server
  - Fixed in build 4.0.3531.2
- TempDB issues – Issues concerning the file growth and problems with Full Text Searches
  - Fixed by running the backend databases (FIMService and FIMSynchronizationService) on separate machines, or separate SQL Server instances
Additional Information
Links
- Migrating from ILM 2007 to FIM 2010
- FIM 2010 Installation Guide
- Forefront Identity Manager 2010 Community Forums
- Forefront Identity Manager 2010 TechCenter
- Forefront Identity Manager 2010 Resource Wiki
APPENDIX
A. Steps to upgrade to MIIS 2003 SP2 or IIFP SP2
- Download the appropriate Service Pack 2 build
- Clear the Run History
  - The size of the run history can determine how much time is spent on the upgrade. If you have a very large run history, then the upgrade will be slow. Reduce the size of the run history as much as possible.
- Back up the backend SQL Server database
  - It is always a good idea before any upgrade to execute a backup of the backend SQL Server database.
- Install the appropriate Service Pack 2
- Open the Synchronization Service Manager Console (Identity Manager Console) to confirm all is well.
B. Steps to clear the Run History
- In the Synchronization Service Manager Console (Identity Manager Console)
  - Select Operations
  - From the Actions menu, select Clear Runs
  - Decide if you will clear all runs, or for a specified date range
  - Decide if you will save data to XML
  - Click Ok
C. Steps to save management agents to XML to view as HTML
*NOTE: The tool in the resource kit cannot read the management agents when exported through Export Server Configuration.
- Download and install the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0
  - You may want to install this on the FIM Synchronization Service Machine, so that you can view the management agents there, or you may want to install on your workstation if you have multiple monitors.
- Save each management agent individually to an XML file.
  - In the Synchronization Service Manager Console (Identity Manager Console)
  - Select Management Agents
  - Select the first management agent, and from the Actions menu select Export Management Agent
  - Save to an easy to remember location, as you will be navigating back to it. Be sure that the machine where you installed the resource kit can reach this location.
  - Repeat the previous two steps (C and D) until all management agents are exported.
- Review the management agent in HTML format
  - Click the Start button then All Programs
  - In Microsoft Identity Integration Server Resource Kit select Management Agent Configuration Viewer
  - Click Browse
  - Navigate to where you have the management agent XML files
  - Select a management agent XML file and click Ok
  - Click Show Configuration
D. Build list for Forefront Identity Manager 2010
The below list is current as of June 13, 2011.
- 4.0.2592.2 = Forefront Identity Manager 2010 RTM
- 4.0.3531.2 = Forefront Identity Manager 2010 UPDATE 1
- 4.0.3547.2 = Forefront Identity Manager 2010 POST UPDATE 1 FIX
- 4.0.3558.2 = Forefront Identity Manager 2010 POST UPDATE 1 FIX
- 4.0.3573.2 = Forefront Identity Manager 2010 POST UPDATE 1 FIX
- 4.0.3576.2 = Forefront Identity Manager 2010 POST UPDATE 1 FIX
- 4.0.3578.2 = Forefront Identity Manager 2010 POST UPDATE 1 FIX
E. Steps to back up and restore the backend SQL Server
*NOTE* Depending on the version of SQL Server that you have currently, the menu options may be a little different.
Backup
- Open SQL Server Management Studio (Enterprise Manager if SQL 2000)
- Connect to the SQL Server that is housing the MicrosoftIdentityIntegrationServer database
- Right-click the MicrosoftIdentityIntegrationServer database and select Tasks and then Backup
- Click Ok to back up the database
Additional information on executing a SQL Server Database Backup
- SQL Server 2000 Performing Complete Database Backup
- SQL Server 2005: How to back up a database
- SQL Server 2008: How to back up a database
Restore
- Restore the database in SQL Server 2008 or SQL Server 2008 R2
- Open SQL Server Management Studio
- Right click on Databases and select Restore Database
- Follow the wizard to restore the database
*NOTE* If you should decide to copy the MDF and LDF files, review Appendix F
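The backup and restore steps above can also be scripted in T-SQL. The following is an added example, not part of the original article: the paths and the two logical file names are placeholders, and restoring under the database name FIMSynchronizationService is an assumption based on the file names given in Appendix F.

```sql
-- Added example: scripted form of the Backup and Restore steps in Appendix E.
-- All paths and <..._logical_name> values are placeholders.

-- 1. On the existing MIIS/ILM backend: take a full backup.
--    The .bak contains the full identity store and configuration, so write
--    it to an access-restricted location.
--    CHECKSUM requires SQL Server 2005 or later; omit it on SQL Server 2000.
BACKUP DATABASE [MicrosoftIdentityIntegrationServer]
TO DISK = N'D:\Backup\MIIS_premigration.bak'
WITH INIT, CHECKSUM,
     NAME = N'MIIS/ILM full backup before FIM 2010 migration';

-- 2. Confirm the backup set is complete and readable before relying on it.
RESTORE VERIFYONLY
FROM DISK = N'D:\Backup\MIIS_premigration.bak';

-- 3. On the SQL Server 2008 x64 instance, after copying the .bak over:
--    list the files inside the backup. The LogicalName column supplies
--    the names needed for the MOVE clauses in step 4.
RESTORE FILELISTONLY
FROM DISK = N'E:\Restore\MIIS_premigration.bak';

-- 4. Restore, relocating the data and log files to the new server's
--    directories under the file names used in Appendix F.
--    Database name FIMSynchronizationService is an assumption (see lead-in).
RESTORE DATABASE [FIMSynchronizationService]
FROM DISK = N'E:\Restore\MIIS_premigration.bak'
WITH MOVE N'<data_logical_name>'
          TO N'E:\SQLData\FIMSynchronizationService.MDF',
     MOVE N'<log_logical_name>'
          TO N'E:\SQLLogs\FIMSynchronizationService_log.LDF',
     STATS = 10;   -- progress message every 10 percent

-- 5. Check the restored database for corruption before installing FIM 2010
--    against it. No output means no errors were found.
DBCC CHECKDB (N'FIMSynchronizationService') WITH NO_INFOMSGS;
```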
F. Steps for Detach, Copy and Attach on the backend database
SQL SERVER 2000
If you are running SQL Server 2000 (32-Bit) you will need to attach the database to a SQL Server 2005 instance first. If you do not have SQL Server 2005, then you will need to start with a fresh database inside of FIM. This does not mean that you will lose your configurations. You will back the configurations up later in this document. Here are the high-level steps you will need to go through from SQL Server 2000 (find detailed instructions later in the document):
- Back up the MicrosoftIdentityIntegrationServer database
- Detach the MicrosoftIdentityIntegrationServer database from the backend SQL Server
- Copy/Move the MDF and LDF files to the SQL Server 2005 machine
- Attach the MDF file to the SQL Server 2005 instance and let the database be converted
- Detach the database from the SQL Server 2005 instance
- Copy/Move the MDF and LDF files to the SQL Server 2008 instance
- Rename the MDF file to FIMSynchronizationService.MDF
- Rename the LDF file to FIMSynchronizationService_log.LDF
- Attach the MDF file to the SQL Server 2008 instance
SQL SERVER 2005 or SQL SERVER 2008 (+R2)
If your backend SQL Server is either SQL Server 2005 or SQL Server 2008 then you will be able to upgrade the backend database pretty easily. Here are the basic steps.
*NOTE* If you intend to use SQL Server 2008 R2 as your backend SQL Server for FIM 2010, then you will need to ensure that you apply at least the 4.0.3561.2 patch.
Backup
- Back up the MicrosoftIdentityIntegrationServer database
- Detach the MicrosoftIdentityIntegrationServer database from the backend SQL Server
- Copy/Move the MDF and LDF files to the SQL Server 2008 instance
- Rename the MDF file to FIMSynchronizationService.MDF
- Rename the LDF file to FIMSynchronizationService_log.LDF
- Attach the MDF file to the SQL Server 2008 instance
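The detach, copy and attach sequence above can be scripted in T-SQL. This is an added example that is not part of the original article: the file paths are placeholders, and the attached database name FIMSynchronizationService is an assumption based on the file names in the steps above.

```sql
-- Added example: scripted form of the detach / copy / attach steps.
-- Paths are placeholders. Take the backup from the first step before
-- running any of this, and stop the MIIS/ILM synchronization service so
-- that it is not holding connections to the database.

-- 1. On the source SQL Server: close remaining connections and detach.
USE master;
ALTER DATABASE [MicrosoftIdentityIntegrationServer]
    SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
EXEC sp_detach_db @dbname = N'MicrosoftIdentityIntegrationServer';

-- 2. Outside SQL Server: copy the MDF and LDF files to the destination
--    and rename them to FIMSynchronizationService.MDF and
--    FIMSynchronizationService_log.LDF.
--    For a SQL Server 2000 source, the steps above first attach and detach
--    the files on a SQL Server 2005 instance; step 3 is the same statement
--    there, pointed at the copied files.

-- 3. On the SQL Server 2008 instance: attach the renamed files.
--    Database name is an assumption (see lead-in).
CREATE DATABASE [FIMSynchronizationService]
ON (FILENAME = N'E:\SQLData\FIMSynchronizationService.MDF'),
   (FILENAME = N'E:\SQLLogs\FIMSynchronizationService_log.LDF')
FOR ATTACH;

-- 4. Make sure the database accepts normal connections again.
--    This is harmless if it is already MULTI_USER.
ALTER DATABASE [FIMSynchronizationService] SET MULTI_USER;

-- 5. Verify the result: the database should be ONLINE and MULTI_USER.
--    compatibility_level shows which SQL Server version's behaviour the
--    attached database is still running under.
SELECT name, state_desc, user_access_desc, compatibility_level
FROM sys.databases
WHERE name = N'FIMSynchronizationService';

-- 6. Check the attached database for corruption before installing
--    FIM 2010 against it. No output means no errors were found.
DBCC CHECKDB (N'FIMSynchronizationService') WITH NO_INFOMSGS;
```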