Common Post-installation Configuration for Forefront Identity Manager 2010 R2
The Microsoft® Forefront® Identity Manager (FIM) 2010 R2 Post-Installation Configuration provides information and procedures to information technology (IT) professionals regarding common post-installation FIM 2010 R2 configuration steps. Depending on your deployment scenarios, some of the steps in this guide may be optional.
This section provides information on the following:
Create a Backup Administrator account for the FIMService after installation
Isolate log files from data files
Create additional tempdb files
Ensure adequate space for log files
Limit SQL Server memory use
SQL Server Database Configuration - General
Presize data and log files
Configure synchronization rule provisioning
Active Directory–to–FIM 2010 R2 Initial Data Load
Configuring General MPRs
Enable WCF Performance Counters
Create a Backup Administrator account for the FIMService after installation
Members of the FIMService Administrators set have unique permissions critical to the operation of your FIM 2010 R2 deployment. If you are unable to log on as a member of the Administrators set, the only resolution is to roll back to a previous backup of the system. To mitigate this situation, we recommend that you add other users to the FIM Administrators set as part of your post-installation configuration.
Warning
Deleting or modifying certain default resources within the FIM Portal can disrupt operations or even render the portal inoperable. The following is a list of resources that should never be deleted from the FIM Portal:
- Default Administrator in the Administrators Set
- Administrators Set
- DefaultRCDC objects
- Default MPRs
- DisplayName
- AppliesToCreate
- AppliesToEdit
- AppliesToView
Isolate log files from data files
Follow SQL Server best practices for isolating the transaction log files and the data files of the databases onto separate physical disks. For more information, see Storage Top 10 Best Practices.
Create additional tempdb files
For optimal performance, we recommend that you create one data file per CPU core in tempdb. As with the log and data files of the other databases, you should also adequately presize your tempdb files and rely on AUTOGROW ON only as a safety net.
To create additional tempdb files
Start SQL Server Enterprise Manager.
Navigate to the database tempdb in System Databases, right-click tempdb, and then click Properties.
On the Files page, create one data file per CPU core. Make sure that you separate the tempdb Data and Log files on different drives and spindles.
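The same result in T-SQL, as an added example that is not part of the original guide: it counts the CPU cores the instance sees, adds presized tempdb data files until there is one per core, and then lists the files so you can confirm that all data files have the same size (uneven sizes defeat proportional fill). The drive path, the per-file size and growth, and the tempdev file-name prefix are assumptions; adjust them for your server.

```sql
-- Added example, not from the guide. Run as sysadmin; ADD FILE takes effect immediately.
DECLARE @cores int, @existing int, @i int, @sql nvarchar(max);
DECLARE @path nvarchar(260) = N'T:\SQLData\';  -- ASSUMED dedicated tempdb data drive
DECLARE @sizeMB int = 1024;                    -- ASSUMED presize per data file
DECLARE @growthMB int = 256;                   -- fixed MB growth, AUTOGROW kept only as a safety net

SELECT @cores = cpu_count FROM sys.dm_os_sys_info;
SELECT @existing = COUNT(*) FROM tempdb.sys.database_files WHERE type_desc = 'ROWS';

-- Add files tempdev2, tempdev3, ... until the data-file count equals the core count
SET @i = @existing;
WHILE @i < @cores
BEGIN
    SET @i += 1;
    SET @sql = N'ALTER DATABASE tempdb ADD FILE (NAME = N''tempdev' + CAST(@i AS nvarchar(4))
             + N''', FILENAME = N''' + @path + N'tempdev' + CAST(@i AS nvarchar(4)) + N'.ndf'''
             + N', SIZE = ' + CAST(@sizeMB AS nvarchar(10)) + N'MB'
             + N', FILEGROWTH = ' + CAST(@growthMB AS nvarchar(10)) + N'MB);';
    EXEC sp_executesql @sql;
END;

-- Verify: every ROWS file should show the same size_mb; the LOG file should sit on another drive
SELECT name, type_desc, physical_name,
       size * 8 / 1024 AS size_mb,
       CASE WHEN is_percent_growth = 1 THEN 'percent' ELSE 'MB' END AS growth_unit
FROM tempdb.sys.database_files;
```

If the original tempdev file is smaller than the new files, resize it with ALTER DATABASE tempdb MODIFY FILE so the sizes match.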
Ensure adequate space for log files
Make sure that you know your recovery model’s disk requirements. Simple recovery mode may be appropriate during initial system load, to limit the use of disk space, but you might have exposure to data loss since the most recent backup. When you use full recovery mode, you have to manage the disk use through backups, which includes frequent backups of the transaction log to prevent high disk space usage. For more information about managing recovery, see Recovery Model Overview (https://go.microsoft.com/fwlink/?LinkID=185370)
Limit SQL Server memory use
Depending on how much memory you have on your computer running SQL Server and if you share the SQL Server on that computer with other services, such as FIMService and FIMSynchronizationService, you might want to restrict the memory consumption of SQL Server. You can use the following procedure to limit SQL Server memory use.
To limit SQL Server memory use
Start SQL Enterprise Manager.
Click New Query.
Run the following query:
USE master
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
The following example reconfigures SQL Server so that it will not use more than 12 gigabytes (GB) of memory.
USE master
EXEC sp_configure 'max server memory (MB)', 12000 -- max=12G
RECONFIGURE WITH OVERRIDE
Verify the setting, and then hide the advanced options again, using the following queries:
USE master
EXEC sp_configure 'max server memory (MB)' -- verify the setting
USE master
EXEC sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
SQL Server Database Configuration - General
Configuration of SQL Server is critical for optimal system performance. Achieving optimal FIM performance in large-scale deployment scenarios depends on applying best practices for SQL Server. The guidance in this section applies to both the FIM Service Database and the FIM Synchronization Database. We recommend that you apply the following SQL Server best practices:
Storage Top 10 Best Practices (https://go.microsoft.com/fwlink/?LinkID=183663)
Optimizing tempdb Performance (https://go.microsoft.com/fwlink/?LinkId=188267)
Predeployment I/O Best Practices (https://go.microsoft.com/fwlink/?LinkId=188268)
Reorganizing and Rebuilding Indexes (https://go.microsoft.com/fwlink/?LinkId=188269)
Presize data and log files
Do not rely on AUTOGROW. Instead, manage the growth of these files manually. You may leave AUTOGROW ON for safety reasons, but you should manage the growth of the data files proactively. You can find sample sizes for the FIM database in the FIM Capacity Planning Guide.
To presize data and log files
Start SQL Server Enterprise Manager.
Right-click the database FIMService, and then click Properties.
On the Files page, expand the database files to the required size.
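The same step in T-SQL, as an added example that is not part of the original guide: it first reports the current size and autogrow settings of each FIMService file, then grows the files to the planned size in one step and replaces any percent-based autogrow with a fixed increment. The logical file names FIMService and FIMService_log and the target sizes are assumptions; take the real names from the first query and the sizes from your capacity plan.

```sql
-- Added example, not from the guide. Inspect before changing anything.
USE FIMService;
SELECT name, type_desc, physical_name,
       size * 8 / 1024 AS size_mb,
       CASE WHEN max_size = -1 THEN 'unlimited'
            ELSE CAST(max_size * 8 / 1024 AS varchar(20)) END AS max_mb,
       CASE WHEN is_percent_growth = 1 THEN CAST(growth AS varchar(10)) + ' %'
            ELSE CAST(growth * 8 / 1024 AS varchar(10)) + ' MB' END AS autogrow
FROM sys.database_files;

-- Grow to the planned size now, so the load does not trigger many small autogrow events.
-- SIZE must be larger than the current size, or the statement fails; files are never shrunk here.
-- 20480 MB / 8192 MB are PLACEHOLDER sizes from an ASSUMED capacity plan.
ALTER DATABASE FIMService
    MODIFY FILE (NAME = N'FIMService',     SIZE = 20480MB, FILEGROWTH = 1024MB);  -- ASSUMED name
ALTER DATABASE FIMService
    MODIFY FILE (NAME = N'FIMService_log', SIZE = 8192MB,  FILEGROWTH = 1024MB);  -- ASSUMED name

-- Re-run the first query to confirm size_mb and autogrow now match the plan
```

Growing the log file is always zero-filled and can take minutes for large sizes; schedule it outside business hours.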
Configure synchronization rule provisioning
This section explains how to configure the FIM Synchronization Service to support declarative provisioning and the use of synchronization rules in FIM 2010 R2. First, you have to turn on synchronization rule processing in the Synchronization Service Manager.
Note
To perform this procedure, you must be a member of the FIMSyncAdmins role for the FIM Synchronization Service.
To turn on synchronization rule provisioning
Open the Synchronization Service Manager.
On the Tools menu, click Options.
Select Enable Synchronization Rule Provisioning.
To close the Options dialog box, click OK.
Active Directory–to–FIM 2010 R2 Initial Data Load
One basic requirement of an identity management system is the ability to import and process identity data from an external system. One of the first steps in your deployment is to import and process existing users, and possibly groups, from Active Directory or AD DS into FIM 2010 R2. Before you do this, you should have completed the System Data Flow design to establish the connected systems, their relationships, and the required data flows. This is a one-time operation; it is not a continuous synchronization.
For details about setting up the synchronization of user data from Active Directory to FIM, see How Do I Synchronize Users from Active Directory Domain Services to FIM. Before you perform the procedures in this guide, complete the following steps to optimize your system for the initial, one-time configuration. The settings described here are temporary. You should set them only for the initial load of the data into the system.
Step 1: Configure SQL Server for the initial data load
When you load a large amount of data, you can shorten the time it takes to populate the database by temporarily turning off the full text search. You can enable it again after the export on the FIM Management Agent is complete. Complete the following steps to temporarily turn off full text search:
To configure SQL Server for the initial data load
Start SQL Enterprise Manager.
Select New Query.
Run the following SQL statements:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = MANUAL
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = MANUAL
It is important to understand the disk requirements in the SQL Server recovery model. Depending on your backup schedule, you may consider using simple recovery mode during initial system load to limit disk space usage. However, you should be aware of the implications regarding potential data loss. When you use full recovery mode, you must manage disk use through backups, including frequent backups of the transaction log to prevent high disk space use.
Important
Not implementing these procedures can result in high disk space use, possibly resulting in running out of disk space. For more information, see Recovery Model Overview (https://go.microsoft.com/fwlink/?LinkID=185370). The FIM 2010 Backup and Restore Guide (https://technet.microsoft.com/en-us/library/fim-2010-backup-and-restore-guide(WS.10).aspx) contains additional information.
Step 2: Apply minimum necessary FIM configuration during the load process
During the initial load process, apply only the minimum configuration required to your FIM configuration in terms of MPRs and set definitions. After the data is loaded, create the additional sets required for your deployment. Use the run-on policy update setting on action workflows to apply those policies retroactively on the loaded data.
Step 3: Configure and populate the FIM Service with external identity data
At this point, you should follow the procedures in How Do I Synchronize Users from Active Directory Domain Services to FIM to configure and synchronize your system with users from Active Directory or AD DS. To synchronize Group information, see How Do I Synchronize Groups from Active Directory Domain Services to FIM.
Step 4: Apply your full FIM configuration
When your initial data load is complete, you are ready to apply the full FIM configuration for your deployment. Depending on your scenarios, this may include the creation of additional sets, MPRs, and workflows. For any policies that you need to apply retroactively to all existing objects in the system, use the run-on policy update setting on action workflows to apply those policies retroactively on the loaded data.
Step 5: Reconfigure SQL Server to previous settings
Remember to change the SQL Server settings to the normal settings, including the following:
Turning on full text search
Updating your backup policy in accordance with your organization policies
When you complete the initial data load, turn on full text search again. Run the following Structured Query Language (SQL) statements to turn on full text search again:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = AUTO
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = AUTO
If you have switched to simple recovery mode, ensure that you reconfigure your backup schedule in accordance with your organization's backup policy. Additional details of FIM backup schedules are available in the FIM 2010 Backup and Restore Guide (https://technet.microsoft.com/en-us/library/fim-2010-backup-and-restore-guide(WS.10).aspx).
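The checks around Step 1 and Step 5 (and the recovery-model caveat in Ensure adequate space for log files), as an added example that is not part of the original guide: it records the recovery model and full-text change-tracking state before the load, shows the optional switch to simple recovery with a way to watch log use during the export, and shows the return to full recovery followed by the full backup that the log chain needs before log backups work again. The backup paths are assumptions.

```sql
-- Added example, not from the guide. Run against the instance that hosts FIMService.
-- Before the load: note the current recovery model and full-text tracking state.
SELECT name, recovery_model_desc FROM sys.databases WHERE name = N'FIMService';
USE FIMService;
SELECT OBJECT_NAME(fi.object_id) AS table_name, fi.change_tracking_state_desc
FROM sys.fulltext_indexes AS fi;
-- During the load, ObjectValueString and ObjectValueXml should report MANUAL.

-- Optional, load window only: SIMPLE truncates the log at each checkpoint, so it stays small.
-- This breaks the log backup chain: no point-in-time restore until the chain is rebuilt.
ALTER DATABASE FIMService SET RECOVERY SIMPLE;

-- While the FIM MA export runs, watch log use (percent used per database log)
DBCC SQLPERF(LOGSPACE);

-- Step 5: back to FULL. Until a full backup follows, the database still behaves as
-- SIMPLE and BACKUP LOG fails with "no current database backup", so back up right away.
ALTER DATABASE FIMService SET RECOVERY FULL;
BACKUP DATABASE FIMService
    TO DISK = N'B:\Backups\FIMService_postload.bak' WITH INIT, CHECKSUM;  -- ASSUMED path
BACKUP LOG FIMService
    TO DISK = N'B:\Backups\FIMService_postload.trn' WITH CHECKSUM;        -- chain restarts here

-- Confirm both full-text indexes are back to AUTO after the ALTER FULLTEXT INDEX statements above
SELECT OBJECT_NAME(fi.object_id) AS table_name, fi.change_tracking_state_desc
FROM sys.fulltext_indexes AS fi;
```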
Configuring General MPRs
If you plan to allow non-administrator users to have access to the portal and the ability to view other users’ basic information, enable this configuration in the Service. You do this by configuring existing MPRs in the system.
Configure the MPRs in the following table.
| Display name |
|---|
| General: Users can read schema related resources |
| General: Users can read non-administrative configuration resources |
| User management: Users can read attributes of their own |
To enable required MPRs
To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
Note
You may need to substitute this with the URL you have configured for your FIM portal.
On the FIM Portal home page, click Management Policy Rules in the navigation bar to open the Management Policy Rules page.
In the Search for text box, type the display name of each of the MPRs from the previous table, and then click the Search for button.
For each MPR that is listed as disabled, do the following:
To open the configuration dialog box, click the Display Name of the disabled MPR.
Clear the Policy is disabled check box, and then click OK.
On the Summary page, click Submit.
You may plan to allow users to view the basic attributes of other users, for example, to be able to search and view information of users before adding them to distribution groups. If so, you should also configure the MPR in the following table using the previous procedure.
| Display name |
|---|
| User management: Users can read selected attributes of other users |
Note
You may need to customize the list of attributes in this MPR based on your organizational policy and needs.
Enable WCF Performance Counters
FIM 2010 R2 uses WCF performance counters to monitor service use. Monitoring service use with WCF performance counters is an optional step to enable when you are diagnosing performance problems. It is not necessary to leave performance counters enabled for normal operations. To enable and configure WCF performance counters, see WCF Performance Counters (https://go.microsoft.com/fwlink/?LinkId=164848).
We recommend that you configure ServiceOnly WCF performance counters. However, to see Endpoint and Operation instances, it is necessary to configure all WCF performance counters.