FIM CM Backup and Restore Guide

Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management

You can back up and restore the Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) service for increased reliability and security of your data. To back up FIM CM data, you will complete the following basic steps:

  1. Identify the locations of the FIM CM data and ensure that the data is backed up regularly.

  2. Verify the backup copy by restoring the backup in a test environment.

For a downloadable version of this guide, see the Microsoft Download Center FIM CM 2010 Backup and Restore (

What This Guide Covers

This document describes the recommended backup schedule for the FIM CM Service. Also, this document covers the important configuration data that must be backed up for the FIM CM Service. This document also walks you through the steps required to restore the service.


This document assumes that all data is backed up and restored in the same Active Directory® forest. Moving data across forests is not supported.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of FIM CM (previously known as Microsoft Certificate Lifecycle Manager (CLM)). This guide also assumes that you know the following:


This document is intended for information technology (IT) planners, systems administrators, architects, technology decision-makers, consultants, infrastructure planners, and personnel.

Time Requirements

The procedures in this guide take approximately 30 minutes to complete with a default installation. The actual time for a production system depends on the amount of data, network connections, and server hardware.

The schedule recommended for FIM backup is as follows:

Component Full backup frequency Incremental backup frequency

FIM CM database


Per organizational policies

FIM CM application configuration files

Every time after installing or changing configuration file values

Same as full backup frequency

FIM CM account certificates

Every time after installing or renewing the certificates

Same as full backup frequency

Backing Up the FIM CM Service

Before you proceed, you must have access to the six FIM CM agents. These agents are user accounts in Active Directory Domain Services (AD DS). You must know the user account names and passwords. If you allowed the FIM CM Configuration Wizard to set these accounts using the default account names and location, you can find them in the default Users container in the domain in which FIM was installed. The default user account names are:

  • FIM CM agent – clmAgent

  • FIM CM key recovery agent – clmKRAgent

  • FIM CM authorization agent – clmAuthAgent

  • FIM CM certification authority (CA) manager agent – clmCAMngr

  • FIM CM Web pool agent – clmWebPool

  • FIM CM enrollment agent – clmEnrollAgent

You need to provide the passwords for these accounts during the restoration process. If you used the default settings in the Certificate Management Configuration Wizard, you should reset the account passwords to a known value before you start the backup process. For specific steps, see Reset a User Password (

In addition, three FIM CM agent accounts that require certificates—FIM CM agent, key recovery agent, and enrollment agent—must have exportable keys in their certificates if the keys are stored locally on the FIM CM server. If you are using a Hardware Security Module (HSM) for agent keys, the keys are stored on the HSM, but the certificates must still be exported as part of the backup process. HSM keys must be backed up from the HSM by using the HSM vendor’s tools.

To ensure your ability to properly preserve and restore your FIM environment, you must back up the following items:

  1. SQL Server database, which is called FIMCertificateManagement by default.

  2. Certificates, specifically:

    1. FIM CM agent’s user certificate with its private key

    2. FIM CM key recovery agent’s recovery agent certificate with its private key

    3. FIM CM enrollment agent’s enrollment agent certificate with its private key

  3. Microsoft .NET application configuration files, which are located under the Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management folder path, as:

    1. \web\Web.config

    2. \Bin\Microsoft.CLM.service.exe.config

    3. \Bin\Microsoft.Clm.Config.exe.config

    4. \Bin\ClmUtil.exe.config

Restoring the FIM CM Service

You should restore backups to a test computer in the same domain as your production computers regularly to ensure that your backup process and media are functioning properly. After you restore FIM 2010, ensure that the request objects that completed before the backup are in their correct state. Also, ensure that the FIM CM service starts and functions properly. Whether you are testing your backups or restoring after an actual failure, you can use the following procedure to restore the FIM CM Service.

To restore the FIM CM Service

  1. Install the FIM CM Service on the computer to host the Certificate Management Service, if necessary.

  2. To open the Certificate Management Config Wizard, click Start. Type Certificate Management Config Wizard, and then click the Certificate Management Config Wizard program link when it appears in the Start menu.

    1. On the Configuration Wizard, click Next.

    2. On the CA Configuration page, ensure that Certification Authority has the name of the computer acting as the FIM CA. If it does not, click Browse, and in the Select Certification Authority dialog box, click the appropriate computer name, and then click OK. Click Next.

    3. On the Set up the SQL Server Database page, in Name of SQL Server, type the name of the server running SQL server hosting the FIM CM Service database. If you want to use a different account to create the SQL database, enter those credentials (user account name and password). Otherwise, ensure that Use my credentials to create the database is selected. Click Next.

    4. On the Database Settings page, ensure that the name you want appears for the database name (by default, the name is FIMCertificateManagement). You can leave Specify a location for the database file blank. Or, if you want to specify an alternate location for the database, type the alternate location.

      1. Select either SQL integrated authentication (the default option) or SQL mixed mode authentication, depending upon your environment.

      2. If you select SQL mixed mode authentication, you need to supply the appropriate Mixed Mode Settings, which requires an additional user name and password to log on to the server. Click Next.

    5. Ensure that the appropriate Service Connection Point is displayed on the Set up Active Directory page. Click Next.


      You can verify the service connection point by looking in the Web.config file that you previously backed up. You can find the connection point information in the following place in the file: <add key=”Clm.ServiceConnectionPoint” value=”LDAP path”/>, where LDAP path is specific to your installation. For example, a Lightweight Directory Access Protocol (LDAP) path for a domain named would be LDAP://cn=DENVER,cn=Certificate Lifecycle Manager,cn=Microsoft,cn=System,DC=woodgrovebank,DC=com.

    6. On the Agents – FIM CM page, clear the Use the FIM CM default settings check box. Click Custom Accounts.

      1. In the Agents – FIM CM dialog box, six tabs are displayed: FIM CM Agent, Key Recovery Agent, Authorization Agent, Enrollment Agent, Web Pool Process Worker Agent, and CA Manager Agent.

      2. On each tab, select Use an existing user, and then type the appropriate User name, Password, and Confirm password based on the user names of the previous FIM CM agent accounts and the passwords that you set or reset. Click OK.

      3. In Specify a container where user accounts will be created, ensure the existing location of the user accounts is selected. If not, click Browse, select the existing location of the user accounts, and then click OK. Click Next.

  3. On the Set up Server Certificates page, ensure that the appropriate certificate templates are selected for the FIM CM key recovery agent certificate, FIM CM agent certificate, and FIM CM enrollment agent certificate, select Create and configure certificates manually, and then click Next.

    1. clmAgent

    2. clmEnrollAgent

    3. clmKRAgent

  4. On the Set up E-mail Server Document Printing page, ensure that the STMP server name or IP address and the print location are configured correctly for your environment. Click Next.

  5. On the Ready to Configure page, click Configure. If you receive a warning that the SQL database that you specified already exists, confirm that this is what you want, and then click Yes to continue.


    If the FIM CM Portal IIS virtual directory is not configured to require Secure Sockets Layer (SSL) communications, you may see a warning indicating that during installation. You can require SSL communications on the CertificateManagement virtual directory through the Internet Information Services (IIS) Manager. For specific instructions about how to configure SSL communications on IIS 7, see Require Secure Sockets Layer (IIS 7) (

  6. Import the appropriate certificates for each of the FIM CM agent accounts that require certificates.

    1. FIM CM agent

    2. FIM CM key recovery agent

    3. FIM CM enrollment agent

    During the importing process, ensure that you select Mark this key as exportable.

  7. Restore the .NET Application Configuration files, which are located under the following file system path <Program Files>\Microsoft Forefront Identity Manager\2010\Certificate Management folder path, as:

    1. \web\Web.config

    2. \Bin\Microsoft.CLM.service.exe.config

    3. \Bin\Microsoft.Clm.Config.exe.config

    4. \Bin\ClmUtil.exe.config

  8. Reset IIS by running the IISRESET command.

See Also


FIM 2010 Backup and Restore Guide