Best Practice Analyzer for Forefront Identity Manager 2010 R2
In Forefront Identity Manager 2010 R2 management, best practices are guidelines that are considered the ideal way, under normal circumstances, to configure a server as defined by experts. While best practice violations, even critical ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.
Topics in this section can help you bring FIM 2010 R2 running on Windows Server® 2008 R2 into compliance with best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of FIM 2010 R2, and who want information about how to interpret and resolve scan results that identify areas of FIM 2010 R2 that are noncompliant with best practices.
For more information about Best Practices Analyzer and scans, see Best Practices Analyzer.
FIM 2010 R2 BPA Pre-requisite Software
The Forefront Identity Manager 2010 R2 Best Practice Analyzer requires the Microsoft Baseline Configuration Analyzer 2.0 or later before it can be installed and run. The Microsoft Baseline Configuration Analyzer 2.0 (MBCA 2.0) can help you maintain optimal system configuration by analyzing configurations of your computers against a predefined set of best practices, and reporting results of the analyses. Best practices are developed by a product development team or domain experts, and are packaged in the form of a best practice model. You can download the Microsoft Baseline Configuration Analyzer 2.0 here (https://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=16475).
FIM 2010 R2 BPA Pre-requisite Tasks
In order to use the FIM 2010 R2 BPA you must ensure that Windows PowerShell Remoting is enabled on the server or servers that you wish to run the Best Practice Analyzer against. For more information on Windows PowerShell Remoting see Enable-PSRemoting.
If you receive an error while running Enable-PSRemoting see FIM 2010 R2: Powershell remoting should be enabled on the remote server.
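The remoting prerequisite above can be checked before a scan with the following added example (not part of the original Microsoft documentation). It tests each target with Test-WSMan and then confirms that the current account can open a remote session with Invoke-Command. The function name Test-BpaRemotingTarget is hypothetical, and the server names are the examples used later on this page.

```powershell
# Added example: pre-flight check that PowerShell Remoting works on each
# server you intend to scan. Avoids PowerShell 3.0-only syntax.
function Test-BpaRemotingTarget {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    process {
        foreach ($name in $ComputerName) {
            $result = New-Object PSObject -Property @{
                ComputerName   = $name
                WsManReachable = $false
                SessionWorks   = $false
                RemoteHost     = $null
                Error          = $null
            }
            try {
                # Step 1: is a WinRM listener answering on the target?
                Test-WSMan -ComputerName $name -ErrorAction Stop | Out-Null
                $result.WsManReachable = $true

                # Step 2: can the current account actually run a remote command?
                $result.RemoteHost = Invoke-Command -ComputerName $name -ErrorAction Stop `
                    -ScriptBlock { $env:COMPUTERNAME }
                $result.SessionWorks = $true
            }
            catch {
                # Keep the message so a listener problem can be told apart
                # from an access or authentication problem.
                $result.Error = $_.Exception.Message
            }
            $result | Select-Object ComputerName, WsManReachable, SessionWorks, RemoteHost, Error
        }
    }
}

# Sample targets taken from the Server_Name examples on this page; replace with your own.
'APP1', 'app1.corp.contoso.com' | Test-BpaRemotingTarget | Format-Table -AutoSize
```

A row with WsManReachable set to True and SessionWorks set to False means the listener is up but the account running the check could not open a session.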
FIM 2010 R2 BPA Installation
To install the FIM 2010 R2 BPA use the following procedure.
To install the FIM 2010 R2 BPA
Open a command prompt with elevated permissions, navigate to the directory that contains the FIM2010R2BPA.msi and enter the following:
msiexec /i FIM2010R2BPA.msi /l*v c:\FIMBPALOG.txt
This starts the installation wizard and creates a log file in case there are any issues with the installation.
On the welcome screen click Next.
On the EULA screen, read the EULA and, if you accept, place a check in the I accept the terms in the License Agreement checkbox and click Next.
On the Ready to Install screen click Install.
Once the installation has finished, click Finish.
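The installation step above, wrapped so that the result and the verbose log are checked afterwards. This is an added example, not part of the original Microsoft documentation. It uses the MSI name and log path from the command on this page and assumes it is run from an elevated prompt in the directory that contains the MSI.

```powershell
# Added example: run the page's msiexec command, wait for the wizard to
# finish, then triage the verbose log if the installer reports a failure.
$msi = 'FIM2010R2BPA.msi'
$log = 'c:\FIMBPALOG.txt'

$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i $msi /l*v $log" -Wait -PassThru

switch ($proc.ExitCode) {
    0    { 'Installation succeeded.' }
    3010 { 'Installation succeeded; a restart is required.' }
    1602 { 'Installation was cancelled in the wizard.' }
    1618 { 'Another Windows Installer operation is in progress; retry later.' }
    default {
        "Installation failed with exit code $($proc.ExitCode)."
        # In a verbose Windows Installer log, a failed action is marked
        # "Return value 3"; the lines just before it name the action and error.
        Select-String -Path $log -Pattern 'Return value 3' -Context 10, 0 |
            ForEach-Object { $_.Context.PreContext; $_.Line; '---' }
    }
}
```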
Using the FIM 2010 R2 BPA
To start the FIM 2010 R2 BPA use the following procedure:
Using the FIM 2010 R2 BPA
Click Start, select All Programs, and select Microsoft Baseline Configuration Analyzer 2.0. This will bring up the Microsoft Baseline Configuration Analyzer 2.0.
In the drop-down under Select a product, select Forefront Identity Manager 2010 R2 BPA.
Click Start Scan.
Once the scan has completed, any noncompliant rules will appear under the Noncompliant tab. Under the All tab you can view all of the Compliant rules.
You can also view the data that was collected by selecting the Collected Data radio button.
At this point you can export the report to XML.
FIM 2010 R2 BPA Parameters
The following table is a list of parameters that can be set when using the FIM 2010 R2 BPA.
The server that you want to run the scan against. You can use either the NetBIOS name or the FQDN of the server. Example: APP1 or app1.corp.contoso.com.
The name of the database you wish to scan. This can be left blank and you can simply enable Analyze_FIM_Service_Database and Analyze_FIM_Sync_Service_Database.
The name of the SQL instance that the databases are running under. If nothing is specified then the default instance will be used.
Compares the current environment with the best practices for the FIM Service. To enable this select the checkbox.
Compares the current environment with the best practices for the FIM Service Database. To enable this select the checkbox.
Compares the current environment with the best practices for the FIM Sync Service. To enable this select the checkbox.
Compares the current environment with the best practices for the FIM Sync Service Database. To enable this select the checkbox.
Compares the current environment with the best practices for the FIM Certificate Management. To enable this select the checkbox.
Compares the current environment with the best practices for BHOLD. To enable this select the checkbox.
More information about Forefront Identity Manager 2010 R2
Common identity is an important tool in ensuring your users have appropriate access to corporate information. Without an efficient method of establishing and maintaining a common identity across complex heterogeneous systems, significant challenges arise. These can include high help-desk costs for password resets and smart card deployment, loss of productivity as users struggle to access the resources they need, and serious risk to the business due to noncompliance with internal and external regulations.
Microsoft Forefront Identity Manager (FIM) 2010 R2 helps you resolve these issues by providing self-service identity management for your users, automated lifecycle management across heterogeneous platforms for your administrators, and a rich policy framework for enforcing corporate security policies and detailed audit capabilities.
FIM 2010 R2 integrates new functionality through the Microsoft BHOLD suite to provide role-based access control and allow administrators to review access rights continually across the organization. The FIM 2010 R2 release also adds an improved self-service password reset experience, along with performance, diagnostic, and reporting improvements.
For more information about FIM 2010 R2, see Forefront Identity Manager 2010 R2.