Post-Installation Tasks and Configurations
Applies To: Forefront Identity Manager 2010
After you install the FIM 2010 server components, you must complete several configuration tasks.
Tasks in the domain:
- Add the FIM Service service account to the FIM Synchronization Service security groups.
- Configure the FIM Service service Exchange Server mailbox.
Tasks on the FIM Portal:
- Turn off SharePoint indexing.
- Turn on the Kerberos 5 protocol only.
Tasks on the FIM Service:
- Install the Exchange 2007 and Exchange 2010 Web Service certificate.
- Turn on Windows Communication Foundation (WCF) performance counters.
Task on the server running SQL and hosting the FIM Service:
- Configure the SQL Server database.
Tasks on all servers:
- Install the latest update for FIM.
- Install the Management Pack for FIM.
Note
The FIM Portal is installed at https://<FIM Portal server name>/identitymanagement. To access the FIM Portal site, open a Web browser and type this address.
Add the FIM Service service account to the FIM Synchronization Service security groups
Add the service account used by the FIM Service to the FIMSyncAdmins group. This allows the FIM Service to configure the FIM Synchronization service.
If you plan to use the Password Reset feature of FIM 2010, add the service account used by FIM Service to the security group FIMSyncPasswordSet.
For group membership to be effective, restart the FIMService service.
Configuring the FIM Service service Exchange mailbox
The following are best practices for configuring Exchange Server for the FIM Service service account.
Configure the service account so that it can accept mail only from internal e-mail addresses. Specifically, the service account mailbox should never be able to receive mail from external SMTP servers.
In the Exchange Management Console, select the FIM Service service account, click Properties, click Mail Flow Settings, and then click Mail Delivery Restrictions. Select the Require that all senders are authenticated check box. For further information, see:
Configure Message Delivery Restrictions (https://go.microsoft.com/fwlink/?LinkId=183625)
Configure the service account so that it rejects mail with sizes greater than 1 MB.
Follow the best practice of configuring the Exchange 2007 message size limits:
Configure Message Size Limits for a Mailbox or a Mail-enabled Public Folder (https://go.microsoft.com/fwlink/?LinkId=183626)
Configure the service account so that it has a mailbox storage quota of 5 GB.
Follow the best practice of configuring the Exchange 2007 mailbox size limits:
Configure Storage Quotas for a Mailbox (https://go.microsoft.com/fwlink/?LinkId=156929)
Disabling SharePoint indexing
It is recommended that you disable SharePoint indexing. There are no documents that need to be indexed, and indexing causes many error log entries and potential performance problems with FIM 2010.
To disable SharePoint indexing
On the server that hosts the FIM 2010 Portal, click Start.
Click All Programs.
In the All Programs list, click Administrative Tools.
Under Administrative Tools, click SharePoint 3.0 Central Administration.
On the Central Administration page, click Operations.
On the Operations page, under Global Configuration, click Timer job definitions.
On the Timer Job Definitions page, click SharePoint Services Search Refresh.
On the Edit Timer Job page, click Disable.
Activating the Kerberos protocol only
It is highly recommended that you turn off portal authentication that uses NTLM. The Kerberos protocol is a more secure protocol to use.
To activate Kerberos protocol only
Open the web.config file, usually located in C:\inetpub\wwwroot\wss\VirtualDirectories\80.
Note
You need an elevated command prompt or Windows Explorer to access this folder.
Locate the element <resourceManagementClient . . . />
Add requireKerberos="true" so that it reads <resourceManagementClient requireKerberos="true" . . . />
Save the web.config file.
Run iisreset from a command prompt.
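The same change as a script, added here as an example (not part of the FIM documentation): it sets requireKerberos="true" on the <resourceManagementClient> element, keeps a backup first, and only restarts IIS when something actually changed. The web.config path is the default named above and is an assumption.

```powershell
# Added example (not from the FIM documentation): switch the FIM Portal to Kerberos-only
# by setting requireKerberos="true" on <resourceManagementClient> in web.config,
# keeping a backup first. $WebConfig is the default path from the procedure above;
# adjust it if the SharePoint site was created elsewhere. Run from an elevated prompt.
$WebConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'

if (-not (Test-Path $WebConfig)) {
    throw "web.config not found at $WebConfig"
}

# Keep a timestamped copy; a bad edit here takes the whole portal down.
$Backup = '{0}.{1}.bak' -f $WebConfig, (Get-Date -Format 'yyyyMMddHHmmss')
Copy-Item -Path $WebConfig -Destination $Backup

$Config = New-Object System.Xml.XmlDocument
$Config.PreserveWhitespace = $true    # keep the file's layout on save
$Config.Load($WebConfig)

$Client = $Config.SelectSingleNode('//resourceManagementClient')
if ($Client -eq $null) {
    throw 'No <resourceManagementClient> element found; is this the FIM Portal web.config?'
}

if ($Client.GetAttribute('requireKerberos') -eq 'true') {
    Write-Host 'requireKerberos is already true; no change made.'
} else {
    $Client.SetAttribute('requireKerberos', 'true')
    $Config.Save($WebConfig)
    Write-Host "requireKerberos set to true (backup at $Backup)."
    # The new setting is read when IIS restarts.
    & iisreset
}
```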
Installing the Exchange 2007 and Exchange 2010 Web Service (EWS) Certificate
If your server running Exchange is using a certificate that is untrusted by the FIM Service, the certificate used by the Exchange server must be added to the local certificate store.
You can verify whether you have an untrusted certificate by opening Internet Explorer and navigating to https://mailserver/ews/exchange.asmx. If you receive a certificate error, you must complete all the steps in this section. Mailserver is the server running Exchange that you specified when you installed the FIM 2010 component.
If you have several FIM Service servers, this task must be completed on every server.
Note
You must run the installation of the Exchange certificate with elevated rights. If User Account Control (UAC) is turned on, installing the Exchange certificate without elevated rights causes the installation to fail.
To install the Exchange certificate on the FIM Service server
Open Internet Explorer.
In the address bar, type https://mailserver/EWS/exchange.asmx.
Mailserver is the server running Exchange that you specified when you installed the FIM 2010 component.
Select Continue to this Web site.
In the Security Alert dialog box (where it reads Certificate Error), click View Certificate.
In the Certificate dialog box, click Install Certificate.
On the Welcome to the Certificate Import Wizard page, click Next.
On the Certificate Store page, select Place all certificates in the following store, and then click Browse.
Select the Show physical stores check box, navigate to Trusted People\Local Computer, and select this store. Click OK.
Click Next.
Click Finish to import the certificate.
Verifying the certificate and that EWS can be reached
In this procedure, you will ensure that the Exchange 2007 or Exchange 2010 Web Service (EWS) is running and can be accessed as the FIM service account.
To ensure that the Exchange 2007 or Exchange 2010 Web service (EWS) is running and is accessible as the FIM service account
Open Internet Explorer as the FIM 2010 administrator.
In the address bar, type https://<mail server>/EWS/Exchange.asmx. This ensures that you can access EWS by using the FIM service account.
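The certificate steps above (install, then verify) as a script, added here as an example and not part of the FIM documentation: it reads the certificate that the EWS endpoint presents, reports it, and imports it into the Local Computer "Trusted People" store only when the machine does not already trust it. The host name mailserver is a placeholder for the Exchange server given during FIM setup.

```powershell
# Added example (not from the FIM documentation): capture the certificate that the
# Exchange EWS endpoint presents, report it, and place it in the Local Computer
# "Trusted People" store when it is not already trusted, as the wizard steps above do.
# $MailServer is a placeholder for the Exchange host given during FIM setup.
# Run in an elevated session on every FIM Service server.
$MailServer = 'mailserver'
$Port = 443

# Open a TLS connection only to read the server certificate. The validation callback
# returns $true so the handshake completes even for an untrusted certificate;
# no request is sent over this connection.
$Tcp = New-Object System.Net.Sockets.TcpClient($MailServer, $Port)
$Callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $Callback)
$Ssl.AuthenticateAsClient($MailServer)
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
$Ssl.Close()
$Tcp.Close()

Write-Host ("EWS certificate: {0}`n  issued by {1}`n  thumbprint {2}`n  expires {3}" -f `
    $Cert.Subject, $Cert.Issuer, $Cert.Thumbprint, $Cert.NotAfter)

# Does it already chain to a root this machine trusts? If so, nothing to import.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($Chain.Build($Cert)) {
    Write-Host 'Certificate chains to a trusted root; no import needed.'
    return
}
$Status = ($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
Write-Host "Certificate does not chain to a trusted root ($Status)."

# Import into LocalMachine\TrustedPeople unless the same thumbprint is already there.
$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$Store.Open('ReadWrite')
$Found = $Store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
if ($Found.Count -gt 0) {
    Write-Host 'Already present in Trusted People; nothing to do.'
} else {
    $Store.Add($Cert)
    Write-Host 'Imported into Local Computer\Trusted People.'
}
$Store.Close()
```

Compare the printed subject, issuer and thumbprint with what the Exchange administrator expects before accepting the import; a certificate you cannot account for should not be placed in Trusted People.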
Activating WCF performance counters
FIM 2010 uses Windows Communication Foundation (WCF) performance counters to monitor service usage. Turning these counters on is an optional step when diagnosing performance problems; it is not necessary to leave them on for normal operations. To activate and configure WCF performance counters, see WCF Performance Counters (https://go.microsoft.com/fwlink/?LinkId=164848) in MSDN.
Recommended configuration
Activating ServiceOnly WCF performance counters is recommended. However, to see Endpoint and Operation instances, it is necessary to turn on all WCF performance counters. For more information, see the Troubleshooting Guide in the FIM documentation.
Configuring the SQL Server database
Assigning the database owner (dbo) role to administrators
The FIM Service installation does not grant administrators access to the FIM Service database. To be able to install future upgrades, run a change or repair installation, and perform database maintenance, you should grant the administrators of FIM Service the dbo role for the FIMService database.
Start SQL Server Enterprise Manager.
Navigate to Security/Logins. Create a login for every administrator. On the User Mappings page for the login, assign the role db_owner in the FIMService database to the administrator.
Assigning enough space for the database
The FIM Service database does not autogrow even if those settings are turned on by default by SQL Server. You should manually expand the Data and Log files to be able to hold all data needed.
Start SQL Server Enterprise Manager.
Navigate to the database FIMService, right-click the database name and click Properties. On the Files page, expand the database files to the required size.
For more information, see the FIM 2010 Capacity Planning Guide in the FIM documentation.
Creating additional tempdb files
For optimal performance, it is recommended that you create one data file per CPU core in the tempdb.
Start SQL Server Enterprise Manager.
Navigate to the database tempdb in System Databases, right-click the database name and select Properties. On the Files page, create one Data file per CPU core. Ensure that you separate the tempdb Data and Log files to different drives and spindles.
Limiting SQL server memory usage
Depending on how much memory you have on your server running SQL and if you share the SQL server with other services (that is, FIMService and FIMSynchronizationService) you might want to restrict the memory consumption of SQL. You can do this by following the steps below.
To limit the SQL server memory usage
Start SQL Enterprise Manager.
Select New Query.
Run the following query:
USE master
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'max server memory (MB)', 12000  -- max = 12 GB
RECONFIGURE WITH OVERRIDE
This example reconfigures the server running SQL to use no more than 12 GB of memory.
Verify the setting by using the following query:
USE master
EXEC sp_configure 'max server memory (MB)'  -- verify the setting
EXEC sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
The most optimal value to reserve for SQL changes from installation to installation. Ensure that SQL is giving other applications such as backup software enough memory to run efficiently.
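Because the right memory cap and the right number of tempdb files both depend on the host, the following script (an added example, not part of the FIM documentation) reads the physical core count and RAM through WMI and writes a T-SQL file that applies the sp_configure block above with a host-specific value and adds one tempdb data file per core on a drive separate from the log. The drive letters and the 4 GB reserve are placeholders to adjust for your server.

```powershell
# Added example (not from the FIM documentation): size the SQL Server settings
# discussed above to the host. Reads physical cores and RAM through WMI and emits
# a T-SQL script that caps max server memory (leaving a reserve for the OS, the FIM
# services and backup software) and adds one tempdb data file per core on a drive
# separate from the log. Drive letters and the reserve are placeholders.
param(
    [int]$ReserveGB = 4,                    # memory left to everything that is not SQL
    [string]$TempdbDataDir = 'D:\SQLData',  # placeholder data drive
    [string]$TempdbLogDir  = 'E:\SQLLog'    # placeholder log drive (separate spindles)
)

$Cores = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$TotalGB = [math]::Floor((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
$MaxMB = ($TotalGB - $ReserveGB) * 1024
if ($MaxMB -le 0) { throw "Host has ${TotalGB} GB; a reserve of ${ReserveGB} GB leaves nothing for SQL" }

$Sql = @"
-- Generated $(Get-Date): $Cores cores, $TotalGB GB RAM, SQL capped at $MaxMB MB
USE master;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'max server memory (MB)', $MaxMB;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE;
-- tempdb: a default install has one data file (tempdev); add the rest, one per core
"@
for ($i = 2; $i -le $Cores; $i++) {
    $Sql += "`nALTER DATABASE tempdb ADD FILE (NAME = N'tempdev$i', FILENAME = N'$TempdbDataDir\tempdb$i.ndf', SIZE = 1024MB, FILEGROWTH = 256MB);"
}
$Sql += "`n-- move the log to its own drive; takes effect after the SQL Server service restarts"
$Sql += "`nALTER DATABASE tempdb MODIFY FILE (NAME = templog, FILENAME = N'$TempdbLogDir\templog.ldf');"

$Out = Join-Path $PWD 'fim-sql-config.sql'
Set-Content -Path $Out -Value $Sql
Write-Host "Review $Out, then run: sqlcmd -S <instance> -E -i $Out"
```

Review the generated file before running it; the memory value it computes is a starting point, not a substitute for checking what the other services on the host actually need.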
Installing the latest update for FIM
Updates for FIM are posted on Microsoft Update. Ensure that you install the latest update from Microsoft Update.
In Windows Server 2008, click Start, and then click Windows Update.
Click Check for updates. Install any new updates for FIM that are available.
Populating the FIM Service database
FIM Portal access
Every user who accesses the FIM Portal must have an account in Active Directory Domain Services (AD DS) and a resource in the FIM Service database with the ObjectSID, Domain, and Accountname attributes representing the user in AD DS.
Note
For more information about synchronizing users between FIM 2010 and AD DS, see Publishing Active Directory User from Two Authoritative Data Sources included in the FIM 2010 documentation.
In addition, the administrator must turn on two Management Policy Rules (MPRs) to grant an end user permission to view the FIM Portal. You only need to grant these permissions once. For more information about MPRs and how to use them to grant permission to resources, see Modeling Business Policy Rules with FIM in the FIM 2010 documentation.
To enable the "User management: Users can read attributes of their own" and "General: Users can read non-administrative configuration resources" MPRs
Log on to the FIM Portal as an administrator.
On the navigation bar, click Management Policy Rules.
On the Management Policy Rules page, in the Search box, type User management, and then click the Search icon.
In the Search results page, click User management: Users can read attributes of their own.
On the General tab, ensure that you clear the Disabled check box.
Click OK, and then click Submit.
Repeat these steps for the General: Users can read non-administrative configuration resources MPR.
Note
You can give the end user rights to read their own attributes by using the User management: Users can read attributes of their own MPR. An end user must use this rule to grant themselves permission to read attributes that are important for their authentication such as Domain and AccountName. With these attributes, end users can view the FIM Portal functionalities.
The General: Users can read non-administrative configuration resources MPR gives the end user rights to see the basic FIM Portal configurations mentioned in this document. If these rights are not granted, the end user receives a FIM Portal permission error when they attempt to view the configurations.
AD DS to FIM 2010 initial data load
If you have existing data that you want synchronized from AD DS to FIM 2010, you need to perform an initial data load. This is a one-time operation and is not a continuous synchronization. It is not required to complete this to successfully set up FIM 2010.
Note
For more information about synchronizing users between FIM 2010 and AD DS, see the Publishing Active Directory User from Two Authoritative Data Sources document included in the FIM 2010 documentation.
Configuring the SQL Server for initial data load
When you plan to initially load a lot of data, you can shorten the time it takes to populate the database by temporarily turning off the full-text search and turning it on again after the export on the FIM MA has completed.
To temporarily turn off Full-Text Search
Start SQL Enterprise Manager.
Select New Query
Run the following SQL statements:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = MANUAL
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = MANUAL
Complete the export of the FIM MA.
Run the following SQL statements to turn on Full-Text search again:
ALTER FULLTEXT INDEX ON [fim].[ObjectValueString] SET CHANGE_TRACKING = AUTO
ALTER FULLTEXT INDEX ON [fim].[ObjectValueXml] SET CHANGE_TRACKING = AUTO
Change the installation
Note
If you need to run a change install operation to change any of the settings you set during the initial installation, temporarily turn off UAC before you run change install. After you have completed the installation, you can turn on UAC again.
Uninstalling the FIM 2010 Service and Portal Component of FIM 2010
If you encounter an unrecoverable error and need to uninstall and then reinstall the FIM Service and Portal component of FIM 2010, follow the instructions in the procedure below to uninstall this component of FIM 2010.
To uninstall the FIM Service component of FIM 2010
On the FIM 2010 startup screen, click the Install Service and Portal link.
Run Setup.exe, and then follow the instructions in the installation wizard to remove the installation.
Delete the FIM 2010 Service database.
Open SQL Server Management Studio.
Select the FIMService database.
Right-click the database name and select Delete.
Note
To be able to uninstall the FIM Portal component, you must be a SharePoint administrator. A local server administrator is not by default granted administrator permissions in Office SharePoint. You must explicitly grant either SharePoint site administrator or secondary administrator permissions.