external link  :

How to migrate Microsoft ISA Server 2006 to Microsoft Forefront TMG 

Can I do this on ISA Server? No, but you can with TMG

Learn more about Forefront TMG 2010

Below are some resources that are available for learning about and trying Forefront TMG 2010:

• Forefront TMG Virtual Lab – excellent resource for trying out TMG without having to install it first.
• Forefront TMG Trial version – 120 day, fully functional, trial version to install and test in your own labs.
• Microsoft Business Ready Security Lab - The Microsoft Business Ready Security trial environment provides an end to end trial experience across all of the Business Ready Security solutions. The environment provides an opportunity to evaluate protection, access, management and identity technologies as a pre-configured set of VHDs
• Case Studies Site
• Using Forefront TMG 2010 as a Secure Web Gateway solution – TechNet Magazine article.
• Forefront TMG Pricing and Licensing.
• MS Tech Edge Video about TMG migration from ISA.
• MS Tech Edge Video about TMG Web Access Protection.
• Forefront TMG Web Casts:
  • Forefront Threat Management Gateway 2010: Protection Features and Underlying Technologies
  • Forefront Threat Management Gateway: Deployment, Migration, and Licensing
• TMG Team Blog
• Forefront Edge Community Site
• Microsoft Press Forefront TMG 2010 Administrator’s Companion Book

Microsoft Forefront TMG Core Capabilities

Microsoft Forefront TMG 2010 is positioned as a Secure Web Gateway. The core new features of this product are:

• URL filtering: improves blocking of malicious or inappropriate sites using aggregated data from multiple URL filtering vendors and the anti-phishing and malware technologies that also protect Internet Explorer 8 users.
• HTTPS Inspection: inspect outbound HTTPS traffic in order to protect your organization from security risks inherent to Secure Sockets Layer (SSL) tunnels, such as viruses and other malicious content that could infiltrate the organization undetected.
• Intrusion Prevention (NIS): Protects against browser-based and other Microsoft vulnerabilities.
• Web anti-malware: Provides highly accurate malware detection with the same world-class engine that is used by Microsoft Security Essentials and Microsoft Forefront products.
• Support for Windows Server 2008 R2 (x64): first Microsoft Edge protection product that leverages the scalability and increased memory space improvements of the Windows 64 bit platform.

FIM Server Roles

 

 



Federating FIM 2010 using UAG/ADFS and KCD

This post is about leveraging ADFS/UAG to publish FIM to identities outside the trusted security realms for delegation and/or self-service identity related tasks. Before getting into the technical stuff, this post is not meant to be a “How To” guide. It’s really just to demonstrate the capabilities of our identity stack.

Where is this applicable? Say you have a resource forest where FIM resides so how do you provide access to the portal from autonomous security realms without having to create a bunch of NT trusts or maintaining secondary credentials. Because shadow accounts exist within the resource forest as security principals for dependent services (for example BPOS or O365), you can leverage UAG, ADFS, and KCD together to provide secure access. UAG is claims-aware and supports Kerberos protocol extensions for (1) protocol transitioning and (2) constrained delegation.

• Protocol transition is a Kerberos extension introduced in Windows 2003 which allows a service that uses Kerberos to obtain a Kerberos service ticket on behalf of a Kerberos principal to the service without requiring the principal to initially authenticate to the KDC with credentials.
• Constrained delegation is an extension which allows a service to obtain service tickets (under the delegated users identity) to a subset of other services after it has been presented with a service ticket that is obtained either through the TGS_REQ protocol, as defined in IETF RFC 1510, or in the protocol transition extension.

The architecture should look and works as diagramed below:
 

To get this working you need the following:

1. Kerberos-enabled WSS 3.0 (FIM Portal Server) + working FIM 2010 installation
2. ADFS 2.0 Server (STS-RP and STS-IP)
3. UAG 2010 SP1

There are many online references for configuring WSS for Kerberos; therefore, I’m just going to summarize the key configuration tasks and troubleshooting notes.
Configuring WSS for Kerberos

1. Reference the following TechNet article to configure Kerberos authentication within WSS:
   • Configure Kerberos Authentication (Office SharePoint Server)
2. Insure Kerberos enabled end-to-end:
   • Run the following query to determine Kerberos is being used for SQL:
     • SELECT SESSION_ID,AUTH_SCHEMA,NET_TRANSPORT FROM SYS.DM_EXEC_CONNECTIONS WHERE @@SSPID = SESSION_ID
     • Verify Kerberos is being used on the WSS Web Front-end event logs. You should be able to filter the log to Event ID: 4624.
       • You can also use Fiddler to validate WWW-Authentication from the client browser to IIS.
3. Once you’re sure Kerberos is configured end-to-end within WSS, you should be good to proceed.

Configure UAG with ADFS 2.0
For the ADFS and UAG configuration make sure the common pre-requisites are configured properly. What I’m referring to is name resolution, certificates, and a working configuration. To insure this, I recommend configuring a sample claims-aware application to insure ADFS is working. This can be accomplished by using any of the step-by-step guides published by the PG.

• ADFS 2.0 Step-by-Step and How To Guides

The next step is to create a portal trunk in UAG and wire it up to the STS.

1. Within the UAG Management Tool, add an ADFS Authentication Server.
2. Specify the URL of the federation metadata and select the “Retrieve Metadata” button.
   • Select the claim value to be used as lead user value. I used Name but this can be something like UPN or Windows Account Name; whatever you want really.
3. Create a portal trunk which will use ADFS as an authentication mechanism.
4. Save and activate the configuration. The next step would be configuring UAG as an RP in ADFS.
   • Verify the federation metadata on UAG and save it to a file for later use.
5. Configure UAG as an RP Trust in ADFS. To do this, you will need to import the federation metadata from the file created in the previous step.
6. Edit the Claims Rules to pass data from the attribute store. In my configuration, the minimum was SAM-Account-Name mapping to Name. Save and test the configuration.
7. As a test, you should attempt to access the UAG Portal. You should be redirected to your IDP. If you have more than one identity provider, then the requestor will need to select their IdP within the HRD page. Otherwise, you should get the FBA login page presented by the IdP. Enter the appropriate credentials to successfully authenticate and be redirected to the RP (UAG Portal). The RP will consume the AuthN token and the end result is to successfully long into the UAG Portal.

Publish FIM through UAG
Now that requestors can successfully log into UAG using Federated AuthN, the next step is to publish FIM 2010 as an application within UAG.

1. Add an application within the existing trunk. UAG comes with a template to use with FIM 2010.
2. Specify the URL for FIM under the web servers’ properties.
3. Enable SSO under the authentication properties. Select “Use Kerberos constrained delegation for single sign-on. Additionally, select a value from this claim type as the shadow account user name for KCD when using federated authentication.The final step is to configure the SPNs in Active Directory for KCD to the UAG server object. Using the UAG Management Tool, Export KCD Settings to Active Directory. Then use Ldifde.exe to import the SPN value which is set on the msDS-AllowToDelegateTo attribute of the UAG computer object.
   • I prefer publishing applications directly through UAG. To do this, uncheck “Add portal and toolbar link” and “Open in a new window” within the Portal Link properties. Within the Portal Trunk configuration, I modify the “Portal home page” to the FIM Application and uncheck “Display home page within portal frame. Assuming, the FIM SPNs are configured properly…we can assume a working FIM Portal.
4. The final step is to test the configuration. Browse the FIM URL from an untrusted workstation outside of the network. The end result is the FIM Portal being rendered in the same way as if you were accessing it internally.

Chris Calderon

MSFT

Release Notes for Forefront Identity Manager 2010 R2

           

by MS Technet

 

Welcome to the release notes for Microsoft® Forefront® Identity Manager (FIM) 2010 R2. Before you install this application, we recommend that you read this entire document and the Forefront Identity Manager 2010 R2 Deployment Guide. You can use these notes to guide you as you troubleshoot issues that may arise when you use FIM 2010 R2.

Release Notes for Forefront Identity Manager 2010 R2 – Known Issues

These release notes are broken down into 3 main areas of focus. These areas are Pre-Installation and Upgrade, Installation and Upgrade, and Post-Installation. Each of these areas is then subdivided into the various features that make up FIM 2010 R2. This will provide easy and quick reference to the features and components that pertain to you.

Area	Description
Pre-Installation and Upgrade	Includes known issues that need to be understood prior to installing or upgrading to FIM 2010 R2
Installation and Upgrade	Includes known issues that may occur during installation or upgrade
Post-Installation	Includes known issues may occur once FIM 2010 R2 is installed and running.

Pre-Installation and Upgrade

This section includes known issues that can occur and must be understood prior to installing and upgrading FIM 2010 R2. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.

Feature Area	Includes Information on the following components
Service and Portal – Pre-Installation and Upgrade	FIM Portal FIM Service FIM Service Database Password Registration Portal Password Reset Portal Reporting
Service and Portal Language Packs – Pre-Installation and Upgrade	Service and Portal Language Packs

Service and Portal – Pre-Installation and Upgrade

• FIM Service: Domain and DomainConfiguration attributes default behavior for user and groups has now been extended to all resources in FIM
  If you have used either of these attributes as part of your current implementation in FIM, this change may result in unexpected behavior and/or failed requests. If you have used either of these attributes please test prior to upgrading your production environment.
  
• FIM Service Database: Custom Schedules for FIM SQL Agent jobs are overwritten during upgrade
  If you have a customized the schedules for the FIM SQL Server agent jobs, you will need to reapply your changes.
  
• Password Registration Portal ,Password Reset Portal: Upgrading the SSPR portals from RC/RC Refresh to RTM is not possible.
  If you try and upgrade the SSPR portal from RC/RC Refresh to R2 RTM it will fail with an “invalid port” error. The fix for this is to uninstall the SSPR portals and install the new versions from the R2 RTM media.
  
• FIM Synchronization Service: Users who installed FIM 2010 RTM from the MSDN website are un-able to upgrade the Synchronization Service.
  If you have deployed FIM 2010 RTM from the MSDN website an in-place upgrade is not supported for the Synchronization Service. However, the database can be preserved and used in FIM 2010 R2 RTM. To do this, you must uninstall the FIM 2010 RTM Synchronization Service and then install FIM 2010 R2 RTM using the existing database. The uninstall and then subsequent install of FIM 2010 R2 is supported. The FIM Service and Portal can then be upgraded using the normal method. This only affects users who have installed FIM 2010 RTM from MSDN and only the Synchronization Service. This is a known issue.
  
• Reporting: Upgrading from FIM 2010 R2 RC/RC Refresh Reporting to FIM 2010 R2 RTM Reporting is only supported for TAP customers who deployed the schema hotfix for RC
  Only customers that have participated in the TAP program and installed the shcema hot fix for RC are supported when upgrading from FIM 2010 R2 RC/RC Refresh. To be supported you must meet the following criteria:
  
  
  1. Participated in the TAP program for FIM 2010 R2 RC
     
  2. Have deployed RC Reporting into production
     
  3. Have deployed RC using the schema hotfix
     
  If you meet all of the following requirements, it is recommended that you contact Microsoft Support for assistance with the upgrade.
  

Service and Portal Language Packs – Pre-Installation and Upgrade

• Service and Portal Language Packs: Customers should back-up their customized RCDC symbol-value pairs for non-English languages
  It is a known bug in upgrade that those non-English string resource values will be overwritten.
  
  Backing up involves exporting these RCDCs. To make these customizations appear again, you will need to re-do the customizations looking at the differences between the old and new symbol value pairs.
  
  For more information see Considerations for Upgrading to FIM 2010 R2 in the Forefront Identity Manager 2010 Deployment Guide.
  

Installation and Upgrade

This section includes known issues that can occur with installation and upgrade. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.

Feature Area	Includes Information on the following components
Add-ins and extensions – Installation Upgrade	FIM Add-in for Outlook FIM Password and Authentication Extensions
Certificate Management –Installation and Upgrade	All Certificate Management Features
Service and Portal – Installation and Upgrade	FIM Portal FIM Service FIM Service Database Password Registration Portal Password Reset Portal Reporting
Service and Portal Language Packs – Installation and Upgrade	Service and Portal Language Packs
Synchronization Service – Installation and Upgrade	ECMA 2.0 FIM Management Agent Synchronization Service

Add-ins and extensions – Installation Upgrade

• FIM Password and Authentication Extensions After installing the FIM Password and Authentication Extensions a reboot is required
  The reason is is that when these extensions are installed, changes are made to the Windows Authentication Framework. This requires a reboot. Likewise, if the FIM Password and Authentication Extensions are uninstalled, a reboot will be required.
  

Certificate Management –Installation and Upgrade

• Certificate Management: FIM CM configuration fails if database name contains an apostrophe (‘)
  The FIM CM database name should not contain any apostrophe characters within it. The presence of an apostrophe in the database name causes an error when the FIM CM Configuration Wizard runs.
  
• Certificate Management: FIM CM configuration fails if username or password contains an apostrophe (‘) as first or last character
  The FIM CM database username or password should not contain an apostrophe as the first or last character. The presence of an apostrophe as the first or last character causes an error when the FIM CM Configuration Wizard runs.
  

Service and Portal – Installation and Upgrade

• FIM Portal: Running setup with a non-default SharePoint site URL or a SharePoint site that uses SSL will fail
  If you attempt to upgrade and are using a non-default SharePoint site URL (other than localhost) or you are using SSL on your SharePoint site the upgrade will fail. To workaround this add http://localhost into the SharePoint alternative mappings and re-run setup.
  
• FIM Portal, FIM Service: Object reference not set to an instance of an object
  If you receive this error while attempting to install the FIM 2010 R2 Service and Portal, it is most likely an indication that the SQL Server service is unavailable or down. Please verify that the SQL Server service is running and the connection between the FIM Service and Portal is established and working.
  
• FIM Service: Administrator must open firewall ports manually
  During a change installation, there is no option to open the firewall ports. The administrator must open the firewall ports manually.
  
• Password Registration Portal: FIM Service Installer does not mask password for Self Service Password Reset accounts
  When running the FIM 2010 R2 Service and Portal MSI from the command line using the verbose log parameter (msiexec /i "Service and Portal.msi" /l*v log.txt), the REGISTRATION_ACCOUNT_PASSWORD property in the log file is not masked to “*” as it should be. This is a known issue that only occurs when verbose logging is turned on.
  
• FIM Service Database: Database should use a collation that supports surrogate pair characters or searches on string attributes may return improper results
  If your environment contains string data with surrogate pair characters, you must have a SQL Database collation that supports them. Failure to do so will result in invalid search results. For more information on the available options refer to this article: http://msdn.microsoft.com/en-us/library/ms143503(v=sql.105).aspx
  
  After installation of the FIMService, run the following TSQL statement to determine the FIMService database collation.
  
  
  Copy

  SELECT DATABASEPROPERTYEX('FimService', 'Collation') SQLCollation;
  
  

  A Collation that works with a large variety of environments is this one: Latin1_General_100_CI_AS
  
  Follow the SQL Server documentation for how to change collation if you need to do so to support your environmenthttp://msdn.microsoft.com/en-us/library/ms175835(v=sql.105)
  

Service and Portal Language Packs – Installation and Upgrade

• Service and Portal Language Packs: Installing language packs from the command line may fail
  Installing language packs from the command line using the following syntax will fail:
  
  msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,FIMServiceLP /l* Install.log
  
  To install language packs:
  
  
  • Do not use the command line. Double click the .msi to launch the installation.
    
    or
    
  • You may use the command line to install one language pack at a time, using the following format (example shown is for the Russian locale (ruRU)):
    
    msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,PortalruRU,FIMServiceLP,MTruRU /l* Install.log
    
• Service and Portal Language Packs: Service and Portal Language Packs are uninstallable if FIM components that depend on SharePoint are uninstalled
  If you have installed the FIM Portal Language Pack or the FIM Password Reset Portal Language Pack (the old RTM password portal, not R2 SSPR Portals) and then you uninstall all of the FIM components that depend on SharePoint (the FIM Portal and the old FIM Password Reset Portal) you will not be able to uninstall or upgrade the language pack.
  
  This is because both the FIM Portal and old FIM Password portal rely on SharePoint and hence store the SharePoint base site collection URL in the registry (BaseSiteCollectionUrl). The Service and Portal language packs (for FIM portal, old password portal) also rely on that key to be in the registry.
  
  Therefore, uninstalling the FIM components that rely on SharePoint will result in the inability to uninstall/upgrade the language packs because you lost that registry key.
  
  To correct this issue do the following:
  
  
  1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal.
     
  2. Create a string regkey named BaseSiteCollectionUrl.
     
  3. Inside that key, enter the SharePoint URL at which the FIM Portal/Password Reset Portal was deployed.
     
  4. You can now either uninstall or upgrade the language pack.
     
• Service and Portal Language Packs: Object reference not set to an instance of an object
  If you receive this error while attempting to install the FIM 2010 R2 Service and Portal Language Pack, it is most likely an indication that the SQL Server service is unavailable or down. Please verify that the SQL Server service is running and the connection between the FIM Service and Portal is established and working.
  

Synchronization Service – Installation and Upgrade

• FIM MA: Interactive logon required for setting up the FIM Service Management Agent
  The FIM MA requires the interactive logon right during setup. This requirement is a Windows behavior. When the Service account impersonates the MA account, Windows will do an interactive logon to be able to load the user profile (etc). If the user isn’t allowed to login interactively you will see an access denied in the security eventlog. This is needed for all operations.
  

Post-Installation

This section includes known issues that can occur once FIM 2010 R2 is installed and running. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.

Feature Area	Includes Information on the following components
Add-ins and extensions – Post-Installation	FIM Add-in for Outlook FIM Password and Authentication Extensions
Certificate Management – Post Installation	All Certificate Management Features
Service and Portal – Post-Installation	FIM Portal FIM Service FIM Service Database Password Registration Portal Password Reset Portal Reporting
Synchronization Service – Post-Installation	ECMA 2.0 FIM Management Agent Synchronization Service

Add-ins and extensions – Post-Installation

• FIM Add-in for Outlook Unicode is not fully supported when launching the Outlook add-in for users with names that contains Unicode characters.
  This is because of a bug in Outlook.
  

Certificate Management – Post Installation

• Certificate Management: User PIN dialog may not display on IE9
  FIM CM portal users may be blocked from completing a request when the FIM CM client is unable to display the user PIN dialog. This issue occurs intermittently for IE9 users who have not yet applied the IE 9 cumulative update located at here.
  

Service and Portal – Post-Installation

• FIM Portal: Double Quote in Contains Search Fails
  Entering a search string containing double quotes into a search scope that uses Contains functionality will fail with the following stack trace:
  
  
  
  Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
  Other ---> System.Data.SqlClient.SqlException: Syntax error near 'User' in the full-text search condition '""User 1"*"'
  
  
  
• FIM Portal: Authentication functionality changes
  With FIM 2010 R2, the following functionality is deprecated: interactive registration for an authentication workflow from the FIM 2010 R2 Portal, and interactive authentication for a request from the FIM 2010 R2 portal.
  
• FIM Portal: Wildcard character * is not supported in Filter builder
  
  
  

  Important
  If you create a filter that uses the * character, for example DisplayName contains * the * character will be discarded from the filter definition and the resulting expression will be considered invalid, and will fail.

  
  
• FIM Portal: Custom resources with ":", "(", or ")" in the name render the FIM Portal inoperable
  In this release, do not use a colon [:] or parentheses [()] in the system name of a custom resource. Creation of custom resources with these characters in the system name cause the FIM 2010 R2 Portal to become inoperable and requires a reinstallation of the FIM 2010 R2 Portal.
  
• FIM Portal: User cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources
  In this release, the user cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on groups and user resources. To work around the issue, you can temporarily add StringRegex, IntegerMinimum, or IntegerMaximum to the Management Policy Rule (MPR) named Administration - Schema: Administrators can change selected attributes of schema-related resources. It is important to revert the changes after the modification since the MPR is there to protect against illegal modification to elements important to the system schema.
  
• FIM Portal: Default DisplayName and Description is not submitted during creation of BindingDescription
  In this release, if the user does not modify the existing DisplayName or Description of a BindingDescription resource, the BindingDescription is created without DisplayName or Description even though in the user interface (UI) it appears that FIM 2010 has supplied a default value. The workaround is to update the DisplayName and Description after creation or supply a different value for these attributes during creation.
  
• FIM Portal: Custom resources with hyphens in their names do not create RCDC configuration XML correctly
  You can create a custom attribute or custom resource type with a hyphen “-“ in the system name. However, if you create an RCDC for this new resource, the RCDC configuration file that is created automatically is not correct. The RCDC uses the attribute name as the control name, but the control name does not support “-“. The workaround is to remove “-“ from the control names in the RCDC configuration file.
  
• FIM Portal: Timeouts while previewing dynamic membership of a set or group may prevent display of actual membership
  When previewing dynamic members of a group or set, an error message is displayed if the request times out. If you subsequently click Preview a second time, the query may show no members in the group or set, even if they do contain members. If this happens, click Cancel to close the dialog box and retry the preview operation. If the request times out again, the administrator may need to increase the server timeout.
  
• FIM Portal: Default search operator for DisplayName has been changed to starts-with from contains
  As a result of working with a number of internal and external customers, on portal search performance we chose to change the default search operator used by the FIM Portal (Search Scopes, Identity Picker) to leverage starts-with rather than contains for the DisplayName attribute. This will impact your existing FIM Portal implementation and your FIM portal administrative searches. If you wish to return to the default search behavior for one or more search scopes, we have added the ability to configure an "Advanced Filter". Please see FIM 2010 R2 Search Changes for more information.
  
• FIM Portal: ObjectPicker will not automatically resolve entered names when navigating to the next page
  When the user enters a name into an object picker and clicks the "next" button down below, the user is prompted to finish resolving names.
  
• FIM Portal: Matching Usage Keywords are necessary for a search scope to appear on a given page of the site
  For example, the “Pending from Today” search scope may be expected to appear on the “Search Requests” page. The Usage Keywords for the “Pending from Today” search scope must be updated manually to include the Usage Keywords configured for the “Search Requests” page which, by default, are the following:
  
  
  • customized
    
  • Request
    
  • SearchRequests
    
• FIM Portal: Disable SharePoint 2010 job: “SharePoint Foundation Search Refresh”
  The SharePoint Foundation 2010 job “SharePoint Foundation Search Refresh” will continuously generate FIM 2010 R2 event log entries. The errors can be ignored, but the FIM 2010 R2 event log will become unnecessarily cluttered. To disable the job, in SharePoint 2010 Central Administration, click Check job status, then disable the job “SharePoint Foundation Search Refresh”.
  
• FIM Portal: Supplying no input for a Search Scope with the Advanced Filter configured does not produce search results
  As a work around you can type a % in to the Search box.
  
• FIM Service, FIM Portal:Unicode not fully supported in certain cases
  The FIM 2010 R2 Portal and Service does not fully support Unicode in the case of User Names of new users created through the portal. This is to limit the format of User Names to those that can be used to create mailboxes through SharePoint.
  
• FIM Service: Custom workflows, that run under the context of the requestor (Actor) may fail with permission denied
  If you encounter this error you will need to update your existing custom workflow(s) to explicitly set the ActorId and ensure that the appropriate MPRs have been configured.
  
• FIM Service: Contains searches on String attributes relies on SQL Full Text Search (FTS) as part of the implementation
  The FTS parser may break the search string into multiple search tokens if any word break characters are found. This may lead to the Contains search returning invalid results. You may notice missing rows, or extra rows being returned that do not match your search string. You can use the SQL FTS parser http://technet.microsoft.com/en-us/library/cc280463(v=sql.105) to test the behavior of search strings commonly used in your environment. If you find that the SQL FTS parser is not returning the expected results, consider setting up search scopes using Starts-With instead which do not use FTS.
  
• FIM Service: Starts-With, and Ends-With searches on String and Text attributes are implemented using the TSQL LIKE operator with standard SQL wildcard behaviors
  This means that the following characters %, _, [, ^ are treated as wildcards (http://msdn.microsoft.com/en-us/library/ms179859.aspx). If your use cases require these characters to be treated as literals, then you must escape them per the TSQL LIKE documentation by enclosing the wildcard character in brackets.
  
• FIM Service::Running repair on the FIM Service does not repair SQL Server Agent jobs
  When running a repair operation on the FIM 2010 R2 Service, SQL agent jobs are not repaired, as the repair operation does not have SQL Server Agent permissions.
  
• FIM Service: Diagnostics tracing file format has changed for FIM 2010 R2
  If you currently use data from the diagnostics tracing file, you will need to modify your tools or scripts to accommodate the new format.
  
• FIM Service: The FIM Service web service contract for faults has changed
  The fault contract for FIM 2010 R2 includes additional information to support the troubleshooting enhancements in this release. You will need to regenerate the client proxy based on the updated fault contracts.
  
• FIM Service: New resource type CompositeType may interfere with custom Action workflows
  A new resource type CompositeType has been introduced for A Request issued by the Build-in Synchronization Account. It may interfere with any custom Action workflows that parse request targets. To find the actual targets you will need to modify these workflows to parse the Request Parameters of a CompositeType.
  
• FIM Service: UpdateRequestActivity has been removed from FIM 2010 R2
  UpdateRequestActivity has been removed from FIM 2010 R2. If you have any custom code that references UpdateRequestActivity, it will no longer compile. Moving forward, you should use UpdateResourceActivity instead.
  
• FIM Service: For asynchronous exports from the FIM MA, multiple FIM Service instances will process synchronization requests
  In R2, all FIM service instances, irrespective of whether they belong to a particular service partition will process synchronization requests. In order to avoid performance impacts on specific FIM service instances and/or service partitions you will need to update the Microsoft.ResourceManagment.service.exe.config setting receiveSynchronizationRequestsEnabled as documented in the configuration file.
  
• FIM Service: Do not reuse your existing Microsoft.ResourceManagement.Service.exe.config file
  Reusing an existing configuration may fail due to changes in the content of the configuration file. Please review the new configuration file contents and update manually if appropriate to do so.
  
• FIM Service: A request may fail when multiple workflows attempt to modify the same single valued attribute on the same object
  The most likely scenario would be in the PostProcessing phase of a Request in which two or more Action workflows execute in parallel and they are trying to operate on the same object within a narrow time frame. The Request will fail with PostProcessingError and you will likely find this stack trace in the Event Log.
  
  
  
  Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
  Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
  ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure
  ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
  UpdateResource, Line 525, Message: Cannot insert duplicate key row in object 'fim.ObjectValueString' with unique index
  'IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey-Filtered_Multivalued'.
  
  
  
  If your system has this issue, you should consider merging the functionality into a single workflow that can perform the operations in a synchronous manner to avoid the race conditions.
  
• FIM Service: Configuration Migration Compare-FIMConfig cmdlet comparisions today are case insensitive
  When comparing settings, the Compare-FIMConfig cmdlet will not detect changes if the only difference is the case of the strings. For example if you compare the DisplayName attribute where source = "User1" and target = "user1" the tool will consider this as the same value.
  
• FIM Service: Date time strings are not constructed or parsed properly when running on Windows 2008 Italian
  FIM Service expects DateTime strings to be of this format "yyyy-MM-ddTHH:mm:ss.fff" and parses them with this code: DateTime.Parse(input, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);
  
  A customer has reported issues trying to run FIM Service on an Italian Server in which dates were represented as follows:"yyyy-MM-ddTHH.mm.ss.fff". In this case, the FIMService did not run properly and reported Exceptions like this:
  
  mscorlib.dll!System.DateTimeParse.Parse(string s, System.Globalization.DateTimeFormatInfo dtfi, System.Globalization.DateTimeStyles styles)
  mscorlib.dll!System.DateTime.Parse(string s, System.IFormatProvider provider, System.Globalization.DateTimeStyles styles)
  Microsoft.ResourceManagement.dll!Microsoft.ResourceManagement.Utilities.DateTimeSerializer.ReadCoordinatedUniversalTimeString(string input = "2010-02-25T09.14.12.237")
  
  
  The work-around was to change the Server to format dates per this format "yyyy-MM-ddTHH:mm:ss.fff"
  
• FIM Service: Viewing an Objects' Resource page in the Portal will fail if you mark the Description attribute as Required on the Object in the FIM Schema
  When trying to view the Object's Resource page in the portal, you will end up on the ErrorPage.aspx page. To fix the problem, you must remove the Required setting, restart IIS, and then try again.
  
• FIM Service: Deletion of an Attribute or ObjectType from FIM Schema must follow a specific order of steps or you will get an Unwilling to Perform exception
  
  
  Exception: Other Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level
  16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message:
  Reraised Error 547, Level 16, State 1, Procedure PostProcessObjectTypeDescriptionUpdate, Line 90, Message: The DELETE statement conflicted with the REFERENCE constraint
  "FK_BindingInternal_ObjectTypeInternal". The conflict occurred in database "FIMService", table "fim.BindingInternal", column 'ObjectTypeKey'.
  
  
  
  To delete an Attribute or ObjectType from the FIM Schema, do the following:
  
  
  1. Delete all instances of any Objects that currently use those schema elements.
     
  2. If it is desired that the reporting data warehouse capture the deletion of the attribute or objects instances from the previous step. Run and complete an Incremental job. Failure to do this will not result in an error, however any Object changes recorded in the system since the last Incremental job will not have the history for these schema items once they are deleted.
     
  3. Search for any Set or Dynamic Group Filter that currently includes the FIM Schema items you plan to delete and delete the Set or Dynamic Group. If the Set is used in an MPR, you will first need to delete the MPR.
     
  4. Delete all Bindings that reference the FIM Schema items you plan to delete.
     
  5. Delete the Schema item.
     
• FIM Service: Request will Fail and throw Unwilling to Perform Exception if duplicate MPRs trigger the same Action Workflow on the Request
  If 2 or more MPRs are configured to execute the same Action Workflow and get triggered on the same Request, the Request will fail with the following exception:
  
  
  Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
  ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
  DoProcessRequest, Line 267, Message: Cannot insert duplicate key row in object 'fim.PolicyApplication' with unique index
  'IX_PolicyApplication_RequestKey_TargetKey_WorkflowDefinitionKey'.
  
  
  To fix the problem you can use the Portal to search all enabled MPRs, locate the duplicate, and delete it.
  
• FIM Service:Set or Dynamic Group Membership may be invalid if the Set or Dynamic Group Filter attribute contains a reference to Deleted Attributes or ObjectTypes in the FIM schema
  The system will allow deletion of Attribute and ObjectTypes from the FIM schema without detecting whether or not these items may be in-use in Set or Dynamic Group definitions. As a result, the affected Set or Dynamic Groups will have invalid membership and should be deleted. To locate the affected Sets or Dynamic Groups, use advanced search in the portal on the Filter attribute of the Sets or Dynamic Groups to find these deleted schema items and delete the affected Set or Dynamic Group objects.
  
• FIM Service: synchronizationExportThrottle not supported in FIM 2010 R2
  The hotfix rollup package for build 4.0.3573.2 introduced a property, synchronizationExportThrottle, that is not supported in R2. For more information, see KB2417774. If this property exists in your FIM 2010 R2 Service configuration file, the FIM Service will fail to start. To resolve the issue, remove the property from the configuration file.
  
• FIM Service: If your deployment contains multiple FIM Portal or FIMService machines and you are leveraging the FIM Approval workflow, you need to ensure that each machine can authenticate with each other
  This is done by creating a service principal name for each FIMService and then configuring each FIM Portal to use constrained delegation to each FIMService. If your deployment takes advantage of receiving Group Management and Approval Requests to the FIM Service mailbox, the FIMService that has mailbox polling enabled (there is only supposed to be 1 instance) must also be configured to use constrained delegation to each FIMService.
  
  Approval Responses are submitted directly by the FIM Portal and the FIM Service (receiving mail) to a Workflow Endpoint on the FIM Service that received the original Request. For example, assume your deployment has FIM Portal 1 and 2, and also FIM Service 1 and 2. A user issues a Request to join a Group on FIM Portal 1. That Request is processed by FIM Service 1 and this is where the Approval Workflow Instance lives. If the Approver approves by Email and that email response is processed by FIM Service 2, it is FIMService 2 that will try to communicate with FIMService 1 to send the Approval Response. If the same Approver went to FIM Portal 2 and approved the Request, it is the FIM Portal 2 that will communicate with FIMService 1 to send the Approval Response.
  
  For instructions for how to setup SPNs and constrained delegation, see the following article: http://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx
  
• Password Registration Portal:GateRegistration Objects can accumulate over time
  Because GateRegistration Objects can accumulate over time, periodic deletion is a recommended best practice. GateRegistration Objects may accumulate in the system that are no longer necessary due to various events in and around password reset scenarios. One such event is when an administrator updates an AuthN workflow and checks "force re-registration". When users re-register, new Gate Registration Objects are created, but the original ones are not removed. Periodic deletion of these unnecessary GateRegistration Objects would be a best practice to ensure your system maintains the minimum objects necessary to enable your scenarios.
  
• Password Registration Portal:Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
  This error can occur when a user attempts to navigate to the Password Registration Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.
  
  For additional troubleshooting information including how to enable logging see Troubleshooting FIM 2010.
  
• Password Reset Portal:Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
  This error can occur when a user attempts to navigate to the Password Reset Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.
  
  For additional troubleshooting information including how to enable logging see Troubleshooting FIM 2010.
  
• Reporting: Filtering the Request History or Group History reports on an MPR name, you may receive incorrect results
  When filtering the Request History or Group History reports on an MPR name, you may receive incorrect results. While the data represented in the report is accurate, you may need to export this report to a third party format (such as Excel) and then filter it there.
  
• Reporting: Certain reports may time out on large datasets
  You may experience SSRS timeouts when running reports on large data sets. The default SSRS timeout is set to 1800 seconds for all reports. You may change this timeout by navigating to the Site settings link in the upper right hand of the SSRS web interface, opening the General tab, and then changing the timeout to either no timeout or a value larger than the default 1800 seconds.
  
• Reporting: Reports do not show Created Time for requests which exist before initial ETL was run
  The Created Time column will appear blank for requests which were in the system before reporting setup was completed. There is no workaround for this issue, but since the request’s committed time will be captured, you will still be able to correlate when the change was made in the FIM 2010 R2 database.
  
• Reporting: When the creator of a request is not a person resource in FIM (ie, FIMService, Anonymous User), no creator is shown in the out of box reports
  Currently, if the FIM 2010 R2 service or an anonymous user issues a request in the FIM 2010 R2 portal, the creator is shown as blank in the out of box reports. This is due to the fact that these resources are not moved over as part of our ETL processes, since they are not person resources in FIM 2010 R2.
  
• Reporting: Unique key constraint violation when running reporting synchronization jobs
  If you attempt to run reporting synchronization jobs on a default System Console System Manager SP1 (SCSM SP1) installation, you may receive the error “Violation of UNIQUE KEY constraint ‘idx_ManagedEntityManagedTypeId’. Cannot insert duplicate key…”. To address this issue, please make sure you have the following updates installed on your System Center Service Manager Management Server, Data Warehouse Server, and any machines that have the System Center Service Manager Console installed on them:
  
  
  1. KB2542118– System Center Service Manager Cumulative Update 2
     
  2. KB2542118– System Center Service Manager FIM 2010 R2 Hotfix
     
     

     Note
     You must have the SCSM Cumulative Update 2 installed before installing KB2542118.

     
     
• Reporting: If a resource is created and deleted inside one SCDW extract batch, that resources will not show up in the SCDW
  When an instance of a resource is created and deleted inside one extract batch, the deleted instance will never be extracted from the SCSM Management Server to be moved over to the Data Warehouse. This is a known issue with the System Center Service Manager Product. You may see this issue in testing environments if you, for example, create a person in FIM 2010 R2, delete that person, and then run the SCSM ETL job. Because the creation and deletion event occur in the same ETL batch, these events do not get sent to the System Center Data Warehouse.
  
• Reporting: When running on PowerShell version 1.0, running Get-Help on Import-FIMReportingReport results in an error
  You may receive the error: “Error loading help content for Import-FIMReportingReport” in certain cases when attempting to load help information for Import-FIMReportingReport. If this occurs, try the alternate method of outputting the parameter list by typing “Import-FIMReportingReport -?”. If this also fails, refer to the Deployment Guide for Forefront Identity Manger 2010 R2 – PowerShell Reference.
  
• Reporting:Out-of-box reports may not return data with default filtering parameters
  The default end date for the out-of-box reports is defined as Todays Date in UTC + 1. As a result, running reports with the default filtering parameters may result in an empty data set, depending on what time zone the user is running in. This is a known issue that you can resolve by manually specifying the date range with which you wish to filter your report.
  
• Reporting:Running an incremental synchronization after a large export from Active Directory may take several days to complete
  Depending on the size of the export job, the incremental synchronization process may take up to several days to complete. This is due to the large number of requests generated by the export process that are then moved over to the Data Warehouse. You may safely continue to run this incremental synchronization job without regressing performance on the FIM 2010 R2 service or other components. However, if this waiting period is unacceptable, and you would like to ignore the requests generated by the export process, please contact the product support for assistance (see How and when to Contact Microsoft Customer Service and Support).
  
• Reporting:Data does not appear in reports even after all synchronization processes are completed
  For data consistency purposes, SCSM will not move data that has been modified in the last 30 seconds. Therefore, if you run the FIM 2010 R2 reporting synchronization processes immediately followed by the SCSM ETL jobs, the changes made in the reporting synchronization job may not appear in the Data Warehouse. You can solve this issue by either:
  
  
  • Waiting 30 seconds before starting the SCDW ETL jobs
    
  • Running the SCDW ETL jobs again
    
  Because the SCDW ETL jobs run every 20 minutes to 1 hour (depending on job type), you can be assured that data will flow to the DataMart within a 24 hour Service Level Agreement. For testing purposes, however, it is important to consider this 30 second delay when exercising certain scenarios.
  
• Reporting:Certain Chinese Characters may cause the SCSM console to fail to load a report
  Double-byte length Chinese characters (surrogate pairs) in report data may cause the SCSM console to fail to load a report. This is caused by an issue in version 9.0.0.0 of the report viewer used by the SCSM console. To work around this issue, you can either:
  
  
  • Continue viewing the reports through the SQL Server Reporting Service (SSRS) web interface (which does not have this issue), or
    
  • Delete the bad data, restart the SSRS service, and attempt to view the reports via the SCSM console
    
• Reporting:Status of requests is different for initial and incremental synchronizations
  In this release, during initial synchronization, FIM 2010 R2 Reporting moves finished requests with the final state of “completed” to the Data Warehouse, but it only moves finished requests with the final state of “committed” during incremental synchronization. This is a known issue that does not affect data integrity.
  
• Reporting:FIM reporting initial sync moves over failed requests
  In this release, during initial synchronization, FIM 2010 R2 Reporting moves both successful and failed requests to the Data Warehouse, whereas during incremental synchronization it only moves the successful requests. This will result in a small amount of extra data being present in the Data Warehouse in certain cases. This does not affect data integrity.
  

Synchronization Service – Post-Installation

• ECMA 2.0: ECMA 2.0 does not support "Multi-Partition" file based Connectors
  ECMA 2.0 does not prevent a programmer from creating a file-based "multi-partition" Connector, however, it should be noted that these scenario are not supported and may result in unexpected or 'broken' behaviors.
  
  Programmers should not try to use/implement the GetPartition() or GetHierarchy() interfaces when writing a file-based ECMA 2.0 connector, as they will not work properly.
  
• ECMA 2.0: CustomData for OpenImportConnectionRunStep.CustomData comes from GetImportEntriesResults
  The watermark data returned in OpenImportConnectionRunStep.CustomData does not come from CloseImportConnectionResults.CustomData as would be expected. Instead, the CustomData field is coming from the GetImportEntriesResults.CustomDataThis issue would be encountered by Connector programmers when writing their connectors to have watermark data passed between MA runs.
  
• ECMA 2.0: ECMA 2.0 does not allow a page/batch size of greater than 9999
  When configuring the batch size for a ECMA 2.0 based MA, you may not configure a batch size larger than 9999 objects. The UI will not allow a larger number to be configured, and there is no way to exceed this size in your Connector's configuration.
  
• ECMA 2.0:: Generic Style DN's do not accept all characters
  Generic Style DN's have the same character limitations as LDAP Style DN's, even though there is no specific reason for that limitation.
  
• FIM MA: Using Service Partitioning to isolate FIM MA Export load is not supported for FIM 2010 R2.
  Those customers who have more than one FIM 2010 R2 Service instance installed and who wish to control which of these FIM 2010 R2 Service instances processes the load from the FIM MA during an Export run will need to use the following setting in the FIM 2010 R2 Service configuration file, under resourceManagementService:
  receiveSynchronizationRequestsEnabled
  
  By default, the value is "True", meaning that that FIM 2010 R2 Service instance processes FIM MA Export requests. Setting the value to “False” would indicate that that FIM 2010 R2Service instance does not process export requests.
  
  

  Note
  Although you specify a FIM 2010 R2 Service address in the FIM MA properties in Synchronization Service Manager, all FIM 2010 R2 Service instances attached to a single FIM 2010 R2 Service database will process these requests.

  
  
• FIM MA: A request based MPRs would not fire if the reference attribute needs to be evaluated on resource creation
  A request based MPRs would not fire if the reference attribute needs to be evaluated on resource creation. Example: A request based MPR that sends an email to a manager of the created person. An error similar to the following will be written to FIM Service eventlog.
  
  EXCEPTION DATA\r\n\r\nMESSAGE: Cannot deference non-instantiated attribute Manager\r\n\r\n**METHOD:System.Exception ThrowException(System.Exception)\r\n\r\n**METHOD:System.Object ResolveAttribute(System.String, Boolean, ResolverOptions, System.String ByRef)\r\n\r\n**METHOD:Void ResolveToLine(System.String)\r\n\r\n**METHOD:System.String ResolveRecipientLine(Microsoft.ResourceManagement.WFActivities.Resolver, System.String, System.Text.StringBuilder ByRef)\r\n\r\n**METHOD:Microsoft.ResourceManagement.Workflow.Runtime.MessageContent ResolveMailMessage(System.Guid, System.Guid, System.Guid, System.Collections.Generic.Dictionary`2[System.String,System.Object], System.String, System.String, System.String, System.Guid, Microsoft.ResourceManagement.Workflow.Activities.EmailResolutionOptions, System.String ByRef)\r\n\r\n**METHOD:Void ResolveMail(System.Object, System.EventArgs)\r\n\r\n**METHOD:Void RaiseEvent(System.Workflow.ComponentModel.DependencyProperty, System.Object, System.EventArgs)\r\n\r\n**METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.ActivityExecutionContext)\r\n\r\n**METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(T, System.Workflow.ComponentModel.ActivityExecutionContext)\r\n\r\n**METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.Activity, System.Workflow.ComponentModel.ActivityExecutionContext)\r\n\r\n**METHOD:Boolean Run(System.Workflow.ComponentModel.IWorkflowCoreRuntime)\r\n\r\n**METHOD:Void Run()\r\n\r\n
  
  This is expected. Reference attributes are not guaranteed to be part of the original Create request.
  
  Workaround: The MPR should be on an update attribute instead of Create request.
  
• FIM MA: FIM MA export of sets and dynamic groups filter attributes will impact performance
  Synchronization requests containing updates to set or dynamic group filters will only be processed using the single object FIM MA export behavior.
  
• Synchronization Service: Changing MV Object type during runtime is not supported
  The FIM 2010 R2 code does not yet actively prohibit this so it must be stated that doing so is not supported.
  
• Synchronization Service: Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''.
  The FIM Service eventlog might have the following error: Request 'ca6a8db0-c084-4783-bb9b-5be054d38a10' failed while trying to commit the changes to the database. Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''. The ‘MembershipLocked’ attribute missing happens under the following conditions.
  
  
  1. Sync engine sends an update request with attributes that got modified.
     
  2. The FIM MA does a quick lookup and finds the object missing in FIM Service (probably deleted through portal).
     
  3. The FIM MA treats the update as 'Create' request.
     
  4. The create request in FIM Service fails because it has missing attributes like ‘MembershipLocked’.
     
  Doing a delta import and delta sync followed by Export will fix the error. Sync service will understand the object as deleted from FIM Service and will not send a pending update during the next FIM MA export operation.
  
• Synchronization Service: Do not reuse your existing miiserver.exe.config file
  Re-using an existing configuration may fail due to changes in the content of the configuration file. Please review the new configuration file contents and update manually if appropriate to do so.
  
• Synchronization Service: Sync Service manager shows a User object deleted when linked ERE was actually deleted
  During migration from policy based sync rule to filter based sync rule, the sync engine will delete EREs which are linked to filter based sync rules. However, the Identity Manager statistics falsely show that the User linked to the ERE being deleted was deleted. The user was not, in fact deleted, it was the ERE that was deleted. Customers should only run into this problem once, when they are migrating from policy based to filter based rules. There is no action needed to be taken by the customer. The User object was not actually deleted.
  
• Synchronization Service: The value of boolean type outbound scoping filter in Filter based Sync Rule is case sensitive.
  It must be all lowercase.ie. "true" or "false" If the casing is different, it will crash.

Preinstallation and Topology Configuration

            by MS Technet

 

This document provides an overview of the major components of a FIM 2010 deployment with recommendations for topology architecture, load-balancing, and high-availability scenarios.

Components to Deploy

FIM 2010 consists of these main components:

• FIM Service
  
• FIM Synchronization Service
  
• FIM Portal
  
• FIM Certificate Management
  

FIM Service

Deploying the FIM Service component consists of installing the FIM Service and configuring the FIM Service SQL database. This section discusses the options and recommendations for deploying the FIM Service. It also discusses the options and recommendations for deploying the FIM Service SQL database.
You can deploy the FIM Service:

• On a stand-alone server
  
• On a shared server with the FIM Portal and Windows® SharePoint® Services 3.0
  
• On multiple servers, we recommend that you use:
  
  
  • Network Load Balancing (NLB) to distribute the processing load.
    
  • Aliases (for instance, A or CNAME records) so that one common name is exposed to the user.
    
  • A separate alias for a dedicated FIM Service server as an alternative to offload intensive administration tasks to one or more servers so that the end-user tasks are not affected.
    

  Important
  If you use a load-balancing technology other than the NLB feature in Windows Server 2008 or Windows Server 2008 R2, make sure your solution will redirect one session to the same server and not to a random server.

  
  

When you install the FIM Service SQL database:

• We strongly recommend that the FIM Service SQL database exist on a dedicated server.
  
• The server running Microsoft SQL Server® can be a single server or part of a failover cluster.
  
• You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.
  

FIM Synchronization Service

Deploying the FIM Synchronization Service consists of installing the FIM Synchronization Service, configuring management agents for various connected data sources, and configuring the FIM Synchronization Service SQL database. This section discusses the options and recommendations for deploying the FIM Synchronization Service.
FIM Synchronization Service requirements:

• Only one FIM Synchronization Service instance can exist in a deployment.
  
  

  Warning
  Having more than one Synchronization Service instance can cause errors when attempting to upgrade a FIM deployment.

  
  
• The FIM Synchronization Service may be installed on a stand-alone server or on the same server as the SQL Server database. If you connect the FIM Synchronization Service and the database with at least a 1-GB network, there is no significant performance difference when you separate the two components.
  

FIM Synchronization Service SQL database requirements:

• The server running SQL Server can be a stand-alone server or part of a failover cluster.
  
• You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.
  

FIM Portal

Deploying the FIM Portal consists of installing the FIM Portal component and configuring Windows SharePoint Services. This section discusses the options and recommendations for deploying Windows SharePoint Services and the options and recommendations for deploying the FIM Portal.

Deploying Windows SharePoint Services 3.0

• Deployment - You can deploy Windows SharePoint Services on either a stand-alone server or as a Windows SharePoint Services server farm. There is no performance advantage in either deployment, but a stand-alone deployment is in most configurations easier to manage. You can also deploy Windows SharePoint Services on a single server, along with the FIM Service and the FIM Portal.
  
• Load balancing
  
  
  • If you are deploying a Windows SharePoint Services server farm, Windows SharePoint Services automatically load-balances the servers.
    
  • NLB can also be used in addition to Windows SharePoint Services load-balancing to distribute the processing load. If you use another solution other than NLB, ensure that the solution makes sure that one user always is directed to the same server (also known as pinning).
    
  • In a load-balanced environment, we also recommend that you use an alias (for example, CNAME record) so that one common name is exposed to the user.
    
• A SharePoint server farm will need one shared SQL database for its configuration. Make sure this database has the same high available solution as the other FIM databases to not have a single point of failure.
  
• SharePoint products and technologies - The following products are currently not supported:
  
  
  • Microsoft Office SharePoint Server
    
  • Microsoft SharePoint Foundation 2010
    

Deploying the FIM Portal

The FIM Portal is a component that does not demand intensive resources and can be deployed on the same server as the FIM Service. For more information, see the illustrations in the following sections.

Topology Considerations

How you deploy Microsoft® Forefront® Identity Manager (FIM) 2010 depends almost entirely on the size and complexity of the environment you need to support. This section is intended to help you determine an optimal network topology for your environment. It addresses ways to deploy FIM beginning with a basic topology typically used by smaller organizations, followed by more advanced topologies to meet the requirements of larger organizations. In general terms, the topology, hardware profiles, and related system requirements described in this document can be applied to organizations based on the following scale:

• Small organization of up to 20,000 users and 10,000 groups. Basic deployment with multitier topology and network load balancing.
  
• Medium organization of up to 50,000 users and 50,000 groups. Advanced deployment with multitier topology, network load balancing, and dedicated servers for FIM services.
  
• Large organization of up to 200,000 users and 450,000 groups. Advanced deployment with multitier topology, network load balancing, and multiple multiple servers for FIM services.
  

The multitier topology is the most commonly used topology, offering the greatest flexibility. The FIM 2010 R2 Portal, FIM 2010 R2 Service, and databases are separated into tiers and deployed on multiple computers. This topology adds flexibility in scaling the different FIM 2010 R2 components. For example, you can scale the FIM 2010 R2 Portal horizontally by adding additional servers in an NLB cluster. Similarly, you can scale the FIM 2010 R2 service by using an NLB cluster and by increasing the number of computers (nodes) in the cluster as needed.
In the multitier topology, a dedicated computer to host each SQL database (one for the FIM 2010 R2 Service and another for the FIM 2010 R2 Synchronization Service) is allocated. The scalability of the performance of the computers that host the SQL databases can be increased by adding or upgrading hardware, for example, by upgrading the CPUs, adding additional CPUs, increasing random access memory (RAM) or upgrading the RAM, or upgrading the hard drive configurations to increase read and write access and decrease latency.
The following are examples of some standard FIM 2010 deployment scenarios.

Basic FIM deployment

A basic deployment which could be used in a small organization may be deployed on three to four servers running Microsoft Windows Server® operating systems.
In this deployment there is one dedicated SQL server for the FIM Service DB. The FIM Service and Portal are installed on a stand-alone server in an NLB cluster. Additional FIM Service and Portal servers can be added to the NLB cluster when needed. In this configuration, the FIM 2010 R2 Synchronization Service and its database are hosted on the same computer. However, you should be able to achieve similar performance if there is a one-gigabit dedicated network connection between the FIM 2010 R2.

FIM deployment with multiple dedicated servers

In this example, which could be used in a medium-sized organization, the basic components, are deployed among five servers running Windows Server with both the FIM Portal and Windows SharePoint Services installed on the same stand-alone server.
A dedicated server is used for the FIM synchronization service and a dedicated server is used for the FIM synchronization service DB. The FIM Portal is separated from the FIM Service servers.

Load-balancing the FIM Service with multiple servers

A more advanced deployment, which could be used in a larger organization, is to load balance FIM Services using multiple dedicated servers with some designated to handle user requests and others reserved for administrative requests. Synchronization of data with external systems can add a considerable load to the system and run over an extended period of time. If the synchronization configuration results in triggering policies with workflows, these policies contend for resources with end-user workflows. Such issues can be pronounced with authentication workflows, such as password resets, which are done in real time with an end user waiting for the process to complete. By providing one instance of the FIM 2010 R2 Service for end user operations and a separate portal for administrative data synchronization, you can provide better responsiveness for end-user operations.
Using different external names for FIM Service will also allow server partitioning for workflows. When a workflow instance is created the external name of the server is added to the instance. Another server with the same external name can pick up and resume hydrated workflows. This partitioning will ensure that workflows started on the FIM-Admin instance never will be processed by the FIM-User instances ensuring more responsive servers used by end-users.

Unattended Installation of FIM 2010 R2

            by MS Technet

 

 

All components of the FIM 2010 R2 accept properties that allow unattended and silent installation. Those properties can either be set in a Windows Installer Transform (MST) file or specified at the command line during installation.
The FIM 2010 R2 installation packages do not support advertisement (msiexec /j) or administrative (msiexec /a) installations.
There are several different ways to install FIM 2010 R2 silently (unattended). Two methods are described in this section: pass-in parameters in a command line and MST files. It is outside the scope of this document to describe unattended installations in general.

Pass-in parameters on the command line

This can be used with Microsoft System Center Configuration Manager 2007. To install silently, use the command msiexec with an option, followed by properties, for example:
Msiexec /q /i NameofMSI.msi /Option ADDLOCAL=MSIFeatureName Property=Value
The possible values of MSIFeatureName and Property can be found in Features and properties later in this document. Note that all parameters are case sensitive.
The following is an example command for an installation of FIM Add-ins and Extensions from a file server where only the FIM Outlook add-in is installed:
msiexec /i “\\MyServer\Distribution\FIM\32\Add-ins and extensions.msi” /quiet ADDLOCAL=OfficeClient PORTAL_LOCATION=MyPortalServer PORTAL_PREFIX=https MONITORED_EMAIL=fimservice@contoso.com
Msiexec has several command line switches for silent installations. Of those, only a limited number are supported. The following table is a list of supported switches.

Switch	Supported or Not Supported	Description
/quiet/q:n	Supported	Installation with no UI at all
/q:f	Supported	(Full UI) The usual User Interface Wizard behavior.
/q:b	Not supported	(Basic) No pop-ups, except error messages.
/q:r	Not supported	(Reduced) Similar to basic.
/a	Not supported	(Admin) Will unpack an MSI to have all files external. Since this is how we deliver the MSI, no need to support this. Will run the Admin sequences, but no compelling scenario for this.
/x	Supported	Uninstall of the product
/j	Not supported	No scenarios. (We don’t have install on demand.)

Note
Windows Installer has a limit of 256 characters in the path when for installation of applications. Ensure that you do not place the root of the tree in a very deep structure, or the installation might fail.

Create an MST file

Another solution is to use an MST file. MST files can be created with tools such as Orca (shipped with the Windows Software Development Kit (SDK)), and they contain the same settings as are passed in on the command line.

Troubleshoot an installation

If an unattended installation fails, add the option /l*v NameOfLogFile.txt to the command line. This option creates a log file that you can use for troubleshooting. You can identify an error in a Windows Installer log file by looking for the text Return Value 3.
Also, you can you the msiexec file without the /q switch. This will cause the UI to appear and the values you have specified in the msiexec command-line will be populated in their respective locations. This is good for determining if the correct value is being set or not.

Features and properties

The first table is listing the feature name in the UI and its feature name in the Synchronization Service.msi, Service and Portal.msi and the Add-ins and Extensions.msi. The second table is listing the feature name in the UI and its feature name in the Add-ins and Extensions.msi. The third table is the feature name in the UI and its feature name in the Service and Portal Language Pack.msi. These can all be used by the ADDLOCAL, REINSTALL, and REMOVE properties above.The tables in this section list the settings in the order that they appear during the user interface (UI) installation. Default values are in brackets.
Table 1 FIM 2010 R2 Windows Installer Features

Name of the feature in the UI	Windows Installer feature name
FIM Add-in for Outlook	OfficeClient
FIM Password and Authentication Extensions	PasswordClient
FIM Service	CommonServices
FIM Portal	WebPortals
FIM Password Reset Portal	PwdPortals
FIM Synchronization Service	N/A (only one feature in the installer)
Forefront Identity Manager Certificate Management (FIM CM) Update Service	CLM_Service
FIM CM Portal	Web_Files
FIM CM CA Modules	CA_Modules
FIM CM Smart Card PIN Reset Tool	ChangePin
FIM CM Smart Card Personalization Control	AppletManagement
FIM CM Smart Card Client	SelfServiceControl
FIM CM Update Client	ProfileUpdateControl
FIM CM Bulk Issuance Client	ClientFiles
Microsoft Password Change Notification Service	PCNSSVC
FIM Password and Authentication Extensions FIM Password and Authentication Extensions for Windows XP FIM Password and Authentication Extensions for Windows Vista	PasswordClient
FIM Password Registration Portal	RegistrationPortal
FIM Password Reset Portal	ResetPortal

Table 2 Service and Portal Language Pack Features

Feature	Description
FIMPortalLP	Installs Languages for the FIM Portal
FIMServiceLP	Installs Languages for the FIM Service
FIMResetPortalLP	Installs Languages for the FIM Password Reset Portal
FIMRegistrationPortalLP	Installs Languages for the FIM Password Registration Portal
PortalzhCN	Chinese (Simplified) language pack for FIM Portal.
PortalzhTW	Chinese (Taiwan) language pack for FIM Portal.
PortalcsCZ	Czech language pack for FIM Portal.
PortaldaDK	Danish language pack for FIM Portal.
PortalnlNL	Dutch language pack for FIM Portal.
PortalfiFI	Finnish language pack for FIM Portal.
PortalfrFR	French language pack for FIM Portal.
PortaldeDE	German language pack for FIM Portal.
PortalitIT	Italian language pack for FIM Portal.
PortaljaJP	Japanese language pack for FIM Portal.
PortalkoKR	Korean language pack for FIM Portal.
PortalnbNO	Norwegian language pack for FIM Portal.
PortalplPL	Polish language pack for FIM Portal.
PortalptBR	Portuguese (Brazil) language pack for FIM Portal.
PortalptPT	Portuguese (Portugal) language pack for FIM Portal.
PortalruRU	Russian language pack for FIM Portal.
PortalesES	Spanish language pack for FIM Portal.
PortalsvSE	Swedish language pack for FIM Portal.
PortaltrTR	Turkish language pack for FIM Portal.
MTzhCN	Chinese (Simplified) language pack for FIM Service.
MTzhTW	Chinese (Taiwan) language pack for FIM Service.
MTcsCZ	Czech language pack for FIM Service.
MTdaDK	Danish language pack for FIM Service.
MTnlNL	Dutch language pack for FIM Service.
MTfiFI	Finnish language pack for FIM Service.
MTfrFR	French language pack for FIM Service.
MTdeDE	German language pack for FIM Service.
MTitIT	Italian language pack for FIM Service.
MTjaJP	Japanese language pack for FIM Service.
MTkoKR	Korean language pack for FIM Service.
MTnbNO	Norwegian language pack for FIM Service.
MTplPL	Polish language pack for FIM Service.
MTptBR	Portuguese (Brazil) language pack for FIM Service.
MTptPT	Portuguese (Portugal) language pack for FIM Service.
MTruRU	Russian language pack for FIM Service.
MTesES	Spanish language pack for FIM Service.
MTsvSE	Swedish language pack for FIM Service.
MTtrTR	Turkish language pack for FIM Service.
ResetbgBG	Bulgarian language pack for FIM Password Reset Portal.
ResetzhCN	Chinese (Simplified) language pack for FIM Password Reset Portal.
ResetzhTW	Chinese (Taiwan) language pack for FIM Password Reset Portal.
ResethrHR	Croatian language pack for FIM Password Reset Portal.
ResetcsCZ	Czech language pack for FIM Password Reset Portal.
ResetdaDK	Danish language pack for FIM Password Reset Portal.
ResetnlNL	Dutch language pack for FIM Password Reset Portal.
ResetetEE	Estonian language pack for FIM Password Reset Portal.
ResetfiFI	Finnish language pack for FIM Password Reset Portal.
ResetfrFR	French language pack for FIM Password Reset Portal.
ResetdeDE	German language pack for FIM Password Reset Portal.
ResetelGR	Greek language pack for FIM Password Reset Portal.
ResethiIN	Hindi language pack for FIM Password Reset Portal.
ResethuHU	Hungarian language pack for FIM Password Reset Portal.
ResetitIT	Italian language pack for FIM Password Reset Portal.
ResetjaJP	Japanese language pack for FIM Password Reset Portal.
ResetkoKR	Korean language pack for FIM Password Reset Portal.
ResetlvLV	Latvian language pack for FIM Password Reset Portal.
ResetltLT	Lithuanian language pack for FIM Password Reset Portal.
ResetnbNO	Norwegian language pack for FIM Password Reset Portal.
ResetplPL	Polish language pack for FIM Password Reset Portal.
ResetptBR	Portuguese (Brazil) language pack for FIM Password Reset Portal.
ResetptPT	Portuguese (Portugal) language pack for FIM Password Reset Portal.
ResetroRO	Romanian language pack for FIM Password Reset Portal.
ResetruRU	Russian language pack for FIM Password Reset Portal.
ResetsrCS	Serbian language pack for FIM Password Reset Portal.
ResetskSK	Slovak language pack for FIM Password Reset Portal.
ResetslSI	Slovenian language pack for FIM Password Reset Portal.
ResetesES	Spanish language pack for FIM Password Reset Portal.
ResetsvSE	Swedish language pack for FIM Password Reset Portal.
ResetthTH	Thai language pack for FIM Password Reset Portal.
ResettrTR	Turkish language pack for FIM Password Reset Portal.
ResetukUA	Ukranian language pack for FIM Password Reset Portal.
RegistrationbgBG	Bulgarian language pack for FIM Password Registration Portal.
RegistrationzhCN	Chinese (Simplified) language pack for FIM Password Registration Portal.
RegistrationzhTW	Chinese (Taiwan) language pack for FIM Password Registration Portal.
RegistrationhrHR	Croatian language pack for FIM Password Registration Portal.
RegistrationcsCZ	Czech language pack for FIM Password Registration Portal.
RegistrationdaDK	Danish language pack for FIM Password Registration Portal.
RegistrationnlNL	Dutch language pack for FIM Password Registration Portal.
RegistrationetEE	Estonian language pack for FIM Password Registration Portal.
RegistrationfiFI	Finnish language pack for FIM Password Registration Portal.
RegistrationfrFR	French language pack for FIM Password Registration Portal.
RegistrationdeDE	German language pack for FIM Password Registration Portal.
RegistrationelGR	Greek language pack for FIM Password Registration Portal.
RegistrationhiIN	Hindi language pack for FIM Password Registration Portal.
RegistrationhuHU	Hungarian language pack for FIM Password Registration Portal.
RegistrationitIT	Italian language pack for FIM Password Registration Portal.
RegistrationjaJP	Japanese language pack for FIM Password Registration Portal.
RegistrationkoKR	Korean language pack for FIM Password Registration Portal.
RegistrationlvLV	Latvian language pack for FIM Password Registration Portal.
RegistrationltLT	Lithuanian language pack for FIM Password Registration Portal.
RegistrationnbNO	Norwegian language pack for FIM Password Registration Portal.
RegistrationplPL	Polish language pack for FIM Password Registration Portal.
RegistrationptBR	Portuguese (Brazil) language pack for FIM Password Registration Portal.
RegistrationptPT	Portuguese (Portugal) language pack for FIM Password Registration Portal.
RegistrationroRO	Romanian language pack for FIM Password Registration Portal.
RegistrationruRU	Russian language pack for FIM Password Registration Portal.
RegistrationsrCS	Serbian language pack for FIM Password Registration Portal.
RegistrationskSK	Slovak language pack for FIM Password Registration Portal.
RegistrationslSI	Slovenian language pack for FIM Password Registration Portal.
RegistrationesES	Spanish language pack for FIM Password Registration Portal.
RegistrationsvSE	Swedish language pack for FIM Password Registration Portal.
RegistrationthTH	Thai language pack for FIM Password Registration Portal.
RegistrationtrTR	Turkish language pack for FIM Password Registration Portal.
RegistrationukUA	Ukranian language pack for FIM Password Registration Portal.

Table 3 Add-ins and Extensions Language Pack Features

Feature	Description
FIMALP	FIM Add-ins and Extensions Language Pack
bgBG	Bulgarian language
zhCN	Chinese (Simplified) language
zhTW	Chinese (Taiwan) language
hrHR	Croatian language
csCZ	Czech language
daDK	Danish language
nlNL	Dutch language
etEE	Estonian language
fiFI	Finnish language
frFR	French language
deDE	German language
elGR	Greek language
hiIN	Hindi language
huHU	Hungarian language
itIT	Italian language
jaJP	Japanese language
koKR	Korean language
lvLV	Latvian language
ltLT	Lithuanian language
nbNO	Norwegian language
plPL	Polish language
ptBR	Portuguese (Brazil) language
ptPT	Portuguese (Portugal) language
roRO	Romanian language
ruRU	Russian language
srCS	Serbian language
skSK	Slovak language
slSI	Slovenian language
esES	Spanish language
svSE	Swedish language
thTH	Thai language
trTR	Turkish language
ukUA	Ukranian language

The following tables list the properties that are associated with the features from above.
Table 4 Synchronization Service properties

Property Name	Description
STORESERVER	Name of SQL Server
SQLDB	Name of database (FIMSynchronization)
SQLINSTANCE	Name of database instance
SERVICEACCOUNT	(Required) Service account name
SERVICEPASSWORD	Required) Service account password
SERVICEDOMAIN	(Required) Service account domain
GROUPADMINS	Name of admin group (FIMSyncAdmins)
GROUPOPERATORS	Name of operators group (FIMSyncOperators)
GROUPACCOUNTJOINERS	Name of joiners group (FIMSyncJoiners)
GROUPBROWSE	Name of browse group (FIMSyncBrowse)
GROUPPASSWORDSET	Name of password set group (FIMSyncPasswordSet)
FIREWALL_CONF	0 – Do not configure firewall (default)1 – Configure firewall

Table 5 FIM Service and FIM Portal properties

Property name	Description
SQMOPTINSETTING	1 – opt in, 0 – opt out (default)
SQLSERVER_SERVER	(Required) Name of SQL Server instance
SQLSERVER_DATABASE	Name of database (FIMService)
EXISTINGDATABASE	0 – New database (default), 1 – Existing database
MAIL_SERVER	(Required) Name of mailserver
MAIL_SERVER_USE_SSL	0 – Disable SSL, 1 – Enable SSL (default)
MAIL_SERVER_IS_EXCHANGE	0 – SMTP, 1 – Exchange (default)
SERVICE_MANAGER_SERVER	Name of the FIM Reporting Service Manager management server.
POLL_EXCHANGE_ENABLED	0 – Server will not poll for e-mail messages1 – Server will poll for e-mail messages (default)
CERTIFICATE_NAME	Name of certificate to generate (ForefrontIdentityManager)
SERVICE_ACCOUNT_NAME	(Required) Service account name
SERVICE_ACCOUNT_PASSWORD	(Required) Service account password
SERVICE_ACCOUNT_DOMAIN	(Required) Service account domain
SERVICE_ACCOUNT_EMAIL	(Required) Service account e-mail address
SYNCHRONIZATION_SERVER	(Required) Address of FIM Synchronization Service server
SYNCHRONIZATION_SERVER_ACCOUNT	FIM Service Management Agent account in format domain\accountname
SERVICEADDRESS	Address used by clients to contact the server
SHAREPOINT_URL	URL used to contact the SharePoint server
REGISTRATION_PORTAL_URL	An optional URL of the FIM 2010 R2 password registration portal that the FIM portal will redirect to when the user clicks on the "Register for password reset" FIM portal homepage link.
FIREWALL_CONF	0 – Do not configure firewall (default)1 – Configure firewall
SHAREPOINTUSERS_CONF	0 – Do not add authenticated users (default1 – Add authenticated users
PASSWORDUSERS_CONF	0 – Do not add authenticated users (default1 – Add authenticated users
REQUIRE_REGISTRATIONPORTAL_INFO	0 – Do not require password registration information (default)1 – Require password registration information
REGISTRATION_ACCOUNT_NAME	Account name of the application pool account that will run the password registration portal.
REGISTRATION_ACCOUNT_DOMAIN	Domain of the application pool account that will run the password registration portal.
REQUIRE_RESET_INFO	0 – Do not require password reset information (default)1 – Require password reset information
RESET_ACCOUNT_NAME	Account name of the application pool account that will run the password reset portal.
RESET_ACCOUNT_DOMAIN	Domain of the application pool account that will run the password reset portal.
SHAREPOINTTIMEOUT	Timeout in seconds the installer should wait for Office SharePoint to deploy the solution packs.

Table 6 FIM 2010 R2 Certificate Management properties

Property Name	Description
WEBAPPNAME	Name of the virtual folder for certificate Management.
SITELOCK_DOMAIN	List of sites used by FIM CM installations. This list is used for ActiveX controls to initiate.

Table 7 Add-ins and Extensions properties

Property name	Description
SQMOPTINSETTING	1 – opt in, 0 – opt out (default)
PORTAL_LOCATION	Address to the FIM Portal. Used by Outlook add-in.
PORTAL_PREFIX	Prefix used to contact the FIM Portal. http or https (default)
MONITORED_EMAIL	FIM Service e-mail address. Used by the Outlook add-in when sending e-mail messages.
RMS_LOCATION	Address to the FIM Service. Used by Password Reset extensions
REGISTRATION_PORTAL_URL	The URL of the FIM 2010 R2 password registration portal that the rich client will navigate to by default. As part of the rich client password registration, the rich client will invoke the user's default browser to navigate to that URL if password registration be required. As part of the rich client password registration, the rich client will invoke the user's default browser to navigate to this URL if password registration be required.
BEST_EFFORT_INSTALL	If both components are selected, but one cannot be installed due to failed prerequisites, silently continue installation with the other component. 0 – Fail installation (default) 1 – Silently continue

The following is an example of installing the FIM 2010 R2 Synchronization Service:

Copy

msiexec /q /i “D:\Synchronization Service\Synchronization Service.msi" STORESERVER=LocalMachine SQLDB=FIMSynchronization SERVICEACCOUNT=FimSynchService SERVICEPASSWORD=Pass1word! SERVICEDOMAIN=CORP GROUPADMINS=FIMSyncAdmins GROUPOPERATORS=FIMSyncOperators GROUPACCOUNTJOINERS=FIMSyncJoiners GROUPBROWSE=FIMSyncBrowse GROUPPASSWORDSET=FIMSyncPasswordSet FIREWALL_CONF=1   /L*v C:\mylogfile.txt

The following is an example of installing the FIM 2010 R2 Service and Portal:

Copy

msiexec /q /i "D:\Service and Portal\Service and Portal.msi" ADDLOCAL=CommonServices,WebPortals SQMOPTINSETTING=0 SQLSERVER_SERVER=APP1 SQLSERVER_DATABASE=FIMService EXISTINGDATABASE=0 MAIL_SERVER=EX1.corp.contoso.com MAIL_SERVER_USE_SSL=0 MAIL_SERVER_IS_EXCHANGE=1 POLL_EXCHANGE_ENABLED=1 CERTIFICATE_NAME=ForefrontIdentityManager SERVICE_ACCOUNT_NAME=FIMService SERVICE_ACCOUNT_PASSWORD=abc123*2k SERVICE_ACCOUNT_DOMAIN=CORP SERVICE_ACCOUNT_EMAIL=FIMService@corp.contoso.com SERVICE_MANAGER_SERVER=APP2 SYNCHRONIZATION_SERVER=FIM1 SYNCHRONIZATION_SERVER_ACCOUNT=CORP\FIMMA SERVICEADDRESS=FIM1 SHAREPOINT_URL=http://localhost REGISTRATION_PORTAL_URL=https://passwordregistration.corp.contoso.com FIREWALL_CONF=1 SHAREPOINTUSERS_CONF=1 REQUIRE_REGISTRATION_INFO=1 REGISTRATION_ACCOUNT_NAME=FIMPassword REGISTRATION_ACCOUNT_DOMAIN=CORP REQUIRE_RESET_INFO=1 RESET_ACCOUNT_NAME=FIMPassword RESET_ACCOUNT_DOMAIN=CORP  /L*v C:\fimservicelog.txt

The following is an example of a command-line installation for the Password Reset and Registration Portal.

Copy

msiexec /q /i “D:\Service and Portal\Service and Portal.msi"  ADDLOCAL=RegistrationPortal,ResetPortal REGISTRATION_ACCOUNT=CORP\FIMPassword REGISTRATION_ACCOUNT_PASSWORD=Pass1word$ REGISTRATION_HOSTNAME=passwordregistration.corp.contoso.com REGISTRATION_PORT=80 REGISTRATION_FIREWALL_CONFIG=1 REGISTRATION_SERVERNAME=FIM1 IS_REGISTRATION_EXTRANET=Extranet RESET_ACCOUNT=CORP\FIMPassword RESET_ACCOUNT_PASSWORD=Pass1word$ RESET_HOSTNAME=passwordreset.corp.contoso.com RESET_PORT=81 RESET_FIREWALL_CONF=1  RESET_SERVERNAME=FIM1 IS_RESET_EXTRANET=Extranet /L*v C:\mylogfile.txt 

The following is an example of a command-line installation for the FIM CM Web Portal and FIM CM Update Service of FIM 2010 Certificate Management

Copy

msiexec /q /i “D:\Certificate Management\x64\Certificate Management.msi"  ADDLOCAL=CLM_Service,Web_Files WEBAPPNAME=CertificateManagement /L*v C:\mylogfile.txt

The following is an example of a command-line installation for the FIM CM CA Modules of FIM 2010 Certificate Management

Copy

msiexec /q /i “D:\Certificate Management\x64\Certificate Management.msi"  ADDLOCAL=CA_Modules /L*v C:\mylogfile.txt

The following is an example of a command-line installation for the FIM CM Client of FIM 2010 Certificate Management

Copy

msiexec /q /i “D:\CM Client\x64\CM Client.msi"  ADDLOCAL=CMClient,ChangePin,AppletManagement,SelfServiceControl,ProfileUpdateControl /L*v C:\mylogfile.txt

The following is an example of installing the Add-ins and Extensions:

Copy

msiexec /q /i “D:\Add-ins and extesnisons\x64\Add-ins and extensions.msi" ADDLOCAL=OfficeClient,PasswordClient PORTAL_LOCATION=FIM1 PORTAL_PREFIX=http RMS_LOCATION=FIM1 MONITORED_EMAIL=FIMService@corp.contoso.com REGISTRATION_PORTAL_URL=https://passwordregistratio.corp.contoso.com /L*v C:\mylogfile.txt

The following is an example of installing the Service and Portal Language Pack. It shows how to install the Japanese language pack for all of the components

Copy

msiexec /q /i “D:\Service and Portal Language Pack\Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,PortaljaJP,FIMServiceLP,MTjaJP, FIMResetPortalLP,ResetjaJP,FIMRegistrationPortalLP,RegistrationjaJP /L*v C:\mylogfile.txt

The following is an example of installing the Add-ins and Extensions Language Pack. It shows how to install the Japanese language.

Copy

msiexec /q /i “D:\Add-ins and Extensions Language Pack\Add-ins and Extensions Language Pack.msi" ADDLOCAL=FIMALP,jaJP /L*v C:\mylogfile.txt