Preinstallation and Topology Configuration
This document provides an overview of the major components of a FIM 2010 deployment with recommendations for topology architecture, load-balancing, and high-availability scenarios.
Components to Deploy
FIM 2010 consists of these main components:
FIM Service
Deploying the FIM Service component consists of installing the FIM Service and configuring the FIM Service SQL database. This section discusses the options and recommendations for deploying the FIM Service. It also discusses the options and recommendations for deploying the FIM Service SQL database.
You can deploy the FIM Service:
You can deploy the FIM Service:
- On a stand-alone server
- On a shared server with the FIM Portal and Windows® SharePoint® Services 3.0
- On multiple servers, we recommend that you use:
- Network Load Balancing (NLB) to distribute the processing load.
- Aliases (for instance, A or CNAME records) so that one common name is exposed to the user.
- A separate alias for a dedicated FIM Service server as an alternative to offload intensive administration tasks to one or more servers so that the end-user tasks are not affected.
Important If you use a load-balancing technology other than the NLB feature in Windows Server 2008 or Windows Server 2008 R2, make sure your solution will redirect one session to the same server and not to a random server. - Network Load Balancing (NLB) to distribute the processing load.
- We strongly recommend that the FIM Service SQL database exist on a dedicated server.
- The server running Microsoft SQL Server® can be a single server or part of a failover cluster.
- You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.
FIM Synchronization Service
Deploying the FIM Synchronization Service consists of installing the FIM Synchronization Service, configuring management agents for various connected data sources, and configuring the FIM Synchronization Service SQL database. This section discusses the options and recommendations for deploying the FIM Synchronization Service.
FIM Synchronization Service requirements:
FIM Synchronization Service requirements:
- Only one FIM Synchronization Service instance can exist in a deployment.
Warning Having more than one Synchronization Service instance can cause errors when attempting to upgrade a FIM deployment. - The FIM Synchronization Service may be installed on a stand-alone server or on the same server as the SQL Server database. If you connect the FIM Synchronization Service and the database with at least a 1-GB network, there is no significant performance difference when you separate the two components.
- The server running SQL Server can be a stand-alone server or part of a failover cluster.
- You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.
FIM Portal
Deploying the FIM Portal consists of installing the FIM Portal component and configuring Windows SharePoint Services. This section discusses the options and recommendations for deploying Windows SharePoint Services and the options and recommendations for deploying the FIM Portal.
Deploying Windows SharePoint Services 3.0
- Deployment - You can deploy Windows SharePoint Services on either a stand-alone server or as a Windows SharePoint Services server farm. There is no performance advantage in either deployment, but a stand-alone deployment is in most configurations easier to manage. You can also deploy Windows SharePoint Services on a single server, along with the FIM Service and the FIM Portal.
- Load balancing
- If you are deploying a Windows SharePoint Services server farm, Windows SharePoint Services automatically load-balances the servers.
- NLB can also be used in addition to Windows SharePoint Services load-balancing to distribute the processing load. If you use another solution other than NLB, ensure that the solution makes sure that one user always is directed to the same server (also known as pinning).
- In a load-balanced environment, we also recommend that you use an alias (for example, CNAME record) so that one common name is exposed to the user.
- If you are deploying a Windows SharePoint Services server farm, Windows SharePoint Services automatically load-balances the servers.
- A SharePoint server farm will need one shared SQL database for its configuration. Make sure this database has the same high available solution as the other FIM databases to not have a single point of failure.
- SharePoint products and technologies - The following products are currently not supported:
- Microsoft Office SharePoint Server
- Microsoft SharePoint Foundation 2010
- Microsoft Office SharePoint Server
Deploying the FIM Portal
The FIM Portal is a component that does not demand intensive resources and can be deployed on the same server as the FIM Service. For more information, see the illustrations in the following sections.
Topology Considerations
How you deploy Microsoft® Forefront® Identity Manager (FIM) 2010 depends almost entirely on the size and complexity of the environment you need to support. This section is intended to help you determine an optimal network topology for your environment. It addresses ways to deploy FIM beginning with a basic topology typically used by smaller organizations, followed by more advanced topologies to meet the requirements of larger organizations. In general terms, the topology, hardware profiles, and related system requirements described in this document can be applied to organizations based on the following scale:
In the multitier topology, a dedicated computer to host each SQL database (one for the FIM 2010 R2 Service and another for the FIM 2010 R2 Synchronization Service) is allocated. The scalability of the performance of the computers that host the SQL databases can be increased by adding or upgrading hardware, for example, by upgrading the CPUs, adding additional CPUs, increasing random access memory (RAM) or upgrading the RAM, or upgrading the hard drive configurations to increase read and write access and decrease latency.
The following are examples of some standard FIM 2010 deployment scenarios.
- Small organization of up to 20,000 users and 10,000 groups. Basic deployment with multitier topology and network load balancing.
- Medium organization of up to 50,000 users and 50,000 groups. Advanced deployment with multitier topology, network load balancing, and dedicated servers for FIM services.
- Large organization of up to 200,000 users and 450,000 groups. Advanced deployment with multitier topology, network load balancing, and multiple multiple servers for FIM services.
In the multitier topology, a dedicated computer to host each SQL database (one for the FIM 2010 R2 Service and another for the FIM 2010 R2 Synchronization Service) is allocated. The scalability of the performance of the computers that host the SQL databases can be increased by adding or upgrading hardware, for example, by upgrading the CPUs, adding additional CPUs, increasing random access memory (RAM) or upgrading the RAM, or upgrading the hard drive configurations to increase read and write access and decrease latency.
The following are examples of some standard FIM 2010 deployment scenarios.
Basic FIM deployment
A basic deployment which could be used in a small organization may be deployed on three to four servers running Microsoft Windows Server® operating systems.
In this deployment there is one dedicated SQL server for the FIM Service DB. The FIM Service and Portal are installed on a stand-alone server in an NLB cluster. Additional FIM Service and Portal servers can be added to the NLB cluster when needed. In this configuration, the FIM 2010 R2 Synchronization Service and its database are hosted on the same computer. However, you should be able to achieve similar performance if there is a one-gigabit dedicated network connection between the FIM 2010 R2.
In this deployment there is one dedicated SQL server for the FIM Service DB. The FIM Service and Portal are installed on a stand-alone server in an NLB cluster. Additional FIM Service and Portal servers can be added to the NLB cluster when needed. In this configuration, the FIM 2010 R2 Synchronization Service and its database are hosted on the same computer. However, you should be able to achieve similar performance if there is a one-gigabit dedicated network connection between the FIM 2010 R2.
FIM deployment with multiple dedicated servers
In this example, which could be used in a medium-sized organization, the basic components, are deployed among five servers running Windows Server with both the FIM Portal and Windows SharePoint Services installed on the same stand-alone server.
A dedicated server is used for the FIM synchronization service and a dedicated server is used for the FIM synchronization service DB. The FIM Portal is separated from the FIM Service servers.
A dedicated server is used for the FIM synchronization service and a dedicated server is used for the FIM synchronization service DB. The FIM Portal is separated from the FIM Service servers.
Load-balancing the FIM Service with multiple servers
A more advanced deployment, which could be used in a larger organization, is to load balance FIM Services using multiple dedicated servers with some designated to handle user requests and others reserved for administrative requests. Synchronization of data with external systems can add a considerable load to the system and run over an extended period of time. If the synchronization configuration results in triggering policies with workflows, these policies contend for resources with end-user workflows. Such issues can be pronounced with authentication workflows, such as password resets, which are done in real time with an end user waiting for the process to complete. By providing one instance of the FIM 2010 R2 Service for end user operations and a separate portal for administrative data synchronization, you can provide better responsiveness for end-user operations.
Using different external names for FIM Service will also allow server partitioning for workflows. When a workflow instance is created the external name of the server is added to the instance. Another server with the same external name can pick up and resume hydrated workflows. This partitioning will ensure that workflows started on the FIM-Admin instance never will be processed by the FIM-User instances ensuring more responsive servers used by end-users.
Using different external names for FIM Service will also allow server partitioning for workflows. When a workflow instance is created the external name of the server is added to the instance. Another server with the same external name can pick up and resume hydrated workflows. This partitioning will ensure that workflows started on the FIM-Admin instance never will be processed by the FIM-User instances ensuring more responsive servers used by end-users.
No comments:
Post a Comment