8/29/2012

External links:
  • How to migrate Microsoft ISA Server 2006 to Microsoft Forefront TMG
  • Can I do this on ISA Server? No, but you can with TMG

Learn more about Forefront TMG 2010

Below are some resources that are available for learning about and trying Forefront TMG 2010:

Microsoft Forefront TMG Core Capabilities

Microsoft Forefront TMG 2010 is positioned as a Secure Web Gateway. The core new features of this product are:
  • URL filtering: improves blocking of malicious or inappropriate sites using aggregated data from multiple URL filtering vendors and the anti-phishing and malware technologies that also protect Internet Explorer 8 users.
  • HTTPS Inspection: inspect outbound HTTPS traffic in order to protect your organization from security risks inherent to Secure Sockets Layer (SSL) tunnels, such as viruses and other malicious content that could infiltrate the organization undetected.
  • Intrusion Prevention (NIS): Protects against browser-based and other Microsoft vulnerabilities.
  • Web anti-malware: Provides highly accurate malware detection with the same world-class engine that is used by Microsoft Security Essentials and Microsoft Forefront products.
  • Support for Windows Server 2008 R2 (x64): first Microsoft Edge protection product that leverages the scalability and increased memory space improvements of the Windows 64 bit platform.

8/28/2012

FIM Server Roles

Federating FIM 2010 using UAG/ADFS and KCD

Where is this applicable? Say you have a resource forest where FIM resides; how do you provide access to the portal from autonomous security realms without creating a bunch of NT trusts or maintaining secondary credentials? Because shadow accounts exist within the resource forest as security principals for dependent services (for example BPOS or O365), you can leverage UAG, ADFS, and KCD together to provide secure access. UAG is claims-aware and supports Kerberos protocol extensions for (1) protocol transitioning and (2) constrained delegation.
  • Protocol transition is a Kerberos extension introduced in Windows 2003 which allows a service that uses Kerberos to obtain a Kerberos service ticket on behalf of a Kerberos principal to the service without requiring the principal to initially authenticate to the KDC with credentials.
  • Constrained delegation is an extension which allows a service to obtain service tickets (under the delegated user's identity) to a subset of other services after it has been presented with a service ticket that is obtained either through the TGS_REQ protocol, as defined in IETF RFC 1510, or in the protocol transition extension.
The architecture should look and work as diagrammed below:


To get this working you need the following:
  1. Kerberos-enabled WSS 3.0 (FIM Portal Server) + working FIM 2010 installation
  2. ADFS 2.0 Server (STS-RP and STS-IP)
  3. UAG 2010 SP1
There are many online references for configuring WSS for Kerberos; therefore, I’m just going to summarize the key configuration tasks and troubleshooting notes.
Configuring WSS for Kerberos
  1. Reference the following TechNet article to configure Kerberos authentication within WSS:
  2. Ensure Kerberos is enabled end-to-end:
    • Run the following query against SQL Server to determine whether Kerberos is being used for the current connection (auth_scheme should read KERBEROS rather than NTLM):
      • SELECT session_id, auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID;
      • Verify Kerberos is being used on the WSS Web Front-end event logs. You should be able to filter the log to Event ID: 4624.
        • You can also use Fiddler to validate WWW-Authentication from the client browser to IIS.
  3. Once you’re sure Kerberos is configured end-to-end within WSS, you should be good to proceed.
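As an added example (not part of the original post), here are the two checks from step 2 as a PowerShell script: it asks SQL Server which authentication scheme the current connection negotiated, and it summarises the authentication package recorded in recent network logons (Event ID 4624, logon type 3) on the WSS front-end. The SQL server name is a placeholder, and the script assumes it runs on the front-end under an account that can read the Security log and connect to SQL Server with Windows authentication.

```powershell
# Added example, not the post author's code. Placeholders: $SqlServer, $Database.
$SqlServer   = 'sql.contoso.local'
$Database    = 'master'
$WebFrontEnd = $env:COMPUTERNAME

# 1. Ask SQL Server which authentication scheme this connection negotiated. Anything other
#    than KERBEROS (typically NTLM) means the SQL service SPN is missing or a ticket could not
#    be obtained, so Kerberos delegation from WSS to SQL will not work either.
function Get-SqlAuthScheme {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Db)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=$Db;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT session_id, auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                SessionId    = $reader['session_id']
                AuthScheme   = $reader['auth_scheme']
                NetTransport = $reader['net_transport']
            }
        }
        $reader.Close()
    } finally {
        $conn.Close()
    }
}

# 2. Summarise the authentication package of recent network logons on the web front-end.
#    Browser logons to IIS appear as logon type 3; NTLM rows for your test user show the
#    client never presented a Kerberos ticket (wrong SPN, no trust, or a non-domain client).
function Get-WebLogonPackages {
    param([Parameter(Mandatory)][string]$Computer, [int]$Hours = 1)
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '3') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                AuthPackage = $data['AuthenticationPackageName']
                Source      = $data['IpAddress']
            }
        }
    }
}

Get-SqlAuthScheme -Server $SqlServer -Db $Database | Format-List
Get-WebLogonPackages -Computer $WebFrontEnd | Group-Object User, AuthPackage | Select-Object Count, Name
```

Run it once from a domain-joined client session against the front-end after browsing the portal; a user that shows up under both Kerberos and NTLM usually has one URL (host name versus FQDN) without a matching HTTP SPN.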
Configure UAG with ADFS 2.0
For the ADFS and UAG configuration make sure the common pre-requisites are configured properly. What I’m referring to is name resolution, certificates, and a working configuration. To ensure this, I recommend configuring a sample claims-aware application to ensure ADFS is working. This can be accomplished by using any of the step-by-step guides published by the PG.
The next step is to create a portal trunk in UAG and wire it up to the STS.
  1. Within the UAG Management Tool, add an ADFS Authentication Server.
  2. Specify the URL of the federation metadata and select the “Retrieve Metadata” button.
    • Select the claim value to be used as lead user value. I used Name but this can be something like UPN or Windows Account Name; whatever you want really.
  3. Create a portal trunk which will use ADFS as an authentication mechanism.
  4. Save and activate the configuration. The next step would be configuring UAG as an RP in ADFS.
    • Verify the federation metadata on UAG and save it to a file for later use.
  5. Configure UAG as an RP Trust in ADFS. To do this, you will need to import the federation metadata from the file created in the previous step.
  6. Edit the Claims Rules to pass data from the attribute store. In my configuration, the minimum was SAM-Account-Name mapping to Name. Save and test the configuration.
  7. As a test, you should attempt to access the UAG Portal. You should be redirected to your IdP. If you have more than one identity provider, then the requestor will need to select their IdP within the HRD page. Otherwise, you should get the FBA login page presented by the IdP. Enter the appropriate credentials to successfully authenticate and be redirected to the RP (UAG Portal). The RP will consume the AuthN token and the end result is to successfully log into the UAG Portal.
Publish FIM through UAG
Now that requestors can successfully log into UAG using Federated AuthN, the next step is to publish FIM 2010 as an application within UAG.
  1. Add an application within the existing trunk. UAG comes with a template to use with FIM 2010.
  2. Specify the URL for FIM under the web servers’ properties.
  3. Enable SSO under the authentication properties. Select “Use Kerberos constrained delegation for single sign-on”. Additionally, select a value from this claim type as the shadow account user name for KCD when using federated authentication. The final step is to configure the SPNs in Active Directory for KCD to the UAG server object. Using the UAG Management Tool, Export KCD Settings to Active Directory. Then use Ldifde.exe to import the SPN value, which is set on the msDS-AllowedToDelegateTo attribute of the UAG computer object.
    • I prefer publishing applications directly through UAG. To do this, uncheck “Add portal and toolbar link” and “Open in a new window” within the Portal Link properties. Within the Portal Trunk configuration, I modify the “Portal home page” to the FIM Application and uncheck “Display home page within portal frame”. Assuming the FIM SPNs are configured properly, we can assume a working FIM Portal.
  4. The final step is to test the configuration. Browse the FIM URL from an untrusted workstation outside of the network. The end result is the FIM Portal being rendered in the same way as if you were accessing it internally.
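An added PowerShell check (not from the original post) for the KCD settings that the export writes to the UAG computer object: it reads msDS-AllowedToDelegateTo, confirms that protocol transition is enabled and that unconstrained delegation is not, and confirms each delegation target SPN is registered on exactly one account (a duplicate or missing SPN makes Kerberos fail and clients fall back to NTLM). It assumes the ActiveDirectory module is available; UAG01 and HTTP/fim.contoso.local are placeholders for your UAG server and FIM Portal SPN.

```powershell
# Added example, not the post author's code. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-UagKcdConfig {
    param(
        [Parameter(Mandatory)][string]$UagComputer,     # placeholder: your UAG computer account
        [Parameter(Mandatory)][string[]]$ExpectedSpn    # placeholder: the FIM Portal SPN(s)
    )
    $uag = Get-ADComputer -Identity $UagComputer -Properties 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $allowed  = @($uag.'msDS-AllowedToDelegateTo')
    $findings = New-Object System.Collections.Generic.List[string]

    # Protocol transition (S4U2Self) is what lets UAG obtain tickets for federated users who never
    # authenticated to the KDC; without it the KCD hop to the FIM Portal cannot start.
    if (-not $uag.TrustedToAuthForDelegation) {
        $findings.Add('Protocol transition is off (TrustedToAuthForDelegation=false); federated SSO to FIM will fail.')
    }
    # Unconstrained delegation would let the UAG box impersonate users to any service; KCD does not need it.
    if ($uag.TrustedForDelegation) {
        $findings.Add('Unconstrained delegation is on (TrustedForDelegation=true); keep delegation constrained to the listed SPNs.')
    }
    foreach ($spn in $ExpectedSpn) {
        if ($allowed -notcontains $spn) { $findings.Add("Expected SPN $spn is missing from msDS-AllowedToDelegateTo.") }
    }
    foreach ($spn in $allowed) {
        if ($ExpectedSpn -notcontains $spn) { $findings.Add("Unexpected delegation target $spn; review whether it is needed.") }
        # Each target SPN must be registered on exactly one account; duplicates make the KDC refuse the ticket.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        if ($owners.Count -ne 1) { $findings.Add("SPN $spn is registered on $($owners.Count) accounts (expected 1).") }
    }

    [pscustomobject]@{
        Computer            = $uag.Name
        AllowedToDelegateTo = $allowed
        Findings            = $findings
    }
}

Test-UagKcdConfig -UagComputer 'UAG01' -ExpectedSpn 'HTTP/fim.contoso.local' | Format-List
```

An empty Findings list is the state you want before testing from an external workstation; if the portal still fails, the remaining suspects are the FIM application pool identity (the SPN owner) and the claim chosen as the shadow-account user name.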


Chris Calderon
MSFT

Release Notes for Forefront Identity Manager 2010 R2

by MS Technet
Welcome to the release notes for Microsoft® Forefront® Identity Manager (FIM) 2010 R2. Before you install this application, we recommend that you read this entire document and the Forefront Identity Manager 2010 R2 Deployment Guide. You can use these notes to guide you as you troubleshoot issues that may arise when you use FIM 2010 R2.

Release Notes for Forefront Identity Manager 2010 R2 – Known Issues

These release notes are broken down into 3 main areas of focus. These areas are Pre-Installation and Upgrade, Installation and Upgrade, and Post-Installation. Each of these areas is then subdivided into the various features that make up FIM 2010 R2. This will provide easy and quick reference to the features and components that pertain to you.

Area: Description
Pre-Installation and Upgrade: Includes known issues that need to be understood prior to installing or upgrading to FIM 2010 R2
Installation and Upgrade: Includes known issues that may occur during installation or upgrade
Post-Installation: Includes known issues that may occur once FIM 2010 R2 is installed and running.

Pre-Installation and Upgrade

This section includes known issues that can occur and must be understood prior to installing and upgrading FIM 2010 R2. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.

Feature Area: Includes information on the following components
Service and Portal – Pre-Installation and Upgrade:
  • FIM Portal
  • FIM Service
  • FIM Service Database
  • Password Registration Portal
  • Password Reset Portal
  • Reporting
Service and Portal Language Packs – Pre-Installation and Upgrade:
  • Service and Portal Language Packs

Service and Portal – Pre-Installation and Upgrade


  • FIM Service: Domain and DomainConfiguration attributes default behavior for user and groups has now been extended to all resources in FIM
    If you have used either of these attributes as part of your current implementation in FIM, this change may result in unexpected behavior and/or failed requests. If you have used either of these attributes please test prior to upgrading your production environment.
  • FIM Service Database: Custom Schedules for FIM SQL Agent jobs are overwritten during upgrade
    If you have a customized the schedules for the FIM SQL Server agent jobs, you will need to reapply your changes.
  • Password Registration Portal, Password Reset Portal: Upgrading the SSPR portals from RC/RC Refresh to RTM is not possible.
    If you try and upgrade the SSPR portal from RC/RC Refresh to R2 RTM it will fail with an “invalid port” error. The fix for this is to uninstall the SSPR portals and install the new versions from the R2 RTM media.
  • FIM Synchronization Service: Users who installed FIM 2010 RTM from the MSDN website are unable to upgrade the Synchronization Service.
    If you have deployed FIM 2010 RTM from the MSDN website an in-place upgrade is not supported for the Synchronization Service. However, the database can be preserved and used in FIM 2010 R2 RTM. To do this, you must uninstall the FIM 2010 RTM Synchronization Service and then install FIM 2010 R2 RTM using the existing database. The uninstall and then subsequent install of FIM 2010 R2 is supported. The FIM Service and Portal can then be upgraded using the normal method. This only affects users who have installed FIM 2010 RTM from MSDN and only the Synchronization Service. This is a known issue.
  • Reporting: Upgrading from FIM 2010 R2 RC/RC Refresh Reporting to FIM 2010 R2 RTM Reporting is only supported for TAP customers who deployed the schema hotfix for RC
    Only customers that have participated in the TAP program and installed the schema hotfix for RC are supported when upgrading from FIM 2010 R2 RC/RC Refresh. To be supported you must meet the following criteria:

    1. Participated in the TAP program for FIM 2010 R2 RC
    2. Have deployed RC Reporting into production
    3. Have deployed RC using the schema hotfix
    If you meet all of the above requirements, it is recommended that you contact Microsoft Support for assistance with the upgrade.

Service and Portal Language Packs – Pre-Installation and Upgrade


  • Service and Portal Language Packs: Customers should back up their customized RCDC symbol-value pairs for non-English languages
    It is a known bug in upgrade that those non-English string resource values will be overwritten.

    Backing up involves exporting these RCDCs. To make these customizations appear again, you will need to re-do the customizations looking at the differences between the old and new symbol value pairs.

    For more information see Considerations for Upgrading to FIM 2010 R2 in the Forefront Identity Manager 2010 Deployment Guide.

Installation and Upgrade

This section includes known issues that can occur with installation and upgrade. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.

Feature Area: Includes information on the following components
Add-ins and extensions – Installation and Upgrade:
  • FIM Add-in for Outlook
  • FIM Password and Authentication Extensions
Certificate Management – Installation and Upgrade:
  • All Certificate Management Features
Service and Portal – Installation and Upgrade:
  • FIM Portal
  • FIM Service
  • FIM Service Database
  • Password Registration Portal
  • Password Reset Portal
  • Reporting
Service and Portal Language Packs – Installation and Upgrade:
  • Service and Portal Language Packs
Synchronization Service – Installation and Upgrade:
  • ECMA 2.0
  • FIM Management Agent
  • Synchronization Service

Add-ins and extensions – Installation and Upgrade


  • FIM Password and Authentication Extensions: After installing the FIM Password and Authentication Extensions a reboot is required
    The reason is that when these extensions are installed, changes are made to the Windows Authentication Framework. This requires a reboot. Likewise, if the FIM Password and Authentication Extensions are uninstalled, a reboot will be required.

Certificate Management – Installation and Upgrade


  • Certificate Management: FIM CM configuration fails if database name contains an apostrophe (‘)
    The FIM CM database name should not contain any apostrophe characters within it. The presence of an apostrophe in the database name causes an error when the FIM CM Configuration Wizard runs.
  • Certificate Management: FIM CM configuration fails if username or password contains an apostrophe (‘) as first or last character
    The FIM CM database username or password should not contain an apostrophe as the first or last character. The presence of an apostrophe as the first or last character causes an error when the FIM CM Configuration Wizard runs.

Service and Portal – Installation and Upgrade


  • FIM Portal: Running setup with a non-default SharePoint site URL or a SharePoint site that uses SSL will fail
    If you attempt to upgrade and are using a non-default SharePoint site URL (other than localhost) or you are using SSL on your SharePoint site, the upgrade will fail. To work around this, add http://localhost to the SharePoint alternate access mappings and re-run setup.
  • FIM Portal, FIM Service: Object reference not set to an instance of an object
    If you receive this error while attempting to install the FIM 2010 R2 Service and Portal, it is most likely an indication that the SQL Server service is unavailable or down. Please verify that the SQL Server service is running and the connection between the FIM Service and Portal is established and working.
  • FIM Service: Administrator must open firewall ports manually
    During a change installation, there is no option to open the firewall ports. The administrator must open the firewall ports manually.
  • Password Registration Portal: FIM Service Installer does not mask password for Self Service Password Reset accounts
    When running the FIM 2010 R2 Service and Portal MSI from the command line using the verbose log parameter (msiexec /i "Service and Portal.msi" /l*v log.txt), the REGISTRATION_ACCOUNT_PASSWORD property in the log file is not masked to “*” as it should be. This is a known issue that only occurs when verbose logging is turned on.
  • FIM Service Database: Database should use a collation that supports surrogate pair characters or searches on string attributes may return improper results
    If your environment contains string data with surrogate pair characters, you must have a SQL Database collation that supports them. Failure to do so will result in invalid search results. For more information on the available options refer to this article: http://msdn.microsoft.com/en-us/library/ms143503(v=sql.105).aspx

    After installation of the FIMService, run the following TSQL statement to determine the FIMService database collation.

    SELECT DATABASEPROPERTYEX('FimService', 'Collation') SQLCollation;

    A collation that works with a large variety of environments is this one: Latin1_General_100_CI_AS

    Follow the SQL Server documentation for how to change the collation if you need to do so to support your environment: http://msdn.microsoft.com/en-us/library/ms175835(v=sql.105)

Service and Portal Language Packs – Installation and Upgrade


  • Service and Portal Language Packs: Installing language packs from the command line may fail
    Installing language packs from the command line using the following syntax will fail:

    msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,FIMServiceLP /l* Install.log

    To install language packs:

    • Do not use the command line. Double click the .msi to launch the installation.

      or
    • You may use the command line to install one language pack at a time, using the following format (example shown is for the Russian locale (ruRU)):

      msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,PortalruRU,FIMServiceLP,MTruRU /l* Install.log
  • Service and Portal Language Packs: Service and Portal Language Packs cannot be uninstalled if FIM components that depend on SharePoint are uninstalled
    If you have installed the FIM Portal Language Pack or the FIM Password Reset Portal Language Pack (the old RTM password portal, not R2 SSPR Portals) and then you uninstall all of the FIM components that depend on SharePoint (the FIM Portal and the old FIM Password Reset Portal) you will not be able to uninstall or upgrade the language pack.

    This is because both the FIM Portal and old FIM Password portal rely on SharePoint and hence store the SharePoint base site collection URL in the registry (BaseSiteCollectionUrl). The Service and Portal language packs (for FIM portal, old password portal) also rely on that key to be in the registry.

    Therefore, uninstalling the FIM components that rely on SharePoint will result in the inability to uninstall/upgrade the language packs because you lost that registry key.

    To correct this issue do the following:

    1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal.
    2. Create a string value (REG_SZ) named BaseSiteCollectionUrl.
    3. Set that value to the SharePoint URL at which the FIM Portal/Password Reset Portal was deployed.
    4. You can now either uninstall or upgrade the language pack.
  • Service and Portal Language Packs: Object reference not set to an instance of an object
    If you receive this error while attempting to install the FIM 2010 R2 Service and Portal Language Pack, it is most likely an indication that the SQL Server service is unavailable or down. Please verify that the SQL Server service is running and the connection between the FIM Service and Portal is established and working.

Synchronization Service – Installation and Upgrade


  • FIM MA: Interactive logon required for setting up the FIM Service Management Agent
    The FIM MA requires the interactive logon right during setup. This requirement is a Windows behavior. When the Service account impersonates the MA account, Windows will do an interactive logon to be able to load the user profile (etc.). If the user isn’t allowed to log on interactively you will see an access denied in the security event log. This is needed for all operations.

Post-Installation

This section includes known issues that can occur once FIM 2010 R2 is installed and running. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.

Feature Area: Includes information on the following components
Add-ins and extensions – Post-Installation:
  • FIM Add-in for Outlook
  • FIM Password and Authentication Extensions
Certificate Management – Post-Installation:
  • All Certificate Management Features
Service and Portal – Post-Installation:
  • FIM Portal
  • FIM Service
  • FIM Service Database
  • Password Registration Portal
  • Password Reset Portal
  • Reporting
Synchronization Service – Post-Installation:
  • ECMA 2.0
  • FIM Management Agent
  • Synchronization Service

Add-ins and extensions – Post-Installation


  • FIM Add-in for Outlook: Unicode is not fully supported when launching the Outlook add-in for users with names that contain Unicode characters.
    This is because of a bug in Outlook.

Certificate Management – Post Installation


  • Certificate Management: User PIN dialog may not display on IE9
    FIM CM portal users may be blocked from completing a request when the FIM CM client is unable to display the user PIN dialog. This issue occurs intermittently for IE9 users who have not yet applied the IE 9 cumulative update located here.

Service and Portal – Post-Installation


  • FIM Portal: Double Quote in Contains Search Fails
    Entering a search string containing double quotes into a search scope that uses Contains functionality will fail with the following stack trace:

    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
    Other ---> System.Data.SqlClient.SqlException: Syntax error near 'User' in the full-text search condition '""User 1"*"'

  • FIM Portal: Authentication functionality changes
    With FIM 2010 R2, the following functionality is deprecated: interactive registration for an authentication workflow from the FIM 2010 R2 Portal, and interactive authentication for a request from the FIM 2010 R2 portal.
  • FIM Portal: Wildcard character * is not supported in Filter builder
    Important
    If you create a filter that uses the * character, for example
    DisplayName contains *
    the * character will be discarded from the filter definition and the resulting expression will be considered invalid, and will fail.

  • FIM Portal: Custom resources with ":", "(", or ")" in the name render the FIM Portal inoperable
    In this release, do not use a colon [:] or parentheses [()] in the system name of a custom resource. Creation of custom resources with these characters in the system name cause the FIM 2010 R2 Portal to become inoperable and requires a reinstallation of the FIM 2010 R2 Portal.
  • FIM Portal: User cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources
    In this release, the user cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on groups and user resources. To work around the issue, you can temporarily add StringRegex, IntegerMinimum, or IntegerMaximum to the Management Policy Rule (MPR) named Administration - Schema: Administrators can change selected attributes of schema-related resources. It is important to revert the changes after the modification since the MPR is there to protect against illegal modification to elements important to the system schema.
  • FIM Portal: Default DisplayName and Description is not submitted during creation of BindingDescription
    In this release, if the user does not modify the existing DisplayName or Description of a BindingDescription resource, the BindingDescription is created without DisplayName or Description even though in the user interface (UI) it appears that FIM 2010 has supplied a default value. The workaround is to update the DisplayName and Description after creation or supply a different value for these attributes during creation.
  • FIM Portal: Custom resources with hyphens in their names do not create RCDC configuration XML correctly
    You can create a custom attribute or custom resource type with a hyphen “-“ in the system name. However, if you create an RCDC for this new resource, the RCDC configuration file that is created automatically is not correct. The RCDC uses the attribute name as the control name, but the control name does not support “-“. The workaround is to remove “-“ from the control names in the RCDC configuration file.
  • FIM Portal: Timeouts while previewing dynamic membership of a set or group may prevent display of actual membership
    When previewing dynamic members of a group or set, an error message is displayed if the request times out. If you subsequently click Preview a second time, the query may show no members in the group or set, even if they do contain members. If this happens, click Cancel to close the dialog box and retry the preview operation. If the request times out again, the administrator may need to increase the server timeout.
  • FIM Portal: Default search operator for DisplayName has been changed to starts-with from contains
    As a result of working with a number of internal and external customers on portal search performance, we chose to change the default search operator used by the FIM Portal (Search Scopes, Identity Picker) to leverage starts-with rather than contains for the DisplayName attribute. This will impact your existing FIM Portal implementation and your FIM Portal administrative searches. If you wish to return to the previous search behavior for one or more search scopes, we have added the ability to configure an "Advanced Filter". Please see FIM 2010 R2 Search Changes for more information.
  • FIM Portal: ObjectPicker will not automatically resolve entered names when navigating to the next page
    When the user enters a name into an object picker and clicks the "next" button down below, the user is prompted to finish resolving names.
  • FIM Portal: Matching Usage Keywords are necessary for a search scope to appear on a given page of the site
    For example, the “Pending from Today” search scope may be expected to appear on the “Search Requests” page. The Usage Keywords for the “Pending from Today” search scope must be updated manually to include the Usage Keywords configured for the “Search Requests” page which, by default, are the following:

    • customized
    • Request
    • SearchRequests
  • FIM Portal: Disable SharePoint 2010 job: “SharePoint Foundation Search Refresh”
    The SharePoint Foundation 2010 job “SharePoint Foundation Search Refresh” will continuously generate FIM 2010 R2 event log entries. The errors can be ignored, but the FIM 2010 R2 event log will become unnecessarily cluttered. To disable the job, in SharePoint 2010 Central Administration, click Check job status, then disable the job “SharePoint Foundation Search Refresh”.
  • FIM Portal: Supplying no input for a Search Scope with the Advanced Filter configured does not produce search results
    As a workaround you can type a % into the Search box.
  • FIM Service, FIM Portal: Unicode not fully supported in certain cases
    The FIM 2010 R2 Portal and Service do not fully support Unicode in the case of User Names of new users created through the portal. This is to limit the format of User Names to those that can be used to create mailboxes through SharePoint.
  • FIM Service: Custom workflows, that run under the context of the requestor (Actor) may fail with permission denied
    If you encounter this error you will need to update your existing custom workflow(s) to explicitly set the ActorId and ensure that the appropriate MPRs have been configured.
  • FIM Service: Contains searches on String attributes relies on SQL Full Text Search (FTS) as part of the implementation
    The FTS parser may break the search string into multiple search tokens if any word break characters are found. This may lead to the Contains search returning invalid results. You may notice missing rows, or extra rows being returned that do not match your search string. You can use the SQL FTS parser http://technet.microsoft.com/en-us/library/cc280463(v=sql.105) to test the behavior of search strings commonly used in your environment. If you find that the SQL FTS parser is not returning the expected results, consider setting up search scopes using Starts-With instead which do not use FTS.
  • FIM Service: Starts-With, and Ends-With searches on String and Text attributes are implemented using the TSQL LIKE operator with standard SQL wildcard behaviors
    This means that the following characters %, _, [, ^ are treated as wildcards (http://msdn.microsoft.com/en-us/library/ms179859.aspx). If your use cases require these characters to be treated as literals, then you must escape them per the TSQL LIKE documentation by enclosing the wildcard character in brackets.
  • FIM Service: Running repair on the FIM Service does not repair SQL Server Agent jobs
    When running a repair operation on the FIM 2010 R2 Service, SQL agent jobs are not repaired, as the repair operation does not have SQL Server Agent permissions.
  • FIM Service: Diagnostics tracing file format has changed for FIM 2010 R2
    If you currently use data from the diagnostics tracing file, you will need to modify your tools or scripts to accommodate the new format.
  • FIM Service: The FIM Service web service contract for faults has changed
    The fault contract for FIM 2010 R2 includes additional information to support the troubleshooting enhancements in this release. You will need to regenerate the client proxy based on the updated fault contracts.
  • FIM Service: New resource type CompositeType may interfere with custom Action workflows
    A new resource type CompositeType has been introduced for a Request issued by the Built-in Synchronization Account. It may interfere with any custom Action workflows that parse request targets. To find the actual targets you will need to modify these workflows to parse the Request Parameters of a CompositeType.
  • FIM Service: UpdateRequestActivity has been removed from FIM 2010 R2
    UpdateRequestActivity has been removed from FIM 2010 R2. If you have any custom code that references UpdateRequestActivity, it will no longer compile. Moving forward, you should use UpdateResourceActivity instead.
  • FIM Service: For asynchronous exports from the FIM MA, multiple FIM Service instances will process synchronization requests
    In R2, all FIM Service instances, irrespective of whether they belong to a particular service partition, will process synchronization requests. In order to avoid performance impacts on specific FIM Service instances and/or service partitions you will need to update the Microsoft.ResourceManagement.Service.exe.config setting receiveSynchronizationRequestsEnabled as documented in the configuration file.
  • FIM Service: Do not reuse your existing Microsoft.ResourceManagement.Service.exe.config file
    Reusing an existing configuration may fail due to changes in the content of the configuration file. Please review the new configuration file contents and update manually if appropriate to do so.
  • FIM Service: A request may fail when multiple workflows attempt to modify the same single valued attribute on the same object
    The most likely scenario would be in the PostProcessing phase of a Request in which two or more Action workflows execute in parallel and they are trying to operate on the same object within a narrow time frame. The Request will fail with PostProcessingError and you will likely find this stack trace in the Event Log.

    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
    Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
    ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure
    ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
    UpdateResource, Line 525, Message: Cannot insert duplicate key row in object 'fim.ObjectValueString' with unique index
    'IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey-Filtered_Multivalued'.

    If your system has this issue, you should consider merging the functionality into a single workflow that can perform the operations in a synchronous manner to avoid the race conditions.
  • FIM Service: Configuration Migration Compare-FIMConfig cmdlet comparisons today are case insensitive
    When comparing settings, the Compare-FIMConfig cmdlet will not detect changes if the only difference is the case of the strings. For example if you compare the DisplayName attribute where source = "User1" and target = "user1" the tool will consider this as the same value.
  • FIM Service: Date/time strings are not constructed or parsed properly when the server runs Windows Server 2008 with Italian regional settings
    FIM Service expects DateTime strings to be of the format "yyyy-MM-ddTHH:mm:ss.fff" and parses them with this code: DateTime.Parse(input, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);

    A customer reported problems running FIM Service on an Italian server on which dates were represented as "yyyy-MM-ddTHH.mm.ss.fff" (the culture's time separator is "." rather than ":"). In this case the FIM Service did not run properly and reported exceptions like this:

    mscorlib.dll!System.DateTimeParse.Parse(string s, System.Globalization.DateTimeFormatInfo dtfi, System.Globalization.DateTimeStyles styles)
    mscorlib.dll!System.DateTime.Parse(string s, System.IFormatProvider provider, System.Globalization.DateTimeStyles styles)
    Microsoft.ResourceManagement.dll!Microsoft.ResourceManagement.Utilities.DateTimeSerializer.ReadCoordinatedUniversalTimeString(string input = "2010-02-25T09.14.12.237")


    The work-around was to change the Server to format dates per this format "yyyy-MM-ddTHH:mm:ss.fff"
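    The failure above is a culture-binding bug: in a .NET custom format string the ':' placeholder means "the current culture's time separator", so a culture-unaware ToString() on an Italian server emits dots that the invariant-culture parser then rejects. The following PowerShell reproduces it and shows the culture-safe serialization. This is an added example, not code from the release notes or from the FIM product; it assumes that the affected it-IT installations used "." as the time separator, and sets that explicitly so the demo behaves the same on any machine.

```powershell
# Added example (not from the FIM release notes): reproduce the Italian-culture
# serialization failure and show the culture-safe fix.
# Assumption: the affected Windows Server 2008 machines used "." as the it-IT
# time separator; it is set explicitly here so the demo is deterministic.
$fimFormat = 'yyyy-MM-ddTHH:mm:ss.fff'
$invariant = [System.Globalization.CultureInfo]::InvariantCulture
$sample    = New-Object System.DateTime -ArgumentList 2010, 2, 25, 9, 14, 12, 237, ([System.DateTimeKind]::Utc)

# The FIM Service parse call quoted in the note above.
function Read-FimDateTime([string] $text) {
    [datetime]::Parse($text, $invariant, [System.Globalization.DateTimeStyles]::AssumeUniversal)
}

$saved = [System.Threading.Thread]::CurrentThread.CurrentCulture
try {
    # Simulate the server: Italian regional settings with "." as the time separator.
    $italian = [System.Globalization.CultureInfo]::GetCultureInfo('it-IT').Clone()
    $italian.DateTimeFormat.TimeSeparator = '.'
    [System.Threading.Thread]::CurrentThread.CurrentCulture = $italian

    # BUG: ':' in a custom format string is replaced by the current culture's
    # time separator, so a culture-unaware ToString() emits '.' between the
    # time fields on this server.
    $cultureBound = $sample.ToString($fimFormat)

    # FIX: serialize with the same invariant culture the parser uses; the
    # output no longer depends on the server's regional settings.
    $cultureSafe  = $sample.ToString($fimFormat, $invariant)

    foreach ($s in $cultureBound, $cultureSafe) {
        try {
            $parsed = Read-FimDateTime $s
            '{0,-25} -> parsed as {1:o}' -f $s, $parsed.ToUniversalTime()
        } catch {
            # PowerShell wraps .NET exceptions; report the underlying one.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            '{0,-25} -> {1}: {2}' -f $s, $ex.GetType().Name, $ex.Message
        }
    }
} finally {
    [System.Threading.Thread]::CurrentThread.CurrentCulture = $saved
}
```

    Run as-is, the first string is the one the Italian server produced and the second is what an invariant-culture writer produces; the parser accepts only the second. Changing the server's regional settings (the work-around above) fixes the symptom, but any custom code that writes timestamps for FIM should pass CultureInfo.InvariantCulture to ToString() so that it does not depend on the host's culture at all.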
  • FIM Service: Viewing an Object's Resource page in the Portal will fail if you mark the Description attribute as Required on the Object in the FIM Schema
    When trying to view the Object's Resource page in the portal, you will end up on the ErrorPage.aspx page. To fix the problem, you must remove the Required setting, restart IIS, and then try again.
  • FIM Service: Deletion of an Attribute or ObjectType from FIM Schema must follow a specific order of steps or you will get an Unwilling to Perform exception


    Exception: Other Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level
    16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message:
    Reraised Error 547, Level 16, State 1, Procedure PostProcessObjectTypeDescriptionUpdate, Line 90, Message: The DELETE statement conflicted with the REFERENCE constraint
    "FK_BindingInternal_ObjectTypeInternal". The conflict occurred in database "FIMService", table "fim.BindingInternal", column 'ObjectTypeKey'.



    To delete an Attribute or ObjectType from the FIM Schema, do the following:

    1. Delete all instances of any Objects that currently use those schema elements.
    2. If you want the reporting data warehouse to capture the deletion of the attribute values or object instances from the previous step, run an Incremental job and let it complete. Skipping this does not cause an error, but any object changes recorded since the last Incremental job will have no history for these schema items once they are deleted.
    3. Search for any Set or Dynamic Group Filter that currently includes the FIM Schema items you plan to delete and delete the Set or Dynamic Group. If the Set is used in an MPR, you will first need to delete the MPR.
    4. Delete all Bindings that reference the FIM Schema items you plan to delete.
    5. Delete the Schema item.
  • FIM Service: Request will Fail and throw Unwilling to Perform Exception if duplicate MPRs trigger the same Action Workflow on the Request
    If 2 or more MPRs are configured to execute the same Action Workflow and get triggered on the same Request, the Request will fail with the following exception:


    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
    ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
    DoProcessRequest, Line 267, Message: Cannot insert duplicate key row in object 'fim.PolicyApplication' with unique index
    'IX_PolicyApplication_RequestKey_TargetKey_WorkflowDefinitionKey'.


    To fix the problem you can use the Portal to search all enabled MPRs, locate the duplicate, and delete it.
  • FIM Service: Set or Dynamic Group membership may be invalid if the Set or Dynamic Group Filter attribute contains a reference to deleted Attributes or ObjectTypes in the FIM schema
    The system will allow deletion of Attribute and ObjectTypes from the FIM schema without detecting whether or not these items may be in-use in Set or Dynamic Group definitions. As a result, the affected Set or Dynamic Groups will have invalid membership and should be deleted. To locate the affected Sets or Dynamic Groups, use advanced search in the portal on the Filter attribute of the Sets or Dynamic Groups to find these deleted schema items and delete the affected Set or Dynamic Group objects.
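    Because the schema allows the deletion without checking for dependent Filters, the search has to be done beforehand. The script below, an added example that is not part of the release notes or of the FIM product, does that search with the FIMAutomation PowerShell snap-in that installs with the FIM Service: it exports every Set and Group, matches the Filter text against the schema items you intend to remove, and then lists the MPRs that reference each affected Set (which, per step 3 of the deletion procedure above, must be deleted before the Set). The service URI and the names in $schemaItems are assumptions.

```powershell
# Added example (not from the release notes): find Sets and criteria-based
# Groups whose Filter references schema items about to be deleted, plus the
# MPRs that depend on those Sets. Assumptions: FIMAutomation snap-in present,
# FIM Service on localhost:5725, and the hypothetical names in $schemaItems.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$uri         = 'http://localhost:5725/ResourceManagementService'
$schemaItems = 'EmployeeType', 'Contractor'    # hypothetical attribute and object type

# Read one attribute from an ExportObject returned by Export-FIMConfig.
function Get-FimAttribute($exportObject, [string] $name) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $name }
    if (-not $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Whole-word match on any of the names. The Filter value is an XPath wrapped in
# a <Filter> element, so a word-boundary regex catches both
# /Person[EmployeeType = 'FTE'] and /Contractor[...].
$pattern = '\b(' + (($schemaItems | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

# Export every Set and Group; manual groups have no Filter and drop out below.
$candidates = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/Set', '/Group'

$affected = foreach ($obj in $candidates) {
    $filter = Get-FimAttribute $obj 'Filter'
    if ($filter -and ($filter -match $pattern)) {
        [pscustomobject]@{
            ObjectType  = $obj.ResourceManagementObject.ObjectType
            ObjectID    = $obj.ResourceManagementObject.ObjectIdentifier   # urn:uuid:<guid>
            DisplayName = Get-FimAttribute $obj 'DisplayName'
            Filter      = $filter
        }
    }
}

# MPRs point at Sets by GUID through PrincipalSet, ResourceCurrentSet and
# ResourceFinalSet; these must be deleted before their Set can be.
$dependentMprs = foreach ($set in ($affected | Where-Object { $_.ObjectType -eq 'Set' })) {
    $guid  = $set.ObjectID -replace '^urn:uuid:', ''
    $xpath = "/ManagementPolicyRule[PrincipalSet='$guid' or ResourceCurrentSet='$guid' or ResourceFinalSet='$guid']"
    Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $xpath | ForEach-Object {
        [pscustomobject]@{
            MPR   = Get-FimAttribute $_ 'DisplayName'
            Set   = $set.DisplayName
            MprID = $_.ResourceManagementObject.ObjectIdentifier
        }
    }
}

"Sets/Groups whose Filter references $($schemaItems -join ', '):"
$affected      | Format-Table ObjectType, DisplayName, Filter -AutoSize -Wrap
"MPRs that must be deleted before their Set:"
$dependentMprs | Format-Table MPR, Set, MprID -AutoSize
```

    The regex is deliberately a plain text match on the Filter string rather than a FIM XPath query: the Filter attribute holds an XPath expression, and a local match is independent of what the service-side query dialect indexes. Review the output by hand before deleting anything; a Filter that merely contains the same word in a literal value (for example a DisplayName search for 'Contractor') will also be flagged.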
  • FIM Service: synchronizationExportThrottle not supported in FIM 2010 R2
    The hotfix rollup package for build 4.0.3573.2 introduced a property, synchronizationExportThrottle, that is not supported in R2. For more information, see KB2417774. If this property exists in your FIM 2010 R2 Service configuration file, the FIM Service will fail to start. To resolve the issue, remove the property from the configuration file.
  • FIM Service: If your deployment contains multiple FIM Portal or FIM Service machines and you use the FIM Approval workflow, you must ensure that each machine can authenticate to the others
    This is done by creating a service principal name (SPN) for each FIM Service instance and then configuring each FIM Portal for constrained delegation to each FIM Service. If your deployment receives Group Management and Approval requests through the FIM Service mailbox, the FIM Service instance that has mailbox polling enabled (there must be only one such instance) must also be configured for constrained delegation to each FIM Service.

    Approval Responses are submitted directly by the FIM Portal and the FIM Service (receiving mail) to a Workflow Endpoint on the FIM Service that received the original Request. For example, assume your deployment has FIM Portal 1 and 2, and also FIM Service 1 and 2. A user issues a Request to join a Group on FIM Portal 1. That Request is processed by FIM Service 1 and this is where the Approval Workflow Instance lives. If the Approver approves by Email and that email response is processed by FIM Service 2, it is FIMService 2 that will try to communicate with FIMService 1 to send the Approval Response. If the same Approver went to FIM Portal 2 and approved the Request, it is the FIM Portal 2 that will communicate with FIMService 1 to send the Approval Response.

    For instructions for how to setup SPNs and constrained delegation, see the following article: http://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx
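    The following PowerShell shows the shape of that configuration end to end: SPN registration for every FIM Service instance, Kerberos-only constrained delegation for the accounts that forward approval responses, and a verification pass. It is an added example, not code from the release notes or the linked article. Account names, host names and the load-balanced alias are assumptions; the "FIMService" SPN class follows the FIM installation guide. If the SharePoint application pool runs as Network Service rather than a domain account, the delegation settings belong on the Portal server's computer object (Set-ADComputer) instead of a user account.

```powershell
# Added example (not from the release notes): SPNs plus Kerberos constrained
# delegation for a multi-instance FIM Service with Approval workflows. Assumptions:
#   CONTOSO\svc-fimservice  account the FIM Service runs as (on every instance)
#   CONTOSO\svc-fimportal   SharePoint application-pool account of the FIM Portal
#   fimsvc01, fimsvc02      FIM Service hosts; fimsvc01 is the single mailbox poller
#   fim.contoso.com         load-balanced alias that users and the FIM MA connect to
# Requires the ActiveDirectory module and rights to write the accounts' delegation attributes.
Import-Module ActiveDirectory -ErrorAction Stop

$netbios        = 'CONTOSO'
$dnsDomain      = 'contoso.com'
$fimServiceAcct = 'svc-fimservice'
$portalAcct     = 'svc-fimportal'
$serviceHosts   = 'fimsvc01', 'fimsvc02'
$serviceAlias   = 'fim'

# 1. SPNs: one per host plus the alias, all on the service account.
#    setspn -S checks the forest for duplicates first; a duplicate SPN makes
#    the KDC unable to pick a target and Kerberos silently falls back or fails.
$spns = foreach ($h in @($serviceHosts) + $serviceAlias) { "FIMService/$h.$dnsDomain" }
foreach ($spn in $spns) {
    & setspn.exe -S $spn "$netbios\$fimServiceAcct"
}

# 2. Constrained delegation (Kerberos only). The Portal forwards approval responses
#    to whichever FIM Service instance owns the workflow, and the mail-polling
#    instance does the same, so both accounts need delegation to every FIMService SPN.
#    TrustedToAuthForDelegation (protocol transition) is deliberately NOT set: it is
#    unnecessary when the caller already holds a Kerberos ticket, and it would let
#    the account obtain tickets for any user without that user's credentials.
foreach ($acct in $portalAcct, $fimServiceAcct) {
    $existing = (Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'
    $missing  = $spns | Where-Object { $_ -notin @($existing) }
    if ($missing) {
        Set-ADUser -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }
}

# 3. Verify: forest-wide duplicate-SPN scan, then each account's delegation list.
#    DelegatesTo should contain only FIMService/* entries and ProtocolTransition
#    should be False.
& setspn.exe -X -F
foreach ($acct in $portalAcct, $fimServiceAcct) {
    $u = Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account            = $u.SamAccountName
        DelegatesTo        = @($u.'msDS-AllowedToDelegateTo') -join '; '
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation
    }
}
```

    Keep the delegation list to the FIMService SPNs only. Unconstrained delegation ("Trust this user for delegation to any service") would also make the approval flow work, but it lets a compromised Portal or mail-polling account reuse every user's ticket against any service in the forest, which is exactly what constrained delegation exists to prevent.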
  • Password Registration Portal: GateRegistration objects can accumulate over time
    GateRegistration objects that are no longer needed accumulate as a side effect of events in and around password reset. One such event is an administrator updating an authentication (AuthN) workflow and selecting "force re-registration": when users re-register, new GateRegistration objects are created, but the original ones are not removed. Periodically delete these unnecessary GateRegistration objects so that the system holds only the objects your scenarios require.
  • Password Registration Portal: Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
    This error can occur when a user attempts to navigate to the Password Registration Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.

    For additional troubleshooting information including how to enable logging see Troubleshooting FIM 2010.
  • Password Reset Portal: Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
    This error can occur when a user attempts to navigate to the Password Reset Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.

    For additional troubleshooting information including how to enable logging see Troubleshooting FIM 2010.
  • Reporting: Filtering the Request History or Group History reports on an MPR name may return incorrect results
    When filtering the Request History or Group History reports on an MPR name, you may receive incorrect results. While the data represented in the report is accurate, you may need to export this report to a third party format (such as Excel) and then filter it there.
  • Reporting: Certain reports may time out on large datasets
    You may experience SSRS timeouts when running reports on large data sets. The default SSRS timeout is set to 1800 seconds for all reports. You may change this timeout by navigating to the Site settings link in the upper right hand of the SSRS web interface, opening the General tab, and then changing the timeout to either no timeout or a value larger than the default 1800 seconds.
  • Reporting: Reports do not show Created Time for requests which exist before initial ETL was run
    The Created Time column will appear blank for requests which were in the system before reporting setup was completed. There is no workaround for this issue, but since the request’s committed time will be captured, you will still be able to correlate when the change was made in the FIM 2010 R2 database.
  • Reporting: When the creator of a request is not a person resource in FIM (ie, FIMService, Anonymous User), no creator is shown in the out of box reports
    Currently, if the FIM 2010 R2 service or an anonymous user issues a request in the FIM 2010 R2 portal, the creator is shown as blank in the out of box reports. This is due to the fact that these resources are not moved over as part of our ETL processes, since they are not person resources in FIM 2010 R2.
  • Reporting: Unique key constraint violation when running reporting synchronization jobs
    If you attempt to run reporting synchronization jobs against a default System Center Service Manager SP1 (SCSM SP1) installation, you may receive the error “Violation of UNIQUE KEY constraint ‘idx_ManagedEntityManagedTypeId’. Cannot insert duplicate key…”. To address this issue, make sure you have the following updates installed on your System Center Service Manager Management Server, Data Warehouse Server, and any machines that have the System Center Service Manager Console installed on them:

    1. KB2542118– System Center Service Manager Cumulative Update 2
    2. KB2542118– System Center Service Manager FIM 2010 R2 Hotfix

      Note
      You must have the SCSM Cumulative Update 2 installed before installing KB2542118.

  • Reporting: If a resource is created and deleted inside one SCDW extract batch, that resource will not show up in the SCDW
    When an instance of a resource is created and deleted inside one extract batch, the deleted instance will never be extracted from the SCSM Management Server to be moved over to the Data Warehouse. This is a known issue with the System Center Service Manager Product. You may see this issue in testing environments if you, for example, create a person in FIM 2010 R2, delete that person, and then run the SCSM ETL job. Because the creation and deletion event occur in the same ETL batch, these events do not get sent to the System Center Data Warehouse.
  • Reporting: When running on PowerShell version 1.0, running Get-Help on Import-FIMReportingReport results in an error
    You may receive the error “Error loading help content for Import-FIMReportingReport” in certain cases when attempting to load help for Import-FIMReportingReport. If this occurs, try the alternate way of listing the parameters by typing “Import-FIMReportingReport -?”. If this also fails, refer to the Deployment Guide for Forefront Identity Manager 2010 R2 – PowerShell Reference.
  • Reporting: Out-of-box reports may not return data with default filtering parameters
    The default end date for the out-of-box reports is defined as today's date in UTC + 1. As a result, running reports with the default filtering parameters may return an empty data set, depending on the time zone the user is running in. This is a known issue that you can work around by manually specifying the date range to filter your report on.
  • Reporting: Running an incremental synchronization after a large export from Active Directory may take several days to complete
    Depending on the size of the export job, the incremental synchronization process may take up to several days to complete. This is due to the large number of requests generated by the export process that are then moved over to the Data Warehouse. You may safely let this incremental synchronization job continue without degrading the performance of the FIM 2010 R2 Service or other components. However, if the waiting period is unacceptable and you would like to skip the requests generated by the export process, contact product support for assistance (see How and when to Contact Microsoft Customer Service and Support).
  • Reporting: Data does not appear in reports even after all synchronization processes are completed
    For data consistency purposes, SCSM will not move data that has been modified in the last 30 seconds. Therefore, if you run the FIM 2010 R2 reporting synchronization processes immediately followed by the SCSM ETL jobs, the changes made in the reporting synchronization job may not appear in the Data Warehouse. You can solve this issue by either:

    • Waiting 30 seconds before starting the SCDW ETL jobs
    • Running the SCDW ETL jobs again
    Because the SCDW ETL jobs run every 20 minutes to 1 hour (depending on job type), you can be assured that data will flow to the DataMart within a 24 hour Service Level Agreement. For testing purposes, however, it is important to consider this 30 second delay when exercising certain scenarios.
  • Reporting: Certain Chinese characters may cause the SCSM console to fail to load a report
    Chinese characters that are represented as UTF-16 surrogate pairs in report data may cause the SCSM console to fail to load a report. This is caused by an issue in version 9.0.0.0 of the report viewer used by the SCSM console. To work around this issue, you can either:

    • Continue viewing the reports through the SQL Server Reporting Service (SSRS) web interface (which does not have this issue), or
    • Delete the bad data, restart the SSRS service, and attempt to view the reports via the SCSM console
  • Reporting: Status of requests is different for initial and incremental synchronizations
    In this release, during initial synchronization, FIM 2010 R2 Reporting moves finished requests with the final state of “completed” to the Data Warehouse, but it only moves finished requests with the final state of “committed” during incremental synchronization. This is a known issue that does not affect data integrity.
  • Reporting: FIM reporting initial sync moves over failed requests
    In this release, during initial synchronization, FIM 2010 R2 Reporting moves both successful and failed requests to the Data Warehouse, whereas during incremental synchronization it only moves the successful requests. This will result in a small amount of extra data being present in the Data Warehouse in certain cases. This does not affect data integrity.

Synchronization Service – Post-Installation


  • ECMA 2.0: ECMA 2.0 does not support "multi-partition" file-based Connectors
    ECMA 2.0 does not prevent a programmer from creating a file-based "multi-partition" Connector; however, these scenarios are not supported and may result in unexpected or broken behavior.

    Programmers should not try to use/implement the GetPartition() or GetHierarchy() interfaces when writing a file-based ECMA 2.0 connector, as they will not work properly.
  • ECMA 2.0: CustomData for OpenImportConnectionRunStep.CustomData comes from GetImportEntriesResults
    The watermark data returned in OpenImportConnectionRunStep.CustomData does not come from CloseImportConnectionResults.CustomData, as would be expected. Instead, the CustomData field comes from GetImportEntriesResults.CustomData. Connector programmers will encounter this when writing connectors that pass watermark data between MA runs.
  • ECMA 2.0: ECMA 2.0 does not allow a page/batch size of greater than 9999
    When configuring the batch size for a ECMA 2.0 based MA, you may not configure a batch size larger than 9999 objects. The UI will not allow a larger number to be configured, and there is no way to exceed this size in your Connector's configuration.
  • ECMA 2.0: Generic-style DNs do not accept all characters
    Generic-style DNs have the same character restrictions as LDAP-style DNs, even though there is no specific reason for that limitation.
  • FIM MA: Using Service Partitioning to isolate FIM MA Export load is not supported in FIM 2010 R2
    Service partitioning does not control which FIM 2010 R2 Service instance processes the load from the FIM MA during an Export run. Customers with more than one FIM 2010 R2 Service instance who want to control which instances process that load must instead use the following setting in the FIM 2010 R2 Service configuration file, under resourceManagementService:
    receiveSynchronizationRequestsEnabled

    The default value is "True", meaning that the FIM 2010 R2 Service instance processes FIM MA Export requests. Setting the value to "False" means that the instance does not process Export requests.

    Note
    Although you specify a FIM 2010 R2 Service address in the FIM MA properties in Synchronization Service Manager, all FIM 2010 R2 Service instances attached to a single FIM 2010 R2 Service database will process these requests.
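    Two of the notes on this page concern the same file: the FIM MA note above (receiveSynchronizationRequestsEnabled decides which instances take Export load) and the earlier FIM Service note that an R2 instance will not start if a configuration carried over from the 4.0.3573.2 hotfix rollup still contains synchronizationExportThrottle. The PowerShell below, an added example rather than anything shipped with FIM, checks a Microsoft.ResourceManagement.Service.exe.config for both and summarizes the result per instance. The two configuration documents it reads are constructed for the demo, and it assumes, as in the shipped file, that these settings are attributes of the top-level resourceManagementService element; the default install path in the trailing comment is also an assumption.

```powershell
# Added example (not from the release notes): validate FIM Service configuration
# files before starting R2 instances. Flags the unsupported
# synchronizationExportThrottle property and reports
# receiveSynchronizationRequestsEnabled for each instance.
# Assumption: both settings are attributes of <resourceManagementService>.

function Test-FimServiceConfig {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [string] $Label = 'config'
    )
    $svc = $Config.configuration.resourceManagementService
    if (-not $svc) { throw "$Label : <resourceManagementService> element not found" }

    $receiveRaw = $svc.GetAttribute('receiveSynchronizationRequestsEnabled')
    $throttle   = $svc.GetAttribute('synchronizationExportThrottle')

    # An absent attribute means the default, which is True.
    $receive = if ($receiveRaw) { [bool]::Parse($receiveRaw) } else { $true }
    $verdict = if ($throttle) {
        'FAIL: synchronizationExportThrottle is not supported in R2 (service will not start); remove it'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Instance                              = $Label
        ExternalHostName                      = $svc.GetAttribute('externalHostName')
        ReceiveSynchronizationRequestsEnabled = $receive
        Verdict                               = $verdict
    }
}

# Constructed sample 1: end-user instance whose config was carried over from a
# 4.0.3573.2 deployment and still has the throttle property.
$userInstance = [xml]@'
<configuration>
  <resourceManagementService externalHostName="fim-user.contoso.com"
                             receiveSynchronizationRequestsEnabled="false"
                             synchronizationExportThrottle="1000" />
</configuration>
'@

# Constructed sample 2: admin instance intended to take the FIM MA Export load.
$adminInstance = [xml]@'
<configuration>
  <resourceManagementService externalHostName="fim-admin.contoso.com"
                             receiveSynchronizationRequestsEnabled="true" />
</configuration>
'@

$results = @(
    Test-FimServiceConfig -Config $userInstance  -Label 'fim-user'
    Test-FimServiceConfig -Config $adminInstance -Label 'fim-admin'
)
$results | Format-Table -AutoSize -Wrap

# Every instance on one FIM Service database receives Export requests unless
# told otherwise, so at least one must remain True or FIM MA exports stall.
if (-not ($results | Where-Object { $_.ReceiveSynchronizationRequestsEnabled })) {
    Write-Warning 'No FIM Service instance accepts FIM MA Export requests.'
}

# On a server, read the live file instead of the samples (default install path assumed):
# $path = Join-Path ${env:ProgramFiles} 'Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'
# Test-FimServiceConfig -Config ([xml](Get-Content -Raw -Path $path)) -Label $env:COMPUTERNAME
```

    Run this against the configuration of each instance that shares a FIM Service database; the per-instance verdicts catch the carried-over throttle property, and the final check catches the case where every instance has been set to "False" and nothing is left to process exports.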

  • FIM MA: A request-based MPR will not fire if a reference attribute must be evaluated on resource creation
    A request-based MPR will not fire if the reference attribute it depends on has to be evaluated as part of the Create request. Example: a request-based MPR that sends an email to the manager of the person being created. An error similar to the following is written to the FIM Service event log:

    EXCEPTION DATA
    MESSAGE: Cannot deference non-instantiated attribute Manager
    **METHOD:System.Exception ThrowException(System.Exception)
    **METHOD:System.Object ResolveAttribute(System.String, Boolean, ResolverOptions, System.String ByRef)
    **METHOD:Void ResolveToLine(System.String)
    **METHOD:System.String ResolveRecipientLine(Microsoft.ResourceManagement.WFActivities.Resolver, System.String, System.Text.StringBuilder ByRef)
    **METHOD:Microsoft.ResourceManagement.Workflow.Runtime.MessageContent ResolveMailMessage(System.Guid, System.Guid, System.Guid, System.Collections.Generic.Dictionary`2[System.String,System.Object], System.String, System.String, System.String, System.Guid, Microsoft.ResourceManagement.Workflow.Activities.EmailResolutionOptions, System.String ByRef)
    **METHOD:Void ResolveMail(System.Object, System.EventArgs)
    **METHOD:Void RaiseEvent(System.Workflow.ComponentModel.DependencyProperty, System.Object, System.EventArgs)
    **METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.ActivityExecutionContext)
    **METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(T, System.Workflow.ComponentModel.ActivityExecutionContext)
    **METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.Activity, System.Workflow.ComponentModel.ActivityExecutionContext)
    **METHOD:Boolean Run(System.Workflow.ComponentModel.IWorkflowCoreRuntime)
    **METHOD:Void Run()

    This is expected. Reference attributes are not guaranteed to be part of the original Create request.

    Workaround: The MPR should be on an update attribute instead of Create request.
  • FIM MA: FIM MA export of sets and dynamic groups filter attributes will impact performance
    Synchronization requests containing updates to set or dynamic group filters will only be processed using the single object FIM MA export behavior.
  • Synchronization Service: Changing MV Object type during runtime is not supported
    The FIM 2010 R2 code does not yet actively prohibit this so it must be stated that doing so is not supported.
  • Synchronization Service: Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''
    The FIM Service event log might contain the following error: Request 'ca6a8db0-c084-4783-bb9b-5be054d38a10' failed while trying to commit the changes to the database. Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''. The missing ‘MembershipLocked’ attribute is reported under the following conditions:

    1. Sync engine sends an update request with attributes that got modified.
    2. The FIM MA does a quick lookup and finds the object missing in FIM Service (probably deleted through portal).
    3. The FIM MA treats the update as 'Create' request.
    4. The create request in FIM Service fails because it has missing attributes like ‘MembershipLocked’.
    Doing a delta import and delta sync followed by Export will fix the error. Sync service will understand the object as deleted from FIM Service and will not send a pending update during the next FIM MA export operation.
  • Synchronization Service: Do not reuse your existing miiserver.exe.config file
    Re-using an existing configuration may fail due to changes in the content of the configuration file. Please review the new configuration file contents and update manually if appropriate to do so.
  • Synchronization Service: Sync Service manager shows a User object deleted when linked ERE was actually deleted
    During migration from policy-based sync rules to filter-based sync rules, the sync engine deletes the EREs linked to the filter-based sync rules. The Identity Manager statistics, however, incorrectly show the User linked to each deleted ERE as deleted. The User object was not deleted; only the ERE was. Customers should encounter this only once, while migrating from policy-based to filter-based rules, and no action is required.
  • Synchronization Service: The value of a boolean-type outbound scoping filter in a filter-based Sync Rule is case sensitive
    It must be all lowercase, i.e. "true" or "false". If the casing is different, it will crash.

Preinstallation and Topology Configuration

            by MS Technet
 
This document provides an overview of the major components of a FIM 2010 deployment with recommendations for topology architecture, load-balancing, and high-availability scenarios.

Components to Deploy

FIM 2010 consists of these main components:

FIM Service

Deploying the FIM Service component consists of installing the FIM Service and configuring the FIM Service SQL database. This section discusses the options and recommendations for deploying the FIM Service. It also discusses the options and recommendations for deploying the FIM Service SQL database.
You can deploy the FIM Service:
  • On a stand-alone server
  • On a shared server with the FIM Portal and Windows® SharePoint® Services 3.0
  • On multiple servers, we recommend that you use:

    • Network Load Balancing (NLB) to distribute the processing load.
    • Aliases (for instance, A or CNAME records) so that one common name is exposed to the user.
    • A separate alias for a dedicated FIM Service server, so that intensive administrative tasks can be offloaded to one or more servers without affecting end-user tasks.
    Important
    If you use a load-balancing technology other than the NLB feature in Windows Server 2008 or Windows Server 2008 R2, make sure your solution keeps a session on the same server (session affinity) rather than sending its requests to a random server.

When you install the FIM Service SQL database:
  • We strongly recommend that the FIM Service SQL database exist on a dedicated server.
  • The server running Microsoft SQL Server® can be a single server or part of a failover cluster.
  • You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.

FIM Synchronization Service

Deploying the FIM Synchronization Service consists of installing the FIM Synchronization Service, configuring management agents for various connected data sources, and configuring the FIM Synchronization Service SQL database. This section discusses the options and recommendations for deploying the FIM Synchronization Service.
FIM Synchronization Service requirements:
  • Only one FIM Synchronization Service instance can exist in a deployment.

    Warning
    Having more than one Synchronization Service instance can cause errors when attempting to upgrade a FIM deployment.

  • The FIM Synchronization Service may be installed on a stand-alone server or on the same server as the SQL Server database. If you connect the FIM Synchronization Service and the database with at least a 1-gigabit network, there is no significant performance difference when you separate the two components.
FIM Synchronization Service SQL database requirements:
  • The server running SQL Server can be a stand-alone server or part of a failover cluster.
  • You can run any SQL Server edition (such as Standard and Enterprise) except SQL Server Express. Which SQL Server edition you use depends on other business requirements such as high availability and manageability. For more information, see the Microsoft SQL Server Web site.

FIM Portal

Deploying the FIM Portal consists of installing the FIM Portal component and configuring Windows SharePoint Services. This section discusses the options and recommendations for deploying Windows SharePoint Services and the options and recommendations for deploying the FIM Portal.

Deploying Windows SharePoint Services 3.0

  • Deployment - You can deploy Windows SharePoint Services on either a stand-alone server or as a Windows SharePoint Services server farm. There is no performance advantage in either deployment, but a stand-alone deployment is in most configurations easier to manage. You can also deploy Windows SharePoint Services on a single server, along with the FIM Service and the FIM Portal.
  • Load balancing

    • If you are deploying a Windows SharePoint Services server farm, Windows SharePoint Services automatically load-balances the servers.
    • NLB can also be used in addition to Windows SharePoint Services load-balancing to distribute the processing load. If you use a solution other than NLB, ensure that it always directs one user to the same server (also known as pinning or session affinity).
    • In a load-balanced environment, we also recommend that you use an alias (for example, CNAME record) so that one common name is exposed to the user.
  • A SharePoint server farm needs one shared SQL database for its configuration. Give this database the same high-availability solution as the other FIM databases so that it does not become a single point of failure.
  • SharePoint products and technologies - The following products are currently not supported:

    • Microsoft Office SharePoint Server
    • Microsoft SharePoint Foundation 2010

Deploying the FIM Portal

The FIM Portal is a component that does not demand intensive resources and can be deployed on the same server as the FIM Service. For more information, see the illustrations in the following sections.

Topology Considerations

How you deploy Microsoft® Forefront® Identity Manager (FIM) 2010 depends almost entirely on the size and complexity of the environment you need to support. This section is intended to help you determine an optimal network topology for your environment. It addresses ways to deploy FIM beginning with a basic topology typically used by smaller organizations, followed by more advanced topologies to meet the requirements of larger organizations. In general terms, the topology, hardware profiles, and related system requirements described in this document can be applied to organizations based on the following scale:
  • Small organization of up to 20,000 users and 10,000 groups. Basic deployment with multitier topology and network load balancing.
  • Medium organization of up to 50,000 users and 50,000 groups. Advanced deployment with multitier topology, network load balancing, and dedicated servers for FIM services.
  • Large organization of up to 200,000 users and 450,000 groups. Advanced deployment with multitier topology, network load balancing, and multiple servers for FIM services.
The multitier topology is the most commonly used topology, offering the greatest flexibility. The FIM 2010 R2 Portal, FIM 2010 R2 Service, and databases are separated into tiers and deployed on multiple computers. This topology adds flexibility in scaling the different FIM 2010 R2 components. For example, you can scale the FIM 2010 R2 Portal horizontally by adding additional servers in an NLB cluster. Similarly, you can scale the FIM 2010 R2 service by using an NLB cluster and by increasing the number of computers (nodes) in the cluster as needed.
In the multitier topology, a dedicated computer is allocated to host each SQL database (one for the FIM 2010 R2 Service and another for the FIM 2010 R2 Synchronization Service). The computers that host the SQL databases can be scaled up by adding or upgrading hardware, for example by upgrading or adding CPUs, increasing or upgrading random access memory (RAM), or upgrading the disk configuration to increase read and write throughput and decrease latency.
The following are examples of some standard FIM 2010 deployment scenarios.

Basic FIM deployment

A basic deployment which could be used in a small organization may be deployed on three to four servers running Microsoft Windows Server® operating systems.
In this deployment there is one dedicated SQL server for the FIM Service database. The FIM Service and Portal are installed together on a server in an NLB cluster; additional FIM Service and Portal servers can be added to the cluster when needed. In this configuration, the FIM 2010 R2 Synchronization Service and its database are hosted on the same computer; you should be able to achieve similar performance with them on separate computers if there is a dedicated one-gigabit network connection between the FIM 2010 R2 Synchronization Service and its database server.
Basic FIM 2010 Topology

FIM deployment with multiple dedicated servers

In this example, which could be used in a medium-sized organization, the basic components are deployed across five servers running Windows Server, with the FIM Portal and Windows SharePoint Services installed on the same stand-alone server.
A dedicated server is used for the FIM Synchronization Service and another dedicated server for the FIM Synchronization Service database. The FIM Portal is separated from the FIM Service servers.
Basic FIM 2010 Topology

Load-balancing the FIM Service with multiple servers

A more advanced deployment, which could be used in a larger organization, is to load balance FIM Services using multiple dedicated servers with some designated to handle user requests and others reserved for administrative requests. Synchronization of data with external systems can add a considerable load to the system and run over an extended period of time. If the synchronization configuration results in triggering policies with workflows, these policies contend for resources with end-user workflows. Such issues can be pronounced with authentication workflows, such as password resets, which are done in real time with an end user waiting for the process to complete. By providing one instance of the FIM 2010 R2 Service for end user operations and a separate portal for administrative data synchronization, you can provide better responsiveness for end-user operations.
Using different external names for the FIM Service also allows server partitioning for workflows. When a workflow instance is created, the external name of the server is added to the instance. Another server with the same external name can pick up and resume hydrated workflows. This partitioning ensures that workflows started on the FIM-Admin instance will never be processed by the FIM-User instances, keeping the servers used by end users more responsive.
Load balanced FIM Synchronization Service

Unattended Installation of FIM 2010 R2

by MS Technet
All components of the FIM 2010 R2 accept properties that allow unattended and silent installation. Those properties can either be set in a Windows Installer Transform (MST) file or specified at the command line during installation.
The FIM 2010 R2 installation packages do not support advertisement (msiexec /j) or administrative (msiexec /a) installations.
There are several different ways to install FIM 2010 R2 silently (unattended). Two methods are described in this section: pass-in parameters in a command line and MST files. It is outside the scope of this document to describe unattended installations in general.

Pass-in parameters on the command line

This can be used with Microsoft System Center Configuration Manager 2007. To install silently, use the command msiexec with an option, followed by properties, for example:
Msiexec /q /i NameofMSI.msi /Option ADDLOCAL=MSIFeatureName Property=Value
The possible values of MSIFeatureName and Property can be found in Features and properties later in this document. Note that all parameters are case sensitive.
The following is an example command for an installation of FIM Add-ins and Extensions from a file server where only the FIM Outlook add-in is installed:
msiexec /i "\\MyServer\Distribution\FIM\32\Add-ins and extensions.msi" /quiet ADDLOCAL=OfficeClient PORTAL_LOCATION=MyPortalServer PORTAL_PREFIX=https MONITORED_EMAIL=fimservice@contoso.com
Msiexec has several command line switches for silent installations. Of those, only a limited number are supported. The following table is a list of supported switches.

Switch | Supported or Not Supported | Description
/quiet, /q:n | Supported | Installation with no UI at all
/q:f | Supported | (Full UI) The usual User Interface Wizard behavior.
/q:b | Not supported | (Basic) No pop-ups, except error messages.
/q:r | Not supported | (Reduced) Similar to basic.
/a | Not supported | (Admin) Will unpack an MSI to have all files external. Since this is how we deliver the MSI, there is no need to support this. Will run the Admin sequences, but there is no compelling scenario for this.
/x | Supported | Uninstall of the product
/j | Not supported | No scenarios. (We don't have install on demand.)

Note: Windows Installer has a limit of 256 characters in the path for installation of applications. Ensure that you do not place the root of the tree in a very deep structure, or the installation might fail.

Create an MST file

Another solution is to use an MST file. MST files can be created with tools such as Orca (shipped with the Windows Software Development Kit (SDK)), and they contain the same settings as are passed in on the command line.

Troubleshoot an installation

If an unattended installation fails, add the option /l*v NameOfLogFile.txt to the command line. This option creates a log file that you can use for troubleshooting. You can identify an error in a Windows Installer log file by looking for the text Return Value 3.
Also, you can run msiexec without the /q switch. This causes the UI to appear, with the values you specified on the msiexec command line populated in their respective locations. This is a good way to determine whether the correct value is being set.
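As an added example that is not part of the TechNet article, the following PowerShell function wraps the command-line approach for the Synchronization Service: it builds the property list from the Synchronization Service properties table (Table 4), prompts for the service account instead of placing the password in a script, runs msiexec with the supported /q switch plus a verbose log, and on failure prints the log lines around "Return Value 3" as the troubleshooting section suggests. The MSI path, log location and account name are assumptions.

```powershell
# Added example (not from the TechNet article). Assumes the FIM 2010 R2
# Synchronization Service MSI is available at $MsiPath and that the caller
# has local administrator rights on the target server.
function Install-FimSyncUnattended {
    param(
        [Parameter(Mandatory = $true)] [string] $MsiPath,              # e.g. 'D:\Synchronization Service\Synchronization Service.msi'
        [Parameter(Mandatory = $true)] [pscredential] $ServiceAccount, # DOMAIN\user, prompted via Get-Credential
        [string] $SqlServer = 'LocalMachine',
        [string] $LogPath  = (Join-Path $env:TEMP 'fimsync-install.log')
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }
    # Windows Installer limits the installation path to 256 characters (see the note above).
    if ($MsiPath.Length -gt 256) { throw 'MSI path exceeds the 256-character Windows Installer limit' }

    $parts = $ServiceAccount.UserName -split '\\', 2
    if ($parts.Count -ne 2) { throw 'Service account must be given as DOMAIN\user' }
    $domain, $user = $parts

    # Property names are case sensitive; names and default group names follow Table 4.
    $props = @{
        STORESERVER         = $SqlServer
        SQLDB               = 'FIMSynchronization'
        SERVICEACCOUNT      = $user
        SERVICEDOMAIN       = $domain
        SERVICEPASSWORD     = $ServiceAccount.GetNetworkCredential().Password
        GROUPADMINS         = 'FIMSyncAdmins'
        GROUPOPERATORS      = 'FIMSyncOperators'
        GROUPACCOUNTJOINERS = 'FIMSyncJoiners'
        GROUPBROWSE         = 'FIMSyncBrowse'
        GROUPPASSWORDSET    = 'FIMSyncPasswordSet'
        FIREWALL_CONF       = '1'
    }
    $propArgs = foreach ($p in $props.GetEnumerator()) {
        # Quote every value so spaces survive; msiexec escapes an embedded quote by doubling it.
        '{0}="{1}"' -f $p.Key, ($p.Value -replace '"', '""')
    }

    # /q (no UI) is one of the supported silent switches; /l*v writes the verbose log.
    $argList = @('/q', '/i', ('"{0}"' -f $MsiPath)) + @($propArgs) + @('/l*v', ('"{0}"' -f $LogPath))
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow

    # Standard Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
    if (@(0, 3010) -notcontains $proc.ExitCode) {
        # Windows Installer marks the failing action with "Return Value 3"; show the lines leading up to it.
        $hit = Select-String -Path $LogPath -Pattern 'Return Value 3' -SimpleMatch -Context 5, 0 |
               Select-Object -First 1
        if ($hit) { Write-Warning (($hit.Context.PreContext + $hit.Line) -join [Environment]::NewLine) }
        throw ('msiexec exited with {0}; see {1}' -f $proc.ExitCode, $LogPath)
    }

    # Verbose Windows Installer logs can record the property values passed on the command
    # line (SERVICEPASSWORD included), so restrict access to $LogPath or delete it after review.
    return $proc.ExitCode
}

# Usage (constructed names): prompts for the CORP\FimSynchService password rather than embedding it.
# Install-FimSyncUnattended -MsiPath 'D:\Synchronization Service\Synchronization Service.msi' `
#                           -ServiceAccount (Get-Credential 'CORP\FimSynchService')
```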

Features and properties

The first table lists the feature name in the UI and its feature name in the Synchronization Service.msi, Service and Portal.msi and Add-ins and Extensions.msi. The second table lists the feature name in the UI and its feature name in the Add-ins and Extensions.msi. The third table lists the feature name in the UI and its feature name in the Service and Portal Language Pack.msi. These can all be used with the ADDLOCAL, REINSTALL, and REMOVE properties described above. The tables in this section list the settings in the order that they appear during the user interface (UI) installation. Default values are in brackets.
Table 1 FIM 2010 R2 Windows Installer Features

Name of the feature in the UI | Windows Installer feature name
FIM Add-in for Outlook | OfficeClient
FIM Password and Authentication Extensions | PasswordClient
FIM Service | CommonServices
FIM Portal | WebPortals
FIM Password Reset Portal | PwdPortals
FIM Synchronization Service | N/A (only one feature in the installer)
Forefront Identity Manager Certificate Management (FIM CM) Update Service | CLM_Service
FIM CM Portal | Web_Files
FIM CM CA Modules | CA_Modules
FIM CM Smart Card PIN Reset Tool | ChangePin
FIM CM Smart Card Personalization Control | AppletManagement
FIM CM Smart Card Client | SelfServiceControl
FIM CM Update Client | ProfileUpdateControl
FIM CM Bulk Issuance Client | ClientFiles
Microsoft Password Change Notification Service | PCNSSVC
FIM Password and Authentication Extensions; FIM Password and Authentication Extensions for Windows XP; FIM Password and Authentication Extensions for Windows Vista | PasswordClient
FIM Password Registration Portal | RegistrationPortal
FIM Password Reset Portal | ResetPortal
Table 2 Service and Portal Language Pack Features

Feature | Description
FIMPortalLP | Installs languages for the FIM Portal
FIMServiceLP | Installs languages for the FIM Service
FIMResetPortalLP | Installs languages for the FIM Password Reset Portal
FIMRegistrationPortalLP | Installs languages for the FIM Password Registration Portal
PortalzhCN | Chinese (Simplified) language pack for FIM Portal.
PortalzhTW | Chinese (Taiwan) language pack for FIM Portal.
PortalcsCZ | Czech language pack for FIM Portal.
PortaldaDK | Danish language pack for FIM Portal.
PortalnlNL | Dutch language pack for FIM Portal.
PortalfiFI | Finnish language pack for FIM Portal.
PortalfrFR | French language pack for FIM Portal.
PortaldeDE | German language pack for FIM Portal.
PortalitIT | Italian language pack for FIM Portal.
PortaljaJP | Japanese language pack for FIM Portal.
PortalkoKR | Korean language pack for FIM Portal.
PortalnbNO | Norwegian language pack for FIM Portal.
PortalplPL | Polish language pack for FIM Portal.
PortalptBR | Portuguese (Brazil) language pack for FIM Portal.
PortalptPT | Portuguese (Portugal) language pack for FIM Portal.
PortalruRU | Russian language pack for FIM Portal.
PortalesES | Spanish language pack for FIM Portal.
PortalsvSE | Swedish language pack for FIM Portal.
PortaltrTR | Turkish language pack for FIM Portal.
MTzhCN | Chinese (Simplified) language pack for FIM Service.
MTzhTW | Chinese (Taiwan) language pack for FIM Service.
MTcsCZ | Czech language pack for FIM Service.
MTdaDK | Danish language pack for FIM Service.
MTnlNL | Dutch language pack for FIM Service.
MTfiFI | Finnish language pack for FIM Service.
MTfrFR | French language pack for FIM Service.
MTdeDE | German language pack for FIM Service.
MTitIT | Italian language pack for FIM Service.
MTjaJP | Japanese language pack for FIM Service.
MTkoKR | Korean language pack for FIM Service.
MTnbNO | Norwegian language pack for FIM Service.
MTplPL | Polish language pack for FIM Service.
MTptBR | Portuguese (Brazil) language pack for FIM Service.
MTptPT | Portuguese (Portugal) language pack for FIM Service.
MTruRU | Russian language pack for FIM Service.
MTesES | Spanish language pack for FIM Service.
MTsvSE | Swedish language pack for FIM Service.
MTtrTR | Turkish language pack for FIM Service.
ResetbgBG | Bulgarian language pack for FIM Password Reset Portal.
ResetzhCN | Chinese (Simplified) language pack for FIM Password Reset Portal.
ResetzhTW | Chinese (Taiwan) language pack for FIM Password Reset Portal.
ResethrHR | Croatian language pack for FIM Password Reset Portal.
ResetcsCZ | Czech language pack for FIM Password Reset Portal.
ResetdaDK | Danish language pack for FIM Password Reset Portal.
ResetnlNL | Dutch language pack for FIM Password Reset Portal.
ResetetEE | Estonian language pack for FIM Password Reset Portal.
ResetfiFI | Finnish language pack for FIM Password Reset Portal.
ResetfrFR | French language pack for FIM Password Reset Portal.
ResetdeDE | German language pack for FIM Password Reset Portal.
ResetelGR | Greek language pack for FIM Password Reset Portal.
ResethiIN | Hindi language pack for FIM Password Reset Portal.
ResethuHU | Hungarian language pack for FIM Password Reset Portal.
ResetitIT | Italian language pack for FIM Password Reset Portal.
ResetjaJP | Japanese language pack for FIM Password Reset Portal.
ResetkoKR | Korean language pack for FIM Password Reset Portal.
ResetlvLV | Latvian language pack for FIM Password Reset Portal.
ResetltLT | Lithuanian language pack for FIM Password Reset Portal.
ResetnbNO | Norwegian language pack for FIM Password Reset Portal.
ResetplPL | Polish language pack for FIM Password Reset Portal.
ResetptBR | Portuguese (Brazil) language pack for FIM Password Reset Portal.
ResetptPT | Portuguese (Portugal) language pack for FIM Password Reset Portal.
ResetroRO | Romanian language pack for FIM Password Reset Portal.
ResetruRU | Russian language pack for FIM Password Reset Portal.
ResetsrCS | Serbian language pack for FIM Password Reset Portal.
ResetskSK | Slovak language pack for FIM Password Reset Portal.
ResetslSI | Slovenian language pack for FIM Password Reset Portal.
ResetesES | Spanish language pack for FIM Password Reset Portal.
ResetsvSE | Swedish language pack for FIM Password Reset Portal.
ResetthTH | Thai language pack for FIM Password Reset Portal.
ResettrTR | Turkish language pack for FIM Password Reset Portal.
ResetukUA | Ukrainian language pack for FIM Password Reset Portal.
RegistrationbgBG | Bulgarian language pack for FIM Password Registration Portal.
RegistrationzhCN | Chinese (Simplified) language pack for FIM Password Registration Portal.
RegistrationzhTW | Chinese (Taiwan) language pack for FIM Password Registration Portal.
RegistrationhrHR | Croatian language pack for FIM Password Registration Portal.
RegistrationcsCZ | Czech language pack for FIM Password Registration Portal.
RegistrationdaDK | Danish language pack for FIM Password Registration Portal.
RegistrationnlNL | Dutch language pack for FIM Password Registration Portal.
RegistrationetEE | Estonian language pack for FIM Password Registration Portal.
RegistrationfiFI | Finnish language pack for FIM Password Registration Portal.
RegistrationfrFR | French language pack for FIM Password Registration Portal.
RegistrationdeDE | German language pack for FIM Password Registration Portal.
RegistrationelGR | Greek language pack for FIM Password Registration Portal.
RegistrationhiIN | Hindi language pack for FIM Password Registration Portal.
RegistrationhuHU | Hungarian language pack for FIM Password Registration Portal.
RegistrationitIT | Italian language pack for FIM Password Registration Portal.
RegistrationjaJP | Japanese language pack for FIM Password Registration Portal.
RegistrationkoKR | Korean language pack for FIM Password Registration Portal.
RegistrationlvLV | Latvian language pack for FIM Password Registration Portal.
RegistrationltLT | Lithuanian language pack for FIM Password Registration Portal.
RegistrationnbNO | Norwegian language pack for FIM Password Registration Portal.
RegistrationplPL | Polish language pack for FIM Password Registration Portal.
RegistrationptBR | Portuguese (Brazil) language pack for FIM Password Registration Portal.
RegistrationptPT | Portuguese (Portugal) language pack for FIM Password Registration Portal.
RegistrationroRO | Romanian language pack for FIM Password Registration Portal.
RegistrationruRU | Russian language pack for FIM Password Registration Portal.
RegistrationsrCS | Serbian language pack for FIM Password Registration Portal.
RegistrationskSK | Slovak language pack for FIM Password Registration Portal.
RegistrationslSI | Slovenian language pack for FIM Password Registration Portal.
RegistrationesES | Spanish language pack for FIM Password Registration Portal.
RegistrationsvSE | Swedish language pack for FIM Password Registration Portal.
RegistrationthTH | Thai language pack for FIM Password Registration Portal.
RegistrationtrTR | Turkish language pack for FIM Password Registration Portal.
RegistrationukUA | Ukrainian language pack for FIM Password Registration Portal.
Table 3 Add-ins and Extensions Language Pack Features

Feature | Description
FIMALP | FIM Add-ins and Extensions Language Pack
bgBG | Bulgarian language
zhCN | Chinese (Simplified) language
zhTW | Chinese (Taiwan) language
hrHR | Croatian language
csCZ | Czech language
daDK | Danish language
nlNL | Dutch language
etEE | Estonian language
fiFI | Finnish language
frFR | French language
deDE | German language
elGR | Greek language
hiIN | Hindi language
huHU | Hungarian language
itIT | Italian language
jaJP | Japanese language
koKR | Korean language
lvLV | Latvian language
ltLT | Lithuanian language
nbNO | Norwegian language
plPL | Polish language
ptBR | Portuguese (Brazil) language
ptPT | Portuguese (Portugal) language
roRO | Romanian language
ruRU | Russian language
srCS | Serbian language
skSK | Slovak language
slSI | Slovenian language
esES | Spanish language
svSE | Swedish language
thTH | Thai language
trTR | Turkish language
ukUA | Ukrainian language
The following tables list the properties that are associated with the features from above.
Table 4 Synchronization Service properties

Property Name | Description
STORESERVER | Name of SQL Server
SQLDB | Name of database (FIMSynchronization)
SQLINSTANCE | Name of database instance
SERVICEACCOUNT | (Required) Service account name
SERVICEPASSWORD | (Required) Service account password
SERVICEDOMAIN | (Required) Service account domain
GROUPADMINS | Name of admin group (FIMSyncAdmins)
GROUPOPERATORS | Name of operators group (FIMSyncOperators)
GROUPACCOUNTJOINERS | Name of joiners group (FIMSyncJoiners)
GROUPBROWSE | Name of browse group (FIMSyncBrowse)
GROUPPASSWORDSET | Name of password set group (FIMSyncPasswordSet)
FIREWALL_CONF | 0 – Do not configure firewall (default), 1 – Configure firewall
Table 5 FIM Service and FIM Portal properties

Property name | Description
SQMOPTINSETTING | 1 – opt in, 0 – opt out (default)
SQLSERVER_SERVER | (Required) Name of SQL Server instance
SQLSERVER_DATABASE | Name of database (FIMService)
EXISTINGDATABASE | 0 – New database (default), 1 – Existing database
MAIL_SERVER | (Required) Name of mail server
MAIL_SERVER_USE_SSL | 0 – Disable SSL, 1 – Enable SSL (default)
MAIL_SERVER_IS_EXCHANGE | 0 – SMTP, 1 – Exchange (default)
SERVICE_MANAGER_SERVER | Name of the FIM Reporting Service Manager management server.
POLL_EXCHANGE_ENABLED | 0 – Server will not poll for e-mail messages, 1 – Server will poll for e-mail messages (default)
CERTIFICATE_NAME | Name of certificate to generate (ForefrontIdentityManager)
SERVICE_ACCOUNT_NAME | (Required) Service account name
SERVICE_ACCOUNT_PASSWORD | (Required) Service account password
SERVICE_ACCOUNT_DOMAIN | (Required) Service account domain
SERVICE_ACCOUNT_EMAIL | (Required) Service account e-mail address
SYNCHRONIZATION_SERVER | (Required) Address of FIM Synchronization Service server
SYNCHRONIZATION_SERVER_ACCOUNT | FIM Service Management Agent account in the format domain\accountname
SERVICEADDRESS | Address used by clients to contact the server
SHAREPOINT_URL | URL used to contact the SharePoint server
REGISTRATION_PORTAL_URL | An optional URL of the FIM 2010 R2 password registration portal that the FIM portal redirects to when the user clicks the "Register for password reset" link on the FIM portal home page.
FIREWALL_CONF | 0 – Do not configure firewall (default), 1 – Configure firewall
SHAREPOINTUSERS_CONF | 0 – Do not add authenticated users (default), 1 – Add authenticated users
PASSWORDUSERS_CONF | 0 – Do not add authenticated users (default), 1 – Add authenticated users
REQUIRE_REGISTRATIONPORTAL_INFO | 0 – Do not require password registration information (default), 1 – Require password registration information
REGISTRATION_ACCOUNT_NAME | Account name of the application pool account that will run the password registration portal.
REGISTRATION_ACCOUNT_DOMAIN | Domain of the application pool account that will run the password registration portal.
REQUIRE_RESET_INFO | 0 – Do not require password reset information (default), 1 – Require password reset information
RESET_ACCOUNT_NAME | Account name of the application pool account that will run the password reset portal.
RESET_ACCOUNT_DOMAIN | Domain of the application pool account that will run the password reset portal.
SHAREPOINTTIMEOUT | Timeout in seconds the installer should wait for Office SharePoint to deploy the solution packs.
Table 6 FIM 2010 R2 Certificate Management properties

Property Name | Description
WEBAPPNAME | Name of the virtual folder for Certificate Management.
SITELOCK_DOMAIN | List of sites used by FIM CM installations. This list is used for ActiveX controls to initiate.
Table 7 Add-ins and Extensions properties

Property name | Description
SQMOPTINSETTING | 1 – opt in, 0 – opt out (default)
PORTAL_LOCATION | Address of the FIM Portal. Used by the Outlook add-in.
PORTAL_PREFIX | Prefix used to contact the FIM Portal: http or https (default)
MONITORED_EMAIL | FIM Service e-mail address. Used by the Outlook add-in when sending e-mail messages.
RMS_LOCATION | Address of the FIM Service. Used by the Password Reset extensions.
REGISTRATION_PORTAL_URL | The URL of the FIM 2010 R2 password registration portal that the rich client navigates to by default. As part of rich client password registration, the rich client invokes the user's default browser to navigate to this URL if password registration is required.
BEST_EFFORT_INSTALL | If both components are selected, but one cannot be installed due to failed prerequisites, silently continue installation with the other component. 0 – Fail installation (default), 1 – Silently continue
The following is an example of installing the FIM 2010 R2 Synchronization Service:
msiexec /q /i "D:\Synchronization Service\Synchronization Service.msi" STORESERVER=LocalMachine SQLDB=FIMSynchronization SERVICEACCOUNT=FimSynchService SERVICEPASSWORD=Pass1word! SERVICEDOMAIN=CORP GROUPADMINS=FIMSyncAdmins GROUPOPERATORS=FIMSyncOperators GROUPACCOUNTJOINERS=FIMSyncJoiners GROUPBROWSE=FIMSyncBrowse GROUPPASSWORDSET=FIMSyncPasswordSet FIREWALL_CONF=1 /L*v C:\mylogfile.txt
The following is an example of installing the FIM 2010 R2 Service and Portal:
msiexec /q /i "D:\Service and Portal\Service and Portal.msi" ADDLOCAL=CommonServices,WebPortals SQMOPTINSETTING=0 SQLSERVER_SERVER=APP1 SQLSERVER_DATABASE=FIMService EXISTINGDATABASE=0 MAIL_SERVER=EX1.corp.contoso.com MAIL_SERVER_USE_SSL=0 MAIL_SERVER_IS_EXCHANGE=1 POLL_EXCHANGE_ENABLED=1 CERTIFICATE_NAME=ForefrontIdentityManager SERVICE_ACCOUNT_NAME=FIMService SERVICE_ACCOUNT_PASSWORD=abc123*2k SERVICE_ACCOUNT_DOMAIN=CORP SERVICE_ACCOUNT_EMAIL=FIMService@corp.contoso.com SERVICE_MANAGER_SERVER=APP2 SYNCHRONIZATION_SERVER=FIM1 SYNCHRONIZATION_SERVER_ACCOUNT=CORP\FIMMA SERVICEADDRESS=FIM1 SHAREPOINT_URL=http://localhost REGISTRATION_PORTAL_URL=https://passwordregistration.corp.contoso.com FIREWALL_CONF=1 SHAREPOINTUSERS_CONF=1 REQUIRE_REGISTRATION_INFO=1 REGISTRATION_ACCOUNT_NAME=FIMPassword REGISTRATION_ACCOUNT_DOMAIN=CORP REQUIRE_RESET_INFO=1 RESET_ACCOUNT_NAME=FIMPassword RESET_ACCOUNT_DOMAIN=CORP /L*v C:\fimservicelog.txt
The following is an example of a command-line installation for the Password Reset and Registration Portal:
msiexec /q /i "D:\Service and Portal\Service and Portal.msi" ADDLOCAL=RegistrationPortal,ResetPortal REGISTRATION_ACCOUNT=CORP\FIMPassword REGISTRATION_ACCOUNT_PASSWORD=Pass1word$ REGISTRATION_HOSTNAME=passwordregistration.corp.contoso.com REGISTRATION_PORT=80 REGISTRATION_FIREWALL_CONFIG=1 REGISTRATION_SERVERNAME=FIM1 IS_REGISTRATION_EXTRANET=Extranet RESET_ACCOUNT=CORP\FIMPassword RESET_ACCOUNT_PASSWORD=Pass1word$ RESET_HOSTNAME=passwordreset.corp.contoso.com RESET_PORT=81 RESET_FIREWALL_CONF=1 RESET_SERVERNAME=FIM1 IS_RESET_EXTRANET=Extranet /L*v C:\mylogfile.txt
The following is an example of a command-line installation for the FIM CM Web Portal and FIM CM Update Service of FIM 2010 Certificate Management:
msiexec /q /i "D:\Certificate Management\x64\Certificate Management.msi" ADDLOCAL=CLM_Service,Web_Files WEBAPPNAME=CertificateManagement /L*v C:\mylogfile.txt
The following is an example of a command-line installation for the FIM CM CA Modules of FIM 2010 Certificate Management:
msiexec /q /i "D:\Certificate Management\x64\Certificate Management.msi" ADDLOCAL=CA_Modules /L*v C:\mylogfile.txt
The following is an example of a command-line installation for the FIM CM Client of FIM 2010 Certificate Management:
msiexec /q /i "D:\CM Client\x64\CM Client.msi" ADDLOCAL=CMClient,ChangePin,AppletManagement,SelfServiceControl,ProfileUpdateControl /L*v C:\mylogfile.txt
The following is an example of installing the Add-ins and Extensions:
msiexec /q /i "D:\Add-ins and extensions\x64\Add-ins and extensions.msi" ADDLOCAL=OfficeClient,PasswordClient PORTAL_LOCATION=FIM1 PORTAL_PREFIX=http RMS_LOCATION=FIM1 MONITORED_EMAIL=FIMService@corp.contoso.com REGISTRATION_PORTAL_URL=https://passwordregistration.corp.contoso.com /L*v C:\mylogfile.txt
The following is an example of installing the Service and Portal Language Pack. It shows how to install the Japanese language pack for all of the components:
msiexec /q /i "D:\Service and Portal Language Pack\Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,PortaljaJP,FIMServiceLP,MTjaJP,FIMResetPortalLP,ResetjaJP,FIMRegistrationPortalLP,RegistrationjaJP /L*v C:\mylogfile.txt
The following is an example of installing the Add-ins and Extensions Language Pack. It shows how to install the Japanese language:
msiexec /q /i "D:\Add-ins and Extensions Language Pack\Add-ins and Extensions Language Pack.msi" ADDLOCAL=FIMALP,jaJP /L*v C:\mylogfile.txt