Installing MIM Synchronization Service with an Offline Spare
Published Nov 01 2019 03:20 PM
Microsoft

First published on MSDN on Jun 12, 2018

 

Using This Guide:

Introduction:

This document is intended to be used as an operational build document for the Microsoft Identity Manager 2016 Synchronization Server installation. You may perform a search and replace on the variables listed below to create a detailed build guide customized for your environment.

 

Document Variables:

Search and Replace Variable         Description
[Domain]                            The domain's common name.
[Offline Sync Server]               The Offline MIM Synchronization Server's common name.
[Offline Sync Server IP]            The Offline Synchronization Server's IP address.
[Primary Sync Server]               The Primary Synchronization Server's common name.
[Primary Sync Server IP]            The Primary Synchronization Server's IP address.
[SQL Server]                        The SQL Server's common name.
[SQL Server IP]                     The SQL Server's IP address.
[SQL Server Instance]               The Microsoft SQL Server instance name.
[Synchronization Service Account]   The service account that the MIM Synchronization Service runs under.
[Install Account]                   The installation account used to perform installation and upgrades of the MIM Synchronization Service software.
[Admin Group Name]                  The Synchronization Server client's Administrators security group. Default name: FIMSyncAdmins.
[Operators Group Name]              The Synchronization Server client's Operators security group. Default name: FIMSyncOperators.
[Joiners Group Name]                The Synchronization Server client's Joiners security group. Default name: FIMSynchJoiners.
[Browse Group Name]                 The Synchronization Server client's Browse security group. Default name: FIMSyncBrowse.
[PW Group Name]                     The Synchronization Server client's Password Management security group. Default name: FIMSyncPasswordSet.

Requirements:

 

Virtual Server / Hardware Requirements:

Please reference the following document for best practice guidance on MIM Synchronization Server configurations.

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-support...

 

In this Synchronization Server build example, we install two Windows virtual servers: one for the Primary Synchronization Server and one for the Offline Spare Synchronization Server. Each server should have a minimum of 2 virtual CPUs and 32 GB of RAM. The two servers in this example have the following disk allocations:

 

C:\  100 GB  Operating system

E:\  200 GB  MIM 2016, associated management agents and rules extensions

 

SQL Server Requirements:

Please reference the following Microsoft document for best practice guidance on SQL server configuration settings and builds for MIM Synchronization Server.

https://docs.microsoft.com/en-us/microsoft-identity-manager/mim-best-practices

 

In this Synchronization Server build example, we install a separate Microsoft SQL Server 2016 instance named SYNC.

 

Server Names and Related Information:

Hostname                  IP Address (Public)         Description
[Offline Sync Server]     [Offline Sync Server IP]    Offline Spare Synchronization Server
[Primary Sync Server]     [Primary Sync Server IP]    Primary Synchronization Server
[SQL Server]              [SQL Server IP]             SQL Server

 

Account Requirements:

The following new Active Directory domain accounts are needed to support the installation:

Service Account Name: [Synchronization Service Account]
  Usage: Service account for the Synchronization Service with SQL Server database access.
  Notes:
    - Deny log on as a batch job
    - Deny log on locally
    - Deny access to this computer from the network
    - SQL Server admin rights to the FIMSynchronizationService database.

Service Account Name: [Install Account]
  Usage: The account used to perform the initial installation of the MIM Synchronization Service software. We will use this account for the installation in the MIM environment.
  Notes:
    - Local admin on the Sync server
    - Full SQL admin rights to create and modify the FIMSynchronizationService database.
    - Add as a member of the [Admin Group Name] group.
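The account table above lists the logon restrictions the service account should carry. The following script is an added example (not part of the original guide) that verifies those settings on a Synchronization Server after installation: it exports the local user-rights policy with secedit, checks the three deny rights and the "Log on as a service" right for the account's SID, confirms the service actually runs as that account, and confirms the account is not a local administrator. Run it elevated; the account name is a placeholder for [Domain]\[Synchronization Service Account].

```powershell
# Added example, not from the original guide. Assumes an elevated Windows PowerShell 5.1
# session on the Sync server; $ServiceAccount is a placeholder you replace.
$ServiceAccount = 'CONTOSO\svc-mimsync'   # placeholder for [Domain]\[Synchronization Service Account]

function Get-UserRightAssignments {
    # Export the local policy's user-rights section with secedit and parse it into a
    # table of right name -> list of SIDs (secedit writes SIDs prefixed with '*').
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    return $rights
}

function Test-SyncServiceAccountHardening {
    # Resolve the account to its SID, which is how secedit records assignments.
    $nt  = New-Object System.Security.Principal.NTAccount($ServiceAccount)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $rights = Get-UserRightAssignments

    # A missing key means the right is assigned to nobody; $null -contains $sid is $false.
    $checks = [ordered]@{
        'Deny log on as a batch job'             = $rights['SeDenyBatchLogonRight']       -contains $sid
        'Deny log on locally'                    = $rights['SeDenyInteractiveLogonRight'] -contains $sid
        'Deny access from the network'           = $rights['SeDenyNetworkLogonRight']     -contains $sid
        'Log on as a service (granted by setup)' = $rights['SeServiceLogonRight']         -contains $sid
    }

    # The service must run as this account, and the account must not be a local admin.
    $svc = Get-CimInstance Win32_Service -Filter "Name='FIMSynchronizationService'"
    $checks['Service runs as this account'] = ($svc -and ($svc.StartName -ieq $ServiceAccount))
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $checks['Not a local Administrator'] = -not ($admins -icontains $ServiceAccount)

    return [pscustomobject]$checks
}

Test-SyncServiceAccountHardening | Format-List
```

Any check that reports False is something to fix before the server goes into production; the deny rights are normally delivered by a Group Policy applied to both Sync servers so that the Offline Spare inherits the same restrictions.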

 

 

Server Software Installation:

Windows Server Options Installation:

 

Install .NET 3.5

This is required to successfully install the MIM Synchronization Server.

Note: On Windows Server 2016 you must define an alternate install path of [Drive Letter]:\sources\sxs.
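The same step from an elevated PowerShell session, as an added example that is not part of the original guide. It installs the .NET Framework 3.5 feature using the alternate source path the note above calls for; the drive letter is a placeholder for wherever the Windows media is mounted.

```powershell
# Added example, not from the original guide. Assumes the Windows installation media is
# mounted on D: (placeholder) and that this runs elevated on the Sync server.
$SourcePath = 'D:\sources\sxs'   # placeholder for [Drive Letter]:\sources\sxs

$feature = Get-WindowsFeature -Name NET-Framework-Core
if ($feature.Installed) {
    Write-Host '.NET Framework 3.5 (NET-Framework-Core) is already installed.'
} else {
    if (-not (Test-Path $SourcePath)) {
        throw "Source path '$SourcePath' not found; mount the Windows media or correct the path."
    }
    # -Source points the feature installer at the side-by-side payload on the media.
    $result = Install-WindowsFeature -Name NET-Framework-Core -Source $SourcePath
    if (-not $result.Success) {
        throw "Installation failed with exit code $($result.ExitCode)."
    }
    Write-Host ".NET Framework 3.5 installed. Restart needed: $($result.RestartNeeded)"
}
```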

 

Install SQL Client:

Launch the Microsoft SQL 2016 client installation.

On the Welcome to the Installation Wizard for SQL Server 2016 Management Studio page, select Next.

 

Review the license agreement and accept the terms if in agreement.

Select Next to install.

 

On the Feature Selection pane, select Next.

 

On the Ready to Install pane, select Install.

 

Once completed, select Finish.

 

Optional Tools:

Some popular tools and utilities that you may consider installing include:

-  NotePad++

-  Visual Studio

-  Telnet Client

-  Active Directory Users and Computers

-  LDAP Client

-  SQL Server Client

-  Oracle Server Client (If connecting to Oracle database)

MIM 2016 Sync Server Installation:

 

Overview:

The following document is intended to function as an operations guide for the installation of the MIM 2016 Synchronization Server. This document covers both the installation of the Offline Spare and Primary MIM 2016 Synchronization Servers.

 

The Offline Spare (optional) functions as a pre-installed synchronization engine whose MIM service is disabled until needed (i.e., in the event of failure of the Primary Synchronization Server). The Offline Spare is installed first, followed by the installation of the Primary Synchronization Server.

 

Only one MIM Synchronization Server may be operational at a time. The Offline Spare and Primary Synchronization Server share a common SQL database (FIMSynchronizationService) that retains all configuration options, source code, and management agent configurations. 

 

Prerequisites:

 
Installation Media:

The installation media can be obtained from the Microsoft Customer Portal.

 

SQL Server Considerations:

· This installation document covers the installation of a stand-by synchronization server which requires the SQL server database to be hosted on a separate SQL server.

· The SQL Server client will need to be pre-installed on this server prior to installation of the MIM Synchronization Server Software.

· The SQL Server will need to be enabled for remote access.

· The SQL Server and SQL Server Agent services for the instance (e.g., SYNC) need to be running.

 

Active Directory Service Accounts :

· Installation Account with SQL Admin rights.

· Sync Service Account with SQL read/write rights.

 

Active Directory Management Groups:

· [Admin Group Name]

· [Operators Group Name]

· [Joiners Group Name]

· [Browse Group Name]

· [PW Group Name]
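The service accounts and management groups listed in the two prerequisite sections above can be created ahead of the build with the Active Directory PowerShell module. The script below is an added example (not part of the original guide): it creates the two accounts and the five security groups as domain groups, which is what the Security Groups page of setup expects when a stand-by server shares the configuration, and adds the install account to the administrators group. The OU path, account names and group names are placeholders for the document variables; the group names shown are the defaults the guide lists.

```powershell
# Added example, not from the original guide. Requires the RSAT ActiveDirectory module and
# a domain account allowed to create objects in the target OU. All names are placeholders.
Import-Module ActiveDirectory

$TargetOU = 'OU=MIM,DC=contoso,DC=com'   # placeholder: where the accounts and groups will live
$Accounts = @{
    'svc-mimsync' = 'MIM Synchronization Service account'   # [Synchronization Service Account]
    'svc-miminst' = 'MIM Synchronization install account'   # [Install Account]
}
$Groups = @(
    'FIMSyncAdmins',       # [Admin Group Name]
    'FIMSyncOperators',    # [Operators Group Name]
    'FIMSynchJoiners',     # [Joiners Group Name]
    'FIMSyncBrowse',       # [Browse Group Name]
    'FIMSyncPasswordSet'   # [PW Group Name]
)

foreach ($name in $Accounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        # Prompt for the initial password rather than embedding it in the script.
        $pw = Read-Host -Prompt "Initial password for $name" -AsSecureString
        New-ADUser -Name $name -SamAccountName $name -Description $Accounts[$name] `
            -Path $TargetOU -AccountPassword $pw -Enabled $true
    }
}

foreach ($g in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        # Domain (global) security groups, so both Sync servers resolve the same membership.
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security `
            -Path $TargetOU -Description "MIM Synchronization Service $g"
    }
}

# The install account must be a member of the administrators group before setup runs.
$adminGroup = $Groups[0]
$members = Get-ADGroupMember -Identity $adminGroup | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains 'svc-miminst') {
    Add-ADGroupMember -Identity $adminGroup -Members 'svc-miminst'
}
```

The service account is deliberately not added to any of the groups; its only rights come from the SQL database permissions and the logon restrictions described under Account Requirements.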

 

Firewall and Port Considerations:

· TCP Port 1433 open between Sync Servers and SQL Server.

o [Primary Sync Server] [Primary Sync Server IP] – [SQL Server] [SQL Server IP]

o [Offline Sync Server] [Offline Sync Server IP] – [SQL Server] [SQL Server IP]
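On the SQL Server host, the inbound rule for TCP 1433 can be scoped to the two Synchronization Servers instead of to any source address. The following is an added example (not from the original guide) run elevated on [SQL Server]; the two addresses are placeholders for [Primary Sync Server IP] and [Offline Sync Server IP], and the rule assumes the SYNC instance listens on the default port 1433.

```powershell
# Added example, not from the original guide. Run elevated on the SQL Server host.
$SyncServerIPs = @('10.0.1.10', '10.0.1.11')   # placeholders for the two Sync server IPs
$RuleName      = 'MIM Sync - SQL 1433 inbound'

# Recreate the rule so repeated runs do not leave duplicates behind.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}

# -RemoteAddress limits the rule to the Sync servers; without it the port is open to all.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $SyncServerIPs -Profile Domain | Out-Null

# Show the address scope that was actually applied.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

A named instance uses a dynamic TCP port by default; either fix the SYNC instance to 1433 in SQL Server Configuration Manager so this rule matches, or also allow UDP 1434 for the SQL Browser service that tells clients which port the instance is on.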

 

MIM Synchronization Service Install:

 
Server Build Order:

The stand-by synchronization server is installed prior to the primary synchronization server.

 

Offline Server Build Action:

Log in to the Offline Synchronization Server [Offline Sync Server] using the Installation Account [Install Account].

 

Primary Server Build Action:

Log in to the Primary Synchronization Server [Primary Sync Server] using the Installation Account [Install Account].

 

Installation Software:

Mount the installation Media.

In Windows Explorer navigate to the root of the MIM 2016 installation media and double-click on FIMSplash to begin the installation.

 

If prompted how to view .htm files, select Internet Explorer .

 

This will open the MIM installation menu.


 

Under Identity Manager Synchronization Service, select Install Synchronization Service.

Select Run.

 

If prompted to allow the program to make changes to this device, you must select Yes to continue the installation.

 

Microsoft Identity Manager 2016 – Synchronization Service Setup Wizard

Click Next to continue.

 

End User License Agreement

Read and accept the terms of the License Agreement.

To continue installation, select Next.

 

Custom Setup


The default Installation Location is C:\program files\Microsoft Forefront Identity Manager\2010\

If you would like to modify the Installation Location, select the Change button, and enter the custom path setting.

Once complete, select Next to continue.

 

Configure Microsoft Identity Manager Synchronization Service – Database Connection

When installing your Synchronization Service with a warm stand-by, you must use a remote SQL Server configuration. The Stand-by and Live Synchronization servers reference the same SQL database.


 

SQL Server is located on:

Select A remote machine.

Then enter the common name of the SQL Server: [SQL Server]

 

Note: Installation of the SQL Client or SQL Server Management Studio is required, as referenced in the Prerequisites section of this document. If it is not installed, you may receive a message that the MIM Synchronization Service is having trouble reaching the SQL Server.

 

The SQL Server instance is:

Select A named instance.

Then enter the instance name: [SQL Server Instance]

Select Next to continue.

 

Configure Microsoft Identity Manager Synchronization Service – Service Account

Enter the Service account information under which the MIM Sync Service will run:


Service Account: [Synchronization Service Account]

Password: **********

Service Account Domain: [Domain]

Select Next when completed.

 

Configure Microsoft Identity Manager Synchronization Service – Security Groups

When implementing a stand-by synchronization server you should use Domain groups. This ensures your access groups remain consistent after implementing the stand-by server.

 

Prior to proceeding with the installation, the security groups should be created in Active Directory. You may use any naming convention you like for these groups, or you may choose to retain the default group names (i.e., FIMSyncAdmins, FIMSyncOperators, FIMSynchJoiners, FIMSyncBrowse, and FIMSyncPasswordSet). In the example below we changed the group names from the defaults.

 


 

To configure for use with Domain groups, enter the following information:

Administrator: [Domain]\[Admin Group Name]

Operator: [Domain]\[Operators Group Name]

Joiner: [Domain]\[Joiners Group Name]

Connector browse: [Domain]\[Browse Group Name]

WMI password Management: [Domain]\[PW Group Name]

Click Next to continue.

 

Configure Microsoft Identity Manager Synchronization Service – Security Changes


Check the box to Enable firewall rules for inbound RPC communications

Select Next 

 

Install Microsoft Identity Manager Synchronization Service

Select Install

 

Note: Warning messages can occur as part of the normal installation process. Please pay close attention to any Warning or Error messages received. Actions may differ for the Offline Spare vs. the Primary Synchronization Server. See the troubleshooting section at the end of this document for specific warning and error messages and how to resolve them.

 


Select OK to continue.

 

Offline Spare Server build action only :

If you are building the Offline Spare for the first time, you should not receive a database already exists message unless you are migrating the configuration from a former implementation.  

 

If you are migrating a former installation to a new server, then you will receive the database already exists message during the offline spare build.  Please proceed to the Primary Synchronization Server build and follow those instructions to restore the former database to the new offline spare.

 

If you are not migrating from a former installation then verify you are connecting to the correct SQL server and instance.

 

This situation could occur if you are reinstalling the synchronization server from a former failed or test implementation. In such a case, you will need to manually remove the database from the SQL Server to proceed. As a matter of extreme caution, always back up the database before removing it.

 

Primary Synchronization Server build Action Only (Select Encryption Keys) :

 

You should receive the following Warning:

[Screenshot of the warning dialog]

Select Yes

 

You should receive the following Warning:

[Screenshot of the warning dialog]

Select Yes

 

Select the encryption key file (ex. E:\MIM\Keys\SyncKeys.bin)


Select Open

 

Save Database Encryption Key (Offline Spare Server build action only):

At this point you will be prompted to back up the database encryption key.

Click OK

Select a location and enter a name for this key file, then click Save

 

 

Completing the Microsoft Identity Manager Synchronization Service Setup Wizard:


When notified of successful completion,

Click Finish to complete setup.

 

You may receive the following Warning:

You must logoff and re-logon your system for the security group membership to take effect. Please close the other applications and click Yes if you want to logoff now. You may click No if you want to logoff later.

Select Yes

 

Restart the MIM Synchronization Server.

 

Launch the Synchronization Service Client:

You should now be able to open the MIM 2016 Sync Service. (Start, Run, Synchronization Service)


 

To verify the version, click Help and About .


 

Although the About dialog is still branded Microsoft Forefront Identity Manager 2010 R2, the version number tells them apart: MIM 2016 R1 starts at 4.4.1302.0, whereas FIM 2010 R2 versions begin at 4.1.xxxx.x.

 

Perform the following steps for the Offline Spare build Only:

From the Services management console,

Right-click Forefront Identity Manager Synchronization Service

Select Properties

 

On the General tab, next to Startup Type, select Disabled.

If Service Status is "Running", select Stop.

Select Apply, then OK.

 

Perform the following Steps for the Primary Synchronization Server build Only:

Once complete with the Offline Spare build, repeat the build instructions following all steps for the Primary Synchronization Server and skipping those steps noted for the Offline Spare build.

If you have completed the steps for both the Offline Spare and the Primary Synchronization Server, the synchronization server build process is complete.

 

Troubleshooting - Error Messages and common resolutions:

 

Warning 25051 :


 

Warning 25051. The Microsoft Identity Manager Synchronization Service service account is not secure in its current configuration. For more information about best practices for securing the service account, please see Microsoft Identity Manager Synchronization Service Help.

For Offline Spare and Primary Synchronization Server builds, this is normal, but should be addressed after the installation.  Select OK to continue.

 

To address this issue after installation, please refer to the following documentation:

https://blogs.msdn.microsoft.com/connector_space/2015/08/28/warning-25051-service-account-is-not-se...

 

Error 25009 :

Error 25009. The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the specified database.

For Offline Spare and Primary Synchronization Server builds, Select Ok to continue.

The installation will roll back; select Finish.

 

Next, verify that your installation account has SQL admin rights and that the .NET 3.5 components are installed (via Server Manager). Once resolved, you will need to start the installation process from the beginning.

 

Warning, A Microsoft Identity Manager Synchronization Service database already exists :

A Microsoft Identity Manager Synchronization Service database already exists. If you click Yes, you will restore the configuration with this database. If you click No, you must manually remove the previous database before installation can continue. Do you want to use the existing database?

 

Error - SQL Connection Errors:


Verify that the firewall rules are set properly between the MIM 2016 Synchronization Server and the SQL Server.

Verify that the SQL Client or SQL Server Management Studio is installed on the MIM Synchronization Server.

Verify that the SQL Server is running.

Verify that you are logged in as the MIM Install Account and that it has rights to access SQL.

Verify that the SQL instance is running and that you have the correct name.

Verify that the SQL Server name is in DNS.
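Most of this checklist can be walked by script from the Synchronization Server. The following is an added example (not from the original guide), run on the Sync server while logged in as [Install Account]: it checks DNS resolution, TCP 1433 reachability, the instance's SQL Server and SQL Server Agent services on the SQL host, and finally whether the current account can log in to the instance with integrated authentication and holds the sysadmin role setup needs. Server and instance names are placeholders for [SQL Server] and [SQL Server Instance]; the SSMS/SQL Client check remains a manual one.

```powershell
# Added example, not from the original guide. Windows PowerShell 5.1 on the Sync server,
# logged in as the install account. Remote service enumeration needs rights on the SQL host.
$SqlServer   = 'sql01.contoso.com'   # placeholder for [SQL Server]
$SqlInstance = 'SYNC'                # placeholder for [SQL Server Instance]
$Database    = 'master'              # FIMSynchronizationService does not exist before setup

function Test-MimSqlPrereqs {
    $results = [ordered]@{}

    # 1. Name resolution: the SQL Server must be in DNS.
    $results['DNS'] = [bool](Resolve-DnsName -Name $SqlServer -ErrorAction SilentlyContinue)

    # 2. Firewall path: TCP 1433 reachable from this host (assumes the instance uses 1433).
    $tcp = Test-NetConnection -ComputerName $SqlServer -Port 1433 -WarningAction SilentlyContinue
    $results['TCP1433'] = $tcp.TcpTestSucceeded

    # 3. Instance running: MSSQL$<instance> and SQLAgent$<instance> on the SQL host.
    foreach ($svc in "MSSQL`$$SqlInstance", "SQLAgent`$$SqlInstance") {
        $s = Get-Service -ComputerName $SqlServer -Name $svc -ErrorAction SilentlyContinue
        $results[$svc] = [bool]($s -and $s.Status -eq 'Running')
    }

    # 4. Login with the current account using integrated authentication only (no SQL password).
    $cs = "Server=$SqlServer\$SqlInstance;Database=$Database;Integrated Security=True;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
        $role = $cmd.ExecuteScalar()
        $results['SqlLogin']    = $true
        $results['SqlSysadmin'] = ($role -is [int] -and $role -eq 1)
    } catch {
        $results['SqlLogin']    = $false
        $results['SqlSysadmin'] = $false
        $results['SqlError']    = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }

    return [pscustomobject]$results
}

Test-MimSqlPrereqs | Format-List
```

Connecting by instance name relies on the SQL Browser service (UDP 1434) to discover the port, so a failure in step 4 with steps 1 to 3 passing usually points at Browser being blocked or at a non-default instance port; the SqlError field carries the provider's message for that case.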

 

To failover to the Offline Spare:

 

Disable the Primary Sync Server's FIMSynchronizationService via the Services.msc shell.  

Enable the Offline Spare's FIMSynchronizationService via the Services.msc shell.

Run the MIISActivate command line utility.  
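The three failover steps above, as an added example script that is not part of the original guide. It is run elevated on the Offline Spare as [Install Account], which must be able to manage services on the Primary remotely. It refuses to activate the spare until the Primary's service is confirmed stopped, since only one Synchronization Server may run against the shared database, and it performs the same stop-and-disable action that the Offline Spare build applies by hand through Services. Host names, the key file path and the service account are placeholders; the service name FIMSynchronizationService is the one the guide uses; the miisactivate.exe path assumes the default installation location, and its argument order (key file, service account, password or * to prompt) follows the activation utility's documentation.

```powershell
# Added example, not from the original guide. Windows PowerShell 5.1, elevated, on the spare.
$PrimaryServer  = 'mimsync01.contoso.com'                 # placeholder for [Primary Sync Server]
$ServiceName    = 'FIMSynchronizationService'
$KeyFile        = 'E:\MIM\Keys\SyncKeys.bin'             # the key saved during the Offline Spare build
$ServiceAccount = 'CONTOSO\svc-mimsync'                  # placeholder for [Domain]\[Synchronization Service Account]
$MiisActivate   = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miisactivate.exe'

# 1. Stop and disable the Primary first; refuse to continue if it will not stop.
$primary = Get-Service -ComputerName $PrimaryServer -Name $ServiceName -ErrorAction Stop
if ($primary.Status -ne 'Stopped') { $primary | Stop-Service -Force }
Set-Service -ComputerName $PrimaryServer -Name $ServiceName -StartupType Disabled
$primary.Refresh()
if ($primary.Status -ne 'Stopped') {
    throw "Primary service on $PrimaryServer is still $($primary.Status); not activating the spare."
}

# 2. Re-enable the spare's service, which the Offline Spare build left Disabled.
Set-Service -Name $ServiceName -StartupType Automatic

# 3. Activate this server with the saved database encryption key ('*' prompts for the password).
if (-not (Test-Path $KeyFile)) { throw "Key file $KeyFile not found." }
& $MiisActivate $KeyFile $ServiceAccount '*'
if ($LASTEXITCODE -ne 0) { throw "miisactivate.exe exited with code $LASTEXITCODE" }

# 4. Make sure the spare is running and show the final state of both servers.
Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
Get-Service -Name $ServiceName | Select-Object MachineName, Status, StartType
$primary.Refresh()
$primary | Select-Object MachineName, Status, StartType
```

The key file is what lets the spare decrypt the secrets stored in the shared database, so it should be kept where only the people performing a failover can reach it, and the script fails early if it is missing rather than leaving both servers' services in a half-switched state.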

Last update: Jun 07 2022 07:51 AM