Operational Assessment - Microsoft



Forefront Identity Manager 2010 Installation & Configuration
Managing Configuration Changes
Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering

Installing Updates

Install the major FIM patches and enhancements that are made available through Windows Update. For major product releases, it is recommended that you test the new version in the test lab first by re-testing all the test cases documented in the Test Plan.

Prior to installing major updates, make the necessary backups as described in the section above, "Backup the Solution Components".

Managing Configuration Changes

All changes to the FIM configuration should be documented on a project collaboration site or share and must go through the standard Change Control process.

Follow the steps below when rolling out configuration changes to production:

Backup the FIM databases

Use SQL Server Management Studio to back up the following databases:

    FIMService
    FIMSynchronizationService

In case something goes wrong with the update, you will be able to restore the FIM configuration and all user and group related data from these backups.

Dump Users and Groups from Active Directory

Open a command prompt on any of the 3 machines where FIM is running and run the following commands:

    ldifde -d "dc=sample,dc=com" -r "(objectCategory=person)" -f All-Users.ldif
    ldifde -d "dc=sample,dc=com" -r "(objectCategory=group)" -f All-Groups.ldif

Note: if you copy and paste the commands above, they may not work. You should instead type them in.

Instead of ldifde.exe you could also use csvde.exe to dump the users and groups into a CSV file. However, you won't be able to re-import data from a CSV as easily as you could through an LDIF file.

Having LDIF dumps becomes handy in case you need to roll back changes that were wrongly made by FIM to some AD attributes.

Export the FIM Configuration

This step is not strictly required, as the FIM configuration was backed up when the two FIM databases were backed up. However, it may become handy to have the FIM configuration in XML format in case you need to roll back selected changes you made to the FIM configuration.

On FIM Service & Portal, go to the folder C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Scripts and run the following commands:

    PowerShell .\ExportPolicy.ps1, which generates all the FIM configuration in the file Policy.xml
    PowerShell .\ExportSchema.ps1, which generates the FIM schema in the file Schema.xml

On Sync Server, start the FIM Synchronization Server Manager console and go to File > Export Server Configuration. Then select a folder to dump the configuration to.

Disable all the Sync Jobs before making any change

Start the Windows Scheduler on Sync Server and disable all the synchronization jobs located under the FIM folder. This is to prevent changes from being exported inadvertently.

Make the changes by copying them from test into production manually

It is recommended to make the changes manually rather than using the Configuration Migration tool, as a manual update gives you better control over what is being modified.

Check the changes in the Connector Spaces before Exporting them

When changing synchronization rules from the FIM Synchronization Server Manager console or from FIM Portal > Administration > Synchronization Rules, make sure you first run a Full Sync on the MAs whose configuration you changed. Then look for changes pending export in the connector spaces of the target MAs, such as the AD and FIM MAs.

Only if the changes pending export are legitimate should you consider re-enabling the sync jobs to export them.

In case you have too many changes pending export in the connector space and you cannot possibly look at them all through the FIM Synchronization Server Manager console, consider using the ExportPendingChangesFromCS.exe tool (see above for a description of this tool).

Re-enable all the Sync Jobs

After you have checked that all the changes waiting to be exported in the connector spaces are legitimate, you can re-enable the FIM sync jobs from the Windows Scheduler.
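
The AD dump and sync-job steps of the procedure above, scripted for the Sync Server, as an added example that is not part of the original document. It assumes Windows Server 2012 or later (for the ScheduledTasks cmdlets), ldifde.exe on the PATH, and that the jobs live in a task folder named \FIM\; the output folder and the file name enabled-jobs.txt are hypothetical.

```powershell
# Added example, not from the original document. Run elevated on the Sync Server
# before making any configuration change.
param(
    [string]$BaseDn     = 'dc=sample,dc=com',
    [string]$TaskFolder = '\FIM\',            # assumed task folder path
    [string]$OutDir     = 'D:\FIM-Change'     # hypothetical output location
)
$ErrorActionPreference = 'Stop'
$dir = Join-Path $OutDir (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dir | Out-Null

# The dumps hold every user and group object: restrict the folder to
# Administrators and SYSTEM before anything is written into it.
icacls $dir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }

# Dump users and groups; stop if a dump fails or comes back empty.
$dumps = @{ 'All-Users.ldif'  = '(objectCategory=person)'
            'All-Groups.ldif' = '(objectCategory=group)' }
foreach ($d in $dumps.GetEnumerator()) {
    $file = Join-Path $dir $d.Key
    ldifde -d $BaseDn -r $d.Value -f $file | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw "LDIF dump $($d.Key) failed; do not proceed with the change."
    }
}

# Refuse to continue while a sync job is mid-run: it could still export.
$tasks = @(Get-ScheduledTask -TaskPath $TaskFolder)
if ($tasks | Where-Object { $_.State -eq 'Running' }) {
    throw 'A sync job is running; wait for it to finish, then rerun.'
}

# Record which jobs were enabled so only those are re-enabled afterwards.
$enabled = @($tasks | Where-Object { $_.State -ne 'Disabled' })
$enabled | Select-Object -ExpandProperty TaskName |
    Set-Content (Join-Path $dir 'enabled-jobs.txt')
$enabled | Disable-ScheduledTask | Out-Null

# Verify the result instead of trusting the disable call.
$still = @(Get-ScheduledTask -TaskPath $TaskFolder | Where-Object { $_.State -ne 'Disabled' })
if ($still.Count) { throw "Still enabled: $($still.TaskName -join ', ')" }
"Dumps and job list saved to $dir; sync jobs disabled."
```

After the pending exports in the connector spaces have been reviewed, re-enable only the task names listed in enabled-jobs.txt with Enable-ScheduledTask, so that jobs that were already disabled before the change stay disabled.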

In order to avoid copyright disputes, this page is only a partial summary.
