<p>Environmental Preparation (Server 2012)</p><p>Anthony Marsiglia & Kristopher Tackett Microsoft Premier Field Engineering Forefront Identity Manager 2010 Installation & Configuration</p><p>MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers. © 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.</p><p>Prepared by Anthony Marsiglia & Kristopher Tackett, Microsoft Premier Field Engineering. Forefront Identity Manager 2010 Installation & Configuration: Environmental Preparation (Server 2012)</p><p>In this section, we will cover the prerequisite actions which must be completed prior to installing FIM 2010 R2 SP1 on Windows Server 2012 with SharePoint Foundation 2013.</p><table><tr><th>Account</th><th>Purpose / Notes</th></tr><tr><td>YOURDOMAINADMA</td><td>Create a domain service management agent account. You must create a domain account that is reserved for the exclusive use of the Active Directory Domain Services management agent (ADMA). This account will be used to synchronize data between the domain and the Synchronization Engine. If your domain is called Lab, then the name of this management agent service account should be LABADMA or something close that meets your naming standard.</td></tr><tr><td>FIMSync</td><td>Create a domain service account to run the FIM Synchronization Service. You must create a service account to run the FIM Synchronization Service. This service account must be a domain service account. This account should not be a local administrator account.</td></tr></table><p>In your lab you may wish to skip this step and allow the FIM Synchronization installation to create these five groups locally on the server that will host the FIM Synchronization Engine. In production, especially in environments where you have a cold standby server for the Sync Engine, you may wish to pre-create the following groups in AD and point to these groups during the installation of the Synchronization Engine.</p><table><tr><th>Account</th><th>Purpose / Notes</th></tr><tr><td>FIMSyncAdmins</td><td></td></tr><tr><td>FIMSyncBrowse</td><td></td></tr><tr><td>FIMSyncJoiners</td><td></td></tr><tr><td>FIMSyncOperators</td><td></td></tr><tr><td>FIMSyncPasswordReset</td><td></td></tr></table><p>To Install the FIM Portal:</p><table><tr><th>Account</th><th>Purpose / Notes</th></tr><tr><td>FIMMA</td><td>Create a domain FIM Service management agent account. You must create a domain account that is reserved for the exclusive use of the FIM Service management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service. The FIM Service has to know the name of the account that the FIM MA is using so that during setup it can give the account the required permissions. This account should not be a local administrator account. Understanding the purpose of the FIM Service management agent account: the purpose of this account is to make it possible for the FIM Service to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run. The account that you use for the FIM MA should be considered a trusted account. You should not use it to access the FIM Portal. If you do, all requests that are made through the FIM Portal with this account will skip AuthN and AuthZ. If you later change this account in the FIM Synchronization Service, you must also run a change install on the FIM Service to update the service with the new account information.</td></tr><tr><td>FIMService</td><td>Create a mail-enabled domain service account to run the FIM Service. To run the FIM Service component, you must have a dedicated domain service account. To be able to use the Office Outlook integration feature, an Exchange Server mailbox must also be created for this account. To use the FIM Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Exchange Server 2007 or Exchange Server 2010. If you plan to use SMTP for notifications rather than Exchange Server, ensure that this service account has the required permissions on the SMTP gateway. This account is also used to send e-mail notifications from FIM 2010. This account should not be granted local administrator permissions. You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages are being processed by other applications, such as Office Outlook 2007, the functionality of the FIM Service might be affected.</td></tr><tr><td>FIMSPPool</td><td>User account for the SharePoint application pool.</td></tr></table><p>To Install FIM Self Service Password Reset:</p><table><tr><th>Account</th><th>Purpose / Notes</th></tr><tr><td>FIMPassword</td><td>Create a domain service account to run the FIM Password Reset Service. If you are using FIM Password Reset, you must create a service account to run the FIM Password Service. This service account must be a domain service account. This account should not be a local administrator account.</td></tr></table><p>Connect to a Domain Controller in the domain in which the FIM environment will exist. Note: Replace “YOURDOMAINADMA” with the name of the ADMA account that will be used on the MA in the Synchronization Engine that will synchronize with the domain.</p><table><tr><th>Account</th><th>Permissions</th></tr><tr><td>YOURDOMAINADMA</td><td>Read</td></tr><tr><td>YOURDOMAINADMA</td><td>Replicate Directory Changes</td></tr><tr><td>YOURDOMAINADMA</td><td>Read Domain Password Lockout Policies</td></tr><tr><td>YOURDOMAINADMA</td><td>Read other Domain Parameters</td></tr></table><p>At the root of your domain, right-click on the domain.</p><p>Click on “Properties”.</p><p>If the Security tab is not available, you will need to click on View in the main ADUC window and enable Advanced Features.</p><p>Click on the Security tab.</p><p>Click on Add… and type in the name of the ADMA service account; these permissions are what allow the ADMA to manage resources in AD.</p><p>Click on Check Names to validate; once validated (the name is underlined), click on OK.</p><p>Verify the account you just added is now highlighted.</p><p>Scroll down, select the following and place a check for Allow if not already checked:</p><p>Read</p><p>Replicate Directory Changes</p><p>Read Domain Password Lockout Policies</p><p>Read other Domain Parameters</p><p>Click on Apply. Click on OK.</p><p>On each OU that will contain users that will be managed by Forefront Identity Manager, the following permissions will need to be set.</p><p>FIMADMA:</p><p>Create Child Objects</p><p>Delete All Child Objects</p><p>Special Permissions</p><p>Applies onto user objects: Special Permissions</p><p>List Contents</p><p>Read All Properties</p><p>Write All Properties</p><p>Read Permissions</p><p>Apply onto This Object and all child objects: Create/Delete All Child Objects</p><p>As a best practice, it is also a good idea to create a new OU to house objects managed by FIM. For simplicity, you may call it “FIMObjects”. Within this OU, it is also recommended that two additional OUs be created: “Users” and “Groups”.</p><p>To simplify the process of setting permissions, you may use the “Delegation of Control Wizard”, as shown below. For basic user and group management you can follow the delegation steps to set the necessary permissions on each OU that contains users and/or groups to be managed by FIM.</p><p>Right-click on the OU you wish to apply user delegation on.</p><p>Click Delegate Control.</p><p>Click on Next.</p><p>Click on Add…</p><p>Type in the name of the service account that will be used to connect the FIM Synchronization Service to Active Directory via the ADMA.</p><p>Click on Check Names; this validates that the name of the service account typed is correct and that the account exists, and underlines the full account name. Click on OK.</p><p>Click on OK.</p><p>Click on Next.</p><p>In the Tasks to Delegate window, verify that the “Delegate the following common tasks:” radio button is selected and place a check for the following:</p><p>1. Create, delete, and manage user accounts</p><p>2. Reset user passwords and force password change at next logon</p><p>3. Create, delete and manage groups</p><p>4. Modify the membership of a group</p><p>Note: Keep in mind you will only select the options that are relevant to the task. For example, if only users will be in an OU, do not select the options for Create, delete and manage groups or Modify the membership of a group. Additionally, if the users that will be managed will not be able to reset their password, then there is probably no reason to select the Reset user passwords and force password change at next logon option.</p><p>In Summary:</p><p>1. If the OU you are delegating control on will manage groups, select Create, delete and manage groups as well as Modify the membership of a group.</p><p>2. If the OU you are delegating control on will manage users, select Create, delete, and manage user accounts.</p><p>3. If the OU you are delegating control on will also allow users to reset their password via Self Service Password Reset, you will also need to select Reset user passwords and force password change at next logon.</p><p>Click on Next.</p><p>A summary of the delegation action will be displayed; it is a good idea to verify that the account selected and the delegation task selected are correct.</p><p>Click on Finish.</p><p>**** If you additionally want to delegate the ability to enable/disable user accounts ****</p><p>Tick the 'Create a custom task to delegate' radio button and click the 'Next' button. Tick the 'Only the following objects in the folder' radio button, select 'User objects' and click the 'Next' button. At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and, in the list below, check the following permissions:</p><p>Change Password</p><p>Reset Password</p><p>Read userAccountControl</p><p>Write userAccountControl</p><p>If you will be setting up Exchange user provisioning via the ADMA, you will need to add the ADMA service account to the following group. Note: This is done after Exchange has already been installed in your forest. On a DC in the domain where Exchange has been installed, locate the following group: “Organization Management”.</p><p>The Organization Management group provides the following: members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group shouldn't be deleted.</p>
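<p>The GUI steps above (the domain-root rights for the ADMA account, the OU delegation, the optional Change/Reset Password and userAccountControl custom task, and Organization Management membership) as a single PowerShell script, with a final check that lists what the account was actually granted. This is an added example, not part of the original guide; it assumes the ActiveDirectory module on a domain controller, Domain Admin rights, and the placeholder names LABADMA and OU=Users,OU=FIMObjects.</p>

```powershell
Import-Module ActiveDirectory
$adma    = Get-ADUser -Identity 'LABADMA'                     # placeholder: the ADMA service account
$domain  = Get-ADDomain
$rootDn  = $domain.DistinguishedName
$ouDn    = "OU=Users,OU=FIMObjects,$rootDn"                   # placeholder: the OU from the guide
$rootDse = Get-ADRootDSE
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$R       = [System.DirectoryServices.ActiveDirectoryRights]
$I       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

function Get-RightGuid([string]$Name) {         # extended right or property set, by display name
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$Name)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
function Get-SchemaGuid([string]$LdapName) {    # class or attribute schemaIDGUID
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Add-AdAce([string]$Dn, [object[]]$CtorArgs) {  # append one ACE built from the args
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $CtorArgs))
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}
function Get-AdmaAces([string]$Dn) {            # check: list every ACE the ADMA holds on $Dn
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$($adma.SamAccountName)" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# 1. Domain root: Read (GenericRead covers the two property sets) + "Replicating Directory Changes"
Add-AdAce $rootDn @($adma.SID, $R::GenericRead, $Allow)
Add-AdAce $rootDn @($adma.SID, $R::ExtendedRight, $Allow, (Get-RightGuid 'Replicating Directory Changes'))
# 2. Managed OU: create/delete user objects, and the listed rights on the user objects beneath it
$user = Get-SchemaGuid 'user'
Add-AdAce $ouDn @($adma.SID, ($R::CreateChild -bor $R::DeleteChild), $Allow, $user, $I::All)
$userRights = $R::ListChildren -bor $R::ReadProperty -bor $R::WriteProperty -bor $R::ReadControl
Add-AdAce $ouDn @($adma.SID, $userRights, $Allow, $I::Descendents, $user)
# 3. Only for OUs in scope for password reset / enable-disable (the custom task in the guide)
foreach ($right in 'Reset Password', 'Change Password') {
    Add-AdAce $ouDn @($adma.SID, $R::ExtendedRight, $Allow, (Get-RightGuid $right), $I::Descendents, $user)
}
$uac = Get-SchemaGuid 'userAccountControl'
Add-AdAce $ouDn @($adma.SID, ($R::ReadProperty -bor $R::WriteProperty), $Allow, $uac, $I::Descendents, $user)
# 4. Exchange provisioning only; then review what was actually granted
Add-ADGroupMember -Identity 'Organization Management' -Members $adma
Get-AdmaAces $rootDn; Get-AdmaAces $ouDn
```

<p>Only the single "Replicating Directory Changes" right is granted on the domain root, which is all the ADMA needs; run Get-AdmaAces again after any later change to confirm no broader rights have crept in.</p>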