Operational Care and Feeding - Scheduled Tasks

Forefront Identity Manager
2010 Installation &
Configuration
Operational Care and Feeding: Scheduled Tasks
Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to
you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot
guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief
highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these
products, please consult their respective manufacturers.
© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
Daily Tasks
Events and Errors
The location of events from the FIM components varies by component. The Synchronization Server places errors in the Application log and in the Synchronization Service Manager console. Portal request errors can be found in the FIM Portal Request log.
Log in to the Synchronization Server and verify from the Operations tab of the Synchronization Service Manager console that data is flowing through the different Management Agents and that no errors are reported. Note that some errors are considered “normal” because they are caused by bad data in the connected system.
Review the Event Logs on the FIM servers
The Application Log and the Forefront Identity Manager Log contain FIM events useful for determining FIM health. An enterprise monitoring product such as SCOM can be used to watch for events of high importance in these logs.
For more information see the paragraph below called “Use the Event Logs”.
Using a Monitoring Product/Solution
Organizations should use a network monitoring product such as Microsoft System Center Operations Manager (SCOM) to monitor the health of the following components of the FIM solution:
- SQL Server
- Internet Information Server (IIS) and SharePoint
- FIM Service (Portal)
- FIM Synchronization Server
- System Center Service Manager Services
The SCOM management packs for IIS, SQL Server and FIM provide a comprehensive starting point for effective
monitoring of the FIM infrastructure. These management packs can be extended to handle error trapping in
custom code and tuned to react appropriately to certain events.
The SCOM management pack for FIM monitors items such as:
1. Management agent errors requiring administrative intervention.
2. Events indicating service outages.
3. Alerts indicating configuration issues and connected data source changes.
4. Verification that all dependent services are running.
5. Notification if password management is denying access to requests.
6. Notification when account provisioning doesn’t occur correctly.
SCOM management packs are available for download at the following location:
http://pinpoint.microsoft.com/en-US/systemcenter/managementpackcatalog
To install the necessary management packs, search the management pack catalogue by product name,
download the management pack, and follow the instructions for deployment.
If a monitoring product other than SCOM is in use, consider reviewing the SCOM Management Packs available for the different components of the FIM solution, as they include the list of items that need to be monitored.
Backing Up the FIM Databases
Forefront Identity Manager 2010 should be backed up on a daily basis to ensure the solution is recoverable in the event of a catastrophic system failure. The FIM backup strategy depends on the Recovery Point Objective (an RPO of 0 means no data loss).
Here are two alternatives to be considered:
- RPO 24 Hours
  o Schedule a full backup of the database one time each day
- RPO 3 Hours
  o Ensure the database is set to "Full Recovery Mode"
  o Schedule a full backup of the database one time each day
  o Schedule a backup of the Transaction Log every 3 hours
We recommend the second option (RPO 3 Hours), which limits any loss of data to less than 3 hours.
A full backup should be performed daily and a Transaction Log backup should be done every 3 hours on the following databases:
- FIM Service database
- FIM Synchronization Service database
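The RPO 3 Hours option above expressed as Transact-SQL, as an added example that is not part of the original document. It assumes the default database names FIMService and FIMSynchronizationService, uses a placeholder backup share (\\BACKUPSERVER\FIMBackups), and is meant to be split into two SQL Server Agent jobs: the full-backup batch daily and the log-backup batch every 3 hours. Each backup is written with a checksum and immediately verified, so a corrupt file is noticed on the day it is written rather than on the day it is needed.

```sql
-- Added example (not from the original document). Assumes default FIM database names
-- and a placeholder backup share; adjust both before scheduling.
USE [master];
GO

-- Step 1 (one time): log backups are only possible in the FULL recovery model.
ALTER DATABASE [FIMService] SET RECOVERY FULL;
ALTER DATABASE [FIMSynchronizationService] SET RECOVERY FULL;
GO

-- Confirm the recovery model before scheduling the jobs below.
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name IN (N'FIMService', N'FIMSynchronizationService');
GO

-- Step 2 (daily job): full backup of both databases, one timestamped file per run.
DECLARE @share nvarchar(260) = N'\\BACKUPSERVER\FIMBackups\';   -- placeholder path
DECLARE @stamp nvarchar(20) =
    REPLACE(REPLACE(REPLACE(CONVERT(nvarchar(19), GETDATE(), 120), N'-', N''), N':', N''), N' ', N'_');
DECLARE @full nvarchar(300);

SET @full = @share + N'FIMService_Full_' + @stamp + N'.bak';
BACKUP DATABASE [FIMService] TO DISK = @full
    WITH INIT, CHECKSUM, NAME = N'FIMService full backup';
RESTORE VERIFYONLY FROM DISK = @full WITH CHECKSUM;   -- fail the job now if the file is unusable

SET @full = @share + N'FIMSynchronizationService_Full_' + @stamp + N'.bak';
BACKUP DATABASE [FIMSynchronizationService] TO DISK = @full
    WITH INIT, CHECKSUM, NAME = N'FIMSynchronizationService full backup';
RESTORE VERIFYONLY FROM DISK = @full WITH CHECKSUM;
GO

-- Step 3 (every 3 hours job): transaction log backup of both databases.
-- Each run writes its own file, so the chain from the last full backup stays intact.
DECLARE @share nvarchar(260) = N'\\BACKUPSERVER\FIMBackups\';   -- placeholder path
DECLARE @stamp nvarchar(20) =
    REPLACE(REPLACE(REPLACE(CONVERT(nvarchar(19), GETDATE(), 120), N'-', N''), N':', N''), N' ', N'_');
DECLARE @log nvarchar(300);

SET @log = @share + N'FIMService_Log_' + @stamp + N'.trn';
BACKUP LOG [FIMService] TO DISK = @log
    WITH INIT, CHECKSUM, NAME = N'FIMService log backup';
RESTORE VERIFYONLY FROM DISK = @log WITH CHECKSUM;

SET @log = @share + N'FIMSynchronizationService_Log_' + @stamp + N'.trn';
BACKUP LOG [FIMSynchronizationService] TO DISK = @log
    WITH INIT, CHECKSUM, NAME = N'FIMSynchronizationService log backup';
RESTORE VERIFYONLY FROM DISK = @log WITH CHECKSUM;
GO
```

Restoring to a point in time requires the last full backup plus every log backup taken since it, so the offsite copy described below must include the .trn files as well as the .bak files. The FIMSynchronizationService backup is only useful together with the exported encryption key set mentioned at the end of this section.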
Store past database backups offsite (either on a network drive or on tape) to allow for recovery in case the
database backup on the primary site is corrupt or cannot be accessed anymore.
So long as all of these database backups can be restored, the FIM solution can be quickly returned to an
operational state via reinstallation of Forefront Identity Manager 2010 services and other solution components.
If the necessary system databases are in place and the FIM Encryption Key Set backup file is available (see the section “Export and Backup the Synchronization Service Encryption Key Set” below), a manual repopulation of the FIM Synchronization Service metaverse and FIM Service database will not be necessary.
Purging the Synchronization Service Run History
The Forefront Identity Manager Synchronization Service maintains a detailed run history for each management agent execution. This run history is stored in the FIMSynchronizationService SQL database and is retained indefinitely until cleared by an administrator. Over time, if the management agent run history is not flushed on a regular basis, the SQL database can grow to be quite large. To prevent unrestricted growth of the database while retaining a sufficient amount of MA run history, a purge script should be scheduled to run daily and automatically remove records older than a reasonable number of days. It is important to note that clearing the management agent run history could have a significant impact on ongoing management agent executions, so schedule the purge outside the synchronization windows.
Weekly Tasks
Full Imports and Full Synchronizations Across All Connected
Data Systems
If the deployment of Forefront Identity Manager 2010 has been designed to leverage delta import and synchronization operations during normal operation, it will facilitate the rapid execution of management agents and, subsequently, the rapid flow of data between connected systems. Though delta imports and synchronizations can be leveraged indefinitely to identify changes and move them through the system, it is recommended that full import and full synchronization operations be executed on a weekly basis to ensure data consistency across all connected identity systems.
Monthly Tasks
Monitoring Performance of FIM and Performing Database
Maintenance
You will usually notice performance issues with the solution when:
- The operating system is not responsive and all tasks take longer to complete. This could be due to a system bottleneck (such as CPU, memory or disk). If the FIM servers are virtual machines, have your Hyper-V/VMware administrator review the resource allocation for them.
- An MA takes longer to complete its run operation:
  o A delay in an Export or Import operation may indicate a problem with network connectivity or an issue with the source data system.
  o A delay in a Sync operation may be due to a large number of groups being synchronized (this can happen even on delta operations when many large groups have been updated).
- The FIM Portal takes a long time to respond or times out when issuing a search request. If this happens when performing a “contain” (partial) search, it may be because the Full Text Search Catalog has not been rebuilt for a while. In this case you can rebuild it by following the steps below:
1. Start SQL Server Management Studio.
2. Open the FIM Service full-text catalog ftCatalog by expanding the FIMService database > Storage > Full Text Catalogs > ftCatalog (check the Last Population Date).
3. Select Rebuild catalog.
4. Even though the UI quickly returns a completion message, a job is actually started in the background and can take several hours to complete, depending on the size of your database.
Note: Full-text catalogs and indexes are not stored in a SQL Server database. You cannot use the Transact-SQL statements BACKUP and RESTORE to back up and restore full-text catalog files: http://support.microsoft.com/kb/240867
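The same check and rebuild from Transact-SQL, as an added example that is not part of the original document, so it can be run from a scheduled job and so the real completion of the background population (step 4 above) can be verified instead of trusting the UI message. It assumes the default database name FIMService and the catalog name ftCatalog from the steps above.

```sql
-- Added example (not from the original document). Assumes database FIMService and
-- full-text catalog ftCatalog.
USE [FIMService];
GO

-- When the catalog was last populated and what it is doing now.
-- PopulateCompletionAge is seconds since 1990-01-01 (0 if never populated);
-- PopulateStatus 0 = idle, 1 = full population in progress, 6 = incremental population.
SELECT
    DATEADD(second, FULLTEXTCATALOGPROPERTY(N'ftCatalog', 'PopulateCompletionAge'), '19900101')
        AS LastPopulationCompleted,
    DATEDIFF(day,
        DATEADD(second, FULLTEXTCATALOGPROPERTY(N'ftCatalog', 'PopulateCompletionAge'), '19900101'),
        GETDATE()) AS DaysSinceLastPopulation,
    FULLTEXTCATALOGPROPERTY(N'ftCatalog', 'PopulateStatus') AS PopulateStatus,
    FULLTEXTCATALOGPROPERTY(N'ftCatalog', 'ItemCount')      AS IndexedItems;
GO

-- Start the rebuild only if nothing is already populating the catalog.
-- The statement returns immediately; the population runs in the background.
IF FULLTEXTCATALOGPROPERTY(N'ftCatalog', 'PopulateStatus') = 0
    ALTER FULLTEXT CATALOG ftCatalog REBUILD;
ELSE
    PRINT N'ftCatalog is already being populated; not starting a second rebuild.';
GO

-- Poll this until PopulateStatus returns 0 again before treating the rebuild as finished.
SELECT FULLTEXTCATALOGPROPERTY(N'ftCatalog', 'PopulateStatus') AS PopulateStatus;
GO
```

Run the first query as part of the monthly review: a large DaysSinceLastPopulation explains slow “contain” searches, and a non-zero PopulateStatus hours after a rebuild shows the background job is still working, which is the behaviour step 4 warns about.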
- Index maintenance has not occurred
If search performance is bad even for “non-contain” searches, you may need to rebuild the indexes and update the statistics for the FIMService database. To find out whether you need to defragment your indexes because you are experiencing bad search performance, run the following SQL query to return the average fragmentation for all indexes on the table fim.ObjectValueString.
SELECT a.index_id, name, avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats (DB_ID(), OBJECT_ID(N'fim.ObjectValueString'),
NULL, NULL, NULL) AS a
JOIN sys.indexes AS b ON a.object_id = b.object_id AND a.index_id = b.index_id;
index_id  name                                                                        avg_fragmentation_in_percent
1         PK_ObjectValueString                                                        98.17252445
2         IX_ObjectValueString_AttributeID                                            5.084607875
3         IX_ObjectValueString_AttributeKey_ValueString                               98.34533039
4         IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey_Filtered_Multivalued  87.30556716
5         IX_ObjectValueString_Q2                                                     98.44728916
6         IX_ObjectValueString_Q8                                                     66.928716
The results above show that the indexes need to be rebuilt as described in the following article:
http://msdn.microsoft.com/en-us/library/ms189858.aspx .
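The query above covers one table; the following added example (not part of the original document) generalizes it to every index in the FIMService database and applies the thresholds from the referenced article: reorganize between 5% and 30% fragmentation, rebuild above 30%, then refresh statistics. It assumes the default database name FIMService and that it runs in a maintenance window, since rebuilding the large FIM indexes takes time and blocks requests while it runs.

```sql
-- Added example (not from the original document). Assumes database FIMService.
-- Thresholds follow the article linked above: 5-30% REORGANIZE, >30% REBUILD.
USE [FIMService];
GO

DECLARE @schema sysname, @table sysname, @index sysname, @frag float, @pages bigint;
DECLARE @sql nvarchar(max);

-- Leaf-level fragmentation for every rowstore index of meaningful size.
DECLARE frag_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, i.name, ps.avg_fragmentation_in_percent, ps.page_count
    FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, N'LIMITED') AS ps
    JOIN sys.indexes AS i ON ps.object_id = i.object_id AND ps.index_id = i.index_id
    JOIN sys.tables  AS t ON i.object_id = t.object_id
    JOIN sys.schemas AS s ON t.schema_id = s.schema_id
    WHERE i.type IN (1, 2)                         -- clustered and nonclustered only (skips heaps)
      AND ps.index_level = 0                       -- leaf level
      AND ps.page_count >= 100                     -- tiny indexes are not worth touching
      AND ps.avg_fragmentation_in_percent > 5.0
    ORDER BY ps.avg_fragmentation_in_percent DESC;

OPEN frag_cursor;
FETCH NEXT FROM frag_cursor INTO @schema, @table, @index, @frag, @pages;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'ALTER INDEX ' + QUOTENAME(@index)
             + N' ON ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + CASE WHEN @frag > 30.0 THEN N' REBUILD;' ELSE N' REORGANIZE;' END;

    -- Leave an audit trail in the job output of what was done and why.
    PRINT CONVERT(nvarchar(30), GETDATE(), 120) + N'  '
        + CONVERT(nvarchar(10), CAST(@frag AS decimal(5, 2))) + N'%  '
        + CONVERT(nvarchar(20), @pages) + N' pages  ' + @sql;
    EXEC sp_executesql @sql;

    FETCH NEXT FROM frag_cursor INTO @schema, @table, @index, @frag, @pages;
END;
CLOSE frag_cursor;
DEALLOCATE frag_cursor;

-- REORGANIZE does not refresh statistics, so update them for the whole database afterwards.
EXEC sp_updatestats;
GO
```

Re-running the fragmentation query above after this script should show the fim.ObjectValueString indexes well below 5%; if a specific index stays fragmented, it was below the 100-page floor or was skipped because it is not a rowstore index.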
- Expired system objects have not been purged
Among the critical areas of maintenance is the need to prevent old request objects from slowing down
the FIM database. If you're operating FIM in a large environment, expired system objects will
accumulate quickly and should be removed on a regular basis. FIM retains expired objects for 30 days
before they are deleted by the agent job, FIM_DeleteExpiredSystemObjectsJob, which runs daily. You
may have to adjust these defaults depending on your environment. Note that request objects and all
associated WorkflowInstance, Approval, and ApprovalResponse objects are deleted according to the
ExpirationTime attribute. The Expiration Time attribute is stamped at the time that the Request finishes
processing using the currentTime + the SystemRetentionTime.
For additional guidance on deleting expired system objects:
http://technet.microsoft.com/en-us/library/ff830030(v=WS.10).aspx
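Because the 30-day purge depends on the SQL Server Agent job named above actually running, a monthly check should confirm that the job exists, is enabled, has an enabled schedule, and has succeeded recently. The following added example (not part of the original document) does that from the msdb job tables; it assumes only the job name FIM_DeleteExpiredSystemObjectsJob given on this page.

```sql
-- Added example (not from the original document): health check for the
-- FIM_DeleteExpiredSystemObjectsJob SQL Server Agent job.
USE [msdb];
GO

-- 1) Is the job present, enabled and attached to an enabled schedule?
-- No rows means the job is missing; a NULL schedule_name means nothing will ever run it.
SELECT
    j.name,
    j.enabled        AS job_enabled,
    s.name           AS schedule_name,
    s.enabled        AS schedule_enabled
FROM msdb.dbo.sysjobs AS j
LEFT JOIN msdb.dbo.sysjobschedules AS js ON js.job_id = j.job_id
LEFT JOIN msdb.dbo.sysschedules    AS s  ON s.schedule_id = js.schedule_id
WHERE j.name = N'FIM_DeleteExpiredSystemObjectsJob';
GO

-- 2) Last ten job-level outcomes (step_id 0 is the overall outcome row).
-- run_date is an int yyyymmdd and run_time an int hhmmss; convert them to a datetime.
SELECT TOP (10)
    j.name,
    CONVERT(datetime,
        CONVERT(char(8), h.run_date) + N' '
        + STUFF(STUFF(RIGHT(N'000000' + CONVERT(varchar(6), h.run_time), 6), 3, 0, N':'), 6, 0, N':'))
        AS run_started,
    CASE h.run_status
        WHEN 0 THEN N'Failed'
        WHEN 1 THEN N'Succeeded'
        WHEN 2 THEN N'Retry'
        WHEN 3 THEN N'Cancelled'
        ELSE N'Unknown'
    END AS outcome,
    h.run_duration,      -- hhmmss
    h.message
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobhistory AS h ON h.job_id = j.job_id AND h.step_id = 0
WHERE j.name = N'FIM_DeleteExpiredSystemObjectsJob'
ORDER BY h.run_date DESC, h.run_time DESC;
GO
```

A job that is enabled but whose most recent outcome is days old, or whose last rows read Failed, explains a growing FIMService database even though the 30-day retention has not been changed; the retention itself (SystemRetentionTime) is adjusted in FIM, not in these tables.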