
Forefront Identity Manager 2010: In Production



  1. SESSION CODE: SIA319. Forefront Identity Manager 2010: In Production. Joe Schulman, Program Manager, Microsoft Corporation. Adrienne Wu, Program Manager, Microsoft Corporation.

  2. Prerequisites • General knowledge of Forefront Identity Manager (FIM) • SIA318 “Deploying FIM”

  3. Business Ready Security • Help securely enable business by managing risk and empowering people, across on-premises & cloud • Identity, Access, Protection, Management on a highly secure & interoperable platform • Protect everywhere, access anywhere • Integrate and extend security across the enterprise • Simplify the security experience, manage compliance • From Block to Enable, from Cost to Value, from Siloed to Seamless

  4. Woodgrove Bank • Fictitious Organization • 15,000+ employees • 19 IT Specialists • 3 Continents • Self-service Password Reset • Group Management • Provisioning

  5. I deployed FIM… now what?

  6. Today’s Goals • How do I manage FIM in production? • Change management • Disaster recovery • Monitor availability • Respond to helpdesk tickets • How do I measure and demonstrate value of FIM?

  7. General FIM Resources • Microsoft Supported – TechNet • http://technet.microsoft.com/en-us/library/ee621258(WS.10).aspx • http://technet.microsoft.com/en-us/forefront/default.aspx • Community • http://social.technet.microsoft.com/Forums/en-US/ilm2/threads • https://connect.microsoft.com/site433

  8. Woodgrove’s FIM Deployment

  9. Woodgrove’s FIM Deployment SQL Server stores FIM’s state

  10. Woodgrove’s FIM Deployment Dedicated “Admin” Portal and Service

  11. Demo – Fully configured FIM in production

  12. Change Management

  13. The basics of Change Management in FIM • Separate pilot environment from production • Make all changes in pilot and test in pilot • Migrate changes to production using PowerShell scripts

  14. Philosophy of FIM Change Management • FIM’s value is automating changes in connected systems. • Automation or “policy” is customer-specific. • Most connected systems do not have an “Undo” or “Recycle Bin” • Getting policy wrong means unintended consequences • We don’t want you to accidentally automate de-provisioning all employees! • We recommend a separate lab environment with a representative topology • Use the config migration process to push changes into production

  15. Production

  16. Pilot

  17. Pilot Production

  18. Pilot Production

  19. Demo – Using PowerShell to commit changes

  20. Considerations • Do not • Delete out of box objects • Rename out of box objects • Make changes in production • Modify the intermediate XML • Do • Follow the published guide
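The pilot-to-production migration the deck describes (slides 13, 14 and 19) is done with the FIMAutomation PowerShell snap-in: export both environments, join pilot objects to their production counterparts, compare, review the resulting change list, then import. The script below is an added example written for this page, not the session's demo script or the published guide's scripts. The service URIs, working folder, join rules and the operator confirmation step are assumptions for the fictitious Woodgrove deployment; the schema pass (`-schemaConfig`) is migrated the same way and must be imported before policy.

```powershell
# Added example (not from the session): migrate pilot -> production with the
# FIMAutomation snap-in. URIs, folder and join rules are assumptions.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$PilotUri      = 'http://fim-pilot:5725/ResourceManagementService'   # assumption
$ProductionUri = 'http://fim-prod:5725/ResourceManagementService'    # assumption
$Work          = 'C:\FIMMigration'                                    # assumption
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Export policy and portal configuration from BOTH environments.
$exportArgs = @{ policyConfig = $true; portalConfig = $true; MessageSize = 9999999 }
Export-FIMConfig -uri $PilotUri      @exportArgs | ConvertFrom-FIMResource -file "$Work\pilot.xml"
Export-FIMConfig -uri $ProductionUri @exportArgs | ConvertFrom-FIMResource -file "$Work\production.xml"

# 2. Join pilot objects to production objects. ObjectIDs differ between the two
#    environments, so matching is by attribute (DisplayName unless overridden).
$pilot      = ConvertTo-FIMResource -file "$Work\pilot.xml"
$production = ConvertTo-FIMResource -file "$Work\production.xml"
$joinRules  = @{ ObjectTypeDescription = 'Name'; AttributeTypeDescription = 'Name' }   # assumption
$matches    = Join-FIMConfig -source $pilot -target $production -join $joinRules -defaultJoin DisplayName
$changes    = $matches | Compare-FIMConfig
# Keep this file for review and audit only; slide 20: never hand-edit it.
$changes | ConvertFrom-FIMResource -file "$Work\changes.xml"

# 3. Summarise what is about to be applied. Deletes of Sets, MPRs and workflows
#    are the dangerous class: a mis-scoped Set is how a connected system with
#    no "undo" gets mass de-provisioned.
function Get-ChangeSummary($importObjects) {
    $importObjects | Group-Object ObjectType, State |
        Select-Object @{ n = 'ObjectType'; e = { $_.Group[0].ObjectType } },
                      @{ n = 'State';      e = { $_.Group[0].State } },
                      Count
}
Get-ChangeSummary $changes | Format-Table -AutoSize

$deletes = @($changes | Where-Object { $_.State -eq 'Delete' })
if ($deletes.Count -gt 0) {
    $deletes | ForEach-Object { Write-Warning ("DELETE {0} {1}" -f $_.ObjectType, $_.TargetObjectIdentifier) }
    $answer = Read-Host "Commit $($deletes.Count) delete(s) to production? (yes/no)"
    if ($answer -ne 'yes') { throw 'Migration aborted by operator.' }
}

# 4. Import into production. Import-FIMConfig returns the changes it could not
#    apply yet (for example a reference to an object created later in the same
#    batch). Save them and re-import that file until nothing comes back.
$undone = ConvertTo-FIMResource -file "$Work\changes.xml" | Import-FIMConfig -uri $ProductionUri
if ($undone) {
    $undone | ConvertFrom-FIMResource -file "$Work\undone.xml"
    Write-Warning ("{0} change(s) not applied; re-run Import-FIMConfig with undone.xml" -f @($undone).Count)
} else {
    Write-Host 'Import complete.'
}
```

The review step is the point of the script: the compare output is the only place where a pilot mistake is still cheap, so print it, keep it, and make a human say yes to every delete before production sees it.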

  21. Disaster Recovery

  22. The basics of FIM disaster recovery • SQL, SQL, SQL! • Backup and restore FIM Service and Synchronization Service SQL in lock-step • See the guide for more details • Test your backups

  23. Woodgrove’s FIM Deployment Backup SQL Backup SQL

  24. Recommended FIM Backup Schedule * If incremental backup is not planned, the database should be set to simple recovery mode.

  25. Recommended FIM Backup Schedule

  26. Testing backups • Failing to test a backup can be as bad as not having a backup • Define a test plan with a couple core scenarios • End users can join groups • End users can approve requests • End users can reset passwords • Changes in FIM flow out to connected systems
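Slides 22, 24 and 26 together describe one procedure: back up the FIM Service and Synchronization Service databases at the same point in time, keep the recovery model consistent with the backup plan, and prove the backups can be read. The script below is an added example for this page, not a script from the session or from the TechNet backup guide. The SQL instance, backup share, and the choice to stop both services during the backup (the simplest way to get a consistent pair) are assumptions; the database and Windows service names are the FIM 2010 defaults.

```powershell
# Added example (not from the session): lock-step backup of the two FIM
# databases plus verification. Instance and path are assumptions.
$SqlInstance = 'SQL01\FIM'                                  # assumption
$BackupDir   = '\\backup01\fim'                             # assumption
$Databases   = 'FIMService', 'FIMSynchronizationService'    # default database names
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-Sql([string]$query) {
    # -b turns a T-SQL error into a non-zero exit code so the caller can stop
    $out = sqlcmd -S $SqlInstance -E -b -h-1 -W -Q "SET NOCOUNT ON; $query" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $out" }
    $out
}

# Slide 24 footnote: with no log/incremental backups planned the databases
# belong in SIMPLE recovery, otherwise the log file grows until the disk fills.
foreach ($db in $Databases) {
    $model = ([string](Invoke-Sql "SELECT recovery_model_desc FROM sys.databases WHERE name = N'$db'")).Trim()
    if ($model -ne 'SIMPLE') {
        Write-Warning "$db uses $model recovery: schedule log backups or switch it to SIMPLE."
    }
}

# Stop both services so neither database changes between the two backups.
# A run profile in progress is interrupted, so run this outside sync windows.
Stop-Service -Name FIMSynchronizationService, FIMService -Force
try {
    foreach ($db in $Databases) {
        $file = Join-Path $BackupDir "$db-$Stamp.bak"
        Invoke-Sql "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 25" | Out-Null
        # Reads the whole backup back and re-checks page checksums: the cheapest
        # part of "test your backups", not a substitute for a restore drill.
        Invoke-Sql "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM" | Out-Null
        Write-Host "Backed up and verified $db -> $file"
    }
}
finally {
    Start-Service -Name FIMService
    Start-Service -Name FIMSynchronizationService
}
# The Synchronization Service database cannot be restored onto a new server
# without its encryption key set; export it with the key management utility
# (miiskmu.exe) and store it with these .bak files.
```

RESTORE VERIFYONLY only shows the files are readable; the test plan on slide 26 (join a group, approve a request, reset a password, see the change reach a connected system) is what proves the restored pair actually works together.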

  27. For HA and DR, consider clustering SQL Cluster SQL

  28. Demo – Restoring after a disaster

  29. Monitoring Availability

  30. The basics of Monitoring Availability • Prioritize end user scenarios first • Use Operations Manager 2007 • Use existing MPs for SQL and Windows Server

  31. What to monitor

  32. End user availability

  33. End user availability • Can end users accomplish self-service? • This is the primary monitoring scenario for most people • Use Operations Manager 2007 Web Application Monitor • See the MP Guide for a synthetic transaction to configure • Supplement Web App Monitor with FIM MP Monitors • E.g. Monitor FIM service
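The synthetic transaction the slide refers to can be scripted as an Operations Manager 2007 PowerShell probe that behaves like a user's browser: authenticate with Windows credentials, fetch the portal and the FIM Service endpoint, time both, and check the two Windows services. The probe below is an added example for this page, not the management pack's own monitor. The URLs, latency threshold and the use of the MOM.ScriptAPI property bag as the return channel are assumptions.

```powershell
# Added example (not from the session): end-user availability probe for an
# OpsMgr 2007 script monitor. URLs and threshold are assumptions.
$PortalUrl  = 'http://fim-prod/IdentityManagement/default.aspx'       # assumption
$ServiceUrl = 'http://fim-prod:5725/ResourceManagementService/MEX'    # assumption
$MaxMillis  = 5000                                                    # assumption

function Test-Endpoint([string]$url) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.UseDefaultCredentials = $true   # Windows auth, as the end user's browser does
        $req.Timeout = $MaxMillis
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        New-Object PSObject -Property @{ Url = $url; Status = $code; Millis = $sw.ElapsedMilliseconds;
                                         Ok = ($code -eq 200 -and $sw.ElapsedMilliseconds -le $MaxMillis); Error = '' }
    } catch {
        # 401/403/5xx and timeouts all surface here as WebException
        New-Object PSObject -Property @{ Url = $url; Status = 0; Millis = $sw.ElapsedMilliseconds;
                                         Ok = $false; Error = $_.Exception.Message }
    }
}

$results = foreach ($u in $PortalUrl, $ServiceUrl) { Test-Endpoint $u }
# Runs on the FIM server's agent, so the service state is local
$stopped = @(Get-Service -Name FIMService, FIMSynchronizationService | Where-Object { $_.Status -ne 'Running' })
$healthy = (@($results | Where-Object { -not $_.Ok }).Count -eq 0) -and ($stopped.Count -eq 0)

# Hand the result back to Operations Manager as a property bag
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
$bag.AddValue('State', $(if ($healthy) { 'Healthy' } else { 'Unhealthy' }))
foreach ($r in $results) { $bag.AddValue($r.Url, "$($r.Status) in $($r.Millis) ms $($r.Error)") }
foreach ($s in $stopped) { $bag.AddValue($s.Name, [string]$s.Status) }
$bag
```

A 200 from the portal does not prove a user can reset a password, but it is the fast signal; the slide's advice to supplement it with FIM MP monitors covers the service-side failures this probe cannot see.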

  34. Demo – How to Monitor Availability

  35. SQL Availability

  36. SQL Availability • E.g. Does SQL have enough disk space? • SQL failures = FIM failures • FIM MP does not provide monitors for SQL • Use the SQL MP for monitoring SQL in production

  37. Sync Availability

  38. Sync Availability • Did my Run Profile execute? • The FIM MP monitors for Sync Service configuration failures • E.g. Were there errors during a sync? • Need to tune the MP to meet your specific sync scenario. • Need to add instrumentation to the way you execute run profiles.
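"Instrumentation around the way you execute run profiles" usually means a wrapper that runs the profile through the Synchronization Service's WMI provider, records the result string and run statistics, and writes them to the event log where a management pack rule can alert on them. The wrapper below is an added example for this page, not code from the session. The management agent and run profile names, the custom event source and event IDs, and the export-delete threshold are assumptions; the WMI namespace, class and the `success` / `completed-*` / `stopped-*` result convention are those of FIM 2010 Synchronization Service.

```powershell
# Added example (not from the session): execute a run profile and log the
# outcome to the Application log. Source, IDs and threshold are assumptions.
$Namespace   = 'root\MicrosoftIdentityIntegrationServer'   # FIM Sync WMI namespace
$EventSource = 'Woodgrove FIM Sync'                          # assumption: custom source
$EventIds    = @{ Information = 1000; Warning = 1001; Error = 1002 }   # assumption

if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

function Invoke-RunProfile {
    param([string]$MaName, [string]$RunProfile, [int]$MaxExportDeletes = 50)   # threshold: assumption
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name = '$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }

    $started = Get-Date
    $result  = $ma.Execute($RunProfile).ReturnValue        # blocks until the run finishes
    $seconds = [int]((Get-Date) - $started).TotalSeconds
    $deletes = [int]$ma.NumExportDelete().ReturnValue      # statistic of the run just completed
    $message = "MA=$MaName Profile=$RunProfile Result=$result RunNumber=$($ma.RunNumber().ReturnValue) " +
               "Seconds=$seconds ExportDeletes=$deletes"

    # Result strings: 'success', 'completed-<warning>' (e.g. completed-export-errors)
    # or 'stopped-<reason>' (e.g. stopped-extension-dll-exception)
    $type = switch -Wildcard ($result) {
        'success'     { 'Information' }
        'completed-*' { 'Warning' }
        default       { 'Error' }
    }
    # After-the-fact signal: the deletes have already been exported. Pending
    # export counts are reviewed in the Sync Service UI before running an export.
    if ($deletes -gt $MaxExportDeletes) {
        $type = 'Error'
        $message += " (export deletes exceed $MaxExportDeletes)"
    }

    Write-EventLog -LogName Application -Source $EventSource -EventId $EventIds[$type] `
                   -EntryType $type -Message $message
    if ($type -eq 'Error') { throw $message }
    $result
}

# Assumed names for the Woodgrove AD management agent and its run profiles
Invoke-RunProfile -MaName 'Woodgrove AD' -RunProfile 'Delta Import Delta Sync'
Invoke-RunProfile -MaName 'Woodgrove AD' -RunProfile 'Export'
```

Because a failed step throws, a scheduled task running this sequence stops before exporting on top of a broken sync, and the event log carries enough detail (result string, run number, duration, delete count) for a management pack rule to alert without the operator opening the Synchronization Service console.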

  39. Responding to helpdesk tickets

  40. The basics of troubleshooting • Helpdesk tickets still arise • “Can’t reset my password” • “Can’t access the portal” • “Can’t approve this request” • Refer to the troubleshooting guide • Request resources store the audit and troubleshooting information • Don’t rely on the management pack for troubleshooting

  41. Five Diagnostic Techniques • Requests • MPR Explorer • SOAP Faults • Event Viewer • Diagnostic Tracing * At the end of the deck there are slides that answer what these techniques are, when to use them, and why they are useful.

  42. End user access to the portal – AD isn’t enough

  43. Workflows, Approvals, and Admin Box

  44. Exchange connectivity is intermittent

  45. PowerShell as a troubleshooting aid • Sometimes it’s easier to read and write “raw” views of FIM resources • Reset a value which isn’t exposed in the UI • PowerShell provides a supported web service client • See the example scripts on FIM ScriptBox

  46. Measuring Value of FIM

  47. The basics of measuring Value for FIM • FIM provides a lot of value in many different ways • Certificate management • Automated provisioning • Criteria-based (dynamic) groups • Self-service identity management • Measuring value is environment-specific, but here are pointers

  48. Measuring value for self-service scenarios • End users calling the helpdesk costs ~$30 per password reset • Value of self-service is the number of helpdesk calls avoided • Report on the number of self-service password resets • Not a feature in FIM today; consider a partner such as Omada to help • Use this pattern to measure the value of group management and approvals

  49. Demo – Determining how many people reset passwords

  50. XPath Queries for Password Reset Search Scope • All Password Reset Requests: /Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and Operation='Put'] • All Completed Password Reset Requests: /Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and RequestStatus='Completed']
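The two XPath filters above can be run from PowerShell rather than only saved as a portal search scope, which turns slide 48's pattern into a monthly figure. The script below is an added example for this page, not code from the session or from a partner product. The GUID in the filter is FIM's built-in Anonymous account, the identity under which self-service password reset requests are created; the service URI, start date and the $30 per call figure (the slide's estimate) are assumptions to adjust.

```powershell
# Added example (not from the session): count completed SSPR requests per month
# with the slide's XPath. URI, start date and cost per call are assumptions.
Add-PSSnapin FIMAutomation -ErrorAction Stop
$Uri         = 'http://fim-prod:5725/ResourceManagementService'   # assumption
$Since       = '2010-01-01T00:00:00'                               # assumption
$CostPerCall = 30                                                  # slide 48 estimate
$Anonymous   = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522'              # built-in Anonymous account

# Both slide filters combined: only Anonymous 'Put' requests that completed.
# Counting pending or failed attempts would overstate the helpdesk saving.
$xpath = "/Request[Creator='$Anonymous' and Operation='Put' and RequestStatus='Completed' and CreatedTime >= '$Since']"

function Get-Attr($resource, [string]$name) {
    ($resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name } | Select-Object -First 1).Value
}

$requests = Export-FIMConfig -uri $Uri -customConfig $xpath -OnlyBaseResources
$rows = foreach ($r in $requests) {
    New-Object PSObject -Property @{
        Month  = ([datetime](Get-Attr $r 'CreatedTime')).ToString('yyyy-MM')
        Target = Get-Attr $r 'Target'     # reference to the user whose password was reset
    }
}

$rows | Group-Object Month | Sort-Object Name | ForEach-Object {
    New-Object PSObject -Property @{
        Month       = $_.Name
        Resets      = $_.Count
        UniqueUsers = @($_.Group | Select-Object -ExpandProperty Target -Unique).Count
        SavedUSD    = $_.Count * $CostPerCall
    }
} | Format-Table Month, Resets, UniqueUsers, SavedUSD -AutoSize
```

Completed requests are not kept forever: the FIM Service expires them after its configured retention period, so run this on a schedule and keep the monthly counts rather than expecting to reconstruct a year from live data. The UniqueUsers column is the check that the saving is real; a handful of users resetting repeatedly is a training problem, not a helpdesk saving.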
