Installing Microsoft Forefront Identity Manager 2016 SP1 on Server 2016 with SQL 2016

In this post, I will walk you through the process of installing MIM 2016 SP1 on Windows Server 2016

running SQL 2016. MIM 2016 SP1 will be evaluation version.

My home lab consist of:

Domain – RAMLAN.CA DC1 & DC2 - Domain Controllers Server 2016 MIM – Forefront Identity Manager Server 2016 SP1 on Server 2016

Create proper OU structure for MIM install. I have created the following to keep everything clean.

I will be creating following users and groups within above OU. These accounts will be used during the

installation/testing/deployment stages. I have shared PowerShell script to create these users/groups.

import-module activedirectory $sp = ConvertTo-SecureString "01Jan2009" –asplaintext –force New-ADUser –SamAccountName MIMMA –name MIMMA -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "MIMMA@ramlan.ca" New-ADUser –SamAccountName MIMSync –name MIMSync -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "MIMSYNC@ramlan.ca" New-ADUser –SamAccountName MIMService –name MIMService -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "MIMService@ramlan.ca" New-ADUser –SamAccountName MIMSSPR –name MIMSSPR -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "MIMSSPR@ramlan.ca" New-ADUser –SamAccountName MIMSSPR –name MIMSSPWR -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "MIMSSPWR@ramlan.ca" New-ADUser –SamAccountName SharePoint –name SharePoint -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "Sharepoint@ramlan.ca" New-ADUser –SamAccountName SqlEngine –name SqlEngine -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "SqlEngine@ramlan.ca" New-ADUser –SamAccountName SQLAgent –name SQLAgent -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName "SQLAgent@ramlan.ca" New-ADUser –SamAccountName BackupAdmin –name BackupAdmin -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName BackupAdmin@ramlan.ca New-ADUser –SamAccountName BackupAdmin –name MIMADSync -path "OU=ServiceAccounts,OU=Services,OU=MIM,DC=ramlan,DC=ca" -AccountPassword $sp -PasswordNeverExpires 1 -Enabled 1 -UserPrincipalName MIMADSync@ramlan.ca and add this user to Domain Admin group as well

New-ADGroup –name MIMSyncAdmins –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncAdmins -path "OU=Groups,OU=Services,OU=MIM,DC=ramlan,DC=ca" New-ADGroup –name MIMSyncOperators –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncOperators -path "OU=Groups,OU=Services,OU=MIM,DC=ramlan,DC=ca" New-ADGroup –name MIMSyncJoiners –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncJoiners -path "OU=Groups,OU=Services,OU=MIM,DC=ramlan,DC=ca" New-ADGroup –name MIMSyncBrowse –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncBrowse -path "OU=Groups,OU=Services,OU=MIM,DC=ramlan,DC=ca" New-ADGroup –name MIMSyncPasswordReset –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncPasswordReset -path "OU=Groups,OU=Services,OU=MIM,DC=ramlan,DC=ca"

Run below command to add these groups as well.

Create SPNs: Run below command as Domain Admin

setspn -S http/MIM.RAMLAN.CA RAMLAN\SharePoint setspn -S http/MIM RAMLAN\SharePoint setspn -S FIMService/MIM.RAMLAN.CA RAMLAN\MIMService setspn -S FIMSynchronizationService/MIM.RAMLAN.CA RAMLAN\MIMSync

Install pre req using PowerShell:

Add-WindowsFeature NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-Pipe-Activation45,NET-WCF-

HTTP-Activation45,Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-

Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-Asp-Net,Web-Asp-Net45,Web-Net-

Ext,Web-Net-Ext45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-

Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Security,Web-Basic-Auth,Web-Windows-

Auth,Web-Filtering,Web-Digest-Auth,Web-Performance,Web-Stat-Compression,Web-Dyn-

Compression,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,WAS,WAS-

Process-Model,WAS-NET-Environment,WAS-Config-APIs,Web-Lgcy-Scripting,Windows-Identity-

Foundation,Xps-Viewer –verbose

Install-WindowsFeature Web-WebServer, Net-Framework-Features,rsat-ad-powershell,Web-Mgmt-

Tools,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer –includeallsubfeature

Set local security policies:

Open properties for Log on as a service and add these accounts.

RAMLAN\MIMSync; RAMLAN\MIMMA; RAMLAN\MIMService; RAMLAN\Sharepoint; RAMLAN\SQLEngine; RAMLAN\SQLAgent; RAMLAN\MIMSSPR; RAMLAN\MIMSSPWR

Add these 2 accounts as well

– MIMADSYNC & MIMSSPWR

Open properties for Deny access to this computer from the network and add these accounts.

RAMLAN\MIMSYNC; RAMLAN\MIMSERVICE

Open properties for Deny log on locally and add these accounts.

RAMLAN\MIMSYNC; RAMLAN\MIMSERVICE

Change the IIS Authentication mode:

iisreset /STOP C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost iisreset /START

Install SQL Server 2016 SP1: After mounting SQL 2016 ISO – You can run this command to install SQL silently.

setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION=install /FEATURES=SQL

/INSTANCENAME=MSSQLSERVER /SQLSVCACCOUNT="RAMLAN\SQLEngine"

/SQLSVCPASSWORD="01Jan2009" /AGTSVCACCOUNT="RAMLAN\SQLAgent"

/AGTSVCPASSWORD=”01Jan2009” /AGTSVCSTARTUPTYPE=Automatic

/SQLSYSADMINACCOUNTS="RAMLAN\Administrator"

I am going to perform manual install of SQL 2016 SP1 -

Include Full-Text & Semantic Extractions

for Search. This is required.

Install SQL Server 2016 SP2: I am going to perform manual install of SQL 2016 SP2 -

Install SQL Server 2016 SP2 CU2:

I am going to perform manual install of SQL 2016 SP2 CU2-

Install Management Studio:

I am going to perform manual install of SQL Management Studio -

Install SharePoint Foundation 2013 with SP1:

https://www.microsoft.com/en-ca/download/confirmation.aspx?id=42039

Download SharePoint Foundation 2013 from above link. Extract to the folder using this command "sharepoint.exe" /extract:c:\download\sharepoint

Start the prerequisite installer wizard from an administrative command shell. If you do not use an administrative shell, you will get download errors and the wizard will fail.

Restart the Server

Feature installation: Fix .net framework 4.5 hardcoding (solution courtesy of https://support.microsoft.com/en-ca/help/3087184/sharepoint-2013-or-project-server-2013-setup-error-if-the–net-framewo) First you have to download https://download.microsoft.com/download/3/6/2/362c4a9c-4afe-425e-825f-369d34d64f4e/wsssetup_15-0-4709-1000_x64.zip Open the .zip file and extract the wsssetup.dll into the updates folder under your extracted Sharepoint installation. (C:\download\Sharepoint\updates) if you have replicated my folder structure)

Start the Sharepoint installer from an administrative command shell and run setup

Configuration Wizards:

01Jan2009

I was getting above error when, I open Central SharePoint site. Try one of the solutions listed below:

1. Copy MOMAgent.msi from OM Server (C:\Program Files\Microsoft System Center\Operations Manager\Server\AgentManagement\amd64) Run this command - msiexec.exe /fvomus "MOMagent.msi" NOAPM=1 Restart the server

2. You can try this solution - Locate HKLM\SOFTWARE\Microsoft\.NETFramework - Add a new

DWORD value called LoaderOptimization.

Open SharePoint Central Administration site – It should work now

Configure SharePoint for MIM:

A) Create new web application

Start SharePoint Management Shell with run as admin and run below command

$dbManagedAccount = Get-SPManagedAccount -Identity RAMLAN\SharePoint New-SpWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 82 -URL http://portal.ramlan.ca

B) Create new Site collection connected to the new web application

$t = Get-SPWebTemplate -compatibilityLevel 14 -Identity "STS#1" $w = Get-SPWebApplication http://portal.ramlan.ca:82 New-SPSite -Url $w.Url -Template $t -OwnerAlias RAMLAN\administrator -CompatibilityLevel 14 -Name "MIM Portal" -SecondaryOwnerAlias RAMLAN\BackupAdmin $s = SpSite($w.Url) $s.AllowSelfServiceUpgrade = $false $s.CompatibilityLevel

C) Disable SharePoint Server side view state and SharePoint task health analysis

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService; $contentService.ViewStateOnServer = $false; $contentService.Update(); Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

Make sure you can login to the new site (http://localhost:82/default.aspx)

Installation: Synchronization Service

Mount the ISO and run setup.exe from Synchronization Service folder

Since we were unable to export the key due to above error. I clicked No to complete the process.

Below you will find how to back up the keys.

Since we were not able to export the keys – I will show you how it can be done.

Open Synchronization Service Key Management from Programs

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Forefront Identity Manager\miiskeys-1.bin

How to find what version of MIM 2016 SP1 before applying updates KB4050936:

With above version 4.4.1302, we can install hot fix update KB4050936 version 4.4.1749. To install FimSyncService Update KB4050936, we have to stop FIM Synchronization Service

Open administrative command prompt

You can check the version from Add/Remove Programs

Install and configure the MIM Portal / Service: DNS:

Create a Host A record for the portal address

Remove the Default Web Site:

Remove SharePoint – 80: Start the Sharepoint PowerShell console Get-SPWebApplication “SharePoint – 80″|Remove-SPWebApplication

Verify your SharePoint mappings:

SharePoint is using something called Alternate Access Mappings to define what URLs are used for what SharePoint application. We need to check and modify URL through System Settings

You should see above URL’s in Alternate Access Mappings – If not add them manually. Verify your IIS Bindings:

Click No Selection & Select MIM Portal - enter the URL & save

Firewall settings: Since this is a lab – I have disabled firewall for the domain. So no need to configure any rule for Port 82 or Port 80 to access MIM portal. Installation – Service and Portal Open command prompt as Administrator Run this command - msiexec /i “Service and Portal.msi” /L*v c:\temp\MIM_Service_Install.log

To open MIM Identity Management portal type this address http://localhost/identitymanagement

Portal Permission: Users

All users should be able to look at their own object. To make that happen, you have to enable the “User management: Users can read attributes of their own” Management Policy Rule.

Type User Management inside Search for and click search button

Open User Management – Users can read attributes of their own

If you want to give users read selected attribute for other users do the same as above.

Firewall rules:

Since this is home lab – My firewall is disabled by GPO for the domain. In real world you will have to make sure these rules are set open within Firewall

Management Agent Configuration – Active Directory Management Agent:

Check this link for more info about MA configuration - https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync-ad-service

These are various Management Agents that are available in MIM 2016 SP1. You can use these agents to create various attributes and others within your domain and run them as and when required.

Management agents link specific connected data sources to Microsoft Identity Manager (MIM) 2016 SP1. A management agent is responsible for moving data from a connected data source to MIM. When data in MIM is modified, the management agent can also export the data out to the connected data source to keep the connected data source synchronized with the data in MIM. Before we can manipulate users and/or groups with the FIM Synchronization Engine, it is necessary that we create Management Agents. Here, we will create a Management Agent for connecting to Active Directory. Begin by opening the Synchronization Engine from Programs

Provisioning hierarchy, in case you’re wondering, gives us the ability to create OU that currently do not exist and bring them into scope based on a defined path in the DN. You can select whatever object types feel important.

You can select whatever attributes feel important.

For “Join and Projection Rules”, select the “User” and click “New Join Rule”.

Select Data source, Metaverse attribute and click Add condition. You will get this warning. Click OK!

It is worth noting that you may have any number of join conditions here, as we would prefer a join to a possible projection of a duplicate object. Also of interest is these become an “or” where it starts with the first condition and, if a join is unable to occur, it continues down the list attempting joins until there is no more criteria. At that point a project happens.

Above are the 2 screens you will see after adding attributes to Group and User.

1

2

Now you have created Active Directory Management Agent with various attributes for Group and Users. This is just an example. You can add/modify/create more attributes as and when required by editing the ADMA (Management Agent). Before you can test ADMA agent you will have to create Run profile, so this agent ADMA that we configured will go through the attributes and perform required action. If you want to know more about MA/Connectors check these links https://docs.microsoft.com/en-us/previous-versions/mim/jj863241(v=ws.10) https://docs.microsoft.com/en-us/microsoft-identity-manager/supported-management-agents Management Agent Configuration – FIM Service Management Agent: Start by opening the Synchronization Service Manager and click Management Agents, then Create. Select FIM Service MA

https://social.technet.microsoft.com/wiki/contents/articles/31018.fim-2010-troubleshooting-fim-ma-does-not-support-the-current-fim-resource-management-service-db-version.aspx

To fix this error we have to install

hotfix update kb4050936

So here are the steps to install the hotfix. First check the version installed. In my case it was 4.4.1302. So, I can upgrade to 4.4.

Then stop below services.

Open Command Prompt as Administrator and run below command

Let’s try FIM Service MA agent install again

Create Person attribute flows. Below you see, I created one for AccountName. Follow the same step and create attribute flow for others listed in the table below.

Create Group attribute flows. Below you see, I created one for AccountName. Follow the same step and create attribute flow for others listed in the table below

Create Run Profiles: Run Profiles are managed in the “Configure Run Profiles” dialog in Synchronization Service Manager. We have to create individual profile for each Management Agent. In our example we have to create run profile for ADMA and MIM Service. I am going to create Run Profile for ADMA. Follow the same steps listed below and complete for MIM Service MA as well.

Configure the MIM Service: Got to the Administration part of the portal and select Sync Rules

Repeat these for inbound attribute flow

TESTING: There are four steps you need to take before you can test your MIM configuration with AD data:

1. Enable Provisioning 2. Initialize the MIM MA 3. Initialize the ADMA 4. Populate MIM Service database

Enable Provisioning: Open the Synchronization Service Manager. To open the Options dialog box, on the Tools menu, click Options Select Enable Synchronization Rule Provisioning. To close the Options dialog box, click OK.

Initialize the MIM MA:

Run a complete synchronization cycle on this connector. The complete cycle consists of the following run profiles:

Full Import Full Synchronization Export Delta Import

Open the Synchronization Service Manager and, on the Tools menu, click Management Agents. In the Management Agents list, select MIM MA. To open the Run Management Agent dialog box, on the Actions menu, click Run. For each run profile listed above, complete the following steps: To open the Run Management Agent dialog box, on the Actions menu, click Run. In the Run profiles list, select the run profile you want to run. To start the run profile, click OK.

The result is 3 records found from User Inbound Sync Rule and no sync errors

Initialize the ADMA: To populate the MIM Service database with the objects, you need to run a synchronization cycle on the ADMA connector. The cycle consists of: Export Full Import Full Synchronization Open the Synchronization Service Manager and in the Tools menu, click Management Agents. In the Management Agents list, select ADMA. To open the Run Management Agent dialog box, on the Actions menu, click Run. For each run profile listed above, complete the following steps: To open the Run Management Agent dialog box, on the Actions menu, click Run. In the Run profiles list, select the run profile you want to run. To start the run profile, click OK.

I am getting replication access error 8453. Will have to investigate further.

Full Sync of ADMA was success without any information. Not sure, if I have to investigate this as well.

Below is the fix for 8453 replication access error: 1. Open the Active Directory Users and Computers snap-in 2. On the View menu, click Advanced Features. 3. Right-click the domain object, such as "company.com", and then click Properties. 4. On the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7. 5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add. 6. Click OK to return to the Properties dialog box. 7. Click the desired user account. 8. Click to select the Replicating Directory Changes check box from the list. 9. Click Apply, and then click OK.

I ran ADMA Full Import again and it completed without error. It located entire domain OU structure.

There were 2 errors pertaining to Exchange System Mailbox. I guess this error can be IGNORED.

This concludes the whole process of installing, configuring and testing MIM 2016 SP1. Thanks Ram Lan – 19th Sep 2018

TROUBLESHOOTING - 1:

After performing few test – When you opened the portal http://localhost/IdentityManagement - I was getting this error:

The solution is as follows:

Open Management Studio - Expand Databases – Select FIMService Database and execute this command

SELECT * FROM [FIMService].[fim].[Objects] WHERE ObjectKey = '2340'

Open ADUC – Go to Users – Administrator and look for this info

Go to Management Studio and execute this command against FIMService database insert into [FIMService].[fim].UserSecurityIdentifiers values (2340,0x010500000000000515000000C2A2247694522122EC0E2D5EF4010000)

Restart IIS Service.

Open Identity Management Portal and it should open.

TROUBLESHOOTING – 2:

I am getting this warning in the event viewer on MIM Server. Will have to investigate later and fix the issue. Based on Google it is certificate issue between MIM and EXCHANGE server.

https://social.technet.microsoft.com/wiki/contents/articles/17439.fim-troubleshooting-fim-service-polling-the-exchange-web-service-ews-fills-the-application-event-log.aspx - Followed this link to fix the issue

Above configuration did not fix the warning in Event Viewer on MIM Server. Still have to keep looking for possible solution.