This post is part of a series. The chapter index is located here.
In this post we install and configure the MIM Sync Service.
You should not use the default domain admin (MIM\Administrator), but create a separate account. In some previous labs you will see a reference to MIM\JKLAdmin in the sample scripts. That is a separate admin account. While you are at it, create an account that is not a domain admin as well. That is the account you should use during normal operations. This account may be a MIM admin, but should not be a domain admin. We could be lax about security in the lab, but experience has shown me that doing so makes installation in production tricky. You will discover that some tasks require specific permissions, while others do not. Running everything as a domain admin circumvents most such problems, but doing so is not beneficial to your overall security.
Make sure that whatever account you use is a member of the MIM\MIMSyncAdmins group.
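To make the account separation above concrete, here is an added PowerShell example (not from the original post) that creates the non-domain-admin operator account, puts it in MIM\MIMSyncAdmins, and then verifies that it holds no domain-wide admin role. MIMSyncAdmins and the MIM domain name come from the post; the account name MIMOperator and the use of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example, not part of the original post: create a least-privilege MIM operator
# account and verify its group memberships. Assumes the ActiveDirectory module (RSAT)
# is installed and that the script runs as an account allowed to create users.
Import-Module ActiveDirectory

$Domain        = 'MIM'             # NetBIOS domain name used throughout the lab
$OperatorName  = 'MIMOperator'     # assumed name for the day-to-day (non domain admin) account
$SyncAdmins    = 'MIMSyncAdmins'   # group from the post; required to use Synchronization Service Manager
$ForbiddenGrps = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Create the account only if it does not exist yet; the password is prompted, never hard-coded.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$OperatorName'")) {
    $pw = Read-Host -AsSecureString -Prompt "Initial password for $Domain\$OperatorName"
    New-ADUser -Name $OperatorName -SamAccountName $OperatorName `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}

# Membership in MIMSyncAdmins is what lets the account open Synchronization Service Manager.
Add-ADGroupMember -Identity $SyncAdmins -Members $OperatorName

# Verify: the operator must be in MIMSyncAdmins and must NOT be in any domain-wide admin group.
# -Recursive also catches indirect membership through nested groups.
$isSyncAdmin = (Get-ADGroupMember -Identity $SyncAdmins -Recursive).SamAccountName -contains $OperatorName
$elevated    = $ForbiddenGrps | Where-Object {
    (Get-ADGroupMember -Identity $_ -Recursive).SamAccountName -contains $OperatorName
}

if (-not $isSyncAdmin) { throw "$OperatorName is not a member of $SyncAdmins" }
if ($elevated) {
    throw "$OperatorName is also in: $($elevated -join ', '); remove it before using the account for daily work"
}
"$Domain\$OperatorName is a MIM Sync admin and holds no domain admin role"
```

Run it once as your separate admin account (the JKLAdmin-style account, not MIM\Administrator); the final check is the one worth repeating later, since group memberships tend to drift over the life of a lab.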
- Log in to your VM as your admin account.
- Start by getting hold of the MIM 2016 installation ISO and mount it on your VM. You could also extract the contents of the ISO to a folder.
- Open the Synchronization Service folder on the ISO and start setup.exe.
- Follow along the default path. Remember to change the SQL Server location if you did not follow the SQL Server guide to the letter. You should have created an MSSQL instance on the local computer. MSSQL is the default instance. In production I would suggest creating a named instance called MIM on a separate dedicated SQL Server.
- Specify the MIM Sync service account that you created in chapter 1.
- Then specify the security groups you created in chapter 1 on the next screen.
- Enable the firewall rules for inbound RPC.
- Wait for the wizard to finish.
- Follow the instructions to create a backup of the MIM Encryption Key and store this file in a safe place.
It is now time to patch the server again. We have installed a lot of stuff since the last round. As mentioned earlier I recommend using PSWindowsUpdate.
After a couple of rounds with Get-WUInstall -MicrosoftUpdate, it is time to install the latest MIM 2016 update, the Sync Service update to be exact. You can find a list of versions at https://blogs.technet.microsoft.com/iamsupport/idmbuildversions/.
Patching the MIM Sync Service
At the time of writing, the latest version is 4.4.1459.0. I installed the MIM 2016 SP1 (4.4.1237.0). Upgrading to the latest version requires upgrading to MIM 2016 SP1 4.4.1302.0 first. Sadly, there is no way to do this. 4.4.1237.0 is a branch that was so rotten it has been cut off the tree and thrown into a vat of acid never to be talked about again. So I will have to uninstall and start over. The funny thing is that I have a production system running this version, which is why I installed it in the lab to begin with. Anyways, as the settings are stored in SQL this is not really a problem for MIM Sync. The portal will be quite another cup of coffee I suspect.
But back to the main narrative.
“Patching” by uninstall/reinstall
Note: Make sure you have a copy of the current encryption key. You know, the key you were supposed to back up at the end of the installation wizard the last time. If you are in doubt, create a new copy.
- First, you have to remove the MIM Sync service using the original installer.
- Afterwards it is probably smart to reboot the server.
- Then, just start from the top again.
- When installation starts, if everything is entered correctly, the wizard asks if you want to re-use the existing database. Answer yes.
- The wizard asks you for the encryption key. Provide the .bin-file.
- Start the Synchronization Service Manager and check the version number. Yes, I know it still self-identifies as FIM. Who am I to assume the identity of computer programs?
A somewhat more regular update of the Sync Service
As mentioned above, 4.4.1459.0 was the latest version at the time of writing. To upgrade the Sync Service, download FIMSyncService_x64_KB4012498.msp (or the latest version).
- You have to stop the Sync Service before you start the installation. It self-identifies as “FIMSynchronizationService”, with the display name “Forefront Identity Manager Synchronization Service”.
- The .msp requires local admin mode to execute, but has not been written to correctly request it. It just pouts about it. Thus, you have to launch it from an administrative command prompt.
- Again, start Synchronization Service Manager to check the version number.
- It is a good practice to restart the server after such updates.
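The four steps above can be scripted so the prerequisites are checked rather than assumed. The following is an added PowerShell example (not from the original post): it refuses to run unless the prompt is elevated (the .msp will not request elevation itself), stops FIMSynchronizationService and waits for it, applies the patch through msiexec with a verbose log, restarts the service and compares the build number against the 4.4.1459.0 quoted in the post. The patch file name and the version numbers are the ones given above; the download location, the default install path of miiserver.exe, and the assumption that its file version equals the build shown in Synchronization Service Manager are mine.

```powershell
# Added example, not part of the original post: apply a Sync Service .msp with the
# checks the installer does not do for you. Paths marked "assumed" are not from the post.
$Patch       = 'C:\Temp\FIMSyncService_x64_KB4012498.msp'   # assumed download location; file name from the post
$ServiceName = 'FIMSynchronizationService'                  # service name quoted in the post
$BinPath     = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe'  # assumed default install path
$Expected    = [version]'4.4.1459.0'                        # build the post says this patch delivers
$Log         = "$env:TEMP\FIMSync_KB4012498.log"

function Get-SyncServiceVersion {
    # Assumption: the file version of the service binary is the build number the UI shows.
    [version](Get-Item $BinPath).VersionInfo.FileVersion
}

# 1. The .msp does not elevate itself, so stop here unless we are already elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell prompt'
}
if (-not (Test-Path $Patch)) { throw "Patch file not found: $Patch" }

"Before: $(Get-SyncServiceVersion)"

# 2. Stop the Sync Service first and wait until it has really stopped.
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 3. Apply the patch; /L*v writes a verbose log to read if anything goes wrong.
$proc = Start-Process -FilePath msiexec.exe -ArgumentList "/p `"$Patch`" /L*v `"$Log`" /qb" -Wait -PassThru
# Exit code 3010 means success but a reboot is required, which the post recommends anyway.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $Log"
}

# 4. Start the service again and confirm the build number, the check the post does in the UI.
Start-Service -Name $ServiceName
$after = Get-SyncServiceVersion
"After:  $after"
if ($after -lt $Expected) { throw "Version is still $after, expected at least $Expected" }
if ($proc.ExitCode -eq 3010) { 'Reboot required to finish the update' }
```

Keep the log file with your change records; when a patch fails on a production server, the msiexec verbose log is usually the only place the reason is written down.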
The end of MIM LAB 3
This post is part of a series, and the chapter index is located here. In the next chapter, we will look at installing the MIM Service/Portal.