
Identity Provisioning and Access Management
In a Dynamic IT environment, identity provisioning and access management is highly automated,
following required processes defined by the organization and any relevant compliance regulations.
Identity provisioning and access management is centrally managed, integrating with all
application-specific identity management systems. This white paper describes the major steps and
tasks an organization can take to perform identity provisioning and access management at the
Dynamic level in the Core IO Model.
Capability: Identity and Security Services (Identity and Access)
Applies to: Active Directory Domain Services (AD DS) in Windows Server 2008 R2, Active Directory
Lightweight Directory Services (AD LDS) in Windows Server 2008 R2, Forefront Identity Manager (FIM)
2010
Attributes: Security, Management
Author: Douglas Steen
Published: November 2010

Disclaimer
This document is provided as-is. Information and views expressed in this document, including URL and
other Internet Web site references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association
or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.
© 2010 Microsoft. All rights reserved.


Contents
Introduction
  Identity Provisioning and Access Management
  Steps to a Dynamic Environment
Plan Identity Provisioning and Access Management
  Plan AD DS
  Plan AD LDS
  Plan FIM 2010
Deploy Identity Provisioning and Access Management
  Deploy AD DS
  Deploy AD LDS
  Deploy FIM 2010
Configure Management Policies
Perform Synchronization
Conclusion


Introduction
Microsoft Infrastructure Optimization (IO) is based on three information technology (IT) models: Core
IO, Application Platform optimization, and Business Productivity IO. Each of these models contains four
levels of process maturity and capability classifications as logical groupings of requirements for each
level of maturity. Core IO focuses on the foundational elements of IT services and components. Maturity
levels in Core IO are Basic, Standardized, Rationalized, and Dynamic. This guide contains checklists to
help move from the Rationalized level to the Dynamic level for the Identity Provisioning and Access
Management sub-workload in the Core IO model. See Infrastructure Optimization at
http://www.microsoft.com/infrastructure/ for more information about Core IO.

Identity Provisioning and Access Management

Management of identities and access to resources is an ongoing process for all organizations. Many
organizations have multiple identity systems that are administered separately, each presenting unique
challenges in identity provisioning, synchronization of passwords, and compliance with regulatory
requirements.
In addition to the challenges in provisioning and managing identities, users regularly need to be granted
access to the appropriate resources. Often, granting access to resources is a mostly manual process,
so compliance with established business policies and best practices cannot be ensured. In addition,
the ongoing management of resource access in these organizations is highly labor intensive and leads
to inefficient and ineffective use of IT resources.
Table 1 lists the levels of IT environment optimization and provides a brief description of how identity
provisioning and access management is performed in each level.
Table 1. Identity Provisioning and Access Management at Each IT Environment Optimization Level
Basic: User account provisioning and de-provisioning are manual and access is controlled per instance.
Standardized: Limited, simple provisioning and de-provisioning of user accounts, mailboxes, certificates, smart cards, and machines exists to control access.
Rationalized: Provisioning and de-provisioning of user and super-user accounts, certificates, and smart cards is automated; access control is role-based.
Dynamic: Provisioning and de-provisioning of all resources, certificates, and smart cards is automated for all users; roles and entitlement are managed and access control is policy driven.

Steps to a Dynamic Environment

In a Dynamic IT environment, identity and access management is performed using highly automated
processes that are compliant with existing business policies, best practices, and any other regulations.
The automation of identity provisioning and access management is performed using the following features
in FIM 2010:

Identity synchronization. This feature provisions, de-provisions, and manages identities in the
appropriate identity systems as required by business policies, such as provisioning identities in AD
DS, AD LDS, or application-specific identity systems.
Policy Management. This feature uses workflows to grant the appropriate access to applications
and services based on the roles for a user and the business policies that are associated with each
role.

Figure 1. Steps in performing identity provisioning and access management at the Dynamic IT level
Figure 1 illustrates the steps in the process that can help your organization move to the Dynamic IT level
of identity provisioning and access management through the use of AD DS, AD LDS, and FIM 2010. The
remainder of this document uses a checklist format to break each step into tasks.
Note FIM 2010 provides the automated identity management features previously provided by
Microsoft Identity Lifecycle Manager 2007 (ILM 2007), plus many additional features.

Plan Identity Provisioning and Access Management

Figure 2. Plan identity provisioning and access management


Figure 2 illustrates the Plan Identity Provisioning and Access Management step, during which all the
planning related tasks are completed so that you can prepare your infrastructure for performing
automated identity provisioning and access management that is compliant with business policies and
compliance regulations.
Table 2 lists the inputs (prerequisites or necessary information) for completing this step and the
outcomes (or deliverables) of its completion.
Table 2. Plan Identity Provisioning and Access Management: Inputs and Outcomes

Inputs
Application portfolio: This provides a comprehensive list of all the applications. It includes detailed information about each application, including whether the application integrates with AD DS or AD LDS, or has a separate identity system of its own.
Network documentation: This provides the current network services that exist and the network topology. You will use this information to ensure that the prerequisite networking services exist to support an application directory service at the Dynamic IT level. If the prerequisite networking services do not exist, then you will perform infrastructure remediation.
Active Directory infrastructure documentation: This provides all pertinent information regarding the Active Directory infrastructure, which includes the configuration of:
  AD DS. Provides information such as the number and placement of domain controllers, number and coverage of Active Directory sites, and site replication topology.
  AD LDS. Provides information such as the number of AD LDS instances and the source for the identities managed in each AD LDS instance.
Identity systems portfolio: This provides a comprehensive list of all the identity systems that are integral to the applications. It includes the identity attributes for each system and the source for these attributes.

Outcomes
Identity provisioning and access management design documentation: This contains all the necessary specifications to prepare your infrastructure for an application directory service at the Dynamic IT level and to perform identity synchronization for each application.
Application portfolio: This contains an updated list of the applications based on information discovered during this step.
Identity systems portfolio: This contains an updated list of the identity systems that are integral to specific applications based on information discovered during this step.

To plan identity provisioning and access management at the Dynamic IT level, you need to plan each of
the following components:

AD DS
AD LDS
FIM 2010

Plan AD DS
In identity provisioning and access management at the Dynamic IT level, AD DS contains and is used to
manage identities that are used by computers or applications that are able to integrate with AD DS. AD
DS is provided for applications that have access to the domain controllers on your private network and
for accounts that reside in your AD DS forest. Otherwise, AD LDS or an application-specific identity
system is used.
Note In many instances an AD DS infrastructure will already exist, but may require remediation to
support identity provisioning and access management at the Dynamic IT level.
The planning for AD DS is discussed in the Plan AD DS section in the Mission Critical Directory Services
document in the Mission Critical document series. Please consult that section for the necessary tasks in
planning AD DS for identity provisioning and access management.

Plan AD LDS
In identity provisioning and access management at the Dynamic IT level, AD LDS contains and is used to
manage the identities that are used by computers or applications that are able to integrate with AD LDS.
AD LDS is provided for applications that do not have access to the domain controllers on your private
network and for accounts that do not reside in your AD DS forest. AD LDS is typically used to maintain
identities for applications and resources in extranets or the Internet. Otherwise, AD DS or an
application-specific identity system is used.
Note In many instances an AD LDS infrastructure might exist, but may require remediation to provide
identity provisioning and access management at the Dynamic IT level.
The planning for AD LDS is discussed in the Plan AD LDS section in the Mission Critical Application
Directory Services document. Please consult that section for the necessary tasks in planning AD LDS for
identity provisioning and access management.

Plan FIM 2010

FIM 2010 is the cornerstone technology that provides identity provisioning and access management at
the Dynamic IT level. For identity provisioning, FIM 2010 is used to synchronize identities between the
identity attribute sources and the various identity systems in your organization. FIM 2010 automates the
synchronization process by collecting identity attributes into the FIM 2010 metaverse, a centralized
repository of all the identities and their attributes. FIM 2010 uses the information in the metaverse to
synchronize the appropriate attributes with the appropriate identity systems in your organization.
For example, FIM 2010 can collect identities and attributes from a human resource (HR) system into the
FIM 2010 metaverse. Then FIM 2010 synchronizes the identities and attributes in the metaverse with AD
DS, AD LDS, or with other identity systems. In addition, FIM 2010 could perform the reverse
synchronization and synchronize changes from one of the identity systems to the HR system.
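The flow just described, as an editor-added model in Python rather than Microsoft code or a FIM API: two constructed connected data sources, HR and AD DS, are joined on an employee number, attribute precedence picks the winning source for each metaverse attribute, active people without an account are provisioned, terminated people are disabled, and the AD DS mailbox address flows back to HR. The source names, attribute names and the sAMAccountName convention are assumptions made for the example.

```python
"""Toy model of FIM 2010-style identity synchronization: connected data sources
are imported and joined into a metaverse, attribute precedence decides which
source wins per attribute, and the result is provisioned, de-provisioned and
flowed back out. Editor-added illustration, not Microsoft code; source,
attribute and account-name conventions below are constructed."""

# Join anchor in each connected data source (CDS); constructed names.
ANCHOR = {"HR": "EmployeeNumber", "ADDS": "employeeID"}

# Metaverse attribute -> ranked import flows (CDS, source attribute). The first
# source holding a value wins: HR is authoritative for person data, AD DS is
# the only source for the mailbox address.
PRECEDENCE = {
    "employeeID": [("HR", "EmployeeNumber"), ("ADDS", "employeeID")],
    "givenName":  [("HR", "FirstName"), ("ADDS", "givenName")],
    "sn":         [("HR", "LastName"), ("ADDS", "sn")],
    "department": [("HR", "Dept"), ("ADDS", "department")],
    "status":     [("HR", "Status")],
    "mail":       [("ADDS", "mail")],
}

# Export flows: metaverse attribute -> attribute written into each CDS. The HR
# entry is the reverse flow the text mentions (mailbox address back to HR).
EXPORT = {
    "ADDS": {"givenName": "givenName", "sn": "sn", "department": "department"},
    "HR": {"mail": "Email"},
}


def build_metaverse(sources):
    """Join connector-space objects on their anchor and apply precedence.

    sources: {cds: [object, ...]}
    returns: {anchor: {"attrs": metaverse attributes, "connectors": {cds: object}}}
    """
    metaverse = {}
    for cds, objects in sources.items():
        for obj in objects:
            entry = metaverse.setdefault(obj[ANCHOR[cds]], {"attrs": {}, "connectors": {}})
            entry["connectors"][cds] = obj
    for entry in metaverse.values():
        for mv_attr, flows in PRECEDENCE.items():
            for cds, src_attr in flows:
                value = entry["connectors"].get(cds, {}).get(src_attr)
                if value not in (None, ""):
                    entry["attrs"][mv_attr] = value
                    break
    return metaverse


def plan_exports(metaverse):
    """Return the pending exports: provision, de-provision and attribute updates."""
    exports = []
    for anchor, entry in sorted(metaverse.items()):
        attrs, connectors = entry["attrs"], entry["connectors"]
        ad = connectors.get("ADDS")
        if attrs.get("status") == "Active" and ad is None:
            # Provisioning rule: every active person gets an AD DS account.
            account = {"employeeID": anchor, "enabled": True,
                       "sAMAccountName": (attrs["givenName"][0] + attrs["sn"]).lower()}
            account.update({dst: attrs[src] for src, dst in EXPORT["ADDS"].items() if src in attrs})
            exports.append({"cds": "ADDS", "op": "add", "anchor": anchor, "changes": account})
            continue
        if attrs.get("status") == "Terminated" and ad is not None and ad.get("enabled"):
            # De-provisioning rule: disable the account of a terminated person.
            exports.append({"cds": "ADDS", "op": "disable", "anchor": anchor,
                            "changes": {"enabled": False}})
        for cds, flows in EXPORT.items():
            target = connectors.get(cds)
            if target is None:
                continue
            # Only attributes whose metaverse value differs from the target are exported.
            changes = {dst: attrs[src] for src, dst in flows.items()
                       if src in attrs and target.get(dst) != attrs[src]}
            if changes:
                exports.append({"cds": cds, "op": "update", "anchor": anchor, "changes": changes})
    return exports


# Constructed sample data for the two connected data sources.
SOURCES = {
    "HR": [
        {"EmployeeNumber": "1001", "FirstName": "Ana", "LastName": "Silva", "Dept": "Finance", "Status": "Active"},
        {"EmployeeNumber": "1002", "FirstName": "Ben", "LastName": "Okafor", "Dept": "Sales", "Status": "Terminated"},
        {"EmployeeNumber": "1003", "FirstName": "Chloe", "LastName": "Dupont", "Dept": "IT", "Status": "Active"},
    ],
    "ADDS": [
        {"employeeID": "1001", "sAMAccountName": "asilva", "givenName": "Ana", "sn": "Silva",
         "department": "Accounting", "mail": "ana.silva@corp.example", "enabled": True},
        {"employeeID": "1002", "sAMAccountName": "bokafor", "givenName": "Ben", "sn": "Okafor",
         "department": "Sales", "mail": "ben.okafor@corp.example", "enabled": True},
    ],
}


def run_example():
    """One synchronization cycle over the sample data: (metaverse, exports)."""
    metaverse = build_metaverse(SOURCES)
    return metaverse, plan_exports(metaverse)
```

Running the cycle yields five exports: the HR-owned department overrides the stale AD DS value for 1001, the terminated account 1002 is disabled, 1003 is provisioned, and both mailbox addresses flow back to HR.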
For access management at the Dynamic IT level, the policy management feature in FIM 2010 provides
the ability to grant application and resource access to users based on the users' roles. Access
management is implemented using the workflows in management policy rules (MPRs). Using these
workflows, you can implement role-based access management that automates existing business policies.
Table 3 will help you plan FIM 2010 deployment. Upon completion of this step, you will have completed
the FIM 2010 design documentation, which will be used in subsequent steps.
Table 3. Plan FIM 2010

Task: Identify the identity systems to be included in identity management.
Description: The identity systems, also known as connected data sources, need to be identified. Update the identity system portfolio to reflect each identity system. For example, if you have a human resources system and AD DS, then each of those is a separate identity system.
Reference: Task 2: Determine the Connected Data Sources in Scope in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Identify the source for each identity.
Description: Each identity in the FIM 2010 metaverse needs to come from a connected data source. Identities can either come from one source or be derived from multiple connected data sources. Update the identity system portfolio to reflect the source for each identity.
Reference: Task 2: Determine the Connected Data Sources in Scope in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Identify the source for each identity attribute.
Description: Each identity attribute in the FIM 2010 metaverse needs to come from a connected data source. Attributes can either come from one source or be derived from multiple connected data sources. Update the identity system portfolio to reflect the source for each identity attribute.
Reference: Task 2: Determine the Connected Data Sources in Scope in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the user load.
Description: Knowing the number of users and the load they exert on FIM 2010 is essential to identifying the number of servers required and their placement. Update the application directory service design document to reflect the user load.
Reference: Task 3: Determine User Load in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine fault-tolerance requirements.
Description: You must identify fault-tolerance requirements for each application in the application portfolio. The application availability requirements will determine the availability requirements for FIM 2010. For example, if an application requires 99.9% availability, then FIM 2010 requires the same availability and fault-tolerance requirements.
Reference: Task 4: Determine Fault-Tolerance Requirements in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the server roles to include.
Description: Identity provisioning and access management services at the Dynamic IT level require the identity management feature in FIM 2010. If password synchronization is also required, then the password synchronization feature in FIM 2010 is also required.
Reference: Step 2: Determine the Required Roles in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the number of FIM Synchronization Service instances required.
Description: Typically, a single FIM Synchronization Service instance is sufficient. However, any number of instances may be installed as required, for considerations such as consolidation of identities from multiple data sources, reducing the synchronization cycle time, or regulatory requirements. For example, additional instances may be included to reduce synchronization cycle length.
Reference: Task 1: Decide How Many FIM Synchronization Service Instances Will Be Required in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the FIM Synchronization Service database storage requirements.
Description: A FIM Synchronization Service database is required for each FIM Synchronization Service instance. The storage requirements must be determined for each instance; they can be affected by the number of identities retained in the metaverse, the number of attributes retained for each identity in the metaverse, and other factors.
Reference: Task 2: Determine FIM Synchronization Service Database Storage Requirements in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the fault-tolerance requirements for the FIM Synchronization Service instance and corresponding database.
Description: The fault-tolerance requirements for the FIM Synchronization Service instance and database are determined by the availability requirements of the applications. Determine the fault-tolerance requirements by reviewing the availability requirements in the application portfolio.
Reference: Task 3: Apply Fault-Tolerance Requirements in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the FIM Synchronization Service server placement.
Description: Servers running the FIM Synchronization Service instances need to have high-speed, persistent connections to the FIM Synchronization Service database and to the identity systems (connected data sources).
Reference: Task 4: Determine FIM Synchronization Service Server Placement in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the number of FIM Service servers required.
Description: Typically, a single FIM Service instance is sufficient. However, any number of servers may be installed as required to help improve scalability, such as when running workflows. For example, additional instances may be included to help improve the time required to perform a password reset.
Reference: Task 1: Determine the Number of FIM Service Servers Required in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the number of FIM Portal servers required.
Description: Typically, a single FIM Portal server is sufficient. However, any number of servers may be installed as required to help improve scalability and availability. For example, additional servers may be included to help improve performance when multiple users are simultaneously accessing the FIM Portal.
Reference: Task 2: Determine the Number of FIM Portal Servers Required in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the FIM Service database storage requirements.
Description: A FIM Service database is required for each FIM Service instance. The storage requirements must be determined for each instance.
Reference: Task 3: Determine FIM Service Database Storage Requirements in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the fault-tolerance requirements for the FIM Service instance and corresponding database.
Description: The fault-tolerance requirements for the FIM Service instance and database are determined by the availability requirements of the applications. Determine the fault-tolerance requirements by reviewing the availability requirements in the application portfolio.
Reference: Task 4: Apply Fault-Tolerance Requirements in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the FIM Service components placement.
Description: Servers running the FIM Service components need to have high-speed, persistent connections to the other components. For example, the server running the FIM Service needs to have a high-speed, persistent connection to the FIM Service database.
Reference: Task 5: Determine the Placement of the FIM Service Components in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Task: Determine the configuration of the FIM Service components.
Description: The FIM components can be run in physical and virtualized environments. Regardless, the FIM components require sufficient system resources to provide adequate performance and availability.
Reference: Task 6: Determine the Configuration of FIM Service Components in the Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide, available at Forefront Identity Manager 2010.

Deploy Identity Provisioning and Access Management

Figure 3. Deploy identity provisioning and access management


When you have finished planning for identity provisioning and access management at the Dynamic level,
you are ready to begin deployment. This step, illustrated in Figure 3, will help you ensure that the
appropriate infrastructure exists for providing an application directory service.
Table 4 lists the inputs (prerequisites or necessary information) for completing this step and the
outcomes (or deliverables) of its completion.
Table 4. Deploy Identity Provisioning and Access Management: Inputs and Outcomes

Inputs
Application portfolio: This is a comprehensive list of all the applications. It includes detailed information about each application, including whether the application integrates with AD DS or AD LDS, or has a separate identity system of its own. It also includes information about the application user roles and the business policies for granting access to the application.
Identity systems portfolio: This provides a comprehensive list of all the identity systems that are integral to the applications. It includes the identity attributes for each system and the source for these attributes.
Active Directory infrastructure documentation: This provides all pertinent information regarding the Active Directory infrastructure for AD DS and AD LDS.
Identity provisioning and access management documentation: Contains all the necessary specifications to prepare your infrastructure for identity provisioning and access management at the Dynamic IT level, which includes performing identity synchronization and granting access to each application.
Note If the design team that constructed the original design for your organization is different from the deployment team that will implement the design, make sure that the deployment team reviews all final decisions with the design team.

Outcomes
Identity provisioning and access management: Identity provisioning and access management is deployed at the Dynamic IT level. The necessary infrastructure exists, the servers are prepared, and the FIM 2010 server roles are installed on the appropriate servers. The identity provisioning and access management infrastructure is ready for the applications to be configured to use the appropriate identity systems, for the management policy workflows to be created to grant access to the appropriate applications, and for identities to be synchronized between the identity systems.
Application portfolio: This documentation should be updated to reflect any changes discovered during this step.
Identity system portfolio: This documentation is updated to reflect any changes discovered during this step.
Identity provisioning and access management documentation: This documentation is updated to reflect any changes discovered during this step.

To deploy identity provisioning and access management at the Dynamic IT level, you need to deploy and
configure each of the following components:

AD DS
AD LDS
FIM 2010

Deploy AD DS
In identity provisioning and access management at the Dynamic IT level, AD DS is a requirement. Ensure
that the AD DS is deployed and any necessary remediation is performed.
The deployment of AD DS is discussed in the Deploy AD DS section in the Mission Critical Directory
Services document. Please consult that section to learn how to deploy AD DS.


Deploy AD LDS
In identity provisioning and access management at the Dynamic IT level, deployment and use of AD LDS
is optional, depending on application requirements. If your solution requires AD LDS, ensure that AD LDS
is deployed and any necessary remediation is performed.
The deployment of AD LDS is discussed in the Deploy AD LDS section in the Mission Critical Directory
Services document. Please consult that section to learn how to deploy AD LDS.

Deploy FIM 2010

Table 5 will help you deploy FIM 2010. Upon completion of this step, you will have completed the FIM
2010 deployment.
Table 5. Deploy FIM 2010

Task: Prepare servers for FIM 2010 deployment.
Description: Prior to installing FIM 2010 on each server, the servers need to be prepared. This preparation includes configuring system resources, installing Windows Server 2008 R2 or Windows Server 2008, and configuring the operating system.
Reference: Hardware and Software Requirements

Task: Prepare the environment for FIM 2010 Synchronization Service instance deployment.
Description: Prior to installing the FIM 2010 components, there are some tasks that need to be completed for installing the FIM Synchronization Service instances. These include creating a service account for the FIM Synchronization Service, configuring the server running SQL Server, configuring SQL aliases, and configuring the SQL collation settings.
Reference: Before You Begin

Task: Install the appropriate FIM 2010 server components.
Description: Install the FIM 2010 server components based on the information in the Identity Provisioning and Access Management design, such as the FIM Service, the FIM Synchronization Service, or the FIM Portal.
Reference: Installing the FIM 2010 Server Components; Unattended Installation of FIM 2010

Task: Perform post-installation and configuration tasks for FIM 2010.
Description: After the deployment of the FIM 2010 server components, FIM 2010 needs to be configured appropriately to support an application directory service. The configuration tasks include configuring the SQL Server database, configuring the synchronization rules, and performing the initial Active Directory-to-FIM 2010 data load.
Reference: Post-Installation and Configuration Guide

Task: Extend the FIM 2010 schema for custom resources and attributes.
Description: Some applications may require custom resources or attributes in FIM 2010. For these applications, the schema of FIM 2010 needs to be configured to support the new resources or attributes.
Reference: Introduction to Custom Resource and Attribute Management; Custom Resource and Attribute Management Deployment Guide

Task: Configure FIM 2010 for cross-forest management.
Description: FIM 2010 needs to be configured to work properly with AD DS in a cross-forest environment.
Reference: Cross-Forest Management Deployment Guide

Configure Management Policies

Figure 4. Configure management policies


Figure 4 illustrates the Configure Management Policies step, which will help you ensure that the
appropriate management policy rules (MPRs) exist to grant access to the applications and resources
based on the business policies and compliance regulations.
Table 6 lists the inputs (prerequisites or necessary information) for completing the Configure
Management Policies step and the outcomes (or deliverables) after completing this step.


Table 6. Configure Management Policies: Inputs and Outcomes

Inputs
Identity provisioning and access management: Identity provisioning and access management infrastructure exists and is ready for the configuration of policies and synchronization of identities.
Application portfolio: This provides a comprehensive list of all the applications. It includes detailed information about the business policies for granting user access to each application.
Identity systems portfolio: This provides a comprehensive list of all the identity systems that are integral to the applications. It includes the identity attributes for each system and the source for these attributes.
Identity provisioning and access management documentation: This contains all the necessary specifications to prepare your infrastructure for identity provisioning and access management at the Dynamic IT level, which includes performing identity synchronization and granting access to each application.
Note If the design team that constructed the original design for your organization is different from the deployment team that will implement the design, make sure that the deployment team reviews all final decisions with the design team.

Outcomes
Identity provisioning and access management: Identity provisioning and access management is configured with the appropriate MPRs and is ready for identity synchronization.
Application portfolio: This documentation should be updated to reflect any changes discovered during this step.
Identity system portfolio: This documentation should be updated to reflect any changes discovered during this step.
Identity provisioning and access management documentation: This documentation should be updated to reflect any changes discovered during this step.

Table 7 will help you configure the management policies in FIM 2010. Upon completion of this step, you
will have completed the FIM 2010 deployment.
Table 7. Configure Management Policies

Task: Create the FIM 2010 sets for management policies.
Description: Sets in FIM 2010 identify the user objects to which the management policy will be applied. You need to create the appropriate sets as required by the management policies.
Reference: For more information, see the Create the scenario set topic in Introduction to Management Policy Rules.

Task: Create the FIM 2010 policy workflows for management policies.
Description: Each management policy has one or more policy workflows that are used to perform actions within the management policy. Policy workflows are invoked in response to the state change.
Reference: For more information, see the Create the workflows topic in Introduction to Management Policy Rules.

Task: Create the management policies.
Description: Create a management policy for each business policy identified during the Plan Identity Provisioning and Access Management step using the Create Management Policy Rule Wizard.
Reference: For more information, see the Creating the MPRs topic in Introduction to Management Policy Rules.
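How the three tasks above fit together, as an editor-added model in Python rather than FIM configuration or Microsoft code: sets are filters over resource attributes, a request MPR decides whether the requestor may change the requested attributes of a target in the set, and a set-transition MPR runs its workflows when the committed change moves the target into or out of a set. The set, role, attribute and workflow names are constructed for the example.

```python
"""Toy evaluation of FIM 2010-style management policy rules (MPRs). Editor-added
model, not Microsoft code; set, role, attribute and workflow names are constructed."""
from dataclasses import dataclass, field

# A set is a named filter over resource attributes. FIM evaluates an XPath
# filter against the FIM Service database; a Python predicate stands in here.
SETS = {
    "All People": lambda r: r.get("objectType") == "Person",
    "HR Admins": lambda r: (r.get("objectType") == "Person"
                            and "HR-Admin" in r.get("roles", ())),
    "Finance Users": lambda r: (r.get("objectType") == "Person"
                                and r.get("department") == "Finance"
                                and r.get("status") == "Active"),
}


def member_sets(resource):
    """Names of every set the resource currently belongs to."""
    return {name for name, test in SETS.items() if test(resource)}


@dataclass
class RequestMPR:
    """Request MPR: who may modify which attributes of which targets."""
    name: str
    requestor_set: str
    target_set: str          # target must be in this set before and after the change
    attributes: frozenset    # attributes covered; {"*"} covers every attribute
    grants_permission: bool = True


@dataclass
class TransitionMPR:
    """Set-transition MPR: workflows run when a resource enters or leaves a set."""
    name: str
    transition_set: str
    on_enter: bool           # True fires on transition in, False on transition out
    action_workflows: list = field(default_factory=list)


# Two constructed business policies: HR staff maintain the HR-owned attributes,
# and Finance department membership drives access to the Finance application.
REQUEST_MPRS = [
    RequestMPR("HR admins maintain HR attributes", "HR Admins", "All People",
               frozenset({"department", "status"})),
]
TRANSITION_MPRS = [
    TransitionMPR("Grant Finance application access", "Finance Users", True,
                  ["Add to Finance app security group", "Notify manager"]),
    TransitionMPR("Revoke Finance application access", "Finance Users", False,
                  ["Remove from Finance app security group"]),
]


def evaluate_modify(requestor, target, changes):
    """Authorize a Modify request; return (granted, workflows, target_after).

    Every changed attribute must be covered by a permission-granting request MPR
    whose requestor set contains the requestor and whose target set contains the
    target both before and after the change; otherwise nothing is applied.
    """
    after = {**target, **changes}
    requested = set(changes)
    requestor_sets = member_sets(requestor)
    before_sets, after_sets = member_sets(target), member_sets(after)
    granted = set()
    for mpr in REQUEST_MPRS:
        if not mpr.grants_permission or mpr.requestor_set not in requestor_sets:
            continue
        if mpr.target_set not in before_sets or mpr.target_set not in after_sets:
            continue
        granted |= requested if "*" in mpr.attributes else requested & mpr.attributes
    if requested - granted:
        return False, [], dict(target)
    # The committed change may move the target into or out of sets; that state
    # change is what invokes the policy workflows.
    workflows = []
    for mpr in TRANSITION_MPRS:
        moved = after_sets - before_sets if mpr.on_enter else before_sets - after_sets
        if mpr.transition_set in moved:
            workflows.extend(mpr.action_workflows)
    return True, workflows, after


# Constructed sample resources.
HR_ADMIN = {"objectType": "Person", "displayName": "Priya Raman",
            "roles": ["HR-Admin"], "department": "HR", "status": "Active"}
HELPDESK = {"objectType": "Person", "displayName": "Tom Lee",
            "roles": ["Helpdesk"], "department": "IT", "status": "Active"}
EMPLOYEE = {"objectType": "Person", "displayName": "Ana Silva",
            "roles": [], "department": "Sales", "status": "Active"}


def run_example():
    """Move one person into Finance and out again, plus two denied requests."""
    moved_in = evaluate_modify(HR_ADMIN, EMPLOYEE, {"department": "Finance"})
    denied_requestor = evaluate_modify(HELPDESK, EMPLOYEE, {"department": "Finance"})
    denied_attribute = evaluate_modify(HR_ADMIN, EMPLOYEE, {"displayName": "A. Silva"})
    terminated = evaluate_modify(HR_ADMIN, moved_in[2], {"status": "Terminated"})
    return moved_in, denied_requestor, denied_attribute, terminated
```

The denied cases show the two ways a request fails the MPR check: a requestor outside the requestor set, and an attribute no permission-granting MPR covers.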

Perform Synchronization

Figure 5. Perform synchronization


Figure 5 illustrates the Perform Synchronization step, which will help you ensure that the FIM
Synchronization Service instances are properly configured to synchronize the identity systems used by
the applications.
Table 8 lists the inputs (prerequisites or necessary information) for completing this step and the
outcomes (or deliverables) of its completion.
Table 8. Perform Synchronization: Inputs and Outcomes

Inputs

Identity provisioning and access management: Identity provisioning and access
management infrastructure exists and is ready for the configuration of
synchronization of identities.
Identity systems portfolio: Provides a comprehensive list of all the identity
systems that are integral to the applications. Includes the identity attributes for
each system and the source for these attributes.
Identity provisioning and access management documentation: Contains all the
necessary specifications to prepare your infrastructure for identity provisioning and
access management at the Dynamic IT level, which includes performing identity
synchronization.
Note If the design team that constructed the original design for your organization
is different from the deployment team that will implement the design, make sure
that the deployment team reviews all final decisions with the design team.

Outcomes

Identity provisioning and access management: The identity provisioning and
access management infrastructure is configured to perform identity
synchronization between the identity systems.
Identities: The appropriate identities and identity attributes are synchronized
between the FIM 2010 metaverse and each identity system.
Identity system portfolio: This documentation should be updated to reflect any
changes discovered during this step.
Identity provisioning and access management documentation: This
documentation should be updated to reflect any changes discovered during this
step.

Table 9 will help you synchronize the identities between AD DS forests, AD LDS instances, and
application-specific identity systems that support applications in your intranet, your extranet, and the
Internet. Upon completion of this step, the appropriate identities are provisioned and the identities
have the appropriate attributes.
Table 9. Perform Synchronization

Task: Configure identity synchronization from the AD DS forests to FIM 2010.
Description: Configure FIM 2010 to synchronize identities and their attributes from
the AD DS forests to the FIM 2010 metaverse.
Reference: Introduction to User and Group Management; Introduction to Security
Group Management; Introduction to Distribution Group Management; Introduction to
Management Policy Rules; Introduction to Inbound Synchronization.

Task: Configure identity synchronization from FIM 2010 to the AD DS forests.
Description: Configure FIM 2010 to synchronize identities and their attributes from
the FIM 2010 metaverse to the AD DS forests.
Reference: Introduction to User and Group Management; Introduction to Security
Group Management; Introduction to Distribution Group Management; Introduction to
Management Policy Rules; Introduction to Outbound Synchronization.

Task: Configure provisioning of user and group accounts from FIM 2010 into AD DS.
Description: FIM 2010 must be configured to provision new user and group accounts
in AD DS.
Reference: Introduction to User and Group Management; Introduction to Outbound
Synchronization; Introduction to Publishing To Active Directory from Two
Authoritative Data Sources; How Do I Provision Users to AD DS; How Do I Provision
Groups to AD DS.

Task: Configure synchronization of user and group accounts from AD DS to FIM 2010.
Description: FIM 2010 needs to be configured to synchronize user and group accounts
in AD DS with the FIM 2010 metaverse.
Reference: Introduction to Inbound Synchronization; How Do I Synchronize Users from
AD DS to FIM; How Do I Synchronize Groups from AD DS to FIM.
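The four tasks in Table 9 describe one data flow: each identity system is imported into a connector space, objects are joined to (or projected into) the metaverse, attributes flow inbound according to which system is authoritative for them, and attributes flow outbound again, provisioning objects in systems that lack them. The following Python model is an added illustration of that flow; it is not FIM code, and the names (ManagementAgent, Metaverse, inbound_sync, outbound_sync), the precedence table, the sample HR and AD DS records and the OU=Provisioned DN pattern are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

Attrs = Dict[str, str]

@dataclass
class ManagementAgent:
    """One connected identity system (an AD DS forest, an HR database, ...)."""
    name: str
    connector_space: Dict[str, Attrs]    # anchor (DN or record id) -> attributes as last imported
    join_attr: str                       # attribute identifying the same person in every system
    inbound_flow: Dict[str, str]         # source attribute -> metaverse attribute
    outbound_flow: Dict[str, str]        # metaverse attribute -> target attribute
    provision: bool = False              # create objects here for metaverse entries it lacks

@dataclass
class Metaverse:
    objects: Dict[str, Attrs] = field(default_factory=dict)                # join key -> attributes
    links: Dict[str, Dict[str, str]] = field(default_factory=dict)         # join key -> {MA: anchor}
    contributor: Dict[str, Dict[str, str]] = field(default_factory=dict)   # join key -> {attr: MA}

def rank(precedence: Dict[str, List[str]], attr: str, ma_name: str) -> int:
    """Position of ma_name in the precedence list for attr; unlisted MAs rank last."""
    order = precedence.get(attr, [])
    return order.index(ma_name) if ma_name in order else len(order)

def inbound_sync(mv: Metaverse, ma: ManagementAgent, precedence: Dict[str, List[str]]) -> None:
    """Join each connector-space object to the metaverse (or project a new entry) and flow
    attributes inbound; a lower-ranked source never overwrites a higher-ranked one."""
    for anchor, attrs in ma.connector_space.items():
        key = attrs.get(ma.join_attr)
        if not key:
            continue   # no join attribute: stays disconnected (e.g. a local service account)
        obj = mv.objects.setdefault(key, {})
        mv.links.setdefault(key, {})[ma.name] = anchor
        contrib = mv.contributor.setdefault(key, {})
        for src, dst in ma.inbound_flow.items():
            if src not in attrs:
                continue
            current = contrib.get(dst)
            if current is None or rank(precedence, dst, ma.name) <= rank(precedence, dst, current):
                obj[dst] = attrs[src]
                contrib[dst] = ma.name

def outbound_sync(mv: Metaverse, ma: ManagementAgent) -> List[str]:
    """Flow metaverse attributes out to the MA; provision objects it lacks. Returns new anchors."""
    provisioned = []
    for key, obj in mv.objects.items():
        links = mv.links.setdefault(key, {})
        anchor = links.get(ma.name)
        if anchor is None:
            if not ma.provision:
                continue
            # Constructed DN pattern for provisioned objects (an assumption, not a FIM default).
            anchor = f"CN={obj.get('displayName', key)},OU=Provisioned,DC=example,DC=com"
            ma.connector_space[anchor] = {ma.join_attr: key}
            links[ma.name] = anchor
            provisioned.append(anchor)
        target = ma.connector_space[anchor]
        for src, dst in ma.outbound_flow.items():
            if src in obj:
                target[dst] = obj[src]
    return provisioned

def run_demo():
    """Constructed sample: HR is authoritative for name and department, AD DS for mail."""
    hr = ManagementAgent("HR", {
        "1001": {"employeeID": "1001", "displayName": "Alice Example", "department": "Finance"},
        "1002": {"employeeID": "1002", "displayName": "Bob Example", "department": "Sales"},
    }, "employeeID",
        inbound_flow={"employeeID": "employeeID", "displayName": "displayName",
                      "department": "department"},
        outbound_flow={})
    ad = ManagementAgent("AD DS", {
        "CN=Alice Example,OU=Users,DC=example,DC=com": {
            "employeeID": "1001", "displayName": "Alice Example",
            "department": "Sales", "mail": "alice@example.com"},   # department here is stale
        "CN=svc-backup,OU=Service,DC=example,DC=com": {"displayName": "svc-backup"},
    }, "employeeID",
        inbound_flow={"employeeID": "employeeID", "department": "department", "mail": "mail"},
        outbound_flow={"displayName": "displayName", "department": "department"},
        provision=True)
    precedence = {"department": ["HR", "AD DS"], "displayName": ["HR", "AD DS"], "mail": ["AD DS"]}
    mv = Metaverse()
    inbound_sync(mv, ad, precedence)    # AD DS imported first on purpose: its stale value must lose
    inbound_sync(mv, hr, precedence)
    new_anchors = outbound_sync(mv, ad)
    return mv, ad, new_anchors
```

Two details are worth noting. The precedence table is what makes the import order irrelevant: the stale department in AD DS is accepted on first import and then replaced once the higher-ranked HR record arrives, and it could not overwrite HR's value if the order were reversed. The service account with no employeeID never reaches the metaverse, which is the behaviour you want for local accounts that no other system should learn about.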

Upon completion of this step, ongoing management policy and synchronization management is
performed through iterative configuration of the AD DS forests, the AD LDS instances, the management
policies, and synchronization, by:
1. Starting with the Deploy Identity Provisioning and Access Management step.
2. Performing all intermediary steps.
3. Ending with this step.
This process continues as AD DS forests, AD LDS instances, new applications, or business policies are
included as part of the solution.

Conclusion
Identity provisioning and access management at the Dynamic IT level helps reduce the complexity and
effort of managing identities and access to applications. You can manage and maintain the application
directory service using AD DS, AD LDS, and FIM 2010. These technologies help ensure all applications
have access to the appropriate identities and that users are able to access these applications using the
same credentials. These highly automated processes dramatically reduce the effort required for
managing your identity provisioning and access management, which helps reduce ongoing operating
costs and improve overall user satisfaction.
For more information, see the following resources:
FIM 2010 Planning and Architecture: http://technet.microsoft.com/en-us/library/ee808044(WS.10).aspx
FIM 2010 Deployment: http://technet.microsoft.com/en-us/library/ee621261(WS.10).aspx
FIM 2010 Getting Started: http://technet.microsoft.com/en-us/library/ee621261(WS.10).aspx
FIM Scriptbox: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/807617bc-b560-4cbe-a137-b9f338bfbd8e
FIM Experts Corner: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/2c0d4e9c-aeeb-45e4-8f47-be1f2fab6158
Forefront Identity Manager 2010 forum: http://social.technet.microsoft.com/Forums/en-us/ilm2
Infrastructure Planning and Design: Microsoft Forefront Identity Manager 2010 Guide:
http://technet.microsoft.com/en-us/library/ff630889.aspx
Infrastructure Planning and Design: Windows Server 2008 and Windows Server 2008 R2 Active
Directory Domain Design Guide: http://technet.microsoft.com/en-us/library/cc268216.aspx
Administering Active Directory Domain Services: http://technet.microsoft.com/en-us/library/cc771744(WS.10).aspx
Read-Only Domain Controller Planning and Deployment Guide: http://technet.microsoft.com/en-us/library/cc771744(WS.10).aspx
Active Directory Domain Services in the Perimeter Network (Windows Server 2008):
http://technet.microsoft.com/en-us/library/dd728034(WS.10).aspx
AD LDS Getting Started Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc770639(WS.10).aspx
AD LDS Replication Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc731246(WS.10).aspx
Active Directory Lightweight Directory Services Operations Guide: http://technet.microsoft.com/en-us/library/cc816635(WS.10).aspx
