REFERENCE: FIM 2010 - Installation Companion - Accounts

OVERVIEW / PURPOSE 

This document provides additional assistance and guidance to accompany the Forefront Identity Manager 2010 installation guide.  It is meant as a companion document to help you prepare for your installation of the Microsoft Forefront Identity Manager 2010 product.

It is a guideline intended to make the installation easier.

 

SUGGESTED ACCOUNTS 

FIMINSTALL 

    • This is a suggested account, not a mandatory one. It is suggested because the installing account needs some elevated privileges to get the product installed:
      • It will need SysAdmin permissions on the backend SQL Server.
      • It should have Local Administrator permissions on the different machines executing the installation of the different pieces of FIM.
    • The easiest way to ensure that the installing account has SysAdmin and Local Administrator permissions would be to make it a Domain Admin account. In either case, it is recommended that the account be at least a Domain User account, as the different pieces of FIM are installed across different machines.
    • Once the product is installed, this account can be disabled and re-enabled only for hotfix installations, which require the same permissions as the installation of the main product.
    • It is a good idea, though not necessary, to have a generic FIMINSTALL account, which allows you to have a generic main FIM Administrator account in the FIM Portal.
    • Utilize this account for all hotfix installations as well.

SVC_FIMSYNC 

    • This is the FIM Synchronization Service account.
    • The account can be either a local account on the FIM Synchronization Service machine or a Domain User account.
    • If you intend to set up a high availability scenario with the FIM Synchronization Service, then this account will need to be a Domain User account.

SVC_FIMSERVICE 

    • This account is the FIM Web Service account.
    • It should be a Domain account, as it will require Service Principal Names (SPNs) in a distributed FIM solution.
    • A Domain User account is sufficient for this account.
    • It is a good idea to go ahead and create a mailbox for the FIM Web Service account.
      • The FIM Web Service can send emails, depending on how you have your FIM solution configured.

SVC_SHAREPOINTSERVICE 

    • This account is the SharePoint - 80 Application Pool Account
    • The account should be a Domain User account

FIMMA

    • The FIM MA account is the user account used inside the FIM Service Management Agent.
    • The account should be a Domain User account.
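The following PowerShell is an added example, not part of the original article, that pre-creates the accounts suggested above, grants FIMINSTALL the SysAdmin and Local Administrator rights described, and checks the SQL grant before you start the installer. The domain, OU, server names and the FIMService SPN class are assumptions for a hypothetical environment; the service accounts are deliberately left as plain Domain Users.

```powershell
# Added example, not part of the original article: pre-creates the suggested FIM 2010
# accounts, gives only FIMINSTALL the elevated rights the installer needs, and verifies
# the SQL grant. Domain, OU, server and host names are assumptions; replace them.
Import-Module ActiveDirectory

$Domain     = 'CONTOSO'                               # assumed NetBIOS domain name
$OU         = 'OU=Service Accounts,DC=contoso,DC=com' # assumed OU for the accounts
$SqlServer  = 'SQL01'                                 # assumed backend SQL Server
$FimHost    = 'fimservice.contoso.com'                # assumed FIM Service host name
$FimServers = 'FIMSYNC01', 'FIMSVC01'                 # assumed machines running FIM pieces

# Suggested account names from the article. Only FIMINSTALL receives elevated rights;
# the service accounts remain plain Domain Users.
$Accounts = @(
    @{ Name = 'FIMINSTALL';            Description = 'FIM 2010 installation and hotfix account' }
    @{ Name = 'SVC_FIMSYNC';           Description = 'FIM Synchronization Service account' }
    @{ Name = 'SVC_FIMSERVICE';        Description = 'FIM Service (web service) account' }
    @{ Name = 'SVC_SHAREPOINTSERVICE'; Description = 'SharePoint - 80 application pool account' }
    @{ Name = 'FIMMA';                 Description = 'FIM Service Management Agent account' }
)

foreach ($a in $Accounts) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'")) {
        # Prompt for each password instead of embedding secrets in the script.
        $pw = Read-Host -AsSecureString -Prompt "Password for $($a.Name)"
        New-ADUser -Name $a.Name -SamAccountName $a.Name -Path $OU `
                   -Description $a.Description -AccountPassword $pw -Enabled $true
    }
}

# SVC_FIMSERVICE needs an SPN in a distributed deployment. The 'FIMService' service
# class is an assumption here; confirm it against the installation guide.
setspn.exe -S "FIMService/$FimHost" "$Domain\SVC_FIMSERVICE"

# FIMINSTALL: local Administrator on every machine that runs part of the installation.
foreach ($s in $FimServers) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        param($acct) net localgroup Administrators $acct /add
    } -ArgumentList "$Domain\FIMINSTALL"
}

# FIMINSTALL: sysadmin on the backend SQL Server. Domain Admin membership does not
# imply this (see the comment at the end of the article), so grant it explicitly.
$Login = "$Domain\FIMINSTALL"
Invoke-Sqlcmd -ServerInstance $SqlServer -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$Login', N'sysadmin';
"@

function Test-FimInstallAccount {
    # Returns $true only when the installing account actually holds the sysadmin role.
    param([string]$ServerInstance, [string]$LoginName)
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance `
               -Query "SELECT IS_SRVROLEMEMBER('sysadmin', N'$LoginName') AS IsSysAdmin"
    return ($row.IsSysAdmin -eq 1)
}
if (-not (Test-FimInstallAccount -ServerInstance $SqlServer -LoginName $Login)) {
    throw "$Login is not a sysadmin on $SqlServer; the FIM installation would fail."
}

function Disable-FimInstallAccount {
    # Call this after the installation (and after each hotfix) so the elevated
    # account is not left enabled between uses.
    Disable-ADAccount -Identity 'FIMINSTALL'
}
```

Run it from a machine with the RSAT Active Directory module and the SQL Server PowerShell module (for Invoke-Sqlcmd), using an account that can create users in the target OU and administer the SQL instance. Call Disable-FimInstallAccount once the installer has finished; the account is only needed while the product or a hotfix is being installed.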
 

OTHER POSSIBLE ACCOUNTS 

Based on your FIM solution, you may want to create some other accounts.  Here are some other accounts that you may consider creating before executing the installation of the Microsoft Forefront Identity Manager product.

*NOTE: These are only suggested names for the accounts, and it is suggested that you create them before executing the installation.

The accounts below are very commonly used for common solutions such as Self-Service Password Reset (SSPR) and GalSync.  If your FIM solution is going to work with other data sources, you may consider creating those accounts now.  For example, if you are incorporating a SQL Server Management Agent, you may want to create an account to work with SQL Server, or if you are working with SAP, you may want to get the SAP Management Agent account created at this time.

userADMA

    • This user is for use in an Active Directory Management Agent.
    • An Active Directory Management Agent would be used in:
      • Self-Service Password Reset (SSPR) Solutions
      • Hire - Fire Scenario Solutions
    • This user should be a Domain account, as it will need access to Active Directory resources.
    • A plain Domain User account should be sufficient for this user.
    • Depending on your solution, this user may need permission to work with:
      • Specific OrganizationalUnits
      • Active Directory Users / Contacts
      • Active Directory Groups
    • Depending on your FIM Solution, and your Business Rules, you may need to place the user in some Security Groups to allow it the ability to do other actions.
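A least-privilege alternative to placing the AD MA account in a broad security group, as an added PowerShell example that is not part of the original article: it delegates on one OU the permissions the bullets above list (user, contact and group objects, plus the Reset Password right that SSPR needs). The OU, the account name and the choice of rights are assumptions for a hypothetical environment; trim them to your business rules.

```powershell
# Added example, not part of the original article: delegates to the AD MA account only
# the rights it needs on one OU instead of making it a Domain Admin.
# The account name and OU are assumptions for a hypothetical environment.
Import-Module ActiveDirectory

$AdmaUser = 'userADMA'                              # account used by the AD MA
$TargetOU = 'OU=Managed Users,DC=contoso,DC=com'    # assumed OU the MA manages

$rootDse = Get-ADRootDSE
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    # Look up the schemaIDGUID of an object class rather than hard-coding it.
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    [guid]$cls.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    # Extended rights (e.g. Reset Password) are defined in the configuration partition.
    $right = Get-ADObject -SearchBase $rootDse.configurationNamingContext -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    [guid]$right.rightsGuid
}

$sid   = (Get-ADUser -Identity $AdmaUser).SID
$acl   = Get-Acl -Path "AD:\$TargetOU"
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

foreach ($class in 'user', 'contact', 'group') {
    $classGuid = Get-SchemaClassGuid $class
    # Create and delete objects of this class in the OU and its sub-OUs.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $classGuid, $All)))
    # Read and write the properties of existing descendant objects of this class.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow, $Desc, $classGuid)))
}

# SSPR needs the "Reset Password" extended right, scoped to descendant user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $Allow, (Get-ExtendedRightGuid 'Reset Password'), $Desc, (Get-SchemaClassGuid 'user'))))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Review what was delegated: every ACE on the OU that names the MA account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq "$env:USERDOMAIN\$AdmaUser" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Scoping the ACEs to one OU and to specific object classes means a compromised MA account cannot touch accounts outside the managed OU; the final listing is what to keep in your change record so the delegation can be reviewed later.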

userGALSYNC 

    • This user is for use in a GalSync Management Agent.
    • If you are developing a GalSync Solution, then you will need a GalSync User account in each of the forests.
    • For the permissions needed by the GalSync user account, review the Permissions for GalSync User on the GalSync Resource Wiki.
 

OTHER FIM INSTALLATION RESOURCES

SEE ALSO 

 

 

Comments
  • Thank you--this is useful. And now I'm going to ask for more. :-)

    Would you be able to address which service account should be used when installing the password reset portal please? I'm not sure I'm clear on how that account needs to be configured or if it's OK to just use an existing service account. Thank you!

  • Great article. I always recommend the installer account to avoid dependencies on a specific person, especially with SharePoint. That should really make it into the product docs.

    One note about permissions: making someone a domain (or local) admin won't automatically give them SQL permission unless it was configured that way during SQL install. It was that way in SQL 2005, but changed in 2008 I believe.
