FIM 2010 across multiple servers for HA

  • General discussion

  • Experts,
For a highly available FIM 2010 R2 deployment, the following option is being considered. The idea is to have a separate partition for administrative tasks and one for general users.

    Admin partition:-
    FIM Service and FIM Portal for admin partition
    server1 & server2 (NLB name say FIM_SERVICE_ADMIN)
    Server3 & server4 (NLB name say FIM_Portal_ADMIN)

    User partition:-
    FIM Service and FIM Portal for users
    Server5 & Server6 (NLB name say FIM_SERVICE_Users)
    Server7 & Server8 (NLB name say FIM_Portal_Users)

    I am confused on how to go for installation.

1. What about the service account for FIM Service? Do I need to create two service accounts for FIM Service, using one account while installing the FIM Service admin partition and the other service account while installing the FIM Service user partition? Is it possible?

2. What about SharePoint Foundation? Do I need to create two default websites, one for the admin partition and one for the user partition? And again two service accounts for the SharePoint application pool?
    3. How will the SPN setting go?

    Many more :(

    Kindly guide me please.

    Thanks,
    Mann
    Sunday, April 6, 2014 3:29 PM

All replies

  • Hi Mann.Cool,

1. FIMService has its own attribute - partition. But all partitions use the same database. I have never tried with separate service accounts, so I don't know if it would work. Considering the Sync engine, it would have one MA only - connected to one of the partitions (as they use the same DB).

2. I don't really get the question - you have specified 2 servers for the admin partition and an additional 2 servers for the user partition. So you install SharePoint on the first 2 for the Admin portal and an additional 2 SharePoints on the user servers.
    Or do you want to create SharePoint farms? If so, you would need two separate farms. Or do you want to use Server3 as the portal for Admin and for users (on different addresses)? If so, you can configure it in IIS.

    2.b: you can use either one service account or two service accounts - up to you.

    3. As you would have NLBs, those settings would be as:

    • FIMService/FIM_SERVICE_ADMIN YourDomain\FIMServiceAccount
    • FIMService/FIM_SERVICE_Users YourDomain\FIMServiceAccount
    • HTTP/FIM_Portal_ADMIN YourDomain\FIMAdminWebPool (or HTTP/FIM_Portal_ADMIN YourDomain\FIMWebPool if they use the same account)
    • HTTP/FIM_Portal_Users YourDomain\FIMUsersWebPool (or HTTP/FIM_Portal_ADMIN YourDomain\FIMWebPool if they use the same account)

    And Kerberos delegation would be:

    1. FIMServiceAccount -> FIMServiceAccount
    2. FIMAdminWebPool -> FIMServiceAccount 
    3. FIMUsersWebPool -> FIMServiceAccount
    4. or FIMWebPool -> FIMServiceAccount instead of 2 & 3 if you use the same account for two NLBs

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Sunday, April 6, 2014 5:18 PM
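The SPN and delegation list in the reply above, expressed as a script. This is an added example, not code from the thread; it assumes a DNS suffix of yourdomain.local, that the NLB names resolve in DNS, and that it runs as a Domain Admin with the ActiveDirectory RSAT module available.

```powershell
# Added example (not from the thread): register the SPNs and constrained delegation
# from the reply above. Assumptions: DNS suffix "yourdomain.local", NLB names registered
# in DNS, ActiveDirectory module installed, run with Domain Admin rights.
Import-Module ActiveDirectory

$Suffix = 'yourdomain.local'
$Spns = @(
    @{ Account = 'FIMServiceAccount'; Spn = 'FIMService/FIM_SERVICE_ADMIN' },
    @{ Account = 'FIMServiceAccount'; Spn = 'FIMService/FIM_SERVICE_Users' },
    @{ Account = 'FIMAdminWebPool';   Spn = 'HTTP/FIM_Portal_ADMIN' },
    @{ Account = 'FIMUsersWebPool';   Spn = 'HTTP/FIM_Portal_Users' }
)

foreach ($entry in $Spns) {
    # Register the short NLB name and its FQDN; clients may request either.
    foreach ($spn in @($entry.Spn, "$($entry.Spn).$Suffix")) {
        # setspn -S refuses to add an SPN that already exists on another account;
        # a duplicate SPN silently breaks Kerberos for every client of that name.
        setspn -S $spn $entry.Account
    }
}

# Constrained delegation (Kerberos only, no protocol transition): the web pool accounts
# may delegate only to the FIMService SPNs, and the service account to itself (items 1-3
# in the list above). Unconstrained delegation is never needed for this setup.
[string[]]$FimTargets = @(
    'FIMService/FIM_SERVICE_ADMIN', "FIMService/FIM_SERVICE_ADMIN.$Suffix",
    'FIMService/FIM_SERVICE_Users', "FIMService/FIM_SERVICE_Users.$Suffix"
)
foreach ($acct in 'FIMServiceAccount', 'FIMAdminWebPool', 'FIMUsersWebPool') {
    Set-ADUser -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $FimTargets }
}

# Final check: forest-wide scan for duplicate SPNs. Any hit here must be fixed before
# testing the portal, otherwise Kerberos falls back to NTLM or fails outright.
setspn -X
```

If a single FIMWebPool account serves both portal NLBs (item 4 in the list), put both HTTP SPNs on that account and run the delegation loop for it instead of the two pool accounts.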
  • Thanks a ton DOminik!
It's very comforting :)

1. You said FIM Service has its own partition. Where do we define this?

Actually, I was confused about whether one necessarily has to use different service accounts for installing multiple instances of FIM, or if it may create any problem in the future, since I don't have a deep understanding of Kerberos authentication. I guess you are suggesting it is OK to use a single/same service account for multiple installations of FIM Service.

2. Yes. I have planned two servers for the FIM Portal (for admin) and two servers for the FIM Portal (for users).
      SharePoint farm1 --> Server3 & Server4 (NLB name say FIM_Portal_ADMIN)
      service account = FIMAdminWebPool
    &
      SharePoint farm2 --> Server7 & Server8 (NLB name say FIM_Portal_Users)
      service account = FIMUsersWebPool
      Is this a good approach?

      And again, I was confused about whether one necessarily has to use different accounts?

P.S. - Some of my doubts might look obvious, but I am from an Oracle background, so kindly ignore and help!

    Thanks,
    Mann

    Sunday, April 6, 2014 7:08 PM
1. You said FIM Service has its own partition. Where do we define this?

    (...) I guess you are suggesting it is OK to use a single/same service account for multiple installations of FIM Service.

Yes, I would suggest using the same/single Service Account, as I have never tried to install multiple FIMService servers on different accounts and I don't know how it would behave. Maybe it would be possible on two different FIM Service partitions.
    And about how to define FIM Service partitions, please take a look here:

    Understanding FIM Service Partitions

    Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

2. Yes. I have planned two servers for the FIM Portal (for admin) and two servers for the FIM Portal (for users).
      SharePoint farm1 --> Server3 & Server4 (NLB name say FIM_Portal_ADMIN)
      service account = FIMAdminWebPool
    &
      SharePoint farm2 --> Server7 & Server8 (NLB name say FIM_Portal_Users)
      service account = FIMUsersWebPool
      Is this a good approach?

It is much easier to configure if you use the same service account for each member of an NLB, so yes, this is a good approach. You can also use the same account for those two NLBs (so for all four servers).

    Monday, April 7, 2014 5:20 AM
  • Thanks again Dominik!

One more thing: since I am using SharePoint Foundation, I think NLB might not be required, as the documentation says SharePoint automatically load balances.

    And the process would be:

    Farm 1:
    Installing SharePoint Foundation 2013 (my Windows Server is 2012) on Server3 and joining Server4 to the SharePoint farm.
    Installing the FIM Portal on Server3.

    Farm 2:
    Again installing SharePoint Foundation 2013 on Server5 and joining Server6 to the farm.
    Installing the FIM Portal on Server5.

    Does this make sense?

Thanks again!

    -Mann

    Monday, April 7, 2014 12:39 PM
Yes, it makes sense - but a farm is not needed for FIM. Please check the following:

    FIM Portal in a SharePoint farm–why you should not do this

    Monday, April 7, 2014 4:14 PM
  • Thanks Dominik! Your suggestion has helped me a lot! I am not able to find the link to mark for answer.

Also kindly advise on the two further queries below.

    1. If a SharePoint farm is used, will the FIM Portal need to be installed on only one server in the SharePoint farm?
    2. How will SSL be set up in the farm? Currently in the UAT setup, since only one server is used for the FIM Portal, the server name was given when requesting the certificate. What will I be specifying in the case of a SharePoint farm?

    Thanks Again,

    Mann

    Thursday, April 10, 2014 6:40 PM
You cannot mark as answer as this topic was set as "discussion" during creation - and discussions don't have answers...

    Friday, April 11, 2014 7:33 AM