Can MIM provision AD users based on CSV files and can it be configured for true HA?

  • Question

  • Hi,

     I've set up FIM 2010 R2 to provision AD accounts and Exchange 2010 mailboxes based on inputs from a CSV file (they're actually CSVDE exports from another domain). Account provisioning and deprovisioning work fine. I'm also using self service password resets. I need to revisit my setup to ensure that the architecture is highly available. Achieving true HA within FIM 2010 was always difficult (I'm thinking the FIM Synchronization service here). I'm considering moving to using MIM 2016, but have a few questions (as I've found getting information to be difficult):

    - Can MIM 2016 provision AD accounts and Exchange 2010 mailboxes based on a CSV input file?
    - Can MIM be configured for true HA?
    - Does MIM come with SSPR functionality?

    Thanks

    A

     


    IT Support/Everything

    Thursday, January 21, 2016 2:42 PM

All replies

  • MIM introduces support for a couple of new features, but basically it's just a rebranded FIM. Synchronization service, provisioning and SSPR are unchanged, so whatever you have in FIM 2010 will work in MIM 2016. That also means that there is still no "real" HA option for sync service: you'll still need scripts if you want to automate failover.

    Gleb.

    • Marked as answer by Aetius2012 Sunday, January 24, 2016 1:34 PM
    Thursday, January 21, 2016 2:53 PM
  • Hi,

    Gleb is mainly right, besides the fact that there are updates on SSPR.

    First thing is that Azure MFA support was added (new Phone gate).

    The other thing is SSAU (Self Service Account Unlock) without resetting PW.

    Regarding the HA, as Gleb states it is the same as in FIM 2010 R2, so for example having a SQL Cluster for SyncService DB and setting up a sync stand-by server should mostly be sufficient, as normally you don't run syncs continuously, right?

    But as already stated there is no automatic switchover to that 2nd sync server, but you can build that on your own when monitoring the 1st sync server for example.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Proposed as answer by Jeff IngallsMVP Thursday, January 21, 2016 6:01 PM
    • Marked as answer by Aetius2012 Sunday, January 24, 2016 1:34 PM
    Thursday, January 21, 2016 3:14 PM
  • Thanks Peter,

     Currently I'm running FIM Sync + FIM service on the same virtual machine (VM) with SSPR on another VM, but in theory I could extract this out so that:

    - FIM Sync + SQL is on VM1 (FIMSync)
    - FIM Service + SQL on VM FIMService
    - FIM SSPR is on VM 

    Am I right in thinking that the SSPR service relies on FIM service and FIM sync? i.e. if the FIM sync isn't available then SSPR will not work? I ask because SSPR functionality is something we need all the time, but synchronisation only occurs once a week so that specific functionality doesn't need HA.

    Thanks


    IT Support/Everything

    Friday, January 22, 2016 9:43 AM
  • Hi,

    Yes, you are right, SSPR also depends on the PWSync (and WMI) capabilities in FIM Sync Service (AD MA).

    So if you want HA for that scenario (besides the HA provided by your hypervisor vendor) you could set it up like this:

    - Set up SQL Cluster with DB for Sync and Service

    - Set up 2 FIMService/Portal servers

    - Set up 2 SSPR Portal servers (or put that on FIMService/Portal, depends on usage) for Reset/Register

    - Set up 1 FIMSync and another warm standby sync server

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Aetius2012 Sunday, January 24, 2016 1:34 PM
    Friday, January 22, 2016 10:08 AM
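
The monitoring half of the scripted failover mentioned in the thread, as an added example that is not from any of the posters: it polls the primary sync server and flags when the service has been down for several consecutive checks. The host name, thresholds and log path are assumptions, and activating the warm standby is left to your own procedure.

```powershell
# Added example (not from the thread). Host name, thresholds and log path are
# placeholders. Remote CIM queries need WinRM enabled on the primary server.
param(
    [string]$PrimarySyncServer = 'FIMSYNC01',   # hypothetical primary sync host
    [string]$ServiceName       = 'FIMSynchronizationService',
    [int]$FailureThreshold     = 3,             # consecutive misses before alerting
    [int]$IntervalSeconds      = 60,
    [string]$LogPath           = (Join-Path $env:TEMP 'fimsync-monitor.log')
)

function Test-SyncServiceRunning {
    param([string]$ComputerName, [string]$Name)
    try {
        # The query throws (and is caught) if the host is down or unreachable.
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
                   -Filter "Name='$Name'" -ErrorAction Stop
        return ($null -ne $svc -and $svc.State -eq 'Running')
    } catch {
        return $false
    }
}

function Write-MonitorLog {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

$failures = 0
while ($true) {
    if (Test-SyncServiceRunning -ComputerName $PrimarySyncServer -Name $ServiceName) {
        if ($failures -gt 0) { Write-MonitorLog "$ServiceName on $PrimarySyncServer recovered" }
        $failures = 0   # a single good check resets the counter
    } else {
        $failures++
        Write-MonitorLog "$ServiceName on $PrimarySyncServer not running ($failures/$FailureThreshold)"
        if ($failures -ge $FailureThreshold) {
            Write-MonitorLog 'Threshold reached: start the standby activation runbook'
            # Hand off here: page the operator or call your own failover script.
            break
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Requiring several consecutive failures keeps a service restart or a brief network drop from triggering a failover. Run it from the standby server or a monitoring host, not from the primary itself.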