FIM Design Question - AD to Support Multiple Environments

  • Question

  • We intend to have three FIM environments - one for test, one for development, and one for production. Each environment will be connected to separate SQL and FIM related servers.

    Instead of having three additional Active Directory domains, we are looking at having each of these environments within a single domain. The domain will have a two-way trust with the primary (and currently existing) domain. I realize that any AD schema update will affect all environments. Would SSPR/PCNS be possible with this? What are other caveats?

    To ask succinctly, could a single domain support multiple FIM metaverse/environments while providing for SSPR?

    Thank you,
    Dave


    • Edited by DodyaCA Friday, July 6, 2012 5:05 PM
    Friday, July 6, 2012 4:58 PM

Answers

  • The real problem with PCNS is having multiple MAs in the same sync engine for the same forest. That wouldn't be your problem since these are separate servers. You can have multiple active PCNS targets configured in the domain.

    I think you could have multiple FIM servers attached to the same domain for the purposes of testing SSPR (only), though how you would do testing from the client side isn't clear to me. In other words, have you thought about how your clients will access the correct FIM environment? For web-only this seems straightforward, but testing the login experience I don't know enough to speak about.

    My concern with setting up an environment like yours is that if your dev and test servers are connected to your production AD domain, you have potential problems testing exports to AD vis-a-vis account creation and management.  Your options there are:

    1. Never actually export to AD from your dev/test servers. This doesn't seem practical, isn't a good test, and is hard to enforce, especially if you are going to export the configuration from one of them and import into production.
    2. Dev/test are limited to certain OUs in their configuration.  Again this seems problematic as you couldn't actually test the code/configuration you are going to use in production.
    3. Manage the same objects in all environments, and the FIM servers fight over what is the "truth" to be enforced in AD.

    Chris

    Friday, July 6, 2012 6:06 PM
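The failure mode in option 3 above (several sync engines treating themselves as the source of truth for the same AD objects) and the mitigation in option 2 (each non-production engine confined to its own OUs) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from FIM itself: the directory is a dict keyed by distinguished name, `SyncEnvironment.scope` stands in for the MA's selected containers plus the write permissions delegated to that engine's service account, and the conflict check mirrors what FIM reports on a confirming import when a value it exported has since been changed by something else (an exported-change-not-reimported error). All DNs and attribute values are constructed sample data.

```python
"""Model of several FIM sync engines exporting into one AD domain.

Added illustration for this thread, not FIM code. Each environment
remembers the last value it exported so that a confirming import can
detect that another engine (or an admin) overwrote it, which is the
"fight over the truth" described in option 3. A scope check on export
models option 2: a dev/test engine limited to its own OUs. In a real
deployment that limit should be enforced twice, by the MA's container
selection and by AD delegation on the MA service account.
"""
from dataclasses import dataclass, field

DOMAIN = "DC=corp,DC=example"          # constructed sample domain
ALICE = f"CN=alice,OU=Users,{DOMAIN}"   # a production-managed user
BOB = f"CN=bob,OU=FIM-Test,{DOMAIN}"    # a test-only user


def fresh_directory():
    """Return a new copy of the sample directory (DN -> attributes)."""
    return {ALICE: {"title": "Engineer"}, BOB: {"title": "Tester"}}


def parent_container(dn):
    """Container DN of an object: everything after the first RDN."""
    return dn.split(",", 1)[1]


@dataclass
class SyncEnvironment:
    name: str
    scope: tuple            # container DNs this engine may write into
    directory: dict         # the shared "AD"
    exported: dict = field(default_factory=dict)   # (dn, attr) -> value
    problems: list = field(default_factory=list)

    def in_scope(self, dn):
        return parent_container(dn) in self.scope

    def export(self, dn, attr, value):
        """Write one attribute, refusing objects outside the configured OUs."""
        if not self.in_scope(dn):
            self.problems.append(f"{self.name}: {dn} outside scope, export refused")
            return False
        self.directory[dn][attr] = value
        self.exported[(dn, attr)] = value
        return True

    def confirming_import(self):
        """Re-read everything we exported; report values somebody else changed."""
        conflicts = []
        for (dn, attr), expected in self.exported.items():
            actual = self.directory[dn].get(attr)
            if actual != expected:
                conflicts.append((dn, attr, expected, actual))
                self.problems.append(
                    f"{self.name}: exported-change-not-reimported on {dn}/{attr}")
        return conflicts


def scenario_shared_objects():
    """Option 3: prod and test both manage alice; the last exporter wins."""
    ad = fresh_directory()
    prod = SyncEnvironment("prod", (f"OU=Users,{DOMAIN}", f"OU=FIM-Test,{DOMAIN}"), ad)
    test = SyncEnvironment("test", (f"OU=Users,{DOMAIN}",), ad)
    prod.export(ALICE, "title", "Senior Engineer")
    test.export(ALICE, "title", "Engineer (test data)")  # overwrites prod's value
    return prod.confirming_import(), test.confirming_import()


def scenario_scoped():
    """Option 2: test is confined to OU=FIM-Test and cannot touch alice."""
    ad = fresh_directory()
    prod = SyncEnvironment("prod", (f"OU=Users,{DOMAIN}",), ad)
    test = SyncEnvironment("test", (f"OU=FIM-Test,{DOMAIN}",), ad)
    prod.export(ALICE, "title", "Senior Engineer")
    allowed = test.export(ALICE, "title", "Engineer (test data)")  # refused
    test.export(BOB, "title", "Senior Tester")                       # allowed
    return allowed, prod.confirming_import(), test.problems


if __name__ == "__main__":
    print("shared objects:", scenario_shared_objects())
    print("scoped test   :", scenario_scoped())
```

In the shared-objects run only the production engine notices the conflict, and only after its next confirming import, while the test engine believes its export succeeded; that asymmetry is why the problem is hard to spot from the test side. In the scoped run the test engine's write to the production OU is refused and its own OU keeps working, which is the configuration to aim for if dev/test must share the production domain.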