Thursday, July 29, 2010

The Book: FIM Best Practices Volume 1

In two weeks we (Brad Turner is my co-author) will make available for ordering a book on FIM entitled:

FIM Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010

Information on ordering will be posted here on my blog.

This will be the first book on Forefront Identity Manager in English that is not focused on Certificate Management (Brian Komar wrote a book on FIM Certificate Management deployment, and two gentlemen from Japan wrote a book on FIM in Japanese, as blogged about by fellow MVP Naohiro Fujie).

Here is the Current Table of Contents:

Chapter 1: What is Identity Management? - Provides a brief introduction to Identity Management.
Chapter 2: Forefront Identity Manager 2010 - Introduces Forefront Identity Manager 2010, including a walkthrough of the lifecycle of one user, Feather Stone, a new employee at Snappy Slackers.
Chapter 3: FIM Architecture - Gives a good understanding of FIM architecture.
Chapter 4: FIM Installation Topologies - Discusses how the various FIM components can be installed and why to choose one topology over another.
Chapter 5: Sizing Your FIM Installation - Expands greatly upon the FIM Capacity Planning guide from Microsoft, helping you estimate your scale, load and complexity, and then provides a methodology for sizing your FIM servers and picking your topology. Includes flow charts to help you decide which components need to be highly available and which edition of SQL Server to use.
Chapter 6: Installing the Prerequisites - Installing the prerequisites is complex, so we have created excellent flow charts to help you through it and include lots of discussion around decision points (like WSS stand-alone or farm).
Chapter 7: Installing FIM - Screen shot by screen shot, we guide you through installing the FIM components. Also not to be missed: our sections on unattended install, where we match the UI install settings to the unattended ones and note where they are persisted (registry, databases, config files, etc.).
Chapter 8: Updating the FIM Components - FIM already has an update; learn, screen shot by screen shot, where to go to get it, how to prepare for it and how to install it.
Chapter 9: Post Install Tasks - Get ready to get rolling with FIM by setting up some database maintenance and creating a few objects in the portal.


This will be the first of several books in a series.

The following are possible titles for follow ups:

  • FIM Best Practices Volume 2: Using Forefront Identity Manager 2010 to Provision, Deprovision, Synchronize and provide Self-Service
  • FIM Best Practices Volume 3: Microsoft Forefront Identity Manager 2010 Operations and DBA Guide
  • FIM Best Practices Volume 4: Go Codeless -- Digging Deep with Advanced Features in Microsoft Forefront Identity Manager 2010
  • FIM Best Practices Volume 5: Got Code? Customizing Microsoft Forefront Identity Manager 2010 with .NET Code

Work on Volume 2 is underway and will cover:

  • Synchronization from HR to the Portal
  • Synchronization To and From AD and the Portal
  • Sets, Management Policy Rules, Workflows
  • Self-Service Profile Management
  • Self-Service Password Reset
  • Self-Service Group Management
  • Policy Management and Workflow
  • Deprovisioning

Tuesday, July 20, 2010

Embedding comments in your XPATH Filters


One thing I love to do is provide self-documenting code and configurations. Well, when I have to customize sets, the XPATH filter can get a bit complex, so I recently found a way to comment the XPATH filter in my sets and groups:

/Person[starts-with(DisplayName,'%')] <!-- Only with DisplayName --> </Filter>


By using <!-- --> to enclose my comments, and placing them only after the last closing ] of the predicate, I can comment on the filter itself.

The following will error (don’t put the comment inside the predicate []).

/Person[starts-with(DisplayName,'%') <!-- Only with DisplayName --> ]</Filter>
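A small pre-check for the placement rule above, as an added example that is not part of the original post: it flags any `<!-- -->` comment that starts before the last closing `]` of a filter. The function name `misplaced_comments` is hypothetical, the check covers only the rule stated in this post (not everything FIM validates), and the sample filters are the two from the post without the trailing `</Filter>` tag.

```python
def misplaced_comments(xpath_filter):
    """Return start offsets of comments that are not after the last closing ']'."""
    comments = []      # offsets where a <!-- comment begins
    last_close = -1    # offset of the last ']' outside strings and comments
    quote = None       # current string delimiter, if inside a literal
    i = 0
    while i < len(xpath_filter):
        ch = xpath_filter[i]
        if quote:
            # Inside a string literal: only the matching quote ends it.
            if ch == quote:
                quote = None
        elif xpath_filter.startswith("<!--", i):
            end = xpath_filter.find("-->", i + 4)
            if end == -1:
                raise ValueError("unterminated comment at offset %d" % i)
            comments.append(i)
            i = end + 3    # skip the comment body so its text is never parsed
            continue
        elif ch in "'\"":
            quote = ch
        elif ch == "]":
            last_close = i
        i += 1
    return [c for c in comments if c < last_close]


# Filters from the post: the first is accepted, the second errors.
GOOD = "/Person[starts-with(DisplayName,'%')] <!-- Only with DisplayName -->"
BAD = "/Person[starts-with(DisplayName,'%') <!-- Only with DisplayName --> ]"

if __name__ == "__main__":
    for f in (GOOD, BAD):
        hits = misplaced_comments(f)
        print("OK " if not hits else "BAD", f, hits)
```
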

Friday, July 9, 2010

MVP’d again

Thanks to the folks at Microsoft for continuing to recognize my contributions to the world of FIM. I was awarded MVP for the fourth time.

Finding a Binary Value in the Haystack (FIMService Database)

While querying the FIM Service database at the SQL layer is not supported by Microsoft, I had an issue the other day where I couldn’t find which object had a conflicting SID that was preventing the update of another user. I could see in the error detail that it referenced the ObjectSID attribute. So I created this script and replaced the binary value down below with the SID of the object I was looking for.

This SQL Script will find any person object that has any binary attribute with this value in it.





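-- Find person objects that hold the given value in any binary attribute.
select * from fim.Objects where [ObjectKEY] IN (
    select ObjectKey from fim.ObjectValueBinary where ObjectKey in (
        -- restrict the search to objects of type 'person'
        select ObjectKey from fim.Objects o
        where o.ObjectTypeKey = (SELECT oti.[key] from fim.ObjectTypeInternal oti where Name = 'person')
    )
    -- replace this value with the binary SID you are looking for
    and ValueBinary = 0x010200000000000916000000C83BFC025A1C2A4F9175596438570000
)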
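To get the value for the ValueBinary comparison from a SID in its usual string form, the sketch below converts between `S-1-...` notation and the `0x...` literal. It is an added example, not part of the original post; the function names are hypothetical and the sample SIDs are constructed or well-known values, not taken from any FIM database.

```python
import struct


def sid_to_sql_literal(sid):
    """Convert 'S-1-5-21-...' to the 0x... binary literal form of a SID."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15:
        raise ValueError("revision or sub-authority count out of range")
    raw = struct.pack("BB", revision, len(subs))          # revision, count
    raw += authority.to_bytes(6, "big")                   # 48-bit big-endian authority
    raw += b"".join(struct.pack("<I", s) for s in subs)   # little-endian sub-authorities
    return "0x" + raw.hex().upper()


def sql_literal_to_sid(literal):
    """Convert a 0x... binary SID literal back to 'S-1-...' notation."""
    text = literal.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 8:
        raise ValueError("too short to be a SID")
    revision, count = raw[0], raw[1]
    # The declared sub-authority count must match the bytes that follow.
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not match length %d"
                         % (count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


if __name__ == "__main__":
    sample = "S-1-5-21-1-2-3-1000"   # constructed sample SID
    literal = sid_to_sql_literal(sample)
    print(literal)
    print(sql_literal_to_sid(literal))
```
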