Installing Microsoft Identity Manager 2016–Part 2

We addressed the pre-requisites here. As you can see, there was quite a bit to accomplish to even start working on MIM. Now for the good stuff. There are essentially two components in play for the bulk of the installs: the Synchronization service and the portal, which together cover most of the MIM install. It’s worth noting that plenty of mistakes can be made here, so think and plan this one out carefully.

To start, I’m going to make a couple notes:

1) Log on as the MIMInstall account. I mentioned this before, but there do seem to be some ties to the account that installs it. I recommend a generic install account here that is an admin on the server in question. You can disable it later on once you’ve granted all the appropriate rights and whatnot, and simply re-enable it as needed.

2) Once you have the CD/ISO mounted, create a temp folder somewhere for logging information. You may need it. Launch an elevated command prompt and run the following from the synchronization service folder in the CD (I’m using c:\temp for my temp folder):

msiexec /i "Synchronization Service.msi" /L*v c:\temp\MIM_SyncService_Install.log

That will create a log file in the c:\temp folder, which can be useful if you need to troubleshoot.

Click Next through the first wizard and accept the license agreement and click next again.

This screen as well is pretty straight forward, click next:

image

Here’s where you have hopefully made a choice, I’m hosting my SQL server locally, but if you aren’t, you need to change this.

image

The next screen wants the creds to your MIM Service Account. This is also pretty easy.

image

Next are the various groups you created previously (by the way, if you haven’t already done this, add the appropriate people to the Admins group):

image

You probably want to open firewall ports. If you aren’t using Windows Firewall, you’ll want to do this manually:

image

At this point, you can click Install. I’ll save you the boring screenshot, and the install shouldn’t take too long. That said, you’ll want to launch the Synchronization service once done. If it doesn’t start, you have a problem. Go back and figure this out, because trust me, if this isn’t working right, it makes the portal portion even harder. When it’s working, you should see this screen when you launch it without error:

image
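As an added example (not from the original post), here is a PowerShell wrapper around the same msiexec command that keeps the verbose log, scans it for the "Return value 3" lines that mark a failed MSI action, and then checks that the resulting service exists, is running, and runs as a dedicated service account rather than LocalSystem. The MSI and log paths are illustrative; the service name FIMSynchronizationService is the Windows service name of the MIM Synchronization Service, and the same function can be pointed at the Service and Portal MSI later with its own log path and service name.

```powershell
# Added example (not from the original post): run an MSI with verbose logging,
# then check the log and the resulting Windows service before moving on.
# Assumptions: the MSI and log paths are illustrative; 'FIMSynchronizationService'
# is the service name of the MIM Synchronization Service.
function Install-MimComponent {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,      # e.g. 'D:\Synchronization Service\Synchronization Service.msi'
        [Parameter(Mandatory)] [string] $LogPath,      # e.g. 'C:\temp\MIM_SyncService_Install.log'
        [Parameter(Mandatory)] [string] $ServiceName   # e.g. 'FIMSynchronizationService'
    )

    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

    # Same switches as the post (/i, /L*v); -Wait -PassThru gives us the real exit code.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/i', "`"$MsiPath`"", '/L*v', "`"$LogPath`"") `
        -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "msiexec exited with $($proc.ExitCode); see $LogPath"
    }

    # In a verbose MSI log, 'Return value 3' marks the action that failed.
    # Show that line with the two before it so you can see which action it was.
    $lines = Get-Content $LogPath
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Return value 3') {
            $start = [Math]::Max(0, $i - 2)
            $lines[$start..$i] | ForEach-Object { Write-Warning $_ }
        }
    }

    # The post's rule: if the service doesn't start, stop and fix it before the portal.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        throw "Service $ServiceName not found; the install did not complete."
    }
    if ($svc.State -ne 'Running') {
        Start-Service -Name $ServiceName -ErrorAction Stop
    }
    # Least-privilege sanity check: the service should run as the dedicated
    # service account entered in the wizard, not as LocalSystem.
    if ($svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
        Write-Warning "$ServiceName runs as $($svc.StartName); expected the MIM service account."
    }
    [pscustomobject]@{ ExitCode = $proc.ExitCode; Service = $ServiceName; StartName = $svc.StartName }
}

# Usage mirroring the post's first command (paths are illustrative):
Install-MimComponent -MsiPath 'D:\Synchronization Service\Synchronization Service.msi' `
    -LogPath 'C:\temp\MIM_SyncService_Install.log' -ServiceName 'FIMSynchronizationService'
```

Run it from an elevated PowerShell prompt as the MIMInstall account; the wizard still appears interactively, and the checks run once it closes.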

If you haven’t done this already, you might want to get around to those aliases I mentioned in the first piece. You’re going to install the portal next, which sits on top of the SharePoint site collection you set up previously. You can still work off of the CD you mounted earlier, but you’ll need to navigate to the service and portal folder and run the following command:

msiexec /i "Service and Portal.msi" /L*v c:\temp\MIM_Service_Install.log

It’s the same concept. You’re putting a log in c:\temp so you can troubleshoot what’s going on here. Like before, you can click Next through the welcome screen and accept the licensing agreement. You can decide at this point if you want to use PAM. I chose no here, as this is a lab. It is, however, something that’s highly encouraged, as it enables just-in-time administration.

image

Next, you identify a database server and database name:

image

If you have Exchange running locally or online, do something here. I don’t at this point, so I’m going to uncheck the top two boxes and set this to localhost:

image

In a prod environment, I’d have a CA doing a real certificate, for what that’s worth. Here, I’ll use a self-signed:

image

Next, you define that service account. Note the warning here about that email. It’s kind of important.

image

Depending on how you configured it, you may receive a warning about the account being insecure. Go back to the guide and figure that part out. Ensure you did it right. Next you need the Management Agent Account. The server name here is the server where the synchronization service was previously installed. I kept these all on the same machine, but I’m also running this in lab with one user.

image

Side note, but if you get this warning, cancel the install and revisit issues with the Synchronization service:

image

If you don’t, you’ll move on to this screen. Enter the server name hosting the SharePoint Site Collection:

image

And then enter the site collection URL you created earlier:

image

Now you’ll be prompted for the password registration portal URL. Note that this does need to include the http; it’s cut off in my screenshot. And for some silly reason, MSFT has * in front of the URL in their example. Don’t do that. I tried it for fun. It doesn’t work.

image

Now for ports, like before, open them if you have the Windows firewall on. If not, call your Firewall person and have him/her do it:

image

And you thought we were done. Not even close. One more service account, this time your SSPR account, which, I’d add, you’ll enter again shortly. You also need the password registration URL (without the http this time), and you might want to open ports. Note that I’m doing this on 80 because I don’t have a CA. But if you do, you should issue a web cert here and use 443.

image

If you use 80, you’ll get a security warning. Otherwise, you need to enter the server name hosting the MIM Service. I did choose to keep this internal, but you may want this on an extranet. Choose accordingly:

image

And for grins, you get to put your SSPR in again, this time referencing the password reset portal:

image

If you’re not secure here (i.e. no https), you’ll get another warning. Go back and set up https. But if not, click Next. That brings you to this screen, much like the above. This time, though, you need to configure the password reset URL to go with the server hosting the MIM Service installed above:

image

Now you’re done (sort of). Click Install. If you have no errors, you can go on to the next part.