Microsoft Identity Manager Series
Part 5: Basic MIM Configuration to Support SharePoint 2016
This blog post will walk you through the basic MIM configuration needed to support SharePoint 2016. Microsoft Identity Manager is relatively easy to install. You will need a service account; as with the previous servers in this series you could use the Farm Administrator, but consider a dedicated account instead, because of the logon restrictions we will place on that account.
You will need the following software:
Microsoft Identity Manager ISO (MSDN, VLSC, etc.)
SQL Server 2008 R2, 2012, or 2014
Hotfix Rollup 4.3.2064.0 for MIM – KB3092179
Secure the Domain User service account running MIM. In the Local Security Policy, add the user to the following User Rights Assignments:
- Deny users access to log on as a batch job
- Deny users access to log on locally
- Deny users access to log on by using Terminal Services
- Deny users access to this computer from the network
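The four deny rights above can be applied and verified from an elevated PowerShell console instead of the Local Security Policy console. The script below is an added example, not part of the original post; the account name is an assumption, and it uses secedit so that existing assignments on each right are preserved rather than overwritten.

```powershell
# Added example (not from the original post): grant the four "Deny" logon rights
# listed above to the MIM service account with secedit, then verify them.
# Run in an elevated console on the MIM server. The account name is an assumption.
$ServiceAccount = 'NAUPLIUS\s-sp2016mim'

# The security template refers to accounts by SID, so resolve the name first
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Constant names of the four rights, in the order the post lists them
$denyRights = @(
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Remote Desktop / Terminal Services
    'SeDenyNetworkLogonRight'             # Deny access to this computer from the network
)

$work = Join-Path $env:TEMP 'mim-userrights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg  = Join-Path $work 'current.inf'

# Export the current assignments so existing entries are kept, not replaced
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = @(Get-Content -Path $cfg)

foreach ($right in $denyRights) {
    $pattern = "^$right\s*=\s*(.*)$"
    $current = $lines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($current) {
        $existing = ($current -replace $pattern, '$1').Trim()
        if ($existing -notlike "*$sid*") {
            $merged = if ($existing) { "$right = $existing,*$sid" } else { "$right = *$sid" }
            $lines  = $lines | ForEach-Object { if ($_ -match $pattern) { $merged } else { $_ } }
        }
    } else {
        # Right has no assignments yet: add it directly under the [Privilege Rights] header,
        # which a USER_RIGHTS export always contains
        $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`n$right = *$sid"
    }
}

$new = Join-Path $work 'mim-deny.inf'
Set-Content -Path $new -Value $lines -Encoding Unicode
secedit /configure /db (Join-Path $work 'mim-deny.sdb') /cfg $new /areas USER_RIGHTS | Out-Null

# Verify by exporting again and checking that each right now carries the SID
$verify = Join-Path $work 'verify.inf'
secedit /export /cfg $verify /areas USER_RIGHTS | Out-Null
$applied = Get-Content -Path $verify
foreach ($right in $denyRights) {
    $line  = $applied | Where-Object { $_ -match "^$right\s*=" }
    $state = if ($line -like "*$sid*") { 'applied' } else { 'MISSING' }
    '{0,-36} {1}' -f $right, $state
}
```

None of these four rights touches "Log on as a service" (SeServiceLogonRight), which the MIM installer grants to the service account, so the Synchronization Service still starts after the policy is applied.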
If MIM is not being installed on the SQL Server itself, install the appropriate SQL Server Native Client from the Feature Pack; otherwise the MIM installation will fail. Next, validate that the user running the MIM installation is a sysadmin on the SQL Server.
You will only be installing the MIM Synchronization Service. This service is provided as part of a Windows Server license. The installation bits are located on the ISO at X:\Synchronization Service\setup.exe, where X: is the drive the ISO is mounted on. Start the installation.
Specify the SQL Server name and instance.
Next, specify the Domain User that will run the MIM service. This is not the user that will be connecting to Active Directory and/or SharePoint.
Leave the group names at their defaults; these are local groups. Enable the RPC firewall rule if Windows Firewall is enabled. Once the install has completed, you will be prompted to save the encryption key for MIM. When prompted to log off and back on again, do so.
Install the MIM hotfix. The hotfix download contains many files, but the only one we need is FIMSyncService_x64_KB3092179.msp. Open an elevated Command Prompt or PowerShell console and stop the service first with net stop FIMSynchronizationService or Stop-Service FIMSynchronizationService; this avoids having to restart after the patch is installed. The service is started automatically when the patch has finished installing.
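The hotfix step can be scripted so that the service stop, the unattended patch install and a version check happen in one go. This is an added example, not from the original post: the .msp location, the default Synchronization Service install path and the use of miiserver.exe as the version marker are assumptions; the target version 4.3.2064.0 is the one the post names for this rollup.

```powershell
# Added example (not from the original post): install the KB3092179 rollup unattended
# and verify the result. Assumes the .msp sits in C:\MIMHotfix and the default install path.
$msp     = 'C:\MIMHotfix\FIMSyncService_x64_KB3092179.msp'   # assumed download location
$svc     = 'FIMSynchronizationService'
$binPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe'  # default path, assumed
$target  = [version]'4.3.2064.0'                               # version the post names for this rollup

$before = (Get-Item $binPath).VersionInfo.FileVersion
"miiserver.exe before: $before"

# Stop the service so the patch can replace files without scheduling a reboot
Stop-Service -Name $svc -Force
(Get-Service $svc).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Apply the patch silently, with a verbose log for troubleshooting
$log = Join-Path $env:TEMP 'KB3092179.log'
$p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList "/p `"$msp`" /qn /norestart /l*v `"$log`""
# 0 = success, 3010 = ERROR_SUCCESS_REBOOT_REQUIRED (files replaced; reboot deferred)
if ($p.ExitCode -notin 0, 3010) { throw "msiexec returned $($p.ExitCode); see $log" }

# The patch restarts the service; start it ourselves if it did not
if ((Get-Service $svc).Status -ne 'Running') { Start-Service -Name $svc }
(Get-Service $svc).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

$after = [version](Get-Item $binPath).VersionInfo.FileVersion
if ($after -lt $target) { throw "miiserver.exe is $after, expected at least $target" }
"miiserver.exe after: $after, service $((Get-Service $svc).Status)"
```

Keep the log file: if the patch does not apply, the msiexec verbose log is where the product-code or prerequisite mismatch will be recorded.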
Install the SharePoint Connector. Run SharepointConnector.msi and agree to the license terms, then complete the installation.
The next step is to create the Active Directory and SharePoint Management Agents via the UserProfile.MIMSync project download. Extract the contents to a folder, such as C:\SharePointSync, and navigate to that folder in PowerShell. You will need two credentials: the synchronization account, which has Replicate Directory Changes and Replicate Directory Changes All on the domain as well as on the Configuration container, and the Farm Administrator account (or an account delegated Farm Administrator rights, with Full Control on the UPSA and write rights on the Web Application where pictures are stored, if you are importing pictures).
First, import the module.
In my example, s-sp2016sync is the user with Replicate Directory Changes, and s-sp2016farm is the Farm Administrator of the SharePoint 2016 farm. nauplius.local is the DNS name of my forest, and I'm choosing to scope the Active Directory Management Agent (ADMA) to my entire domain using "DC=nauplius,DC=local", although you can scope it lower (e.g. "OU=Employees,DC=nauplius,DC=local"). My Central Administration URL is "https://centraladmin.nauplius.local" and I'm choosing to export my pictures from Active Directory to SharePoint. Note that you don't have to type the -PictureFlowDirection value out in full; the tab key will auto-complete it.
$syncAccount = Get-Credential -UserName "NAUPLIUS\s-sp2016sync" -Message "Sync Account"
$farmAccount = Get-Credential -UserName "NAUPLIUS\s-sp2016farm" -Message "Farm Admin"
Install-SharePointSyncConfiguration -Path C:\SharePointSync -ForestDnsName nauplius.local -ForestCredential $syncAccount -OrganizationalUnit "DC=NAUPLIUS,DC=LOCAL" -SharePointUrl https://centralAdmin.nauplius.local -SharePointCredential $farmAccount -PictureFlowDirection "Export only (NEVER from SharePoint)"
During installation of the Management Agents, there will be a warning that the Active Directory Management Agent password must be set prior to first run. Using the Synchronization Service application (miisclient.exe), click on the Management Agents tab. Double click on the ADMA.
Click on Connect to Active Directory Forest, and enter the password for the synchronization service account. Click OK to close the ADMA.
At this point, you're ready to start the initial full synchronization. Go back to the PowerShell console and run Start-SharePointSync.
This begins the full sync process. You will be prompted during the run to confirm that you want to export the objects to SharePoint; you can bypass the prompt with Start-SharePointSync -Confirm:$false.
These runs are also visible in the Synchronization Service Manager, under the Operations section, which provides additional information on any warnings or errors.
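The whole Management Agent procedure above, from the prerequisite check on the sync account through the first run and the run history, can be driven from one PowerShell session. This is an added example, not the UserProfile.MIMSync project's own script and not from the original post. It assumes the account names, forest name, Central Administration URL and extraction path used in the post, that the module file in the download is named SharePointSync.psm1, a single-domain forest (so the Configuration container sits under the same root DN), and that the sync account is granted the replication rights directly rather than through a group. The run-history query reads the MIIS_RunHistory class that the Synchronization Service exposes through WMI.

```powershell
# Added example (not the project's own script): pre-flight check, configuration,
# first run and run-history review for the SharePoint 2016 profile sync.
Import-Module ActiveDirectory

$syncUser = 'NAUPLIUS\s-sp2016sync'                 # account with Replicate Directory Changes / All
$farmUser = 'NAUPLIUS\s-sp2016farm'                 # Farm Administrator
$forest   = 'nauplius.local'
$domainDn = 'DC=nauplius,DC=local'
$syncPath = 'C:\SharePointSync'                     # folder the UserProfile.MIMSync download was extracted to
$caUrl    = 'https://centraladmin.nauplius.local'

# Schema GUIDs of the two extended rights the sync account must hold
$replChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$replChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

function Test-ReplicationRights {
    param([string]$Account, [string]$DistinguishedName)
    # Collect the extended rights explicitly allowed to this account on the object
    $acl     = Get-Acl -Path "AD:\$DistinguishedName"
    $granted = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    } | ForEach-Object { $_.ObjectType }
    return (($granted -contains $replChanges) -and ($granted -contains $replChangesAll))
}

# The post requires both rights on the domain and on the Configuration container
foreach ($dn in $domainDn, "CN=Configuration,$domainDn") {
    if (-not (Test-ReplicationRights -Account $syncUser -DistinguishedName $dn)) {
        throw "$syncUser lacks Replicating Directory Changes / All on $dn"
    }
}

# Import the module shipped in the download (file name assumed)
Import-Module (Join-Path $syncPath 'SharePointSync.psm1') -Verbose

$syncAccount = Get-Credential -UserName $syncUser -Message 'Sync Account'
$farmAccount = Get-Credential -UserName $farmUser -Message 'Farm Admin'

Install-SharePointSyncConfiguration -Path $syncPath -ForestDnsName $forest `
    -ForestCredential $syncAccount -OrganizationalUnit $domainDn `
    -SharePointUrl $caUrl -SharePointCredential $farmAccount `
    -PictureFlowDirection 'Export only (NEVER from SharePoint)'

# The ADMA password must be set in miisclient.exe (Connect to Active Directory Forest)
# before the first run; this pause is where that happens.
Read-Host 'Set the ADMA password in Synchronization Service Manager, then press Enter'

# First full sync without the per-export confirmation prompt
Start-SharePointSync -Confirm:$false

# Review the most recent runs without opening the Operations view
Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_RunHistory |
    Sort-Object RunStartTime -Descending |
    Select-Object -First 10 MaName, RunProfile, RunStatus, RunStartTime, RunEndTime |
    Format-Table -AutoSize
```

A RunStatus other than "success" in the last lines is the cue to open the Operations section of Synchronization Service Manager for the warning or error detail. If the sync account receives its replication rights through group membership, the pre-flight check will report them missing, because it only inspects ACEs granted to the account itself.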
That completes the installation of MIM and initial run!