Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-10-04) Upgrading ILM 2007 To FIM 2010 – What To Do?

Posted by Jorge on 2009-10-04


In the ILM 2 Forum the following question was asked:

What’s the upgrade path to go from MIIS/ILM 2007 to FIM 2010? Will FIM 2010 just use your current configuration? Also, how’s the timing of the FIM release? If you were implementing Identity Management now – is it best to implement it on ILM or FIM?

Bob Tucker from Oxford Computer Group answered:

The upgrade path from ILM 2007 to FIM 2010 involves several steps, but generally will not be terribly difficult. You would need to accomplish the following:

  1. Stand up a test environment that represents your production environment
  2. Upgrade your SQL database to 2008 if not already there
  3. Recompile all code using .Net 3.5 (Visual Studio 08)
  4. Perform complete end to end testing
  5. Verify you have x64 versions for any third party apps required on the ILM server (Oracle client, Notes client, etc)
  6. Build Windows 2008 x64 and install FIM 2010 sync engine – pointing to the SQL 2008 version of the ILM database
  7. Perform complete end to end testing
  8. Consider installing FIM 2010 portal
  9. Consider migrating some of the codeless capabilities and group management to FIM 2010
  10. Perform complete end to end testing

As you can see from above – FIM 2010 can make use of your existing design, but it is not a point and click upgrade (one is 32 bit only, the other 64 bit only).

Timing of the release of FIM 2010 can best be answered by some of the MS guys – they have the latest information.

As for which one to use – if you are just now getting into the process of implementing an identity management solution, you should start with determining systems involved, gathering requirements, developing a design, etc. If you absolutely require the use of a portal to allow user participation, then you may want to wait on FIM 2010 (or look at designing your own); if you are looking to deploy in the immediate future, you will have to decide whether or not you can use release candidate software in a production environment. With the release of RC1 of FIM 2010, you may be able to participate in TAP/RDP programs if desired.

As you can see from the migration path; if you decide to start with ILM 2007, you can still migrate the capabilities to FIM 2010 without too much work, though it may involve some rework to move some of the design into the portal.

David Lundell from Ensynch answered additionally:

In step 3 you will need to change some of your references to use 64-bit editions of the new Microsoft.metadirectoryservicesex.dll that was introduced with the hotfix referenced below:

I can’t understate the importance of following Bob’s advice in Step 5. 64 bit editions of the items needed is critical. For example, the Host Access Management Agents are not yet available for 64-bit use since they depend on Host Integration Server 2006, which won’t install on Windows Server 2008 x64. So if you connect to mainframes you will need to consider how to do that:

  1. using ILM 2007 as a bridge
  2. using a 3rd party MA
  3. writing your own MA

My personal comments:

With regards to "timing release", the known official release date/period is Q1 2010.

Should you use ILM 2007 or FIM 2010? Basically what ILM 2007 is able to do, FIM 2010 is also able to do. Big thing you need to take into account is the architecture. ILM 2007 is 32 bit only and FIM 2010 is 64 bit only. Any dependency on THAT needs to be investigated. As already mentioned, if you need additional client software for an MA (Oracle, Notes, SAP, etc.) to work and you want to use FIM 2010, make sure 64 bit client software is available!
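An added example (not from the original post or the forum answers): a small Python inventory check for the 32-bit/64-bit dependency described above. It reads the PE headers of every DLL under a folder you choose and flags anything that cannot load in a 64-bit-only process; the function names and the sample header builder are constructed for illustration.

```python
import struct
from pathlib import Path
MACHINES = {0x014C: "x86", 0x8664: "x64"}   # COFF machine-type values

def pe_info(data):
    """Return (machine, is_managed) parsed from the PE headers in `data`."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine = struct.unpack_from("<H", data, pe + 4)[0]
    opt = pe + 24                       # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    count = struct.unpack_from("<I", data, dirs - 4)[0]
    # Data directory 14 is the CLR header; a non-zero RVA means a .NET assembly.
    clr = struct.unpack_from("<I", data, dirs + 14 * 8)[0] if count > 14 else 0
    return MACHINES.get(machine, hex(machine)), clr != 0

def verdict(data):
    """Classify one binary for use inside a 64-bit-only host process."""
    machine, managed = pe_info(data)
    if machine == "x64":
        return "ok"
    if managed:
        # x86 header + CLR header can be AnyCPU or x86-only: check the project.
        return "review-platform-target"
    return "needs-x64-build"

def scan(folder):
    """Map every DLL under `folder` to its verdict; unparsable files are flagged."""
    out = {}
    for p in sorted(Path(folder).rglob("*.dll")):
        try:
            out[p.name] = verdict(p.read_bytes())
        except (ValueError, struct.error) as e:
            out[p.name] = f"unreadable: {e}"
    return out

def fake_pe(machine, pe32plus, managed):
    """Constructed minimal header (not a loadable image), for demonstration only."""
    size, magic = (112, 0x20B) if pe32plus else (96, 0x10B)
    opt = struct.pack("<H", magic).ljust(size - 4, b"\0") + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if managed:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt) + len(dirs), 0)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + bytes(dirs)
```

Run `scan()` against the folders holding your rules extensions and the third-party client libraries an MA depends on; anything not reported as `ok` needs a 64-bit build or a rebuild before the move.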

If you need portal functionality, such as users needing to interact with ILM/FIM for whatever reason (e.g. self-service password reset, other self-service stuff, group management, etc.), you are better off using FIM 2010. It does not mean it is not possible to do it with ILM 2007. What it does mean is that ILM 2007 itself cannot do it, and you need a solution external to ILM for those features.

The sync engine in FIM 2010 differs from ILM 2007 in the following ways:

  • Supports both scripted provisioning and codeless provisioning
  • Supports both inbound/outbound attributes flows and inbound/outbound sync rules
  • Automatic hierarchical provisioning (creating directory structures if they do not exist) (ILM 2007 supports this also, but rather in code)
  • Equal precedence (meaning "last sync wins" and allowing the merger of multi-valued attributes such as the member attribute in group objects)

With regards to licensing, for the Sync Engine you just need a server CAL, but if you want to use the features of the Portal you need user CALs in addition.

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!

One Response to “(2009-10-04) Upgrading ILM 2007 To FIM 2010 – What To Do?”

  1. Hans said

    But what is with the encryption keys from Microsoft Identity Integration Server (MIIS) and ILM?
    Need to backup?

