Microsoft Identity Manager 2016 | Install and Configure MIM | TSR #036

Captions
Hello, hello, hello, welcome to The Server Room. It is 8 o'clock p.m. Eastern Standard Time, February 2nd. Holy moly, episode 36. Wow, 36 episodes so far. This is season 2 of 2018, and we're gonna give it a few; we're gonna actually start maybe at 8:01. We have a lot, a lot to do today, so I just want to make sure that the YouTube channel is receiving the content. It looks like it is receiving the content, awesome, we are live. It is still 8 o'clock; we're gonna wait one more minute until we start. And we are officially going to start, it is 8:01. Welcome everyone to The Server Room, episode 36. Hopefully all of you guys had a very fruitful kind of week. Mine was extremely busy at the job; it's always constantly busy at the 9-to-5 job as well as my night job building content for you guys. So hopefully you guys are enjoying your Friday, chillin', have a beer or whatever you're doing, I don't know. So I'ma stop talking and we're going to get straight to the show because, again, like I said, there's a lot that we have to cover. I'm gonna switch the scene. Hopefully you guys are capable of hearing me with no problem; most likely, if you are not able to hear me, you're going to let me know. But let's get started.

So today I'm gonna do the announcements. Big thank you to Lenovo, they're the ones that have provided the TD340 that I have been using throughout season one and also season two with a lot of the virtual machines that I've been building. For the top three chatters for the last show that we did, I think it was episode 35, yeah, episode 35: big thanks to Dave, Matthew and Microsoft SCCM Guru, thank you for joining and being a chatterbox. My good friend, the network admin Parker from the Discord server, he's created two awesome Google Docs: one gives you a list of everything that's happened with season 1 and everything that's going to be happening with season 2. Just an update: I am a huge gamer, I do have a Twitch TV, I changed my name to tekzilla, which is my gamer tag, check it out, follow me. I try to
game as much as possible. And also I set myself a first-quarter subscriber goal: I'm trying to hit 50,000. My main goal is to try to hit 100,000 subscribers, because then YouTube kind of hooks me up with that awesome plaque, that's awesome, right? So my goal is to hit 50,000. I know it's a huge goal. I believe if we go into scene one you're gonna see at the top right there, that's how many subscribers I have right now. And yeah, so that is my goal, so let me stop yapping and get straight to it.

So today's topic is all about MIM, I think it's "mim", I think that's how you pronounce it: Microsoft Identity Manager. Why am I tackling this for this episode? Because my good friend the network admin Parker from the Discord server wanted me to touch base on this, and it interests me because I've never heard of it, I know nothing about it, I am NOT a guru. So the first thing that I started doing was researching. A lot of sites don't really have great documentation on this; the only documentation that you can find is within the TechNet blog site, and reading that stuff is like you have to decrypt it, it's like everything is encrypted: they tell you to do this, do that, do this. So for the majority of the stuff that I did for Microsoft Identity Manager, believe it or not, I did everything best practice, creating all the specific accounts. I followed the TechNet blog articles to the T, but I've had a lot of issues with the TechNet articles, and I'm gonna show you guys all the issues that I had and how I fixed them, because that's who I am. I don't want to basically get it up and running and show you how to do it, because that's the same concept as reading the blog sites from TechNet: they show you how it works, but behind the scenes, when you're installing it and getting all the requirements, it doesn't work the way it's supposed to work in the article, right? That sucks. So Microsoft Identity Manager helps you manage the users, credentials, policies and access within your organization. It has five
key components. One is the MIM Portal, a self-service portal on SharePoint, so we are gonna be doing SharePoint, and holy moly, SharePoint was my kryptonite throughout this entire adventure dealing with Microsoft Identity Manager. It was my kryptonite, but I got around it and I got it up and running. Number two is the management policy rules, which is your MPR, which are rules and permissions and actions. You have your workflows, which trigger your MPRs, your management policy rules. And then you have your PAM, which is your Privileged Access Management: keep your privileged access safe. And then, I haven't touched this on my own, I did a little bit of research, a little bit of reading and a little playing around with my Azure infrastructure, but you are able to do hybrid, which allows you to do reporting to your Azure. Now, side note: it can be installed within Windows Server 2016. This is old information, because of the Application Server role, but you are able to install it with Server 2016 depending on what version you're installing. If you do push out Microsoft Identity Manager 2016 Service Pack 1, you are able to install it on Server 2016. I found that out the hard way. All right, the Google Doc that I'm showing you guys right now will be provided at the end of the show. There's a lot of stuff that I'm gonna be providing for you guys, a lot of stuff: PowerShell scripts, installation files, the PowerPoint. All right, the PowerPoint is literally close to 500 slides, yes, I go through every little thing, but I'm gonna skim through it real fast for you guys because the majority of the stuff you guys already know how to do, like the SQL database and creating an account and all that good stuff. So within the Google Doc I gave you guys a link to all the core requirements of what's needed to get this guy up and running. Okay, so as you can see on the server side, right here, I'm gonna zoom in for you guys. Okay, so it says Windows Server 2016, but it has an asterisk, see: the version marked with an asterisk only supports MIM 2016 Service Pack 1. If you only have 2016, 2016 definitely needs, I think, the Application Server role and feature to be installed. I found this out late, so I had 2012 R2, that's the operating system that I'm using, but you are able to use Server 2016; it should be the same method the way that I'm going to show you guys today. But yeah, so my poison is Server 2012 R2.

Now, AD prep: you need to create a lot of user accounts as well as a lot of groups. OK, one, you're going to be creating a management agent, a sync service, a common service, a password registration account for your application pool, because you're going to be taking advantage of your SharePoint as well as IIS, because IIS is one of the core requirements to get this guy up and running. You're also going to create a group, an account I mean, for the password reset application pool, also a SharePoint farm account, a SQL admin and a PAM service. For your groups you definitely need to create a Sync Admins, a Sync Operators, Sync Joiners, Sync Browse and a Sync Password Reset. Now all these AD accounts as well as groups, I got all this stuff from the TechNet blog site. So again, it's really rare that I follow best practices when doing this stuff, because I just say screw it, just use admin for the hell of it, right? But I really wanted to do it the right way to see how everything works.

OK, the PowerShell script that I'm going to be using, this guy right here, is a lifesaver. Again, my kryptonite throughout this entire adventure dealing with Microsoft Identity Manager was SharePoint, so this guy right here was a big help. I did do some modifications on the particular PowerShell, which again is going to be given to you at the end of the show. It's gonna be a zip file with all the modifications that I did to make it work within my system. And I want to show you guys: this is the server, it's web-based. It has one application that does the synchronization, for which you have to create two agents. One agent is for your FIM, which
is your Microsoft Identity Management Service management agent, I'm assuming, for you guys, there you go, and then the other one is your Active Directory Domain Services. So you need both of these. It's a lot of work. And then overall it is web-based, so this is right here, let me zoom in so you guys get a better view, so it's web-based. Okay, so let's go back to this. And this link right here will take you to download the WCF Data Services 5.6 RTM installer. You're gonna definitely need this; I will explain that when we're going over the PowerPoint and the initialization environment profile. Now, when you read the Google site, like right now this is the Google site, when you read the TechNet blog site, which I provided the link to, because this link right here is basically gonna tell you what I'm gonna show you, but it doesn't give you nice pictures, everything is like... do you really have time to read all this? Would you rather just have pictures of it done step by step, and just look at the pictures and just follow it, right? I mean, reading all this crap and decrypting this, this is nuts. But this is the path. Again, I've been reading around and there's a certain path that you have to run your services in for stuff to sync up. That's the part that I'm stuck on a little bit, because this will cause some errors, and errors are known for MIM 2016, okay. So, and then again, this is the site that you could go and check out; like, I tried this way. And also if you go all the way to the bottom right here, where is that, when you're creating your profiles, your connector profiles, when you're initializing the test it tells you to do a full import. You're probably saying, what the hell is all this, Bernardo, what are you talking about, full import and full sync and export? Trust me, I'm gonna explain everything right here, but these are the steps that it tells you to do. Sometimes it doesn't work, and the steps that I do provide for you guys on the Google Docs, it works sometimes, it doesn't sometimes,
I do it, again, it's crazy. So let's get straight to the PowerPoint, because this guy is a monster. And I'ma zoom in, I want to show you guys how many slides this guy is: four hundred and thirty-four slides, yes. And I'm gonna try to do this under an hour, because I don't want to keep you guys this Friday; I want you guys to relax, have a beer and just relax, right, or catch the show tomorrow on a Saturday morning when you're eating breakfast or something. So let's full-screen this guy, and there you go. So like I said, episode 36, we are doing Install and Configure Microsoft Identity Manager 2016 Service Pack 1. I kind of learned late that you can install Service Pack 1 on Server 2016; I just did 2012 R2 for the hell of it.

So the first thing you need to do is configure users and groups. I created an organizational unit, a group, called MIM. You don't really need to do this, but for me, just to keep everything nice, I like creating folders, for those that know me. I created a bunch of accounts, and these are the names that I used. Again, you don't really need to follow the way I did it, you could call it whatever, but if you want to follow what I'm doing throughout the show, as well as follow the documentation, I advise you to name everything the way that I'm doing it. Next thing you need to create your groups. Now, I don't show you in the slide that I created my SharePoint farm account, and I did not create my PAM, and what was the other one, there was another one that I should have created, but I do create them throughout the slides. And the reason why I didn't do them all in one shot is because I was following the TechNet blog site, and I was just following it to the T, so they were telling me, okay, you need to create this user, now you need to create this, blah blah blah. So these are the users and the groups that I created, and within the Sync Admins I added my regular account as well as a user account that I have that I use for admin rights. OK, so the next thing that you need to do is prep your
machine, and that's install roles and features. Again, I am using Windows Server 2012 R2, that is my poison for this installation, but you are able to install MIM 2016 with Service Pack 1 on Server 2016. Yeah, so you know, click on Manage, Add Roles and Features, you're gonna get this guy, I click on Next, and Next again. Again, I'm gonna fly through this quick because you guys already experienced this, right? Click on Next, and from here you want to check Application Server, you want to go all the way to the bottom and check Web Server. Web Server, when you click on this, it's gonna want you to add additional features, just click on Add Features, click on Next, and from here you definitely need to have .NET Framework 3.5 Features. Click on Next, all right, check on it. And I went all the way to the bottom, and for me, because I'm gonna be doing a lot of PowerShell and a lot of stuff with Active Directory, I went for it and just went inside the Remote Server Administration Tools and I added the Active Directory module for Windows PowerShell. I kind of recommend this for anyone that's learning PowerShell and manages Active Directory; this is a lifesaver, trust me, customizing a lot of stuff within Active Directory makes the job super simple, adding people to groups and creating multiple accounts in an instant, right? Click on Next. Again, this is not needed, but for me I did it because for some of the stuff that I did throughout the installation of MIM, I used Active Directory in Windows PowerShell. I'm gonna click on Next and Next again, and by default this is checked: make sure the .NET Framework 4.5 is checked, OK, click Next, Next again. You don't have to do anything here, leave all the defaults. If you want to get all, you know, technical, you are able to go inside the web services and modify and enable certain things that you would think will benefit your environment, but for me I left everything as the default, plus within the
TechNet articles they don't really tell you you need to do this, do this; they just tell you OK, make sure Web Server is enabled, just click Next. So leave it all default. Because we are using Server 2012 R2, we have to specify an alternative source path for the .NET Framework 3.5, and I have my ISO mounted to the D drive, so I just told it D:\sources\sxs, press OK on that, and install, and you're good to go. If you want you can reboot the server, but we don't really need to reboot it at all.

So the next thing you need to do is on the local machine, and I just want to tell you guys before I ever continue: I'm doing everything as a standalone server. That means I am installing SharePoint, MIM, SQL, everything in one box. It's not really best practice; SharePoint definitely, for what Microsoft stated, they would want you to have the SharePoint on a different server, definitely the SQL database should be on a different server, and your MIM, maybe your sync and all that stuff, should be on a separate server. But for the hell of it I did everything on a standalone machine, okay, one box. So on the Microsoft Identity Manager server you need to configure local policies. So within here, you know, click on Start and you're gonna type in Local Security Policy, you click on that and it's gonna launch. You want to go inside the Local Policies node, and within there go to User Rights Assignment. Now the one that you want is Log on as a service. Double-click on that; by default you're gonna have NT SERVICE\ALL SERVICES. You're going to click on Add User or Group and you want to add basically all the user accounts that we created: the agents, the password reset, password registration for the application pool, the service and the sync. I made a mistake, and I also needed to put in the SPFarm as well as the PAM service, okay. Microsoft doesn't tell you that; I learned that the hard way. Again, it's one of those things, you
follow the Microsoft articles and eventually you get problems, but that's one of the kind of things that I learned the hard way: you need to add the SPFarm account as well as the PAM service account into this as well. OK, so I press OK, Apply, OK, there you go, done.

Next thing that we need to do is install Microsoft SQL 2014. I'm doing SQL 2014, I think, let's go inside the Google Doc, and let's close this up, let's close this up. OK, so for the SQL database, I think, yeah, so you could go up to 2016. I went for, I mean, I went with 2014 Service Pack 1 because that's what I have, that's what I have a license for, I have a legit license, but you are able to do SQL Server 2016 if you want, OK. And let's go back into this. So I'm gonna go real fast on this because everyone should have at least a SQL database up and running; if not, the documentation, the PowerPoint, will be provided at the end of the show, you guys could take your time and go over all the slides. But again, from here, once you install, because I'm using a virtual machine I mounted my ISO of my SQL 2014, it launched up, click on Install, and I bypassed the product key, but the first window should be your product key, and then when you click on Next it should take you to the licensing terms, just accept it, click on Next. Definitely push out Microsoft updates if you want, click Next, it's gonna initialize the setup. I don't have to worry about the firewall, and the reason why is because it's local, everything is local, but definitely, if you have a SQL database that's on a separate host, make sure the firewall settings or firewall ports are configured correctly so that other machines are able to access it. OK, click Next. I did a SQL Server feature installation, and again you got to understand this is me following the article. OK, Database Engine Services is what we need, and I went all the way to the bottom and definitely Management Tools, because I want to get in there, do a couple of queries and
make sure everything is up and running. Click on Next. Also, I left everything as default; a lot of people like to change it, but for me I'm keeping everything kind of simple, C drive is for me. OK, default instance, I'm gonna leave it as is and click on Next. And from here you're going to configure your startup type, as well as, if you want, you could configure your SQL Server Agent to have a different account, as well as the SQL Server Database Engine. OK, set the password and click on Next. Now from here you want to add the current user, and you also want to add the sysadmin group, OK, so whoever's inside this group would have access to the SQL database. OK, I don't show you here, but I went back and I enabled mixed mode. I don't like doing this a lot in production, but for testing-wise I just enabled it, just, you know, for precaution. Once you do all that, click on Next, click Install, and install, blah blah, done. So every time I install SQL I like to go inside the Start menu and just start up the management tool and just make sure that the instance is running as well as the SQL Server Agent. Don't get me wrong, you could go inside Services and just check both services and make sure they're running, but I'm so accustomed to doing this, and you know, go for it. OK, plus that also gives me reassurance that the username and password is working to have access to the database.

OK, so the next thing that we need to do is prep for SharePoint, and holy moly. So I want you guys to get a little water right now, wait, I want you guys to go get yourself a cup of coffee, go get yourself a beer, go get your snack, and then come back right away, because this right here, this is where the ride starts happening. All right, so everyone buckle up and get ready, because this was the worst experience ever dealing with SharePoint. Like, holy moly, Microsoft, seriously, come on: they give us a tool to make things easy for us for installing SharePoint, but it does not work, crap. Ah, all right, so go
straight to it: Prepare for SharePoint installation. So this is where I create my SPFarm account, and it's good to have at least a SharePoint farm account, because this is the one that's going to have full admin rights throughout all your collections and all that stuff, your web portals. Now I made a boo-boo, because of my bad habits in my, you know, my testing environment: I didn't use SPFarm, I used an admin account, which I shouldn't have, but I just want to give you guys a heads up, OK. Now that's one step for the SharePoint, just creating an account. Also you need to start setting permissions for your app pool accounts. So within your SQL Server you want to go inside the Security node, right-click on Logins and New Login. From here, for the login name, in the search location change the location to your entire directory, and you want to do the SPFarm; you want your SPFarm to have access to the database. Again, this is my mistake, I forgot to use the SPFarm account during the installation of SharePoint, and that wasn't the problem, that wasn't my kryptonite, because again I used an admin account and it still, I had no problem, trust me. Your SPFarm, you want to give it server roles, and you want to give it the following: you want to give it dbcreator, securityadmin and sysadmin. Press OK. You want to do the same thing for the password registration application pool, OK; that particular user will have dbcreator, securityadmin as well as sysadmin. You want to do the same process. I'm skipping, because you got to do this, right here you got to right-click on this, got to right-click, New Login, three times, OK, three times, y'all: right-click on Logins, click on Search, change the location, click on Entire Directory, and then find your names and then change the server roles. OK, I did the same concept, I right-clicked on Logins, New Login, Search, blah blah blah, same thing; I just bypassed all that stuff for this account, the MIM password registration
application pool, again dbcreator, securityadmin and sysadmin. I also added the password reset application pool; that one also has dbcreator, securityadmin and sysadmin, sysadmin, sorry. So yeah, so this is how it looks, OK, awesome. I think it's one of those things that I learned the hard way at the very end, and Microsoft doesn't tell you that within their documentation, is that I should have added the PAM service account as well to have access to the database. Damn, Microsoft.

Now, set the application pool for the service principal name, SPN. So this is where PowerShell comes in. So you wanna click on Start, right-click on your Windows PowerShell and Run as administrator, and hit Yes once you get the User Account Control, and I'm gonna do a cd so I get into my root, and you want to run the following. I don't know if you guys can see that, but I'm gonna zoom in for you guys. So you want to run setspn -S HTTP/<portal name>, which is going to be the primary name of my portal, BTNHD\<account>, the MIM password reset app pool account, so that's gonna be the account that I'm going to be using for this service principal name. OK, so that confirms it, it's all good. And the next thing that you need to do, the -L just lists it, OK. So, zoom in: so setspn -S sets it, and -L, capital L, just lists it; this right here is just a confirmation that it was set and the service principal name was created, OK, or registered.

Now, this is one of the things that again I learned the hard way. Well, I'm not, I'm so used to, when you're testing stuff, I rarely push updates out to my testing machines, because again, it's a test machine, right? You just want to test stuff out, and if it breaks, it breaks. So with this experience dealing with Microsoft Identity Manager, your machine has to be fully patched. And again, this process is still, I'm still working with the SharePoint stuff; it's one of those problems I had, SharePoint was giving me a lot of problems because Windows was not updated, the Windows Update services weren't running. If you go
inside Services and you enable it, it's still not going to work, it's going to give you problems. The machine has to be fully patched for SharePoint to work correctly. Learned it the hard way. And again, don't get me wrong, I push updates out to my 9-to-5 servers all the time, that's my production, that's what you're supposed to do, but for a testing machine I wasn't really expecting that. I was just expecting double-clicking on the EXE file, Next, Next, Next, setting the variables and settings, and you're done. SharePoint was like, no, you need to have Windows updated. So I pushed out all the Windows updates, made sure that's nice and updated. I had a couple of updates on my virtual machine; it was a brand new, fresh virtual machine, I had 162 updates, so I pushed all of them out.

OK, now we're preparing for the SharePoint installation. Yeah, so you download the SharePoint; for me, I think I got SharePoint 2010 Foundation, because, core requirements, let's go back over here for SharePoint. Let me zoom in for you guys: this is SharePoint and these are the core requirements. I think, correction, I'm using SharePoint Foundation 2013 SP1, I think that's the one that I'm using, but you are able to do SharePoint 2016, but it has to be the Microsoft Identity Manager Service Pack 1 version for that to work, OK. So let's go back here. So when you double-click on the file it's gonna launch the wizard. I didn't want to do that, so I opened up a command prompt within the root of my D drive, BTNHD, which I had shared, and I also created a folder called SPF for SharePoint Foundation, because I want to extract everything inside the EXE file into this folder. So that's what I did, and there go all our goodies. What I really wanted to do is use this, because this tool right here, this beautiful nice little tool that Microsoft provides us, is supposed to help us, supposed to install everything for us, to the point that all we have to do is double-click on the setup file and just sit back and relax and then configure the SQL
database connection and the user name that you want to use. No, this crap doesn't really work, trust me. All right, so running the SharePoint PrerequisiteInstaller, this is where all the goodies happen. So like I said, Microsoft says double-click on it, it's gonna install all the roles and the features and everything that you need to get you up and running. Hell no, that did not happen for me. So I clicked on it, it looks like, oh good, these are all the things that are gonna happen: it's gonna install .NET Framework, Windows Management Framework, Application Server roles. Some of these roles I already have installed and shouldn't have any problems. So I click on Next, I accept the terms, I click on Next, everything looks like it's going, and bam, there was an error during installation. So I'm scratching my head like, okay, what's going on? I did a little research; this is a very common problem dealing with the PrerequisiteInstaller tool. So a lot of sites, a lot of websites, a lot of tech sites basically say download the Windows Server AppFabric, install it, rerun the tool, and same problem, same damn problem, over and over and over. So I eventually got it to work, it bypasses it, boom, another error. This tool is supposed to be helpful; it's not helping, it's causing more problems and more headaches. Again, this was my kryptonite throughout this entire installation process. So what I did was, I said why not do this offline, with help? So I downloaded three PowerShell scripts, which I showed you guys the link to at the very beginning of the show, very cool PowerShell scripts: one downloads the prerequisite files for you, that's easy, right, you don't have to do much; one installs them; and one installs the roles and features. Now the roles and features I had already installed, so I don't really need to do that, but I definitely needed to do this and do this: I need to get them and install them. So I opened up the download PowerShell script and I looked over it. The first prompt right here, it says please enter a directory path to where you
wish to save the SharePoint 2013 prerequisite files. So I said okay, so I created a SPDownloads folder and I ran it, and I copied and pasted the path in there and I hit Enter, and it looks like it was doing its thing, and I saw all the files that I needed. How awesome is that? Everything was downloaded, cool. So what I did was, I copied everything that was downloaded from the PowerShell and I placed it within a folder within the main root where my SharePoint installation files are located. There's a folder called PrerequisiteInstallerFiles; drop them in there. This folder is made for those individuals that want to install SharePoint offline, right, because the PrerequisiteInstaller is supposed to read this folder and install everything for you. That doesn't really happen that way, because I tried it and still had problems. So how did I get around it? So, oh, before we continue, there's another tool, that WCF 5.6 that I was telling you guys you need to download, because the PowerShell doesn't grab it, and this is a requirement for SharePoint 2013 Service Pack 1. Now, when you download it, it has the same name as the version that the prerequisite script downloads; I think this one right here, the original one, is 3.5. You need 3.5 installed and then 5.6. Because of the same name, the one that you downloaded, which is 5.6, just rename it as 56. This is where the second PowerShell that we're going to run, you need to make some modifications on it, and I wanted to show you guys that I took my virtual machine offline and I put it inside the private network, which the private network does not have any internet. I just made sure that I didn't want this SharePoint to contact anything, right, because I had all the files locally; it's supposed to talk to this folder, which locally has all the files for you, right. So I opened up the install script, and the only modification that I made was I created a variable called WCFDataServices56 and I pointed it to the 56 EXE. Okay, we definitely need this. Okay, again,
this PowerShell script with the modifications that I made will be provided at the end of the show, so don't worry about it. So the next thing that you want to do is hit Run, and when you hit Run, actually yeah, when you hit Run it's going to say hey, we need that main folder. So I'm gonna go back, and if you guys go back, I can't see it, I'm gonna show you, okay, so there you go. So it's gonna say please enter the directory path to where your SharePoint 2013 installation files exist. My path was SPF, that folder, so I copied that path, pasted it in, and boom, you see this little guy pop up again. So I'm saying okay, the PowerShell script is doing its thing, it's probably piggybacking on the tool. Why not? So let's click on Next, I accept it, I click on Next. This is a good sign: it wants me to restart. It's restarting, it's Windows getting ready, do not turn off, it's installing features, 84%. I'll do a Ctrl+Alt+Delete, and this is where the problem starts happening again. I hit Yes. When you hit Yes, apparently the PowerShell script that you are running disappears; the PrerequisiteInstaller tool within the installation folder takes over and it gives you more problems. So this is the reason why I snapshotted this and I highlighted No. So when you get this one, you log in, hit No, please hit No. Once you hit No you go back inside PowerShell, you open up the install prerequisites script and you run it again. You do the same thing, give it the path, this tool is gonna pop up, do not worry, click on Next, accept the terms, hit Next again, it's gonna start running, and eventually, yes, installation is completed. Awesome. It took me about a day and a half to get this thing up and running, because I was having so many problems with the built-in prep tool that they provide you, and I'm so happy that I found these scripts and they worked out with no problem. So the next step is make sure you restart, so I restarted my virtual machine, boom.

Now install SharePoint, really now. So double-click on that setup file, and you're gonna hit, you know,
get that User Account Control, oh hey, Yes, and it looks like it's working... it's not working. BAM: the product requires Microsoft .NET Framework 4.5. I'm like, what the hell? I know I had 4.5 installed. I went inside my screenshots and I carefully looked at that section; 4.5 was installed. So what the hell is going on? Why? So it looks like there's problems with this issue and there's a patch that they give you. Microsoft does provide you a patch for Microsoft SharePoint Foundation 2013, and I do provide you guys that DLL file. It's a DLL file that you need to insert in a particular folder. So I found the patch, the .NET Framework patch fix. This is the patch right here, it's wsssetup.dll, and you want to copy this and place it inside the updates folder. Just place it in there, and now you're okay to install SharePoint.

So double-click on your setup, hey, Yes, I'm gonna get this nice little friendly dialog box, but wait for it, BAM, you get this. Finally, holy moly. You accept the terms, hit Continue. What we're gonna do is a Complete server type. Is it Complete? We're gonna Install Now. It's gonna start prepping. You definitely want to leave this checked, because you want to run the SharePoint Products Configuration Wizard now, because you need to tell SharePoint the account as well as the database and all that good stuff. So click on Close. You're gonna get this, click on Next. You're gonna get this dialog box right here saying the following services may have to be started or reset during the configuration; hit Yes on this. And "Connect to an existing farm" is if you already have SharePoint implemented, but for this you definitely need to create a new server farm, okay, because this is a new installation and I'm doing everything in one box. Database server and database name: this is the database name that's going to be created within your SQL database, okay. So you provide the server name, which is local, and this is where I made the booboo. Oh, sorry, I should've given it the SP farm account. The SP farm
account should have been added here, and the SP farm should have been added... well, SP farm was added within the SQL database, I just forgot to add it here. It was my mistake, but you definitely want to add your SharePoint farm account here. Click on Next. Passphrase: make sure you write it down or, you know, put it in whatever kind of software that locks your passwords. This is very, very important to have, okay. For ports, I specified a port; for this one I gave it 8 8 8 8 4 8, and for the config security settings I left it as the default, which is NTLM, okay. Click on Next and this is all the settings. This is your database server, for me it was local, this is gonna be the name of the new database, and the host for the Central Administration web application, this is the address, and the authentication provider would be NTLM, okay. Click Next and it's gonna do its thing. This process takes a while, and eventually you get all the information. I would say take a screenshot of this and put it inside documentation so everyone knows what is what, right. Click Finish. When you click Finish your internet browser will launch and it's going to have this; I said No, I don't want to participate, so click OK, and eventually you are going to be inside your SharePoint Central Administration. Yeah, SharePoint is installed.

All right, so to get into your Central Administration site, this would be your URL. This was the name of my server, so this might be different for you, or whatever port you use, then default.aspx, and it'll log you in, okay. You need to get into that because we need to set up managed accounts within your SharePoint. So within SharePoint you want to go to Security, and within Security you want Configure managed accounts. And again, I think it signed me off of administration, it wants the system admin, so I just provided my credentials and it logged me back in. So the only managed account that I have is the one that I provided during the database entry. Remember, I should've added SP farm, shame on me, but I am able to correct that
and add SP farm here. So you want to click on Register managed account, and the following that you want to enter: you definitely want to add your password reset application pool account, also provide the password, press OK, and you do that process a couple of times. So the ones that you want are the password registration and the password reset application pool accounts, and I just went for SP farm as well. Automatically you should have your SP farm there if you added an actual account that deals with your SharePoint, okay.

And the next thing we need to do is create a web application, a SharePoint portal for our Microsoft Identity Manager, because it uses SharePoint. So from your machine you're gonna click on Start and you want to start typing in SharePoint 2013 Management Shell. Right-click on that and run it as an admin, and we're gonna definitely hit Yes on that. So from here we're gonna do the following, and let me zoom in. Cool. So we are going to create a variable... let me drink a little water, apologies, sorry about that. We're gonna create a variable and we're gonna assign that variable with the following: so it's gonna be Get-SPManagedAccount, and it's gonna be the identity of this, okay, it's going to be the password reset application pool account. So you're probably saying, sir, why are you doing this? I'm following the Microsoft site, and they're telling me... the article that I added within the Google Doc documentation that you guys are gonna get, when you click on the link it gives you a breakdown of why you should add all these accounts, and it's just crazy. So that's the first thing: we created a variable and we assigned this, okay. And the next thing that we need to do, what I did was I just called out my variable, just to make sure that this user account is assigned to $ma. You can call it whatever you want, okay. And the next thing that we need to do is the following PowerShell command, so we need to do a New-
SPWebApplication with the name of MIM Portal. You could give it whatever you want, this is up to you. We're using the parameter -ApplicationPool, and I called that MIM AP. We are also using -ApplicationPoolAccount, and we're calling our variable that we created, $ma, okay, so we're using this particular username for our application pool account. For the authentication method we're using Kerberos, and the reason why I'm doing the PowerShell here is because during the installation of our SharePoint we configured it as an NTLM configuration, right? Microsoft Identity Manager needs Kerberos for it to work correctly, so this is the reason why we're doing this in PowerShell. And I assigned the port 80, and the URL will be, you know, http:// and then BJ-MIM, which is the name of the server, okay. You're gonna get this nice little yellow warning, it is okay, it takes some time. So hit Enter, and once it finishes it should give you this: display name is MIM Portal, the URL. When you go back inside your Central Administration from SharePoint you want to click on Application Management, underneath Web Applications click on Manage web applications, and lo and behold, there you go, there goes our portal that we created within PowerShell. Gotta love PowerShell, right?

Next thing that we need to do is create a new site collection within SharePoint. So within your Central Administration click on Create site collection, and once you click on that you want to give it a title. Mine, I gave it MIM Portal. For your template selection you want to pick 2010, and for your template you want it blank, blank slate, a Blank Site, okay. And at the very bottom you want to assign a primary and secondary site collection admin, so I gave it this user account. My first one should have been SP admin, the second one should have been something else, but it's really up to you; I recommend that your primary should be your SharePoint farm account, okay. Once that's configured you click on OK and you're gonna get this, it's gonna say
Central Administration, Application Management, top-level site successfully created, and that's the link. Click OK, and once you click OK it's going to launch your new portal, your new blank collection, and that's awesome.

So the next thing that we need to do, we need to do a couple of things on our portal. We need to definitely disable the view state as well as the self-service upgrade. We do not want this portal to be upgraded; there should be no upgrading this portal at all, so we need to disable that. The only way to disable it is we need to do a little bit of PowerShell again. A lot of PowerShell is being done throughout this entire installation and configuration of the Microsoft Identity Management stuff. So I'm gonna zoom in again. I am creating a variable called $cs, you could call it whatever you want, and I am assigning it to [Microsoft.SharePoint.Administration.SPWebService]::ContentService. And from here I'm calling the variable: $cs.ViewStateOnServer = $false, okay. By default it's set to true; you want to set it to false, and that's it, hit Enter. You're not really going to see any magic pop-up; once you hit Enter it just happens. If you have problems you're probably gonna get errors, okay, so don't expect like, oh okay, successfully done. You hit Enter, it's nothing. The next thing that we need to do is update it, so we're definitely gonna call the variable that we created, $cs.Update(), and hit Enter. And then you definitely need to do the SharePoint timer job. This right here would disable the timer on your portal, I believe, okay, so it's Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | Disable-SPTimerJob. The whole point is we need to disable this portal so it won't update on us at all. Hit Enter; again, don't expect it to say successfully done, it's just gonna be blank, okay. And the next thing we need to do is disable the updates. So this entire process right here is to
disable the view state, I know, right, and this step right here is to disable the update. So again I'm creating a variable, $site, again you call it whatever you want, and I'm assigning it to Get-SPSite with the name of this, and hit Enter. And now we're calling $site.AllowSelfServiceUpgrade and we're assigning that to $false. So you're basically saying, this command right here is getting the SharePoint site; it's using the command Get-SPSite and we're telling it what portal to use, right? So this portal right here is assigned to $site, then we're calling our variable dot AllowSelfServiceUpgrade, which is a, how do you call it, it's like a property, and you're assigning that to false. Hit Enter; again don't expect it to say successfully done, it's just done. And like I said, that's how you disable the view state as well as the update. Again, all this information is on the TechNet site, it's just that they put everything in words and you have to, like, understand what the hell Microsoft is trying to say to you.

Next thing that you need to do is add the service principal names for the MIM Service account. And again I did a little PowerShell; I've been playing around with a lot of PowerShell, PowerShell is very powerful. So I opened up PowerShell, hit Yes on that, once you get the User Account Control, I did a cd \ so I get into the root, and the command that I did was the following; let me zoom in for you guys. So again I did setspn -S, capital S, to set it, and it's going to be FIMService/BJ-MIM and the name of the account that I'm going to be setting this service to, and then hit Enter, and the service principal name is assigned. Cool, cool. It's really weird, because right on the article this service right here is not even installed as of yet, but they want you to do it first. There's like two services that need to be running for this stuff to work properly, but you set this stuff first and then you
install the services. Jesus, why, Microsoft? I don't understand it. The next thing that we need to do, again, because I did just the server name, I also did the fully qualified name of the server, just for the hell of it, so I added that as well to the service principal name. If you want, you could do a setspn -L, dash capital L, with the name that you assigned, and if you give it the name it's going to show you everything that this name has a service principal name on. Excuse me. Next thing that we need to do, I think we went over... yep, we went over that. Next thing is add the agent account to the sync admins group. So right, I'm doing that old-school, you know, going into Active Directory and going into the group and adding it. I did a little bit of PowerShell, man, that's why I took advantage, that's why I added the PowerShell cmdlets during the server roles and features part. So I called Add-ADGroupMember, -Identity, which is the group, and I added the -Member agent. All it did is basically go into Active Directory, find the group, add the name; it's the same concept, but I'm just doing it the geeky way and using PowerShell, okay.

Now copy the Microsoft Identity Management installation files to the server. So we're getting close to the installation part, and how about time, wow, it's already 8:55. So I copied all the installation files, mounted the ISO on the virtual machine and I copied everything over to my D drive. I created a folder called MIM and I copied everything in it, so blah blah blah. Now the first thing that you need to install is the synchronization stuff for your Microsoft Identity Manager. So within the folder, like within here, I'll show you guys real quick; let me stop and go inside the server and minimize all this stuff for you. So when you copy over the contents of the MIM stuff, they give you like a crapload of subfolders. These are all the subfolders that they give you, so it's like, okay, where to start, where the hell
should I start, you know? They do provide you an order to run, but it's like, okay, wait, I start here? This looks like an obvious place to start, but it's not, okay. The first thing that you need to do is the synchronization stuff, so let's get out of there. All right, so go inside your Synchronization Service folder, right-click on Setup, run it as an admin and hit Yes on that, and you get the nice little wizard. Click on Next, accept the terms, click on Next. I left it as the default, as the C drive, click on Next. Because the database is local I left it as This computer, and because it's the default instance I left everything as is; this might change in your environment. Then click Next. Now the service account. This service account is the following: enter the credentials of the account under which the Microsoft Identity Manager Synchronization Service will run. It tells me that I'm using the eval, and so the service account that I'm using is the one that we created called sync; provide a password as well as the domain, Next. Now you can keep everything as is, but remember, these are groups. I changed all the groups to MIM, so I just changed them. They were all created, we recorded this at the very beginning, that was the first slide that we did that I showed you guys. I created the groups on the second slide; all I did was just change them to MIM, okay, so I went in and just changed it to MIM. You definitely want to enable the rules within the inbound RPC communication, so I enabled that, hit Next, hit Install. Yes. So, warning: the Microsoft Identity Manager Synchronization Service (eval) service account is not secure in its current configuration. So I was getting a lot of warnings. Don't get me wrong, everything worked all right, I got the portal to work and functioning somewhat correctly, but I kept on getting these warnings. I definitely need to do some research on this to see why it was giving me that problem, so it's one of those to-do things that I need to take care of. It's
gonna say the Microsoft Identity Manager Synchronization Service (eval) setup will now create a backup of the encryption key. You have to create an encryption key, so when you click on OK you give it a name and you drop it wherever you want; I think I dropped it on the desktop, yep, and I called it MIM backup key, hit Save. So this is an encryption key. Click Finish, installation was completed, Finish, and you definitely want to restart your machine. So once your machine restarts, you know, log in, and once you log in you go inside your Start menu and you're gonna see a bunch of new options. The one that you want is the Synchronization Service. So I just clicked on it just to show you guys how it looks; it looks pretty.

Now it is time to install the Microsoft Identity Manager 2016 Service Pack 1. So it's a lot of work to get this little guy running. So we need to get inside again, with all those subfolders, we need to get into the Service and Portal folder. You're gonna right-click on Setup and run as an admin, hit Yes, hit Next on the wizard, accept, hit Next. I'm going through this stuff real quick because this is kind of self-explanatory. Click on Next on that, and well, it's up to you if you want to join the customer experience program, but for me I didn't join, so click on Next. This is very important right here: by default the Privileged Access Management is not installed. You have to click on this and you want that installed on the machine, okay, very important, so click on "Will be installed on local hard drive" and click on Next. And the database name: it should automatically pre-populate itself; if it doesn't, if you have the SQL database not within the same server, enter the database server and the name of the database. So I entered it. That's not the name... this is the name that they created; well, you could keep this name because it's gonna create a new database, but I just changed it to something else and create a new database. Click on Next.
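The SharePoint and SPN preparation commands described earlier in the captions (New-SPWebApplication with Kerberos, disabling ViewStateOnServer and the health-analysis timer job, turning off AllowSelfServiceUpgrade, setspn -S / -L, and Add-ADGroupMember), collected into one script as an added example. This is an editor's addition, not the presenter's own script and not Microsoft's text. Server name, domain, account, group and pool names are placeholders; the site collection creation is done here with New-SPSite instead of Central Administration, and the group name MIMSyncAdmins is an assumption (the presenter renamed the groups to MIM).

```powershell
# Editor's added example. Run in the SharePoint 2013 Management Shell as an administrator.
# All names below are placeholders (assumptions); replace them with your own values.
$serverName      = "CONTOSO-MIM"                      # placeholder: SharePoint/MIM host
$serverFqdn      = "$serverName.contoso.local"        # placeholder: fully qualified name
$poolAccount     = "CONTOSO\svc_pwreset_pool"         # placeholder: already a registered managed account
$farmAccount     = "CONTOSO\svc_spfarm"               # placeholder: SharePoint farm account
$mimServiceAcct  = "CONTOSO\svc_mimservice"           # placeholder: MIM Service account (SPN target)
$mimAgentAcct    = "svc_mimma"                        # placeholder: management agent account
$syncAdminsGroup = "MIMSyncAdmins"                    # assumption: the sync admins group name
$portalUrl       = "http://$serverName"

# 1. Web application for the MIM portal. The farm was configured with NTLM, but the portal
#    itself must use Kerberos, which is why this is done in PowerShell and not in Central Admin.
$ma = Get-SPManagedAccount -Identity $poolAccount
New-SPWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" `
    -ApplicationPoolAccount $ma -AuthenticationMethod "Kerberos" -Port 80 -URL $portalUrl

# 2. Blank site collection in the 2010 experience (template STS#1, compatibility level 14),
#    owned by the farm account as the primary site collection administrator.
New-SPSite -Url $portalUrl -Template "STS#1" -CompatibilityLevel 14 `
    -OwnerAlias $farmAccount -Name "MIM Portal"

# 3. Content service: turn off server-side view state, then commit the change.
$cs = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$cs.ViewStateOnServer = $false
$cs.Update()

# 4. Disable the hourly health-analysis timer job and self-service upgrade on the portal site
#    so nothing upgrades the MIM portal behind your back. Neither step prints anything on success.
Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | Disable-SPTimerJob
$site = Get-SPSite -Identity $portalUrl
$site.AllowSelfServiceUpgrade = $false

# 5. Service principal names for the MIM Service account, short name and FQDN. These are set
#    before the MIM Service is installed; -L lists what is registered so you can verify it.
setspn -S "FIMService/$serverName" $mimServiceAcct
setspn -S "FIMService/$serverFqdn" $mimServiceAcct
setspn -L $mimServiceAcct

# 6. Add the management agent account to the sync admins group (needs the RSAT
#    Active Directory module, added with the roles and features earlier in the stream).
Add-ADGroupMember -Identity $syncAdminsGroup -Members $mimAgentAcct

# Quick checks: the web application should exist with Kerberos, and the settings should be off.
Get-SPWebApplication -Identity $portalUrl | Select-Object DisplayName, Url
$cs.ViewStateOnServer            # expect False
(Get-SPSite -Identity $portalUrl).AllowSelfServiceUpgrade   # expect False
```

Run it section by section the first time; New-SPWebApplication shows the yellow warning mentioned in the stream and can take a few minutes, and the two SPNs must be registered on the same account the MIM Service will later run under.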
Doggone it, again, goddamn Microsoft. Microsoft didn't tell me this during the installation of SQL; when I first started, they just said you only needed a Database Engine, and you need the SQL Server Full-Text Search for this to work. Again, I learned that the hard way. Thank you, Microsoft, for your outstanding articles that you have written for us IT people. So I launched the SQL Server installation and I went back in here and I just checked off the Full-Text stuff and clicked Next, Next, Next. I reran the installation, and when I got to that point, when I clicked Next, this is the next window, okay. So once you install the Full-Text Search stuff it should take you to this. Now, because this is a testing environment I don't really have a mail server, but I don't think you really need a mail server. I think you need the mail server when you're dealing with resetting or registering your password stuff, but for me I just added any gibberish stuff here. I mean, if you have a mail server, most likely a lot of you do, enter the information there, okay; if you have like an Exchange, go for it. I left it as default, generating a new self-issued certificate for me. So right here, configure the common services: enter the credentials of the account under which the MIM Service will run, so the account name would be service, the password, domain and email address, I just made a phony one, and then you click Next. Again I got another nice little warning saying that the account is not secure. I have to double-check to see why it is not secure, why are you giving me that problem; it still allows me to install it successfully. So click on Next. From here you want to configure the Microsoft Identity Manager Service and Portal synchronization, so the sync server and the management agent account. I provided, you know, we created a sync account, so that's what I gave it, yeah, sync. Another warning says the
MIM Synchronization server you have entered does not exist or is not running. So I'm saying, what, what's going on? So if you go inside Services, there's a particular service that did not start. It's set to Automatic, it just has a huge, huge delay. So right-click on it, start it, and once you start it it should bypass that window and you should get to this. So for my MIM Service server address I just kept it as the name of the server. When you click on Next, the SharePoint site collection: it's not localhost, so just give it the proper URL, which was my server name. For the registration portal I kept it as the server name as well; again, you could change it as you want, but I just kept everything super simple. You definitely want to open up the ports of 5725 and 5626, very important to have, as well as grant access to users: grant authenticated users access to the MIM site. So click on Next on that. For the hostname and the port, now this is for the PAM, you don't need to enter anything for the localhost, you don't need to enter anything for the hostname because it's local, okay. If it was located somewhere else, definitely enter it, but because the PAM is living inside the same server just leave it blank and just provide the ports; I provided 8086 for this right here. This is for your PAM REST API, so for the account name I provided the password reset application pool account with the password as well as the domain. And this right here is for your component services, and for the component service, again, Microsoft didn't tell me this in the very beginning, the PAM component service needed an account. So I went to Active Directory and I created a PAM service account. Again, it's one of those things that Microsoft did not mention throughout their article when you first create the user accounts that you need, so I learned that later in the game. So you enter the name as well as the account password, click Next, and again it gives me a warning. I have to figure out why this is telling me, and it also
says, for more information about best practices for securing your service account, please... I need to know why, I just haven't had the time to look into it yet. So click on Next. From here, this is to monitor the services: provide an account, password, domain. I used the PAM service account, I just kept the same. Click Next, you get the warning again, so click Next again. And for your password registration pool you're gonna use your password registration application pool account, the password, the hostname and the port. I gave it the port of 8088 and I opened it in the firewall, and click Next again. Well, this is a little different, because I'm not using SSL. It is recommended to use SSL when you're dealing with this, because I'm assuming Microsoft Identity Manager is supposed to be used outside of your LAN for users to have access to, you know, reset their own passwords; you're giving the users access to their accounts to reset their passwords when they need to. For my testing I did not have SSL, so I just kept it as HTTP, okay. For the MIM Service server address it would be the server name, and the portal is hosted on an IIS site which can be accessed by Internet users. You know, provide... this is for the password reset portal, so again I gave it the password reset application pool account, password. And this is where, this is another one right here, because Microsoft, when we provided the port number here, 8088, Microsoft on their documentation says on this part right here, when you're providing the account information for the password reset portal, you're able to use the same port, 8088. That's a lie. I get a huge nasty warning saying this port cannot be used because it's being used for something else, so you definitely need to assign another port number, and just make sure you open it within the firewall. Again I'm getting that SSL warning, which is okay, I'm doing everything locally. And you're gonna provide the service address, this will
be the name of the server, and by default it's set to "Portal is hosted on an IIS site which can be accessed by Internet users". I mean, if you want outside usage, this is definitely the option that you want; intranet, Internet, yeah, I think now I'm losing it. So click on Next, click Install, BAM, you get another warning. I got another warning, and as a surprise my agent wasn't running. So to fix this problem I went inside Services, and it's set to Automatic but it wasn't running, so I just started the service and then it went through with no problem. So this is like the steps: it's deploying a solution, hit Finish and definitely restart the machine.

And then this is another thing that I learned the hard way that Microsoft doesn't really tell you: there's two services that need to run automatically, and one of them takes its sweet time starting up, and that's the Forefront Identity Manager Service. Now, if you're trying to get into the site to start working and start playing around and it doesn't load up for you, go inside Services and check if this guy started. If it's, you know, most likely it's set to Automatic (Delayed Start), but the delay just takes forever, so just, you know, if you're like me, you're impatient, you have no patience, you just start it and it's gonna automatically start and the web browser works for you. So this is the browser, so the URL is this beautiful URL right here, which is the name of your server, /IdentityManagement/default.aspx. So that's how you will navigate to it.

So you still got more to go, this is a long one. We need to enable "User management: users can read attributes of their own". Again, the whole concept of this portal is to allow end users to have access to their accounts to do certain things to their accounts, like reset their own passwords, right? So to do this you want to go inside Management Policy Rules, and they got a nice little search feature, so within the search box just type in
"user management", hit Enter, and the feature that you want would be "User management: users can read attributes of their own". By default it's disabled, so click on it and just enable it if you want that option. So it's gonna load up, uncheck "Policy is disabled", click OK and Submit. Once you submit it goes through, and now users are allowed to read their own attributes on their own accounts.

So we need to go inside the synchronization server because we need to start syncing our AD stuff to our MIM portal. This is where I had some issues, which I'm still working on. So open up your Synchronization Service, and we need to create a management agent for MIM as well as an Active Directory management agent. And I'm following all these instructions on that link that I clicked on; I'm following these instructions, I'm going to show you guys where it is. So right here, these are the instructions for creating the management agent, right, and also there's a crapload of them, holy moly, there's a lot. They're also creating an AD management agent. So I'm gonna skim through this real quick with you guys because I have almost a hundred more slides to go and I haven't even checked the chat, I don't even know what's going on over there because I'm just going straight through with this.

So we need to create a MIM, whatever, Microsoft Identity Manager management agent. So we're gonna open up our Synchronization Service Manager, and from here you're gonna click on Management Agents and click on Create, and you're gonna click on the drop-down, and the one that you want is FIM Service Management Agent. You want to give it a name, I called it service agent, and click on Next. You're gonna provide the server, database and the FIM Service base address, which is going to be localhost:5725, and then you're also going to provide a username and password and domain to have access to the database. Click Next. Now by default only three are checked off, this one, this one and this one, so check
off Group and Person and then click Next. Now from here you need to click on Show All. Okay, it says you don't need any of these right now, but that's BS, because I learned that the hard way as well. Microsoft says you don't need anything now; check this. When you get to this point, make a note, all right, make a note: check this off, then click Next. From here you don't need to do anything for your connector filters. From here you definitely need to map your Group and Person, so click on Group, and once you click on Group click on Add Mapping and make sure it says group for your Metaverse object type, and do the same thing for Person: click on it, Add Mapping, make sure it says person for your Metaverse, click OK, there you go, and hit Next.

Oh, and this is where the fun happens. I will recommend you guys to go inside that link that I'm gonna provide and just go over each one, okay, so I'm gonna go through this real quick. So you gotta make sure you have person and person for your data source as well as your Metaverse, right. You want to pick AccountName and AccountName on both attributes and click New, OK. Next one that you want to do, still within person, person: DisplayName, DisplayName, and New, OK. Still in person: Email, Email, New again. Still in person: EmployeeID, EmployeeID, New. Person, person: EmployeeType, EmployeeType, New. FirstName, FirstName; LastName, LastName; and every time I'm picking something, like I'm picking LastName, LastName, it's New, OK. ObjectSID, ObjectSID, and New. The next thing that you need to do, we already took care of person; person is considered as the user account within the Microsoft Identity Management world. Next, then we need to do group, so make sure you pick group on the data source as well as the Metaverse, and again AccountName, AccountName, New; DisplayName, DisplayName, New; Email, Email, New; MailNickname, MailNickname, and then click on New; Member, Member; ObjectSID, and both sides have to match, and then hit New. I know, and like all that stuff is here, like, look,
this is what they give you: AccountName, AccountName, DisplayName, DisplayName. I was following all this crap, I'm telling you it's nuts, what a challenge. So once you do all that within the group as well as the person, just click on Next and just make them disconnectors, click Next, and the next thing you want to do is configure the extensions, and then click on Finish, and there you go, right. Now it's gonna start saying Creating, but eventually it's gonna say Idle, and once it says that, that means it's completed; whoa, actually it's completed, you know, creating itself.

So now we need to create another agent, so click on Create; actually, we need to create an AD management agent. So from here click on Create and click on the drop-down, and in the drop-down the option that you want would be Active Directory Domain Services. Give it a name, I gave it MIM AD, click on Next, and then you want to give it your forest name, username, password and domain. Now the username and password should be an account that has full access to your forest, so that's what I did, I provided all that information and I clicked Next. Now, Configure Directory Partitions: you can select your directory partition, and once you select that you just click Next. You know, you don't really need to do anything else here, just click on this and just click on Next, and that's it. From here you don't need to do anything for your provisioning hierarchy, just click on Next. For your object types just make sure you have group and user selected, and then you click Next. For your attributes, okay, there's a crapload of attributes, and again, within this site, which I'm gonna show you guys again, within this site these are all the attributes that you need. Well, this was the AD stuff, see, the AD, these are all the attributes that you need: unicodePwd, company, displayName, employeeID, employeeType, givenName, groupType, blah blah blah, this is everything that you need, okay. So I checked all the ones that I needed, just going real fast, make sure you got objectSid, sAM-
AccountName. I'm just showing you again, the website gives you the list of all of them, I'm just showing you all the ones that I did. All right, once you set all your attributes, for your connector filter you don't need to do anything here, just click on Next. For your join and projection rules you don't have to do anything, click Next. For here click on Next, you don't need to do anything, click Next again, and for your extensions click Finish, and eventually it's gonna say Idle and then you're done, okay.

Now you need to create run profiles for the AD and service agents. Now, for both agents that you created, for the AD as well as the service agent, you need to create five of them, right: one is to import, full sync, sync and import mode, I don't know, I'm going to show you guys, okay. So to create one you highlight whichever one, it doesn't matter which one you do first, both of them are gonna have the same steps. So I did Active Directory Domain Services, the AD one, highlighted it, click on Configure Run Profiles, and you're gonna get a nice little dialog box. Click on New Profile. So the name that I gave it was profile 1 full import, click on Next, hit the drop-down menu and the one that you want would be Full Import (Stage Only), click Next and click Next, click Finish and just make sure you apply it. And then you do it again, New Profile, this one for me is gonna be profile 2, this is going to be a full sync, and just make sure the drop-down stays Full Synchronization, click Next, and again click Finish and hit Apply. New Profile again, this is your third profile, and once you click on that, I called it profile 3 delta import, click Next, on the drop-down make sure it says Delta Import (Stage Only), Next, Finish and Apply. Click New Profile; yes, I had to do all this, this is just ridiculous. New Profile, this is going to be number 4, delta sync, hit the drop-down menu, and, well, hit down, the drop-down menu, sorry, click on the drop-down menu and make sure it is Delta Synchronization and click Next,
then hit finish and then apply it and then you got one more profile last profile this profile will be number 5 and this one would be your exports make sure I say its export next finish and then apply now that's only for active directory you need to do the same steps for your management agent yes you do so highlight it click on configure run profiles and just for the hell of it I just didn't take a snapshot it's the same concept same things that we did click on new profile give it a name make sure you pick your type a first profile should be a full import second should be a full sync third one should be a delta import fourth one should be a delta sync and the last one should be an export ok now create a sync run so now we're going inside the portal now we're physically touching the portal again how awesome is that so within the portal you want to go inside synchronization rules click on that and you want to click on new and you want to give it a name so I gave it a desync you want to make sure that the data flow is inbound click on next you want to go from here your Metaverse resource type your external system as well as your external system resource type the following settings would be a person mint ad which would be the name you provide your crap your agent right and then the the resource type would be user so go all the way all the way to the bottom and hit next for your Metaverse object object person and as well as connected it's both of them going to be identified the relationship between both of them are going to be the object s ID okay you want to create the resource Finn and then click on next alright and for your inbound attribute flow so click on new and you want to do the following click on new hit the drop down menu you want to do the Sam account name go to destination and the destination would be the account name so you're going to constantly do that press ok do the same thing over and over you going to do it to the point that you're gonna do a 1 2 3 4 
5 6 7 times the same if one would be your domain and the attribute flow will be a string you would provide your domain name and then when you go into destination you pick domain ok I just bypassed all that it's the same concept as doing the first one just make sure the last one that you create which is your domain you pick string and then you pick domain for your destination ok click finish and submit and there goes our synchronization rule so time to initialize the environment time to start syncing everything within our ad up to mem and this is where I have problems which is the problem that have is very very common with this type of application and I'm still trying to figure it out ok like this is all new to me I'm still figuring out I was happy to get this up and running there's a couple of bugs that are popping up and they're known bugs in the Microsoft world that a lot of people are still having issues and I'm definitely gonna try to figure it out and push out future videos for you guys of how I fix it within my environment so running it you need to run both of them and eventually when you click on users you should see your users there and that's the last slide holy moly I need a beer I need alcohol in my system the way that you've run the profiles is the following well it really depends there was an article within Microsoft that stated you need to do profile 1 profile to profile 5 pro 4 and then you go to ad sync and then run all five of them then go back into your servers ancient and then run this one but then if you go inside this article and go all the way to the bottom where it says initialize the the agent it tells you to do the import first sync export Delta and then go to the ad and just run export full and full import and then full sync now the problem that I have been having is one it's not working ok duh but if I go inside operations I want to show you guys what I've been having issues and it's the export the export is where I'm having the issue and 
this is this problem right here is very common this has been happening a lot I've been doing a lot of research I've been trying all the all the fixes online and I haven't got it to work yet I mean yes I'm very determined to get this up and running I definitely want my ad stuff to show up on the site I went inside the database it looks like this problem is due to multiple accounts there are duplicates but I have no duplicates with Matt the director is such a small little active director with maybe two accounts it shouldn't have a problem I'm still working on it to get it fully working but I have the site up and running everything is working the only problem is it's just the export portion of it grabbing the information from my ad and then placing it inside the database that's why I'm having problems and there's not a permission thing because I I double-checked all my permissions and it's not that it's something else causing it and I gotta figure it out again once I figure it out I'm gonna post a future video for you guys how to fix it if you guys know about this I'll have tested this out or try them within your environment you want to play around with it hey by all means go for it let me know if you figure it out that'd be so cool it is 9:28 holy moly let's go inside the chat to see who's who's there I am going to I'm gonna end it in a few minutes we have a couple of people I do appreciate everyone watching so I've got a couple of people we have Alex we have Chad we have Joe thank you so much for joining we I know we had a couple people I know the show has run extremely late but all the information provided I mean all the documentation that like the PowerPoint or the PowerShell scripts all the stuff that I'm gonna provide for you guys so you guys can have it and tested I within your environment will be posted at the end of the show and I'm gonna end there right here guys hopefully guys enjoy the video I'll catch you guys on the next one again first quarter of the 
year my goal is to get 50,000 subscribers that'd be so awesome if we could reach that if not we're gonna push it hard hopefully guys enjoy the show I don't know if I'm gonna be doing something next week I don't know I don't know hopefully you guys I don't know I'll catch you guys on the next one again make sure to come back there will be a link at the bottom of the video and the description that would take you to my github repository where all the files are gonna be located so you guys could grab a copy of it play around with it break your break whatever you need a break and test it out hopefully you guys enjoy and I catch you guys on the next one I am tired I'm really tired right now all right guys thank you so much I always forget how to end this mm-hmm all right I'm out of here later it's over why he's not over you I'm really tired all right Marty
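The run-profile sequence the video walks through, scripted with PowerShell as an added example (not the video's files and not Microsoft's code). It assumes the MIM Synchronization Service WMI provider is reachable on the sync server, that the management agent and run profile names in $plan are edited to match the ones you created (the names below are placeholders), and that the run order is the "initialize" sequence described above; it stops on the first run that does not end in success so the failing step (the export, in the video's case) can be examined under Operations.

```powershell
# Added example: drive MIM run profiles through the MIIS WMI provider.
# Assumption: run profile names and MA names match what you created in
# Synchronization Service Manager; edit $plan before running.
$ns = 'root\MicrosoftIdentityIntegrationServer'

# Placeholder names; order follows the initialize sequence from the video.
$plan = @(
    @{ MA = 'MIM Service';      Profiles = @('Profile 1 Full Import', 'Profile 2 Full Sync',
                                             'Profile 5 Export',      'Profile 3 Delta Import') },
    @{ MA = 'Active Directory'; Profiles = @('Profile 1 Full Import', 'Profile 2 Full Sync',
                                             'Profile 5 Export',      'Profile 3 Delta Import',
                                             'Profile 4 Delta Sync') }
)

function Invoke-MimRunProfile {
    param([string]$MaName, [string]$ProfileName)
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found in $ns" }

    Write-Host "[$MaName] running '$ProfileName' ..."
    # Execute() blocks until the run finishes and returns the run status string.
    $status = $ma.Execute($ProfileName).ReturnValue
    Write-Host "[$MaName] '$ProfileName' -> $status"
    return $status
}

foreach ($step in $plan) {
    foreach ($profile in $step.Profiles) {
        $status = Invoke-MimRunProfile -MaName $step.MA -ProfileName $profile
        # Anything other than 'success' (for example completed-export-errors)
        # is left for inspection in Operations rather than continuing blindly.
        if ($status -ne 'success') {
            $last = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory -Filter "MaName='$($step.MA)'" |
                    Sort-Object RunStartTime -Descending | Select-Object -First 1
            throw "[$($step.MA)] '$profile' ended with '$status'; last run history status: $($last.RunStatus)"
        }
    }
}
Write-Host 'Initial synchronization finished; check Users in the MIM portal.'
```

Run it from an elevated PowerShell session on the synchronization server with an account that is a member of the MIM sync administrators group, since the WMI provider enforces that membership.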
Info
Channel: BTNHD
Views: 32,554
Keywords: TSR, The Server Room, btnhd, bjtechnews, Bernardo Arocho, Install MIM 2016, Configure MIM 2016, Install MIM 2016 SP1, Configure MIM 2016 SP1, Install SharePoint 2010, SharePoint Foundation 2010 MIM, MIM 2016 requirements, How to MIM install, how to install MIM 2016, Microsoft Identity Manager, Microsoft Identity 2016, How to Identity Manager
Id: UAC7DsX3ZcQ
Length: 89min 33sec (5373 seconds)
Published: Fri Feb 02 2018