Thursday, September 26, 2019

Upgrade FIM 2010R2 Certificate Manager to MIM 2016 SP1

I recently ran this scenario through a lab, where I had a Windows 2008R2 server with a FIM 2010R2 instance at a pretty low patch level, along with a CM client installed on the same machine.  Going through the upgrade, I followed roughly these steps:

1) Upgrade of the FIM 2010R2 server components to the last released patch level (4.1.3766.0).  This step may not have been necessary, but I did it just in case it's relevant.

2) Install .NET Framework 4 on the CM server and CA if they don't have it already.  It is a prerequisite for MIM 2016 SP1.

3) Install of MIM 2016 SP1 CM server component over the top of the existing installation.  The component list of the installer defaults to trying to install the CA module component.  You can uncheck that.  There will be a notice about reusing the database and a warning regarding that.  The install itself went smoothly.  The only issue on the CM server was that the IIS application pool's identity was changed from my service account to LocalSystem.  So this will need to be manually fixed.  After install of the CM web server components, run the same installer on the certificate authority that you point to.  Again, this was smooth.  You will need to unselect the installer components that you don't want.  There's a checkbox option regarding keeping your old settings.  Restart the cert services when done.  For both of these components, I don't believe a reboot was required (all card operations still worked); however, if you run some other installer afterwards it may tell you that a reboot is needed.

4) At this point I did an in-place OS upgrade to 2012R2 on the CM server.  Again, no issues here.  All the components for the server and the CM client were fine after the upgrade.  The only issue was that the IE security settings for the trusted zone were changed and I had to do some fixes there.

5) Patch both the CM server and CA server to the latest patch level.  In my case I took it directly to 4.5.412.0.  Again, no reboots were required.  Everything continued working fine for card operations that I tested throughout the whole process.

Also note: I did not upgrade the CM client during any of the stages above, while I was still able to perform card enrollment/renewal and such on my physical cards at each step.  For the CM client upgrade, you can't directly upgrade from FIM2010 versions to MIM2016 versions.  You need to uninstall the old client and then put on the 2016 SP1 version.  Surprisingly, neither of these two operations required a reboot.  I tried taking this directly to the same MIM patch version as the server, but ran into DLL dependency errors.  So I went to v4.4.1749.0 instead (reboot required).  The few MIM patches released since then have various .NET Framework version and Visual C++ install dependencies, so I'm assuming the client might be impacted by these dependencies, while the server component installers and patches did not require them.
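
Step 3 notes that the installer switched the IIS application pool identity from the service account to LocalSystem.  The PowerShell below is an added example, not part of the original post, that checks the pool identity on the CM server and sets it back to a named account.  The pool name `CLMAppPool` and the account `CONTOSO\svc-cmweb` are assumptions; replace them with the values from your own installation.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and repair the CM web application pool identity after the upgrade.
Import-Module WebAdministration

$PoolName        = 'CLMAppPool'          # assumed pool name; confirm in IIS Manager
$ExpectedAccount = 'CONTOSO\svc-cmweb'   # placeholder service account

function Get-PoolIdentity {
    # Read the processModel section of the pool and return the identity fields.
    param([string]$Name)
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$Name" -Name processModel
    [pscustomobject]@{
        Pool         = $Name
        IdentityType = "$($pm.identityType)"
        UserName     = $pm.userName
    }
}

function Test-PoolIdentity {
    # True only when the pool runs as the expected named account.
    param($Identity, [string]$Expected)
    ($Identity.IdentityType -eq 'SpecificUser') -and ($Identity.UserName -ieq $Expected)
}

$current = Get-PoolIdentity -Name $PoolName
$current | Format-List

if (Test-PoolIdentity -Identity $current -Expected $ExpectedAccount) {
    Write-Output "OK: $PoolName runs as $ExpectedAccount."
    return
}

Write-Warning "$PoolName runs as $($current.IdentityType) $($current.UserName); expected $ExpectedAccount."

# Prompt for the password instead of storing it in the script.
$cred = Get-Credential -UserName $ExpectedAccount -Message 'Password for the CM web pool account'

Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3   # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

Restart-WebAppPool -Name $PoolName
Get-PoolIdentity -Name $PoolName | Format-List
```

Running it again after step 5 shows whether the later patch changed the identity as well.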
