Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

  • Home
  • Blog
  • FIM Optimization & Performance Best Practices

FIM Optimization & Performance Best Practices

The goal of this article is to provide a checklist for validating Microsoft’s Forefront Identity Manager’s (FIM) configuration for optimal performance. As there are many different technologies involved in a FIM deployment, I thought it would be helpful to compile a list of articles that would be useful for planning or troubleshooting performance related issues.

This post provides a significant number of things to consider in planning and/or performance optimization of a FIM solution. As with any guidance of this nature, the guidance provided in this article may not apply to all situations and should be earnestly evaluated for applicability against the current design. This document is not specifically arranged in any order or priority, but is intended to form a comprehensive listing of items that may be decreasing performance.

Virtualization

Best Practices

To start out, follow your virtualization platform’s best practices. Best practices generally result in better performance and stability. The following links will guide you to best practices recommendations:

Integration Services

  • Integration services should be installed on each VM Guest
  • Integration services should be the correct version for the hypervisor

Virtual processors

  • Over-committing virtual processors (assigning more processor cores to the guest than are can be made consistently available due to other process usage) can create latency in fulfilling requests in performance systems. For instance, having four (4) virtual machines with four (4) processors when there are only eight (8) cores.
As such, add only the number of virtual processors needed to support the solution. In over-committed cases, adding processors to the VM guest will have a negative impact because the VM Host must wait for all of the resources to become available to fulfill the VM guest’s request.  In performance scenarios, such as SQL server, try to keep the assignment of virtual CPUs (vCPU) mapped to the number of actual processor cores. This practice reduces the possible consolidation, but helps to ensure performance is maintained without the induced latency of waiting on processor resources.

If you need to over-commit processors, please read the next item (CPU Ready Time) for how to detect a stalled condition.

  • Review the CPU Ready Time (VMWare) or Virtual Processor\CPU Wait Time Per Dispatch (Hyper-V) on a regular basis to ensure that the solution is not stalled waiting for processor time
    • This post provides the following guidance on the meaning of the CPU Ready Time counter:
“At one point VMware had a recommendation that anything over 5% ready time per vCPU was something to monitor. In my experience for a SMP SQL VM, anything over 5% per vCPU is typically a warning level and anything over 10% per vCPU is critical.” (Kehayias, CPU Ready Time in VMware and How to Interpret its Real Meaning, 2012
 

Virtual Memory

  • Overcommitting memory is a useful virtualization capability when used properly. Overcommitting should be avoided in situations where VM guests routinely have extended periods where they need the RAM for application purposes. However, SQL server is an application that is likely to use memory for extended periods of time and may experience performance penalties due to swapping.
SQL Server makes performance and optimization decisions based on how much physical memory it “thinks” that it has. SQL is unaware of being virtualized and can suffer severe performance issues if the virtualized memory it is using is not backed by dedicated physical memory. By default, SQL expands its memory footprint to take all the memory it can based on how much memory it “thinks” that there is. Configuring SQL Server to use a fixed amount of memory can help in situations where apparent available physical memory is not the same as actual available physical memory.

Antivirus Exclusions

Properly configuring the antivirus client can dramatically reduce the time that resources are locked while real-time scanning is occurring. Use the following configuration information to improve performance by reducing wait times for locked resources:

Hyper-V

The following recommendations for configuring the antivirus client for the Hyper-V role are taken from WINDOWS ANTIVIRUS EXCLUSION RECOMMENDATIONS (Helmick, 2014).

Process exclusions

  • Vmms.exe
  • Vmwp.exe

File Type exclusions

  • AllVHD,VHDX,AVHD,VSV and ISO files
    • *.vhd
    • *.vhdx
    • *.avhd
    • *.vsv
    • *.iso

Directory exclusions

  • Default virtual machine configuration directory: C:\ProgramData\Microsoft\Windows\Hyper-V
  • Custom virtual machine configuration directories
  • Default virtual hard disk drive directory: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks
  • Custom virtual hard disk drive directories
  • Custom replication data directories, if you are using Hyper-V Replica
  • Snapshot directories
  • C:\Clusterstorage and all subdirectories (if using Live Migration together with Cluster Shared Volumes)

Note: The paths shown below are default paths and may have been modified in your installation.

SQL 2012

The following recommendations for configuring the antivirus client for the SQL application are taken from WINDOWS ANTIVIRUS EXCLUSION RECOMMENDATIONS (Helmick, 2014).

Process exclusions (SQL 2012)

  • %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe

Clustering

In the event you are using a Windows cluster, the following best practices should be used (Antivirus software that is not cluster-aware may cause problems with Cluster Services, 2012)

  • Antivirus software must be cluster aware
  • Exclude the following locations:
    • Q:\ (Quorum drive)
    • C:\Windows\Cluster
    • Temp directory of the SQL cluster’s service account

File Type exclusions

  • SQL Server data files
    • *.mdf
    • *.ldf
    • *.ndf
  • SQL Server backup files
    • *.bak
    • *.trn
  • Full-Text catalog files locations: (File Locations for Default and Named Instances ofSQL Server)
    • Default instance: Program Files\Microsoft SQL Server\MSSQL\FTDATA
    • Named instance: Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA
  • Trace files
    • *.trc – these files can be generated either when you configure profiler tracing manually or when you enable C2 auditing for the server.
  • SQL audit files (forSQL Server 2008 or later versions)
    • *.sqlaudit
  • SQL query files
    • *.sql

Directory exclusions

  • Analysis Services data
    • Default location is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data.
  • Analysis Services temporary files
    • Default location is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data.
  • Analysis Services backup files
    • Default location is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Backup
  • Analysis Services log files
    • Default location is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Log
  • Filestream data files (SQL 2008 and later versions)
  • Remote Blob Storage files (SQL 2008 and later versions)
  • Reporting Services temporary files and Logs (RSTempFiles and LogFiles)

Note: The paths shown above are default paths and may have been modified in your installation.

IIS

The following recommendations for configuring the antivirus client for the IIS role are taken from WINDOWS ANTIVIRUS EXCLUSION RECOMMENDATIONS (Helmick, 2014).

Process exclusions

  • %systemroot%\system32\inetsrv\w3wp.exe
  • %systemroot%\SysWOW64\inetsrv\w3wp.exe

Directory exclusions

  • IIS compression directory: %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files

SharePoint Foundation 2013

The following recommendations for configuring the antivirus client for the SharePoint application are taken from WINDOWS ANTIVIRUS EXCLUSION RECOMMENDATIONS (Helmick, 2014).

FILE AND DIRECTORY EXCLUSIONS

Web Server Extensions

  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
  • If you do not want to exclude the whole Web Server Extensions folder fromantivirus scanning, you can exclude only the following two folders:
    • * Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Logs
    • * Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Data\Applications

SharePoint Application Pool identity

  • Note: If you use a specific account forSharePoint services or application pools identities, you may also have to exclude the following folders:
    • * Drive:\Users\ServiceAccount\AppData\Local\Temp
    • * Drive:\Users\Default\AppData\Local\Temp

Forefront Identity Manager (FIM)

The following directory exclusions can be used to minimize the scanning of solution files during FIM’s processing:

FIM Synchronization Engine Directory exclusions

  • Exclude the FIM Binaries: C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\
  • Exclude any clients needed for management agents:
    • Notes Client: E:\Notes
    • Oracle Binaries: E:\Oracle

FIM Service Directory exclusions

  • Exclude the FIM Binaries: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service

SQL Configuration

The proper configuration and optimization of the SQL Server is critical for achieving the best possible performance of FIM. If performance problems are occurring, I would validate the SQL configuration first. The items listed below are not in any particular tuning priority order. Each item should be considered when validating the SQL server’s configuration.

Antivirus Configuration

  • Follow the best practices mentioned in the tuning of the SQL server’s antivirus client listed in the previous section.

Disk Alignment

  • All disk partitions should be validated for disk alignment offset issues prior to performing any installs. This is especially true for all partitions created by a Windows OS prior to Windows 2008. Disk Partition Alignment Best Practices for SQL Server (May & Lee, 2009) offers prescriptive guidance for how to detect and fix this issue. Even though this is written for SQL 2008, the guidance still applies for newer versions of SQL.
  • Underneath logical disk partitions are performance impacting items such as RAID block size and physical hard drive sector size. Guidance varies between RAID vendors and hard drive manufacturers. Check with the appropriate vendor sources to ensure that the physical implementation of your logical disk space is optimized.

Disk I/O

  • Disk I/O per second (IOPs) should be carefully thought through and properly engineered. Do not assume that the SAN offers unlimited IO or that the SAN’s configuration is ideal for what the design requires.
  • The underlying disk subsystem and RAID levels are extremely important in optimizing disk performance. This statement is particularly true when using physical servers with locally attached storage. SAN vendors typically provide tuning guidance for the SAN configuration to optimally support applications such as SQL server.
  • A SQL server has different IO usage patterns. These usage patterns can benefit from using different performance tiers of disks. SQL SERVER – Virtualized SQL Server Performance and Storage System – Notes from the Field #013  suggests separating SQL components onto different virtual disks with different storage characteristics. (e.g. SQL database needs fast disk, whereas SQL Backup doesn’t need the fast disk but it needs lots of disk space).
  • The following counters are useful in detecting diskIO issues:
    • Logical Disk – Avg. Disk Queue Length > 1 indicates a sustained backlog of IO requests
    • Logical Disk – Split I/O – useful in detecting fragmentation
    • Logical Disk – %Disk Time >= 80%

Disk Fragmentation

  • Defragment both the Virtual Host and the Virtual Guest’s disks to reduce fragmentation
  • Use a commercial disk defragmentation utility that can defragment large files. The default OS defragmentation software is not capable of performing large file defragmentation (> 64MB) which can leave large files such as a database spread across non-contiguous space.
  • Physical Disk (Virtual Host)
    • Physical disks can become fragmented when large files such as Virtual Hard Drives (VHDs) are expanded.
    • Pre-size the virtual disk files to their intended size. Do not allow the VHDs to auto-grow.
    • Defragment the physical volumes if the virtual hard drives are resized to maintain contiguous disk usage.
    • Do not place virtual disks on system partitions
  • Virtual Disk
    • Schedule defragmentation during off hours when backups are not occurring.
    • Limit the number of virtual disks for simultaneous defragmentation to reduce IO load on disk subsystem.
    • Defragment the volumes prior to install, after install, and after pre-sizing the database
    • Avoid defrag on VM Guests that have a Snapshot. Defragging can make the snapshot grow.
    • Page files should be placed onto their own virtual disk to reduce system partition fragmentation
  • Database file fragmentation
    • Data base files are typically larger files that are placed on physical or logical drive volumes and cannot be easily defragmented using the operating system defragmentation tools. If these files grow, it is possible for the databases themselves to be split into non-contiguous disk space thereby slowing performance. If this has happened, it is recommended that a commercial grade defragmentation software be used to reduce the fragmentation. To reduce the occurrence of fragmentation caused by database growth, see “Pre-sizing the databases” for more information.

Pre-sizing the databases

  • Pre-size the FIM databases with the initial size from lab environment. Pre-sizing the database to the expected size reduces future disk fragmentation when other files exist on the same volume. For instance, if there are two databases on the same volume, when one database grows it may need to utilize non-contiguous space for the growth. Pre-sizing allows for the databases to reach their intended size without needing to expand into non-contiguous space.
  • Ideally a pre-sized database shouldn’t grow, but events often conspire that prevent us from staying within the boundaries set during the initial sizing. It is recommended that the DBA allow growth by larger blocks (500 MB) to avoid constantly growing the database during processing cycles. This practice also helps to reduce disk fragmentation as well.
  • The following commands can be used to expand the size of the databases & log files as well as change the growth patterns:
Alter Database FIMSYNCHRONIZATION modify file (NAME= FIMSYNCHRONIZATION, SIZE = 8192, FILEGROWTH = 500)
Alter Database FIMSYNCHRONIZATION modify file (NAME= FIMSYNCHRONIZATION_LOG, SIZE = 8192, FILEGROWTH = 500)
Alter Database FIMSERVICE modify file (NAME=FIMSERVICE, SIZE = 8192, FILEGROWTH = 500)
Alter Database FIMSERVICE modify file (NAME=FIMSERVICE_LOG, SIZE = 8192, FILEGROWTH = 500)

Temp DB

  • Consult with the DBA as to the appropriate size and number of Temp DB files that should be added to the solution. A general rule of thumb is one Temp DB per processor core provided that the disk subsystem can efficiently support the IO requests of multiple files. The idea is to maximize the throughput to the Temp DB to increase the performance of the application.
  • Temp DBs should be placed on a fast disk as it is heavily used by the FIM Service
  • Standardize the size of the default Temp DB to the size of the additional temp DBs that will be created. Remember to size according to typical size and growth patterns.
The following T-SQL will modify the size of the default Temp DB to a one (1) GB file that grows in five-hundred (500) MB increments:
ALTER DATABASE TempDB
MODIFY FILE (NAME = TempDev , SIZE = 1024 MB, FILEGROWTH=500 MB);
ALTER DATABASE TempDB
MODIFY FILE (NAME = Templog, SIZE =1024 MB, FILEGROWTH=500 MB);
  • Add additional Temp DBs per the DBA’s recommendation.
The following T-SQL will create the second, third, and fourth temp DB files:
ALTER DATABASE tempdb
ADD FILE (NAME = tempdev2, FILENAME = ‘F:\MSSQL11.MSSQLSERVER\MSSQL\Data\tempdb2.ndf’, SIZE = 1024,FILEGROWTH=500 MB);
ALTER DATABASE tempdb
ADD FILE (NAME = tempdev3, FILENAME = ‘F:\MSSQL11.MSSQLSERVER\MSSQL\Data\tempdb3.ndf’, SIZE = 1024,FILEGROWTH=500 MB);
ALTER DATABASE tempdb
ADD FILE (NAME = tempdev4, FILENAME =
‘F:\MSSQL11.MSSQLSERVER\MSSQL\Data\tempdb4.ndf’, SIZE = 1024,FILEGROWTH=500 MB);
GO
  • In a SQL cluster, use Local Disks for Temp DBs (new feature in SQL 2012)

SQL Fragmentation

SQL fragmentation is when indexes and catalogs become heavily fragmented. SQL uses this to boost the performance of queries. To keep SQL performing optimally, it is good practice to rebuild indexes and full text catalogs on a routine basis.

  • Index fragmentation
    • Create a weekly maintenance plan to Rebuild Indexes and Update Statistics for all User databases.

FIM Specific guidance

FIM Versions

  • Ensure all FIM components are running the same version levels across the solution. (FIM Synchronization Engine, FIM Service, FIM Client, etc…)

FIM Best Practice Analyzer

FIM Sync

  • Ensure all attributes that are used in “Joins” or metaverse searches are properly indexed in the metaverse configuration for the attribute.
  • Remove indexing from any metaverse attributes that are not active using this in Joins or metaverse searches.
  • Evaluate “out of band” coding activities. Calls made to systems inside of the FIM provisioning code to external resources (AD, SQL database) are latency expensive. Even small delays (10 milliseconds) add up when performed on thousands of objects.  Make judicious use of “out of band” activities. Consider the use of custom workflows to deliver the functionality made in the out of band activity.
  • If external resources (e.g. SQL database) must be called during an “out of band” coding activity, then the setup and takedown of connections to these external resources needs to be done in the “Initialize” and “Terminate” methods for the extension, and not the “Provision” or “Flow” methods. For code that is not thread safe, pooling or caching should be implemented.
  • Evaluate the performance of “in bound” logic. Poorly tuned .NET code (even if it never leaves the process context of the sync engine) has a big impact. Even simple stuff like using string flags (“Y”/”N”) vs Boolean values can make a big difference in the overlying performance.
  • If there are a large number of valid dis-connectors use the filter feature Declared (Import Filter) in place of the filter feature Declared. This can dramatically speed up synchronization times as the objects do not need to be processed during the cycle. More information about this topic can be found here (Drewes, 2012).

FIM Service

  • Remove SharePoint Foundation Search service
  • Enable only the needed MPRs for the solution. Disable MPRs that are not needed for the solution, such as an “All Powerful MPR” that may have been created for troubleshooting FIM permissions issue as these MPRs will create multiple requests for each transaction.
  • Remove any unnecessary Sets from the solution
  • Ensure that there are not any circular MPRs by ensuring that the MPR filters are as narrowly defined as possible to avoid overlap which may result in a circular loop
  • Ensure that client update requests only update attributes that are actually changing. For instance, setting an attribute to the value that it already is will kick off MPRs that likely don’t need to run.
  • Ensure that the minimum number of requests that are needed to solve the business problem are used (combine multiple attribute updates to the same object into a single request).
  • Combine multiple attribute updates into single requests. This means that the built in function evaluator should be avoided when updating multiple attributes on the same object. Instead use the WAL, another 3rd party activity, or write your own.
  • Consider use of FIM Service partitions to spread the request load across multiple instances of the FIM Service
  • For bulk operations, consider the use of a web services client to talk to the FIM Service directly instead of the PowerShell cmdlets

FIM Database guidance

  • In some cases, it makes sense to separate the synchronization engine and FIM Service databases onto separate servers. It should be noted that data from one database is flowing into or out of the other database. If resource constraints occur on one database, it will cause performance issues with the other database.
  • SCSM databases should ideally be placed on a different SQL server from the FIM Service database due to potential resource constraints issues as mentioned in the FIM Sync/FIM Service database discussion above.
  • If virtualizing the servers, you need to pay special attention to the underlying hardware. For instance, if you have three separate SQL servers on the same physical host or using the same disks, you might not get the performance you expect due to resource constraints.

Works Cited

Antivirus software that is not cluster-aware may cause problems with Cluster Services. (2012, August 17). Retrieved from https://support.microsoft.com/kb/250355

Bradley, B. (2014, Jan 1). How to Automate the Rebuilding of FIM Full Text Indexes. Retrieved from https://social.technet.microsoft.com/wiki/contents/articles/5701.how-to-automate-the-rebuilding-of-fim-full-text-indexes.aspx

Drewes, F. (2012, Jan 8). Pre-Import Filtering of AD objects in FIM 2010 R2. Retrieved from https://social.technet.microsoft.com/wiki/contents/articles/6600.pre-import-filtering-of-ad-objects-in-fim-2010-r2.aspx

File Locations for Default and Named Instances of SQL Server. (n.d.). Retrieved from https://msdn.microsoft.com/en-us/library/ms143547%28v=sql.110%29.aspx

FIM Best Practice Analyzer for FIM 2010 R2. (n.d.). Retrieved from https://technet.microsoft.com/en-us/library/jj203402%28v=ws.10%29.aspx

Helmick, B. (2014, January 16). Comprehensive AV Exclusion document. Retrieved from https://sdrv.ms/LES7gB

Kehayias, J. (2012, November 29). CPU Ready Time in VMware and How to Interpret its Real Meaning. Retrieved from https://www.sqlskills.com/blogs/jonathan/cpu-ready-time-in-vmware-and-how-to-interpret-its-real-meaning/

Kehayias, J. (2013, November 13). Hyper-V Equivalent to VMware CPU Ready Time. Retrieved from https://www.sqlskills.com/blogs/jonathan/hyper-v-equivalent-to-vmware-cpu-ready-time/

Klee, D. (2012, December 12 17). CPU Overcommitment and Its Impact on SQL Server Performance on VMware. Retrieved from https://www.davidklee.net/2012/12/17/cpu-overcommitment-and-its-impact-on-sql-server-performance-on-vmware/

May, J., & Lee, D. (2009, May). Disk Partition Alignment Best Practices for SQL Server. Retrieved from https://msdn.microsoft.com/en-us/library/dd758814.aspx

Performance Best Practices for VMware vSphere 5.5. (n.d.). Retrieved from https://www.vmware.com/pdf/Perf_Best_Practices_vSphere5.5.pdf

Performance Best Practices for VMware vSphere™ 5.0. (n.d.). Retrieved from https://www.vmware.com/pdf/Perf_Best_Practices_vSphere5.0.pdf

Pinal, D. (2014, January). SQL SERVER – Virtualized SQL Server Performance and Storage System – Notes from the Field #013. Retrieved from https://blog.sqlauthority.com/2014/01/30/sql-server-virtualized-sql-server-performance-and-storage-system-notes-from-the-field-013/

SQL SERVER – vCPUs – How Many Are Too Many CPU for SQL Server Virtualization ? – Notes from the Field #003. (n.d.). Retrieved from https://blog.sqlauthority.com/2013/11/21/sql-server-vcpus-how-many-are-too-many-cpu-for-sql-server-virtualization-notes-from-the-field-003/

Windows Server 2012 Hyper-V Best Practices. (n.d.). Retrieved from https://blogs.technet.com/b/askpfeplat/archive/2013/03/10/windows-server-2012-hyper-v-best-practices-in-easy-checklist-form.aspx

SQL SERVER – Virtualized SQL Server Performance and Storage System – Notes from the Field #013 (Pinal, 2014)

 

Thank you to Rex Wheeler and Sami Van Vliet for their assistance with this guide.