##Article in progress##

This article covers the following topics:



Introduction

It may sound strange, and it is a somewhat controversial way of supporting the FIM product, but uninstalling FIM properly is part of the FIM administrator's job too.
There might be various reasons to remove the product from your environment.
- after a merger, the product is migrated to another FIM installation on another network
- only particular and limited functionality is used (and more specifically served by another product)
- functionality is phased out, installed functions are not used anymore
- (feel free to add more scenarios in here)

Whatever the reason, you should do it properly and thoroughly.
What are the things you should think about?
It's not as simple as reversing the installation procedure.

Backup

 

Inventory

  • Servers
  • Databases
    • FIM Service
    • FIM Sync
    • SharePoint
  • FIM security groups
    • FIM Sync Admins
    • FIM Sync Browse
    • FIM Sync Joiners
    • FIM Sync Operators
    • FIM Sync Password Set
  • Service accounts
    • FIM Service
    • FIM Sync
    • FIM Portal (SharePoint/IIS)
    • SharePoint application pool account
    • FIM MA account
    • Management agent accounts
  • Client SW
  • AD security
    • Service account rights & permissions on OUs
    • Replicating directory changes rights
    • SPN settings
    • Service settings
  • Certificate

Mailbox on Exchange

Removing components

  • Uninstall FIM Portal
  • Uninstall Password reset & Password registration portal
  • Uninstall FIM Service
  • Uninstall FIM Sync
  • Remove DB
  • Uninstall SQL
  • Uninstall PCNS
  • Uninstall SharePoint Foundation
  • Remove client software
  • Remove FIM SPN configuration
    • setspn -l servi
    • setspn -S FIMService/<alias> <domain>\<serviceaccount>
  • Remove service account rights from AD
  • Check for Kerberos delegation
    • Turn on Kerberos delegation for the FIM Service and FIM Password service accounts in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.
  • Remove service accounts
  • Remove SQL Server alias information
  • setspn.exe -S HTTP/<ssprPortalHostHeaderName> <domain>\<ssprPortalMachineAccount$>
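
An added example (not from the original article or from Microsoft's documentation) for the SPN and Kerberos delegation items above: it reports, then clears, the SPNs and delegation settings left on a FIM service account before the account is removed. `setspn -S` registers an SPN; this script removes them instead. It assumes the ActiveDirectory PowerShell module and user (not machine) service accounts; the account names are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Account names used at the bottom are placeholders.

function Get-FimAccountKerberosState {
    # Report the SPNs and delegation settings still attached to one user account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Account            = $u.SamAccountName
        SPNs               = [string[]]@($u.ServicePrincipalName)
        Unconstrained      = [bool]$u.TrustedForDelegation        # "delegation to any service"
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation
        DelegatesTo        = [string[]]@($u.'msDS-AllowedToDelegateTo')  # constrained targets
    }
}

function Remove-FimAccountKerberosConfig {
    # Clear SPNs and delegation from the account; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $s = Get-FimAccountKerberosState -SamAccountName $SamAccountName

    if ($s.SPNs.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($SamAccountName, "Remove SPNs: $($s.SPNs -join ', ')")) {
        Set-ADUser -Identity $SamAccountName -ServicePrincipalNames @{ Remove = $s.SPNs }
    }
    if ($s.DelegatesTo.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($SamAccountName, 'Clear constrained delegation targets')) {
        Set-ADUser -Identity $SamAccountName -Clear 'msDS-AllowedToDelegateTo'
    }
    if (($s.Unconstrained -or $s.ProtocolTransition) -and
        $PSCmdlet.ShouldProcess($SamAccountName, 'Turn off delegation trust flags')) {
        Set-ADAccountControl -Identity $SamAccountName `
            -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    }
    # Return the state after the change so it can be kept with the uninstall record.
    Get-FimAccountKerberosState -SamAccountName $SamAccountName
}

# Inventory first, then preview the change without applying it.
'svc-fimservice', 'svc-fimsync' | ForEach-Object { Get-FimAccountKerberosState $_ }
Remove-FimAccountKerberosConfig -SamAccountName 'svc-fimservice' -WhatIf
```

Run the inventory before uninstalling and keep its output with the backup, so the settings that were removed are documented.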

To check the SQL Server alias that Setup uses to contact the server running SQL Server:

  1. Start the SQL Server Configuration Manager.

  2. Navigate to SQL Native Client 10.0 Configuration/Aliases.

  3. Create a new alias with your server information.


Remove leftover files after uninstalling
- logs
- MA data

Hints & tips

Source references

Uninstalling Forefront Identity Manager 2010 R2
http://technet.microsoft.com/en-us/library/jj200258(v=ws.10).aspx

 To configure IIS to use the service account for Kerberos delegation, set useAppPoolCredentials as described in Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=188290).

See also