Channel: Forum Microsoft Identity Manager

Running Management Agents Asynchronously from Powershell


Anybody have a good solution for running multiple Management Agents asynchronously from Powershell for Import operations?

My understanding is that you can run any number of Imports (not sync's) at any given time. If that's the case then running multiple Imports asynchronously would save time for things like Full Imports from a handful of Management Agents.

I was able to come up with this solution, which leverages Powershell Jobs (since you can't really do any type of threading in Powershell); it seems to work ok.

# The names of all the Management Agents for which you want to run a simultaneous Import (**NOT SYNC**)
$runList = @("FIM Service", "ADMA", "ADLDS", "SQL Server", "GAL Sync")
$jobs = @()
$syncService = Get-WmiObject -Namespace "root\microsoftidentityintegrationserver" -Class "MIIS_ManagementAgent"
# Only start jobs for the agents named in $runList
$syncService | Where-Object { $runList -contains $_.Name } | % {
	# One background job per MA; the MA's WMI path reaches the job through $input
	$jobs += Start-Job -InputObject $_.__PATH -Name ($_.Name) -ScriptBlock {
		Invoke-WmiMethod -Path $input -Name Execute -ArgumentList "Full Import"
	}
}
# You can either do other stuff while the import runs, or wait for all of them to complete
$jobs | Wait-Job

Just curious if anyone has any other suggestions, improvements or ideas.
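
A variant of the job-based approach in the post above, added here as an example and not part of the original post: it starts jobs only for the agents named in $runList and collects each run's status string instead of only waiting. It assumes every listed agent has a run profile named "Full Import"; $runProfile, $results and the other variable names are illustrative.

```powershell
# Added example, not the poster's code.
# Assumption: each MA in $runList has a run profile called "Full Import".
$runList    = @("FIM Service", "ADMA", "ADLDS", "SQL Server", "GAL Sync")
$runProfile = "Full Import"

$allMAs = @(Get-WmiObject -Namespace "root\MicrosoftIdentityIntegrationServer" `
                          -Class "MIIS_ManagementAgent")
$knownNames = @($allMAs | ForEach-Object { $_.Name })

# Stop before starting anything if a requested name matches no MA (typo, renamed MA)
$missing = @($runList | Where-Object { $knownNames -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Unknown management agent(s): $($missing -join ', ')"
}

# One background job per requested MA; path and profile are passed as arguments
$jobs = @(foreach ($ma in ($allMAs | Where-Object { $runList -contains $_.Name })) {
    Start-Job -Name $ma.Name -ArgumentList $ma.__PATH, $runProfile -ScriptBlock {
        param($maPath, $profileName)
        # Execute blocks until the run ends; ReturnValue carries the run status string
        (Invoke-WmiMethod -Path $maPath -Name Execute -ArgumentList $profileName).ReturnValue
    }
})

# Wait for every import, then pair each MA name with the status its run returned
$results = @(foreach ($job in ($jobs | Wait-Job)) {
    $status = if ($job.State -eq 'Completed') { Receive-Job -Job $job } else { "job $($job.State)" }
    New-Object PSObject -Property @{ ManagementAgent = $job.Name; Status = "$status" }
})
$jobs | Remove-Job

$results | Format-Table ManagementAgent, Status -AutoSize

# Any status other than "success" (warnings, errors, stopped runs, an empty
# result from a failed WMI call) should be checked in the MA's run history
$needsReview = @($results | Where-Object { $_.Status -ne 'success' })
if ($needsReview.Count -gt 0) {
    $names = ($needsReview | ForEach-Object { $_.ManagementAgent }) -join ', '
    Write-Warning "Imports needing review: $names"
}
```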


FIM_TemporalEventsJob

After migrating to FIM 2010 R2, I recently noticed that most of the employees are not getting disabled timely.

I have used time based sets based on the LastWorkingDate attribute.
I found that though the users are members of sets (when we select and open the time based sets we can find the users as member of set), time based MPRs are not triggered for them.
After exploring more, I found that the SQL job FIM_TemporalEventsJob has not run since I upgraded. Though the job is scheduled to run at 1 am, it never got invoked!!

I seek advice in deciding -
-   Should I manually run the job and then reschedule it for a specific time of the day?
-   Will running the job at this time trigger the pending time based MPRs in bulk (which should have already triggered earlier) for all the users who should have been disabled?

Please provide your valuable advice. This is a production environment.

Mayank Vaish

Error Creating Criteria-based security group in FIM 2010 R2 SP1


I have a security group I created in AD. It flows all the way into the portal just fine, just like my other security groups. This one group I want to make criteria-based. I go to the portal and change the member selection to Criteria-Based. I change the members to be based on the OfficeLocation attribute. I click OK, then Submit, and immediately I get an error message, so I doubt it's a timeout. The other thing I noticed: if I go to "Search Requests" and All From Today, the requested change to the group does not exist.

Here is the error in the portal after clicking submit:
========================================================================
Error processing your request: The server was unwilling to perform the requested operation.
Reason: Unspecified.
Attributes:
Correlation Id: 01acb001-99f4-4bd6-9579-de42b6562b7b
Request Id:
Details: Request could not be dispatched.
=======================================================================

The error in the Windows Application Event log at the same time is:
=======================================================================

The Portal cannot connect to the middle tier using the web service interface.  This failure prevents all portal scenarios from functioning correctly.

The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration.

Ensure the portal configuration is present and points to the resource management service.

========================================================================
Which makes no sense since the portal is working, I can make a change to a random user or change another attribute of a group and it flows back just fine.

Any ideas on what may be causing this?

Thanks in advance!

Jonathan


FIM CM Certificate Request Error: Denied by Policy Module:

[Reference] Increasing the Max Pool Size in FIM CM:

Improve FIM CM Search Performance When Using Custom or AD Attributes:

[Troubleshooting] FIM CM – Attempts to Retire Smart Card Receive Error 0x80072116:

Syncing contacts from a forest using Office 365 with FIM 2010 - It appears this forest is not exchange enabled.


Hi,

I am setting up FIM to create a shared address list between multiple separate domains.  I've got the GAL Sync MA working between Ex2013 and Ex2010 domains without too many issues, but one of the domains has a standalone Office 365 set up.  They still have the list of contacts and attributes I want in their domain, but when setting up the AD GAL MA I receive the message "It appears this forest is not exchange enabled".

It will not allow me to progress any further via the Create Management Agent wizard.

How can I sync the contact info in from the domain without Exchange in it using FIM?

Cheers,


Relative search scope criteria - match on common property between requestor and target


I have a few different scenarios I am looking to use some logic like this, but will use the Search Scope as an example.

I am trying to create a scope called "My Site's Computers" where it will list all computers that match my Office Location.  Using the following Xpath filter does not work, but seems in theory close to what I want to accomplish:

/Computer[OfficeLocation=/Person[ObjectID='%LoginID%']/OfficeLocation]

Basically saying, return all computers whose location matches the location of the logged on user.

I would try to use the same logic when applying MPRs to allow permission to edit objects based on the same kind of concept to say a person can edit all computer objects at their site.  The goal of this would be to simplify the amount of rules/set involved and not have to create a pair of them for every grouping of objects.... I could get away with just one potentially.

Mostly it seems like this relationship can only be made by a property being equal to the loginID itself, but not a property of the loginID object. I found a thread listing the possible environment variables, but again loginID was the only relevant one.

BHOLD: ScriptProcessor.ExecuteScript Fails for roleAddUser Function When Using bscript.dll


Hi all,

I am trying out running BHOLD scripts, just simple stuff like adding a user to a role. I am using the bscript.dll managed assembly instead of the .asmx web service. The reason being, the way the application is structured, I cannot directly reference the web service for some reason and have to work around this by having a separate console application that calls the service (not preferred).

My script string looks like this (I hardcoded the ids for simplicity):

string sc = "<functions><function name='roleadduser' roleid='17' userid='11' /></functions>";

When I try to run it (ScriptProcessor.ExecuteScript(sc)), it fails with the following error (no matter what I do with the string):

FuncName: roleadduser
Function: <function name="roleadduser" roleid="17" userid="11" />
5_Error converting data type nvarchar to int.

BUT (!!!) This exact same call works fine if I use the web service.  Makes me think that something is messed up inside the ScriptProcessor class.

Has anyone encountered this kind of behavior before?

Thank you!
Ilya

IFF multiple DN in provisioning the groups in AD


Hi All,

I have two OUs, Bangalore and Pune, in AD and need to provision the group in AD on the basis of location. I created a location attribute and bound the attribute to the group in the FIM portal.

Stuck in mapping the group to DN in the Synchronization Rule.

Below is the custom expression used in mapping it to DN.

IIF(Eq(Location,"Bangalore"),"CN="+displayName+",OU=Bangalore,DC=XXXX,DC=com",IIF(Eq(Location,"Pune"),"CN="+displayName+",OU=Pune,DC=XXXX,DC=com"))

Kindly advise.

Regards,
Anirban Singha(Bangalore,India)

ReplaceString function to remove multiple special characters from sAMAccountName


I'm provisioning groups in AD and naming them according to DepartmentName in HR. Of course HR uses & % \ / , and other fun stuff, so I need to do some regex before exporting DepartmentName to sAMAccountName. I'm doing the regex in the Import Sync rule.

CustomExpression: ReplaceString(NAVN,"/","") works fine, but this is only fixing the /'s. What I need is something that can do:

ReplaceString(NAVN,"/" or "\" or "," or "&","") but this apparently is not valid.

Does any of you have a CustomExpression to do this "simple" action?


/Frederik Leed

Delta import for Lync 2010


Hi Guys,

I'm writing an ECMA 2.2 extension for FIM, which provisions users into Lync from AD. I have a question around handling delta imports.

Firstly, to handle delta imports, I get all the Lync objects which have changed since the last import step (which is passed as customData to the import function). To do that, I use the WhenChanged property returned by get-csuser, and I run this code 

ps.Commands.AddCommand("Get-csaduser");
ps.Commands.AddCommand("where-object");
string filtercommand = string.Format("$_.Enabled -eq $True -and $_.SipAddress -ne $Null -and $_.WhenChanged -gt \"{0}\"", importRunStep.CustomData);

Effectively, this is running the following PS command:

Get-csaduser | where  "{$_.Enabled -eq $True -and $_.SipAddress -ne $Null -and $_.WhenChanged -gt <last import date>}"

Now, the trouble is that Lync uses AD to get the date and time for the last object change, which means that if I change an object in AD and do a delta import in the Lync MA, I still get imported objects into the Lync connector space. What I want is to have a distinction between the two, so that if a user in AD is changed and a delta import performed on the Lync MA, it doesn't sync those changed objects in the Lync CS.

One way I thought of doing that perhaps is to get all the changed objects as above, but then iterate through the existing CS Entry objects in the Lync MA and do a comparison to see what has changed, but as far as I know there is no way to get hold of the current objects in the connector space.

Is there any logic which could help me perform the above, i.e. separate Lync and AD completely but still be able to do a delta import on Lync MA?

Thanks in advance


FIM 2010 R2 Service Pack 1 Download


Hi,

Can someone please send me the link for FIM 2010 R2 Service Pack 1 download.

I am just looking for the SP1 files. All I can find on MSDN is FIM 2010 R2 with SP1. 

I need to upgrade an environment from FIM 2010 R2 to FIM 2010 R2 SP1.

Thanks,

ADAM MA Refresh Schema error


We are using FIM 2010

One MA is connected to ADAM. There is a schema change in ADAM instance (added one new attribute).

Now I am trying to refresh the schema in the ADAM MA. The provided credentials are correct.

It is also recognizing the change in schema, but it is throwing the below error at the end. I am also able to run the Export and Delta Import profiles and they are successful.

Retrieving the new schema ...
Retrieving the new schema complete
Comparing new and old schema ...
The schemas are different
Retrieving the metaverse data ...
Retrieving the metaverse data complete
Validating object type inclusion ...
Validating object type inclusion completed successfully
Validating attribute inclusion ...
Validating attribute inclusion completed successfully
Validating validating stay disconnector rules ...
Validating stay disconnector rules completed successfully
Validating join and project rules ...
Validating join and project rules completed successfully
Validating attribute flow rules ...
Validating attribute flow rules completed successfully
Validating deprovisioning rules ...
Validating deprovisioning rules completed successfully
Validating extension settings ...
Validating extension settings completed successfully
The new schema has been validated and is being saved ...
The attempt to commit the new schema failed

Could you please let me know what may be the reason behind this error? I am not getting any particular reason for this error.

 

Get all objects in the connector space for a given MA


Hi,

I need to write code to get all the objects in the connector space for a given MA. I'm using some guidance from this link:

http://social.technet.microsoft.com/Forums/en-US/a54b1c47-6905-4cfd-b3af-cf3b375b6ece/whats-the-best-way-to-get-all-objects-within-the-connector-space-in-c

The code I'm using is this

// Requires a reference to System.Management and: using System.Management;
string managementAgentName = "LyncECMA2";
ManagementScope mgmtScope = new ManagementScope(@"root\MicrosoftIdentityIntegrationServer");
SelectQuery query = new SelectQuery("Select * from MIIS_ManagementAgent where name ='" + managementAgentName + "'");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(mgmtScope, query);
string guid = string.Empty;
ManagementObject wmiMaObject = null;
foreach (ManagementObject obj in searcher.Get())
{
    wmiMaObject = obj;
}
// Guard against a name that matches no MA; otherwise the next line throws NullReferenceException
if (wmiMaObject == null)
{
    throw new InvalidOperationException("Management agent not found: " + managementAgentName);
}
PropertyDataCollection props = wmiMaObject.Properties;
foreach (PropertyData p in props)
{
    if (p.Name.ToString() == "Guid")
    {
        guid = p.Value.ToString();
    }
}

ManagementScope WMInamespace = new ManagementScope(@"root\MicrosoftIdentityIntegrationServer");
SelectQuery query2 = new SelectQuery("Select * from MIIS_CSObject where DN=100 and MaGuid='" + guid + "'");
ManagementObjectSearcher searcher2 = new ManagementObjectSearcher(WMInamespace, query2);
ManagementObjectCollection CSobjects = searcher2.Get();
foreach (ManagementObject obj in CSobjects)
{
    // How do I retrieve the CS object properties??
}

I am able to successfully connect to the CS object, but I would like to retrieve the attributes of this object now (like firstName, lastName etc). How do I do that?

I can iterate over obj and use the .Properties collection, but that gives me the properties of a MIIS_CSObject, whereas I want to access the attributes of the CS Object itself.

BHOLD Suite Installation: Access to BHOLD is refused for the following reason(s): -


Hello everyone

I'm performing the BHOLD Access Management Connector Test Lab Guide.

At Step 7 (http://technet.microsoft.com/en-us/library/jj853093(v=ws.10).aspx) I tried to access the BHOLD Core page by accessing http://FIM1:5151/BHOLD/Core

Unfortunately, it throws me an error:

Access to BHOLD is refused for the following reason(s):

-

But there isn't even stated any reason! What could be the reason?

Any help'd be appreciated.

Thank you!


I appreciate it very much if you vote my Replies as Helpful or Mark as Answer if I could help you out. Thanks!

Upgrade from FIM 2010 R2 build 4.1.2548.0 to build 4.1.3451.0 i.e. FIM 2010 R2 SP1: FIM Service and Portal Setup ends prematurely


We were able to upgrade 2 FIM Sync Server, 2 FIM Portal Servers and 1 FIM Service Node to build 4.1.3451.0 without any issues, however when we try to install the same patch on the 2nd FIM Service Node, the installation fails with error 1603. We also have Reporting feature installed on this affected FIM Service Node.

We tried installing the patch using the msiexec command i.e. msiexec /p "E:\FIMService_x64_KB2849119.msp" /L*v "E:\FIM_Install.log" here is the error code details

CustomAction ImportCommonReportManagementPackBundle returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 10:26:05: InstallFinalize. Return value 3.


What is Contact object type associated with this forest setting in GALMA?


We use MIIS for galsync.

We see the "Contact object type associated with this forest" (contact_MAName metaverse object) setting in GALMA.

If we delete the attribute flow which includes this contact_MAName metaverse object, or delete this object from the metaverse,

is there any negative impact on galsync?

Using custom attribute for sending email in FIM portal


Hi,

I have a scenario where I need to store a user's personal email address and send mails to it. I cannot save this value in the default email attribute in the FIM portal as it holds the official email address value. So I have created a custom attribute for storing this value. But in a workflow activity we get the option to specify "[//Target/ObjectID]". How can I specify my custom attribute at this place?


Dolly
