Channel: Forum Microsoft Identity Manager

FIM sync force update on attribute that hasn't changed.


Morning,

I have been asked to update CustomAttribute1 in Azure to populate the Address Books in Exchange Online, when I tried it failed stating that this was controlled by FIM.

I thought about running the same commands on our Exchange users online to trigger a sync up to Azure but was told that FIM would check AD and compare it against its own copy and see that there were no changes, so it won't cause a sync.

Is there a way in FIM to take the value of CustomAttribute1 and force it to sync to Azure even if it hasn't changed?


.: Lister :.


Advanced mapping reference attribute


Hello, 

I am trying to use advanced mapping for the manager attribute on export for an ADLDS management agent but it's not permitted.

Actually, I want to synchronize the manager attribute from AD to ADLDS but the DN is not calculated by the same rule

in AD cn=toto,DC=contoso,DC=com

in ADLDS cn=toto,OU=Users,DC=contoso,DC=com

Any idea?

Regards

Lync 2013 login failed in Windows 7


Thanks in advance.. 

We are using Office 365 for our e-mails flow.

In our organization we are using Windows 7 on many machines; on some machines we are using Windows 8.1.

Skype for Business is working very well on 8.1,

but on Windows 7 we are not able to install the same, so we decided to install Lync 2013 for Windows 7.

But after installation, unfortunately, we are not able to log in to Lync 2013 on Windows 7.

"The server is temporarily unavailable. If the problem continues, Please contact your support team."

Please help us.


Thanks & Regards, Naveen Singh

FIM 2010 Set bit value based on a boolean


I am wondering how I can set an AD attribute bit value based on a boolean metaverse value.

So if I want to set LSB to 1 in ad, is this the correct way? I am a little bit confused with this.

IIF(BooleanAttribute,BitAnd(1,1),BitAnd(1,0))

BHOLD unattended installation


Hello!

What are the parameters for BHOLD Core 5.0.1992.0 unattended/silent installation?

What is the way to provide password for BHOLD Core service user account?

When I tried to provide SQL Server name MySQLServerName as a value of property SQLSERVERNAME, log file looked like this:

PROPERTY CHANGE: Adding SQLSERVERNAME property. Its value is 'MySQLServerName'.

...

PROPERTY CHANGE: Modifying SQLSERVERNAME property. Its current value is 'MySQLServerName'. Its new value: 'MyBHOLDServerName'.

Thank you in advance!

PS. Sorry if I'm posting to the wrong forum. Didn't find better place.

Getting FIM MA "Stopped Server" error in Synchronization Server Manager FIM


After migrating the 3 FIM DBs to a new SQL Server (2012) using the following migration process, we noticed an issue with FIM MA in the Management Agent Operations, specifically with FIM MA running Export and Delta Import:

1. We took a full snapshot (VM) and backup of our FIM server

2. On our FIM server:

a. Disabled any scheduled FIM tasks (FIM Delta/Full) in Task Scheduler

b. Ensured that all Management Agents had an "Idle" status before proceeding

3. RDP'ed into our old SQL Server

a. Backed up all FIM related DBs

i. FIMService

ii. FIMSynchronizationService

iii. FIMSyncPortal

b. Copied all backup copies of the FIM DBs to the new SQL Server location

4. On the FIM server

a. Stopped the Forefront Identity Manager Sync Service and Forefront Identity Manager Service

5. RDP'ed into new SQL server

a. Restored all 3 FIM DBs on the new SQL Server

b. Created the necessary service accounts on the new SQL server, mapped to the 3 FIM DBs w/ appropriate permissions:

i. domain\SVC_FIMSync

ii. domain\SVC_FIM

iii. domain\SVC_FIMMA

6. Back on our FIM Server, went into REGEDIT to point FIM to our new SQL Server:

i. Navigated to HKEY LOCAL MACHINE>SYSTEM>Current Control Set>Services>FIMSyncService>Parameters

ii. Changed the Server Property value to: [New SQL Server]

iii. Navigated to HKEY LOCAL MACHINE>SYSTEM>Current Control Set>Services>FIM Service

iv. Changed the DatabaseServer to: [New SQL Server]

7. Started the FIM Services that were stopped in step 4

a. Ensured the FIM Sites were started in IIS, if not clicked Manage Sites>Start

i. Sites SharePoint-80 (IdentityManagement), FIM Password Registration, FIM Password Reset

8. Opened FIM Synchronization Service Manager, ensured Management Agents appeared and that I could see the Run History in the Operations tab

9. Re-enabled the FIM tasks (Delta/Full) in the Task Scheduler

Everything seemed to be working as it should however we noticed that FIM MA, specifically Export and Delta Import, was giving us a "Stopped Server" error.  All other Operations are running as they should.  More specifically, the Export operation is the one that is giving us trouble.  

Please help!


Change in URL of FIM portal


We have to get new certs for fimportal in a new name. fimportal is hosted as fimportal.addomain.local and going forward it will be hosted at the fimportal.domainname.edu URL. In what places should I be changing the URL after the new certs are added?

1) In SharePoint, alternate access mappings?

2) Do I have to run the fimportal installation again on the portal and service server?

resourcemanagement client and resourcemanagementservice have fimportal.addomain.local in the config file.

3) In sync engine, fimma, the FIM service base address is http://fimportal.addomain.local:5725. Should that be changed too?

Please advise.

Make a member of the group


Hi,

I am successfully provisioning users in AD via FIM; however, I need to add users to a specific group. By default all newly provisioned users are members of Domain Users and now I want to add them to another group, say "FIMGROUP".

Your help will be appreciated.

Regards
Sarwar




MIM 2016 Post Upgrade Errors.


In my Dev lab we upgraded FIM 2010 to MIM 2016 prior to attempting in production.  We stood up a new SQL 2012 box and a Server 2012 box.  The front end server has the Synchronization Service and Portal services for Password Registration and Reset.

Upgrade went fine with no errors encountered during the upgrade sequence.

The portal works great and all Resets and Registration works fine after the migration.

My issue is when I launch the Synchronization Service and attempt to run my FIM Management Agent with any of the configured profiles (Sync, Import, Export). I get a pop-up that says an unexpected error occurred and I get no further information in the actual Synchronization Service GUI.

Attached is a screen shot of the pop up.  I refreshed the Schema and it didn't change the situation.  My ADMA works fine without a problem.

Event logs shows the following error:

"the Server encountered an unexepected error while performing an operation for management agent.

"BAIL: MMS(9668): ..\ma.cpp(3781): 0x80070002 (The system cannot find the file specified.)

Forefront Identity Manager 4.3.1.1935.0"

I have run a repair on the Service and Portal and came up empty handed.  I also created a 2nd FIM MA just to see if it would go further but it popped the same error.  Any ideas or suggestions?

BHOLD Export Error - cd-error - What to do Next?


Not sure where to go with this. I'm getting several identical errors (cd-error) when exporting my groups to BHOLD. The error message doesn't contain a stack trace. But, I did configure logging for BHOLD.  BHOLD is reporting this error when an export is run:

Sql Exception Encountered

Stack: System.Data.SqlClient.SqlException (0x80131904): Reraised Error 2627, Level 14, State 1, Procedure tasks_INSERT_QueueManagementTrigger, Line 16, Message: Violation of UNIQUE KEY constraint 'PermissionNameApplicationId'. Cannot insert duplicate key in object 'dbo.Permissions'. The duplicate key value is (InvestmentStrategies, 2).
   at System.Data.SqlClient.SqlCon ..... <bla-bla-bla>

followed by a list of group names similar to this:

Base Table:
ObjectIdentifier bholdDescription bholdTaskName bholdMaxRoles bholdMaxUsers bholdAuditAction bholdAuditAlertMail ApplicationDescription 
0 Network Configuration Operators Network Configuration Operators     Active Directory 

1 Performance Log Users Performance Log Users     Active Directory 

I tried to delete this group in BHOLD-Core, but the group name doesn't show up in my search.  So, I'm stuck.   I can't get anything to process in BHOLD.  And, I have no idea how to fix this.

Any suggestions?  I'm going to open up a support incident soon.  This is wearing my patience.

Thanks,

Greg

 

FIM 2010 R2 - User history report - Almost duplicate rows


I am using a default User history report.

I noticed that the report returns "almost duplicate" values for at least Delete operation types. So basically there are 2 rows for a deleted person. The only difference is that the Attribute Value column is empty in one row and in the other row there is a value. Like below.

Username, Operation type, Attribute name, Attribute value
User1, Delete, ObjectID, 234234-234-234-234
User1, Delete, ObjectID, 

What could cause this?


ADMA Outbound - GroupMembership ADD now fails with "permission-issue" after adding "false=>MembershipLocked" to sync rule


I have implemented declarative rules for managing a specific group from a source forest to target forest. I have successfully added users to the group by modifying the source group and having them sync to the target group membership.

Even with it working I was seeing errors that the required attribute "membershipLocked" was missing, and after reviewing documentation and blogs I added it to the inbound attribute flow on the source & target connectors.  It is set to "false".

Now I am getting permission errors on the Add to membership on the target.  Any suggestions?

Thanks, Stu

Failed-creation-via-web-services ValueViolatesUniqueness

We have the default SSPR install. The only MAs that we use are AD (full import, full sync) and FIM (full sync, export). So, basically we are importing the users from AD into FIM Portal for SSPR.

The process was running fine for a couple of months. Then there was a "server-stopped" error on the export operation. Event Viewer said that the connection to the database timed out. So the server was restarted.

After that the jobs were run again in order "AD full import, AD full sync, FIM Full sync, and FIM export". This resulted in "completed-export-errors" for FIM export. The user accounts that are in the export error list are already in FIM Portal and hence the error about value violates uniqueness.

I saw a few articles online but wasn't sure if it really pertained to this case. Some talk about creating import attributes, some about running stored process to clear the duplicates (I wasn't able to locate the procedure in the database), some about permissions, etc.

Can anyone please suggest a good resolution to get rid of these duplicates? (since these users are in the portal and registered with SSPR, I don't think deleting them from portal is a good option?)

FIM 2010 R2 - Creating own reports


Just wondering, are there any guides on how to create your own "normal" reports for FIM? For example, if I need a report which lists all users in FIM, how can I do that?

Custom SMS OTP


Hello, 

I developed a custom SMS OTP DLL for FIM 2010 R2, but I didn't find a way to send a result to the FIM portal when it concerns errors.

Even if I put throw new Exception("Test result"), in the request I have "ValidationError:UnableToSendSecurityCode". Is there any way to customize this message dynamically?

Thanks

Regards


Regex One Time password mobile phone


Hi, 

I am facing an issue: I am trying to update a validation pattern for the One Time password mobile phone attribute but I got this error.

The same regex works with the mobile phone, any idea?

Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Correlation Identifier: 60551445-a586-4b5a-9df8-d8a0ba736a69
Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> Procedure: ReRaiseException.  Line number: 37.  Message: A Sql failure occurred.evel 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, Procedure PostProcessBindingDescriptionUpdate, Line 455, Message: DataAccessSqlException: The attribute StringRegex for attributeTypeDescription object StringRegex cannot be modified since it is a system object..
   --- End of inner exception stack trace ---
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest(RequestType request)

Regards


TARGET ADMA service account is a standard user - password sync failing because of membership in protect groups


I will be doing a one (primary) to many one-way outbound sync into over 60 target forests. I am syncing standard user  "System Engineer" accounts from the primary into the target forests where they are added to a group "DomAmins-ETG" which is a member of the built-in Domain Admins group.

My ADMA Target service account was created based upon FIM step by step docs.   Standard user granted replication rights at the forest level and granted read\write etc rights at the "Managed" OU level expecting inheritance.

I ran into my first issue with Protect Groups yesterday.  I lost the ability to manage the target group membership after AD ran its Protect Group scan and disabled Inheritance on the group and set adminCount to 1.  I resolved this issue by manually granting the ADMA service accounts explicit rights on the group.

I just performed troubleshooting on Password Sync and it is failing as each FIM-created user that became a member of the security group is now part of a protected group.

How can FIM manage Protect Groups & users?

Is my only choice to make the ADMA service account a Domain Admin rather than standard user?

-Stu

FIM 2010 SQL MA Delta Import


Hi All,

I do not see the Delta Import profile in SQL MA in FIM 2010 SP1. Is Delta Import in SQL MA deprecated from FIM 2010 SP1?

Regards,
Anirban Singha


My ADMA User sync rule does not delete target objects, but will create, modify, enable, disable, etc. sAMAccountNAme relationship?


My User ADMA sync rule does not delete target objects, but will create, modify, password sync, enable, disable, etc.

I am syncing users and a group from my primary forest one-way into what will be many customer forests.  This will allow our engineers to be Admins for these customer forests with their passwords synced.

I morph my user objects in the outbound User sync rule to ensure that there will be no name collisions in any customer forest:  Could this be the cause?

accountName+"-ACME"=>sAMAccountName

accountName=>msDS-cloudExtensionAttribute15  (existence test)

"CN="+aacountName+"ACME"+",OU=ACME Users,DC=LABForest1,DC=corp"=>dn  (Initial flow Only)

displayName+" (ACME)"=>displayName

My sync rule Relationship Criteria is:  accountName = sAMAccountName

On my primary inbound ADMA I have flow errors on the two deleted user accounts

  • Error: extension-dll-exception.
  • Sync step: export flow
  • occurrences..
  • Retry count: 33
  • extension name: FunctionLibrary.dll
  • extension rule: export flow
  • extension context:  <export-flow allows-null="true"><src><attr>displayName</attr></src><dest>displayName</dest><scoping></scoping><fn id="+" isCustomExpression="false"><arg>displayName</arg><arg>" (EdgeTG)"</arg></fn></export-flow>
  • Destination MA:  ADMA-LABForest1
  • Destination Object: CN=TestUser2-ACME,OU=ACME Users,DC=LABForest1,DC=corp
  • Mapping type: direct
  • Data source attribute: sAMAccountName

Call Stack:

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'LABForest1 User Outbound Sync Rule'. Details: Object reference not set to an instance of an object.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

Thanks, Stu

MIM 2016 Configure the MIM Service - Missing Attribute


On the inbound attribute flow page I select the source attribute samAccountName.  However, the Destination attribute list does not have samAccountName.  There is an Account Name.

I am following this documentation:  https://technet.microsoft.com/en-us/library/mt219040.aspx

I am new to MIM 2016 and have never used FIM 2010 and this is an installation in our test lab.

I tried to set up concatenate for the attribute but this did not work.

Any ideas are appreciated.

Thank you!


kathy4270
