I would like to thank the community for your all of your support.  I appreciate all the assistance that this forum and its members have been providing. This one way, one to many forest Directory & Password Sync project just came up.  I'm currently in a design, build and integrate mode in the lab.  While I have been reading the TechNet documentation,  Kent Nordstrom's FIM 2010 R2 book and constantly searching the Forum - FIM is a complex product and a challenge to understand quickly.  With your help I have been moving forward successfully towards the solution.   I hope to one day be able to contribute back to the community as I build my own skills and experience with FIM.

Warning - I'm sure that I will have more questions before I reach project completion.  I will do my best effort to leverage documentation where possible.

Thanks, Stu 

Ok, I am suffering exactly a same problem descripted in this article:

http://blogs.technet.com/b/identitymanagement/archive/2015/08/07/mim-2016-upgrade-issues-on-builds-4-1-3646-0-or-4-1-3634-0-or-4-1-3627-0.aspx

The workaround is replace Microsoft.IdentityManagement.DatabaseUpgrade.exe.config file with another one.

The problem is that I am still getting the same error and facing the problem. So is that file which can be downloaded from the link above broken allready or am I missing something?

Am I the only one who is suffering with this?

Hello,

I am working with a client who use FIM 2010 R2.  It is taking inputs from 3rd party applications, and then using the information from the application to provision an account in AD including the users mailbox for Exchange.

There are multiple management agents, one management agent then pushes a subset of users accounts from AD to 365.  The subset of users is close to 50,000 users.

We are in the middle of a POC office 365 migration which will involve pushing a further 6-7 thousand users to 365 from the same AD. 

FIM could accomplish this for us, but due to complications that I wont go into here, we are looking at other options.  The option favoured is to implement AADSYNC into the same domain in addition to FIM.  So to clarify, this would result in having FIM and AADSYNC in the same AD forest, same AD domain, syncing different accounts.

I have on many occasions read that you can only have one DIRSYNC, FIM, AADSYNC instance per forest.  We are working with a 3rd party consultancy who advise that whilst this may not be supported, it is technically possible.

In context to the above scenario, my question is:

a) Is it supported by MS to have FIM and AADSYNC in the same forest

b) Is it recommended

c) What are the drawbacks if it is possible but not recommended and not supported

Thanks very much

Greetings and salutations.

I am attempting to alter an existing Powershell script that we have for creating groups in FIM that pulls groups from Active Directory and creates them in FIM.  We target a single OU.

What I attempting to do should be very straight forward, but obviously not because here I am! All I want to do is update the FIM group object(s) organizationalUnit attribute with a new value. To finish that thought to help you understand what it all does; the group will then be moved to that new OU later in the script.

The function I created is a piecemeal of an existing function that adds members to a group in FIM. It's very similar code to what you find in this Technet article https://technet.microsoft.com/en-us/library/ff720152(v=ws.10).aspx

Here is the function I wrote to accomplish the organizationalUnit attribute update:

function UpdateFIM_SetNewOU ($ADCredentials, $LocalDC, $SearchRootGrp, $LDAPFilter, $PropList, $FIMPortalCredentials, $ResourceManagementURI)
{
	Try
	{
		Connect-QADService -Service $LocalDC -Credential $ADCredentials

		Get-QADGroup -SizeLimit 0 -SearchRoot $SearchRootGrp -LdapFilter $LDAPFilter -SearchScope Subtree -IncludedProperties $PropList	|
		Select-Object $PropList |
		Foreach-Object {
			If($debug){Write-Host $_.sAMAccountName}

			$GroupAccountName = $_.sAMAccountName
			$OU = $NewGroupOUDN

			If($debug){Write-Host "`r`n$(Get-Date): Group Name: $GroupAccountName" -foregroundcolor white -backgroundcolor darkred}
			If($debug){Write-Host "$(Get-Date): New Group OU: $OU"}
			Add-Content $ResultFile "`r`n$(Get-Date): Group Name: $GroupAccountName"
			Add-Content $ResultFile "$(Get-Date): New Group OU: $OU"

			#Get the group object from the FIM Portal.
			$ImportObject = $null
			$ImportObject = QueryResource -filter "/Group[AccountName=""$GroupAccountName""]" -uri $ResourceManagementURI -Credential $FIMPortalCredentials

			if($ImportObject)
			{
				#Initialize variables for modifying a FIM Portal object.
				$ModifyImportObject = $null
				$ModifyImportObject = ModifyImportObject -TargetIdentifier $ImportObject.ResourceManagementObject.ObjectIdentifier -ObjectType "Group"
				if($ModifyImportObject)
				{
					#Set organizationalUnit attribute in modified import object
					SetSingleValue $ModifyImportObject "organizationalUnit" $OU
					$UpdateObject = $null
				  	$UpdateObject = (,$ModifyImportObject)
				  	$UpdateObject | Import-FIMConfig -uri $ResourceManagementURI -Credential $FIMPortalCredentials
				}
			}
		}

		Disconnect-QADService
	}
	Catch [System.ArgumentException]
	{
		#Potential bug with Import-FIMConfig.  The FIM Portal request completes without any errors.
		Add-Content $ResultFile "`n$(Get-Date) The object $ObjectID was updated in FIM."
		$ReturnValue = $true
	}
	Catch [Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException]
	{
		Add-Content $ResultFile "`n$(Get-Date) The object $ObjectID was not updated in FIM."
		$ReturnValue = $false
	}
}

Here is the error I receive at the point where it pipes UpdateObject to the Import-FIMConfig cmdlet.

SourceObjectIdentifier : urn:uuid:d55e4f2e-912d-45ca-a677-7efb16b9f7b5
TargetObjectIdentifier : urn:uuid:d55e4f2e-912d-45ca-a677-7efb16b9f7b5
ObjectType             : Group
State                  : Put
Changes                : {organizationalUnit}
AnchorPairs            :

Import-FIMConfig : Failure when making web service call.

SourceObjectID = urn:uuid:d55e4f2e-912d-45ca-a677-7efb16b9f7b5
Error = System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at Microsoft.ResourceManagement.WebServices.Client.AttributeContainerHelper`1.GetAttribute(String attributeName)
   at Microsoft.ResourceManagement.Automation.ImportConfig.ConvertTypedAttributeValue(String objectType, String attributeNam
e, String value)
   at Microsoft.ResourceManagement.Automation.ImportConfig.UnifiedClientPut(List`1 changeList, UniqueIdentifier objectIdenti
fier, String objectType, CultureInfo locale)
   at Microsoft.ResourceManagement.Automation.ImportConfig.ProcessLocaleBucket(String objectIdentifier, String objectType, D
ictionary`2 localeBucket)
   at Microsoft.ResourceManagement.Automation.ImportConfig.Put(String objectIdentifier, String objectType, List`1 changeList
)
   at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()
At C:\MnDOT\Scheduled Tasks\Copy AD groups to FIM -Task.ps1:485 char:43
+                 $ModifyImportObject | Import-FIMConfig <<<<  -uri $ResourceManagementURI -Credential $FIMPortalCredentials+ CategoryInfo          : InvalidOperation: (:) [Import-FIMConfig], InvalidOperationException+ FullyQualifiedErrorId : ImportConfig,Microsoft.ResourceManagement.Automation.ImportConfig

When I do a Fuji apple to Granny Smith apple comparison of the existing group membership update function to this one, the objects all look to be identical in nature, with obviously different attributes and values being used.  I don't see how this is not working, and I am about ready to quit and become a gardener.

Cheers,

Jesse B.

P.S. I can upload the full script if necessary.

All the votes are in! 

And below are the results for the TechNet Guru Awards, August 2015 !!!!

The TechNet Guru Awards celebrate the technical articles on TechNet, contributed from valued wiki authors like YOU!

Each month, the contributions are scored by a panel of judges (5 per category, 2-3 in each are MS experts), and the winners of each category are showered with love and attention from all corners of TechNet.

See the links at the bottom, to find out more about the competition and how to enter.

We have picked the top three highest scored contributions for each category to bestow our awards upon.

The awards are in gold, silver and bronze, the gold obviously being the top winner of the category.

The last column is just a few of the comments judges made during the judging process.

In some cases, we have not obtained permission to use the judges names, so they have been reduced to initials.

My fellow wiki ninjas will be digging deeper into some of these articles in this blog series, so watch out for those.

Starting this month you will notice some articles are marked as failing to meet our minimum bar for quality or content.

Any of our judges can exercise their right to veto an article, if they do not feel it meets minimum requirements for a medal.  

When this is the case, we will at least give an indication of the reason, so you understand why.

A big thank you also to the other authors who did not make the top three of each category.

Some articles only just missed out, so we may be returning to discuss those too, in future blogs.

BizTalk Technical Guru - August 2015

Also worth a mention were the other entries this month:

• Performance issues in BizTalk and How to maintain and troubleshoot BizTalk Server databases by Kamlesh Kumar
  LG: "Link to this article is broken. Seems it is broken on TechNet."
  Sandro Pereira: "Despite the content is good, the article needs a new layout, it need to be more organized (header, toc, ...) to have more value. At the moment it's too confused"

Forefront Identity Manager Technical Guru - August 2015

Also worth a mention were the other entries this month:

• Cut down on your PowerShell code with the Lithnet FIM Service PowerShell module byRyan Newington
  PG: "nice article, interesting comparison but majority of the article is from Paul Williams content. And you should add proper credits (now fixed)"
• How to Run Management Agent - XML Source with Powershell by AnirbanSingha
  PG: "Small but interesting, quick fix"

Microsoft Azure Technical Guru - August 2015

Also worth a mention were the other entries this month:

• Developing a Recommender Solution with Azure Machine Learning byChervine
  AS: "Good. However the ML engines is failing - I would not recommend Life of Pi to someone how has watched The Lego Movie :)"
  JH: "This one was already covered in our Article Spotlight. I love the articles from Chervine." 

Miscellaneous Technical Guru - August 2015

Also worth a mention were the other entries this month:

• ASP.NET: How to consume WEB API from MVC4 using RestSharp byGaurav Kumar Arora
  Philippe Levesque: "Good contents and article layout is really nice"
  Richard Mueller: "Good use of Wiki guidelines. Are the images out of order? Grammar needs work."

SharePoint 2010 / 2013 Technical Guru - August 2015

Also worth a mention were the other entries this month:

• SharePoint 2013: Working with REST API using jQuery Ajax byDanish Islam
  Ashutosh Singh: "good and well structured article"
  KB: "Like already mentioned by others, it is better to elaborate further in order to have more added value on top of the already existing MSDN articles."
• K2 for SharePoint byAshish Mishra
• Disable IE Esc for Windows Server 2008 byDanish Islam
• Real World Problem and Solution  -  Sandbox Solution: Disable List Throttling byAshish Mishra
  Ashutosh Singh: "Changing the standard throtlling setting more than 500 causes table lock inplace of row lock so for normal users in genral scenario is highly not recommended"
  KB: "For which version of SharePoint is this? You cannot have code behind in a sandboxed solution in SP2013. "
• Rename Central Admin Database in SharePoint 2010 using PowerShell byDanish Islam
  KB: "Very useful article, but the layout is rather primitive: your code snippets should be rendered differently to make it easier to read."
  
• Sharepoint Content Hub Rollback / Cleanup Script byGanesan Rajesh Kumar 
  KB: "Useful script!"
  

Small Basic Technical Guru - August 2015

SQL BI and Power BI Technical Guru - August 2015

Also worth a mention were the other entries this month:

• Power BI - Building Relationships Between Tables when Each has Duplicate, Non-Common Values in Columns by smoupre
  PT: "This is a common stumbling block for model designers and a good technique. Thanks"
  RB: "Interesting subject but not really wel explained"

System Center Technical Guru - August 2015

Transact-SQL Technical Guru - August 2015

Universal Windows Apps Technical Guru - August 2015

Visual Basic Technical Guru - August 2015

Also worth a mention were the other entries this month:

• Surface Areas and Volumes Calculator by.paul.
  Richard Mueller: "Good formulas. Some examples using this could help."
  Carmelo La Monica: "Great article and content. Congrats!" 

Visual C# Technical Guru - August 2015

Wiki and Portals Technical Guru - August 2015

Windows PowerShell Technical Guru - August 2015

Windows Presentation Foundation (WPF) Technical Guru - August 2015

Windows Server Technical Guru - August 2015

A huge thank you to EVERYONE who contributed an article to August's competition.

Hopefully we will see you ALL again in September 2015's listings?

If you haven't contributed an article for this month, and you think you can create a more useful, clever and better presented wiki article than the winners above,here's your chance! :D

Best regards,
Pete Laker

More about the TechNet Guru Awards:

• TechNet Guru Competitions

#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over toTechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes o become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

We have a SQL Table of users and their managers as main source to MetaVerse.

The table is provided by HR and gives the ids for all the INTERNAL users + managers.

However, some of the INTERNAL users may have EXTERNAL managers and these manager ids will not exist in the Sql table as "user ids".

In this case FIM will flow a null to manager field in the MetaVerse as it cannot find (dereference the external manger's id)

All is not lost, all managers should have AD accounts. The manager's id not in HR table can be found in AD 99 times out of 100.

What I want to know is the best strategy to fill in the MV manager attribute when null by getting it from AD. What confuses me is the manager being a 'reference' field. This fact may limit my options.

What if I wrote some C# import attribute flow rule for the HR MA, is it OK just to push the DN *string* of the manager found in AD into MV:manager attribute? If not what should this C# code do??

What is best way to cover this hole, I am sure we are not unique in this situation?

Hi, 

I have a cd-error when I run an export on AD Management Agent 

The message error is "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain." 

On the export changes there is an update of the useraccountcontrol 514 -> 512. 

I don't know why I have this problem ? 

Any idea to fix it. 

Thanks

Hi,

I am looking for a solution using FIM 2010 r2.

1. Please let me know if it is possible to sync gal across 2 forests 1 exchange 2010 SP3 and 2nd Exchange 2007 SP3.

2. Do we need to create any sort of domain or forest trusts.

3. Do we need create VPN tunnel Connectivity between 2 forests.

4. Do we need to setup FIM servers in both the forests.

5. Do we need to setup FIM server in DMZ.

6. MIM 2016:- Can it be used with Exchange 2007 for GAL SYNC.Exchange 2010 and Exchange 2007 FIM 2010 R2 Gal sync without domain or forest trust

Hi All,

We have a group attribute in FIM Portal where the value for it is in the form of a drop down with 3 options. Ex: Its A, B, C. Now they want it to be replaced with X, Y, Z. We know that this can be handeled easily in Group Creation RCDC while creation of new groups in FIM Portal. We were wondering for the existing groups how do we manage? We updated the RCDC for Group Modify and View, but when we go to the groups we can see the the drop down values as A, Y, Z, X.

Does it mean that using PowerShell script we will have to update the attribute value to the new values as a One time cleanup for existing groups? Or is there any other way.

Kindly help!!

Regards,

Veena

Hello,

Currently we are syncing across forests, with a single source of truth, we have a couple thousand group objects and about 30,000 user objects. I was wondering if it is possible to configure de-provisioning for deletion of user objects only and make groups regular disconnectors.

We had an issue where someone deleted a couple of groups in the source of truth, by accident and it deleted the groups in the other forests. But we want to delete users when they are deleted from the source so we don't have a bunch of orphaned users in other domains.

Any suggestions would be appreciated.

Thanks

Russell Lema

So here is our scenario

We have an old domain, that we are currently using as the source of truth and provisioning and syncing across forests to 4 other domains

domainA -> DomainB, DomainC, DomainB-Dev, DomainB-QA - Auto every hour

We have rule extensions in place to modify everything due to OU structure and other attributes.

Now I have 2 other FIM instances in DEV and QA that have the same rules as prod - the main issue is that we aren't updating

DomainA-Dev ->DomainB-Dev , rest of MAs disabled - manually run

DomainA-QA -> DomainB-QA, rest of MAs disabled - manually run

So We are using quest to update DomainA-DEV &QA

The main question I have is, would it be better to stand up another instance of FIM to sync and provision to DomainA-DEV &QA or should I use the current instance, even though we massage some of the attributes being projected into the MV.

I see positives for both.

Thanks for any help.

Russell Lema

Greetings,

I'm having an issue with a FIM Sync server.  I have the typical PS script that runs MAs. But when I run the script I'm getting Provider load failure.  This PS line is the one causing the issue.

$MA = get-wmiobject MIIS_ManagementAgent -namespace "root/MicrosoftIdentityIntegrationServer" -filter "name='$MAName'"

When I run this line in PowerShell (substituting $MAName for the actual MA name), I get the same error. When I open WBEMtest.exe, I connect to Namespace: root\MicrosoftIdentityIntegrationServer, then run a Query: select * from MIIS_ManagementAgent and I get the same error.  When I click on Enum Classes, level the superclass name empty, click on Recursive I'm only returned 60 objects.  Interestingly enough when I do this on a FIM server that works it returns 72 objects.  The ones that are missing are the 10 that start off with CIM_ and the 2 that start with MSFT_.

I've tried wimmgmt /verifyrepository - all good.  Even did wimmgmt/resetrepository.  then did mofcomp mmswmi.mof. Still not working.

I re-installed FIM sync.  Still no luck.  I also ran wmidiag.  I did find this error in there: !! WARNING: MOF file of WMI Provider 'MIIS' ({9A6AE3F8-5DEF-416E-A569-BB74B3184DC6} / NETWORKSERVICEHOST) of namespace 'ROOT/MICROSOFTIDENTITYINTEGRATIONSERVER' CANNOT be located.

Any guidance would be appreciated

Hi FIM Experts,

For any Search Scope, FIM by default sorts out the result based on "Display Name" attribute. We have a requirement to sort the results for 1 particular Search Scope based on some other attribute.

Is there any way to do this? I am clueless at this point. I was able to add/remove attributes to be viewed in the Result panel but was unable to find a way to change the default sorting.

Any help would be appreciated.

Thanks!

Veena

Hi All,

I want to form a PowerShell query to fetch all the groups from FIM expiring on a particular date. Is it possible? I want to ignore the year and consider only month and date as this will be part of task scheduler and will be running on a monthly basis.

Currently the groups in FIM seem to have expiration time in the format mm/dd/yyyy 00:00:00 AM/PM.

I am guessing querying groups based on expiration time is not as simple as I thought. I have gone through the blog below as well but still I am not able to form the query for my requirement.

http://blogs.msdn.com/b/syamp/archive/2011/03/13/fim-2010-xpath-how-to-check-null-value-on-a-datetime-attribute.aspx

Any suggestions?

Regards,

Veena

Dear experts,

Can Q & A gate and SMS OTP gate coexist, if no, can email OTP and SMS OTP co exit? What if our default gate is SMS OP and user somehow has issues with their cell. Please assist.

Hi experts :)

I'm working on setting up a cross forest synchronization for GALsync purposes. I want to modify the "description" field of a user in the target domain to identify that it comes from the source domain. From my findings, I need to do this in code, by recompiling the GALSYNC.dll file. My initial attempt fails miserably :)

   Public Sub MapAttributesForImport( _

  Select Case FlowRuleName

This fails with this error message:

Why is the imported field read only?

This is an issue that is happening after an upgrade from FIM 2010 to MIM 2015 -

I have a criteria based set in FIM that has 91 users as members.

I have a set transition MPR that has a workflow associated with it.

I have the workflow set to "Run on Policy Update" - set as checked

When I disable the MPR then Re-Enable the MPR it runs for 15 users and no more.

Trouble shooting I've done:

No errors in the application event log.

Turned on Verbose logging on the FIM Service and checked the trace logs - no errors.

The users in the set that it does run for shows as completed in the requests page - no post processing error or anything like that. It doesn't have the other 76 users in the request page as pending or anything.

Thanks in advance

Hello Everyone,

Please can I get your opinions on managing Home Directory, Roaming Profile and Quota via FIM?

We have an internally developed solution for this, and are now looking at FIM 2010 R2 SP1 as a replacement.

The devil is in the detail with this, so bear with me! Hopefully it may benefit others.

Challenge|Current Solution

1. Create the user in Active Directory
2. We have 108 home directory shares (we are a big University! some of this is legacy design); pick a home directory share (essentially at random), then create a home directory folder in here.

3. Set permissions on this home directory folder;

   • the user should be able to create, modify and delete  files and folders below their home folder
   • the user MUST NOT be able to delete their home folder itself

   • the user MUST NOT be able to change permissions - in other words, they must not have FULL CONTROL permissions

     • share level permissions only allow read and modify, and not full control, but this requirement should still be fulfilled

4. Using traditional quota management (ie in Windows Explorer, right-click on the volume, then on the Quota tab, tick enable quota management), allocate an initial quota value, which varies according to the user type (staff and students)

5. set the following Active Directory attributes;

   attribute	value: syntax	value: example
   homeDirectory	\\[server]\[share]\[unique folder]	\\lha-001\pers-K\00123478
   homeDrive	N:	N:
   profilePath	\\[server]\[share]\[unique folder]\[profile folder]	\\lha-001\pers-K\00123478\profile
   [Remote Desktop Services User Profile]	\\[server]\[share]\[unique folder]\[remote desktop profile folder]	\\lha-001\pers-K\00123478\rdprofile

Result

• users can logon to Windows computers
• users' settings are preserved across desktop computers
• users' settings are preserved across Remote Desktop sessions
• users have an allowance on their home directory
• users cannot delete their home directory folder in the example above, the \\lha-001\pers-K\00123478 folder

Deprovision the home directory with the user.  In terms of ongoing operations, there is only adjust quota (invariably upwards!)

As the home directory folder is not the username, it never needs changing for renames, etc.

Context

• roaming profiles are somewhat deprecated in favour of User Experience Virtualization (UE-V), but we use roaming profiles
• storing roaming profiles in the same location as the end user's home directory isn't good practice; however, this is current practice
• Microsoft provide OneDrive for Business with practically unlimited storage; wedo provide this for our users, but it doesn't replace entirely the need for home directory and roaming profiles
• FIM 2010 R2 SP1 provides very limited capabilities out-of-the-box for this

Option 1: Auto-Provision

• create the user and set the attributes in FIM service; (except the Terminal Services Home Directory)
• set a default quota (say, 1GB)
• when a user logs on, their home directory and profile folders will be created automatically 

Option 2: PowerShell Workflow

• run a PowerShell script, which can interface to databases, etc) and do everything in PowerShell
• on the next import run from Active Directory, the details come through to FIM Portal

Neither of these options are perfect.

How have you tackled this?

I have a production replica MIM integration lab with my source forest being Windows 2012 R2 \ Exchange 2013. My target forests where I am only using Outbound Sync Rules to push accounts are Windows 2012 and I just applied the Exchange 2013 schema update without having actual exchange servers in the target forests.

MY Target ADMA's do not have all the Exchange attributes available and Refresh Schema command is failing:

Retrieving the management agent data ...
Retrieving the management agent data complete
Retrieving the new schema ...
An error was encountered during the schema refresh. Please try again later.

I saw one post that recommended that the ADMA would need deletion and re-creation? Wouldn't that break all my Sync rules, workflows, sets, etc

any ideas?

-Stu