Channel: Forum Microsoft Identity Manager

Migrating MIM from one server to another (2008 R2 OS to 2012 R2)


Hi all.

I currently have FIM 2010 R2 in my environment, and long term I want to move our identity management to either a server 2012 R2 or server 2016 server, depending on what is most suitable at the time. All that we currently have is the sync service - the MIM service / portal etc are not installed, though I want to install them in the future.

FIM 2010 R2 is currently installed on a 2008 R2 server. I tried in a test environment to install MIM 2016 fresh and migrate, but failed. I decided that our best course of action was simply to do an in-place upgrade of FIM to MIM 2016 without changing services, and then later look at migrating the newly-installed MIM to a newer OS and SQL database version. The in-place upgrade in my test environment was trivial.

Unfortunately, I can't find any guidance for doing so.  Before I actually make my recommendation to the business, I want to just get a feeling of how difficult it would be to migrate MIM 2016 from a 2008 R2 server to 2012 R2 (or 2016 if supported).

Since I plan to install the MIM service and portal, I'm also wondering about the difficulty to migrate those; should I install those on my 2008 R2 server once I've upgraded the sync service, or should I wait until I've migrated MIM to another server and install them there?  I don't know how much effort it takes to migrate the extra services...




MIM Password Registration Portal - Basic Authentication works, but not Windows Authentication


So I am facing an issue with Password Registration Portal. If I change authentication mode from Windows to Basic, it will start working.

What could cause the issue that when Windows authentication is enabled, Password Registration Portal won't work?

Trying to access the portal, IE prompts credentials 3 times and then displays HTTP Error 401.1 Unauthorized Error page.

The page says:

Detailed Error Information:

Module: WindowsAuthenticationModule
Notification: AuthenticateRequest
Handler: PageHandlerFactory-ISAPI-2.0-64
Error Code: 0x80090305
Requested URL: http://register.universum.com:66/default.aspx
Physical Path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration Portal\default.aspx
Logon Method: Not yet determined
Logon User: Not yet determined

ECMA 2.0 Full Import Error Run Profile ( File based )


Hi All,

There is an error "Extension Could not be loaded" while creating the Full Import of file based ECMA 2.0.

When I refresh the interface, it shows the Management Agent supports "Full Import".

Unable to create any of the Run Profiles of the MA. Kindly suggest and advise.

Thanks & Regards,

Anirban Singha

WIKI licensing article needs an update?

Lotus Domino Connector - Unable to provision user


Hi all,

I have a small problem using the Lotus Domino Connector. I cannot get FIM to provision a user (International user, with an ID stored as an attachment) in Domino. Also I cannot activate the logs on the connector. I have tried to follow these threads:

http://social.technet.microsoft.com/wiki/contents/articles/21086.how-to-enable-etw-tracing-for-fim-2010-r2-connectors.aspx
http://social.technet.microsoft.com/Forums/en-US/dbeeb280-4c2a-492f-9d5a-0c14d340ae0c/lotus-domino-connector-logging?forum=ilm2

And for the config of the connector itself this one: https://msdn.microsoft.com/en-us/library/hh859750%28v=ws.10%29.aspx

This is my config:

- FIM 2010 R2 SP1

- Lotus domino 8.5.3 HF6

- Lotus domino client 8.5.3 HF6 install in single mode on the FIM box

- Lotus Domino Connector build: 1.0.597.910

I am using the Portal for my sync rules.

I have activated the verbose logging on the Domino server and I can see a connection made to the server by FIM but no provisioning.

The connector gives me this error in the stack trace: Notes Error: Access to Data Denied.

I am using an admin account, who is in the LocalAdmins Group on the Domino server (I have checked with a Notes admin and everything looks perfectly fine on the Domino side).

Also as mentioned I have been trying to activate the logging of the connector but without success. I have seen that I need to use ETW tracing, I have followed the instructions on the TechNet site, I got the Source Name (connectorLog) however I do not know the ETW GUID (I have tried many GUIDs with no success).

I was wondering if anyone could lend me a hand to activate logging and provision a user. For information an update of the user in the domino directory works fine.

Also I was wondering if someone had already succeeded in making the connector work for provisioning.

Thanks for your help.

Sylvan

Provisioning linked mailboxes and GALSync doesn't work


Dear community,

We've the following situation: Two trusted AD-Forests, with Exchange 2010 in each forest. FIM 2010 R2 is running in Forest B.

Forest A contains User mailboxes which need to be cross-forest-moved to (Resource-)Forest B.

For preparation/provisioning I've set up FIM by importing the following MS sample script: https://www.microsoft.com/en-us/download/details.aspx?id=17741

This is working well, meaning that FIM creates disabled and mail-enabled AD accounts in Forest. Afterward I can use Exchange PowerShell scripts to move the mailboxes across the forest -> great!

But I need to configure additional MAs for GAL-Synchronization as not all mailboxes are being moved to Forest B.

Once I start to create a MA for GAL Sync I do receive the following error messages (at stage "Configure GAL"):

Synchronization Service Manager is unable to import schema file.

Attribute legacyExchangeDN differs only in case with an existing attribute in server schema.

The same for attributes msExchMasterAccountSid, displayName and objectSid. For "publicDelegates" it's different: ... has different indexable property with an existing attribute ....

I'm not a FIM specialist and tried different things like editing the XML file, changed the case and everything, but I can't get it running.

Any hints?? I'd really appreciate it, as this is important for us to get it up and running.

Thanks,
Lars

FIM Reporting - how to fix this break in Reporting Data?


The customer has let us know that they seem to have a gap in their FIM User Report. They see data up to 9.12.2015 and from 5.1.2016 to date. No updates (of which there were several) are visible in the Report.

On investigation 2 critical events were discovered.

On 9th December 2015, the SQL support team "upgraded/patched" AND REBOOTED the MSSQL server.

On 5th January 2016, the SQL support team "upgraded/patched" AND REBOOTED the DataWarehouse server.

In FIM the Incremental reporting job completed successfully all through December 2015 but Failed on 5th Jan. 2016 as the DW services were not running. For some reason these 3 services are (were) Manual:

System Center Data Access Service, System Center Management Configuration and System Center Management

I guess the rebooting of the SQL Server on 9.12.2015 smashed all the DataWarehouse jobs leaving them in an unknown state until yesterday when I managed to..

Start the 3 DW services, Restarted the MPSync and DWMaintenance jobs and waited 24 hours for them to complete, Run the ETL-Load ps script and now I see data in the reports from 5.1.2016 onwards :-)

BUT!  I have no clue where the data changes sent by FIM 3 times a day from 9.12.2015 to 5.1.2016 are. It seems to be "in transit". FIM has sent it somewhere but the DataWarehouse jobs that I recently restarted seem unable to move it into the DataMart DB for reports to access it.

Is there a way I can examine where these changes are? There seems a blockage somewhere. BUT WHERE? Can FIM possibly resend the data increments from 9.12.2015 to 5.1.2016?

FIM Reporting relies on a whole load of processes on a whole load of servers, so many possible points of failure it is almost beyond belief that anything gets reported.


 

Update properties on Domain Admin accounts


Hi

Is there any way besides making the FIM action account member of Domain Admins to have it update properties on Domain Admin accounts?
I would like to use FIM to synchronize information like name and phone numbers from the users' regular accounts to their admin accounts. But as they are Domain Admins I always get access denied.

I tried to specifically add write permission on some of the attributes to FIM on one of the DA's and then FIM could update the info, but after a while the permission was gone again?

Thanks

Peter


GALSync and Office365


Hi

I would like to implement MIM GALSync across three Exchange Organizations. One of them uses Office365 (AzureAD and ADDS are synchronized using AzureAD Connect). But they don’t have an Exchange Server on-premises anymore. From my perspective the only way to establish proper GALSync is to deploy Exchange 2013 CAS Server on-prem to be able to provision mail-enabled contacts. Is there a more elegant way?

Another question. What would be the best way for GALSync if an Organization has Cloud-only Identities (No Sync between AzureAD and ADDS)?

Thanks for any suggestions. Best regards

Pirmin

Does SAP R/3 work with MIM 2016?


Hi,

Is the combination possible? Can I upgrade in place to MIM 2016 if I'm using SAP R/3 MA?


GH

MIM SSPR vs Azure SSPR


Hi,

Got a few questions around MIM and Azure AD SSPR.

So MIM has the following SSPR options:

  1. Question and Answer Gate
  2. OTP Email Gate
  3. OTP SMS Gate
  4. Azure MFA using OTP SMS gate (is this the same OTP SMS Gate as above in item 3?)
  5. Azure MFA using Phone Gate

I also see that Azure AD has its own SSPR, so:

  1. Do the same options (as per 1-5 above) exist in Azure AD as in MIM?
  2. When should we use the Azure AD SSPR vs the MIM SSPR?

Additionally, MIM can also 'unlock' an AD account during a Password Reset operation - can this be done with Azure AD SSPR?

Lastly, MIM allows different Gates to be used for Extranet vs Intranet users - does Azure AD SSPR cater for this too?

Actually - what are the differences between MIM SSPR and Azure AD SSPR?

Thank you,

SK




Windows Server Active Directory 2012 R2 to Windows Server Active Directory 2012 R2 User and Password Synchronization using MIM?


Hello MSDN,

Good day. We are trying to sync the user account and password from one Windows Server AD to Windows Server AD. We tested ADMT but it is ungraceful in long term synchronization. May we ask for your advice on what the Microsoft supported tools are that can sync user AD accounts and passwords from one AD to another AD in a separate forest? Is MIM capable of syncing AD to AD?

Any advice would be highly appreciated.

Thanks,

Glenn Sebastian



GAL Sync for 2 office 365 tenant using FIM


Hi All,

I would like to achieve GAL Synchronization between two Office 365 Tenants using FIM 2010R2.

My Environment: On Premise AD, Azure AD, 2 Office 365 Tenants

User Synchronization happens using DIRSYNC between On Premise AD and Azure AD. And I have 2 OU as SITE A and SITE B. SITE A users have separate Office 365 Tenant and SITE B users have separate Office 365 Tenant. Now I need to perform GAL Synchronization.

Please suggest which solution will be feasible.

Approach 1

Using FIM AAD Connector, SITE A users will be provisioned as contacts in Azure AD SITE B and SITE B users will be provisioned as contacts in Azure AD SITE A.

Approach 2 : Using FIM- GAL MA I will create a contact in On premise AD itself on both OU and then only contact will synchronize  to Azure AD.

Thanks in Advance

Regards,

Sridhar



Changing distinguished name in AD


Currently we're using the FIM Portal's Synchronization Rules to provision users in AD and we're facing a problem with the DN because the attribute contains "DisplayName" instead of a unique value. We have flows for the initial flow and not initial (to handle if user's surname changes). Is there a way to add something more to the current DN without breaking anything? The issue now is that since there are a couple of users with the same names, the synchronization fails because of the duplicate DN already existing in AD...


Configuring Galsync and Freebusy and facing a lot of issues


Hello All,

Configuring GalSync / FreeBusy and facing a lot of issues.

Requirement: We need to galsync, freebusy and delegation of mailboxes between the 2 AD forests by using AD Forest trust.

We have forest A and Forest B. Installed FIM2010 R2 and SQL 2008 R2 STD. in forest A. We have created 2 MA agents for Forest A and Forest B.

We did Full Import Stage and Full Sync happened. Now when we tried Delta Import, Delta Sync and Export, it changed the Primary Email address at Forest B.

Can anyone shed some light on this issue as I am troubleshooting but not getting any articles to this kind of errors to resolve.

Any help really appreciated

Regards

Anand S


Thanks & Regards Anand Sunka MCSA+CCNA+MCTS

FIM 2010 R2. Add manager from other forest.


Hello!

I have 2 forests A and B in 2-way trust.

I need to add a manager from forest A for a user from forest B.

From ADUC I can't do it. I can do it only with Foreign Security Principals but in Properties of the user I see only the account name.


Alex

Can MIM provision AD users based on CSV files and can it be configured for true HA?


Hi,

I've set up FIM 2010 R2 to provision AD accounts and Exchange 2010 mailboxes based on inputs from a CSV file (they're actually CSVDE exports from another domain). Account provisioning and deprovisioning works fine. I'm also using self service password resets. I need to revisit my setup to ensure that the architecture is highly available. Achieving true HA within FIM 2010 was always difficult (I'm thinking the FIM Synchronization service here). I'm considering moving to using MIM 2016, but have a few questions (as I've found getting information to be difficult):

- Can MIM 2016 provision AD accounts and Exchange 2010 mailboxes based on a CSV input file?
- Can MIM be configured for true HA?
- Does MIM come with SSPR functionality?

Thanks

A

 


IT Support/Everything

MIM 2016 and AD Forest/Domain Functional Levels


Hi,

Are there any requirements with regards to MIM 2016 deployment / features and AD Forest/Domain Functional Levels?

Thanks,

SK


Active Directory User attribute "userSharedFolder"

How to feed value for "userSharedFolder" attribute for multiple users from provided file?