Hi,

Registered for Forefront Identity Manager 2010 R2 SP1 labs and its providing me old FIM 2010 lab and not the R2 version. Am i doing something wrong?

Thanks in advance

We plan to introduce FIM for passowrd sync and galsync.

Is there any recommended settinng or tuning of SQL2008R2 we should do to introduce FIM ?

I am thinking of setting of max memory usage of SQL2008.

Andreas has posted an announcement on the FIM 2010 group on Facebook:

Peter Geelen (Microsoft Belgium) - Premier Field Engineer Security & Identity

[If a post helps to resolve your issue, please click the "Mark as Answer" of that post or click"Vote as helpful" button of that post.
By marking a post as Answered or Helpful, you help others find the answer faster.

Hi,

We are migrating from an environment that used synchronization rules from the codeless provisioning to classic coded provisioning.

There are no EREs, DREs or SRs in the metaverse or the FIM Service. All user objects have empty ERLs and DRLs.

However, when we do a preview on a user, we get the following result:

We've even tried deleting all of the connector spaces and re-joining the objects, but still see this.

There are object_types in the connector space table that say they are "NULL" object types. Not sure if that is normal or not.

Any help would be greatly appreciated!

Thanks,

Sami

Hello

I'm struggling with moving the extensible MA by PoshCompany, between machines: I'm moving from the Development Environment to the pre-Live environment. I suspect that this is a more general question about an extensible management agent which has been developed by someone else, but it's driving me nutso.

I've copied over the .dll, I've had the webservice set up correctly. I've double checked that both machines are running the same version of .Net (3.5.1). I've copied a .avp file hither and thither, but since it doesn't seem to matter where said file is (it's moved several times on the Development Machine).

Every single time I try to run my initial import, I get an error 'stopped-extension-dll-load'. The Application Event Log gives me eventID 6166 qualifier 49152, with the further information of "The run step stopped because a configured extension for this management agent could not be loaded. Verify that the extension is loaded in the Extensions Directory. If the extension is present, confirm that the version of the .NET framework that can run the extension is installed on the server and that a supportedRuntimes entry in the configurations files specifies that version. The synchronization engine will not be able to load an extension that is built with a newer version of the .NET framework than the version of the .NET runtime it is hosting."  I've double checked the relevant .config file in the extensions folder - it doesn't have a supportedRuntimes entry. And, given that the .dll dates from July 2011, I doubt that the problem is that it's been built with a newer version of .NET than that which is currently installed!

There are no errors in the Forefront Identity Manager eventlog when checking in eventviewer.

I've worked my way through http://social.technet.microsoft.com/wiki/contents/articles/17550.troubleshooting-fim-event-id-6152-stopped-extension-dll-load.aspx

The runtime section of miis.config.exe looks like this in the source

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.0.0" />
</dependentAssembly>

and this in the destination:

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.1.0" />
<bindingRedirect oldVersion="4.0.0.0" newVersion="4.0.1.0" />
</dependentAssembly>

Until I updated it to look like this:

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.2.0" />
<bindingRedirect oldVersion="4.0.0.0" newVersion="4.0.2.0" />
<bindingRedirect oldVersion="4.0.1.0" newVersion="4.0.2.0" />
</dependentAssembly>

Which didn't help

Then I changed it to being

<dependentAssembly>
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.0.0" />
</dependentAssembly>

Also, no joy. So I went back to where I'd been in the first place for the destination, double checked mnsscrpt.exe.config and created dllhost.exe.configwo as per http://support.microsoft.com/kb/2635086

I'm running 4.0.3594.2 in the DEV environment, and 4.0.3606.2 in the pre-Live environment.

All this leads me to believe that my next step is to recompile the .dll? It's probably a Good Thing that I do have access to the original code.

Any further ideas appreciated...

Jane

On the password reset page of FIM 2010, I want to include a URL/link of one of my LOB application. Can we do this?

Aim is to provide user's easy access to accessing applications after he successfully resets password.

Everywhere I see articles describing changing logo, css and pre-defined string resources. I could not see any example telling how to embed custom URL.

http://blogs.msdn.com/rahul/

Tim Macaulay Security Identity Support Team Support Escalation Engineer

Dear All,

I am in new in this forum and infact this is my very first access to this forum. I ahve been working on Forefront Identity Manager 2010 and made some progress to provision users to and from AD, FIM and SQL as well as Password Registration and Reset working fine. However I am unable to create users home folder for users being provisioned in AD from FIM. I have been viewing the blog and solution given by experts on this forum but unable to get any success. I would be grateful to you if you can tell me how to create User Home folder, either from PowerShell Activity or MA. I am at the begining so your detailed text would be appreciated.

Sarwar

Hi,

I have ILM 2007 running on a physical server 32 bit win 2003 R2 system and database on a Win 2008 server and it is on sql 2005

On the test environment, I have the similar server kit and would like to upgrade from ILM 2007 to FIM 2010

The challenges are

1. Want to retain the original database

2. Will there be an option to export the ILM 2007 key during the migration process ? (similar to what i did while migrating from MIIS 2003 to ILM 2007)

3. Will the Rule extensions work directly on FIM server or do I need to re compile them

4. Will I need to upgrade SQL 2005 to SQL 2008?

If you have a step by step process for this, it will of great help

Best Regards,

Venkat

Our FIM recently went through a botched upgrade and now the service is unable to connect to the database.  The event log is flooded with Event 3.

The current version of database is not compatible with the one expected by Forefront Identity Manager service. The current version of the database is : 1116. The expected version is : 1112.

The Forefront Identity Manager Management Agent does not support the current Forefront Identity Manager Resource Management Service database version.

- Get on the floor, do that dinosaur

Does FIM 2010 need to be installed on a Domain Controller? What if there are multiple domain controllers in multiple sites, does it need to be installed on all of them?

What options does the user have for resetting there password, is it only through Windows? How does this integrate with Mac users or mobile users?

What is the major benefit of FIM over these other companies that have these lightweight password reset tools?

Thanks.

James

Hello to All,

Description of the problem:

Our organizations have Enterprise CA installed in Failover cluster the cluster works active/passive mode.Aftersuccessful installationof theFIM 2010r2 CM Server, In additionwe installedon each node of CA the FIM CA module and configure Exit module for connectivity for SQL Data Base. We checked theproperconnectivityforCA servers to SQL Data Base via SQL FIM DB Table: Certificate Authority andWe sawtwoof thephysical CA serversregisteredin this table" Certificate Authority"- for this step look iseverythingsuccessful.

1. The main problem when I want to set and configure certificate template of CA in Profile Template of FIM CM system get the error: CcertAdmin::GetCAPropertyFlags: The RPC Server is unavailable. 0x800706ba

2. Another thingthatis not clear why in SQL FIM DB Table" Certificate Authority",physical CA servers (node) registered and not Virtual CA name server (VIP cluster name) because its Cluster?  

*When I workwith onlyone CA (note) server that register in  SQL FIM DB Table" Certificate Authority"I'm notexperiencingthe problem.

Any ideas / helps please for my issue.

Thanks

TechNet Wiki is looking for great new content, from YOU!

Show us your forum solutions or nifty knowledge nuggets and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can shine.

If you spend any amount of time crafting an awesome answer to a forum question, or just learnt something new, then why not get the most back for your efforts, by posting it to TechNet Wiki.

1) Please copy over any solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI PAGE, so we know you've contributed

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises, similar to the weekly contributor awards, however once "on our radar" and making your mark, you will probably be interviewed for your greatness, and eventually even invited into other TechNet/MSDN circles!

Either way, winning this award in your favoured technology can only be good for your career! ;)

Feel free to ask any questions below.

Thanks in advance!
Pete Laker

#PEJL Got a good solution? If you invest your time in coding an elegant/novel or large answer on these MSDN forums, why not copy it over to our belovedTechNet Wiki, for future generations to benefit from!

I've been noticing some bizarre FIM MA export behavior which started with the FIM Service throwing the failed-creation-via-web-services with the stack trace of:

Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: &lt;RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;&lt;AttributeRepresentationFailure&gt;&lt;AttributeType&gt;EmployeeType&lt;/AttributeType&gt;&lt;AttributeValue&gt;Employee&lt;/AttributeValue&gt;&lt;FailureMessage&gt;Exception: ValueViolatesRegularExpression Target(s): <Removed Account Name>
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesRegularExpression
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateObjectAttributes[T](RequestType request, Guid objectIdentifier, String objectTypeName, IEnumerable`1 parameters, OperationType operationType)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ValidateInputRequestCreate(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)&lt;/FailureMessage&gt;&lt;AttributeFailureCode&gt;ValueViolatesRegularExpression&lt;/AttributeFailureCode&gt;&lt;AdditionalTextDetails&gt;The specified attribute value does not satisfy the regular expression.&lt;/AdditionalTextDetails&gt;&lt;/AttributeRepresentationFailure&gt;&lt;CorrelationId&gt;b48b0fb1-a569-461b-ac41-a17e8bd8d3bd&lt;/CorrelationId&gt;&lt;/RepresentationFailures&gt;

Troubleshooting steps:

1.) I've checked the validation string, which is ^(Contractor|Employee)?$, on both the EmployeeType binding and the attribute, both of which match, and I still receive the above error message.

The source of the value is an HR MA constant attribute flow of "Employee" so it can't be any case or leading\trailing white space issue.

2.) Restarted the FIM Service and IIS Admin service on all FIM Service servers

3.) Cleared the FIM MA Connector Space

4.) Cleared the HR MA Connector Space

5.) Ran a Full Import and Full Sync on both the FIM MA and HR MA

Now here's where it gets weird.......some of the accounts get created and some fail. Also, if I rerun the export the failed accounts are created. In addition during the confirming import instead of seeing the newly exported person object count of say 5 updates, or whatever is the exported person count, I see 5 Adds and 50 updates. The additional updates seem to be caused by the workflows updating person object data on the FIM Service side but I've never seen that kind of behavior before.

With that said has anyone seen that kind of behavior and if so how did you resolve the problem?

Any help would be greatly appreciated!

Thanks,

Austin

I've extended the Groups RCDC to display "Account Name" in the different controls showing members, for both Manually-Managed and Criteria-Based groups.  This includes Current Membership & "Member To Remove" in a Manually-Managed group, and Preview Membership in a Criteria-Based Group.

Displaying the additional attribute works just fine, however when the Column Heading (in this case "Account Name") is clicked, intending to sort the list by Account Name, the list goes blank.  Closing & re-opening the RCDC brings the list back.  Sorting using the out-of-the-box "Display Name" and "Resource Type" column headings work just fine.  I am seeing the same result in each of controls that I listed above.

I'm running version 4.1.3451.0 and have confirmed this issue on multiple instances running this version, as well as an instance running version 4.1.2273.0.  I have also tried another attribute (instead of AccountName), with the same result.

Can anyone confirm whether this is a bug, or if I am missing something with my RCDC configuration?

I've included the relevant groupings from the RCDC below:

Thanks!

-Ryan

I am creating an ECMA2 MA.

I have a couple of metaverse attributes, that I use ONLY when exporting - and that I cannot read back in an import, because they are not stored anywhere. 

So the export works fine, but when I then try to Import, I get "exported-change-not-reimported" errors.

How can I avoid that?

One workaround is to define a constant import for an export-only attribute. This will not get rid of the "exported-change-not-reimported" errors on first import, but on subsequent export/import cycles, the constant value will have taken over, and I will not get the error again. Feels like a dirty hack though, since I still get the error first time around.

Another workaround could be to store the export-only values in a file or something, so I can import them again, but that seems like a lot of trouble for no value - and just another dirty hack. 

If anybody is wondering "why would you export something, that you cannot import again":

An example is that on export I supply a geographic identifier, to determine which mailstore a new shared mailbox (exchange) should be created in. That geographic id is never stored anywhere, as it is only used temporarily.

---Sig---

Hi,

I have Dirsync installed for O365 and its been working perfectly for the past couple of weeks but when I logon today the FIM service was stopped and when I tried to start I  get errors below. The account obviously as it has been working does have full access to the reg key.

Log Name:      Application
Source:        FIMSynchronizationService
Date:          04/08/2013 14:07:58
Event ID:      6208
Task Category: Database
The server encryption keys could not be accessed. 
 User Action
 Verify that the service account has permissions to the following registry key:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service
 

Celtic

We use MIIS for galsync.

If some MA had connected to metavase person object ,

and that MA's  had import flow and was imported some values to person object and that CS object were  disconnected from  person object, what will happne to person object ?

Those person attribute values which are imported from that MA will disappear when disconnected ?

I am getting the following error when trying to start the FIM sync service:-

Windows could not start the Forefront Identity Manager Synchronization Service service on Local Computer.Error 5: Access is denied.

And this is what in application logs:-

The server encountered an unexpected error and stopped.

"BAIL: MMS(5472): d:\bt\800\private\source\miis\server\server\service.cpp(2260): 0x80070005 (Access is denied.)

BAIL: MMS(5472): d:\bt\800\private\source\miis\server\server\service.cpp(1088): 0x80070005 (Access is denied.)

Forefront Identity Manager 4.1.3419.0"

Any HELP please.....

<o:p></o:p>

<o:p></o:p>

Hello,

i am using ILM 2007 to sync users from AD to Novell Edir (and PCNS to sync passwords). Everything is working very well but now i have problem. My client ask me to sync also the password reset. I mean, when the help desk operator reset a password in AD for a user, he checks the "user must change the password at next logon" check box. This won't be synched to Novell (that use another way to ask for a new password) and so the users can use the temporary password to login in Novell without to be prompted for a new password.

Novell use attribute "passwordExpirationTime" that must be set to a date in the past (so for Novell the password is expired and asks for a new one). In AD, when "user must change the password at next logon" is checked, the attribute "pwdLastSet" is forced to ZERO.

I can manage this, using a management agent extension to transform "pwdLastSet=0" to "passwordExpirationTime=01/01/1992". But the problem is that passwords are synchronize in real time, while the pwdLastSet attribute is synchronized only based on the run profile schedulation. I can't be sure that right after a password sync, a delta sync is run.

I know that i can write a password extension, but probably i cannot it use with the Novell MA, is it right ? Do i have to write also a new MA ?

Thanks !

Bodo