Generic SQL Connector - Export Type: Object Replace option

June 25, 2018, 5:26 pm

≫ Next: MIM Justification - Justification response provided by the approver

≪ Previous: Physical to Virtual Migration of FIM server

$

0

0

Hi,

I am currently implementing a Generic SQL Connector based on Stored procedures only (not direct access to the table). For the export, an ADD and UPDATE stored procedures have been implemented. To be able to clear value in the table, I wanted to use the option:"Export Type: Object Replace" available on the connector second page. From the documentation, this option should do:

Export Type: Object Replace: During export, when only some attributes have changed, the entire object with all attributes is exported and replaces the existing object.

Ref: https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql
  

By ticking this option, I would expect that FIM/MIM would send the whole object (all the attributes configured to be exported) with NULL value where this no value for an attibute. It's look like that this option is not taken in consideration by the Management Agent. Here the result of the log file after an export with this option activated:

<?xml version="1.0" encoding="UTF-16"?>
<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
  <directory-entries>
<delta operation="update" dn="MIM_History+220175640">
 <anchor encoding="base64">GAAAAE0ASQBNAF8ASABpAHMAdABvAHIAeBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA==</anchor>
 <primary-objectclass>MIM_History</primary-objectclass>
 <objectclass>
  <oc-value>MIM_History</oc-value>
 </objectclass>
 <attr name="GIVENNAMES" operation="update" type="string" multivalued="false">
  <value operation="delete">Yfwegewi</value>
  <value operation="add">Yigsgd;Erfsfic Dudspond</value>
 </attr>
</delta>
  </directory-entries>
</mmsml>


Did anyone has the same issue in the past? Is it a bug in the MA or did I misconfigure something?

What would be a good workaround to clear value in a table with an UPDATE stored procedure?

Thanks in advance for you help.

Anthony S.

---

MIM Justification - Justification response provided by the approver

June 26, 2018, 2:51 am

≫ Next: Deprovisioning stopped

≪ Previous: Generic SQL Connector - Export Type: Object Replace option

$

0

0

So how we really get the value of the response provided by the approver for example to include it in email notification?

Some examples in internet are providing solution to use [//WorkflowData/Reason]. But somehow we need to include the value to worflowdata dictionary.

Deprovisioning stopped

June 26, 2018, 5:53 pm

≫ Next: Accounts are being created as Disabled in Active Directory even with 512 in user control account value

≪ Previous: MIM Justification - Justification response provided by the approver

$

0

0

MIM - HR MA deprovisioning is set to 'Make them disconnectors'.  It is connecting to a SQL view and is updating and creating accounts, but is not deprovisioning those not in the view. AD MA is using a rules extension file which disables and moves them to disabled OU. Was working correctly then stopped. Had made change to the rules extension file that creates the account name and now accounts are being created in the new format, but those not in the view are not being disabled. No changes to the rules extension for deprovisioning. Set the previous version of the rules extension file which creates account name back and still no account disables. 

Accounts are being created as Disabled in Active Directory even with 512 in user control account value

June 26, 2018, 11:36 pm

≫ Next: exporting null value to AD Accountexpires

≪ Previous: Deprovisioning stopped

$

0

0

Hi All,

Greetings! I am facing this issues since from last three days. All of my accounts that are being provisioned from MIM to Active Directory are created as disabled accounts in Active Directory. Even I am passing 512 to UserControlAccount attribute. 

Below are the stats of AD MA Export for one record. Now when I see in AD, this account is marked as disabled.

Kindly help me and guide me in this regard.



---

F.

exporting null value to AD Accountexpires

June 27, 2018, 12:48 am

≫ Next: stopped-extension-dll-exception

≪ Previous: Accounts are being created as Disabled in Active Directory even with 512 in user control account value

$

0

0

Dear All,

I am trying to delete existing accountexpires value. using following c# script but no luck

long iFileTime = 9223372036854775807;
                    if (mventry["employeeEndDate"].ToString() != null)
                    {
                        DateTime dtFileTime = DateTime.ParseExact(mventry["employeeEndDate"].Value, "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'", provider);

                        csentry["accountExpires"].IntegerValue = dtFileTime.ToFileTimeUtc();
                    }
                    else
                    {
                        csentry["accountExpires"].IntegerValue = iFileTime;
                    }

Need Your Help!

Thanks,

Shashidhar

stopped-extension-dll-exception

June 27, 2018, 4:56 am

≫ Next: Who will be announced as the next FIM Guru? Read more about July 2018 competition!!

≪ Previous: exporting null value to AD Accountexpires

$

0

0

Dear All,

when I am trying to run Export Profile Getting stopped-extension-dll-exception status.

Who will be announced as the next FIM Guru? Read more about July 2018 competition!!

July 1, 2018, 12:45 am

≫ Next: Changing HRDB Table

≪ Previous: stopped-extension-dll-exception

$

0

0

What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in July 2018 and must be in English. However, the original blog or forum content can be from before July 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!

---

Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discusse advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.

---

How can you win?

1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

---

Do you have any question or want more information?

Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read Moreabout TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from Vimal Kalathil.

Thanks in advance!
- Ninja [Kamlesh Kumar] TechNet Wiki Council

---

Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answeror vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Changing HRDB Table

July 2, 2018, 11:06 pm

≫ Next: MIM 2016 portal installation error under SharePoint 2013 and SQL 2016

≪ Previous: Who will be announced as the next FIM Guru? Read more about July 2018 competition!!

$

0

0

Dear Team,

Testing purpose we have created SQLMA with Test Table. Now we would like to change it to production SQL view.

How to change and does it affect SQLMA?

Thanks,

Shashidhar

---

MIM 2016 portal installation error under SharePoint 2013 and SQL 2016

July 3, 2018, 1:46 am

≫ Next: AADConnect password sync direction

≪ Previous: Changing HRDB Table

$

0

0

I'm trying to deploy MIM 2016 in a test environment. I have deployed Sharepoint 2013 SP1 and SQL 2016 Enterprise. Trying to install MIM Service and Portal but I'm getting error "the feature you have selected have the following prerequisites. Refer to the installation guide for more information. Please update your machine and retry the installation. -Sharepoint"

Can anyone help me out?

AADConnect password sync direction

July 3, 2018, 2:51 pm

≫ Next: importing from azure active directory connector gives only few attributes

≪ Previous: MIM 2016 portal installation error under SharePoint 2013 and SQL 2016

$

0

0

Hi,

Does AADConnect support bi-directional password sync (so from on-prem to Azure cloud and vice versa)?

So if I change my password on-prem, AADConnect syncs the pwd to my Azure account?

And if I change my password in Azure, AADConnect syncs the pwd back to my on-prem account?

Assume that AADConnect is already setup and synchronising my on-prem identities with Azure.

Cheers & Thanks

SK

importing from azure active directory connector gives only few attributes

July 4, 2018, 9:11 am

≫ Next: MIM 2016 SP1 Lab Install Issues - Synchronization Service

≪ Previous: AADConnect password sync direction

$

0

0

Hello,

I have to connect the output of non active directory system to Office365 to provision users. To this end I have installed MIM 2016 and added the azure active directory connector.

The office365 tenant has pre-existing user accounts. I specified an immutableId for these accounts using powershell. I then was able to import these users.

The problem is I get only very few attributes in the import, though I selected many for import.

I would at least expect a value for userprincipalname and the email addresses of the user, but I barely get more than first and lastname. How do I get the agent to import more attributes? Is this a result of those account already existing? If so how do I convert them to "synced" accounts?

Hope somebody here know the answer.

MIM 2016 SP1 Lab Install Issues - Synchronization Service

July 5, 2018, 4:55 am

≫ Next: MIM 2016 Support for PostGre SQL

≪ Previous: importing from azure active directory connector gives only few attributes

$

0

0

Following the below article in a hyper-v lab.

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-deploy

Lab Setup

2 x Windows Server 2016 VM's consisting of 

1 x Domain Controller hosting AD

1 x Member Server hosting SQL 2017, SharePoint 2016

I get to the point where I now want to install MIM Synchronization Service

https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync

The install goes through successfully except I get an error saving the Sync Service Key

*****

“The Forefront Identity Manager Synchronization Service setup wizard was unable to back up the key set. <hr=0x80131600>

*****

I try and launch the MIM Synchronization Service and I get an error saying

I checked the service and it isn't started so I try and start it manually and I get the below

In the Windows System log I get the below error

I have followed the deployment guide with the exception of installing SQL Server 2017 instead of 2016. Does anyone have any steer on where I'm going wrong here? any guidance would be appreciated!

MIM 2016 Support for PostGre SQL

July 5, 2018, 6:15 am

≫ Next: Error refreshing directory partitions

≪ Previous: MIM 2016 SP1 Lab Install Issues - Synchronization Service

$

0

0

Hi EveryOne,

I wish to know if there is anyone who has been able to integrate the MIM 2016 SP1 Generic SQL Connector successfully with PostGre SQL 9.x Database.

The configuration works, and Import works as well but I am having some issues with Export Run. Troubleshooting with PostGre ODBC Logs shows that Export activity from MIM is not recorded, while Import activities are well logged.

On the MIM Synchronization Console, the error is described as "unexpected error 0x8ffe2740" after Export run.

I am almost concluding that this issue could because PostGre SQL is not on the list of supported Databases for MIM 2016 Generic SQL Connectors.

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql

Appreciate some advice from anyone with some experience with this or a workaround to address the issue.

Thanks

Error refreshing directory partitions

July 5, 2018, 9:31 am

≫ Next: Synchronize user password across 2 AD forests

≪ Previous: MIM 2016 Support for PostGre SQL

$

0

0

We've made some changes to our forest, removing some child domains and adding others. When I try to refresh the partitions on the AD MA, I get: "An error was encountered while refreshing domains: Unable to cast object of type 'System.Collections.ArrayList' to type 'Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject'.

I'm on Version 4.4.1749.0 of the Synchronization Service Manager, running on Server 2012 R2.

---

Ed Bell - Specialist, Network Services, Convergys

Synchronize user password across 2 AD forests

July 8, 2018, 5:50 am

≫ Next: MiM SYNC cross forest - Group Membership - Contacts & Users

≪ Previous: Error refreshing directory partitions

$

0

0

Hi,

Please help on the below requirement.

Forest A (Domain - 1), Forest B (Domain - 2) Both forest functional level 2012 R2 having 

Primary users in A1 (applications and computer domain) and have the same user accounts created in B2 (O365 emails is hosted) in an OU. Need to synchronize the password from A1 to B2 so that the users have to remember only 1 password for computer login and O365 emails.

I have gone through the below article which gives a good insight but it does not specify whether the users are already created in the trusting domain (Fim.lab.local)

https://social.technet.microsoft.com/wiki/contents/articles/19821.how-to-password-synchronization-with-pcns-using-a-one-way-externalforest-trust-with-selective-authentication.aspx

Regards,

Shoeb

---

MiM SYNC cross forest - Group Membership - Contacts & Users

July 10, 2018, 3:52 am

≫ Next: MIM and Cardax integration

≪ Previous: Synchronize user password across 2 AD forests

$

0

0

Currently I have MIM sync implemented with GALSYNC to create and manage cross forest contacts.  Now I want to expand on this.   We are currently doing a cross forest move of users with ADMT, Prepare-mailboxmove.ps1.  This process works fine, a user in A is move to B and through SID history they also keep their group memberships.  What I want to do is populate the corresponding Mail Enabled distribution groups with the users contact in Domain B, when the user is migrated to domain B the contact is created in A (Currently working) and the contact is also added to the correct Distribution Group.  Is this even possible?

Domain A	Domain B
USER.A1	USER.B1
Contact.B1	Contact.A1
Before Migration
DL	DL
Contact.B1	User.B1
After migration
DL
User.B1	Contact.B1

MIM and Cardax integration

July 10, 2018, 4:46 pm

≫ Next: Clear value in source on FilterForDisconnection

≪ Previous: MiM SYNC cross forest - Group Membership - Contacts & Users

$

0

0

Hi,

Has anyone integrated FIM/MIM with a building access security card system called Cardax before?

Which MA did you use / develop?

Were there any complexities to be aware of?

Thank you,

SK

Clear value in source on FilterForDisconnection

July 11, 2018, 11:12 pm

≫ Next: Synchronizing nested active directory groups

≪ Previous: MIM and Cardax integration

$

0

0

I have a FilterForDisconnection rule so that CS entries are removed that satisfy a certain condition. What I need to do is set a value on that newly disconnected object - the metaverse entry remains so I don't think it comes under deprovisioning. I just need to write something to the actual object in the source before it's disconnected. Is there some way I can do this?

Synchronizing nested active directory groups

July 12, 2018, 2:38 am

≫ Next: FIM 2010 R2 - Removing attribute from Attribute Flow

≪ Previous: Clear value in source on FilterForDisconnection

$

0

0

Hello dears..

is there any way to sync groups between active directory and MIM 2016 without expanding nested groups and convert it to a group that contains members only ?

I have some cases that I need to manage membership of nested groups without the members expanding, please help.

thank you :)

FIM 2010 R2 - Removing attribute from Attribute Flow

July 12, 2018, 6:04 am

≫ Next: Bhold breaks nested groups structure in active directory

≪ Previous: Synchronizing nested active directory groups

$

0

0

Dear community,

In an Account & Resource Forest scenario for Exchange, FIM 2010 R2 has been installed and configured with two Management Agents. Currently, one Management Agent is importing user objects from the Account Forest into MIM, the other Management Agent is exporting those user objects from MIM into the Resource Forest.

Currently, the attribute "mailNickname" is synchronizing from the Account forest into the Resource forest thru FIM.

My intend is, to remove the attribute "mailNickname" from the attribute flow, so that this attribute is not synchronized into the user objects in the Resource Forest from the user objects from the Account forest anymore - BUT I have to make sure, that user objects in Resource Forest, who already have the attribute "mailNickname" set, that the attribute "mailNickname" will not be deleted or emptied - the user objects in Resource forest  should remain as they are.

How FIM thinks and works in that case?
Does FIM no longer feel responsible for the attribute "mailNickname" in the Resource Forest if I remove the attribute from the attribute flow? (which is what I want) Or will FIM remove the attribute "mailnickname" from all user objects in the target Resource Forest (which is not what I want)?

Thanks everybode for input!