Channel: Forum Microsoft Identity Manager

Get pending operation for a CS object with an export error


I'm writing a PowerShell script that sends a warning email in case an export operation fails with a certain error count (e.g. if an export fails 5 times probably some manual action will have to be taken in the connected system).

I manage to get the export errors analyzing the xml provided by the RunDetails function of MIIS_ManagementAgent:

$runDetails = [xml]$managementAgent.RunDetails().ReturnValue
$exportErrors = $runDetails.'run-history'.'run-details'.'step-details'.'synchronization-errors'.'export-error'

However, export error details do not include the operation (add, replace, delete) that failed. The xml looks like this:

<export-error cs-guid="{61A544B0-C19F-E311-B753-00155DFF7EED}" dn="316f5dc6-d8ed-460d-a2d4-700775e99055"><date-occurred>2014-02-28 09:21:40.322</date-occurred><first-occurred>2014-02-27 15:46:10.897</first-occurred><retry-count>20</retry-count><error-type>ma-extension-error</error-type><cd-error><error-code>0x80230703</error-code><error-literal>(error message)</error-literal></cd-error></export-error>

I tried checking if the connector space object contains information about the pending operation, but couldn't find it there either.

Is there a method to determine what's the type of the pending export operation?

I was thinking I could check the UnappliedExportHologram and UnconfirmedExportHologram of the MIIS_CSObject, but I'm not sure it's correct (and maybe there's a simpler way).

Thanks,
Paolo


Paolo Tedesco - http://cern.ch/idm
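An added example, not part of the original post: one way to pick out the export errors whose retry count has reached an alert threshold, using XPath so that runs with no export errors or with several step-details elements are handled. The function name `Get-RepeatedExportError` and the threshold default are assumptions; the sample input is the `<export-error>` element quoted in the post, wrapped in the element path the post's script walks.

```powershell
# Constructed sample: the <export-error> element quoted in the post, wrapped in
# the element path that the post's script walks.
$sampleRunDetails = @'
<run-history><run-details><step-details><synchronization-errors>
<export-error cs-guid="{61A544B0-C19F-E311-B753-00155DFF7EED}" dn="316f5dc6-d8ed-460d-a2d4-700775e99055"><date-occurred>2014-02-28 09:21:40.322</date-occurred><first-occurred>2014-02-27 15:46:10.897</first-occurred><retry-count>20</retry-count><error-type>ma-extension-error</error-type><cd-error><error-code>0x80230703</error-code><error-literal>(error message)</error-literal></cd-error></export-error>
</synchronization-errors></step-details></run-details></run-history>
'@

# Hypothetical helper: returns one object per export error that has been
# retried at least $Threshold times.
function Get-RepeatedExportError {
    param(
        [Parameter(Mandatory)] [xml] $RunDetails,
        [int] $Threshold = 5
    )
    # SelectNodes returns an empty list (not $null) when a run has no export
    # errors, and it also covers runs with several step-details elements.
    foreach ($node in $RunDetails.SelectNodes('//synchronization-errors/export-error')) {
        $retryCount = 0
        $retryNode = $node.SelectSingleNode('retry-count')
        if ($null -eq $retryNode -or
            -not [int]::TryParse($retryNode.InnerText, [ref] $retryCount)) {
            continue   # skip errors that carry no numeric retry count
        }
        if ($retryCount -ge $Threshold) {
            [pscustomobject]@{
                CsGuid        = $node.GetAttribute('cs-guid')
                Dn            = $node.GetAttribute('dn')
                RetryCount    = $retryCount
                ErrorType     = $node.SelectSingleNode('error-type').InnerText
                FirstOccurred = $node.SelectSingleNode('first-occurred').InnerText
            }
        }
    }
}

# With the sample above this emits one object (retry count 20 >= 5).
Get-RepeatedExportError -RunDetails $sampleRunDetails -Threshold 5
```

In the post's script the `-RunDetails` argument would be `$managementAgent.RunDetails().ReturnValue`.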


How to empty an attribute in MV before export?


Hi,

Sorry for the noob question: I'm looking for a possibility to empty an attribute before I export it.

I have 2 Active Directory MAs. One imports objects and attributes to the MV and the other exports the attributes to another Active Directory.

Sometimes I need the possibility to empty an attribute before exporting it without deleting the attribute flow.

If I try to use a constant then I can't set it to an empty value. Is there any (easy) possibility to empty the attribute so it is set to <not set> in the target Active Directory? (for every attribute type, e.g. DN, string, boolean, ...)

Thank you!

FIM 2010 management agent support Oracle Identity directory OID 10.1.4.2.0


Does FIM 2010 R2 SP1 support OID version 10.1.4.2.0? If there is no support for OID then what is the alternative for making its connectivity?

Run History - Details


Is there a way to export a specific Export Run from the Run-History along with what specifically was modified, using PowerShell or some other automated way? I have a number of modifications and can't do it manually.

Custom FIM BHOLD approval


I am aware of the concept of role approval within FIM BHOLD.
But is there a way to change this? Is it possible to run my own authorization workflow on BHOLD requests?

Thanks, Henry

You can be our next Spring FIM Guru !!




In the northern hemisphere at least, Spring is here! (apparently)

And at TechNet Wiki, we're hoping you're all hatching new ideas for this month's TechNet Guru competition!

We're looking for more shoots and leaves of wisdom to sprout forth from the great tree of MSDN/TechNet life.

We're also hoping some of our old Guru winners will be coming back out of hibernation and flexing their grey matter!

So, pick up your pen and MARCH into TechNet History! This could truly be the start of something BEAUTIFUL!

What delightful new arrival will YOU be bringing into this world?

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL

Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to the one and only TechNet Wiki, for future generations to benefit from! You'll never get archived again!

If you are a member of any user groups, please make sure you list them in the Microsoft User Groups Portal. Microsoft are trying to help promote your groups, and collating them here is the first step.

Delegation in FIM 2010


Experts,

Is it possible to delegate the role in FIM 2010?

Say I have a requirement where the manager requests account activation. Initially from HR, accounts are getting created in a disabled state.

In case the manager is not present, can the manager delegate this right to some other person?

Kindly suggest.

Thanks,

Mann

FIM Web Service Connector - how to pass all known employee IDs to the web service?


Hi all,

I'm implementing the web service connector for a customer who have presented an extract to me which expects the Employee ID number to be passed in, in order to return the information.

Looking at the samples, I can see examples of paginating through characters and appending a wildcard '*' but that's not an option.  If I, as a one off, specify a valid employee ID, I do get the data, so I know that works.

Setting a paginate depth of 3 and a pattern of "include [0-9]", I can see through a logging activity it paginating through

000
001
...
999

which would achieve what I need through a (very!) brute force method if I was able to increase the depth to 8, but unfortunately (or fortunately!) that's not a valid depth.

Does anyone have any experience of something similar and can we paginate through a list obtained from SQL, for example?

Any assistance would be appreciated.

Many thanks,

Paul.



Unable to Export / Import Google APP MA


I am unable to either export or import from the Google APP MA.

I get the following error:

 

The extensible extension returned an unsupported error.
 The stack trace is:

 "Microsoft.MetadirectoryServices.ExtensibleExtensionException: The given key was not present in the dictionary. ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
   at FimSync_Ezma.EzmaExtension.OpenExportConnection(KeyedCollection`2 configParameters, Schema types, OpenExportConnectionRunStep exportRunStep)
   --- End of inner exception stack trace ---
   at FimSync_Ezma.EzmaExtension.OpenExportConnection(KeyedCollection`2 configParameters, Schema types, OpenExportConnectionRunStep exportRunStep)
Forefront Identity Manager 4.1.3419.0"

Please help me with this. I tried to google this but could not find a relevant answer.

How to stop FIM from Deleting Connections?


There is something that I need, but have been unable to do... and that is to keep my BDC data even when there is no connection. I have not been able to figure out how to stop deletes from happening... this is what happens when my service is down

This is the result of the DeltaImport... It adds a SPS-Dummy object and removes all my objects, this causes all my fields in the user profile to become empty. I do not want this to happen. How can I configure FIM to not do this?

This is the result of the DeltaSync...

I have been working on this for days, and I just can't figure it out. I am going crazy!!! Please assist me.

FIM 2010 R2 SP1 on Windows Server 2012


I am installing FIM 2010 R2 SP1 on Windows Server 2012.

However, the following prerequisite is a problem:
"Windows SharePoint Services 3.0 Service Pack 2 (SP2) or Microsoft SharePoint Foundation 2010."

"Windows SharePoint Services 3.0 Service Pack 2 (SP2)" cannot be installed on Windows Server 2012.

Do I need to install Microsoft SharePoint Foundation 2010 or is there any workaround?

Thanks,
Mann

Bulk Load FIM/Powershell - Extra account updated


Hi ~

I'm doing a test bulk upload using a file that contains only one record.  After running PS script successfully, I check my search requests and see that two records files have actually been changed by the script.  I've reviewed the script for any mentions of the second record ~ nothing there.  Has this happened to anyone else?  How can I troubleshoot this?

Thanks,

Kim

Altering a FIM metaverse attribute-type


Hi All,

I have recently become acquainted with FIM 2010 R2 and I'm still learning all of the inner quirks that this wonderful product has to offer.

We are currently in the process of configuring the AAD connector (http://technet.microsoft.com/en-us/library/dn511001%28v=ws.10%29.aspx & http://technet.microsoft.com/en-us/library/dn511002%28v=ws.10%29.aspx#BKMK_SampleScript) for a customer (in lieu of using DirSync). Our original infrastructure and deployment included DirSync as well as a consolidated Active Directory. I understand that the AAD connector has recently gone to GA (General Availability). As an attempt to minimize the infrastructure/components required for the deployment, we have removed DirSync and the Consolidated AD out of the picture.

Our implementation of FIM currently has multiple MAs (management agents) configured and running periodically. While going through the AAD connector guides, we realized that we needed to create several new metaverse attributes and object classes in order to support the AAD connector. In conjunction with the sample code provided and as a general inquiry, we are attempting to modify one of the attributes (accountEnabled) in the metaverse from an attribute-type of String (non-indexable) to Boolean.

What is the safest way, if any, to change an attribute-type in the metaverse? This attribute seems to be used in various spots throughout FIM (in attribute flows mostly), so we do not want to break any of the existing functionality.

I understand that the easiest way is to simply alter the sample code and change it to represent a String instead of Boolean. For now, this is not the intended method, unless stated otherwise by the FIM SMEs.

I appreciate any help that can be provided. Any feedback on your own experience with the AAD connector is also appreciated (pros & cons).

Thanks,

LG


Azure AD connector, FIM, ADFS and multiple forests.

Hi - Hope you can help. I have a pretty unique problem in our business and I'd like to check whether we can solve it with the AD connector for FIM. We have multiple AD forests in our business with trusts between them (about 10 forests!). We also have FIM implemented with all objects in the 10 forests synchronised to a centralised directory - with linked user objects. We are looking at moving to Office 365 but we realise that the DirSync won't work with our 10 forests. So we would presumably need the AD connector for FIM combined with ADFS.

Assuming that the AD connector can synchronise all the correct attributes to AD in Office 365, how does the authentication work? If a user logs in from their own forest, using their password in their local forest, what kind of ADFS architecture would one need? i.e. does the ADFS server look back to the source forest for that user? Can one ADFS server look back to every source forest if there are 10 of them? Does ADFS know that the user in the source forest is the same as the user in the unified directory that FIM updates?

Hope this scenario makes sense. I guess my real question is whether I can have a hybrid solution with Office 365 and 10 forests where all the AD admin and password management is done in each source forest. Thanks in advance for any advice!

RCDC dynamic operation

I have a Boolean attribute (say "isPermanent") on each user object. I want to create a field in the user RCDC which will allow only the accountname of user objects which have "isPermanent" set to true. Is it possible?

account for FIM Service MA


Experts,
I am going through the FIM installation guide "http://technet.microsoft.com/en-us/library/hh332707(v=ws.10).aspx".

It is mentioned to create a 'domain service account' for FIM Synch service, FIM Password reset portal, SharePoint service etc., but for 'FIM Service Management Agent', just a 'domain account'.

Is there any difference between 'domain service account' and 'domain account' or am I reading too much in between the lines?

Thanks,
Mann

[Troubleshooting] Certificate Services fail to start after installing CM CA Modules:

SSPR config question


Hi,

Assume we have 2 different user types: staff and students.

  • Student accounts reside in their own forest
  • Staff accounts reside in 2 different and separate forests
  • FIM resides in another separate forest (a resource forest)

We are about to deploy SSPR in the resource forest, and need the following functionality:

  • When resetting the password, Staff will type in "domain\username"; Staff will use the question & answer SSPR approach
  • However, Students will use the OTP approach and only type in their "username" since many won't know the domain name (we will set the 'defaultdomainName' attribute in the config file)

My question is this:

  • Because we need 2 different SSPR approaches and for Students we need the 'defaultdomainName' prepopulated - will we need 2 separate instances of the SSPR Portal deployed on 2 separate servers?

Thanks,

dw

FIM portal data validation


Hi,

I've implemented some basic data validation in the FIM portal by editing the RCDC configuration for the user editing control. I've added a regex expression for post code with a value of "^[0-9a-zA-Z\s]*$"

Most of the examples I come across regarding portal validation all refer to copying the RCDC, creating a new control and then modifying that. My way seems to work, but I wanted to know if there's a good reason why I can't modify the XML associated with the original RCDCs?

Thanks


IT Support/Everything

ERE not getting add for existing AD users

We are in the process of prod movement in FIM. Now the FIM portal will be the authoritative data source. So while provisioning existing AD users from AD to FIM, I can see these existing users (provisioned from AD) didn't have EREs present. Any idea on how to resolve this issue?

