Channel: Forum Microsoft Identity Manager

Migration from MIIS to FIM


I am planning to migrate from MIIS to FIM for galsync.

I got the following useful advice here.

If you are planning to install FIM from scratch and re-import all users from all forests, you can then make the test mentioned, where you should select only the user/s OU to import for the test and leave in the target OU only the contact/s for the test.

The steps should be (example on two forests):

1. Un-check "Enable Provisioning Rules Extension" (from the tools--> options)

2. full import (stage only) from ForestA MA

3. full import (stage only) from  ForestB MA

4. full synchronization from ForestA MA (Project users of ForestA)

5. full synchronization from ForestB MA (Project users of ForestB and Join contacts of ForestA)

6. full synchronization from ForestA MA (Join contacts of ForestB)

7. Re-check "Enable Provisioning Rules Extension"

Remark: of course, each MA is a Source and also a Target

You will find all the information needed for GALSync in the following link: Global Address List Synchronization (GalSync) Resources

There are some questions I have.

1. Does un-checking "Enable Provisioning Rules Extension" make the sync ignore the call to the provision function of the MV rule extension?

2. If we fail to join some of the existing contact objects, is there any negative impact on the production environment if we delete those GALMA and CS objects of FIM? I would like to think about a recovery plan.

 


Synchronize Tivoli Directory Server via LDAP Proxy


Hello, 

I am trying to fix some issues in my environment to be able to use an LDAP Proxy (Tivoli Directory Integrator) to connect FIM 2010 R2 and Tivoli Directory Server.

I created the Management Agent (IBM Directory Server) and checked the container that I want to synchronize, but when I run a first Full Import profile to get the containers in the connector space, I get an error "Dropped-connection".

Any idea how to resolve that?

FIM export stopped-server error for SSPR


Hi folks,

I am facing some problems with FIM Export. When I ran a delta sync, in the Sync Service Manager, I got Status "Stopped-Server". It worked before for a few months and all of a sudden, it stopped working. It used to take about 2 min to finish successfully, now it takes about 20 min to show this error. The export statistics show all 0 for all the fields.

In the system Application log, I got this "The management agent "FIM Service MA" failed on run profile "FIM Export" because the server encountered errors."

In the FIM event log, I got this:

Log Name:      Forefront Identity Manager Management Agent
Source:        ForefrontIdentityManager.ManagementAgent
Event ID:      3
Task Category: None
Level:         Error
Computer:      FIMSyncSrv.domain.local

Description:
System.InvalidOperationException: The export session has timed out waiting for responses.  

That amount of time can be configured using the exportActivityTimeoutInSeconds attribute of the resourceSynchronizationClient element within the Forefront Identity Management Synchronization Service application configuration file.  The default duration is 600 seconds.  If the volume of requests is very high, then using that attribute to increase the duration would be advisable. 

However, one should investigate why no responses to export requests have been received within the default amount of time.  Requests created on behalf of the Forefront Identity Manager Synchronization Service should be investigated to determine whether they are taking an unexpectedly long time to process. 

I have checked that both the FIM Service server and the Sync server are running the same version of the FIM binaries. No hotfix or update was installed on either FIM box when the problem started to happen. I never manually touched the sync service application config file before, so I don't really think I corrupted it. Both servers have been rebooted multiple times and I also manually bounced both the FIM Service and the Sync service multiple times with the same error.

I don't know where to look at this point. Is there a log to trace it, or how should I continue troubleshooting?

Thanks,

Equal precedence rule


Can someone help me understand how equal precedence works in this case?

I have a date attribute and equal precedence of both FIMMA and HR.

Scenario 1: dateAttribute: 6/6/2013; date from HR says: 12/31/2013. dateAttribute changes to 12/31/2013

Scenario 2: dateAttribute: 12/31/2013; date from HR says: 6/7/2013. dateAttribute changes to 6/7/2013

Scenario 3: Admins change the date in FIM to 9/30/2013. Date from HR stays the same (6/7/2013). Would the date attribute be changed to 6/7/2013 in the next HR sync for equal precedence even if there is no change in HR?

Thanks!

FIM 2010R2 how automatic synchronization exchange2010 GAL between two forests?


Hello All,

I have a question:

FIM 2010R2 how automatic synchronization exchange2010 GAL between two forests ?

Thanks

AD Delta Mechanism

Hi, I'm interested in the delta mechanism for Active Directory delta imports using the AD MA. When I do an import, how does it know what is a new change, and what does it do to be aware that these changes should not be included in a future delta import? Hypothetically, if I had two FIM instances delta importing from the same directory, would they interfere with each other's understanding of what is a new change?

BHOLD core portal showing blank page


Hi,

We have deployed FIM 2010 R2 in our client environment, say SERVER1. We need to deploy BHOLD in our client environment to enable user attestation to verify the user accesses.

In our test lab, we have installed the BHOLD core module on a separate server, say SERVER2. SQL Server resides on SERVER1 and both servers (SERVER1 and SERVER2) belong to the same domain, say DOMAIN1.

We have performed all the prerequisite steps and installed all the prerequisite software for BHOLD core, but still, after successful installation of the BHOLD core module, when we tried to access the URL http://server:5151/bhold/core, a Windows popup comes up asking for credentials. After providing the credentials, it displays a blank page.

I have rechecked all the prerequisites:

- required user and group created and added to the IIS_USRS group

- Installed .net framework 3.5.1, Silverlight 5, IIS with ASP.Net and scripting tools

- Windows in 2008 server R2 and SQL version is 2008 R2

- Machine is domain joined (same domain as of FIM)

Can somebody help me in identifying the issue? I am not sure why the portal is showing blank page.

Quick response will be really helpful.

Thanks,

Sanjog



Impact on FIM if authoritative database is restored every day


Hi,

We are pulling the user information from an employee details SQL table into FIM. Could anyone please suggest what the impact on FIM will be if we restore the SQL table database every day? There will not be any change in database name, employee details and credentials.

Regards

Harry


FIM cross forest deployment-to sync groups without trust relationship


We have two forests without any trust relationships.

Can we use FIM in any way to sync groups from the Forest B to Forest A and the FIM portal.


shakti

PCNS are not delivering password to existing Target users


Hi,

I am getting a strange problem in PCNS.

I have two forests or domains, ABC.INTRANET (SOURCE) and XYZ.INTRANET, and FIM 2010 R2 (target server for PCNS to deliver pwd to XYZ forest).

  • An existing user changes password in source forest, event shows 2100 (means password forwarded to target server, i.e. FIM)
  • But the same user cannot log in using the same password.
  • If I delete the user in XYZ forest and try a password change, it works.

Now I have some 4000+ users in XYZ forest and all of them are facing the same problem.

How to resolve this issue?

Note: Using trial version and FIM stopped working, this happened after updating to licensed copy of FIM.

Group and user sync between forests


Hi, I have two scenarios to accomplish. I tried to do with scripts, but I am lost. We have FIM license and FIM seems to address these issues. I would like your help if these scenarios are possible.

I have 2 forests. FstA is primary and FstB is another site, they can communicate with each other through firewall. FstB trusts FstA (one way). I have two things to do.

1. I need to synchronize some security groups which are in a special OU from FstA to FstB. When a security group is created, modified or deleted from FstA, it must also happen in FstB.

2. Since FstB trusts FstA, I need to populate the membership of these groups which are in FstB, with the users of FstA. To be more clear:

FstA:
Group: FstA\Group1
Members: FstA\User1, FstA\User2

FstB:
Group: FstB\Group1
Members: FstA\User1, FstA\User2

When the membership changes in FstA, it must be mirrored to FstB.

I would like to learn if these two connected scenarios are doable with FIM 2010. If yes, what components will I need (sync service, FIM service, ADMA, portal?) and what ports do I need to open through the firewall? Also, is it enough to have the FIM server in FstA, or do I need to deploy some server or agent to FstB as well?

Any comment or even links to documentations appreciated.

Thanks,
Cetin






Are Binary Attributes Supported by FIM Reporting?


Can attributes marked as binary in the FIM Service (i.e. SID) be exported to the SCDW for Reporting? Although multi-value non-reference attributes are called out as non-supported in this doc http://technet.microsoft.com/en-us/library/jj133861(v=ws.10).aspx I don't see any mention of binary values.

When attempting to store in the datawarehouse as a string, I get the following error during the "Initial Sync" process in FIM after the Reporting schema is extended: Microsoft.EnterpriseManagement.Common.InvalidSimpleObjectValueException:
Simple object value was not the proper type.

When attempting to store in the datawarehouse as a binary, I get the following error during the "Initial Sync" process in FIM after the Reporting schema is extended: System.InvalidOperationException:
The given value is not a binary value.

I imagine extending the FIM Service schema and storing a copy of the attribute as a different type would be the work-around here if binary types are not supported.

Thanks!

-Ryan

Group Membership- Criteria-based + Manually managed


Hi,

I'm configuring my first FIM implementation, and I need to have AD Group membership have criteria-based members as well as manually managed members. I am aware that this can't be done directly on the Group in the Portal, but is there another way? I read somewhere that a Group can reference Set members, but I am not clear about the syntax, or how to go about doing this.

Thanks for the help!

Rob

Weird exchange error - Property RoleAssignmentPolicy can't be set


All,

We recently moved to Exchange 2010. Some users are still in 2007. We have an ADMA to do the new user provisioning in Exchange 2010 (settings in the configure extension property tab: default Exchange2010.dll). Provisioning of 2010 users works fine. But whenever an attribute needs to be updated for a 2007 user, I am getting ma-extension-error in the AD export errors.

In the event logs,

Property RoleAssignmentPolicy can't be set on this object because it requires the object to have version 0.10 (14.0.100.0) or later. The object's current version is 0.1 (8.0.535.0).

It looks like FIM is trying to set the role assignment policy for the 2007 users. Any workaround to solve this?

how we get custom attributes from Active Directory into CSV file


Hi scripting guys!

I've recently added some custom attributes to the AD schema: customAttribut1,...,18. I want to import users and their info from Active Directory and export them into a CSV file, and that would include those 18 custom attributes. In my PowerShell script, I've tried typing the attributes as they are written but it does not recognize them as valid parameters.

Any help would be appreciated.

Thanks,


Failure Installing FIM Server and Portal Language Pack on FIM Portal Server


I am installing the FIM 2010 R2 SP1 Service and Portal Language Pack for French in a new lab environment for my client.  The installation ran flawlessly on the FIM Service server in the lab, but will not install on the FIM Portal Server in the same environment.  The portal server is a Windows Server 2012 base server with SharePoint Foundation 2013 installed and configured and IIS installed, configured, and running.  I successfully installed the SharePoint Foundation 2013 Language Pack.  When I run the FIM French Language Pack installation (and I'm only installing the French language pack), the installation gets about 75-80% done, then rolls back.  The installation wizard then closes with a message that the FIM Service and Portal Language Pack installation ended prematurely.  There are no errors in the Windows logs.  Here is the error I found in the msiexec installation log:

<snip>

MSI (s) (E0:D0) [15:02:30:224]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI9F14.tmp, Entrypoint: CAQuietExec
CAQuietExec:  Microsoft.IdentityManagement.SolutionPackUtility.exe will deploy and/or retract the FIM solution packs. This operation may take long time in a SharePoint farm environment.
CAQuietExec:  Executing all administrative timer jobs in preparation for FIM solution pack deployment.
CAQuietExec:  An exception occurred while deploying/retracting FIM Portal solution packs. Exception : Exception has been thrown by the target of an invocation.
CAQuietExec:  Error 0xfffffff9: Command line returned an error.
CAQuietExec:  Error 0xfffffff9: CAQuietExec Failed
CustomAction InstallSolutionPackfrFR returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
06/10/2013 15:02:32.658 [2272]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 398
06/10/2013 15:02:32.658 [2272]: Detailed info about C:\Windows\assembly\tmp\PO1NYY89\Microsoft.IdentityManagement.CredentialManagement.Portal.Gates.resources.dll
06/10/2013 15:02:32.658 [2272]:  File attributes: 00000080
06/10/2013 15:02:32.674 [2272]:  Restart Manager Info: 1 entries
06/10/2013 15:02:32.674 [2272]:   App[0]: (2272) Windows Installer (msiserver), type = 3
06/10/2013 15:02:32.674 [2272]:  Security info:
06/10/2013 15:02:32.674 [2272]:   Owner: S-1-5-18
06/10/2013 15:02:32.674 [2272]:   Group: S-1-5-18
06/10/2013 15:02:32.674 [2272]:   DACL information: 4 entries:
06/10/2013 15:02:32.674 [2272]:   ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18
06/10/2013 15:02:32.674 [2272]:   ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544
06/10/2013 15:02:32.674 [2272]:   ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545
06/10/2013 15:02:32.674 [2272]:   ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1

Action ended 15:02:32: InstallFinalize. Return value 3.
MSI (s) (E0:48) [15:02:32:689]: Note: 1: 2265 2:  3: -2147287035
MSI (s) (E0:48) [15:02:32:689]: User policy value 'DisableRollback' is 0
MSI (s) (E0:48) [15:02:32:689]: Machine policy value 'DisableRollback' is 0
MSI (s) (E0:48) [15:02:32:689]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1120565328,LangId=1033,Platform=589824,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (E0:48) [15:02:32:689]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (E0:48) [15:02:32:689]: Executing op: DialogInfo(Type=1,Argument=Forefront Identity Manager Service and Portal LP)
MSI (s) (E0:48) [15:02:32:689]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])

<end snip>

Obviously, this is only a snippet of the log immediately before, after, and including, the error I received. I'm happy to add more log info if it is relevant.

Has anyone else seen this error?  Any ideas where to continue troubleshooting or what to look at so we can get the FIM French Language Pack installed on this server?  The ability to use the French language pack is make-or-break for my client because they have facilities in both the US and Canada and must meet Canadian requirements for language localization.

Any assistance with this issue is greatly appreciated.

Thank you.

--Ian Kahn

Provisioning Mail-Enabled User to Exchange Server 2010


Dear All,

I created custom galsync source code to create a mail-enabled user from the user forest (Exchange 2003) to the resource forest (Exchange 2010). The mail-enabled user object can be imported into FIM. However, when the FIM Server starts to export to the resource forest, there are the errors below:

There is an error in Exch2010Extension AfterExportEntryToCd() function when exporting an object with DN CN=SMokgele,OU=Users,OU=Windmill,OU=SIML Business Units,DC=corp,DC=simlds,DC=com.
Type: Microsoft.MetadirectoryServices.ExtensionException
Message:
**** ERROR ****
Property RoleAssignmentPolicy can’t be set on this object because it requires the object to have version 0.10 (14.0.100.0) or later. The object’s current version is 0.0 (6.5.6500.0).

**** END ERROR ***

What is this error about? I double checked the source code, I provided all mandatory attributes, but the errors still exist.

Please help.


Criteria based group membership xPath


Hi,

I want to create a group where the members are the ones who have the same value in Description as the Group has in Displayname.

Pseudo: Person where Description Eq Group Displayname

/Person[(DisplayName = '%ObjectID%/Displayname')]   <-- is not right, but can it even be done? Is %ObjectID% only available for RCDC or is it possible to use in Set / Group membership criteria?


/Frederik Leed

How could I disable MV rule extension ?


We restored the MIIS environment to a test environment.

If we try to uncheck "Enable metaverse extension rule", it says "There are object deletion rules defined with rule extension."


How could I disable MV rule extension ?


X path filter for getting all users under particular manager

What would be the xpath filter for getting all the users whose manager is a particular person? This particular person is the person who is currently logged in to FIM portal