Hello.

My company is currently on an assignment to add a new MA to an already running FIM 2010 (not R2) implementation.

First of all, we are writing a simple script to download some information from a HRM system and save it all as XML.

Then create a MA for that XML, and add a way to report back to the HRM systems with export from FIM 2010 (the client want the e-mail to be created in exchange). 

As we have never worked with FIM before, I was wondering what we have to be careful of when working with an already implemented solution (they have 6 different MA's right now, and we will add the 7th). Though our solution will only sync to one of the other MA's connector spaces (Admin AD). We have set up a test solution with FIM 2010, SQL server 2008 R2, AD, etc. But we can't copy all of they'r data from AD due to size and personal information that's stored there. So what test solutions would you guys recommend when we are testing the MA we are making? What hidden trap doors is there? We really don't want to end up doing something that will make their AD solution unusable. 

Kind regards, Kenneth.

Hello,

Can I perform the PCNS Schema Update (documented below) independently and outside of the PCNS install?  If so, how would this be done?

http://social.technet.microsoft.com/wiki/contents/articles/1597.troubleshooting-pcns.aspx

Thanks for your help! SdeDot

Hi,

I am aware of permissions and group memberships that are required for FIM Synchronization Service and FIM Service accounts. What I haven't been able to find is a minimum set of database role memberships both accounts should be given in their respective databases.

Currently, both accounts are having db_owner role membership and I am unsure what can happen if accounts will be running with only db_datareader, db_datawriter role memberships? Is there a reason they are running as db_owners?

Best regards,

P

I would like to see what other people who want to externally expose FIM 2010 R2 Password Registration are doing to achieve this scenario? The goal being a supported scenario where a user can register their security questions from a tablet or smart phone, library, coffee shop, or any where externally from the internet.

I have made a blog post about the solution I came up with, but it's less than ideal since I wanted this supported out of the box with FIM R2.

HI,

I am following (at least try to) on th ehow to from this Website http://www.harbar.net/articles/fimportal.aspx which is a great post. THANKS

Me as a rooky trying to follow this step by step post and failing already at the power Shell part. I believe I Need to copy your Information into the Editor and Change some Information that applies to my Network and then save the file as fim farmcreation.ps1
Correct?
I have tried to get to Change this Information to reflect my Network Settings but I always getting Errors when I run the script.
Please see my adapted script on the below where I would be very happy if someone could Review it and let me know about my errors?
My Network Settings are as following:
SQL Server=sql2-srv with a named instance FIMSP
FIM Server=fim1-srv
FIM Service=fim.service
FIMSPFarm=fimsp.service
FIMSPContent=fimsp.content

Many thanks,
Markus

asnp Microsoft.SharePoint.PowerShell

$databaseServer = "SQL2-SRV\FIMSP"
$configDatabase = "FIMSP_Config"
$adminContentDB = "FIMSP_Content_Admin"
$passphrase = "mypassword?"
$farmAccountName = "XY\fimsp.service"
$caUrl = "https://fimspca.XY.COM"
 
$farmAccount = Get-Credential $farmAccountName
$passphrase = (ConvertTo-SecureString $passphrase -AsPlainText -force)
 
Write-Host "Creating Configuration Database and Central Admin Content Database..."
New-SPConfigurationDatabase -DatabaseServer $databaseServer -DatabaseName $configDatabase `
     -AdministrationContentDatabaseName $adminContentDB `
     -Passphrase $passphrase -FarmCredentials $farmAccount
 
$spfarm = Get-SPFarm -ErrorAction SilentlyContinue -ErrorVariable
err        
if ($spfarm -eq $null -or $err) {
   throw "Unable to verify farm creation."
}

Write-Host "ACLing SharePoint Resources..."
Initialize-SPResourceSecurity
Write-Host "Installing Services ..."
Install-SPService  
Write-Host "Installing Features..."
Install-SPFeature -AllExistingFeatures

Write-Host "Creating Central Administration..."             
New-SPCentralAdministration -Port 443 -WindowsAuthProvider NTLM
Write-Host "Fixing CA IIS binding..."
Set-SPCentralAdministration -Port 443 -Confirm:$false
Write-Host "Fixing Internal URL..."
Set-SPAlternateURL -Identity "https://$env:fim1-srv" -Url $caUrl

Write-Host "Installing Help..."
Install-SPHelpCollection -All       
Write-Host "Installing Application Content..."
Install-SPApplicationContent

Write-Host "Farm Creation Done!"

AdminIT

Hi All,

I'm very new to the FIM world, so please pardon this newbie question :)

Are there any examples for FIM management agents which can provision users to Lync by reading them from AD? I know there are a few examples using PowerShell, but I would like to know if it is possible using VB or C#? Basically I want to write the extension without relying on external scripts (ideally)

As a backup plan (i.e. using powershell), I read this forum http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/39724bcb-8d1d-447e-8cd2-77624d6a4476 but I'm not sure how to call powershell cmdlets from my extension. Is it a simple case of calling powershell scripts from C# code which will do the provisioning, or is there a way to use powershell cmdlets directly in C#?

Thanks

Opper....

We have a set called Super Admins. I want this set to add as member of FIM "Administrators" set.

• Is it feasible?.
• I added "Super Admins" set as manually managed member of FIM "Administrators" set but its not giving the desired result.

When users transistion out of a temporal set (last working day), I would like to deprov them.What is the correct date criteria?

Fo eg, if the end date is 6/11/2013, I want to deprov during the temportal job run @ 1am on 6/12/2013.

enddate after today or enddate after 1 day ago?

Can i Use IE 10 in Windows xp sp3? I've Problems with ie 6, 7, 8 respectively.

1. I can't Uninstall them,
2. I can't Find the Uninstaller in Add or Remove Programs,
3. I can't find out the ie8, ie7's uninstallers in windows directory,
4. I've installed sp3 my pc before installing the IE later versions,
5. Can i run the IE10

Is any prevention there to solve these Problems? 

Should FIM be updated independently of SharePoint 2010 or should all FIM updates be handled through the SharePoint Cummulative Updates ?

Dean MCTS-SQL 2005 Business Intelligence, SharePoint 2010, Configuration

Hi,

I have MIIS 2003 running on my production environment.

Now in my development environment i have a FIM 2010 installed with two agents and the same extensions (code) used in production environment. The two agents are an agent for a RH database and an agent for Active directory.

But now in my development environment i have a difference from production, all my AD accounts already exists. I run the first import of the AD Agent and it creates all the CSEntries in the conector space of the agent. But when i run the full import and synchronize of the RH database agent (this agent is configured for provisioning) it creates the MV entry but it says the object already exists in the conector space (AD agent) with the following error:

"Microsoft.MetadirectoryServices.ObjectAlreadyExistsException: An object with DN "CN=xxx,OU=yyy..." already exists in the managemet agent "Contoso.PT AD Agent"

I use the following piece of code for provisioning:

    Connected_AD_MA = mventry.ConnectedMAs["Contoso.PT AD Agent"];

    ParentContainer = mventry["userOU"].Value;
    rdn= "CN=" + mventry["login"].Value;
    DN = Connected_AD_MA.EscapeDNComponent(rdn).Concat(ParentContainer);

    
    //The first connector to be built
    if(Connected_AD_MA.Connectors.Count == 0)
    { 
     //Account provisioning in AD

     ConSpaceEntry = Connected_AD_MA.Connectors.StartNewConnector("user");
     ConSpaceEntry.DN = DN;
     SetUserAccountSettings(ConSpaceEntry, mventry, Connected_AD_MA);
     ConSpaceEntry.CommitNewConnector();
    }

I thought .startnewconnector just link the mv entry with the csentry but did not create the cs entry itself.

Do u have any ideas how i can solve this problem in this first import where the objects already exists in AD and what comes from the RH database is mandatory so the provisioning code has to be runed?

TIA.

Filipe Clemente

Hey FIM Expert – Wondering if you guys have seen this issue before or came across this.

My issues is that I cannot seem to start both of the “ Services” for Forefront Identity Manager Synchronization Service & Forefront Identity Manager Services.

We have rebooted many times and re-enter the account password as well, this is the error that we're getting:

Error:

The Forefront Identity Manager Synchronization Service service terminated with service-specific error %%-2146234334.

Many thanks,

Hi,

I am writing my own Extension project to provision users to Lync.

At the moment, I'm only testing out the import functionality. However, everytime I do a full import, I get an invalid-attribute-value on DistinguishedName. The value being passed is a proper DN ("CN=Joe Bloggs,OU=LyncUsers,DC=testlab,DC=com"), and I even tried passing a dummy string "foo", but I always get the same error.

In the Import code, I set the DN correctly as far as I can tell:

public GetImportEntriesResults GetImportEntries(GetImportEntriesRunStep importRunStep)
        {
            GetImportEntriesResults importReturnInfo;
            List<CSEntryChange> csentries = new List<CSEntryChange>();

            InitialSessionState initial = InitialSessionState.CreateDefault();
            initial.ImportPSModule(new string[] { "C:\\Program Files\\Common Files\\Microsoft Lync Server 2010\\Modules\\Lync\\Lync.psd1" });
            Runspace runspace = RunspaceFactory.CreateRunspace(initial);
            runspace.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = runspace;

            // get-csaduser -filter {Enabled =eq $True -and SipAddress -ne $Null}
            ps.Commands.AddCommand("Get-csaduser");
            ps.Commands.AddCommand("where-object");
            ScriptBlock filter = ScriptBlock.Create("$_.Enabled -eq $True -and $_.SipAddress -ne $Null");
            ps.AddParameter("FilterScript", filter);

            foreach (PSObject result in ps.Invoke())
            {
                string myDN = string.Format("CN={0},OU=LyncUsers,DC=testlab,DC=com",result.Members["displayName"].Value);
                CSEntryChange csentry1 = CSEntryChange.Create();
                csentry1.ObjectModificationType = ObjectModificationType.Add;
                csentry1.ObjectType = "user";
                csentry1.DN = myDN;

                csentry1.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("firstName", result.Members["firstName"].Value));
                csentry1.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("LastName", result.Members["lastName"].Value));
                csentry1.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("EmployeeID", result.Members["employeeID"].Value);
                csentry1.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("accountName", result.Members["samAccountName"].Value));
                csentry1.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("SipAddress", result.Members["SipAddress"].Value));
                csentry1.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("ID", "testlab\\" + result.Members["samAccountName"].Value));
                csentry1.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("Domain", "testlab"));
                csentries.Add(csentry1);
            }
            importReturnInfo = new GetImportEntriesResults();
            importReturnInfo.MoreToImport = false;
            importReturnInfo.CSEntries = csentries;
            return importReturnInfo;
        }

Any idea why I'm getting this error repeatedly?

Thanks in advance

Hello,

I have a web service, wich returns the user and it's related roles:

 [DataContract]

   publicclassSAP_AD_User

   {

       [DataMember]

       publicInt32 UserId {get;set; }

       [DataMember]

       publicstring EmployeeNumber {get;set; }

       [DataMember]

       publicstring FirstName {get;set; }

       [DataMember]

       publicstring LastName {get;set; }

       [DataMember]

       publicstring FullName {get;set; }

       [DataMember]

       publicstring UserName {get;set; }

       [DataMember]

       publicstring JobTitle {get;set; }

       [DataMember]

       publicstring Company {get;set; }

       [DataMember]

       publicIEnumerable<RoleID> SAPUserRoles { get;set; }

   }

   [DataContract]

   publicclassRoleID

   {

       [DataMember]

       publicstring FIMRoleId {get;set; }

   }

I have defined two attributes: User (with refSAPUserRoles Multi-Valued attribute of Reference type) and Role (with RoleId of String type), I've also designed the Full Import workflow for webservice MA. But how to assign a value to this multi-valued attribute in CreateValueChange element?

Hello,

I‘ve been using the workflow from here: http://www.wapshere.com/missmiis/generate-unique-attribute-activity to generate unique accountName. Everything seems to work, except, it‘s not using one thread. That is – while for the first user it is calling the enumerateResourceActivity, then for the second user it starts another workflow (even if for the first user workflow is not finished). And when for the second user the search for unique values is made in the portal, the changes for the first one (generated unique accountName) may still not be submitted, so the same accountName will be generated for the second user.

What changes should I make to the workflow to force to start the workflow for the next user only when the workflow is finished for the current one?

I've tried to put the whole workflow in synchronizationScopeActivity, but after changes my workflow is not loaded at all.

Hi,

How can I enable delta imports in my ECMA?

I've added the flag to my capabilities, but when I connect to the DLL the MA doesn't recognize delta import capability, and neither does it let me create a delta import profile. Here's my capabilities code:

public MACapabilities Capabilities
        {
            get
            {
                MACapabilities myCapabilities = new MACapabilities();
                myCapabilities.ExportType = MAExportType.AttributeUpdate;
                myCapabilities.ConcurrentOperation = true;
                myCapabilities.ObjectRename = false;
                myCapabilities.DeleteAddAsReplace = true;
                myCapabilities.DeltaImport = true; // Enable delta imports?
                myCapabilities.DistinguishedNameStyle = MADistinguishedNameStyle.None;
                myCapabilities.NoReferenceValuesInFirstExport = false;
                myCapabilities.Normalizations = MANormalizations.None;
                return myCapabilities;
            }
        }

On the same topic, the logic I had in mind for handling delta imports would be to get a list of all the objects in the relevant external system and then iterate over each CSEntry object in the connector space to see if the object already exists (by comparing the anchor attribute). If it exists, skip it otherwise create a new CSEntry object. It still seems like a lot of work, specially to iterate through all the existing objects in both the external system and in the connector space, so is there any quicker way to do a delta import?

Thanks a lot, and sorry for being a pest on your forums lately :)

Hi,

How can I enable delta imports in my ECMA?

I've added the flag to my capabilities, but when I connect to the DLL the MA doesn't recognize delta import capability, and neither does it let me create a delta import profile. Here's my capabilities code:

public MACapabilities Capabilities
        {
            get
            {
                MACapabilities myCapabilities = new MACapabilities();
                myCapabilities.ExportType = MAExportType.AttributeUpdate;
                myCapabilities.ConcurrentOperation = true;
                myCapabilities.ObjectRename = false;
                myCapabilities.DeleteAddAsReplace = true;
                myCapabilities.DeltaImport = true; // Enable delta imports?
                myCapabilities.DistinguishedNameStyle = MADistinguishedNameStyle.None;
                myCapabilities.NoReferenceValuesInFirstExport = false;
                myCapabilities.Normalizations = MANormalizations.None;
                return myCapabilities;
            }
        }

On the same topic, the logic I had in mind for handling delta imports would be to get a list of all the objects in the relevant external system and then iterate over each CSEntry object in the connector space to see if the object already exists (by comparing the anchor attribute). If it exists, skip it otherwise create a new CSEntry object. It still seems like a lot of work, specially to iterate through all the existing objects in both the external system and in the connector space, so is there any quicker way to do a delta import?

Thanks a lot, and sorry for being a pest on your forums lately :)

Hi,

I reviewed the following document and I want to confirm my scenario as it relates to a FIM.  I inherited a FIM RTM system which was subsequently upgraded to 4.0.3617.2.  If I understand this document correctly, then we need to uninstall FIM Sync, preserve the database and then install R2 and subsequent patches?  Did I read that correct?!

Cheers!