Channel: Forum Microsoft Identity Manager

FIM 2010 GAL Synchronization

Hello, how are you?

I have the following scenario:

First Organization:

1 Exchange 2013 SP1
2 Active Directory 2012 R2

Second Organization:
1 Exchange 2010 SP2
2 Active Directory 2008 R2

My goal is to implement FIM to create a GAL between the two organizations.
My questions are:
1 FIM 2010 R2 license required? I only intend to use FIM synchronization.
2 How do I make the settings and domains are completely different and there is some internal link?
a. I need to publish a service?

Stay tuned to your answer.

Implementing Delta Import in a custom (ECMA2) management agent


I'm implementing a custom management agent, and I was wondering what I'm actually supposed to return during a Delta Import operation.

Am I supposed to return:

1) All the changes that were performed on the connected system since the previous import operation, including those coming from exports

or

2) Only the changes that happened in the connected system independently of the export operations that were performed?

An example: suppose that in the connected system I have users A and B.
We run a full import.
After that, the displayName of A is changed in FIM, and consequently A is modified during an export.
B is not modified in FIM, but a system attribute which I'm importing changes in the connected system.
At the next delta import, should my MA return only B or both A and B?

This is an ECMA2 MA, but I think the principle should be the same for ECMA1.

Thanks,
Paolo


Paolo Tedesco - http://cern.ch/idm

Handling blank values in reference workflows


Hi,

I have a site de-referencing workflow which holds various attributes such as siteName, address1, address2, etc. and I'm mapping these attributes on to custom FIM user attributes. I have a drop-down control that allows users to pick their site and updates the user site information by using an MPR with a dereferencing workflow, i.e.

[//Target/SiteAddress2/]

[//Target/siteReference/SiteAddress2]

This works fine as long as the attribute in my reference object (i.e. SiteAddress2 in this case) is populated. If I have a blank or null value in the target attribute then the end user attribute is not updated. The problem occurs when a user changes their site location from A to B - there are instances where the old site information is left intact and not cleared.

Is there a way I can get FIM to update the end user custom attribute regardless of whether the underlying site attribute is null or blank?

All help is appreciated 

MPR design question - how to grant rights to only a given set of users to add other users to groups


Hi,

I have a scenario where I'm implementing a feature where users can request membership to owner approval groups. This is all good, no issues. However, another feature that is requested is that Assistants can request membership on behalf of other users too.

This poses a bit of an MPR related challenge. The attribute in question is "ExplicitMember", and since every user should have the right to request group membership, I made an MPR which grants all users the right to request group membership (by being able to add to multivalued attribute "ExplicitMember"). However, this also means that every user can request membership on behalf of any other user too, and I need to restrict just this feature to be available for Assistants. I can create a set of Assistants but I'm not sure how the MPRs would look to allow this feature.

Any ideas?

Thanks

Domain is not getting synchronized in office 365 through Windows Azure Active Directory Connector


Hi Everyone,

I am synchronizing on-premises AD users to Office 365 through the FIM Windows Azure Active Directory Connector, and my on-premises domain is not getting synchronized into Office 365.

For example, my domain in on-premises AD is abc.efg.com, but when I synchronize the user into Office 365 it comes through as abc.onmicrosoft.com. I want abc.efg.com in Office 365, and I have also registered this domain, i.e. abc.efg.com, in Office 365, but I am still not able to synchronize this domain.

When I checked the Synchronization Server, in the attributes of the Office 365 connector I could see the UPN value is correct, but when I check in Office 365 the UPN shows a different value.

Can anyone please provide me any steps by which I can fix this issue?

Thanks,

Aman Khanna 

how to show register attribute value in my register users report in FIM 2010 R2


Hi,

How to show register attribute value in my register users report in FIM 2010 R2?

Please suggest on this.

Regards

Anil Kumar


Lync Persistent Chat provisioning

I was wondering, has anyone configured FIM to do some automation on the Lync Persistent Chat feature? I'm talking about adding users to Creators (the room creators) or Managers (managers of the room) through FIM. How about automated chat room creation?

RCDC page is empty


Hi,

I am logged in as the only FIM Portal Administrator...I have created MPRs, Sets, Workflows, Sync Rules, extended the Schema, etc. so I definitely am Admin ;)

However, when I click the RCDC link, there are no entries whatsoever...it's completely empty (I clicked 'Search').

Is there some MPR that controls RCDC access? I don't ever recall having to enable one.

And I have restarted the FIM server & FIM Service.

Thanks,

SK



Completed-Transient-Object and FIM powershell module

Hi,
I'm writing a script to check and fix errors during FIM DirSync.
One case I'm trying to manage is error reporting "completed-transient-object".
I've downloaded the FIM PowerShell module from https://fimpowershellmodule.codeplex.com/ and using these cmdlets I'm able to retrieve all the information I need on management agents etc...
Has anyone used this module to parse this kind of error?
How can I search for transient objects in the connector space using PowerShell?
FIM 2010 on Windows 2008 R2.
Thanks !

FIM -IIF Custom Expression


Hi,

How can I write a custom IIF expression where the value returned can be assigned to a "reference type attribute" for a user?

Ex-  IIF(Eq(abc,"123"),"accountname1","accountname2")--->  xyz

xyz-reference attribute.

abc- user's attribute used in IIF case

This is not working as the workflow gives the error "conversion failed when converting from a character string".

Regards


shakti

Domain Admin Group account for installing BHOLD Core

I was trying to install BHOLD Core on a test lab setup. Technet documentation says that to install BHOLD Core, you should login with an account which is a member of Domain Admin Group. Is this mandatory? If only Model Generator is required, should we still login with Domain Admin Group account? Can somebody clarify?

BHOLD Core Installation database errors


I am trying to create a test lab for BHOLD. I have followed the instructions in http://technet.microsoft.com/en-us/library/jj134095%28v=ws.10%29.aspx

No matter what options I try, I was unable to install BHold Core if I supply the db details when db is on a different server, the installation would fail.

Error -2147217843: Installation failed to create the database B1.

Could someone help?

Thanks

Kris

Azure AD MA does not import "mobile" ("MobilePhone") attribute


Hi,

I am trying to import MobilePhone (or "mobile") attribute from Azure AD into FIM. It does not work. My current setup is up-to-date DirSync with /fullSQL. Although the attribute is included in the attribute set in the Azure MA configuration (the "Select Attributes" page), its value is also present on the AAD object itself, the value is not ever imported into Azure MA CS. Why?

I have also tried to define some import attribute flow to persuade it, but no chance.

Thanks!

ondrej.

FIM Capacity Planning - SSPR


Hello,

I've run through the MS guide for FIM 2010 capacity planning (http://technet.microsoft.com/en-us/library/ff400279(v=ws.10).aspx), but it doesn't really cover my situation.

I have a unique setup in a hosted environment:

 - AD accounts are provisioned by an input file (CSV). FIM is currently purely being used to provision accounts in a hosted environment.
 - The FIM portal and Synchronisation service has been installed, but users do not use the portal.
 - Declarative synchronisation rules are being used.
 - I'm happy with the current performance, an AD export and delta import for my domain with around 8,000 user accounts takes 90 seconds.

Currently a single server with FIM 2010 R2 is hosting the portal, sync engine and SQL DBs (all on one server) with the following spec:
- Windows 2008 R2, x64, 2 vCPUs (2 x Intel Xeon 2560 2GHz), 4 GB RAM, 3 logical disks (split over  RAID 1 15K SAS disks)

I need to now enable SSPR functionality and only expose the password reset portal (I'll use a script to programmatically register users so the registration site is not needed).

I currently have a spare server with the following specs:
 - Dual Core Intel Xeon (2 x 1.8 GHz ES 2650)
 - 2 x 15K SAS Disks in a RAID 1
 - 8 GB RAM

I suspect this will meet my requirements for the SSPR server, however other than building the system and in depth testing I don't know. In addition, I'm not sure how the extra load will impact upon my FIM server, whilst I can freely add additional memory and CPUs, increasing disk speed is a lot harder.

I'd be interested to hear from others on their current sizing profiles, especially if someone has a similar environment to myself. I'm really trying to make sure the system will be able to handle 1,000 performing password resets simultaneously.

Thank you in advance 


IT Support/Everything

BHOLD Core login


Hi,

I am setting up a test lab for BHOLD Core and was able to install BHOLD Core and BHOLD Model Generator modules with local admin rights but was not able to start the service. As far as my requirement goes, I just need to run Model Generator. I have tried several options but was able to open BHOLD Core or BHOLD Model Generator home page only when I login with the account that I used for installing the modules. Is this the expected behavior?

If I use any other account, it gives an error message:

Access to BHOLD is refused for the following reason(s):

  • Username unknown

How do I provide access to other users? Did anyone face this before?

anticipating a response.

Thanks 

Kris

 


What is the best strategy using the FIM cmdlets to list all Criteria-based security groups that have NO members?


I want to create a list of criteria-based Security Groups (membership locked) that have no members that match the criteria by using the FIM cmdlets.

I can get a list of these Groups easily enough with a customConfig filter, but how can I then grab the list of user objects generated when I push the "View Members" button on the Portal form, from within PowerShell?

FIM 2010 can provide user authentication?


Hi

Can FIM 2010 be used to provide authentication to a 3rd party application developed, for example, in .NET?

These are the steps the application must accomplish:

1. User provides his username and his password on login page.

2. .NET app calls FIM 2010 and validates the user and password with the user information created in a previous synchronization with AD.

Thanks 


Password Reset Regex


Has anyone else run into this scenario?  I have implemented SSPR with PCNS to sync passwords from AD to other downstream systems.  This works like a charm but we have run into occasional problems where special characters that are accepted by the AD password policy, and validated by the FIM password reset portal, throw errors at the target system when invoked by PCNS into FIM Sync.

We won't be able to modify the AD password policy to stop users from including the problem special characters.  One thought is to put a regex on the main password reset portal page and just handle this in the UI.  I did not see anything about this in the MS password portal customization document.

Before I go too far down this road, I wanted to see how others have handled this.

Thanks,

Scott

 

If this post has been useful please click the green arrow to the left or click Propose as answer

FIM 2010 R2: 2 Questions about Exchange 2013 and Windows Azure AD PW Sync


Hi,

1. My first question is about Exchange 2013. It's about the account to send and receive status mails. I checked the value in "Microsoft.ResourceManagement.Service.exe.config". I have gone through this troubleshooting guide: http://technet.microsoft.com/en-us/library/18e87593-9728-4890-8765-dac5e5e36809(v=ws.10)#bkmk_Exchange . I am able to connect to the address of the EWS web page, also with the FIM Service account. I can open the OWA web address for the FIMService account. There is no certificate error when browsing to these sites. I can't find any information that FIM supports Exchange 2013, could that be the problem?

2. I read that it is not possible to sync the passwords to Azure AD with FIM. Is that true? Does anyone know if and when this functionality will appear?

Thanks a lot
Martin


www.sccmfaq.ch


DirSync login as email address


I am sure this question has been raised before but I have been unable to find a definitive guide...

Users internally log in as domain.local\joeb or joeb@domain.local; however, I wish to add a new suffix into AD, which I have done to match the email domain.

I then need users to be able to log in with their email address, which is firstname.lastname, so joe.bloggs@domain.com.

Can someone either give me some simple steps or point me to a full guide on the process?


***Don't forget to mark helpful or answer***
