Channel: Forum Microsoft Identity Manager

Installing Bhold Core on a named instance

Gentlemen,

I'm facing an extremely unexpected situation: I was able to install FIM Service and BHOLD Core on a database named instance. However, when I try to install the BHOLD FIM Integration, it seems like it's not able to connect to the database; it keeps throwing this exception in the log file:

The property 'SqlConnectionString' was found with value ''

Could the problem be that I'm installing on a named instance, not the default one? Are there any special configurations I should perform?

Majd


Sending Groups Back to their originating OU

I am setting up to export group changes back to AD.

My question is: Without defining an OU in the sync rule will group updates automatically go to the originating OU?
Since I have defined the containers to include in the ADMA I would assume this is kept somewhere in FIM or the MV.

Unfortunately, all instructions for setting up outbound group syncs point to the test FIMObjects OU and fail to answer this question.

Questions about FIM 2010...

My company has moved from NZ to the US and while in NZ they used FIM 2010 to synchronize AD with O365. Now that they're here, they'd like to replicate their FIM server in the US and I have been tasked with building the new server. I have a couple of questions first:

1. Is there a way to simply replicate the server from there to here? They're both VMs in a HyperV environment and they will be using different SQL servers.

2. If I have to build a new server, is there a way to export the configuration information from the old server to the new server?

3. Is installing an FIM Portal mandatory? And is it a separate server?

4. While we're on the subject, MS isn't very clear about the actual components involved with FIM 2010: how many separate servers do I need? Or can we just have one FIM server that connects to external SharePoint and SQL servers?

Thanks in advance.

FIM Users won't join

Hello

I have a basic FIM 2010R2 sp1 config (PCNS between two Forests). The config seems to work fine for all but one user. I'm matching on "mail" attribute and I've tagged that to the "Person/mail" attribute in the MV. The attribute is accurate.

When I run an import and then sync, the attribute for the particular user registers as expected from both external directories, but rather than join the directories on the mail attribute, it appears to leave them as "Projecting" and create unique entries for them in the MV. I've tried removing the MAs and recreating the users from scratch - and after all that it still does the same thing. I'm thinking that it might be erroneous data left in the db from all my testing.

Any ideas?

-a



ERE Not Applied

Hi Guys,

Getting some sync-rule-flow-provisioning-failed.

Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: An object with DN "CN=DEVAGENCYmailtestrmg" already exists in management agent "Exchange Mailbox Permissions Powershell MA".

So I run a sync with provisioning turned off and it successfully joined - however the ERE in FIM for that MA still has a 'Not Applied' state and even though the identity is now joined, when I turn provisioning back on it still tries to provision and gets the error.

Any ideas?

completing-referential-updates 0%

Hello,

When I try a Full Sync on the FIM MA it is stuck for more than 6 days and is giving completing-referential-updates 0% as in the below screenshot.

Any advice would be appreciated.


Mohamad Chahla


BHOLD RBAC: dependency on AD

I was going through the BHOLD introduction below and wondering if AD is a dependency for BHOLD for implementing RBAC (since it uses organizational units). My client has an existing AD where they maintain the users, and I am wondering if they need to create another OU to maintain roles.

Microsoft BHOLD Suite Concepts Guide
http://msdn.microsoft.com/en-us/library/jj134102(v=ws.10).aspx

Exchange issue

My FIM deployment is having a problem with exchanging emails and I get the following error logged in the event logs.

Microsoft.ResourceManagement.Service: System.ArgumentException: Invalid or NULL email address
   at Microsoft.ResourceManagement.Mail.Utilities.ValidateMailMessage(GenericMessage message, IMailServer mailServer)
   at Microsoft.ResourceManagement.Mail.NotificationMessage.Send(Int32 timeoutInMilliseconds)
   at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.SendMailMessage(MessageContent messageContent, Int32 timeoutInMilliseconds)
   at Microsoft.ResourceManagement.Workflow.Hosting.SendMailWorkItemProcessor.ProcessWorkItem(WorkItem workItem)

I got Exchange 2010. I logged in to each account (e.g. FIM Service account, FIM Admin account, test user accounts) using OWA and was able to send/receive emails w/o any issues; however, I do not see any emails in the service account mailbox, or for any users.

    <add key="mailServer" value="https://srv1.contoso.local/ews/exchange.asmx" />
    <add key="isExchange" value="1" />
    <add key="sendAsAddress" value="FimSvc@contoso.local" />
    <add key="synchronizationServerName" value="srv2.contoso.local" />

Any thoughts on what I should be looking into?

Thanks,
John


How to trigger a delta import flow on attribute that was just exported/imported

Can someone tell me a technique to trigger a delta import flow when I export an attribute and then do a confirming import on it? I'm only using the sync engine--no portal. For example, when I export an attribute to a data source, then do a confirming import, the change comes back into the connector space. But, I'm assuming that because the import was the same as the export, there's no delta created. But I want that value to then flow into the mv on a delta sync. But it doesn't. I'm wondering what method people use to force this to happen so that a full sync is not necessary. Obviously it does flow into the mv when I do (or preview) a full sync. Thanks.

FIM 2010 GAL Synchronization Permissions Required

Hello friends.

I have the following scenario

An organization that has:
1 Server 2012 R2 Active Directory
1 Server with Exchange 2013 Sp1
1 Server with FIM Server 2010 R2 Sp1

Second Organization
1 Exchange Server 2010
1 Server 2008 R2 Active Directory

I'm currently setting FIM Server 2010 to create a GAL between the two organizations.

The two organizations have two OUs.

Forest1

            Accounts (all users)
            GalSync
Forest2
            Accounts (all users)
            GalSync

By organization policy, we should not create users with domain admin permissions in forest 2.

  1. My question is, what permissions do I need in forest 2 in order to export data from the users OU "Accounts (all users)" so that it can be imported into Forest 1 in the OU "GalSync"?
  2. My goal is to synchronise contacts between the forests without domain administrator permissions in each.
  3. I read that it is possible to delegate full permissions on the OU "Accounts (all users)"; I wonder if there is any permission that only allows exporting the data.
  4. On the OU "GalSync", I understand that if I have full permissions I can read/write all contacts.

I welcome your comments.


Can Declarative and Classic provisioning coexist?

How do I use both classic and declarative provisioning together? If I just throw an EntryPointNotImplementedException exception from the IMVSynchronization.Provision method for the MAs that I want to use a Sync Rule to provision? Or will both of them be triggered?

Is there a BHOLD demo or training available anywhere for free or paid?

Is there a BHOLD demo or training available anywhere for free or paid?

Thanks!
John

Sync Rule ERE for exporting users to a SQL MA is marked as "Not applied"

I am able to bring in users from a SQL DB using SQL MA, but I am not able to export to the DB. When I see the user object in sync service, I see an ERE for the sync rule marked as "Not Applied". There is no error or any log indicating why it was not applied. Any suggestions?

Active Directory

Hi Team,

I have a few queries, mentioned below. Kindly share your suggestions.

1) How can we make sure that time is getting synchronized properly in the AD infrastructure, and how do we monitor this?

2) Is there any way to find which attribute of an object got changed recently?

Regards

Sajin P S

Alternate Access Mapping Blank Page

We have a FIM 2010 R2 sp1 environment set up which works. We need to publish the user portal using a different URL than the server names. However, I have gone through all of the steps to create the alternate access mapping including the SPNs and delegations. We are currently forcing Kerberos for the portal and it works on both servers which host it using their server names. The issue is when users go to the new URL the authentication box appears for them three times then just a blank page is displayed. Since I have verified that the SPNs and delegations are set up just as they are for the actual server names and I have added the AAM in the SharePoint admin portal, I'm not sure why it is doing this. Any help would be greatly appreciated.


FIMMA FS getting stuck - sql profiler

FIMMA FS takes 3 hrs to complete and for the past few weeks, it is getting stuck. It has been a few weeks since we had a full sync complete. I would like to run sql profiler to see what's causing that issue. Could you please tell me the steps on how to run it and check on the FIMMA FS?

FIM 2010 R2: Creating Security Groups in portal : OU

Hi,

We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD, so is there a way to assign the OU in the portal?

Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN?

Or perhaps someone has tried some other ideas for this scenario?

Thanks

Why are sets not enough for role management?

Why are sets not enough for role management? Trying to understand when exactly to recommend the BHOLD component to the clients.

Thanks,
John

Metaverse not updating for some users via FIM.

I have users on-prem Exchange 2013 which are not getting updated in Azure AD. Looking at users in FIM shows they are not getting updated in Metaverse. I am getting two errors:

1) Unable to update this object in Windows Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services.

2) Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses smtp:21060@twdc.mail.onmicrosoft.com;].  Correct or remove the duplicate values in your local directory. ---- Have done this but it is not syncing via FIM write-back.


Group deletion after Inbound sync rule

Help please...

If one had:

1. Set up an inbound sync rule for groups and imported a group for testing purposes.

2. Found that their sync rule had issues but the group exists in the FIM environment, 
    then deleted that group through the SharePoint interface to start over again.

4. After they got the inbound rule working correctly and reimported the group and
    then they setup the outbound sync rules and ran their adma and fimma run Profiles,

 Would that group be deleted from AD on the next Sync service runs?

thx
