Channel: Forum Microsoft Identity Manager

MPR behavior with changing sets


Hello!

Can somebody explain some MPR logics?

I have MPR (Transition In) + Workflow for AD provisioning users. They are using sync rule with Initial flow for password generation for users and emails to manager with account information. I’m using a set with static defined user set (with employeeID numbers)

 

As I understand if I make “Disable” and “Enable” at MPR I will get reapplied MPR, right? Moreover, all my users will receive new passwords and managers will receive emails. This is not acceptable, because system is going to production.

I need to change my test static set to “All People” production set, how can it be safely done? Thanks!




MIM 2016 SP1 and FIM 2010 Granfeldt Workflow Activity Library - Couldn't compile Compile Error: CS2032 in Ln 0 Col 0-Character


So, we are running a C# code with MIM 2016 SP1 using FIM 2010 Granfeldt Workflow Activity Library.

The code itself should work because it works with FIM 2010 R2 and also FIM 2010 R2 updated to MIM 2016 (not SP1).

Are there any known compatibility issues between MIM 2016 SP1 and FIM 2010 Granfeldt Workflow Activity Library?

See the error messages:

PostProcessingError:
Couldn't compile Compile Error: CS2032 in Ln 0 Col 0-Character '

Event Viewer:
System.Exception: Couldn't compile
Compile Error: CS2032 in Ln 0 Col 0-Character '

   at Granfeldt.FIM.ActivityLibrary.CodeRunActivity.CompileCode_ExecuteCode(Object sender, EventArgs e)
   at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)
   at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()



Group Creation RCDC change - Lost Membership Type Radio Buttons


Hello,

I was attempting to add a basic text box, bound to an attribute I've mapped to the Group objects ("groupType"), to the group creation RCDC.  All I did was copy the existing Description control, paste that under the Description control and change the "description" values in the new control node to my new attribute "groupType".  But, when I imported the new RCDC, my new control showed up in the RCDC, like I expected, but the MembershipType control disappeared. I went back to the original RCDC (I exported and saved it off before I started changing it).  My "groupType" attribute is gone, as I expected, but so is the MembershipType control. So, I'm stuck. I don't know what to do to get those three radio buttons back. I've restarted IIS, rebooted the MIM server, and still no membership type control on the RCDC.

Any ideas?

Greg

Physical to Virtual Migration of FIM server


Hi,

I have a FIM physical server that is going to migrate soon.

May I know what all things need to be taken care of before and after migration?

Any help is much appreciated.

stopped-extension-dll-exception


Dear All,

When I am trying to run Export Profile, I am getting stopped-extension-dll-exception status.


Accounts are being created as Disabled in Active Directory even with 512 in user control account value


Hi All,

Greetings! I have been facing this issue for the last three days. All of my accounts that are being provisioned from MIM to Active Directory are created as disabled accounts in Active Directory, even though I am passing 512 to the UserControlAccount attribute.

Below are the stats of AD MA Export for one record. Now when I see in AD, this account is marked as disabled.

Kindly help me and guide me in this regard.




F.

exporting null value to AD Accountexpires


Dear All,

I am trying to delete the existing accountexpires value using the following C# script, but no luck.

long iFileTime = 9223372036854775807;
if (mventry["employeeEndDate"].ToString() != null)
{
    DateTime dtFileTime = DateTime.ParseExact(mventry["employeeEndDate"].Value, "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'", provider);

    csentry["accountExpires"].IntegerValue = dtFileTime.ToFileTimeUtc();
}
else
{
    csentry["accountExpires"].IntegerValue = iFileTime;
}

Need Your Help!

Thanks,

Shashidhar

Who will be announced as the next FIM Guru? Read more about May 2018 competition!!


What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in May 2018 and must be in English. However, the original blog or forum content can be from before May 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from Kamlesh Kumar.

Thanks in advance!
Ninja Kamlesh Kumar, TechNet Wiki Council


Who will be announced as the next FIM Guru? Read more about July 2018 competition!!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in July 2018 and must be in English. However, the original blog or forum content can be from before July 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from Vimal Kalathil.

Thanks in advance!
Ninja Kamlesh Kumar, TechNet Wiki Council


Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


MIM 2016 portal installation error under SharePoint 2013 and SQL 2016


I'm trying to deploy MIM 2016 in a test environment. I have deployed Sharepoint 2013 SP1 and SQL 2016 Enterprise. Trying to install MIM Service and Portal but I'm getting error "the feature you have selected have the following prerequisites. Refer to the installation guide for more information. Please update your machine and retry the installation. -Sharepoint"

Can anyone help me out?

Changing HRDB Table


Dear Team,

For testing purposes we have created SQLMA with Test Table. Now we would like to change it to production SQL view.

How to change and does it affect SQLMA?

Thanks,

Shashidhar

failed-modification-via-web-services


Hi there,

I've read the threads on this but still need help.

I'm setting up MIM 2016 SP1 (which is absolutely not my forte) and have run into this problem when running the Export on the MIM MA.

It seems to be the one detailed in https://social.technet.microsoft.com/wiki/contents/articles/17242.fim-troubleshooting-failed-creation-via-web-services-invalidrepresentationexception-valueviolatesuniqueness.aspx, which suggests creating an Import Attrib Flow for domain --> domain but I can't see how to do that... I don't get the option under Mgmt Agent/Properties/Configure Attribute Flow.

The MIM server was set up according to the instructions at 

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-deploy

Full text of the error is below. Thanks in advance for any assistance.

Fault Reason: The endpoint could not dispatch the request.\r\n\r\nFault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Exception: Other 
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---&gt; System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain' expects parameter '@domainName', which was not supplied.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope)
   at Microsoft.ResourceManagement.Data.DataAccess.GetDomainConfigurationIdentifiersFromDomain(String domainName)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.AddDomainConfigurationFromDomain(CreateRequestParameter domainNameParameter, RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.DomainConfigurationActionProcessor.DoRequestCreationPreProcessByAttribute(RequestType request)
   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.DoRequestCreationPreProcessByAttribute(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)
   --- End of inner exception stack trace ---</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource><AdditionalTextDetails>Request could not be dispatched.</AdditionalTextDetails></DispatchRequestAdministratorDetails><CorrelationId>d70ac3fc-6a00-4c6d-b369-e481bebab642</CorrelationId></DispatchRequestFailures>

AD Sync Error (does not have a parent object in management agent or already exists in management agent)


Hi All,

I got stuck in a situation and will be really thankful if anyone could get me out of this. I am facing issues while syncing records to Active Directory.

I have a FIMMA and an outbound ADMA. When I run Full sync for FIMMA, without running full import of Outbound ADMA, I get this error for ADMA sync rule:

Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: Object "CN=ahmad.sohail,OU=Xnrel,OU=Active Xnrel Employees,OU=Entire xnrel,DC=xnrel,DC=com" does not have a parent object in management agent "Xnrel Outbound ADMA".

But if I first run Full Import of Outbound ADMA then run full sync of FIMMA, then outbound ADMA sync rule get applied on new records but for existing records, it gave me this error below: 

Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: An object with DN "CN=ahmad.sohail,OU=Xnrel,OU=Active Xnrel Employees,OU=Entire xnrel,DC=xnrel,DC=com" already exists in management agent "Xnrel Outbound ADMA"

So kindly help/guide me for this scenario. 

Thanks


F.

AADConnect password sync direction


Hi,

Does AADConnect support bi-directional password sync (so from on-prem to Azure cloud and vice versa)?

So if I change my password on-prem, AADConnect syncs the pwd to my Azure account?

And if I change my password in Azure, AADConnect syncs the pwd back to my on-prem account?

Assume that AADConnect is already setup and synchronising my on-prem identities with Azure.

Cheers & Thanks

SK

MIM 2016 SP1 Lab Install Issues - Synchronization Service


Following the below article in a hyper-v lab.

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-deploy

Lab Setup

2 x Windows Server 2016 VM's consisting of 

1 x Domain Controller hosting AD

1 x Member Server hosting SQL 2017, SharePoint 2016

I get to the point where I now want to install MIM Synchronization Service

https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync

The install goes through successfully except I get an error saving the Sync Service Key

*****

“The Forefront Identity Manager Synchronization Service setup wizard was unable to back up the key set. <hr=0x80131600>

*****

I try and launch the MIM Synchronization Service and I get an error saying

I checked the service and it isn't started so I try and start it manually and I get the below

In the Windows System log I get the below error

I have followed the deployment guide with the exception of installing SQL Server 2017 instead of 2016. Does anyone have any steer on where I'm going wrong here? any guidance would be appreciated!


Deprovisioning stopped

MIM - HR MA deprovisioning is set to 'Make them disconnectors'.  It is connecting to a SQL view and is updating and creating accounts, but is not deprovisioning those not in the view. AD MA is using a rules extension file which disables and moves them to disabled OU. Was working correctly then stopped. Had made change to the rules extension file that creates the account name and now accounts are being created in the new format, but those not in the view are not being disabled. No changes to the rules extension for deprovisioning. Set the previous version of the rules extension file which creates account name back and still no account disables. 

Error refreshing directory partitions


We've made some changes to our forest, removing some child domains and adding others. When I try to refresh the partitions on the AD MA, I get: "An error was encountered while refreshing domains: Unable to cast object of type 'System.Collections.ArrayList' to type 'Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject'.

I'm on Version 4.4.1749.0 of the Synchronization Service Manager, running on Server 2012 R2.

More information:

If I futz around with this, I can get the new partitions to show up, but when I try to add them, I get the error: Unable to update the management agent. Exception from HRESULT: 0X80230405

Event Log contains ID 6309:

The server encountered an unexpected error while performing an operation for a management agent.
 
 "BAIL: MMS(5996): ..\cdext.cpp(559): 0x80070057 (The parameter is incorrect.)
BAIL: MMS(5996): ..\xstack.cpp(538): 0x80070057 (The parameter is incorrect.)
BAIL: MMS(5996): ..\xparse.cpp(542): 0x80070057 (The parameter is incorrect.)
BAIL: MMS(5996): ..\mastate.cpp(10227): 0x80230405 (The operation failed because the object cannot be found)
BAIL: MMS(5996): ..\mastate.cpp(6373): 0x80230405 (The operation failed because the object cannot be found)
BAIL: MMS(5996): ..\ma.cpp(670): 0x80230405 (The operation failed because the object cannot be found)
BAIL: MMS(5996): ..\ma.cpp(928): 0x80230405 (The operation failed because the object cannot be found)
Forefront Identity Manager 4.4.1749.0"


Ed Bell - Specialist, Network Services, Convergys


FIMService Roll Up 2


Hi,

After attempting to install the latest FIM hotfix Roll Up 2, we seem to hit an area where the database was upgraded half way through (i.e. fim.version table had version -1). 

So we have restored the FIMService database from a backup taken just prior to the hotfix installation. After restoring the FIMService database we seem to have encountered another error when starting FIM Service

System.ServiceModel: System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue 'XXXXXXXXXXXXXXXXX'.
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
   at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(StoreLocation storeLocation, StoreName storeName, X509FindType findType, Object findValue)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementServiceHost.SetServiceHostCredentials(ServiceHostBase serviceHostBase)

Reviewing the Local Computer > Personal > Certificate, we don't seem to find the ForefrontIdentityManager certificate. Is there a way to re-generate this cert?

Thank you,

Laith

MIM 2016 Support for PostGre SQL


Hi everyone,

I wish to know if there is anyone who has been able to integrate the MIM 2016 SP1 Generic SQL Connector successfully with PostGre SQL 9.x Database.

The configuration works, and Import works as well but I am having some issues with Export Run. Troubleshooting with PostGre ODBC Logs shows that Export activity from MIM is not recorded, while Import activities are well logged.

On the MIM Synchronization Console, the error is described as "unexpected error 0x8ffe2740" after Export run.

I am almost concluding that this issue could be because PostGre SQL is not on the list of supported Databases for MIM 2016 Generic SQL Connectors.

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql

Appreciate some advice from anyone with some experience with this or a workaround to address the issue.

Thanks

Synchronize user password across 2 AD forests


Hi,

Please help on the below requirement.

Forest A (Domain - 1), Forest B (Domain - 2) Both forest functional level 2012 R2 having 

Primary users in A1 (applications and computer domain) and have the same user accounts created in B2 (O365 emails is hosted) in an OU. Need to synchronize the password from A1 to B2 so that the users have to remember only 1 password for computer login and O365 emails.

I have gone through the below article which gives a good insight but it does not specify whether the users are already created in the trusting domain (Fim.lab.local)

https://social.technet.microsoft.com/wiki/contents/articles/19821.how-to-password-synchronization-with-pcns-using-a-one-way-externalforest-trust-with-selective-authentication.aspx

Regards,

Shoeb
