
MIM 2016: Microsoft.IdentityManagement.ConfigurationBackup.exe utility fails with error, not installed or version


Product documentation for Backup specifies to use the Microsoft.IdentityManagement.ConfigurationBackup.exe utility to export settings for backup.  See https://technet.microsoft.com/en-us/library/jj134435(v=ws.10).aspx

Running the tool on my production server (MIM 2016 version 4.3.1935.0) fails with the following error:

Product is not installed or tool is not supported on your current installation version.

Any assistance is appreciated.

-Stu


Unable to export users from FIM to AD due to missing registry keys


Hi All,

I have been trying to export users from FIM 2010 R2 to ADDS but have not been successful.

I see a lot of errors in the event logs, the major ones being missing registry keys: 1. ADMADoNormalization 2. ADMARecursiveUserDelete 3. ADMAUseACLSecurity

I could not find these registry keys in the registry. 'ADMADoNormalization' needs to be present under SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\PerMAInstance\<ma name> but I cannot find any other folder after Parameters. How and when are these keys created? What do I need to do to fix these errors?

Some of the other errors:

1. HRESULT: '0x80230703' Source: 'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(2354)'  Thread ID: '0x1038' Additional Info: ''

2. HRESULT: '0x80230808' Source: 'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(635)'  Thread ID: '0x1038' Additional Info: 'EndExportSession called before export session was initialized

3. HRESULT: '0x0' Source: 'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3729)'  Thread ID: '0x1038' Additional Info: 'Controller Export failed with hr=  80230703.

4. HRESULT: '0x80230703' Source: 'd:\bt\800\private\source\miis\cntrler\cntrler.cpp(3562)'  Thread ID: '0x1038' Additional Info: ''

5. HRESULT: '0x80230703' Source: 'd:\bt\800\private\source\miis\ma\ldapcore\ldapmaexportcore.cpp(585)'  Thread ID: '0x1038' Additional Info: ''

6. HRESULT: '0x80230703' Source: 'd:\bt\800\private\source\miis\scrhost\scripthost.cpp(20031)'  Thread ID: '0x23E0' Additional Info: ''

7. HRESULT: '0x80004002' Source: 'd:\bt\800\private\source\miis\scrhost\scripthostloader.cpp(790)'  Thread ID: '0x23E0' Additional Info: ''

8. HRESULT: '0x0' Source: 'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(58)'  Thread ID: '0x1038' Additional Info: 'Failed getting registry value 'ADMARecursiveUserDelete', 0x2

9. HRESULT: '0x80070002' Source: 'D:\bt\800\private\source\MIIS\ma\shared\inc\MAUtils.h(59)'  Thread ID: '0x1038' Additional Info: 'Win32 API failure: 2

Unable to rename non-leaf object. - extension dll exception - .FunctionEvaluationException


I changed the AD OSR so that DN is flowed out to AD all the time (in addition to the initial flow that we already had). All sync rules are throwing an error for just one user. I could see many other objects where the DN got changed. I am not able to find the root cause of this issue. I even tried matching the DN in AD to be the same as that of FIM.

Extensionfile name: FuctionLibrary.dll

Extension-Type:export-flow

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD OSR - User - Create/Delete'. Details: Unable to rename non-leaf object.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)


converting DN to lowercase using custom Expressions in FIM


Our requirement is to convert the DN (distinguished name) of a particular OU and its sub-OUs to lower case using FIM.

  • Is there any way we can select a particular OU and convert it to lowercase using custom expressions?
  • Is it possible to call a PowerShell script in synchronization rules?
  • Ex: We have a script to convert DN to lower case in AD LDS. Can we call that script in FIM synchronization rules?

MIM PAM Powershell set-pamuser


Hi!

I'm trying to use the set-pamuser cmdlet to deactivate users remotely but I receive the following error message.

Strangely, I'm able to use the new-pamuser remotely.

Regards,

Yannick

$remote = get-credential
$session = new-pssession -connectionUri "http://pamsrv.private.local:5985/wsman" -Credential $remote -Authentication Credssp
Invoke-Command -session $session -scriptBlock {set-pamuser -user (get-pamuser -SourceAccountName FRAEV04) -PrivAccountActive $true}

Log Name:      Privileged Access Management
Source:        Microsoft.IdentityManagement.PamPowerShell
Date:          12/02/2016 10:35:08
Event ID:      338
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      PAMSRV.private.local
Description:
[Id: b99a7c53-11a2-4cc1-a10f-27169e03ce1f]
User attributes of 'FRUSER' could not be modified.
Exception:
The server is unwilling to process the request.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.IdentityManagement.PamPowerShell" />
    <EventID Qualifiers="0">338</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-02-12T09:35:08.000000000Z" />
    <EventRecordID>27610</EventRecordID>
    <Channel>Privileged Access Management</Channel>
    <Computer>PAMSRV.private.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[Id: b99a7c53-11a2-4cc1-a10f-27169e03ce1f]
User attributes of 'FRAEV04' could not be modified.
Exception:
The server is unwilling to process the request.
</Data>
  </EventData>
</Event>

display name of referenced resource not available while adding user in remove operation its showing cannot display instead of No user removed when checked request its showing this value


I am receiving the below error for only one mailbox when I'm trying to add users to that shared mailbox on the portal. For other mailboxes it's working fine.

<RequestStatusDetail xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" DetailLevel="Information" EntryTime="2016-02-06T17:20:29.4982645Z">Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ResourceIsMissing
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteGetAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.DispatchRequest[TResponseType](RequestType request, Boolean applyAuthorizationPolicy)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessGetWorkItem(ReadRequestWorkItem readWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)</RequestStatusDetail>


FIM 2010 R2 - Requests takes up to 30 minutes to finish - SQL Deadlocks


We are facing issues with SQL deadlocks. The problem is that we are really confused about the root cause.

We have noticed that some requests take up to 30 minutes to finish. And those requests are simple: add a sync rule for a person, etc.

But could we assume that there is something wrong with the SQL because of the long finishing times of requests?

FIM CM 2010 R2 Error: The version of OLE on the client and server machines does not match. (Exception from HRESULT: 0x80010110)

I get this error intermittently while executing the enrollment requests in FIM 2010 CM R2. Sometimes it auto resolves but during other times I will have to restart the IIS to get this working again. My environment earlier had FIM 2010 and was upgraded to FIM 2010 R2. Did I forget some configuration? Please help. 

-- JPM


SharePoint Services Connector for FIM 2010 R2

What versions of SharePoint does this support?

SV

PowerShell Script to Bulk update multivalued attributes of group objects in FIM 2010


Hi all,

Has anybody written any PS script to bulk update multivalued attributes including [Displayed Owner], [Owner], [Filter] for a Criteria-based Group and [Members] for a Manual Group in FIM? I really don't like to reinvent the wheel.

Really appreciate your help on this and thanks in advance.

/Jerry



Aravinth Jerry Microsoft Identity Consultant

FIM Reports using scripts


I am trying to generate the default FIM reports which we get from the Reporting tool. However, the client does not want us to use or install the tool and we have to use some form of scripts to get the work done. I am looking for the following reports:

  1. Group Membership Change
  2. Set Membership Change
  3. Group History
  4. Set History
  5. User History
  6. Request History
  7. Management Policy Rule History

Can someone help me with the scripts or point me in the right direction for it? Thanks!



Internet Explorer 11 support for FIM 2010 R2 SP1

As per pre-requisite documentation FIM portal 2010 R2 SP1 supports Internet Explorer 9,8,7 and 6. 
Is Internet Explorer 11 officially supported for FIM Portal 4.1.3419 ( 2010 R2 SP1) running on Windows 2008 R2 SP1?

If not, can you suggest the FIM version that supports IE 11?

Microsoft Identity Management 2016 Documentation


Are there any plans to release documentation for Microsoft Identity Manager 2016, specifically the Certificate Management area? The MIM 2010 / 2010 R2 guides are pretty good (not great) but I can't find much at all about MIM 2016 and what might be different.

Moreover, I'm finding quite a few references to '2010' and '2015' within MIM 2016 wizards and webpages. I'm questioning the QA that went into its release. Is this really safe to use in an enterprise environment?


Bryan Berns

New-PAMDomainConfiguration: The Netdom trust command returned the following error:


I have been following the MIM PAM lab guide here: https://technet.microsoft.com/en-us/library/mt488766.aspx

When I reach the point at which to use the New-PAMDomainConfiguration command, I get an error stating that the Netdom trust command returned the following error:

However, no error is presented. Running the command with -Debug, it just provides a little more information stating that the trust between priv.contoso.local and contoso failed.

The preceding command, to set up the one-way forest trust, works just fine using the same credential object.

  • Have any others seen this issue and found a resolution?
  • Can anyone provide some ideas for further debugging?
  • What changes does the New-PAMDomainConfiguration cmdlet make on the target domain?

Regards,

Jon.

MIM 2016 with SMTP gateway instead of Exchange


If I want to use an SMTP gateway instead of Exchange web services, how should I configure the Microsoft.ResourceManagement.Service.exe.config file?

I got these from my MailAdmin:

gateway smart host address: server.domain.com

port tcp/25

no authentication

These are Microsoft.ResourceManagement.Service.exe.config configurations.

<add key="mailServer" value="server.domain.com"/>
<add key="isExchange" value="0"/>

Should I configure SMTP E-mail in IIS too to get this working?

Now when MIM tries to send email, it just says

System.Net.Mail.SmtpFailedRecipientException: Mailbox unavailable. The server response was: 5.7.1 Unable to relay.



Error while provisioning user to ADLDS server through FIM


 Hello,

We are encountering "The modification was not permitted for security reasons" error while provisioning user to ADLDS. The objecttype is userProxyFull.

The ObjectSid attribute is imported into FIM through a direct flow and also exported to the ADLDS server from FIM through a direct mapping.

We can see the ObjectSid value updated in the connector space of ADLDS after synchronization, but when the Export profile is executed we face the below error and the export to the server fails.

Can anyone please assist with this?

Regards,

Jyothishree SP

 

Add New Users to Default Groups Assistance


MIM 2016 – I have a sync rule, WF and MPR that adds users to the applicable OU by way of company code on user creation from Oracle. Now I need to add these users to some default groups. I have imported the AD groups into the MV. Just not sure how I can get these new users into the groups. Can I work off my current sync rule, WF and MPR or do I need an additional sync rule, WF and MPR? Any guidance is appreciated. Thank you!


kathy4270

Provision objects with MVExtension to two connected MA's at the same time


Hello. I'm working on syncing the same contact objects to two separate AD LDS instances. The instances are not replicating, so FIM will do the provisioning/deprovisioning in both instances at the same time. I have created two separate AD LDS Management Agents with the same settings, "AD-LDS 1" and "AD-LDS 2".

Note that I don't have the FIM portal installed. So I have written a MVExtension doing the provisioning to "AD-LDS 1", which works fine. Now I want to add provisioning for the same contacts to "AD-LDS 2" in the same process - how should I do that in the MVExtension?

void IMVSynchronization.Provision(MVEntry mventry)
{
    if (mventry.ObjectType.Equals("contact"))
    {
        ConnectedMA ManagementAgent = mventry.ConnectedMAs["AD-LDS 1"];

...

Is it possible to add "AD-LDS 2" within "mventry.ConnectedMAs" like so: mventry.ConnectedMAs["AD-LDS 1;AD-LDS 2"]; ? Or should I just copy the provisioning code for "AD-LDS 1" and paste it below for "AD-LDS 2"? I couldn't find any details on what "ConnectedMAs" supports.

Any tips are appreciated, thanks!


Identity Manager Service and Portal installation ended prematurely


Hi,

I am new to this field. I am trying to deploy MIM 2016 and install it using the disc image file, so I used Virtual Clone Drive. I am trying to install into a Hyper-V virtual machine.

Following the guide, I am told that I should start with the installation of Microsoft Identity Manager Service and Portal. But it presents an error.

"Microsoft Identity Manager Service and Portal Setup Wizard ended prematurely because of an error. your system has not been modified. To install this program at a later time, run Setup Wizard again."

So did I miss something? Please advise. Thanks

Regards,

AzureTechGuy

MIM 2016 - SCOM 2012 R2 Management Pack?


Will there be a new/updated SCOM2012 R2 compatible management pack for new Microsoft Identity Manager 2016?

If so, when?

If not, are we expected to try and monitor with the FIM 2010 MP?
