Channel: Microsoft Identity Manager forum

MIM 2016 & SQL 2012/2014 High Availability options support?

Hi,

According to the FIM Infrastructure Planning Guide (IPD):

  • FIM Service database: SQL Server can be clustered for fault tolerance (there is no mention of other high availability and disaster recovery strategies like database mirroring and log shipping in this part of the IPD document)
  • FIM Sync Service database: The FIM Synchronization Service database can be hosted on a clustered instance of SQL Server for fault tolerance. Other high availability and disaster recovery strategies like database mirroring and log shipping can also be used to provide fault tolerance for the SQL Server database, whether located locally or remotely

Question 1:

Based on this IPD document, FIM Service database does NOT support "Other high availability and disaster recovery strategies like database mirroring and log shipping"?

Question 2:

SQL these days has numerous High Availability options, how many of these are supported by both MIM databases:

- SQL Clustering

- Availability Groups

- Database Mirroring

- Log Shipping

- any other?

It would be awesome if Microsoft could give us a clear answer to these HA options for MIM SQL databases please.

Thx,

SK




domain password policy not applying when users attempt to reset their password with mim 2016

Hi

I implemented the Microsoft Identity Manager 2016 Self-Service Password Reset in my environment.

I have a password policy in my domain under which users cannot use the last five passwords in their password history and cannot change their password twice in a day.

But when users use SSPR, they can change their password several times and they can set any password outside our policy.

Does MIM 2016 have any setting that understands the domain password policy and behaves according to our policy?

Thanks

You could be our Fabulous February FIM Guru!

Fabulous February is here at last!

This is the month some of the greatest names in TechNet Wiki history will step forth and give us knowledge!

That's YOU by the way!

Drop us a little ray of sun, a few lines of love, or virtual valentine!

Your revelations could enrich so many more if you copied it for posterity into the wiki of wisdom

We need heroes! We need YOU! Join us and grow your reputation amongst some of the greats of the community!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

 

January's entries are now being judged, but below are December's mighty winners and contenders!

Guru Award BizTalk Technical Guru - December 2015  

Gold Award Winner

Peter Lindgren
BizTalk: Create SSO Bindings Without Joining Active Directory (AD) Domain
SK: "Very good article"
SW: "Pragmatic Approach in Development Environment"

Silver Award Winner

Steef-Jan Wiggers
BizTalk Server: Call external code in an orchestration
SW: "Good explanation and demonstration when to use/call external code in an orchestration."
SK: "Great work here"

Guru Award Forefront Identity Manager Technical Guru - December 2015  

Gold Award Winner

Wim Beck
FIM2010: Outbound System Scoping Filter Syntax
Søren Granfeldt: "The best"
PG: "Nice solution, very helpful"

Silver Award Winner

Jeff Ingalls
How to Use PowerShell to Create a CSV of FIM/MIM Metaverse Connections
PG: "Nice solution, well documented, very helpful"
Søren Granfeldt: "Very interesting read"

Guru Award Microsoft Azure Technical Guru - December 2015  

Gold Award Winner

XAML guy
IoT Suite - Under The Hood - Remote Monitoring
AS: "Very good article. Just made me play around with the stuff."
JH: "Good explanation of the remote monitoring sample of the IoT Suite. More articles about the IoT Suite are more than appreciated."

Silver Award Winner

Sajid Ali Khan
JumpStart into Big Data with HDInsight
JH: "Nice article to get started with HDInsight. Lots of easy to follow graphics."
AS: "Nice post. But somehow I really wanted to jump start with Big Data without having to deal with Hadoop :)"

Bronze Award Winner

Ken Cenerelli
Azure Infographics and Visio Templates
AN: "Just listing infographics does not add any value for the users. One can just stop by: https://azure.microsoft.com/en-us/documentation/infographics/ and review / download all"
JH: "Good collection of the infographics available for Azure."

Guru Award Miscellaneous Technical Guru - December 2015  

Gold Award Winner

Ken Cenerelli
Command Prompt improvements in Windows 10
Richard Mueller: "Very interesting and useful information. Well written and explained."

Silver Award Winner

SYEDSHANU
ASP.Net Web Photo Editing Tool Using HTML 5
Richard Mueller: "Lots of well commented code. Good images. Good use of Wiki guidelines. We could use an "Other Resources" section."

Bronze Award Winner

Hussain Shahbaz Khawaja
Visual Studio Community for Java Developers
Richard Mueller: "Good images. We could use links and references."

Guru Award SharePoint 2010 / 2013 Technical Guru - December 2015  

Gold Award Winner

Danish Islam
SharePoint: Filter Dropdown values on List InfoPath form based on Current User
Richard Mueller: "Good use of Wiki guidelines. Great images. The "See Also" is good, but because the links are not Wikis, it should be "Other Resources"."

Silver Award Winner

Jesper Arnecke
SharePoint 2013 - Workflow Manager – Scripted Installation
Richard Mueller: "Lots of code. References are good, but we could use a "See Also" section."

Bronze Award Winner

Danish Islam
SharePoint: Hiding or Ordering Fields on Default List Forms
Richard Mueller: "Great use of Wiki guidelines. We can use some references."

Guru Award Small Basic Technical Guru - December 2015  

Gold Award Winner

SYEDSHANU
Microsoft Small Basic: Painting Tool Using Graphics Window
RZ: "This is very nicely done! Fantastic tool for painting and illustrating the drawing capabilities of SmallBasic"

Silver Award Winner

Ed Price - MSFT
Small Basic Sample: Leap Year Checker
RZ: "Leap year calculation is always interesting -- the rules are always just a bit more complicated than you expect :)"

Guru Award SQL BI and Power BI Technical Guru - December 2015  

Gold Award Winner

Greg Deckler (Quick Solutions)
Merge Query with M
PT: "Greg, nice tip. It's good to see how simple M script techniques like this can supersede the out-of-the-box script generated by the UI tool. I'll use this often."

Guru Award SQL Server General and Database Engine Technical Guru - December 2015  

Gold Award Winner

Ronen Ariely
SQLCLR: Percentage User-Defined Aggregate Functions
Durval Ramos: "This article is interesting, but needs more details to demonstrate how to create and use an assembly .Net on SQL Server"

Guru Award System Center Technical Guru - December 2015  

Gold Award Winner

C Sharp Conner
Solution - Correctly restoring Data Warehouse and Registering to SCSM when Cube Process Jobs have gone Bad
AB: "Nice solution"
Nicolas Bonnet: "Thank you for posting this C Sharp Corner :)"

Silver Award Winner

Adin Ermie
Service Manager 2012 R2 Installation Fails To Identify SQL Server Instance, and Throws ‘Access Denied’ Error
Nicolas Bonnet: "Nice tip Adin, thanks"
AB: "Useful read!"

Guru Award Transact-SQL Technical Guru - December 2015  

Gold Award Winner

Naomi N
T-SQL: Finding Difference in Columns in the Table
Durval Ramos: "This article provides a useful solution to compare values. A very well written and good article that have "Conclusion" to the reader"
Richard Mueller: "Great article. Good use of Wiki guidelines and good code examples."
Samuel Lester: "Outstanding solution! Thanks again for the great depth of your submissions! Job well done!"

Silver Award Winner

Natig Gurbanov
How to find incorrect datetime data from "Char" format column
Durval Ramos: "An interesting article about how to use ISDATE function"
Richard Mueller: "Grammar needs work and references would help."
Samuel Lester: "Another good tip, thanks again"

Bronze Award Winner

Natig Gurbanov
Sql Server: Unusual String Functions
Richard Mueller: "A good effort, but grammar needs work and we could use more explanation."
Samuel Lester: "Fun tip, thanks for covering this rarely discussed function"
Durval Ramos: "Nice, could do with some more work"

Guru Award Universal Windows Apps Technical Guru - December 2015  

Gold Award Winner

Umer Qureshi
How to create and use custom control
JH: "Nice article. Love the animated pictures."

Silver Award Winner

Sajid Ali Khan
JumpStart With Data Binding in UWP
JH: "Very informative article about data binding. Unfortunately some of the pictures are missing."

Bronze Award Winner

Umer Qureshi
Introduction To Data Binding Using Model Class
JH: "Good example of one of the greatest features of XAML."

Guru Award Visual Basic Technical Guru - December 2015  

Gold Award Winner

tommytwotrain
Space Invaders game using a DataTable and DataGridView
Anthony D. Green: "Bonus points for being fun. It's also well presented and informative."
AN: "A great fun article, well laid out too"
Richard Mueller: "A very well written article. Lots of code and good references."
Carmelo La Monica: "Very nice work, is very good to see a game with Datagrid. Congrats for work and vb net code."

Silver Award Winner

SYEDSHANU
External Program Text Read using VB.NET
Carmelo La Monica: "Nice article, great animate images and vb net code."
AN: "Very nice article, lots to read and love"
Anthony D. Green: "Well structured but needs some proof reading. It's an informative example of using the Win32 API through P/Invoke but lacks sufficient motivation for the example."
Richard Mueller: "Grammar needs work and we could use references."

Bronze Award Winner

.paul.
InputDialog Demo
Richard Mueller: "Great examples and code."
Carmelo La Monica: "Great work, very interesting sample and code. Congrats."
AN: "The article is too short/simple. It re-implements functionality available in the platform without demonstrating clear benefit. It's more of a code sample than an article."

Guru Award Visual C# Technical Guru - December 2015  

Gold Award Winner

Anil Kumar
C# Delegate – a silent hero behind modern programming
Jaliya Udagedara: "Explains one of the most important types in .NET Framework. It would have been good if explained with more sample code."
Carmelo La Monica: "Fantastic topic, great code, congrats!"

Silver Award Winner

Qasim Chaudhry
How To Customize Identity in ASP.NET MVC5
Jaliya Udagedara: "Good! Step by step guide to customize ASP.NET Identity."
Carmelo La Monica: "I'm not expert of AspNet, but this article is very useful and detailed in all parts!"

Bronze Award Winner

SYEDSHANU
SPC CP and Cpk Chart in C# Windows Forms
Carmelo La Monica: "Fantastic, i mean is similar to tool for debug, great work."
Jaliya Udagedara: "Needs some explanations to the code."

Guru Award Wiki and Portals Technical Guru - December 2015  

Gold Award Winner

Andy ONeill
TechNet Guru Iconography Suggestions
Richard Mueller: "What fun! Lots of good ideas here. Gets me thinking."

Guru Award Windows PowerShell Technical Guru - December 2015  

Gold Award Winner

Ken Cenerelli
List Services With PowerShell
Richard Mueller: "Well written article. The "See Also" section should only include Wiki articles, so those links could go in the "References" section."

Guru Award Windows Presentation Foundation (WPF) Technical Guru - December 2015  

Gold Award Winner

Andy ONeill
Seasons Greetings
Peter Laker: "Yey for the seasonal article!"

Silver Award Winner

Umer Qureshi
Difference between Grid and StackPanel
Peter Laker: "Nice explanation, thanks Umer"

 

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Hide Advanced Search link in FIM Portal for a particular Search Scope

RCDC Group Creation UocFilterBuilder Problem

I want to use UocFilterBuilder for creating criteria-based groups. When I define the criteria and move to the next page or finish the wizard, the configuration won't be saved. I can see this when I go to the next tab and go back again to the criteria: all configuration is lost. I think it could be one of the handlers not working properly.

When I click on the Preview button first, it looks like it sends data back to the server and then it saves the criteria configuration correctly. Also, when using the edit criteria-based groups wizard it works properly as well, without using the Preview button.

Does somebody know how to save filter criteria within RCDC for group creation?

My RCDC code looks like this:

<my:Grouping my:Name="GroupingCalculatedMembers" my:Caption="%SYMBOL_GroupingCalculatedMembersTabCaptionTabCaption_END%">
  <my:Control my:Name="ManagerialMembershipDescription" my:TypeName="UocTextBox" my:Visible="false">
    <my:Properties>
      <my:Property my:Name="Text" my:Value="%SYMBOL_ManagerialMembershipDescription_END%" />
    </my:Properties>
  </my:Control>
  <my:Control my:Name="Manager" my:TypeName="UocIdentityPicker" my:Caption="%SYMBOL_GroupingManagerialMembersManagerCaption_END%" my:RightsLevel="{Binding Source=rights, Path=Filter}">
    <my:Properties>
      <my:Property my:Name="Required" my:Value="true" />
      <my:Property my:Name="ObjectTypes" my:Value="Person" />
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName, MailNickname, Manager" />
      <my:Property my:Name="AttributesToSearch" my:Value="DisplayName, MailNickname" />
      <my:Property my:Name="UsageKeywords" my:Value="Person" />
      <my:Property my:Name="ResultObjectType" my:Value="Person" />
      <my:Property my:Name="ListViewTitle" my:Value="%SYMBOL_ManagerPopupListviewTitle_END%" />
      <my:Property my:Name="PreviewTitle" my:Value="%SYMBOL_ManagerPopupPreviewTitle_END%" />
      <my:Property my:Name="MainSearchScreenText" my:Value="%SYMBOL_ManagerSearchText_END%" />
    </my:Properties>
    <my:Events>
      <my:Event my:Name="SelectedObjectChanged" my:Handler="OnChangeManagerialMembership" />
    </my:Events>
  </my:Control>
  <my:Control my:Name="FilterBuilder" my:TypeName="UocFilterBuilder" my:RightsLevel="{Binding Source=rights, Path=Filter}" my:ExpandArea="true">
    <my:Properties>
      <my:Property my:Name="PermittedObjectTypes" my:Value="Person,Contact" />
      <my:Property my:Name="Value" my:Value="{Binding Source=object, Path=Filter, Mode=TwoWay}" />
      <my:Property my:Name="Required" my:Value="true" />
      <my:Property my:Name="PreviewButtonVisible" my:Value="false" />
    </my:Properties>
  </my:Control>
  <my:Control my:Name="Preview" my:TypeName="UocButton" my:ExpandArea="true">
    <my:Properties>
      <my:Property my:Name="Text" my:Value="%SYMBOL_ViewMembers_END%" />
    </my:Properties>
    <my:Events>
      <my:Event my:Name="Click" my:Handler="OnClickPreview" />
    </my:Events>
  </my:Control>
  <my:Control my:Name="ComputedMemberList" my:TypeName="UocListView" my:Caption="%SYMBOL_CalculatedMemberCaption_END%" my:RightsLevel="{Binding Source=rights, Path=Filter}" my:ExpandArea="true">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,ObjectType" />
      <my:Property my:Name="EmptyResultText" my:Value="%SYMBOL_CalculatedMemberEmptyResultText_END%" />
      <my:Property my:Name="PageSize" my:Value="10" />
      <my:Property my:Name="ShowTitleBar" my:Value="false" />
      <my:Property my:Name="ShowActionBar" my:Value="false" />
      <my:Property my:Name="ShowPreview" my:Value="false" />
      <my:Property my:Name="ShowSearchControl" my:Value="false" />
      <my:Property my:Name="EnableSelection" my:Value="false" />
      <my:Property my:Name="SingleSelection" my:Value="false" />
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
      <my:Property my:Name="ReadOnly" my:Value="true" />
    </my:Properties>
  </my:Control>
  <my:Control my:Name="InvalidMemberListDynamic" my:TypeName="UocListView" my:Caption="%SYMBOL_InvalidMemberCaption_END%" my:Description="%SYMBOL_InvalidMemberHint_END%" my:ExpandArea="true" my:Visible="false">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,ObjectType" />
      <my:Property my:Name="EmptyResultText" my:Value="%SYMBOL_InvalidMemberListEmptyResultText_END%" />
      <my:Property my:Name="PageSize" my:Value="10" />
      <my:Property my:Name="ShowTitleBar" my:Value="True" />
      <my:Property my:Name="ShowActionBar" my:Value="false" />
      <my:Property my:Name="ShowPreview" my:Value="false" />
      <my:Property my:Name="ShowSearchControl" my:Value="false" />
      <my:Property my:Name="EnableSelection" my:Value="false" />
      <my:Property my:Name="SingleSelection" my:Value="false" />
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
      <my:Property my:Name="ReadOnly" my:Value="true" />
    </my:Properties>
  </my:Control>
  <my:Events>
    <my:Event my:Name="AfterEnter" my:Handler="OnEnterMembersGrouping" />
    <my:Event my:Name="BeforeLeave" my:Handler="OnLeaveMembersGrouping" />
  </my:Events>
</my:Grouping>

Conditional Sync from two Forests

Hello, 

I have a question regarding conditional sync from two forests. The setup is:

- Two AD forests with management agents (the object of each forest is joined to the same metaverse object)

- An AD extension attribute is used to indicate which forest should determine the attributes of the metaverse object (via connector filters)

- Connector filter in forest 1: "filter out if extension attribute != 1"

- Connector filter in forest 2: "filter out if extension attribute != 2"

My procedure is the following:

I create an AD object in forest 1 and populate certain attributes (extension attribute = 1 and an immutable anchor attribute). In forest 2, I create an object with the same anchor attribute (for joining) and the extension attribute also set to 1. Other attributes have different values in comparison to forest 1. I then make a "full import and sync" with the management agent of forest . The connector space gets filled and (since the metaverse is empty) objects are projected (works fine, metaverse objects have the attribute values of forest 1). After that I set the extension attribute in both forests to a value of 2 and I start a "full import and sync" with the management agent of forest 2. Joining is performed successfully and the metaverse object's attributes have the values of forest 2 (as it should be). If I run the management agent of forest 1 again, as intended nothing happens (due to the connector filter) to the attribute values of the metaverse object.

Now comes the interesting part: I now change the extension attribute back to "1". The management agent of forest 2 now does, as expected (due to the connector filter), nothing. However, running the management agent of forest 1 also has no effect on the metaverse object. Its attribute values were set to the values of forest 2 in the former step and should now be updated by the values of the corresponding object in forest 1. However, this does not happen! The reason presumably is the following: when the management agent of forest 1 runs again (happens for delta and full import and sync), it reads the data from the forest and compares it to the connector space data it already has from the prior run. Except for the extension attribute, no attribute was changed, and it seems that FIM does not apply a flow rule if the source and the connector space attribute still have the same data (although the metaverse attribute value of the object is different). So to speak: "If source directory data and connector space data are the same I do not have to sync to the metaverse."

Does anyone know how to change this behavior or how to force a metaverse update? (Or any other solution)

Thanks

Group Memberships not Flowing into Metaverse

Hello,

I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:

An HR system running on SQL Server
A staging database that extracts data from the HR system
The staging database has a table representing person objects
The staging database has a table representing person multi-valued attributes (i.e. location, job code, etc.)
The staging database has a table representing group objects
The staging database has a table representing group memberships (multi-valued)

A SQLMA connected to the person and person multi tables
A SQLMA connected to the group and group membership tables

All group memberships are based on job codes and locations.  There is no approval process in place.  If they have this job code, they get certain groups.  That's all calculated in the staging database and the memberships are in the group membership table.

This system does connect to AD (and a few other things), but I'm not concerned with that, right now.

I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.

But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.

Where allowed, I'm using rules extensions for everything.  I can't use a rules extension to set the member attribute because it's an rdn.

I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object.  Then, I'll modify my existing MA to use that attribute instead of the member attribute.  I'm not sure what kind of issues I'm going to run into when exporting that to AD.  I'll cross that bridge when I come to it.  I don't anticipate that being an issue as the dns for all these objects will be calculated by the ADMA based on locations, group functions and person types (basically, I don't care about the MV rdn).

Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but is quite expensive to license.

Thanks,

Greg Wilkerson

FIM email notification - digitally signed

Is there any way we can digitally sign the email sent out by the FIM service? We are going to use FIM to send out password expiry notifications and we would like to digitally sign the emails. Thanks.

Identity Manager Service and Portal installation ended prematurely

Hi,

I am new to this field. I am trying to deploy MIM 2016 and install it using the disc image file, so I used Virtual Clone Drive. I am trying to install it into a Hyper-V virtual machine.

Following the guide, I am told that I should start with the installation of Microsoft Identity Manager Service and Portal. But it presents an error.

"Microsoft Identity Manager Service and Portal Setup Wizard ended prematurely because of an error. your system has not been modified. To install this program at a later time, run Setup Wizard again."

So did I miss something? Please advise. Thanks

Regards,

AzureTechGuy

GALSync between forest - User / Contact being duplicated

Hi All,

I am using FIM2010 to do GAL Sync between two forests. One is running Exchange 2010 and the other is running Exchange 2013.

Let's name them Forest A - Exchange 2010 and Forest B - Exchange 2013.

When I migrate a user from Forest A to Forest B, the user account is still active in Forest A.

When I do a FIM synchronization, the contact of the user in Forest A (which is still available in this forest) gets created in Forest B even if the user object is available in Forest B (the user was migrated).

My question is: Is there a way for FIM to check if the user is available in the specified forest before creating its contact?

I am quite new to FIM and if someone has a resolution for this I would be immensely grateful.

Kind Regards,

Mathieu

Exporting multivalued string attribute into FIM Portal

I have a sync rule for IAF flow from an external system which also contains a mapping from multivalued string attribute in the external system to a multivalued string attribute in the MV. Also, I have a similar export flow in the FIM MA which maps the multivalued string MV attribute to a multivalued string FIM Portal attribute.

When I run a sync cycle, I can see that the values come in the FIM MA CS. However when I trigger an export, I get the following error:

failed-modification-via-webservices

An error occurred in executing a Web service object modification request.

Type: System.InvalidOperationException

Message: Operation is not valid due to the current state of the object.

Stack Trace:

Inner Exception:

Does anyone know the cause behind this? I am struggling to find the exact issue since there is no stack trace which gives the detail.


Upgrade FIM 2010 to FIM 2010 R2 SP1

Greetings,

We have a FIM 2010 and we want to upgrade to FIM 2010 R2 SP1.

Can we go directly to 2010 R2 SP1, or do we need to upgrade first to R2 and then to R2 SP1?

Please provide a reference.

Thanks
Nafe

How can MIM 2016 send notifications via Exchange Online as there is no on-premises Exchange Server?

We are starting to plan a MIM 2016 development. The scenario consists of on premises AD and MIM server(s) with Azure AD Connect installed on its own server. There is the cloud and Azure AD plus Exchange Online.

There is NO Exchange 20xx anywhere, all mailboxes now live in Exchange Online.

We are asked to create new on-prem AD accounts via MIM from an HR feed. AADC will sync these to Azure AD. MIM is also tasked to make Exchange Online mailboxes & license the things via a PowerShell script when the account is in Azure.

All ok so far.. except that the Managers and Service Desk want Notifications to be sent BY *MIM* when a new AD account is created and again when a (licensed) mailbox is successfully created. 

How is MIM and the myDomain\MIMService account configured to send Email notifications without an on-prem Exchange?

I am guessing/hoping that Exchange Online can act as an SMTP server... but really how is it done?

Error when loading FIM portal in new installation: The requestor's identity was not found.

I have just installed the FIM portal into my test environment.  The synchronisation service was already working perfectly (can provision users from a .csv file).
The FIM Service and Portal are installed on a server (we'll call it SPF1), and the FIM sync service on another server (SYNC1)
Whenever I try to log on to the fim portal with my standard user account (it has never worked), I get the following error:

Unable to process your request.

Please contact your help desk or system administrator.

Error processing your request: The server was unwilling to perform the requested operation.

Reason: The requester of this operation is invalid.

Correlation Id: 7da76fce-5c9a-4596-90f7-8d7243c21de8

Details: The requestor's identity was not found.

>Go to Forefront Identity Manager home page

 

(The web page header does show the FIM logo, so the portal itself is there).

In the ForeFront logs on SPF1, I get the following:

Log Name:      Forefront Identity Manager
Source:        Microsoft.ResourceManagement
Date:          1/13/2015 5:48:08 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SPF1.testdomain.internal
Description:
GetCurrentUserFromSecurityIdentifier: No such user TESTDOMAIN\StandardUser, S-1-5-21-1(sid goes here)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-14T01:48:08.000000000Z" />
    <EventRecordID>523</EventRecordID>
    <Channel>Forefront Identity Manager</Channel>
    <Computer>SPF1.testdomain.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data>GetCurrentUserFromSecurityIdentifier: No such user TESTDOMAIN\StandardUser, S-1-5-21-1(sid goes here)</Data>
  </EventData>
</Event>

 

Log Name:      Forefront Identity Manager
Source:        Microsoft.ResourceManagement
Date:          1/13/2015 5:48:08 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SPF1.testdomain.internal
Description:
Requestor: Internal Service
Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-14T01:48:08.000000000Z" />
    <EventRecordID>522</EventRecordID>
    <Channel>Forefront Identity Manager</Channel>
    <Computer>SPF1.testdomain.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Requestor: Internal Service
Correlation Identifier: da87f241-eee5-4bf5-b1dd-8a6728a2c627
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: IdentityIsNotFound
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetUserFromSecurityIdentifier(SecurityIdentifier securityIdentifier)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.GetCurrentUser()
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Enumerate(Message request)</Data>
  </EventData>
</Event>

 

 


Further, I note that it has trouble connecting to the web exchange connector.  I wonder if this is because I used an alias (for easy migration in the future) for which the certificate does not match the name?  I'm connecting to "mail.testdomain.internal", although that's actually an NLB group between two CAS/HUB servers.

Log Name:      Application
Source:        Microsoft.ResourceManagement.ServiceHealthSource
Date:          1/13/2015 7:43:49 PM
Event ID:      12
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     SPF1.testdomain.internal
Description:
The Forefront Identity Manager Service cannot connect to the Exchange Web Service.

The connection failure may be due to a network failure, firewall configuration error, or other connection issue.  Additionally, the failure may be due to incorrect Exchange Web Service configuration.

Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer.  Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly.  Last, ensure that the Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement.ServiceHealthSource" />
    <EventID Qualifiers="0">12</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-14T03:43:49.000000000Z" />
    <EventRecordID>7581</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SPF1.testdomain.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The Forefront Identity Manager Service cannot connect to the Exchange Web Service.

The connection failure may be due to a network failure, firewall configuration error, or other connection issue.  Additionally, the failure may be due to incorrect Exchange Web Service configuration.

Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer.  Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly.  Last, ensure that the Exchange Web Service configuration is correct in the Microsoft.ResourceManagement.Service.exe.config file.</Data>
  </EventData>
</Event>

 

 

I'm not really sure where to start investigating at this point.  The only other thing to note is that after installing the portal, I didn't see a new management agent in the synchronization service (I thought one was supposed to appear, though I could be mistaken).

New-PAMDomainConfiguration: The Netdom trust command returned the following error:


I have been following the MIM PAM lab guide here: https://technet.microsoft.com/en-us/library/mt488766.aspx

When I reach the point at which to use the New-PAMDomainConfiguration command, I get an error stating that the Netdom trust command returned the following error:

However, no error is presented. Running the command with -Debug, it just provides a little more information stating that the trust between priv.contoso.local and contoso failed.

The preceding command - to set up the one-way forest trust - works just fine, using the same credential object.

  • Have any others seen this issue and found a resolution?
  • Can anyone provide some ideas for further debugging?
  • What changes does the New-PAMDomainConfiguration cmdlet make on the target domain?

Regards,

Jon.


Auto remove a user from a security group on a user attribute change


Hello,

We need to add a person to a group representing their post.  I have two view tables, one for users and one for posts.  The user has a postid attribute and the post has an immutableid.  I'm flowing the post into the MV and using an inbound sync rule to create a security group in the FIM Service.  Workflow (FIMWAL update) fires on completion of the 'create' request.  This will run a query to find the user that has the same postid as the post group immutableid, which is then stored in the query key.  The query result is then flowed to the 'ExplicitMember' attribute of the group.  This works fine on create but not on a modify-driven activity, that is, when the user's postid changes.

The objective is to remove the user from the post group when their postid no longer matches the immutableid of the group because the user has changed post.

In the example above I used a manually-managed group as we couldn't find a way to write the value expression into the Filter attribute using the workflow, thus enabling us to use a dynamic group, which would be the nirvana in this instance.

However, is there another way of removing the user programmatically from the group when there is a change to the postid? I have the MPR configured so that it will call a workflow when this attribute is modified on the user; I'm just stuck on what to run in the workflow.  Can PowerShell be used in this example to work out what the post group is that the user is in before the postid was changed and then remove the user from that group?  Or is there a way of auto-creating a dynamic group by being able to specify the correct XML to feed to [//Target/Filter]?

Rob 

Error: Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector


Hi,

I have managed to add a new attribute in the existing SyncRule (users provisioned to AD). When I tried to run the FullImport and FullSync or DeltaSync options for the FIMService MA, I got the error below:

Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector

The new attribute which is added in the SyncRule was,

FIM Attribute => AD

JobTitle => Title

Can anyone help?

Thanks

FIM2010: Selective Import Attribute Flow

SQL 2012 SP3 and FIM 2010


Hello,

Has anyone installed SQL 2012 SP3 on the server hosting their FIM DBs and if so, were there any issues?

Thanks

Error on Delta and Full Sync FIMMA to AD MA


Part 1

Hi Everyone

I am trying to make the join rules work, and they are working. But I have an issue.

When I make changes on HR, which is my DS auth, the changes go to FIM but they don't go to AD, and when I delete an object from HR the object is deleted from AD and FIM.

Also, I have 6 EREs for each user on FIM and I don't know why. I have added all the info of my FIM configuration below; hopefully you can help me out, guys.

Cheers

When I ran the Delta Sync or Full Sync run profiles I got the following error:

 

Error Information

Running management agent: FIM MA
Error: Extension-dll-exception
Synchronization step: Export Flow
Retry count: 2
Extension name: FunctionLibrary.dll
Extension Rule: Export-flow
Extension context: <export-flow allows-null="false"><src><attr>displayName</attr></src><dest>dn</dest><scoping></scoping><fn id="+" isCustomExpression="false"><arg>"CN="</arg><arg>displayName</arg><arg>",OU=TestUsers,CN=kiasvan,CN=ca"</arg></fn></export-flow>
Destination management agent: AD MA
Destination object: CN=Zuleica Morales Morales,OU=TestUsers,DC=kiasvan,DC=ca
Mapping type: Direct
Data Source attribute: dn

 

 

Stack Trace Info

Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD OUT Users'. Details: The partition filter criteria for management agent "AD" do not include an object with DN "CN=Zuleica Morales Morales,OU=TestUsers,CN=kiasvan,CN=ca" and object classes top, person, organizationalPerson, user.
   at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)
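
The check behind the "partition filter criteria" error above, as an added example that is not part of the original post or of FIM: it builds the DN the way the export flow concatenates it and tests whether the result sits under the AD partition. The naming context `DC=kiasvan,DC=ca` is an assumption taken from the "Destination object" line, and all function names are hypothetical.

```python
def split_rdns(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def normalise(rdn):
    """Lower-case attribute type and value for case-insensitive comparison."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())


def in_partition(dn, naming_context):
    """True when dn is at or below naming_context."""
    d = [normalise(r) for r in split_rdns(dn)]
    n = [normalise(r) for r in split_rdns(naming_context)]
    return len(d) >= len(n) and d[len(d) - len(n):] == n


def suffix_mismatches(dn, naming_context):
    """Pair each trailing RDN of dn with the partition RDN it fails to match."""
    pairs = zip(reversed(split_rdns(dn)), reversed(split_rdns(naming_context)))
    bad = [(got, want) for got, want in pairs if normalise(got) != normalise(want)]
    return list(reversed(bad))


def build_dn(display_name, suffix):
    """Mimic the export flow on the page: "CN=" + displayName + constant suffix."""
    return "CN=" + display_name + suffix


# Values copied from the post; PARTITION is the assumed AD naming context.
FLOW_SUFFIX = ",OU=TestUsers,CN=kiasvan,CN=ca"
PARTITION = "DC=kiasvan,DC=ca"

if __name__ == "__main__":
    dn = build_dn("Zuleica Morales Morales", FLOW_SUFFIX)
    print(dn, "in partition:", in_partition(dn, PARTITION))
    for got, want in suffix_mismatches(dn, PARTITION):
        print("  flow emits", got, "but partition expects", want)
```
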

 

 
