Hi,
i am setting up MIM 2016 in parallel to existing FIM 2010R2 in our environement.
IS it possible to use same FIM sync security groups for MIM sync installation as i am using currently or i need to create all 5 sync security groups again.
Regards,
Raj
My scenario is almost identical to the sample scenario in this blog that I have been trying to follow. Customer has multiple domains. A user's manager may likely exist in another domain in a different forest. So, they use the UserProxy objects in LDS to track the managers. All users in MIM are exported to a single LDS datasource. I have the managerID attribute populated on all users with their manager's employee ID. I need a way to export the reference to the manager attribute to the LDS Connector Space. Here is my adapted code from the above blog. Where am I going wrong? The Sync Engine is telling me that ManagerID doesn't exist. I have ManagerID (string) mapped to manager (reference) and set as a Rules Extension. Then, I put the below code in the Export section of the code.
string ManagerIDField;
ManagerIDField = "" + csentry["ManagerID"].ReferenceValue;
string employeeIDField;
employeeIDField = "" + csentry["employeeID"].ReferenceValue;
//Start manager lookup
if (mventry[ManagerIDField].IsPresent)
{
MVEntry[] mveManager;
mveManager = Utils.FindMVEntries(employeeIDField, mventry[ManagerIDField].Value);
//performs a search
if (mveManager.Length == 1)//if we get only one return (which we should)
{
if (mveManager[0]["DN"].IsPresent)//if there is the DN on that return
{
csentry["manager"].Value = mveManager[0]["DN"].Value; //set the DN as the manager
//break;
}
else
{
//break;//dn may not be populated yet - it will occur on the next run
}
}
else
{
//break;
//should never happen (employeeID is unique)- we'll fall through if it does
}
}
else
{
//break;Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx
We have a SQL Table of users and their managers as main source to MetaVerse.
The table is provided by HR and gives the ids for all the INTERNAL users + managers.
However, some of the INTERNAL users may have EXTERNAL managers and these manager ids will not exist in the Sql table as "user ids".
In this case FIM will flow a null to manager field in the MetaVerse as it cannot find (dereference the external manger's id)
All is not lost, all managers should have AD accounts. The manager's id not in HR table can be found in AD 99 times out of 100.
What I want to know is the best strategy to fill in the MV manager attribute when null by getting it from AD. What confuses me is the manager being a 'reference' field. This fact may limit my options.
What if I wrote some C# import attribute flow rule for the HR MA, is it OK just to push the DN *string* of the manager found in AD into MV:manager attribute? If not what should this C# code do??
What is best way to cover this hole, I am sure we are not unique in this situation?
Hi,
In all the documentation I read only scenarios about managing DGs with Outlook. What if I want to manage SGs the same way? I cannot get the final answer from documentation. Just checking...
https://docs.microsoft.com/en-us/previous-versions/mim/ee534919(v%3dws.10)
https://docs.microsoft.com/en-us/previous-versions/mim/ee534915(v%3dws.10)
GH
I call the function like so:
Start_RunProfile($AD,$FI)
Output looks like this:
is executing (Values for $CMA and $RP are null?)
You cannot call a method on a null-valued expression.
At line:28 char:12
+ return $CMA.Execute($RP).ReturnValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
#- - - - - - - - - - - - - Functions - - - - - - - - - - - - -
#Function to execute Run Profile of specified MA
#Run Profile $RP in $MA agent
function Start_RunProfile($MA,$RP)
{
$CMA = (get-wmiobject -class "MIIS_ManagementAgent" -namespace "root\MicrosoftIdentityIntegrationServer" -filter "Name='$MA'")
Write-Host $CMA.Name $RP "is executing"
return $CMA.Execute($RP).ReturnValue
}
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
But if I run the 3 lines of the function directly it executes as expected.
$CMA = (get-wmiobject -class "MIIS_ManagementAgent" -namespace "root\MicrosoftIdentityIntegrationServer" -filter "Name='$MA'")
Write-Host $CMA.Name $RP "is executing"
return $CMA.Execute($RP).ReturnValue
Output looks like this:
ADMA FullImport is executing
success
Why does it fail when I call it as a function?
Hi.
I've searched for a forum for 2016 SP1 MIM, so apologies if this is the wrong spot.
Anyway... Is there a way to set some sort of a variable in VALUE for a filter? Basically, I want to filter out users from the ADMA agent that have not logged (LastLogon Timestamp) into the system for six months. Thanks.
Hello!
I have stumbled across something new and exciting (to me at least)! A while back I had an issue with Delta Import on FIM MA running forever. When I stopped it manually it had imported almost 2 million objects, but there's only 120.000 objects in CS.
It continued to do so on every Delta Import until I ran a full import, which solved the problem. I didn't put much thought into this since I was about to upgrade to MIM shortly.
But yesterday, at the same customer, I ran in to the same issue. This time we've upgraded to MIM 2016 (4.4.1302) and everything has moved to new servers.
Has anyone else come across this issue? How do we avoid it in the future?
/Kristoffer
Hi,
our Linux colleagues use Beyondtrust PBIS to connect Linux servers to AD in order to use AD user accounts for logon to Linux.
Every week we get 1-2 PCNS events with ID 7000:
Log Name: Application
Source: PCNSSVC
Date: 26.02.2019 16:48:18
Event ID: 7000
Computer: DC22.contoso.com
Description:
An unexpected error occurred.
LDAP://DC22/CN=CALT01,OU=Workstation,OU=CAX,OU=PBISCELLS,DC=contoso,DC=compwdLastSet
But it is not only PBIS, such events can stem also from ESX hosts:
LDAP://DC22/CN=EPKWKB,OU=ESXiServer-Prod,OU=T4,OU=SC37E,DC=contoso,DC=compwdLastSet
BTW: Yes, I know that the last word "compwdLastSet" in the distinguishedName doesnt make sense. I believe it is just a display issue, a missing white space char.
I have no glue how these events are created.
Now the thing is:
I tried to avoid these events by adding the group "Domain Computers" to the PCNS Excluded Group, but this doesnt work: Today we got an event again.
I have verified using ntdsutil: The computer CALT01 is indeed member of the Excluded Group and also of Domain Computers.
But obviously this membership doesnt help.
2 Question, please:
1) Does anyone know when exactly the PCNS Excluded Group is evaluated:
Is it one time after the PCNS service has started? Then I'd have to restart the service so that the new membership gets effective.
Or is it every time when PCNS is called? Then PCNS would compute in real-time if the actual user/computer is member of the Excluded Group. No service restart necessary.
2) Has anyone an idea what else I could do? (the more important question)
Thanks
Walter
We have a MIM 2016 SP1 deployment that was inadvertently build with a MIM 2016 Evaluation DVD. This deployment is in production. We went to update this deployment to 4.5.286.0 and when updating the MIM Sync Service it gave us error 25080 indicating an evaluation copy of MIM / Sync Service had been initially deployed and had expired. Interestingly enough MIM was still running well even though the evaluation had expired
What we need to be able to do is update the deployment with a non evaluation copy of MIM which we will get from the Volume Licensing portal but I need to verify the process we could use to do this that will be done destructive as this is still a production MIM deployment
Any assistance is most welcome
Hello all,
we have just installed a MIM 2016 CM SP1 (4.4.1302.0) on a windows server 2016.
the Certificate Authority is a 2016 one.
and we have the Error: the version of OLE on the client and server machines does not match.(Exception from HRESULT: 0x80010110)
Is someone know how to solve this problem?
we check all the spn and delegation, the rights on the database, and the group in Web Config, and all seem to be good.
thanks,
Regards,
Jean.
Hi
We configured SSPR in FIM 2010. the registration is working fine. When we are using Chnage password portal, it is prompting with questions and we are providing answers and it is going to reset password page.
There we are providing new password and clicking on submit, It is throwing error.
In MA we are unable to enable Password change checkbox. Because it is got disabled. Due to this reason password change is not working,
Kindly suggest will Password reset works with VIS(Virtual Identity Server).
I am able to create a Set just fine for this. So, I wanted to give my client the same option in the Search Scopes. I took the XPath query directly from the Set details. But, it errors out when I hit search. Can someone see what I may be doing wrong with this query for this Search Scope?
/Person[(EmployeeStartDate < op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))) and (EmployeeStartDate > op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P1D')))]
Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx
Hello
We have a problem with FIMService database
Error in Event viewer:
SQL Server detected a logical consistency-based I/O error: incorrect pageid (expected 1:1477410; actual 101:2097266). It occurred during a read of page (1:1477410) in database ID 20 at offset 0x000002d1644000 in file 'E:\SQL\FIM\FIMService.mdf'. Additional messages in the SQL Server error log or system event log may provide more detail. This is a severe error condition that threatens database integrity and must be corrected immediately. Complete a full database consistency check (DBCC CHECKDB). This error can be caused by many factors; for more information, see SQL Server Books Online.
No actual backup exist
Database working now, but problem with synchronization of some users between two domains. Is it possible recreate new database from scratch and start full sync?
Please Help!
Hi
I've got two SQL MAs that I'm trying to sync some attributes between. These are DateofBirth and ExpectedEndDate.
In the source SQL table I get these values in the format 1968-07-23 00:00:00.000
I can flow these values in to the metaverse via a direct flow on the source MA and export them to the destination SQL table. If I look directly at the destination table with SQL Management Studio I can see that these have been populated correctly. However when I do my confirming import I get the 'exported-change-not-reimported' error and when I look at what it is trying to do I see:
Imported Value 1968-07-23 00:00:00
Export Value 1968-07-23 00:00:00.000
It's been a very long week and maybe I'm missing something obvious but why is it trying to import a different value from what I can see in the destination SQL table? Any ideas what I can do about this?
Thanks for any help.
Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!
One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.
Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.
If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in March 2019 and must be in English. However, the original blog or forum content can be from beforeMarch 2019.
Come and see who is making waves in all your favorite technologies. Maybe it will be you!
Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discusse advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.
Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.
If you win, people will sing your praises online and your name will be raised as Guru of the Month.
Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!
One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.
Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.
If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in March 2019 and must be in English. However, the original blog or forum content can be from beforeMarch 2019.
Come and see who is making waves in all your favorite technologies. Maybe it will be you!
Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discusse advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.
Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.
If you win, people will sing your praises online and your name will be raised as Guru of the Month.
Hi,
I suspect the answer to this is no, but is it possible to view user's SSPR answers? Is it possible for an admin to change a user's SSPR answers?
Thanks
Hi,
In my previeus post I asked about Security Group Mambership. The last answer is that It's still fully supported.
In a LinkedIn post Frenk Drewes commented on my question writhig: "Guy - this is not possible with the current MIM Outlook plug-in design. The key limitation is the selection of groups comes out of what Outlook sees as groups - distribution groups. If the security groups were mail-enabled, that might be a possibility- but that’s not something trivial (or even desirable to some).
My new question is obvieusly: What's wrong with making security groups mail enabled?
I already see that messages to the group can be prevented. For me it's just a few attributes more.
GH
I'm developing a custom ECMA2 Management Agent, I developed my DLL and went through all the configuration, but when I try to run a profile, I just get this message:
Unable to run the management agent.
Exception from HRESULT: 0x8023080E
If I check the event viewer, I see an event 6309 with this message in the Application Log (FIMSynchronizationService):
The server encountered an unexpected error while performing an operation for a management agent.Does anyone know what this is supposed to mean, or if I have a way to debug this?
Thanks,
Paolo
Paolo Tedesco - http://cern.ch/idm
