
Note-to-self: @JsQForKnowledge – FIM Portals Die After Installing Rollup Package (Build 4.1.3599.0)

Wed 22 Oct 2014


@JsQForKnowledge (aka Jorge de Almeida Pinto) posted an interesting fix on his blog to get FIM 2010 R2 back up and running after the 3599 fix broke the portal.

Note-to-self*: “What you do not have is a production environment.”

Tue 21 Oct 2014

Every now and then (most likely during a FIM health check at a customer) the same type of discussion comes back onto the table again….
It always links back to the massive amount of time and budget it costs to copy the development environment in order to set up a production environment.
Oh sorry, it’s the other way around (or not)… ;)

A while ago I got the links below, forwarded by one of my colleagues in security.

My side note to the stuff below:
– FIM hotfixes DO have an impact on key FIM components, like the FIM application and the FIM databases hosted on SQL. So be prepared: PLEASE DO run the tests in a DEV/TEST environment, with a similar security setup as production.

– Make sure you have a backup of all critical FIM components. I see too many FIM customers that think a FIM Server snapshot and a FIM DB SQL backup is enough. IT IS NOT. Don’t forget about single-component backups: FIM Service and FIM Sync server configuration export, MA config backup, MV config backup, config file export, client software backup and more…

– Carefully test your FIM setup. Gradually, step by step, BEFORE you even think “PRODUCTION BIG BANG”.

Dev and Test Domains do not belong in your Production forest!
Source and credits:

Quote: “/../ If you do not have a formal Dev/Test environment, meaning an entirely separate forest or forests, then in actuality, you have no production environment regardless of what you want to call it – you only have a lab environment and well, don’t expect production availability and stability out of a test/lab environment.

For those in the know, they realize I am paraphrasing something said by one of the fathers of Active Directory – Mr. AD – Don Hacherl on the ActiveDir Org list (Friday, February 20, 2009 4:08 PM) /../

Link to quote of Don Hacherl, see below.

Highly Available Active Directory
Source and credits:

Quote to remember: “We are, I believe, all humans, humans make mistakes, failure to take that into account in the first place is just one more failure to add onto the list of items you are reviewing when performing the failure analysis. These types of mistakes made to the directory will quickly (you wanted low convergence times right?) replicate around your entire domain/forest. You accidentally delete all users in an OU and soon they will be gone from all DCs. Good updates going bad… I think many of us, especially those of us who have been in this business a long while, have seen this happen. Something worked great in the lab and out in production something goes left instead of right and you are standing there going WTF[1]? And those without a production environment at all… Well they really are likely to have an issue. What do I mean when I say you don’t have a production environment???/../”

Both refer to the quote of the century by DonH:
“From: [] On Behalf Of Don Hacherl
Sent: Friday, February 20, 2009 4:08 PM
Subject: RE: [ActiveDir] Newbie Question

I have to make a comment here, as I’ve heard this too many times. You do, in fact, have a lab environment. What you do not have is a production environment.”


Allow me to post another quote of the century from the same thread, by my well respected friend Jorge de Almeida Pinto.
Don’t know if he likes quoting:
“Sorry, but not having a test environment and not making time for it is BS. “

Rest my case.

(*) Using my blog once again as an external memory assistant.

Reviewed for you: The latest #FIM2010 learning on your media player, video course by Kent Nordström

Wed 8 Oct 2014

Quite a while ago I had the privilege of reviewing the draft of the latest publication on Enterprise Identity Management with Microsoft Forefront Identity Manager 2010 (R2). It was published during my vacation, so I needed to find some time to look at the final version.
And it’s not a book, but a video.


For the newest generation of FIM experts, this is another interesting means of learning FIM.
(Oh, it’s old-fashioned to use a plain old paper book, right?)

As quoted on the Packt website: “If you are implementing and managing FIM 2010 R2 in your business, then this video course is for you. You will need to have a basic understanding of Microsoft-based infrastructure using Active Directory. If you are new to Forefront Identity Management, the case-study approach of this video course will help you understand the concepts and implement them quickly and efficiently. Even if you’re well-versed with the technology, this is a great guide to strengthen your knowledge.”

The interesting part of the video course is that you can watch it online, or download it.
“Start to run” is soooo 2007, now it’s “Start to FIM”!

It’s a big pack of 36 videos, 2h 35 minutes in total.
A lot of stuff, but you won’t regret it.

Hey, sometimes it’s a nice feeling of control that you can simply make Kent shut up (don’t try that live).
Let me give you a quick peek at the table of contents:

  1. Installing FIM 2010 R2 on Windows Server 2012
    • Installing SharePoint Foundation 2013 on Windows Server 2012
    • Configuring Service Accounts for FIM 2010 R2
    • Configuring SQL Aliases for FIM 2010 R2
    • Installing the FIM 2010 R2 Synchronization Service
    • Installing the FIM 2010 R2 Service and Portal
  2. Basic Configuration of FIM Synchronization and FIM Service
    • Configuring the FIM Service Management Agent
    • Setting Up the Active Directory Management Agent
    • Configuring Run Profiles and Schedules
    • Schema Management in FIM 2010 R2
    • Importing Existing Users from Active Directory
  3. User Management
    • Importing Users from HR
    • Provisioning Users to Active Directory
    • Managing the userAccountControl Attribute in AD
    • Exchange Management Using Built-in FIM Functionality
    • Deleting Users in Active Directory
  4. Group Management
    • Understanding Group Types and Scopes
    • Importing Groups from HR
    • Provisioning Groups to Active Directory
    • Using FIM Portal to Manage Groups
    • Managing Distribution Lists Using the Outlook Add-in
  5. Configuring FIM for Self-service
    • Allowing Users to Access the FIM Portal
    • Configuring Self-service Password Reset
    • Allowing Users to Manage Selected Attributes of Their Account
    • Allowing Helpdesk to Manage Users Using the FIM Portal
  6. Customizing FIM
    • Changing the FIM Portal Look and Feel
    • Adding Custom Workflow Activities
    • Using Classic Rules Extensions
    • Using a PowerShell Management Agent to Manage Lync
  7. Reporting
    • Installing FIM Reporting
    • Running the Initial Data Load
    • Viewing Reports
    • Allowing Managers to Access Reports from FIM Portal
  8. Issuing Smart Cards Using FIM CM
    • Installing FIM CM
    • Configuring FIM CM
    • Configuring CA for FIM CM Usage
    • Allowing a Manager to Issue Certificates for Consultants

I must admit I’ve enjoyed the different videos; Kent is doing an extremely good job!
Speaking from experience, I know it’s not an easy job to keep a steady, controlled pace.

Still, I think there is room for improvement: I’m missing a session transcript and an overview of the external references (all websites, scripts, … on the net), and a hand-out of the entire session would make the course perfect.

Anyway, this is another piece of reference material you should add to your FIM reference package.

If you need to catch up on the published FIM material: bookmark these:

Need some more start material:

[EDIT, 22/oct/2014]
I noticed in the video that Kent is referring to scripts in the course. They are not (yet) available for download.
At the moment of publishing this review, Packt is not providing scripts with the video course. However, this will be done for their future courses. You can request the script zip via Packt support.


Note-to-Self: Microsoft Security Newsletter September 2014

Fri 26 Sep 2014


In this month’s newsletter you’ll find guidance on:

  • Windows Phone 8.1 Security Overview
  • Windows Phone Security Forum for IT Pros
  • Create Stronger Passwords and Protect Them
    • Including a free online tool offered by Microsoft Research, called Telepathwords, for those who would rather have a randomly generated strong password created for them.
  • Two-Factor Authentication for Office 365
  • Multi-Factor Authentication for Office 365
  • Configuring Two-Factor Authentication in Lync Server 2013
  • Adding Multi-Factor Authentication to Azure Active Directory
  • Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server
  • Building Multi-Factor Authentication into Custom Apps
  • Get Started with Virtual Smart Cards

Plus much more… check it out at

Azure Active Directory Sync is now GA! #FIM2010 #DirSync #AADSync

Tue 16 Sep 2014


The new Azure Active Directory Synchronization Services (AAD Sync) has reached general availability.

Here are more details about this – and here is the related documentation.

If you just want to get started, just click here to download AAD Sync.

As discussed on the release blog post:

“AAD Sync capabilities in this release include the following:

  • Active Directory and Exchange multi-forest environments can be extended now to the cloud.
  • Control over which attributes are synchronized based on desired cloud services.
  • Selection of accounts to be synchronized through domains, OUs, etc.
  • Ability to set up the connection to AD with minimal Windows Server AD privileges.
  • Setup synchronization rules by mapping attributes and controlling how the values flow to the cloud.
  • Preview AAD Premium password change and reset to AD on-premises.”

SCM Baselines for Windows 8.1, IE 11 and Windows Server 2012 R2 are now live!

Thu 4 Sep 2014

Source: TechNet Blogs » Microsoft Security Guidance » SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!

Today the SCM team has finally released the SCM baselines for Windows 8.1, IE 11 and Windows Server 2012 R2.

To get the updates, open the SCM tool and select “Download Microsoft baselines automatically”:

SCM release

Please carefully read the Release Notes for these baselines in the Attachments/Guides section as there are a couple of known issues that may affect capabilities that worked in the past, but are no longer working with SCM and other related tools.

Alternatively, you can download all the CAB files directly from the following links:

8.1 Baseline and 8.1 Attachments

IE 11 Baseline and IE 11 Attachments

Windows Server 2012 Baseline and Windows Server 2012 Attachments

Lastly, a HUGE thank you goes to the SCM team, Aaron Margosis and Rick Munck, who have put in huge efforts to release these baselines.

They have also produced the SCM materials, along with a more extensive set of GPOs and a security guide here for customers to use:

See also:

  • SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!
  • What’s New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11
  • Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta
  • Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

Hotfix rollup package (build 4.1.3599.0) is available for #FIM2010 R2 SP1

Wed 3 Sep 2014

A hotfix rollup package (build 4.1.3599.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2 Service Pack 1 (SP1). This hotfix rollup resolves some issues and adds some features that are described in the “More Information” section.

Details at:

For a complete list of the hotfixes for FIM 2010 (incl. R2…), go to


