Disclaimer: The opinions expressed on this blog are personal opinions and do not express the opinion of my employer, Microsoft, Winsec or any other party.

Ignite 2015 session posted: Upgrading from #FIM2010 to #MIM2016 and #AAD

Tue 12 May 2015
Categories: Security

New #FIM2010 R2 SP1 hotfix released to fully support Windows Server 2012 R2 ADDS (Build 4.1.3634.0)

Sat 2 May 2015

Microsoft has released a very important hotfix for FIM2010 R2 SP1: full details at https://support.microsoft.com/kb/3048056. (FIM Build 4.1.3634.0)

As indicated in the article, Microsoft recommends that all customers apply this update to their production systems.

The most important fix in this hotfix is that FIM2010 R2 (SP1) now fully supports Windows Server 2012 R2 Active Directory Domain Services, both for domain and forest level.

An important condition for this support still applies: the FIM Synchronization Service must be installed only on one of the following:

  • Windows Server 2008,
  • Windows Server 2008 R2,
  • or Windows Server 2012 member server.

FIM 2010 Server components must NOT be installed on a Windows Server 2012 R2 member server.

Only the PCNS component can be installed on a Windows Server 2012 R2 domain controller.

More information:

New MIM vNext CTP (CTP4) posted on Microsoft Connect #FIM2010 #MIM2015, now #MIM2016

Tue 21 Apr 2015

Source: http://blogs.technet.com/b/ad/archive/2015/04/21/microsoft-identity-manager-public-preview-updated.aspx

Today the FIM/MIM product group posted a new version of the MIM vNext CTP on Microsoft Connect (Milestone CTP4, build 4.3.1790.0).

Head over to the Microsoft Connect site at https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=57668

As you will quickly see, you now need 35GB of free space to download the documents and VMs.

In addition to the new functionality, if you read the list of downloads carefully you will notice a new product name:

Microsoft Identity Manager 2016.

  • CTP3 MIM CM with Modern App TLG.docx (5,38 MB)
  • MICROSOFT EVALUATION SOFTWARE LICENSE TERMS.docx (70 KB)
  • PRIVDC.zip (6.429,13 MB)
  • CORPDC.zip (7.438,93 MB)
  • CORPWKSTN.zip (7.461,45 MB)
  • PAMSRV.zip (13.791,65 MB)
  • MIM install 4.3.1790.0.zip (158 MB)
  • MIM CTP Test Lab Guide for Privileged Access Management.docx (474 KB)
  • TLG – MIM2016 Deployment.docx (8,98 MB)
  • TLG – MIM2016 RC Self-Service Login Assistance (SSPR+SSAU) with Azure MFA.docx (4,05 MB)

The beta release can be downloaded as following:

Note-to-self: A quick tip to convert Hyper-V .vhdx to .vhd file formats (prep for Windows Azure)

Fri 17 Apr 2015

#FIM2010 licensing model is changing as of 1st of April 2015

Wed 1 Apr 2015

Source: http://www.microsoft.com/licensing/products/products.aspx

Download the “Microsoft Product Use Rights (WW, English, April 2015)” document at http://www.microsoftvolumelicensing.com/userights/Downloader.aspx?DocumentId=8488

In short, prior to 1st of April 2015, you required

  • a FIM server license for every FIM server installed and a CAL for every user managed in the FIM Service, or
  • a Forefront Identity Manager 2010 R2 External Connector license

Functionality | Covered by
FIM Server Components (FIM Sync, FIM Service, FIM Portal, …) | FIM Server SKU
CAL | Standalone FIM CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL
External Users | FIM External Connector license (per server)

After 1st of April 2015:

  • Windows Server licenses (Standard & Datacenter) will include the FIM server entitlement
  • FIM Server 2010 R2 licenses will no longer be available on the price lists

Functionality | Covered by
FIM Server Components (FIM Sync, FIM Service, FIM Portal, …) | Windows Server license (Standard & Datacenter), which includes the FIM server entitlement
CAL | Standalone (FIM) CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL
External Users | Windows Connector license

Certificate and Identity Management

  • A CAL is also required for any person for whom the software issues or manages identity information.

Synchronization Service

  • A CAL is not required for users only using the Forefront Identity Manager synchronization service.

From the PUR:

  • External Connector License means a license attached to a Server that permits access to the server software by External Users.
  • External Users means users that are not either your or your Affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
  • CAL means client access license. There are two kinds of CALs: user and device. A user CAL allows access to the server software from any device by one user. A device CAL allows access to the server software from one device by any user.

FIM / MIM uses a user CAL.

The FIM server will no longer be sold as a separate license, but instead Windows Server licenses will allow customers to install the FIM Server software.

Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required.

It is still important to understand that you need FIM/MIM CALs to manage identities with FIM/MIM (unless you only use the FIM/MIM Sync).
Azure Active Directory Premium (AADP), any suite that contains AADP (including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS)), or an additive FIM CAL will also entitle users to access FIM.

MIM will have the same licensing model. All current FIM customers with active SA on the underlying Windows Server (since the right to install the FIM server is now granted with a Windows Server license) will have the right to upgrade to MIM when it launches.

And for my Dutch speaking followers… it is all the same thing:

PS: The FIM licensing page on TechNet Wiki will be updated ASAP (http://aka.ms/LicenseToFIM)

Note-to-self: Download free DLA Piper legal start-up pack with legal rules of thumb and templates.

Thu 19 Mar 2015

Source: http://trends.knack.be/economie/bedrijven/gratis-juridisch-start-up-pack-voor-technologiestarters/article-normal-541367.html

“This Start-up Pack has been designed and prepared by the (DLA PIPER) Technology Sector initiative, which includes lawyers with experience in intellectual property, corporate, employment and tax matters.

The purpose of this Start-up Pack is to provide assistance and support to early stage start-ups who are looking to establish their business on a more formal basis. Creating the right legal framework and ensuring that the business is protected at the outset is vital for a start-up to achieve its full potential.”

Troubleshooting #FIM2010: The Office 365 MA Connector export cycle has stopped. Object with DN CN={1234567890AABBCCDDEEFFGGHGGFFEEDDCCBBAA987654321} failed validation for the following attributes: member.

Fri 6 Mar 2015

Event Viewer

Log Name: Application
Source: Directory Synchronization
Date: 32/13/2015 4:48:55 AM
Event ID: 107
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <servername />.<domain />.<root />
Description:
The Office 365 MA Connector export cycle has stopped. Object with DN CN={1234567890AABBCCDDEEFFGGHGGFFEEDDCCBBAA987654321} failed validation for the following attributes: member. Please refer to documentation for information on object attribute validation.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Directory Synchronization" />
    <EventID Qualifiers="0">107</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-13-32T03:48:55.000000000Z" />
    <EventRecordID>994163</EventRecordID>
    <Channel>Application</Channel>
    <Computer><servername />.<domain />.<root /></Computer>
    <Security />
  </System>
  <EventData>
    <Data>The Office 365 MA Connector export cycle has stopped. Object with DN CN={1234567890AABBCCDDEEFFGGHGGFFEEDDCCBBAA987654321} failed validation for the following attributes: member. Please refer to documentation for information on object attribute validation.</Data>
  </EventData>
</Event>

Root Cause

The Office 365 management agent has a technical limit of 15000 members per group; a group with more members than that fails validation on the member attribute and stops the export cycle.

Solutions

1. Keep member counts under 15000

  • e.g. by splitting large groups

2. Migrate your O365 connector to AADSync
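To find which groups are at risk before an export stops, here is an added example (not from the original post): a PowerShell script that counts the direct members of each AD group in scope and flags any at or near the 15000 limit. It assumes the ActiveDirectory module is available; the search base and the early-warning threshold are assumptions to adjust to your environment.

```powershell
# Added example, not from the original post: report AD groups whose member count
# is at or above the Office 365 MA limit quoted above, so they can be split before
# the next export cycle. Assumes the ActiveDirectory PowerShell module; the search
# base and the warning threshold are assumptions to adjust to your environment.
param(
    [string]$SearchBase = 'OU=Groups,DC=corp,DC=example',   # assumption: scope to the OUs your MA exports
    [int]$Limit  = 15000,                                   # limit stated in the post
    [int]$WarnAt = 14000                                    # assumption: early-warning threshold
)

Import-Module ActiveDirectory

function Get-OversizedGroup {
    param([string]$SearchBase, [int]$Limit, [int]$WarnAt)

    # -Properties member returns the whole member attribute (the module performs the
    # ranged LDAP retrieval that large groups need). Get-ADGroupMember is avoided here
    # because it stops at its own default size limit on very large groups.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member | ForEach-Object {
        $count  = if ($_.member) { $_.member.Count } else { 0 }
        $status = if ($count -ge $Limit) { 'OVER LIMIT' }
                  elseif ($count -ge $WarnAt) { 'NEAR LIMIT' }
                  else { 'OK' }
        [pscustomobject]@{
            Group   = $_.Name
            DN      = $_.DistinguishedName
            Members = $count
            Status  = $status
        }
    } | Where-Object { $_.Status -ne 'OK' } | Sort-Object Members -Descending
}

# Groups listed as OVER LIMIT are the ones that will fail validation on export;
# NEAR LIMIT groups are candidates to split before they get there.
Get-OversizedGroup -SearchBase $SearchBase -Limit $Limit -WarnAt $WarnAt | Format-Table -AutoSize
```

Run it against the same scope the Office 365 MA exports, since only groups in that scope can trigger the event above.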


Additional info

Prepare for directory synchronization:
https://msdn.microsoft.com/en-us/library/azure/jj151831.aspx
