Note-to-self: new #FIM2010 Connector for Windows Azure Active Directory published

Source: http://www.microsoft.com/en-us/download/details.aspx?id=41166

Forefront Identity Manager Connector for Windows Azure Active Directory helps you synchronize identity information to Azure Active Directory.

Version: 1.0.6567.0002
Date Published: 2/19/2014

Note-to-self: AD Managed service accounts and virtual accounts Step-by-Step Guide

Service Accounts Step-by-Step Guide: http://technet.microsoft.com/en-us/library/dd548356(v=WS.10).aspx

“Managed service accounts and virtual accounts are two new types of accounts introduced in Windows Server® 2008 R2 and Windows® 7 to enhance the service isolation and manageability of network applications such as Microsoft Exchange and Internet Information Services (IIS).

This step-by-step guide provides detailed information about how to set up and administer managed service accounts and virtual accounts on client computers running Windows Server 2008 R2 and Windows 7.”

#FIM2010 Quicktip: mapping drive letter as shortcut to FIM extensions folder

When working with FIM, you’ll need to access some folders on your FIM servers quite frequently, like C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions (the folder from which the Synchronization Service loads your rules extension DLLs).

It would be far easier to have a drive letter for it, right?
You’ll find plenty of articles on the net to map a drive letter to a directory.

It’s fairly easy to use the subst command.
From the subst help (via command prompt: subst /?)

Associates a path with a drive letter.
SUBST [drive1: [drive2:]path] SUBST drive1: /D
drive1:        Specifies a virtual drive to which you want to assign a path.  
[drive2:]path  Specifies a physical drive and path you want to assign to a virtual drive.  
/D             Deletes a substituted (virtual) drive.

Type SUBST with no parameters to display a list of current virtual drives.

Sample:
subst z: "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions"

The disadvantage of the subst command is that the mapping disappears when you reboot. It is also tied to the logon session that created it, so a process running under another account (a service, or a non-elevated prompt next to your elevated one) does not see the drive letter.

If you prefer a more permanent solution, use the registry (the sample below is a Windows Server 2008 .reg file in Registry Editor version 5.00 format). Session Manager creates these aliases at boot, so the new drive letter shows up after a restart and is then visible to every session and account on the machine.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices]
"Z:"="\\??\\C:\\Program Files\\Microsoft Forefront Identity Manager\\2010\\Synchronization Service\\Extensions"

Or you add it manually: in that case, create a new string value (REG_SZ) under the DOS Devices key with
Name: Z:
Value: \??\C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions

You could also put the subst command in a batch file and run it at startup (by putting the script in the Startup folder). Keep in mind that this runs as the user who logs on, so again the letter only exists for that user’s session.

Some other solutions suggest using a network drive mapping to a share on the server, but keep in mind that network security and share permissions then come into play, which is usually another layer of complexity on top of a simple solution. Whatever you pick, a drive letter is only an alias: the NTFS permissions on the Extensions folder still decide who can write there, and since every DLL in that folder gets loaded and executed by the Synchronization Service, do not loosen them just to make the shortcut convenient.
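The whole procedure in one script, as an added example that is not part of the original post: it creates the session-only alias with subst, writes the persistent DOS Devices entry, and then checks the ACL of the Extensions folder for write rights granted to broad groups. It assumes the default FIM 2010 install path, that Z: is free and that it runs in an elevated PowerShell; the list of "broad" groups is my own choice and can be extended.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Assumptions: default FIM 2010 install path, Z: is not in use yet.
$ExtPath       = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions'
$Drive         = 'Z:'
$DosDevicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices'

if (-not (Test-Path -LiteralPath $ExtPath)) { throw "Extensions folder not found: $ExtPath" }
if (Test-Path -LiteralPath "$Drive\")      { throw "$Drive is already in use" }

# 1) Session-only alias: gone after a reboot, visible only to this logon session.
subst $Drive $ExtPath

# 2) Persistent alias: Session Manager recreates it at boot, so it appears after a restart.
#    The value is the NT object path of the folder, hence the \??\ prefix.
New-ItemProperty -Path $DosDevicesKey -Name $Drive -Value "\??\$ExtPath" -PropertyType String -Force | Out-Null

# 3) Security check: the letter is just an alias, NTFS permissions still decide who can write here.
#    Everything in Extensions is loaded and executed by the Synchronization Service, so groups
#    that every logged-on user belongs to must not be able to drop or replace DLLs.
#    $BroadGroups is my own selection (assumption), extend it for your environment.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

$acl = Get-Acl -LiteralPath $ExtPath
foreach ($ace in $acl.Access) {
    $isBroad  = $BroadGroups -contains $ace.IdentityReference.Value
    # Modify and FullControl contain the Write bits, so they are caught by the mask as well.
    $canWrite = ([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
        Write-Warning ('{0} has {1} on {2}' -f $ace.IdentityReference, $ace.FileSystemRights, $ExtPath)
    }
}
```

The subst part is visible immediately, the registry part only after the next restart. A warning from step 3 means the folder needs its ACL fixed regardless of how you map it; by default only Administrators and SYSTEM should be able to write under Program Files.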

A good FIM admin is lazy, sorry, time-efficient but effective.

A hotfix rollup package (build 4.1.3508.0) is available for #FIM2010 R2

Source: http://support.microsoft.com/kb/2913228

Microsoft has released a hotfix rollup package (build 4.1.3508.0) for Microsoft Forefront Identity Manager (FIM) 2010 R2.

“Issues that are fixed or features that are added in this update

This update fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

FIM Service and Portal

Issue 1

If a FIMService instance loses connection to the FIMService database, the FIMService instance may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports that have a run status of stopped-server. Additionally, the following exception is logged in the Forefront Identity Manager event log:

System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.
Issue 2

Consider the following scenario:

  • A Transition Out management policy rule is using a dynamic set together with a multivalued attribute.
  • Two or more elements are removed from the attribute in a single request.
  • One of the removed elements triggers the Transition-Out ManagementPolicyRule (MPR) resource. 

In this scenario, the request fails. Additionally, you receive the following exception:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint 'PK__#1B54B73__5330D0771D3CFFB1'. Cannot insert duplicate key in object 'dbo.@transitionOutapplicableRuleBuffer'.
Issue 3

When an export that is run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a failed-modification-via-web-services exception may be returned. When you review the details of the exception, you find that an SQL deadlock occurred.

FIM Synchronization Service

Issue 1

If a multivalued attribute is exported and then changed directly in the target system, the change is not evaluated during delta synchronization. For example, this issue occurs in the following scenario when the Active Directory Management Agent is used:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses directly in Active Directory outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.

In this scenario, the next delta sync will not process the change.

Issue 2

If an exception is thrown by the Connector’s password extension during password synchronization, the Connector will be unloaded from memory. This behavior may cause high processor usage on the computer that is hosting the FIM Synchronization Service when that computer processes password synchronization if it is under load or is synchronizing passwords to multiple Connectors.
After this update is installed, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface and unload the Connector. This lets the interface be reused for another password operation to the connected data source. The password operation will not be retried and is removed from the queue. Any other exception will still unload the Connector and reload it at the next password operation.”

Microsoft has released a new hotfix rollup package (build 4.0.3733.2) for #FIM2010 R1

Source: http://support.microsoft.com/kb/2926490/en-us

“Issues that are fixed or features that are added in this update

This update fixes the following issue that was not previously documented in the Microsoft Knowledge Base.

FIM Synchronization Service

Issue 1

If a multivalued attribute is exported and then changed directly in the target system, the change is not evaluated during delta synchronization. For example, this issue occurs in the following scenario when the Active Directory Management Agent is used:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses directly in Active Directory outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.

The next delta sync will not process the change.”

Note-to-self: Plan for administrative and service accounts (Office SharePoint Server)

When planning a FIM installation, the security setup (groups, service accounts and installation accounts) requires significant attention.

Because the FIM Portal runs on WSS/SharePoint, configuring SharePoint security (such as the application pool account) is one of the tasks to complete.

Got a hint from a SharePoint expert: Plan for administrative and service accounts (Office SharePoint Server)

Note-to-self: enabling Windows Installer verbose logging via registry (while troubleshooting #FIM2010 hotfix installation fail)

Case

Trying to install the latest FIM hotfix (an msp file, 4.1.3496, on a Windows 2008 R2 machine). That install fails without an error message on screen, and there is nothing in the Event Viewer either.
When executing the msp file with msiexec, including verbose logging options, that install fails as well. (Probably using the wrong parameters for msiexec…)

Goal

I need to quickly find out what’s going wrong with that installation without losing too much time. (Or, to put it differently, getting PEBCAC out of the equation..)

Solution

Check out this article: How to enable Windows Installer logging (http://support.microsoft.com/kb/223300)

It allows you to set the logging level (e.g. extra verbose logging with the vx options) via the registry, so every MSI/MSP installation on the machine gets logged, no matter how it was launched.

The log file is then (by default) stored in the %TEMP% folder of the account that launched the installation, as MSI*.log (check the folder by running a SET command in a command prompt).

Details

The KB offers it both ways. The automated fix (the “Fix it for me” section): Microsoft Fix it 50380 enables Windows Installer logging, Microsoft Fix it 50381 disables it again.

The manual fix (“Let me fix it myself”): open the registry with Regedit.exe, create the following key (the Installer key does not exist by default) and add the value below:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

REG_SZ value: Logging = voicewarmupx (each letter selects a class of messages to log; v is verbose output and x adds extra debugging information, which is what turns up the detail).

Remove the value again once you have your answer: the policy logs every MSI/MSP installation on the machine, which costs time and disk space.

Find all details in the KB article How to enable Windows Installer logging
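The troubleshooting round trip as a script, added here as an example and not part of the original post or the KB article: it sets the logging policy, applies the patch with an explicit log file, pulls the failing action out of the verbose log and removes the policy again. The .msp and log paths are placeholders, and the script assumes an elevated PowerShell.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$Msp       = 'C:\Temp\FIM-hotfix.msp'   # placeholder: the hotfix .msp you are installing
$LogFile   = 'C:\Temp\fim-hotfix.log'   # placeholder: explicit log for this one install

function Enable-MsiLogging {
    # Policy-based logging catches installs started by anything (GUI double-click, SCCM, ...).
    if (-not (Test-Path -LiteralPath $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'Logging' -Value 'voicewarmupx' -Type String
}

function Disable-MsiLogging {
    # The policy applies to every MSI/MSP on the box; do not leave it behind.
    Remove-ItemProperty -Path $PolicyKey -Name 'Logging' -ErrorAction SilentlyContinue
}

function Get-MsiFailure {
    param([Parameter(Mandatory = $true)][string]$Path, [int]$Context = 15)
    # In a verbose MSI log the first action ending with "Return value 3" is the one that failed;
    # the lines just before it normally carry the real error (for example 1603, 1612, 1642).
    $lines = @(Get-Content -LiteralPath $Path)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Return value 3\.') {
            $start = [Math]::Max(0, $i - $Context)
            return $lines[$start..$i]
        }
    }
    return $null
}

Enable-MsiLogging
try {
    # /p applies a patch, /l*vx writes all message classes plus verbose and extra debug info.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/p `"$Msp`" /l*vx `"$LogFile`"" -Wait -PassThru
    "msiexec exit code: $($p.ExitCode)"   # 1642 = patch does not apply to what is installed

    $failure = Get-MsiFailure -Path $LogFile
    if ($failure) { $failure } else { "No failing action found in $LogFile" }

    # Installs launched without /l still leave a log via the policy: newest MSI*.log in %TEMP%.
    Get-ChildItem -Path (Join-Path $env:TEMP 'MSI*.log') -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Property FullName, LastWriteTime -First 1
}
finally {
    Disable-MsiLogging
}
```

If the install was started by the Windows Installer service under SYSTEM rather than from your prompt, look in C:\Windows\Temp for the MSI*.log instead of your own %TEMP%.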