#FIM2010 & #MIM2016 Error 25009 fun stuff on #TNWiki

For the FIM Geeks, I’ve submitted some new FIM/MIM 25009 event troubleshooting articles on TechNet Wiki (http://aka.ms/Wiki)

Plus, a page the collects all the 25009 trroubleshooting resources, including lots of fun stuff of Tim Macauly.

If you got more of this 25009 fun stuff yourself, feel free to add your articles and add them to the collection page.

Note-to-self: Regarding The Dropbox Hack, are YOU impacted?

To all who is using Dropbox… get your passprhase (yes, phrase, not word) changed and have it highly complex (eg using password manager).

Bit late maybe, but NOW is a good time.
See: https://www.troyhunt.com/the-dropbox-hack-is-real/

And another hint: subscribe to the https://haveibeenpwned.com/ website and get notified when the bad news comes.

Stay safe!

Note-to-self: DNS naming best practices for internal domains and networks

Just a few days ago, I’ve got a question from a customer regarding the DNS naming best practices for internal DNS and AD domains…

As it’s not a daily job to setup a new AD domain and internal DNS (from scratch…), so it might help to share the results of my investigation, that have lead to confirm my practical experiences.

Apparently it’s a pretty frequent topic on AD and network platforms. Plus there are some strict technical guidelines that apply here, even for internal DNS configurations…

The short answer, as best practice:

  • Microsoft strongly recommends to register a public domain and use subdomains for the internal DNS.
  • So, register a public DNS name , so you own it. Then create subdomains for internal use (like corp.pgeelen.be, dmz.pgeelen.be, extranet.pgeelen.be) and make sure you’ve got your DNS configuration setup correctly.

Below more detailed explanation. Luckily enough there is some nice reading material out there to prove the statement, so make sure you bookmark this page😉

But first we need to clarify a few things…

AD Domain vs DNS name

The AD domain name is NOT the same as the DNS name, but they are linked.

AD Domain names are mainly used within AD operations, mostly LDAP queries for AD functionality, while DNS is rather a network level solution for name resolution on IP level (to solve the machines or application names to IP addresses).

Essentialy this difference allows you to use a ‘internal’, private AD domain name and use a public, registered DNS name.

When you look into discussions and documentation on this topic, you’ll also see that the AD domain short name is referred as NetBIOS Name (as in the AD logon name <DOMAIN>\<username>).

For example

  • AD Domain name: CORP
  • DNS name: corp.pgeelen.be

See here for more explanation: https://technet.microsoft.com/en-us/library/bb676377

You can also ‘unlink’ the AD domain name from the DNS name, then you get a disjoint namespace, as explained in previous link.

For Example

  • AD Domain naam : CORP
  • DNS naam: intranet.pgeelen.be

Check this forum discussion: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f6ac34e8-4b35-4c3b-a60f-179f68d6eb24/ad-domain-name-vs-dns-domain-name?forum=winserverDS

And also: https://technet.microsoft.com/en-us/library/cc978018.aspx

Dummy DNS name vs official DNS name

In the past, lots of people chose to use a dummy, unofficial TLD (top-level-domain) for their internal network, likedomain.lan, domain.local of domain.internal (and also domain.internalhost)

But this can get you in serious trouble.

Because these names are not supported by internet standards, the most important RFC on this is: RFC 2606 (http://tools.ietf.org/html/rfc2606)

This RFC standard is very explicit on chosing domain names for voor private testing and documentation

  • .test
  • .example
  • .invalid
  • .localhost

But also for documentation some 2nd level domains are reserved

  • example.com
  • example.net
  • example.org

As you can see, these names are created for testing and not for production.

Plus, if the public naming standards change or additional names are released you might be using a name you don’t own and that can be routed to the internet, which conflicts with the initial use.

Therefore the technical conclusion is fairly straight forward: register a public DNS name and use it for your internal DNS resolution.

So the use of <yourinternaldomain>.be is technically correct but it doesn’t stop there.

There are some important consequences.

Allow me to take the discussion a step further.

You have to make a choice on the DNS zones:

  • using a single DNS zone
  • Using subdomains
  • using different DNS zones

 

Using a single namespace (for internal and external hosts)

Some customers use the same DNS zone for internal and external usage. But there are some important disadvantages:

  • mismatch between security zones (like intranet, extranet, dmz and) and DNS naming
  • when adding / merging domains the DNS is subject to redesign
  • less flexible, less automated DNS operations
  • conflict in authority with internal DNS and external DNS (managed by internet provider)

You might face some practical issues like:

  • conflicts in DNS,
  • instable operations and sub-optimal performance
  • network issues
  • complex configuration
  • less or no automated DNS operations, more manual operations
  • keeping DNS under control is less obvious

Plus, you’ll face some consequences regarding network security, by the lack of segregation of (DNS) duties.

So: Single DNS domain is absolutely not advised.

Using different DNS names and zones

It’s completely the opposite of the previous approach. From DNS level, this is fairly simple setup, but you need to duplicate or multiply DNS configurations. And from a user perspective it might be complex or confusing, or not transparent, and inconsistent

DNS sub-domains

This is a frequently used technique to use the same TLD (top level domain) and separate the zones by subdomain. Eg “intranet”, “extranet”, “DMZ” for ‘internal’ zones en just plain <domain>.<tld> for public DNS.

For example:

  • intranet.pgeelen.be or corp.pgeelen.be (if your AD is named ‘CORP’ )
  • extranet.pgeelen.be for applications or partner facing websites
  • DMZ.pgeelen.be for applications that need DMZ for data protection or publication,
  • and master suffix .pgeelen.be for public websites (managed by your Internet Provider)

The forum post I mentioned earlier discusses a technique called “DNS split brain”:

In fact you have one DNS name space, but with sub spaces per zone.

This is a bit more complicated setup as you need to make sure the DNS servers forward the requests to the applicable zones correctly.

And it does require some planning and cooperation with your internet provider.

Microsoft strongly suggests to work with subdomains, within a publicly registered TLD domain.

Check: Creating Internal and External Domains op https://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx

Design Option Management Complexity Example
The internal domain is a subdomain of the external domain. Microsoft strongly recommends this option. For more information, see Using an Internal Subdomain. Easy to deploy and administer. An organization with an external namespace contoso.com uses the internal namespace corp.contoso.com.
The internal and external domain names are different from each other. For more information, see Using Different Internal and External Domain Names. More complicated than previous option. An organization uses contoso.com for its external namespace, and corp.internal for its internal namespace.

 

On top of that you need to be aware of a few rules regarding naming standards: https://support.microsoft.com/en-us/kb/909264

 

To conclude, please find some useful reference info in one spot below:

The new #MIM2016 book is out! Must have!

I just got the notice from Packt Publishing today that the new MIM2016  book has been published!
Go check at http://aka.ms/mim2016book.

David Steadman and Jeff Ingalls have been working very hard to create a reference piece of literature, so it’s a must have for your bookshelf.

From the early beginning of the book I’ve been involved in the reviewing, and although it has been a bumpy ride, it has been a great time!

I know my FIM/MIM geekiness/freakiness must have caused quite some headaches to the authors and the publishing project team at Packt, but just be sure it was for the better good.

The ebook version is awful cheap, but I’m going for the paper version anyway as I’m convinced it’s a must have.

So my future FIM/MIM students will have something to look forward to (meaning get their hands on MY copy of the book, … )

3925EN_4526_Microsoft%20Identity%20Manager%202016%20Handbook_jpg

Congratz, David and Jeff!
Now you can take a well-deserved vacation!

 

A hotfix rollup package (build 4.1.3765.0) is available for #FIM2010

Source: https://support.microsoft.com/en-us/kb/3171318

 

Issues that are fixed and features that are added in this update

This update fixes the following issues and adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Certificate Management

  • Issue 1 A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.
  • Issue 2 The Duplicate Revocation Settings policy is replaced because some users could not set it.
  • Issue 3 There is a redundant space in the “Profile Summary” string on the Request Complete page for some languages.

FIM Synchronization Service

  • Issue 1 In a metaverse search and when you view the object, there is a Last Modified field. But when you sort that field, it sorts as a generic text field instead of as a date field.
  • Issue 2 Error messages (such as Event ID 6313) are logged in the event log. Additionally, performance counters don’t work.
  • Issue 3 The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.
  • Issue 4 When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the size value quietly changes to the minimum or the maximum after you click Finish.
  • Issue 5 An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.
  • Issue 6 You receive a “Reference to undeclared entity ‘qt'” error message when you run the history process and the history text contains the “greater than” symbol (>).
  • Issue 7 Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.
  • Issue 8 A “MEMORY_ALLOCATION_FAILURE” error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

  • Issue 1 Multivalued labels are displayed incorrectly in a single line in the UI.

FIM Service

  • Issue 1 During an Export process between the Synchronization and FIM Service, the msidmCompositeType request may fail if some multivalued string attribute value is changed in the scope of the Export session. This behavior affects performance.
  • Issue 2 In SharePoint Server 2013 and later versions, if you change a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

  • Issue 1 When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.
  • Issue 2 Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.
  • Issue 3 When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.
  • Issue 4 An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.
  • Issue 5 If two or more roles assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.
  • Issue 6 An email alias is truncated if it is longer than 30 characters.

New hotfix rollup package (build 4.3.2266.0) is available for #MIM2016

Source: https://support.microsoft.com/en-us/kb/3171342

Quick overview below, full detail in KB article referenced.

Issues that are fixed and features that are added in this update

This update fixes the following issues and adds the following features that were not previously documented in the Microsoft Knowledge Base.

Privileged Access Management (PAM)

Issue 1: PAM monitor service error with PRIV only PAM USER

 

FIM add-ins and extensions

Issue 1: SSPR windows clients with high DPI have incorrect scaling of the final page

Issue 2: SSPR Windows client text message overlap

 

FIM Certificate Management

Issue 1: <span “text-base”=””>ExecuteOperations.Disable operation issue

Issue 2: Smart Card search issue

Issue 3: Profile summary issue

Issue 4: Duplicate revocation settings policy issue

Issue 5: Certificae Management portal issue with LDAP CN name

Issue 6: misplaced link in Certificate Management portal for certain languages

 

FIM Synchronization Service

Issue 1: MA config wizard issue

Issue 2: error messages logged in Event Viewer + Perf counter issue

Issue 3: Issue with Full sync vs Equal precedence

Issue 4: ECMA2 issue with incorrect page size

Issue 5 :error message from the Management Agent cannot be parsed if it contains some special symbols

Issue 6″Reference to undeclared entity ‘qt'” error message

Issue 7: <span “text-base”=””>New Functionality:/span> The ability to skip the Management Agent during the import of a server configuration is added.

Issue 8: A “MEMORY_ALLOCATION_FAILURE” error occurs in the Performance Monitoring tool.

 

FIM Portal

Issue 1: incorrect display of multivalue labels

Issue 2: RCDC update XML format not verified

Issue 3: cannot drag and drop user to remove box

Issue 4: Local date and time issue

Issue 5 RCDC additional attributed included

 

 

FIM Service

Issue 1: SharePoint Server 2013 and later , workflow issue, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

 

BHOLD

Issue 1: issue with incompatible permissions

Issue 2 attribute based AuthZ issues

Issue 3: Acces management connector issue

Issue 4: error during BHOLD installl in IIS

Issue 5: user role permission issue with extraction

Issue 6: email alias truncated if longer than 30 char.