#MIM2016 Troubleshooting: FIM MA Full import error 0x80070002

This post has been published on TNWiki too, and waiting for your input at: MIM 2016 Troubleshooting: FIM MA Full import error 0x80070002


When you try to run an Full import run profile on the MIMMA, you get an error message in the MIM GUI.

On screen

Unable to run the management agent.

The system cannot find the file specified. (Exception from HRESULT: 0x80070002)

Error message


Log Name:      Application
Source:        FIMSynchronizationService
Date:          10/17/2016 5:38:58 PM
Event ID:      6309
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
The server encountered an unexpected error while performing an operation for a management agent.
"BAIL: MMS(39888): ..\ma.cpp(3781): 0x80070002 (The system cannot find the file specified.)
Forefront Identity Manager 4.3.1935.0"
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6309</EventID>
    <TimeCreated SystemTime="2016-10-17T15:38:58.000000000Z" />
    <Security />
<Data>BAIL: MMS(39888): ..\ma.cpp(3781): 0x80070002 (The system cannot find the file specified.)
Forefront Identity Manager 4.3.1935.0</Data>

Other symptoms

When you try to stop the run of the MIM MA you get an error.

Root cause

The option “run the management agent in a separate process” is activated.


Uncheck the option “Run this management agent in a separate process” from the “Configure extensions” item in the management agent properties.

Note-to-self: Security Compliance Manager 4.0 now available for download!

Sometime you get some silent signals that you have been way too busy…

Like stumbling into an announcement of a tool you evangelise…

Security Compliance Manager 4.0 now available for download!




Thank you!

This weekend I’ve received some pretty exciting news that I was awarded the 2016 MVP award (Microsoft Most Valuable Professional) for Enterprise Mobility (Identity & Access).


I’m extremely proud to receive the award, but I never could have achieved this award without your support. So, in the first place I want to thank YOU for supporting me and making it possible. With your help I certainly will continue to support and build the Microsoft and security community with great pride.

A great thanks to Ed Price, Ronen Ariely, Gokan Ozcifci and Jorge de Almeida Pinto for the support and recommendations. (I sincerely hope I haven’t forgotten anyone…) I owe you Belgian beer.

I had the honor to be part of the program earlier, and never have stopped to build and maintain the community with passion for Identity and Access management, but as combining Microsoft FTE with MVP is not possible… I had a break for the years at MS… still it was different.

I’m also extremely thankful that my wife Katrien and my 2 kids can cope with my crazy passion for TechNet Wiki and MS community obsession. This addiction is just so much fun…but I’ll never admit that. (oh ships, just did…)

#FIM2010 & #MIM2016 Error 25009 fun stuff on #TNWiki

For the FIM Geeks, I’ve submitted some new FIM/MIM 25009 event troubleshooting articles on TechNet Wiki (http://aka.ms/Wiki)

Plus, a page the collects all the 25009 trroubleshooting resources, including lots of fun stuff of Tim Macauly.

If you got more of this 25009 fun stuff yourself, feel free to add your articles and add them to the collection page.

Note-to-self: Regarding The Dropbox Hack, are YOU impacted?

To all who is using Dropbox… get your passprhase (yes, phrase, not word) changed and have it highly complex (eg using password manager).

Bit late maybe, but NOW is a good time.
See: https://www.troyhunt.com/the-dropbox-hack-is-real/

And another hint: subscribe to the https://haveibeenpwned.com/ website and get notified when the bad news comes.

Stay safe!

Note-to-self: DNS naming best practices for internal domains and networks

Just a few days ago, I’ve got a question from a customer regarding the DNS naming best practices for internal DNS and AD domains…

As it’s not a daily job to setup a new AD domain and internal DNS (from scratch…), so it might help to share the results of my investigation, that have lead to confirm my practical experiences.

Apparently it’s a pretty frequent topic on AD and network platforms. Plus there are some strict technical guidelines that apply here, even for internal DNS configurations…

The short answer, as best practice:

  • Microsoft strongly recommends to register a public domain and use subdomains for the internal DNS.
  • So, register a public DNS name , so you own it. Then create subdomains for internal use (like corp.pgeelen.be, dmz.pgeelen.be, extranet.pgeelen.be) and make sure you’ve got your DNS configuration setup correctly.

Below more detailed explanation. Luckily enough there is some nice reading material out there to prove the statement, so make sure you bookmark this page😉

But first we need to clarify a few things…

AD Domain vs DNS name

The AD domain name is NOT the same as the DNS name, but they are linked.

AD Domain names are mainly used within AD operations, mostly LDAP queries for AD functionality, while DNS is rather a network level solution for name resolution on IP level (to solve the machines or application names to IP addresses).

Essentialy this difference allows you to use a ‘internal’, private AD domain name and use a public, registered DNS name.

When you look into discussions and documentation on this topic, you’ll also see that the AD domain short name is referred as NetBIOS Name (as in the AD logon name <DOMAIN>\<username>).

For example

  • AD Domain name: CORP
  • DNS name: corp.pgeelen.be

See here for more explanation: https://technet.microsoft.com/en-us/library/bb676377

You can also ‘unlink’ the AD domain name from the DNS name, then you get a disjoint namespace, as explained in previous link.

For Example

  • AD Domain naam : CORP
  • DNS naam: intranet.pgeelen.be

Check this forum discussion: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f6ac34e8-4b35-4c3b-a60f-179f68d6eb24/ad-domain-name-vs-dns-domain-name?forum=winserverDS

And also: https://technet.microsoft.com/en-us/library/cc978018.aspx

Dummy DNS name vs official DNS name

In the past, lots of people chose to use a dummy, unofficial TLD (top-level-domain) for their internal network, likedomain.lan, domain.local of domain.internal (and also domain.internalhost)

But this can get you in serious trouble.

Because these names are not supported by internet standards, the most important RFC on this is: RFC 2606 (http://tools.ietf.org/html/rfc2606)

This RFC standard is very explicit on chosing domain names for voor private testing and documentation

  • .test
  • .example
  • .invalid
  • .localhost

But also for documentation some 2nd level domains are reserved

  • example.com
  • example.net
  • example.org

As you can see, these names are created for testing and not for production.

Plus, if the public naming standards change or additional names are released you might be using a name you don’t own and that can be routed to the internet, which conflicts with the initial use.

Therefore the technical conclusion is fairly straight forward: register a public DNS name and use it for your internal DNS resolution.

So the use of <yourinternaldomain>.be is technically correct but it doesn’t stop there.

There are some important consequences.

Allow me to take the discussion a step further.

You have to make a choice on the DNS zones:

  • using a single DNS zone
  • Using subdomains
  • using different DNS zones


Using a single namespace (for internal and external hosts)

Some customers use the same DNS zone for internal and external usage. But there are some important disadvantages:

  • mismatch between security zones (like intranet, extranet, dmz and) and DNS naming
  • when adding / merging domains the DNS is subject to redesign
  • less flexible, less automated DNS operations
  • conflict in authority with internal DNS and external DNS (managed by internet provider)

You might face some practical issues like:

  • conflicts in DNS,
  • instable operations and sub-optimal performance
  • network issues
  • complex configuration
  • less or no automated DNS operations, more manual operations
  • keeping DNS under control is less obvious

Plus, you’ll face some consequences regarding network security, by the lack of segregation of (DNS) duties.

So: Single DNS domain is absolutely not advised.

Using different DNS names and zones

It’s completely the opposite of the previous approach. From DNS level, this is fairly simple setup, but you need to duplicate or multiply DNS configurations. And from a user perspective it might be complex or confusing, or not transparent, and inconsistent

DNS sub-domains

This is a frequently used technique to use the same TLD (top level domain) and separate the zones by subdomain. Eg “intranet”, “extranet”, “DMZ” for ‘internal’ zones en just plain <domain>.<tld> for public DNS.

For example:

  • intranet.pgeelen.be or corp.pgeelen.be (if your AD is named ‘CORP’ )
  • extranet.pgeelen.be for applications or partner facing websites
  • DMZ.pgeelen.be for applications that need DMZ for data protection or publication,
  • and master suffix .pgeelen.be for public websites (managed by your Internet Provider)

The forum post I mentioned earlier discusses a technique called “DNS split brain”:

In fact you have one DNS name space, but with sub spaces per zone.

This is a bit more complicated setup as you need to make sure the DNS servers forward the requests to the applicable zones correctly.

And it does require some planning and cooperation with your internet provider.

Microsoft strongly suggests to work with subdomains, within a publicly registered TLD domain.

Check: Creating Internal and External Domains op https://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx

Design Option Management Complexity Example
The internal domain is a subdomain of the external domain. Microsoft strongly recommends this option. For more information, see Using an Internal Subdomain. Easy to deploy and administer. An organization with an external namespace contoso.com uses the internal namespace corp.contoso.com.
The internal and external domain names are different from each other. For more information, see Using Different Internal and External Domain Names. More complicated than previous option. An organization uses contoso.com for its external namespace, and corp.internal for its internal namespace.


On top of that you need to be aware of a few rules regarding naming standards: https://support.microsoft.com/en-us/kb/909264


To conclude, please find some useful reference info in one spot below:

The new #MIM2016 book is out! Must have!

I just got the notice from Packt Publishing today that the new MIM2016  book has been published!
Go check at http://aka.ms/mim2016book.

David Steadman and Jeff Ingalls have been working very hard to create a reference piece of literature, so it’s a must have for your bookshelf.

From the early beginning of the book I’ve been involved in the reviewing, and although it has been a bumpy ride, it has been a great time!

I know my FIM/MIM geekiness/freakiness must have caused quite some headaches to the authors and the publishing project team at Packt, but just be sure it was for the better good.

The ebook version is awful cheap, but I’m going for the paper version anyway as I’m convinced it’s a must have.

So my future FIM/MIM students will have something to look forward to (meaning get their hands on MY copy of the book, … )


Congratz, David and Jeff!
Now you can take a well-deserved vacation!