FIM

Announcing the public availability of the #MIMWAL for #MIM2016 project, now available as an Open Source Project on GitHub

Source: https://social.technet.microsoft.com/Forums/en-US/e613bbd9-5a2a-46c2-8d91-5f1e0116521b/announcing-the-public-availability-of-the-mimwal-project-now-available-as-an-open-source-project-on?forum=ilm2

Announcing the public availability of the MIMWAL project, now available as an Open Source Project on GitHub.

The MIMWAL is a Workflow Activity Library (WAL) for building complex workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution.

The WAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding for days and months.

MIMWAL Features

  • Building-block Workflow Activities
  • Conditional Execution Capability for Building-block Activities
  • Support for Iteration Over a Collection of Values in Building-block Activities
  • Deep Resolution Capability for FIM Lookup Grammar
  • Rich Library of Workflow Functions
  • UI Framework for Building Additional Custom Workflow Activities
  • Support for ETW Event Tracing
  • Optimization of Update Requests
    • Combining multiple updates into a single request per resource per activity
    • Issuing update request only when resource is actually modified.

More information

Please visit the MIMWAL site at http://aka.ms/MIMWAL for information on project source code, releases and documentation, and discussion forums.

Please post any questions or discussions about the MIMWAL project on this forum, which can also be found at http://aka.ms/MIMWAL/Forum

MIMWAL Links

FIM/MIM Licensing: clarification on the requirement to use CALs

Since the addition of the FIM Service and Portal in FIM 2010, the licensing model changed from a “server only” licensing to “server + CAL” licensing. (NOTE: CAL = Client Access License).

With the April 2015 licensing update for FIM/MIM, the server license became virtually free.

The authoritative document that provides you with the full details is the PUR (Product Use Rights) document published by Microsoft.

See my post on the licensing change for all required info: http://aka.ms/LicenseToCAL. It does contain the links to the PUR (in various languages).

You can also check the TechNet Wiki page for the FIM/MIM licensing: http://aka.ms/LicenseToFIM

In short: in general, you do NOT need to buy a FIM/MIM server license anymore, it’s included in the Windows Server license.

Still, keep in mind, some specific situations do require special/additional licenses: check the PUR.

You DO require CALs, which is mentioned by the PUR as:

“A CAL is also required for any person for whom the software issues or manages identity information.”

You can acquire FIM CALs via:

  • Forefront Identity Manager 2010 R2 User CAL (device CALs are not available), or
  • Enterprise Mobility Suite User SL, or
  • Microsoft Azure Active Directory Premium

The April 2015 licensing change caused quite some confusion about the CAL requirements (as the FIM/MIM server license became ‘free’…).
One of the main reasons was the following paragraph in the PUR (quote):

“/../

Synchronization Service

A CAL is not required for users only using the Forefront Identity Manager synchronization service. /../”

To rephrase this statement: if you ONLY use the FIM Sync engine, you DO NOT need to buy/acquire any license (the server license is free and no CAL is required).

This essentially means that IF you do install the FIM Service (and probably the FIM portal to manage it) and you DO connect the FIM Sync engine to the FIM service via the FIM MA, you DO NEED CALs.

This also applies to BHOLD and FIMCM.

This is how it was phrased by one of the FIM/MIM/AADConnect program managers: “As soon as you have installed the FIM Service MA (or BHOLD or CM) then you have triggered a CAL for everyone in the MV.” It’s not relevant whether the users are in the FIM Service or not.

This is also the reason for the built-in declarative provisioning (without a need for the FIM Service MA) in Azure AD Connect sync… this puts the FIM/MIM licensing model on the same footing as the Azure AD Connect licensing.

Now, this perfectly answers the question of Henrik on my post on the licensing update.

His question was: “What if you install FIM/MIM Sync and Service, both included in Windows Server licensing but you choose not to add object mappings in FIM/MIM MA for users and groups… This will allow you to import filter based sync rules from FIM/MIM Service.”

The short answer is: you still need to acquire the CAL.

Summary

  • FIM/MIM server license is included in the Windows Server License
  • you DO NEED CALs for FIM/MIM
    • you can purchase CALs or acquire them via EMS/AAD Premium/ECS
    • for EVERY person managed
  • 1 EXCEPTION:
    • if you ONLY use the FIM/MIM Sync Engine, you do not need CALs

I hope that this explanation helps you to better understand the FIM/MIM licensing.

Feel free to contact me via any channel if you have any feedback or questions.
Happy licensing!

Using Powershell to generate eventviewer statistics and event exports

During FIM health checks we need to have a good overview of the event viewer on the FIM Servers.
In almost any case the event viewer is a good measure of the server’s health.

The more red and yellow you see, the more errors and warnings, the more work you’ll have to get your server in a healthy state.

First goal is to have a general temperature of the health.
Second goal is to have the details to fix the issues.

I’ve created a PowerShell script to analyse the event viewer logs.

Instead of posting the Powershell in this blog, I’ve published it on TechNet Gallery, over here:

https://gallery.technet.microsoft.com/Powershell-Event-log-ab0ded45

There is a companion Wiki article with some guidance and configuration manual.

http://social.technet.microsoft.com/wiki/contents/articles/32204.powershell-event-viewer-statistics.aspx

In short, the PowerShell script is a modular script that offers the following functions:

  • display the event log properties
  • analyse number of events per category
  • analyse number of events per severity
  • overview of error events with source, severity and sample message
  • detailed list of last event per eventID

You can configure the script:

  • choice of event logs
  • history length (period of events to report on)
  • enable/disable logging
  • enable/disable result export to file

Before you start

  • validate your script execution policy
  • copy the script to a separate folder where you can execute the script
  • validate the script parameters

Script configuration parameters

  • $enableLogging
    • $TRUE = create a transcript of the script during run (does not work in ISE)
    • $FALSE = do not create a verbose log
  • $ExportEnabled
    • $FALSE = do not export the result to file
    • $TRUE = export the results, statistics and event details to file
  • $EventLogList
    • Default: 'System','Application','Setup','Forefront Identity Manager','Forefront Identity Manager Management Agent'
  • $startdate
    • Defines from which point in time the event logs must be analysed
    • HINT: on a system with large event logs, it’s advised to limit the history to x days or x weeks. A large-volume event log will drive up the script’s memory usage.

I’m more than happy if you would test the script and provide me feedback to improve the script.
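As an added example (not the TechNet Gallery script, which this post links to rather than reproduces), here is a self-contained PowerShell pass that implements the same parameters and the core statistics: log properties, counts per severity, and Critical/Error events per source and event ID with a sample message. The default log list and the 7-day window are assumptions; the FIM-specific logs only exist on hosts where the FIM Service or Sync Service is installed. Run it in an elevated PowerShell on the server:

```powershell
# Added example: event-log health statistics for a FIM server.
# Not the Gallery script; it mirrors that script's parameters ($EnableLogging,
# $ExportEnabled, $EventLogList, $StartDate). Needs Windows PowerShell 3.0+.
param(
    [bool]     $EnableLogging = $false,
    [bool]     $ExportEnabled = $false,
    [string[]] $EventLogList  = @('System', 'Application', 'Forefront Identity Manager'),
    [datetime] $StartDate     = (Get-Date).AddDays(-7),    # assumption: 1 week; keep it short on big logs
    [string]   $OutputFolder  = (Join-Path $PWD 'EventStats')
)

# Event level -> severity name (0 = LogAlways, shown as Information in Event Viewer)
$levelNames = @{ 0 = 'LogAlways'; 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information'; 5 = 'Verbose' }

if ($EnableLogging -or $ExportEnabled) { New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null }
if ($EnableLogging) { Start-Transcript -Path (Join-Path $OutputFolder 'EventStats-transcript.log') }

try {
    foreach ($logName in $EventLogList) {
        # Missing logs (e.g. the FIM logs on a non-FIM host) are reported, not fatal
        $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
        if (-not $log) { Write-Warning "Event log '$logName' not found, skipping"; continue }

        # 1. Log properties: size and retention mode tell you whether the window is even still there
        "=== $logName : $($log.RecordCount) records, $([math]::Round($log.FileSize / 1MB, 1)) MB used of $([math]::Round($log.MaximumSizeInBytes / 1MB, 1)) MB, mode $($log.LogMode) ==="

        # FilterHashtable pushes the time filter into the event log service, so only
        # the requested window is read into memory (the HINT above, in code).
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $StartDate } -ErrorAction SilentlyContinue)
        if ($events.Count -eq 0) { "  no events since $StartDate"; continue }

        # 2. Temperature: number of events per severity
        $events | Group-Object Level | Sort-Object { [int]$_.Name } |
            Select-Object @{ n = 'Severity'; e = { $levelNames[[int]$_.Name] } }, Count |
            Format-Table -AutoSize | Out-String | Write-Output

        # 3. Details: Critical (1) and Error (2) events per source and event ID,
        #    with the most recent occurrence and the first line of its message
        $errorStats = $events | Where-Object { $_.Level -eq 1 -or $_.Level -eq 2 } |
            Group-Object ProviderName, Id | ForEach-Object {
                $last = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
                $sample = if ($last.Message) { ($last.Message -split "`r?`n")[0] } else { '(no message template on this host)' }
                [pscustomobject]@{
                    Log      = $logName
                    Severity = $levelNames[[int]$last.Level]
                    Source   = $last.ProviderName
                    EventId  = $last.Id
                    Count    = $_.Count
                    LastSeen = $last.TimeCreated
                    Sample   = $sample
                }
            } | Sort-Object Count -Descending
        $errorStats | Format-Table -AutoSize | Out-String | Write-Output

        if ($ExportEnabled -and $errorStats) {
            $safeName = $logName -replace '[^\w]', '_'
            $errorStats | Export-Csv -NoTypeInformation -Path (Join-Path $OutputFolder "$safeName-errors.csv")
        }
    }
}
finally {
    if ($EnableLogging) { Stop-Transcript }
}
```

Save it as a .ps1 and call it with, for instance, `.\EventStats.ps1 -StartDate (Get-Date).AddDays(-3) -ExportEnabled $true`. The time filter is done server-side through the filter hashtable rather than with a `Where-Object` on `TimeCreated` afterwards; on a multi-gigabyte Application log that is the difference between a few seconds and the script running out of memory.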

Note-to-self: quickly checking which #FIM2010 Sync Security groups used

Although it’s best practice to use AD-based security groups to set up your FIM/MIM, this is not always the case in practice.
So, how do you quickly verify which groups have been used to secure your FIM Sync configuration?

On the FIM Synchronization server, open the component services

(screenshots are taken from Windows Server 2012, but this also applies to Windows Server 2008 …)

First, look up and open Component services

1. find component services

Within the Component Services navigate to “Computers > My Computer”, open DCOM Config

2. open DCOM config

It’s very likely that you get the icon view, switch it to detailed view.

3. change view to details

Then look up the Forefront Identity Synchronization Manager configuration item.

4. open FIMSync Service Props

Right click on it, click properties

5. open Security tab - launch and activation

Click the security tab.

And on the “Launch and Activation Permissions” section, click the edit button.

If the sections are greyed out, you need to set registry permissions to allow access (see the side note below).

Side note

In the Component services console, you might encounter that the security options are greyed out…

Here’s the solution to fix this quickly: http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

6. Launch and activation permissions

Now you should see the FIM Sync Security groups configured.

The info will show you (based on the group names) whether local or AD groups have been used.

End note on this topic: you can’t change these groups manually.
You need to run the FIM Sync installation wizard in repair mode to fix or change these groups.

The wizard will change the component services, DCOM config, registry and local NTFS permissions to match the groups.

If you would like to do it in a more scripted way, you can use the DCOMPerm code sample, which is included with the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

Sample command:

dcomperm -aa {835BEE60-8731-4159-8BFF-941301D76D05} list

Output

Access permission list for AppID {835BEE60-8731-4159-8BFF-941301D76D05}:

Remote and Local access permitted to CONTOSO\FIMSyncAdmins.
Remote and Local access permitted to CONTOSO\FIMSyncOperators.
Remote and Local access permitted to CONTOSO\FIMSyncJoiners.
Remote and Local access permitted to NT AUTHORITY\SYSTEM.
Remote and Local access permitted to CONTOSO\svcfimsync.
Remote and Local access permitted to CONTOSO\FIMSyncBrowse.
Remote and Local access permitted to CONTOSO\FIMSyncPasswordSet.
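As an added example (not the page’s own dcomperm command), the same information can be read with PowerShell alone: the DCOM AppID key in the registry holds the Access and Launch/Activation permissions as binary security descriptors, which .NET can parse directly. The AppID is the FIM Sync AppID from the dcomperm sample above; the COM right-bit names are the standard COM_RIGHTS_* values, the local/domain column is the same by-eye heuristic the post describes, and the script assumes you run it as a local administrator on the Sync server:

```powershell
# Added example: list the DCOM Access and Launch/Activation ACEs for the
# FIM Synchronization Service AppID from the registry (no dcomperm needed).
$appId = '{835BEE60-8731-4159-8BFF-941301D76D05}'     # FIM Sync AppID, as in the dcomperm sample above
$key   = "HKLM:\SOFTWARE\Classes\AppID\$appId"

# COM access-right bits (COM_RIGHTS_* from the Windows SDK headers)
$comRights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'; 8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

function Convert-DcomAcl {
    param([byte[]] $Binary, [string] $AclName)
    # The registry value is a self-relative security descriptor; parse it instead of guessing
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Binary, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }   # skip exotic ACE types
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }          # orphaned SID: group deleted or wrong domain
        # Same heuristic the post applies by eye: machine-local / built-in / NT AUTHORITY vs. domain
        $scope = if ($account -like "$env:COMPUTERNAME\*" -or $account -like 'BUILTIN\*' -or
                     $account -like 'NT AUTHORITY\*' -or $account -eq $sid.Value) { 'Local/unknown' } else { 'Domain' }
        $rights = foreach ($bit in ($comRights.Keys | Sort-Object)) { if ($ace.AccessMask -band $bit) { $comRights[$bit] } }
        [pscustomobject]@{
            Acl     = $AclName
            Type    = $ace.AceType          # AccessAllowed / AccessDenied
            Account = $account
            Scope   = $scope
            Rights  = $rights -join ','
        }
    }
}

$props = Get-ItemProperty -Path $key -ErrorAction Stop
$result = @()
# If a value is missing, DCOM falls back to the machine-wide defaults under HKLM\SOFTWARE\Microsoft\Ole
if ($props.AccessPermission) { $result += Convert-DcomAcl -Binary $props.AccessPermission -AclName 'Access' }
if ($props.LaunchPermission) { $result += Convert-DcomAcl -Binary $props.LaunchPermission -AclName 'LaunchAndActivation' }
if ($result.Count -eq 0) { Write-Warning "No explicit DCOM permissions on $appId; machine defaults apply" }
$result | Format-Table -AutoSize
```

An account that comes back as a raw SID (the `catch` branch) is the case worth chasing during a health check: it usually means the group was deleted or the server was moved to another domain, and the repair-mode wizard run described above is the supported way to put it right.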

Note-to-self: #FIM2010 Virtualisation support

Nowadays it’s not a hot topic anymore, but rather common practice to run your FIM / MIM environment in a virtualized setup.
Still, once in a while we do get questions about virtualization support for FIM/MIM.

Bookmark the sources below, as it might be useful to retrieve the answer quickly.

The first, more general, place to check is the Windows Server Catalog (http://www.windowsservercatalog.com/).
On that catalog page you find the link to the Server Virtualization Validation Program site (http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm).

“Please visit the Server Virtualization Validation Program site for more information on validated solutions and available support.” 

That page mentions:

“Information on Microsoft’s support policy for Hyper-V and Azure can be found at:

and

“The information provided by the Microsoft Application Support Policy is for guidance purposes only. Please visit the Products listing to review the latest information available”

Microsoft Server Software and Supported Virtualization Environments points to this KB article : https://support.microsoft.com/nl-be/kb/957006

It explicitly refers to Forefront Identity Manager as:

“Microsoft Forefront Identity Manager 2010
Microsoft Forefront Identity Manager 2010 and later versions are supported.”

As a side step, the Products Listing page (on http://www.windowsservercatalog.com/results.aspx?&bCatID=1521&cpID=0&avc=0&ava=0&avq=0&OR=1&PGS=25) has the latest updates on Windows Server 2012 and later…

In the left side menu bar you’ll find OS Compatibility and Processor architecture:

OS compatibility

Supports Windows Server 2012 R2
Supports Windows Server 2012
Supports Windows Server 2008 R2
Supports Windows Server 2008

Processor architecture

Windows Server 2012 R2 (x64)
Windows Server 2012 (x64)
Windows Server 2008 R2 (x64)
Windows Server 2008 (x64)
Windows Server 2008 (x86)

Another side note: for the support lifecycle, the KB article refers to http://support.microsoft.com/?pr=lifecycle.
But for FIM 2010 / MIM 2016 there is an easier shortcut you should use:

FIM 2010: https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Forefront%20Identity%20Manager&Filter=FilterNO

MIM 2016 (also includes FIM 2010 info): https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Identity%20Manager&Filter=FilterNO

For future use, this info has also been published on the TechNet Wiki; you can use the short URLs http://aka.ms/FIM2010Virtualisation and http://aka.ms/MIM2016Virtualisation.

Note-to-self: Installing the Microsoft Identity Manager 2016 (4.3.1935.0) Service and Portal – Upgrade from FIM 2010 R2

Source: http://blogs.msdn.com/b/connector_space/archive/2015/08/05/installing-the-microsoft-identity-manager-2016-4-3-1935-0-service-and-portal-upgrade-from-fim-2010-r2.aspx

Great work from Anthony Marsiglia (FIM Devil)

Note-to-self: Identity manager resources at the TechNet Evaluation Center

Source: http://aka.ms/IdentityManagerEval aka http://www.microsoft.com/en-us/evalcenter/search?k=identity%20manager&p=&a=&s=&r=&so=

Head over to the TechNet Evaluation Center to find some interesting resources on Identity Manager….

Note-to-self: update to #FIM2010 Lifecycle support (mainstream support now : 2017-10-10)

The FIM support lifecycle page has been updated: FIM 2010 mainstream support is now set to 10 October 2017.

Source: https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Forefront%20Identity%20Manager&Filter=FilterNO

Products listed on the lifecycle page (lifecycle start date, mainstream support end date, extended support end date, service pack support end date, notes):

  • Microsoft Forefront Identity Manager 2010
    • Lifecycle start date: 2010-05-27
    • Mainstream support end date: 2017-10-10
    • Extended support end date: 2022-10-11
    • Notes: Mainstream and Extended support for Microsoft Forefront Identity Manager 2010 is extended as shown in order to provide all customers with the standard lifecycle transition timeline.
  • Microsoft Forefront Identity Manager 2010 R2
    • Lifecycle start date: 2012-07-24
    • Mainstream support end date: 2017-10-10
    • Extended support end date: 2022-10-11
    • Service Pack support end date: 2014-04-08
    • Notes: Mainstream and Extended support for Microsoft Forefront Identity Manager 2010 is extended as shown in order to provide all customers with the standard lifecycle transition timeline.
  • Microsoft Forefront Identity Manager 2010 R2 Service Pack 1
    • Lifecycle start date: 2013-01-15
    • Mainstream support end date: Review Note
    • Extended support end date: Review Note
    • Notes: Support ends 12 months after the next service pack releases or at the end of the product’s support lifecycle, whichever comes first. For more information, please see the service pack policy at http://support.microsoft.com/lifecycle/#ServicePackSupport.

Note-to-self: By default #FIM2010 Localized information is not migrated using Export-FIMConfig

Many of us are using the Export-FIMConfig PowerShell cmdlet to export, extract, migrate or document FIM Service and portal configurations.

If someone complains that the localized content is not exported or migrated, I send over the links below.

Source:

Many international FIM customers have localized and/or customized content that doesn’t get exported with the default export functionality.
This is explained in Appendix C: “Localized information not migrated by default”:

“By default, the Windows PowerShell scripts that are included in this guide do not migrate localized information. To include localized display names, edit the ExportPolicy.ps1 and the SyncPolicy.ps1 so that the Export-FIMConfig cmdlet includes the –AllLocales option. This option instructs the cmdlet to download all localized information. However, its presence slows down the scripts.”

Another parameter to pay attention to is the -MessageSize parameter.

As explained at “Windows PowerShell Examples for Configuring FIM”:

“If a FIM 2010 R2 resource is too large to fit within a single Simple Object Access Protocol (SOAP) message, it may be necessary to increase the message size. This regularly happens when you export Set resources with thousands of explicit members. Often, administrators pick an arbitrarily large message size such as 999,999.”

Keep in mind that exporting the localized information and a large message size will significantly impact your export performance.
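As an added example (not the ExportPolicy.ps1 from the guide), this PowerShell function wraps the two exports side by side so you can measure the cost of -AllLocales and -MessageSize against your own FIM Service. It assumes the FIMAutomation snap-in is installed on the machine (it ships with the FIM Service), the FIM Service URI below (adjust it), and the large message size mentioned in the quote above:

```powershell
# Added example: policy/portal export with and without localized content.
# Assumes the FIMAutomation snap-in (installed with the FIM Service) and an
# account allowed to read the configuration, as the default ExportPolicy.ps1 does.
$fimUri = 'http://localhost:5725/ResourceManagementService'   # assumption: adjust to your FIM Service

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }

function Export-PolicyConfig {
    param(
        [Parameter(Mandatory = $true)] [string] $File,
        [switch] $IncludeLocales,
        [int]    $MessageSize = 9999999      # "arbitrarily large": Sets with thousands of explicit members need it
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $params = @{ Uri = $fimUri; PolicyConfig = $true; PortalConfig = $true; MessageSize = $MessageSize }
    if ($IncludeLocales) { $params['AllLocales'] = $true }   # -AllLocales: every localized DisplayName/Description is fetched
    $policy = @(Export-FIMConfig @params)
    $policy | ConvertFrom-FIMResource -File $File
    # Summary so the two runs can be compared
    [pscustomobject]@{
        File      = $File
        Resources = $policy.Count
        Locales   = [bool]$IncludeLocales
        Seconds   = [int]$sw.Elapsed.TotalSeconds
        SizeKB    = [int]((Get-Item $File).Length / 1KB)
    }
}

# Default export: fast, but localized display names and descriptions are missing
Export-PolicyConfig -File 'policy.xml'
# Full export: same resources, plus every locale. Expect more time and a larger file.
Export-PolicyConfig -File 'policy-alllocales.xml' -IncludeLocales
```

The resource count is the same in both runs; what changes is the time and the file size, which is the quickest way to show a customer why the migration scripts leave -AllLocales off by default.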

Some additional references to bookmark:

And interesting to read:

New #FIM2010 R2 SP1 hotfix released to fully support Windows Server 2012 R2 ADDS (Build 4.1.3634.0)

Microsoft has released a very important hotfix for FIM2010 R2 SP1: full details at https://support.microsoft.com/kb/3048056. (FIM Build 4.1.3634.0)

As indicated in the article, Microsoft recommends that all customers apply this update to their production systems.

The most important fix in this hotfix is that FIM2010 R2 (SP1) now fully supports Windows Server 2012 R2 Active Directory Domain Services, at both domain and forest functional level.

Still, an important condition for this support is that the FIM Synchronization Service must be installed only on a

  • Windows Server 2008,
  • Windows Server 2008 R2,
  • or Windows Server 2012 member server.

FIM 2010 Server components must NOT be installed on a Windows Server 2012 R2 member server.

Only the PCNS component can be installed on a Windows Server 2012 R2 domain controller.

More information: