FIM 2010 R2

Microsoft Identity Manager online resources (#MIM2016)

  1. Quick note on Microsoft Learn & Docs
  2. Microsoft news and announcements
    1. Microsoft Product support lifecycle
    2. Feeds
  3. Official documentation – Microsoft
    1. Getting prepared
    2. Best practices
    3. Deployment documentation
    4. MIM for developers
    5. MIM reference material
  4. Github
    1. (Microsoft) MIM Configuration Documenter
    2. (Microsoft) Workflow Activity Library (WAL)
    3. MIM projects
  5. Microsoft Community
    1. Forums (Active)
    2. Microsoft Answers
    3. Forums (Archive)
    4. Technet blogs archive
    5. Experts Exchange
    6. Microsoft Wiki
      1. FIM/MIM related content (check the tags)
      2. ILM/FIM/MIM article overview
      3. ILM/FIM/MIM Troubleshooting
    7. The FIM/MIM geek blogs & posts…
  6. Social Media
    1. Facebook
    2. Twitter
  7. Books
    1. Online Companion guide for MIM 2016 book
  8. Visio Stencils
  9. Archives
    1. Microsoft Learn – previous versions

Quick note on Microsoft Learn & Docs

A while ago Microsoft moved from Docs (docs.microsoft.com) to Learn (learn.microsoft.com), but some older information might still point to the Docs links. In case the redirect fails, replace the docs prefix in the URL with learn and try again.
If it still fails, Bing it and let me know.

Microsoft news and announcements

Microsoft Product support lifecycle

https://docs.microsoft.com/en-us/lifecycle/products/?terms=Identity

Feeds

Official documentation – Microsoft

Getting prepared

Supported platforms: https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms

Best practices

https://learn.microsoft.com/en-us/microsoft-identity-manager/mim-best-practices

Deployment documentation

MIM for developers

MIM reference material

Github

(Microsoft) MIM Configuration Documenter

https://github.com/microsoft/MIMConfigDocumenter

(Microsoft) Workflow Activity Library (WAL)

https://github.com/microsoft/MIMWAL

MIM projects

https://github.com/search?q=mim2016

Microsoft Community

Forums (Active)

Microsoft Answers

Forums (Archive)

Technet blogs archive

Technet blogs archive: https://learn.microsoft.com/en-us/archive/blogs/

Experts Exchange

Microsoft Wiki

ILM/FIM/MIM article overview

https://social.technet.microsoft.com/wiki/contents/articles/3610.fim-2010-mim-2016-related-wiki-articles.aspx

ILM/FIM/MIM Troubleshooting

https://social.technet.microsoft.com/wiki/contents/articles/3610.fim-2010-mim-2016-related-wiki-articles.aspx#FIM_Troubleshooting_Article

The FIM/MIM geek blogs & posts…

Below you’ll find some interesting and helpful articles and posts (some of them are old/archived, but still valid for MIM too).

In alphabetic order (on last name)

Social Media

Facebook

Twitter

Books

Online Companion guide for MIM 2016 book

Visio Stencils

https://github.com/PeterGeelen/Microsoft-Identity-Manager/tree/main/FIM-MIM%20stencils

Archives

Microsoft Learn – previous versions

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/forefront-2010/ee652263(v=vs.100)

#MIM2016 Troubleshooting: Uninstall fails with error – Administrator privileges are required to run installer. Please re-launch installer with administrator privileges.

I’ve got a new post up on TechNet Wiki about MIM2016 troubleshooting:

Full version at the TNWIKI: MIM2016/FIM2010 Troubleshooting: Uninstall fails with error – Administrator privileges required

Feel free to add useful information yourself, I’m looking forward to your feedback and cooperation to make it better.

The short version is below.

Rikard Strand Jump has published a similar article, which has served as baseline for this article. Rik’s article is focussed on DirSync, but the troubleshooting below is more widely applicable, even to programs not related to FIM/MIM/DirSync…

When you try to uninstall or to change the component from Control Panel > Programs (Uninstall a program), you get an error pop-up saying:

Administrator privileges are required to run installer. Please re-launch installer with administrator privileges.
There are some troubleshooting steps, including running the Control Panel in administrator mode.
If that doesn’t work, you need to find the uninstaller info in the registry and run the msiexec command with the uninstaller info.
Open the registry editor and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Under this key you’ll find the installed programs listed by their product GUID, which is mostly fixed per application.

Eg

  • MIM 2016: {5A7CB0A3-7AA2-4F40-8899-02B83694085F}
  • DirSync/AADConnect: {C9139DEA-F758-4177-8E0F-AA5B09628136}
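As an added example (not part of the original post), the following PowerShell looks up the uninstall entry for a product GUID and runs the Windows Installer uninstall elevated, which is the safer route compared to deleting the registry key. It uses the MIM 2016 product code quoted above; the log path and the exit-code interpretation are the usual msiexec conventions, not something the post states.

```powershell
# Added example: locate the uninstall entry for a product GUID and run
# "msiexec /x" elevated, logging verbosely so a failure can be diagnosed.
# Run from an elevated PowerShell prompt. Product code taken from the post.
$ProductCode = '{5A7CB0A3-7AA2-4F40-8899-02B83694085F}'   # MIM 2016

# Uninstall entries live under the native hive and, for 32-bit packages on
# 64-bit Windows, under Wow6432Node.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entry = $null
foreach ($root in $uninstallRoots) {
    $path = Join-Path $root $ProductCode
    if (Test-Path $path) { $entry = Get-ItemProperty -Path $path; break }
}
if (-not $entry) { throw "No uninstall entry found for $ProductCode" }

"Found: $($entry.DisplayName) $($entry.DisplayVersion)"
"UninstallString: $($entry.UninstallString)"

# Only Windows Installer (MSI) entries can be removed with msiexec /x;
# MSI entries carry a WindowsInstaller=1 value or an msiexec uninstall string.
if (-not $entry.WindowsInstaller -and $entry.UninstallString -notmatch 'msiexec') {
    throw 'Entry is not a Windows Installer package; use its own uninstaller.'
}

# Verbose log in %TEMP%; -Verb RunAs forces elevation, which is exactly what
# the "Administrator privileges are required" error complains about.
$log = Join-Path $env:TEMP ("uninstall-" + $ProductCode.Trim('{}') + ".log")
$arguments = "/x $ProductCode /l*v `"$log`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Verb RunAs -Wait -PassThru
"msiexec exit code: $($proc.ExitCode) (0 = success, 3010 = reboot required); log: $log"
```

If msiexec still fails, the verbose log is the place to look before resorting to removing the uninstall key.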

And finally, the quick and dirty option is to kill the uninstall registry key before you run the uninstall from the Control Panel again.

In case of MIM2016
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A7CB0A3-7AA2-4F40-8899-02B83694085F}
You know the usual warning: I didn’t tell you to delete the registry key.

Last update: 2020-12-30

A hotfix rollup package (build 4.1.3765.0) is available for #FIM2010

Source: https://support.microsoft.com/en-us/kb/3171318

Issues that are fixed and features that are added in this update

This update fixes the following issues and adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Certificate Management

  • Issue 1 A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.
  • Issue 2 The Duplicate Revocation Settings policy is replaced because some users could not set it.
  • Issue 3 There is a redundant space in the “Profile Summary” string on the Request Complete page for some languages.

FIM Synchronization Service

  • Issue 1 In a metaverse search and when you view the object, there is a Last Modified field. But when you sort that field, it sorts as a generic text field instead of as a date field.
  • Issue 2 Error messages (such as Event ID 6313) are logged in the event log. Additionally, performance counters don’t work.
  • Issue 3 The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.
  • Issue 4 When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the size value quietly changes to the minimum or the maximum after you click Finish.
  • Issue 5 An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.
  • Issue 6 You receive a “Reference to undeclared entity ‘qt'” error message when you run the history process and the history text contains the “greater than” symbol (>).
  • Issue 7 Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.
  • Issue 8 A “MEMORY_ALLOCATION_FAILURE” error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

  • Issue 1 Multivalued labels are displayed incorrectly in a single line in the UI.

FIM Service

  • Issue 1 During an Export process between the Synchronization and FIM Service, the msidmCompositeType request may fail if some multivalued string attribute value is changed in the scope of the Export session. This behavior affects performance.
  • Issue 2 In SharePoint Server 2013 and later versions, if you change a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

  • Issue 1 When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.
  • Issue 2 Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.
  • Issue 3 When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.
  • Issue 4 An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.
  • Issue 5 If two or more roles are assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.
  • Issue 6 An email alias is truncated if it is longer than 30 characters.

Updated: 2020-12-30

Note-to-self: #FIM2010 Quick Tip – Who has NOT Registered for SSPR

Just a quick useful tip to solve the practical question…

Question already asked (a few times) on the FIM forum: how to “Query FIM user not registered for SSPR”?

https://social.technet.microsoft.com/Forums/en-US/b44a4a2c-ebc2-45e2-9afd-1d083c7be3ad/query-fim-user-not-registered-for-sspr?forum=ilm2

Answers:

See also:

http://social.technet.microsoft.com/wiki/contents/articles/9846.fim-self-service-password-reset-sspr-resources.aspx by Tim Macaulay
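One way to answer the question above in PowerShell, as an added example that is not part of the original post or the forum thread: it assumes the default FIM schema, where the Person attribute AuthNWFRegistered references the WorkflowDefinition objects a user has registered for, and the default workflow display name “Password Reset AuthN Workflow”. The FIM Service URI is an assumption as well.

```powershell
# Added example: list Person objects with no registered SSPR authentication
# workflow, via the FIMAutomation snap-in and an XPath filter.
# Assumptions: default schema (Person.AuthNWFRegistered), default workflow
# display name, and a FIM Service reachable on localhost:5725.
$FimServiceUri = 'http://localhost:5725'

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# XPath: people whose registered-workflow reference does not include the SSPR
# AuthN workflow; users who never registered at all match as well.
$filter = "/Person[not(AuthNWFRegistered = /WorkflowDefinition[DisplayName='Password Reset AuthN Workflow'])]"

# -OnlyBaseResources keeps referenced objects (sets, workflows) out of the export.
$notRegistered = @(Export-FIMConfig -Uri $FimServiceUri -CustomConfig $filter -OnlyBaseResources)

# Helper: read one attribute value from an exported resource.
function Get-FimAttribute($exportObject, $name) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($attr) { if ($attr.IsMultiValue) { $attr.Values } else { $attr.Value } }
}

$report = foreach ($obj in $notRegistered) {
    New-Object PSObject -Property @{
        Domain      = Get-FimAttribute $obj 'Domain'
        AccountName = Get-FimAttribute $obj 'AccountName'
        DisplayName = Get-FimAttribute $obj 'DisplayName'
    }
}
$report | Sort-Object Domain, AccountName | Format-Table Domain, AccountName, DisplayName -AutoSize
"$($notRegistered.Count) user(s) not registered for SSPR"
```

The same XPath can be used as a Set filter in the portal if you want a standing “not registered” set for reporting or reminder workflows.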

Updated: 2020-12-30

#FIM2010 upgrade/update failure and roll back

Recently I have been working with several customers that experienced a similar situation:

  • update FIM with a hotfix fails
  • upgrade FIM 2010 to FIM 2010 R2 fails
  • during installation of FIM the FIM services won’t start

All of them result in a roll-back of the installation.

Let me spoil the root cause right away (and then explain): using an SQL port number in the installation wizard.

The installation wizard is not able to connect to the database with a port number.

Solution:

use an SQL alias

Background

The FIM Sync Service and/or the FIM servers check the registry for the database server and instance and then connect to SQL and start the service.

The use of a port number seems to break the wizard.
Normally the FIM Services and FIM Sync Services CAN use an SQL port…

Easy fix: set an alias in the SQL Server client network utility

c:\windows\system32\cliconfg.exe

(Screenshots: cliconfg.exe, the port 1433 configuration and the alias setup)

Then change the registry to use the FIM SQL alias (as the server); you don’t need the instance and port anymore, as the alias will take care of it.

For the FIM Sync:

regedit

Check the server and instance configured for the FIM Sync database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Server (use SQL Alias)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Instance (empty)

For the FIM Service

Check the server and instance configured for the FIM Service database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMService\DatabaseServer
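The alias procedure above, scripted in PowerShell as an added example (not part of the original post): it writes the same alias that cliconfg.exe would create, verifies that a connection using only the alias name works, and then points the FIM Sync Service at the alias with an empty Instance value. Alias name, SQL host and port are assumptions; the FIMService DatabaseServer value would be changed the same way.

```powershell
# Added example: create a SQL Server client alias and point the FIM Sync
# Service at it. Run elevated, with the FIM Synchronization Service stopped.
# Alias name, host and port are assumptions for the example.
$AliasName = 'FIMSQL'
$SqlHost   = 'sqlserver01.corp.example'
$SqlPort   = 1433

# cliconfg.exe stores TCP aliases as REG_SZ "DBMSSOCN,<host>,<port>" under
# ...\MSSQLServer\Client\ConnectTo. On 64-bit Windows the 32-bit clients read
# the Wow6432Node copy, so write both.
$aliasKeys = @('HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo')
if ([Environment]::Is64BitOperatingSystem) {
    $aliasKeys += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
}
foreach ($key in $aliasKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $AliasName -Value "DBMSSOCN,$SqlHost,$SqlPort" -Type String
}

# Verify the alias before touching FIM: connect with the alias as the server
# name only (no instance, no port), the way the FIM services will use it.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$AliasName;Integrated Security=True;Connection Timeout=15"
try {
    $conn.Open()
    "Alias $AliasName resolves to $($conn.DataSource), SQL Server $($conn.ServerVersion)"
} finally {
    $conn.Close()
}

# Back up the Sync Service parameters, then set Server = alias, Instance = empty.
$syncKey   = 'HKLM\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
$backup    = Join-Path $env:TEMP 'FIMSyncParameters-backup.reg'
reg.exe export $syncKey $backup /y | Out-Null
$syncParams = "HKLM:\$($syncKey.Substring(5))"
Set-ItemProperty -Path $syncParams -Name 'Server'   -Value $AliasName -Type String
Set-ItemProperty -Path $syncParams -Name 'Instance' -Value ''         -Type String
Get-ItemProperty -Path $syncParams | Select-Object Server, Instance
```

If the connection test fails, fix the alias (host, port, firewall) before changing the FIM keys; the backup .reg file restores the previous settings if needed.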

Reference

I’ve updated the Wiki article with more detailed info at http://social.technet.microsoft.com/wiki/contents/articles/14551.fim-2010-r2-troubleshooting-syncservice-installation-or-upgrade-failure-and-roll-back.aspx

See also:

Last updated: 2020-12-30

Announcing the public availability of the #MIMWAL for #MIM2016 project, now available as an Open Source Project on GitHub

Source: https://social.technet.microsoft.com/Forums/en-US/e613bbd9-5a2a-46c2-8d91-5f1e0116521b/announcing-the-public-availability-of-the-mimwal-project-now-available-as-an-open-source-project-on?forum=ilm2

Announcing the public availability of the MIMWAL project, now available as an Open Source Project on GitHub.

The MIMWAL is a Workflow Activity Library (WAL) for building complex workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution.

The WAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding for days and months.

MIMWAL Features

  • Building-block Workflow Activities
  • Conditional Execution Capability for Building-block Activities
  • Support for Iteration Over a Collection of Values in Building-block Activities
  • Deep Resolution Capability for FIM Lookup Grammar
  • Rich Library of Workflow Functions
  • UI Framework for Building Additional Custom Workflow Activities
  • Support for ETW Event Tracing
  • Optimization of Update Requests
    • Combining multiple updates into a single request per resource per activity
    • Issuing update request only when resource is actually modified.

More information

Please visit the MIMWAL site at http://aka.ms/MIMWAL for information on project source code, releases and documentation, and discussion forums.

Please post any questions or discussions about the MIMWAL project on this forum, which can also be found at http://aka.ms/MIMWAL/Forum

MIMWAL Links

Hotfix rollup package (build 4.1.3671.0) for Forefront Identity Manager 2010 R2

Source: https://support.microsoft.com/en-us/kb/3092178

From the KB Article:

Issues that are fixed or features that are added in this update

This update also fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM add-ins and extensions

Issue 1

This hotfix addresses an issue in the password reset window that occurs on displays that have high DPI settings when the Windows display sizing of items is set to a custom size, such as 200% or more.

FIM Certificate Management

Issue 1

If you try to enroll a smart card that has the correct profile selected (and the correct adminKey), but the user PIN does not correspond to the smart card PIN policy, you receive the following error message:

The card cannot be accessed because the wrong PIN was presented.


FIM Synchronization Service

Issue 1

When you configure an ECMA2 run profile, you receive the following exception:

Value of ‘10’ is not a valid value


Issue 2

The Sync Engine reports a staging error during delta import when the Generic LDAP connector detects the renaming of the distinguished name for an object.

Issue 3

During the export run DN modification of a user, an object is deleted from a group membership in Oracle Directory Enterprise Edition (ODSEE) instead of changing the DN LDAP.

Issue 4

When you try to select an OU that contains more than 4,000 sub-OUs on the Directory Partitions tab, you receive the following error message:

The administrative size limit on the server was exceeded.


Issue 5

When you perform an Export, CS Search, or CS Deletion during ECMA2 Export Only, the MA displays the following error message:

The image or delta doesn’t have an anchor.


Issue 6

The Sync Service stops responding because of high CPU usage when you stop a run profile for the ECMA connector.

Issue 7

When you have characters in the SMTP address that are unsupported by Exchange Server, a GALSync Export operation stops, and you receive an ma-extension error. This triggers a provisioning loop that causes object duplication.

FIM Portal

Issue 1

This hotfix addresses an issue in the FIM Portal that affects sorting a customized list view that’s based on the columns specified in the ColumnsToDisplay field.

Issue 2

This hotfix updates HTML elements and attributes in the password registration portal and the FIM Portal.

Issue 3

The object picker does not search objects that contain special characters in their file names.

Issue 4

This hotfix updates the translation into Russian of the user interface strings that relate to “Password Reset AuthN Workflow” activity.

Issue 5

This hotfix addresses an issue that affects the Leave and Remove Member buttons when the group resource type is customized.

Issue 6

This hotfix adds a new search scope (All Groups) to enable searching for and joining groups if the user does not know whether the group is a security group or a distribution list.

FIM Service

Issue 1

This hotfix addresses an issue in which broker service conversations are not closed after an export from FIM Sync to the FIM Service database.

Issue 2

When there are too many negative conditions in the Group Criteria, the SQL & FIM service stop running.

Issue 3

SET filter definitions are unsuccessful during save after you upgrade to version 4.1.3634.0.

Issue 4

When you use the CustomExpression option, the Concatenate operator is replaced with the “+” character. This triggers an error when it saves.

Issue 5

This hotfix addresses an issue that affects FIM Service database stored procedures. Specifically, deadlocks might occur in approval workflows. This issue occurs particularly in deployments with complex or general Set definitions such as sets matching “/*” instead of with specific resource types.

BHOLD

Issue 1

There’s an inconsistency between the Permission name and the value if an attribute changes. After an Export\Import\Export flow in FIM Sync, BHOLD receives duplicates of a renamed group and retains the original group in the database.

Note-to-self: Exchange recipient administration rights in ILM/FIM/MIM

Another great post to bookmark, using the blog as my external memory again:
Check Paul Williams’ post at: http://blog.msresource.net/2011/12/02/exchange-recipient-administration-overkill-in-ilm-and-fim/

“What am I talking about?  Reducing the privilege required to perform Exchange recipient provisioning using the Active Directory Domain Services Management Agent (ADMA).  The default documentation on the subject clearly states that in order to provision mailbox-enabled users or linked mailboxes the ADMA account needs to be a member of the Recipient Administrators role group.  Now, while it’s true membership in that group will allow you to run Update-Recipient and successfully invoke the RUS after creating a user and stamping the mandatory Exchange attributes that same membership also grants you access to perform a multitude of recipient administration tasks that the account doesn’t need to perform.”

And also: http://blog.msresource.net/2011/12/14/delegating-the-minimum-set-of-permissions-for-mailbox-enabled-user-and-linked-mailbox-provisioning/

Note-to-self: Installing the Microsoft Identity Manager 2016 (4.3.1935.0) Service and Portal – Upgrade from FIM 2010 R2

Source: http://blogs.msdn.com/b/connector_space/archive/2015/08/05/installing-the-microsoft-identity-manager-2016-4-3-1935-0-service-and-portal-upgrade-from-fim-2010-r2.aspx

Great work from Anthony Marsiglia (FIM Devil)

Note-to-self: By default #FIM2010 Localized information is not migrated using Export-FIMConfig

Many of us are using the Export-FIMConfig powershell to export, extract, migrate or document FIM Service and portal configurations.

If someone complains that the localized content is not exported or migrated, I send over the links below.

Source:


Many international FIM customers have localized and/or customized content that doesn’t get exported with the default export functionality.
This is explained in Appendix C: “Localized information not migrated by default”:

“By default, the Windows PowerShell scripts that are included in this guide do not migrate localized information. To include localized display names, edit the ExportPolicy.ps1 and the SyncPolicy.ps1 so that the Export-FIMConfig cmdlet includes the –AllLocales option. This option instructs the cmdlet to download all localized information. However, its presence slows down the scripts.

Another parameter to pay attention to is the -MessageSize parameter.

As explained at “Windows PowerShell Examples for Configuring FIM“:

“If a FIM 2010 R2 resource is too large to fit within a single Simple Object Access Protocol (SOAP) message, it may be necessary to increase the message size. This regularly happens when you export Set resources with thousands of explicit members. Often, administrators pick an arbitrarily large message size such as 999,999.”

Keep in mind that exporting the localized information and a large message size will significantly impact your export performance.
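As an added example (not from the original post or the Microsoft guide), this PowerShell exports the FIM Service policy configuration with both options discussed above, -AllLocales and -MessageSize, times the export so the performance cost is visible, and saves the result as XML. The URI, output path and the 999,999 message size (the value the quoted guide mentions) are assumptions; counting localized attributes relies on the Locale property of the exported attributes, which is also an assumption about the snap-in’s object model.

```powershell
# Added example: export the FIM Service policy configuration including
# localized display names, with an enlarged SOAP message size, and save it.
# Assumptions: FIM Service on localhost:5725; output to %TEMP%.
$FimServiceUri = 'http://localhost:5725'
$OutFile       = Join-Path $env:TEMP 'policy-all-locales.xml'

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# -AllLocales pulls every localized string; -MessageSize raises the SOAP limit
# so large Sets with many explicit members do not fail the export.
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$policy = @(Export-FIMConfig -Uri $FimServiceUri -PolicyConfig -AllLocales -MessageSize 999999)
$stopwatch.Stop()

# Show how much of the export is localization data (assumes attributes
# expose a Locale property that is set on localized values).
$localized = @($policy | Where-Object {
    @($_.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.Locale }).Count -gt 0
})
"{0} resources exported in {1:n1} s; {2} carry localized attributes" -f `
    $policy.Count, $stopwatch.Elapsed.TotalSeconds, $localized.Count

# Persist the export; the XML can later be read back with ConvertTo-FIMResource
# and fed to Join-FIMConfig / Compare-FIMConfig / Import-FIMConfig for migration.
$policy | ConvertFrom-FIMResource -file $OutFile
"Written to $OutFile"
```

Run the same export without -AllLocales to compare the elapsed time; the difference is the cost the appendix warns about, and it grows with the number of languages enabled in the portal.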

 

Some additional references to bookmark:

And interesting to read: