FIM2010

Microsoft Identity Manager online resources (#MIM2016)

Quick note on Microsoft Learn & Docs

A while ago Microsoft moved from Docs (Docs.microsoft.com) to Learn (Learn.microsoft.com), but still some older information might point to the Docs links. In case the redirect fails, replace the docs prefix in the URL to learn an try again.
If it still fails, Bing it and let me know.

Microsoft news and announcements

Microsoft Product support lifecycle

https://docs.microsoft.com/en-us/lifecycle/products/?terms=Identity

Feeds

Official documentation – Microsoft

Microsoft Learn- MIM landing page: https://learn.microsoft.com/en-us/microsoft-identity-manager
Microsoft Identity Manager 2016 news and updates: https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016
Version History: https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/version-history

Getting prepared

Supported platforms: https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms

Best practices

https://learn.microsoft.com/en-us/microsoft-identity-manager/mim-best-practices

Deployment documentation

Capacity planning: https://learn.microsoft.com/en-us/microsoft-identity-manager/capacity-planning-guide
Deploy and use: https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-deploy
Deprecated features: https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-deprecated-features

MIM for developers

•Microsoft Identity Manager 2016 developer reference: https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-developer-reference
•Microsoft Identity Manager Cmdlets Reference: https://learn.microsoft.com/en-us/powershell/microsoft-identity-manager/overview?view=idm-ps-2016sp1

MIM reference material

Developer reference: https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-developer-reference
Functions reference: https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/mim2016-functions-reference
Management agent run error codes: https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/maerrorcodes
RCDC configuration XML: https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/rcd-configuration-xml-reference

Github

(Microsoft) MIM Configuration Documenter

https://github.com/microsoft/MIMConfigDocumenter

(Microsoft) Workflow Activity Library (WAL)

https://github.com/microsoft/MIMWAL

MIM projects

https://github.com/search?q=mim2016

Microsoft Community

Forums (Active)

Tech Community : https://techcommunity.microsoft.com/

Microsoft Learn – Q&A : https://learn.microsoft.com/en-us/answers/search.html?type=question%20OR%20idea%20OR%20kbentry%20OR%20answer%20OR%20topic%20OR%20user&redirect=search%2Fsearch&sort=relevance&q=identity%20manager

Microsoft Answers

•Microsoft Answers: https://answers.microsoft.com/en-us/search/search?SearchTerm=MIM%202016
•FIM 2010: https://answers.microsoft.com/en-us/search/search?SearchTerm=FIM%202010

Forums (Achive)

(archive) Technet forum FIM/MIM: https://social.technet.microsoft.com/Forums/en-US/home?forum=ilm2&filter=alllanguages
(archive) Technet Forum ILM 2007: https://social.technet.microsoft.com/Forums/en-US/home?forum=identitylifecyclemanager&filter=alllanguages

Technet blogs archive

Technet blogs archive: https://learn.microsoft.com/en-us/archive/blogs/

Experts Exchange

Experts Exchange: https://www.experts-exchange.com/searchResults.jsp?searchTerms=MIM2016

Microsoft Wiki

Microsoft Wiki: https://social.technet.microsoft.com/wiki
Short URL: https://aka.ms/wiki

ILM/FIM/MIM article overview

https://social.technet.microsoft.com/wiki/contents/articles/3610.fim-2010-mim-2016-related-wiki-articles.aspx

ILM/FIM/MIM Troubleshooting

https://social.technet.microsoft.com/wiki/contents/articles/3610.fim-2010-mim-2016-related-wiki-articles.aspx#FIM_Troubleshooting_Article

The FIM/MIM geek blogs & posts…

Below you’ll find some interesting and helpful articles and posts (some of the are old/archived… But still valid for MIM too.)

In alphabetic order (on last name)

Bob Bradley: https://idm4real.com/
Blain Checkly: https://identityminded.wordpress.com/
Jorge de Almeida Pinto (MVP): https://jorgequestforknowledge.wordpress.com/
Soren Granfeldt: https://github.com/sorengranfeldt
Antony Ho (Microsoft) : https://learn.microsoft.com/en-us/archive/blogs/aho/
Jeff Ingalls (https://ingallsdesigns.com/),
Borys Majewski (http://idarchitect.net/)
Ryan Newington (https://twitter.com/RyanLNewington): https://lithnet.io/products/mim
Kent Nordstrom: https://konab.com/blog/
Darren Robinson: https://blog.darrenjrobinson.com/identity-manager-management-agents/
Carol Wapshere: https://www.wapshere.com/missmiis/rcdc-memberof-list
…

Facebook

https://www.facebook.com/groups/MicrosoftIdentityManager/

Twitter

Books

Online Companion guide for MIM 2016 book

https://social.technet.microsoft.com/wiki/contents/articles/34993.microsoft-identity-manager-2016-handbook-online-companion-guide.aspx

Visio Stencils

https://github.com/PeterGeelen/Microsoft-Identity-Manager/tree/main/FIM-MIM%20stencils

Note-to-self: #MIM2016 & #FIM2010 Config documenter released on GitHub

Source: Announcement on MIM 2016 Group on LinkedIn by Jef Kazimer

Source Code: https://github.com/Microsoft/MIMConfigDocumenter

Jef announced that the Identity Community Projects team has published the MIM Config Documenter tool to the Microsoft GitHub Organization as an open source community project.

The MIM configuration documenter is a very nice and easy tool to generate documentation of a MIM / FIM synchronization or service installation.

It allows to:

Document deployment configuration details for the MIM / FIM solution, including MIMWAL Workflow definitions
Track any configuration changes you have made since a specific baseline
Build confidence in getting things right when making changes to the deployed solution

You can find the project code, releases, and documentation at https://github.com/Microsoft/MIMConfigDocumenter

Note-to-self: Got #MIM2016 product feedback, feature wish list? aka.ms/mimfeedback

Very short note-to-myself (#memory-function-on)…

David Steadman, respected @fimguy, now @TheMIMGuy posted an interesting poke…

#MIM2016 Have an Idea? Have Feedback? https://aka.ms/mimfeedback

— David Steadman (@TheMIMGuy) February 14, 2017

So, got any constructive suggestion, move over to that feedback page at: https://aka.ms/mimfeedback

(Last update: 2020-12-31)

#FIM2010 & #MIM2016 Error 25009 fun stuff on #TNWiki

For the FIM Geeks, I’ve submitted some new FIM/MIM 25009 event troubleshooting articles on TechNet Wiki (http://aka.ms/Wiki)

Plus, a page the collects all the 25009 troubleshooting resources, including lots of fun stuff of Tim Macauly.

FIM/MIM Troubleshooting Error 25009 Resource page

If you got more of this 25009 fun stuff yourself, feel free to add your articles and add them to the collection page.

Updated: 2020-12-30

A hotfix rollup package (build 4.1.3765.0) is available for #FIM2010

Source: https://support.microsoft.com/en-us/kb/3171318

Issues that are fixed and features that are added in this update

This update fixes the following issues and adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Certificate Management

Issue 1 A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.
Issue 2 The Duplicate Revocation Settings policy is replaced because some users could not set it.
Issue 3 There is a redundant space in the “Profile Summary” string on the Request Complete page for some languages.

FIM Synchronization Service

Issue 1 In a metaverse search and when you view the object, there is a Last Modified field. But when you sort that field, it sorts as a generic text field instead of as a date field.
Issue 2 Error messages (such as Event ID 6313) are logged in the event log. Additionally, performance counters don’t work.
Issue 3 The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.
Issue 4 When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the size value quietly changes to the minimum or the maximum after you click Finish.
Issue 5 An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.
Issue 6 You receive a “Reference to undeclared entity ‘qt'” error message when you run the history process and the history text contains the “greater than” symbol (>).
Issue 7 Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.
Issue 8 A “MEMORY_ALLOCATION_FAILURE” error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

Issue 1 Multivalued labels are displayed incorrectly in a single line in the UI.

FIM Service

Issue 1 During an Export process between the Synchronization and FIM Service, the msidmCompositeType request may fail if some multivalued string attribute value is changed in the scope of the Export session. This behavior affects performance.
Issue 2 In SharePoint Server 2013 and later versions, if you change a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

Issue 1 When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.
Issue 2 Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.
Issue 3 When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.
Issue 4 An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.
Issue 5 If two or more roles assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.
Issue 6 An email alias is truncated if it is longer than 30 characters.

Updated: 2020-12-30

Note-to-self: #FIM2010 Quick Tip – Who has NOT Registered for SSPR

Just a quick useful tip to solve the practical question…

Question already asked (a few times) on the FIM forum: how to “Query FIM user not registered for SSPR”?

https://social.technet.microsoft.com/Forums/en-US/b44a4a2c-ebc2-45e2-9afd-1d083c7be3ad/query-fim-user-not-registered-for-sspr?forum=ilm2

Answers:

See Tomasz Onysko’s response on the FIM Forum thread.
Anthony Marsiglia (FIM Devil) on the the Connector Space blog: Who has Not Registered for SSPR
Revert the logic on this solution of Markus Vilcinskas , published on TNWiki at: How to Use PowerShell to Export All Users Who Have Registered for Self-Service Password Reset (SSPR)
https://jorgequestforknowledge.wordpress.com/2012/11/11/finding-all-users-within-fim-that-have-not-registered-for-sspr/

#FIM2010 upgrade/update failure and roll back

Recently I have been working with several customer that experienced a similar situation:

update FIM with a hotfix fails
upgrade FIM 2010 to FIM 2010 R2 fails
during installation of FIM he FIM services won’t start

All of them result in a roll-back of the installation.

Let me spoil the root cause right away (and then explain): using an SQL port number in the installation wizard.

The installation wizard is not able to connect to the database with a port number.

Solution:

use an SQL alias

Background

The FIM Sync Service and/or the FIM servers check the registry for the database server and instance and then connect to SQL and start the service.

The use of a port number seems to break the wizard.
Normally the FIM Services and FIM Sync Services CAN use an SQL port…

Easy fix: set an alias in the SQL Server client network utility

c:\windows\system32\cliconfig.exe

Then change the registry to use the FIM SQL ALIAS (as server), you don’t need the instance and port anymore (as the alias will take care of it).

For the FIM Sync:

Check the server and instance configured for the FIM Sync database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Server (use SQL Alias)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Instance (empty)

for FIM Service

Check the server and instance configured for the FIM Service database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMService\DatabaseServer

Reference

I’ve updated the Wiki article with more detailed info at http://social.technet.microsoft.com/wiki/contents/articles/14551.fim-2010-r2-troubleshooting-syncservice-installation-or-upgrade-failure-and-roll-back.aspx

FIM2010# MIISActivate – FIM Sync service terminated with service-specific error %%-2146234334

This article has been posted on TNWiki at: FIM2010 Troubleshooting: MIISActivate – FIM Sync service terminated with service-specific error %%-2146234334.

Situation

Failing over a FIM Sync Server to the standby FIM sync server using MIISActivate.

After using successfully MIISActivate, the FIMSync Service fails to start and logs an error in the eventviewer.

Symptoms

You’ll see 2 error messages in the event viewer, erro 7024 and error 6324.

Error 7024

Reference

This error is pretty similar or exactly like the error described in the following Wiki article:

FIM2010 Troubleshooting: FIM Sync service terminated with service-specific error %%-2146234334.

Screen

Error message Text

Log Name: System

Source: Service Control Manager

Date: 3/02/2016 15:08:59

Event ID: 7024

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: servername.domain.customer

Description:

The Forefront Identity Manager Synchronization Service service terminated with service-specific error %%-2146234334.

Event Xml:

<Channel>System</Channel>

<Computer>servername.domain.customer</Computer>

</System>

<Data Name=”param1″>Forefront Identity Manager Synchronization Service</Data>

</EventData>

</Event>

Error 6324

Error message Text

Log Name: Application

Source: FIMSynchronizationService

Date: 3/02/2016 15:08:59

Event ID: 6324

Task Category: Server

Level: Error

Keywords: Classic

User: N/A

Computer: servername.domain.customer

Description:

The server encountered an unexpected error and stopped.

“BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\sqlstore\storeimp.cpp(5096): 0x8023060d (The computer_id in the database does not match this computer.)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\sqlstore\storeimp.cpp(493): 0x8023060d (The computer_id in the database does not match this computer.)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(429): 0x8023060d (The computer_id in the database does not match this computer.)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x8023060d (The computer_id in the database does not match this computer.)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x8023060d (The computer_id in the database does not match this computer.)

ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2145188339. This is retry number 0.

BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)

ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 1.

BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)

ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 2.

BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)

ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 3.

BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1041): 0x80131022 (unable to get error text)

Forefront Identity Manager 4.1.3634.0″

Event Xml:

< Provider Name=”FIMSynchronizationService” />

< Keywords>0x80000000000000</Keywords>

< EventRecordID>266336</EventRecordID>

<Channel>Application</Channel>

< Computer>servername.domain.customer</Computer>

</System>

< EventData>

<Data>BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\sqlstore\storeimp.cpp(5096): 0x8023060d (The computer_id in the database does not match this computer.)