Thursday, December 23, 2010

FIM CM Search Errors

We recently deployed FIM CM at a client with a large Active Directory (120000+ objects) and ran into two very specific issues when we tried to search for a user to enroll them for a smart card. Here are both issues with their solutions:
1. 'ADSDSOObject' Failed with no error message available, result code: -2147016669 (0x80072023).
This error code means that the result set of the search is too large; add search parameters to narrow the scope. By default Active Directory has a size limit on query results, and the number of AD objects a FIM CM search can return is bound by that same limit (to my knowledge it is 1000 objects). Unfortunately this value cannot be increased in FIM CM.
First, make sure you limit the search scope by adding the group you created for FIM CM users to the CLM.RequestSecurity.Groups setting in the FIM CM web.config file. This allows FIM CM to determine which users are eligible to use FIM CM.
Second, if you are searching a large directory, narrow the scope further by typing at least 3 characters of the login name and adding search fields such as email address, first name or last name to the search criteria.

2. “Value does not fall within the expected range” error
In short, this error occurs because the Authorization Agent account does not have sufficient rights on the object it is trying to access. Check that the account is a member of the “Pre-Windows 2000 Compatible Access” group and that the group's permissions are applied consistently across Active Directory. Our problem stemmed from a set of OUs on which the permissions for that group had been altered from the initially delegated permissions. So if you get this error for a user, you can be sure there is a permissions issue on the OU where that user is located.
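As an added example that is not part of the original post, the decoder below shows what the result code from issue 1 actually is. FIM CM reports it both as a signed 32-bit integer (-2147016669) and as hex (0x80072023); both are the same HRESULT, and because its facility is FACILITY_WIN32 the low 16 bits are the Win32 error 8227, ERROR_DS_SIZELIMIT_EXCEEDED, which is exactly why narrowing the search fixes it. The symbolic names in the table are the documented winerror.h names; the code handles either signed or unsigned input.

```python
"""Decode an HRESULT such as the FIM CM search error 0x80072023.

Added example, not code from the original post. Splits a 32-bit HRESULT
into severity, facility and code, and names the Win32 error when the
facility is FACILITY_WIN32.
"""

FACILITY_WIN32 = 7

# Small table of winerror.h values that appear in the posts on this page.
WIN32_NAMES = {
    8227: "ERROR_DS_SIZELIMIT_EXCEEDED",   # the FIM CM search error
    1722: "RPC_S_SERVER_UNAVAILABLE",      # PCNS 6025 primary status
    1237: "ERROR_RETRY",
    10060: "WSAETIMEDOUT",
}


def to_unsigned32(value: int) -> int:
    """Normalise a signed (-2147016669) or unsigned (0x80072023) code."""
    return value & 0xFFFFFFFF


def decode_hresult(value: int) -> dict:
    """Split an HRESULT into its parts.

    Bit 31 is the severity (1 = failure), bits 16..26 the facility and
    bits 0..15 the code. For FACILITY_WIN32 the code is a plain Win32
    error number, so the winerror.h name is looked up as well.
    """
    hr = to_unsigned32(value)
    failed = bool(hr >> 31)
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {
        "hex": f"0x{hr:08X}",
        "failed": failed,
        "facility": facility,
        "code": code,
        "win32_name": name,
    }


if __name__ == "__main__":
    # The signed value exactly as FIM CM reported it in the post.
    info = decode_hresult(-2147016669)
    print(info)  # hex 0x80072023, facility 7, code 8227, ERROR_DS_SIZELIMIT_EXCEEDED
```

Any other HRESULT from a FIM CM or ADSI error dialog can be fed to decode_hresult the same way; if the facility is not 7 the Win32 table does not apply and the name comes back as None.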


Tuesday, November 30, 2010

Exchange 2007 Management Console on Windows 2008 R2 for Exchange 2007 mailbox Provisioning on FIM 2010

If you have recently deployed FIM 2010 on Windows 2008 R2 and tried to install the Exchange 2007 SP2 or earlier Management Tools (required for Exchange 2007 mailbox provisioning via the AD MA), you will have noticed that SP2 and earlier are not supported on Windows 2008 R2. Fortunately, Exchange 2007 SP3 solves this problem by adding support for Windows 2008 R2.

You can download Exchange 2007 SP3 at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1687160b-634a-43cb-a65a-f355cff0afa6&displaylang=en

Monday, October 25, 2010

Restoring ILM/FIM Database in a different domain

When you need to restore your ILM/FIM Synchronization Service server to a different domain, either for recovery or for development, you will need to do the following in order to access the database:
  1. Install ILM/FIM Sync Service.
  2. Backup the existing configuration of databases and encryption keys.
  3. Restore the database overwriting the existing database.
  4. Run MIISActivate to activate the server.
Here, however, the fun begins: you will not be able to access the server, because the group SIDs stored in the database differ from the actual group SIDs in the domain. You have two choices. Rerun the setup (easiest IMO), or get the SIDs from AD and update the SID values in the mms_server_configuration table. The values are stored in the following fields:
  • administrators_sid - stores the SID for the ILM/FIM Administrators Group
  • operators_sid - stores the SID for the ILM/FIM Operators Group
  • account_joiners_sid - stores the SID for the ILM/FIM Account Joiners Group
  • browse_sid - stores the SID for the ILM/FIM Browsers Group
  • passwordset_sid - stores the SID for the ILM/FIM Password Set Group
As these values are binary, you will need to use a SQL CONVERT when setting them, as in the example below:
-- Replace the five SID literals with the SIDs of the ILM/FIM groups in the new domain,
-- and the instance_id with the value from your own mms_server_configuration row.
UPDATE [FIMSynchronizationService].[dbo].[mms_server_configuration]
   SET [administrators_sid]   = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76C040000)
      ,[operators_sid]        = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76D040000)
      ,[account_joiners_sid]  = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76E040000)
      ,[browse_sid]           = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76F040000)
      ,[passwordset_sid]      = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA770040000)
 WHERE instance_id = '976E8CFB-46C3-425B-85B1-96726DFB044D'
GO
Restart the ILM/FIM Synchronization Service and everything will be accessible again.
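The hex literals in the UPDATE above are raw binary SIDs, which makes them hard to check by eye. The following added example (not code from the original post) converts between SDDL SID strings and that binary form: decoding the five literals shows they are group SIDs from a single domain that differ only in their RID, and sid_to_sql_literal() builds the 0x... literal for a SID string read from AD (for instance the objectSid of each ILM/FIM group in the new domain). The literals in the script are copied from the post; the binary layout implemented is the standard SID structure (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities).

```python
"""Convert between SDDL SID strings and the binary SID blobs stored in
mms_server_configuration.

Added example, not code from the original post. The five literals below
are copied from the UPDATE statement in the post.
"""
import struct

# Literals copied from the post's UPDATE statement.
PAGE_SID_LITERALS = {
    "administrators_sid":  "0x0105000000000005150000002BA93955DBAC7A56E35F9DA76C040000",
    "operators_sid":       "0x0105000000000005150000002BA93955DBAC7A56E35F9DA76D040000",
    "account_joiners_sid": "0x0105000000000005150000002BA93955DBAC7A56E35F9DA76E040000",
    "browse_sid":          "0x0105000000000005150000002BA93955DBAC7A56E35F9DA76F040000",
    "passwordset_sid":     "0x0105000000000005150000002BA93955DBAC7A56E35F9DA770040000",
}


def sid_bytes_to_string(blob: bytes) -> str:
    """Parse a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join(f"-{s}" for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; rejects malformed SDDL strings."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an SDDL SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_to_sql_literal(sid: str) -> str:
    """Render a SID string as the 0x... hex literal used in the UPDATE."""
    return "0x" + sid_string_to_bytes(sid).hex().upper()


def rid(sid: str) -> int:
    """Relative identifier (last sub-authority) of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def decode_page_sids() -> dict:
    """Map each mms_server_configuration field to its decoded SID string."""
    return {field: sid_bytes_to_string(bytes.fromhex(lit[2:]))
            for field, lit in PAGE_SID_LITERALS.items()}


if __name__ == "__main__":
    for field, sid in decode_page_sids().items():
        # Every entry round-trips back to the literal in the post.
        assert sid_to_sql_literal(sid) == PAGE_SID_LITERALS[field]
        print(f"{field:22} {sid}  (RID {rid(sid)})")
```

Running it prints the five SIDs as S-1-5-21-<domain>-1132 through -1136, which is a quick way to confirm that all five literals belong to the same domain before they are written into the table. When preparing the literals for the new domain, feed each group's SID string to sid_to_sql_literal and paste the result into the corresponding CONVERT.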

Wednesday, October 20, 2010

Tech-Ed South Africa is done and Dusted!!

Hi Everyone,
Tech-Ed SA is done, back to reality!!! Thank you to everyone that attended the event and our sessions. Thank you for your valuable contribution in making this event a big success.

Sunday, October 17, 2010

Tech-Ed 2010 - South Africa

The anticipation has been building for Tech-Ed 2010, and as I sit at the airport waiting for my flight, I wonder how it will turn out. I also wish to invite everyone to come and attend my Live@Edu session at the student day on Monday at 16:00 and also my "WTB237 - All you need to know about Microsoft Live @ Edu" on Wednesday morning, where I will delve into Live@Edu in more detail. Also please feel free to attend the sessions that my colleagues will be hosting, as listed below, and please come and visit the Gijima stand and chat to us. Tech-Ed here we come!!!!

Sessions by Gijima

Almero Steyn (Identity Management)
· Realising the “Art of Possible”
· Microsoft Forefront Identity Manager 2010: In Production
· Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management
· Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
· Microsoft Forefront Identity Manager 2010 Deep Dive

Jacques Mostert (Systems Management)
· Realising the “Art of Possible”
· Microsoft System Center Configuration Manager 2007: Overview
· Microsoft System Center Operations Manager 2007 R2: Service Levels, Reports, Dashboards, Report Authoring, and More!
· What’s New Since the Release of Microsoft System Center Operations Manager 2007 R2

Jacques Swanepoel (Identity Management)
· All you need to know about Microsoft Live @ Edu

Jayesh Mowjee (Security)
· Realising the “Art of Possible”
· Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server
· Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft’s Secure Endpoint Solution
· Secure Collaboration: Microsoft Forefront Protection 2010 for SharePoint Deep Dive

Leonard Rawbone (Architecture)
· Realising the “Art of Possible”

Simon Martyn (Virtualisation)
· Realising the “Art of Possible”
· Windows Server 2008 R2 Hyper-V Performance Analysis: How You Can Get the Most Out of Hyper-V
· Dynamic Datacenter \ Cloud Services with Microsoft Virtualization

Friday, October 1, 2010

PCNS Event 6023,6025 Firewall Issue running on Windows 2008

When running the PCNS (Password Change Notification Service) with both a Windows 2008 Domain Controller and an ILM/FIM Synchronization Service server, always remember to add a rule on the ILM/FIM Synchronization Service server to allow inbound PCNS connections (recommended) or disable the firewall on the "Domain" profile (not recommended).

If this is not in place, you will typically get the following event log errors on your DCs:
Event ID 6023 (screenshot omitted)
Event ID 6025 (screenshot omitted)
For event 6025 the typical event log data will look as follows:

Log Name:      Application
Source:        PCNSSVC
Date:          2010/09/30 03:09:55 PM
Event ID:      6025
Task Category: (4)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DCname.domain.com
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.
The password change notification target could not be contacted.
User Action:
The target server may not be running. Verify that the target server is running.
Additional Details:
Thread ID: 2804
Tracking ID: 9dd78d30-cda7-4163-96ec-04cb1312823b
User GUID: 82ed51a7-5c1c-4e9d-ac22-296db6190f5d
User: Domain\TestUser
Target: miisPCNS
Delivery Attempts: 42
Queued Notifications: 3
0x000006BA - The RPC server is unavailable.
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 2
Status is 1722 - The RPC server is unavailable.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1722 - The RPC server is unavailable.
Detection location is 1442
Flags is 0
NumberOfParameters is 1
Unicode string: ilmserver.domain.com
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1722 - The RPC server is unavailable.
Detection location is 323
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1237 - The operation could not be completed. A retry should be performed.
Detection location is 313
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 311
Flags is 0
NumberOfParameters is 3
Long val: 49201
Pointer val: 0
Pointer val: 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 318
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:34:54
Generating component is 18
Status is 1237 - The operation could not be completed. A retry should be performed.
Detection location is 313
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:34:54
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established con
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PCNSSVC" />
    <EventID Qualifiers="49152">6025</EventID>
    <Level>2</Level>
    <Task>4</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-09-30T13:09:55.000Z" />
    <EventRecordID>224531</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DCname.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>2804</Data>
    <Data>9dd78d30-cda7-4163-96ec-04cb1312823b</Data>
    <Data>82ed51a7-5c1c-4e9d-ac22-296db6190f5d</Data>
    <Data>domain\TestUser</Data>
    <Data>miisPCNS</Data>
    <Data>42</Data>
    <Data>3</Data>
    <Data>0x000006BA</Data>
    <Data>The RPC server is unavailable.
</Data>
    <Data>ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 2
Status is 1722 - The RPC server is unavailable.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1722 - The RPC server is unavailable.
Detection location is 1442
Flags is 0
NumberOfParameters is 1
Unicode string: ilmserver.domain.com
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1722 - The RPC server is unavailable.
Detection location is 323
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1237 - The operation could not be completed. A retry should be performed.
Detection location is 313
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 311
Flags is 0
NumberOfParameters is 3
Long val: 49201
Pointer val: 0
Pointer val: 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 318
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:34:54
Generating component is 18
Status is 1237 - The operation could not be completed. A retry should be performed.
Detection location is 313
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:34:54
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established con</Data>
<Data>
The password change notification target could not be contacted.
User Action:
The target server may not be running. Verify that the target server is running.
Additional Details:
</Data>
  </EventData>
</Event>
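The event above carries everything needed to spot this failure mode automatically: the target name, how many delivery attempts have been made, how many notifications are still queued, and the chain of RPC status codes underneath. The following added example (not code from the original post) parses the Event XML and reduces it to those fields. The XML embedded in the script is a shortened copy of the event posted above with the repetitive RPC detail trimmed; the positional meaning assigned to the Data elements (Thread ID, Tracking ID, User GUID, User, Target, Delivery Attempts, Queued Notifications, error code, message, details) is inferred from the Description text of the same event and is an assumption, not a documented schema.

```python
"""Summarise a PCNS event 6025 (notification delivery failure) from its
Event XML.

Added example, not code from the original post. SAMPLE_6025 is a shortened
copy of the event posted above; the positional mapping in FIELDS is inferred
from that event's Description text (an assumption, not a published schema).
"""
import re
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_6025 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PCNSSVC" />
    <EventID Qualifiers="49152">6025</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2010-09-30T13:09:55.000Z" />
    <Computer>DCname.domain.com</Computer>
  </System>
  <EventData>
    <Data>2804</Data>
    <Data>9dd78d30-cda7-4163-96ec-04cb1312823b</Data>
    <Data>82ed51a7-5c1c-4e9d-ac22-296db6190f5d</Data>
    <Data>domain\\TestUser</Data>
    <Data>miisPCNS</Data>
    <Data>42</Data>
    <Data>3</Data>
    <Data>0x000006BA</Data>
    <Data>The RPC server is unavailable.</Data>
    <Data>ProcessID is 2764
Status is 1722 - The RPC server is unavailable.
Unicode string: ilmserver.domain.com
Status is 1237 - The operation could not be completed. A retry should be performed.
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Long val: 49201</Data>
  </EventData>
</Event>"""

# Assumed order of the <Data> elements, taken from the Description layout.
FIELDS = ["thread_id", "tracking_id", "user_guid", "user", "target",
          "delivery_attempts", "queued_notifications", "error_code",
          "error_text", "details"]


def parse_pcns_6025(xml_text: str) -> dict:
    """Return the interesting fields of a PCNS 6025 event as a dict."""
    root = ET.fromstring(xml_text)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", EVENT_NS)]
    rec = dict(zip(FIELDS, data))
    rec["event_id"] = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    rec["computer"] = root.findtext("e:System/e:Computer", namespaces=EVENT_NS)
    rec["delivery_attempts"] = int(rec["delivery_attempts"])
    rec["queued_notifications"] = int(rec["queued_notifications"])
    rec["error_code"] = int(rec["error_code"], 16)          # 0x000006BA -> 1722
    details = rec.get("details", "")
    # Every nested RPC status in the detail block, e.g. 1722, 1237, 10060.
    rec["status_codes"] = sorted({int(m) for m in re.findall(r"Status is (\d+)", details)})
    # The host the DC tried to reach appears as a Unicode string parameter.
    hosts = re.findall(r"Unicode string: (\S+)", details)
    rec["target_host"] = hosts[0] if hosts else None
    return rec


def looks_like_blocked_target(rec: dict) -> bool:
    """1722 (RPC server unavailable) caused by 10060 (connect timed out).

    A timeout rather than a refused connection typically means the packets
    are being dropped, which matches the missing firewall rule described in
    the post; a target service that is merely stopped usually answers.
    """
    return (rec["event_id"] == 6025
            and rec["error_code"] == 1722
            and 10060 in rec["status_codes"])


if __name__ == "__main__":
    rec = parse_pcns_6025(SAMPLE_6025)
    print(f"{rec['computer']} -> {rec['target']} ({rec['target_host']}): "
          f"{rec['delivery_attempts']} attempts, {rec['queued_notifications']} queued, "
          f"statuses {rec['status_codes']}, firewall pattern: {looks_like_blocked_target(rec)}")
```

Run against events exported from the DC's Application log, the delivery_attempts and queued_notifications counters are the ones worth alerting on: they grow for as long as the Synchronization Service server is unreachable, and a rising queue means password changes are not reaching the connected systems.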

Friday, September 17, 2010

Configuring AD mail-enabled groups to sync as groups using Galsync R4.2

In order to allow for the creation of a group as a group and not a contact, you will need to configure the following:
1. OnPremise MA
You will need to select the following attributes:
  • member
  • legacyExchangeDN
  • proxyAddresses
  • mail
This can be done as follows:
  1. Open the Identity Manager/FIM 2010 Synchronization Engine Console
  2. Click on Management Agents.
  3. Right click on the OnPremise MA and select Properties
  4. Click on “Select Attributes”
  5. Click on “Show All” and select the attributes listed above
  6. Then click on “Configure Attribute Flow”
  7. Select the options as shown below and click New (screenshot omitted)
  8. Click OK to finish
2. Hosted MA
You will need to configure the following:
  1. Click on Management Agents.
  2. Right click on the Hosted MA and select Properties
  3. Click on “Configuring Additional Parameters” and configure as shown below (screenshot omitted)
  4. Then click on “Configure Attribute Flow” (screenshot omitted)
  5. Select the options as shown below and click New
  6. Click OK to finish
Run a full import and full synchronization cycle on the OnPremise MA and an EDIDS (export, delta import and delta synchronization) cycle on the Hosted