Monday, October 25, 2010

Restoring ILM/FIM Database in a different domain

Hi. When you need to restore your ILM/FIM Sync Service server to a different domain, either for recovery or for development, you will need to do the following in order to access the database:
  1. Install ILM/FIM Sync Service.
  2. Back up the existing configuration of databases and encryption keys.
  3. Restore the database overwriting the existing database.
  4. Run MIISActivate to activate the server.
Here, however, the fun begins: you will not be able to access the server, because the group SIDs stored in the database differ from the actual group SIDs of the domain. You have two choices: rerun the setup (easiest IMO), or get the SIDs from AD and update the SID values in the mms_server_configuration table. The values are stored in the following fields:
  • administrators_sid - stores the SID for the ILM/FIM Administrators Group
  • operators_sid - stores the SID for the ILM/FIM Operators Group
  • account_joiners_sid - stores the SID for the ILM/FIM Account Joiners Group
  • browse_sid - stores the SID for the ILM/FIM Browsers Group
  • passwordset_sid - stores the SID for the ILM/FIM Password Set Group
As these values are binary, you will need to run a SQL CONVERT when setting the values, as per the example below:
UPDATE [FIMSynchronizationService].[dbo].[mms_server_configuration]
   SET [administrators_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76C040000)
      ,[operators_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76D040000)
      ,[account_joiners_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76E040000)
      ,[browse_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76F040000)
      ,[passwordset_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA770040000)
 WHERE instance_id = '976E8CFB-46C3-425B-85B1-96726DFB044D'
GO
Restart the ILM/FIM SyncService service and all will be accessible again.
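
The binary layout behind these values, as an added example that is not part of the original post: Python that converts between the S-1-5-21-... string form shown by AD tools and the 0x literal, and builds the UPDATE from a column-to-SID mapping. The function names are assumptions of this example, and it writes varbinary(68), the size of the largest possible SID, where the post uses bare varbinary.

```python
import struct
import uuid

# Column names from the post; anything else is rejected.
SID_COLUMNS = ("administrators_sid", "operators_sid", "account_joiners_sid",
               "browse_sid", "passwordset_sid")

def sid_to_hex(sid):
    """Encode 'S-1-5-21-...' as the 0x literal used in the UPDATE."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("unsupported SID: %r" % sid)
    # Layout: revision, sub-authority count, 6-byte big-endian authority,
    # then each sub-authority as a little-endian 32-bit integer.
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return "0x" + raw.hex().upper()

def hex_to_sid(literal):
    """Decode a stored value to string form, to compare it with the AD group."""
    text = literal.strip()
    raw = bytes.fromhex(text[2:] if text[:2].lower() == "0x" else text)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    fields = [raw[0], int.from_bytes(raw[2:8], "big"), *subs]
    return "S-" + "-".join(str(f) for f in fields)

def build_update(instance_id, group_sids):
    """Return the UPDATE statement for a {column: SID string} mapping."""
    unknown = set(group_sids) - set(SID_COLUMNS)
    if unknown:
        raise ValueError("unexpected column(s): %s" % sorted(unknown))
    guid = str(uuid.UUID(instance_id)).upper()  # rejects anything that is not a GUID
    sets = "\n      ,".join("[%s] = CONVERT(varbinary(68), %s)" % (c, sid_to_hex(s))
                            for c, s in group_sids.items())
    return ("UPDATE [FIMSynchronizationService].[dbo].[mms_server_configuration]\n"
            "   SET %s\n WHERE instance_id = '%s'" % (sets, guid))

if __name__ == "__main__":
    # First value from the post's UPDATE, decoded and then re-encoded.
    stored = "0x0105000000000005150000002BA93955DBAC7A56E35F9DA76C040000"
    sid = hex_to_sid(stored)
    print(sid)
    print(build_update("976E8CFB-46C3-425B-85B1-96726DFB044D",
                       {"administrators_sid": sid}))
```

Decoding the existing column values with hex_to_sid before overwriting them gives a record of the old domain's group SIDs for the change log.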

Wednesday, October 20, 2010

Tech-Ed South Africa is done and Dusted!!

Hi Everyone,
Tech-Ed SA is done, back to reality!!! Thank you to everyone that attended the event and our sessions. Thank you for your valuable contribution in making this event a big success.

Sunday, October 17, 2010

Tech-Ed 2010 - South Africa

The anticipation has been building for Tech-Ed 2010, and as I sit at the airport waiting for my flight, I wonder how it will turn out. I also wish to invite everyone to come and attend my Live@Edu session at the student day on Monday at 16:00 and also my "WTB237 - All you need to know about Microsoft Live @ Edu" on Wednesday morning, where I will delve into Live@Edu in more detail. Also, please feel free to attend the sessions that my colleagues will be hosting, as listed below, and please come and visit the Gijima stand and chat to us. Tech-Ed here we come!!!!

Sessions by Gijima

Almero Steyn (Focus Area: Identity Management)
  • Realising the “Art of Possible”
  • Microsoft Forefront Identity Manager 2010: In Production
  • Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management
  • Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
  • Microsoft Forefront Identity Manager 2010 Deep Dive
Jacques Mostert (Focus Area: Systems Management)
  • Realising the “Art of Possible”
  • Microsoft System Center Configuration Manager 2007: Overview
  • Microsoft System Center Operations Manager 2007 R2: Service Levels, Reports, Dashboards, Report Authoring, and More!
  • What’s New Since the Release of Microsoft System Center Operations Manager 2007 R2
Jacques Swanepoel (Focus Area: Identity Management)
  • All you need to know about Microsoft Live @ Edu
Jayesh Mowjee (Focus Area: Security)
  • Realising the “Art of Possible”
  • Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server
  • Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft’s Secure Endpoint Solution
  • Secure Collaboration: Microsoft Forefront Protection 2010 for SharePoint Deep Dive
Leonard Rawbone (Focus Area: Architecture)
  • Realising the “Art of Possible”
Simon Martyn (Focus Area: Virtualisation)
  • Realising the “Art of Possible”
  • Windows Server 2008 R2 Hyper-V Performance Analysis: How You Can Get the Most Out of Hyper-V
  • Dynamic Datacenter \ Cloud Services with Microsoft Virtualization

Friday, October 1, 2010

PCNS Event 6023,6025 Firewall Issue running on Windows 2008

When running PCNS (Password Change Notification Service) with both a Windows 2008 Domain Controller and an ILM/FIM Synchronization Service server, always remember to add a rule on the ILM/FIM Synchronization Service server to allow inbound PCNS connections (recommended), or disable the firewall on the "Domain" profile (not recommended).

If this is not in place, you will typically get the following event log errors on your DCs: Event ID 6023 and Event ID 6025.

For Event ID 6025, the event log data will typically look as follows:

Log Name:      Application
Source:        PCNSSVC
Date:          2010/09/30 03:09:55 PM
Event ID:      6025
Task Category: (4)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DCname.domain.com
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.
The password change notification target could not be contacted.
User Action:
The target server may not be running. Verify that the target server is running.
Additional Details:
Thread ID: 2804
Tracking ID: 9dd78d30-cda7-4163-96ec-04cb1312823b
User GUID: 82ed51a7-5c1c-4e9d-ac22-296db6190f5d
User: Domain\TestUser
Target: miisPCNS
Delivery Attempts: 42
Queued Notifications: 3
0x000006BA - The RPC server is unavailable.
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 2
Status is 1722 - The RPC server is unavailable.
Detection location is 1710
Flags is 0
NumberOfParameters is 1
Long val: 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1722 - The RPC server is unavailable.
Detection location is 1442
Flags is 0
NumberOfParameters is 1
Unicode string: ilmserver.domain.com
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1722 - The RPC server is unavailable.
Detection location is 323
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 1237 - The operation could not be completed. A retry should be performed.
Detection location is 313
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 311
Flags is 0
NumberOfParameters is 3
Long val: 49201
Pointer val: 0
Pointer val: 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:55:89
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Detection location is 318
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:34:54
Generating component is 18
Status is 1237 - The operation could not be completed. A retry should be performed.
Detection location is 313
Flags is 0
NumberOfParameters is 0
ProcessID is 2764
System Time is: 9/30/2010 13:9:34:54
Generating component is 18
Status is 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established con