Hi, when you need to restore your ILM/FIM SyncService server to a different domain, either for recovery or for development, you will need to do the following in order to access the database:
- Install ILM/FIM Sync Service.
- Backup the existing configuration of databases and encryption keys.
- Restore the database overwriting the existing database.
- Run MIISActivate to activate the server.
Here, however, the fun begins: you will not be able to access the server, because the group SIDs stored in the database differ from the actual group SIDs of the domain. You have two choices. Rerun the setup (easiest IMO), or get the SIDs from AD and update the SID values in the mms_server_configuration table. The values are stored in the following fields:
- administrators_sid - stores the SID for the ILM/FIM Administrators Group
- operators_sid - stores the SID for the ILM/FIM Operators Group
- account_joiners_sid - stores the SID for the ILM/FIM Account Joiners Group
- browse_sid - stores the SID for the ILM/FIM Browsers Group
- passwordset_sid - stores the SID for the ILM/FIM Password Set Group
As these values are binary, you will need to run a SQL CONVERT when setting the values, as per the example below:
-- Example values: replace each SID and the instance_id with those of your own environment.
UPDATE [FIMSynchronizationService].[dbo].[mms_server_configuration]
   SET [administrators_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76C040000)
      ,[operators_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76D040000)
      ,[account_joiners_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76E040000)
      ,[browse_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA76F040000)
      ,[passwordset_sid] = CONVERT(varbinary, 0x0105000000000005150000002BA93955DBAC7A56E35F9DA770040000)
 WHERE instance_id = '976E8CFB-46C3-425B-85B1-96726DFB044D'
GO
Restart the ILM/FIM SyncService service and all will be accessible again.
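Because these five columns decide who can administer the sync service, it helps to decode what is stored and to generate the new values rather than hand-typing hex. The following is an added example, not code from the original post or from Microsoft: the function names are hypothetical, and the target SID and GUID in the demo are constructed placeholders.

```python
import struct
import uuid

# The five SID columns named in this post; any other key is rejected.
ROLE_COLUMNS = ("administrators_sid", "operators_sid", "account_joiners_sid",
                "browse_sid", "passwordset_sid")

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout stored in the table."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes,
    # big-endian), then each sub-authority as a little-endian uint32.
    return (struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID, e.g. a value read back from the table."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match the sub-authority count")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big")),
                     *map(str, subs)])

def build_update(instance_id: str, sids: dict) -> str:
    """Render the UPDATE text for review before it is run."""
    unknown = set(sids) - set(ROLE_COLUMNS)
    if unknown:
        raise ValueError(f"unexpected columns: {sorted(unknown)}")
    guid = str(uuid.UUID(instance_id)).upper()  # raises on a malformed GUID
    # A 0x literal is already varbinary, so no CONVERT length can truncate it.
    sets = "\n      ,".join(f"[{c}] = 0x{sid_to_bytes(sids[c]).hex().upper()}"
                            for c in ROLE_COLUMNS if c in sids)
    return ("UPDATE [FIMSynchronizationService].[dbo].[mms_server_configuration]\n"
            f"   SET {sets}\n WHERE instance_id = '{guid}'")

if __name__ == "__main__":
    # First SID value from the post's UPDATE, decoded to its readable form.
    page_hex = "0105000000000005150000002BA93955DBAC7A56E35F9DA76C040000"
    print(bytes_to_sid(bytes.fromhex(page_hex)))
    # Constructed SID and placeholder GUID for a hypothetical target domain.
    print(build_update("00000000-0000-0000-0000-000000000000",
                       {"administrators_sid": "S-1-5-21-1111-2222-3333-1105"}))
```

Decoding the values currently in the table and comparing them with the group SIDs in the new domain confirms which groups will hold each role after the restart.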
This is SOOOO helpful. I'm working with a customer right now that set up FIM Sync with local groups, but then wanted to do Domain groups so DR was simpler. I'm in the process of updating their dbs so everything works right after miisactivate. BIG THANKS.