A look at why using Multi-value tables are not always the best approach

I recently had a case at a client where they were unable to get a full import of their user information from Oracle into FIM 2010 with the full import failing after 36 hours without importing all the necessary information. The institution has a 250000+ user base and complex infrastructure.  The Oracle MA utilized a multi-value table for allocation of some RBAC components within their AD.

The Oracle MA had the following tables configured:

1.       Main User information table (250000+ items, 18 fields, 790mb)

2.       Multi-value table (250000+ items, 4 fields,  690mb)

3.       Delta table

I followed the usual troubleshooting steps ensuring that:

1.       The Oracle tables were correctly built and indexed.

2.       The Oracle client version was correct.

3.       The FIM Server was installed, configured and patched correctly.

4.       All possible bottlenecks were identified and eliminated between servers in question.

With all these resolved, we did not get a significant increase in speed, so I did a test of importing the user information excluding the multi-value table from the configuration and the import completed in less than 40 minutes. It was in fact the multi-value table causing the import performance degradation. Although it was correctly indexed, contained only 4 fields, it was almost the same size as the main user table.

We had three options:

1.       Reduce the complexity of the data in the main and multi-value tables (was not possible in this instance).

2.       Consolidate the data into a single view and pass the multi-value processing to FIM rules extension.

3.       Write a custom management agent to incorporate multi-values directly (Due to the work involved in achieving this it was not really an option).

I then asked the client to consolidate the data into a single view writing the multi-values delimited to a single value field. I was then able to still do the import in less than 40 minutes and use a rules extension to extract the multi-values from the single value table to an array which I then flowed to the relevant multi-value attributes in the metaverse. The total process of full import and sync then completed in less than 3 hours.

I am a big advocate of using multi-value tables where appropriate, but there certain scenarios where using multi-value tables are just not feasible and other approaches may be needed.

When evaluating whether or not to use a multi-value table it is important remember that the size and data complexity if the table will affect performance. My own rule of thumb is once the multi-value table exceeds 33-50% (based on complexity) of size of the main table there will be a performance impact on the import of data into the connector space.

FIM 2010 R2 RTM now available on MSDN

As of the 1st of June 2012 FIM 2010 R2 RTM has been released on MSDN And TechNet. What is very notable is that BHOLD is also available.

The media can be downloaded via the following links below:
FIM 2010 R2 RTM: https://msdn.microsoft.com/en-US/subscriptions/securedownloads/#FileId=49037
BHOLD: https://msdn.microsoft.com/en-US/subscriptions/securedownloads/#FileId=49036

For additional information on FIM 2010 R2 please refer to the release  notes

"The breakpoint will not currently be hit. No symbols have been loaded for this document." when debugging FIM 2010 Code in VS2008/2010

I have been running into situations where I tried to debug some FIM MA and MV extension code in VS2008/2010 and hit the "The breakpoint will not currently be hit. No symbols have been loaded for this document." problem even though I was:

• Correctly attaching to the "miiserver.exe" process

• Setting breakpoint that would be hit
• Manually forcing a Debugger.Launch()
• Not running the code in a separate process
• Running VS2008/2010 in Administrator context.

When i started looking at the problem more closely I remembered a similar problem with MIIS pre- SP1 that occurred once framework 2.0 was installed and the MIIServer.exe.config was not forces to run in Framework 1.1. So I had two choices, either force the framework or change my compiling framework to 3.0-3.5 which is natively supported by FIM 2010.

So my initial VS advanced compiling configuration looked as follows:

Once I changed the settings to the settings below, and recompiled the code I was able to debug my code with no issues.

"The Forefront Identity Manager Service has not started yet." errors when trying to do a password reset you via the FIM 2010 Password Portal

When trying to do a password reset from the FIM Password Portal you get the following error: "The Forefront Identity Manager Service has not started yet."

This error is mostly caused by the Forefront Identity Manager Password Reset Client Service (FIMPasswordReset) service not being started. This can be easily remedied by starting the service. However, if you have verified that the service is running on the workstation you are trying to do the reset from, there could be a problem with the IE zone and protected mode setting for the Local Intranet Zone.

Please note that you need to make sure that the site is running under a "Local Intranet" zone and that Protected mode is switched OFF.

A configuration as shown below will cause the error as the ActiveX component cannot check the service status if incorrectly configured, and generates the error in question.

Applying the defaults zone settings to the Local Intranet Zone should allow the components to run as expected

Exchange 2007 Management Console on Windows 2008 R2 for Exchange 2007 mailbox Provisioning on FIM 2010

If you have recently deployed FIM 2010 on Windows 2008 R2 and tried to install the Exchange 2007 SP2 or earlier Management tools (required for exchange 2007 mailbox provisioning via the AD MA), you would have noticed that the SP2 or below was not supported on Windows 2008 R2. Fortunately Exchange 2007 SP3 solves this problem by adding support for Windows 2008 R2.

You can download Exchange 2007 SP3 at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1687160b-634a-43cb-a65a-f355cff0afa6&displaylang=en