Greetings from the field!
I've posted a PowerShell script you can run on the FIM Synchronization server to display the names of the FIM security groups:
How to Use PowerShell to Display the FIM Security Groups
The script will come in handy if the default FIM security group names were not used and nobody remembers the names of the groups. FYI - The only supported method to modify these groups is to re-run the setup. This is because we set permissions in DCOM, the registry and folders.
Best,
Jeff Ingalls
Update Rollup 2 (build 4.0.3606.2) is available for Microsoft Forefront Identity Manager (FIM) 2010. This hotfix package resolves several issues and adds several features that are described in the "More Information" section. Additionally, this update contains all servicing fixes that were made since the release of FIM 2010.
Prerequisites: To apply this update, you must have Forefront Identity Manager 2010 (build 4.0.2592.0 or a later build) installed.
Restart requirement: You must restart the computer after you apply the FIM 2010 Add-ins and Extensions component. Additionally, you may have to restart the server components.
Issues that are fixed or features that are added in this update:
2502631 A hotfix rollup package (build 4.0.3576.2) is available for Forefront Identity Manager 2010
2417774 A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 2010
2272389 A hotfix rollup package (build 4.0.3558.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
2028634 A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
978864 Update Package 1 for Microsoft Forefront Identity Manager (FIM) 2010
See the full KB for known possible issues and additional information.
KB here: http://support.microsoft.com/kb/2635086
I have moved my blog to http://jeffingalls.blogspot.com
There are three types of blogs: useful, interesting/entertaining, and other which is usually the opposite of both. The goal of this blog is to be in bucket #1 and bucket #2. More to come...
A friend recently asked me how to touch every file in a folder and subfolders. Let's say he has an executable called "dosomething.exe" and wants to run that program against every file in the parent folder and subfolders. Here's a quick script to do such a thing. There's not much to the VBScript but I am posting because I know what it is like to be out in the field and need something quickly. While this can be done multiple ways, I wrote this in VBScript because I did not know the client OS version and only had Notepad handy at the time. :)
On Error Resume Next ' Ignore errors such as access denied
Dim objShell, objFSO, objStartFolder

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

objStartFolder = "C:\jingalls" ' This is the parent directory

' Process the files in the parent folder, then walk every subfolder
ProcessFiles objFSO.GetFolder(objStartFolder)
ShowSubFolders objFSO.GetFolder(objStartFolder)

' Run dosomething.exe against each file in one folder and echo its output
Sub ProcessFiles(Folder)
    Dim objFile, objWshScriptExec, strOutput
    For Each objFile In Folder.Files
        WScript.Echo objFile.Path
        ' Quote the path so a file name containing spaces stays a single argument
        Set objWshScriptExec = objShell.Exec("%COMSPEC% /c c:\utils\dosomething.exe """ & objFile.Path & """")
        strOutput = objWshScriptExec.StdOut.ReadAll
        WScript.Echo strOutput
    Next
End Sub

' Recurse through each subfolder
Sub ShowSubFolders(Folder)
    Dim Subfolder
    For Each Subfolder In Folder.SubFolders
        ProcessFiles Subfolder
        ShowSubFolders Subfolder
    Next
End Sub

Set objShell = Nothing
Set objFSO = Nothing
Greetings from Redmond! I trust that you all are fully recovered from the holiday break and are ready to tackle your new year goals.
This is a quick post to say what's new...and explain the delay in blogging. I hired into Microsoft about a year ago on an internal position that was geared internally and there wasn't much externally interesting stuff that I could talk on each day. Shortly before the new year I accepted a position as a Premier Field Engineer in Microsoft Services and will be concentrating on Identity Management (FIM, ILM, MIIS). This is a blog-worthy role and as such you'll be hearing more from me. We are ramping up other PFEs in Identity so if you are a Premier customer who is using our identity management solutions and have some looming questions or problems, reach out to your TAM about talking to a PFE. You are welcome to drop my name to your TAM and we can work to see how I can work you into my calendar. I am based out of the Redmond area and can do conference calls or visits up to a week or two.
My PFE specialty is FIM.
Onward to PFE adventures and a new year!
Greetings from an airplane! I have added a new Technet article on troubleshooting FIM SSPR's 3003 error. I hope you find it useful.
http://social.technet.microsoft.com/wiki/contents/articles/20213.fim2010r2-troubleshooting-sspr-error-3003-the-current-user-account-is-not-recognized-by-forefront-identity-manager-please-contact-your-help-desk-or-system-administrator.aspx
Best, Jeff Ingalls
Greetings from Redmond!
We released hotfix 4.1.3469.0 a few days ago. The hotfix is available here: http://support.microsoft.com/kb/2877254
FIM Hotfix 4.1.3479.0 has been released under KB 2889529. Please see the KB for what is included in this cumulative hotfix.
Link: http://support.microsoft.com/kb/2889529
Email from Andreas Kjellman (Microsoft program manager for I&AM):
"We have just released the RTM for Lotus Domino 8.x Connector to Microsoft Download Center. It is an optional component for FIM2010 Update 2. Note that this connector is not supported with FIM2010 R2 RC but will be supported with FIM2010 R2 RTM in the future. FIM2010 Update 2 can be found on Microsoft Update.
With this release we are adding many frequent requests from our customers, such as support for additional object types and use AdminP for operations. Additional details about the functionality can be found in the TechNet documentation.
The package can be found here: http://go.microsoft.com/fwlink/?LinkID=242615
The TechNet documentation can be found here: http://go.microsoft.com/fwlink/?LinkID=226246"
Q1: I want to connect FIM to a data source that does not have an in-the-box Management Agent. What is the process of purchasing an extensible Management Agent from a Microsoft partner? Will this impact my support with Microsoft?
A1: The FIM 2010 Management Agents from Partners TechNet article lists several partner solutions. If you are interested in purchasing one of the Management Agents listed on the page then please contact the partner directly. Microsoft does not act as a broker between you and the partner group. Microsoft will provide commercially reasonable support through our technical phone support line.
Q2: I am trying to do some expressions in Sets and am receiving an error when I try to save. What's the deal?
A2: FIM guru Paul Williams' blog explains it best. Thanks Paul!
Q3: I am trying to create the FIM MA and am receiving "Failed to connect to the specified database. Failed to connect to the specified database or Forefront Identity Management Service. Please check the specified database location, service host address, and account information."
A3: The FIM Service is on port 5725. In the example above, the FIM Service base address should be: http://OTHELLO.shakespeare.com:5725
Q4: I installed FIM 2010 a few months ago. Today I logged in and tried to start the Synchronization Service Manager and received the error message "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."
A4: [Compliments of Zoltan Harmath] Check to see if the DependOnService registry entry "MSSQLSERVER" is missing from HKLM\SYSTEM\CurrentControlSet\Services\FimService. Thanks Zoltan!
Q5. I am trying to export and receiving "Skipped – Not Precedent" error in the FIM Synchronization Service Manager. Why do I get this error and how can I solve it?
A5. If the value of an attribute in the MV comes from an MA with a lower precedence than the MA with the export flow, the export will not be processed.
Q6. Does it really rain in Seattle all the time?
A6. Not all the time. It only feels that way.
Until next time...
Greetings from Redmond! Are you interested in FIM? Been working with FIM for some time? I encourage you to take exam 70-158: Forefront Identity Manager 2010, Configuring. I felt this was a good assessment of real world situations, a few of which I had run into over the past month. Even though there are no authorized FIM 2010 books to help you study for the exam that are listed on the website, you do get a book if you take an in person FIM 2010 Workshop. You can use the book to continue practicing in your lab environment, study and take the exam and then apply that learning to your business. Premier Field Engineers like me teach this workshop as well as other instructors in authorized training centers. If you are a Premier customer you can reach out to your Technical Account Manager to schedule a FIM 2010 Workshop.
If you're unable to take in person training a good second best is working through the FIM Ramp Up training. The online virtual lab gives you 2 hours for each module and has videos and instructions leading you along.
Have fun!
Welcome to this edition of FIM Q&A. This week I am going to focus on Windows Management Instrumentation (WMI). WMI is critical for FIM to function from running/stopping run profiles to syncing passwords. Let's get right to it...
Q1: My WMI is broke! How did it get this way?
A1: According to some trusted Microsoft support guys, the top cause is not flushing to disk before shutdown (or what we call in the biz, a dirty shutdown). Next would be 3rd party application causing some problems.
Q2: What can I do to determine the problem?
A2: WMIDiag is a tool we released a few months ago to help determine WMI problems. The Ask Perf team has a good blog on it here.
Q3: What can I do to prevent the problem?
A3: I like how you think. There are a few WMI hotfixes out there that will prevent future problems as well as improve performance. The hotfixes are post Windows 2008 R2 SP1 and Windows 7 SP1. You will not get these fixes through Windows Update and will need to download them manually. Test in your lab, go through testing and get them on your machines.
Find the list of WMI hotfixes post Windows 2008 R2 SP1 and Windows 7 SP1 here. The list is maintained by one of our PFEs, Yong Rhee. If you are running a different version you can search his blog for "WMI" and find the list of hotfixes for your OS version.
Q4. Where can I get more information on the WMI in regards to FIM?
A4. The FIM 2010 Developer Reference discusses the FIM WMI classes and how to work with them.
Q5. Can I use PowerShell?
A5. You bet. Good starting articles are Accessing WMI from PowerShell and PowerShell Scriptomatic
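As an added example (not code from the original post), here is a read-only PowerShell check that queries the FIM Synchronization Service WMI provider and reports the last run of each management agent, which also confirms that WMI itself is answering. It assumes it runs on the FIM Synchronization server under an account in the FIM Synchronization administrators security group; `Get-FimMaRunStatus` is a hypothetical helper name.

```powershell
# Added example: read-only health check of the FIM Synchronization Service WMI provider.
# Assumption: run on the FIM Synchronization server by a member of the FIM
# Synchronization administrators group. Get-FimMaRunStatus is a hypothetical name.
function Get-FimMaRunStatus {
    [CmdletBinding()]
    param(
        [string]$ComputerName = '.'
    )

    $namespace = 'root\MicrosoftIdentityIntegrationServer'
    try {
        # MIIS_ManagementAgent exposes one instance per configured management agent
        $agents = Get-WmiObject -ComputerName $ComputerName -Namespace $namespace `
            -Class 'MIIS_ManagementAgent' -ErrorAction Stop
    }
    catch {
        # A damaged repository, an unregistered provider or missing permissions ends up here
        Write-Warning "WMI query against $namespace failed: $($_.Exception.Message)"
        return
    }

    foreach ($ma in $agents) {
        # The Run* methods return the details of the most recent run for this agent
        [pscustomobject]@{
            ManagementAgent = $ma.Name
            Type            = $ma.Type
            LastRunProfile  = $ma.RunProfile().ReturnValue
            LastRunStatus   = $ma.RunStatus().ReturnValue
            LastRunEnd      = $ma.RunEndTime().ReturnValue
        }
    }
}

Get-FimMaRunStatus | Format-Table -AutoSize
```

If the warning fires while the Synchronization Service itself is running, the problem sits in WMI rather than in FIM, which is where WMIDiag comes in.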
That's all for now. Have a great week!
Over the past several months I have been listening to customer feedback around learning and understanding FIM 2010. As I collected the feedback and talked with customers it is evident that the steep learning curve is not due to the technology as much as it is the language we use. We use a lot of new words in the product that seem academic at first but turn out to be incredibly important when it comes to operating and troubleshooting FIM 2010. We have the FIM 2010 Terminology and Glossary however this page does not include terminology we used in the previous versions of the product. As such, I feel there is an opportunity for us to produce a comprehensive document containing all FIM 2010 terminology. The file attached is the first attempt at building a comprehensive FIM 2010 terminology document. The ZIP file contains a WORD document and a PDF file. The WORD and PDF files contain the same information.
I hope you find the document useful. Please feel free to send me email if you like it as well as any suggestions for improvement. I like email and I also like feedback. Feedback is one step towards helping us make things better and is directly related to our company values.
Our Values
"As a company, and as individuals, we value integrity, honesty, openness, personal excellence, constructive self-criticism, continual self-improvement, and mutual respect. We are committed to our customers and partners and have a passion for technology. We take on big challenges, and pride ourselves on seeing them through. We hold ourselves accountable to our customers, shareholders, partners, and employees by honoring our commitments, providing results, and striving for the highest quality."
"We’re pleased to announce general availability of FIM 2010 R2. Details of the announcement can be found on the Server & Cloud news blog @ http://blogs.technet.com/b/server-cloud/archive/2012/06/14/forefront-identity-manager-2010-r2-now-available.aspx."
More to follow...
Greetings from Redmond. Today I want to discuss something universal to all people involved with FIM and Windows servers in general, Event Logs. The Event Logs are one of the places you will find information, warning and error messages from the FIM product and its components. It is not the only place (see also FIM 2010 or FIM 2010 R2 troubleshooting) but it is one of the places.
Let's look at each FIM 2010 component and see what it adds to the system upon installation:
* This is a semi-general range of events of FIM 2010 RTM. See the attachment for the list of events in the RTM version of FIM 2010. Any event IDs could be added to future releases of the product which is why the product team lists ranges (see below).
If you happen to have SCOM installed in your environment then you can download the free FIM Management Pack (MP) to start monitoring your system. You will notice the FIM MP looks for specific FIM events and some FIM availability but does not include monitoring to systems it could interface with such as Active Directory or SQL. Those are other Management Packs you can download.
The word transparency is tossed around Microsoft like the flu. Allow me to sneeze...
So that's what transparency the flu looks like!
...and say this -- I've only seen one customer use the FIM MP to watch over FIM. Sometimes it is due to the customer using another monitoring solution (it's ok, we forgive you) and those that do use SCOM either don't know about the FIM MP or they install it and never use it. Whatever your situation, I am providing you an attachment with a list of event IDs you can use to at least start monitoring the FIM Event Logs. This will not give you a full view of your FIM environment but it is a start.
One final note. You will notice the Management Pack includes a Word document which lists ranges of event IDs and that list doesn't fully match the table above. Better said, my table includes some ranges that the Management Pack Word document does not include. Enjoy!
The latest official public release of FIM as well as previous versions of the product are listed here:
http://social.technet.microsoft.com/wiki/contents/articles/13394.microsoft-s-identity-software-public-release-build-versions.aspx
For those who have MIIS 2003, ILM 2007, FIM 2010 or FIM 2010 R2, we recently released an article on features that are scheduled to be released in a future release of FIM. Please review it and start your planning!
OK, I can now say that Forefront Identity Manager 2010 R2 SP1 is officially announced.
This is a big milestone for the product as we have added official support for Windows 2012, SQL 2012, SharePoint 2013, Visual Studio 2012, SharePoint Foundation 2013, and Exchange 2013. For the client extensions we now support Windows 8 and Outlook 2013. For FIM reporting we have added support for System Center Service Manager 2012. Internet Explorer 10 with the Portal is fully supported too (see KB article for two hotfixes that need to be applied to the Portal for IE 10 support.)
Beyond all the new product support cycles we've improved the time it takes to upgrade from FIM 2010 to FIM 2010 R2 and fixed some bugs.
What's New in FIM 2010 R2 SP1: http://technet.microsoft.com/en-us/library/jj863246(v=ws.10).aspx
FIM 2010 R2 SP1 KB article which includes free download to SP1: http://support.microsoft.com/kb/2772429
A few days ago we released FIM 2010 R2 Hotfix 4.1.3451.0. Like all FIM hotfixes, it is cumulative, meaning you will get all the new features and bug fixes of prior hotfixes (and Service Pack 1 if you haven't installed it yet).
http://support.microsoft.com/kb/2849119
See also my article: What is the latest version of FIM? which links to a Wiki of our public releases.
Greetings from Redmond,
Quick post to let you know we released a cumulative FIM hotfix a few weeks back...
http://support.microsoft.com/kb/2870703
Our Wiki has also been updated to reflect the update.
The #1 question I get asked is "How can I quickly set up FIM self-service password reset?"
The first item you will need to do is go through the deploying FIM 2010 R2 checklist of requirements, before you begin and setting up the FIM Sync and FIM Portal components: http://technet.microsoft.com/en-us/library/hh332710(v=ws.10).aspx
If you want to do a quick proof-of-concept the SSPR quick start tool will be useful: http://technet.microsoft.com/en-us/library/hh332710(v=ws.10).aspx
If you want all the steps involved or if the quick start tool is not sufficient then follow the FIM R2 SSPR Deployment Guide: http://www.microsoft.com/en-us/download/details.aspx?id=29959
Another helpful SSPR link is the FIM 2010 R2 SSPR Resources Wiki
http://social.technet.microsoft.com/wiki/contents/articles/9846.self-service-password-reset-sspr-resources.aspx