Forefront Identity Manager

Dependent Sync Rules – Disconnection on removal of a dependent Sync Rule

Recently, I discovered that under certain conditions the removal of a dependent sync rule could cause the disconnection of objects in AD or other connected data sources. So I had to investigate the inner workings of dependent Sync Rules to uncover this mystery and fix it. FIM allows us to create dependent Sync Rules. First let me explain the what and then a little why. Then allow me to explain a bug that I discovered and how to work around it.

Object reference not set to an instance of an object

/Remi - Nov 3, 2010: This comment has been removed by the author.

Hello David! :) Have you got the time to test this in a lab? I am experiencing the same problem. And I've tried everything without any luck.
http://social.technet.microsoft.com/Forums/en/ilm2/thread/deae65d0-ede6-4b36-994b-3695d0cc8260

Object reference not set to an instance of an object

Lessons learned: Run the Do a FIM MA account configuration quick test script. Always refresh the schema of the FIM MA using the real FIM MA Service Account, which we usually call svc-FIMMA.

Scenario: You have just modified the schema of FIM Service by creating a new Boolean attribute and have bound it to the user resource type. You refresh the FIM Schema, select the new attribute, and set up a direct export attribute flow from the corresponding Boolean metaverse attribute to the FIM MA attribute.

FIM Sets, XPATH, finding nulls with Strings

Chris Clayton - Nov 4, 2011: Watch out for the latest FIM hotfix. It appears it will treat the % as a literal rather than a SQL wildcard.

FIM Sets, XPATH, finding nulls with Strings

A little while ago I encountered some rather strange behavior of a Set vs. the XPATH query in FIM 2010. Using Export-FIMConfig with the -onlyBaseResources -CustomConfig switches, I ran the following query to see if there are any users without a DisplayName:

/Person[not(starts-with(DisplayName,''))]

It showed 20. So then I created a set, called “~ People with no displayname”, with that as the custom filter. I checked that it doesn’t violate any of the limitations listed in the Business Policy Modeling doc (which I must say is a pretty good doc).

Restoring your FIM databases to the moment before oops

At the FIM Birds of a Feather (BOF), after a discussion about FIM database backups, I was asked to make a blog post to more fully elucidate the benefits of using the full recovery model. Since recovery models affect the transaction log, you may find it useful to have the following background about transaction logs:

• The data in tables and indexes is stored in data files, not the transaction log

TEC Decks Posted!

If you attended TEC you can now get the Slide Decks by registering on TheExpertsCommunity.com and accessing the following item: TEC 2010 Conference Materials Have Been Posted!

You can find my sessions here: http://theexpertscommunity.com/item/list/type/session/meta_expert_tag/speaker%3Adavidlundell

Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS

Without proper care and feeding of your databases (FIM Meta Directory Services, FIM Certificate Services, FIM Web Service, RM…

FIM 2010 Technical Overview Published – short version

Marc Mac Donell, CISSP - Apr 4, 2010: Great job David and crew!

FIM 2010 Technical Overview Published – short version

Microsoft has published a short version of the FIM Technical Overview whitepaper written by David Lundell (me), Brad Turner, Chris Calderon and Joe Zamora. The longer version will come out a bit later. Short version, long version makes me feel kind of like I am figure skating in the Olympics. Thank you to Brjann Brekkan, Mark Wahl, Joe Schulman, Darryl Russi, Jack Kabat and Andreas Kjellman for their support, editing, elucidations on blogs and encouragement on this paper.

FIM Pitfall for old ILM hands

In the days of MIIS 2003 and ILM 2007 we usually wrote our provisioning code to provision a new AD account only when the particular metaverse object didn’t already have any connectors in the AD connector space. With FIM your outbound synchronization rule is quite happy to provision another AD account if the existing one it is joined to doesn’t meet the relationship criteria. So I have usually been in the habit of not worrying about extraneous provisioning if I already had an account connected to that metaverse object.
