A new hotfix rollup for Microsoft Identity Manager was released on the 11th of March. It contains a number of fixes and some new functionality.

It appears that it also contains a new bug. Information about this came to my attention from Ryan Newington.

The bug kicks in if you’re trying to run sync sequences on multiple MAs simultaneously. It throws the error: “Unable to run the management agent.” Exception from HRESULT: 0x8023063D

The screenshot below shows the error when attempting to run a Full Synchronization on an MA when another MA is already running a Full Synchronization.

Note: You CAN still run Stage (Full Import) sequences on multiple MAs simultaneously.

After rolling back my MIM Sync Server (to 4.3.2064.0, the snapshot prior to applying the 4.3.2124.0 rollup) I can again run multiple sync sequences across multiple management agents simultaneously.

Summary

If your run sequences include multiple sync jobs running simultaneously, don’t update your MIM/FIM Synchronisation Server to 4.3.2124.0.

Microsoft, can we have a fix please.
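
One way to schedule runs under this constraint, as an added example that is not code from the original post: imports are started in parallel and synchronizations then run one at a time, through the Sync Service WMI provider. The MA names and run profile names are assumptions; substitute the ones configured on your server.

```powershell
# Added example: parallel imports, serialized synchronizations.
# Assumptions: the MA names and run profile names below are placeholders.
$Namespace  = 'root\MicrosoftIdentityIntegrationServer'
$Agents     = @('AD MA', 'HR MA', 'AzureAD MA')   # hypothetical MA names
$ImportName = 'Full Import'                       # assumed run profile name
$SyncName   = 'Full Synchronization'              # assumed run profile name

# One script block used both inside background jobs and in-process.
$RunProfile = {
    param([string]$AgentName, [string]$ProfileName, [string]$Namespace)
    $ma = Get-WmiObject -Namespace $Namespace -Class 'MIIS_ManagementAgent' `
                        -Filter "Name='$AgentName'"
    if (-not $ma) { throw "Management agent '$AgentName' not found" }
    # Execute() blocks until the run finishes and returns a status string.
    [pscustomobject]@{
        Agent   = $AgentName
        Profile = $ProfileName
        Status  = $ma.Execute($ProfileName).ReturnValue
    }
}

# Phase 1: imports only stage data into each connector space,
# so start one background job per MA and wait for all of them.
$jobs = foreach ($agent in $Agents) {
    Start-Job -ScriptBlock $RunProfile -ArgumentList $agent, $ImportName, $Namespace
}
$imports = @($jobs | Wait-Job | Receive-Job)
$jobs | Remove-Job

# Phase 2: synchronizations run strictly one after another, and only for
# MAs whose import reported 'success' (a conservative choice: any other
# status, including warnings, is left for an operator to review).
$results = foreach ($import in $imports) {
    $import
    if ($import.Status -ne 'success') {
        Write-Warning "Skipping sync for '$($import.Agent)': import status '$($import.Status)'"
        continue
    }
    & $RunProfile $import.Agent $SyncName $Namespace
}

$results | Format-Table Agent, Profile, Status -AutoSize
```

Run it on the Sync server under an account permitted to execute run profiles; an MA whose import job failed outright is reported as a job error and gets no synchronization.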

Follow Darren on Twitter @darrenjrobinson


Join the conversation! 6 Comments

  1. I don’t believe this is a bug, but rather preventing you from doing what shouldn’t be done, i.e. running synchronization run profiles concurrently. That can easily lead to deadlocks, and possibly data corruptions, given two synchronization runs running at the same time may try to synchronize the same object at the same time.

    They are addressing this in the hotfix, i.e. issue 4. Running more than one run profile with a synchronization task at the same time may cause data corruption. Note A message box is displayed with a 0x8023063D error code.

    That’s exactly the behaviour you’re seeing.

    Cheers,

    Marc

    • I understand your viewpoint Marc if you’re using FIM/MIM to manage a single object type.
      Many of my implementations are managing many different object types across multiple MA’s. This is where it makes perfect sense to run them in parallel.
      Decisions to run them like this should be up to the implementer not a constraint in the product.

      DR

  2. Hotfix rollup package (build 4.3.2195.0) has been released which is supposed to address this issue. However in my testing I’m still getting Exception from HRESULT 0x8023063D when running a Sync on multiple MA’s. https://support.microsoft.com/en-us/kb/3134725

  3. Do we know if there is a workaround to this issue?

    We have many MAs so now having to run in parallel is taking days rather than hours. Is this logged formally with Microsoft?

    • Microsoft are aware this is an issue for some implementations. I previously just hadn’t applied that hotfix. Now for the one implementation that needs this that is on the latest patch level I’ve split the Import from the Sync. It’s multiple Syncs that throw the exception. You can still run multiple Imports Only in parallel.

  4. […] In August 2016 I wrote this post on how to use PowerShell to leverage the Microsoft GraphAPI and use Differential Queries. The premise behind that post was I required a Microsoft Identity Manager Management Agent to synchronize identity information from AzureAD into Microsoft Identity Manager. However the environment it was intended for has a large AzureAD implementation and performing a Full Sync every time is just too time-consuming. Even more so with this limitation that still exists today in MIM 2016 with SP1. […]
