Background

I’ve been using Ryan’s Lithnet MIIS Automation PowerShell Module for a few months now, as you’ve likely seen from some of my blog posts.
The module and its installer direct you to install the module on your FIM/MIM Synchronisation Server. This all makes perfect sense, as the FIM/MIM Synchronisation Server is more of your traditional server application. However, we are no longer living in that kind of IT world. Consultants, Administrators, Architects, DevOps etc. all want the flexibility to use their own workstations, administrative workstations, automation services etc.
So how do we apply that to the FIM/MIM Synchronisation Server? Well, with the Lithnet MIIS Automation PowerShell Module installed on your FIM/MIM Synchronisation Server you can, thanks to the wonderful thing that is PowerShell. Thanks Jeffrey Snover.

Overview

In this blog post I’ll detail the quick and easy steps to enable you to remotely administer, orchestrate, report on and query your FIM/MIM Sync Server and Metaverse using PowerShell and the Lithnet MIIS Automation PowerShell Module.
The diagram below outlines the topology. It is essentially a standard MIM Sync Server deployment in an Active Directory domain, with an admin on a workstation in the same domain using domain credentials.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMSyncRemotePS/Arch.png

Prerequisites

It should be pretty obvious by now, but you’ll need:

  • A FIM/MIM Synchronisation Server
    • at least one connected system with a configuration that populates your Metaverse with holograms
  • Download and install the Lithnet MIIS Automation Powershell Module on your FIM/MIM Sync Server
  • The account you will use to connect to the FIM/MIM Sync Server must be in the Administrators Group on the FIM/MIM Sync Server
  • The account you will use to connect to the FIM/MIM Sync Server must be in the FIM/MIM Admins Role Group

Enable the MIM Sync Server for Remote PowerShell

In a domain environment as described above this is straightforward. On your FIM/MIM Sync Server we need to enable PowerShell Remoting. This is so we can leverage the Lithnet MIIS Automation PowerShell Module (that is a prerequisite that you’ve already installed, right?).
On the FIM/MIM Synchronisation Server open PowerShell (as Administrator) and execute the command Enable-PSRemoting -Force
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMMVFunction/EnablePSRemoting.png
Test from another server in your network that you can access the MIM Sync Server. I did this from my MIM Service Server.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMMVFunction/Test%20Remote1.png

Establishing a Remote PowerShell Session to your FIM/MIM Sync Server

Now you’re ready to start a remote session into your FIM/MIM Sync Server. Take the following snippets and put them into an Administrator PowerShell ISE session, modify for your FIM/MIM Sync Server name and your Admin username (if you’re not already in a session with that privileged account) and try connecting.

Success, we’re connected: a remote session.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMSyncRemotePS/Connected.png
Now let’s run a couple of queries using two of the cmdlets from the Lithnet MIIS Automation PS Module. One to get a user and the other to get the MA Stats for the Twitter MA.
Success. Brilliant. Simple.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMSyncRemotePS/UsersMAStats.png
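
The connect-and-query steps above, as an added example (not the snippets from the original post). It uses a non-interactive session with Invoke-Command rather than an interactive one; the server name and account value are placeholders, and the Get-MVObject and Get-MAStatistics parameters are assumed from the Lithnet module's documented usage.

```powershell
# Added example: names below are placeholders, not values from the original post.
$syncServer = 'mimsync01.example.internal'   # hypothetical FIM/MIM Sync Server FQDN
$cred = Get-Credential -Message 'Account in local Administrators and the FIM/MIM Admins role group'

# Confirm WinRM answers before attempting a session (fails fast with a clear error).
Test-WSMan -ComputerName $syncServer -ErrorAction Stop | Out-Null

# In-domain Kerberos authentication; the credential is not delegated beyond the Sync Server.
$session = New-PSSession -ComputerName $syncServer -Credential $cred `
    -Authentication Kerberos -ErrorAction Stop

try {
    Invoke-Command -Session $session -ScriptBlock {
        # The module lives on the Sync Server, so it is imported inside the remote session.
        Import-Module LithnetMiisAutomation -ErrorAction Stop

        # Metaverse lookup: one person object by accountName (constructed sample value).
        Get-MVObject -ObjectType person -Attribute accountName -Value 'jsmith'

        # Statistics for a single Management Agent (the Twitter MA mentioned above).
        Get-MAStatistics -MA 'Twitter'
    }
}
finally {
    # Always tear the session down so no privileged runspace is left open on the server.
    Remove-PSSession -Session $session
}
```

Results come back to the workstation as deserialized objects, so they can be filtered and exported locally but carry no live methods.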

Troubleshooting

Server User Role Permissions

If you are authenticating with an account without enough permissions for Remote PowerShell you’ll get the following message: Access is Denied. Whilst you would expect that putting the user account into the “Remote Management Users” group would/should be enough, in my experience you need to have the account you’re connecting with in the Administrators group on the FIM/MIM Server. If there is another method of least privilege please let me know.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMSyncRemotePS/AccessDenied.png
 

MIM Sync Permissions

If you aren’t in a FIM/MIM Role for the tasks you are looking to perform, you will get an error similar to that below. You can see I could connect to the MIM Sync Server with Remote Powershell, but could not run the Get-MVObject cmdlet.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMSyncRemotePS/NoMIMPerms.png
If you are in the FIM/MIM Operators Role Group you’d think you could return an object. No. You get an error message like the one below.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMSyncRemotePS/Operators%20Role.png
When the same account is in the FIM/MIM Admins Role Group, Success.
https://dl.dropboxusercontent.com/u/76015/BlogImages/MIMSyncRemotePS/SuccessRole.png
 

Summary

That is the quick start guide to using Remote PowerShell and the Lithnet MIIS Automation PowerShell Module to manage your FIM/MIM Sync Server. Automate and manage away.
You should now think about additional security and restricting what hosts can connect to your FIM/MIM Sync Server using RPS. See Restricting WinRM Hosts here.
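
One way to restrict which hosts can reach WinRM on the Sync Server, as an added example (not taken from the linked article or the original post): scope the inbound WinRM firewall rules to the admin workstations. The addresses are constructed, and the rule group name assumes an English-language Windows install.

```powershell
# Run on the FIM/MIM Sync Server in an elevated PowerShell session.
# Constructed sample addresses: replace with your administrative workstations.
$allowed = @('10.0.10.25', '10.0.10.26')

# Inbound, enabled rules in the WinRM group (the group created/enabled by Enable-PSRemoting).
# Assumption: the display group name is the English one.
$group = 'Windows Remote Management'
$rules = Get-NetFirewallRule -DisplayGroup $group |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

if (-not $rules) { throw "No enabled inbound rules found in group '$group'." }

# Limit the source addresses allowed to reach the WinRM listener.
$rules | Set-NetFirewallRule -RemoteAddress $allowed

# Re-read the rules and show the effective scope of each one for verification.
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.Name
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```

Apply the change from the server console or an already-allowed address, since a remote session from any other host will be cut off once the scope takes effect.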
 
Follow Darren on Twitter @darrenjrobinson
