The first question usually asked when something goes wrong: What changed?
Some areas of FIM/MIM make it easy to answer that question, some more difficult. If the Reporting Services components haven’t been installed (pretty common), history within the Portal/Service is retained for only 30 days by default, and it contains all data changes, not just configuration changes. So, how do we track configuration change?
I was inspired by colleague Darren Robinson’s post “Automate the nightly backup of your Development FIM/MIM Sync and Portal Servers Configuration”, but wanted more detail, automatic differences, and handy visualisation. This is my first rough version and hasn’t been deployed ‘in anger’ at a client, so I expect I haven’t found all the pros/cons as yet. It also doesn’t implement all the recommendations from Microsoft (check “FIM Service Backup and Restore” and “FIM 2010: Planning Disaster recovery” for details).
Approach
Similar to Darren’s post, we’ll export various Sync and MIM Service config to text files, then use a local git repository (no, not GitHub) to store and track the differences.
Assumptions
The script is written with the assumption that you have an all-in-one MIM-in-a-box. I’ll probably extend it at some point to cater for expanded installations. I’m also assuming PowerShell 5 for easier module package management, but it is not a strict requirement.
Pre-requisites
You will need:
- “Allow log on locally” (and ideally, “Allow log on through Remote Desktop Services”) rights on your FIM/MIM all-in-one server, with access to create directories and files under C:\MIMBackup (or a similar backup location)
New-Item -ItemType Directory -Path C:\MIMBackup
- Access to your FIM/MIM Synchronisation Service with MIM Sync Admin rights (can you open the Synchronisation Service Console?). Yes, Admin. I’d love to do this with minimum privileges, but it just doesn’t seem achievable with the permissions available
- Access to your FIM/MIM Service with either membership of the Administrators set, or a custom set created with Read access to members of set “All Resources”
- Portable Git for Windows (https://github.com/git-for-windows/git/releases/latest)
The Portable version is great, doesn’t require administrative access to install/use, doesn’t impact other installations of Git (if any), and is easy to update/maintain with no impact on any other software. Perfect for use in existing environments, and good for change control. Unpack it into C:\MIMBackup\PortableGit
- Lithnet FIM/MIM Service PowerShell Module (https://github.com/lithnet/resourcemanagement-powershell)
The ‘missing commandlets’ for FIM/MIM. Again, they don’t have to be installed with administrative access and can be copied to specific use locations so that other installations/copies will not be affected by version differences/updates.
New-Item -ItemType Directory -Path C:\MIMBackup\Modules
Save-Module -Name LithnetRMA -Path C:\MIMBackup\Modules
- Lithnet PowerShell Module for FIM/MIM Synchronization Service (https://github.com/lithnet/miis-powershell)
More excellent cmdlets for working with the Synchronisation service.
Save-Module -Name LithnetMIISAutomation -Path C:\MIMBackup\Modules
- FIMAutomation Module (or PSSnapin)
The ‘default’ PowerShell commandlets for FIM/MIM. Not the fastest tools available, but they do make exporting the FIM/MIM Service configuration easy. If you create a module from the PSSnapin [Check my previous post], you don’t need any special tricks to install it. Store the module in C:\MIMBackup\Modules\FIMAutomation
- The Backup-MIMConfig.ps1 script
C:\MIMBackup\PortableGit\cmd\git.exe clone https://gist.github.com/Froosh/bd17ff4675f945dc7dc3bbb6bbda036d C:\MIMBackup\Backup-MIMConfig
Prepare the Git repository
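New-Alias -Name Git -Value C:\MIMBackup\PortableGit\cmd\git.exe
# Create the repository directory if it does not already exist
New-Item -ItemType Directory -Path C:\MIMBackup\MIMConfig -Force
Set-Location -Path C:\MIMBackup\MIMConfig
git init
git config --local user.name "MIM Config Backup"
git config --local user.email "MIMConfigBackup@$(hostname)"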
Since the final script will likely be running as a service account, I’m cheating a little and using a default identity that will be used by all users to commit changes to the git repository. Alternatively, you can log in as the service account and set the user.name and user.email in ‘normal’ git per-user mode.
git config --global user.name "Service Account"
git config --global user.email "ServiceAccount@$(hostname)"
Give it a whirl!
C:\MIMBackup\Backup-MIMConfig\Backup-MIMConfig.ps1
Now, make a change to your config, run the script again, and look at the changes in Git GUI.
Set-Location -Path C:\MIMBackup\MIMConfig
C:\MIMBackup\PortableGit\cmd\gitk.exe
As you can see here, I changed the portal timezone config:
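To answer “What changed?” without opening gitk, for example from a scheduled task that reports on the last day of configuration changes, the repository can be queried directly. This is an added example, not part of the original post or of Backup-MIMConfig.ps1; the function name Get-MIMConfigChange is hypothetical, and it assumes the backup script commits its exports to C:\MIMBackup\MIMConfig on each run.

```powershell
# Added example (not from Backup-MIMConfig.ps1).
# Assumption: every backup run leaves its exported files committed in the repository.
function Get-MIMConfigChange {
    [CmdletBinding()]
    param(
        [string] $RepositoryPath = 'C:\MIMBackup\MIMConfig',
        [string] $GitPath        = 'C:\MIMBackup\PortableGit\cmd\git.exe',
        [int]    $Days           = 7
    )

    if (-not (Test-Path -Path (Join-Path $RepositoryPath '.git'))) {
        throw "No git repository found at $RepositoryPath"
    }

    # One '#'-prefixed header line per commit, followed by "<status><TAB><path>" lines
    $gitArgs = @(
        '-C', $RepositoryPath, 'log',
        "--since=$Days days ago",
        '--name-status',
        '--date=iso-strict',
        '--pretty=format:#%h|%ad|%an'
    )
    $lines = & $GitPath @gitArgs
    if ($LASTEXITCODE -ne 0) { throw "git log failed with exit code $LASTEXITCODE" }

    $commit = $null
    foreach ($line in $lines) {
        if ($line -match '^#(?<Hash>[0-9a-f]+)\|(?<Date>[^|]+)\|(?<Author>.*)$') {
            # Copy the values out, because $Matches is overwritten by the next -match
            $commit = @{ Hash = $Matches.Hash; Date = $Matches.Date; Author = $Matches.Author }
        }
        elseif ($commit -and $line -match '^(?<Status>[A-Z])\d*\t(?<Path>.+)$') {
            [pscustomobject]@{
                Commit = $commit.Hash
                When   = [datetimeoffset]::Parse($commit.Date)
                Author = $commit.Author
                Status = $Matches.Status   # A = added, M = modified, D = deleted
                Path   = $Matches.Path     # for renames this holds "old<TAB>new"
            }
        }
    }
}

# Files whose exported configuration changed in the last day, oldest first
Get-MIMConfigChange -Days 1 | Sort-Object When | Format-Table -AutoSize
```

An empty result means no committed configuration change in the window, so the output can be piped into whatever alerting or change-control check you already run.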