FIM: An object with DN "CN=BLAH" already exists in management agent "BLAH MA"

If you treat the FIM Synchronization Service well and your configuration is good, it will reward you and the ‘magic’ will happen. At my customer site, the ‘magic’ stopped working and I was faced with an increasing number of synchronization errors of the form ‘An object with DN “CN=<blah>” already exists in management agent “<blah> MA”’. For users that were already provisioned correctly, the FIM Synchronization Service was attempting to re-provision a duplicate object in the destination directory, but obviously the account already existed.…

Diagnosing FIM/MIM 'kerberos-no-logon-server' error on an Active Directory Management Agent

Overview

I have a complex customer environment where Microsoft Identity Manager is managing identities across three Active Directory Forests. The Forests all serve different purposes and are contained in different network zones. Accordingly there are firewalls between the zone where the MIM Sync Server is located and two of the other AD Forests as shown in the graphic below.

As part of the project the maintainers of the network infrastructure had implemented rules to allow the MIM Sync server to connect to the other two AD Forests.…

An alternate method for dealing with Orphaned MetaVerse Objects

Update 21 April ’17. The LithnetMIISAutomation PS Module now has a -Force switch for Delete-CSObject
As often happens in development environments, data changes, configurations change, and at some point you end up with a whole bunch of objects that are in no-man's land. This happened to me today. I had thousands of objects that were basically empty but had previously been triggered for export to the MIM Service prior to them actually being deleted from the source management agent.…

Bulk create and update related configuration objects in FIM/MIM using the Lithnet Import-RMConfig cmdlet

Working on a FIM implementation for a customer, I needed to bulk create and update a number of related Sets and MPRs which granted permissions to users. I could have performed this task a number of ways:

  • Manually create and update all objects
  • Scripted in PowerShell using FIM Automation
  • Scripted using the Lithnet FIM/MIM Service PowerShell Module

I’ve been successfully using the Lithnet FIM/MIM Service PowerShell Module in a number of scripts to query and bulk create objects in the FIM Service, which has greatly improved the quality and simplicity of my PowerShell scripts compared to using the FIM Automation module.…

Getting started configuring the latest Microsoft Identity Manager IBM Notes Management Agent with Domino v9.x

Lotus Notes. My old nemesis as both a user and as an administrator is back to haunt me again.
There’s a reasonable amount written by others on the trials and tribulations of getting the FIM/MIM Notes MA configured and working. However, they are all referencing older versions of the MA and older versions of Domino. (If you are looking for details on the previous versions, check out Michael’s great post here.) The info on permissions is still valid, so make sure you’re on top of that.…

Joining Identities between Active Directory and Azure Active Directory using Microsoft Identity Manager

Introduction

One of the foundations of Identity Management is the ability to join an identity between disparate connected systems. As we extend our management of identities into cloud services this adds a few twists.
A key concept is to use an anchor that is persistent: something that doesn’t change throughout a user’s life-cycle. A user’s Security IDentifier (SID) in Active Directory is perfect. It doesn’t change when a user or group gets renamed. What gets interesting is how the SID is represented when returned using different methods.…

Error rebuilding MIMWAL – File MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.dll not found

First published on Nivlesh’s blog at https://nivleshc.wordpress.com
A few days ago, I was going through the steps for compiling MIMWAL, as listed at http://ithinkthereforeidam.com/installing-the-mimwal/ and came across an interesting problem.
After I had rebuilt my Visual Studio package, I went to run Sign.cmd and kept getting the following error message
Error: File “MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.dll” Not Found. You need to compile WAL solution first! Make sure you use REBUILD Solution menu. Aborting script execution…
This was quite bizarre as I had not deviated from the steps listed in the above mentioned article.…

Standalone installation of the MIM Self Service Password Reset Portals ends prematurely

Today I was performing a standalone installation of the MIM Self Service Password Reset Portals (Enrollment and Reset). These Portals rely on IIS and not the normal prerequisites associated with the MIM Service Portal (SharePoint etc). As such, using PowerShell I’d only installed the Web Server Role with the usual dependencies.
On starting the MIM Service and Portal installation I got the dreaded "Microsoft Identity Manager Service and Portal Setup Wizard ended prematurely" dialog. So straight into debug mode, running with an installation log as per the command below.…

A workaround for the Microsoft Identity Manager limitation of not allowing simultaneous Management Agents running Synchronisation Profiles

Why?

For those of you that may have missed it, in early 2016 Microsoft released a hotfix for Microsoft Identity Manager that included a change that removed the ability for multiple management agents on a Microsoft Identity Manager Synchronization Server to simultaneously run synchronization run profiles. I detailed the error you get in this blog post.
At the time it didn’t hurt me too much as I didn’t require any other fixes that were incorporated into that hotfix (and the subsequent hotfix).…