ILM 2007 FP1 installed on RTIS hosted VM

    Question

  • Hi Team,

    We have ILM 2007 FP1 and SQL 2005 SP2 to be installed on virtual environment running on Win 2008 server hosted on VM. We have one Virtual server for ILM and one for SQL

    While we go about this task, should this setup be on the same host or separate host? Which is better in terms of performance?

    Regards,

    Venkat

    27 August 2010 11:38

Answers

  • There are a lot of "it depends" in all answers you could get on this. Usually, you typically get the best performance when installing ILM on the server on which SQL is running. If you have a sufficiently large DB, you should make sure to have SQL using storage on a pass-through disk. Otherwise, your performance is likely going to be suffering. In order to install on Win2k8, I think you will need ILM2007 FP1 SP1. Also, you cannot install on the x64 version of the OS. See also the ILM FAQ.

    If you are doing a new install, I would consider implementing the sync engine of FIM 2010, which has the exact same capabilities (with a couple of minor differences) as ILM 2007 and will show to future proof (64bit, SQL 2008, Win2k8R2, ... + you can add the expanded capabilities of the FIM service later on if you need it)


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    27 August 2010 20:30
  • In addition to Paul's guidance I'd also remind that if you DO run SQL on a different VM then you can run the SQL VM on x64.  Makes it easier to assign gobs of memory to the SQL server instead of fussing with PAE and AWE on x86.  You'll still need to run ILM on an x86 VM.
    CraigMartin – Edgile, Inc. – http://identitytrench.com
    30 August 2010 21:54

All replies

  • Hi Paul & Craig, thanks for your reply.

    I have ILM 2007 running on x86 VM - dual core 2.93 GHz Xeon CPU with 8 GB RAM and  SQL running on 64 BIT processor on 2.93 GHz Xeon CPU with 8 GB RAM.

    Now the issue is:

    I have SQL installed on x64 Box - fresh installation with SP2

    On the current MIIS2003 Env running on Win 2003 Server & sql 2005 SP2 , I stopped MIIS 2003 service, took a key back up.

    From my old MIIS 2003 db I have restored the database to the new x64 SQL server VM setup 

    Next, on the x86 VM box, installed ILM FP1 MSDN version. All steps go fine, I point to the new database, then it prompts for the Key - the key from previous MIIS 2003 backup set is pointed to, setup completes. However when I invoke ILM 2007 from start menu, the service does not start.

    The error message / exception thrown is:

    -------------------------------------------------------------------------------

    "Unable to connect to Microsoft Identity Integration Server"

    "Some possible reasons are:"

    "1.The service is not started"

    "2.Your account is not a member of the requested security group"

    "see Microsoft Identity Server documentation for details"

    -------------------------------------------------------------------------------

    Now I can confirm to you all that I have my accounts perfectly in place, the old MIIS 2003 setup works on those accounts

    I have local admin rights on the VMs, also the accounts

    MIISAdmins
    MIISOperators
    MIISJoiners
    MIISBrowse
    MIISPasswordSet

    have the Group scope at Local domain levels, which the old MIIS 2003 kit uses and works perfectly good.

    I'm still puzzled why ILM 2007 installed on x86 VM throws this error.

    So, did not stop here, I uninstalled ILM 2007 from the VM and reinstalled on a Win 2003 blade server (physical machine) running on quad CPU with 12 GB RAM and pointed to the SQL db installed on the x64 Win 2008 VM setup. On encryption key prompt I pointed to the same old key back up taken earlier and started ILM ..., It works just fine !!

    So, I'm not sure where the issue is could you both throw some light on this please?

    Regards,

    Venkat

    9 September 2010 6:11
  • Venkat,

    You might need to run MIISActivate as well. Could you check the event log for anything additional? Also, did you check whether the ILM service is started?

    Paul.


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    9 September 2010 13:29
  • I've been stuck there before too.  Running the MSI from a command prompt as Administrator worked for me (not just logged on as admin, right-click then choose Run As Administrator).

    BTW - I have a VM running ILM in a similar topology (ILM in a VM, SQL2008x64 on real HW).


    CraigMartin – Edgile, Inc. – http://identitytrench.com
    9 September 2010 22:40
  • Venkat,

    Are you still having this problem? If so, please state what the application event log shows when you attempt to start the ILM service, Microsoft Identity Integration Server(miiserver.exe). If it fails to start, it has always shown an error when this has happened to me.

    26 September 2010 4:10
  • Hi All,

    Sorry for this late reply. Yes, I still get the same error

    I first tried with MIISactivate.exe - that also fails to start the service

    The event logs when ILM was invoked from Start menu :

    =========================================================

    The server encryption keys could not be accessed.

     

    User Action

    Verify that the service account has permissions to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Identity Integration Server

     

    If the problem persists, run setup and restore the encryption keys from backup.

    =========================================================

    The event logs when the Service was started manually from Service.msi

    =========================================================

    The server encountered an unexpected error and stopped.

     

    "BAIL: MMS(3392): mmscrypt.cpp(2956): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(2528): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(380): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): storeimp.cpp(635): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): server.cpp(299): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): server.cpp(3335): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): service.cpp(1483): 0x80231000 (The server failed to create or load its encryption keys.)

    ERR: MMS(3392): service.cpp(966): Error creating com objects. Error code: -2145185792. This is retry number 0.

    BAIL: MMS(3392): mmscrypt.cpp(2956): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(2528): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(380): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): storeimp.cpp(635): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): server.cpp(299): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): server.cpp(3335): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): service.cpp(1483): 0x80231000 (The server failed to create or load its encryption keys.)

    ERR: MMS(3392): service.cpp(966): Error creating com objects. Error code: -2145185792. This is retry number 1.

    BAIL: MMS(3392): mmscrypt.cpp(2956): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(2528): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(380): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): storeimp.cpp(635): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): server.cpp(299): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): server.cpp(3335): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): service.cpp(1483): 0x80231000 (The server failed to create or load its encryption keys.)

    ERR: MMS(3392): service.cpp(966): Error creating com objects. Error code: -2145185792. This is retry number 2.

    BAIL: MMS(3392): mmscrypt.cpp(2956): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(2528): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): mmscrypt.cpp(380): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): storeimp.cpp(635): 0x8009000b (Key not valid for use in specified state.)

    BAIL: MMS(3392): server.cpp(299): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): server.cpp(3335): 0x80231000 (The server failed to create or load its encryption keys.)

    BAIL: MMS(3392): service.cpp(1483): 0x80231000 (The server failed to create or load its encryption keys.)

    ERR: MMS(3392): service.cpp(966): Error creating com objects. Error code: -2145185792. This is retry number 3.

    BAIL: MMS(3392): service.cpp(980): 0x80231000 (The server failed to create or load its encryption keys.)

    Microsoft Identity Integration Server 3.3.0118.0"

    ===================================================================================

    But I can confirm that the key backup is taken from my Live production kit running on MIIS 2003 after stopping the service there.

    Regards,

    Venkat

    1 October 2010 8:05
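
    As an added example (not code from any poster in this thread), the BAIL chain in the event text above can be triaged mechanically. The Python sketch below groups the lines by retry, takes the first BAIL of each chain as the originating failure (an assumption about how the errors propagate), and shows that the decimal `-2145185792` in the ERR lines is the same value as `0x80231000`; all function and variable names are illustrative.

```python
import re

# Abridged from the event text quoted in the post above (two of the four retry cycles).
SAMPLE = """\
"BAIL: MMS(3392): mmscrypt.cpp(2956): 0x8009000b (Key not valid for use in specified state.)
BAIL: MMS(3392): storeimp.cpp(635): 0x8009000b (Key not valid for use in specified state.)
BAIL: MMS(3392): server.cpp(299): 0x80231000 (The server failed to create or load its encryption keys.)
ERR: MMS(3392): service.cpp(966): Error creating com objects. Error code: -2145185792. This is retry number 0.
BAIL: MMS(3392): mmscrypt.cpp(2956): 0x8009000b (Key not valid for use in specified state.)
BAIL: MMS(3392): server.cpp(299): 0x80231000 (The server failed to create or load its encryption keys.)
ERR: MMS(3392): service.cpp(966): Error creating com objects. Error code: -2145185792. This is retry number 1.
BAIL: MMS(3392): service.cpp(980): 0x80231000 (The server failed to create or load its encryption keys.)
"""

BAIL = re.compile(r"BAIL: MMS\(\d+\): ([\w.]+)\((\d+)\): (0x[0-9a-fA-F]{8}) \((.*)\)$")
ERR = re.compile(r"ERR: MMS\(\d+\): .*Error code: (-?\d+)\. This is retry number (\d+)\.")

# Only one code is named here: 0x8009000b is the standard CryptoAPI value NTE_BAD_KEY_STATE.
KNOWN = {0x8009000B: "NTE_BAD_KEY_STATE"}

def to_hresult(signed):
    """Convert the signed decimal in the ERR line to its unsigned 32-bit form."""
    return signed & 0xFFFFFFFF

def triage(text):
    """Return one record per retry: first BAIL (assumed root cause) and surfaced code."""
    attempts, chain = [], []
    for raw in text.splitlines():
        line = raw.strip().strip('"')  # the pasted log starts with a stray quote
        bail = BAIL.match(line)
        if bail:
            chain.append((bail.group(1), int(bail.group(2)), int(bail.group(3), 16)))
            continue
        err = ERR.match(line)
        if err and chain:
            src, lineno, code = chain[0]  # assumption: first BAIL is the innermost failure
            attempts.append({
                "retry": int(err.group(2)),
                "root": (src, lineno, code, KNOWN.get(code, "unknown")),
                "surfaced": to_hresult(int(err.group(1))),
            })
            chain = []  # following BAIL lines belong to the next retry
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        src, lineno, code, name = a["root"]
        print(f"retry {a['retry']}: root {src}({lineno}) 0x{code:08x} {name}; "
              f"surfaced 0x{a['surfaced']:08x}")
```
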
  • Hi all,

    Finally I installed ILM FP1 on a physical Server. All issues got resolved.

    Inference: Please don't install ILM FP1 on Virtual Server. It is not stable and too risky to take a chance.

    Next coming up :

    To provision Exchange Server 2003 & 2007 on ILM 2007 FP1 - keep you posted on all nightmares !

    Regards,

    Venkat

    29 October 2010 5:38
  • Hi there all,

    I had this exact same issue, was setting service account settings and rights (absolutely sure I used the right accounts, tried both domain- and local with same account name). Even set the registry key rights for MIIS with no luck.

    Resolved it in the end by simply abandoning the old key set (threw an exception but working now and all is fine) and then exporting to a new keyset.

    Problem is solved for me at least.

    /Mikael

    PS: This was a new installation on a Virtual server, config and keyset came from an earlier server with the same version of ILM that resided on a physical server.
    7 February 2012 8:57