FIM MA

    Question

  • Trying to build a new DEV environment, and when I attempt to create a FIM Management Agent I keep getting the following error message (I blanked out the Domain name on purpose - otherwise it is there).

    I was able to build a SQL Management Agent that connects to an Instance on the same server as the FIM Instances.

    I'm sure this is a permission error with the service accounts, but I'm at a loss.

    Help Please!!!

    Friday, March 30, 2012 6:30 PM

Answers

  • Did you already have rollup 2 installed? I had a problem last week where I could not create the FIM MA after installing rollup 2 - the FIM MA had to be created first. I logged it on connect here: https://connect.microsoft.com/site433/feedback/details/734364/cannot-create-fim-ma-after-installing-rollup-2

    http://www.wapshere.com/missmiis

    • Marked as answer by MRMO Tuesday, April 03, 2012 4:27 PM
    Tuesday, April 03, 2012 3:49 AM

All replies

  • Try to log in to the database using SQL Server Management Studio on that box using the credentials you mentioned above. Afterward try to open the FIMService database. If any of these steps fail, then you have some permission issue. In that case, you would need to create a login for that account in the SQL server and assign public rights and the FIM_SynchronizationService role to the account. That should work.
    Friday, March 30, 2012 9:23 PM
  • The account MUST be the same as the one you have specified during the FIM installation.
    It doesn't help to have an account with sufficient access rights to the SQL dB.

    The fastest method that typically helps to fix the 80% case is to run the FIM installation in change mode (Control Panel / Programs and Features) and to assign a new FIM MA account.
    That way, you know for sure that the account works.

    A bit more time consuming is troubleshooting by using a script.
    You can, for example, use How to Use PowerShell to Test the FIM Management Agent Account.

    The script displays the account name and the SID of the account you have configured as MA account during the installation of FIM.

    I have seen cases where the account was deleted and recreated with the same name.
    Since the SIDs didn't match, the account didn't work anymore.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Friday, March 30, 2012 10:00 PM
    Owner
  • Hi FIM Guy,

    I was able to log on to the SQL server as each service account (svc-fim-sync, svc-fim-service and svc-fim-agent) and navigate the Instance without any errors.

    Sunday, April 01, 2012 5:40 AM
  • Hi Markus,

    I tried going into Control Panel / Programs and Features to run the install wizard in Change Mode several times. I even fully uninstalled and reinstalled FIM, as well as blew away the SQL databases, and still no joy. When I run the script I get the following output...

    FIM MA Account Test
    ====================
     -Reading registry configuration
     -FIM MA account name: PLUGNPLAY\svc-fim-agent
     -FIM MA account SID : S-1-5-21-2036182890-1287684832-4196975618-2118
     -Reading MA configuration

    Error: Failure on making enumeration web service call.

    Filter = /ma-data[SyncConfig-category='FIM']
    Error= System.Runtime.Serialization.SerializationException: Error in line 1 position 339. Expecting element 'Metadata' from namespace 'http://schemas.xmlsoap.org/ws/2004/09/mex'.. Encountered 'Element'  with name 'Fault', namespace 'http://www.w3.org/2003/05/soap-envelope'.
       at System.Runtime.Serialization.DataContractSerializer.InternalReadObject(XmlReaderDelegator xmlReader, Boolean verifyObjectName)
       at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName)
       at System.ServiceModel.Channels.Message.GetBody[T](XmlObjectSerializer serializer)
       at System.ServiceModel.Channels.Message.GetBody[T]()
       at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)
       at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()
       at Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager()
       at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(SearchParameters searchParameters, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken)
       at Microsoft.ResourceManagement.Automation.ExportConfig.EndProcessing()

    Sunday, April 01, 2012 6:02 AM
  • Did you run the script in the context of the FIM admin account?
    Can you create objects using the portal with that account?

    At least, you can get from the script that you don't have a SID issue with your MA account.
    Is your FIM computer a DC?

    In this case, your MA account also needs logon locally granted.
    It might be a good idea - just for troubleshooting - to configure an admin account as MA account.

    If that doesn't help, your best bet is CSS...

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Monday, April 02, 2012 10:07 PM
    Owner
  • When I run the script while logged in as the FIM-Admin I get the following:

    FIM MA Account Test
    ====================
     -Reading registry configuration
     -FIM MA account name: PLUGNPLAY\svc-fim-agent
     -FIM MA account SID : S-1-5-21-2036182890-1287684832-4196975618-2118
     -Reading MA configuration

    Error: There is no FIM MA configured on your system

    The above error makes sense because I cannot create a FIM MA due to my issue.  I doubt there is a SID issue because I completely nuked the VM that FIM was installed on, as well as the SQL databases.

    I was able to create a SQL MA that connects and reads an instance\database on the same SQL server. I haven't tried anything in the portal since I have not pulled any users in. When I do search the portal all I see is the FIM-Admin and the Built-In Sync accounts as expected.

    The FIM server and the SQL server are both individual VMs running on the same Hyper-V host - not running on a DC.

    The Event Viewer logs on the FIM server are all clean - no errors.

    The Event Viewer logs on the SQL server only show this one error:

    Log  Windows NT (Application)

    Source  MSSQL$FIM_SERVICE
    Category  Logon
    Event  3221243928
    User  XXXXX\SVC-FIM-Service
    Computer  sql-1.xxxxx.local

    Message
    Login failed for user 'XXXXX\svc-fim-service'. Reason: Failed to open the explicitly specified database. [CLIENT: 192.168.0.xx]

    Any ideas on what to look for in the SQL Instance, configuration that might be causing this?  I think that FIM is installed correctly, but something is clearly not right with SQL.

    Monday, April 02, 2012 11:01 PM
  • That was exactly the issue.

    I went from FIM 2010 - RTM to Update 2.

    I rolled back my VM to FIM 2010 - RTM and then went to HF v4.0.3594.2 and I was then able to create the FIM MA.

    Tuesday, April 03, 2012 4:29 PM
  • From MS PSS -

    If you are using FIM 2010 Update 2 (4.00.3606.2), then the below steps should resolve your issue.

    1. On the FIM Synchronization Service machine, stop the FIM Synchronization Service
    2. Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin
    3. Edit the miiserver.exe.config file
    4. In the <startup> section, swap the order of the supportedRuntime

    FROM

    <startup useLegacyV2RuntimeActivationPolicy="true">
      <supportedRuntime version="v4.0.30319"></supportedRuntime>
      <supportedRuntime version="v2.0.50727"></supportedRuntime>
    </startup>

    TO

    <startup useLegacyV2RuntimeActivationPolicy="true">
      <supportedRuntime version="v2.0.50727"></supportedRuntime>
      <supportedRuntime version="v4.0.30319"></supportedRuntime>
    </startup>

    Save the miiserver.exe.config file

    1. Start the FIM Synchronization Service
    2. Create the FIM Service Management Agent
    • Proposed as answer by UNIFYBobMVP Monday, May 28, 2012 4:12 PM
    Thursday, April 05, 2012 12:32 PM
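As an added example (not from the thread, not Microsoft's own tooling), a PowerShell script that performs the check and swap described in the PSS steps above: it reads miiserver.exe.config, reports the current supportedRuntime order, and with -Fix backs the file up, puts v2.0.50727 before v4.0.30319, and restarts the service. It assumes the config path quoted in the post and the Windows service name FIMSynchronizationService.

```powershell
# Added example: check/fix the supportedRuntime order in miiserver.exe.config.
# Assumptions: the config path from the post; service name 'FIMSynchronizationService'.
param(
    [string]$ConfigPath = (Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.config'),
    [string]$ServiceName = 'FIMSynchronizationService',   # assumed service name
    [switch]$Fix                                          # without -Fix, report only
)

if (-not (Test-Path $ConfigPath)) { throw "Config not found: $ConfigPath" }

[xml]$config = Get-Content -Path $ConfigPath -Raw
$startup = $config.configuration.startup
if (-not $startup) { throw "<startup> section missing in $ConfigPath" }

# supportedRuntime versions in file order; the loader honours the first one listed
$runtimes = @($startup.supportedRuntime | ForEach-Object { $_.version })
Write-Host "Current supportedRuntime order: $($runtimes -join ', ')"

$v2Index = [array]::IndexOf($runtimes, 'v2.0.50727')
$v4Index = [array]::IndexOf($runtimes, 'v4.0.30319')
if ($v2Index -lt 0 -or $v4Index -lt 0) { throw 'Expected both v2.0.50727 and v4.0.30319 entries' }

if ($v2Index -lt $v4Index) {
    Write-Host 'v2.0.50727 is already listed first; nothing to do.'
    return
}

Write-Warning 'v4.0.30319 is listed before v2.0.50727 (the order the PSS steps say to swap).'
if (-not $Fix) { Write-Host 'Re-run with -Fix to swap the order.'; return }

# Back up before touching the file, then stop the sync service as step 1 requires
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
Stop-Service -Name $ServiceName -Force -ErrorAction Stop

# Move the v2 element in front of the v4 element; other <startup> children are untouched
$v2Node = $startup.supportedRuntime | Where-Object { $_.version -eq 'v2.0.50727' }
$v4Node = $startup.supportedRuntime | Where-Object { $_.version -eq 'v4.0.30319' }
[void]$startup.InsertBefore($v2Node, $v4Node)
$config.Save($ConfigPath)

Start-Service -Name $ServiceName
Write-Host "Swapped order; backup at $ConfigPath.bak. Now create the FIM Service MA."
```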