Identity Lifecycle Manager Forum

Silent ILM Hotfix Installation

Mon, 23 Nov 2009 15:49:27 Z

Hi all,

I’m trying to do a complete silent installation of ILM 2007 FP1 + hotfix.

For the ILM installation I use msiexec.exe using a command line. ILM is installed correctly.

Now I need to install the hotfix (KB946797) which is a .msp file. During the installation I must enter the service account password, but I didn’t find how to pass this parameter to my command msiexec.

For the moment I tried with msiexec.exe / q / p “c:/setup/ILM_2007_FP1_ENT_KB946797.msp” /Lime “c: / log / log.txt” servicepassword = MyPassword

But apparently the password parameter is not correctly passed, because I have the following error :

Microsoft Identity Integration Server - Error 25001.The Microsoft Identity Integration Server FP1 setup wizard can not validate the information for service account, password, or domain or local computer. Verify the information entered is correct, and then try again.

I appreciate any help.

Martha

Live@edu MA setup error

Mon, 21 Jul 2008 20:28:04 Z

So I have read and read the guide for Live@edu implementation. While well versed in AD/Exchange, etc, my knowledge is limited on IIS implementation so I need some help please:

AD is stood up and working like a clock.
SQL and ILM are installed with no errors.
When I try to import the XML configuration file that Microsoft provided for ILM, I get the error [Unable to create the management agent from this file. Object reference not set to an instance of an object].

The guide completely passes over the setup and configuration of ILM and this is the part that I need the most help with. If anyone has this implemented and has a short cheat-sheet, I would be most grateful. I have my XML file and PFX file all ready, but not quite sure the process I need to follow to get them implemented.

HELP! Deadline approaching and the nerves are getting a little jingly!

-Allen

Append date to log file

Thu, 12 Nov 2009 12:22:40 Z

Im using MASequenceConfiguration to sequence and run (at present manually) some of my MA's. In this config gui there is a box that says where the system should write the log file, the problem is that it seems to overwrite the contents of this file eachtime the sequence is run. So is it possible to either tell ILM to append the current date to the end of the log file or create a new one each time?

Thanks

stopped-parsing-errors in Import phase of an Oracle management Agent

Fri, 20 Nov 2009 15:05:40 Z

Hello all,

I am using ILM 2007 (v3.3.118.0) on Windows 2003 SP2 and the metaverse DB is on a SQL Server 2005 SP3 remote server.

The import run step of an Oracle management agent has stopped working a few days ago and I don't understand why.
The import starts but it never finish. When I enable the log file option "Resume run from existing log file", I get the error stopped-parsing-errors.

I don't see anything wrong in the log file data. Can someone help me please with some suggestions on how to debug such error?

Thank you,

Regards,
Sam

ILM 2007 and Windows 2008 Server (AD and CA)

Tue, 24 Nov 2009 07:49:37 Z

Hi.

i have several questions related to ILM 2007:

- Does ILM 2007 (not ILM2) support Active Directory built on 2008 Domain Controllers?
- Does ILM 2007 (not ILM2) support Microsoft Certification Authority from Windows 2008 Enterprise Server? [Most important question]
- (not related to ILM 2007 but in the same CA area): Windows 2008 is OCSP-enabled. Are some clients/softwares to be installed on the Domain machines in order to verify certificates via OCSP?: for example RSA Validation Manager (OCSP-enable) works with RSA Validation Clients (installed on the Domain computers) in order to real-time check the state of the Certificate.

The topology is the following: i need clustering between 2 CA servers using networked HSMs. This can be done only with 2008 Server but, the Smart Cards and their software do not have support for ILM2. (they provide support only for ILM 2007).

Thank you for your support.

More extension-entry-point-not-implemented

Sun, 15 Nov 2009 09:49:07 Z

Hello,
I am playing with ILM 2007 FP1 for learning more about ILM, the scenario as listed in technet works for me, However I want to know do some attribute flow using coding in order to learn more
I have used the same scenario as synchronizing SQL data to AD, just modified the description attribute to have advanced and flow rule name of (flowmaps), then placed the following code:

Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport

' TODO: write your import attribute flow code

Select Case FlowRuleName

Case "flowmaps"

' TODO: remove the following statement and add your scripted import attribute flow here

mventry(

"description").Value = "123"

Throw New EntryPointNotImplementedException()

Case Else

' TODO: remove the following statement and add your default script here

Throw New EntryPointNotImplementedException()

I am testing how the development works and trying simple things first, but everythime I run the full sync run profile I get the following error:
extension-entry-point-not-implemented

I have some questions to ask:
- I have description field populated in the MV entries, how I can null them, I am trying mventry("description").delete and mventry("description").values.clear with no luck.
- what is wrong with my code.
- how I can populate attribute that doesn't exist in the original CD, for example I use attributes that comes from the SQL CD which is the samaccountname and description, If I want to populate the upn or the phone number "as example" in the mv, how I can do that the problem that in the MA I can choose to flow data that exists in the SQL, and SQL might not have upn for example so how I can configure it.

thanks and sorry for the lame questions.

Regards, Mahmoud Magdy

ILM/OpenLdap

Fri, 13 Nov 2009 17:39:00 Z

Is there way to configure the OpenLDAPPasswordExtension to not send send password changes in clear text?
After a long time posting to the forums I finally got ILM working where we can use ctrl-alt-del to change a password and synch with OpenLDAP only to find that it puts the new password in LDAP in plain text. Any ideas?
Thanks.

Moving Oracle database to local ILM server

Wed, 11 Nov 2009 11:51:02 Z

Hi,

I have moved the oracle database to the locale ILM test server, when I run the importing from oracle it gives an error that "failed-connection".
by the way the tnsnames.ora is changed and the ODBC testing is success also when I configure the MA the names of the columns are showing.

any idea's :)

Exchange Mailbox Provisioning for Existing Users Clarification?

Thu, 12 Nov 2009 19:30:02 Z

Because of the way workflow works here, we will just about always be using ILM (ILM 2007) to provision exchange accounts well after we have already provisioned the AD account.

I've read Carol's excellent notes here as well as the other items I could find about Exchange mailbox provisioning. (Thanks!)

But I'm still a little fuzzy about what exactly is going on with the exchange account/mailbox creation. I wonder if someone please confirm that my understanding below is correct?

Scenario 1: For Exchange 2003 or 2003/2007 hybrid: (our current environment)

1) Leave "Enable Exchange 2007 Provisioning" unchecked.

2) When an existing AD user needs a mailbox, use flow rules to set the four required Exchange attributes in the AD MA.

3) RUS updates Exchange with the AD attributes. And Exchange creates the mailbox for the user when the first Exchange activity takes place for the user.

Scenario 2: For an Exchange 2007-only environment (soon)

1) Set "Enable Exchange 2007 Provisioning" to checked.

2) When an existing user needs a mailbox, use flow rules to set the four required exchange attributes in the AD MA.

3) On Export, the AD MA calls the Exchange powershell utilities when it detects changes in the exchange attributes to complete the creation of the Exchange mailbox. (Or maybe the Exchange 2007 powershell utils are called by ILM only when a new AD user also needs to be created?)

If someone could clear this up for me I would really appreciate it.

Thanks,

Al

Keysrtroke Dynamics as a second factor of authentication

Thu, 19 Nov 2009 04:47:14 Z

I had the privilege of listening yesterday to somebody that the FBI catalogues as a "Computer Enthusiast". This person has hacked into 4 of the 10 largest banks in the U.S.
The way he did it is by finding the user id and pwd of bank employees using methods that range from keyloggers, sniffers, and physhing to social engineering and root kits.
After hearing his conference it became clear to me that given the layered nature of pc software (whatever the operating system) key recognition it at one of the highest levels (as well as key-up and key-down events).
I've been hearing a lot about MicroSoft's new pressure detection keyboard and how it could become an answer to this problem as well as a means to create reliable keystroke-dynamics based second factor authentication.
I would like some more clarification on MS strategy on this point, given that I have a strong impression that more than 95% of enterprise security breaches are achieved through user id and password theft. With a second fractor as the one described above, this woudl be reduced dramatically (providing that the laptop or desktop's layered software is bypassed at when taking the biometric measures.
Could somebody please explain what the strategy is in this respect?
Thx
Felix

Dual AD forest, dual Exchange org scenario

Wed, 18 Nov 2009 21:01:11 Z

We acquired a company a while back who had their own AD forest and were using Exchange. We are now trying to integrate them. We need for the time being to keep their infrastructure seperate but we would like to be able to sync our e-mail address books and calendar free busy.

We are both in Exchange 2007, so will use the 'availability' service for calendar sync; the question is how best to sync the address books.

Currently we run ILM 2007, FP 1 in Forest A, but not in Forest B. We could set up a second AD MA to manage Forest B, but what then is the best way to resolve the address book issue? I understand that we shouldn't run GAL Sync on the MIIS system with the AD MA('s); though we could run it on a seperate system. But is that the best way?

If we were to provision to both forests, could we instead set up provisioning such that users in Forest A would get an e-mail mailbox in Forest A and a Contact in Forest B (and vice versa?) Or is there a third and better way?

Thanks.

Ed Bell - Specialist, Network Services, Convergys

Unexpected error during synchronization cycle in ILM 2007 build 3.3.1118.2

Thu, 12 Nov 2009 16:28:48 Z

Hello everybody,

I've just got some problems about ILM synchronization while the joining process is performed by extension rule.

ILM has been installed on the vmware that runs Windows Server 2k3 EE R2. At the beginning, the build version was 3.3.118.0.
In order to get supported by Microsoft for virtual environment, i've patched it by applying the hotfix KB KB946797 (build version 3.3.1087.2) and KB969742 (build version 3.3.1118.02)
I've scheduled the delta synchronization cycle every 1/2 hour from Monday to Friday and supervised the stability of the patched version.
Everything was going fine until a couple of days ago, The synchronization has been crashed by an unexpected error. I've found in the EventViewer the following error messages:

Source: MIIServer EventID: 6301

The server encountered an unexpected error in the synchronization engine:

"BAIL: MMS(3292): clrhost.cpp(597): 0x80131604
BAIL: MMS(3292): scripthostloader.cpp(401): 0x80131604
BAIL: MMS(3292): scriptmanagerimpl.cpp(990): 0x80131604
BAIL: MMS(3292): scriptmanagerimpl.cpp(1014): 0x80131604
BAIL: MMS(1840): scriptmanagerimpl.cpp(450): 0x80131604
BAIL: MMS(1840): scriptmanagerimpl.cpp(6687): 0x80131604
BAIL: MMS(1840): ScriptManager.h(246): 0x80131604
BAIL: MMS(1840): ScriptManager.h(440): 0x80131604
BAIL: MMS(1840): joinam.cpp(281): 0x80131604
BAIL: MMS(1840): amexec.cpp(1022): 0x80131604
BAIL: MMS(1840): join.cpp(664): 0x80131604
BAIL: MMS(1840): join.cpp(410): 0x80131604
ERR: MMS(1840): join.cpp(437): Join: failed with error 0x80131604
ERR: MMS(1840): synccoreimp.cpp(480): 0x80131604 - join failed 0x80131604
BAIL: MMS(1840): synccoreimp.cpp(481): 0x80131604
BAIL: MMS(1840): synccoreimp.cpp(342): 0x80131604
BAIL: MMS(1840): synccoreimp.cpp(5970): 0x80131604
BAIL: MMS(1840): synccoreimp.cpp(2218): 0x80131604
ERR: MMS(1840): synccoreimp.cpp(2240): 0x80131604 - CS to MV to CS synchronization failed 0x80131604:
BAIL: MMS(1840): synccoreimp.cpp(2076): 0x80131604
ERR: MMS(1840): syncmonitor.cpp(2502): SE: Rollback SQL transaction for: 0x80131604
MMS(1840): SE: CS image begin
MMS(1840): <cs-object cs-dn="" id="{A8A6DD6D-2FAC-4EAB-8651-56924F1C608F}" object-type="Person">
...
[sorry, info confidential]
...
<synchronized-hologram>
</synchronized-hologram>
<anchor encoding="base64">1nFLAPNwJcEDKm9EzNJmfx9bOAASciXB</anchor>
<connector>0</connector>
<connector-state>normal</connector-state>
<seen-by-import>1</seen-by-import>
<rebuild-in-progress>0</rebuild-in-progress>
<obsoletion>0</obsoletion>
<need-full-sync>0</need-full-sync>
<placeholder-parent>0</placeholder-parent>
<placeholder-link>0</placeholder-link>
<placeholder-delete>0</placeholder-delete>
<pending>1</pending>
<ref-retry>0</ref-retry>
<rename-retry>0</rename-retry>
<sequencers>
<current>
   <batch-number>0</batch-number>
   <sequence-number>0</sequence-number>
</current>
<unapplied>
   <batch-number>0</batch-number>
   <sequence-number>0</sequence-number>
</unapplied>
<original>
   <batch-number>0</batch-number>
   <sequence-number>0</sequence-number>
</original>
</sequencers>
<import-delta-operation>add</import-delta-operation>
<export-delta-operation>none</export-delta-operation>
<pending-ref-delete>0</pending-ref-delete>
<ma-id>{42F7766B-2130-4374-A0AD-9F8B7261F762}</ma-id>
<ma-name>BU SITA DOMINO MA</ma-name>
<partition-id>{1B140F1C-4D50-471F-BE7B-3A66F761B510}</partition-id>
<last-import-delta-time>2009-10-30 14:04:33.953</last-import-delta-time>
</cs-object>

MMS(1840): SE: CS image end
Microsoft Identity Integration Server 3.3.1118.2"

and i've got just after the second error message: ".NET Runtime 2.0 Error" EventID 1000

Faulting application miiserver.exe, version 3.3.1118.2, stamp 4a417000, faulting module miiserver.exe, version 3.3.1118.2, stamp 4a417000, debug? 1, fault address 0x0014d64e.

It seems that the error occured while the joining was performed. In fact, i used a extension rule to define the join, but the code is very simple and i don't have any idea why it could lead to this unexpected error.

Here is the code:

protected override void ProtectedMapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        {
            switch (FlowRuleName)
            {
                case "JoinByMail":
                    string mail = csentry["InternetAddress"].Value.ToLower();
                    values.Add(mail);
                    break;

                default:
                    throw new EntryPointNotImplementedException();
            }
        }

At this stade, i 've tried to play a review on the error entry but everything went fine. I've tried also to run in debug mode but everything was ok.
After, i've been waiting for the next scheduled synchronization, and it performed correctly without error.
Today, i've got the same error, it's seems that the error is not persistent and somehow randomly that why i have no idea what the problem is.
I wonder if it was a bug of the patch version or what?

Any help would be greatly appreciated.

Thanks

Synchronization of two AD domains

Sun, 15 Nov 2009 20:58:13 Z

Hi,

I have a different requirement rather challenge in synchronizing two AD domains as described below.

I have old domain AD1 and new domain AD2 in the same enterprise. Majority (80%) of the users are migrated to AD2. Due to some application dependency we ought to live with AD1. Because of this all users of a department are still logging on to old domain AD1 still. Now we would like to make the users to login to the new domain keeping the dependency of old domain (AD1) in background and seamless to new users joining this department.

With this requirement our initial thought is to go for MIIS with old domain as slave AD

Catch here is due to another application dependency we cannot have same user id in both the domains. I mean if we have 'user1' in AD2, it should be 'user1-AD1' in the old domain AD1 but with the same password as in AD2. We cannot have samaccountname as 'user1' in both the domains.

While I install and explore MIIS 2003, can someone guide me if this is possible at all

Thank you

CLM - Use One Time Secrets but Do Not Distribute Them?

Tue, 17 Nov 2009 14:39:27 Z

So this has been eating at me since I first started working with idNexus. There is an option when configuring OTS' to create them but to not distribute them. For the life of me I've not been able to figure out a use case for this option. Can anyone on the product team provide an explanation of when this option would be used?

Thanks!

Paul Adare CTO IdentIT Inc. ILM MVP

Managing tables that don't auto-increment

Tue, 17 Nov 2009 02:55:16 Z

I need to provision records to an Oracle table that has a primary key that is not setup to auto-increment (and no, I can't change it!). I know that is generally frowned upon to be doing inserts/calling stored procs in your provisioning code, so what is the best solution here? Operational MA? I'm not really an Oracle person, but my other thought was to use a before_insert trigger that would fill in the id if it was null. Not sure if that would work or not. Anyways, how have you folks solved this problem in your projects?

Error in CLM

Tue, 17 Nov 2009 08:24:29 Z

Erro details:

Please note the following information and contact your system administrator:

No mapping between account names and security IDs was done

Technical Details

Type:	System.ComponentModel.Win32Exception
Source:
Stack Trace:

Go to Certificate Home Page

: We are facing this erros while search the user certificate details in CLM and downloading the certificate.

Please help me to get this resolved....

groupwise

Wed, 11 Nov 2009 15:58:03 Z

Is it possible to use ILM for synchronizing the GAL with groupwise accounts? We currently have Exchange 2007 however we keep an Exchange 2003 running the groupwise connector so that we can import Groupwise acounts as contacts for our GAL. We use GalSync to import other AD forest contacts and are wondering if this could be use with Groupwise.

Thanks,

Joe

Firewall ports needed for PCNS to work

Thu, 12 Nov 2009 11:22:33 Z

Hi,

Can somebody provide all ports I need to open on externall firewalls between MIIS and DCs to get PCNS working?
Now I receive error The password change notification target could not be contacted.

Looking on documentation for PCNS there are some ports (57500-57520, 135) but without directions so I have opened them bi-directional but still have the same issue.

I'm sure my configuration of MIIS is OK cause on DC without firewall PCNS works fine.
So what ports and in which way should be open?

Smartcard logon to ILM works, but after that, ILM functions give access_denied

Mon, 07 Jul 2008 18:20:27 Z

Hi.

I'm working with IML 2007 FP1. When using ILM with user/password for authentication, it works as expected. Then, I disable user/password authentication and enable smartcard logon only for the CLM virtual directory on IIS. The users can effectively log on into ILM using their smartcard, but, when they try to use ILM options, that's when the problem arises. It gives kind of an access-denied error.

Steps executed:

1. User cert is mapped to user account in AD using NameMappings for the corresponding accounts.

2. On CLM IIS virtual directory: "require client certificates" and "enable client certificate mappings" are both enabled.

3. "Enable the windows directory service mapper" is enabled on the IIS machine running ILM.

4. On CLM IIS virtual directory: all authentications are disabled, except the certs features mentioned.

The users can log on into ILM using their smartcards. The username is shown on ILM interface as the user expected (i.e. domain\username). But then, the users try to use ILM and they get access-denied.

So, it seems to me is an authorization/impersonation or user rights problem. What I don't understand is why this is happening with the smartcard logon only. The very same user, using username/password, has no problems at all.

Any thoughts?

Reconnecting Mailboxes in a Bulk

Mon, 16 Nov 2009 11:09:30 Z

Hello Folks

A situation exists where the mailboxes are in a disconnected state because of an accidental deletion of an OU containing users across a trusted forest. After this mishap, Forest A(Where OU Container existed) did an authoritative restore of the users.

In Forest B(Where Mailbox Database existed) the list of users were retrieved, created and reconnection of the mailboxes were done manually for 100+ users using the exchange management console.

Type of Mailboxes: Linked Mailbox
Topology: Exchange Resource Forest Topology

I was curious to know if we can write a script to automate the reconnection process?

Regards
Justin

Create DB user with ILM

Thu, 12 Nov 2009 11:26:22 Z

I have a newbie question regarding provisioning with ILM 2007 Feature Pack 1 which i have downloaded as 180 day trial from Microsoft to test things out.

Is it possible to create a DB user and assign him a DB role in Oracle DB 9 with ILM 2007?
The user then can normally log in to the DB and can do all the stuff his role entitles him to...

If not is that mybe possible for Microsoft SQL server 2005 ???

Thank you very much for your answers.

friendly name for certificates issues by CLM

Sat, 14 Nov 2009 18:23:52 Z

I have profile template that issues signing certificates to the users. but i want the friendly name of the certificates issued appears as the subject name of the ceritifcate , how can i do this?

ammarhasayen

Missing a dll for OpenLdap

Thu, 12 Nov 2009 20:31:16 Z

Here is my setup:

This is ILM 2007 Enterprise Edition
Version 3.3.118.0
I am not sure what type of license was used but I believe it was part of a volume licensing agreement..
The Sql server is on the same box and is 2005
Here is the version/build info:
Microsoft SQL Server Management Studio      9.00.4035.00
Microsoft Analysis Services Client Tools      2005.090.4035.00
Microsoft Data Access Components (MDAC)      2000.086.3959.00 (srv03_sp2_rtm.070216-1710)
Microsoft MSXML      2.6 3.0 4.0 6.0
Microsoft Internet Explorer      7.0.5730.13
Microsoft .NET Framework      2.0.50727.3082
Operating System      5.2.3790

Ilm is connected to AD 2003 Schema and OpenLdap.
We have configured MA for AD and OpenLdap.

Here is my goal.
To sync password changes in Ad to OpenLdap.
When a user does a Ctrl-Alt-Del to change their pw we want it to be synced to Openldap.
I have both the ADMA and OpenLDAP MA configured and working.

When I try to change a password in AD and have it synch with OpenLDAP I receive the following error:

Event Type: Warning

Event Source: MIIServer

Event Category: Password Synchronization

Event ID: 6901

Date: 11/12/2009

Time: 2:06:38 PM

User: N/A

Computer: MCBILM1

Description:

A password synchronization set operation has failed in a target connected data source.

Additional information:

Tracking ID: {5388C8E8-5482-420F-B172-3FED08FE2952}

Reference ID: {B18AD1CA-1C66-4FBC-9F6C-B7801B55726A}

Target Object GUID: {362663FE-1EF1-4CBD-9860-AA3791E17B81}

Target DN: uid=xxxxxxxx,ou=xxxxxxx,dc=xxxxxxx,dc=xxx

Target MA Name: OpenLdap

Retry Count: 8

ErrorCode: 0x80230727

ErrorString: (The specified extension could not be found.)

I believe this is referring to the OpenLDAPPasswordExtension.dll which does not appear to be on my system although it is supposed to be installed with the OpenLdap XMA setup. Any ideas where I can get this dll?

Question on performance expectations

Mon, 12 Oct 2009 21:57:31 Z

We recently upgraded from MIIS 2003 to ILM 2007 and we are finding

that most things are running considerably slower than they used to.

The Group Populator is incredibly faster with ILM 2007.

But the whole daily processing is slower. About 150% - 200% slower.

I'm thinking that perhaps we have sized our systems too small,

but would appreciate some help in determining what we do next.

On the older system we were running the Exchange Labs v2 Management Agent
and standard MIIS 2003 SP2

On the newer system we are running the newer Outlook Live
(Exchange Labs) v3 Management Agent, which makes heavy use of Power Shell.
Also the ILM 2007 that is installed on the new system is not the out of the
box ILM. It was modified by Microsoft specifically for working with
Outlook Live.

On the ILM 2007 system, while a daily run is going on,

I have noticed memory consumption of 90% - 97% utilization.
The CPU is only at about 1%-10% utilization across all processors together.
So the CPUs seem to be handling it just fine, but there is a lot of page faulting going on.

The miisserver is typically a 70-90 meg working set.
But when the Outlook Live MA runs, the miisserver working set swells to over 500 megs.
SQL server is typically a 1.7 gig working set and doesn't change much in size..
These two are doing most of the work.

Here are the systems:

Old System
MIIS 2003 SP2 (standard build)
Windows 2003
3.6ghz Xeon dual hyperthreaded processors (looks like 4)
3.5 gig ram
SQL 2000
dual contollers each with 256 meg cache
three mirrored raid 1 sets for OS, logs, data
2 - 300 gig disk mirrors
2 - 146 gig disk mirrors
4 - 72 gig disk mirrors

New System
ILM 2007 (special build from Microsoft for Outlook Live)
Windows 2008 32 bit mode
2.33 ghz Xeon dual quad core processors (looks like 8)
4.0 gig ram
SQL 2005
single controller with 512 meg cache
three mirrored raid 1 sets for OS, logs, data
2 - 146 gig disk mirrors
4 - 146 gig disk mirrors
2 - 146 gig disk mirrors

If I add more memory to the ILM 2007 system, how well will it be utilized?
Eg, can I get SQL to have a very large working set over 2 gigs?

I had heard from someone that more than 4 gigs of memory would not
really help the miisserver. is that true?

All help and ideas appreciated

Using IIFP "GALSync" on Multiple Sites with Multiple users with Multiple email addresses per user

Fri, 13 Nov 2009 01:18:07 Z

Hi guys,

I guess I am just a bit confsed and I hope you can help a little. Here is the scenario I hope you can help.

Lets get into it.

domain1

Users in this domain have email addresses:
@domain1.com <default SMTP address>
@aquired1.com
@aquired2.com

domain2
GALSync has run and syncd.
The details that have come across however if you look in the contact that is created. The follwoing is evident:
@aquired2.com will be set under the Exchange general tab so it would try and route mail to that address not to the default

Things you will need to know is there is a mail marshal system in place on both domain. They reference DNS internally so mx records are internal to domain1. External mx records for aquire2.com no longer exist.

Internal SMTP connectors have been configured on both are using domain1.com on domain2's address space then vice versa for domain1.

Why does the GALSync change addresses? Should it not keep the default SMTP address in the Exchange General tab

The main issue is that mails are getting bounced back.

Query Active Directory for Terminal Services Profile Path

Tue, 01 Sep 2009 20:48:07 Z

Hello, I would like to know how to query Active Directory for all user accounts who have the Terminal Services Profile Path and/or the Terminal Services Home Folder fields populated. When I perform a Custom Search, these fields do not appear in the drop-down list under "User". Is there an LDAP query for this? Thank you.

PCNSSVC Start and then stop with the following a event id 7000 error

Wed, 11 Nov 2009 19:11:51 Z

I have installed PCNS on 2 WIN 2k3 Domain Controllers with no problem, I have configure PCNS and SPN and it is working for those two domain controllers. I have installed PCNS on a third Win 2k3 DC. The installation was successfull and after the restart the service (pcnssvc) did not start on this DC. I have manually started the pcnsvc service but it stops after a few seconds. I have checked the eventviewer and have found this error:

Event Type: Error

Event Source: PCNSSVC

Event Category: Unexpected Error

Event ID: 7000

Date: 11/11/2009

Time: 10:43:32 PM

User: N/A

Computer: MS3

Description:

An unexpected error occurred. service.cpp (766): The target principal name is incorrect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 22 03 09 80 "..€

I would like to resolve the issue but I don't know were to look for the problem as I can't find anything regarding this error on the net.

PCNS state that has successfully installed on two 2K8 64bit DC, but when I restart the DC's PCNSSVC is not part of the services.

Wed, 11 Nov 2009 19:20:26 Z

I have successfully installed and configured PCNS on 2 WIN 2k3 32bit DCs. I have run the command "msiexec /a "Microsoft ...." successfully on two WIN2k8 DCs. The setup process start and ask me were do I want to install PCNS. If I select "c:\" or "C:\Program Files" it will create a new folder "Program Files 64" and then create the PCNS folder with the files "pcnscfg and pcnsvc". I will restart the DCs but the PCNSVC is not part of services when the DCs have restarted.

ILM

Sun, 08 Nov 2009 09:49:26 Z

HI ,
Is it possible to do synchronization between the useraccounts other than ILM i.e like by Extending Schema to store Child account details,or any other ways via active directory??

Please let me know any documents if exist on this.

Thanks in Adv,
Crew.

MIIS and .Net framework versions (unexpected errors).

Wed, 11 Nov 2009 09:08:37 Z

I have the problem described below:

I had working MIIS (MIIS 2003 enterprise version 3.0.692.0) and it was all good.

The extension etc were developed in Microsoft visual basic .net 2003 environment version 7.1.3088 and Microsoft .net framework 1.1 version 1.1.4322 sp1 (data taken from the about info)

The sync and provision don't work right now – I get unexpected errors when I get and I cannot debug and find the exact place it thrown)

I am sure it's because I have installed dot net framework version 3.5 since I had to have a web service running on the same machine that needs framework 3.5

Now the questions:

1. Am I correct and this is the problem?

2. What version of .net framework MIIS 2003 enterprise version 3.0.692.0 needs to work with?

3. can I have few .net frameworks on the same machine and have the MIIS associate and working with specific .net framework (version 2?) and the web service to work with different version (3.5)?

I have a thread regarding this but its regarding different version of MIIS:

http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/b4f30f09-1724-41f4-8a07-9a53b61bb2ac

4. How this can be done? Please be specific regarding the steps and operations.

Thank you all.

Database files - no space in c drive problem.

Mon, 09 Nov 2009 10:02:16 Z

Hello all,

I have installed MIIS on drive C:\ and now I have very small free space on this drive. This MIIS is in production.

I have found the following thread:

http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/db90e453-d54b-4c4d-9d8e-a6e0c232cbd6

My questions:

1. Can I keep the MIIS installation on drive c and somehow make the log file created/updated in another drive?

2. And If I can do that what I need to do with those 2 files (Found in c\program files\Microsoft Identity Integration Server\data ) -

MicrosoftIdentityIntegrationServer_log.LDF and MicrosoftIdentityIntegrationServer.mdf ?

3. if I can't have it that way - what is my best option? Clearing run history and shrinking the database? How can I decrease the size of those 2 files?

4. if I need to uninstall and install it again in another drive how can I recover to the same situation (data, MAs, sync etc in my current miis)?

Thank you.

ILM

Sun, 08 Nov 2009 11:31:06 Z

Hi ,
I have 3 applications on three data base servers :XY,YZ and ZX to access this applications i have three differnt user names and password.
Can any one suggest the best possible to use single user name and single password for differnt applications on differnt servers.

Regards
Crew

Disconnector doesn't rejoin

Mon, 09 Nov 2009 11:46:51 Z

Hi all,

Im new to ILM so my guess is i've missed something obvious here but I really can't figure it out. So...

I have a SQL MA that imports data from the HR system, this data is then pushed out to an AD MA and another different SQL MA, I have an anchor set in the SQL MA which is the employeeId and direct join rulles for this.

When a staff member is no longer returned from the HR system I have configured the Deprovision method in both MA's to do some simple housekeeping work and to then return DeprovisionAction.Disconnect. When I do a search in the HR connector space the object has disapeared, and in the other 2 MA's the object is still there with the connector value set to False and Explicit value also set to false, a search in the metaverse does not return an object for the user. I think this so far all seems to be correct, right?

Now if I do another import from the HR SQL MA and the staff member reappears the object is created in the HR connector space only, when I try to run a sync I then start getting errors. The SQL MA throws an extension-dll-exception which basically says that the DN already exists (the Dn is the employeeID).

How do I get ILM to join the disconnectors in the AD and 2nd SQL MA to the "new" object just imported in the HR MA?

Hope this all makes sense.

Thanks for any help

ILM 2007 AD MA not synching

Thu, 29 Oct 2009 14:33:17 Z

Here is my setup:

This is ILM 2007 Enterprise Edition
Version 3.3.118.0
I am not sure what type of license was used but I believe it was part of a volume licensing agreement..
The Sql server is on the same box and is 2005
Here is the version/build info:
Microsoft SQL Server Management Studio      9.00.4035.00
Microsoft Analysis Services Client Tools      2005.090.4035.00
Microsoft Data Access Components (MDAC)      2000.086.3959.00 (srv03_sp2_rtm.070216-1710)
Microsoft MSXML      2.6 3.0 4.0 6.0
Microsoft Internet Explorer      7.0.5730.13
Microsoft .NET Framework      2.0.50727.3082
Operating System      5.2.3790

Ilm is connected to AD 2003 Schema and OpenLdap.
We have configured MA for AD and OpenLdap.

Here is my goal.
To sync password changes in Ad to OpenLdap.
When a user does a Ctrl-Alt-Del to change their pw we want it to be synced to Openldap.
I am having a problem getting the sync to work with my AD MA. The import works but not the sync.
Originally we had this working but could not get the Openldap piece to work. Now we have the Ldap piece working but MY AD MA sync fails. During our troubleshooting of the original issue it appears that something was changed and I cannot figure out what.
When I try running a Full Import and Full Sync on the AD MA I get the following error:

The management agent "NewAdMA" failed on run profile "Full Sync" because the extension "OpenLDAPXMA.dll" does not contain a class implementing the required (IMVSynchronization or IMASynchronization) interface in the assembly.

I am not using the OpenLdapXMA for the Ad MA. I am using it for the Openldap MA.
Do I need to use an extension on the AD MA.
Keeping in mind that we are only looking to sync passwords could anyone list what I should be configuring on the AD MA for:
Attributes
Connector Filter
Join and Projection Rules
Attribute Flow
Deprovisioning
Extensions

Also, Do I need to use an OpenLdapPasswordExtension.dll
I have seen this mentioned in several articles one of which shows it being installed with the OpenldapXMA but I cannot find it on my system.
The other pieces seem to work as far as sending the pcns notifications to ILM but obviously we error out at that point because it is not syncing.
Any help would be greatly appreciated.

Evaluate MIIS SP2 for Ctrl-Alt-Del Password reset

Fri, 02 Feb 2007 21:55:02 Z

Hi,

We are trying to evaluate MIIS for ctrl-alt-del password change sync to our SSO system.
I installed MIIS with SP1. But ctrl-alt-del password synsc doesn't seems to work.
Is this feature available in MIIS SP2? If so, how can I get an evaluation copy of SP2?
This feature is important for us beofre we make the purchase decision.

Thanks
Prashanth

DeprovisionAll() doesn't call deprovision methods on all connectors?

Mon, 02 Nov 2009 19:29:54 Z

Hi folks,

During an account rename I need to disconnect all of the CSentrys connected to an MVentry so that the join rules can be reevaluated and re-join correctly. However when I call DeprovisionAll() (i.e. mventry.ConnectedMAs.DeprovisionAll()), one of the MAs that uses references does not get disconnected. The deprovision rule for that MA is "Stage a delete on the object for the next export run".

Any ideas?

Thanks,

cs

Managing Exchange 2000/2003/2007 with ILM 2007

Sun, 08 Nov 2009 14:08:13 Z

This article covers the management of Exchange-enabled objects using the native Active Directory Management Agent that is included with ILM 2007 FP1.

The managed object types discussed are Users, Contacts, Groups and Dynamic Distribution Lists. The article also covers the special cases of adding mailboxes to existing accounts, and supporting a Resource Forest. Where extra steps are required for Exchange 2007 this has been highlighted.

It is assumed that the reader is comfortable with the concepts of Provisioning code and Advanced attribute flow rules.

Permissions

The service account used in the connection properties of the Management Agent must have sufficient rights to execute the required changes in AD.

Typically a Domain Admin account will be used, but if this is not permitted in your environment you will need to do some testing. The minimum permissions required are:

Replicate Directory Changes
Rights to create/delete/modify objects in the specific OUs
Exchange Administrator (2003) or Exchange Recipient Administrator (2007)

Users

Provisioning Mail Users

Exchange 2000/2003

Provisioning a mail user is most simply done using the CreateMailbox method of the ExchangeUtils class. This method will create a new user account, and populate the necessary mail attributes for you.

See the code sample Create a User with a Mailbox at the end of this document for an example of the provisioning code.

Mixed Exchange 2003 and 2007

In a mixed environment the RUS still runs so Exchange 2003 methods may be used. Make sure that you do not tick the “Enable Exchange 2007 provisioning” box in the Management Agent configuration.

Exchange 2007

The same code will work when provisioning to Exchange 2007, however there are some extra requirements for the ILM server:

ILM 2007 FP1 or later
Powershell
Exchange 2007 Management Tools
Latest rollup packs on Exchange and ILM servers

In addition you must tick Enable Exchange 2007 provisioning on the Extensions tab of the Management Agent.

Adding a Mailbox to an existing User

Sometimes you may need to create a mailbox for an existing account. As the account already exists this is not actually a provisioning task, and is therefore handled with export flow rules.

All you need to do is to populate the following attributes, in addition to the basic user attributes:

displayName – if not already set
mailNickname – with the local part of the email address (the bit before the “@”)
homeMDB – with the DN of the mail store
mDBUseDefaults – set to “True” to use the default quota settings

Special Mailbox Types

Exchange 2007 includes some extra mailbox types:

Room Mailbox,
Equipment Mailbox,
Linked Mailbox.

The Linked Mailbox is covered in the Resource Forest section below.

The Room and Equipment mailboxes are currently not supported by ILM 2007 provisioning. The only reliable method is to create a User Mailbox using ILM 2007, and then use the set-mailbox cmdlet to change the mailbox type.

Troubleshooting

Export Errors

The most common problems with provisioning Exchange users will relate to permissions. Make sure that the account used by the MA to connect to AD has permission to create Exchange users. Also make sure you have the latest service packs and rollups on the Exchange and ILM servers – at least SP1 RU9.

Where’s the Mailbox?

Exchange does not create the actual mailbox until it is opened or something is sent to it, therefore it is completely normal for no new mailboxes to be listed directly after the ILM export.

To confirm if the user is really mail-enabled:

In Exchange 2003, check that the user’s Exchange tabs have appeared in the Exchange-enhanced version of AD Users & Computers.
In Exchange 2007, use the get-user cmdlet to confirm the user’s object type is “UserMailbox”, or check that they appear as a Recipient in the Management Console.

Exchange 2007 and Global Catalog targeting

There is a known problem with Exchange 2007 provisioning and AD replication delays. On the MA’s Configure Directory Partitions tab you can hard-code the name of a preferred domain controller. Enter the name of the nearest Global Catalog to ensure that both the user creation and the mailbox creation are performed in the same place.

Note
Use the Resource Kit utility nltest to find Global Catalog servers: nltest /DSGETDC:mydomain.com /GC

Modifying Mail Users

You can change a user’s Exchange related attributes using export flow rules.

The following table is not exhaustive. If you wish to automate an Exchange modification the best thing to do is make the change manually and then inspect the attribute changes using ADSIEdit.
In this way you can discover which attributes you need to create flow rules for, and the types of value you should flow.

Attribute	Function	Comments
altRecipient	Used in forwarding – the DN or the mail-enabled object to forward all mail to.	When forwarding mail to an external account you must create a Contact object in this Exchange organization.
deliverAndRedirect	If forwarding is enabled, set to TRUE to deliver to both the mailbox and the forwarding address.	Use in combination with altRecipient.
extensionAttributen	Free-use string attributes where you can store any data you like.	Be consistent. If extensionAttribute4 is being used for star sign, then make sure it is only ever used for that.
homeMDB	Location of the mailbox.	Do NOT change once it has been set. If you need to move the mailbox use Exchange admin utilities.
mail	The user’s primary email address.	If changing the address you should also change mailNickname and the “SMTP:” value of proxyAddresses.

mailNickname	This should match the local part of the primary email address.
mDBUseDefaults	Use the default quota for the mail store.	Set to False if setting an individual limit.
mDBStorageQuota	The “Warning” limit Expressed in Kbytes.
mDBOverQuotaLimit	The “Block Send” limit Expressed in Kbytes.
mDBOverHardQuotaLimit	The “Block Send & Receive” limit	Expressed in Kbytes.
msExchHideFromAddressLists	Set to “True” to hide from the GAL.
msExchMailboxGuid	The unique identifier of the mailbox	DON’T CHANGE THIS! It can be useful to flow this back into the Metaverse if you need to test that the mailbox was created.
proxyAddresses	Multivalue attribute holding all possible email addresses for this account	The capital “SMTP:” address is the primary. The other “smtp:” addresses act as aliases.

Resource Forest

In a Resource Forest scenario the following accounts are needed:

An enabled user account in the Account Forest.
A disabled account in the Resource Forest with an attached mailbox.

The account creation in the two forests and the mailbox linking are simple enough to achieve with ILM. A provisioning code sample has been included at the end of this document under Create Account Forest and Resource Forest Accounts.

The difficulty comes with the permissions assignment piece of the puzzle – it is necessary for the user’s account to have the Full Access and Send As rights to the mailbox. This is not something that is possible with the native Active Directory MA.

While there are several ways to solve the permissions-assignment problem, the typical way is to run a script after the export step. The script might simply trawl AD looking for accounts to update or it could read details from the ILM export log and target the new accounts.

While outside the scope of this document, the following resources have been included for reference:

A Microsoft technote showing how to Script Exchange 2000/2003 mailbox permissions,
A PowerShell script for Exchange 2007 has been included in the Code section at the end of this article.

Contacts

Contacts are used for two primary functions in Exchange, both of which can be automated with ILM:

Adding organization-wide contacts to the Global Address List.
ILM could be used to import information from a CRM system and automatically create the contact object.
As a way to forward mail from a mailbox within the organization.
Some organizations (such as universities) allow users to forward their mail to another address. As long as ILM has the information about the forwarding request (perhaps entered by the user in a self-service portal) it can be configured to create the contact and set up the forwarding.

Provisioning

Contacts may be provisioned very simply using the CreateMailEnabledContact method from the ExchangeUtils class.
See the code sample Create a Contact at the end of this document for an example of the provisioning code.

Modifying

Attribute	Function	Comments
mail	The contact’s email address.	If changing the address you should also change targetAddress and the “SMTP:” value of proxyAddresses.
msExchHideFromAddressLists	Set to “True” to hide from the GAL.
proxyAddresses	Multivalue attribute holding all possible email addresses that will forward via the contact.	To work the contact needs an alias using “smtp:” in the local domain. The “SMTP:” address should match mail and targetAddress.
targetAddress	The email address that mail sent to this contact will be forwarded to.	One address only.

Distribution List

There are three types of Distribution list in Exchange:

Groups of type Distribution
Groups of type Security that have an email address
Dynamic distribution lists.

All three types can be created and managed with ILM, but the processes will differ.

Distribution Groups

To provision a standard Distribution Group use the CreateDistributionList method of the ExchangeUtils class. See Create a Distribution List at the end of this document for a code sample.

The main modification you will do with groups is to update the membership list. Group population is outside the scope of this document, though it is worth looking into Group Populator and Multi-Value tables.

Security Groups with Email Address

It is possible to mail-enable a Security group, allowing it to then also act as a distribution list.

Provisioning such a group is a simple matter of creating a security group and adding the mail address. See Create a Mail-Enabled Security Group under Code Samples at the end of this document.

Dynamic Distribution Lists

You may also use ILM to provision Dynamic Distribution Lists. All you need to do is to create an object of type msExchDynamicDistributionList and add values to the following attributes:

displayName
mailNickname
msExchDynamicDLFilter
msExchDynamicDLBaseDN

See Create a Dynamic Distribution List under Code Samples at the end of this document.

Code Samples

Create a User with a Mailbox

This MVExtension code is in addition to export flow rules to the user object type on the following attributes:

displayName
givenName
sAMAccountName
sn
userPrincipalName

Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
  Const ADS_UF_NORMAL_ACCOUNT As Integer = &H200
  Dim csentry As CSEntry
  Dim MA As ConnectedMA
  Dim dn As ReferenceValue
  Dim rdn As String
  Dim homeMDB As String
  Dim mailNickname As String
  Dim mail As String

  Select Case mventry.ObjectType
  Case "person"

    MA = mventry.ConnectedMAs("MYDOMAIN")
    If <test that account should exist> AndAlso MA.Connectors.Count = 0 Then
      rdn = "CN=" & mventry("sn").Value & ", " & mventry("givenName").Value
      dn = MA.EscapeDNComponent(rdn).Concat("OU=Users,OU=MyOrg, " _
                                            & "dc=mydomain,dc=local")
      mailNickname = mventry("mailNickname").Value
      ' The following line assumes MDB, SG and MailServer have been
      ' populated for the user in the Metaverse.
      homeMDB = "CN=& mventry("MDB").StringValue _
         & ",CN=" & mventry("SG").StringValue _
         & ",CN=InformationStore,CN=" & mventry("MailServer").StringValue _
         & ",CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT)" _
         & ",CN=Administrative Groups,CN=First Organization" _
         & ",CN=Microsoft Exchange,CN=Services,CN=Configuration" _
         & ",DC=mydomain,DC=local"  

      csentry = ExchangeUtils.CreateMailbox(MA, dn, mailNickname, homeMDB)
      csentry.DN = dn
      csentry("unicodePwd").Values.Add("FirstP@ssw0rd")
      csentry("userAccountControl").IntegerValue = ADS_UF_NORMAL_ACCOUNT
      csentry.CommitNewConnector()
    End If

  End Select
End Sub

Create Account Forest Accounts and Resource Forest Accounts

Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
  Const ADS_UF_NORMAL_ACCOUNT As Integer = &H200
  Dim csentry As CSEntry
  Dim MA As ConnectedMA
  Dim dn As ReferenceValue
  Dim rdn As String
  Dim homeMDB As String
  Dim mailNickname As String
  Dim mail As String

  Select Case mventry.ObjectType
  Case "person"

    'Create Account Forest account - no mailbox
    MA = mventry.ConnectedMAs("AccountForest")
    If MA.Connectors.Count = 0 Then
      rdn = "CN=" & mventry("sn").StringValue _
                  & ", " & mventry("givenName").StringValue
      dn = MA.EscapeDNComponent(rdn).Concat("OU=Users,OU=MyOrg, " _
                                            & "dc=accountdomain,dc=local")
      csentry = MA.Connectors.StartNewConnector("user")
      csentry.DN = dn
      csentry("unicodePwd").Values.Add("FirstP@ssw0rd")
      csentry("userAccountControl").IntegerValue = ADS_UF_NORMAL_ACCOUNT
      csentry.CommitNewConnector()
    End If
    
    'Create disabled account and mailbox in Resource forest. 

    '  This can only be done once the objectSID from the account domain 
    '  is available. Create a metaverse Binary attribute called SID
    '  and flow objectSid -> SID.

    '  The account is disabled because no password is set. Alternatively set
    '  a random password and disable using userAccountControl.

    MA = mventry.ConnectedMAs("ResourceForest")
    If MA.Connectors.Count = 0 AndAlso mventry("SID").IsPresent Then
      rdn = "CN=" & mventry("displayName").StringValue
      dn = MA.EscapeDNComponent(rdn).Concat("OU=LinkedMailboxes,OU=MyOrg, " _
                                            & "dc=resourcedomain,dc=local")
      mailNickname = mventry("mailNickname").StringValue
      homeMDB = "CN=" & mventry("MDB").StringValue _
         & ",CN=" & mventry("SG").StringValue _
         & ",CN=InformationStore,CN=" & mventry("MailServer").StringValue _
         & ",CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT)" _
         & ",CN=Administrative Groups,CN=First Organization" _
         & ",CN=Microsoft Exchange,CN=Services,CN=Configuration" _
         & ",DC=mydomain,DC=local"  
      csentry = ExchangeUtils.CreateMailbox(MA, dn, mailNickname, homeMDB)
      csentry.DN = dn
      csentry("msExchMasterAccountSid").BinaryValue = mventry("SID").BinaryValue
      'The following setting is optional but can help with tracking the mailbox user.
       csentry("extensionAttribute1").Value = "accountdomain\" _
                                              & mventry("uid").StringValue
       csentry.CommitNewConnector()
     End If

  End Select
End Sub

Assign Resource Mailbox Permissions – Exchange 2007, powershell

The following script assigns the FullAccess and SendAs permissions to a resource forest mailbox.
The resource forest account needs to have the domain\username of the user’s actual account written to extensionAttribute1, as per the provisioning code above.

$Filter = "(&(ObjectCategory=user)(extensionAttribute1=*))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Filter)

$Searcher.Findall() | Foreach-Object -Process {
$alias = [string]$_.properties.item("mailNickname")
$user = [string]$_.properties.item("extensionAttribute1")
Add-MailboxPermission -Identity $alias -AccessRights FullAccess, SendAs -User $user
}

Create a Contact

Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
  Dim csentry As CSEntry
  Dim MA As ConnectedMA
  Dim dn As ReferenceValue
  Dim rdn As String
  Dim mailNickname As String
  Dim mail As String

  Select Case mventry.ObjectType
  Case "person"
     MA = mventry.ConnectedMAs("MYDOMAIN")
     If MA.Connectors.Count = 0 Then
       rdn = "CN=" & mventry("displayName").StringValue
       dn = MA.EscapeDNComponent(rdn).Concat("OU=Contacts,OU=MyOrg, " _
                                            & "dc=mydomain,dc=local")
       mail = mventry("mail").StringValue
       'The mailNickname is only for internal Exchange purposes.
       'You could just as easily use an id number from the source data.
       mailNickname = mventry("mail").Value.Split("@")(0)
       csentry = ExchangeUtils.CreateMailEnabledContact(MA, dn, mailNickname, mail)
       csentry.DN = dn
       csentry.CommitNewConnector()
    End If

  End Select
End Sub

Create a Distribution List

Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
  Dim csentry As CSEntry
  Dim MA As ConnectedMA
  Dim dn As ReferenceValue
  Dim rdn As String
  Dim mailNickname As String
  Dim mail As String

  Select Case mventry.ObjectType
  Case "group"
    MA = mventry.ConnectedMAs("MYDOMAIN")
    If MA.Connectors.Count = 0 Then
      rdn = "CN=" & mventry("cn").StringValue
      dn = MA.EscapeDNComponent(rdn).Concat("OU=Groups,OU=MyOrg, " _
                                            &"dc=mydomain,dc=local")
      mailNickname = mventry("mailNickname").StringValue
      csentry = ExchangeUtils.CreateDistributionlist(MA, dn, mailNickname)
      csentry.DN = dn
      csentry.CommitNewConnector()
    End If

  End Select
End Sub

Create a Mail-Enabled Security Group

Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
  Dim csentry As CSEntry
  Dim MA As ConnectedMA
  Dim dn As ReferenceValue
  Dim rdn As String
  Dim mailNickname As String
  Dim mail As String

  Select Case mventry.ObjectType
  Case "group"
    MA = mventry.ConnectedMAs("MYDOMAIN")
    If MA.Connectors.Count = 0 Then
      rdn = "CN=" & mventry("cn").StringValue
      dn = MA.EscapeDNComponent(rdn).Concat("OU=Groups,OU=MyOrg, " _
                                            & "dc=mydomain,dc=local")
      mailNickname = mventry("mailNickname").StringValue
      csentry = MA.Connectors.StartNewConnector("group")
      csentry("groupType").Value = -2147483640  'Universal Security
      csentry("displayName").Value = mventry("cn").StringValue
      csentry("mailNickname").Value = mailNickname
      csentry.DN = dn
      csentry.CommitNewConnector()
    End If

  End Select
End Sub

Create a Dynamic Distribution List

This MVExtension code snippet creates Department DDLs.
The department names have been imported into department objects in the Metaverse.
The users’ department attribute matches exactly the department names.

Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
  Dim csentry As CSEntry
  Dim MA As ConnectedMA
  Dim dn As ReferenceValue
  Dim rdn As String
  Dim mailNickname As String
  Dim mail As String

  Select Case mventry.ObjectType
  Case "department"

    MA = mventry.ConnectedMAs("MYDOMAIN")
    If MA.Connectors.Count = 0 Then
      rdn = "CN=" & mventry("cn").StringValue
      dn = MA.EscapeDNComponent(rdn).Concat("OU=DDLs,OU=MyOrg, " _
                                            & "dc=mydomain,dc=local")
      mailNickname = mventry("mailNickname").StringValue

      csentry = MA.Connectors.StartNewConnector("msExchDynamicDistributionList")
      csentry.DN = dn
      csentry("displayName").Value = mventry("cn").StringValue
      csentry("mailNickname").Value = mailNickname
       'The following filter selects users whose department equals the DDL cn
      csentry("msExchDynamicDLFilter").Value = "(&(!cn=SystemMailbox{*})" _
         & "(&(&(&(& (mailnickname=*)" _ 
         & "(| (&(objectCategory=person)(objectClass=user)" _
         & "(|(homeMDB=*)(msExchHomeServerName=*))) )))" _
         & "(objectCategory=user)(department=" _
         & mventry("cn").StringValue & "))))"
      csentry("msExchDynamicDLBaseDN").Value = "OU=Groups,OU=MyOrg, " _
                                            & "dc=mydomain,dc=local"
      csentry.CommitNewConnector()
    End If

  End Select
End Sub

ILM Forum Threads

About the Author

Carol Wapshere has been working in IT since 1990, and has since worked in many different organizations, across four different countries. She started out in Netware then moved into Microsoft server products, picking up an assortment of skills in other non-Microsoft systems along the way. She first started working with MIIS in 2005 and loved how it could be used to tie together disparate systems, bringing in much-needed order, and making lots of tedious jobs just disappear.

Thanks to Markus Vilcinskas and Peter Geelan for their help with this document.

http://www.wapshere.com/missmiis

ILM is trying to re-provision Live@Edu accounts into the cloud that already exist in Exchange Labs.

Mon, 08 Jun 2009 20:29:07 Z

I was wondering if someone can provide guidance, solutions or assistance regarding the following error. The error is logged repeatedly from accounts that have already been provisioned.
Thank you for your time and consideration.

Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6801
Date:  6/8/2009
Time:  3:51:47 PM
User:  N/A
Computer: server
Description:
The extensible extension returned an unsupported error in MIIS.
The stack trace is:

"Microsoft.MetadirectoryServices.ExtensibleExtensionException: [ERROR] The name "user@live.example.ca" is already being used. Please try another name.

   at Microsoft.Exchange.XmaConnector.XmaExceptionManager.ReportErrorToILM(String errorMessage, ILMExceptionType errorType)
   at Microsoft.Exchange.XmaConnector.EmwsDataProvider.ExceptionHandlingWrapper(ParameterlessMethod method)
   at Microsoft.Exchange.XmaConnector.EmwsDataProvider.NewSyncMailbox(Dictionary`2 csentry)
   at Microsoft.Exchange.XmaConnector.XmaExportExLabs.Add(Dictionary`2 Entry)
   at Microsoft.Exchange.XmaConnector.MAExtension.IlmMAExtension.ExportEntry(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
Microsoft Identity Integration Server 3.3.0118.0"

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

ILM and AD

Sun, 08 Nov 2009 09:50:42 Z

Database Management for the ILM Synchronization backend database

Thu, 05 Nov 2009 15:27:58 Z

The purpose of this article is to provide information to assist in making a strategic plan to maintain the backend MicrosoftIdentityIntegrationServer SQL database.
The articles focuses on providing key factors to review when making a database maintenance plan, as well as providing some good practices to follow in your environment.
As you know, the backend is a Microsoft SQL Server database.

Since each ILM configuration is different within each company, there is no documentation pertaining to

How often to re-index the tables
When to re-index the tables
When to backup the MicrosoftIdentityIntegrationServer database

These business rules need to be set from within the company based on their business needs.

Key Factors

Here are the key factors that you can utilize when attempting to make these decisions:

Execution of Run Profiles: How often are you doing imports, synchronizations, and exports? This is important, because for each run you are adding a record to the run history.
Size of Run History: You can determine this by looking in the lower right while viewing the operations tab. A good recommendation is to keep this as small as possible. Something in the hundreds.
Number of Management Agents: This matters because it can increase the number of records going into the run history for each execution. For example, if you have three management agents, then for each import you will have three records, for each synchronization you will have three records, for each export you will have three records, for each confirming import you will have three records. So for each cycle with three management agents, you could be looking at twelve records in the run history. Then if you run it twice a day, it will become 24 records a day.
Backing Up: How much data are you willing to lose?

Good Practices

In this section, you find a list of good practices for maintaining a healthy MIIS database.
Affected areas are:

Clear Run History
Backing up back-end data
Re-Building Table Indexes
Updating Statistics
Autogrow
Shrink Database
Database Files

Clear Run History

You will see a performance decrease the larger the run history table is.
Therefore, it is a good practice to implement a process that clears the run history on a nightly basis.
You can automate this task by using the command-line tool MIISClearRunHistory provided in the MIIS 2003 Resource Kit.
In addition to this, you can also find a related script in the ILM ScriptBox.

Backing up back-end data

A good practice for the backe-end data is to do a nightly backup of the MicrosoftIdentityIntegrationServer database.
This will assist in recovering data in case of a data disaster.

You can find a good overview about the different type of SQL Server backups and the process of building a good backup – restore strategy in Backing Up and Restoring Databases.

If the database is in “Full Recovery” model, one backup strategy is to do a Full backup once a week, and do daily transaction log backups.
Depending on the size of the transaction logs and available disk space more than one transaction log should be done each day.
Another option is to do a Full backup, Differential backup and transaction log backups to allow even quicker data recovery.

Here are some good resources for Backing up and Restoring Databases in SQL Server:

SQL 2000 - SQL Server 2000 Backup and Restore
SQL 2005 - Backing Up and Restoring Databases in SQL Server
SQL 2008 - Backing Up and Restoring Databases in SQL Server

Re-Building Table Indexes

A good practice from a SQL Server stand-point, is to do weekly re-build of indexes or if the indexes are more than 30% fragmented.
You can utilize SQL Server commands like DBCC ShowContig or DBCC Show_Statistics to see how the indexes look.
I would recommend reviewing the information in the MSDN articles to understand what you are seeing when you run these commands.

In a new Query window in Query Analyzer, you would execute the DBCC DBREINDEX.
You will need to do that for each table in the MicrosoftIdentityIntegrationServer database.

DBCC SHOWCONTIG and DBCC SHOW_STATISTICS are two different commands and report different information:

DBCC SHOWCONTIG is to look at fragmentation of indexes and data (also being removed from the product in the future and sys.dm_db_index_physical_stats should be used instead in SQL 2005 and higher).
DBCC SHOW_STATISTICS is great for showing current statistics for an index.

You can find more details on this in the Microsoft SQL Server 2000 Index Defragmentation Best Practices.

Updating Statistics

Statistics are the most important component for the Query optimizer to make the best execution plan.
Without good statistics data will likely not be returned in the quickest duration.
Here is a link on statistics and the optimizer:

SQL 2000 - Statistics Used by the Query Optimizer in Microsoft SQL Server 2000
SQL 2005 - Statistics Used by the Query Optimizer in Microsoft SQL Server 2005
SQL 2008 - Statistics Used by the Query Optimizer in Microsoft SQL Server 2008
Statistical Information
Index Statistics (2005)

Updating Statistics is a good practice to get into on a nightly basis.
You can find more details about this topic in Update Statistics.

Autogrow

It is a good practice to set the autogrow to MB rather than 10%. An example would be something like 100MB.

Shrink Database

You really only need to do this in the case of emergencies.

Database Files

In a SQL Server database there are three files related database files:

The MDF file
The LDF file
The TempDB file

It is a good practice to place these files on separate drive partitions.

Hypothetical Database Maintenance Plan

Building a database maintenance plan is something that needs to be done within the company’s business rules.
I have outlined below a hypothetical database maintenance plan for the MicrosoftIdentityIntegrationServer database.
The outline provides a snapshot of what a maintenance plan looks like, and gives you a guide to base your database maintenance plan.

Daily after your runs for the day:
- Clear Run History
- Update Statistics
- Differential Database Backup
- DBCC ShowContig
- Transaction Log backups need to be run multiple times a day
Weekly
- Rebuild Indexes
- Full Database Backup

Distaster Recovery Scenario

A few months ago I as working with a customer who had not done any type of maintenance on the backend MicrosoftIdentityIntegrationServer SQL database.
In light of this, we found ourselves in a crisis and had to come up with a recovery process.
We were able to put together valuable information that assisted in resolving the customer’s issue.
As a result, I have compiled a list of steps we used to help get through the crisis.

Delete the connector space
1. Backup the Management Agent first
  1. Click Management Agents
  2. Select the Management Agent in question
  3. From the Actions menu select Export Management Agent
  4. Save it to an easy to remember location and name it accordingly
2. From the Actions menu select Delete
3. You will receive a dialog with two radio buttons
4. Choose the top Radio Button “Delete Connector Space Only”
5. Click OK
Re-Index the MicrosoftIdentityIntegrationServer Tables
- In a new Query window in Query Analyzer, you would execute the DBCC DBREINDEX
- DBCC DBREINDEX
- You will need to do that for each table in the MicrosoftIdentityIntegrationServer database
Full Import
Full Synchronization

Additional Resources

You can find a collection of tips, tricks, and advices from the SQL Server Query Optimization Team in the related blog.

About the Author

I am a Microsoft Senior Support Engineer and have been at Microsoft for the last 9+ years.
For the last 1.5 years. I have been working with the Developer Support Identity & Access team.
As part of this support team, I have had the privilege of working with several customers in very unique customizations of the ILM product.
Previously I spent time on the Developer Support ADSI team allowing me the privilege of working with the ADSI and WMI technologies.

Timothy P Macaulay, MCSD, MCSD.NET, MCAD, MCP