Just wondering if anyone has come across an issue before where the domain attribute in WMI was null. I was getting no results back on this WMI query:
Select * from MIIS_CSObject where domain='<My Domain>' and account='<Username>'
Using wbemtest and querying WMI directly, we discovered that the objects in the AD MA connector space had null values for the domain attribute. As some background, this was with an AD MA that had been "built" in a DEV environment and then migrated across to a non-production environment where the issue was discovered (the same issue was not present in the DEV environment).
The only way that we found to resolve the issue in the non-production environment was to delete the Management Agent and re-import it again, which, while yes it fixed the issue, wouldn't be ideal if this occurred in a production environment.
So this begs the following questions:
1. Does anyone know what actually populates the Account and Domain WMI attributes on the CS objects for the AD MA?
2. Is there a way of fixing this issue without deleting the MA, as this can have undesirable consequences, particularly in production environments?
Edit: this is FIM 2010 R2 4.1.2273.0
- Edited by Andrew Silcock Wednesday, May 1, 2013 00:21 add FIM version.
All Replies
It was all migrated using the Sync Service Import/Export wizards, i.e. Export Server Configuration and then Import Server Configuration on the target environment. Domains have different names and SIDs.
It seems that there is some process that happens in the background when an AD MA is created that stores away the domain value in configuration somewhere - I can only assume this process failed for some reason and the only way to fix the "broken" MA is to delete it and re-create it.
The domain attribute value is not stored / populated in the connector space - the WMI query is implemented as an "on demand" query against AD.
The fact that you got null values back means that the AD query failed for some reason.
In other words, the issue is not related to a FIM process.
That recreating the MA has solved the issue seems to me like a case of "lucky coincidence".
It is very hard - if not impossible - to say what the reason for the issue was and why recreating the MA has fixed it.
At least, as far as I know, this is not a known issue for the MA import process.
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
Markus, I don't think anyone was suggesting that the domain name is part of the CS data--in fact I ran up against the counterintuitive realtime-AD-lookup behavior a while ago debugging SSPR in the lab with obsolete AD MA credentials and wondering why wbemtest kept failing--but rather that FIM had somehow lost its memory of which MA pairs with the requested domain. Alas, it appears answering this question would require delving into the FIM source.
Steve Kradel, Zetetic LLC
Thanks for the explanation Markus.
The only other point of interest, however, is that whilst I had the AD MA showing the issue I was able to re-import another instance of it which didn't have the problem - so I had two MAs with the same configuration, one which was showing the problem and the other that wasn't.