sync-rule-flow-provisioning-failed

  • Question

  • Hi Everyone,

    I am having the error below while trying to provision users from FIM Portal to Active Directory:

    Error Type:

    ------------------------------------------------------------------------------------------------------------------

    sync-rule-flow-provisioning-failed : Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: 0x80230405

    ------------------------------------------------------------------------------------------------------------------

    System Event viewer :
    ------------------------------------------------------------------------------------------------------------------

    The server encountered an unexpected error while performing an operation for a rules extension.
     
     "BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\csobj.cpp(8254): 0x80230404 (The operation failed because the attribute cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\csobj.cpp(8254): 0x80230404 (The operation failed because the attribute cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\sproc.cpp(1685): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\mvsqlsingle.cpp(1144): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\mvsqlsingle.cpp(1427): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\mvobj.cpp(2824): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\mvobj.cpp(3072): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sqlstore\csobj.cpp(2150): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sync\synccore.cpp(614): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\sync\syncrulesimp.cpp(337): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\server\rules\scriptmanagerimpl.cpp(6065): 0x80230405 (The operation failed because the object cannot be found)
    BAIL: MMS(3964): d:\bt\16961\private\source\miis\scrhost\scripthost\provisionerservices.cpp(525): 0x80230405 (The operation failed because the object cannot be found)

    From script host:
    Microsoft.MetadirectoryServices.Impl.InternalError: 0x80230405
    Forefront Identity Manager 4.1.3496.0"

    ------------------------------------------------------------------------------------------------------------------

    I will be grateful if you could help!

    Thanks in advance.

    Louban

    Thursday, July 10, 2014 9:27 AM

All replies

  • What kind of synchronization do you run? If it is delta, please run full import and full synch.

    Check if you have any exports pending to FIM MA. If so (I bet there are phantoms to be exported), please run export to FIM and then import/sync.


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Thursday, July 10, 2014 11:08 AM
  • Hi Dominik,

    Thanks a lot for your quick reply. 

    Yes I did a delta import and Sync after running the full Import and full Sync.

    Now I have followed your advice: I ran a full Import and full Sync and it raised another error:

    -----------------------------------------------------------------------------------------

    extension-dll-exception

    Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'Sync AD'. Details: Object reference not set to an instance of an object.
       at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

    -------------------------------------------------------------------------------------------

    Please help.

    Louban

    Thursday, July 10, 2014 3:32 PM
  • Please try to refresh the schema of both the AD and FIM MAs. Refresh the schema of the FIM MA using the real FIM MA Service Account, which we usually call FIMMAsvc.

    Make sure you are using correct service account for FIM MA (for example: run a quick test of your FIM MA).

    Restart your Synchronization Service (just to be sure nothing is cached).

    This error is a very generic error message and there are many reasons causing it.

    Please provide us more about the Synchronization Rule or maybe provide a screenshot of the.
    Maybe there is some misconfiguration or you use empty attributes in provisioning (like the DN initial flow), or some attribute constructions using empty attributes. Please provide screenshots of the workflow parameter tab especially.

    Also remember that even if you create synch rules on Portal, it works on Synch (with attributes from Metaverse), so make sure you have propagated all attributes used in SR to Metaverse.



    • Proposed as answer by MKołódź Friday, July 11, 2014 6:01 AM
    Friday, July 11, 2014 6:00 AM
  • Hi Dominik,

    Sorry for this belated reply. I have been on weekend.

    I will try it and let you know as soon as possible.

    Regards,

    Louban.

    Tuesday, July 15, 2014 8:20 AM
  • Hi Dominik,

    Today I have followed your guide step by step. Errors above have disappeared.

    I am now having this error : kerberos-no-logon-server

    Apart from that, provisioning has been successful but the user account provisioned in AD is disabled.

    I have tried to enable it manually but there is a pop-up saying: "Unable to update the password. The Value provided doesn't meet the length, complexity, or history requirement of the domain"

    I have manually created a new user with the same strong password used before and it works. So the password is not the problem.

    My DNS Resolution is working perfectly

    The FIM AD user has the right to write on AD

    My FIM Server is not in the domain but it can contact the DC and resolve its name.

    Do you have any idea about what is going on?

    Thanks in advance for your help.

    Louban


    • Edited by inlan95 Thursday, July 17, 2014 2:45 PM
    Thursday, July 17, 2014 2:45 PM
  • My FIM Server is not in the domain but it can contact the DC and resolve its name.

    Here is the answer - what is going on. You have to have Kerberos between those two enabled and working - if it (FIM) is a machine in other domain, make sure you have trust configured. If it is a standalone machine, I don't think it's gonna work.

    I have never tried to build FIM on a standalone (not domain-joined) machine to manage AD, as most scenarios are very AD-oriented. For example, PCNS or FIM SSPR only work with an Active Directory domain.



    • Marked as answer by inlan95 Thursday, July 17, 2014 11:13 PM
    Thursday, July 17, 2014 4:28 PM
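
A way to check the condition the marked answer describes (working Kerberos between the FIM server and the domain) before running a sync. This is an added example, not part of the original thread or of FIM itself; `corp.example.com` is a placeholder for the target AD domain, and the checks (domain membership, KDC SRV lookup, TCP reachability, clock offset) are general Kerberos prerequisites rather than FIM-specific tests.

```powershell
# Added example, not from the thread. Run on the FIM server.
# 'corp.example.com' is a placeholder for the DNS name of the target AD domain.
param([string]$Domain = 'corp.example.com')

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Domain membership: the failing server in the thread was standalone.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$summary = [pscustomobject]@{
    Computer     = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    MemberOf     = $cs.Domain   # workgroup name when not domain-joined
    TargetDomain = $Domain
}

# 2. KDC discovery: AD registers its KDCs as SRV records under _kerberos._tcp.<domain>.
$srv = @(Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' })

# 3. Per KDC: TCP reachability on the advertised port and clock offset.
#    Kerberos in AD tolerates 5 minutes (300 s) of skew by default.
$kdcs = foreach ($r in $srv) {
    $offset = $null
    $out = & w32tm /stripchart "/computer:$($r.NameTarget)" /samples:1 /dataonly 2>$null
    if (($out -join "`n") -match '([+-]\d+\.\d+)s') {
        $offset = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
    }
    [pscustomobject]@{
        Kdc            = $r.NameTarget
        Port           = $r.Port
        TcpReachable   = Test-TcpPort $r.NameTarget $r.Port
        ClockOffsetSec = $offset        # $null when w32tm output could not be parsed
        WithinSkew     = if ($null -ne $offset) { [math]::Abs($offset) -lt 300 } else { $null }
    }
}

$summary | Format-List
if ($kdcs) { $kdcs | Format-Table -AutoSize } else { "No KDC SRV records found for $Domain" }
```

A result with `PartOfDomain : False` matches the standalone setup that failed in this thread, even when every KDC row shows `TcpReachable` as `True`.
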
  • That's right. I agree with you!

    In this case, provisioning multi forests AD will not be possible through FIM Portal because the server should be joined to a particular DC?

    Multi Forest may work in case of syncing users that already exist by using FIM Synchronization Service. Am I right?

    Thursday, July 17, 2014 11:13 PM
  • You can have only one FIM to multiple forests, but you would need trust between forests as well. Provisioning can work in multi-forest environment also, FIM Sync can handle it - it doesn't work "on existing users only". FIM can do both: create and manage users in external forest.

    Please find the following article:

    Cross-Forest Management Deployment Guide



    Friday, July 18, 2014 7:43 AM
  • Do you know how to configure trust between FIM server and the DC?
    Friday, July 18, 2014 2:14 PM
  • Can't you just add FIM to domain? It would be the easiest.


    • Marked as answer by inlan95 Wednesday, July 23, 2014 12:10 PM
    Friday, July 18, 2014 4:13 PM
  • I have installed FIM on two servers : one standalone and one joined to domain.

    The one joined works perfectly. And I'm still running into errors for the second.

    So the best choice was to use FIM in the domain.

    Thanks a lot for your assistance Dominik.

    Kind regards.

    Louban.

    Wednesday, July 23, 2014 12:09 PM
  • Great to hear that :)



    Wednesday, July 23, 2014 12:31 PM