FIM R2 Hotfix Rollup 4.1.3451.0 rollback damages DCOM settings

  • Question

  • Hi,

    While trying to deploy hotfix rollup 4.1.3451.0 (for the Synchronization Service only) and hitting an error for not being able to connect to SQL (permissions), I initiated a rollback. Once this was done the FIM Synchronization Service eventually stopped, and the FIM GUI could no longer be opened by someone with FIMSyncAdmin group permissions.

    The 5 FIM management groups are domain based (not local); the person trying to start the FIM GUI is member of domain-based SyncAdmins etc.

    The Windows Event Log shows numerous instances of DistributedCOM event ID 10016, which led me to investigate the DCOM permissions.

    On most DCOM objects for FIM in the Component Services management console, the 5 FIM management groups have been removed and (re)added by the hotfix installer, but what was added are SIDs that do not resolve to the proper FIM domain groups. These 5 domain groups for FIM do not use the conventional out-of-the-box group names; the customer has a naming convention which I must obey.

    I adjusted all DCOM permissions for FIM objects (by comparing them with a healthy server) and was able to start the FIM Synchronization Service and gain access to the GUI.

    • Source: DistributedCOM
      Event ID: 10016

      The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {835BEE60-8731-4159-8BFF-941301D76D05} and APPID {835BEE60-8731-4159-8BFF-941301D76D05} to the user DOMAIN\FIMSVC SID (S-1-5-21-1454471165-343818398-682003330-1554363) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    Note: the user 'DOMAIN\FIMSVC' is fictitious; I removed the original values. The ClassID and AppID {835BEE60-8731-4159-8BFF-941301D76D05} is the Synchronization Service.

    Kind regards,


    Danny Alvares Senior Technology Consultant


    Monday, July 8, 2013 12:03 PM
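The comparison the poster did by hand against a healthy server (looking for orphaned SIDs in the DCOM permission ACLs) can be scripted. The following PowerShell is an added example, not code from the thread or from the FIM product; it reads the LaunchPermission and AccessPermission security descriptors stored under the AppID key of the Synchronization Service (the GUID quoted in the event 10016 text), translates every SID in the DACL back to an account name, and flags the ones that no longer resolve. The COM_RIGHTS_* bit values used to decode the access mask are the documented DCOM launch/activation rights; the script assumes it is run elevated on the affected server.

```powershell
# Added example (not from the thread): audit the Launch and Access permission
# ACLs of one DCOM AppID and flag SIDs that no longer resolve to an account.
# Run elevated on the FIM Synchronization Service host.
param(
    # AppID of the FIM Synchronization Service, taken from the event 10016 text above.
    [string]$AppId = '{835BEE60-8731-4159-8BFF-941301D76D05}'
)

# DCOM access-mask bits (COM_RIGHTS_* values from the DCOM documentation).
$ComRights = [ordered]@{
    Execute        = 0x01
    LocalLaunch    = 0x02
    RemoteLaunch   = 0x04
    LocalActivate  = 0x08
    RemoteActivate = 0x10
}

function Get-DcomPermissionReport {
    param([string]$AppId)

    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    if (-not (Test-Path $key)) { throw "AppID key $key not found" }

    foreach ($valueName in 'LaunchPermission', 'AccessPermission') {
        $bytes = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if (-not $bytes) {
            # No per-application ACL: the machine-wide DCOM defaults apply instead.
            [pscustomobject]@{ Value = $valueName; AceType = 'n/a'; Sid = ''; Account = '<machine default>'; Rights = ''; Status = 'default' }
            continue
        }

        # The registry value is a self-relative security descriptor in binary form.
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
        if ($null -eq $sd.DiscretionaryAcl) {
            # A NULL DACL grants everyone everything; worth reporting explicitly.
            [pscustomobject]@{ Value = $valueName; AceType = 'n/a'; Sid = ''; Account = '<NULL DACL: unrestricted>'; Rights = ''; Status = 'WARNING' }
            continue
        }

        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try {
                # Translate() throws when the SID has no matching account (deleted group,
                # wrong domain, or a SID written by an installer that never matched anything).
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $status  = 'ok'
            } catch {
                $account = '<unresolved>'
                $status  = 'ORPHANED'
            }

            # Decode the access mask into the named DCOM rights it contains.
            $rights = foreach ($name in $ComRights.Keys) {
                if ($ace.AccessMask -band $ComRights[$name]) { $name }
            }

            [pscustomobject]@{
                Value   = $valueName
                AceType = $ace.AceType
                Sid     = $sid.Value
                Account = $account
                Rights  = ($rights -join ',')
                Status  = $status
            }
        }
    }
}

Get-DcomPermissionReport -AppId $AppId | Format-Table -AutoSize
```

Rows whose Status is ORPHANED are the SIDs the poster describes: entries the installer wrote that do not resolve to the customer's renamed FIM groups. Running the same script on a healthy server and comparing the Account and Rights columns gives the diff the poster produced manually; it only reads the registry, so it is safe to run before deciding whether to re-run setup with the correct groups or to correct the entries in Component Services.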

Answers

  • You can try re-running the FIM installation configuration under Programs and Features, by selecting FIM Synchronization Service, then selecting Change and specifying the correct groups, after which the FIM installation will reset permissions to the groups specified as below:

    Just remember to make a backup of everything before applying the change.


    Visit My Blog: http://theidentityguy.blogspot.com/

    • Marked as answer by Danny Alvares Tuesday, July 23, 2013 12:51 PM
    Wednesday, July 17, 2013 8:48 AM

All replies

  • Thanks for that Jssting! I didn't think of that but if it happens again I'll try that approach.

    Best regards,


    Danny Alvares Senior Technology Consultant

    Tuesday, July 23, 2013 12:51 PM