none
FIM/MIM attribute flow issue when importing SQL management agent RRS feed

  • Question

  • Hi everbody,

    i am currently switching an ILM 2007 sync service to a a MIM 2016. When importing a certain SQL management agent, that was exported from the ILM, the import fails. Checking the application event log revealed the following error:

     "ERR_: MMS(5824): ..\eafxml.cpp(976): EAF: XML Element <export-flow> specifies a destination attribute 'dn'  that is readonly or immutable
    BAIL: MMS(5824): ..\eafxml.cpp(977): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    BAIL: MMS(5824): ..\eafxml.cpp(400): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    BAIL: MMS(5824): ..\xstack.cpp(540): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    BAIL: MMS(5824): ..\xparse.cpp(544): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    ERR_: MMS(5824): ..\eafxml.cpp(159): EAF: invalid XML configuration
    BAIL: MMS(5824): ..\eafxml.cpp(160): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    BAIL: MMS(5824): ..\eaf.cpp(222): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    ERR_: MMS(5824): ..\eaf.cpp(253): EAF: Initialize failed with error 0x80230511
    BAIL: MMS(5824): ..\eaf.cpp(97): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    ERR_: MMS(5824): ..\mastate.cpp(13071): Error creating export attribute flow rules object: 0x80230511
    BAIL: MMS(5824): ..\mastate.cpp(13077): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    BAIL: MMS(5824): ..\mastate.cpp(1724): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    BAIL: MMS(5824): ..\server.cpp(1078): 0x80230511 (The export attribute flow rules XML defines an invalid/incomplete rule.)
    Forefront Identity Manager 4.4.1302.0"

    Some research took me to the following post: https://social.technet.microsoft.com/Forums/windows/en-US/4b6f9217-7d43-47cb-ad73-1f977be91746/fim-attribute-flow-issue?forum=ilm2

    It basically states that the name "dn" is not usable as column name.

    Although the SQL export to  the column "dn" should be possible as it is writable and the user has permission, the creation of the management agent fails. To my knowledge, in my configuration the dn is not used as anchor (as said in the linked article). Yet, the error says that it is immutable or write-only. With the ILM, this management agent works fine. Is this a fixed behavior of the FIM, can it be changed? I rather choose the option to rename the column as a last choice as this creates further additional effort. Any suggestions?

    Regards

    Wednesday, August 23, 2017 10:26 AM

Answers

  • So far I was not able to import MIIS management agents into MIM 2016. Therefore, chose the database import approach by installing FIM 2012 R2, importing and upgrading the database, uninstalling FIM 2012 and then installing MIM 2016 and import and upgrade the DB again. This way I could successfully port the old MIIS config to MIM 2016. Yet, the direct way from MIIS to MIM didn't work due to the above mentioned dn issue which caused the DB upgrade to fail.
    • Marked as answer by janciupka Monday, August 28, 2017 1:15 PM
    Monday, August 28, 2017 1:15 PM

All replies

  • As far as I know, you cannot upgrade from ILM to MIM, you need to first upgrade to FIM 2010

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, August 23, 2017 1:03 PM
  • hi,

    yes I know, but this is no in-place upgrade. I set up a new server with MIM 2016 Synchronization Services (the only component I am using) and then exported the server configuration/metaverse/management agents on the old  ILM 2007 machine and tried to import the config on the new machine (for most of the MAs and the metaverse it worked, but in case there is an export to the "dn" attribute in an SQL MA, the import fails.

    To my knowledge (see https://social.technet.microsoft.com/wiki/contents/articles/4268.fim-reference-migrating-from-miis-or-ilm-to-fim-2010.aspx#_Toc297155764) if I don´t do an in-place upgrade and do not want to reuse the old database, the import of the configuration of each MA and the metaverse should be a valid way, how this is what I am struggling with.

    Wednesday, August 23, 2017 1:34 PM
  • So far I was not able to import MIIS management agents into MIM 2016. Therefore, chose the database import approach by installing FIM 2012 R2, importing and upgrading the database, uninstalling FIM 2012 and then installing MIM 2016 and import and upgrade the DB again. This way I could successfully port the old MIIS config to MIM 2016. Yet, the direct way from MIIS to MIM didn't work due to the above mentioned dn issue which caused the DB upgrade to fail.
    • Marked as answer by janciupka Monday, August 28, 2017 1:15 PM
    Monday, August 28, 2017 1:15 PM