SIMPLE QUESTION: FIM 2010 R2 SSPR AUTOMATED VBS SCRIPTS NO LONGER WORK, NEED HELP ASAP

  • Question

  • I have FIM 2012 R2 SSPR implemented by the book and everything was nice and cool. Replication was automated by using VBS scripts in the right following order:

    1. FIM - Full Import

    2. FIM - Full Synchronization

    3. AD - Full Import

    4. AD - Full Synchronization

    5. AD - Delta Synchronization

    6. AD - Delta Import

    7. FIM - Export

    8. FIM - Delta Import

    Recently I got complaints that FIM password registration is no longer working. I checked Scheduled Tasks (running these 8 scripts in Scheduled Task as FIMMA user account, everything by the book and best practices) and found that none of the scripts is working now. Here is an example of the first script:

    Const PktPrivacy = 6
    rem Const wbemAuthenticationLevelPkt = 6
    Set Locator = CreateObject("WbemScripting.SWbemLocator")
    rem
    rem Credentials must only be specified when Microsoft Identity Integration Server is on remote system.
    rem
    rem Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPkt
    rem Set Service = Locator.ConnectServer("MyServer", "root/MicrosoftIdentityIntegrationServer")
    rem Set Service = Locator.ConnectServer("MyServer", "root/MicrosoftIdentityIntegrationServer", "Domain\Me", "MyPassword")
    rem
    Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root/MicrosoftIdentityIntegrationServer")
    Set MASet   = Service.ExecQuery("select * from MIIS_ManagementAgent where Guid = '{EF0301DA-D804-4150-B313-F0287E733E43}'")

    for each MA in MASet
        WScript.Echo "Running " + MA.name + ".Execute(""Full import"")..."
        WScript.Echo "Run completed with result: " + MA.Execute("Full import")
    next

    You know, I did not create this script. You can get it from the FIM when you click on Script button in the Configure Run Profile window for either FIM or AD MA. So when I run manually any of the 8 scripts (that needs to run one after another in specific order) I get this error now:

    So obviously VB script does not like this line:

    Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root/MicrosoftIdentityIntegrationServer")

    But why, all of a sudden, did this start happening? Can anyone help?

    We upgraded Active Directory to 2012 several days ago, but I think that the problem started several weeks ago as I do not see new logs for weeks. My batch file ran successfully only because of the //B switch (VBS in batch mode), so it did not generate any errors.

    Anybody can help? If I run these steps from FIM they do work, but I want my automated 8-scripts batch file to work again, I cannot go to FIM every day and manually run 8 scripts, this does not make sense!

    If you can help please let me know!


    • Edited by lync15 Wednesday, December 19, 2012 7:17 PM
    Wednesday, December 19, 2012 7:14 PM

All replies

  • When I upgraded from ILM to FIM, I took my old ILM vbs scripts and modified them.  They follow the general form:

    Dim MIIS_Service
    Set MIIS_Service = GetObject("winmgmts:root\MicrosoftIdentityIntegrationServer")
    Dim ManagementAgent,  Status
    Set ManagementAgent = MIIS_Service.Get("MIIS_ManagementAgent.Name='"& MA &"'")
    Status = ManagementAgent.Execute(Profile)

    where MA and Profile are variables that hold the name of the MA and the run profile being executed.  The scripts are run by a service account with the necessary permissions in FIM.

    A quick search of the web indicates that error may be due to the WMI namespace becoming unregistered.  I don't know what would cause that, but the Scriptomatic tool might help you determine if the namespace is still valid.

    Chris

    • Marked as answer by lync15 Monday, January 14, 2013 8:55 PM
    Wednesday, December 19, 2012 8:02 PM
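
The namespace check suggested in the reply above, combined with the run order from the question, can be scripted so that a scheduled run fails visibly instead of being silenced by `//B`. This PowerShell is an added example, not code from any poster in this thread; the management agent names `FIM MA` and `AD MA`, the log path and the list of accepted return values are assumptions to replace with your own.

```powershell
# Added example. Assumptions: MA names, log path and the accepted return
# values are placeholders; profile names must match Configure Run Profiles.
$nsName    = 'MicrosoftIdentityIntegrationServer'
$ns        = "root\$nsName"
$logFile   = Join-Path $env:ProgramData 'fim-run-profiles.log'  # hypothetical path
$okResults = @('success', 'completed-no-objects')               # assumed policy

# Run order as listed in the question.
$steps = @(
    @{ MA = 'FIM MA'; Profile = 'Full Import' },
    @{ MA = 'FIM MA'; Profile = 'Full Synchronization' },
    @{ MA = 'AD MA';  Profile = 'Full Import' },
    @{ MA = 'AD MA';  Profile = 'Full Synchronization' },
    @{ MA = 'AD MA';  Profile = 'Delta Synchronization' },
    @{ MA = 'AD MA';  Profile = 'Delta Import' },
    @{ MA = 'FIM MA'; Profile = 'Export' },
    @{ MA = 'FIM MA'; Profile = 'Delta Import' }
)

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
    Write-Host $line
}

# 1. Is the sync service's WMI namespace still registered under root?
$registered = Get-WmiObject -Namespace 'root' -Class '__NAMESPACE' `
    -Filter "Name='$nsName'" -ErrorAction SilentlyContinue
if (-not $registered) {
    Write-Log "ERROR: WMI namespace $ns is not registered"
    exit 2
}

# 2. Run each profile in order; stop at the first error or unexpected result.
foreach ($step in $steps) {
    try {
        $ma = Get-WmiObject -Namespace $ns -Class 'MIIS_ManagementAgent' `
            -Filter ("Name='{0}'" -f $step.MA) `
            -Authentication PacketPrivacy -ErrorAction Stop
        if (-not $ma) { throw "management agent '$($step.MA)' not found" }
        $result = $ma.Execute($step.Profile).ReturnValue
    } catch {
        Write-Log "ERROR: $($step.MA) / $($step.Profile): $($_.Exception.Message)"
        exit 1
    }
    Write-Log "$($step.MA) / $($step.Profile): $result"
    if ($okResults -notcontains $result) { exit 1 }
}
exit 0
```

Used as the scheduled task's action, a non-zero exit code appears as the task's last run result, so a broken namespace or a failed run profile is noticed on the first missed run rather than weeks later.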
  • I'm not sure this will help with your problem, but FIM SSPR Password Registration is not related at all to the operation of the FIM Synchronization Service MAs, except to the extent that the FIM Sync Service needs to populate user identities into the FIMService database so that they are allowed to enroll.

    The script you posted looks like the kind generated by the "Script" button in the Sync Service's "Configure Run Profiles" area.  Could point to WMI corruption if it suddenly stopped working.  Personally I would rather port my FIM Sync Service to a fresh new host rather than wrestle with WMI for more than about one hour.


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    • Marked as answer by lync15 Monday, January 14, 2013 8:55 PM
    Thursday, December 20, 2012 12:55 AM
  • If you don't want to mess around with VBScript anymore, there are other options -

    1) My MARunScheduler is gonna be free again starting 2013 (do a charity collection this year) - http://blog.goverco.com/p/marunscheduler.html

    With regards to your problem, then from what you write, I don't think that it is your script - more a problem with WMI on your FIM box (see http://support.microsoft.com/kb/281888?wa=wsignin1.0). Is there any event log indicating a problem with WMI on the box? You should make sure that you have a valid backup of your configuration and encryption key and then you could maybe try a repair (after the obvious "trying to reboot" :-))


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | twitter at https://twitter.com/#!/MrGranfeldt


    Friday, December 21, 2012 8:02 PM
  • Ok, I ended up re-installing server from scratch. I was able to keep database and I had encryption key backup so everything can be restored back.

    After rebuild all working properly. I guess it is not worth to investigate what happened. Anyway it was something related to WMI and VBS scripts.

    Too bad that FIM 2010 R2 SP1 is not out yet otherwise I could enjoy installing it on Windows Server 2012. I hate to have new deployments on R2...

    Anyway, case is closed. Thanks everybody for help!

    • Marked as answer by lync15 Monday, January 14, 2013 8:55 PM
    Monday, January 14, 2013 8:55 PM
  • >>>>>>Too bad that FIM 2010 R2 SP1 is not out yet otherwise I could enjoy installing it on Windows Server 2012. I hate to have new deployments on R2...
     
    SP1 was released a few days ago
     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Monday, January 14, 2013 9:41 PM
  • Yes, I can see it now. I finished the rebuild of the FIM server on January 10th because I needed to restore SSPR functionality ASAP. I assume that FIM 2010 R2 SP1 is now fully compatible with Windows Server 2012 and SQL Server 2012 and SharePoint Foundation 2013, right? Confirmation please?

    So what is the process to upgrade (Windows Server 2008 R2 + FIM 2010 R2 + SQL 2008 R2 + SharePoint Foundation 2010) to (Windows Server 2012 + FIM 2010 R2 SP1 + SQL 2012 + SharePoint Foundation 2013)?

    Let's say I will install Windows Server 2012. Then I install SQL 2012. Then SharePoint Foundation 2013. Then I install FIM 2010 R2 SP1 and choose to use existing database, right? Would it work? Anybody can confirm and guarantee that? FIM on its own is most complicated product, and now we add even more complexity...

    Thanks!

    Tuesday, January 15, 2013 1:41 PM
  • Let's say I will install Windows Server 2012. Then I install SQL 2012. Then SharePoint Foundation 2013. Then I install FIM 2010 R2 SP1 and choose to use existing database, right? Would it work? Anybody can confirm and guarantee that? FIM on its own is most complicated product, and now we add even more complexity...

    Thanks!

    Nobody knows yet what the supported configurations are, because the R2 SP1 release notes are not out.  Hopefully soon!

    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Tuesday, January 15, 2013 3:11 PM