General Questions about FIM 2010

  • Question

  • Hi,

    We are almost ready to deploy our FIM 2010 R2 solution to the production environment.  I have a few questions around certain aspects as below:

    1. Orphaned EREs and DREs:  Even if objects are deprovisioned in the proper way I still end up with a few of these. (I also saw some threads from other users here who experienced the same.)  To prevent the build-up of these I have added a separate WF as part of the deprovisioning process to remove any Sync rules.  This means that for every WF which executes a SR there is one which will remove the sync rule when the object is deprovisioned. This seems to work in our environment.  The question is, is this the best way to do this or is there another, better method?

    2. 1000s of requests are generated in the FIM Portal, should one do a clean-up on these to prevent the database from filling up with these?

    3. Run profiles: is there a suggested way or order to run them in?  I have automated the running of these with WMI VB script in SSIS.  I monitor the adds, updates etc. for every MA after a full sync and then decide which one to run next.  Of course, when there are sync errors on a particular MA it will execute forever; to prevent this, I added a counter. In our environment 18 cycles seem to be enough to converge all MAs. Is there a better way of doing this?

    4. Full Sync: Even after working with FIM / ILM for so many years I am still not sure if it is required to run a Full Sync on every MA.  My understanding is that it is required to run a Full Sync only on 1 MA, and this action will process all SR rules across all MAs, but sometimes I get conflicting results.  Is my understanding correct or not?

    Any help or guidance is much appreciated.

    Regards

    Johan Marais 


    JkM6228

    Thursday, January 24, 2013 7:48 AM

Answers

  • Markus,

    Thanks for your reply. I noticed that the hotfix in your link applies to FIM 2010; I am already running FIM 2010 R2 SP1. I couldn't find the stored procedure as indicated in the KB article, unless it has been renamed or moved to another SP?  Currently I have a Workflow which removes a sync rule when an object moves out of the Set which resulted in applying a particular sync rule.  This adds a lot of unnecessary overhead, but appears to be effective.  Is it OK to do it like this or will this approach result in problems later?

    Regards

    Johan Marais


    JkM6228

    Johan-

    I think the sproc is still out there in R2, but I haven't looked. Your approach with the sets should be fine, though.

    With regard to your question around run profiles, the sequencing and need for repeats within a cycle comes down to understanding the solution and where (and when) the sync engine will need to do work. Whether or not you need to repeat runs within a cycle is going to depend on how the solution works. Your best bet it sounds like is to step through each run with some live data, and look at what triggers the pending changes generated by that run. Based on this, you can think about how to a) potentially consolidate the number of run profiles in your cycle and b) think through the activities that trigger those pending changes.

    Assuming you don't have code (rules extensions, metaverse extensions) that trigger off something other than a change in an MA's connector space, full syncs shouldn't be necessary outside of some config changes. I generally consider a solution that requires a full sync during the normal course of business to be flawed and in need of rethinking.

    With regard to requests, you can configure the retention window by going to the Administration>Portal Configuration link in the portal. The system will automatically purge older requests based on this value. If I remember right, you may need to create an MPR to grant yourself the ability to make this change.

    Hope this helps!


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by Johan Marais Wednesday, January 30, 2013 6:52 AM
    Monday, January 28, 2013 8:38 AM
    Moderator
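
A bounded run cycle of the kind discussed in this thread, as an added example that is not code from any poster or from Microsoft. It drives the Synchronization Service through its WMI provider, exports only where exports are actually pending, and stops at the 18-cycle cap mentioned in the question; the MA names, the run profile names (including `Export`) and their order are placeholders to replace with your own.

```powershell
# Added example: bounded run-profile cycle for the FIM Synchronization Service via WMI.
# MA names and run profile names below are placeholders (assumptions), not from the thread.
$ns       = 'root\MicrosoftIdentityIntegrationServer'
$maxCycle = 18   # cap from the thread: stops the loop when sync errors keep changes pending
$steps    = @(
    @{ MA = 'HR MA';  Profiles = @('Delta Import', 'Delta Sync') },
    @{ MA = 'FIM MA'; Profiles = @('Delta Import', 'Delta Sync') },
    @{ MA = 'AD MA';  Profiles = @('Delta Import', 'Delta Sync') }
)

function Get-MA([string]$Name) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    $ma
}

function Get-PendingExports($ma) {
    # The NumExport* methods return their counts as strings in ReturnValue
    [int]$ma.NumExportAdd().ReturnValue +
    [int]$ma.NumExportUpdate().ReturnValue +
    [int]$ma.NumExportDelete().ReturnValue
}

for ($cycle = 1; $cycle -le $maxCycle; $cycle++) {
    $failed = @()
    foreach ($step in $steps) {
        $ma = Get-MA $step.MA
        foreach ($p in $step.Profiles) {
            $status = $ma.Execute($p).ReturnValue   # 'success' or an error/warning status
            if ($status -ne 'success') { $failed += "$($step.MA) / ${p}: $status" }
        }
    }
    # Export only where the sync runs staged changes; the next cycle's import confirms them
    $pending = 0
    foreach ($step in $steps) {
        $ma = Get-MA $step.MA
        $n  = Get-PendingExports $ma
        if ($n -gt 0) {
            $pending += $n
            $status = $ma.Execute('Export').ReturnValue
            if ($status -ne 'success') { $failed += "$($step.MA) / Export: $status" }
        }
    }
    Write-Output "Cycle ${cycle}: pending exports=$pending, non-success runs=$($failed.Count)"
    $failed | ForEach-Object { Write-Warning $_ }
    if ($pending -eq 0) { break }   # converged: nothing left to push out
}
if ($cycle -gt $maxCycle) { Write-Warning "No convergence after $maxCycle cycles; check sync errors" }
```

Run it under an account that is a member of the FIM Sync administrators or operators group, and treat a cap hit as an alert to investigate rather than a normal exit.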

All replies

  • Hi Johan -

    Responding to some of your questions...

    Understanding deletions is key to understanding orphaned EREs.

    Read this: http://social.technet.microsoft.com/wiki/contents/articles/1860.understanding-deletions-in-ilm-2007.aspx

    Then, here is a tool for removing orphaned EREs:

    http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/3db4100d-16da-4002-9708-43949659a4f8

    Understanding when to run which run profile is found in some of the introductory materials.  Look at the tutorials/examples on provisioning to AD and sync'ing with AD for basic understanding.  I have found that in some cases a Full Import is required for importing new sync rules or for specific user changes.  And of course for initializing an MA.

    Hope some of this helps..

    Thursday, January 24, 2013 2:28 PM
  • Just a quick comment...

    The best practice for removing orphaned EREs and DREs is outlined under "Fixed issues in FIM Service, Issue 4" in KB 2520954.

    I will remove the scripted solutions because they have scalability issues.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation


    Thursday, January 24, 2013 4:00 PM
  • Markus,

    Thanks for your reply. I noticed that the hotfix in your link applies to FIM 2010; I am already running FIM 2010 R2 SP1. I couldn't find the stored procedure as indicated in the KB article, unless it has been renamed or moved to another SP?  Currently I have a Workflow which removes a sync rule when an object moves out of the Set which resulted in applying a particular sync rule.  This adds a lot of unnecessary overhead, but appears to be effective.  Is it OK to do it like this or will this approach result in problems later?

    Regards

    Johan Marais


    JkM6228

    Friday, January 25, 2013 6:07 AM
  • Osho27,

    Thanks for the info, but your link refers to ILM 2007; I am running on FIM 2010 R2 SP1.  I do understand the deprovisioning process, but sometimes when an object is removed in the proper way orphaned EREs and DREs remain.  I am looking for an effective way to manage this.  Currently I have a method whereby the sync rule is removed from an object when it moves out of the Set which resulted in the Sync rule being applied.  This method appears to be working, but I am not sure whether this approach will result in problems over the longer term.

    Maybe my question about running the run profiles was not clear, apologies for that.  I do know with which MA to start, but running them automatically until everything is converged, is what I was looking for.  I am using a combination of WMI vbscripts in SSIS and a maximum count to determine when to stop the cycle. As I have indicated in my original thread 18 cycles seem to be enough in our environment, I have 13 MAs.  The question is, is this approach good enough, or is there a more effective way in doing this?

    Thanks

    Johan Marais  


    JkM6228

    Friday, January 25, 2013 6:21 AM
  • Hi Johan

    have a look at the following link

    http://runjob.codeplex.com/

    and otherwise use Google or Bing to search for other Run MA sequencers.

    Sunday, January 27, 2013 9:17 AM