MIM 2016 - Users / Groups not importing

  • Question

  • Hi all, desperate for some assistance here.

    I have followed this chapter for importing User and Groups to MIM Portal from our own AD:

    https://technet.microsoft.com/en-us/library/jj150428(v=ws.10).aspx#move_ou

    But when I come to verify that the import was successful, there are no users or groups whatsoever when I go into the portal (No Items).

    I am installing MIM 2016 as a fresh install on one server in a new domain. I am trying to import users from separate OUs in Active Directory. Is there anything I could be missing here?

    Example AD where users are located:

    CONTOSO.COM --> (OU) Company 1 --> (OU) Admin Team --> (OU) Users

    Do I need to explicitly specify where the users are for the AD Inbound Sync Rule, similarly to that shown in point 16. of the Create the Group Synchronization Rule in TechNet article above?

    Hope someone can shed some light on this for me?

    Thanks

    Steve

    Thursday, September 8, 2016 1:09 PM

Answers

  • Hi everyone,

    Just following up on this as I said I would.

    When I had a look at Stephen's environment, he'd done most of it - the objects in the metaverse all had an account name, domain and objectSID, as well as a few other attributes (domain name and first and last name).  He'd also successfully set the export flows from the metaverse to the MIM service and had exported the users successfully.

    Stephen, just as a heads up: the connectors tab is after you've brought the properties of a user up in the metaverse.

    The joiners tab is something different, and where you can view any disconnectors (that is an object in a given system that is not connected to an object in the metaverse).

    If you need anything else, just shout.

    Thanks,
    Paul.

    • Marked as answer by Stephen_Clark Wednesday, September 14, 2016 7:22 AM
    Tuesday, September 13, 2016 12:46 PM

All replies

  • Hi Steve,

    Do you see the users and groups in the metaverse search, in the synchronization service manager?  I think we need to break things down first - so in order for you to see them in the portal, they first need to be imported into the sync service and from there into the MIM Service and portal.

    The synchronization rule will apply on import from AD into the sync service, but in order to get them out to the MIM portal, you'll just need to map the object types (person to person, group to group) and then define the attribute flows.  It's pretty automatic after that.

    Cheers,

    Paul.



    • Edited by Paul Green Thursday, September 8, 2016 2:15 PM
    Thursday, September 8, 2016 2:10 PM
  • Hi Paul, 

    Thanks for your help with this so far. 

    OK - so within Synchronization Service Manager under the Operations tab I can see that my AD Full Synchronization ran successfully and I can see all of the user objects it has pulled in. (I would paste a screen shot but I can't as my account hasn't been verified).

    So I ran the AD Full Import then ran AD Full Synchronization, then I run MIM Export, which completes with one error which is:

    "failed-creation-via-web-services"

    Call stack information from this error reads:

    Fault Reason: The request message contains errors that prevent processing the request.\r\n\r\nFault Details: <RepresentationFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><AttributeRepresentationFailure><AttributeType>ObjectSID</AttributeType><AttributeValue></AttributeValue><FailureMessage>Exception: ValueViolatesUniqueness 

    Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.InvalidRepresentationException: ValueViolatesUniqueness at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception) at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException, TransactionAndConnectionScope scope) at Microsoft.ResourceManagement.Data.DataAccess.ProcessRequest(RequestType request)   at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><AttributeFailureCode>ValueViolatesUniqueness</AttributeFailureCode><AdditionalTextDetails>The specified attribute value must be unique for this Resource Type.</AdditionalTextDetails></AttributeRepresentationFailure><CorrelationId>e798f9f5-7a85-4d25-9f83-772bd29ecf97</CorrelationId></RepresentationFailures>

    After that, I run the MIM Delta Import profile, which completes successfully without any errors. (Adds = 65, updates = 33).

    Then when I access the portal and go to "User, Profiles and Passwords" page, there's nothing there.

    I assume the object types are those that are explained in the URL I posted? 

    Maybe the error I've pasted has something to do with it, but I'm so new to this, I'm really clutching at straws.

    Thanks again,

    Steve

    Thursday, September 8, 2016 2:50 PM
  • Hi Steve,

    OK, so the clue is buried in that error message you pasted, ValueViolatesUniqueness.

    One of the things that MIM enforces is a uniqueness check on the combination of domain and accountname, and also on the SID when hitting the MIM service.  So I just wonder if you're somehow not actually setting the SID uniquely on the flow.

    Is Mental Health Concern a UK-based charity?  It looked that way from searching for you.  If so I'd be happy to spare 30 minutes to take you through some of the concepts, even help remotely.  We can then revisit this thread with our findings :-)

    Thanks,

    Paul.


    • Edited by Paul Green Thursday, September 8, 2016 4:01 PM
    Thursday, September 8, 2016 3:45 PM
  • Hi Paul,

    Yes we are a registered charity in England. I am leaving now and will return to work on Monday 8-4pm. I'm not sure how to send email addresses privately on here, so will try and figure something out on Monday when I return to work.

    All advice greatly appreciated. Steve.

    Thursday, September 8, 2016 4:01 PM
  • No worries Steve - not trying to flout the forum rules, and I think sharing knowledge is best, but sometimes you get more out of a quick phone call.  As I said, if we revisit this thread to enrich the forum too!

    I'm sure you'll find our company if you search for us.  I'm just paul@

    For now, I'd again check the metaverse search tab to see if the users have made it as far as the sync service.  From there you can double click on them to view their properties, and hopefully see that they have an account name, domain and objectSID.  You can also click the connectors tab, and you'll hopefully see an entry for the MIM service there too for each of them - double clicking on that should show you their account name, domain and object SID pending an export; I'm not convinced you will though, but that's definitely what you should be aiming for.

    Cheers,

    Paul.

    • Marked as answer by Stephen_Clark Tuesday, September 13, 2016 12:43 PM
    • Unmarked as answer by Stephen_Clark Wednesday, September 14, 2016 7:21 AM
    Thursday, September 8, 2016 4:09 PM
  • Hi Paul,

    I've checked the Metaverse Search in the Synchronisation Service Manager and I can see 166 matching records in there. I have displayed the columns for accountName, domain, objectSid and the records are there from AD.

    I couldn't see a "Connectors tab" so I assumed it could be the "Joiners" tab. Looking under this tab, I have selected the MIM Management Agent, and "All disconnector types". The status bar is showing "Retrieved 28 of 28 matching records", however the list is not displaying any data (which I think is what you have kindly explained/predicted above).

    I have shown the following columns:

    AccountName

    ObjectSID

    Domain

    All of these are blank - but when I double click into them, there is data in there.

    If I click into one of the records, looking on the "Import" tab, I don't see the Attribute Names for those fields above. Kind of guessing this has something to do with the records not importing, but still unsure why there are only 28 matching records whereas the metaverse search shows up 166. 

    Hoping this information will help with the resolution of getting these users importing into the portal. 

    Thanks

    Stephen

    Monday, September 12, 2016 11:51 AM
  • Thanks Paul, appreciate your time so much on this. Thanks for checking it out for me and glad things look ok. 

    I didn't even think about clicking the search button on the right under the users section, but thanks again for passing your knowledge on sorting out the attribute flows and which database they would be coming from.

    Can't thank you enough. 

    Regards

    Steve

    Tuesday, September 13, 2016 12:45 PM
  • Thanks again Paul, a great help.
    Wednesday, September 14, 2016 7:22 AM
  • Hi Paul,

    I've rebuilt my entire environment again and have it all configured...mostly.

    I have an issue now where the domain name isn't pulling through into the MIM Portal. I've checked the metaverse search for all the users in AD and there are entries for domain; accountName and objectSid.

    If I go into users in the portal, I can manually add the domain in by clicking into the user and select the domain name from the drop down list. When I do this, my password reset portal works a treat. No errors! Great! 

    I'm just wondering if I'm going to need to manually add the domain name in for all users? The attribute flows on the MIM MA specify a direct mapping for domain to export and import on the person Object Type.

    Any suggestions / help always appreciated. 

    Just about there, if I can get this sussed then we can start rolling out the add-ins to our devices to let users reset their own passwords.

    Thanks again.

    Stephen

    Monday, October 24, 2016 2:05 PM
  • Hi Stephen, Just flow it as a constant value on import on your AD management agent, and then a direct flow domain -> domain as export to the MIM service. Thanks Paul
    Monday, October 24, 2016 6:40 PM
  • Hi Paul, 

    On the AD MA, on the configure attribute flow section, under "User" from the 'data source object type' drop down, 'domain' isn't in the list. 

    Think I'll just manually update the records in the portal as I really don't want to mess this up again.

    Thanks again for your input. 

    Stephen

    Tuesday, October 25, 2016 10:34 AM
  • Hi Stephen,

    Domain isn't an attribute in AD - it can be inferred from the DN, or the SID of the object (the first part of the SID will be the same for all users in a given domain).  If you have a single domain, you can just select domain in the metaverse, leaving the data source attribute de-selected, but then hit "Advanced" on mapping type, click New and then change it to Constant, and type the NETBIOS domain name.

    If you're using synchronisation rules, you can do it similarly - shout if you are and need help talking through it.

    It's worth doing the above to cover any new users regardless.

    Cheers,

    Paul.

    Wednesday, October 26, 2016 1:33 PM
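
Added example, not part of the thread and not Microsoft's or the posters' own code: a PowerShell check that derives the domain from the DN and from the SID as described in the reply above, and flags the empty or duplicate objectSid and duplicate account-name values that would trip the uniqueness check mentioned earlier in the thread. The rows are constructed sample data, the function names are hypothetical, and `CONTOSO` is an assumed NetBIOS name for the thread's CONTOSO.COM example.

```powershell
# Constructed sample rows (not data from the thread), shaped like a metaverse export.
$rows = @(
    [pscustomobject]@{ AccountName = 'asmith'; ObjectSid = 'S-1-5-21-1004336348-1177238915-682003330-1104'
                       DN = 'CN=A Smith,OU=Users,OU=Admin Team,OU=Company 1,DC=contoso,DC=com' }
    [pscustomobject]@{ AccountName = 'bjones'; ObjectSid = 'S-1-5-21-1004336348-1177238915-682003330-1104'
                       DN = 'CN=B Jones,OU=Users,OU=Admin Team,OU=Company 1,DC=contoso,DC=com' }
    [pscustomobject]@{ AccountName = 'cwhite'; ObjectSid = ''
                       DN = 'CN=C White,OU=Users,OU=Admin Team,OU=Company 1,DC=contoso,DC=com' }
    [pscustomobject]@{ AccountName = 'asmith'; ObjectSid = 'S-1-5-21-1004336348-1177238915-682003330-1107'
                       DN = 'CN=Ann Smith,OU=Users,OU=Finance,OU=Company 1,DC=contoso,DC=com' }
)

function Get-DnsDomainFromDN([string]$DN) {
    # Joins the DC= components of the DN. This yields the DNS name (contoso.com),
    # not the NetBIOS name, which is why the thread uses a typed-in constant instead.
    # Assumes no escaped commas (\,) inside the DC components.
    ([regex]::Matches($DN, '(?i)(?:^|,)\s*DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }) -join '.'
}

function Get-DomainSid([string]$Sid) {
    # AccountDomainSid is the SID without the trailing RID: identical for every
    # account in one domain. It is $null for SIDs that are not account SIDs.
    ([System.Security.Principal.SecurityIdentifier]$Sid).AccountDomainSid.Value
}

function Test-ExportUniqueness([object[]]$Rows, [string]$NetBiosDomain) {
    # Rows with no SID at all (an empty value cannot be unique across many users).
    $Rows | Where-Object { -not $_.ObjectSid } |
        ForEach-Object { "EMPTY-SID  $NetBiosDomain\$($_.AccountName)" }
    # The same SID flowing onto more than one object.
    $Rows | Where-Object { $_.ObjectSid } | Group-Object ObjectSid | Where-Object Count -gt 1 |
        ForEach-Object { "DUP-SID    $($_.Name) <- $($_.Group.AccountName -join ', ')" }
    # With a constant domain, domain + accountName collides whenever accountName repeats.
    $Rows | Group-Object AccountName | Where-Object Count -gt 1 |
        ForEach-Object { "DUP-NAME   $NetBiosDomain\$($_.Name) x$($_.Count)" }
}

# Show what can be inferred per user, then list anything that would break uniqueness.
$rows | Where-Object { $_.ObjectSid } | ForEach-Object {
    '{0,-8} dns={1} domainSid={2}' -f $_.AccountName,
        (Get-DnsDomainFromDN $_.DN), (Get-DomainSid $_.ObjectSid)
}
Test-ExportUniqueness -Rows $rows -NetBiosDomain 'CONTOSO'
```

Run it on Windows, where `System.Security.Principal.SecurityIdentifier` is available; real input would come from your own export of accountName, DN and objectSid rather than the inline rows.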
  • Thanks Paul.

    So I'm now in the synchronization manager, I have my AD MA properties open.

    Is this what I do:

    Select "<DN>" from the Data source attribute list, select "Advanced" as the Mapping Type.

    Flow Direction as Import or Export?

    Select "domain" from the Metaverse attribute list

    Click NEW. Select "Constant" in the "Advanced Import Attribute Flow Options" window and enter my NETBIOS domain name then OK?

    Then run the ADMA Synchronization, Export profiles and then the same on the MIM Agent profiles?

    Thanks again.

     


    Wednesday, October 26, 2016 2:06 PM
  • Hi all,

    Can anyone confirm that this is what I need to do?

    Thanks

    Wednesday, November 2, 2016 9:13 AM
  • Hi Stephen, Sorry, I thought I'd answered this. That will be fine. You don't need to select DN for a constant flow (but it'll work if you do) and you want to choose import as the direction (it's always from the point of view of the metaverse so you're importing into it in this case). Thanks Paul
    Wednesday, November 2, 2016 4:46 PM