Unable to create FIM MA

  • Question

  • I am unable to create a FIM Management Agent in one of our virtual servers. Earlier we had a FIM MA, but later, for another part of our project, we deleted all MAs and created 26 new MAs. Now we are also trying to create the FIM MA, but it is giving an error: "Failed to retreive the schema. failed to connect to the database or FIM service. Please check the specified database location,service host address, and account information". Can anyone please give some help on this?


    hima
    Monday, November 22, 2010 11:42 AM

Answers

  • What have you tried so far to troubleshoot the issue?
    What settings have you entered in the MA configuration dialog?
    Have you looked at How can I manage my FIM MA account yet?

    Without more details, it is hardly possible to help you.
    You should also take a look at Peter's How to get the maximum return on your forum question.

    Cheers,
    Markus

     


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, November 22, 2010 12:03 PM
    • Do the FIM Service and the FIM Sync-Engine run on the same server or on separate boxes? Firewall / communication issues?
    • Can you browse http://localhost:5725 from the FIM Sync-Engine server? It should return a web page starting with "This is a Windows Communication Foundation service".
    • Is the FIM Service started?
    • Does the C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config file contain the service endpoint http://localhost:5725?
    • Does the C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config file contain a proper key="SyncEngineAccount"?
    • Have you properly set up Kerberos delegation?
    • On the FIM MA connection page: did you try to specify the domain part with both NetBIOS and FQDN names?
    • Does the FIM MA service account have the "Allow log on locally" privilege on the FIM Sync-Engine box?

    /Matthias
    Monday, November 22, 2010 3:42 PM
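Matthias's Sync-Engine-side checks (services, the 5725 base address, and the two config-file items) scripted in one place. This is an added example, not code from the thread, from Microsoft, or from the FIM documentation. Everything it relies on beyond the list above is an assumption: the service names FIMService and FIMSynchronizationService, the appSettings form <add key="SyncEngineAccount" value="DOMAIN\account"/>, and that this value is expected to name the account the Sync Service itself runs as.

```powershell
# Added example, not code from the thread: Matthias's Sync-Engine-side checks in one
# script, run on the box where the FIM MA is being created. Assumptions: default FIM
# 2010 install path, service names FIMService and FIMSynchronizationService, the
# appSettings form <add key="SyncEngineAccount" value="DOMAIN\account"/>, and that
# this value must name the account the Sync Service itself runs as.
param(
    [string]$BaseAddress = 'http://localhost:5725',
    [string]$ConfigPath  = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'
)

$checks = @()
function Add-Check([string]$Name, $Detail, [bool]$Pass) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = "$Detail" }
}

# 1. Both FIM services installed and running.
foreach ($name in 'FIMService', 'FIMSynchronizationService') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($s) { "$($s.Status)" } else { 'not installed' }
    Add-Check "Service $name" $state ($state -eq 'Running')
}

# 2. The base address answers over HTTP. The full WCF help page is the expected
#    banner; a "Metadata publishing ... disabled" page still means the listener is up.
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try {
    $body = $wc.DownloadString($BaseAddress)
    $banner = $body -match 'Windows Communication Foundation service'
    Add-Check "HTTP GET $BaseAddress" "reachable; WCF banner present: $banner" $true
} catch {
    Add-Check "HTTP GET $BaseAddress" $_.Exception.Message $false
}

# 3. The service config references the same base address and carries SyncEngineAccount.
if (Test-Path $ConfigPath) {
    $cfg = (Get-Content $ConfigPath) -join "`n"
    Add-Check 'Config references base address' $BaseAddress ($cfg.IndexOf($BaseAddress, [StringComparison]::OrdinalIgnoreCase) -ge 0)

    $m = [regex]::Match($cfg, 'key="SyncEngineAccount"\s+value="([^"]*)"')
    $syncAcct = if ($m.Success) { $m.Groups[1].Value } else { '' }
    Add-Check 'SyncEngineAccount key present' $syncAcct ($syncAcct -ne '')

    # 4. Compare it with the logon account of the Sync Service (WMI StartName is DOMAIN\user).
    #    Assumption: the two are expected to match; a UPN vs DOMAIN\user mismatch is a false alarm.
    $w = Get-WmiObject Win32_Service -Filter "Name='FIMSynchronizationService'"
    if ($w -and $syncAcct -ne '') {
        Add-Check 'SyncEngineAccount = Sync Service logon' "$syncAcct vs $($w.StartName)" ($syncAcct -eq $w.StartName)
    }
} else {
    Add-Check 'Config file present' $ConfigPath $false
}

$checks | Select-Object Check, Pass, Detail | Format-Table -AutoSize -Wrap
```

Run it on the Sync-Engine box as a user that can read the Service config. A failed HTTP GET points at the FIM Service or firewall side; a present but mismatched SyncEngineAccount points at the config; the Kerberos delegation and NetBIOS/FQDN items from the list are not covered here and still need a manual look.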
  • Please go through this: http://technet.microsoft.com/en-us/library/ff512685(WS.10).aspx. I am sure you might be missing something.

    For me it worked by giving access to logon locally.



    HBB

    • Marked as answer by Hira Lal Monday, December 3, 2012 10:43 AM
    Wednesday, November 21, 2012 10:57 AM

All replies

  • Sorry, these are the values we have used in the connection page:

    server-localhost

    database-FIMService

    FIM service base address-http://localhost:5725

    windows authentication mode-

    username-fimma

     

    Checked out the link you specified above, but the problem still continues.


    hima
    Monday, November 22, 2010 1:30 PM
  • Add "FIM MA" Account to "Domain Admins" Group and Relog. Or give "FIM MA" account the access to logon locally. I would assume that is your problem.
    Monday, November 22, 2010 3:44 PM
  • Add "FIM MA" Account to "Domain Admins" Group and Relog. Or give "FIM MA" account the access to logon locally. I would assume that is your problem.


    Both suggestions are actually incorrect.
    How can I manage my FIM MA account covers the requirements for the related account.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, November 22, 2010 7:21 PM
  • H_L_J,

    I would start with basic troubleshooting:

    • Check the event log
    • Check the SQL server log
    • Verify which port your SQL is listening on
    • Is the SQL Browser service started? (convenient if you are on a non-default port)
    • Is the PW of your FIM MA account still valid? Account not locked?
    • Is the FIM Service running?
    • Are you using the account for the FIM MA (as provided in the FIM Service installation wizard)? Do not confuse this account with the FIM Service account!

    Markus,

    I'm wondering, as I see it here in the topic and also in the article you reference, isn't it a general best practice to pick a DNS name for the FIM Service? I picked fimsvc.contoso.com as a DNS entry for the FIM Service. This gives you a lot of flexibility: it works for load-balanced setups, it works for single-box setups,... And it's clean for the Kerberos SPN part when you register fimservice\fimsvc.contoso.com on the FIM Service MA account.

    I'm always itchy when I see services being referenced by "localhost". Kerberos does not like this. I know it's on the same box...but still.

    Regards,
    ThOmas


    http://setspn.blogspot.com
    Monday, November 22, 2010 8:19 PM
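Thomas's basic-troubleshooting list (event log, SQL log, SQL port, SQL Browser, account state, FIM Service) as one script. This is an added example and not code from the thread or from Microsoft; it assumes a single box hosting the default SQL instance, the service names MSSQLSERVER, SQLBrowser and FIMService, the RSAT ActiveDirectory module, the SQL Server 2008 ERRORLOG path, and that FIM writes to the Application log and to a log named "Forefront Identity Manager". Adjust the parameters where your install differs.

```powershell
# Added example, not code from the thread: Thomas's basic troubleshooting list run
# on a single box that hosts SQL Server (default instance), the FIM Service and the
# Sync Engine. Assumptions: service names MSSQLSERVER, SQLBrowser and FIMService;
# the RSAT ActiveDirectory module; the SQL Server 2008 ERRORLOG path; and that FIM
# writes to the Application log plus a "Forefront Identity Manager" log.
param(
    [string]$FimMaAccount = 'fimma',   # the FIM MA user from the thread, NOT the FIM Service account
    [string]$SqlErrorLog  = 'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log\ERRORLOG',
    [int]$LookbackHours   = 24
)

# Services: the SQL engine, SQL Browser (needed to resolve a named instance or
# non-default port) and the FIM Service itself.
foreach ($name in 'MSSQLSERVER', 'SQLBrowser', 'FIMService') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    '{0,-20} {1}' -f $name, $(if ($s) { $s.Status } else { 'not installed' })
}

# Which TCP ports does the SQL engine process listen on? 1433 is the default; any
# other value has to be given explicitly or discovered via SQL Browser (UDP 1434).
$sql = Get-WmiObject Win32_Service -Filter "Name='MSSQLSERVER'"
if ($sql -and $sql.ProcessId) {
    $ports = netstat -ano -p TCP |
        Where-Object { $_ -match ('LISTENING\s+' + $sql.ProcessId + '\s*$') } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] -replace '^.*:', '' } |
        Sort-Object -Unique
    "SQL engine listening on TCP: $($ports -join ', ')"
}

# FIM MA account: not locked, password not expired, account enabled.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $u = Get-ADUser -Identity $FimMaAccount -Properties LockedOut, PasswordExpired, PasswordLastSet, Enabled
    'Account {0}: Enabled={1} LockedOut={2} PasswordExpired={3} PasswordLastSet={4}' -f `
        $u.SamAccountName, $u.Enabled, $u.LockedOut, $u.PasswordExpired, $u.PasswordLastSet
} catch {
    "Could not query AD for '$FimMaAccount': $($_.Exception.Message)"
}

# SQL error log: a wrong FIM MA or FIM Service credential shows up as "Login failed".
# ERRORLOG is UTF-16, hence the explicit encoding.
if (Test-Path $SqlErrorLog) {
    Get-Content $SqlErrorLog -Encoding Unicode | Select-String 'Login failed' |
        Select-Object -Last 5 | ForEach-Object { "SQL log: $($_.Line)" }
}

# Event logs: recent errors/warnings from FIM and SQL sources in Application, plus
# the FIM-specific log if it exists on this box.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = @(Get-EventLog -LogName Application -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
            Where-Object { $_.Source -match 'FIM|Forefront|MSSQL' })
$events += @(Get-EventLog -LogName 'Forefront Identity Manager' -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue)
$events | Sort-Object TimeGenerated -Descending | Select-Object -First 10 -Property TimeGenerated, Source, EventID,
    @{ n = 'Message'; e = { $m = "$($_.Message)" -replace '\s+', ' '; $m.Substring(0, [Math]::Min(120, $m.Length)) } } |
    Format-Table -AutoSize -Wrap
```

The SQL "Login failed" lines are the quickest way to tell a database-side credential problem (wrong account, expired password) from a FIM Service-side one, which is the distinction the error text in the original question does not make.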
  • Markus,

    I'm wondering, as I see it here in the topic and also in the article you reference, isn't it a general best practice to pick a DNS name for the FIM Service? I picked fimsvc.contoso.com as a DNS entry for the FIM Service. This gives you a lot of flexibility: it works for load-balanced setups, it works for single-box setups,... And it's clean for the Kerberos SPN part when you register fimservice\fimsvc.contoso.com on the FIM Service MA account.

    I'm always itchy when I see services being referenced by "localhost". Kerberos does not like this. I know it's on the same box...but still.

    It is a Wiki - please feel free to update the article.
    I will definitely not reject your revisions in conjunction with this :o)

    Cheers,
    Markus

     


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, November 22, 2010 8:24 PM
  • Configure the service accounts running the FIM 2010 server components in a secure manner

    As mentioned previously, there are two service accounts that are used to run the FIM server components. They are called the FIM Service service account and the FIM Synchronization Service service account in this guide. The FIM MA account is not considered a service account, and it should be a regular user account. For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA must be able to log on locally.

    To enable the FIM MA to log on locally

    1. Click Start, and then click Administrative Tools.

    2. Click Local Security Policy, and then click Local Policies\User Rights Assignment.

    3. In the policy Allow log on locally, ensure that the FIM MA account is explicitly specified, or add it to one of the groups that is already granted access.

    Source (Before You Begin): http://technet.microsoft.com/en-us/library/ff512685(WS.10).aspx


    Regards, John Atick
    Monday, November 22, 2010 11:19 PM
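To verify the outcome of the three steps above without clicking through Local Security Policy, the following added example (not from the TechNet article or from anyone in the thread) exports the local user-rights assignment with secedit and reports who holds "Allow log on locally" (SeInteractiveLogonRight), and whether the FIM MA account is also listed under "Deny log on locally", which overrides an allow. The account name is a placeholder; run it elevated on the Sync-Engine box.

```powershell
# Added example, not from the TechNet article or the thread. Verifies that the FIM MA
# account holds "Allow log on locally" (SeInteractiveLogonRight) on this Sync-Engine
# box and is not also listed under "Deny log on locally", which wins over an allow.
# Run elevated; secedit needs it. The account name below is a placeholder.
param([string]$FimMaAccount = 'CONTOSO\fimma')

$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

# Returns the grantees of one privilege from the [Privilege Rights] section. SIDs are
# written as *S-1-...; translate them to DOMAIN\name where this box can resolve them.
function Get-RightGrantees([string]$Right) {
    $line = Get-Content $inf | Where-Object { $_ -match ('^' + $Right + '\s*=') } | Select-Object -First 1
    if (-not $line) { return @() }
    $raw = ($line -split '=', 2)[1].Trim()
    if ($raw -eq '') { return @() }
    $raw -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID: keep it so it is still visible in the output
        } else { $entry }
    }
}

$allow = @(Get-RightGrantees 'SeInteractiveLogonRight')
$deny  = @(Get-RightGrantees 'SeDenyInteractiveLogonRight')
Remove-Item $inf -ErrorAction SilentlyContinue

$directAllow = $allow -contains $FimMaAccount    # -contains compares strings case-insensitively
$directDeny  = $deny  -contains $FimMaAccount

New-Object PSObject -Property @{
    Account           = $FimMaAccount
    AllowLogOnLocally = $allow -join ', '
    DenyLogOnLocally  = $deny  -join ', '
    GrantedDirectly   = $directAllow
    DeniedDirectly    = $directDeny
}

# The right may also arrive through a group (Users, Administrators, a custom group), which
# is what step 3 above means by "one of the groups that is already granted access". If
# GrantedDirectly is False, confirm membership in one of the listed groups, for example
# with Get-ADPrincipalGroupMembership from the ActiveDirectory module.
if (-not $directAllow) { "Not granted directly; check group membership against: $($allow -join ', ')" }
```

Granting the right to the FIM MA account directly, or through a small purpose-built group, keeps the exposure of that account limited to the one box that needs it, which is the point Markus and John make below about not using Domain Admins for this.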
  • Sorry, that was too fast on my side - you are right, log on locally is required but not the domain admin membership.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, November 22, 2010 11:33 PM
  • Yes, if "Allow log on locally" was specified, there is no need to add the FIM MA account to the Domain Admins group (which already has permission to log on locally). Both ways work, but I would recommend using "log on locally", which is better from a security point of view.


    Regards, John Atick

    Tuesday, November 23, 2010 12:16 AM
  • Hi Matthias and everyone,

     I have the same issue, I'm unable to create the FIM Management Agent.  When trying to do so I'm getting the error "Failed to connect to the specified database.  The extension operation aborted due to an internal error on FIM Synchronization Service".

    When opening the URL http://localhost:5725, I got the message "Metadata publishing for this service is currently disabled"

    The FIMMA account does have access to log on locally; the FIM Service and FIM Sync Service run on the same server. Both services are started and run properly.

    I'm stuck for two days on this part of the FIM configuration and I don't want to restart the whole installation. Any support will be appreciated.

    Regards,

    Thursday, November 8, 2012 10:59 PM