Error syncing according to MIM 2016 guide

  • Question

  • Hey guys, I'm trying to sync my AD / MIM agents according to https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/install-mim-sync-ad-service but it tries to sync my "a_eka" user, which is an admin user that I used for the install and to log in to the portal with.

    It then creates 2 user objects in the metaverse after syncing AD and when I try to Export to MIM again it fails with a ValueUniquenessViolation error on ObjectSID, I'm guessing there's some kind of mismatch?

    Thursday, July 21, 2016 1:18 PM

All replies

  • Hi Endre,

    You can exclude a_eka from the syncs by going to the management agent properties -> Configuration Connector Filter -> click on Person -> New and adding a condition of AccountName Equals e_eka.

    You can also exclude it on the AD MA in the same way.

    The ValueUniquenessViolation error on ObjectSID means you are trying to export an ObjectSID but you already have that ObjectSID set for some other user. ObjectSID has to be a unique value. The easiest way to fix this is to delete your users from the MIM portal, since this is a new installation, and allow the sync engine to recreate them. Now, don't delete your admin account (e_eka) or the (Built-in synchronization account).

    You should also exclude the (Built-in synchronization account) from the sync by adding a connector filter with the condition DisplayName Equals Built-in synchronization account.

    Hope this helps.

    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    • Proposed as answer by Peter_Stapf Friday, July 22, 2016 10:54 AM
    Thursday, July 21, 2016 1:27 PM
  • At a guess you've projected one Metaverse user from your MIM (portal) MA and one from AD MA. If you intend to sync this account then the better approach would be to import from your MIM MA and join it to the appropriate AD MA CS object, either using join rules or the joiner tool. That way ADMA won't project the user and consequently that user won't be provisioned to MIM portal.

    Starting with an empty Metaverse, an approach would be:

    1. MIM MA Import, Sync

    2. ADMA import

    3. ADMA sync if you have a join rule configured, otherwise manually join ADMA account to existing MV object

    Thursday, July 21, 2016 1:33 PM
  • Hi,

    I also took a look at the docs and the guys above are right: the docs seem to be missing that filtering step, and I remember that it was present in the old FIM documentation.

    Always filter out the built-in sync account and the first (FIM portal installer) admin account from being imported to the MV, because if something goes wrong there is a chance you delete those accounts from the portal by accident, which leaves you without any admin access to it.

    So it is best to use an install admin account that is not used later; after the install, create/sync additional personal admin accounts in the portal and put them in the administrator set.

    The documentation should be updated for this.


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, July 22, 2016 10:58 AM
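
The behaviour the replies describe, as an added example that is not part of the original thread and is not MIM's own code: a simplified Python model of projection, join and connector filtering, showing why two metaverse objects lead to the ValueUniquenessViolation on export and how a join rule or a connector filter avoids it. The function names, the join on AccountName and the SID value are assumptions made for illustration.

```python
# Simplified model of sync-engine projection/join; not MIM's actual implementation.
class ValueUniquenessViolation(Exception):
    pass

def sync(ma_name, connector_space, metaverse, join_attr=None, connector_filter=None):
    """Sync one management agent: apply the connector filter, then join, else project."""
    for cs_obj in connector_space:
        if connector_filter and connector_filter(cs_obj):
            continue  # filtered object never reaches the metaverse
        match = None
        if join_attr:
            match = next((mv for mv in metaverse
                          if mv["attrs"].get(join_attr) == cs_obj.get(join_attr)), None)
        if match is None:  # no join found: projection creates a new MV object
            match = {"attrs": {}, "connectors": set()}
            metaverse.append(match)
        match["attrs"].update(cs_obj)
        match["connectors"].add(ma_name)

def export_to_portal(metaverse, portal):
    """Provision MV objects without a portal connector; the portal enforces unique ObjectSID."""
    for mv in metaverse:
        if "MIM" in mv["connectors"]:
            continue  # already connected to a portal object, nothing to create
        sid = mv["attrs"]["ObjectSID"]
        if any(p["ObjectSID"] == sid for p in portal):
            raise ValueUniquenessViolation(f"ObjectSID {sid} already set on another resource")
        portal.append(dict(mv["attrs"]))
        mv["connectors"].add("MIM")

def run(join_attr=None, connector_filter=None):
    """Return (number of MV objects, export result) for one configuration."""
    # Constructed sample data; the SID is a placeholder, not a real value.
    admin = {"AccountName": "a_eka", "ObjectSID": "S-1-5-21-CONSTRUCTED-1105"}
    portal = [dict(admin)]   # the install admin already exists in the portal
    metaverse = []           # start with an empty metaverse
    sync("MIM", [dict(admin)], metaverse, connector_filter=connector_filter)
    sync("AD", [dict(admin)], metaverse, join_attr=join_attr,
         connector_filter=connector_filter)
    try:
        export_to_portal(metaverse, portal)
        return len(metaverse), "ok"
    except ValueUniquenessViolation:
        return len(metaverse), "ValueUniquenessViolation"
```

Calling `run()` with no arguments reproduces the situation in the question; passing `join_attr="AccountName"` or a `connector_filter` models the two fixes proposed in the replies.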