FIM 2010 Update Rollup 2 problem

  • Question

  • Hi All,

    Have just updated my FIM environment to Update Rollup 2 (build 4.0.3606.2) and have started seeing issues with the FIM MA.

    Issues encountered:

    When exporting on the FIM MA the export is performed very slowly, CS objects that look to have been exported (Add operation) properly and show as "Awaiting Export Confirmation" never appear in the FIMService.

    A full import and full sync from the FIM MA doesn't always cause the sync service to try a re-add for these users.

    If a modify operation is exported to the FIM MA for one of these users an exception (PermissionDeniedException) is thrown but I believe that this is being caused by the fact that the object does not exist.

    I have tried refreshing the MA credentials by going into the FIM MA Properties; this gives the following error: "Failed to connect to the specified database with the specified credentials."

    From the SQL server I can see the following error:

    Login failed for user 'xx\fimsyncsvc'. Reason: Failed to open the explicitly specified database.

    I have confirmed that the correct FIM MA account has permissions on the FIM DBs and have run the test script to confirm that the FIM MA account looks OK.

    I have tried re-creating the FIM MA but the same problems persist.

    If anyone has any ideas it'd be greatly appreciated.

    Saturday, April 28, 2012 4:12 AM

Answers

  • The service account xxx\fimsyncsvc should be mapped to the FIMService database and needs to have the database role membership "FIM_SynchronizationService" which can be configured on the User mapping option when viewing the account within SQL Management Studio

    • Marked as answer by Mr.Craig.Rose Tuesday, May 1, 2012 10:09 PM
    Tuesday, May 1, 2012 8:37 AM
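
The mapping and role membership described in the answer can also be checked and applied in T-SQL instead of through the User Mapping dialog. This is an added example, not code from the thread or from Microsoft; `xxx\fimsyncsvc` is the thread's redacted placeholder, and the script assumes the `FIM_SynchronizationService` role already exists in the FIMService database.

```sql
-- Added example (not from the thread). Run as sysadmin or db_owner of FIMService.
USE FIMService;
GO
DECLARE @login sysname = N'xxx\fimsyncsvc';              -- redacted placeholder from the thread
DECLARE @role  sysname = N'FIM_SynchronizationService';  -- role named in the answer
DECLARE @user  sysname, @sql nvarchar(max);

-- 1. The Windows login must exist at the server level.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    RAISERROR(N'Login %s does not exist on this instance.', 16, 1, @login);
    RETURN;
END;

-- 2. The role must already exist; this script does not create it.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @role AND type = 'R')
BEGIN
    RAISERROR(N'Role %s not found in FIMService.', 16, 1, @role);
    RETURN;
END;

-- 3. Find the database user mapped to the login (matched by SID, not by name).
SELECT @user = dp.name
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.sid = dp.sid
WHERE sp.name = @login;

IF @user IS NULL   -- no mapping, the situation found in the thread
BEGIN
    SET @user = @login;
    SET @sql  = N'CREATE USER ' + QUOTENAME(@user) + N' FOR LOGIN ' + QUOTENAME(@login) + N';';
    EXEC sp_executesql @sql;
END;

-- 4. Add the user to the role only if it is not already a member.
IF NOT EXISTS (SELECT 1 FROM sys.database_role_members AS rm
               WHERE rm.role_principal_id   = DATABASE_PRINCIPAL_ID(@role)
                 AND rm.member_principal_id = DATABASE_PRINCIPAL_ID(@user))
    EXEC sp_addrolemember @rolename = @role, @membername = @user;

-- 5. Report the resulting role memberships for review.
SELECT m.name AS database_user, r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @user;
```

The script grants only the single role the answer calls for and leaves the login's server-level rights unchanged.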

All replies

  • By the looks of it, the account in question is your FIM Sync service account, not the FIM MA account. Can you validate that account's access? You should be able to use SQL Profiler to see what it's trying to do if the error doesn't include the database with issues.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Sunday, April 29, 2012 2:09 AM
  • Hi Brian,

    Looking at SQL Profiler the FIMSyncSvc account is trying to access FIMService database and having issues.

    Errors returned are:

    Cannot open database "FIMService" requested by the login. The Login failed.

    Error: 18456, Severity: 14, State: 38

    Login failed for xxx\fimsyncsvc. Reason: Failed to open the explicitly specified database.

    I can see the user xxx\fimsyncsvc in SQL logins (mapped to AD account) with the server role "public" (no rights immediately visible on the FIMService DB).

    I have checked other environments but cannot see what rights this account should have on the FIMService DB.

    Are you able to advise any particular rights this account should have and the best process for granting them?

    Thanks

    Tuesday, May 1, 2012 5:44 AM
  • Hi Paul,

    Thanks for that, the user xxx\fimsyncsvc was not mapped to the FIMService DB at all, have mapped it to FIMService and given it the DB role membership "FIMSynchronizationService".

    Do you have any idea why the account would not have had this mapping?

    Thanks

    Tuesday, May 1, 2012 10:10 PM
  • Great that it is working again, is the performance again what you expected?

    Don't know if the update rollup revoked the rights for the FIMsyncsvc, this account was also used before the rollup update?


    Wednesday, May 2, 2012 10:21 AM