MIM Portal Sync Rules have become orphaned

    Question

  • We are running a MIM 2016 (latest patch) Portal/Service and Sync system (separate servers).  We created a few Synchronization rules within the MIM portal to perform data syncs from a SQL agent into an AD environment (group membership management).  The environment was not touched for a few weeks and when we came back to it the Portal was offline.  Upon starting the portal and going into the list of Synchronization rules each rule lists the following beside it:

    <guid>
    The referenced Management Agent has been deleted. Please delete this Synchronization Rule, update the external system field or re-import the deleted Management Agent)

    Please note.  We did NOT remove any of the management agents from the sync server.  We did not change any MA configuration such as service account details, etc.

    We checked the workflow history in the portal and found that the Built-in Synchronization account deleted the ma-data for each agent off the portal and when attempting to add it resulted in an error.

    Anyone experience something similar before and managed to resolve without wiping everything out and re-creating?


    AK

    Friday, August 31, 2018 10:39 AM

All replies

  • Did you get any solution on that?

    MM

    Thursday, September 6, 2018 7:28 AM
  • Hi

    I am just facing the same issue right after applying the latest update 4.5.26.0 this morning.

    I can see that some of the MAs could be recreated the ma-data objects in the portal and get that failed error, so I assume it must be related to the last update and/or in combination with some actual patches maybe.

    I try to investigate and find a solution for that, any help appreciated.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, September 7, 2018 5:32 PM
  • Hi,

    Tried a lot of the old hacks and workarounds I found on the net or that were known to me, but no solution so far.

    What I found out is:

    1. I got the following message in the "Forefront Identity Manager Management Agent" service event log:

    Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37,

    Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37,

    Message: Reraised Error 2627, Level 14, State 1, Procedure UpdateResource, Line 224,

    Message: Violation of PRIMARY KEY constraint 'PK_ObjectValueBoolean'.

    Cannot insert duplicate key in object 'fim.ObjectValueBoolean'.

    The duplicate key value is (52, 32, 23818).

    Carol's old blog post helped me to get a bit closer to the correct attribute that has the issue.

    So I did a 

    select * from fim.AttributeInternal where [Key] = 52

    The attribute mentioned here is: CreateConnectedSystemObject

    So the issue seems not to be related to any of my attributes from the flow, instead it is a system one.

    2. The issue is only related to ma-data objects that have Sync Rules, all other MA with classic attribute flow update/recreate well when I save MA properties or enter PW on the MIM MA again to recreate all.

    I contacted the PG and hope they can provide more information on how to solve this without re-creating the MIM MA (not sure if that would help in this case).

    I will provide an answer as soon as I got one from PG.

    In the meantime any further help is really appreciated to get maybe more information on what causes this issue. 

    /Peter 


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Sunday, September 9, 2018 12:48 PM
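
    The triage step described in the post above, as an added example that is not part of the original post or of MIM itself: it walks the reraised SQL error chain to the innermost failure, extracts the constraint, table and duplicate key, and builds the same fim.AttributeInternal lookup. The function names are hypothetical, and treating the first key value as the attribute key follows what the post did.

```python
import re

# Constructed sample: the event log text as quoted in the post above.
SAMPLE_EVENT = """\
Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37,
Message: Reraised Error 50000, Level 14, State 1, Procedure ReRaiseException, Line 37,
Message: Reraised Error 2627, Level 14, State 1, Procedure UpdateResource, Line 224,
Message: Violation of PRIMARY KEY constraint 'PK_ObjectValueBoolean'.
Cannot insert duplicate key in object 'fim.ObjectValueBoolean'.
The duplicate key value is (52, 32, 23818).
"""

ERR = re.compile(r"Reraised Error (\d+), Level (\d+), State (\d+), "
                 r"Procedure (\w+), Line (\d+)")
CONSTRAINT = re.compile(r"Violation of (?:PRIMARY|UNIQUE) KEY constraint '([^']+)'")
TABLE = re.compile(r"duplicate key in object '([^']+)'")
KEY = re.compile(r"duplicate key value is \(([^)]*)\)")

def parse_event(text):
    """Return the innermost (root-cause) error of a reraised exception chain."""
    chain = list(ERR.finditer(text))
    if not chain:
        return None
    m = chain[-1]  # outer entries are only ReRaiseException wrappers
    root = {"error": int(m[1]), "procedure": m[4], "line": int(m[5]),
            "wrappers": len(chain) - 1, "constraint": None,
            "table": None, "key": None}
    for name, rx in (("constraint", CONSTRAINT), ("table", TABLE)):
        hit = rx.search(text)
        if hit:
            root[name] = hit[1]
    hit = KEY.search(text)
    if hit:
        parts = [p.strip() for p in hit[1].split(",")]
        root["key"] = [int(p) if p.isdigit() else p for p in parts]
    return root

def attribute_lookup_query(root):
    """Build the lookup the post ran, using the first duplicate-key value."""
    # Assumption taken from the post: the first value is the attribute key.
    # Only an integer is accepted, so log text never reaches the SQL string.
    key = root.get("key") or []
    if not key or not isinstance(key[0], int):
        raise ValueError("no integer attribute key in event")
    return f"select * from fim.AttributeInternal where [Key] = {key[0]}"

if __name__ == "__main__":
    print(attribute_lookup_query(parse_event(SAMPLE_EVENT)))
```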
  • Hi,

    The answer I got is to properly track that issue, everyone who ran into that issue should please open a support case.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, September 11, 2018 7:03 PM
  • We are facing the same issue in our dev environment as we updated to 4.5.26.0. I also reproduced this error in my test-VM. As soon as the FIM Service management agent is updated, all management agents run into failed state in the workflow history (create ma-data). As a result all synchronization rules become unusable. Recreation of management agents or sync-rules did not work. So far we were not able to solve this issue and opened up a case at Microsoft.
     
    Any further help is appreciated.
     
    Thomas

    Tuesday, September 18, 2018 10:56 AM
  • Hello Thomas,

    I was not able to open a support case, as this just affects my private test-lab currently, and I don't want to destroy a customer's system just to open a case. So I skipped updating at all implementations in the meantime.

    It would be great if you come back here and post possible solutions (even to help others) before they need to open a case.

    Sadly I was not able to fix this on my own, nor have further information on that topic.

    Thanks in advance.

    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, September 18, 2018 11:02 AM
  • Hi,

    A colleague of mine has also experienced this after applying 4.5.26.0. Sync rules broke.

    We've opened a case @ Microsoft.

    Br,

    Leo Erlandsson


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    Tuesday, September 18, 2018 11:41 AM
  • Same here.

    We just deployed update 4.5.26.00 on mockup environments and now sync rules are broken, and requests to create ma-data or update mv-data failed in MIM service.

    We tried with latest update 4.5.202.000 but the issue is still there.

    Ghislain

    Tuesday, September 18, 2018 6:36 PM
  • Hi all,

    I took a deeper look at that issue and a deep dive into the FIMService database.

    I found a "temporary" solution to get the sync rules back working, but please read and act carefully before doing this. It is not an official solution nor verified by anyone, so test this on your own.

    See: https://justidm.wordpress.com/2018/09/22/mim-2016-sync-rules-become-orphaned-broken-after-update-to-4-5-26-0/

    I was able to bring back my sync rules working, and am also able to edit them, and sync my complete environment. Everything is fine so far in my test lab system where I have that issue.

    Just when I trigger the re-create of the ma-data (enter password on the FIM MA) all sync rules got broken again.

    But in some cases it might be helpful to bring the system back to work until support resolves your issue completely or there will be a hotfix in the future.

    Again: If someone got a supported fix for that from the support case please let me know, also a response from product group with a general solution here (or a hotfix) would be great.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Saturday, September 22, 2018 6:52 PM
  • We received a private fix with build 4.5.253.0, which solves the initial issue. Broken sync-rules are repaired as soon as the corresponding management agent is updated. Also updating the portal ma does not cause any problems anymore.

    Unfortunately the fix causes a new issue. Attribute flows on sync-rules somehow cannot be changed or added. 

    MS is working on it. Currently I have no information when it will be officially released.

    Thomas

    Wednesday, September 26, 2018 2:25 PM
  • Hello Thomas,

    Thanks for the update, so we all know that there is work in progress and assumably there will be a fix in the near future.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, September 26, 2018 2:36 PM
  • Hi,

    An update:

    We have received a private build with version numbers 4.5.261.0 for Service and Portal and 4.5.253.0 for Synchronization Service.

    It solved the sync rule problem, and also we haven't had any problems editing sync rules flows.

    Br,

    Leo



    Friday, October 5, 2018 7:02 AM
  • Hi all

    We have received the same private fix in Build Version 4.5.261.0.
    The MIM can be configured as known from older versions and sync rules are working fine.

    KR Mario

    Tuesday, October 9, 2018 5:58 AM
  • Hi,

    Official MIM2016 Hotfix 4.5.286.0 is out this morning! It fixes the deleted sync rule problem in 4.5.26.0 and 4.5.202.0.

    https://support.microsoft.com/en-gb/help/4469694/hotfixrolluppackagebuild452860isavailableformicrosoftidentitymanager20

    Br,

    Leo



    Wednesday, November 21, 2018 8:34 AM
  • Thanks Leo,

    so I can repair my demo-lab now.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, November 22, 2018 10:07 AM
  • Hi

    We were also able to repair our environments with the hotfix 4.5.286.0 and we noticed no further problems.

    KR Mario

    Thursday, December 6, 2018 3:05 PM