Synchronize Active Directory with Microsoft Identity Manager

  • Question

  • Hello guys,

    this is my first entry in this forum :)

    I want to install Microsoft Identity Manager and so far I have followed these instructions:

    I have two Windows Server 2012 machines - one as a domain controller with Active Directory and the other one with SQL Server 2014 and SharePoint Server 2013 installed on it. On the second server I installed MIM Synchronization Service and MIM Service and Portal without any errors or warnings.

    So now I wanted to synchronize Active Directory with MIM Service by creating a MIM management agent. When I try to open the Synchronization Service Manager the following error message appears:

    "Unable to connect to the Synchronization Service.

    Some possible reasons are:

    1) The service is not started

    2) Your account is not a member of a required security group.

    See the Synchronization Service documentation for details."

    The services Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service are both running. I am not sure what the second error message means. Does it refer to the local administrator account, the domain administrator account or to any other account? What are the required security groups this account has to be a member of?

    Thank you for your help!

    • Moved by nzpcmad1 Thursday, September 22, 2016 6:54 PM From ADFS
    Thursday, September 22, 2016 7:11 AM

All replies

  • Hi,

    this error refers to the security groups created by the MIM installation.

    In this case you need to be a member of MIMSyncAdmins, or however you named your group.


    Peter Stapf - ExpertCircle GmbH - My blog:

    Friday, September 23, 2016 5:39 AM
    Okay, I have had that idea before and made the account (the one I am logged in with) a member of nearly every group - and still the error appeared.

    What user / account exactly has to be a member of this group?

    Friday, September 23, 2016 6:52 AM
    That is strange, as the user you are currently logged in as needs to be in the SyncAdmins group.

    Depending on how you installed, this group can be either in the domain or on the local MIM server.

    Sometimes after a reboot the SyncService needs some time to start or will not start at all, but I think you checked that already, right?


    Peter Stapf - ExpertCircle GmbH - My blog:

    Friday, September 23, 2016 7:00 AM
    What do you mean by saying "how I installed this group"?

    I have followed the instructions and installed the group in PowerShell on the domain controller. Currently I am on the second server trying to start the SyncService Manager.

    I have been trying to fix this for three days now, so a reboot does not help - unfortunately.

    Friday, September 23, 2016 7:14 AM
  • Hi,

    I reviewed the docs, and the groups should be in your domain if you followed the docs. If you did not use the format domain\MIMSyncAdmins, the groups will be created on the local server. That is the difference when the groups are created by the installer.

    Besides that, you can run the installer of the Sync again and check this, but if nothing helps, try to install again, as I have no other idea what might be wrong here.


    Peter Stapf - ExpertCircle GmbH - My blog:

    Friday, September 23, 2016 7:20 AM
    Okay, thanks for your kind help so far! How do I find out if the groups are on the domain or on my local server?
    Friday, September 23, 2016 7:25 AM
    I would say, check the domain and the local account DB on the server and put the user in both groups, log off and log on again and check if you can start the Sync Manager console.

    If all is fine, remove the user from one of the groups. In the domain the groups should be where you created them, or at least in the default container.


    Peter Stapf - ExpertCircle GmbH - My blog:

    Friday, September 23, 2016 7:35 AM
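The check Peter describes above (look in both the domain and the local account database, then see whether the logged-on user actually carries the group) can be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the default MIM group names from the installer (MIMSyncAdmins, MIMSyncOperators, MIMSyncJoiners, MIMSyncBrowse, MIMSyncPasswordSet) and uses the ADSI WinNT and LDAP providers so it runs on Windows Server 2012 without the RSAT AD module. Substitute your own names if you renamed the groups during setup.

```powershell
# Added example (not from the original thread). Reports, for each MIM sync group,
# whether it exists in the local SAM of this server, whether it exists in the domain,
# and whether the current logon token contains it. The Sync Service Manager checks the
# token, which is built at logon, so membership added later only counts after log off/on.

# Assumed default group names from the MIM installer; adjust if you chose other names.
$groupNames = 'MIMSyncAdmins','MIMSyncOperators','MIMSyncJoiners','MIMSyncBrowse','MIMSyncPasswordSet'

# 1. Groups in the local account database of this server (WinNT provider).
$localComputer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$localGroups = $localComputer.Children |
    Where-Object { $_.SchemaClassName -eq 'group' } |
    Select-Object -ExpandProperty Name

# 2. Groups in the domain this server is joined to (LDAP provider, default naming context).
$rootDse    = [ADSI]'LDAP://RootDSE'
$searchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)

function Test-DomainGroup([string]$Name) {
    # Exact sAMAccountName match against objectClass=group.
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$Name))"
    return ($null -ne $searcher.FindOne())
}

# 3. Groups present in the current user's logon token, resolved to DOMAIN\Name or COMPUTER\Name.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $identity.Groups | ForEach-Object {
    try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $_.Value }   # unresolvable SID (e.g. orphaned group): keep the raw SID string
}

"Logged on as: $($identity.Name)"
foreach ($g in $groupNames) {
    [pscustomobject]@{
        Group        = $g
        LocalGroup   = ($localGroups -contains $g)
        DomainGroup  = (Test-DomainGroup $g)
        InLogonToken = (@($tokenGroups | Where-Object { $_ -like "*\$g" }).Count -gt 0)
    }
}
```

Run it in the same interactive session from which you open the Synchronization Service Manager. A row showing the group exists (locally or in the domain) but InLogonToken is False is the symptom Peter's advice addresses: the account was added to the group after the current logon, so the token does not yet contain it until you log off and back on.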
    Meanwhile I have run setup again and when it asks to provide group names for Microsoft Identity Manager Synchronization Service it says "nameofmycomputer"\MIMSyncAdmins and so on for the other groups.

    If I try to change the name of my computer into the domain, error 25037 appears and tells me that the groups entered do not all exist or cannot be found.

    Maybe that helps in finding my mistake?

    Friday, September 23, 2016 9:20 AM
  • Hi,

    to place the groups in a domain you must create them beforehand, but it should also work with the local computer groups: you can put your domain account into those, or nest a group from the domain into the local groups.


    Peter Stapf - ExpertCircle GmbH - My blog:

    Friday, September 23, 2016 10:05 AM
  • The groups are definitely in the domain. Any new ideas?

    Friday, September 30, 2016 10:35 AM