PURPOSE

Why are you deleting the connector space? It is very important to understand why you are getting ready to delete the connector space. You want to understand the ramifications of deleting the connector space in your identity management solution. It is important to understand this, as it could cause serious ramifications if not done correctly and thought out.

The main reason to delete a connector space is due to data corruption in the connector space. There are times that the connector space will end up with corrupted data and the only way around it is to delete the connector space. However, the metaverse object is ok, so we will want to leave that alone in some cases.

Is the connector space that you are deleting part of a complete FIM solution including the FIM Service Management Agent? If the answer is yes, then once you have completed these steps, then you want to review the wiki on deleting the FIM Service Management Agent Connector Space. Why? You will want to review this document, because you will want to be able to bring your environment back up in the quickest possible manner. The wiki will help cover these steps to allow you to bring your environment back and re-sync the objects from the FIM Portal with those in the metaverse.

Steps to guide you through deleting the connector space

 Note
If you are using Declarative Provisioning, then all of your DREs will be deleted. They will be re-created when the object is put back. It will, however, cause object synchronization “churn” that could extend the time it takes to recover from the connectorspace deletion.

 

BACKUP DATABASE

Thinking of disaster recovery, we want to be able to get back to the previous setup without too much trouble should the need arise. To do this, we recommend that the FIM Synchronization Service Database (MicrosoftIdentityIntegration Server database for IIFP/MIIS/ILM) is properly backed up prior to deleting the connector space. If you are using the FIM Service and Portal, then we recommend backing up the FIM Service database as well.

Find more information on backing up the backend database here.

VALIDATE THE OBJECT DELETION RULE

  1. In the Synchronization Service Manager, select Metaverse Designer

 

 Note
You will need to set this for each object type that you are working with in the connector space that is being deleted. (picture displays the person object type)

 

  1. Click Configure Object Deletion Rule
  2. Ensure that you have the top radio button selected. (Delete the metaverse object when the last connector is disconnected. Ignore connectors from the following list of management agents.)

  3. Click OK.

For more information on understanding the deprovisioning process, click here.

ATTRIBUTE RECALL

Attribute Recall is where the Synchronization Service decides if we need to leave the attribute information that has been provided by the management agent chosen to have its connector space deleted.

You can get here by:

  1. Viewing the Properties of the Management Agent
  2. Selecting the Configure Deprovisioning tab
  3. Checking the status of the check box for the attribute recall to ensure that it is checked.

DELETING THE CONNECTOR SPACE

At this point, we are ready to delete the connector space.

  1. In the Synchronization Service Manager, select Management Agents
  2. Select the Management Agent in question
  3. From the Actions menu, select Delete
  4. In this case, we are just going to delete the connector space, so we will choose the first radio button Delete connector space only

*NOTE* If you are actually deleting the management agent, then you would choose the second radio button. However, it is still very important to go through all the pieces of this document to ensure that we can get back to a previous state should the need arise.

  1. Click the OK.

DISABLE PROVISIONING

Once the deletion process has occurred, we want to be able to import and synchronize the objects back into the metaverse without running through provisioning. This will allow for objects to join back up to existing objects. If you are using Synchronization Rule Provisioning, you need to ensure that one is disabled as well.

  1. Inside of the Synchronization Service Manager, from the Tools menu select Options
  2. Uncheck “Enable Provisioning Rules Extension” and “Enable Synchronization Rule Provisioning
  3. Click Ok.

BRING THE OBJECTS BACK INTO THE METAVERSE (Import and Synchronization)

At this time, we should be ready to bring the objects back into the connector space first, and then send them to the metaverse. In doing so, we will take a safe path first by Previewing a few objects to ensure success. Since we do not have provisioning enabled, then we will be joining the objects to the existing metaverse objects.

  1. In the Synchronization Service Manager, select Management Agents
  2. Select the Management Agent in question
  3. From the Actions menu, select Configure Run Profiles
  4. Ensure that you have a Full Import (Stage Only) run profile.
    1. A single step that does nothing more than a Full Import (Stage Only).
  5. Click Ok
  6. From the Actions menu, select Run
  7. Select the Run Profile for a Full Import (Stage Only)
  8. Once the objects are imported, we can now Preview a few objects
  9. Ensure that the Management Agent in question is still selected
  10. From the Actions menu, select Search Connector Space
  11. Leave Scope on Sub-Tree and the textbox blank and then click Search.
    1. If you have a lot of objects, simply click stop, as you will only need to work with a few objects.
  12. Double click on an object to open its properties
  13. Click the Preview button
  14. Ensure that the Full Synchronization is selected (selected by default).
  15. Click Generate Preview
    1. The Generate Preview button allows you to see what is going to happen when you execute a full synchronization.
    2. Review the Join and Projection Rules to confirm that the object is joining to the existing objects.
  16. If all looks well then you can proceed. If you are having a join problem, you will need to investigate the join problem.
  17. If you want to walk the object all the way through, then click Start Preview, and then click Commit Preview. Depending on what happens to the object, it may or may not be staged export in the Target Management Agent.

CHECKING EXPORTS BEFORE ACTUALLY EXPORTING

A procedure such as deleting the connector space can bring some un-wanted results to appear. In light of that, we want to be extra cautious and review our Pending Exports before they are actually written to the connected data source.

There are two ways that we can actually execute this, and if the desire is to be as cautious as possible then execute them both.

Pending Exports Connector Space Search

  1. In the Synchronization Service Manager, select management Agents
  2. Select the Target Management Agent in question
  3. From the Actions menu, select Search Connector Space
  4. Change the Scope to Pending Exports
    1. Check all three to see the total number of objects going to be exported
    2. Check one at a time to see the number of objects for each item
    3. It is important to check the number of deletes to understand how many you will have, and if it is correct.
  5. Review the data in some of the objects to ensure the data is returning to its correct format.

If the data has returned to its correct format, and you feel comfortable, then you are ready to export the data to the connected data source, or execute the step below to Export to a Drop File.

Export to a drop file

Exporting to a drop file allows you to view the data that is going to be exported to a connected data source. Remember that exports are always delta, and only exporting changes. So the data that you will see in the drop file is just the objects that were changed, and the attributes that are being changed as well.

  1. In the Synchronization Service Manager, select management Agents.
  2. Select the Target Management Agent in question.
  3. From the Actions menu, select Configure Run Profiles.
  4. Click New Profile.
  5. Give a name to this profile (e.g. Export-DropFile).
  6. Click Next.
  7. Type: Export
  8. Click Log File Options
  9. Select the 3rd Option – Create Log File and Stop the Run. Do not export to Data Source.
  10. Give the Log File a name.
  11. Click OK.
  12. Click Next and finish the Run Profile creation.

The data will be dropped to an XML file in the %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\<Target Management Agent Name>. Review this file and understand what data will be exported, and the actions that will happen. Once the export to a drop file passes, then you are ready for the export.

RETURN THE SYSTEM BACK TO THE ORIGINAL CONFIGURATION

  1. Change the Metaverse Object Deletion Rules back to their original configuration.
  2. Re-Enable Provisioning.
  3. If Attribute Recall had not been enabled before this process, disable it.

ADDITIONAL INFORMATION