Thursday, March 25, 2010

Changing trial version to valid version

A customer of mine asked me if they could turn the trial version of FIM 2010 into a valid version if and when they decided to move on from a Proof of Concept workshop.

Now, during installation of the trial version, you are not presented with the option to enter a product key nor is there anywhere that you can enter a product key after installation (not that I've found anyway). I asked my "colleagues" in the forum the question and they provided some good answers. Simultaneously, I asked through my channels at Microsoft and got an answer that hopefully you'll found useful as well.

The Microsoft answer was: "There are two components which will timeout, the FIM Synchronization Service and FIM Certificate Management. The key is in included in the installation so you move from Eval to VL is by uninstalling Eval and install VL media. The configuration is stored in the database(s) so you do not lose any information in the upgrade. As usual, take a backup before you start and make sure you have a copy of the encryption keys for Sync."

See the thread in the forum here -

So go ahead, make appropriate backups of data and encryption keys and turn your trial into the real deal after purchasing a valid license.

I did this in our environment this evening and now I'll have to wait for 158 days to see if there is a hidden "gem" in the FIM Portal that someone didn't tell me about. I'll post an update if there are any news in the matter.

Have fun...

Saturday, March 20, 2010

Features of a Home Directory Management Agent?

I'm currently working on a Management Agent for provisioning and deprovisioning home directories (and other directories) for users in ILM / FIM environments. I do a lot of Proof of Concepts and a typical scenario is home folder handling. Therefore I'm working on building a generic homefolder MA that rocks and is highly customizable. Some basic features currently are -
  1. Create and apply ACLS for user
  2. Move / rename based on, i.e. sAMAccountName
  3. Deletion / removal
I'd very much like some additional feature that you see customers may need in the real world. I'll make the MA generally available for testing / PoC's when I'm done.

Tuesday, March 16, 2010

Move object in Active Directory by flowing dn

I had some trouble moving user objects in Active Directory by flowing a new distinguished name (DN) by using Outbound Synchronization Rule to my AD Management Agent. All my attribute flow where working just fine, it was just the moves / renames that wasn't getting through. I had a hard time figuring out the error.

Turned out that one of the attributes that I used for concatenating the new DN had no value (null) and this "broke" the entire concatenation of the string for the new DN without leaving any errors / trace.

Anyway, lesson learned and stored on this blog for future use :-) - see thread in forum here

Tuesday, March 9, 2010

Outbound Synchronization Rules not getting applied

I was struggling with my Outbound Synchronization Rules not getting applied for user in my Active Directory, but they were getting applied for my groups. And sometimes you just can't see the forest for the trees.

On my FIM MA I didn't import the ExpectedRulesList attribute to the metaverse, so how would FIM know which attributes to synchronize..

Gods of IdM - please forgive me for this stupid mistake; lesson learned ... doublecheck your flow to and from the FIM Portal if you're using codeless provisioning.

Monday, March 8, 2010

Uniqueness check

Came across this post to check for uniqueness of i.e. sAMAccountName / username (

Great post..!

Bug in FIM 2010?

Update on this:
Just an update on this; word has it that there is a hotfix being tested right now and it should be released by the end of January 2011.
I may have found a bug in FIM 2010. I'm synchronizing usernames from my HR system all in uppercase, however one of my users have been previuosly created through the FIM portal with a lowercase username / accountname. Now when I export the uppercase username to FIM, I get an Export Statistic that says that it went okay. However, doing a confirming import, I get the lowercase username back resulting in an exported change not reimported error? I've doublechecked my rules for any function or similar that might affect this but didn't find any. And now I'm seing this with an email address that have been changed from mixed case to all lowercase.

Have anyone else tried this and got an 'exported-change-not-reimported'?

I'll try to go through my usual "inside" channels and report this possible error.

Saturday, March 6, 2010

Scheduling FIM 2010 without MASequencer

UPDATE: Check out the MARunScheduler for FIM (get it here)

I don't know about you, but I've been unable to find an MASequencer for 64-bit. Therefore, for now, I've decided to use VBScript for scheduling my Synchronization Service runs. I've made a little "framework" below.

Remember to replace the guid's within the WMI select statements with your own MA guid's


Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root/MicrosoftIdentityIntegrationServer")

Set FIM = Service.ExecQuery("select * from MIIS_ManagementAgent where Guid = '{2B299011-65BA-4DD5-9A59-9BAF8A5C5332}'")
Set AD = Service.ExecQuery("select * from MIIS_ManagementAgent where Guid = '{B906936E-742D-4551-8C07-2FE4B72C4795}'")
Set HR = Service.ExecQuery("select * from MIIS_ManagementAgent where Guid = '{9CA3F96C-300A-4EFB-8246-89EDBC4047E5}'")

' main processing
Run HR, "Full Import and Full Sync"
Run FIM, "Delta Import and Delta Sync"
Run AD, "Delta Import and Delta Sync"

Run FIM, "Export"

'allow for FIM to do some processing
Wait 5

Run FIM, "Delta Import and Delta Sync"
Run HR, "Export"
Run AD, "Export"

Sub Wait(Seconds)
  WScript.Echo "Waiting " & Seconds & " seconds..."
End Sub

Sub Run(MASet, Profile)
  For Each MA In MASet
    WScript.Echo "Running " + + ".Execute('" & Profile & "')..."
    WScript.Echo "Run completed with result: " + MA.Execute(Profile)
End Sub
Sub ClearRuns(DaysAgo)

  Set Server = Service.Get("MIIS_Server.Name='localhost'")
  DeleteDate = FormatDateTime(Now()-DaysAgo, 2)
  WScript.Echo "Deleting Run Histories from " & DeleteDate
  WScript.Echo "Result: " & Server.ClearRuns(DeleteDate)
End Sub

Thursday, March 4, 2010

Exporting EmployeeStartDate to FIM 2010 Portal

Little documented is the date format of the EmployeeStartDate and the EmployeeEndDate in Forefront Identity Manager 2010.

If you look into the date format of the attributes of a user in the portal it self, it'll tell you that the format is M/d/yyyy hh:mm tt. Feeding the FIM MA this format will make it "sick".

The correct format would be to se the builtin function DateTimeFormat in the Inbound Synchronization Rule and use the function DateTimeFormat, so that the end result would be:


Here is a screenshot with an Inbound Flow Rule from a live installation doing just that (or close to, as I want a specific time stamp to go into the portal, but you should get the idea) -

This will convert a SQL DateTime attribute (HireDate) to the format the FIM portal wants it in.