<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.dirteam.com/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><title type="html">Jorge 's Quest For Knowledge!</title><subtitle type="html">Information about Windows Server, Active Directory, Certificate Services, RMS and MIIS/ILM
&lt;BR&gt;&lt;BR&gt;(It is just like an addiction, The more you have, the more you want to have!)</subtitle><id>http://blogs.dirteam.com/blogs/jorge/atom.aspx</id><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/default.aspx" /><link rel="self" type="application/atom+xml" href="http://blogs.dirteam.com/blogs/jorge/atom.aspx" /><generator uri="http://communityserver.org" version="2.1.20423.1">Community Server</generator><updated>2009-12-11T18:27:45Z</updated><entry><title>Provisioning Mailboxes In Exchange 2007/2010 By ILM/FIM</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/03/10/provisioning-mailboxes-in-exchange-2007-2010-by-ilm-fim.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/03/10/provisioning-mailboxes-in-exchange-2007-2010-by-ilm-fim.aspx</id><published>2010-03-10T22:37:41Z</published><updated>2010-03-10T22:37:41Z</updated><content type="html">&lt;p&gt;&lt;a href="http://support.microsoft.com/kb/275636"&gt;MS-KBQ275636&lt;/a&gt; explains which attributes are required (at a minimum) to provision a mailbox into an Exchange 2007 (E2K7) environment. For an Exchange 2010 (E2K10) environment the game is a little different. Let's have a look at the HOW and WHY.
&lt;/p&gt;&lt;p&gt;The mailbox needs an identifier and a location where it should be stored. The identifier has two parts. The first is the "Alias", which identifies the mailbox itself: at a minimum it is used to generate the mail address if no custom e-mail address policy has been specified (or when one has been specified to use the Alias) AND to generate the legacyExchangeDN. The second, for the GAL, is the "Display Name", and it is required by Exchange. It is not required by AD. When creating a user in AD, you only need to/must specify the Full Name (a.k.a. CN or RDN), but not the Display Name. If you use Active Directory Users and Computers the Display Name is derived from the Full Name. When creating a mailbox in Exchange where there is no Display Name, the Display Name will still be populated and is derived from the Full Name. With regard to the location, you need to at least specify an Exchange Server and preferably a mailbox database on that Exchange Server. If you do not specify a mailbox database, Exchange will select a mailbox database randomly. In this case I personally do not like the random stuff, therefore I'd rather specify both the Exchange Server and the mailbox database. Other attributes such as homeMTA and msExchHomeServerName are derived from the specified value for homeMDB. Let's have a look at the small differences between E2K7 and E2K10.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Provisioning Exchange 2007 Mailboxes
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;When provisioning mailboxes in Exchange 2007 you need to &lt;span style="text-decoration:underline"&gt;at least&lt;/span&gt; (the minimum) specify the following attributes:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;mailNickname
&lt;/li&gt;&lt;li&gt;homeMDB (e.g.: CN=&lt;strong&gt;Mailbox Database&lt;/strong&gt;,CN=First Storage Group,CN=InformationStore,CN=&lt;strong&gt;RFSRWDC1&lt;/strong&gt;,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB)
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;REMARK&lt;/span&gt;: The assumption is made here that the Display Name was already specified during the creation of the user in AD.
&lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;REMARK&lt;/span&gt;: Note the fact that homeMDB in Exchange 2007 contains both the Mailbox Database Name and the Exchange Server Name (the bold parts)
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;In addition to specifying the minimum required attributes, you need to configure the ADDS MA as follows/shown:
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4505/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;PS.: I have no clue what the option "Exchange 2007 RUS Server" is used for. The weird thing is that there is no RUS anymore in Exchange 2007. The RUS existed in Exchange 2000/2003.
&lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;em&gt;UPDATE 11-03-2010&lt;/em&gt;&lt;/span&gt;: According to my MVP friend, &lt;a href="http://briandesmond.com/"&gt;Brian Desmond&lt;/a&gt;, "Actually RUS still exists in Exchange 2007, it's just a synchronous thing inside the System Attendant which the cmdlets make an RPC call to for it to do its work. SP2 added a parameter (the same as the optional option in the ADDS MA) to the various cmdlets to specify which Exchange server the cmdlet should call out to for RUS. I would leave it blank unless you have a good reason not to."
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Exchange Server 2007 Mailbox Provisioning requires at least the following to be installed on the ILM/FIM Server:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;PowerShell v1.0 (or PowerShell v2.0) for the execution of &lt;span style="text-decoration:underline"&gt;local&lt;/span&gt; PowerShell CMDlets.
&lt;/li&gt;&lt;li&gt;Exchange Management Console providing the required CMDlets
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;em&gt;For Exchange Server 2007, in AD the attributes look like:
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;em&gt;dn&lt;/em&gt;&lt;/strong&gt;:CN=Albert Einstein,OU=Users,OU=HISTORY1,OU=Org-Users,DC=ADCORP,DC=LAB&lt;br/&gt;&lt;strong&gt;&lt;em&gt;&amp;gt;mailNickname&lt;/em&gt;&lt;/strong&gt;: AEinstein&lt;br/&gt;&lt;strong&gt;&lt;em&gt;&amp;gt;homeMDB&lt;/em&gt;&lt;/strong&gt;: CN= Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=RFSRWDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB&lt;br/&gt;&lt;strong&gt;&lt;em&gt;&amp;gt;msExchHomeServerName&lt;/em&gt;&lt;/strong&gt;: /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;br/&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Provisioning Exchange 2010 Mailboxes
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;When provisioning mailboxes in Exchange 2010 you need to &lt;span style="text-decoration:underline"&gt;at least&lt;/span&gt; (the minimum) specify the following attributes:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;mailNickname
&lt;/li&gt;&lt;li&gt;homeMDB (e.g.: CN=&lt;strong&gt;Mailbox Database 1627792968&lt;/strong&gt;,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB)
&lt;/li&gt;&lt;li&gt;msExchHomeServerName (e.g. /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=&lt;strong&gt;RFSRWDC1&lt;/strong&gt;)
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;REMARK&lt;/span&gt;: The assumption is made here that the Display Name was already specified during the creation of the user in AD.
&lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;REMARK&lt;/span&gt;: Note the fact that homeMDB in Exchange 2010 only contains the Mailbox Database Name and NOT the Exchange Server Name. The Exchange Server Name is stored in the value for the attribute called msExchHomeServerName
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;In addition to specifying the minimum required attributes, you need to configure the ADDS MA as follows/shown:
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4504/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;PS.: For the option "Exchange 2010 RPS URI" you need to specify a URL in the form as shown of an Exchange Server that is hosting the "Client Access Server Role" so that the ILM/FIM server can use remote PowerShell CMDlets against it.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Exchange Server 2010 Mailbox Provisioning requires at least the following to be installed on the ILM/FIM Server:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;PowerShell v2.0 for the execution of &lt;span style="text-decoration:underline"&gt;remote&lt;/span&gt; PowerShell CMDlets.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;REMARK&lt;/span&gt;: Provisioning of Exchange 2010 mailboxes does not require the Exchange Management Console to be installed on the ILM/FIM server as remote PowerShell CMDlets are used!
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;em&gt;For Exchange Server 2010, in AD the attributes look like:
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;em&gt;dn&lt;/em&gt;&lt;/strong&gt;:CN=Albert Einstein,OU=Users,OU=HISTORY1,OU=Org-Users,DC=ADCORP,DC=LAB&lt;br/&gt;&lt;strong&gt;&lt;em&gt;&amp;gt;mailNickname&lt;/em&gt;&lt;/strong&gt;: AEinstein&lt;br/&gt;&lt;strong&gt;&lt;em&gt;&amp;gt;homeMDB&lt;/em&gt;&lt;/strong&gt;: CN=Mailbox Database 1627792968,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB&lt;br/&gt;&lt;strong&gt;&lt;em&gt;&amp;gt;msExchHomeServerName&lt;/em&gt;&lt;/strong&gt;: /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;em&gt;UPDATE 11-03-2010&lt;/em&gt;&lt;/span&gt;: I had a discussion with my friend on the "darkside", &lt;a href="http://blogs.dirteam.com/blogs/tomek/"&gt;Tomek&lt;/a&gt;, about the information above. We discussed that the flow of the attributes as mentioned is required when using the Synchronization Rules in the FIM Portal. However you can still use "the old fashioned" Export Attribute Flow in the ADDS MA if you want to. Another way to provision mailboxes is to use the function "&lt;a href="http://msdn.microsoft.com/en-us/library/ms696477(VS.85).aspx"&gt;ExchangeUtils.CreateMailbox&lt;/a&gt;" in a Rules Extension DLL. Whatever the case, you really need to be careful when just flowing attributes. For example, the flow of the Mailbox Database and Exchange Server should only occur initially, meaning at the moment when creating the mailbox. It should therefore not be flowed anymore &lt;em&gt;_after_&lt;/em&gt; the creation of the mailbox, unless you would like to have issues! :-)
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;&lt;p&gt;--------------------------------------------------------------------------------------------------&lt;br/&gt;* This posting is provided "AS IS" with no warranties and confers no rights! &lt;br/&gt;* Always test before implementing!&lt;br/&gt;--------------------------------------------------------------------------------------------------&lt;br/&gt;############### Jorge's Quest For Knowledge ###############&lt;br/&gt;######## &lt;a href="http://blogs.dirteam.com/blogs/jorge/default.aspx"&gt;http://blogs.dirteam.com/blogs/jorge/default.aspx&lt;/a&gt; #########&lt;br/&gt;--------------------------------------------------------------------------------------------------&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="Exchange" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/Exchange/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Automatically Deleting Expired Objects in FIM 2010</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/03/08/automatically-deleting-expired-objects-in-fim-2010.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/03/08/automatically-deleting-expired-objects-in-fim-2010.aspx</id><published>2010-03-08T14:11:16Z</published><updated>2010-03-08T14:11:16Z</updated><content type="html">&lt;p&gt;With FIM it is possible to automatically delete objects when those objects meet certain criteria. Examples of criteria are:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Expired objects at the end of their lifecycle. This could be based upon for example the defined ExpirationTime, which in turn may be based upon the EmployeeEndDate + 1 day.
&lt;/li&gt;&lt;li&gt;Objects that were created but have never been used within a defined amount of time. This could be based upon for example the defined CreatedTime + 30 days
&lt;/li&gt;&lt;li&gt;Objects that were created and have been used, but are not used anymore while still within their valid object lifecycle (between EmployeeStartDate and EmployeeEndDate). This could be based upon for example the LastLogonTimeStamp + 180 days.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;The basic idea here is that you first define which objects are candidates to be deleted. Let's use the first example. In addition to the following you need to make sure that in this case the "ExpirationTime" attribute is set. That could be based on the "EmployeeEndDate" + 1 day. Why "+1 day"? Well, if the EmployeeEndDate is the last working day, you do not want to delete the object on that same date, but rather a day later.
&lt;/p&gt;&lt;p&gt;You could create the following SET:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Name&lt;/em&gt;: "_SET: All People For Which ExpirationTime Has Passed Today" (Remark: I'm not saying "Expired Objects" because what's the definition of an expired object? I like to have clear naming so that's why the SET is called like this)&lt;em&gt;
		&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;XPATH Filter&lt;/em&gt;: "/Person[ExpirationTime &amp;lt; fn:current-dateTime()]"
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Then you need something (a process) that will carry out the deletion of the object. By default, FIM provides a workflow that will delete an object. The name of the workflow is "Expiration Workflow". The description is "This workflow will delete the resource to which it is applied."
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Then you need something that's triggered based on the required condition and that it executes the workflow.
&lt;/p&gt;&lt;p&gt;You could create the following MPR:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Name&lt;/em&gt;: "_MPR: TRN - Notify and Delete Expired Identities"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;MPR Type&lt;/em&gt;: "Set Transition"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Transition Type&lt;/em&gt;: "Transition In"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Transition Set&lt;/em&gt;: "_SET: All People For Which ExpirationTime Has Passed Today"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Policy Workflows (Action Only)&lt;/em&gt;: "Expiration Workflow" + "_WFW: Send Notification Because Of Expired Identity" (The first one suffices, but I also wanted to send the manager of the user a notification that the object was deleted)
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;So with this configuration, and after making sure an object has an ExpirationTime defined, the results are as follows. As soon as the user becomes a member of the SET "_SET: All People For Which ExpirationTime Has Passed Today" because the ExpirationTime &amp;lt; Today AND the "FIM_TemporalEventsJob" has executed, the MPR will be triggered and execute the Workflow. In the requests you will see stuff like below. As soon as the object becomes a member of the SET a system event is generated as shown below, but with a PostProcessingError.
&lt;/p&gt;&lt;p&gt;
	&lt;/p&gt;&lt;p&gt;As you can see, the Expiration Workflow is the actual requestor/originator when trying to delete the object "Anne Pinto" and in this case it has been denied that action.
&lt;/p&gt;&lt;p&gt;Looking closer at the System Event Request, you will see:
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4489/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;You will also see which MPR caused the System Event
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4490/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4491/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;What did we forget here? We made sure the action is carried out, but we forgot to assign the correct permissions so that the action is carried out correctly. In this case the "Expiration Workflow" needs to have DELETE permissions to be able to delete the objects in scope. Let's go through that configuration to see what's needed.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4492/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;Permissions can only be assigned through SETs and a SET is just a grouping of objects that match certain criteria.
&lt;/p&gt;&lt;p&gt;So we first need to create a SET that includes the Expiration Workflow. An example of such a SET is:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Name&lt;/em&gt;: "_SET: Expiration Workflow System"&lt;em&gt;
		&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;XPATH Filter&lt;/em&gt;: "/*[ObjectID = 'f6d0bfce-df36-4756-98a2-cb8917428bae']" (this just references a specific object with the GUID specified. If I'm not mistaken this GUID is the same for the Expiration workflow in all FIM deployments)
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Then you need something (a process) that allows the deletion of the object. Because it is about assigning permissions you need/must use a REQUEST based MPR. You cannot use TRANSITION based MPRs.
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4493/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;You could create the following MPR:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Name&lt;/em&gt;: "_MPR: RQP - Expiration Workflow Can Delete Expired Identities"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;MPR Type&lt;/em&gt;: "Request"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Requestor&lt;/em&gt;: "_SET: Expiration Workflow System"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Operation&lt;/em&gt;: "Delete Resource"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Grants Permission&lt;/em&gt;: "TRUE"
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4494/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;em&gt;Target Before Request SET&lt;/em&gt;: "_SET: All People For Which ExpirationTime Has Passed Today" (In this case I'm assigning permissions only to those objects that meet certain criteria. If I had objects that meet other criteria and are also candidates for deletion, I would create additional MPRs/SETs to fulfill that need.)
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Resource Attributes&lt;/em&gt;: "All Attributes"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;Policy Workflows (Action Only)&lt;/em&gt;: "NONE"
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Now a question that could arise is "Could I combine MPRs?" In this case the answer is NO. Why? Well for the action itself I need a transition based MPR which is great for time-based criteria. For the permissions part I need a request based MPR. Transition based MPRs cannot assign permissions.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Let's try this again. So with this configuration, and after making sure an object has an ExpirationTime defined, the results are as follows. As soon as the user becomes a member of the SET "_SET: All People For Which ExpirationTime Has Passed Today" because the ExpirationTime &amp;lt; Today AND the "FIM_TemporalEventsJob" has executed, the MPR will be triggered and execute the Workflow. The other MPR will allow the action to be performed.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4498/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;As you can see the Expiration Workflow now successfully completed the request to delete the object "Anne Pinto"
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4499/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;As you can see below the actual request to delete the object matches the MPR that assigns the permission to do so. If you expected to see the MPR called "_MPR: TRN - Notify and Delete Expired Identities", then that's not correct. That MPR would be matched in the System Event that causes the action.
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4500/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Speaking at TEC 2010 USA (Los Angeles)</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/03/08/speaking-at-tec-2010-usa-los-angeles.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/03/08/speaking-at-tec-2010-usa-los-angeles.aspx</id><published>2010-03-08T12:19:29Z</published><updated>2010-03-08T12:19:29Z</updated><content type="html">&lt;p&gt;Yes, it's that time of the year again! TEC 2010 USA is coming and is planned for the last week of April 2010. It is not in Las Vegas and it is not in Chicago. It is in Los Angeles this time. I'll be delivering two pre-conference workshops this year about disaster recovery together with Guido Grillenmeier and Gil Kirkpatrick. The three of us are the "Masters of Disaster" :-)
	&lt;/p&gt;&lt;p&gt;In addition to that I'll be presenting about the DC Locator in AD for authN and SYSVOL/NETLOGON
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Information about the conference:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Event&lt;/em&gt;: The Experts Conference (TEC) 2010
&lt;/li&gt;&lt;li&gt;&lt;em&gt;Website&lt;/em&gt;: http://www.tec2010.com/
&lt;/li&gt;&lt;li&gt;&lt;em&gt;Location&lt;/em&gt;: Los Angeles
&lt;/li&gt;&lt;li&gt;&lt;em&gt;Date:&lt;/em&gt; April 25&lt;sup&gt;th&lt;/sup&gt; – 28&lt;sup&gt;th&lt;/sup&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Workshops:&lt;/em&gt;
			&lt;a href="http://www.theexpertsconference.com/agenda-speakers/workshops/"&gt;http://www.theexpertsconference.com/agenda-speakers/workshops/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Agenda – TEC Directory/Identity&lt;/em&gt;: &lt;a href="http://www.theexpertsconference.com/agenda-speakers/directory-identity-training/conference-agenda/"&gt;http://www.theexpertsconference.com/agenda-speakers/directory-identity-training/conference-agenda/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Agenda – TEC Exchange&lt;/em&gt;: &lt;a href="http://www.theexpertsconference.com/agenda-speakers/exchange-training/conference-agenda/"&gt;http://www.theexpertsconference.com/agenda-speakers/exchange-training/conference-agenda/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Agenda – TEC Sharepoint&lt;/em&gt;: &lt;a href="http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/conference-agenda/"&gt;http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/conference-agenda/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Sessions – TEC Directory/Identity&lt;/em&gt;: &lt;a href="http://tec2010.com/agenda-speakers/directory-identity-training/session-abstracts/"&gt;http://tec2010.com/agenda-speakers/directory-identity-training/session-abstracts/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Sessions – TEC Exchange&lt;/em&gt;: &lt;a href="http://www.theexpertsconference.com/agenda-speakers/exchange-training/session-abstracts/"&gt;http://www.theexpertsconference.com/agenda-speakers/exchange-training/session-abstracts/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Sessions – TEC Sharepoint&lt;/em&gt;: &lt;a href="http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/session-abstracts/"&gt;http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/session-abstracts/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Speakers – TEC Directory/Identity&lt;/em&gt;: &lt;a href="http://tec2010.com/agenda-speakers/directory-identity-training/speaker-bios/"&gt;http://tec2010.com/agenda-speakers/directory-identity-training/speaker-bios/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Speakers – TEC Exchange&lt;/em&gt;: &lt;a href="http://www.theexpertsconference.com/agenda-speakers/exchange-training/speaker-bios/"&gt;http://www.theexpertsconference.com/agenda-speakers/exchange-training/speaker-bios/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Speakers – TEC Sharepoint&lt;/em&gt;: &lt;a href="http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/speaker-bios/"&gt;http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/speaker-bios/&lt;/a&gt;
		&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="Conferences" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/Conferences/default.aspx" /></entry><entry><title>Speaking At Microsoft TechDays 2010 in Antwerp (Belgium)</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/03/08/speaking-at-microsoft-techdays-2010-in-antwerp-belgium.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/03/08/speaking-at-microsoft-techdays-2010-in-antwerp-belgium.aspx</id><published>2010-03-08T11:05:47Z</published><updated>2010-03-08T11:05:47Z</updated><content type="html">&lt;p&gt;Microsoft is organizing an event at the end of the month called Microsoft TechDays 2010. The location is the Metropolis in Antwerp (like last year). Amongst others, I'm one of the speakers and I'll be talking about Forefront Identity Manager (FIM) 2010. I hope to see you there!
&lt;/p&gt;&lt;p&gt;Information about the conference:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Event&lt;/em&gt;: Microsoft TechDays 2010
&lt;/li&gt;&lt;li&gt;&lt;em&gt;Website&lt;/em&gt;: &lt;a href="http://www.techdays.be/"&gt;http://www.techdays.be/&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Location&lt;/em&gt;: &lt;a href="http://maps.google.com/maps?q=metropolis+antwerp&amp;amp;hl=en&amp;amp;cd=1&amp;amp;ei=KdeUS_-cLdzROLqcuVA&amp;amp;sig2=c6m8feJjSegFdt9MGHAGQQ&amp;amp;ie=UTF8&amp;amp;view=map&amp;amp;cid=17174816568179941127&amp;amp;ved=0CB0QpQY&amp;amp;hq=metropolis+antwerp&amp;amp;hnear=&amp;amp;z=16&amp;amp;iwloc=A"&gt;Metropolis in Antwerp&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Date:&lt;/em&gt; March 30th, 31st and April 1st
&lt;/li&gt;&lt;li&gt;&lt;em&gt;Practical Information&lt;/em&gt;: &lt;a href="http://www.microsoft.com/belux/techdays/2010/practical.aspx"&gt;http://www.microsoft.com/belux/techdays/2010/practical.aspx&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Agenda&lt;/em&gt;: &lt;a href="http://www.microsoft.com/belux/techdays/2010/agenda.aspx"&gt;http://www.microsoft.com/belux/techdays/2010/agenda.aspx&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Sessions&lt;/em&gt;: &lt;a href="http://www.microsoft.com/belux/techdays/2010/agenda.aspx"&gt;http://www.microsoft.com/belux/techdays/2010/agenda.aspx&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;em&gt;Speakers&lt;/em&gt;: &lt;a href="http://www.microsoft.com/belux/techdays/2010/speakers.aspx"&gt;http://www.microsoft.com/belux/techdays/2010/speakers.aspx&lt;/a&gt;
		&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;strong&gt;My session: March 31&lt;sup&gt;st&lt;/sup&gt;, 17:45-19:00
&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4485/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="Conferences" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/Conferences/default.aspx" /></entry><entry><title>Forefront Identity Manager 2010 has RTMed!</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/03/02/forefront-identity-manager-2010-has-rtmed.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/03/02/forefront-identity-manager-2010-has-rtmed.aspx</id><published>2010-03-02T11:48:48Z</published><updated>2010-03-02T11:48:48Z</updated><content type="html">&lt;p&gt;Forefront Identity Manager 2010, ILM 2007 FP1's successor, has RTMed! Finally! :-)
	&lt;/p&gt;&lt;p&gt;Get the evaluation version &lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=22731a2a-5b0f-4c6b-846a-e53588117981"&gt;here&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Update 3 has been released for FIM 2010 RC1</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/01/30/update-3-has-been-released-for-fim-2010-rc1.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/01/30/update-3-has-been-released-for-fim-2010-rc1.aspx</id><published>2010-01-30T12:55:54Z</published><updated>2010-01-30T12:55:54Z</updated><content type="html">&lt;p&gt;Microsoft has released Update 3 for FIM 2010 RC1. It is available on Connect. This is the final pre-release of the product before RTM. I think this is a major release because it can be installed as an update or as a new install from scratch. It contains a (new) installation guide. &lt;span style="color:red"&gt;&lt;strong&gt;Make sure to read the release notes FIRST before installing it!!!&lt;/strong&gt;&lt;/span&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;strong&gt;Summary of changes in Update 3
&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;This package contains multiple updates to the following Microsoft® Forefront™ Identity Manager 2010 feature areas. It also contains a number of general improvements to FIM functionality and reliability.
&lt;/p&gt;&lt;ul style="margin-left: 54pt"&gt;&lt;li&gt;New prerequisites: 
&lt;/li&gt;&lt;/ul&gt;&lt;ol style="margin-left: 72pt"&gt;&lt;li&gt;Windows® Installer 4.5 for all server components
&lt;/li&gt;&lt;li&gt;For the FIM Service: Microsoft SQL Server® 2008 Service Pack 1 (SP1)
&lt;/li&gt;&lt;li&gt;For the FIM Add-In for Outlook: Microsoft Office Outlook® 2007 Service Pack 2 (SP2)
&lt;/li&gt;&lt;/ol&gt;&lt;ul style="margin-left: 54pt"&gt;&lt;li&gt;New supported platforms for FIM Certificate Management:
&lt;/li&gt;&lt;/ul&gt;&lt;ol style="margin-left: 72pt"&gt;&lt;li&gt;Windows Server® 2008 R2
&lt;/li&gt;&lt;li&gt;Windows Server Datacenter Edition
&lt;/li&gt;&lt;/ol&gt;&lt;ul style="margin-left: 54pt"&gt;&lt;li&gt;FIM Synchronization Service improvements: 
&lt;/li&gt;&lt;/ul&gt;&lt;ol style="margin-left: 72pt"&gt;&lt;li&gt;Fixed customer-reported failures in FIM Synchronization Service.
&lt;/li&gt;&lt;li&gt;Fixed issues with multimastered attributes.
&lt;/li&gt;&lt;li&gt;The FIM management agent (MA) will now store error messages with the operation during export. You do not have to look in the FIM Service event log anymore to view the errors.
&lt;/li&gt;&lt;li&gt;You can now have several MAs that are responsible for deleting a resource. This solves a common problem in which custom code was necessary for Declarative provisioning.
&lt;/li&gt;&lt;li&gt;Added two new Declarative provisioning functions:
&lt;/li&gt;&lt;li&gt;Null – This SR should not contribute a value.
&lt;/li&gt;&lt;li&gt;ReplaceString – Find and replace a substring in another string.
&lt;/li&gt;&lt;/ol&gt;&lt;ul style="margin-left: 54pt"&gt;&lt;li&gt;Introduces new Management Policy Rule (MPR) types: 
&lt;/li&gt;&lt;/ul&gt;&lt;ol style="margin-left: 72pt"&gt;&lt;li&gt;The new Set Transition MPR type allows for easy creation of Policies that apply to Set membership changes (that is, when resources enter or leave a specific Set).
&lt;/li&gt;&lt;li&gt;During Update 3 installation, all existing MPRs in the system are marked as Request-based MPRs.
&lt;/li&gt;&lt;li&gt;The Run On Policy Update flag is now applicable only to the new Set Transition MPRs.
&lt;/li&gt;&lt;li&gt;Temporal policy definitions require the use of the new Set Transition MPRs.
&lt;/li&gt;&lt;/ol&gt;&lt;ul style="margin-left: 54pt"&gt;&lt;li&gt;Fixes an issue in which queries did not evaluate correctly if they contained three or more conditions and at least two of them used the not() operator.
&lt;/li&gt;&lt;li&gt;Adds support for Exchange 2010, which includes the following: 
&lt;/li&gt;&lt;/ul&gt;&lt;ol style="margin-left: 72pt"&gt;&lt;li&gt;FIM Synchronization Service support for Active Directory MA and global address list (GAL) MA
&lt;/li&gt;&lt;li&gt;The FIM Service sending and receiving mail
&lt;/li&gt;&lt;li&gt;Outlook 2007 on Exchange 2010 sending approvals and group membership requests
&lt;/li&gt;&lt;/ol&gt;&lt;ul style="margin-left: 54pt"&gt;&lt;li&gt;Adds support for SQL Server Failover Clusters for High Availability.
&lt;/li&gt;&lt;li&gt;Adds support for taking database backups without stopping the FIM Service.
&lt;/li&gt;&lt;li&gt;Removes DomainSynchronizationActivity and replaces it with built-in logic to support cross-forest group management.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Important 
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;This update deletes the WorkflowDefinition Group management workflow: Domain information synchronization for cross-forest resources, which has the Resource ID 955e3366-fbcc-43ee-b6e4-2001b81971da. You should back up any changes you may have made to this resource before installing the update and then re-create the functionality in a new activity.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>ADLDS (ADAM) for Windows 7</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/01/12/adlds-adam-for-windows-7.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/01/12/adlds-adam-for-windows-7.aspx</id><published>2010-01-12T08:12:12Z</published><updated>2010-01-12T08:12:12Z</updated><content type="html">&lt;p&gt;In previous client versions of Windows, ADLDS (a.k.a. ADAM) was available for WXP. In addition to that it was available in every server version of Windows (W2K3, W2K3R2, W2K8 and W2K8R2). There was no official version for Vista, but if I remember correctly (not sure though) it was possible to get the separate download working with some hacks.
&lt;/p&gt;&lt;p&gt;However, since yesterday, Microsoft has provided a version of ADLDS for Windows 7. Now everybody interested in having a lean and mean directory service to test or develop software can run it on their desktop without needing a server OS.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Get it &lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=a45059af-47a8-4c96-afe3-93dab7b5b658"&gt;here&lt;/a&gt;! 
&lt;/p&gt;&lt;p&gt;…and for its logo, see &lt;a href="http://blog.joeware.net/2006/05/11/358/"&gt;here&lt;/a&gt;. :-)
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="Active Directory" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/Active+Directory/default.aspx" /></entry><entry><title>Re-Awarded for the 5th Time – MVP Directory Services</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2010/01/01/re-awarded-for-the-5th-time-mvp-directory-services.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2010/01/01/re-awarded-for-the-5th-time-mvp-directory-services.aspx</id><published>2010-01-01T18:51:19Z</published><updated>2010-01-01T18:51:19Z</updated><content type="html">&lt;p&gt;Today I received an e-mail saying I was re-awarded with the MVP Award for Directory Services. This year is the fifth time I have received this award! :-)
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;----------
&lt;/p&gt;&lt;p&gt;Dear Jorge de Almeida Pinto,
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year
&lt;/p&gt;&lt;p&gt;----------
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p style="text-align: center"&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/565/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p style="text-align: center"&gt;
 &lt;/p&gt;&lt;p style="text-align: center"&gt;&lt;span style="font-size:18pt"&gt;&lt;strong&gt;!!! THANKS !!!
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="Personal" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/Personal/default.aspx" /></entry><entry><title>Experiences and/or Differences with FIM2010 RC1 so far (Part 5)</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/14/experiences-and-or-differences-with-fim2010-rc1-so-far-part-5.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2009/12/14/experiences-and-or-differences-with-fim2010-rc1-so-far-part-5.aspx</id><published>2009-12-14T21:24:26Z</published><updated>2009-12-14T21:24:26Z</updated><content type="html">&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Reporting/Auditing
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;With RC0, a web services client could reconstruct resources via Requests, or betweenTime, atTime and allTime functions
&lt;/p&gt;&lt;p&gt;With RC1, a web service client will be able to reconstruct resources via Requests
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;More attributes on Request, and new creator and target fields in RequestParameters values available
&lt;/li&gt;&lt;li&gt;Configurable request trimming interval to auto-delete requests which have been archived
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Also see: &lt;a href="http://theexpertscommunity.com/item/show/blog/1381"&gt;http://theexpertscommunity.com/item/show/blog/1381&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Password Reset Feature
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Configuring the MPRs for Password reset was quite complicated. In RC1 these MPRs are pre-configured by default, but are disabled. If you want to use the Password Reset feature you need to enable the MPRs!
&lt;/p&gt;&lt;p&gt;Windows XP SP2 is now also supported.
&lt;/p&gt;&lt;p&gt;Expect a huge change in how you will be able to use this feature. Very promising! :-) In time I will tell more about this.
&lt;/p&gt;&lt;p&gt;Also interesting to know: &lt;a href="http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/7d538ef4-a286-481f-8ff1-6e4f886e2f1d"&gt;http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/7d538ef4-a286-481f-8ff1-6e4f886e2f1d&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;FIM MA Run Profiles
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;The FIM MA only supports Full Imports at the moment (see release notes)
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;FIM Portal Schema
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Attributes of type "Unindexed String" are not yet supported by the FIM Portal and will not show up in the UI for queries/filters.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;It is possible to use a dash '-' in the systemName of an attribute, but you should not use it. Why? Well, other parts that may want to use that attribute may not accept that dash in the name. Look at the pictures below.
&lt;/p&gt;&lt;p&gt;One of those places where this was found is in a workflow activity. For example… let's say you have created a string type attribute with the systemName 'My-Test-ID' and displayName 'My Test ID'. When using the function evaluator activity you can select as the destination [//Target/My-Test-ID]. You can type this in manually or first select //Target as your workflow parameter and then select 'My Test ID' as your parameter attribute. Click Save and you will see the error in the picture.
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4389/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Experiences and/or Differences with FIM2010 RC1 so far (Part 4)</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/12/experiences-and-or-differences-with-fim2010-rc1-so-far-part-4.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2009/12/12/experiences-and-or-differences-with-fim2010-rc1-so-far-part-4.aspx</id><published>2009-12-11T23:11:36Z</published><updated>2009-12-11T23:11:36Z</updated><content type="html">&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;XPATH Filter changes
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Double negations are not supported/possible anymore. An example of a double negation is "/Person[not(MyAttribute != '_$$$_')]"
&lt;/p&gt;&lt;p&gt;Read more about it here: &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2009/11/12/fim-2010-not-not-is-empty-and-not-equal-i-think.aspx"&gt;http://blogs.dirteam.com/blogs/jorge/archive/2009/11/12/fim-2010-not-not-is-empty-and-not-equal-i-think.aspx&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;In addition:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;"contains()" function now works like SQL Full Text Search
&lt;/li&gt;&lt;li&gt;descendants(), betweenTime(), atTime(), allTime() removed
&lt;/li&gt;&lt;li&gt;membersof() changed syntax
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Patches
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;After &lt;a href="http://technet.microsoft.com/en-us/library/ee534893(WS.10).aspx"&gt;RC1&lt;/a&gt;, patches will be made available through Windows Update. You can also download these manually through the &lt;a href="http://catalog.update.microsoft.com/v7/site/Search.aspx?q=Forefront%20Identity%20Manager"&gt;Windows Update Catalog&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;At the time of writing, &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2009/11/11/installing-the-update1-for-fim-2010-rc1.aspx"&gt;Update1&lt;/a&gt; and &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/08/update-release-for-fim-2010-rc1-update-2.aspx"&gt;Update2&lt;/a&gt; have been released.
&lt;/p&gt;&lt;p&gt;For the release notes see: &lt;a href="http://technet.microsoft.com/en-us/library/ee534893(WS.10).aspx"&gt;FIM 2010 RC1&lt;/a&gt;, &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=%20d806d4c4-2867-433b-9c9f-2715e274a787&amp;amp;displaylang=en"&gt;Update1&lt;/a&gt; and &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=ea8312ae-f95c-4980-b8dd-9ffd027a7dc2&amp;amp;displaylang=en"&gt;Update2&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Management Agents (MA)
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Support for:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Active Directory in Windows Server 2008
&lt;/li&gt;&lt;li&gt;SQL Server 2008
&lt;/li&gt;&lt;li&gt;Novell eDirectory 8.8
&lt;/li&gt;&lt;li&gt;Sun Java System DS 6.2
&lt;/li&gt;&lt;li&gt;IBM DB2 9.1, 9.5
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;To connect to RACF, ACF2, OS400, TopSecret, you will still need ILM 2007 FP1.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;FIM Service Partition
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Read more here: &lt;a href="http://blogs.msdn.com/darrylru/archive/2009/11/23/service-partitions-multiple-middle-tiers-request-workflow-processing.aspx"&gt;http://blogs.msdn.com/darrylru/archive/2009/11/23/service-partitions-multiple-middle-tiers-request-workflow-processing.aspx&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Checking Uniqueness during object creation
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Read more here: &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/10/checking-uniqueness-of-an-attribute-in-fim-2010-during-the-create-process.aspx"&gt;http://blogs.dirteam.com/blogs/jorge/archive/2009/12/10/checking-uniqueness-of-an-attribute-in-fim-2010-during-the-create-process.aspx&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Sync Rules
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Sync rules are now bidirectional, meaning that both inbound and outbound flows can be defined within one sync rule.
&lt;/p&gt;&lt;p&gt;New functions that are available for "External System Scoping":
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;NotContains, NotStartsWith, NotEndsWith
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;New functions that are available for attribute flows:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;IsPresent
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;The GUI to create the Attribute Flows also changed. Previously you could create the attribute flows on one screen. Now you have one screen with two tabs for each attribute flow you need. One tab is for the source attribute and the other tab is for the destination attribute. I really do not like this change.
&lt;/p&gt;&lt;p&gt;This is the main screen with all the attribute flows. When you want to create a new flow you click "New Attribute Flow"
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4380/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;This is what you will see when creating a new attribute flow. 
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4381/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Experiences and/or Differences with FIM2010 RC1 so far (Part 3)</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-3.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-3.aspx</id><published>2009-12-11T21:16:53Z</published><updated>2009-12-11T21:16:53Z</updated><content type="html">&lt;p&gt;&lt;strong&gt;Export/Import Portal Configuration
&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;In ILM 2007 you were able to export the complete Sync Engine configuration and move that to some other instance instead of reconfiguring everything manually. That saved you a lot of work AND mistakes! Although it is possible to export/import individual MAs, you need to be careful, because the precedence configuration may not be configured the same as on the instance where you did the export. Sometimes it may be better to export the complete server configuration!
&lt;/p&gt;&lt;p&gt;In ILM "2" RC0 it was not possible to export ANYTHING from the portal. So, you basically had to reconfigure stuff over and over and over again, until you get annoyed and start dying to be able to use FIM 2010 RC1! Why? FIM 2010 RC1 does allow you to export and import the portal configuration through PowerShell CMDlets. YES ! YES ! YES!!!!!!!!!!!
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;So, how do you do this? Follow the next steps:
&lt;/p&gt;&lt;ul style="margin-left: 38pt"&gt;&lt;li&gt;Start PowerShell
&lt;/li&gt;&lt;li&gt;Execute: Add-PSSnapin FIMautomation
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;The following FIM CMDlets become available:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;div&gt;Export-FIMConfig
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The Export-FIMConfig cmdlet extracts configuration objects from the FIM Service using the web service interface. The cmdlet recursively follows references contained in objects in order to extract a full representation of the service's configuration. If a reference points to an object which is not marked as a configuration object, the cmdlet downloads the entire representation but does not follow any references.
&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Import-FIMConfig
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The Import-FIMConfig cmdlet takes in a list of ImportObject objects and executes the web service calls. Please be warned that all ImportObjects sent to Import will be executed. As objects are created, the references are automatically resolved in subsequent update and create operations.
&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Join-FIMConfig
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The Join-FIMConfig cmdlet takes two lists of Export Objects and joins them into Match Objects. The cmdlet performs the join using criteria specified as arguments to the cmdlet.  The join criteria is specific attributes to compare using case-sensitive matching. You may specify individual join criteria for each object type.  For example, you may join on EmployeeID for Person and MailNickname for Groups. You may also use multiple attributes as join criteria.  For example, you may join ConstantSpecifier objects on both the DisplayName and Value. No default join criteria is provided.  The reason you must specify the join criteria is to ensure that this tool joins on attributes or collections of attributes that are unique in your organization.
&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Compare-FIMConfig
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The Compare-FIMConfig cmdlet takes in a list of MatchObject and performs an attribute-level comparison on the source and target objects.  The cmdlet returns a list of changes to make to the target system such that it looks like the source system. The list of changes is guaranteed to be in precedence order.  For example, if a Workflow Definition references an Email Template, then the cmdlet guarantees that the EmailTemplate exists prior to creating the WorkflowDefinition. All objects are processed generically without regard to object type except for ManagementPolicyRule objects.  These objects are processed in a special  way: the cmdlet guarantees that all dependent sets are updated prior to workflow definitions.
&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;ConvertFrom-FIMResource
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The ConvertFrom-FIMResource serializes objects used elsewhere in the FIM Automation Snapin into xml.  The motivation of this cmdlet is so you can save intermediate work and transfer it among computers. The cmdlet serializes the objects using XmlObjectSerializer in .NET.  It is necessary to use this cmdlet over Export-Clixml because Export-Clixml does not preserve nested and complex types.
&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;ConvertTo-FIMResource
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The ConvertTo-FIMResource deserializes objects used elsewhere in the FIM Automation Snapin from xml.  This is the complement cmdlet to ConvertFrom-FIMResource. The cmdlet deserializes the objects using XmlObjectSerializer in .NET.
&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Using the GET-Help CMDlet you can get additional information on how to use each FIM CMDlet, including examples (e.g. Get-help Export-FIMConfig)
&lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;Remark&lt;/span&gt;: Make sure to read &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/export-cmdlet-of-fim-migration-tooling-not-working-as-expected.aspx"&gt;this&lt;/a&gt; too!
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4228/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;strong&gt;WorkFlow Activities designed for ILM "2" RC0 to be used in FIM 2010 RC1
&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Short one. Check the following URL: &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2009/10/04/workflow-activities-designed-for-ilm2-rc0-may-not-work-for-fim-2010-rc1.aspx"&gt;http://blogs.dirteam.com/blogs/jorge/archive/2009/10/04/workflow-activities-designed-for-ilm2-rc0-may-not-work-for-fim-2010-rc1.aspx&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;strong&gt;Enable/Disable codeless provisioning
&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;In RC0 you could only disable/enable scripted (through Rules Extensions) provisioning. As soon as an object mapping was defined in the ILM2 MA provisioning would occur, assuming other prerequisites were also met (initial flow only for anchor attributes and criteria). It was not possible to disable codeless provisioning. In RC1 you now can disable codeless provisioning through the Identity Manager GUI. If the setting is not checked, provisioning through Codeless Provisioning will not work. AND it is disabled by default!
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4231/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Experiences and/or Differences with FIM2010 RC1 so far (Part 2)</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-2.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-2.aspx</id><published>2009-12-11T21:06:37Z</published><updated>2009-12-11T21:06:37Z</updated><content type="html">&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;MPRs
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;New MPRs have been defined or existing MPRs have been redefined. In ILM "2" RC0 an MPR called "Administrators have Full Control" existed, which gave administrators Full Control permissions over existing and newly created stuff. In FIM 2010 RC1 I created a new object type called COMPUTER including the attributes I wanted on it. I then wanted to create a computer object, and at the end when I clicked SUBMIT I got an access denied. Researching a bit more, I found out that administrators only have Full Control over configuration stuff in the FIM Portal. They are not allowed to create users and, in my case, also computers. So, for those object types I had to create an MPR that gave the administrators Full Control over those objects. Now you can take two different approaches: (1) create a permissions-based MPR for each object type, or (2) create a permissions-based MPR that gives the administrators Full Control over ALL objects.
&lt;/p&gt;&lt;p&gt;In addition, it is possible to disable and re-enable MPRs. You no longer have to delete them or change them in such a way that they are not used by the system. Remember that when you get an access denied, two cases might apply: (1) no MPR is available, or (2) an MPR is available but it is disabled!
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4222/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4223/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;After you have configured your FIM system with all kinds of MPRs, SETs, Workflows, etc., how are you going to find out or troubleshoot, after 6 months for example, how a particular system works? In ILM "2" RC0 that was a pain in the well-known behind! In FIM 2010 RC1 you will find a button called MPR Explorer (see below). It is "just" a button and because of that you might miss it.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4224/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;Clicking that button shows you the following screen which allows you to select what you want to check/do.
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4225/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;After that, for what you want to do, you define criteria as shown below. In my case I wanted to know which "enabled" "permissions-based MPRs" apply when "ADM.ROOT" makes a request to "Create a resource", "Delete a resource", "Read resource", "Add a value to a multi-valued attribute", "Remove a value from a multi-valued attribute" OR "Modify the value of a single-valued attribute" against "All Objects".
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4226/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;The results of the query I'm making are shown below
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4227/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;SCOM Management Pack
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;A SCOM Management Pack will be made available for FIM 2010.
&lt;/p&gt;&lt;div&gt;&lt;table style="border-collapse:collapse" border="0"&gt;&lt;colgroup&gt;&lt;col style="width:266px"/&gt;&lt;col style="width:266px"/&gt;&lt;col style="width:266px"/&gt;&lt;/colgroup&gt;&lt;tbody valign="top"&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  solid black 0.5pt; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;&lt;strong&gt;Component&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  solid black 0.5pt; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;&lt;strong&gt;# Monitors&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  solid black 0.5pt; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;&lt;strong&gt;# Events&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;FIM Service&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;9&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;8&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;FIM Portal&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  
solid black 0.5pt"&gt;&lt;p&gt;11&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;10&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;FIM Sync&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;7&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;6&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;FIM CM&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;6&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;6&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4229/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4230/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Experiences and/or Differences with FIM2010 RC1 so far (Part 1)</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-1.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-1.aspx</id><published>2009-12-11T20:31:34Z</published><updated>2009-12-11T20:31:34Z</updated><content type="html">&lt;p&gt;So FIM 2010 RC1 came out in the beginning of October. Here are my first impressions, or changes I found (either through my own testing/reading or through some other posts):
&lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;OS Support
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;FIM 2010 now supports both Windows Server 2008 (x64) and Windows Server 2008 R2 (x64). Be aware though: if you want to combine all kinds of technologies on one server (e.g. test/demo environment), check the requirements and prerequisites of all components. For example, Exchange Server 2007 is not supported on Windows Server 2008 R2 and FIM 2010 does not support Exchange Server 2010 yet. However, Microsoft changed their plans and has decided to support Exchange Server 2007 on Windows Server 2008 R2 in the (near) future!
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;Additional Options During install + FIM Portal Access
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Read more about this here: &lt;a href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/enabling-fim-portal-access-for-a-regular-ad-user-account.aspx"&gt;http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/enabling-fim-portal-access-for-a-regular-ad-user-account.aspx&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;FIM 2010 Portal itself
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;The graphics department at Microsoft has been busy changing its looks and rebranding everything within the system from "Identity Lifecycle Manager "2"" to "Forefront Identity Manager 2010"
&lt;/p&gt;&lt;p&gt;&lt;em&gt;BEFORE
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4219/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;em&gt;AFTER
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4220/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Other Stuff within the product that was rebranded is:
&lt;/p&gt;&lt;div&gt;&lt;table style="border-collapse:collapse" border="0"&gt;&lt;colgroup&gt;&lt;col style="width:351px"/&gt;&lt;col style="width:447px"/&gt;&lt;/colgroup&gt;&lt;tbody valign="top"&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  solid black 0.5pt; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;&lt;strong&gt;ILM "2" RC0 Naming&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  solid black 0.5pt; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;&lt;strong&gt;FIM 2010 RC1 Naming&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Identity Lifecycle Manager "2"&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Microsoft Forefront Identity Management&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;ILM Service&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;FIM Service&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;MIIS / Sync Engine&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  
none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;FIM Synchronization Service&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;CLM&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;FIM Certificate Management&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Object Type&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Resource Type&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Object Visualization Configuration (OVC)&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Resource Control Display Configuration (RCDC)&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: Microsoft Identity Integration Server&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: 
Forefront Identity Manager Synchronization Service&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: Microsoft Identity Lifecycle Manager Service&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: Forefront Identity Manager Service&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: Microsoft ILM Password Service&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: Forefront Identity Manager Password Reset Client Service&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: Certificate Lifecycle Manager&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Service: Forefront Identity Manager CM Update Service&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  solid black 0.5pt; border-bottom:  solid black 0.5pt; border-right:  solid black 0.5pt"&gt;&lt;p&gt;Identity Manager&lt;/p&gt;&lt;/td&gt;&lt;td style="padding-left: 9px; padding-right: 9px; border-top:  none; border-left:  none; border-bottom:  solid black 0.5pt; 
border-right:  solid black 0.5pt"&gt;&lt;p&gt;Synchronization Service Manager&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="text-decoration:underline"&gt;&lt;strong&gt;FIM MA in Identity Manager
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Connection information for the FIM MA is different. You now need to specify the SQL Server, the SQL DB for the portal (to read from) and the address of the FIM Service you want to use for writes (You can have more than one FIM Service and you can dedicate a FIM Service instance for the FIM Sync Engine if you need/want to)
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4221/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry><entry><title>Enabling FIM Portal Access for a Regular AD User Account</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/enabling-fim-portal-access-for-a-regular-ad-user-account.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/enabling-fim-portal-access-for-a-regular-ad-user-account.aspx</id><published>2009-12-11T20:19:14Z</published><updated>2009-12-11T20:19:14Z</updated><content type="html">&lt;p&gt;To be able to access the FIM portal as a regular user, the following MUST be true:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The user has an AD user account
&lt;/li&gt;&lt;li&gt;The attributes "Domain", "AccountName" and "ObjectSID" must be populated with the values of that AD user account, synced by the FIM Sync Engine
&lt;/li&gt;&lt;li&gt;The correct permissions have been configured for the AD user account in the FIM Portal (see more below)
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt; 
 &lt;/p&gt;&lt;p&gt;To configure the correct permissions in the FIM Portal to allow portal access for regular users, additional configuration checkboxes appear during the installation of the FIM Portal:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)
&lt;/li&gt;&lt;li&gt;Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;In addition to all this, you as an administrator need to enable a few MPRs which are disabled by default. I'm talking about the following MPRs:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;"General: Users can read non-administrative configuration resources"
&lt;/li&gt;&lt;li&gt;"User management: Users can read attributes of their own"
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;You can check the MPRs in the FIM Portal or you can use &lt;a href="http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/73954797-afb4-4448-8c3e-af5b4f9e2eb5"&gt;this PowerShell script&lt;/a&gt; to do that for you. The result may look like:
&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4387/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;&lt;img src="http://blogs.dirteam.com/photos/jorge/images/4388/original.aspx" alt=""/&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;This is for simple plain FIM Portal access. If you want to allow a user to do more, you need to create and/or enable additional MPRs.
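
An added example (not part of the original post and not the linked script): one way to confirm from PowerShell that the two MPRs named above exist and are enabled, since a missing or disabled MPR both surface as the same access denied. It assumes the FIMAutomation snap-in is installed, the FIM Service answers on the default URI used by the export script elsewhere on this page, and that each MPR carries a "Disabled" attribute; the helper name Get-FimAttributeValue is hypothetical.

```powershell
# Added example. Assumptions: FIMAutomation snap-in installed, FIM Service on
# the default local URI, caller is allowed to read ManagementPolicyRule objects.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = "http://localhost:5725/ResourceManagementService"

# The two MPRs that must be enabled for plain FIM Portal access.
$requiredMprs = @(
    "General: Users can read non-administrative configuration resources",
    "User management: Users can read attributes of their own"
)

# Hypothetical helper: read one single-valued attribute from an exported object.
function Get-FimAttributeValue($exportObject, [string]$name) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if ($attr) { $attr.Value } else { $null }
}

$report = foreach ($displayName in $requiredMprs) {
    # -customConfig takes XPath filter notation, so the filter starts with "/".
    $filter = "/ManagementPolicyRule[DisplayName='$displayName']"
    $found  = @(Export-FIMConfig -uri $uri -customConfig $filter -onlyBaseResources)

    if ($found.Count -eq 0) {
        # Case 1 from the access denied checklist: no such MPR exists.
        New-Object PSObject -Property @{ MPR = $displayName; State = "MISSING" }
        continue
    }

    foreach ($mpr in $found) {
        # Case 2: the MPR exists but is switched off.
        $disabled = Get-FimAttributeValue $mpr "Disabled"
        $state = if ("$disabled" -eq "True") { "DISABLED" } else { "ENABLED" }
        New-Object PSObject -Property @{ MPR = $displayName; State = $state }
    }
}

$report | Format-Table MPR, State -AutoSize
```

Anything reported as MISSING or DISABLED explains an access denied for a regular user before any further MPR troubleshooting is needed.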
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author></entry><entry><title>EXPORT CMDlet of FIM Migration Tooling not working as expected</title><link rel="alternate" type="text/html" href="http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/export-cmdlet-of-fim-migration-tooling-not-working-as-expected.aspx" /><id>http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/export-cmdlet-of-fim-migration-tooling-not-working-as-expected.aspx</id><published>2009-12-11T17:27:45Z</published><updated>2009-12-11T17:27:45Z</updated><content type="html">&lt;p&gt;FIM 2010 provides CMDlets to migrate the configuration of the FIM Portal from one server to another. The first step is exporting the configuration of the SOURCE server. The Powershell script you can use for that is:
&lt;/p&gt;&lt;p&gt;---------
&lt;/p&gt;&lt;p&gt;# ExportPilot.ps1
&lt;/p&gt;&lt;p&gt;# Copyright (c) 2009 Microsoft Corporation
&lt;/p&gt;&lt;p&gt;# The purpose of this script is to export the current configuration in the pilot environment.
&lt;/p&gt;&lt;p&gt;# The script stores the configuration into file "pilot.xml" in the current directory.
&lt;/p&gt;&lt;p&gt;Add-PSSnapin FIMAutomation
&lt;/p&gt;&lt;p&gt;$pilot_filename = "pilot.xml"
&lt;/p&gt;&lt;p&gt;Write-Host "Exporting configuration objects from pilot."
&lt;/p&gt;&lt;p&gt;$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig
&lt;/p&gt;&lt;p&gt;Write-Host "Exported " $pilot.Count " objects from pilot."
&lt;/p&gt;&lt;p&gt;$pilot | ConvertFrom-FIMResource -file $pilot_filename
&lt;/p&gt;&lt;p&gt;Write-Host "Pilot file is saved as " $pilot_filename "."
&lt;/p&gt;&lt;p&gt;Write-Host "Export complete.  The next step is to copy " $pilot_filename " to production and run SyncProduction.ps1."
&lt;/p&gt;&lt;p&gt;---------
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;This script will export policy configuration, schema configuration and portal configuration. If you want to export custom configuration, such as certain object types, you need to replace a line as specified in the documentation.
&lt;/p&gt;&lt;p&gt;REPLACE
&lt;/p&gt;&lt;p&gt;&lt;em&gt;$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;WITH
&lt;/p&gt;&lt;p&gt;&lt;em&gt;$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig &lt;span style="color:red"&gt;-customConfig ("Group","Person")&lt;/span&gt;&lt;/em&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;However as soon as you execute your adjusted powershell script, you will get the following error:
&lt;/p&gt;&lt;p&gt;-------------
&lt;/p&gt;&lt;p&gt;Export-FIMConfig : Failure on making enumeration web service call.
&lt;/p&gt;&lt;p&gt;Filter = Group
&lt;/p&gt;&lt;p&gt;Error= Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: c
&lt;/p&gt;&lt;p&gt;annot filter as requested
&lt;/p&gt;&lt;p&gt;   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.Enumerat
&lt;/p&gt;&lt;p&gt;eResources(SearchParameters parameters)
&lt;/p&gt;&lt;p&gt;   at Microsoft.ResourceManagement.WebServices.ResourceManager.MoveNext()
&lt;/p&gt;&lt;p&gt;   at Microsoft.ResourceManagement.Automation.ExportConfig.EndProcessing()
&lt;/p&gt;&lt;p&gt;At C:\_FIM-CONFIG\ExportFIMConfigFromSource.ps1:10 char:27
&lt;/p&gt;&lt;p&gt;+ $Source = Export-FIMConfig &amp;lt;&amp;lt;&amp;lt;&amp;lt;  -uri http://localhost:5725/ResourceManagemen
&lt;/p&gt;&lt;p&gt;tService -policyConfig -schemaConfig -portalConfig -customConfig ("Group","Pers
&lt;/p&gt;&lt;p&gt;on")
&lt;/p&gt;&lt;p&gt;    + CategoryInfo          : InvalidOperation: (:) [Export-FIMConfig], Invali
&lt;/p&gt;&lt;p&gt;   dOperationException
&lt;/p&gt;&lt;p&gt;    + FullyQualifiedErrorId : ExportConfig,Microsoft.ResourceManagement.Automa
&lt;/p&gt;&lt;p&gt;   tion.ExportConfig
&lt;/p&gt;&lt;p&gt;-------------
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;This is telling you the filter of the customConfig option is wrong. That is weird as the way I'm using it is also mentioned in the help of the CMDlet. However, it appears that you need to use the XPATH filter notation. So the correct line would be:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig &lt;span style="color:red"&gt;-customConfig ("/Group","/Person")&lt;/span&gt;&lt;/em&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Oh, by the way… This is for FIM 2010 RC 1 Update2
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;SOURCE: &lt;a href="http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/6e543d7a-2543-4975-9b5d-0615ae341e47"&gt;http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/6e543d7a-2543-4975-9b5d-0615ae341e47&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Cheers, 
&lt;/p&gt;&lt;p&gt;Jorge 
&lt;/p&gt;</content><author><name>Jorge</name><uri>http://blogs.dirteam.com/members/Jorge.aspx</uri></author><category term="ILM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/ILM/default.aspx" /><category term="FIM" scheme="http://blogs.dirteam.com/blogs/jorge/archive/tags/FIM/default.aspx" /></entry></feed>