
Understanding Joining


Update 1/19/2017

There are 3 ways to set up join logic so that objects in the Connector Space of an MA “join” to objects in the Metaverse.

1st.

Direct join on the MA, configured in the MA properties by selecting “Join and Projection” (yes, this is the same section where you configure projection). The image below shows the most basic join logic on an MA: a direct mapping from an attribute in the Connector Space to an attribute of an object in the Metaverse.

[image: majoin]

The biggest thing to remember is to select the correct Metaverse object type when setting up the direct join. I can’t tell you how many times I have had customers with join issues where the configuration was a basic direct join, except that instead of selecting Person, Group or whatever object type they wanted to join to, they left it at the default Metaverse object type of “Any”. Make sure you select the correct object type you wish to join to in the Metaverse.

[image: majoin1]

It doesn’t get much more basic than that. In the example below, the join logic on the MA looks at the object in the Connector Space (more specifically, the sAMAccountName of the object) and looks in the Metaverse for a Person object with a matching accountName attribute value.

[image: majoin2]

2nd

Using Sync Rules. An environment where Sync Rules are used is sometimes called “code less” or “code light”.

When configuring a Sync Rule, the Relationship tab is where you configure the join “logic” used to join objects from the Connector Space to the Metaverse. The image below shows the same join logic that was configured on the MA; this is just a different way to achieve the same result.

[image: joinsr]

Remember when I said to be careful to select the correct object type to join to when configuring the join logic on the MA? The same thing applies with Sync Rules, except that with Sync Rules it is controlled on the Scope tab of the Sync Rule configuration UI. The image below shows where the object type is selected. This step is “doubly” important on a Sync Rule, because the object type also affects what type of object is created in the Portal.

[image: joinsr1]

It is very important to note that the join logic on a Sync Rule is only applied to inbound Sync Rules. When you configure an outbound scoping filter Sync Rule, the wizard will let you configure the join logic, but once you complete the Sync Rule configuration and reopen the Sync Rule you just configured, the Relationship tab is gone.

The first 2 methods of configuring join logic are very basic and cover a large percentage of the scenarios for joining objects from a data source to the Metaverse. If for some reason you have join logic configured on the MA as well as on a Sync Rule that connects to that same MA, the join logic set on the MA is applied first.

Now, I know I have said a few times in this post that you need to select the correct object type for joining, whether on the MA join configuration or the Sync Rule configuration. There are times, however, when you may need to join 2 objects that are not of the same object type; the best example is User or Person objects to FSPs (foreignSecurityPrincipals). See the following blog post for more info: Cross Forest Management – (Create groups with FSP’s as Members) Part 1

 

3rd

Using a custom MA extension. There are many reasons you might need a custom MA extension containing complex join logic, and it would be impossible to go over every scenario, but one example is the following:

2 forests:

Forest 1: Contoso

Forest 2: Fabrikam

Group objects from the Contoso forest are created in Fabrikam by 2 separate MAs. The 1st MA creates the group with the same information as in Contoso (same displayName, samAccountName, memberships, etc.). The 2nd MA creates the group with the characters “SP_” at the beginning of each group’s displayName, samAccountName, etc. Ideally I would have used a separate attribute to hold the source value and done a join such as extensionAttribute1 to accountName, but sometimes we work in environments where there are no spare attributes, or you are coming in behind someone else and playing cleanup.

Please see the post Rules Extensions – MapAttributesForJoin for the code that implements join logic in a custom MA extension.
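As an added example (this is not code from the original post), here is a stand-alone C# version of the join-key logic the scenario above calls for, modelled on the SPAccountName and BuildAccountName flow rules shown in the Rules Extensions – MA Extension post. It runs outside the Synchronization Service: a dictionary stands in for the connector-space entry and all sample values are constructed. One deliberate difference from the post’s code is that it strips only a leading “SP_”; a plain Replace("SP_", "") would also remove those characters from the middle of a name and could then join the wrong object.

```csharp
// Added example, not from the original post: deriving a join key from a
// Fabrikam "SP_" prefixed group name, plus the accountName fallback rule.
using System;
using System.Collections.Generic;

public static class JoinKeys
{
    // Prefix from the post's two-forest scenario (assumed constant name).
    const string SpPrefix = "SP_";

    // Strip a single leading "SP_" so that Fabrikam's "SP_Finance" joins to
    // Contoso's "Finance". sAMAccountName is case-insensitive in AD, so the
    // comparison is case-insensitive too. Only the prefix is removed: a
    // substring elsewhere in the name ("Sales_SP_Team") is left alone.
    public static string SpAccountName(string samAccountName)
    {
        if (string.IsNullOrEmpty(samAccountName))
            return null;
        if (samAccountName.StartsWith(SpPrefix, StringComparison.OrdinalIgnoreCase))
            return samAccountName.Substring(SpPrefix.Length);
        return samAccountName;
    }

    // Mirror of the "BuildAccountName" flow rule: prefer accountName,
    // otherwise firstName.lastName. Returns null when neither is available,
    // so the caller adds no join value and the object stays a disconnector
    // rather than joining on an empty string.
    public static string BuildAccountName(IDictionary<string, string> csentry)
    {
        string account;
        if (csentry.TryGetValue("accountName", out account) && !string.IsNullOrWhiteSpace(account))
            return account;

        string first, last;
        if (csentry.TryGetValue("firstName", out first) && csentry.TryGetValue("lastName", out last)
            && !string.IsNullOrWhiteSpace(first) && !string.IsNullOrWhiteSpace(last))
            return first + "." + last;

        return null;
    }

    public static void Main()
    {
        // Constructed connector-space sAMAccountName values.
        foreach (var name in new[] { "SP_Finance", "sp_Sales", "Sales_SP_Team", "HR" })
            Console.WriteLine("{0,-14} -> {1}", name, SpAccountName(name));

        // Constructed connector-space entries for the BuildAccountName rule.
        var withAccount = new Dictionary<string, string> { { "accountName", "jdoe" } };
        var withNames = new Dictionary<string, string> { { "firstName", "Jane" }, { "lastName", "Doe" } };
        var empty = new Dictionary<string, string>();

        Console.WriteLine(BuildAccountName(withAccount));
        Console.WriteLine(BuildAccountName(withNames));
        Console.WriteLine(BuildAccountName(empty) ?? "(no join value contributed)");
    }
}
```

Inside a real extension the two functions would be called from MapAttributesForJoin and their non-null results passed to values.Add; the null case is where you would deliberately contribute nothing.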

 

 

Questions? Comments? Love FIM/MIM so much you can’t even stand it?

EMAIL US!

>WE WANT TO HEAR FROM YOU<

## https://blogs.msdn.microsoft.com/connector_space##


Management Agent Advanced Attribute Flows


In this post we will discuss the configuration of attribute flows within a Management Agent to utilize an attached .dll.

The assumption is that you already have a Management Agent of some sort created and now wish to add advanced attribute flows that utilize a custom extension, compiled as a .dll and attached to the desired Management Agent. This is in contrast to direct attribute flows, which basically just sync the data from the source to its destination “as is”, without any modification and without handling scenarios such as what to do when the source data meets X criteria or is missing, or any other case that needs to be considered to deliver the correct data to the destination.

The only prerequisite is that the attributes must already exist on the Management Agent before you configure the attribute flow. What I mean by this is that if your attribute flow is for a custom attribute that doesn’t yet exist at the source or destination, you cannot pre-define the attribute flow. Yes, I know that sounds very elementary, but I have often received questions on this very topic from people trying to get some prep work completed with the intention of completing the other steps later.

I usually have the code written prior to updating the Management Agent, but it is not necessary. Keep in mind, though, that if you update the MA before the code is written and attached, the Management Agent will not be able to run any syncs.

So let’s configure the Management Agent to use a custom DLL.

Mapping the DLL to the Management Agent

On the Management Agent that you wish to configure to use advanced attribute flows, right-click the Management Agent and select Properties.

In the Properties window click on the Configure Extensions section.

In the Configure Extensions section click on Select.

In the window that pops up, select the .dll file that you created. Note that the DLL must be in the Extensions folder, usually located at

C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions

When the correct DLL has been selected, click OK to close the window, then verify that the extension is now displayed in the text field next to “Rules extension name:”.

Click OK to save the current configuration of the Management Agent.

When you are ready to configure the attribute flows, once again go into the Properties of the Management Agent and select Configure Attribute Flows.

As you can see in the image above, I have some direct attribute flows, but we will now create some “advanced” attribute flows that utilize a custom extension.

Now let’s add a new attribute flow, but first let’s take a look at a previous post, Rules Extensions – MapAttributesForImport, and look at the case for objectSidString:

    case "objectSidString":
        // read the binary SID from the connector space object ...
        byte[] objectSid = csentry["objectSid"].BinaryValue;
        // ... and write its string form (S-1-5-...) to the metaverse
        mventry["objectSidString"].StringValue = ConvertSidToString(objectSid);
        break;

When we create an advanced attribute flow we will need the following information:

Highlighted in yellow is the flow rule name, in this example objectSidString: whatever is used here in quotes needs to be entered as is, and it is case sensitive.

Highlighted in green is the attribute (here objectSid) that will need to be selected as the source or destination, depending on the attribute flow direction.

Highlighted in blue is another attribute (here objectSidString) that will need to be selected as the source or destination, depending on the attribute flow direction.

 

Now let’s take a look at how this looks on the Management Agent.

Notice that on the Data source attribute side I have selected the attribute I previously highlighted in green, in this example objectSid.

On the Metaverse attribute side I have selected the attribute I previously highlighted in blue, in this example objectSidString. This attribute is a custom attribute that was previously created in the Synchronization Service.

Now look at the Flow rule name: notice it matches exactly what was highlighted in yellow previously. If this doesn’t match, you will find yourself wondering why an expected attribute flow was never hit.

Additionally, when setting up an attribute flow that needs to reference a DLL, you must select Advanced for the Mapping Type. The same applies when configuring attribute flows that require multiple attributes to be selected at the “source” which are used to define the value for an attribute at the “destination”.
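As an added example (not code from the original post), the program below re-creates the objectSidString flow so it can be compiled and run without the Sync Service. The flow rule name is matched with an ordinary C# switch, which is why the name configured on the MA must match the case label character for character, and the SID bytes are converted with System.Security.Principal.SecurityIdentifier just as the post’s ConvertSidToString helper does. The SID (S-1-5-21-1-2-3-1001) and the dictionary standing in for csentry are constructed; the presence check before reading the attribute is an addition, because in a real extension csentry["objectSid"].BinaryValue throws when the attribute is absent.

```csharp
// Added example, not from the original post: objectSid -> string flow rule
// dispatch, runnable outside the Synchronization Service.
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class AdvancedFlowDemo
{
    // Constructed stand-in for a connector-space entry: attribute -> bytes.
    // Binary SID layout: revision (1), sub-authority count (5), identifier
    // authority 5 as 48-bit big-endian, then each sub-authority as a
    // little-endian 32-bit value: 21, 1, 2, 3, 1001.
    static readonly Dictionary<string, byte[]> SampleCsEntry = new Dictionary<string, byte[]>
    {
        { "objectSid", new byte[] {
            0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
            0x15, 0x00, 0x00, 0x00,   // 21
            0x01, 0x00, 0x00, 0x00,   // 1
            0x02, 0x00, 0x00, 0x00,   // 2
            0x03, 0x00, 0x00, 0x00,   // 3
            0xE9, 0x03, 0x00, 0x00 } } // 1001
    };

    // Same conversion as the post's helper: binary SID -> "S-1-5-..." form.
    public static string ConvertSidToString(byte[] objectSid)
    {
        return new SecurityIdentifier(objectSid, 0).ToString();
    }

    // Returns the value that would be written to the metaverse attribute for
    // the given flow rule, or null when the rule name does not match or the
    // source attribute is missing or empty.
    public static string RunFlowRule(string flowRuleName, IDictionary<string, byte[]> csentry)
    {
        switch (flowRuleName)
        {
            case "objectSidString":
                byte[] sid;
                if (!csentry.TryGetValue("objectSid", out sid) || sid == null || sid.Length == 0)
                    return null; // nothing to contribute; a real extension would Delete() the MV value
                return ConvertSidToString(sid);

            default:
                return null; // no case label for this flow rule name
        }
    }

    public static void Main()
    {
        Console.WriteLine(RunFlowRule("objectSidString", SampleCsEntry));

        // Only the case differs from the configured name, so the switch does
        // not match: this is the "why was my flow never hit" situation.
        Console.WriteLine(RunFlowRule("ObjectSidString", SampleCsEntry) ?? "(no matching flow rule)");

        // Source attribute absent on this object.
        Console.WriteLine(RunFlowRule("objectSidString", new Dictionary<string, byte[]>()) ?? "(objectSid absent)");
    }
}
```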

 

 

 


MIM WAL–Installation Guide Part 1


Installation of the MIM WAL can sometimes be problematic, especially if you are just getting started or are an amateur developer. The objectives of this post are to:

1.) Help collect all the files needed to compile the Workflow Activity Library

2.) Prepare the solution to be compiled

3.) Install the Workflow Activity Library

4.) Verify the Workflow Activity Library was successfully installed.

Step 1. What is the WAL (Workflow Activity Library)?

Please review the following resources

The MIMWAL (Custom Workflow Activity Library)

MIMWAL

MIM WAL WIKI

 

Step 2. Download files needed to compile the Workflow Activity Library

Download latest version of MIM WAL

Download the hotfix rollup package (build 4.1.3496.0) for Forefront Identity Manager 2010 R2 (do not download the latest hotfix for this; I know that would make too much sense, but download this old one instead).

Download the Windows SDK

Notice the 3 options:

GRMSDK_EN_DVD.iso is the x86 version

GRMSDKX_EN_DVD.iso is the AMD64 version

GRMSDKIAI_EN_DVD.iso is the Itanium version

Step 3. Extract files from the MIM hotfix

Navigate to the folder where the extracted hotfix files are located and find the file FIMService_x64_KB3171342.msp.

If 7-Zip is installed on your machine, right-click on the file FIMService_x64_KB3171342.msp, click on 7-Zip and select Extract files.

In the Extract to window, enter the destination for the extracted files.

Now let’s verify the files have been extracted.

Navigate to the destination where you set the extraction location.

Locate the file MSDN.cab

Now click on this file

Locate the wsp file MicrosoftILMPortalCommonDlls.wsp

Right-click the wsp file, click on Extract, and extract it to a specified location.

Now click on the extracted file, which looks a lot like the file you just extracted it from.

Rename this file to MicrosoftILMPortalCommonDlls.wsp

When you open this file you will see:

Locate the following files

  • Microsoft.IdentityManagement.WebUI.Controls.dll
  • Microsoft.IdentityManagement.WFExtensionInterfaces.dll
  • Microsoft.ResourceManagement.dll
  • Microsoft.ResourceManagement.WorkflowContract.dll

Copy those files to a location you will easily be able to find.

If you are not already logged into the server that hosts the FIM / MIM Service, log in and open PowerShell.

Type in the following command:

cd C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35

Then enter the following command:

copy .\System.Management.Automation.dll <enter path to location where you have the other .dlls>

Or you could just navigate to the source and copy the file, but it may be hidden in your environment depending on your settings.

Before we continue we need to get gacutil.exe and sn.exe.

Locate the file GRMSDK_EN_DVD.iso or which ever version you downloaded earlier

Extract the files

Open the extracted files and navigate to the folder “Setup”.

Open the Setup Folder

Locate the folder “WinSDKNetFxTools”

Open the “WinSDKNetFxTools” and locate the file cab1.cab

Open the cab1.cab file

There will be a bunch of files; locate the following 2 files, and be sure to get the correct ones, as a few files are named very similarly:

FL_gacutil_exe_30517_x86_enu

FL_sn_exe_24885_x86_enu

Copy these files to the location where you copied the previously downloaded DLLs.

Rename these files:

Rename FL_gacutil_exe_30517_x86_enu to gacutil.exe

Rename FL_sn_exe_24885_x86_enu to sn.exe

Now that we have the files needed, let’s get ready to compile.

Please continue to MIM WAL–Installation Guide Part 2

MIM WAL–Installation Guide Part 2


This post is a continuation of  MIM WAL–Installation Guide Part 1

Navigate to the location where you have the MIM WAL Source Code

Open the folder “ReferencedAssemblies”.

Copy the System.Management.Automation.dll file into this folder.

Now open the folder “4.1.3496.0”

Now copy the following .DLL Files into the 4.1.3496.0 folder

  • Microsoft.IdentityManagement.WebUI.Controls.dll
  • Microsoft.IdentityManagement.WFExtensionInterfaces.dll
  • Microsoft.ResourceManagement.dll
  • Microsoft.ResourceManagement.WorkflowContract.dll

Now step back a few folders.

Open the Scripts folder and copy the files gacutil.exe and sn.exe into it.

Open the Visual Studio Command Prompt and enter cd <enter path of location where you have the other copied files>

Now that we have all the files required to compile the MIM WAL, open Visual Studio, or just navigate to the MIM WAL source files that you downloaded previously and double-click WAL.sln.

At the time of posting, Visual Studio 2017 was not supported, so I had to use 2015.

Once you have the solution open, let’s replace the current .snk associated with the source code.

In Visual Studio’s Solution Explorer you will see 3 locations where WAL.snk already exists.

 

Find the 1st WAL.snk under the Solution ‘WAL’ (1 project) section.

Right-click on the file and select Remove.

Now right-click on Solution ‘WAL’ (1 project) and select Add.

Then select Existing Item.

Navigate to the location where the new .snk file you created exists.

You may get a warning message; accept the warning and continue.

Repeat these steps for the remaining 2 WAL.snk files.

Right-click on WorkflowActivityLibrary, click on Properties, then select Signing.

For “Choose a strong name key file”, browse to the location of the new .snk file and select it (note: the old one may still show up).

Uncheck Delay sign only.

Right-click on WorkflowActivityLibrary.UI, click on Properties, then select Signing.

For “Choose a strong name key file”, browse to the location of the new .snk file and select it (note: the old one may still show up).

Uncheck Delay sign only.

In Visual Studio change Debug to Release.

 

Now click on Build and select Build Solution.

Look in the Output window and verify that the Build or Rebuild All summary line shows it succeeded.

Navigate to the location where your WAL source code is located and copy the SolutionOutput folder.

Place the SolutionOutput folder on a shared drive or a location you have easy access to.

Continue to MIM WAL – Installation Guide Part 3

 

MIM WAL–Installation Guide Part 3


 

This post is a continuation of  MIM WAL–Installation Guide Part 2

This is the 3rd part of the MIM WAL Installation Guide series, and in this section we will install the newly compiled solution.

Navigate to the location where you copied the SolutionOutput folder. If you have not yet copied it, navigate to the location where your WAL source code is located and copy the SolutionOutput folder to a shared drive, your desktop, or any location you have easy access to.

Open the SolutionOutput folder.

Within this folder you will see a .PS1 file (PowerShell script) named Register.ps1.

Right-click on the file Register.ps1 and make a copy; rename the copy to BackUpRegister.ps1.

Now right-click on the original Register.ps1 and click on Edit. This should open the Register.ps1 file in PowerShell ISE; if for some reason the file doesn’t automatically open in ISE, just open PowerShell ISE or your scripting editor of choice and then open the Register.ps1 file.

Now, on a server that hosts the FIM / MIM Portal, open IIS Manager:

On a server that hosts the FIM / MIM Portal, click on the Start menu key and type IIS.

The text window will probably auto-fill additional key words.

Click on the icon for Internet Information Services (IIS) Manager.

Expand the server on the left by clicking on the arrow.

Now expand Sites by clicking on the arrow.

Now take note of the name of the site that the FIM / MIM Portal is hosted on; in this example it is “FIM”.

Now navigate back to the script editor where you have the Register.ps1 file open.

Now let’s look at the script. Below, I circled the section you need to focus on.

Replace what’s circled with the following (in this example we typed FIM in quotes, but you will put in the name of the site you looked up in IIS Manager in the previous step):

param (
    [string] $PortalSiteName = $("FIM")
)

$PortalSiteName

OPTIONAL

The next part I update just to eliminate the chance that the script can’t locate the proper referenced DLLs.

A few lines below where you updated the site name, look for the following:

If you’re having a hard time finding this section:

Now let’s comment out each of these lines by adding a pound sign (#) at the start of the line.

Notice that the lines turn green.

Now, to make this easy, let’s consider where we are going to place the SolutionOutput folder on each of the servers that this solution needs to be installed on. (Remember: this solution needs to be installed on every server that hosts the FIM / MIM Service or Portal.) It may be easiest to place this folder directly on the C drive, but wherever you place it, try to use a consistent location so that the path is the same across all servers; otherwise you will need to update the path for each server you install on.

So if you place the SolutionOutput folder directly on the C drive, the path would look like “C:\SolutionOutput”.

Once you have determined your path, update the following with it:

Once you have everything updated, save the Register.ps1 file and copy the SolutionOutput folder to all servers that need the solution installed, in the path we determined before, such as the root of C.

Depending on your environment you may need to run with elevated permissions.

Once you’re ready you can run the PowerShell script as is, but I prefer to open a PowerShell console so I can review the actions.

You should see a bunch of text, probably blue.

Scroll down.

Notice it says Internet services successfully stopped: during the install the Portal is taken offline.

Once you see the services restarted and you have the solution deployed on all your servers that host either the FIM / MIM Service or Portal, open the FIM / MIM Portal page.

Navigate to the Workflows section, begin creating a workflow, and select Action.

Notice the extra activities. Congratulations, you have successfully installed the WAL.

Excel Functions–Data Comparison and Manipulation


OK, so you might ask what this post has to do with FIM, MIM, or Identity Management… Well, not directly. I was involved in a scenario where I was synchronizing data across many data sources, some of which are read-only to the Synchronization Service. When dealing with legacy data, we all know that in the past people did not always follow the rules or naming standards, and accounts were created any which way the “admin” liked; you might say it was the Wild West of Identity Management. One of the reasons a lot of customers are now using tools like Microsoft Identity Manager (MIM) is this past behavior. While working with the customer to analyze the current environment, they dumped out a .csv file of one of their databases so we could determine how we can use this data, how we can join it up with existing data, and how we can provision it to other networks, if we have enough information without grabbing attributes from other sources, etc.

So let’s look at a sample scenario I created to represent the issue.

In the image above, the AccountName is supposed to represent the BaseID and a type of account, if defined. Standard accounts do not get a type listed; accounts such as Admin, Service, etc. do.

In the customer’s scenario some accounts were created correctly but others were not, and they wanted a quick function to show what all the BaseIDs should have been if created correctly.

1st, I created a new column, BaseID2.

2nd, I clicked on the first cell under BaseID2, in this example F2.

Next I typed the following function in the cell:

=IF(ISERROR(FIND(CONCATENATE("-",C2),A2))=TRUE,B2,SUBSTITUTE(B2,CONCATENATE("-",C2),""))

Now when you press Enter, the corrected BaseID is displayed if it needed to be corrected, or, if the BaseID was already correct, it is copied over to BaseID2.

Finally, to update this for all accounts in the new column (in this example F, BaseID2), copy the function and paste it into each row; the cell references update for each row.

Rules Extensions – Helper Functions


This post is focused on helper functions that multiple methods can call to complete a task. It additionally talks about function overloading: “Overloaded functions enable programmers to supply different semantics for a function, depending on the types and number of arguments.”

See Referenced Documents:

Understanding the Helper Function

Function Overloading

Account-Expires attribute

Pwd-Last-Set attribute

Last-Logon-Timestamp attribute

When-Created attribute

The following is a snippet of code which I use to allow multiple methods to call the same functions without the need to copy the function into each method. This way, if I need to update a function, I am only updating it in one place.

The following code can also be found in the “Rules Extensions – MA Extension” post, which I use as a reference example of what a completed MA extension should look like (in format and placement of the code, not the actual code; all environments are different and this code is to be used as a guide only).

#region helper functions

// 1st GetDateString function: the source value is a FILETIME (long)
private static void GetDateString(CSEntry csentry, MVEntry mventry, long dtInt, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
{
    if (dtInt == 0 || dtInt == 9223372036854775807)
    {
        // This is a special condition, do not contribute and delete any current value
        mventry[mvAttrib].Delete();
    }
    else
    {
        DateTime dtFileTime = DateTime.FromFileTime(dtInt).AddDays(days);
        if (targetFormat.Equals("LONG", StringComparison.OrdinalIgnoreCase))
        {
            mventry[mvAttrib].Value = dtFileTime.ToLongDateString();
        }
        else if (targetFormat.Equals("SHORT", StringComparison.OrdinalIgnoreCase))
        {
            mventry[mvAttrib].Value = dtFileTime.ToShortDateString();
        }
        else
            mventry[mvAttrib].Value = dtFileTime.ToString(targetFormat);
        // mventry[mvAttrib].Value = DateTime.FromFileTimeUtc(dtInt).ToString(targetFormat);
    }
}

// 2nd GetDateString function: the source value is a date string parsed with sourceFormat
private static void GetDateString(CSEntry csentry, MVEntry mventry, string dateStr, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
{
    DateTime dt = DateTime.ParseExact(dateStr, sourceFormat, CultureInfo.InvariantCulture);

    // drops into the 1st GetDateString function
    GetDateString(csentry, mventry, dt.ToFileTime(), mvAttrib, sourceFormat, targetFormat, days);
}

private static string ConvertFileTimeToFimTimeStamp(long fileTime)
{
    return DateTime.FromFileTimeUtc(fileTime).ToString("yyyy-MM-ddTHH:mm:ss.000");
}

private static string ConvertSidToString(byte[] objectSid)
{
    string objectSidString = "";
    SecurityIdentifier SI = new SecurityIdentifier(objectSid, 0);
    objectSidString = SI.ToString();
    return objectSidString;
}

#endregion

 

The snippet above shows the helper functions that can be called; now let’s look at how these functions are called.

Let’s start with the first helper function and look at its first line:

private static void GetDateString(CSEntry csentry, MVEntry mventry, long dtInt, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)

Now let’s look at a method that calls this function, which can be found in Rules Extensions – MapAttributesForImport:

case "employeeEndDate":
    csAttrib = "accountExpires";
    mvAttrib = "employeeEndDate";
    dtInt = csentry[csAttrib].IntegerValue;
    //targetFormat = "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'";
    targetFormat = "yyyy-MM-ddTHH:mm:ss.000";
    //targetFormat = "M/d/yyyy h:mm tt";
    sourceFormat = string.Empty;
    GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);
    break;

Notice the highlighted call: GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);

Now look at the first line of the helper function: private static void GetDateString(CSEntry csentry, MVEntry mventry, long dtInt, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)

What do you notice? The method supplies 6 arguments but the helper function has 7 parameters, the last being an optional parameter with a default value (int days = 0). We will get deeper into that in a minute, but for now just know that because it has a default value you don’t need to send it in as an argument from the method unless the value is different from the default, which in this example is 0 (zero).

As long as the method calls the function by its name, which in the example is GetDateString, and sends at minimum the 6 required arguments in the same order the helper function expects them, you can call the function from within the method.

If you look in the referenced post Rules Extensions – MapAttributesForImport, there are several methods that all call the same function:

case “employeeEndDate”:

case “pwdLastSet”:

case “pwdExpires”:

case “lastLogonTimestamp”:

case “createdDate”:

 

The first 4 methods all have the same type of source attribute representing the date/time, but the 5th method, createdDate, uses the source Active Directory attribute whenCreated, which is a UTC string attribute. This differs from the other values, which are integers representing the number of 100-nanosecond intervals since January 1, 1601 (UTC); for those, a value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires. So in order to use the same function across all methods I need to use what is called function overloading, where the compiler looks at the types of the incoming arguments and drops the call into the corresponding function with the same name.

Function 1

private static void GetDateString(CSEntry csentry, MVEntry mventry, long dtInt, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)

Function 2

private static void GetDateString(CSEntry csentry, MVEntry mventry, string dateStr, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)

Notice they both have the same function name, GetDateString.

If you look into the 2nd function you will see that it takes the arguments being fed into it and prepares them to be passed into the 1st function:

GetDateString(csentry, mventry, dt.ToFileTime(), mvAttrib, sourceFormat, targetFormat, days);
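As an added example (not code from the original post), here are the two GetDateString overloads rehosted over a plain dictionary so they can be compiled and run outside the Synchronization Service, with one call per kind of source value the post lists. Two deliberate differences from the post’s helpers: FromFileTimeUtc/ToFileTimeUtc are used so the output does not depend on the server’s time zone, and Delete() becomes a dictionary Remove(). The sample values (a FILETIME for 2017-06-23 14:30 UTC, a whenCreated-style string and the source format used to parse it) are constructed assumptions, not values from the post.

```csharp
// Added example, not from the original post: FILETIME and string date
// sources routed through two same-named overloads into one formatting path.
using System;
using System.Collections.Generic;
using System.Globalization;

public static class DateFlows
{
    // 0x7FFFFFFFFFFFFFFF == 9223372036854775807, AD's "never expires" value.
    public const long NeverExpires = 0x7FFFFFFFFFFFFFFF;

    // Overload 1: FILETIME source (100 ns intervals since 1601-01-01 UTC), as
    // delivered by accountExpires, pwdLastSet and lastLogonTimestamp.
    public static void GetDateString(IDictionary<string, string> mventry, long dtInt,
        string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
    {
        // 0 and the max value mean "never". They must be caught before the
        // conversion: FromFileTimeUtc throws ArgumentOutOfRangeException on
        // the max value, which would abort the whole sync run.
        if (dtInt == 0 || dtInt == NeverExpires)
        {
            mventry.Remove(mvAttrib); // do not contribute; clear any old value
            return;
        }

        DateTime dt = DateTime.FromFileTimeUtc(dtInt).AddDays(days);
        if (targetFormat.Equals("LONG", StringComparison.OrdinalIgnoreCase))
            mventry[mvAttrib] = dt.ToLongDateString();
        else if (targetFormat.Equals("SHORT", StringComparison.OrdinalIgnoreCase))
            mventry[mvAttrib] = dt.ToShortDateString();
        else
            mventry[mvAttrib] = dt.ToString(targetFormat, CultureInfo.InvariantCulture);
    }

    // Overload 2: string source such as whenCreated. Parse with sourceFormat,
    // then hand the FILETIME to overload 1 so the formatting logic lives once.
    public static void GetDateString(IDictionary<string, string> mventry, string dateStr,
        string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
    {
        DateTime dt = DateTime.ParseExact(dateStr, sourceFormat, CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);
        GetDateString(mventry, dt.ToFileTimeUtc(), mvAttrib, sourceFormat, targetFormat, days);
    }

    public static void Main()
    {
        var mv = new Dictionary<string, string>(); // stand-in for mventry
        const string fimStamp = "yyyy-MM-ddTHH:mm:ss.000";

        // Constructed FILETIME for 2017-06-23 14:30:00 UTC.
        long accountExpires = new DateTime(2017, 6, 23, 14, 30, 0, DateTimeKind.Utc).ToFileTimeUtc();

        // long argument -> overload 1
        GetDateString(mv, accountExpires, "employeeEndDate", string.Empty, fimStamp);
        GetDateString(mv, accountExpires, "pwdExpires", string.Empty, "M/d/yyyy h:mm tt", 180);
        GetDateString(mv, NeverExpires, "neverExpires", string.Empty, fimStamp);

        // string argument -> overload 2 (constructed whenCreated-style value;
        // the source format is an assumption, adjust it to what your MA delivers)
        GetDateString(mv, "20170623143000.0Z", "createdDate", "yyyyMMddHHmmss'.0Z'", fimStamp);

        foreach (var kv in mv)
            Console.WriteLine("{0,-16} = {1}", kv.Key, kv.Value);
        Console.WriteLine("neverExpires present: " + mv.ContainsKey("neverExpires"));
    }
}
```

The compiler picks the overload from the type of the third argument alone (long versus string); the remaining parameters are identical, which is what lets every case in MapAttributesForImport call GetDateString the same way regardless of what the source attribute holds.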

 

 

 

 

Rules Extensions – MA Extension


 

The following is just an example of what an MA extension would look like and should only be used as a reference on how to build your own MA extension. I use this post as a reference for all my MA extension posts, which I have broken up into sections:

Rules Extensions – ShouldProjectToMV

Rules Extensions – MapAttributesForImport

Rules Extensions – MapAttributesForJoin

2 Way Account Expires Rules Extension

 

using System;
using Microsoft.MetadirectoryServices;
using System.Globalization;
using System.Security.Principal;

// Date Changed 23 June 2017
namespace Mms_ManagementAgent_MAExtension
{
    /// <summary>
    /// Summary description for MAExtensionObject.
    /// </summary>
    public class MAExtensionObject : IMASynchronization
    {
        const string FSP = "foreignSecurityPrincipal";
        const string ADMA1 = "Contoso ADMA";
        const string ADMA2 = "Fabrikam ADMA";
        const string ADMA3 = "Fabrikam SPMA";

        public MAExtensionObject()
        {
            //
            // TODO: Add constructor logic here
            //
        }

        void IMASynchronization.Initialize()
        {
            //
            // TODO: write initialization code
            //
        }

        void IMASynchronization.Terminate()
        {
            //
            // TODO: write termination code
            //
        }

        //bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        //{
        //    MVObjectType = "foreignSecurityPrincipal";
        //    bool ShouldProject = false;
        //    if (csentry["whatever"].StringValue.Length >= 30)
        //    {
        //        ShouldProject = true;
        //    }

        //    return ShouldProject;
        //}

        bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        {
            string fsp = "foreignSecurityPrincipal";
            bool ShouldProject = false;
            MVObjectType = null;
            // pick the metaverse object type by the MA the object came from
            switch (csentry.MA.Name)
            {
                case ADMA1:
                    {
                        MVObjectType = "person";
                        ShouldProject = true;
                    }
                    break;

                case ADMA2:
                    {
                        MVObjectType = "group";
                        ShouldProject = true;
                    }
                    break;

                case ADMA3:
                    switch (csentry.ObjectType)
                    {
                        case FSP:
                            {
                                MVObjectType = fsp;
                                if (csentry["cn"].StringValue.Length >= 30)
                                {
                                    ShouldProject = true;
                                }
                            }
                            break;
                    }
                    break;

                default: throw new EntryPointNotImplementedException();
            }

            return ShouldProject;
        }

        DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
        {
            //
            // TODO: Remove this throw statement if you implement this method
            //
            throw new EntryPointNotImplementedException();
        }

        bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
        {
            //
            // TODO: write connector filter code
            //
            throw new EntryPointNotImplementedException();
        }

        void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        {
            switch (FlowRuleName)
            {
                case "SPAccountName":
                    //
                    // TODO: write join mapping code
                    //
                    values.Add(csentry["samAccountName"].StringValue.Replace("SP_", ""));
                    break;

                case "BuildAccountName":
                    if (csentry["accountName"].IsPresent)
                    {
                        values.Add(csentry["accountName"].StringValue);
                    }
                    else if (csentry["firstName"].IsPresent && csentry["lastName"].IsPresent)
                    {
                        values.Add(csentry["firstName"].StringValue + "." + csentry["lastName"].StringValue);
                    }
                    break;
            }
        }

        bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        {
            //
            // TODO: write join resolution code
            //
            throw new EntryPointNotImplementedException();
        }

        void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            string csAttrib;
            string mvAttrib;
            long dtInt;
            string targetFormat;
            string sourceFormat;

            //
            // TODO: write your import attribute flow code
            //
            switch (FlowRuleName)
            {
                case "getDate":
                    mvAttrib = "deprovisionDate";
                    if (mventry.ConnectedMAs[ADMA1].Connectors.Count == 0)
                    {
                        // check the current value (not the attribute name) for content
                        if (mventry[mvAttrib].IsPresent && !string.IsNullOrWhiteSpace(mventry[mvAttrib].Value))
                        {
                            DateTime depoDate;
                            if (!DateTime.TryParse(mventry[mvAttrib].Value, out depoDate))
                            {
                                //mventry["deprovisionDate"].Value = DateTime.Now.AddDays(90).ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'");
                                mventry[mvAttrib].Value = DateTime.Now.AddDays(90).ToString("yyyy-MM-ddTHH:mm:ss.000");
                            }
                            else
                            {
                                mventry[mvAttrib].Value = DateTime.Now.AddDays(90).ToString("yyyy-MM-ddTHH:mm:ss.000");
                            }
                        }
                        else
                        {
                            mventry[mvAttrib].Value = DateTime.Now.AddDays(90).ToString("yyyy-MM-ddTHH:mm:ss.000");
                        }
                    }
                    break;

                case "removeDate":
                    mvAttrib = "deprovisionDate";
                    if (mventry.ConnectedMAs[ADMA1].Connectors.Count == 1)
                    {
                        if (mventry[mvAttrib].IsPresent)
                        {
                            mventry[mvAttrib].Values.Clear();
                        }
                    }
                    break;

                case "employeeEndDate":
                    csAttrib = "accountExpires";
                    mvAttrib = "employeeEndDate";
                    dtInt = csentry[csAttrib].IntegerValue;
                    //targetFormat = "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'";
                    targetFormat = "yyyy-MM-ddTHH:mm:ss.000";
                    //targetFormat = "M/d/yyyy h:mm tt";
                    sourceFormat = string.Empty;
                    GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);
                    break;

                case "pwdLastSet":
                    csAttrib = "pwdLastSet";
                    mvAttrib = "pwdLastSet";
                    // IntegerValue throws when the attribute is absent, so read it only if present
                    dtInt = csentry[csAttrib].IsPresent ? csentry[csAttrib].IntegerValue : 0;
                    targetFormat = "M/d/yyyy h:mm tt";
                    sourceFormat = string.Empty;
                    if (csentry[csAttrib].IsPresent && csentry[csAttrib].IntegerValue != 0)
                        GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);
                    //mventry[mvAttrib].Value = ConvertFileTimeToFimTimeStamp(csentry[csAttrib].IntegerValue);
                    else
                        mventry[mvAttrib].Delete();
                    break;

                case "pwdExpires":
                    csAttrib = "pwdLastSet";
                    mvAttrib = "pwdExpires";
                    dtInt = csentry[csAttrib].IsPresent ? csentry[csAttrib].IntegerValue : 0;
                    targetFormat = "M/d/yyyy h:mm tt";
                    sourceFormat = string.Empty;
                    if (csentry[csAttrib].IsPresent && csentry[csAttrib].IntegerValue != 0)
                        GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat, 180);
                    //mventry[mvAttrib].Value = ConvertFileTimeToFimTimeStamp(csentry[csAttrib].IntegerValue);
                    else
                        mventry[mvAttrib].Delete();
                    break;

                case "lastLogonTimestamp":
                    csAttrib = "lastLogonTimestamp";
                    mvAttrib = "lastLogonTimestamp";
                    dtInt = csentry[csAttrib].IsPresent ? csentry[csAttrib].IntegerValue : 0;
                    targetFormat = "M/d/yyyy h:mm tt";
                    sourceFormat = string.Empty;
                    if (csentry[csAttrib].IsPresent && csentry[csAttrib].IntegerValue != 0)
GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);
//mventry[mvAttrib].Value = ConvertFileTimeToFimTimeStamp(csentry[csAttrib].IntegerValue);
else
mventry[mvAttrib].Delete();
break;

case “createdDate”:
csAttrib = “whenCreated”;
mvAttrib = “createDate”;
string dateStr = csentry[csAttrib].StringValue;
targetFormat = “M/dd/yyyy h:mm:ss tt”;
sourceFormat = “yyyyMMddHHmmss.0Z”;
GetDateString(csentry, mventry, dateStr, mvAttrib, sourceFormat, targetFormat);
break;
case “objectSidString”:
string objectSidString = ConvertSidToString(csentry[“objectSid”].BinaryValue);
mventry[“objectSidSTring”].StringValue = objectSidString;
break;

}
}

 

void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
{
//
// TODO: write your export attribute flow code
//

//
// TODO: write your export attribute flow code
//

switch (FlowRuleName)
{

case “accountExpires”:
CultureInfo provider = CultureInfo.InvariantCulture;

if (mventry[“employeeEndDate”].ToString() != “”)
{
//DateTime dtFileTime = DateTime.ParseExact(mventry[“employeeEndDate”].Value, “yyyy’-‘MM’-‘dd’T’HH’:’mm’:’ss’.000′”, provider);
DateTime dtFileTime = DateTime.Parse(mventry[“employeeEndDate”].Value, provider);

csentry[“accountExpires”].IntegerValue = dtFileTime.ToFileTime();
}
else
{
csentry[“accountExpires”].Value = “9223372036854775807”;
}

break;
}
}
#region helper functions

private static void GetDateString(CSEntry csentry, MVEntry mventry, long dtInt, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
{
if (dtInt == 0 || dtInt == 9223372036854775807)
{
// This is a special condition, do not contribute and delete any current value
mventry[mvAttrib].Delete();
}
else
{
DateTime dtFileTime = DateTime.FromFileTime(dtInt).AddDays(days);
if (targetFormat.Equals(“LONG”, StringComparison.OrdinalIgnoreCase))
{
mventry[mvAttrib].Value = dtFileTime.ToLongDateString();

}
else if (targetFormat.Equals(“SHORT”, StringComparison.OrdinalIgnoreCase))
{
mventry[mvAttrib].Value = dtFileTime.ToShortDateString();
}
else
mventry[mvAttrib].Value = dtFileTime.ToString(targetFormat);
// mventry[mvAttrib].Value = DateTime.FromFileTimeUtc(dtInt).ToString(targetFormat);
}
}
//(CSEntry csentry, MVEntry mventry, long dtInt, string mvAttrib, string targetFormat, int days = 0)
private static void GetDateString(CSEntry csentry, MVEntry mventry, string dateStr, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
{
DateTime dt = DateTime.ParseExact(dateStr, sourceFormat, CultureInfo.InvariantCulture);
GetDateString(csentry, mventry, dt.ToFileTime(), mvAttrib, sourceFormat, targetFormat, days);
}

 
private static string ConvertFileTimeToFimTimeStamp(long fileTime)
{
return DateTime.FromFileTimeUtc(fileTime).ToString(“yyyy-MM-ddTHH:mm:ss.000”);
}

private static string ConvertSidToString(byte[] objectSid)
{
string objectSidString = “”;
SecurityIdentifier SI = new SecurityIdentifier(objectSid, 0);
objectSidString = SI.ToString();
return objectSidString;
}

#endregion
}
}


Management Agent Configuration – Part 5: Active Directory Lightweight Directory Service Management Agent


This is Part 5 in a series of commonly used management agents. In Part 1 we looked at configuration of an Active Directory Management Agent (ADMA); in Part 2 we looked at the configuration of the FIM Service Management Agent (FIMMA), and in Part 3 we looked at the configuration of a Microsoft SQL Management Agent (SQLMA) and, finally, in Part 4 we configured a Delimited Text File Management Agent. With this post, we’ll take a look at what I consider to be the last of the most commonly used management agent types: Active Directory Lightweight Directory Service.

 

As before, to begin navigate to your Synchronization server.

 

From here, click “Create”. Using the “Management agent for:” drop-down menu, select “Active Directory Lightweight Directory Services”. Enter a name, then click “Next”.

01

 

In the “Connect to Active Directory Lightweight Directory Services” screen, enter a server, port, username/password and domain, then click “Next” to continue.

02

 

Under “Configure Directory Partitions”, select the AD-LDS partition you’d like to connect to, then click “Containers” at the bottom.

03

 

This will open the “Select Containers” dialogue. Select the AD-LDS containers you’d like to manage, then click “OK”. This will return you to the “Configure Directory Partitions” screen. Click “Next” to continue.

03a

 

As with Active Directory Directory Services, if you need MIM to auto-create containers as part of object provisioning, complete this section. Otherwise, you may leave it default and click “Next” to continue.

04

 

Under “Select Object Types”, select the object types in AD-LDS you wish to manage (for example, “user”). Click “Next” to continue.

05

 

Under “Select Attributes”, you may select any and all attributes you wish to manage that will be present in your AD-LDS instance, then click “Next” to continue.

06

 

Here we see some commonly selected attributes.

06a

 

Unless you have a specific need to filter objects, you may leave this section default and click “Next” to continue.

07

 

Next, we must configure a join rule. Click “New Join Rule”.

08

 

Under “data source attribute”, select an attribute to attempt a join on, together with a corresponding attribute under “metaverse attribute”. Here, I am attempting a join from “employeeID” (a standard AD-LDS attribute) to “PoliticianID” (a custom metaverse attribute I created). Click “Add Condition”. You may receive the following message; if so, click “OK”, then click “Next” to continue.

08a

 

Here, you may configure your direct attribute flows if you plan to use provisioning code, or if you only plan to flow updated values to existing objects (no provisioning). If you intend to use synchronization rules (a portal-based environment) you may leave this section blank and click “Next” to continue.

09

 

In this scenario, I am deploying a sync only solution driven by provisioning code. Here you can see my configured attribute flows.

09a

 

Here you must choose how you’d like to handle deprovisioning. Here’s an in-depth look at disconnectors, explicit disconnectors and deletions. Once you have made your selection, click “Next” to continue.

10

 

Finally, click “Finish” to complete.

11

 

We should now see our newly created management agent.

 

 

Questions? Comments? Love FIM/MIM so much you can’t even stand it?

EMAIL US!

>WE WANT TO HEAR FROM YOU<

## https://blogs.msdn.microsoft.com/connector_space##

Sync Rule Walk Through: Inbound User Synchronization Rule


 

While we’ve touched on sync rules in the past with some examples, I’d like to dedicate some time to actually stepping through the creation of various types of sync rules. To start off, we’re going to do what I would consider the most common and one of the first (if not the first) to be created in most environments: inbound users from AD. Now, the “from AD” piece, while it matters, is secondary. The main purpose of sync rules is to move objects (users, groups, etc.) and/or their attributes from point A to point B. That being said, there are subtle differences between sync rules to/from different data sources (such as AD, SQL, Oracle, etc.). Aside from that, the primary reason I like to call out the data source in the name is for human readability. When I create a sync rule named

“Inbound Users from Contoso AD”

it tells me everything I need to know: the direction relative to MIM (inbound), the object class being managed (users) and the connected data source (Contoso AD).

To begin, click on “Administration” in the bottom left-hand corner. This will open the “Administration” screen. Here, select “Synchronization Rules”. When the “Synchronization Rules” screen opens, at the top, select “New”:

01

 

This will open the “Create Synchronization Rule” dialogue. Enter a Display Name and (optionally) a Description. Select a Data Flow Direction (in this case, “Inbound”), and click “Next” to continue.

02

 

Now we must scope this SR to an object class and data source. For Metaverse Resource Type, select “person”. Under External System select the Active Directory you wish to connect to. *NOTE: If this were, for example, a SQLMA, we would instead select SQL from the drop down menu.* Under External System Resource Type, select “user”. Please note, while there are “Inbound System Scoping Filters”, the use case is less common and not covered in this scenario. Click “Next” to continue.

03

 

Under “Relationship Criteria”, we must define a relationship mapping. This will be, ideally, a globally unique value mapped for the purpose of effecting joins. In my lab, I am using a custom attribute (PoliticianID) mapped to employeeID. Also, please note, if you would like these users to actually be created in the MIM portal if they do not already exist, you MUST select Create Resource in FIM. Failure to select this checkbox will result in a new user from AD not being created in the portal and also not giving an error. After all, you didn’t tell it to create the user, so it didn’t. This is easily missed and can be mildly infuriating.

04

 

Next, we must define some attribute flows. In a code driven, sync only solution, these flows would have been created directly on the ADMA under the “Configure Attribute Flow” tab. Now, in an SR based solution, we simply move those flows here. Click New Attribute Flow and select your data source object. Next, click on the Destination tab and select the data target attribute, then click OK.

05

 

Here are some example flows from my environment. Please note that, while there are certainly commonly used attributes and flows, this will in large part be defined by your environment. I don’t know your business or data and cannot even begin to guess at what attributes you need. Also, please remember that in certain data sources (such as Active Directory), attributes may have peculiar or unclear names that don’t directly match MIM attributes. For example, “givenName” in AD maps to “firstName” in MIM.

06

 

Also note that you are not limited to static flows. For example, your environment may have multiple AD forests or domains. As such, you may have multiple SRs bringing users into the portal. For human readability in the portal, it’s nice to have a “domain” attribute set, and this can be easily done with a string value on the ISR. Rather than selecting an attribute, scroll to the bottom and select “string”.

07

Then enter the friendly name of your domain. Under the Destination tab, select “domain”.

08

 

Once you have reviewed and are satisfied with the values, click “Submit” to create the sync rule.

09

 


Sync Rule Walk Through: Outbound System Scoping Filter User Synchronization Rule


 

Welcome to Part 2 of the “Sync Rule Walk Through” series. In Part 1 we talked about an inbound user synchronization rule from AD into MIM. Now that we have users in the portal, the next logical step is getting them back out. As with the inbound sync rule example, this one will be connecting to AD and, please remember, there are subtle differences between connected data sources. Also worth noting is there are two types of outbound sync rules: traditional (based on a sync policy with a set, workflow and MPR) and system scoping filter based. In this scenario, we will be focusing on the latter.

 

As before, click on “Administration” in the bottom left-hand corner. This will open the “Administration” screen. Here, select “Synchronization Rules”. When the “Synchronization Rules” screen opens, at the top, select “New”:

01

 

As before, enter a Display Name and, optionally, a Description. For Data Flow Direction, this time select “Outbound”. Now, we must choose how to apply; “to specific metaverse resources of this type based on Outbound Synchronization Policy” or “To all metaverse resources of this type according to Outbound System Scoping Filter”. For a discussion on the primary differences between these two, please see here. Click “Next” to continue.

02

 

As with the ISR, we must define the scope. In similar fashion, for Metaverse Resource Type, select “person”. For External System select your AD, and for External System Resource Type select “user”. Now, however, we must define an Outbound System Scoping Filter. This scoping filter determines which user objects this rule applies to and, as such, which will get synced out to AD.

Here, I am using the filter “email contains @adatum.com”. The logic is as follows: during my new hire onboarding process, there are several stages where approval is required. A new employee may be hired, but prior to having their account created in AD or their mailbox created, they must complete new hire training for HR. Once that has been completed, the final box gets checked and an email address is created for them in the portal. Seeing as, in my environment, email address creation in MIM is the final step, I now know this user is ready to be created in AD (and anywhere else they may exist). Again, please note this will be specific to your environment. I don’t know your business or your data and can’t tell you what to use here.

03

 

As before, we must now define the Relationship Criteria. Also as before, in this example I will be using the (custom) attribute “PoliticianID” in MIM mapped to “employeeID” in AD. Also, where we checked Create resource in FIM before, we must now check Create resource in external system. Failing to do so will result in a user not being provisioned to AD. Again, you didn’t tell it to create the object, so it didn’t (no error generated).

04

 

As with the ISR, attribute flows must be defined. Also, as with the ISR, please be aware of the differences in attributes between MIM and your connected data source (i.e., firstName –> givenName).

05

 

Here is a significant difference between inbound and outbound sync rules: initial flows. There are certain attributes that we should flow initially. For example, I like to flow an integer value of 0 to “pwdLastSet”. This will force my newly provisioned user to change their password the first time they login to AD. Likewise, I use a custom expression to set an initial value for “unicodePWD”. This is their default password the first time they log in to AD. The other significant point to note here is the necessity to build the dn for a newly provisioned user. This can be either a static path or, as shown below, dynamically built by a series of attributes. While I may cover this more in-depth at a later date, for the time being I will not. Again, please remember these are just example flows from my environment and are not meant to be taken as the word of law.

06

 

Once you have reviewed everything on the “Summary” tab, click “Submit” to create your outbound system scoping filter based OSR.

LAST

 


Outbound Synchronization Rule Type Application – Explained


Something I get asked about a lot are the different types of outbound synchronization rules. When creating a new outbound synchronization rule, the astute observer will notice there are two specific types here:

01

Those of you who remember the old days of FIM 2010 RTM will recall we only had the first type available to us. To get users from FIM out to AD or wherever, in addition to the sync rule you had to create a set, workflow and MPR. In those days, a criteria based set would define the users who we wished to sync out. A set transition MPR would detect the change and fire the workflow (which called the actual sync rule) against the members of the set. That process was OK and we didn’t know any better because that was the only option we had.

Then along came FIM 2010 R2 and with it came the concept of system scoping filters. These days, many people use them, with their lack of sets/workflows/MPRs and much prefer the simplicity, but not many understand the true differences between the two and why, if possible, you should use these – from a performance perspective if nothing else.

As such, with this post I’d like to dig deeper into what are, in my opinion, the two primary differences between what I will call “traditional” and “scoping filter” outbound sync rules.

The first thing I’d like to talk about are what we call Expected Rule Entries (or EREs for short). EREs do a couple of things, but their primary purpose is to create a relationship between an object and the sync rule that applies to it. While that piece is all fine and good, my problem with EREs is that they can cause a performance hit in larger environments. To understand why, let’s first talk about how they get applied/stored.

I like to describe EREs as sort of like barcodes applied to the objects by the sync rule managing them. When a large mega retailer stocks their warehouses, do they just back up the trucks and dump everything out? No, because then they’d have no way of efficiently sorting through everything or finding specific items. In much the same way, MIM cannot simply dump 350,000 users into a metaverse without any way of cataloguing, associating or locating them. This is where EREs come into play.

As an outbound sync rule applies to an object type, let’s say a user, and carries them out of the portal, through the MIMMA connector space and metaverse and drops them in the target connector space, it stamps each user with an ERE identifying that user as essentially belonging to that sync rule. While this may not on the surface sound like a big deal, consider that all these EREs must go somewhere. In this case, that somewhere is the MIMSynchronization database. And while it is also true that an ERE is nothing more than a bit of text (like a GUID), if you have enough of them it becomes significant. Think of it this way: while a grain of sand may be tiny, all of the vast deserts and endless beaches in the world are made of sand. A billion of anything, no matter how small, when piled up becomes significant.

“But I don’t have a billion users, so what’s the problem?” you may be asking. True, you probably don’t, but these EREs are created on specific objects by each sync rule that touches them. Let’s say you have 100k users, a single AD and a single sync rule – you have 100k EREs.

01

 

Now, let’s say you have 100k users and two ADs (prod and QA, for example). Now you have two sync rules and 200k EREs.

02

 

What if you’re a global corporation and, for whatever reason, you have 3 forests with the same 100k users in each?

03

 

I realize this may not be realistic (why have multiple forests with the same users?) but it illustrates my point. Still, that doesn’t change the fact that if you’re a very large organization with hundreds of thousands of users spread across multiple forests in different geographies, you’re probably going to have a lot of outbound sync rules. My point, then, is that in a real-world scenario, it’s entirely plausible that your very large organization may well have hundreds of thousands (if not millions) of EREs just sitting there in the sync database, taking up space and slowing things down.

In addition to EREs, a “traditional” outbound sync rule (OSR for short) relies on a set, a workflow and a management policy rule to function. Not so bad, right? Let me clarify: you need a set, workflow and MPR for each traditional OSR. Have 50 outbound sync rules? Guess what, you’ll get to create 50 sets, 50 workflows, and 50 management policy rules, too. More moving parts equals more complexity; more complexity equals higher probability things will break down.

By contrast, an outbound system scoping filter based sync rule doesn’t utilize a set, a workflow or an MPR; nor does it create EREs in your sync database. So, while those two aspects alone are reason enough to use this type over a traditional rule, they’re still not the reason I prefer them. Rather, I appreciate the speed boost I pick up during a sync job. To better understand the speed difference, allow me to explain with this example:

With a traditional rule (set/workflow/MPR), the Built-in Synchronization Account climbs up on a soap box with a megaphone and announces, “Everybody line up, single file”. He then proceeds to go to each person in line and individually asks them, “Do you have an update?”. Let’s say there are 100k users and only 5 have a change; he must still ask all 100k people individually. Once all 100k have been asked and the 5 with changes identified, he tells them to get on the boat (sync rule) and leave the island (connector space).

With a system scoping filter based outbound sync rule, the Built-in Synchronization Account again climbs up on his soap box with a megaphone, only this time he says, “Raise your hand if you have an update”. Of the 100k users, the 5 changed people raise their hands and he tells them to leave. So, under the traditional method he may ask the same questions one hundred thousand times; with a scoping filter sync rule, he asks one question one time to one hundred thousand people.

Now, granted, for a single AD with 100k users, there might not be a huge difference in speed. If, however, you’re a giant organization with dozens of sync rules and hundreds of thousands of users, this can become significant.

“So”, you may be asking, “why wouldn’t I just use scoping filter sync rules all the time? Why does the other option even still exist?”. Two reasons: The first being scoping filters are designed really with a single criterion in mind (i.e., “employeeType equals FTE”). If you need to use two or more they become an “and”, as there is no concept of “or”. In certain circumstances this may be desirable, such as “employeeType equals FTE” and “location equals Kentucky”. But what do we do if the second scope needs to be “location equals Kentucky or Texas”? With a scoping filter sync rule there is no way to accomplish this. In this case, you’d have to use a traditional sync rule (and you can specify and/or on the criteria of a set).

 

 


(WAL) – Workflow Example – Removal of a multivalued reference attribute


Special Thanks to Mr. David Hodge for putting the WAL Workflow Documentation together

Things to keep in mind

• The RemoveValues function requires a “List” to be passed to it. Passing a single GUID to the RemoveValues function didn’t seem to do it.
• Below is an example PowerShell activity that builds a list of object GUIDs to pass to the Update Resources activity.

Referencing https://social.technet.microsoft.com/Forums/en-US/63213b2d-4f31-416d-8e70-b871f37a7db8/removevaluesstringlist-not-removing-values?forum=Mimwal

Below is how I modified it… We could probably be more elegant by add

function New-GenericObject
{
    <#
    .Synopsis
        Create a new generic object.
    .Description
        Create a new generic object.
    .Example
        New-GenericObject -TypeName System.Collections.Generic.List -TypeParameters Microsoft.MetadirectoryServices.CSEntryChange
    #>
    [CmdletBinding()]
    [OutputType([object])]
    param(
        [parameter(Mandatory = $true)]
        [string]
        $TypeName,

        [parameter(Mandatory = $true)]
        [string[]]
        $TypeParameters,

        [parameter(Mandatory = $false)]
        [object[]]
        $ConstructorParameters
    )

    process
    {
        # Open generic type names carry their arity after a backtick, e.g. System.Collections.Generic.List`1
        $genericTypeName = $TypeName + '`' + $TypeParameters.Count
        $genericType = [Type]$genericTypeName

        if (!$genericType)
        {
            throw "Could not find generic type $genericTypeName"
        }

        # Bind the type arguments to it
        $typedParameters = [type[]] $TypeParameters
        $closedType = $genericType.MakeGenericType($typedParameters)

        if (!$closedType)
        {
            throw "Could not make closed type $genericType"
        }

        # Create the closed version of the generic type, don't forget the comma prefix
        # (it stops PowerShell from unrolling the new, empty List into nothing)
        ,[Activator]::CreateInstance($closedType, $ConstructorParameters)
    }
}

$MembersToAdd = New-GenericObject System.Collections.Generic.List Microsoft.ResourceManagement.WebServices.UniqueIdentifier
$MembersToRemove = New-GenericObject System.Collections.Generic.List Microsoft.ResourceManagement.WebServices.UniqueIdentifier

#########################################################
# Example of how to add/remove a MIM Object by GUID
#########################################################
#$FIMService = New-Object Microsoft.ResourceManagement.WebServices.UniqueIdentifier("e05d1f1b-3d5e-4014-baa6-94dee7d68c89")
#$BuiltInSyncAccount = New-Object Microsoft.ResourceManagement.WebServices.UniqueIdentifier("fb89aefa-5ea1-47f1-8890-abe7797d6497")
#$MembersToAdd.Add($FIMService)
#$MembersToAdd.Add($BuiltInSyncAccount)
#$MembersToRemove.Add($FIMService)
#$MembersToRemove.Add($BuiltInSyncAccount)

# Placeholder ObjectID: replace with the GUID of the reference value you want removed
$ObjectID = New-Object Microsoft.ResourceManagement.WebServices.UniqueIdentifier("e05d1f1b-3d5e-4014-baa6-999999999999")
$MembersToRemove.Add($ObjectID)

# Both lists are returned to the workflow so the Update Resources activity can hand them to AddValues/RemoveValues
return @{ "MembersToAdd" = $MembersToAdd; "MembersToRemove" = $MembersToRemove }

 

Rules Extensions –Understanding Date Time Conversion Part 1


 

 

Recently I have received several questions and “ridiculous” comments on the posting 2 Way Account Expires Rules Extension. Before I continue, please understand that this blog site is intended to be a guide and a tool to assist with your Identity Management solution. Without knowing what modifications, changes or updates have been applied to your environment there is NO way that I can guarantee that the information provided in this blog will be 100% correct for you. I can say that every effort has been made to ensure that the information is correct and properly tested. For example, the posting that seems to be causing the most concern is from an actual working lab. This leads me to believe that the blog posting could possibly need some further detail.

This image shows the account “Samuel Adams” having the “accountExpires” attribute changed to “Monday, December 25, 2017”.

image1

This Next image shows the change within the “Attribute Editor” Tab within ADUC

image2

This next image shows what the newly set date of “Monday, December 25, 2017” looks like under the hood, so to speak.

image3

After running an Import on the Management Agent which is connected to the Active Directory Environment that the change was made on we now see an update which is coming into the connector space for that object.

image4

Before we go into the attribute flow of accountExpires to employeeEndDate, let’s look at the Management Agent that just picked up that change. Notice in the Attribute section I have the following attributes selected: accountExpires, lastLogonTimestamp and pwdLastSet.

image5

Now let’s look at the Attribute Flow settings.

image6

Now let’s look at the change that came into the Connector Space for the account whose accountExpires date we changed.

image7

If we look at this object from the Metaverse we will see the value that was inserted via the Inbound Attribute Flow on the MA that connects to our data source.

image8

Navigate back to the Management Agents tab on the Synchronization Service console and right-click the “FIMMA”, or whichever MA you use to connect to the FIM Service / MIM Service. Select Search Connector Space, set the scope to “Pending Export”, select the “modify” filter and click Search. Locate the object that represents the account whose accountExpires attribute was changed in Active Directory. Notice that the attribute “EmployeeEndDate” has a value, and notice its format, including the “T” in the middle of the date/time value. If the “T” is not in the DateTime value, FIM / MIM will fail to recognize the value.

image9

Run an Export on the FIMMA / MIMMA and verify that the object was exported into the FIM / MIM Portal.

Now locate the object in the FIM / MIM Portal and within the “Work Info” Tab which is the default location you will find the “Employee End Date” attribute and the value should now match the value defined in Active Directory.

image10

If for some reason you can not locate the “Employee End Date” attribute the RCDC may have been modified and the attribute could have been moved to a different TAB or removed from the UI all together. You can always locate the attribute by clicking on the “Advanced View”  button at the bottom of the popup window and click on “Extended Attributes”

Notice the format of the DateTime now as it is being displayed in the FIM / MIM Portal

image11

Now that we have successfully modified the Employee End Date via the accountExpires attribute on an object in Active Directory, let’s demonstrate what happens when we update the “Employee End Date” of the same object in the FIM / MIM Portal.

Update the object in the FIM / MIM Portal to a completely new date for the “Employee End Date”, save the change and run an Import on the “FIMMA / MIMMA”

image12

Verify the change has been brought into the Connector Space of the “FIMMA / MIMMA”.

image13

Run a sync on the “FIMMA / MIMMA”, verify the result, and then run an Export on the “ADMA” or whichever MA is connected to the Active Directory source in which you wish the object to be updated.

Check the “accountExpires” attribute in Active Directory

image14

If for some reason this doesn't work, verify the following:

1. The "FIMMA / MIMMA" has a direct attribute flow for EmployeeEndDate --> employeeEndDate.

2. "Use equal precedence" is selected for the "employeeEndDate" attribute in the Metaverse. With equal precedence the most recent contributor wins, which is what lets either Active Directory or the Portal update the value; with ranked precedence only the highest-ranked MA can change it.

3. The attribute flow on the "ADMA" maps accountExpires to employeeEndDate.

4. The rules extension that performs the conversion is the one in use; see the next post, Rules Extensions – Understanding Date Time Conversion Part 2.

Rules Extensions –Understanding Date Time Conversion Part 2



In this post we continue looking at how functions in a rules extension manage DateTime attributes flowing into and out of the Metaverse. The most common use of these DateTime functions is converting the accountExpires attribute in Active Directory to the employeeEndDate attribute in the FIM / MIM Portal.

Now let's take a look at the "MapAttributesForImport" section of a Management Agent rules extension. This method handles inbound attribute flow: it takes attributes from the Connector Space (in simpler terms, a copy of the data source) and maps them into the Metaverse, from where they can flow on to other data sources, if any.

You will notice that all the flow rules in this example deal with DateTime values in one format or another, so to simplify the code I have added a helper function that all of them feed values into. Five variables are declared at the top of the method:

1. string csAttrib;
2. string mvAttrib;
3. long dtInt;
4. string targetFormat;
5. string sourceFormat;

void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
{
    string csAttrib;
    string mvAttrib;
    long dtInt;
    string targetFormat;
    string sourceFormat;

    // Timestamp format the FIM / MIM Service expects. The literal "T" between date and time is required;
    // the quoted form "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'" is equivalent, since characters that are not
    // format specifiers are emitted as-is.
    switch (FlowRuleName)
    {
        case "getDate":
            // Stamp a deprovision date 90 days out once the object has lost its AD connector.
            // ADMA1 is a string field holding the AD management agent's name, declared elsewhere in the class.
            mvAttrib = "deprovisionDate";
            if (mventry.ConnectedMAs[ADMA1].Connectors.Count == 0)
            {
                DateTime depoDate;
                bool hasValidDate = mventry[mvAttrib].IsPresent
                    && !string.IsNullOrWhiteSpace(mventry[mvAttrib].Value)
                    && DateTime.TryParse(mventry[mvAttrib].Value, out depoDate);

                // Only stamp a date when no valid one exists, so the date is not pushed
                // forward by another 90 days on every import sync.
                if (!hasValidDate)
                {
                    mventry[mvAttrib].Value = DateTime.Now.AddDays(90).ToString("yyyy-MM-ddTHH:mm:ss.000");
                }
            }
            break;

        case "removeDate":
            // Clear the deprovision date once the object is connected to AD again.
            mvAttrib = "deprovisionDate";
            if (mventry.ConnectedMAs[ADMA1].Connectors.Count == 1)
            {
                if (mventry[mvAttrib].IsPresent)
                {
                    mventry[mvAttrib].Values.Clear();
                }
            }
            break;

        case "employeeEndDate":
            // accountExpires is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) held as a 64-bit integer.
            csAttrib = "accountExpires";
            mvAttrib = "employeeEndDate";
            targetFormat = "yyyy-MM-ddTHH:mm:ss.000";
            sourceFormat = string.Empty;
            if (csentry[csAttrib].IsPresent)
            {
                // Reading IntegerValue of an absent attribute throws, so check IsPresent first.
                dtInt = csentry[csAttrib].IntegerValue;
                GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);
            }
            else
            {
                mventry[mvAttrib].Delete();
            }
            break;

        case "pwdLastSet":
            csAttrib = "pwdLastSet";
            mvAttrib = "pwdLastSet";
            targetFormat = "M/d/yyyy h:mm tt";
            sourceFormat = string.Empty;
            if (csentry[csAttrib].IsPresent && csentry[csAttrib].IntegerValue != 0)
            {
                dtInt = csentry[csAttrib].IntegerValue;
                GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);
            }
            else
            {
                mventry[mvAttrib].Delete();
            }
            break;

        case "pwdExpires":
            // Password expiry is derived from pwdLastSet plus the maximum password age;
            // 180 days is used here, adjust it to your domain's password policy.
            csAttrib = "pwdLastSet";
            mvAttrib = "pwdExpires";
            targetFormat = "M/d/yyyy h:mm tt";
            sourceFormat = string.Empty;
            if (csentry[csAttrib].IsPresent && csentry[csAttrib].IntegerValue != 0)
            {
                dtInt = csentry[csAttrib].IntegerValue;
                GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat, 180);
            }
            else
            {
                mventry[mvAttrib].Delete();
            }
            break;

        case "lastLogonTimestamp":
            csAttrib = "lastLogonTimestamp";
            mvAttrib = "lastLogonTimestamp";
            targetFormat = "M/d/yyyy h:mm tt";
            sourceFormat = string.Empty;
            if (csentry[csAttrib].IsPresent && csentry[csAttrib].IntegerValue != 0)
            {
                dtInt = csentry[csAttrib].IntegerValue;
                GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat);
            }
            else
            {
                mventry[mvAttrib].Delete();
            }
            break;

        case "createdDate":
        {
            // whenCreated is an LDAP generalized time string in UTC (e.g. 20170119143000.0Z), not a FILETIME,
            // so it goes through the string overload of the helper with an explicit source format.
            csAttrib = "whenCreated";
            mvAttrib = "createDate";
            targetFormat = "M/dd/yyyy h:mm:ss tt";
            sourceFormat = "yyyyMMddHHmmss.0Z";
            if (csentry[csAttrib].IsPresent)
            {
                string dateStr = csentry[csAttrib].StringValue;
                GetDateString(csentry, mventry, dateStr, mvAttrib, sourceFormat, targetFormat);
            }
            else
            {
                mventry[mvAttrib].Delete();
            }
            break;
        }
    }
}

Notice that all the flow rules above call the same helper function, "GetDateString", passing the variables set at the top of the method: GetDateString(csentry, mventry, dtInt, mvAttrib, sourceFormat, targetFormat).

The helper function below takes the values supplied by the calling flow rule and converts the source DateTime to the desired target format. One helper can serve many flow rules because each rule sets the variables needed for its own conversion. The helper needs using System.Globalization; (for CultureInfo and DateTimeStyles) alongside the usual using Microsoft.MetadirectoryServices;.

// Requires: using System; using System.Globalization; using Microsoft.MetadirectoryServices;

private static void GetDateString(CSEntry csentry, MVEntry mventry, long dtInt, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
{
    // 0 and long.MaxValue (9223372036854775807) are AD's "not set" / "never expires" sentinels:
    // do not contribute a value, and delete any current one.
    if (dtInt == 0 || dtInt == long.MaxValue)
    {
        mventry[mvAttrib].Delete();
    }
    else
    {
        // FromFileTime converts to local time; FromFileTimeUtc would keep the value in UTC.
        // Whichever you choose, the export side (ToFileTime vs. ToFileTimeUtc) must use the same convention,
        // otherwise every round trip shifts the value by the server's UTC offset.
        DateTime dtFileTime = DateTime.FromFileTime(dtInt).AddDays(days);
        if (targetFormat.Equals("LONG", StringComparison.OrdinalIgnoreCase))
        {
            mventry[mvAttrib].Value = dtFileTime.ToLongDateString();
        }
        else if (targetFormat.Equals("SHORT", StringComparison.OrdinalIgnoreCase))
        {
            mventry[mvAttrib].Value = dtFileTime.ToShortDateString();
        }
        else
        {
            // Invariant culture so the output does not depend on the sync server's regional settings.
            mventry[mvAttrib].Value = dtFileTime.ToString(targetFormat, CultureInfo.InvariantCulture);
        }
    }
}

// Overload for string-valued source attributes such as whenCreated: parse with the given source format
// and hand the resulting FILETIME to the integer overload above.
private static void GetDateString(CSEntry csentry, MVEntry mventry, string dateStr, string mvAttrib, string sourceFormat, string targetFormat, int days = 0)
{
    // Generalized time values ending in "Z" are UTC. AssumeUniversal honours that and returns a local-kind
    // DateTime, so ToFileTime() (which treats Unspecified and Local kinds as local time) yields the correct FILETIME.
    DateTime dt = DateTime.ParseExact(dateStr, sourceFormat, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);
    GetDateString(csentry, mventry, dt.ToFileTime(), mvAttrib, sourceFormat, targetFormat, days);
}


Now let's take a look at the "MapAttributesForExport" section of a Management Agent rules extension. This method handles outbound attribute flow: from the Metaverse to the Connector Space (in simpler terms, a copy of the data source).

void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
{
    switch (FlowRuleName)
    {
        case "accountExpires":
            CultureInfo provider = CultureInfo.InvariantCulture;

            if (mventry["employeeEndDate"].IsPresent && !string.IsNullOrWhiteSpace(mventry["employeeEndDate"].Value))
            {
                // employeeEndDate arrives from the Portal as "yyyy-MM-ddTHH:mm:ss.000"; DateTime.Parse handles
                // that ISO-style form. The result has Kind Unspecified, which ToFileTime treats as local time,
                // matching FromFileTime on the import side.
                DateTime dtFileTime = DateTime.Parse(mventry["employeeEndDate"].Value, provider);
                csentry["accountExpires"].IntegerValue = dtFileTime.ToFileTime();
            }
            else
            {
                // No end date in the Metaverse: write AD's "never expires" sentinel (9223372036854775807).
                // accountExpires is an integer attribute, so use IntegerValue rather than the string Value.
                csentry["accountExpires"].IntegerValue = long.MaxValue;
            }
            break;
    }
}

To keep the example simple, the MapAttributesForExport section contains only the flow that converts the "employeeEndDate" attribute in the Metaverse to the "accountExpires" attribute in AD, because this is probably the only DateTime attribute in AD you would ever set from outside Active Directory.

Notice the formats of the source and the target. Here the target is the AD object's "accountExpires" attribute, which accepts only one format (a FILETIME integer), and the "employeeEndDate" attribute in the Metaverse should only ever be in the Portal's "yyyy-MM-ddTHH:mm:ss.000" format, so I did not use the helper function.
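The following PowerShell is an added example, not code from this post or from the rules extension above. It reproduces the same conversions the extension performs (FILETIME to the FIM timestamp with the required "T", the two AD sentinel values, the export back to accountExpires, and the whenCreated generalized-time path), so you can check on a sync server what a given accountExpires value should have become in the Connector Space (the "Pending Export" check from the previous post) and what a Portal "Employee End Date" will be written back as. The sample values are constructed; the account name in the optional AD lookup at the end is a placeholder.

```powershell
# Added example: FILETIME <-> FIM timestamp conversions as done by the rules extension, runnable stand-alone.
$FimTimestampFormat = 'yyyy-MM-ddTHH:mm:ss.000'   # the literal "T" is what the FIM / MIM Service expects
$AdNeverExpires     = [long]::MaxValue            # 9223372036854775807; AD also treats 0 as "never expires"
$Invariant          = [Globalization.CultureInfo]::InvariantCulture

function ConvertFrom-AdFileTime {
    # FILETIME (100-ns ticks since 1601-01-01 UTC, stored as Int64) -> FIM timestamp string.
    # Returns $null for the two sentinel values, mirroring the extension's Delete() branch.
    param(
        [Parameter(Mandatory = $true)][long]$FileTime,
        [int]$AddDays = 0,     # e.g. 180 to derive a password expiry from pwdLastSet
        [switch]$Utc           # FromFileTimeUtc keeps UTC; FromFileTime (the default) converts to local time
    )
    if ($FileTime -eq 0 -or $FileTime -eq $AdNeverExpires) { return $null }
    $dt = if ($Utc) { [DateTime]::FromFileTimeUtc($FileTime) } else { [DateTime]::FromFileTime($FileTime) }
    return $dt.AddDays($AddDays).ToString($FimTimestampFormat, $Invariant)
}

function ConvertTo-AdFileTime {
    # FIM timestamp string (or nothing) -> FILETIME. An empty value maps to "never expires",
    # exactly what the MapAttributesForExport branch writes when employeeEndDate is absent.
    param([AllowNull()][AllowEmptyString()][string]$FimTimestamp, [switch]$Utc)
    if ([string]::IsNullOrWhiteSpace($FimTimestamp)) { return $AdNeverExpires }
    $dt = [DateTime]::Parse($FimTimestamp, $Invariant)   # Kind is Unspecified, treated as local by ToFileTime
    if ($Utc) { return [DateTime]::SpecifyKind($dt, [DateTimeKind]::Utc).ToFileTimeUtc() }
    return $dt.ToFileTime()
}

function ConvertFrom-AdGeneralizedTime {
    # whenCreated comes back as LDAP generalized time, e.g. "20170119143000.0Z" (UTC), not as a FILETIME.
    # AssumeUniversal honours the trailing Z and yields a local-kind DateTime, so ToFileTime() is correct.
    param([Parameter(Mandatory = $true)][string]$GeneralizedTime)
    $dt = [DateTime]::ParseExact($GeneralizedTime, 'yyyyMMddHHmmss.0Z', $Invariant,
                                 [Globalization.DateTimeStyles]::AssumeUniversal)
    return $dt.ToFileTime()
}

# --- constructed sample values, not real directory data ---
$expiry  = New-Object DateTime -ArgumentList 2017, 1, 19, 14, 30, 0, ([DateTimeKind]::Utc)
$samples = [ordered]@{
    'not set (0)'   = [long]0
    'never expires' = $AdNeverExpires
    '2017-01-19Z'   = $expiry.ToFileTimeUtc()
}
foreach ($s in $samples.GetEnumerator()) {
    $fim  = ConvertFrom-AdFileTime -FileTime $s.Value
    $back = ConvertTo-AdFileTime -FimTimestamp $fim
    '{0,-14} accountExpires={1,-20} employeeEndDate={2,-24} exportsBackAs={3}' -f `
        $s.Key, $s.Value, $(if ($fim) { $fim } else { '<deleted>' }), $back
}

# whenCreated through the same path (shown in local time unless -Utc is used)
ConvertFrom-AdFileTime -FileTime (ConvertFrom-AdGeneralizedTime '20170119143000.0Z')

# Optional live comparison (needs the ActiveDirectory RSAT module; 'jdoe' is a placeholder):
# $u = Get-ADUser -Identity 'jdoe' -Properties accountExpires
# ConvertFrom-AdFileTime -FileTime $u.accountExpires
```

Two things the output makes visible: an accountExpires of 0 ("not set") produces no employeeEndDate, and when that empty value is exported back it becomes 9223372036854775807, which AD treats the same way, so the account's behaviour does not change. And because FromFileTime and ToFileTime both use local time, the real date round-trips to the identical FILETIME; mixing FromFileTimeUtc on import with ToFileTime on export (or the reverse) would shift the expiry by the server's UTC offset on every pass through the sync engine.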


Installing MIM Synchronization Service with an Offline Spare



Using This Guide:

Introduction:

This document is intended to be used as an operational build document for the Microsoft Identity Manager 2016 Synchronization Server installation. You may perform a search and replace on the variables listed below to create a detailed build guide customized for your environment.

Document Variables:

Search and Replace Variable        Description
[Domain]                           The domain's common name.
[Offline Sync Server]              The Offline MIM Synchronization Server's common name.
[Offline Sync Server IP]           The Offline Synchronization Server's IP address.
[Primary Sync Server]              The Primary Synchronization Server's common name.
[Primary Sync Server IP]           The Primary Synchronization Server's IP address.
[SQL Server]                       The SQL Server's common name.
[SQL Server IP]                    The SQL Server's IP address.
[SQL Server Instance]              The Microsoft SQL Server instance name.
[Synchronization Service Account]  The service account that the MIM Synchronization Service runs under.
[Install Account]                  The installation account used to perform installation and upgrades of the MIM Synchronization Service software.
[Admin Group Name]                 The name of the Synchronization Server client's Administrators security group.
[Operators Group Name]             The name of the Synchronization Server client's Operators security group.
[Joiners Group Name]               The name of the Synchronization Server client's Joiners security group.
[Browse Group Name]                The name of the Synchronization Server client's Browse security group.
[PW Group Name]                    The name of the Synchronization Server client's Password Management security group.

Requirements:

Virtual Server / Hardware Requirements:

Please reference the following document for best practice guidance on MIM Synchronization Server configurations.

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms

In this Synchronization Server build example, we install two Windows Server 2012 R2 virtual servers: the Primary Synchronization Server and an Offline Spare Synchronization Server. Each server should have a minimum of 2 virtual CPUs and 32 GB of RAM. The two servers in this example have the following disk allocations:

C:\ 100 GB Operating System and software

E:\ 200 GB MIM 2016, associated management agents and rules extensions



SQL Server Requirements:

Please reference the following Microsoft document for best practice guidance on SQL server configuration settings and builds for MIM Synchronization Server.

https://docs.microsoft.com/en-us/microsoft-identity-manager/mim-best-practices

In this Synchronization Server build example, we install a separate Microsoft SQL Server 2016 named instance called SYNC.



Server Names and Related Information:

Hostname                 IP Address (Public)         Description
[Offline Sync Server]    [Offline Sync Server IP]    Offline Spare Synchronization Server
[Primary Sync Server]    [Primary Sync Server IP]    Primary Synchronization Server
[SQL Server]             [SQL Server IP]             SQL Server


Account Requirements:

The following new Active Directory domain accounts are needed to support the installation:

[Synchronization Service Account]
    Usage: Service account for the Synchronization Service, with SQL Server database access.
    Notes: Deny log on as a batch job; Deny log on locally; Deny access to this computer from the network; SQL Server admin rights to the FIMSynchronizationService database. These deny rights are what keep a service account with database rights from being usable for interactive or remote logon.

[Install Account]
    Usage: The account used to perform the initial installation of the MIM Synchronization Service software. We will use this account for the installation in the MIM environment.
    Notes: Needs local admin on the Sync server and full SQL admin rights to create and modify the FIMSynchronizationService database.


Server Software Installation:

Windows 2012 R2 Server Options Installation:

Launch Server Manager

Click Add Roles and Features, Next

Select Role-based or feature-based installation, Next

Next

Server Roles:

Select Next

Features:

Select .Net Framework 3.5 Features

In the event you are notified that you may need to specify an alternate source path,

select Specify an Alternate source path.

Enter the drive letter for your Windows 2012 R2 Server Install disk and specify \sources\sxs\ as the path. (ex. E:\sources\sxs\)

Select Next, Install

Upon Successful completion

Select Close


Install SQL Client:

You can download the SQL Client installer (sqlncli.msi) from the Microsoft SQL Server 2012 SP2 Feature Pack located at the following link:

https://www.microsoft.com/en-us/download/details.aspx?id=43339

Launch the Microsoft SQL Server 2012 Native Client Installer

On the Welcome to the installation Wizard for SQL Server 2012 Native Client select Next

Review and Accept the License Terms to continue installation

Select Next

On the Feature Selection window, select Next

On the Ready to Install the Program pane, select Install

Upon successful completion, select Finish


Optional Tools:

Some popular tools and utilities that you may consider installing include:

-  NotePad++

-  VisualStudio

-  Telnet Client

-  Active Directory Users and Computers

-  LDAP Client

-  SQL Server Management Studio

-  Oracle Server Client (If connecting to Oracle database)


MIM 2016 Sync Server Installation:


Overview:

The following document is intended to function as an operations guide for the installation of the MIM 2016 Synchronization Server. This document covers both the installation of the Offline Spare and Primary MIM 2016 Synchronization Servers.

The Offline Spare functions as a pre-installed synchronization engine whose Synchronization Service is disabled until needed (i.e. in the event of failure of the primary synchronization server). The Offline Spare is installed first, followed by the installation of the Primary Synchronization Server.

Only one MIM Synchronization Server may be operational at a time. The Offline Spare and Primary Synchronization Server share a common SQL database (FIMSynchronizationService) that retains all configuration options, source code and management agent configurations. The database name is defined by the Microsoft Identity Manager installer and should not be modified.


Prerequisites:


Installation Media:

The installation media can be obtained from the Microsoft Customer Portal.

SQL Server Considerations:

· This installation document covers the installation of a stand-by synchronization server which requires the SQL server database to be hosted on a separate SQL server.

· The SQL Server client will need to be pre-installed on this server prior to installation of the MIM Synchronization Server Software.

· The SQL Server will need to be enabled for remote access.

· The SQL Server and SQL Server Agent services for the instance (Ex. Sync) need to be running.

Active Directory Service Accounts:

· Installation Account with SQL Admin rights.

· Sync Service Account with SQL read/write rights.

Active Directory Management Groups:

· [Admin Group Name]

· [Operators Group Name]

· [Joiners Group Name]

· [Browse Group Name]

· [PW Group Name]


Firewall and Port Consideration

· TCP Port 1433 open between Sync Servers and SQL Server.

o [Primary Sync Server] [Primary Sync Server IP] – [SQL Server] [SQL Server IP]

o [Offline Sync Server] [Offline Sync Server IP] – [SQL Server] [SQL Server IP]
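The following PowerShell is an added example, not part of the original guide, that checks the prerequisites listed above before the installer is launched. Run it on each sync server as [Install Account]; replace the bracketed placeholders with your values. It assumes the Windows Server 2012 R2 media is mounted as E:\ and that the five groups use the default FIMSync* names given later in this guide; the named-instance service names follow the standard MSSQL$Instance / SQLAgent$Instance convention.

```powershell
# Added example: pre-flight checks for the MIM Synchronization Service prerequisites (run elevated).
$SqlServer   = '[SQL Server]'
$SqlInstance = '[SQL Server Instance]'   # use MSSQLSERVER for a default instance
$SyncGroups  = 'FIMSyncAdmins', 'FIMSyncOperators', 'FIMSyncJoiners', 'FIMSyncBrowse', 'FIMSyncPasswordSet'
$SxsSource   = 'E:\sources\sxs'          # assumed path to the mounted Windows Server 2012 R2 media

# 1. .NET Framework 3.5: install from the media if the payload is not present on disk
$net35 = Get-WindowsFeature -Name NET-Framework-Core
if (-not $net35.Installed) {
    Install-WindowsFeature -Name NET-Framework-Core -Source $SxsSource
} else { '.NET Framework 3.5 already installed' }

# 2. SQL Server Native Client must be installed before MIM setup can reach a remote SQL Server
$nativeClient = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft SQL Server*Native Client*' }
if ($nativeClient) { $nativeClient.DisplayName } else { Write-Warning 'SQL Server Native Client is not installed' }

# 3. TCP 1433 from this server to the SQL Server. A named instance may listen on another port;
#    if this fails although the firewall rule exists, check the port in SQL Server Configuration Manager.
$tcp = Test-NetConnection -ComputerName $SqlServer -Port 1433
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP 1433 to $SqlServer is not reachable" }

# 4. The five domain security groups exist (needs the ActiveDirectory RSAT module)
Import-Module ActiveDirectory
foreach ($g in $SyncGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) { Write-Warning "Domain group $g not found" }
}

# 5. The SQL Server and SQL Server Agent services for the instance are running (remote query)
$instanceServices = if ($SqlInstance -eq 'MSSQLSERVER') { 'MSSQLSERVER', 'SQLSERVERAGENT' }
                    else { "MSSQL`$$SqlInstance", "SQLAgent`$$SqlInstance" }
Get-Service -ComputerName $SqlServer -Name $instanceServices | Select-Object Name, Status
```

Any warning the script prints maps to a section above (Windows features, SQL client, firewall, groups, SQL services); fix it before starting the installer, since the setup wizard's Error 25009 described later is the usual result of a missing .NET 3.5 component or insufficient SQL rights.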


MIM Synchronization Service Install:


Server Build Order:

The stand-by synchronization server is installed prior to the primary synchronization server.

Offline Server Build Action:

Login to the Offline Synchronization server [Offline Sync Server] using the Installation Account [Install Account].

Primary Server Build Action:

Login to the Primary Synchronization server [Primary Sync Server] using the Installation Account [Install Account].

Installation Software:

Mount the installation Media.

In Windows Explorer navigate to the root of the MIM 2016 installation media and double-click on FIMSplash to begin the installation.

If prompted how to view .htm files, select Internet Explorer.

This will open the MIM installation menu.

Note: This installation guide does not include screen captures of the installation process. If you prefer to view screen shots of the installation, please reference the following link provided below. Please be aware that you will need to return to this document for the remaining steps in completing the installation of the offline spare or Primary Synchronization Server. https://blogs.msdn.microsoft.com/connector_space/2015/08/26/installing-the-microsoft-identity-manager-2016-synchronization-service-clean-install/

Under Identity Manager Synchronization Service, Select Install Synchronization Service

Select Run

If prompted to allow the program to make changes to this computer, you must select Yes to continue the installation.

Microsoft Identity Manager 2016 – Synchronization Service Setup Wizard.

Click Next to continue.

End User License Agreement

Read and accept the terms of the License Agreement.

To continue installation, select Next.

Custom Setup

The default Installation Location is C:\program files\Microsoft Forefront Identity Manager\2010\

If you would like to modify the Installation Location, select the Change button, and enter the custom path setting.

Once complete, select Next to continue.

Configure Microsoft Identity Manager Synchronization Service – Database Connection

When installing your Synchronization Service with a warm stand-by, you must use a remote SQL Server configuration. The Stand-by and Live Synchronization servers reference the same SQL database.

SQL Server is located on:

Select A remote machine

Then enter the common name of the SQL server [SQL Server]

Note: Installation of the SQL Client is required as referenced in the Prerequisites section of this document.

The SQL Server instance is:

Select A named instance

Then enter the instance name [SQL Server Instance]

Select Next to continue.

Configure Microsoft Identity Manager Synchronization Service – Service Account

Enter the Service account information under which the MIM Sync Service will run:

Service Account: [Synchronization Service Account]

Password: **********

Service Account Domain: [Domain]

Select Next when completed.

Configure Microsoft Identity Manager Synchronization Service – Security Groups

When implementing a stand-by synchronization server you should use domain groups. This ensures your access groups remain consistent between the two servers (local groups created by a default install exist only on the server where the install ran).

Prior to proceeding with the installation, create the security groups in Active Directory. You may use any naming convention you like for these groups, or you may choose to retain the default group names (FIMSyncAdmins, FIMSyncOperators, FIMSyncJoiners, FIMSyncBrowse and FIMSyncPasswordSet).

To configure for use with Domain groups, enter the following information:

Administrator: [Domain]\[Admin Group Name]

Operator: [Domain]\ [Operators Group Name]

Joiner: [Domain]\[Joiners Group Name]

Connector browse: [Domain]\[Browse Group Name]

WMI password Management: [Domain]\[PW Group Name]

Click Next to continue.

Configure Microsoft Identity Manager Synchronization Service – Security Changes

Check the box to Enable firewall rules for inbound RPC communications

Select Next, Install

Note: Warning messages are expected as part of the normal installation process. Please pay close attention to any Warning or Error messages received. Actions may differ for Offline Spare vs. Primary Synchronization Server. See details below for specific actions.

Warning 25051:

Warning 25051. The Microsoft Identity Manager Synchronization Service service account is not secure in its current configuration. For more information about best practices for securing the service account, please see Microsoft Identity Manager Synchronization Service Help.

For Offline Spare and Primary Synchronization Server builds,

Select OK to continue.

To address this issue after installation, please refer to the following documentation:

https://blogs.msdn.microsoft.com/connector_space/2015/08/28/warning-25051-service-account-is-not-secure-in-its-current-configuration/

Error 25009:

Error 25009. The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the specified database.

For Offline Spare and Primary Synchronization Server builds,

Select Ok to continue.

The installation will rollback, select Finish.

Verify your installation account has SQL admin rights and the .net 3.5 Components are installed via server manager. Once resolved, you will need to start the installation process from the beginning.

Warning, A Microsoft Identity Manager Synchronization Service database already exists:

A Microsoft Identity Manager Synchronization Service database already exists. If you click Yes, you will restore the configuration with this database. If you click No, you must manually remove the previous database before installation can continue. Do you want to use the existing database?

Offline Spare Server build action only:

If you are building the Offline Spare for the first time, you should not receive this message. Verify you are connecting to the correct SQL server and instance. This could occur if you are reinstalling the synchronization server; in that case you will need to manually remove the database from the SQL server to proceed. As a matter of extreme caution, always back up the database before removing it.

Primary Synchronization Server build only:

Select Yes

You should receive the following Warning:

The Microsoft Identity Manager Synchronization Service setup Wizard will restore the configuration using the previous database. You must provide the encryption key set to use the previous database. Do you want to do this now?

Select Yes

Select the encryption key file (ex. E:\MIM\Keys\SyncKeys.bin)

Select Open

Database Encryption Key

Offline Spare Server build action only:

At this point you will be prompted to back up the database encryption key.

Click OK

Select a location and enter a name for this key file, then click Save

Primary Synchronization Server build only:

If you installed an Offline Spare, you should not receive this message.

Completing the Microsoft Identity Manager Synchronization Service Setup Wizard:

When notified of successful completion,

Click Finish to complete setup.

You may receive the following Warning:

You must logoff and relogon your system for the security group membership to take effect. Please close the other applications and click Yes if you want to logoff now. You may click No if you want to logoff later.

Select Yes

Launch the Synchronization Service Client:

You should now be able to open the MIM 2016 Sync Service. (Start, Run

To verify the version, click Help and About.

Although the About dialog is still branded Microsoft Forefront Identity Manager 2010 R2, MIM 2016 builds start at version 4.3.xxxx.x (4.4.xxxx.x for MIM 2016 SP1), whereas FIM 2010 R2 builds are 4.1.xxxx.x.

Perform the following steps for the Offline Spare build Only:

From the Services management console (services.msc),

Right-click Forefront Identity Manager Synchronization Service

select Properties

On the General Tab, next to Startup Type select Disabled.

If Service Status is “Running” select Stop

Select Apply, Ok
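The following PowerShell is an added example, not part of the original guide. It performs the Offline Spare steps above (stop the service and set it to Disabled), then confirms from one place that the spare is Disabled while the primary is Automatic, and reads the product version from miiserver.exe instead of Help > About. It assumes the default installation path under Program Files; adjust $bin if you changed the installation location during setup.

```powershell
# Added example: park the Offline Spare and verify that only the primary can start the sync service.
$ServiceName = 'FIMSynchronizationService'   # display name: Forefront Identity Manager Synchronization Service
$Servers     = '[Offline Sync Server]', '[Primary Sync Server]'

# On the Offline Spare: stop the service and keep it from starting at boot
$svc = Get-Service -Name $ServiceName
if ($svc.Status -eq 'Running') { Stop-Service -Name $ServiceName }
Set-Service -Name $ServiceName -StartupType Disabled

# Both servers point at the same FIMSynchronizationService database, so exactly one should be able to run:
# expect StartMode 'Disabled' on the spare and 'Auto' on the primary
foreach ($s in $Servers) {
    Get-WmiObject -Class Win32_Service -ComputerName $s -Filter "Name='$ServiceName'" |
        Select-Object @{ n = 'Server'; e = { $s } }, State, StartMode
}

# Version check: 4.3.x / 4.4.x is MIM 2016 (RTM / SP1), 4.1.x is FIM 2010 R2
$bin = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe'
(Get-Item $bin).VersionInfo.FileVersion
```

When the spare has to take over, the same two cmdlets run in reverse on the spare (Set-Service to Automatic, then Start-Service) after the primary's service has been stopped and disabled; starting both against the shared database is exactly the situation the guide says must never happen.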

Perform the following Steps for the Primary Synchronization Server build Only:

Once complete with the Offline Spare build, repeat the build instructions following all steps for the Primary Synchronization Server and skipping those steps noted for the Offline Spare build.

If you have completed the steps for both the Offline Spare and the Primary Synchronization Server, the synchronization server build process is complete.

Windows Server 2012 R2 – Uninstalling .Net Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.71




Introduction:

Some application installers require specific versions of .NET to be present to complete installation successfully. One such application is SharePoint Foundation 2013 SP1, which requires the .NET Framework 4.5. Later versions (.NET Framework 4.6 and higher) must be removed and the machine restarted for the installation to succeed.

I should also note that this information is destined to become stale as subsequent updates and versions of .Net are released by Microsoft. Please feel free to post updates as responses to this post.

Temporarily Disable Windows Updates:

The Windows Update service will need to be temporarily disabled on the server to prevent removed updates from being downloaded and reinstalled prior to installation. Once the software installation is completed, Windows Updates can be re-enabled.

Launch Server Manager

Select Local Server

Adjacent to Windows Update select the link to access the Windows Update settings page.

Select Change Settings

Select Never Check for updates (not recommended)

Select OK

Close the Windows Update window

Exit Server Manager

Uninstall all KBs associated with .Net 4.6 and higher:

I found that uninstalling the .Net 4.6 and higher updates was enough to complete a successful installation of SharePoint Foundation 2013 SP1. This may not be the case for all software installations.

Select Start, Control Panel

In the Search Panel enter Add or Remove Programs

Launch the Add and Remove Programs link

Select View Installed Updates

Tip: In the search window, enter KB and the first three numbers of those listed below to simplify locating the KBs installed on your server.

Remove the following KBs if they exist and select Restart Later.


KB4096417 - (.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1)
KB4054980 - (.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1)
KB4055001 - (.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1)
KB4041777 - (.NET Framework 4.6, 4.6.1, 4.6.2, 4.7)
KB4040972 - (.NET Framework 4.6, 4.6.1, 4.6.2, 4.7)
KB4054854 - (.NET Framework 4.7.1)
KB4033369 - (.NET Framework 4.7)
KB3186539 - (.NET Framework 4.7)
KB3102439 - (.NET Framework 4.6.1)
KB3045562 - (.NET Framework 4.6)
KB3045563 - (.NET Framework 4.6)
KB3102467 - (.NET Framework 4.6.1)

Once all KBs have been removed, restart the system.
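The following PowerShell is an added example, not part of the original post, that scripts the procedure above: it sets Windows Update to "Never check for updates" (the AUOptions registry value the Control Panel setting writes), removes whichever of the listed KBs are actually installed with wusa.exe, and reports what is left. The KB list is the one in this post; run it from an elevated session and expect the same "results will go stale" caveat the post gives.

```powershell
# Added example: remove the .NET 4.6+ updates listed in this post without reinstallation by Windows Update.
$KBs = '4096417', '4054980', '4055001', '4041777', '4040972', '4054854',
       '4033369', '3186539', '3102439', '3045562', '3045563', '3102467'

# Equivalent of "Never check for updates (not recommended)": AUOptions = 1
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
Set-ItemProperty -Path $auKey -Name AUOptions -Value 1 -Type DWord
Restart-Service -Name wuauserv     # make the Windows Update service pick up the setting

$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$rebootNeeded = $false
foreach ($kb in $KBs) {
    if ("KB$kb" -notin $installed) { "KB$kb not installed, skipping"; continue }
    "Removing KB$kb ..."
    $p = Start-Process -FilePath "$env:windir\System32\wusa.exe" `
                       -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { '  removed' }
        3010    { '  removed, reboot required'; $rebootNeeded = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { Write-Warning "  wusa.exe exited with code $($p.ExitCode) for KB$kb" }
    }
}

# Anything still listed here was not removed; re-run or uninstall it from View Installed Updates
Get-HotFix | Where-Object { $_.HotFixID -in ($KBs | ForEach-Object { "KB$_" }) }
if ($rebootNeeded) { 'Restart the server before running the SharePoint installer' }
```

Setting AUOptions back to its previous value (3 or 4 in most builds) after the application install is what the "re-enable Windows Updates" step above refers to; leaving it at 1 leaves the server without security updates.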

Install of SharePoint Foundation 2013 SP1 for use with FIM / MIM


Introduction:

This document is intended to be used as an operational build document for the installation of SharePoint Foundation 2013 SP1 for use with Forefront Identity Manager 2010 R2 or Microsoft Identity Manager 2016 Service and Portal Server installations.

Using this Guide:

You may perform search on the variables listed below and replace with your respective data values to create a detailed build guide customized for your environment.

Document Variables:

Search and Replace Variable   Description
[DOMAIN]                      Common name of the domain (ex. Contoso)
[MIM SERVER 1]                Common name of the first MIM Service and Portal Server (ex. Portal01)
[MIM SERVER 2]                Common name of the second MIM Service and Portal Server (ex. Portal02)
[INSTALL ACCOUNT]             Common name of the MIM Installation Service Account (ex. MIMInstall)
[MIM SERVICE ACCOUNT]         Common name of the MIM Service Account (ex. MIMService)
[MIM SAP ACCOUNT]             Common name of the MIM SharePoint Application Pool Service Account (ex. MIMSAP)

Preparing for Installation

SharePoint Foundation 2013 SP1 Installation Media:

The download for SharePoint Foundation 2013 SP1 is located at the following link:

https://www.microsoft.com/en-us/download/details.aspx?id=42039

Temporarily Disable Windows Updates:

To successfully install SharePoint Foundation 2013, some updates must be removed prior to installation. Windows Updates are temporarily disabled during the installation procedure to prevent these updates from being downloaded and reinstalled.

Launch Server Manager

Select Local Server

Adjacent to Windows Update select the link to access the Windows Update settings page.

Select Change Settings

Select Never Check for updates (not recommended)

Select OK

Close the Windows Update window

Exit Server Manager

Temporarily Disable IE Enhanced Security Configuration for Administrators:

The SharePoint Foundation 2013 SP1 prerequisite installer needs access to multiple sites to download the prerequisite installers. Temporarily disabling IE Enhanced Security Configuration for Administrators allows access to these sites so the installations can complete. Re-enable it, along with Windows Update, once the SharePoint installation is finished.

Launch Server Manager

Select Local Server

Adjacent to IE Enhanced Security Configuration select the link to access the configuration settings page.

Under Administrators, select Off

Select Ok

Restart the server
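The following PowerShell is an added example, not part of the original guide. It turns IE Enhanced Security Configuration off for Administrators through the two Active Setup registry values that the Server Manager page writes, and gives you the matching call to turn it back on afterwards, which the UI procedure above leaves to memory. The Users key is touched only if you ask for it, since the guide relaxes ESC for Administrators only.

```powershell
# Added example: toggle IE Enhanced Security Configuration (ESC) and read back its state.
$EscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A5-37EF-4b3f-8CFC-4F3A74704073}'
}

function Set-IEEnhancedSecurity {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('On', 'Off')][string]$State,
        [switch]$IncludeUsers    # the guide only relaxes ESC for Administrators
    )
    $value = if ($State -eq 'On') { 1 } else { 0 }   # IsInstalled: 1 = ESC enabled, 0 = disabled
    $targets = @('Administrators')
    if ($IncludeUsers) { $targets += 'Users' }
    foreach ($t in $targets) { Set-ItemProperty -Path $EscKeys[$t] -Name IsInstalled -Value $value -Type DWord }
    # Server Manager shows the new state on its next refresh; an open Internet Explorer must be restarted
}

function Get-IEEnhancedSecurity {
    [pscustomobject]@{
        Administrators = (Get-ItemProperty -Path $EscKeys.Administrators).IsInstalled -eq 1
        Users          = (Get-ItemProperty -Path $EscKeys.Users).IsInstalled -eq 1
    }
}

Set-IEEnhancedSecurity -State Off   # before running the SharePoint prerequisite installer
Get-IEEnhancedSecurity
# ... run the prerequisite installer and SharePoint setup, then:
# Set-IEEnhancedSecurity -State On
```

Get-IEEnhancedSecurity is the quick way to confirm, after the whole SharePoint procedure, that the server is not left with ESC permanently off for the accounts that administer the MIM Portal.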

Uninstall .Net Framework 4.6 and higher

SharePoint Foundation 2013 SP1 requires .NET Framework 4.5 and will not install while a later version (4.6 and higher) is present. Please refer to the blog post below for .NET removal instructions and updates.

https://blogs.msdn.microsoft.com/connector_space/2018/05/31/windows-server-2012-r2-uninstalling-net-framework-4-6-4-6-1-4-6-2-4-7-4-71/

Install SharePoint Foundation 2013 SP1 Prerequisites:

Connect to the server using the [INSTALL ACCOUNT] service account

Right click SharePoint.exe and select run as Administrator

If asked to allow program to make changes to this computer, select Yes.

Under Install, select Install software prerequisites.

On the Welcome to the Microsoft SharePoint 2013 Products Preparation Tool pane, select Next

To continue installation, Review and Accept the terms of the license agreement.

select Next to proceed with prerequisite installations.

If prompted that your system needs to restart to continue, select Finish

Please Note multiple server restarts can occur during installation.

Reconnect to the server using the [INSTALL ACCOUNT] service account

If asked to allow program to make changes to this computer, select Yes.

If prompted that your system needs to restart to continue, select Finish

Repeat this section as many times as necessary until the Preparation Tool reports that all prerequisites are installed, then select Finish.

If the Start menu offers Update and Restart, select it; otherwise select Restart. Repeat the restart until no further updates are pending.



Install SharePoint Foundation 2013 SP1

Login as the [INSTALL ACCOUNT] account

Right click SharePoint.exe and run as Administrator

Select Yes to allow the installer to make change to the server.

The SharePoint Foundation 2013 splash screen will appear.

Under Install, select Install SharePoint Foundation

If you are prompted with a setup error stating that the product requires .Net Framework 4.5, refer to the section above entitled Uninstall .Net Framework 4.6 and higher. .Net Framework 4.6 and higher must be removed and the machine restarted for the installation to succeed.

On the Read the Microsoft Software License Terms screen, review the terms and accept as appropriate.

Select Continue

On the Server Type panel, select Stand-alone option, then Install Now

The Installation Progress bar will be displayed.

On the Run Configuration Wizard pane, select the Run the SharePoint Products Configuration Wizard now option, then select Close.

On the Welcome to SharePoint Products page, select Next.

When notified that services may need to be restarted, select Yes

The Configuring SharePoint Product page will be displayed.

Once notified Configuration Successful, select Finish.

The SharePoint 2013 Foundation Home Page will be displayed.

Close the browser.

Exit SharePoint Foundation 2013 installer.

Restart the server.



Prepare SharePoint Foundation 2013 SP1 for use with FIM / MIM:

Configure SharePoint Farm Admins

Select the Windows Start button, type SharePoint 2013 Central Administration

If prompted, select Yes to allow program to make changes to computer.

Select Security, Manage the farm administrators group

Add the following accounts as members of the Farm Administrators group:

[INSTALL ACCOUNT] (This should be present.)

[MIM SERVICE ACCOUNT]

Remove the SharePoint-80 Configuration

In SharePoint, Central Administration select Application Management,

Under Web Applications, select Manage Web Applications,

Select SharePoint-80,

Select Delete from menu bar.

When prompted select Yes to delete content databases and delete IIS web sites.

Select Delete, and Ok to continue.

Note: This may take several minutes to complete at which time the open window will close and return you back to the SharePoint Central Admin Console.

Close the SharePoint Central Admin Console.

Ensure Deletion of the default SharePoint Application Pool

Start, Internet Information Services Manager

On left expand the server, and select Application Pools

If present, delete the SharePoint-80 Application pool.

Close Internet Information Services Manager


Running the MIM SharePoint Foundation 2013 Configuration Script Notes:

The PowerShell script included below was obtained from the original Connector Space blog post by Anthony Marsiglia located at: https://blogs.msdn.microsoft.com/connector_space/2014/09/23/sharepoint-foundations-2013-configuration-script/

The script provided in this document is updated to include remarks on how to manually perform some of the script’s actions, thereby simplifying code review. Additionally, search and replace document variables used throughout this document are incorporated into the script to customize the installation script for your environment.

During script processing PowerShell will display the following Warning message which can be ignored:

WARNING: The Windows Classic authentication method is deprecated in this release and the default behavior of this cmdlet, which creates Windows Classic based web application, is obsolete. It is recommended to use Claims authentication methods. You can create a web application that uses Claims authentication method by specifying the AuthenticationProvider parameter set in this cmdlet. Refer to the http://go.microsoft.com/fwlink/?LinkId=234549 site for more information. Please note that the default behavior of this cmdlet is expected to change in the future release to create a Claims authentication based web application instead of a Windows Classic based web application.

When copying and pasting the script to Notepad, be sure to verify that all " quotes copy correctly, and that every parameter name uses a plain hyphen (for example -Identity, -SecondaryOwnerAlias); word processors and some web pages silently convert hyphens to en-dashes, which PowerShell does not recognise as parameter markers. Additionally, ensure the line containing "STS#0" (open quote, letters STS, pound, zero, close quote) is properly typed and does not contain special characters.

You should not experience PowerShell errors (Errors appear in red text) during execution of this script. If you do experience errors, review the error message and resolve accordingly. Rerunning the script may cause other errors to occur due to partial completion during the first run.

Finally, be patient, the script may take several minutes to complete its processing and at times may appear as if it is not running.

Create and Execute the SharePoint Foundation 2013 Configuration Script:

Create and Execute SharePoint Foundation 2013 Configuration Script

Launch Notepad

Copy the below script into Notepad

Save the file as SPConfig.ps1 on [MIM SERVER 1].

Copy the script from [MIM SERVER 1] to [MIM SERVER 2].

Start PowerShell as Administrator.

Run the script on the [DOMAIN] domain Servers [MIM SERVER 1] and [MIM SERVER 2].

Enter the FIMSPFPoolAccount password when prompted.


####################################################################################
## BEGIN SCRIPT
## The Add-PSSnapin line only needs to be run if you are not running the script from the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -EA SilentlyContinue

function Prompt-ForInput
{
    Param($message)
    $success = "n"
    while($success -ne "" -and $success.ToLower() -ne "y")
    {
        $val = Read-Host $message
        $success = Read-Host "You entered: $val. Is this correct? Enter y or n"
    }
    return $val
}

## This next block of code sets the variables the script needs to build your SharePoint site.
## You will need to know the following information:
##   The NetBIOS domain name
##   The account that will run the web application (the SharePoint application pool account)
##   The account that will be used as the primary site collection administrator
## ------------------------------------------------------------------------------------------------------------
## SCRIPT VARIABLES
## ------------------------------------------------------------------------------------------------------------
## The search and replace values are filled in below; uncomment the Prompt-ForInput lines instead to be asked interactively.
## $Domain = $(Get-ADDomain).NetBIOSName
$Domain = '[DOMAIN]'
## $svcFIMPool = Prompt-ForInput "Enter the FIM Service Pool Service Account"
$svcFIMPool = '[MIM SAP ACCOUNT]'
## $FarmAdminUser = Prompt-ForInput "Enter the Primary Site Collection Administrator Account"
$FarmAdminUser = '[INSTALL ACCOUNT]'
## $SecFarmAdmin = Prompt-ForInput "Enter the Secondary Site Administrator Account"
$SecFarmAdmin = '[MIM SERVICE ACCOUNT]'
## $Site = "http://" + $(Prompt-ForInput "Enter the site url")
$Site = 'http://FIMPortal'
## The account names above are bare sAMAccountNames; SharePoint managed accounts are addressed as DOMAIN\name.
$PoolAccount = "$Domain\$svcFIMPool"

## ------------------------------------------------------------------------------------------------------------
## SET THE CREDENTIALS FOR THE SHAREPOINT SITE
## ------------------------------------------------------------------------------------------------------------
## MANUAL METHOD (SharePoint Central Admin Console):
##   Start SharePoint Central Admin
##   Under the Security section select Configure Service Accounts
##   Select the Register new managed account link
##   Enter User Name and Password
##   Select OK
## POWERSHELL SCRIPT:
## A credential prompt appears for the password of the account set in $svcFIMPool.
## If needed, correct the user name to the format DOMAIN\ACCOUNT NAME, then enter the password.
New-SPManagedAccount -Credential (Get-Credential -Message "FIMSPFPoolAccount" -UserName $PoolAccount)

## ------------------------------------------------------------------------------------------------------------
## CREATE THE SHAREPOINT APPLICATION POOL
## ------------------------------------------------------------------------------------------------------------
## MANUAL METHOD (SharePoint Central Admin Console):
##   Start SharePoint Central Admin
##   Under Application Management select Manage Service Applications
##   From the menu bar select New
##   Select App Management Service
## POWERSHELL SCRIPT:
New-SPServiceApplicationPool -Name FIMSPFPool -Account $PoolAccount

## This next block of code creates a web application that uses classic mode Windows (Kerberos) authentication.
## SharePoint prints the "Windows Classic authentication method is deprecated" warning here; it can be ignored.
New-SPWebApplication -Name "FIM" -Url $Site -Port 80 -SecureSocketsLayer:$false -ApplicationPool "FIMSPFPool" -ApplicationPoolAccount (Get-SPManagedAccount $PoolAccount) -AuthenticationMethod "Kerberos" -DatabaseName "FIM_SPF_Content"

## This block of code creates the SharePoint site collection (2010 experience, Team Site template).
New-SPSite -Name "FIM" -Url $Site -CompatibilityLevel 14 -Template "STS#0" -OwnerAlias "$Domain\$FarmAdminUser"

## This next block of code sets the secondary site administrator.
Set-SPSite -Identity $Site -SecondaryOwnerAlias "$Domain\$SecFarmAdmin"

## This block of code disables server-side view state, which is required for FIM / MIM.
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.ViewStateOnServer = $false
$contentService.Update()

## This last block of code disables self-service upgrade to the 2013 experience mode.
## The 2013 experience mode is not supported by FIM / MIM.
$SPSite = Get-SPSite -Identity $Site
$SPSite.AllowSelfServiceUpgrade = $false
## END OF SCRIPT
####################################################################################



Set the SharePoint Administration Service to Automatic and start the service

Start, Services.msc

Right Click the SharePoint Administration service, select Properties

Set Startup type to Automatic

Select Start

Select OK



Remove SharePoint Search Service Application and Proxy

Select the Windows Start button, type SharePoint 2013 Central Administration

If prompted, select Yes to allow program to make changes to computer.

Select Application Management

Under Service Applications, select Manage service applications

Highlight Search Service Application Proxy,

Select Delete button.

On the Delete Service Application Connection page

Select Delete Data associated with the Service Application connections

Select Ok

When notified Service Application connection has been deleted, select Ok

Highlight Search Service Application,

Select Delete button.

On the Delete Service Application page

Select Delete Data associated with the Service Applications

Select Ok

When notified Service Application has been deleted, select Ok

Close the SharePoint Central Administration Window
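Before moving on, it is worth confirming that the script and the manual steps above actually left the farm in the state the MIM Portal expects; a wrong authentication mode or a surviving search service application is much cheaper to find now than after the Service and Portal installer runs. The following check script is an added example, not part of the original Connector Space post, and it assumes the names used in SPConfig.ps1: site URL http://FIMPortal, web application "FIM" and application pool FIMSPFPool. Run it from an elevated PowerShell on the MIM Portal server.

```powershell
# Added verification script (not from the original post). Re-checks the configuration that
# SPConfig.ps1 and the manual Central Administration steps are supposed to leave behind.
# Assumes the names used in SPConfig.ps1; adjust $Site if you changed it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Site = 'http://FIMPortal'
$failures = New-Object System.Collections.Generic.List[string]

function Test-Setting([bool]$ok, [string]$what) {
    if ($ok) { Write-Host "[PASS] $what" }
    else     { Write-Host "[FAIL] $what"; $failures.Add($what) }
}

# 1. The FIM web application exists, runs in the expected pool and uses classic Kerberos
#    authentication (no claims, no NTLM fallback at the default zone).
$webApp = Get-SPWebApplication -Identity $Site -ErrorAction SilentlyContinue
Test-Setting ($null -ne $webApp) "Web application for $Site exists"
if ($webApp) {
    Test-Setting ($webApp.ApplicationPool.Name -eq 'FIMSPFPool') "Web application runs in FIMSPFPool"
    Test-Setting (-not $webApp.UseClaimsAuthentication) "Web application uses classic Windows authentication"
    $iis = $webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    Test-Setting (-not $iis.DisableKerberos) "Default zone negotiates Kerberos (DisableKerberos is false)"
}

# 2. The default SharePoint - 80 web application was deleted.
$default80 = Get-SPWebApplication | Where-Object { $_.DisplayName -like 'SharePoint*80' }
Test-Setting ($null -eq $default80) "Default SharePoint - 80 web application removed"

# 3. Site collection: 2010 experience, self-service upgrade off, owners as configured.
$sp = Get-SPSite -Identity $Site -ErrorAction SilentlyContinue
Test-Setting ($null -ne $sp) "Site collection at $Site exists"
if ($sp) {
    Test-Setting ($sp.CompatibilityLevel -eq 14) "Site collection is 2010 experience (CompatibilityLevel 14)"
    Test-Setting (-not $sp.AllowSelfServiceUpgrade) "Self-service upgrade to 2013 experience disabled"
    Write-Host "       Primary owner: $($sp.Owner.LoginName)   Secondary: $($sp.SecondaryContact.LoginName)"
    $sp.Dispose()
}

# 4. Server-side view state must be off for the FIM / MIM Portal pages.
$content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
Test-Setting (-not $content.ViewStateOnServer) "ViewStateOnServer is false"

# 5. Search Service Application and its proxy were removed.
$search      = Get-SPServiceApplication      | Where-Object { $_.TypeName -like 'Search Service Application*' }
$searchProxy = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like 'Search Service Application Proxy*' }
Test-Setting ($null -eq $search)      "Search Service Application removed"
Test-Setting ($null -eq $searchProxy) "Search Service Application Proxy removed"

# 6. SharePoint Administration service (SPAdminV4) running and set to Automatic start.
$svc = Get-Service -Name SPAdminV4
$mode = (Get-WmiObject Win32_Service -Filter "Name='SPAdminV4'").StartMode
Test-Setting ($svc.Status -eq 'Running') "SharePoint Administration service is running"
Test-Setting ($mode -eq 'Auto')          "SharePoint Administration service start mode is Automatic"

if ($failures.Count -eq 0) { Write-Host "All checks passed." }
else { Write-Warning "$($failures.Count) check(s) failed; fix the [FAIL] items before installing the MIM Service and Portal." }
```

Any [FAIL] line maps directly to one of the steps above; rerun just that step rather than the whole script, since SPConfig.ps1 is not idempotent and re-creating the managed account or web application will error out.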



Enable Windows Updates:

Windows Update was disabled prior to the SharePoint Foundation 2013 SP1 installation so that the installer could complete without interruption. It should be re-enabled now that the installation is finished to ensure the operating system keeps receiving patches. Updates for other Microsoft products are deliberately left disabled here so that application updates (SharePoint, SQL, MIM) are installed manually after proper testing.

Launch Server Manager

Select Local Server

Adjacent to Windows Update select the link to access the Windows Update settings page.

Select Change Settings

Select Install Updates automatically (recommended)

Under Microsoft Update

Do Not select Give Me Updates for other Microsoft products when I update Windows

Select OK

Close the Windows Update window

Exit Server Manager



Enable IE Enhanced Security Configuration for Administrators:

The SharePoint Foundation 2013 SP1 Prerequisite installer required access to multiple sites to download prerequisite installers. We temporarily disabled IE Enhanced Security for Administrators to allow access to these sites.  Now that the installation is complete, this can be turned back on. 

Launch Server Manager

Select Local Server

Adjacent to IE Enhanced Security Configuration select the link to access the configuration settings page.

Under Administrators, select On

Select Ok

Restart the server

Service Accounts, SPNs, and Kerberos Delegation configurations for MIM Service and Portal Installation


Introduction:

This document is intended to be used as an operational preparatory document for the Microsoft Identity Management 2016 MIM Service and Portal Server installation. This guide covers the service accounts, Service Principal Names, and Delegation needed for use with the MIM 2016 Service and Portal.

Using this Guide:

You may perform search and replace on the variables listed below to create a detailed implementation guide customized for your environment.

Document Variables:

Description                                                                         Search and Replace Variable
----------------------------------------------------------------------------------  ---------------------------
Full Domain Name (ex. Contoso.com)                                                  [FQDOMAIN]
Common name of the first MIM Service and Portal Server (ex. Portal01)               [MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02)              [MIM SERVER 2]
Common name of the MIM Service and Portal URL (ex. MIMPORTALVIP)                    [MIM VIP]
Common name of the MIM Installation Service Account (ex. MIMInstall)                [INSTALL ACCOUNT]
Common name of the MIM MA Service Account (ex. MIMMA)                               [MIM MA SERVICE ACCOUNT]
Common name of the MIM Service Account (ex. MIMService)                             [MIM SERVICE ACCOUNT]
Common name of the MIM SharePoint Application Pool Service Account (ex. MIMSAP)     [MIM SAP ACCOUNT]

Service Accounts:

The following service accounts are used in the installation and configuration of the MIM Service and Portal. Rights associated with each account are listed below:

[MIM MA SERVICE ACCOUNT]
    Usage: Account the MIM Synchronization Service uses to connect to the FIM Service (the MIM Management Agent account).
    Notes: Requires the Allow log on locally user rights assignment on the Sync server.

[MIM SERVICE ACCOUNT]
    Usage: Account the MIM Service runs as on the MIM Service and Portal server(s).
    Notes: Deny log on as a batch job; Deny log on locally; Deny access to this computer from the network.
           Must be a member of the FIMSyncAdmins group.
           If using password reset, must also be a member of the FIMSyncPasswordSet group.

[MIM SAP ACCOUNT]
    Usage: Identity of the SharePoint application pool that hosts the MIM Portal on the MIM Service and Portal server(s).
    Notes: Impersonate a client after authentication; Log on as a batch job; Log on as a service.

[INSTALL ACCOUNT]
    Usage: Account used for the initial installation of the MIM software.
    Notes: Needs local administrator rights on the Sync server and SQL administrator rights.
           Option: Domain Admin if the account is also used to create the domain groups.

Setup Service Principal Names for MIM Service Accounts:

Configure SPN Commands:

Run the following as an account that can write servicePrincipalName on the two service accounts. The -S switch checks the forest for an existing registration before adding the SPN; a duplicate SPN silently breaks Kerberos for both accounts, so if SETSPN reports one, find and remove the stale registration rather than forcing the add.

SETSPN -S http/[MIM SERVER 1] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM SERVER 1].[FQDOMAIN] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM SERVER 2] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM SERVER 2].[FQDOMAIN] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM VIP] [MIM SAP ACCOUNT]

SETSPN -S http/[MIM VIP].[FQDOMAIN] [MIM SAP ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 1] [MIM SERVICE ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 1].[FQDOMAIN] [MIM SERVICE ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 2] [MIM SERVICE ACCOUNT]

SETSPN -S FIMService/[MIM SERVER 2].[FQDOMAIN] [MIM SERVICE ACCOUNT]

If the MIM Service is also addressed through the load-balanced name (the FIM Service base address the MIM MA points at, HTTP://[MIM VIP]:5725), register the FIMService SPN for that name on the service account as well; the delegation listings below assume it is present:

SETSPN -S FIMService/[MIM VIP] [MIM SERVICE ACCOUNT]

SETSPN -S FIMService/[MIM VIP].[FQDOMAIN] [MIM SERVICE ACCOUNT]

Verify the result with SETSPN -L [MIM SAP ACCOUNT] and SETSPN -L [MIM SERVICE ACCOUNT].

Setup Kerberos Delegation:

Service Account Delegation Account Description
[MIM SAP ACCOUNT] [MIM SERVICE ACCOUNT] The MIM Portal on the MIM-Service server needs to access the MIM Service on the MIM-Service Server. MIM Portal uses Kerberos constrained delegation to act on behalf of the user.
[MIM SERVICE ACCOUNT] [MIM SERVICE ACCOUNT] This is needed in the event a workflow running in the MIM Service needs to access the MIM Service.

After configuring the Service Principal Names noted in the previous section, the following delegations must be configured to ensure proper Kerberos delegation functionality.

MIM SAP ACCOUNT [MIM SAP ACCOUNT] DELEGATION

Launch Active Directory Users and Computers

Select the [MIM SAP ACCOUNT] service account

Right Click and Select Properties.

Select Delegation Tab

Select Trust this user for delegation to specified services only

Select Use Kerberos only

Select Add

Select the Users or Computers button

Enter [MIM SERVICE ACCOUNT]

Select Check Names, then OK

From the Available services list, select the FIMService entries registered on [MIM SERVICE ACCOUNT] and select OK

Select OK to close the account properties

Once complete, delegation for the [MIM SAP ACCOUNT] account should appear as follows:

Service Type   User or Computer

FIMService     [MIM VIP].[FQDOMAIN]

FIMService     [MIM SERVER 1].[FQDOMAIN]

FIMService     [MIM SERVER 2].[FQDOMAIN]

MIM SERVICE ACCOUNT [MIM SERVICE ACCOUNT] DELEGATION

Launch Active Directory Users and Computers

Select the [MIM SERVICE ACCOUNT] service account

Right Click and Select Properties.

Select Delegation Tab

Select Trust this user for delegation to specified services only

Select Use Kerberos only

Select Add

Select the Users or Computers button

Enter [MIM SERVICE ACCOUNT]

Select Check Names, then OK

From the Available services list, select the FIMService entries and select OK

Select OK to close the account properties

Once complete, delegation for the [MIM SERVICE ACCOUNT] account should appear as follows:

Service Type   User or Computer

FIMService     [MIM VIP].[FQDOMAIN]

FIMService     [MIM SERVER 1].[FQDOMAIN]

FIMService     [MIM SERVER 2].[FQDOMAIN]

Leave Use Kerberos only selected on both accounts. Use any authentication protocol enables protocol transition, which would let the account obtain service tickets for users who never presented a Kerberos ticket to it; the MIM Portal does not need that, and it widens what an attacker who compromises the application pool account can do.
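The same SPN registration and delegation configuration can be applied and, more importantly, verified from PowerShell with the ActiveDirectory module. The script below is an added example and is not part of the original Connector Space post; it uses the document's placeholders for host and account names, which must be replaced before running, and it assumes the caller can write servicePrincipalName and msDS-AllowedToDelegateTo on the two service accounts. It refuses to register an SPN that is already owned by another account, sets constrained delegation in Kerberos-only mode (msDS-AllowedToDelegateTo populated, the protocol-transition and unconstrained-delegation bits cleared), and prints the resulting state of both accounts.

```powershell
# Added example (not from the original post): register the SPNs and apply Kerberos-only
# constrained delegation for the MIM Portal and MIM Service accounts, then verify.
# [MIM SERVER 1], [MIM SERVER 2], [MIM VIP], [FQDOMAIN], [MIM SAP ACCOUNT] and
# [MIM SERVICE ACCOUNT] are the document's search-and-replace placeholders.
Import-Module ActiveDirectory

$Fqdn       = '[FQDOMAIN]'
$Portals    = @('[MIM SERVER 1]', '[MIM SERVER 2]', '[MIM VIP]')
$SapAccount = '[MIM SAP ACCOUNT]'      # SharePoint application pool account: owns the http SPNs
$SvcAccount = '[MIM SERVICE ACCOUNT]'  # MIM Service account: owns the FIMService SPNs

# Short-name and FQDN SPN for every portal host name, for one service class.
function New-SpnList([string]$service, [string[]]$hosts, [string]$fqdn) {
    foreach ($h in $hosts) { "$service/$h"; "$service/$h.$fqdn" }
}
$httpSpns = New-SpnList 'http' $Portals $Fqdn
$fimSpns  = New-SpnList 'FIMService' $Portals $Fqdn

# Register an SPN only if nobody else owns it. A duplicate SPN makes the KDC return
# KDC_ERR_S_PRINCIPAL_UNKNOWN-style failures for both accounts, so treat it as fatal.
function Register-Spn([string]$spn, [string]$account) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    if ($owner -and $owner.sAMAccountName -ne $account) {
        throw "Duplicate SPN $spn is already registered on $($owner.DistinguishedName)"
    }
    if (-not $owner) {
        Set-ADUser -Identity $account -ServicePrincipalNames @{Add = $spn}
        Write-Host "Registered $spn on $account"
    }
}
$httpSpns | ForEach-Object { Register-Spn $_ $SapAccount }
$fimSpns  | ForEach-Object { Register-Spn $_ $SvcAccount }

# "Trust this user for delegation to specified services only" + "Use Kerberos only":
# the allowed target SPNs go into msDS-AllowedToDelegateTo, TRUSTED_FOR_DELEGATION
# (unconstrained) and TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition) stay off.
function Set-ConstrainedDelegation([string]$account, [string[]]$targetSpns) {
    Set-ADUser -Identity $account -Replace @{'msDS-AllowedToDelegateTo' = $targetSpns}
    Set-ADAccountControl -Identity $account -TrustedForDelegation $false -TrustedToAuthForDelegation $false
}
Set-ConstrainedDelegation $SapAccount $fimSpns   # MIM Portal app pool -> MIM Service
Set-ConstrainedDelegation $SvcAccount $fimSpns   # MIM Service -> MIM Service (workflows)

# Verification: what each account can present and where it may delegate to.
foreach ($acct in $SapAccount, $SvcAccount) {
    $u = Get-ADUser -Identity $acct -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
                                                TrustedForDelegation, TrustedToAuthForDelegation
    Write-Host "`n$acct"
    Write-Host "  SPNs:               $($u.servicePrincipalName -join ', ')"
    Write-Host "  Delegate to:        $($u.'msDS-AllowedToDelegateTo' -join ', ')"
    Write-Host "  Unconstrained:      $($u.TrustedForDelegation)"
    Write-Host "  Protocol transition: $($u.TrustedToAuthForDelegation)"
}

# Forest-wide duplicate SPN sweep; setspn -X -F lists any SPN registered on more than one account.
$dupes = setspn -X -F 2>&1 | Select-String 'is registered on these accounts'
if ($dupes) { Write-Warning "Duplicate SPNs found in the forest:`n$($dupes -join "`n")" }
```

Both accounts should show Unconstrained and Protocol transition as False; if either reads True, someone has selected Trust this user for delegation to any service or Use any authentication protocol in the GUI, and the ADUC steps above should be repeated.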

Install the MIM 2016 Management Agent (MIM MA)


Introduction:

This document is intended to be used as an operational preparatory document for the Microsoft Identity Management 2016 base MIM MA installation.

Using this Guide:

You may perform search and replace on the variables listed below to create a detailed implementation guide customized for your environment.

Document Variables:

Description                                                                                          Search and Replace Variable
---------------------------------------------------------------------------------------------------  ---------------------------
Primary Sync Server (ex. Sync01)                                                                     [PRIMARY SYNC SERVER]
Primary SQL Server (ex. SQL01)                                                                       [SQL Server]
Common name of the MIM Service and Portal SQL Instance (ex. Service)                                 [SQL INSTANCE]
The database name of the FIM Service Database (ex. FIMService)                                       [SERVICE DB NAME]
Common name of the domain (ex. Contoso)                                                              [DOMAIN]
Common name of the URL / Virtual IP Address used to load balance the MIM Service and Portal Servers (ex. MIMPortal)   [MIM PORTAL URL]
Common name of the first MIM Service and Portal Server (ex. Portal01)                                [MIM SERVER 1]
Common name of the second MIM Service and Portal Server (ex. Portal02)                               [MIM SERVER 2]
Common name of the MIM Installation Service Account (ex. MIMInstall)                                 [INSTALL ACCOUNT]
Common name of the MIM MA Service Account (ex. MIMMA)                                                [MIM MA SERVICE ACCOUNT]

Service Accounts:

The following service accounts are used in the installation and configuration of the MIM Service and Portal. Rights associated with each account are listed below:

[MIM MA SERVICE ACCOUNT]
    Usage: Account the MIM Synchronization Service uses to connect to the FIM Service (the MIM Management Agent account).
    Notes: Requires the Allow log on locally user rights assignment on the Sync server.

[INSTALL ACCOUNT]
    Usage: Account used for the initial installation of the MIM software.
    Notes: Needs local administrator rights on the Sync server and SQL administrator rights.
           Option: Domain Admin if the account is also used to create the domain groups.



Configure the MIM MA:

From the Primary Synchronization Server [PRIMARY SYNC SERVER] Server

Logon as the Install Account [INSTALL ACCOUNT]

Launch the MIM Synchronization Service Manager

Select Management Agents tab

Under Actions, select Create

The Create Management Agent Window should display.

Create Management Agent:

Select Management Agent For: FIM Service Management Agent

Name: MIM_MA

Description: MIM Service Management Agent

Select Next

Update MV Schema:

Select Next

Connect to Database:

Server: [SQL Server]\[SQL INSTANCE]

Database: [SERVICE DB NAME]

FIM Service base address:

If using a single MIM Portal server, enter HTTP://[MIM SERVER 1]:5725

If using load balancing, enter the common name of the MIM Portal URL HTTP://[MIM PORTAL URL]:5725

For Windows Integrated Authentication mode enter

User Name: [MIM MA SERVICE ACCOUNT]

Password: ***************

Domain: [DOMAIN]

Select Next

Select Object Types:

Check the following objects:

if synchronizing person and group objects to the portal check:

DetectedRuleEntry

ExpectedRuleEntry

Person

Groups

SynchronizationRule

Select Next

Select Attributes:

Select Next

Configure Connector Filter:

Select Next

Configure Object Type Mappings:

Highlight Person

Select Add Mapping

Select person, OK

Select Next

Configure Attribute Flow:

Select Next

Configure Deprovisioning:

Select Next

Configure Extensions:

select Finish

Setup MIM MA Run Profiles: 

From the Synchronization Service Manager,

Select Management Agents

Select MIM_MA

Right Click MIM_MA

Select Configure Run Profiles

Full Import (FI)

Select New Profile

On the Profile Name Page, For Name enter FI

Select Next

On the Configure Step page, For Type select Full Import (Stage Only)

Select Next

Select Finish

Delta Import (DI)

Select New Profile

On the Profile Name Page, For Name enter DI

Select Next

On the Configure Step page, For Type select Delta Import (Stage Only)

Select Next

Select Finish

Full Sync (FS)

Select New Profile

On the Profile Name Page For Name enter FS

Select Next

On the Configure Step page For Type select Full Synchronization

Select Next

Select Finish

Delta Sync (DS)

Select New Profile

On the Profile Name Page For Name enter DS

Select Next

On the Configure Step page For Type select Delta Synchronization

Select Next

Select Finish

Export (EX)

Select New Profile

On the Profile Name Page For Name enter EX

Select Next

On the Configure Step page For Type select Export

Select Next

Select Finish

Select OK

Perform the First Import of the MIM MA

From the Synchronization Service Manager,

Select Management Agents

Select MIM_MA

Right Click MIM_MA

Select Run, Full Import, OK

The initial Full Import should generate 2 adds in the Synchronization Statistics Frame.
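The run profiles defined above can also be started and checked without the Synchronization Service Manager, through the Synchronization Service WMI provider. The script below is an added example, not part of the original Connector Space post; it runs the FI profile of MIM_MA and reports the import counters, failing if the run did not end in success. It assumes the profile names FI, DI, FS, DS and EX from the previous section and must be run on [PRIMARY SYNC SERVER] as a member of FIMSyncAdmins or FIMSyncOperators, since the WMI namespace rejects other callers.

```powershell
# Added example (not from the original post): run a MIM_MA run profile through the
# Synchronization Service WMI provider and verify the outcome of the first Full Import.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Get-MA([string]$name) {
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$name'"
    if (-not $ma) { throw "Management agent '$name' not found on this Sync server" }
    $ma
}

# Execute a run profile synchronously and return its textual result
# ("success", "completed-export-errors", "stopped-server", ...).
function Invoke-RunProfile([string]$maName, [string]$profileName) {
    $ma = Get-MA $maName
    Write-Host ("{0}: starting run profile {1}" -f $maName, $profileName)
    $result = $ma.Execute($profileName).ReturnValue
    Write-Host ("{0}: {1} finished with '{2}'" -f $maName, $profileName, $result)
    $result
}

# Counters from the most recent run of the MA, as shown in the Synchronization Statistics frame.
function Get-LastRunSummary([string]$maName) {
    $ma = Get-MA $maName
    [pscustomobject]@{
        MA        = $maName
        Status    = $ma.RunStatus().ReturnValue
        Adds      = [int]$ma.NumImportAdd().ReturnValue
        Updates   = [int]$ma.NumImportUpdate().ReturnValue
        Deletes   = [int]$ma.NumImportDelete().ReturnValue
        CSObjects = [int]$ma.NumCSObjects().ReturnValue
    }
}

$status = Invoke-RunProfile 'MIM_MA' 'FI'
if ($status -ne 'success') {
    throw "Full Import of MIM_MA ended with '$status'; inspect the run history in the Synchronization Service Manager before continuing."
}

$summary = Get-LastRunSummary 'MIM_MA'
$summary | Format-List

# Against a fresh MIM Service database the first Full Import stages exactly two objects: the
# installer's administrator account and the Built-in Synchronization Account. A different count
# usually means the database is not new or the MA is pointed at the wrong database or instance.
if ($summary.Adds -ne 2) {
    Write-Warning ("Expected 2 adds from the first Full Import of MIM_MA, got {0}. Review the connector space before applying the filters below." -f $summary.Adds)
}
```

Because Execute blocks until the run profile completes, the same function can be chained for the normal FI, FS, EX sequence in a scheduled task, with each step gated on the previous returning success.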

Filter the FIM Install Account and Built-in Synchronization Account

The two staged objects are the MIM Service administrator account created by the installer and the Built-in Synchronization Account. Neither should be projected into the metaverse or provisioned to any connected system, so each is excluded with a connector filter on its distinguished name, which for FIM Service objects is the ObjectID GUID shown below.

Double Click Adds

Double Click the First Entry 7fb2b853-24f0-4498-9534-4e10589723c4

Highlight the Distinguished Name value

Right click, select copy

Select Close, Close

Double Click MIM_MA

Select Configure Connector Filter

Select Person

Select New

For the Data Source Attribute value select <dn>

For the Operator value select Equals

For the Value paste the clipboard value 7fb2b853-24f0-4498-9534-4e10589723c4

Select Add Condition

Select OK, OK

Double Click Adds

Double Click the Second Entry fb89aefa-5ea1-47f1-8890-abe7797d6497

Highlight the Distinguished Name value

Right click, select copy

Select Close, Close

Double Click MIM_MA

Select Configure Connector Filter

Select Person

Select New

For the Data Source Attribute value select <dn>

For the Operator value select Equals

For the Value paste the clipboard value fb89aefa-5ea1-47f1-8890-abe7797d6497

Select Add Condition

Select OK, OK
