cat brain | grep interesting >> blog


quick and easy fim r2 upgrade guide

As I pointed out in my last post, Microsoft has some conflicting documentation on TechNet.  Here is a quick guide that should get you a safe upgrade:

  1. Back up everything.  Databases, configs, and bare metal/complete backup of your servers/VMs just in case.  (Side note: Check out PHD Virtual for good, cheap VMware backup software).
  2. Make sure you are on build 3606 at the very least on both your FIM Service and Synchronization Server.
  3. One of the TechNet guides recommends setting the Recovery type on both databases to Simple so go ahead and do that if they aren’t already.  You can skip this step if you know what you’re doing and want Full on the FIMService database.
  4. Upgrade your Synchronization Server.
  5. Download SharePoint 2010 Foundation, launch it, install the prerequisites, and then install it on your Portal Server.
  6. Run the following query on the FIMService database to enable the SQL Broker, which is required for the upgrade:  "alter database FIMService set enable_broker with rollback immediate;"
  7. Upgrade your Service and Portal Server.
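
A read-only pre-flight check for steps 3 and 6, as an added example that is not part of the original post. SQLSERVER01 is a placeholder instance name, and FIMSynchronizationService is assumed to be the sync database's name (the installer default); the session count matters because "with rollback immediate" rolls back open transactions and disconnects other connections to the database.

```powershell
# Added example, not from the original post: report recovery model, Service
# Broker state and connected sessions for the FIM databases before upgrading.
# Placeholder: $SqlInstance. Assumption: default sync database name.
$SqlInstance = 'SQLSERVER01'

$stateQuery = @'
SELECT d.name, d.recovery_model_desc, d.is_broker_enabled,
       (SELECT COUNT(*) FROM sys.sysprocesses p
         WHERE p.dbid = d.database_id AND p.spid <> @@SPID) AS open_sessions
FROM sys.databases d
WHERE d.name IN ('FIMService', 'FIMSynchronizationService');
'@

$connString = "Server=$SqlInstance;Database=master;Integrated Security=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $stateQuery
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $name     = [string]$reader['name']
        $recovery = [string]$reader['recovery_model_desc']
        $broker   = [bool]$reader['is_broker_enabled']
        $sessions = [int]$reader['open_sessions']
        Write-Output ("{0}: recovery={1} broker={2} open_sessions={3}" -f $name, $recovery, $broker, $sessions)

        # Step 3: Simple is the recommendation; Full on FIMService is a deliberate choice.
        if ($recovery -ne 'SIMPLE') {
            Write-Warning "$name is in $recovery recovery, not SIMPLE (see step 3)."
        }
        # Step 6: the broker must be enabled on FIMService before the upgrade.
        if ($name -eq 'FIMService' -and -not $broker) {
            Write-Warning 'Service Broker is disabled on FIMService; run the step 6 statement.'
            if ($sessions -gt 0) {
                Write-Warning "$sessions other session(s) are connected and will be disconnected by WITH ROLLBACK IMMEDIATE."
            }
        }
    }
    $reader.Close()
}
finally {
    $conn.Close()
}
```
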
    • #fim
    • #fim 2010
    • #upgrade
    • #microsoft
    • #idm
    • #identity management
  • 9 months ago

using fim2010 for ad provisioning with outlook live or live@edu

If you want to use Forefront Identity Manager 2010 to provision to Active Directory and you are also using Outlook Live or Live@edu, you will need a second FIM synchronization server.  Once you install Galsync_x64.msi (currently obtained from support), it modifies metaverse attributes in a way that prevents the synchronization rules you created in FIM from working.  This is “working as intended” according to Microsoft support.  So you need one sync server and one portal server to do AD provisioning, and then one sync server with just the Galsync.msi MAs for Live@edu provisioning.

    • #fim
    • #fim 2010
    • #lame
    • #idm
    • #identity management
    • #Active Directory
  • 1 year ago

using fim2010 with live@edu or outlook live

So the documentation for using Forefront Identity Manager 2010 with Live@Edu/OutlookLive is pretty much non-existent right now.  I was told that, though it’s an officially supported configuration, the documentation is still a couple of months out from being published.  So if you want to get this set up without a consultant you face an uphill battle.  It took me a few days of running into issue after issue, but finally I got it all working.  Here are my notes on getting a successful install completed.  Hopefully it will help someone:

  1. Request 64bit GALSync.msi from MS Support.  This is important, make sure you get the right one from support.
  2. Install FIM Sync Service like normal on Windows 2008 R2. (This could be a guide on its own, sorry.)
  3. Update FIM via Windows Update.  Make sure to click “Update other MS Products” link to get FIM updates.
  4. On the Sync Server, install the hotfix: http://support.microsoft.com/kb/2272389.  The file name should be FIMSyncService_x64_KB2272389.
  5. On the Sync Server, install GALSync.msi; the installer should say “Outlook Live Management Agent”.  If the installer fails to complete, reboot, remove it if it shows up in Add/Remove Programs, and try again.
  6. Create UPN Suffix for same domain that Live@Edu will use if it is not currently the same in your domain.
  7. Create an OLSync account in domain (give it above UPN Suffix) and Live@Edu.
  8. In the Live@Edu Management Console, create a new role and add the OLSync account to it so you can use this account as your service account for syncing between on-prem and hosted.  Alternatively, you can follow these instructions:
    • Users and Groups
    • Outlook Live Control Panel
    • Roles & Auditing
    • New Role
    • Name it something like “OLSync Role”
    • Under Roles click add and choose “GalSynchronizationManagement”
    • Under Members click add and choose your OLSync Account
    • Save
  9. Go here and start at Step 6: http://help.outlook.com/en-us/140/Dd490636.aspx
  10. After Step 7 in the above link, don’t forget to populate your OUs with a couple of test users if they are empty, and be sure to set an email address for the users as well (otherwise sync will error out).
    • #fim
    • #fml
    • #live@edu
    • #timeillnevergetback
    • #fim 2010
    • #idm
    • #identity management
  • 1 year ago

using fim with live@edu or outlook live

The Outlook Live Management Agent (OLSync) is a modified version of GALSync for Outlook Live (Live@edu). It consists of two MAs (OnPremises MA & Hosted MA) that sit on the Synchronization Service server. It uses custom rules extensions to read from AD (OnPremises Connector Space) and to provision to Outlook Live (Hosted Connector Space). It has pre-built (but customizable to some degree) Attribute Flow and Projection/Join rules. 

It may be possible to integrate the provisioning code from the Hosted MA into the synchronization rules in the FIM Portal. To my knowledge, however, this is not currently supported with Live@edu. By “not currently supported,” I mean that Microsoft Live@edu Support may not provide technical support and/or guidance in this scenario. On the other hand, OLSync MA installed on FIM sync server is supported by Live@edu Support. 

You can receive the x64 OLSync MA from Live@edu Support. As I mentioned previously, OLSync is a modified version of GALSync. So, the file that Support will deliver is usually called Galsync.msi. This can be confusing.  When you attempt to install it, the installation wizard should say Outlook Live Management Agent. If not, contact support again.

    • #cloud
    • #fim
    • #idm
    • #live@edu
    • #fim 2010
    • #identity management
  • 1 year ago

error registering for password reset in fim

If you are just getting password reset implemented with FIM 2010 and your client gets “An error was encountered.  Please call helpdesk or your system administrator for further assistance.” try the following:

  1. Download the PSTools bundle from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  2. Extract PsExec.exe to your C:\ drive
  3. Open a command prompt as administrator and enter “cd c:\”
  4. Now enter “psexec.exe -s -d -i cmd.exe”
  5. A new command prompt window should open.  Now enter “mmc.exe”.
  6. Go to File -> Add/Remove Snap-ins
  7. Select Certificates on the left and click the “Add >” button in the middle
  8. Select “Computer Account” from the window that pops up, then Next, and then select “Local computer” and hit Finish
  9. Hit OK and you should be taken to the MMC window
  10. Expand Certificates on the left, then expand Personal, and finally click on Certificates under Personal
  11. Right click on the “ForefrontIdentityManager” certificate and choose “All tasks” then “Manage Private Keys…”
  12. Click Add and enter the name of the account running as the service account for the FIM Service
  13. Make sure “Read” is checked under Allow and hit OK

This apparently is a known bug with build 4.0.2592.0 (current version as of this writing).  Supposedly it will be fixed in Update 1 which does not have a street date just yet.
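
The check and grant from steps 10-13, scripted in PowerShell as an added example that is not part of the original post. It assumes Windows PowerShell and a CSP-backed RSA key stored under MachineKeys; CONTOSO\svc-fimservice is a placeholder for your FIM Service account. Run it from the SYSTEM prompt opened in step 4 if your admin account cannot read the key file's ACL.

```powershell
# Added example: audit, and optionally grant, Read on the private key of the
# ForefrontIdentityManager certificate (steps 10-13 above).
# Assumptions: CSP-backed RSA key under MachineKeys; placeholder account name.
$ServiceAccount = 'CONTOSO\svc-fimservice'   # placeholder: your FIM Service account
$Grant = $false                              # set to $true to add the Read ACE

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*ForefrontIdentityManager*' } |
    Select-Object -First 1
if (-not $cert) { throw 'No ForefrontIdentityManager certificate in LocalMachine\My.' }
if (-not $cert.HasPrivateKey) { throw 'The certificate has no private key on this machine.' }

# Machine CSP keys are files named after the unique key container.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Direct ACEs only; access granted through group membership is not resolved here.
$read = [int][System.Security.AccessControl.FileSystemRights]::Read
$hasRead = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $read) -eq $read)
}).Count -gt 0

if ($hasRead) {
    Write-Output "$ServiceAccount already has Read on the private key."
} elseif ($Grant) {
    # Read only, matching step 13.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Output "Granted Read on $keyFile to $ServiceAccount."
} else {
    Write-Warning "$ServiceAccount has no direct Read ACE on the private key."
}
```

With `$Grant` left at `$false` the script only reports, so it can also be used afterwards to confirm which accounts can read the key.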

    • #bleh
    • #fim
    • #fim 2010
    • #idm
    • #identity management
  • 2 years ago

free online training for forefront identity manager 2010

I’m currently working on implementing Microsoft’s identity management solution, Forefront Identity Manager 2010, and came across this TechNet page with a free “course” for FIM 2010.  Upon further inspection (check out the PDF names) it looks to be the exact material for the MS official course 50382A. 

    • #FIM
    • #free training
    • #identity management
    • #microsoft
    • #technet
    • #fim 2010
    • #fim
    • #idm
  • 2 years ago
My name's Josh and I'm a SysAdmin. I post stuff that I think will be helpful to others.

My opinions/posts on my blog and Twitter are my own and do not reflect the views of my current or former employer(s).
