Thursday, May 20, 2010

Restoring your FIM databases to the moment before oops

At the FIM Birds of a Feather (BOF) after a discussion about FIM database backups I was asked to make a blog post to more fully elucidate the benefits of using the full recovery model.

Since recovery models affect the transaction log, you may find the following background on transaction logs useful:

• The data in tables and indexes is stored in data files, not in the transaction log.

• The transaction log (T-Log) is like a court stenographer, serially noting down everything that took place without sorting or cataloguing it.

• This gives SQL Server reliability, recoverability and speed: as data changes happen they are applied to the data pages loaded into RAM and written to the T-Log on disk (a quick serial write).

• Upon checkpoint (approximately once a minute) the changed pages are written to the data files.

The first thing to note is that there are three recovery models for SQL Server databases, but in practice you will find yourself choosing between Full and Simple, as Bulk-Logged is only used temporarily.



There are also 3 backup types:


If you are in Simple you cannot back up the log.

If you are in Full you must back up the log, because after your first full backup the log begins to fill up and will not empty itself (truncate) until you perform a log backup or switch the database to Simple.

The benefit to being in full is that you can then restore your databases to a moment in time.
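As an added example (not code from the original post), this T-SQL shows how to check which recovery model each FIM database is in and what its log is waiting on, switch it to Full, start the log chain with a full backup, and confirm that a log backup lets the log truncate. The database names FIMService and FIMSynchronizationService are the FIM 2010 defaults; the backup path is a placeholder.

```sql
-- Added example, not part of the original post. Assumes the default FIM database
-- names; c:\sqlbackups is a placeholder path that must exist on the SQL Server.
USE master;
GO

-- 1. Recovery model and log status of the FIM databases.
--    log_reuse_wait_desc = 'LOG_BACKUP' means the database is in Full and the log
--    will not truncate until a log backup runs; 'NOTHING' means it is free to reuse.
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases
WHERE name IN ('FIMService', 'FIMSynchronizationService');

-- 2. Switch the FIM Service database to Full. The log chain only starts with the
--    next full backup, so take one immediately after the switch.
ALTER DATABASE FIMService SET RECOVERY FULL;

BACKUP DATABASE FIMService
    TO DISK = 'c:\sqlbackups\FIMService_full.bak'
    WITH INIT, STATS = 10;

-- 3. Routine log backup (schedule this). Each log backup truncates the inactive
--    part of the log and extends the chain you can restore to a point in time.
BACKUP LOG FIMService
    TO DISK = 'c:\sqlbackups\FIMService_log1.bak'
    WITH INIT, STATS = 10;

-- 4. Confirm the log space is being reused: the "Log Space Used (%)" column for
--    FIMService should drop after the log backup, and the wait should be NOTHING.
DBCC SQLPERF(LOGSPACE);

SELECT name, log_reuse_wait_desc
FROM sys.databases
WHERE name = 'FIMService';
```

Run it in SQL Server Management Studio as a member of sysadmin or db_backupoperator. If the first query already shows LOG_BACKUP as the wait reason with no log backup job in place, that is the "log fills up and never truncates" situation described above, and step 3 is the fix rather than a switch back to Simple.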

So let’s say that you are doing a long-running initial load into the FIM Service database, or you have just finished and begun something new, and to your horror you realize that you just imported from a test system into production FIM. Or you were moving configuration over from test to prod and it goofed up. Back in the ILM days you could clear your connector spaces and reload. You can still do that today, although I was told that you should never clear the FIM MA connector space. Additionally, reloading data into the FIM Service can be quite time consuming.

So it can be much more productive to restore the affected database right up to the moment before the disaster. You may need to restore both databases to the same moment, or only one may be affected. I will illustrate with one.

The first step is to confirm the time at which you want to stop by examining the request history in the FIM Service or in the Synchronization Service Manager.

Next, stop the appropriate services.

From here on this is a T-SQL script; all directions are prefaced with double dashes so that they are comments in T-SQL.

-- Perform a log backup with NO_TRUNCATE; some refer to this as an emergency log backup or backing up the tail of the log.
-- NORECOVERY leaves the database in the restoring state so that nothing else writes to it before the restore.

BACKUP LOG FIMService TO DISK = 'c:\sqlbackups\FIMService_taillog.bak' WITH NO_TRUNCATE, NORECOVERY

-- Next restore your latest full backup (you will need to ensure that no one is connected to the database).

RESTORE DATABASE FIMService FROM DISK = 'c:\sqlbackups\FIMService_full.bak' WITH NORECOVERY, STATS = 10

-- The NORECOVERY option tells SQL Server that you have more to restore and not to make the database available yet.

-- Then restore all of the intervening transaction log backups, in order, since the full backup, leading up to but not including the tail-log backup taken with NO_TRUNCATE.

RESTORE LOG FIMService FROM DISK = 'c:\sqlbackups\FIMService_log1.bak' WITH NORECOVERY, STATS = 10

-- Repeat the above command for every transaction log backup since the full, but not the tail.

-- Finally restore the tail, and here is the magic: STOPAT stops applying the log at the moment before the disaster.

RESTORE LOG FIMService FROM DISK = 'c:\sqlbackups\FIMService_taillog.bak' WITH NORECOVERY, STATS = 10, STOPAT = 'Mar 15, 2010 12:15:23 AM'

-- Every restore above used NORECOVERY, so the database is still in the restoring state; recover it to bring it online (nothing further can be restored after this).

RESTORE DATABASE FIMService WITH RECOVERY

-- Then restart the appropriate services.
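The whole procedure above as one added T-SQL script (example code, not the post's own), extended in two ways: it first lists the backup chain that SQL Server recorded in msdb, so a deleted log backup or a switch to Simple that broke the chain is noticed before the full restore is started, and it puts STOPAT on every log restore rather than only on the tail, so a log backup that happens to span the stop time is also applied only up to that moment. The stop time and backup paths are placeholders; FIMService is the FIM 2010 default database name.

```sql
-- Added example, not part of the original post. FIMService is the default FIM
-- Service database; paths and the stop time below are placeholders.
USE master;
GO

-- Placeholder: the moment before the oops, taken from the FIM request history.
DECLARE @StopAt DATETIME;
SET @StopAt = '2010-03-15T00:15:23';

-- 1. The backup chain as recorded in msdb, oldest first: one full backup (type D)
--    followed by the log backups (type L). Consecutive log backups must have
--    last_lsn of one equal to first_lsn of the next; a gap means a missing log
--    backup and the point-in-time restore cannot get past it.
SELECT bs.database_name, bs.type, bs.backup_start_date, bs.backup_finish_date,
       bs.first_lsn, bs.last_lsn, bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.database_name = 'FIMService'
ORDER BY bs.backup_start_date;

-- 2. Tail-log backup: captures everything since the last log backup and leaves the
--    database in RESTORING state so nobody can write to it while we work.
BACKUP LOG FIMService
    TO DISK = 'c:\sqlbackups\FIMService_taillog.bak'
    WITH NO_TRUNCATE, NORECOVERY;

-- 3. Full backup, then each log backup in order, all WITH NORECOVERY.
--    STOPAT on every log restore is safe: a log backup that ends before @StopAt
--    is applied in full, and the one that spans @StopAt is applied only up to it.
RESTORE DATABASE FIMService
    FROM DISK = 'c:\sqlbackups\FIMService_full.bak'
    WITH NORECOVERY, STATS = 10;

RESTORE LOG FIMService
    FROM DISK = 'c:\sqlbackups\FIMService_log1.bak'
    WITH NORECOVERY, STOPAT = @StopAt, STATS = 10;

-- (repeat the RESTORE LOG above for every log backup listed in step 1)

RESTORE LOG FIMService
    FROM DISK = 'c:\sqlbackups\FIMService_taillog.bak'
    WITH NORECOVERY, STOPAT = @StopAt, STATS = 10;

-- 4. Bring the database online. After this no further log can be applied.
RESTORE DATABASE FIMService WITH RECOVERY;

-- 5. Sanity check before restarting the FIM services: state_desc must be ONLINE.
SELECT name, state_desc FROM sys.databases WHERE name = 'FIMService';
```

If the full restore in step 3 is refused because the existing database's tail was not backed up, that means step 2 did not run against this server; take the tail-log backup first rather than adding WITH REPLACE, which would discard those last changes.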

Tuesday, May 18, 2010

ADFS v.2 shipped

Active Directory Federation Services v2 Ships!

This is awesome stuff – with ADFS v2 we can help you setup SSO with your SaaS vendors.



Here is an example that has been rendered generic.

ADFS 2.0 supports SAML 2.0 (the idp lite profile and rdp lite profile) which opens up many federation doors and WIF allows us to write custom security token services (sts) just in case the idp lite and rdp lite profile support isn’t up to handling the interaction.

TEC Decks Posted!

If you attended TEC you can now get the slide decks by registering on

and accessing the following item: TEC 2010 Conference Materials Have Been Posted!

You can find my sessions here:

  • Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS
    Without proper care and feeding of your databases (FIM Meta Directory Services, FIM Certificate Services, FIM Web Service, RM...

  • FIM 2010 Performance Tuning (SQL and more)
    Learn how to tune FIM 2010 to make it scream. Take a look at the various architectures and what they buy you. Learn how cruci...

Brad's sessions are here:

  • Applying Policy Retroactively with FIM 2010
    Abstract not available.
  • Using DFS and GPO in ILM High Availability Scenarios
    This presentation will demonstrate how ILM Architects, Engineers, and Administrators can leverage Active Directory Distributed File System (DFS) to replicate solution content between the primary ILM server and the warm-standby server as well as...

Joe Zamora:

  • Custom Workflow Development in FIM 2010
    Get an in-depth look at the extensibility of Forefront Identity Manager 2010 through the use of custom workflow development. Although FIM 2010 includes a new “codeless provisioning” feature set, you’ll find that you can’...

Other Ensynch Presentations:

  • Federated SSO Solutions Using SharePoint 2010
    In the world of on premise and hosted “cloud based” solutions, how can you best simplify your coexistence strategy? Attend this session presented by Ensynch’s Identity Management and SharePoint teams to see how the combined kn...
  • Building Exchange 2010, Managing and Integrating with Exchange Online via Microsoft Business Productivity Online Services (BPOS)
    Microsoft Exchange 2010 is available both as on-premise software and as a hosted service, and you can now choose the right deployment option for your organization, whether you deploy Exchange Server on-premises, host your mailboxes with Exchange Onli...
Monday, May 17, 2010

TEC 2010 -- Results

TEC 2010 was a blast. In the kickoff Gil Kirkpatrick issued several challenges, including one to Brad Turner to simulate the workings of the FIM Sync Engine. Eventually we expect to see a video of the final presentation posted to YouTube. In the interim Brad has some nice pictures posted: TEC 2010 – Annual Wook Lee Memorial Challenge for Identity Results

I attended Craig Martin’s session “Automate FIM deployment with Powershell” and learned a few things about the FIM Powershell commandlets.

Next I split my time between Joe Zamora’s session on Custom Workflow in FIM 2010 and Gil and Jeremy’s session on Reporting in FIM 2010. (I had swapped my session time on Monday with Joe’s Wednesday time as I was worried that the Icelandic volcanic ash cloud was going to keep me from getting there on Monday – but it didn’t.) I enjoyed both. I am afraid my late arrival in Gil and Jeremy’s session caused a bit of a stir, as they were discussing some of their SQLXML tricks and Jeremy told everyone that wanted to know more about it to ask me (as I am looking at their stuff for the first time). I think Gil and Jeremy had a great presentation with a fascinating proof of concept. I heartily endorse their statements regarding this not being a production-ready setup, but I love what they showed.

Other concerns caused me to miss the rest of the afternoon. The Quest Hospitality Suite was nice.

Tuesday morning I put the finishing touches on my presentations and then attended Jack Kabat’s session on Deploying FIM; he provided some good advice on how to handle the initial load scenario.

After lunch I presented on Care and Feeding of Databases. I had quite a wide range of attendees. Some were interested in the SharePoint databases, others in OCS, and of course the majority in FIM Service and Sync. There were also a few who needed to know about FIM CM. I did also show a few photos from my recent trip to Prague, including my evidence of elven habitation (they had their own check-in kiosk at the Prague Airport).


That night we (Ensynch) had a great party at the ESPN Zone watching the Lakers eliminate the Oklahoma City Thunder. We rented out the Championship Lounge, which is above the rest of the facility and feels like a skybox, including big windows out of which you can see the big screen at the bar. We were 100 yards away from the Staples Center, so after the game we had to fend off some game attendees intent on crashing our party.

Wednesday morning I presented on FIM Performance Tuning and talked about the performance improvements that are possible. Then Brad spoke about using ROPU (Run On Policy Update, which we pronounce "Rope You", because it ropes you into doing more things) and its power.

If you want access to the slides and videos etc. you need to register on