Thursday, December 16, 2010

Amazon–FIM Best Practices Volume 1

Apparently one of the Amazon marketplace sellers has decided to list my book on Amazon.

So I am excited that it can now be found on Amazon, but it should be noted that Old Shingled House has marked it up to $49.95, a 99.5% markup. Old Shingled House is buying them through Lulu at the regular rate of $25.00. Whether you buy it through Amazon or through Lulu, I still get my normal cut; the question is how much you pay. Now, lest you think Old Shingled House is being greedy, I did look at what it takes to make the book available on Amazon through the marketplace or by having Lulu place it out there, and there certainly are extra costs. So if you found it through Amazon, good. If you found it at Lulu and bought there, even better for you.

Tuesday, December 7, 2010

Buy FIM Vol 1 and Get free ground shipping through Dec 12th

From LULU:

Enter coupon code HOLIDAY305 to receive free ground shipping. Shipping address must be within the United States. The maximum savings for this offer is $45. Sorry, but this offer is only valid in US dollars and cannot be applied to previous orders. You can only use this code once per account, and unfortunately you can't use this coupon in combination with other coupon codes. This great offer expires on December 12, 2010 at 11:59 PM PST, so don't miss out! While very unlikely, we do reserve the right to change or revoke this offer at anytime, and of course we cannot offer this coupon where it is against the law to do so.

Click here to look at the book: http://www.lulu.com/spotlight/david_lundell

Friday, December 3, 2010

Law of Unintended Consequences

In the process of setting up to teach 50382A - Implementing Forefront Identity Manager 2010 in Phoenix, AZ (Feb 8-11 and May 23 – May 26; registration info to follow in a subsequent post) and looking at other courses in the Microsoft Courseware library, I have noticed an interesting trend: most courses have lots of very bland reviews like this:

“Good Course”

“Good one”

“Good content and best practices”

“nice course”

“passed”

“Good course”

“passed”

Why in the world would one class have so many reviews that just say the same thing – which is to say nothing? Why would so many courses have a similar listing of vacuous reviews? Could you imagine if the reviews on BN.com or Amazon were all like this?

The Law of Unintended Consequences: Microsoft made a change to their partner program for training centers (Learning Solution Partners). Part of the change involves how they earn enough points to maintain their competency and how they earn enough points to go from Silver to Gold. One of the ways to earn points is to submit reviews on courses. So by reviewing a number of courses, people working for Learning Solutions partners can earn points for their employer. Thank goodness there is a limit on how many they can earn this way, or I am afraid there would be a never-ending feed of inane reviews. Encouraging people to review courses is actually a good idea; however, there is no real quality check. Somehow I suspect that the reviewers who provided these vapid comments didn’t read the course or perform the labs, or at the very least they certainly lack imagination. I mean, they could have looked at the outline and said, “Oh, I like module X on topic Y.” At least then their “reviews” would appear a bit more convincing.

Having these idiotic reviews is worse than having none at all.

So remember this when setting up your incentive systems, lest the Law of Unintended Consequences reaches out to muddy up your system.

Tuesday, November 30, 2010

Get 25% off of FIM Best Practices Volume 1 Today only

Lulu is offering 25% off, valid today only through 11:59 PM (EST) and only in the US. So you can order FIM Best Practices at 25% off. Enter the following promo code at checkout: CYBER305

Click here to look at the book: http://www.lulu.com/spotlight/david_lundell

Sunday, November 14, 2010

Webinar is available for viewing

The webinar on Friday went well. Here it is available for viewing at your pleasure.

Thursday, November 11, 2010

Case Study: Real World organizations simplify Identity Management

Tomorrow morning at 8 AM PST I will be participating as a speaker in a webinar with Jonathan Sander from Quest.

 

http://www.brighttalk.com/webcast/22703 

 

Successful identity and access management means different things to different organizations, but in almost every case, it requires complex, time-consuming, and expensive solutions. However, an ever-growing number of organizations have found a new way to achieve their identity and access management objectives simply, inexpensively, and powerfully.

In this webcast, identity and access management experts will discuss how organizations like yours have discovered and are implementing a simplified approach to identity and access management.

 

WHEN:  Live Tomorrow, November 12, 8am PDT / 11am EDT, or after on demand

TOPICS COVERED:

  • Consolidating identities and directories
  • Automating processes
  • Unifying roles, policy, workflow, and attestation

The webcast can be viewed and shared using this link: http://www.brighttalk.com/r/V6f

Monday, October 18, 2010

TEC 2010 Europe – Sweet German Chocolate!

Overall TEC 2010 Europe in Dusseldorf, Germany was pretty cool. I enjoyed the speakers’ reception on Sunday night and got to meet some folks from the SharePoint side, some of whom are even interested in FIM, and one of them bought my book!

For the first time I was able to bring my wife along to TEC! We enjoyed some good time in Dusseldorf, including seeing Schloss Benrath (Benrath Palace).

Monday we started off with a keynote from Uday Hegde and Mark Wahl on the future of directory and identity technologies. It was mostly an overview and demo of the various MSFT identity technologies: FIM, RMS, ADFS etc. I did enjoy Mark’s well-prepared video demo. He clearly had practiced the timing quite well, explaining as the mouse moved across the screen carrying out his demo.

I spent some time in the solution lab taking a look at Quest’s newest acquisition, Active Entry (part of the Voelcker acquisition). It is quite an exciting product, with role mining and RBAC capabilities. More on that at another time.

I loved Brian Komar’s presentation on how to screw up your PKI. I know he has titled it the other way, but if you take your notes the wrong way then he is teaching you how to screw up. But if you study it the right way it is quite an insightful look into how to avoid huge mistakes!

For the next session it was a close call between “Claims Provisioning and the Cloud” by Mark Wahl and Andreas Kjellman and Joe Kaplan’s “Add LDAP and Two-Factor Auth to ADFS v2”. I chose to attend Joe Kaplan’s session. It really was quite interesting to see the tack he took to add in LDAP auth and two-factor. Even funnier was how Joe revealed his grand deception: his two-factor authentication component was accepting any password.

After lunch I skipped Jeremy Palenchar’s awesome session on Logging and Auditing with FIM (I saw it in LA back in April) in order to relax before my Care and Feeding of Identity Databases session. As always, presenting at TEC is great fun. I gave away a few copies of FIM Best Practices Volume 1 in the session. Then Brad Turner spoke on FIM and ILM high availability.

Monday night’s reception was great fun. I had quite a thrill talking to so many readers of my blog and book.

Tuesday morning I enjoyed Mark Wahl’s presentation on Integrating FIM into IT Service Management. While it was geared towards using System Center Service Manager as a data warehouse, the thought of integrating automated identity management with help desk and asset management is quite intriguing. Then Brad spoke about applying FIM policy retroactively with ROPU, “Run on policy update”, which we refer to as Rope You.

I attended part of Jackson Shaw’s Evolution of the Identity Market. He had a fascinating story of how the destruction of one company’s directory led to the meta directory concept.

After lunch I delivered my session on FIM Performance Tuning. It was a bit surreal: I was asked to personalize several copies of FIM Best Practices Volume 1.

I enjoyed being able to attend Andreas Kjellman’s session on how to avoid a FIM support call. I thought the feedback about the common support items was invaluable.

Wednesday we skipped out to do some sightseeing.

Wednesday, September 29, 2010

Details of Errata

 

Here is what the text on page 183 should say (the italicized items are the new or changed bits of text)

Unattended Install of the FIM Client

This is the component for which you will perhaps most desperately see the need for an unattended install.

Use the following table to help you plan your install as well as to understand the relationship between the UI parameters, the Unattended parameters and where these items are persisted. These items can also be controlled through Group Policy templates that are shipped with the product.

These items are persisted in one of four spots in the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\
  • Add-ins
  • Extensions
  • Extensions\Intranet

Errata and Updates to FIM Best Practices Volume 1

Thanks to several readers, including Freek Berson, for catching a few errors I made while revising after my first round of reviewers.

Changes: in version 1.1 (Sept 28, 2010)

Chapter 1, updated the manager to director card, previously the word director was not visible (page 2)

Manager

Director

Chapter 1, fixed the “Error Missing Reference” on page 4 to refer to Figure 1-2, Actual Photo of Smart Card

Fixed client unattended install in Chapter 7: deleted reference to config files and corrected registry references.

Updated bio

 

Here is the beauty of Print on Demand: I have fixed the errors listed above and released a new version of FIM Best Practices Volume 1 through Lulu. As of now, all new copies ordered will have the above corrections.

A lot of folks have asked about an e-book, and I am looking into that. Others have asked about Volume 2, and I am working on that. For now my target date for Volume 2 is December.

Wednesday, September 15, 2010

Extinguishing Cystic Fibrosis

Well, we are on our way towards our goal of $2000, but we need more help (please make a donation).


Refresher:

Every year Ensynch sponsors the Ensynch Stairclimb and Firefighter Challenge. The purpose of the event is to raise money for research on Cystic Fibrosis. The event is this Saturday, in Phoenix at Arizona Center (5th Street & Van Buren). This year I am heading up the Stripes team; we have a goal of raising $2000 by this Saturday. Many of our teammates at Ensynch will be climbing stairs. If you live in Phoenix or will be here this Saturday you can participate too (you can climb, or come and cheer as part of the no-sweat supporters). Alternatively, you can sponsor one of the climbers or make a donation in our team’s name. The event also includes cheering on different firefighting teams as they perform their challenges!

 

Last year there was food and various family friendly activities. My kids had a blast!

Monday, September 13, 2010

Fighting Cystic Fibrosis

Every year Ensynch sponsors the Ensynch Stairclimb and Firefighter Challenge. The purpose of the event is to raise money for research on Cystic Fibrosis. The event is this Saturday, in Phoenix at Arizona Center (5th Street & Van Buren). This year I am heading up the Stripes team; we have a goal of raising $2000 by this Saturday. Many of our teammates at Ensynch will be climbing stairs. If you live in Phoenix or will be here this Saturday you can participate too (you can climb, or come and cheer as part of the no-sweat supporters). Alternatively, you can sponsor one of the climbers or make a donation in our team’s name. The event also includes cheering on different firefighting teams as they perform their challenges!

 

Last year there was food and various family friendly activities. My kids had a blast!

 

Tuesday, September 7, 2010

Default GalSync Connector Filter

Using FIM 2010 RTM Update 1:

The default GalSync Connector Filter filters out user objects that are hidden from the address book, OR are missing the legacyExchangeDN, OR are missing both msExchangeHomeServerName and targetAddress, OR are missing proxyAddresses, OR are a Mailbox Plan, Arbitration Mailbox, or Discovery Mailbox.

Consequently, this answers the question: are mail-enabled users filtered out by default?

No they are not, as a mail-enabled user will have the target address populated, and none of the other rules will filter it out.

Saturday, September 4, 2010

When moving the FIM DB ensure FT Indexing enabled

I just found a very intriguing blog post from Thomas Vuylsteke about a potential danger when moving your FIM Service database from one SQL Server to another: The case of the new attributes that didn’t want to be found

In short, there is the potential that when you move the database, it might arrive on the new server with Full Text Indexing disabled. The way Thomas tumbled to the problem was that he couldn’t search for a new attribute.

His post has a clever title and is well written, exposing a potential problem.

Wednesday, September 1, 2010

TEC Europe – Come hear me speak!

I will be presenting at TEC Europe in Dusseldorf, Germany, Oct 4-6. During my sessions I will give away a copy or two of my book, FIM Best Practices Volume 1.

FIM 2010 Performance Tuning (SQL and more)
Speaker:
David Lundell

Learn how to tune FIM 2010 to make it scream. Take a look at the various architectures and what they buy you. Learn how crucial SQL is to FIM performance and what to do about it. You’ll also learn tips for workflows and the FIM web service and receive a crash course in SQL Server optimization.

Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS
Speaker: David Lundell

Without proper care and feeding of your databases (FIM Meta Directory Services, FIM Certificate Services, FIM Web Service, RMS, SharePoint and OCS logging), chaos will result. Learn to conquer the chaos as David Lundell, SQL expert and ILM/FIM MVP, teaches you appropriate backup strategies, database and index maintenance tactics, and performance optimization tricks including guidance on fillfactor settings for SharePoint. You will also receive a crash course in the SQL Transaction Log, SQL Recovery Models, Database Maintenance Plans, Index Optimization, SQL Backups, and SQL Agent Jobs.

 


Sunday, August 29, 2010

The Book is here! FIM Best Practices Volume 1 is Available

 

To purchase a copy of the book please follow this link.

The best view to present from the Lulu site is probably this one: http://www.lulu.com/spotlight/david_lundell as it has the brief description of the book and the author bio.
You also have the ability to preview a few parts of the book.
The book came out to 258 pages from cover to cover, and yes, we included an index! By publishing it through Lulu.com (a Print on Demand company) we got to be much more in control of the whole process and had a faster time to market.
Here are some comments from folks that have had access to pre-release copies:
“This first volume is really one for the bookshelf, close at hand. Really looking forward for more of this! … David and Brad did a good job on this first volume, by breaking up the information in to digestible pieces. And the great sense of humor makes it nice to read” – Peter Geelen, FIM MVP, Sr. Consultant Identity Management, Traxion

“I found this to be a valuable, clear and thorough guide to the FIM 2010 installation and setup process.” – Glenn Zuckerman, Microsoft Corporation

“The volume is well laid out and provides loads of detail.” – Craig Martin, FIM MVP, Sr. Manager, Edgile

Contents
CHAPTER 1: What is Identity Management? (p. 1)
  Not Image Consulting! (p. 1)
  What is Identity Management? (p. 1)
  Why is IDA important or why should you care? (p. 5)
  Business Problems (p. 6)
  Technical Problems (p. 7)
CHAPTER 2: Forefront Identity Manager 2010 (p. 11)
  The History of Forefront Identity Manager 2010 (p. 11)
  FIM’s Capabilities (p. 13)
  Provisioning (p. 14)
  Automatically updated groups (p. 16)
  Self-Service Password Management (p. 17)
  Self-Service Profile Management (p. 20)
  Synchronization (p. 20)
  Self-Service Group Management (p. 21)
  Provision a contractor using the FIM Portal (p. 22)
  Policy Management and Workflow (p. 23)
  Certificate and smart card management (p. 24)
  Deprovisioning (p. 24)
CHAPTER 3: FIM Architecture (p. 25)
  FIM Components (p. 26)
  Overview (p. 26)
  Listing (p. 26)
  Identity Stores (p. 27)
  FIM Synchronization Service (p. 29)
  FIM Sync Database (p. 31)
  Management Agents (p. 32)
  FIM Web Service (p. 35)
  FIM Web Service Clients (p. 37)
  FIM Certificate Management (p. 39)
  FIM Extensibility (p. 39)
  Architecture Summary (p. 40)
CHAPTER 4: FIM Installation Topologies (p. 43)
  FIM Server Roles (p. 43)
  Role Combinations (p. 44)
  Scale (p. 45)
  High Availability (p. 46)
  Various Topologies (p. 49)
CHAPTER 5: Sizing Your FIM Installation (p. 63)
  Philosophy – One size does not fit all (p. 63)
  Hardware (p. 64)
  Scale (p. 65)
  Database Sizing (p. 68)
  Load (p. 69)
  Complexity (p. 71)
  Scale, Load and Complexity Points (p. 72)
  Choose your topology and hardware (p. 72)
  Choosing the Right Edition of SQL Server (p. 73)
  Sizing SQL Server for the FIM Service DB (p. 76)
  Sizing SQL Server for the FIM Synchronization Service DB (p. 77)
  Sizing FIM Service Servers and FIM Portal Servers (p. 77)
CHAPTER 6: Installing the Prerequisites (p. 79)
  Service Accounts (p. 81)
  FIM Sync Domain Groups vs. Local Groups (p. 82)
  Create Domain Global Groups for FIMSync (p. 82)
  Installing Prerequisites (p. 88)
  FIM Sync Prerequisites (p. 88)
  FIM Service Prerequisites (p. 98)
  FIM Portal and Password Portal Prerequisites (p. 110)
  FIM Client Prerequisites (p. 126)
CHAPTER 7: Installing FIM (p. 129)
  Installing the FIM Synchronization Service (p. 130)
  Verifying the Installation of FIM Sync Service (p. 141)
  Unattended install of FIM Synchronization Service (p. 145)
  FIM Sync Post Install Tasks (p. 148)
  Installing the FIM Service and Portals (p. 149)
  Verifying the FIM Service and Portal Installation (p. 163)
  Installing the 2nd Instance of the FIM Service and Portal Together (p. 166)
  Installing Just the FIM Service (p. 166)
  Installing 2nd Instance of Just the FIM Service (p. 166)
  Installing Just the FIM Portal or Password Portal (p. 167)
  Installing 2nd Instance of Just the FIM Portal or Password Portal (p. 167)
  Unattended installation of the FIM Service and Portal (p. 167)
  Post Install Tasks for FIM Service (p. 172)
  Installing the FIM Client (p. 173)
  Verifying the FIM Client Install (p. 182)
  Unattended Install of the FIM Client (p. 183)
CHAPTER 8: Updating the FIM Components (p. 187)
  Finding updates (p. 187)
  Preparing for updates (p. 188)
  Applying Updates (p. 192)
  Sync (p. 192)
  Validating the Sync update (p. 194)
  Service and Portal (p. 195)
  Validating FIM Service update (p. 197)
  Client Update (p. 197)
CHAPTER 9: Post Install Tasks (p. 201)
  Database Configuration (p. 201)
  Database Maintenance (p. 205)
  Adding other users to the Portal (p. 208)
  Portal Configurations (p. 210)
  Edit the PortalConfiguration object and change the default timezone (p. 210)
  Remove the RegEx from EmployeeType attribute and binding (p. 215)
  Enable and modify a few Management Policy Rules (p. 217)
  Create some custom search scopes (p. 221)
Conclusion (p. 227)
Index (p. 229)

Friday, August 20, 2010

Book update

Early last week I sent the book out for review. I have been digesting the excellent feedback I have gotten (thanks to Peter Geelen, Paul Loonen, Andreas Kjellman, and Glenn Zuckerman). Apparently, they liked Brad’s architecture diagrams more than mine (so do I) so I need to update the other architecture diagrams to be like his. They really do look neater. Check out this one on FIM multi-tier with an admin partition:

[diagram: FIM multi-tier architecture with an admin partition]

 

The larger obstacle to updating the book has been my back – I hurt it last Saturday lifting some furniture. That has made for a difficult time sitting and editing. Nonetheless, I persevere. New target date for release is Monday.

ADFS v2 Test Report -- Found

Something has happened with the Project Liberty website and most links to it are now broken, including the link to the test results from last year, which include which profiles ADFS v2 passed. So here it is:

http://projectliberty.org/liberty/content/download/4732/32917/file/SAML_3Q09_%20IOP_Test_Event_Final_Report.pdf

ADFS v2 passed: IDP Lite, SP Lite, eGov 1.5

Thursday, July 29, 2010

The Book: FIM Best Practices Volume 1

In two weeks we (Brad Turner is my co-author) will make available for ordering a book on FIM entitled:

FIM Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010

Information on order will be posted here on my blog

This will be the first book on Forefront Identity Manager in English that is not focused on Certificate Management (Brian Komar wrote a book on FIM Certificate Management deployment, and two gentlemen from Japan wrote a book on FIM in Japanese, as blogged about by fellow MVP Naohiro Fujie).

Here is the Current Table of Contents:

  • Chapter 1: What is Identity Management? Provides a brief introduction to Identity Management.
  • Chapter 2: Forefront Identity Manager 2010. Introduces Forefront Identity Manager 2010, including a walkthrough of the lifecycle of one user, Feather Stone, a new employee at Snappy Slackers.
  • Chapter 3: FIM Architecture. Gives a good understanding of FIM architecture.
  • Chapter 4: FIM Installation Topologies. Discusses how the various FIM components can be installed and why to choose one topology over another.
  • Chapter 5: Sizing Your FIM Installation. Expands greatly upon the FIM Capacity Planning guide from Microsoft, helping you estimate your scale, load and complexity, and then provides a methodology for sizing your FIM servers and picking your topology. Includes flow charts to help you decide which components need to be highly available and which edition of SQL Server to use.
  • Chapter 6: Installing the Prerequisites. Installing the prerequisites is complex, so we have created excellent flow charts to help you through it and include lots of discussion around decision points (like WSS stand-alone or farm).
  • Chapter 7: Installing FIM. Screen shot by screen shot we guide you through installing the FIM components. Also not to be missed are our sections on unattended install, where we match the UI install settings to the unattended ones and note where they are persisted (registry, databases, config files etc.).
  • Chapter 8: Updating the FIM Components. FIM already has an update; learn screen shot by screen shot where to get it, how to prepare for it, and how to install it.
  • Chapter 9: Post Install Tasks. Get ready to get rolling with FIM by setting up some database maintenance and creating a few objects in the portal.

 

This will be the first of several books in a series.

The following are possible titles for follow ups:

  • FIM Best Practices Volume 2: Using Forefront Identity Manager 2010 to Provision, Deprovision, Synchronize and provide Self-Service
  • FIM Best Practices Volume 3: Microsoft Forefront Identity Manager 2010 Operations and DBA Guide
  • FIM Best Practices Volume 4: Go Codeless -- Digging Deep with Advanced Features in Microsoft Forefront Identity Manager 2010
  • FIM Best Practices Volume 5: Got Code? Customizing Microsoft Forefront Identity Manager 2010 with .NET Code

Work on Volume 2 is underway and will cover:

  • Synchronization from HR to the Portal
  • Synchronization To and From AD and the Portal
  • Sets, Management Policy Rules, Workflows
  • Self-Service Profile Management
  • Self-Service Password Reset
  • Self-Service Group Management
  • Policy Management and Workflow
  • Deprovisioning

Tuesday, July 20, 2010

Embedding comments in your XPATH Filters

 

One thing I love to do is provide self-documenting code and configurations. When I have to customize sets, the XPATH filter can get a bit complex, so I recently found a way to comment the XPATH filter in my sets and groups:

/Person[starts-with(DisplayName,'%')] <!-- Only with DisplayName --> </Filter>

 

By using <!-- --> to enclose my comments, and only after the last closing ] of the predicate, I can comment on the filter itself.

The following will error (don’t put the comment inside the predicate []):

/Person[starts-with(DisplayName,'%') <!-- Only with DisplayName --> ]</Filter>
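The placement rule above is easy to get wrong once filters nest predicates or contain quoted strings, so here is a small checker for it. This is an added example, not code from the original post: it scans the XPath text of a set or group filter and reports any <!-- --> comment that sits inside a predicate or anywhere before the expression's last closing ], while ignoring brackets and "<!--" sequences that appear inside XPath string literals. The sample filters in the block are constructed for illustration; how FIM itself parses the comment is not modelled, only the rule the post states.

```python
"""Checker for comment placement in FIM set/group XPath filters.

Added example (not from the original post). It encodes the post's rule:
an XML comment is only safe after the last closing ']' of the predicate,
never inside it. The filter strings used below are constructed samples.
"""


def check_filter_comments(xpath):
    """Return a list of findings (empty means the comments are placed safely).

    Scans the filter text once, tracking the '[' nesting depth and whether
    the scanner is inside a single- or double-quoted XPath string literal,
    so that brackets or '<!--' inside a literal are not misread.
    """
    findings = []
    comments = []       # (start offset, end offset, predicate depth at start)
    depth = 0           # current '[' nesting depth outside string literals
    quote = None        # active string-literal delimiter, if any
    last_close = -1     # offset of the last ']' seen outside a literal
    i = 0
    while i < len(xpath):
        if quote is None and xpath.startswith("<!--", i):
            end = xpath.find("-->", i + 4)
            if end == -1:
                findings.append(f"unterminated comment at offset {i}")
                return findings
            comments.append((i, end + 3, depth))
            i = end + 3                      # skip over the comment body
            continue
        ch = xpath[i]
        if quote is not None:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            last_close = i
        i += 1

    if quote is not None:
        findings.append("unterminated string literal")
    if depth != 0:
        findings.append("unbalanced predicate brackets")
    for start, end, d in comments:
        text = xpath[start:end]
        if d > 0:
            findings.append(f"comment inside predicate at offset {start}: {text}")
        elif start < last_close:
            findings.append(f"comment before the last ']' at offset {start}: {text}")
    return findings


def check_filters(filters):
    """Check a mapping of set/group name -> XPath filter text; return only
    the names that have findings, with their findings."""
    return {name: found for name, text in filters.items()
            if (found := check_filter_comments(text))}


if __name__ == "__main__":
    # Constructed samples: the post's safe and unsafe placements plus a nested one.
    SAMPLES = {
        "safe": "/Person[starts-with(DisplayName,'%')] <!-- Only with DisplayName -->",
        "inside predicate": "/Person[starts-with(DisplayName,'%') <!-- Only with DisplayName --> ]",
        "nested": "/Group[ComputedMember=/Person[Department='x'] <!-- note --> ]",
        "literal only": "/Person[DisplayName = '<!-- not a comment -->']",
    }
    for name, found in check_filters(SAMPLES).items():
        print(name, "->", "; ".join(found))
```

Running the block prints findings only for the "inside predicate" and "nested" samples; the "safe" filter and the one whose only "<!--" is inside a string literal produce none.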

Friday, July 9, 2010

MVP’d again

Thanks to the folks at Microsoft for continuing to recognize my contributions to the world of FIM. I was awarded MVP for the fourth time.

Finding a Binary Value in the Haystack (FIMService Database)

While querying the FIM Service database at the SQL layer is not supported by Microsoft, I had an issue the other day where I couldn’t find which object had a conflicting SID that was preventing the update of another user. I could see in the error detail that it referenced the ObjectSID attribute. So I created this script and replaced the binary value down below with the SID of the object I was looking for.

This SQL script will find any person object that has any binary attribute with this value in it.

USE FIMSERVICE
GO
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
GO
-- person objects that carry a binary attribute value equal to the SID below
select * from fim.Objects where [ObjectKEY] IN (
    select ObjectKey from fim.ObjectValueBinary where ObjectKey in
    (
        -- restrict the search to objects of type person
        select ObjectKey from fim.Objects o
        where o.ObjectTypeKey = (SELECT oti.[key] from fim.ObjectTypeInternal oti where Name = 'person')
    )
    -- replace this value with the binary form of the SID you are looking for
    and ValueBinary = 0x010200000000000916000000C83BFC025A1C2A4F9175596438570000
)

Wednesday, June 30, 2010

Technical Overview Whitepaper on FIM released!

Technical overview whitepaper on FIM 2010 (download)

Brad and I spent many long hours writing this! Glad to see it come out in the long form. Thanks to the product group for the opportunity, and to Brjann, Mark, and Markus for reviewing and editing it.

Ensynch’s Identity Practice -- Finalist for WPC Award

Microsoft has honored the efforts of our Identity and Secure Access Management Practice by making us a finalist for 2010 Partner of the Year, Core Infrastructure Solutions, Server Platform, as a result of our work with FIM, ILM, AD, AD FS and AD CS.

Tuesday, June 29, 2010

Dependent Sync Rules – Disconnection on removal of a dependent Sync Rule

Recently, I discovered that under certain conditions the removal of a dependent sync rule could cause the disconnection of objects in AD or other connected data sources. So I had to investigate the inner workings of dependent Sync Rules to uncover this mystery and fix it.

FIM allows us to create dependent Sync Rules. First let me explain the what and then a little why. Then allow me to explain a bug that I discovered and how to work around it.

A Dependent Sync Rule is an outbound sync rule, or an inbound and outbound sync rule (with only the outbound side working), that depends on and inherits (at the time of creation) from its parent or base sync rule.

A base Sync Rule is one that doesn’t depend on any other sync rule.

A dependent sync rule can depend on another dependent sync rule.

A dependent sync rule cannot be applied to a resource until its parent sync rule has been applied.

When you create a sync rule as a dependent sync rule it inherits a number of attributes from the parent:

image

Let’s break it down:

The resource type is obviously sync rule.

Create External System Resource, Create FIM Resource, and Disconnect External System Resource are all set to false because this is a dependent sync rule. Back in RC 1, Disconnect External System Resource inherited the value of the parent, which leads to the odd behavior I will describe further on in the post. These attributes and their corresponding actions are the province of base sync rules.

Data Flow Direction (1 for outbound or 2 for in and out), External System, External System Resource Type, FIM Resource Type, and Relationship Criteria are inherited from the parent.

Workflow Parameters and persistent flow can be set, as well as the DisplayName and the Description. Initial flow can’t be set, as that is also the province of base sync rules.

Why implement dependent sync rules? To flow additional attributes in a situational fashion, but only if some base sync rule is already applied.

One danger can occur. If you create a base sync rule, set Disconnect External System Resource to true and then change it to a dependent sync rule, the disconnect remains true and you have no way in the UI to change it, since the Scoping and Relationship tabs are hidden for dependent sync rules. So the bug is either that you can’t change it in the UI, or that the UI or service should be changing it to false when the rule becomes dependent.

If this setting is true then it might disconnect the resource when the dependent sync rule is removed.

This can also happen if you load a sync rule through the web service as dependent and set Disconnect External System Resource to true.

How did it get this way? Well, if you were an RDP or TAP customer, had RC 1 and then upgraded your FIM Service database, it could be that way. Or if you exported the FIM sync rule from one system where it was like that and then loaded it into another, it would load in with the setting set to true.

How to find out if you have this?

Assuming you have already imported and sync’d from the FIM MA, then in the Sync Service Manager go to Metaverse Search. Search for sync rules, specifically those with DisconnectConnectedSystemObject set to true and a dependency present. If anything turns up then you have this issue.

To solve it you can use the UI or the PowerShell script below against the web service.

To use the UI, open the dependent sync rule, change it to not have a dependency, and then change it back to depend on the one that it had before. That seems to tell the UI to set Disconnect External System Resource to false.

Initially your dependent sync rule looks like this:

image

So change it to look like this (but don’t click OK and submit – not yet anyway):

image

Then change it back:

image

Then click OK and you should see this and nothing else getting changed:

image

Then click Submit.

Or use PowerShell; on your next import and sync from FIM your sync rule will be fixed.

. C:\FIMTasks\FIMHelper\FIMPowerShell.ps1
# includes the helper functions from: http://technet.microsoft.com/en-us/library/ff720152(WS.10).aspx
# and the GenerateFilter from http://technet.microsoft.com/en-us/library/ff720142(WS.10).aspx
# and GetAttributeValueFromResource from http://technet.microsoft.com/en-us/library/ff720158(WS.10).aspx
# take the above helper functions and create a file called FIMPowerShell.ps1 and put them in it

# Purpose of this script is to identify sync rules with dependencies
# where the DisconnectConnectedSystemObject=true and set it to false
# step 1 find sync rules with dependencies and DisconnectConnectedSystemObject=true
# step 2 modify the DisconnectConnectedSystemObject=false for each of these
# step 3 commit to FIM

function QueryResourceOnlyBase
{
    PARAM($Filter, $Uri = $DefaultUri)
    END
    {
        # -OnlyBaseResources returns just the objects matching the filter, not everything they reference
        $resources = Export-FIMConfig -CustomConfig $Filter -Uri $Uri -OnlyBaseResources
        $resources
    }
}

# step 1 find sync rules with dependencies and DisconnectConnectedSystemObject=true
$Uri = "http://localhost:5725/ResourceManagementService"
$query = "/SynchronizationRule[DisconnectConnectedSystemObject=true and Dependency = /SynchronizationRule]"
# wrap in @() so .Count works even when zero or one rule comes back
$exportedSyncRules = @(QueryResourceOnlyBase -Filter $query -Uri $Uri)
Write-Host ("The script has exported " + $exportedSyncRules.Count + " sync rules based on the filter: " + $query)

# step 2 modify the DisconnectConnectedSystemObject=false for each of these
$importList = @()
foreach ($syncRule in $exportedSyncRules)
{
    # ModifyImportObject and SetSingleValue come from the helper functions dot-sourced above
    $importObject = ModifyImportObject $syncRule.ResourceManagementObject.ObjectIdentifier "SynchronizationRule"
    SetSingleValue $importObject "DisconnectConnectedSystemObject" "false" 1
    $importList += $importObject
}

# step 3 commit to FIM
if ($importList.Count -gt 0)
{
    # Import-FIMConfig hands back the import objects it could not apply
    $undoneChanges = @($importList | Import-FIMConfig -Uri $Uri)
    # Use the ConvertFrom-FIMResource cmdlet to write the contents of $undoneChanges to the file "undone.xml".
    if ($undoneChanges.Count -gt 0)
    {
        Write-Host ("There are " + $undoneChanges.Count + " sync rules that failed to update")
        Write-Host "The undone imports are written to undone.xml"
        $undoneChanges | ConvertFrom-FIMResource -file undone.xml
    }
    Write-Host "Import complete"
}
else
{
    Write-Host "Nothing to import"
}

Sunday, June 13, 2010

Object reference not set to an instance of an object

Lessons learned:

1) Run the Do a FIM MA account configuration quick test script.

2) Always refresh the schema of the FIM MA using the real FIM MA Service Account which we usually call svc-FIMMA.

Scenario:

You have just modified the schema of the FIM Service by creating a new Boolean attribute and have bound it to the user resource type. You refresh the FIM schema, select the new attribute, and set up a direct export attribute flow from the corresponding Boolean metaverse attribute to the FIM MA attribute. You sync, the only pending export is to this attribute, and then when you run the export to the FIM MA you get:

failed-modification-via-web-services

Then when you click on details:

There is an error executing a web service object modification request.
Type: System.NullReferenceException

Message: Object reference not set to an instance of an object.

Stack Trace:    at MIIS.ManagementAgent.RavenMA.DoAttributeLevelExport(DataSourceObject dsObject, String objClass, UninitializedResource resource)
   at MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)
   at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)

Inner Exception:

I have encountered this twice and Brad once. The first time (1 month ago) I discovered that the FIM MA was set to use the svc-fimws user account (these are the credentials used to run the FIM Service) instead of svc-fimma (the account that actually belongs to the Synchronization Engine set and therefore has all of the permissions to modify objects in the portal, bypasses the authn and authz workflows, and is sometimes referred to as the Built-in Synchronization account). So I changed the FIM MA to use the svc-fimma account and, when prompted, clicked Yes to Refresh Schema. The Do a FIM MA account configuration quick test script had told me that the two weren’t the same (go FIM Scriptbox!).

Which means that when I ran the refresh schema the first time it was under the svc-fimws account, not the svc-fimma account.

The second time we refreshed the schema using the credentials of an admin user as opposed to the svc-fimma credentials. I tried refreshing the schema with the svc-fimma account, but of course it said no changes. I tried stopping and starting all of the services. I turned on message logging (this isn’t even sending messages; it is dying on the MA without even talking to the web service). So after carefully studying my memory (foolish me, I didn’t blog it or make a note) and the request history on the other system, I remembered what the root problem and solution had been. But I had already checked whether the MA was using the true Built-in Synchronization Account using the Do a FIM MA account configuration quick test script. So then I thought, what if I create the exact same problem I had last time and then fix it? So I changed the FIM MA to use an admin user account and, when prompted, clicked Yes to Refresh Schema. Then I changed the FIM MA to use the svc-fimma account and, when prompted, clicked Yes to Refresh Schema. Then my export worked!

Lessons learned:

1) Run the Do a FIM MA account configuration quick test script.

2) Always refresh the schema of the FIM MA using the real FIM MA Service Account which we usually call svc-FIMMA. (Anyone from Microsoft want to give an official statement of best practice on that?)

I plan to repro this in a test environment to ensure this is the problem.

Thursday, June 10, 2010

FIM Sets, XPATH, finding nulls with Strings

A little while ago I encountered some rather strange behavior of a Set vs. the XPATH query in FIM 2010.

Using Export-FIMConfig with the -OnlyBaseResources and -CustomConfig switches, I run the following query to see if there are any users without a DisplayName:

/Person[not(starts-with(DisplayName,''))]

It showed 20.

So then I created a set, called “~ People with no displayname”, with that as the custom filter. I checked that it doesn't violate any of the limitations listed in the Business Policy Modeling doc (which I must say is a pretty good doc).

Then when I look at the Set and click View Members on the Criteria tab it shows 20 users. So far so good.

But when I go to Search for users with Resource ID in “~ People with no displayname” it shows me over 10,000.

Indeed, using the cmdlet to run this query I get over 10,000:

/Person[ObjectID=/Set[DisplayName='~ People with no displayname']/ComputedMember]

Jeremy made a suggestion:

/Person[not(starts-with(DisplayName,'%'))]  

Sure enough it works both as the SET filter and as the XPATH query and showed 20 records.

So to test a string for null, use:

not(starts-with(Attribute,'%'))

in the XPATH predicate.

Why does this work?

The starts-with function works just like the LIKE operator in T-SQL with an implied % at the end. not(starts-with()) does a NOT LIKE '%' with the implied %. Since % will match anything as long as it is not null, this effectively tests for null.

All of the wildcards available in the LIKE operator work.

I have tested it using the single wildcard character _ as well as ranges like [a-c] and other more complex patterns.

This also means that you can effectively do a contains in a set or group filter by doing:

starts-with(attribute,'%searchvalue')

That’s right, just prefix your searchvalue with % and what happens behind the scenes is a LIKE '%searchvalue%', which will find searchvalue anywhere in the string.

Warning about View Members on a set (possibly groups too)

Apparently when I click View Members on the Set’s Criteria tab it runs the XPATH query right then. But when you save the set with its new filter it runs the query in a slightly different fashion: it first persists the set criteria to the database, then reloads the criteria, runs the query, and persists the membership results in the database to speed up lookups. (Naturally, the penalty is that every create, delete, modify, add and remove request requires each set to be examined for impact and possible recalculation.) So when you use the filter /Person[not(starts-with(DisplayName, '%'))] it stores that piece of the criteria as the literal string %% and the operator as LIKE. But when you use /Person[not(starts-with(DisplayName, ''))] it seems to delete that piece of the criteria, effectively making it a set of all Persons. If you are implementing a ROPU (pronounced Rope You – Run on Policy Update) enabled workflow and this kind of thing happens to you, it can mean that a workflow is being applied to 10,000 objects instead of 20.

Wednesday, June 9, 2010

Accelerate Your Business Now with Identity Management & Single-Sign-On (SSO)

  • Jun 10, 2010

    1:00 p.m. Eastern / 10:00 a.m. Pacific (60 minutes)

  • To Register follow this link

  • Featured Speakers

    Christopher Yeich - Editor, Strategic Content - Ziff Davis Enterprise

    David Lundell - Identity Management Practice Director, Ensynch | Microsoft Identity Management MVP

    Jonathan Sander - IAM and Security Analyst - Quest Software

    Has your business experienced identity theft, with unauthorized access to your systems, data, and/or trade secrets?
    Have you lost business because your customers and/or employees didn’t have access when needed?
    How much time have you wasted in producing compliance/regulatory reports for various auditors?

    These are all real-life situations that business and IT leaders like you are experiencing every day. Breaches lead to millions—sometimes billions—in lost monies every year. Additionally, there's also confusion, frustration, and lost productivity that organizations deal with every day as they fight to manage appropriate access to information and tools that employees, business partners, and customers actually need.
    Join Microsoft Identity MVP David Lundell of Ensynch, and Jonathan Sander, IAM and Security Analyst of Quest Software, for a candid presentation that uncovers ways you can protect and accelerate your business—as well as save money—with identity and secure access management (ISAM).
    Topics of discussion will include:

    • Business Goals of Identity Management
    • Methods for Achieving Identity Management Business Goals
    • Business Value of Single-Sign-On (SSO) and Federation and Overview of Business Ready SSO and Federation Solutions
    • Business Value of Identity and Secure Access Management
      - Value of Automating Identity Management
        - Overview of Business Ready Identity Management Solutions: Quest One ARS and Forefront Identity Manager 2010
      - Value of Strong Authentication
        - Overview of Business Ready Strong Authentication Solution: Quest Defender
    • Real-Life Case Studies
    • How an Identity + SSO Business Accelerator Assessment can help uncover the right solutions for your organization that will solve a variety of business problems
  • Sponsored By

    Ensynch

    Quest Software

To Register follow this link

Tuesday, June 1, 2010

Searching an entire database for a Guid or Unique Identifier

Searching an entire database for a Guid or Unique Identifier can be a bit of a tricky proposition. However, with a little bit of T-SQL to generate T-SQL, voilà:

DECLARE @GuidHunted nvarchar(60)
SET @GuidHunted = '0A24EC0C-65EE-4519-89DF-ABD3DD24F7EF'

-- Build one "SELECT ... count(*)" per uniqueidentifier column; names are bracketed in case they contain spaces
SELECT *, 'UNION ALL SELECT ''' + s.name + '.' + ao.name + ''', count(*) FROM '
    + '[' + s.name + '].[' + ao.name + '] WHERE [' + ac.name + '] = ''' + @GuidHunted + ''''
FROM sys.all_columns ac
JOIN sys.all_objects ao
    ON ac.[object_id] = ao.[object_id]
JOIN sys.schemas s
    ON ao.[schema_id] = s.[schema_id]
WHERE ac.user_type_id = 36 -- UniqueIdentifier
  AND s.name != 'sys'

Here is the output result for a fictional database (just copy the results into a new query window, delete the first UNION ALL and execute).

UNION ALL SELECT 'myschema.Objects' , count(*) FROM myschema.Objects WHERE ObjectID = '0A24EC0C-65EE-4519-89DF-ABD3DD24F7EF'

UNION ALL SELECT 'myschema.Objects2' , count(*) FROM myschema.Objects2 WHERE ObjectID = '0A24EC0C-65EE-4519-89DF-ABD3DD24F7EF'

This assumes that programmers weren’t storing GUIDs in nvarchar types and that they didn’t create other user-defined types based on uniqueidentifier.
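As an added example (not from the original post), here is a version of the generator that also covers the two cases the caveat above leaves out: columns declared with a user-defined alias type built on uniqueidentifier (matched on system_type_id rather than user_type_id) and varchar/nvarchar columns wide enough to hold a GUID as text. It also limits itself to user tables and views, quotes every identifier, and numbers the rows so that the first one carries no leading UNION ALL to delete. The GUID is a constructed sample value.

```sql
DECLARE @GuidHunted nvarchar(60);
SET @GuidHunted = '0A24EC0C-65EE-4519-89DF-ABD3DD24F7EF';   -- constructed sample value

WITH candidate_columns AS (
    SELECT s.name  AS schema_name,
           ao.name AS object_name,
           ac.name AS column_name,
           ROW_NUMBER() OVER (ORDER BY s.name, ao.name, ac.name) AS rn
    FROM sys.all_columns ac
    JOIN sys.all_objects ao ON ac.[object_id] = ao.[object_id]
    JOIN sys.schemas s      ON ao.[schema_id] = s.[schema_id]
    WHERE ao.type IN ('U', 'V')          -- user tables and views only; functions cannot be queried this way
      AND ao.is_ms_shipped = 0           -- skips sys and INFORMATION_SCHEMA objects
      AND (
            ac.system_type_id = 36       -- uniqueidentifier, including alias types built on it
         OR (ac.system_type_id IN (167, 231)                    -- varchar / nvarchar
             AND (ac.max_length = -1 OR ac.max_length >= 36))   -- max_length is in bytes, so this is a loose lower bound
          )
)
SELECT CASE WHEN rn = 1 THEN '' ELSE 'UNION ALL ' END
     + 'SELECT ''' + schema_name + '.' + object_name + '.' + column_name + ''' AS location, COUNT(*) AS hits FROM '
     + QUOTENAME(schema_name) + '.' + QUOTENAME(object_name)
     + ' WHERE ' + QUOTENAME(column_name) + ' = ''' + @GuidHunted + ''''
       AS generated_sql
FROM candidate_columns
ORDER BY rn;
```

Copy the generated_sql column into a new query window and run it as one batch; any row with a nonzero hits count names the table and column holding the GUID.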

Thursday, May 20, 2010

Restoring your FIM databases to the moment before oops

At the FIM Birds of a Feather (BOF) after a discussion about FIM database backups I was asked to make a blog post to more fully elucidate the benefits of using the full recovery model.

Since recovery models affect the transaction log, you may find it useful to have the following background about transaction logs:

  • The data in tables and indexes is stored in data files, not in the transaction log
  • The transaction log (T-Log) is like a court stenographer, serially noting down everything that took place without sorting or cataloging
  • This gives SQL Server reliability, recoverability and speed, because as data changes happen they are applied to the data pages loaded into RAM and to the T-Log on disk (done in a quick serial fashion)
  • Upon checkpoint (approx. once a minute) changed pages are written to the data files

The first thing to note is that there are three recovery models for SQL databases, but you will find yourself choosing between Full and Simple, as Bulk-Logged is one that is used temporarily.

image

There are also 3 backup types:

image

If you are in Simple you cannot back up the log.

If you are in Full you must back up the log, because after your first full backup the log will begin to fill up and will not empty itself (truncate) until you perform a log backup or switch the database to Simple.

The benefit of being in Full is that you can then restore your databases to a moment in time.
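As an added check (not from the original post), this query shows where the two FIM databases stand before you ever need a point-in-time restore: their recovery model, what the log is currently waiting on, and the last full and log backup recorded in msdb. It assumes the default database names FIMService and FIMSynchronizationService.

```sql
-- Recovery model and backup history for the FIM databases (assumes the default names)
SELECT d.name                AS database_name,
       d.recovery_model_desc AS recovery_model,   -- FULL is required for a point-in-time restore
       d.log_reuse_wait_desc AS log_waiting_on,   -- LOG_BACKUP means the log keeps growing until a log backup runs
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup
FROM sys.databases d
LEFT JOIN msdb.dbo.backupset b ON b.database_name = d.name
WHERE d.name IN ('FIMService', 'FIMSynchronizationService')
GROUP BY d.name, d.recovery_model_desc, d.log_reuse_wait_desc;

-- Moving a database from Simple to Full: the log chain only starts with the next full backup,
-- so take one right away (WITH INIT overwrites the file), then schedule log backups or the log will never truncate.
ALTER DATABASE FIMService SET RECOVERY FULL;
BACKUP DATABASE FIMService TO DISK = 'c:\sqlbackups\FIMService_full.bak' WITH INIT, STATS = 10;
```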

So let’s say that you are doing a long-running initial load process into the FIM Service database, or you have just finished and begun something new, and to your horror you realize that you just imported from a test system into production FIM. Or you were moving over config from test to prod and it goofed up. Well, back in the ILM days you could clear your connector spaces and reload. You can do that today, although I was told that you shouldn’t ever clear the FIM MA connector space. Additionally, reloading data into the FIM Service can be quite time consuming.

So it can be much more productive to restore the affected database right up to the moment before the disaster. You may need to restore both databases to the same moment, or only one may be affected. I will illustrate with one.

The first step is to confirm the time at which you want to stop by examining the request history in the FIM Service or in the Synchronization Service Manager.

Next stop the appropriate Services.

From here on this is a SQL script, and all directions are prefaced with double dashes to make them comments in T-SQL.

-- Perform a log backup with no truncate; some refer to this as an emergency log backup or backing up the tail of the log
BACKUP LOG FIMService TO DISK = 'c:\sqlbackups\FIMService_taillog.bak' WITH NO_TRUNCATE, NORECOVERY

-- Next restore your latest full backup (you will need to ensure that no one is connected to the database)
RESTORE DATABASE FIMService FROM DISK = 'c:\sqlbackups\FIMService_full.bak' WITH NORECOVERY, STATS = 10
-- The NORECOVERY option tells SQL that you have more to restore and not to make the database available yet

-- Then restore all of the intervening transaction log backups in order since the full backup, leading up to but not including the log backup with no truncate
RESTORE LOG FIMService FROM DISK = 'c:\sqlbackups\FIMService_log1.bak' WITH NORECOVERY, STATS = 10
-- You will need to repeat the above command for every transaction log backup since the full but not including the tail
-- STOPAT may also be given on every RESTORE LOG; a log backup that ends before the stop time is simply applied in full

-- Finally restore the tail, and here is the magic
RESTORE LOG FIMService FROM DISK = 'c:\sqlbackups\FIMService_taillog.bak' WITH NORECOVERY, STATS = 10, STOPAT = 'Mar 15, 2010 12:15:23 AM'
RESTORE DATABASE FIMService WITH RECOVERY

-- Then restart the appropriate services

Tuesday, May 18, 2010

ADFS v.2 shipped

Active Directory Federation Services v2 Ships!

This is awesome stuff – with ADFS v2 we can help you set up SSO with your SaaS vendors.

image

Here is an example that has been rendered generic.

ADFS 2.0 supports SAML 2.0 (the idp lite profile and rdp lite profile), which opens up many federation doors, and WIF allows us to write custom security token services (STS) just in case the idp lite and rdp lite profile support isn’t up to handling the interaction.

TEC Decks Posted!

If you attended TEC you can now get the slide decks by registering on TheExpertsCommunity.com and accessing the following item: TEC 2010 Conference Materials Have Been Posted!

You can find my sessions here:

http://theexpertscommunity.com/item/list/type/session/meta_expert_tag/speaker%3Adavidlundell

Session: Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS
Without proper care and feeding of your databases (FIM Meta Directory Services, FIM Certificate Services, FIM Web Service, RM... continue reading "Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS"

Session: FIM 2010 Performance Tuning (SQL and more)
Learn how to tune FIM 2010 to make it scream. Take a look at the various architectures and what they buy you. Learn how cruci... continue reading "FIM 2010 Performance Tuning (SQL and more)"

Brad’s sessions are here:

http://theexpertscommunity.com/item/view/type/expert/id/1760

  • Applying Policy Retroactively with FIM 2010
    Abstract not available. ...
  • Using DFS and GPO in ILM High Availability Scenarios
    This presentation will demonstrate how ILM Architects, Engineers, and Administrators can leverage Active Directory Distributed File System (DFS) to replicate solution content between the primary ILM server and the warm-standby server as well as...

Joe Zamora:

  • Custom Workflow Development in FIM 2010
    Get an in-depth look at the extensibility of Forefront Identity Manager 2010 through the use of custom workflow development. Although FIM 2010 includes a new “codeless provisioning” feature set, you’ll find that you can’...

Other Ensynch Presentations:

  • Federated SSO Solutions Using SharePoint 2010
    In the world of on premise and hosted “cloud based” solutions, how can you best simplify your coexistence strategy? Attend this session presented by Ensynch’s Identity Management and SharePoint teams to see how the combined kn...
  • Building Exchange 2010, Managing and Integrating with Exchange Online via Microsoft Business Productivity Online Services (BPOS)
    Microsoft Exchange 2010 is available both as on-premise software and as a hosted service, and you can now choose the right deployment option for your organization, whether you deploy Exchange Server on-premises, host your mailboxes with Exchange Onli...
Monday, May 17, 2010

TEC 2010 -- Results

TEC 2010 was a blast. In the Kickoff Gil Kirkpatrick issued several challenges including one to Brad Turner to simulate the workings of the FIM Sync Engine. Eventually we expect to see a video of the final presentation posted to YouTube. In the interim Brad has some nice pictures posted: TEC 2010 – Annual Wook Lee Memorial Challenge for Identity Results

I attended Craig Martin’s session “Automate FIM deployment with Powershell” and learned a few things about the FIM Powershell commandlets.

Next I split my time between Joe Zamora’s session on Custom Workflow in FIM 2010 and Gil and Jeremy’s session on Reporting in FIM 2010. (I had swapped my session time on Monday with Joe’s Wednesday time as I was worried that the Icelandic Volcanic Ash cloud was going to keep me from getting there on Monday – but it didn’t). I enjoyed both. I am afraid my late arrival in Gil and Jeremy’s session caused a bit of a stir as they were discussing some of their SQLXML tricks and Jeremy told everyone that wanted to know more about it to ask me (as I am looking at their stuff for the first time). I think Gil and Jeremy had a great presentation with a fascinating proof of concept. I heartily endorse their statements regarding this not being a production ready setup but I love what they showed.

Other concerns caused me to miss the rest of the afternoon. The Quest Hospitality Suite was nice.

Tuesday morning I put the finishing touches on my presentations and then attended Jack Kabat’s session on Deploying FIM, he provided some good advice on how to handle the initial load scenario.

After lunch I presented on Care and Feeding of Databases. I had quite a wide range of attendees. Some were interested in the SharePoint databases others in OCS and of course the majority for FIM Service and Sync. There were also a few who needed to know about FIM CM. I did also show a few photos from my recent trip to Prague including my evidence of elven habitation (they had their own check in kiosk at the Prague Airport).

That night we (Ensynch) had a great party at the ESPN Zone watching the Lakers eliminate the Oklahoma City Thunder. We rented out the Championship Lounge which is above the rest of the facility and feels like a skybox, including big windows out which you can see the big screen at the Bar. We were 100 yards away from the Staples center so after the game we had to fend off some game attendees intent on crashing our party.

Wednesday morning I presented on FIM Performance tuning and talked about the performance improvements that are possible. Then Brad spoke about using ROPU (Run On Policy Update, which we pronounce Rope You, because it ropes you into doing more things) and its power.

If you want access to the slides and videos etc you need to register on www.theexpertscommunity.com

Friday, April 23, 2010

Escape from Prague – Good to go for TEC

I went to Prague for a project intending to stay one week, but unfortunately I was delayed an additional week (volcanic ash cloud from Iceland – reread the news if you missed it). While Prague is a beautiful city and I met many wonderful people, the uncertainty of when I would be able to get home weighed heavily on me. I was worried about being separated from my family for weeks? months? More importantly ;) I was worried about getting back for The Experts Conference!

Well I have made good my escape! I am back home and will be heading to TEC! Hope to see you there!

BTW, Joe Zamora and I traded speaking slots (I was afraid I wasn’t going to arrive at TEC before Tuesday). No worries now, but we are keeping the schedule change. Joe will speak Monday after lunch and I will speak both Tue after lunch and then Wed at 8 AM.

Thursday, April 8, 2010

FIM 2010 Technical Overview Published – short version

Microsoft has published a short version of the FIM Technical Overview whitepaper written by David Lundell (me), Brad Turner, Chris Calderon and Joe Zamora. The longer version will come out a bit later. Short version, long version makes me feel kind of like I am figure skating in the Olympics. Thank you to Brjann Brekkan, Mark Wahl, Joe Schulman, Darryl Russi, Jack Kabat and Andreas Kjellman for their support, editing, elucidations on blogs and encouragement on this paper.

Microsoft has also released the updated FIM documentation for RTM. Congrats to Dave Kreitler, Markus, Brad Benefield and the rest of the documentation team!

I love the capacity planning guide section as well as the section Expected State Detection (formerly Object State Detection, and also referred to as Existence Test, Detected Rules Entry, Detected Rules List).

Fellow FIM Bots, Fellow FIMers, Fellow FIMians, Fellow FIMsters! Enjoy!

Thursday, March 25, 2010

FIM Pitfall for old ILM hands

In the days of MIIS 2003 and ILM 2007 we usually wrote our provisioning code to provision a new AD account only when the particular metaverse object didn’t already have any connectors in the AD connector space. With FIM your outbound synchronization rule is quite happy to provision another AD account if the existing one it is joined to doesn’t meet the relationship criteria. So I have usually been in the habit of not worrying about extraneous provisioning if I already had an account connected to that metaverse object.

Well a few days ago I learned that old habits die hard. Fortunately, only 7 duplicate accounts were created and only in the connector space as pending exports of type add. So they were easily dealt with. Nonetheless, it just reminded me that when technology changes sometimes your old instincts can betray you.

On another note: in writing this post I felt a bit like my friend and former co-worker, Craig Martin, who in his very humorous TEC speaker bio wrote:

Craig Martin speaks in the third person when writing his own brief biography … spending countless hours weeding out issues in his lab environments learning CLM lessons the hard way in order to beat his chest in triumph and share his scars as lessons in a self-deprecating manner.

Man what a crack up. Of course his bio shows up right after mine on the speakers bio page! Gosh don’t I feel a bit pompous with the contrast as I list off all of my accomplishments dating back to grade school. Oh, I forgot to mention in my bio that I won 1st place in the Gilroy Unified School District Math Contest when I was in 4th grade! That treasured trophy was kept in a cardboard box for many years until one day my then six year old son asked if I ever earned any trophies – and it has endured several repair jobs since my son got his hands on it. Well I suppose, I just wanted to let people know that I have some cool things to share this TEC and hope you come along to hear them.

I also encourage everyone to attend Craig’s session (hopefully he won’t lose his voice this year), of course if you attend Brad Turner’s session right beforehand you won’t even have to change rooms!

    Wednesday, March 17, 2010

    Register for TEC 2010 – hope to see you there

     banner-im-speakingsponsor-ensynch

    Register using this code to get a discount: ATESENSYNC

    TEC 2010 – Speaking and Sponsoring

    I am super excited about speaking at The Experts Conference 2010 (I also spoke at Directory Experts in ‘07, and ‘08 as well as last year’s The Experts Conference). banner-im-speakingsponsor-ensynch

    Register using this code to get a discount: ATESENSYNC

    Once more Ensynch is sponsoring TEC but this year we are a gold sponsor for TEC 2010.

    Here is the lineup of Ensynch Speakers at The Experts Conference (also see Brad Turner’s take on our new speakers)

    Track | Speaker | Topic | Date
    Exchange – Pre-conference workshop | Justin Hiedeman | Exchange 2010 Migration to Microsoft Exchange Online: Hands-on Workshop | Sunday April 25th, 1pm-5pm
    Directory & Identity | David Lundell | FIM 2010 Performance Tuning (SQL and more) | Monday April 26th, 1:00 pm
    Directory & Identity | Brad Turner | Using DFS and GPO in ILM High Availability Scenarios | Monday April 26th, 2:15 pm
    Directory & Identity and SharePoint | Chris Calderon and Jeff Holliday | Federated SSO Solutions Using SharePoint 2010 | Tuesday April 27th, 9:45 am
    Directory & Identity | David Lundell | Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS | Tuesday April 27th, 1:30 pm
    Directory & Identity | Joe Zamora | Custom Workflow Development in FIM 2010 | Wednesday April 28th, 8:00 am
    Directory & Identity | Brad Turner | Practical Converged Physical and Logical Access Control | Wednesday April 28th, 9:45 am


    Tuesday, March 9, 2010

    FIM Technet Webcasts

    The FIM product group has some great webcasts coming up on TechNet.

    Forefront Identity Manager 2010 has RTM'ed

    The first webcast uses many of the slides that I created as part of our engagement to write the FIM 2010 Technical Overview Whitepaper (due out soon). Anyhow, it makes me feel cool.


    3/9/2010 6 PM Pacific time - TechNet Webcast: Forefront Identity Manager 2010: Technical Overview and Deployment (Level 300)

    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444011&Culture=en-US

    3/18/2010 - TechNet Webcast: Forefront Identity Manager 2010: Monitoring and Troubleshooting FIM in Production (Level 300)

    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444015&Culture=en-US

    3/30/2010 - TechNet Webcast: Forefront Identity Manager 2010: Deploying FIM (Level 300)

    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444017&Culture=en-US

    4/5/2010 - TechNet Webcast: Forefront Identity Manager 2010: Extending FIM (Level 300)

    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444019&Culture=en-US

    Tuesday, March 2, 2010

    FIM 2010 RTM Today!

    Today, March 2, at the RSA conference Microsoft announced the release to manufacturing of Forefront Identity Manager 2010 (FIM, formerly codenamed ILM “2”) with General Availability starting next month.

    Download the eval here:

    Microsoft® Forefront™ Identity Manager 2010 Evaluation Version

    Yeah!

    FIM gives us capabilities for user provisioning (and deprovisioning), group management, self-service password reset, password synchronization, workflows with approvals, and user profile self-service management, accomplishing these through declarative provisioning. Yet FIM retains an incredible set of extensibility points: customization of the Portal and of the object schema, management agents for new systems, custom workflows, and custom clients for the FIM web service.


    According to the release notes there are some nice new enhancements:

    • You can now have explicit members in a set that has a defined filter (so a set can have both dynamic members based on the filter and explicitly added members).
    • Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials.

    In addition to the enhancements found in RC 1 and its Update 1, Update 2 and Update 3 (Brad’s take on Update 3):

    • Adds support for SQL Server Failover Clusters for High Availability
    • New type of MPR (Set Transition vs. Request based)
    • Adds support for taking database backups without stopping the FIM Service
    • New supported platforms for FIM Certificate Management
      • Windows Server 2008 R2
      • Windows Server Datacenter edition
    • Added support for Exchange 2010 for the following scenarios:
      • FIM Synchronization Service support for the Active Directory Management Agent and GAL Management Agent
      • The FIM Service sending and receiving mail
      • Outlook 2007 on Exchange 2010 sending approvals and group membership requests
    • You can now copy and paste a vertical list from Excel into the Resource Picker input box. This is especially useful for bulk Adds.
    • The UOC text box now lets you check uniqueness using a custom XPath statement that you provide.
    • The FIMMA will now store error messages with the operation during export, so you no longer have to look in the FIMService event log to see the errors.
    • You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code was still needed alongside declarative provisioning.
    • Added two new declarative provisioning functions:
      • Null – this Synchronization Rule should not contribute a value (to support not flowing values to disabled accounts)
      • ReplaceString – find and replace a substring in another string
    • Added support for Exchange 14 mailbox provisioning

    Monday, February 1, 2010

    Final Update for FIM RC1 released

    On Friday the product group released Update 3 for Forefront Identity Manager 2010 RC1, available through Connect:

    https://connect.microsoft.com/site433/Downloads

    Major changes as part of Update 3 (my regurgitation and comments from the release notes):

    • Fewer trips to the FIM Service event log – since the FIM MA export errors will now show up in the Synchronization Service Manager! Hallelujah!
    • Less need for custom old-style code
      • Now more than 1 MA can be authoritative for deleting an object (resource)
      • New functions for Sync Rules (Declarative Provisioning) – I guess I will have to update my function cheatsheet
        • Null – not certain what they mean by this – null out the value or let another sync rule provide the value.
        • ReplaceString
    • New type of MPR – Set Transition MPRs vs. request-based MPRs
      • Run on Policy Update only applies to this type
      • All other MPRs are request-based MPRs
      • This should ease some of the difficulty in wrapping heads around MPRs.
    • DBAs will love these:
      • Backups without stopping the FIM Service are now supported!
      • SQL Failover Clusters are now supported! (I don’t know if this means that clustering the Synchronization Service is supported)
    • Prereqs have changed
      • Server Components
        • Windows Installer 4.5 is required
      • FIM Service requires SQL 2008 SP 1
      • The add-in for Outlook now needs Outlook 2007 SP 2


    Even the certificate management side got some improvements: Windows Server 2008 R2 is now a supported platform.


    Also check out Brad’s post on the SP3 for MIIS or an update to ILM 2007 FP 1.