Sunday, December 2, 2012

Revisiting GUIDs, Octets and Base64

After re-reading my earlier post on this subject I decided I could be clearer.

GUIDs are often used in three different formats:

Representation     Example
Canonical form     8c4ac332-975f-4717-ad7b-ba4a4e968fff
Octet String       32c34a8c5f971747ad7bba4a4e968fff
Base64 Encoded     MsNKjF+XF0ete7pKTpaP/w==

Canonical form
  Comment: This format stems from the way GUIDs (UUIDs) are generated, with a dash separating each of the components. In version one of the UUID specification, the last component was the MAC address of the computer that generated the GUID.
  Used in: Most places

Octet String
  Comment: This shows the GUID in little-endian byte order. In essence the first three groups had their bytes listed in reversed order and the dashes removed; the last two groups did not get switched. So 8c4ac332 became 32c34a8c, 975f became 5f97 and 4717 became 1747, while the last two components remained the same.
  Used in: ADSI Edit when changing certain attributes like attributeSecurityGUID, which is used for assigning permissions to attributes

Base64 Encoded
  Comment: This is the Base64 encoding of the octet string and is the most compact of the three forms (depending on the padding, GUIDs in Base64 are 22 to 24 characters in length).
  Used in: LDIF files for all GUID attributes (at least all of them that I recall)

 

PowerShell Code Snippets
To Generate a new GUID (with a new random number)
Code:
[system.guid]::newguid()
Output (your output should vary. If it doesn't, call me and we can explore other mathematical improbabilities together, like the winning lottery numbers -- actually I don't play and neither should you):
8c4ac332-975f-4717-ad7b-ba4a4e968fff
To Convert from the canonical form to Octet String (for ADSI Edit for some attributes)
Code (put your GUID inside the parenthesis replacing mine):
[System.String]::Join('',(( new-object system.guid('8c4ac332-975f-4717-ad7b-ba4a4e968fff') ).ToByteArray() | ForEach-Object { $_.ToString('x2') } ) )
Output:
32c34a8c5f971747ad7bba4a4e968fff
To Convert from the canonical form to Base64 Encoded (for use in LDIF files)
Code:
[System.Convert]::ToBase64String((new-Object system.Guid("8c4ac332-975f-4717-ad7b-ba4a4e968fff")).ToByteArray())
Output:
MsNKjF+XF0ete7pKTpaP/w==
To Convert from Base64 Encoded to Canonical form
Code:
new-Object -TypeName System.Guid -ArgumentList (,([System.Convert]::FromBase64String("MsNKjF+XF0ete7pKTpaP/w==")))
Output:
8c4ac332-975f-4717-ad7b-ba4a4e968fff
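As an added example that is not part of the original post, here are the same three conversions in Python. uuid.UUID.bytes_le produces the byte order that .NET Guid.ToByteArray() does (first three fields little-endian), which is the order AD stores; the LDAP search filter helper and the RFC 4122 big-endian contrast go beyond the post.

```python
# Added example (not from the original post): canonical, octet string and
# Base64 forms of a GUID in Python. uuid.UUID.bytes_le matches the byte order
# of .NET Guid.ToByteArray(): time_low, time_mid and time_hi_version are
# little-endian, the last two groups are untouched. uuid.UUID.bytes (RFC 4122
# big-endian order) is NOT what AD stores and would give a different value.
import base64
import uuid

CANONICAL = "8c4ac332-975f-4717-ad7b-ba4a4e968fff"  # the post's sample GUID


def canonical_to_octet(canonical: str) -> str:
    """Canonical form -> octet string, as ADSI Edit shows it."""
    return uuid.UUID(canonical).bytes_le.hex()


def canonical_to_base64(canonical: str) -> str:
    """Canonical form -> Base64 of the little-endian bytes (the LDIF form)."""
    return base64.b64encode(uuid.UUID(canonical).bytes_le).decode("ascii")


def octet_to_canonical(octet: str) -> str:
    """Octet string (32 hex digits) -> canonical form."""
    raw = bytes.fromhex(octet)
    if len(raw) != 16:
        raise ValueError(f"a GUID is 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def base64_to_canonical(b64: str) -> str:
    """Base64 -> canonical form; accepts the 22-character unpadded form
    as well as the padded 24-character form mentioned in the post."""
    padded = b64 + "=" * (-len(b64) % 4)
    raw = base64.b64decode(padded, validate=True)
    if len(raw) != 16:
        raise ValueError(f"a GUID is 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def rfc4122_octet(canonical: str) -> str:
    """The big-endian (RFC 4122) byte order, for contrast only: not AD's order."""
    return uuid.UUID(canonical).bytes.hex()


def ldap_filter_for_guid(canonical: str, attribute: str = "objectGUID") -> str:
    """Beyond the post: an LDAP search filter for a binary GUID attribute,
    each byte escaped as \\XX per RFC 4515, in AD's little-endian order."""
    escaped = "".join(f"\\{b:02x}" for b in uuid.UUID(canonical).bytes_le)
    return f"({attribute}={escaped})"


if __name__ == "__main__":
    print(canonical_to_octet(CANONICAL))
    print(canonical_to_base64(CANONICAL))
    print(base64_to_canonical("MsNKjF+XF0ete7pKTpaP/w=="))
    print(ldap_filter_for_guid(CANONICAL))
```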

FYI – I chose to express all of these in PowerShell as opposed to C# because many readers are not C# developers, and I still wanted to give everyone the ability to do these transforms without the complexity of compiling code or downloading an executable.

Thanks to John Geitzen whose reply to someone else’s question helped me see how to make the correct call to be able to pass the array as a whole parameter to the guid constructor instead of it getting splatted.

Thanks to Poshololic whose comment on this post showed how to do the Guid to Octet conversion in one line. 

Wednesday, November 21, 2012

5 reasons to be thankful for Identity Management

On the eve of Thanksgiving I offer 5 reasons to be thankful for Identity Management (user provisioning, deprovisioning, group and role management, etc.):

  1. What other compliance project can actually have a positive ROI?
    1. You get improved compliance (and the ability to show it)
    2. You also get better security as accounts are disabled quickly
    3. Then you save money through the automation
  2. Identity Management can help support your corporate goals
  3. You can empower users to serve themselves with password resets, group/role requests
  4. It can help keep your organization out of the shame columns in the trade rags
    1. We have all read about the disgruntled former employee accessing data.
  5. The joy of automation, the joy of not having to do double data entry!

5 things in Identity Management in 2012 for which I am thankful

  1. The release of Microsoft Forefront Identity Manager 2010 R2
    1. Web based Password Reset
    2. Reporting
    3. BHOLD suite for RBAC
  2. Releasing FIM Best Practices Volume 1 updated for R2
  3. Being Renewed as a FIM MVP (since 2007 so that makes 6 awards!)
  4. Attending and speaking at The Experts Conference 2012 and attending the Cloud Identity Summit
  5. Having a great job at Insight where I lead an excellent team in delivering solutions in an area of passionate interest.
    1. We are hiring. We need:
      1. FIM Architects
      2. AD Architects (ADFS, PKI too if you got it)
      3. AD Migration experts

Wednesday, September 12, 2012

FIM Lives! UAG Lives! TMG will not

Today Microsoft announced the discontinuing or subsuming of many products in the Forefront line.

To be crystal clear Forefront Identity Manager (FIM) and Forefront Unified Access Gateway (UAG) live on as separate products with ongoing investment!

Insert the obligatory Mark Twain quote here. “The rumors of my death have been greatly exaggerated”

Product: Fate

Forefront Identity Manager (FIM): Lives on. R2 was just released in June.
Forefront Unified Access Gateway (UAG): Lives on. SP 2 just released in August.
Forefront Threat Management Gateway (TMG): Discontinued as of Dec 1 2012 – support available until April 14, 2015 (extended until 2020). Use DirectAccess and RRAS to provide VPN functionality or switch to UAG.
Forefront Threat Management Gateway Web Protection Services (TMG WPS): Discontinued as of Dec 1 2012. I hadn’t even heard of this offshoot.
Forefront Endpoint Protection (FEP), before that Client Security (FCS): Previously announced as System Center Endpoint Protection (SCEP).
Forefront Protection for Exchange Server (FPE): Becomes part of Exchange Server 2013.
Forefront Protection for SharePoint Server (FPSP) and Forefront Protection for Office Communication Server (FSOCS): SharePoint and Lync Servers will continue to offer the built-in security capabilities that many customers use to protect shared documents.
Forefront Online Protection for Exchange (FOPE): Is now Exchange Online Protection.

I think it is safe to say that we are seeing the Forefront brand being disbanded.

I wonder what new names they will come up with for Forefront Identity Manager and Forefront Unified Access Gateway. I guess we will have to wait and see which family of products adopts them.

Tuesday, September 4, 2012

FIM Best Practices Volume 1 has been updated for R2

Just this morning I published the R2-updated edition of FIM Best Practices Volume 1. It is now called FIM R2 Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010 R2. The EBook edition is in color!

Print Edition of FIM R2 Best Practices Volume 1 is still B/W

Go to the lulu.com home page to get a coupon code for 20% off (offer expires 11:59 PM Sept 7 2012).

Updates (over 50 pages more content than before, now at 319 pages, plus lots of revision):

  • New screenshots at every step of the way.
    • Over 260 Figures.
    • 36 Code Fragments
    • 49 tables
  • The architecture discussion covers the new components, Reporting, BHOLD, and Password Reset.
  • Installing the FIM Password Reset Portal, the FIM Password Registration Portal, Installing the reporting component. 
  • Added sample scripts so that almost every step has an option for performing it in scripted fashion.
  • Redesigned the flow of the Service Accounts, Groups, SPNs and aliases to make it easier to follow and to hand off those portions to others. In fact parts of the book read like a “Choose-Your-Own-Adventure” book guiding you to skip past sections that are irrelevant for your particular case.
  • The section on SPNs has been completely re-written to provide an even better explanation of Kerberos and SPNs, but also the ability to jump right to what needs to be done for those that already know the concepts.
  • The chapter on Pre-requisites covers using SharePoint Foundation 2010.
  • The Chapter on updating FIM is much expanded to help you deal with Roll Back scenarios.
  • Added several more bits of humor to see if you are still awake.

Thursday, August 30, 2012

New version PCNS, new FIM hotfix

On Aug 24th Microsoft released a new version of PCNS. Version number 4.1.2515.0.

No release notes are provided with the download. However, this version number matches the version number of the latest FIM R2 hotfix rollup http://support.microsoft.com/kb/2734159 and it does tell us what is fixed:

Assume that you run Password Change Notification Service (PCNS) setup together with the SCHEMAUPDATE=TRUE option and the schema is updated successfully. In this situation, an error message is displayed at the end of the setup process incorrectly.
After this update is installed, the Setup program does not display the error message when the schema update is successful.

It should be noted that this FIM hotfix is only for FIM 2010 R2 (version 4.1.2273.0)

Apparently there were some issues with unicode characters for usernames in the FIM Portal and folders and filenames with unicode characters that the Sync Service used.

FIM Sync had a problem with deleting AD users that had active sync devices added to their account – solved!

Full import on a large connector space was sometimes having a problem with obsoletion and getting an error “0 is not a valid DN depth”

There have also been some issues with the upgrade to R2 failing while trying to upgrade the sync engine. They now have a tool that you can get from support to work around the failure by upgrading the database separately.

The hotfix solves a problem introduced by R2 (build 2273): incorrect removal of members from sets and groups where the filter looks like /Person[(FirstName="John") or (FirstName="Bill")]

There is even a fix for FIM certificate management “to improve error messages handling.”

Thursday, August 16, 2012

How to import the Domain attribute into the FIM Portal Part 2

In Part 1 of How to import the Domain attribute into the FIM Portal I provided you the simple technique for the single domain forest, and the technique that works although it is a bit unwieldy – that of looking at the first 41 characters of the object’s SID and using a lookup table through nested IIF statements and this doesn’t .

What if there was a simpler way?

What about using the Domain Component option in the attribute flow?


Well the problem is that the component starts from left and goes to the right, so if you have objects of varying OU depth, you can’t use this to get what you need reliably. You can use this to get the rDN but that is all. If only you could input negative numbers to tell it to go right to left that would be something. But then that would still have problems with domains of varying depths.

Of course this wouldn’t work if the NetBios Domain Name is not the first domain component of the DN. For example, SnappySlackers.com but NetBios Name of HQ.

What about all of those functions in the Sync Rules? Can we use those? Yes.

We can replace the “,DC=” with a | and use the Word function to split it up and grab the one we want.

Word(ReplaceString(dn,",DC=","|"),2,"|")

What if the DC= comes across as lower case? What if one of the OUs contains the pipe character? Then:

Word(ReplaceString(ReplaceString(UpperCase(dn),"|"," "),",DC=","|"),2,"|")

Although we still face the same exception about the NetBios Domain Name, we can use IIF to handle the exceptions. So if SnappySlackers.com has a NetBios domain name of HQ but all of the others have a corresponding NetBios Domain Name (NA.SnappySlackers.com is NA and EMEA.SnappySlackers.com is EMEA), then the following would work and would even handle new domains as long as the NetBios Domain Name and the first Domain Component match.

IIF(Eq(Word(ReplaceString(ReplaceString(UpperCase(dn),"|"," "),",DC=","|"),2,"|"),"snappyslackers"),"HQ",Word(ReplaceString(ReplaceString(UpperCase(dn),"|"," "),",DC=","|"),2,"|"))
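As an added example, not from the original post: a Python emulation of the sync rule functions used in the expressions above (UpperCase, ReplaceString, Word, and the IIF/Eq exception), so the domain extraction can be checked against sample DNs before it goes into a sync rule. The emulated semantics (Word is 1-based and splits on any delimiter character, empty words are skipped, an out-of-range index yields "") are an assumption about the FIM functions, and the NetBios exception table is the post's SnappySlackers/HQ case generalised to a lookup.

```python
# Added example (not from the original post): emulate the FIM sync rule
# functions used in the domain-component expressions so they can be tested
# offline. Function semantics are an assumption approximating FIM's:
# Word is 1-based, splits on any delimiter character, skips empty words and
# returns "" when the index is out of range.


def upper_case(s: str) -> str:
    """UpperCase(s): normalises 'dc=' vs 'DC=' before matching."""
    return s.upper()


def replace_string(s: str, old: str, new: str) -> str:
    """ReplaceString(s, old, new): replace every occurrence."""
    return s.replace(old, new)


def word(s: str, index: int, delimiters: str) -> str:
    """Word(s, index, delimiters): the index-th (1-based) word of s."""
    words, current = [], ""
    for ch in s:
        if ch in delimiters:
            if current:
                words.append(current)
            current = ""
        else:
            current += ch
    if current:
        words.append(current)
    return words[index - 1] if 0 < index <= len(words) else ""


def first_domain_component(dn: str) -> str:
    """Word(ReplaceString(ReplaceString(UpperCase(dn),"|"," "),",DC=","|"),2,"|")

    Pipes already in the DN are turned into spaces first so an OU such as
    "OU=R|D" cannot shift the word count; word 1 is everything before the
    first ",DC=", word 2 is the first domain component.
    """
    return word(replace_string(replace_string(upper_case(dn), "|", " "), ",DC=", "|"), 2, "|")


# Domains whose NetBios name differs from the first domain component.
# The post's example: SnappySlackers.com uses the NetBios name HQ.
# Keys are upper case because first_domain_component() upper-cases the DN.
NETBIOS_EXCEPTIONS = {"SNAPPYSLACKERS": "HQ"}


def netbios_domain(dn: str, exceptions: dict = NETBIOS_EXCEPTIONS) -> str:
    """The IIF(Eq(Word(...),"snappyslackers"),"HQ",Word(...)) expression,
    generalised to a lookup table of exceptions."""
    component = first_domain_component(dn)
    return exceptions.get(component, component)


if __name__ == "__main__":
    # Constructed sample DNs for the post's forest (assumption).
    for sample in (
        "CN=Joe,OU=Sales,DC=NA,DC=SnappySlackers,DC=com",
        "CN=Joe,OU=R|D,dc=emea,dc=snappyslackers,dc=com",
        "CN=Joe,OU=IT,DC=SnappySlackers,DC=com",
    ):
        print(sample, "->", netbios_domain(sample))
```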

How to import the Domain attribute into the FIM Portal Part 1

If you have a single domain forest then you should use a constant flow in your sync rule or advanced attribute flow. If you have a multi-domain forest, then using a constant in the advanced attribute flow won’t work.

You could create multiple inbound sync rules one for each domain with scoping filters and then use a constant. However, this seems like a waste.

You could also follow the guidance provided in the article originated by my friend Markus Vilcinskas and maintained by the community: http://social.technet.microsoft.com/wiki/contents/articles/648.how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx

Which for one domain looks like this:

IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-4220550486-1538840966-3184992408"),"FABRIKAM","Unknown")

and for three looks like:

IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-4220550486-1538840966-3184992408"),"FABRIKAM",IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-4220550586-1538840966-3184992408"),"SnappySlackers",IIF(Eq(Left(ConvertSidToString(objectSid),41),"S-1-5-21-4220550486-1538840966-3184992408"),"bluesky","Unknown")))

However it requires ferreting out the SIDs of the domains (although Markus does provide a script to generate the expression http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/50088024-d86a-49dc-bb03-3243ebd677eb ). This technique uses the fact that the first 41 characters of the SID (after converting it to a string) of every object is the domain SID.

As you can see the custom expression gets very unwieldy, very fast. In Part 2 I shall propose a more elegant solution that works in all cases with one notable exception, that can be worked around.

Monday, July 2, 2012

Award for Me, Award for Insight

What a good week – Insight was awarded Microsoft Desktop Partner of the Year, and I just received news of my MVP award in the Forefront Identity Management area has been renewed.

The Desktop Partner of the Year is a great accomplishment by our Systems Management and Virtualization practice. This one will be added to all of the awards we won as Ensynch:


As for the MVP, I am always honored. I truly enjoy trying to enhance the FIM community. This marks the 6th time I have received the award (2007, 2008, 2009, 2010, 2011, and 2012). There are so many cool experiences I get to have with the other FIM MVPs; I treasure them.


I look forward to another year of contributions.

PS Look for some book related announcements in the next two weeks.

Friday, June 1, 2012

FIM 2010 R2 released today to MSDN

Look what just turned up on the MSDN list of downloads:


Along with FIM 2010 R2 it looks like the BHOLD Suite is available too! Although you can see that it appears to be a separate download.

I don’t know when the retail version will be available.

Wednesday, May 2, 2012

TEC 2012 Summary

Wow TEC 2012 is already over and I am already back home. What a week!

The venue was great. San Diego is always a great place to be, cool yet not too cold. Right on the bay. Great hotel. The Marriot Marquis and Marinas has an awesome pool – went for a great swim on Monday night. Tuesday morning I really enjoyed a jog on the Boardwalk. I ran up to the USS Midway. Tons of other attractions right nearby.

The sessions were very good. Unfortunately, I couldn’t attend all of the sessions I wanted to attend. I had a few conference calls and sometimes they were at the same time.

The keynote by Uday Hegde was quite good – he covered how Windows 8 (Windows Server 2012) will extend the File Classification Infrastructure type technology to permissions. We will be able to do claims based permissions on files! Pretty cool. Deployment of AD will become simpler – less running around to different machines to run prep this and prep that.

I skipped Adam and Ken’s session on Reporting with FIM R2. I am sure it was excellent and very similar to what they showed us at MVP summit (that and a con call meant I wasn’t there). I also had to pass on Jeremy’s session on SCIM, which was also at the same hour as Laura Hunter’s session on Protection at MSFT.

In the afternoon I conducted the showdown between Classic and Declarative and had a great time, but was wishing I could have split in two and attended Brian Desmond’s session on Office 365 prep to see if he has come up with a different way to solve the issues.

I then yielded the stage to Carol Wapshere for the Sync Service migration toolkit – looking forward to those scripts.

Then a con call interrupted my attendance.

The Meet the experts was fun, I got to meet a lot of folks that came over to get a copy of the book signed. Signing books is still a bit of a surreal experience (today we gave Anil Desai a ride to the airport – he wrote one of the first Windows books I read).

The Party was on the terrace and it was a bit breezy but quite fun, with pool tables and a woman wearing a dress with a table, yes a table. Bob Bobel of Quest told me that she was a party crasher. Well, she certainly was a conversation piece.

Tuesday morning I caught Craig Martin’s session on PowerShell and SSRS to do reporting from FIM. It is brilliant work; however, Craig keeps insisting on calling SSRS "scissors"! I keep telling him not to run (PowerShell) with Scissors (SSRS).

After lunch I saw Lutz deliver his session on BYOD and the cloud. Then we prepped for his Wed sessions.

Lutz attended several of the RMS related sessions and said they were very sparsely attended.

Tuesday night I attended the reception for a brief bit and then slipped out to dinner with a relative that lives nearby.

Wednesday, I was about to slip into Bob Bradley’s session on self-healing FIM when I saw him sit down to breakfast. So after discovering that his session got changed to 9:45, he and I got to talking. That’s a fellow with a head full of bright ideas.

Then I attended Lutz’s session on PKI housekeeping. Good job Lutz! I gave him a slide promoting the book, and he told his audience that he was leveraging that for an upgrade to business class on his next flight.

Man I was hoping to see Eric Huebner’s session on manipulating data in FIM. Similar to the showdown but come at it from a very different angle, instead of arguing which is better, he discussed some of the performance considerations of one vs. the other and I understand that he even discussed “Request Splitting” in FIM 2010 R2 – allows you to have child requests that do go through the full pipeline and are subject to approval requests!

Then I went to Eihab Isaac’s session – already blogged a lot about that one. One more mention: Eihab mentioned he is working on his master’s degree but then showed us a slide of Jobs, Gates, and other billionaire college dropouts. In general more education is correlated with higher pay, although there are a few exceptions. Great job!

The lunch on Wednesday had a great dessert! Fortunately I resisted the temptation to have seconds. Phew!

Two people at my lunch table won in the drawing. It was cool to be near two such lucky people!

RCDC Replacement

FIM User Interface Implementation: Replace the rigid RCDC with a customizable UI
Speaker:
Eihab Isaac

Eihab delivered a very well-reasoned presentation on the pros and cons of replacing some of the forms, especially the create person (user) form. Excellent demo showing creating multiple requests for creating the user as well as requests for additional attributes, and application access. Great session.

Tuesday, May 1, 2012

FIM Reporting Craig Martin style

Craig’s session is on how to get data out from the FIM Service and FIM Sync with PowerShell and displaying it with SSRS, which he has dubbed Scissors!

Ok Craig we get it! You have even persuaded me that PowerShell is important! I have started writing scripts. SQL Server of course is still important.

Key is to hook up a pipeline from PowerShell to pass into his custom SSRS PowerShell Data Processing Extension (DPE). Craig uses export-clixml and import-clixml to serialize data before it is expired from the FIM system.

One thing he does point out is that you can’t use the Report Builder; you must use BIDS to create your reports, because DPEs are not supported with Report Builder.

Overall Craig does an excellent job of reusing the tools and capabilities for other areas to show us some really useful stuff with FIM.

Migrating from ILM to FIM

Carol Wapshere delivered an excellent session yesterday at TEC 2012 on the thought process for migrating from MIIS/ILM to FIM.

I loved the incisive logic to focus on the main issue being solved: getting the customer onto supported software (getting the MIIS database off SQL 2000, getting off MIIS/ILM). Avoid the temptation to try and fix everything else at the same time. She had a great list of gotchas. Even more impressive were her discovery scripts designed to analyze the existing implementations and her rubric for estimating the work.

Look what I found in the news

I didn’t even know that Identity and Access Management (IAM) workers had a union!


Of course, imagine my disappointment to learn that it is International Association of Machinists and Aerospace Workers union.

SharePoint 2010 User Profile Synchronization Service

The SharePoint 2010 User Profile Synchronization Service is really FIM 2010 pre-packaged in a very special way. Need evidence? Look at the tables in User Profile Service Application_SyncDB


See how it has mms_connectorspace, mms_cs_link etc. Those are tables commonly found in the FIM Sync database. See the attributeInternal, the BindingInternal, and all of the Membership* tables; those are all part of the FIM Service database. So interestingly enough they have both FIM Service and FIM Sync merged into a single DB.


Monday, April 30, 2012

FIM 2010 R2 Showdown: Classic vs. Declarative

Well I delivered my session FIM 2010 R2 Showdown: Classic vs. Declarative. During lunch they changed the location. But the room was packed by 5 min after I began (guessing about 45-50 people). Many familiar faces.

We had a rollicking good time. I presented how things worked with Classic and Declarative, presented some findings and asked for other opinions. Boy did I receive them.

My basic conclusion is that Declarative can reduce the code used and in turn improve the maintainability of the FIM implementation.

Some folks agreed. Some few misguided folks disagreed. I did take a bunch of ribbing from many who prefer the code.

We had lots of fun sharing opinions. I think all can agree that the Declarative Sync Rules give us a lot of promise for doing things without code and in several ways fall short. Where we differ is how that affects the way we implement FIM. Some ignore the sync rules and do everything Classic. However, some of us try to use the Sync Rules for everything possible and the classic code only when needed.

One thing is certain, the product is definitely heading in the direction of more and more declarative capabilities.

Friday, April 27, 2012

Picking a mobile phone plan: AT&T

I am currently a Sprint customer, and I am in the process of considering a replacement. So I analyzed AT&T’s plans. I found some interesting things:

They have three individual plans that don’t include long distance to Canada but do include US long distance.

Plan (min)   Cost     $/min    Over $/min   Min over to break even with next plan   Rollover   Weekend min
450          $39.99   $0.089   0.45         44                                      yes        5000
900          $59.99   $0.067   0.4          25                                      yes        unlimited
Unlimited    $69.99                         n/a                                                unlimited

They include unlimited calls to other AT&T mobile customers. For $8.99/mo more you can get early nights and weekends.

The first interesting thing to notice is that on the 450 min plan if you will go 45 min over per month it is cost effective to go with the 900 plan. So if you will do 495 min/mo then the 900 min plan is better.

The next thing is that if you go 25 min over the 900 min plan it is more cost effective to do the Unlimited plan.

The most interesting thing is that if you are on the 900 plan and thinking about spending the extra $8.99 per month for earlier nights and weekends (7 pm instead of 9pm) why not spend $1.00 more per month to have all day be a night and weekend (since you have unlimited minutes).

Phoenix area part-time MBA program comparisons at public universities

Even though I already have the MBA from Eller College at the U of A I recently put together the following analysis for a friend comparing the MBA options in Phoenix from U of A and ASU.

Eller College of Management (University of Arizona) Evening
  Length and Start Date: 20-22 months: January to August
  Locations: Scottsdale, Arizona and Tucson, Arizona
  Cost: $40,000*
  Times: Classes meet one night per week from 4 p.m. to 10 p.m., plus an initial residential session and a 10-day international trip

Eller College of Management (University of Arizona) Executive
  Length and Start Date: 16 months: August to early November
  Locations: Scottsdale, Arizona
  Cost: $56,000*
  Times: Classes meet Fri. 8 a.m. to 5:30 p.m. and Sat. 8 a.m. to 5:30 p.m. every other week, plus a full-week session and a 10-day international trip

WP Carey School of Business (ASU) Professional Evening
  Length and Start Date: 21 months, August start date
  Locations: Tempe Campus and North Scottsdale
  Cost: $51,600 - $60,300
  Times: Classes meet two nights a week from 6 p.m. to 10 p.m. Electives offered on Saturdays, online or at international locations

WP Carey School of Business (ASU) Professional Weekend
  Length and Start Date: 19 months, January start date
  Locations: Tempe Campus
  Cost: $52,300 - $58,600
  Times: Classes meet every other weekend (Friday from 4:30 - 9:00 p.m. and Saturday 8:00 a.m. - 5:00 p.m.). Core courses consist of 60% classroom learning and 40% online learning. Electives offered online or at international locations

ASU Executive
  Length and Start Date: 21 months, August start date
  Locations: Tempe Campus
  Cost: $76,600
  Times: Classes meet every two weeks on Friday and Saturday

*— includes books and course materials, weekly dinner and meals, and hotel accommodations for the residential portion of the program; does not include international trip expenses or admission and enrollment fees

http://ellermba.arizona.edu/choose/

http://wpcarey.asu.edu/mba/evening/why-WPC/comparison.cfm

For cost compare

U of Phoenix is about $30k+

Thunderbird’s Exec MBA :

Tuition for the 2011-2013 Executive MBA-US program is $88,700 USD. Tuition is charged in a series of installments over the course of the program.

Opening Edit instead of view from a uocListView

When using the uocListView control in the FIM RCDC you can have it return a list of objects. However, when you open them, they open for viewing, not editing.

The key to this is to add a button control inside the uocListView control. You then specify the RedirectUrl property for the button. Additionally ShowActionBar must be true, ItemClickBehavior must be ModelessDialog (which is the default), and EnableSelection must also be true.

I examined the Policy Explorer to figure this out.

Here is an example that I first posted on the forum:

<my:Control my:Name="RequestViewCompleted" my:TypeName="UocListView" my:Caption="All Completed Role Requests" my:ExpandArea="true" my:RightsLevel="{Binding Source=rights, Path=Owner}">
  <my:Buttons>
    <my:Button my:Name="Edit" my:Caption="Edit" my:ImageUrl="/_layouts/images/MSILM2/details.png" my:ClickBehavior="ModalDialog" my:EnableMode="OnlyOne" my:RedirectUrl="../customized/EditCustomizedObject.aspx" />
  </my:Buttons>
  <my:Properties>
    <my:Property my:Name="EmptyResultText" my:Value="There are no role requests for this role." />
    <my:Property my:Name="PageSize" my:Value="5" />
    <my:Property my:Name="SearchControlAutoPostback" my:Value="true" />
    <my:Property my:Name="SearchOnLoad" my:Value="true" />
    <my:Property my:Name="ShowTitleBar" my:Value="true" />
    <my:Property my:Name="ShowActionBar" my:Value="true" />
    <my:Property my:Name="ShowPreview" my:Value="false" />
    <my:Property my:Name="ShowSearchControl" my:Value="true" />
    <my:Property my:Name="EnableSelection" my:Value="true" />
    <my:Property my:Name="SingleSelection" my:Value="true" />
    <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
    <my:Property my:Name="UsageKeywords" my:Value="RoleRequestCompleted" />
  </my:Properties>
</my:Control>

Wednesday, April 25, 2012

FIM DB Sizing Calculator

FIM has two databases (well three if we count the FIM Certificate Management service):

  • FIMService
  • FIMSynchronizationService

Here is a calculator in Excel that you can download and use to calculate how big to make your databases.

In my experience the FIMService database size depends mostly on how many request objects are in the database.

The FIM Sync Database depends mostly on how much run history details (step object details) you generate and keep.

Let me know how you like it. Remember this is to give you a range and help you with your first order approximation. I tried to carefully spell out all of my assumptions (even taking a Goldilocks approach with High, Low and Probable assumptions) and make them accessible in separate cells, while still trying to preserve the simplicity of how many users, how many groups, how many MA’s dealing with each.

I have tried to make it accurate to my experience. However if you find an outright error or find that it doesn’t match your existing setup let me know.

Tuesday, April 24, 2012

Darth Vader – Project Manager Part 2

Have you ever wondered what it would be like to be on a project that was managed by Darth Vader?

In Part 1 I analyzed the good side of his skills. In Part 2 I tried to find the bad, but I only found more good.

Once more, thanks to George Lucas for inventing Star Wars and thanks again to my co-workers for not utilizing Darth Vader's style.

More Good

Characteristic: He promotes from within, and holds people accountable

Example:
[Darth Vader has just learned of Admiral Ozzel's big blunder, and activates a viewscreen]
Admiral Ozzel: [appearing onscreen with Captain Piett] Lord Vader, the fleet has moved out of lightspeed and we're preparing to...
[Ozzel stops, and suddenly begins to choke, clutching at his throat]
Darth Vader: You have failed me for the last time, Admiral. Captain Piett?
Captain Piett: Yes, my lord?
Darth Vader: Make ready to land our troops beyond their energy field, and deploy the fleet, so that nothing gets off the system.
[beside Piett, Admiral Ozzel utters one last strangled gasp, and falls over dead]
Darth Vader: You are in command now, Admiral Piett.
Admiral Piett: Thank you, Lord Vader.

Comments: Promoting from within can be a good thing; however, Vader’s method of creating openings is a bit suspect. Perhaps he should have studied Crucial Confrontations. He could have learned more appropriate ways to hold subordinates accountable. He clearly didn’t know how to “confront with safety.”

He should have prepared by mastering his own stories, then privately confronted him, described the gap in expectations, trying to motivate while lowering barriers.

That might have gone a little more like this:
Darth Vader: Admiral Ozzel, come see me on my ship.
Admiral Ozzel: Right away Lord Vader.
[Ozzel arrives on Vader’s ship]
Darth Vader: Admiral Ozzel, I detect a disturbing pattern of failures. Today, you emerged from lightspeed close enough to the planet for the Rebels to detect our fleet. As a result surprise was lost. On the following previous occasions I noticed similar results.
[Vader realizing that many failures result from a lack of ability and/or motivation, asks questions to try and find out which factors are involved.]
Did you plan for surprise, as I requested? [If yes then it is an ability issue, if no then motivation, he wasn’t motivated to obey.]
Characteristic: He can motivate the workers

Example:
[Darth Vader steps out of his shuttle on the Death Star.]
Moff Jerjerrod: Welcome, Lord Vader. This is an unexpected pleasure. We are honored by your presence.
Darth Vader: You may dispense with the pleasantries, Commander. I am here to put you back on schedule.
Jerjerrod: I assure you, Lord Vader, my men are working as fast as they can.
Vader: Perhaps I can find new ways to motivate them.
Jerjerrod: I tell you that this station will be operational as planned.
Vader: The Emperor does not share your optimistic appraisal of the situation.
Jerjerrod: But he asks the impossible! I need more men!
Vader: Then perhaps you can tell him yourself when he arrives.
Jerjerrod: [alarmed] The Emperor's coming here?
Vader: That is correct, Commander, and he is most displeased with your apparent lack of progress.
Jerjerrod: We shall double our efforts.
Vader: I hope so, Commander, for your sake. The Emperor is not as forgiving as I am.
Comments: Wow, Vader certainly doesn’t subscribe to Patrick Lencioni’s philosophy of building enough trust on your team to allow someone to feel vulnerable.

In this instance Vader is more of the project sponsor and Moff Jerjerrod is the PM.

Moff Jerjerrod is clearly operating in a culture of fear and refuses to reveal his real estimate of the situation. So he is clearly using avoiding to hide the truth. Avoiding is a form of Silence. When we feel threatened in a conversation we tend to move towards silence or violence, depending upon our natural tendencies as well as the power dynamics of the relationships involved.

One of the two of them needs to recognize that safety is definitely at risk in this conversation (and Jerjerrod’s life too). They need to make it safe. How you do so depends on whether you are working at cross purposes or one of you is feeling disrespected; another factor is why. In this case it doesn’t seem to be respect so much as not having the same purpose. Is it a result of a misunderstanding, or do they genuinely want different things?
Jerjerrod’s purpose in this conversation seems to be to not get in trouble, lose his job or his life, or get his family exiled to Tatooine. His strategy in the conversation is to avoid the conversation with “pleasantries,” then a desperate confession followed by an overly “optimistic appraisal of the situation,” another desperate confession, and finally a somewhat fatalistic acceptance of the impossible deadline.

Vader’s purpose is to get the Death Star operational on the Emperor’s deadline. His strategy is to make veiled threats. Although, coming from a six-foot-plus Sith Lord who has choked several co-workers to death with a slight movement of his fingers, the threat is not so veiled.

They need to invent mutual purpose.
Jerjerrod: Lord Vader, we seem to have some different strategies, but I think we both want the same thing: to get the Death Star operational without working people so hard that they make errors that can result in tragic mistakes later on, such as leaving an exhaust port unprotected that could lead to a chain reaction and destroy the Death Star. Do you agree, or do you see a different goal?

Vader: The power to destroy the Death Star is insignificant compared to the power of the Force. Ahem, sorry, I was compelled to get that out there. Yes, I believe that is the goal.

[Vader and Jerjerrod retire to a conference room to discuss the PERT and GANTT charts and see what they can do]

Quotes from the Star Wars movies, found on:

http://www.imdb.com/title/tt0076759/quotes

http://www.imdb.com/character/ch0000005/quotes

http://en.wikiquote.org/wiki/Star_Wars_Episode_VI:_Return_of_the_Jedi

Nothing new under the sun

Just a few weeks ago I was discussing with my team how cloud computing bore a lot of similarities to the outsourcing of data processing back in the height of the mainframe era. Just this morning I saw the following on Dave Kearns’ blog: “While it’s true that there is really nothing new under the sun – “cloud computing,” for example, has remarkable similarities to datacenter computing from the ‘60s and ‘70s – it’s also true that there is always a different way to look at data, facts, or technology which can give insights into better ways to conduct business.”

Back in the 1990s my father founded a software company to help organizations manage their Local Area Networks. During that time he said that the LAN market was paralleling many of the trends that had occurred in the mainframe world. Ever since then I have found it instructive to study those trends.

Kearns makes several points. Among them, in talking about cloud apps, he observes that “people were still having the same discussion that they’d had 10 years ago – only the names were different,” now arguing about datacenter vs. the cloud where previously it was Linux vs. Windows. Instead, he says we should “pick the right application or service – that one that best fills our need. Choosing the platform first is like choosing a restaurant because of the color of the plates they use.” Pretty funny; however, I disagree (at least partially). For one thing, even when eating, the plate does matter: the plate size more so than the color. According to Change Anything: The New Science of Personal Success (page 114), “plate size [has] an enormous impact on how much it [takes] .. to get equally full.”

While I agree that the business needs must be considered first, the platform must also be considered. Just as the plate size can make a big difference for someone trying to manage their weight, so too can the platform make a big difference to someone trying to manage their data security.

Monday, April 23, 2012

What does “no commitment” really mean?

I recently received a mailer for YouFit Health Clubs, offering me “$1 down, $10 month with no commitment” for a club they opened near my house (limited to the first 125 to sign up).

Sounds good, but following the principle of caveat emptor (buyer beware), I always read the fine print. According to the “Billing for Monthly Dues” agreement, if you wish to “discontinue your Month-to-Month membership you may do so at any time with a payment of a twenty-five (25) dollar processing fee.”

You also agree that “monthly dues are subject to a $5.00 per month increase of dues if EFT payment is stopped or changed.” Sounds like even changing the account I use would result in the increase.

Hmm. That sounds like this “no commitment” includes a commitment. Although it sounds reasonable, I wouldn’t call the arrangement “no commitment.” Perhaps they meant that compared to some other gyms there is virtually no commitment.

This serves as an important reminder to fully understand your commitments and customer requirements.

It is important to verify customer statements, like “all employees get AD accounts.” They may commit that this is the truth but their commitment may turn out to have some “no commitment” buried in the fine print.

You must dig deeper for the other shoe – so it can drop. There is always an exception, even to this rule about exceptions. For example, “all employees get AD accounts, except employees below grade 12.” Watch out for the exception to the exception “Except when the employees below grade 12 get approval from their manager. Unless someday their manager revokes their AD account.”

So will this “no commitment” gym get a commitment out of me? Perhaps; after all, as a married man I am not afraid of commitment. Although I might be afraid of “no commitment.”

Wednesday, February 29, 2012

Vol 1 -- 1000 copies! -- 29% off

A few weeks ago FIM Best Practices Volume 1 surpassed 1000 copies! In honor of that achievement and Leap Day, use the following code to get 29% off: LEAPYEAR305

Tuesday, February 28, 2012

FIM 2010 -- Update Rollup 2 4.0.3606.2

FIM 2010 Update Rollup 2 is now available. Download from here.

Before blindly applying this update it is critical that you read the release notes, as XMAs or ECMAs may not run after the update. If you changed the MIISServer.exe.config file to tweak the FIM MA performance, the update won’t replace your file, so you have to make some updates to it by hand. This is documented in the release notes.

There are lots of fixes; my favorite is that they have rolled back the change I mentioned [ranted about] in a previous blog post: What the %_ is the deal with wildcards in FIM Queries in the latest hotfix?

My next favorite new feature, and this one alone will get a separate blog entry, is the release of ECMA 2.0 (information available on the beta and RC of ECMA 2.0 here).

A few sync engine crash issues have been fixed.

Support for writing rules extensions in .NET 4.

Update to the update: Do not run the stored procedure mentioned below, it can result in incorrect set query results.

Update: The KB article was updated today and the item dealing with the stored procedure mentioned below has been removed. You should know that this stored procedure is intended to solve a specific performance problem and should only be implemented with guidance from PSS. You should also know that running it is a one-way trip, i.e. the only way to undo it is to restore the FIMService database from backup.

Another key item that once more underscores the need to read the release notes is a fix for the FIM Service dealing with large criteria-based sets and groups. In order to take advantage of this performance enhancement it is necessary to run a stored procedure (EXECUTE [fim].[EnableSetPartitioningAndTabularFunctions]) by hand. Based on the name I expect that this procedure is doing some table partitioning; more on that when I get a chance to take a look. (Please see the update above.)

Tuesday, February 14, 2012

Darth Vader – Project Manager Part 1

Have you ever wondered what it would be like to be on a project that was managed by Darth Vader?

Let’s analyze the good side of his skills.

But before we do, a little housekeeping:

I would like to thank George Lucas for inventing such wonderful characters and a wonderful story that has entertained me and so many others, many, many times. I would also like to thank my co-workers for not utilizing Darth Vader's style.

The Good

Characteristic: He vigorously defends projects he is leading
Example:

Admiral Motti: Any attack made by the Rebels against this station would be a useless gesture, no matter what technical data they have obtained. This station is now the ultimate power in the universe! I suggest we use it!
Darth Vader: Don't be too proud of this technological terror you've constructed. The ability to destroy a planet is insignificant next to the potential of the Force.

Admiral Motti: Don't try to frighten us with your sorcerous ways, Lord Vader. Your sad devotion to that ancient Jedi religion has not helped you conjure up the stolen data tapes, or given you enough clairvoyance to find the rebels' hidden fortress...
[Vader makes a pinching motion and Motti starts choking]
Darth Vader: I find your lack of faith disturbing.

Comments: Well, maybe ignoring problems and attacking or counterattacking individuals with verbal violence, or Force violence, isn’t such a good thing.

After Vader’s attempt to bring him down a peg, Admiral Motti wasn’t feeling safe enough to remain in dialogue, so he counterattacked with labeling (“sorcerous”) and attacking (“sad devotion”).

I wonder if Crucial Conversations training could have helped.

So Vader escalates. Instead he should have recognized: “Uh-oh, things are getting heated. Hmm, I am not feeling safe, but before I use the Force to choke him, I should ask myself what I really want (long-term) out of this conversation. I want a team that can help me crush the rebellion to protect the empire that I kind of thought I would rule someday.” Next he needed to recognize that Admiral Motti was feeling unsafe. What is the evidence? The labeling and attacking. Then he needed to restore safety. Was it mutual purpose or respect at risk? Respect. Vader’s dismissive comment about the Death Star really irked his would-be minion, I mean co-worker. In this case a clarification of intent using contrasting would be useful.
E.g.
“Admiral, my earlier comment was not intended as a personal attack on your engineering abilities nor on your creation. I did want to caution us all about the dangers of overconfidence. I agree that the Death Star is powerful, but so too is the Force. Imagine what we can do wielding them together.”
Characteristic: He focuses on results
Example:

Darth Vader: Yes, Admiral?
Admiral Piett: Our ships have sighted the Millennium Falcon, Lord. But it has entered an asteroid field and we cannot risk...
Darth Vader: [interrupting] Asteroids do not concern me, Admiral. I want that ship, not excuses.

Comments: If only Vader had learned to look, he could have realized that Piett wasn’t feeling safe, as evidenced by Piett falling out of dialogue into silence. Oh wait, that was his intention.

How could the recently promoted Piett handle this? He believes, with some degree of reason, that he faces a choice between speaking up and losing his life. Is this a sucker’s choice? Is there a way he can speak up and save his life too? Probably. One key thing you learn in Crucial Conversations is how to pick which conversation to have and how to prepare for it.

He should probably take this up at a different time, and discuss the whole pattern of killing subordinates.

“Hey, uh, Lord Vader?”
“Yes, Admiral?”
“I was wondering if I could discuss some ideas I have about helping us be an effective rebellion-crushing team. Would it be ok if we spent some time discussing this?”
<<In this way Admiral Piett is establishing a mutual purpose and is asking permission to broach the topic, which is very powerful in being able to get to dialogue.>>
“Proceed, Admiral.”
“I don’t want to say you’re not an effective leader in the Empire. I do want to discuss how we can be more effective as a team.”
<<Proactive Contrasting>>
“So I have noticed that my predecessor made a mistake in coming out of hyperspace too close to the planet. Then you used the Force to kill him. I have observed that some of the fleet officers and I have become more hesitant in our actions for fear of suffering similar consequences. It appears that you might have reacted in anger, not intending to have a debilitating effect on the fleet staff. It might cause us to hesitate when we need to be bold, or to be afraid to tell you about a critical problem until it is too late to solve it. How do you see it?”
<<This way Piett starts with the facts, tells his interpretation of the facts and asks how Vader sees it, but he does so with tentative language and in a way that encourages testing.>>

“That is most unfortunate, Admiral Piett.”
[Darth raises his hand, making the choking motion with his fingers, but then pauses]
Vader mutters to himself, “Wait, I have always wondered why I am surrounded by incompetence. Perhaps this is my opportunity to understand.”

Well I think Luke was right, there was good in him still.

It is so sad. Had Vader and the rest of the staff been able to remain in dialogue, they might have been able to recognize their problems and work together to solve them. In short, they could have “crushed the rebellion once and for all.”

Quotes from the Star Wars movies, found on:

http://www.imdb.com/title/tt0076759/quotes

http://www.imdb.com/character/ch0000005/quotes

http://en.wikiquote.org/wiki/Star_Wars_Episode_VI:_Return_of_the_Jedi

Wednesday, January 25, 2012

FIM R2 Showdown -- Classic vs. Declarative

Come join me at The Experts Conference 2012 in San Diego, April 29 - May 2, where I will be presenting:

FIM R2 Showdown — Classic vs. Declarative
Speaker: David Lundell

Is there room enough for both in this town? FIM 2010 R2 has two ways of accomplishing many tasks: Classic and Declarative. Attend this showdown to learn when to saddle up Classic vs. when to saddle up with Declarative Sync Rules and why. Dissenting opinions politely welcomed — join the controversy! Discussion will take into account performance, ease of implementation and maintainability.

My colleague Lutz Mueller-Hipper has been selected to present three sessions:

Data Loss Prevention with RMS: 2012 the Year of RMS
Speaker: Lutz Mueller-Hipper

In this session we talk about the reasons for RMS and the battle against PKI. RMS is growing up, so let’s see what we get with Mac Office, with unsupported document formats, and with automatic data classification tools. We will also cover what is new with RMS in Windows 8 and RMS in the Cloud.

EZ PKI and PKI Housekeeping
Speaker: Lutz Mueller-Hipper

It is time to use PKI to simplify computer management, and this session will go over design recommendations and security aspects for scenarios with Wi-Fi and VPN. Don’t just do it, do it right, and see why and how. The second part of this session will discuss user certificates in the wild, how to publish them securely with AD LDS, and what needs to be done for PKI housekeeping in Active Directory.

Public/Private Cloud Application Security and Single Sign On with BYOD – Tear Down the Walls
Speaker: Lutz Mueller-Hipper

The IT business is moving rapidly to cloud-based solutions. Want to know what that means for the traditional network infrastructure and how you can run an open but secured network? The session will look at all those things from the application level, and at authentication in enterprises with classic SSO and federation.

For all of the Directory and Identity Abstracts