Wednesday, October 19, 2016

MIM 2016 SP1 -- Implications

Earlier this month Microsoft released MIM 2016 SP1. But what does this mean for you?

Biggest Implications


  1. Exchange Online (Office 365) is now supported as the mail system for the MIM Service
    1. Without losing the ability to approve requests from within Outlook, or to request groups from within Outlook.
      1. Since lots of orgs are already on Office 365, no more embarrassing conversations about the great features you can't have.
  2. Support for other browsers in the MIM Portal
    1. SSPR already supported other browsers, but now the MIM Portal supports Chrome, Firefox and Safari as well.
      1. This means less customer resistance.
  3. Platform support -- MIM now supports the latest platforms: Windows Server 2016, Active Directory 2016, SQL Server 2016, SharePoint 2016 and Exchange 2016.
    1. Sync, Service and Portal
      1. Can now run on these platforms.
    2. The Portal can now run on SharePoint 2016
      1. But there is no Foundation edition of SharePoint 2016, meaning no free edition.
        1. So keep running the Portal on SharePoint 2013 Foundation for now, unless Microsoft starts including a SharePoint 2016 license.
    3. SharePoint 2016 no longer ships with the embedded FIM/MIM sync for user profiles
      1. You can still use MIM, but the default is the new built-in Active Directory Import.
      2. If you do use MIM to sync profiles to SharePoint, check Spencer Harbar's notes.
    4. BHOLD
      1. The supported platforms page lists that with MIM 2016 SP1 BHOLD now supports SQL Server 2014.
        1. Say what? Why not SQL Server 2016? Is this an error? If true, this implies that BHOLD isn't as highly prioritized.
    5. MIM Certificate Management
      1. Lists the only supported client as Windows 7.
        1. Again, if true this suggests lower priority. In general, most new MFA solutions aren't using smart cards and certificates.
    6. PAM now supports Windows Server 2016 and forest functional level 2016
      1. Kerberos tickets are now time limited to the time left on your role activation.
        1. Improved security!


Monday, October 17, 2016

Post Migration Your MIM/FIM Attribute Flow Precedence is Incorrect

Have you ever found that attribute flow precedence was messed up, wrong or otherwise in error just after you followed the steps to migrate your MIM/FIM configuration from Dev to Prod or vice versa? Well, I am finally blogging about a discovery I made. The list of steps (reproduced below from Microsoft's migration documentation) is incomplete:
  1. Back up the pilot and production environments by using the Backup and Restore procedures.
  2. Export the FIM Service schema configuration.
  3. Export the FIM Synchronization Service configuration.
  4. Export the FIM Service policy and FIM Synchronization Service configuration resources.
  5. Install the FIM Synchronization Service and the FIM Service in the production environment.
  6. Enable the maintenance mode in the production environment.
  7. Import the FIM Service schema configuration.
  8. Import the FIM Synchronization service configuration.
  9. Install the custom DLLs necessary for custom workflows.
  10. Import the FIM Service policy and FIM Synchronization Service configuration.
  11. Disable maintenance mode in the production environment.
After step 10, "Import the FIM Service policy", your attribute flow precedence will be wrong if you made changes to inbound synchronization rules that flow to the same metaverse attributes as import attribute flows defined directly in the management agents. Those two kinds of flows compete for precedence on the same attribute, and that ordering is what gets lost.

Here is why: step 8 imports the Sync Service configuration, including attribute flow precedence, but the synchronization rules themselves live in the FIM Service. After step 10 they have been imported into the FIM Service and Portal, yet until you run an import on the FIM MA those sync rules and their attribute flows are not yet in the sync engine, so there is nothing for the precedence to be applied to. Once you run the FIM MA import you have the flows, but their precedence will not necessarily match the precedence in the source environment.

Solution: after step 10 (and before disabling maintenance mode in step 11), run a Delta Import and a Delta Synchronization on the FIM MA. Then re-import the FIM Sync configuration (repeat step 8).

Why this works: the FIM MA import and sync get the sync rules and their attribute flows into the sync engine, and the second configuration import then reapplies the attribute flow precedence from the source environment on top of flows that now exist.
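The fix above has two parts that are easy to get wrong by hand: running the FIM MA run profiles in the right order, and confirming afterwards that precedence really matches the source environment. The PowerShell below is an added example, not code from the original post or from Microsoft. It assumes it is run on the Synchronization Service server by a member of the MIISAdmins group, that the FIM MA is named 'FIM MA' with run profiles named 'Delta Import' and 'Delta Synchronization', and that $SourceExport and $TargetExport are folders produced by File > Export Server Configuration in the source environment (step 3) and in the target after the repeated step 8. The MV.xml and MA-*.xml element and attribute names used in the comparison are those I know from FIM server exports; verify them against your own export before relying on the result.

```powershell
# Added example (not from the original post). Assumptions are listed in the lead-in.
$FimMaName     = 'FIM MA'                  # assumed MA name
$DeltaImportRP = 'Delta Import'            # assumed run profile names
$DeltaSyncRP   = 'Delta Synchronization'
$SourceExport  = 'C:\FIMConfig\Dev'        # assumed: export taken in step 3 (source)
$TargetExport  = 'C:\FIMConfig\ProdAfter'  # assumed: export taken after repeating step 8

# --- Part 1: after step 10, before step 11: bring the sync rules into the sync engine.
# The Sync Service exposes MAs through WMI; Execute() runs a run profile by name and
# returns 'success' when clean, or a 'completed-*' string when the run had errors.
$ns = 'root\MicrosoftIdentityIntegrationServer'
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$FimMaName'"
if (-not $ma) { throw "Management agent '$FimMaName' not found" }

foreach ($rp in @($DeltaImportRP, $DeltaSyncRP)) {
    $rc = $ma.Execute($rp).ReturnValue
    if ($rc -ne 'success') { throw "Run profile '$rp' on '$FimMaName' returned '$rc'" }
    Write-Host "$FimMaName / $rp : $rc"
}
Write-Host 'Now re-import the Sync Service server configuration (step 8), then export it again.'

# --- Part 2: compare import attribute flow precedence between two server exports.
function Get-MaNameMap {
    # Map MA GUID -> MA name using the MA-*.xml files of an export folder,
    # so the output shows names rather than GUIDs.
    param([string]$ExportFolder)
    $map = @{}
    foreach ($file in Get-ChildItem -Path $ExportFolder -Filter 'MA-*.xml') {
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        $id   = $doc.SelectSingleNode('/ma-data/id').InnerText
        $name = $doc.SelectSingleNode('/ma-data/name').InnerText
        $map[$id] = $name
    }
    return $map
}

function Get-PrecedenceMap {
    # Returns "objectType.attribute" -> "type: MA1 > MA2 > ...", in the order the
    # sync engine ranks the flows (for type 'ranked' the first listed flow wins).
    param([string]$ExportFolder)
    $names = Get-MaNameMap -ExportFolder $ExportFolder
    [xml]$mv = Get-Content -Path (Join-Path $ExportFolder 'MV.xml') -Raw
    $result = @{}
    foreach ($flows in $mv.SelectNodes('/mv-data/import-attribute-flow/import-flow-set/import-flows')) {
        $objType = $flows.ParentNode.GetAttribute('mv-object-type')
        $order = foreach ($flow in $flows.SelectNodes('import-flow')) {
            $maId  = $flow.GetAttribute('src-ma')
            $label = if ($names.ContainsKey($maId)) { $names[$maId] } else { $maId }
            # Flows that come from a synchronization rule carry a sync-rule-mapping child;
            # flows defined directly on the MA do not. Both compete for the same attribute.
            $rule = $flow.SelectSingleNode('sync-rule-mapping')
            if ($rule) { "$label (rule $($rule.GetAttribute('sync-rule-id')))" } else { $label }
        }
        $key = "$objType.$($flows.GetAttribute('mv-attribute'))"
        $result[$key] = "$($flows.GetAttribute('type')): " + (@($order) -join ' > ')
    }
    return $result
}

function Compare-Precedence {
    # One row per attribute whose precedence type or ordering differs between the exports.
    param([string]$SourceFolder, [string]$TargetFolder)
    $src = Get-PrecedenceMap -ExportFolder $SourceFolder
    $tgt = Get-PrecedenceMap -ExportFolder $TargetFolder
    $diffs = @()
    foreach ($key in (@($src.Keys) + @($tgt.Keys) | Sort-Object -Unique)) {
        if ($src[$key] -ne $tgt[$key]) {
            $diffs += [pscustomobject]@{ Attribute = $key; Source = $src[$key]; Target = $tgt[$key] }
        }
    }
    return $diffs
}

$diffs = Compare-Precedence -SourceFolder $SourceExport -TargetFolder $TargetExport
if ($diffs.Count -eq 0) { Write-Host 'Attribute flow precedence matches the source environment.' }
else { $diffs | Format-Table -AutoSize }
```

Run Part 1 first, do the manual re-import of the server configuration in the Synchronization Service Manager, export the configuration again, and only then run Part 2. An empty result from Compare-Precedence is the check that the second step 8 actually landed; any row it prints is an attribute whose ranking still differs from the source environment and needs to be fixed in the MA's attribute flow precedence before you disable maintenance mode.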