Tuesday, 9 December 2014

FIM 2010 R2 SP1: Inbound Sync Rule CustomAttributes Script "DomainObjectSid_IFFSStatement.ps1" script provided by The FIM Scriptbox. "Error: Could not find a forest identified by: 'domain'."

After reviewing the Microsoft guide "Syncing Active Directory with FIM", I got to the stage of populating the Synchronization Rules using the FIM Portal. In the guide the following section outlines how you must generate a CustomExpression string.
 
How to Sync Active Directory with FIM.


As the domain I was trying to sync with Active Directory was Windows Server 2003 based, which does not natively have PowerShell (or the AD DS PowerShell cmdlets) I used a Windows Server 2012 R2 VM with the AD DS server role installed.
At first I had to reconfigure the ExecutionPolicy to allow Unrestricted scripts. I then tried to run the DomainObjectSid_IFFSStatement.ps1 script provided by The FIM Scriptbox. I received the error Error: Could not find a forest identified by: 'domain'.
To recognize where in the code the script was failing I opened the script in the PowerShell ISE and selected small sections of the code and used the Run Selection button to break out where then the code encounters an error.
 
In this instance it was on Line 10 $ForestObject = Get-ADForest that was causing the script to fail. At first I thought it was a DNS issue that was causing the issues so I did all the usual things and could not find anything.
The fix in this case was to configure the Active Directory Web Services service to start Automatically on the system starting. Once I did this and re-run the script it generated the required CustomExpression string I needed to continue.

Thursday, 4 December 2014

Forefront Identity Manager 2010 R2 (FIM) portal "Service not available."

When you try to access the FIM 2010 R2 portal you receive the following screen stating that "Service not available. Please contact your help desk or system administrator."
 
In the Event Logs there is a continuous error "Event 3, Microsoft.ResourceManagement" in the error states that "System.Net.WebException: Unable to connect to remote server ---->" and "No connection could be made because the target machine actively refused it 10.25.1.40:433." That IP was actually one of my Domain Controllers, so I disabled the Windows Firewall to see if it would resolve the error. No change unfortunately.
 
After a bit research with some travling through TechNet blogs I came across this link which is "A hotfix rollup package (build 4.1.3508.0) is available for Forefront Identity Management 2010 R2" http://support.microsoft.com/kb/2913228/en-us although my issue was not directly mentioned in th More Information section I though it would be best to install the updates for the components I had deployed.
 
I installed FIMSyncService_x64_KB2913228.exe first.
 
Then FIMService_x64_KB2913228 secondly.
After the second patch was applied the FIM portal then started to work.
 

Wednesday, 3 December 2014

FIM 2010 R2 SP1: Password Registration and Reset Portals Service Principal Names (SPN's) and Kerberos Delegation

If you complete the installation of Forefront Identity Manager 2010 R2 SP1 and do not manually create the Service Principal Names (SPN's) and configure Kerberos delegation when you try to browse to the Password Registration and Reset sites you will receive a cannot display website page, much like the IIS service has stopped or the ApplicationPool is not functioning correctly.
 
 
 
The following commands can be run on a Domain Controller to created the required SPN's, you must state the FQDN for both the Password Registration and Password Reset websites. You must also set the SPN for the FIM Service Account you have used throughout installing FIM.


setspn –s  HTTP/FQDNpasswordregservice DOMAIN\fimserviceaccount
 


setspn –s  HTTP/FQDNpasswordreset DOMAIN\fimserviceaccount
 
Some applications such as SQL Server automatically generate SPN's when they are installed this is not the case with this component of Forefront Identity Manager, however if you receive an error "Duplicate SPN: Operation Cancelled" from the setspn.exe, you can use the following command to display all the SPN's associated with a particular object.


setspn –l DOMAIN\computer or user object
 
Once the SPN's are created when you try to browse to the portal's you will see they are now starting to respond, you will receive the credentials box like below as Kerberos Delegation has not been configured. Delegation of authentication allows the client to send it's identity in the form of a Kerberos ticket to the front-facing web server. The front-facing web server can then relay the ticket to "back-end" servers to authentication requests.
 
Open the web.config file for the FIM Password Registration and Reset portals which can be found at C:\inetpub\wwwroot\wss\VirtualDirectories\80, you can open the file with Notepad.
Press CTRL + F to bring up a find window and type <resourceManagementClient and click Find. This will take you to a string in the web.config file you must edit.
 
The following string of text must be added to that line of the code requireKerberos="true". Once completed the entire string should read something like;
 


<resourceManagementClient resourceManagementServiceBaseAddress=http://FIMSERVER:5725 timeoutMilliseconds=”60000” requireKerberos=”true” />
 Next open up CMD and do an iisreset.
Now when you attempt to connect to the FIM Password Registration and Reset portals you should now see the splash screens.

Tuesday, 2 December 2014

FIM 2010 R2 SP1: Creating Management Agents to Active Directory Forest fails with "failed-connection Error Server Down Error Code 0x51"

When you try to create a new Management Agent from Forefront Identity Manager (FIM) 2010 R2 you get the error "failed-connection Error Server Down Error Code 0x51". This error was basically stupid of me and down to name resolution between the two domains. The FIM server was in the new 2012 R2 Active Directory and it could not resolve DNS names in the forest I was trying to configure FIM to query.
 
 
The fix was to enable Zone Transfers (in this case to To Any Server), on the source Active Directory DNS server.
 
From the new Active Directory DNS server I then created a new Active Directory Secondary Zone, which I pointed to the IP of a known Domain Controller in the source AD. Because I configured Zone Transfers the Secondary Zone was immediately populated.
 
From the FIM server I flushed the DNS cache and click Next again. I could then continue creating the Management Agent.
 

FIM 2010 R2 SP1: Installing FIM Password Portal and FIM Reporting "The SharePoint 2010 Administration Service is not running. Please start it and then click "Retry". Click "Cancel" to abort setup."

After going through the massively complex installation process of Forefront Identity Manager Installation wizard for the Password Reset portal and the Reporting Services components you receive the following error "The SharePoint 2010 Administration Service is not running. Please start it and then click "Retry". Click "Cancel" to abort setup." it's pretty self-explanatory as an error. Basically the SharePoint 2010 Adaministration Service is not running on the SharePoint Server (which in this case also the FIM server).
 
 
I had forgot to reconfigure the SharePoint 2010 Administration (or SPAdminV4) service to start Automatically, I did the manually from the services.msc MMC.
 
After this I clicked Retry and the setup continued.


Thursday, 27 November 2014

FIM 2010 R2 SP1: Reporting and Auditing Services with System Centre Service Manager 2010 SP1 "The SSRS Web Services URL is not valid." and SQL Reporting Service "The report server installation is not initialized (rsReportServerNotActivated)

I have been building out a full Forefront Identity Manager 2010 R2 SP1 solution including the optional component of Reporting and Auditing Services. The components of Reporting and Auditing Services for FIM 2010 R2 SP1 are System Centre Service Manager 2010 (SCSM 2010) and SQL Server Reporting Services. I was in the middle of installing the System Centre Service Manager Data warehouse component of SCSM 2010 and the installation was stopped when I was asked to "Configure the Reporting Server for the Data Warehouse", I pointed to the SQL Reporting Service Server and it returned the error "The SSRS Web Services URL is not valid." this stopped me from continuing.
 
 
For testing I tried to open one of the preconfigure Reporting Services websites, when I did this the website was not operational with the error SQL Reporting Service "The report server installation is not initialized (rsReportServerNotActivated).

 
The solution in this case was to click on the Encryption Keys page and under Delete Encryption Content us the delete key to remove the encryption files.
 
 

You will be asked to confirm you want to delete the encrypted content.

 
After doing that I returned to the website and did a refresh the website was then functioning. When I returned to the Server Manager interface and refreshed that, the error was also resolved and I could continue with the install.


Forefront Identity Manager 2010 R2 SP1 (FIM): Connection to SQL Server 2008 R2 for FIM Sync Service "Connection Failed: SQL State: '08001' SQL Server Error: 5 Could Not open a Connection to SQL Server [5]. Connection Failed: SQLState: 'HYT00' SQL Server Error: 0 [Microsoft][SQL Server Native Client 10.0]Login Timeout Expired"

Recently I have been building a FIM 2010 R2 SP1 Sync Service Server using an external SQL instance running on SQL Server 2008 R2. When I was creating the ODBC Data Source using the SQL Server Native Client 10.0 I receieved the following error "Connection Failed: SQL State: '08001' SQL Server Error: 5 Could Not open a Connection to SQL Server [5]. Connection Failed: SQLState: 'HYT00' SQL Server Error: 0 [Microsoft][SQL Server Native Client 10.0]Login Timeout Expired".
 
 
The solution here was to enable TCP/IP from the SQL Server Configuration Manager to do this launch the SQL Server Configuration Manager MMC expand SQL Server Network Configuration and click Protocols for MSSQLSERVER right click and select Properties on the TCP/IP protocol. From the Properties window click IP Addresses using the Active drop downs select Yes for IP1 and IP2. Click OK.
 
For the changes to apply you must restart the SQL instance to do this click on SQL Server Services from the left hand list, right click SQL Server (MSSQLSERVER) and select Restart.
 
To finish off open the SQL Management Studio and login using Windows Authentication.

 
Right click on the top (local) database icon and select Properties.

 
Click on the Security tab and change the Server Authentication to SQL Server and Windows Authentication Mode. Click OK.
 
Again the SQL Server must be restarted. In this instance I rebooted the entire server.
 
Once this has been done you can continue with the ODBC Data Source Connector.

Active Directory "Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "name.domain". The error was: No mapping between account names and security ID's was done. when attempting to add Windows Server 2008 R2 Server to Domain. C:\Windows\Debug\NetSetup "NetpSetDnsHostNameAndSpn: NetpGetcomputerObjectDn Failed: 0x534"

After some rebuilding of lab VM's you have recreated a VM, assigned an IP and are now trying to re-join the domain. You are attempting to use the same hostname as the VM had previously, the old Computer Objects have been deleted from Active Directory. When you try to join the domain you receive the error "Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "name.domain". The error was: No mapping between account names and security ID's was done. "
 

To look further into this issue I opened up the C:\Windows\Debug\NetSetup log file and it stated "NetpSetDnsHostNameAndSpn: NetpGetcomputerObjectDn Failed: 0x534".
 
 
After some research there was loads of blogs stating the error "NetpSetDnsHostNameAndSpn: NetpGetcomputerObjectDn Failed: 0x534" could be resolved by disabling NetBIOS etc, I was not convinced as it was functioning correctly the day before. To check on the health of the domain I used the command dcdiag /a from one of the Domain Controllers.
The dcdiag /a returned the following errors
"0x0000165B The session setup from computer "blank hostname" failed because the security database does not contain a trust account "blank hostname" referenced by the specified computer."
"0x000016AD The session setup from the computer "blank hostname" failed to authenticate."
 
The issue in this case was down to my own patience, I had deleted the old computer objects on one of the Domain Controllers. As the replication topology was configured to replicate every 15 minutes the other DC's in the domain had not received the directory changes.
The quick fix was to force and Active Directory replication from the Active Directory Sites and Services MMC.
 
When I tried to add another VM to the domain it worked without issue and the computer object appeared under the default Computers OU as expected.

Tuesday, 25 November 2014

Forefront Identity Manager (FIM) Synchronization Service Evaluation is having trouble contacting SQL server using the provided information. Please note that Forefront Identity Manager Synchronization requires Microsoft SQL Server 2008 SP1 or better. Verify the version, server and instance names as well as firewall.

When you try to install the Forefront Identity Manager (FIM) 2010 R2 SP1 Synchronization Service to use an off-box SQL Server instance you receive the following error "Forefront Identity Manager Synchronization Service Evaluation is having trouble contacting SQL server using the provided information. Please note that Forefront Identity Manager Synchronization requires Microsoft SQL Server 2008 SP1 or better. Verify the version, server and instance names as well as firewall."
 
 
In this particular instance FIM 2010 R2 SP1 is running on Windows Server 2008 R2 and the SQL Server is Windows Server 2012 R2 with SQL 2012 Standard. As with all off-box SQL instance I had created a ODBC (64-bit) from the FIM server, to the SQL. When I tested connectivity it all came back as working.
As part of the troubleshooting I tried the following things without success
·      Connectivity and Name Resolution
o     Ping and Nslookup
·      SQL Services
o     Ensured SQL Server Browser and SQL Server Agent were set to Automatic and Running
·      Disabled the SQL Server Firewall
o     To rule out any issues with port 1433, then tried Telnet all OK

Although all of these tests came back positive the issue was not resolved. The issue was with the SQL ODBC connection from FIM to SQL. I had created the ODBC using the standard SQL Server Client build into Windows Server 2008 R2.
The fix was to install the SQL Server 2012 Native Client, which can be downloaded from Microsoft http://microsoft.com/en-gb/download/confirmation.aspx?id=29065




 
Once I recreated the ODBC connection with the SQL Server 2012 Native Client the setup then allowed me to continue, the next step was to configure the FIM security groups.

Friday, 21 November 2014

Windows Server 2012 R2: Enabling the Active Directory Recycle Bin from the Active Directory Administrative Center "The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner."

Windows Server 2012 R2: Enabling the Active Directory Recycle Bin from the Active Directory Administrative Center "The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner." prevents you from enabling the Active Directory Recycle Bin.
 
 
From an Administrative Command Prompt I used the following command to confirm the FSMO role holders.


netdom query fsmo

Everything looked normal here so I continued to the next step which was to run the Active Directory Best Practice Analyser from Server Manager.
 
The Active Directory BPA came back with the error "The primary domain controller (PDC) emulator specification master in this forest is not configured to correctly synchronize time from a valid time source".
I used the following command from an Administrative CMD to configure the PDC Emulator to use time.microsoft.com as it's authoritive time source.


w32tm /config /manualpeerlist:time.microsoft.com /syncfromflags:manual /reliable:yes /update
 
 
I then issued this command on all of the other Domain Controllers to ensure they reflected the changes.


w32tm /config /syncfromflags:domhier /update
 
After this I re-run the Active Directory Best Practice Analyser and the error had been resolved.
 
I could then continue and enable the Active Directory Recycle Bin.

Comments system

Disqus Shortname