- Microsoft Identity Manager 2016
- Synchronization Service – FIM Service Management Agent
- Service and Portal
PROBLEM SCENARIO DESCRIPTION
- Running an Export Run Profile on the FIM Service Management Agent produces the Run Status of stopped-server. We want to understand the best way to clear out data in the FIM Service Management Agent connector space to assist with resolving this issue.
To learn more about the different Run Profile Status’ that is returned by the WMI RunStatus Property when executing Run Profiles, review this MSDN information: https://msdn.microsoft.com/en-us/library/windows/desktop/ms699322(v=vs.100).aspx
FIM SERVICE MANAGEMENT AGENT ERRORS
- Failed-creation-via-web-services (in this specific scenario, we received 5000+)
NOTE The failed-creation-via-web-services error is a fairly common error. Here is some information around this error that may assist in resolving some of the different errors that you can receive with this error.
FIM Troubleshooting: Failed-Creation-Via-Web-Services: InvalidRepresentationException: ValueViolatesUniqueness: https://social.technet.microsoft.com/wiki/contents/articles/17242.fim-troubleshooting-failed-creation-via-web-services-invalidrepresentationexception-valueviolatesuniqueness.aspx
[Troubleshooting]: Failed-Creation-Via-Web-Services Troubleshooter: https://blogs.msdn.microsoft.com/ms-identity-support/2013/05/11/troubleshooting-failed-creation-via-webservices-troubleshooter/
FIM Troubleshooting: Failed-Creation-Via-Web-Services: The endpoint could not dispatch the request: https://social.technet.microsoft.com/wiki/contents/articles/17245.fim-troubleshooting-failed-creation-via-web-services-the-endpoint-could-not-dispatch-the-request.aspx
- The Connector Space for the FIM Service Management Agent was deleted and data from the Service and Portal was not reimported into the FIM Service Management Agent Connector Space. This allowed some data to still exist in the Service and Portal that the FIM Service Management Agent has staged as Pending Export Adds.
|NOTE||One of the causes of this issue was the deletion of the FIM Service Management Agent connector space. The recommendation is to review information around this topic prior to deleting a connector space. Find more information here:
- Remove all the Users from the Service and Portal
- The best way to achieve this for many objects is to utilize a PowerShell Script. The “How to use PowerShell to Delete All Users from the FIM Portal” (https://social.technet.microsoft.com/wiki/contents/articles/2108.how-to-use-powershell-to-delete-all-users-from-the-fim-portal.aspx) is a sample illustration that works great.
It is extremely important to note that this script will delete objects in the Service and Portal. Once the user object is removed, until it is populated again into the Service and Portal that user will not have access to the Portal.Additionally, we highly recommend testing any process like this in a staging and/or testing environment prior to executing in production. This is to safe guard your data.
Once you are ready to execute, be certain that you have a verified backup of your backend FIMService and FIMSynchronizationService databases in regard to disaster recovery.
- Ensure that the Service and Portal are clear of all EREs
- Execute a Full Import (Stage Only) on the FIM Service Management Agent
- This will bring in all of the Synchronization Rules into the FIM Service Management Agent Connector Space.
- Execute a Full Synchronization on the FIM Service Management Agent
- Review Pending Exports to understand the data that you will be exporting.
- You can do this through Search Connector Space > Pending Exports
- Once Pending Exports is confirmed, proceed with running an Export on the FIM Service Management Agent
- From the Actions menu, select Run and then Export
- Once the Export is finished, execute a Delta Import (Stage Only) to confirm the Exported Changes
Deletion of connector spaces
- Deleting a connector space should be a large task to consider. Here is some information around the deletion of a connector space.
- FIM Reference: Things to Look at before Deleting a Connector Space: https://social.technet.microsoft.com/wiki/contents/articles/4189.fim-reference-things-to-look-at-before-deleting-a-connector-space.aspx
- FIM Service Management Agent: Deleting the Connector Space: https://social.technet.microsoft.com/wiki/contents/articles/4195.fim-service-management-agent-deleting-the-connector-space.aspx
- FIM 2010: How to delete Management Agent and Connector Space: https://social.technet.microsoft.com/wiki/contents/articles/4191.fim-2010-how-to-delete-management-agent-and-connector-space.aspx
Management Agent Run Status
- Executing a Run Profile, you can see the status of the Run on the Operations Tab of the Synchronization Service Manager GUI. The Run Status is returned to the GUI as the result that is returned from the WMI RunStatus Property. Here is some good information around this topic:
- RunStatus Property: https://msdn.microsoft.com/en-us/library/windows/desktop/ms699322(v=vs.100).aspx
- Support-Info: (FIM Service MA): RunStatus: Stopped-Server Troubleshooter Resources: https://blogs.technet.microsoft.com/iamsupport/2017/11/15/support-info-fim-service-ma-runstatus-stopped-server-troubleshooter-resources/
- Management Agent Run Error Codes: https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/maerrorcodes