FIM error when creating a workflow
Submitted by sami on Wed, 07/21/2010 - 09:07
This was a silly mistake on my part, but when I searched for the error, I didn't come up with any results, so I thought I would post it in case it helps someone else.
I had created a sync rule that saved without any errors. When I tried to add it as an activity to a workflow, I got the error:
"workflow could not be validated as at least one activity had a configuration error"
It turns out I had added an attribute flow mapping in the sync rule to the DN. Took that out and I could create the workflow.
"The DN must be set before calling CSEntry.CommitNewConnector"
Submitted by sami on Tue, 07/13/2010 - 12:26
I've recently started working with Forefront Identity Manager (FIM) and had things swimming along pretty well with getting users provisioned into AD. A requirement came up to provision users into an OU based on their Office Location attribute.
As soon as I made that change, I started getting the error "The DN must be set before calling CSEntry.CommitNewConnector".
I checked the Lineage, and the Office Location value was set, so I was very confused.
After way too long, I realized I needed to add an attribute flow from the FIM MA to the OnPremise AD MA to flow OfficeLocation to officeLocation. I had to do this in the Synchronization Service Manager. It was already set in the sync rule.
Having to set attribute flows in two places is going to take some getting used to. I hope this will help someone else.
Forefront Identity Manager Editing MPR
Submitted by sami on Sat, 07/10/2010 - 09:08
I was creating a new workflow and got an Access Denied error.
This post showed me how to trace the MPR that was blocking the request (http://www.identitychaos.com/2008/11/ilm-2-rc0-access-denied-when-adding...), but I couldn't edit it. All of the form fields were disabled.
Turns out that although you can view the MPR details from the Search Requests and it looks like they are form fields, you can't edit it from that page. So, I went to "Management Policy Rules" and edited the "Administrators control configuration related resources" MPR from there.
And huge thanks to this post: http://c--shark.blogspot.com/2010/02/error-defining-activity-information... That access denied error was incredibly confusing.
I'm on my first cup of coffee on a Saturday after a huge launch effort, so maybe that's why I got confused, but thought I would post in case it helps someone else just learning...
ILM Find objects that have errored on Export
Submitted by sami on Tue, 06/22/2010 - 12:56
I have a client who wanted to know which objects had encountered errors on their way to be provisioned to Live@edu from the Hosted MA.
No one had ever asked me before and a quick search turned up the CSEntry tool. It's super simple:
In a command prompt, nav to c:\program files\microsoft identity integration server\bin
The command to get all of the export errors on the Hosted MA is:
Csexport Hosted c:\log\HostedExportErrors.xml /f:e /o:e
http://certsrv.ru/fim2010.en/html/d08e473a-483e-4de1-8585-068ec5405119.h... provides more information on the parameters and options. You can get more than just errors--you can find all disconnectors, etc.
Attribute "OnPremiseObjectType" is not present.
Submitted by sami on Fri, 05/28/2010 - 14:04
I had this error occurring in ILM when provisioning users in Live@edu.
The onPremise attribute flow to OnPremiseObjectType is called IAF-OnPremiseObjectType. It takes many values from the source, but I had set it to just use 'mail'.
Turns out the objects reporting the error didn't have a 'mail' attribute, so the attribute flow rule never got called. I changed 'mail' to something all of the objects have, 'samAccountName', and voila! Happy objects in the metaverse.
Hope that helps someone else.
Writing Perl output to a file and the terminal window
Submitted by sami on Fri, 05/14/2010 - 11:21
I'm not a Perl programmer by any means, but I needed to work with iMapSync. One of the requirements was to create a log file of everything that is written to the terminal window while still updating the output in the terminal window.
My buddy Ryan S. figured it out for me:
perl [script] [args] 2>&1 | tee -a [file to write output to]
He even gave me an example based on what I'd sent him:
perl imapsync -host1 host1.example.com -user1 ltest100@example.com -authuser1 user1 -password1 pwd1 -host2 host2.anotherserver.com -user2 ltest100@anotherserver.com -password2 pwd2 -authmech2 PLAIN -ssl2 --fast --reconnectretry2 1 --useheader 'Message-Id' --useheader 'Message-ID' --skipsize --delete2 --uidexpunge2 --expunge2 -debug 2>&1 | tee -a IMapSyncLog.txt
Many thanks to Ryan! :-)
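An added example (not part of the original post or Ryan's command): a POSIX shell wrapper around the same `2>&1 | tee -a` pattern that also keeps the log readable by its owner only, since a debug log of a mail migration may name hosts and accounts, and returns the wrapped command's exit status instead of tee's. The names `run_logged` and `demo_job` are hypothetical.

```shell
#!/bin/sh
# Added example: run_logged and demo_job are hypothetical names.
# Usage: run_logged LOGFILE COMMAND [ARGS...]
run_logged() {
    log=$1
    shift
    # Create the log and the status file readable by the owner only.
    old_umask=$(umask)
    umask 077
    : >> "$log"
    status_file=$(mktemp) || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 600 "$log"   # also tighten a log that already existed

    # Same pattern as above: merge stderr into stdout, show it, append it.
    # A pipeline reports tee's exit status, so the command's own status is
    # written to a side file from inside the left-hand side.
    {
        rc=0
        "$@" 2>&1 || rc=$?
        echo "$rc" > "$status_file"
    } | tee -a "$log"

    status=$(cat "$status_file")
    rm -f "$status_file"
    return "${status:-1}"
}

# Constructed stand-in for a long-running migration command.
demo_job() {
    echo "to stdout"
    echo "to stderr" >&2
    return 3
}
```

With the command from the post, the call would be `run_logged IMapSyncLog.txt perl imapsync ...` followed by a check of `$?`.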
Setting the date on migrated email messages with Exchange Web Services
Submitted by sami on Fri, 04/16/2010 - 11:23
After much failed effort on my part, Matt Stehle at Microsoft graciously provided me the following function to set the PidTagMessageDeliveryTime on a mail item. Thank you, Matt!
public static void SetReceivedDate(ExchangeService service, ItemId itemId, DateTime date)
{
    // Bind to the item, loading only its id.
    Item item = Item.Bind(service, itemId, new PropertySet(BasePropertySet.IdOnly));
    // 0x0E06 is the property tag for PidTagMessageDeliveryTime.
    item.SetExtendedProperty(new ExtendedPropertyDefinition(0x0E06, MapiPropertyType.SystemTime), date);
    item.Update(ConflictResolutionMode.AutoResolve);
}
EmailAddresses parameter (Microsoft.Exchange.Data.ProxyAddressCollection)
Submitted by sami on Mon, 03/01/2010 - 16:06
To set proxy addresses in Live@edu, I had to change this:
PCommand.AddCommand("Set-Mailbox");
PCommand.AddParameter("Identity", emailName);
PCommand.AddParameter("MailboxPlan", "GalDisabledMailboxPlan");
PCommand.AddParameter("EmailAddresses", sProxyAddresses);
To this:
Dim addresses As New ArrayList
addresses.Add("SMTP:" & emailName)
addresses.Add("smtp:" & sProxyAddresses)
PCommand.AddCommand("Set-Mailbox")
PCommand.AddParameter("Identity", emailName)
PCommand.AddParameter("MailboxPlan", "GalDisabledMailboxPlan")
PCommand.AddParameter("EmailAddresses", addresses)
Thanks to: http://powershellcommunity.org/Forums/tabid/54/aff/3/aft/195/afv/topic/D...
PCNSCFG Duplicate Targets
Submitted by sami on Thu, 02/11/2010 - 19:17
I accidentally managed to create two targets with the same name in PCNSCFG. The command line to remove one of them wouldn't work because it was not a unique target name.
To fix this, I went into my AD Users area and refreshed the domain. Then, making sure "Advanced Features" was turned on under "View", I navigated to "System" then "Password Change Notification Service". It showed the list of the two targets and I could delete the incorrect one.
This was in a development environment. In a production system, you want to be careful about missing any password changes that happen any time you are configuring your PCNS service.
This forum post provided the guidance I needed: http://social.technet.microsoft.com/Forums/en/identitylifecyclemanager/t...
SharePoint Impersonation
Submitted by sami on Tue, 01/19/2010 - 20:46
Completely copied from this site. Useful stuff and I'm glad he posted the code with all of the comments:
http://www.sharepoint-tips.com/2007/03/sample-event-handler-to-set-permi...
using System;
using System.Globalization;
using System.ComponentModel;
using System.IO;
using System.Data;
using System.Text;
using System.Xml;
using System.Collections;
using System.Configuration;
using System.Diagnostics;
using System.Web;
using System.Security;
using System.Security.Policy;
using System.Security.Principal;
using System.Security.Permissions;
using System.Runtime.InteropServices;
using Microsoft.SharePoint;
namespace SharePointTips.SharePoint.Samples.EventHandlers
{
    ///
    /// This is the event receiver that traps the item added event of the sharepoint list it is attached to.
    ///
    class ListItemSecuritySetter : SPItemEventReceiver
    {
        #region constants
        ///