Windows Server 2008 Active Directory Users and Computers

I am not a systems administrator, but my work sometimes requires me to have access to Active Directory Users and Computers (ADUC). I was on a new server and needed to gain access to this feature. Here’s how I did it:

1. Made sure the “Remote Server Administration Tools” were installed. (I actually did this by trying to install them and receiving an error “This update does not apply to your system”. Turns out they were already installed.

2. Opened Server Manager and selected “Features”.

3. “Add features”

4. Here’s where I got a bit stuck. When I went to “Remote Server Administration Tools”, there was no “Active Directory Users and Computers” option. After some hunting, I found it here:
– Role Administration Tools
– Active Directory Domain Services Tools
– Active Directory Domain Controller Tools

Hope this helps someone else!

SharePoint: Cannot import Web Part error

I get this quite often when moving webparts to other servers. In addition to the usual troubleshooting provided in posts like these:

http://www.dotnetmafia.com/blogs/dotnettipoftheday/archive/2008/10/06/tr…

http://stackoverflow.com/questions/120928/sharepoint-error-cannot-import…

One thing I have found I need to do is check that the web.config file has all of the appSettings keys I am using in my code. If these are missing it can throw this error.

Another thing to check is that the web.config “” is set to “Full” if your dll requires that.

Additionally, make sure any files you need in the “bin” folder are there if you are using that instead of the GAC for anything.

Setting group owner in FIM via Workflow

I just had to create a workflow to set the group owner in FIM and details were a little scarce on the Internet on how to do this.

I’m new to FIM, so this may not be the by-the-book approach (since I haven’t FOUND a book yet), but here’s what I did.

1. Started with the Ensynch sample project on Codeplex. (http://www.codeplex.com/ILM2WFActivity/Release/ProjectReleases.aspx?Rele…)
2. Read the PDF from the same site.
3. In addition to the currentRequestActivity, I added a codeActivity and followed that with an updateResourceActivity.
4. In the code view of the Activity designer page, I added a new function “setGroupOwner”. (See code at bottom of post. I’ve left a couple of commented out lines that were used before I had the ResourceId as a parameter in the UI.)
5. Back in the design view, on the codeActivity, set the “ExecuteCode” property to “setGroupOwner”.
6. On the updateResourceActivity, bind the ResourceId property to “TargetId” and bind the UpdateParameters field to “MyUpdateParameters”. (Thanks to the CShark post for this instruction. http://c–shark.blogspot.com/2009/02/generate-accountname-in-ilm-2-custo…) If you have trouble, check out this other post: http://c–shark.blogspot.com/2009/03/caution-binding-multi-valued-activi…
7. I created a parameter in the UI for the ResourceId by basically finding all instances of “txtActivityName” and “logActivityName” and using those as a template for a new one called “txtResourceId” and “logResourceId”.
8. Used the Ensynch PDF guide to follow the rest of the instructions on deploying the workflow. (Note: I got an access denied error when trying to create the Activity Information Configuration. Going to “Search Requests” showed me which MPR was blocking the request. On the Targeted Resourced of the MPR, you can browse and filter on Activity Information Configuration and see the attributes you might need to add.)
9. When it came time to create the workflow, I already had one that was calling an inbound sync rule for groups and I added the GroupOwnerActivity as another action on that existing workflow.

Short and quick post because I am in deadline crunch mode, but I hope it saves someone else some time and research. Would love to know if it helps you or if anyone sees any problems with this approach.

//SET GROUP OWNER
private void setGroupOwner(object sender, EventArgs e)
{
try
{
ReadOnlyCollection requestParameters = this.currentRequest.ParseParameters();
//— Tell the UpdateResourceActivity to update the Target object.
TargetId = currentRequest.Target.GetGuid();
//— Add the account name to the update parameters.
updateResourceActivity1.UpdateParameters = new UpdateRequestParameter[]
{
new UpdateRequestParameter(“Owner”, UpdateMode.Modify, new Guid(this.LogResourceId)),
//new UpdateRequestParameter(“Owner”, UpdateMode.Modify, new Guid(“fb89aefa-5ea1-47f1-8890-abe7797d6497”))

new UpdateRequestParameter(“DisplayedOwner”, UpdateMode.Modify, new Guid(this.LogResourceId))
//new UpdateRequestParameter(“DisplayedOwner”, UpdateMode.Modify, new Guid(“fb89aefa-5ea1-47f1-8890-abe7797d6497”))
};

}
catch (Exception ex)
{
this.SimpleLogFunction(ex.ToString(), “”, EventLogEntryType.Information, 10002, 100);
}
}
public Guid TargetId;
public UpdateRequestParameter[] MyUpdateParameters;

SWBemServicesEx Not Found

I was trying to create a vbs script to run syncs in FIM and found the start sync loop scripts in the Microsoft lab.

I modified them and tried to run them in my dev environment, but immediately saw the error: “SWBemServicesEx Not Found”.

It turns out I had done two things wrong:

1. Misspelled the name of one of my MAs.
2. Was trying to reference an MA that didn’t exist. (I hadn’t created it yet in this dev environment.)

It’s a misleading error and sent me off trying to enable components and such when all I needed to do was learn how to spell.

FIM error when creating a workflow

This was a silly mistake on my part, but when I searched for the error, I didn’t come up with any results, so I thought I would post it in case it helps someone else.

I had created a sync rule that saved without any errors. When I tried to add it as an activity to a workflow, I got the error:

“workflow could not be validated as at least one activity had a configuration error”

It turns out I had added an attribute flow mapping in the sync rule to the DN. Took that out and I could create the workflow.

“The DN must be set before calling CSEntry.CommitNewConnector”

I’ve recently started working with Forefront Identity Manager (FIM) and had things swimming along pretty well with getting users provisioned into AD. A requirement came up to provision users into an OU based on their Office Location attribute.

As soon as I made that change, I started getting the error “The DN must be set before calling CSEntry.CommitNewConnector”.

I checked the Lineage, and the Office Location value was set, so I was very confused.

After way too long, I realized I needed to add an attribute flow from the FIM MA to the OnPremise AD MA to flow OfficeLocation to officeLocation. I had to do this in the Synchronization Service Manager. It was already set in the sync rule.

Having to set attribute flows in two places is going to take some getting used to. I hope this will help someone else.

Forefront Identity Manager Editing MPR

I was creating a new workflow and got an Access Denied error.

This post showed me how to trace the MPR that was blocking the request (http://www.identitychaos.com/2008/11/ilm-2-rc0-access-denied-when-adding…), but I couldn’t edit it. All of the form fields were diabled.

Turns out that although you can view the MPR details from the Search Requests and it looks like they are form fields, you can’t edit it from that page. So, I went to “Management Policy Rules” and edited the “”Administrators control configuration related resources” MPR from there.

And huge thanks to this post: http://c–shark.blogspot.com/2010/02/error-defining-activity-information… That access denied error was incredibly confusing.

I’m on my first cup of coffee on a Saturday after a huge launch effort, so maybe that’s why I got confused, but thought I would post in case it helps someone else just learning…

ILM Find objects that have errored on Export

I have a client who wanted to know which objects had encountered errors on their way to be provisioned to Live@edu from the Hosted MA.

No one had ever asked me before and a quick search turned up the CSEntry tool. It’s super simple:

In a command prompt, nav to c:\program files\microsoft identity integration server\bin

The command to get all of the export errors on the Hosted MA is:
Csexport Hosted c:\log\HostedExportErrors.xml /f:e /o:e

http://certsrv.ru/fim2010.en/html/d08e473a-483e-4de1-8585-068ec5405119.h… provides more information on the parameters and options. You can get more than just errors–you can find all disconnectors, etc.

Attribute “OnPremiseObjectType” is not present.

I had this error occurring in ILM when provisioning users in Live@edu.

The onPremise attribute flow to OnPremiseObjectType is called IAF-OnPremiseObjectType. It takes many values from the source, but I had set it to just use ‘mail’.

Turns out the objects reporting the error didn’t have a ‘mail’ attribute, so the attribute flow rule never got called. I changed ‘mail’ to something all of the objects have; ‘samAccountName’ and voila! Happy objects in the metaverse.

Hope that helps someone else.

Writing Perl output to a file and the terminal window

I’m not a Perl programmer by any means, but I needed to work with iMapSync. One of the requirements was to create a log file of everything that is written to the terminal window while still updating the output in the terminal window.

My buddy Ryan S. figured it out for me:

perl [script] [args] 2>&1 | tee -a [file to write output to]

He even gave me an example based on what I’d sent him:

perl imapsync -host1 host1.example.com -user1 ltest100@example.com -authuser1 user1 -password1 pwd1 -host2 host2.anotherserver.com -user2 ltest100@anotherserver.com -password2 pwd2 -authmech2 PLAIN -ssl2 –fast –reconnectretry2 1 –useheader ‘Message-Id’ –useheader ‘Message-ID’ –skipsize –delete2 –uidexpunge2 –expunge2 -debug 2>&1 | tee -a IMapSyncLog.txt

Many thanks to Ryan! 🙂