MIM Event Broker Forum
Welcome to the community forum for MIM Event Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
Create tooltips and page descriptions to clarify as much activity as possible
As much as possible, Management Studio should be populated with tooltips and page descriptions to explain:
- Parameters, describing their use, and where applicable, their format
- Descriptions of plugin, group and agent purposes
- Page titles should also be used on all pages
Nothing distinguishes an exclusion group if it has no trigger members
There is nothing that stands out about an exclusion group compared to a normal group on the groups page, or on the page of the group itself unless it has trigger members. The UI representation of the group should be updated with some sort of mark to distinguish it as an exclusion group, both on the groups page, and on the page of the group itself.
Ability to nominate a prioritised set of specific DCs for the AD Sync Changes plugin
The FIM/ILM AD Management agent allows the nomination of a list of specified DCs in connection priority order, to override the default arbitrary selection of any DC on a domain. When the AD Sync Changes plugin is used in a multi DC environment where there are even minor replication delays, the plug-in can fire before the DC to which the AD MA performs the delta import (change log read) has been updated, causing the change to be missed (in particular object deletions it seems). The above scenario could be mitigated if the plugin configuration was allowed to mimic this exact capability, thereby reducing (if not eliminating) the possibility that changes are missed.
For more details refer to the blog post below.
Pending Exports not firing corresponding Outgoing Operation List
Although ILM pending exports are present for an MA ("CIT AD") and a corresponding Outgoing Operation List is defined for this MA specified with (default) "Autorun on Outgoing Provisioning Pending", the export run profile "E" for this MA is never fired. The log (in Debug mode) shows no pending exports or any errors.
DEVAPP011VS.EvB.config.xml
EventBrokerLog.txt
OutgoingOperationList.EvB.Config.png
PendingExportsForAllMAs.Query.png
pendingExportsQuery.sql
PendingExportWaiting.png
EvB3.1 Updating web config puts shortcut out of date.
I don’t know what the solution would be but if you change the web config to make evb hosted at a different address or port then the shortcut to event broker becomes out of date.
Identity Broker PowerShell Connector begin/process/end sections
Further to an email thread with Adam van Vliet 2 days ago, and the linked issue MCS-30, the following is an idea on how export performance for the PowerShell connector might be improved.
FYI only - the script below is the O365 update connector script from QBE hosted by Soren’s PowerShell MA. The 3 outer section headings correspond to the FIM MA SDK methods (BEGIN=Initialize, PROCESS=Export, END=Terminate).
I am thinking that the IdB PowerShell connector could be substantially improved if it were to adopt the same approach for exports, whereby the overhead of setting up/tearing down a single export each time (establishing connections, loading libraries, etc.) can be done once per export batch instead.
    param (
        $Username = "",
        $Password = "",
        $AccountSkuId = "qbetest:ENTERPRISEPACK",
        $LogFilePath = "E:\Packages\FIM.Synchronisation\SvN\FIM2\Operations\Scripts\Logs",
        $LogFileName = ""
    )

    BEGIN
    {
        Import-Module MSOnline -Force
        $ErrHandle = ""
        $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
        $Creds = New-Object System.Management.Automation.PSCredential $Username, $SecurePassword
        Connect-MsolService -Credential $Creds
        if ($ErrHandle -ne "")
        {
            # handle any logon errors
            $message = 'Could not log on O365 with ' + $($Username) + ' to update licenses. ' + $ErrHandle
            exit
        }

        #List of Service Plans
        #ServicePlan           ProvisioningStatus
        #-----------           ------------------
        #YAMMER_ENTERPRISE     Success
        #RMS_S_ENTERPRISE      Success
        #OFFICESUBSCRIPTION    Success
        #MCOSTANDARD           Success
        #SHAREPOINTWAC         Success
        #SHAREPOINTENTERPRISE  Success
        #EXCHANGE_S_ENTERPRISE Success

        # Create MsolLicenseOptions only for OFFICESUBSCRIPTION
        #$O365Licences = New-MsolLicenseOptions $AccountSkuId -DisabledPlans SHAREPOINTWAC, SHAREPOINTENTERPRISE

        $MAName = "PowerShell Connector"
        $FIMRegKey = "hklm:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters"
        $FIMParameters = Get-ItemProperty $FIMRegKey
        $cacheFileName = "cachedExports.xml"
        $office365MappingFile = "office365LicenseProfileGroupMapping.xml"

        # Set up hash table of cached exports for loading exported MemberOf property (to obsolete export)
        $cachePath = [System.IO.Path]::Combine($FIMParameters.Path, "MaData", $MAName, $cacheFileName)
        $office365MappingPath = [System.IO.Path]::Combine($FIMParameters.Path, "Extensions", $office365MappingFile)
        [xml]$office365Mapping = Get-Content -Path $office365MappingPath
        $cachedExports = @{}
        if (Test-Path $cachePath)
        {
            $cachedExports = Import-Clixml -Path $cachePath
        }
    }

    PROCESS
    {
        function log( $message )
        {
            if ( $LogFileName -and $message )
            {
                $message | out-file ([System.IO.Path]::Combine($LogFilePath, $LogFileName)) -append
            }
        }

        #Initialise values
        $Errorstatus = "success"
        $ErrorDetail = $null
        $IsLicensed = $null
        $IsLicensedChg = $null

        #Get UPN of the user
        $Anchor = $_."[Anchor]"
        #Get Identifier
        $Identifier = $_."[Identifier]"
        #Get Group Membership
        $MemberOf = $_.MemberOf
        #Get Object Modification Type
        $Action = $_."[ObjectModificationType]"
        $IsLicensedChg = $_.IsLicensed
        #$IsLicensedChg = $false
        #log $_

        $error.clear()
        try
        {
            $msoluser = Get-MsolUser -userprincipalname $Anchor -ErrorAction SilentlyContinue
            $IsLicensed = $msoluser.IsLicensed

            # Loop through each of the registered DNs in the hash table at the top of this script to find a match
            $profileToAssign = "none"
            # Loop through each configured profile to find a match in the MemberOf dn collection
            foreach ($group in $office365Mapping.o365LicenseProfiles.profiles.profile.group)
            {
                if ($MemberOf.Contains($group.dn))
                {
                    #$IsLicensedChg = $true
                    $_.IsLicensed = $true
                    $profileToAssign = $group.parentNode.name
                    break;
                }
            }
            #foreach ($dn in $defaultProfileGroupDNs.Keys) {
            #    if ($MemberOf.Contains($dn)) {
            #        $IsLicensedChg = $true
            #        break;
            #    }
            #}

            log ("IsLicensed:" + $IsLicensed)
            log ("IsLicensedChg:" + $IsLicensedChg)

            #region unsupported operations
            if ($Action -eq 'Add')
            {
                throw "Add is not supported. Will be processed when Active Directory user is added/joined."
            }
            if ($Action -eq 'Delete')
            {
                throw "Delete is not supported. Will be processed when Active Directory user is removed."
            }
            #endregion

            if ($Action -eq 'Replace')
            {
                if($IsLicensedChg)
                {
                    if(!$IsLicensed)
                    {
                        ## Execute to get the list of SKU's for the client environment
                        $Skus = Get-MsolAccountSku
                        switch ($profileToAssign)
                        {
                            "default"
                            {
                                $O365Licences = New-MsolLicenseOptions -AccountSkuId $Skus[0].AccountSkuId -DisabledPlans $Skus[0].ServiceStatus[4].ServicePlan.ServiceName, `
                                    $Skus[0].ServiceStatus[5].ServicePlan.ServiceName
                                Set-MsolUserLicense -UserPrincipalName $Anchor -AddLicenses $AccountSkuId -LicenseOptions $O365Licences
                                #Assigned new license
                                log "Assigned new license"
                            }
                            "TBA"
                            {
                                # TODO: Copy the "default" section above and adjust according to the name configured in the xml mapping file
                            }
                            "none"
                            {
                                # Do nothing
                            }
                            default
                            {
                                throw "undefined Office 365 License Profile configured: $profileToAssign"
                            }
                        }
                    }
                    else
                    {
                        #Already licensed
                        log "Already assigned license"
                    }
                }
                else
                {
                    log "No change ..."
                    if($IsLicensed)
                    {
                        #Remove any Previous Licenses
                        Set-MsolUserLicense -UserPrincipalName $Anchor -RemoveLicenses $msoluser.Licenses.AccountSkuId
                        log "Removed any Previous Licenses"
                    }
                }

                # Cache export
                if (-not $cachedExports.ContainsKey($Anchor))
                {
                    log ("Caching new export" + $Anchor)
                    $cachedExports.Add($Anchor, @{})
                    $cachedExports.($Anchor).Add("MemberOf", $MemberOf)
                    $cachedExports.($Anchor).Add("PendingDelta", $true)
                }
                else
                {
                    log ("Caching existing export " + $Anchor)
                    $cachedExports.($Anchor).("MemberOf") = $MemberOf
                    $cachedExports.($Anchor).("PendingDelta") = $true
                }
            }
        }
        catch
        {
            $Errorstatus = "powershell-script-error"
            $ErrorDetail = $error[0]
        }

        # return status about export operation
        $status = @{}
        $status."[Anchor]" = $Anchor
        $status."[Identifier]" = $Identifier
        $status."[ErrorDetail]" = $ErrorDetail
    }

    END
    {
        $cachedExports | Export-Clixml -Path $cachePath
    }
Event Broker 3.2 Logon as a service not being added
After selecting "Add log on as a service rights" tick box on the service account install page the service would not start with error "Error 1069: The Service did not start due to a logon failure"
Generic LDAP Listener configuration
The Monash Directory Service is an Oracle LDAP Directory.
We are creating a Generic LDAP Listener as part of the Event Broker implementation to detect changes and trigger operation lists on our MDS MA.
We are unable to complete the creation of the LDAP Directory Agent as it states that 'Domain' is a mandatory field if left blank and returns an error, regardless of the helper test stating that it is not.
Please advise
EvB - LDAP Listener.jpg
Unify.EventBroker.Agents.Web.dll
Typo for FIM Event Broker Configure MA wizard
Operation lists are now being generated with the text <MA> Agemt <xxx>
Handle case changes for Modify Anchor
Consider using the logging engine to catch and report errors, or simply do not perform the modify anchor in these cases.
Migration Failure Message.png