NLB for Two FIM Service and portal servers in single domain

Similar Messages

• FIM Service and Portal Installation Ends Prematurely

  Hello All,
      I'm in the process of setting up a new production FIM 2010 R2 server. I have already installed the FIM synchronization service and I was able to install this successfully.
  I have already installed SharePoint services (WSS 3.0) and configured it for FIM. But when I try to install the FIM Service and Portal.
  I keep getting and error that says " FIM Service and Portal Installation Ends Prematurely" with no other details. If anybody has any advice please let me know. 
      I have already installed everything on a stand alone box in a dev environment and it all works correctly however I am unable to now install in a production environment 

  Cameron is right - you should consider FIMService account nearly as normal AD account for user*
  An installer account should be admin on the box, where you are installing FIMService and he should be sysadmin on SQL during installation of FIMService. An installer account should be other than FIMService account itself.
  *FIMService account:
  Lock down the Service Account
  The service account should not be used by any other services or users. The account must not be used to logon interactively and requires no access to any additional resources beyond those granted during setup. The service account is used to provide the security
  context for the MIIS service as it accesses resources on the MIIS server and the associated database. It also provides the security context for the execution of any rules extensions.
  Lock down the service account to ensure no malicious user is able to sign in using its credentials and gain access to MIIS data. Configure Group Policies to lock down the account and restrict access to this account. Since the MIIS service only needs the account
  to run as a service, restrict the account as follows:
  Deny logon as a batch job.
  Deny logon locally.
  Deny logon through Terminal Services.
  Deny access to this computer from the network.
  If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.
  Good topic for a Wiki article:
  http://social.technet.microsoft.com/wiki/contents/articles/23330.technet-guru-contributions-for-march.aspx
  Thanks Dominic and Jose!
  Ed Price, Power BI & SQL Server Customer Program Manager (Blog,
  Small Basic,
  Wiki Ninjas,
  Wiki)
  Answer an interesting question?
  Create a wiki article about it!

• Error installing FIM Service and Portal R2

  Trying to make a test FIM R2 installation, I get this error when I install the Service and Portal:
  Action ended 14:41:10: CheckServiceEmailAccountFormat. Return value 1.
  MSI (s) (68:BC) [14:41:10:973]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIE17.tmp, Entrypoint: IsSharepointAdminServiceRunning
  Action start 14:41:10: CheckSharepointAdminServiceRunning.
  SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIE17.tmp-\
  SFXCA: Binding to CLR version v2.0.50727
  Calling custom action Microsoft.IdentityManagement.SharePointCustomActions!Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning
  Exception thrown by custom action:
  System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
     at Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning(Session session)
     --- End of inner exception stack trace ---
     at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
     at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
     at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
     at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
  CustomAction CheckSharepointAdminServiceRunning returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
  Action ended 14:41:11: CheckSharepointAdminServiceRunning. Return value 3.
  Action ended 14:41:11: INSTALL. Return value 3.
  I got this by running the msi from the command line, as otherwise no error message is reported in the installation or in the event log.
  Any idea what could be the cause?
  Paolo Tedesco - http://cern.ch/idm

  Hi Paolo,
  Check if the SharePoint Administration Service is not running, to start the service
  http://technet.microsoft.com/en-us/library/ee513050(v=office.14).aspx
  Regards Andre van der Westhuizen

• Emulating RBAC using FIM Service and Portal

  Hi!
  I am trying to create a simple RBAC using standard objects of FIM Service. So i am associating type "Set" with role, expanding it with multivalue reference attribute "ListOfPermissions". I want to achieve the next behavior: when user dynamically
  join to the set the MPR is executing custom workflow that adds this user to the members of according permission object. Rather simple, BUT is there a way not to specify MPR for every set manualy, but specify it ones with next logic for example: when someone
  join to any set with IsRole flag set to 1 the MPR is executed and etc... as described above? The straight-line methods have not yielded results.
  Need any help, thanks in advance!

  is there a way (...) to specify it ones with next logic for example: when someone join to any set with IsRole flag set to 1 the MPR is executed and etc... as described above?
  Yes, there is - you have to create a Set that have members of other sets inside it. Let's say "Master Set". So you can create MPR that runs a MasterWorkflow after entering Master Set.
  But here is some tricky part - if you have multiple sets with IsRole flag and each set gives different roles assignment, in workflow you have to check where user belongs (to which set) and based on that calculate his membership.
  So I am not really sure if it would be easier. Even if it would look cleaner in FIM Portal, it would be harder to check what gone wrong in case of any failure. And it would be harder to add new roles/sets as you would have to rebuild such workflow.
  If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

• MIM PAM - Service and Portal Install Error

  Guys,
  I'm having an issue deploying MIM Service and Portal. 
  I have downloaded the MIM CTP from the Microsoft Connect and following the MIM CTP test lab guide for PAM. 
  I'm on page 25/26 trying to launch the Service and Portal msi to install. When I launch the setup as the 
  administrator I get the following error.
  When I enabled msiexec logs, the only error I see is shown below. Any ideas?
  Any Ideas appreciate...

  On Mon, 17 Nov 2014 08:07:14 +0000, Sameera_man wrote:
  I'm having an issue deploying MIM Service and Portal. 
  I have downloaded the MIM CTP from the Microsoft Connect and following the MIM CTP test lab guide for PAM. 
  I'm on page 25/26 trying to launch the Service and Portal msi to install. When I launch the setup as the 
  administrator I get the following error.
  <https://social.technet.microsoft.com/Forums/getfile/567822>
  When I enabled msiexec logs, the only error I see is shown below. Any ideas?
  Have you filed a bug on Connect? That is the preferred support method for
  the CTP.
  Paul Adare - FIM CM MVP
  Q. how many hackers does it take to screw in a light bulb?
  A. Huh?...What? Oh, it's dark in here?

• Error Installing Service and portal of MIM Public Preview

  I try to install the Public Preview. Right at the beginning of the Setup Procedure of the Service and Portal the Setup stops with the error below.
  Thanks for your help.
  Henry
  MSI (c) (70!D0) [08:55:53:380]: Creating MSIHANDLE (5) of type 790531 for thread 5840
  Calling custom action Microsoft.IdentityManagement.PasswordResetCAs!Microsoft.IdentityManagement.ManagedCustomActions.PasswordResetCustomActions.GetIISVersion
  MSI (c) (70!D0) [08:55:53:411]: Closing MSIHANDLE (5) of type 790531 for thread 5840
  MSI (c) (70!D0) [08:55:53:426]: Creating MSIHANDLE (6) of type 790531 for thread 5840
  Error: could not load custom action class Microsoft.IdentityManagement.ManagedCustomActions.PasswordResetCustomActions from assembly: Microsoft.IdentityManagement.PasswordResetCAs
  MSI (c) (70!D0) [08:55:53:426]: Closing MSIHANDLE (6) of type 790531 for thread 5840
  MSI (c) (70!D0) [08:55:53:426]: Creating MSIHANDLE (7) of type 790531 for thread 5840
  System.IO.FileLoadException: Could not load file or assembly 'Microsoft.IdentityManagement.PasswordResetCAs, Version=4.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. Strong name validation failed. (Exception from HRESULT:
  0x8013141A)
  File name: 'Microsoft.IdentityManagement.PasswordResetCAs, Version=4.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' ---> System.Security.SecurityException: Strong name validation failed. (Exception from HRESULT: 0x8013141A)
  The Zone of the assembly that failed was:
  MyComputer
     at System.Reflection.Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection)
     at System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
     at System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
     at System.AppDomain.Load(String assemblyString)
     at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.GetCustomActionMethod(Session session, String assemblyName, String className, String methodName)
  MSI (c) (70!D0) [08:55:53:426]: Closing MSIHANDLE (7) of type 790531 for thread 5840
  CustomAction GetIISVersionFromRegistry returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
  MSI (c) (70:9C) [08:55:53:442]: Closing MSIHANDLE (2) of type 790542 for thread 5144
  Action ended 8:55:53: GetIISVersionFromRegistry. Return value 3.
  Action 8:55:53: FatalError.
  Action start 8:55:53: FatalError.
  Action 8:55:53: FatalError. Dialog created
  Action ended 8:55:55: FatalError. Return value 2.
  Action ended 8:55:55: INSTALL. Return value 3.

  On Thu, 8 Jan 2015 09:46:27 +0000, henryschl wrote:
  I found a way to overcome the Setup error on my test Server. I disabled StrongNameVerification.
  "c:\Install\MIM Preview\MIM PAM and SSPR 1484"\sn.exe -Vr *,31bf3856ad364e35
  Steps 20 and 21 on pages 24 and 25 of the lab guide.
  Paul Adare - FIM CM MVP
  "...the nam-shub of Ousterhout." -- Malcolm Ray about Tcl

• How to use Batch operation for two xsodata services?

  Hi All,
  I have two xsodata services. How to use submit batch for two xsodata services
  Thanks,
       Mj

  Gateway Batch Calls from SAPUI5

• HT4314 I have two ipods in my house that were set up under the same email.  I have since assigned two different emails.  How can I change the game center account so that is not shared by both ipods because it is for two different users and they are not ha

  I have two ipods in my house that were set up under the same email.  I have since assigned two different emails.  How can I change the game center account so that is not shared by both ipods because it is for two different users and they are not happy?

  By "game center account", do you mean Apple ID?
  If so, you can change it.
  1. Tap settings and navigate to iTunes and App Stores
  2. Tap "Apple ID" and then tap "Sign Out"
  3. Log in with a different ID.

• After formatting iPod to NTFS and restoring back with iTunes, the player works for two-three weeks and crashes afterward. It then requests to restore it through iTunes.

  After reformatting iPod to NTFS and restoring back with iTunes, the player works for two-three weeks and crashes afterward. It then requests to restore it through iTunes. When connected to iTunes, it sees it in the restore mode and also asks to restore the iPod. It happens over and over for the last months. What could be the problem?
  iPod Classic 80Gig.
  Thanks in advance.

  Dear planb77
  Thanks for a reply. iPod does not support ntfs - you're right. that means it will never work on that. While restoring ipod using iTunes, itunes reformats it no matter what filesystem is there. So the issue is not that. ipod is now on fat32 and it works for a certain period of time, but then crashes and asks to restore through itunes. Resetting/restarting does not help.

• [svn:fx-trunk] 13169: * Fixes for two FB issues and two regressions caused by recent fixes.

  Revision: 13169
  Revision: 13169
  Author:   [email protected]
  Date:     2009-12-22 14:39:59 -0800 (Tue, 22 Dec 2009)
  Log Message:
  Fixes for two FB issues and two regressions caused by recent fixes.
  QE notes:
  Doc notes:
  Bugs: SDK-24708, SDK-24668, SDK-24827, SDK-24829
  Reviewer: Corey
  Tests run: checkintests, com.adobe.flexbuilder.project JUnit tests
  Is noteworthy for integration: Yes, fixes two FB issues
  Code-level description of changes:
    modules/compiler/src/java/flex2/tools/oem/Library.java
    modules/compiler/src/java/flex2/tools/Compc.java
    modules/compiler/src/java/flex2/tools/Fcsh.java
    modules/compiler/src/java/flex2/compiler/asdoc/AsDocAPI.java
      Modified calls into SwcAPI's setupClasses() and
      setupNamespaceComponents() to pass in the SourceList.
    modules/compiler/src/java/flex2/tools/VersionInfo.java
      Added null check to getBuild().
    modules/compiler/src/java/flex2/compiler/CompilerAPI.java
      Modified compile() to only add elements of "classes" to "sources"
      if not already contained.  This covers the case of a Source being
      in the SourceList and the manifest.
    modules/compiler/src/java/flex2/compiler/swc/SwcAPI.java
      Modified setupClasses() and setupNamespaceComponents() to check the
      SourceList before the SourcePath when looking up sources.
    modules/compiler/src/java/flex2/compiler/SourceList.java
      Made getPaths() public.
    modules/compiler/src/java/flex2/compiler/CompilationUnit.java
      Modified setState() to skip disconnecting the root's Logger.  This
      fixes SDK-24827 and SDK-24829.
    modules/compiler/src/java/flex2/tools/oem/internal/OEMReport.java
      Added sourceList variable, modified procressSources() to
      initialize it, and modified init() to recursively store a
      timestamp for each path in the SourceList.  This fixes SDK-24708.
  Ticket Links:
      http://bugs.adobe.com/jira/browse/SDK-24708
      http://bugs.adobe.com/jira/browse/SDK-24668
      http://bugs.adobe.com/jira/browse/SDK-24827
      http://bugs.adobe.com/jira/browse/SDK-24829
      http://bugs.adobe.com/jira/browse/SDK-24827
      http://bugs.adobe.com/jira/browse/SDK-24829
      http://bugs.adobe.com/jira/browse/SDK-24708
  Modified Paths:
      flex/sdk/trunk/modules/compiler/src/java/flex2/compiler/CompilationUnit.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/compiler/CompilerAPI.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/compiler/SourceList.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/compiler/as3/SignatureExtension.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/compiler/asdoc/AsDocAPI.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/compiler/swc/SwcAPI.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/tools/Compc.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/tools/Fcsh.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/tools/VersionInfo.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/tools/oem/Library.java
      flex/sdk/trunk/modules/compiler/src/java/flex2/tools/oem/internal/OEMReport.java

• I have paid for the annual service and and unable to use it? I have proof of payment and a welcoming email, however when I log in it say's I have the "free" option???

  I have paid for the annual service and and unable to use it? I have proof of payment and a welcoming email, however when I log in it say's I have the "free" option???

  Thank you for purchasing a subscription for Adobe PDF Pack.
  Unlimited online conversions to Adobe PDF.
  The ability to combine multiple source files into a single merged PDF.
  Unlimited conversions from PDF files to editable Word (DOCX) or Excel (XLSX) documents.
  Anytime, anywhere access to your converted PDF files through a web browser.
  The link in the email takes me to: https://cloud.acrobat.com/?trackingid=ISNAI

• After moving my music library from my old mb to the new one, my new mb pro does not play the files evenly. It takes a break for two sec's and starts playback where it stopped. Ideas anyone?

  After moving my music library from my old mb to the new one, my new mb pro does not play the files evenly. It takes a break for two sec's and starts playback where it stopped. Ideas anyone?

  I may have found an answer here:
  http://www.ilounge.com/index.php/articles/comments/moving-your-itunes-library-to -a-new-hard-drive
  They only thing I can assume is that my external hard drive was slow to start and iTunes defaulted to its old directory (see the last paragraph at the link above). However, once my external was recognized shouldn't everything have fixed itself?
  Message was edited by: williamson42
  Message was edited by: williamson42

• Same user with administrative rights on all the servers in single domain versus domainadmin as a part of administrator group in all the servers

  same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
  same user is configured as administrator on all the servers in one domain at windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
  How this is technically different?
  If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
  dhomya

  If the account is not admin on the domaincontrollers and the account is not member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing  accounts,
  groups, OUs,policies, sites, ...in other words cannot potentially ruin Active Directory.
  I think that is a pretty big difference.
  In fact, it is bad practice to perform you daily server management with an AD privileged account.
  In regards of file access. The domain administrator will be just an admin, and thus has the privilies assigned to the local admin group, just as any other admin. But if it are different accounts they might be member of different groups assigning different
  privileges. Always be carefull when assuming resulting privileges will be the same.
  MCP/MCSA/MCTS/MCITP

• Error Installing FIMService_x64_KB2870703.msp when FIM Service and FIM Portal (SharePoint) are on two different servers!

  I'm trying to install KB2870703 however I have our servers setup this way:
  Server A: FIM Service & Sync Service
  Server B: SharePoint 2013, Password Reset Portal, Password Registration Portal
  When attempting to install FIMService_x64_KB2870703.msp It starts and dies almost instantly
  The errors from the log:
  Action 12:27:15: CheckSharepointAdminServiceRunning.
  Action start 12:27:15: CheckSharepointAdminServiceRunning.
  SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIEE5B.tmp-\
  SFXCA: Binding to CLR version v2.0.50727
  Calling custom action Microsoft.IdentityManagement.SharePointCustomActions!Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning
  Exception thrown by custom action:
  System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'
  or one of its dependencies. The system cannot find the file specified.
  File name: 'Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' ---> System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'
  or one of its dependencies. The system cannot find the file specified.
  File name: 'Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'
  WRN: Assembly binding logging is turned OFF.
  To enable assembly bind failure logging, set the registry value  (DWORD) to 1.
  Note: There is some performance penalty associated with assembly bind failure logging.
  To turn this feature off, remove the registry value .
     at Microsoft.IdentityManagement.ManagedCustomActions.SharepointCustomActions.IsSharepointAdminServiceRunning(Session session)
     --- End of inner exception stack trace ---
     at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
     at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
     at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
     at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
  CustomAction CheckSharepointAdminServiceRunning returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
  Action ended 12:27:15: CheckSharepointAdminServiceRunning. Return value 3.
  Action ended 12:27:15: INSTALL. Return value 3.
  Property(S): Data = C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Data\

  On Wed, 26 Mar 2014 00:15:57 +0000, jmanley WI wrote:
  I installed it on server B I need to install on server A to update the Database Schema. My understanding is having the portal seperated from the portal is supported. Is that incorrect?
  You don't mention the FIM Portal at all in your first post.
  Paul Adare - FIM CM MVP
  "The day Microsoft makes something that doesn't suck is probably the day
  they
  start making vacuum cleaners" -- Ernst Jan Plugge

• How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

  Hi,
  I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
  Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
  Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
  Please suggest how to pass both the certs from client Application..

  Hi,
  This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
  And for more information, you could refer to:
  http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
  Regards