Wednesday, January 16, 2013

What's New in Forefront Identity Manager 2010 R2 SP1

Last week we got the bits on MSDN (TechNet for me actually) and now we have some reading to go through:

What's New in Forefront Identity Manager 2010 R2 SP1

Lots of support for Microsoft’s latest and greatest OS and server applications.  I’d probably trade a lot of it for .NET 4.5 support so we could mash-up PowerShell WF with FIM WF, but am certainly glad to see the huge increase in support.  I can just hear the tester when they shared the plan to support all that stuff, “You want me to increase my matrix by WHAT?!”.

My Canadian MVP colleagues will be happy to see that even FIM CM saw some SP1 love:

FIM Certificate Management (CM)

Support for the DataCard CD800 printer has been added.

Tuesday, January 15, 2013

FIM Sync: Deprecated Features And Planning For The Future

Hot off the press is a very interesting TechNet article:

Deprecated Features And Planning For The Future

This is a signal that big changes are about to happen in the product (or at least in the Sync Engine).  I’m willing to trade a lot of those deprecated features for new features in that future release of FIM. The big questions are:

  • When is the future release of FIM?
  • What will the upgrade/migration story look like?

My opinion is that the Sync Engine gave us a decade of pretty good upgrade experiences (MIIS -> ILM -> FIM) so now is probably a reasonable time to introduce a version of the product that breaks compatibility, but only if those new features are sufficiently awesome!  If I had to spend money on either a nice upgrade experience or awesome new functionality, then as an integrator I’d opt for the awesome new functionality.

Monday, January 14, 2013

Scrum and FIM Deployments

Been using Scrum for FIM deployments lately and believe it to be a major success factor, but also a great stabilizer for an otherwise seemingly crazy deployment cycle. 

Another practitioner summarizes it somewhat positively in this post:

Scrum: Even Better than Getting Slapped

In my case, I really enjoy the quick deployments, and the relief of only doing detailed design work in smaller chunks.  Makes it way easier to break something down into tasks that are much easier to estimate in hours instead of days or weeks.

My experience has also been that a strong Scrum master is required to really drive the process for a team, at least for the first few iterations until the rhythm is established and everybody understands what they are responsible for and when.  Coming from an IT Pro / Sys-Admin background, the Dev overhead doesn’t seem natural at first (in fact it can be quite onerous) but a quick dose of DevOps and some doctrine from Jeffrey Snover leads me to believe that every FIM deployment should be done with Scrum, if anything to avoid getting slapped.

Wednesday, January 09, 2013

FIM 2010 R2 SP1 Ships–New PowerShell Commands!

Paul Smith installed SP1 and ran Get-Command over the new bits and voila!  New commands!  They seem to be related to the ADMA and password sync configuration, but unfortunately they shipped without help (boo!) so one can’t be sure yet.
The bits on TechNet and MSDN ship ahead of documentation, which is fine, so we’ll have to wait to see the docs for the new PowerShell goodness.


I cornered somebody and got more detail ;-)  The new commands support a new feature that was hinted at on some of the slides we saw at the Redmond Identity and Access Summit whereby DirSync synchronizes objects and attributes, AND passwords.  Not sure if anybody else noticed it, but it was simply the word 'Passwords' on one of the slides.  That hints at a solution for customers that do not want to use ADFS with Office 365, but would rather have password synchronization.  As far as I know, this isn't real password synchronization (phew!) so DirSync will not be messing with clear-text passwords, but instead dealing with hashes, which explains the keyword 'hash' in the new commands. 
The new commands for this feature are:
  • Get-PasswordHashSyncConfiguration 
  • Set-PasswordHashSyncConfiguration
  • Remove-PasswordHashSyncConfiguration
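Here is how to repeat Paul's discovery in a way you can re-run on every service pack, and how to learn what a new cmdlet takes when it ships without help. This is an added example, not code from the original post or from Microsoft: snapshot Get-Command before the update, diff it afterwards, and use Get-Command -Syntax, which reads the parameter metadata and works even when Get-Help has nothing. The snapshot path is a constructed placeholder, and the snap-in name in the usage comments is assumed; check it against what the SP1 install registers.

```powershell
# Added example (not from the original post): find cmdlets that appeared after an update
# and inspect their parameters when the help files are missing.
param(
    [string]$SnapshotPath = "$env:TEMP\commands-before-sp1.xml"   # constructed placeholder
)

function Save-CommandSnapshot {
    param([string]$Path)
    # Export-Clixml keeps objects, not text, so the comparison below is on properties
    Get-Command -CommandType Cmdlet, Function |
        Select-Object Name, ModuleName, PSSnapIn |
        Export-Clixml -Path $Path
}

function Get-NewCommand {
    param([string]$Path)
    $before = Import-Clixml -Path $Path
    $after  = Get-Command -CommandType Cmdlet, Function | Select-Object Name, ModuleName, PSSnapIn
    # '=>' means present now but absent from the snapshot
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Name |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { Get-Command -Name $_.Name }
}

function Get-CommandShape {
    # Parameter names and types come from the cmdlet's metadata, so this works with no help content
    param([string]$Name)
    $cmd = Get-Command -Name $Name -ErrorAction Stop
    New-Object PSObject -Property @{
        Name       = $cmd.Name
        Source     = if ($cmd.PSSnapIn) { $cmd.PSSnapIn.Name } else { $cmd.ModuleName }
        Syntax     = (Get-Command -Name $Name -Syntax)
        Parameters = ($cmd.Parameters.Keys | Where-Object { $_ -notin [System.Management.Automation.Cmdlet]::CommonParameters }) -join ', '
    }
}

# Usage (run the first line before SP1, the rest after):
#   Save-CommandSnapshot -Path $SnapshotPath
#   Add-PSSnapin MIIS.MA.Config          # assumed: the snap-in that carries the new cmdlets
#   Get-NewCommand -Path $SnapshotPath | ForEach-Object { Get-CommandShape -Name $_.Name } | Format-List
```

The `-notin` operator needs PowerShell 3.0; on a 2.0 host swap it for `Where-Object { [System.Management.Automation.Cmdlet]::CommonParameters -notcontains $_ }`.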

Dispatching Puppies

I mentioned in a talk I gave yesterday how bunnies did not fare so well when people use Write-Host.  That was guidance I gleaned from Don Jones’ (PowerShell MVP) Proverbs:

Every time someone writes a PowerShell script that outputs text, rather than objects, God kills a puppy.

This came out in one of Don's PowerShell classes at a conference, as a way of driving home the fact that PowerShell is an object-based shell, not a text-parsing system. Working with the shell, rather than against it, makes for a more efficient administrator and a better experience for all.

In general, when you’re reaching for Write-Host you should usually be using Write-Verbose or Write-Warning instead.

Also, if you find yourself formatting output, chances are you’re doing it wrong.  PowerShell is all about objects, so output objects.  Formatting should be the very last thing that happens (if at all).
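To make the proverb concrete, here is the same small task written twice. This is an added example, not code from the original post or from Don Jones: the first function prints text with Write-Host, so nothing downstream can filter, sort or export it; the second emits objects, keeps chatter on the verbose and warning streams, and leaves formatting to the caller. The management agent records are constructed sample data.

```powershell
# Added example (not from the original post): text output versus object output.
# Constructed sample data standing in for a couple of FIM management agents.
$sampleMAs = @(
    (New-Object PSObject -Property @{ Name = 'ADMA';  Type = 'Active Directory'; LastRun = 'success' }),
    (New-Object PSObject -Property @{ Name = 'FIMMA'; Type = 'FIM Service';      LastRun = 'stopped-extension-dll-exception' })
)

function Show-MAStatusBad {
    # Anti-pattern: formatted text goes straight to the host; the pipeline receives nothing
    foreach ($ma in $sampleMAs) {
        Write-Host ("{0} ({1}): {2}" -f $ma.Name, $ma.Type, $ma.LastRun)
    }
}

function Get-MAStatus {
    [CmdletBinding()]    # gives the function -Verbose / -WarningAction for free
    param()
    foreach ($ma in $sampleMAs) {
        Write-Verbose "Checking $($ma.Name)"              # shown only with -Verbose
        if ($ma.LastRun -ne 'success') {
            Write-Warning "$($ma.Name) last run: $($ma.LastRun)"
        }
        # One object per MA; the caller decides what to do with it
        New-Object PSObject -Property @{
            Name    = $ma.Name
            Type    = $ma.Type
            LastRun = $ma.LastRun
            Healthy = ($ma.LastRun -eq 'success')
        }
    }
}

# All of this works because Get-MAStatus returns objects; none of it works on Show-MAStatusBad
Get-MAStatus | Where-Object { -not $_.Healthy } | Select-Object Name, LastRun
Get-MAStatus -Verbose | Sort-Object Name | Export-Csv -Path "$env:TEMP\ma-status.csv" -NoTypeInformation
if (Get-MAStatus | Where-Object { -not $_.Healthy }) { Write-Warning 'at least one MA needs attention' }

# Formatting, if you want it at all, is the very last step
Get-MAStatus | Format-Table Name, Healthy -AutoSize
```

Try piping `Show-MAStatusBad` into `Where-Object` or `Export-Csv`: the host text is already gone, and the pipeline sees nothing.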

Monday, January 07, 2013


FIM ships more PowerShell tools!  We saw this demonstrated a couple years ago at the MVP summit, and now in R2 we have this really cool tool.  Invoke-QuickStart is located in a ZIP file, so you have to unzip it then xcopy it before you can use it.  This is all covered on TechNet:

Using the QuickStart Tool

Pretty sure this will ONLY work on a FIM Sync server that is not already in use (it can’t already be running an existing configuration) because I’m also pretty sure this command uses the PowerShell snap-in to load the sync config, and to update the AD MA and FIM MA.

This is the same approach taken by the DirSync appliance setup program, and the same approach taken by the Outlook Live Sync setup, and the same setup we should all use for automating our own deployments!

Saturday, January 05, 2013

Set-MIISFIMMAConfiguration : The requested name is valid, but no data of the requested type was found

Came across an issue using Set-MIISFIMMAConfiguration today.  I use this command all the time to automate the configuration of the FIM MA.  It is a handy command because that MA can be a bugger to configure by hand, and this command allows the automation of it, usually saving team members lots of time troubleshooting the FIM MA, and giving everybody else the excuse to say, “it works on MY machine”.

Anyhow, I have a FIM Sync configuration stored in source control.  The sync config export was produced BEFORE I made changes to the FIM Service (schema changes in this case).  The changes I made to the FIM Service seem to have disturbed the Set-MIISFIMMAConfiguration command, making it produce a less-than-useful error message.

Set-MIISFIMMAConfiguration : The requested name is valid, but no data of the requested type was found

The workaround was pretty simple, just use the Sync Manager to update the FIM MA manually, then export the Sync configuration again to XML.

The next time the updated sync config is used to import configuration to FIM Sync, it will have the updated FIM MA XML, so the Set-MIISFIMMAConfiguration command will work.

This is probably a design symptom of the FIM Service and FIM Synchronization Service being loosely coupled.  The FIM Service stores the entire FIM Sync configuration in the FIM Service database (boo!).  That stored configuration must be kept in sync (the sync config must be sync’d?).  When the configuration falls out of sync, issues like this pop up.  Kinda explains why we have a WMI method on the management agent to keep these two in sync.
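The QuickStart post above describes the approach (import the exported sync configuration with the snap-in, then fix up the AD MA and FIM MA for the target environment), and this post describes what goes wrong when the exported FIM MA XML is stale. Here the two are put together as one deployment script. This is an added example, not the QuickStart tool's own code or anything from the original posts: folder, MA names, forest, partition and host values are placeholders, and the parameter list for Set-MIISFIMMAConfiguration is written from memory, so confirm it with Get-Command Set-MIISFIMMAConfiguration -Syntax before relying on it.

```powershell
# Added example (not from the original posts): automate a FIM Sync deployment from a
# configuration export kept in source control, and fail loudly when the FIM MA XML is stale.
param(
    [string]$ConfigPath     = 'C:\Deploy\SyncConfig',        # placeholder: folder from Sync Manager export
    [string]$ADMAName       = 'ADMA',                        # placeholder MA names
    [string]$FIMMAName      = 'FIMMA',
    [string]$Forest         = 'contoso.com',                 # placeholder forest / partition
    [string[]]$Partitions   = @('DC=contoso,DC=com'),
    [string]$FIMServiceHost = 'fimservice.contoso.com',      # placeholder FIM Service host
    [System.Management.Automation.PSCredential]$ADCredential  = (Get-Credential),   # AD MA account
    [System.Management.Automation.PSCredential]$FIMCredential = (Get-Credential)    # FIM MA account
)

Add-PSSnapin MIIS.MA.Config -ErrorAction Stop

# 1. Load the entire sync configuration (MAs, metaverse schema, run profiles) from the export.
#    This assumes a fresh Sync server: the import replaces whatever configuration is there.
Import-MIISServerConfig -Path $ConfigPath -ErrorAction Stop

# 2. Point the AD MA at this environment's forest and partitions
Set-MIISADMAConfiguration -MAName $ADMAName -Credentials $ADCredential -Forest $Forest -Partitions $Partitions -ErrorAction Stop

# 3. Point the FIM MA at this environment's FIM Service. If the exported FIM MA XML predates a
#    FIM Service schema change, this is the step that fails with the message from the post;
#    the fix is manual: refresh the FIM MA in Synchronization Service Manager, export again, re-run.
#    -ServiceHost is the parameter name as remembered; verify with Get-Command -Syntax.
try {
    Set-MIISFIMMAConfiguration -MAName $FIMMAName -Credentials $FIMCredential -ServiceHost $FIMServiceHost -ErrorAction Stop
}
catch {
    if ($_.Exception.Message -match 'requested name is valid, but no data of the requested type') {
        throw ("FIM MA XML under '{0}' is stale relative to the FIM Service schema. " +
               "Update the FIM MA in Synchronization Service Manager, export the server configuration " +
               "again, commit the new XML, and re-run. Original error: {1}") -f $ConfigPath, $_.Exception.Message
    }
    throw
}

Write-Verbose "Sync configuration imported from $ConfigPath; AD MA '$ADMAName' and FIM MA '$FIMMAName' configured."
```

Checking the configuration export into source control and running this script on every new Sync server is the same pattern the DirSync and Outlook Live Sync setups use, and it gives the team a reproducible build instead of "it works on MY machine".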

Thursday, January 03, 2013

FIM 2010 R2 Service and Portal Configuration Backup Tool

I was looking for something today and stumbled upon this:
FIM 2010 R2 Service and Portal Configuration Backup Tool
While I love seeing new tools, I was a little bummed that it wasn’t provided as a bunch of new PowerShell commands, but instead as an EXE.  Don’t get me wrong, I’m still happy to have a new tool for FIM!
For anybody interested, you could of course get some re-use from the tool since it is a .NET EXE that can be loaded in PowerShell.  BTW – the sample below is totally unsupported, it is just intended to show that PowerShell can be used to consume tools that otherwise would require C#, and that PowerShell can be used as a discovery tool to see what is inside a file.

### Add-Type won't work here because the file isn't a DLL, so load the EXE as an assembly through reflection instead
$filepath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Tools\Configuration Backup\Microsoft.IdentityManagement.ConfigurationBackup.exe'
$assembly = [System.Reflection.Assembly]::LoadFile($filepath)
### Discovery: list the public static methods the EXE exposes, without knowing any names up front
$assembly.GetExportedTypes() | ForEach-Object { $_.GetMethods([System.Reflection.BindingFlags]'Public,Static,DeclaredOnly') } | Select-Object DeclaringType, Name | Sort-Object DeclaringType, Name
### Try calling one of the static methods listed above, e.g. [Namespace.TypeName]::MethodName(...)
UPDATE: had a bad URL - thanks Peter Geelen!

Machine Automation–Working with ISO Files

Server 2012 brings a lot of goodies for Hyper-V and PowerShell, which lowers the bar for automating machine creation.  An ideal FIM environment has some solution for creating new FIM machines so easily and quick that nobody should be tempted to share a FIM machine for development or test purposes.  There are grown-up solutions such as System Center VMM and Microsoft Lab Manager (so awesome) but often the only dependency you can take is the OS and Hyper-V.

I’ve been looking for time to update a machine automation tool to Windows Server 2012 and PowerShell 3.0, and little things like this make it really enticing:

#PSTip Working with ISO files
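The ISO handling in that tip is exactly the kind of building block a machine-automation script needs, so here it is wired into the rest of the job: mount the ISO to look inside it, dismount it, then create a Hyper-V VM that boots from the same ISO. This is an added example, not the #PSTip author's code or the machine automation tool mentioned above. It needs Server 2012 (Mount-DiskImage, the Hyper-V module) and an elevated session; the VM name, paths and switch name are placeholders, and it assumes New-VM's default Generation 1 VM comes with a DVD drive.

```powershell
# Added example (not from the original post): ISO handling plus VM creation on Server 2012.
param(
    [string]$IsoPath    = 'C:\ISO\WindowsServer2012.iso',   # placeholder paths and names
    [string]$VMName     = 'FIM-DEV-01',
    [string]$VhdPath    = 'C:\VMs\FIM-DEV-01.vhdx',
    [string]$SwitchName = 'Lab'
)

function Mount-IsoAndGetDriveLetter {
    # Mount-DiskImage -PassThru returns the image object; piping it to Get-Volume resolves the letter
    param([string]$Path)
    $image  = Mount-DiskImage -ImagePath $Path -PassThru -ErrorAction Stop
    $volume = $image | Get-Volume
    if (-not $volume.DriveLetter) {
        Dismount-DiskImage -ImagePath $Path
        throw "ISO mounted but no drive letter was assigned: $Path"
    }
    return $volume.DriveLetter
}

function Get-IsoInstallMedia {
    # Peek inside the media from the host (for example to confirm it is install media before
    # spending time on a VM), then always dismount, even if the lookup fails.
    param([string]$Path)
    $letter = Mount-IsoAndGetDriveLetter -Path $Path
    try {
        Get-ChildItem -Path "$($letter):\sources" -Filter 'install.wim' -ErrorAction Stop
    }
    finally {
        Dismount-DiskImage -ImagePath $Path
    }
}

if (-not (Get-IsoInstallMedia -Path $IsoPath)) {
    throw "No install.wim found on $IsoPath; refusing to build a VM from it"
}

# Hyper-V reads the ISO directly, so no host-side mount is needed for the VM itself
New-VM -Name $VMName -MemoryStartupBytes 4GB -NewVHDPath $VhdPath -NewVHDSizeBytes 60GB -SwitchName $SwitchName -ErrorAction Stop
Set-VMProcessor -VMName $VMName -Count 2
Set-VMDvdDrive  -VMName $VMName -Path $IsoPath     # assumes the default Gen 1 VM has a DVD drive
Start-VM -Name $VMName
```

Dismounting in a `finally` block matters more than it looks: a mounted ISO left behind on the host is the kind of leftover state that makes the next automated run behave differently from the last one.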

Tuesday, January 01, 2013

FIM MVP’d Again!

I’m honoured to have received the MVP award again, and a year of reasons to say MVP’ness!  Last year was a fun year of contributing to CodePlex, and I’ve managed to get help from a few people that are smarter than me, so I’ve been learning from other people in addition to the learning from my own fails.  Posting solution components is one thing, but it has been fun to use them in production, see others use them in production, and to update the projects with feedback from those deployments. 

2012 saw way more CodePlex check-ins than forum posts, and I really enjoyed it but will try to find a little more balance this year.  CodePlex seems to satisfy the introvert in me, while TechNet forums seem to force the extrovert to engage as well.

Most of my deployments this year have custom FIM UX plans, so I expect to also share a lot of lessons learned as I win and lose in that arena.  Some are small web apps to complement the FIM Portal, others are complete replacements.  An interesting FIM tradition seems to be the gravitational force it exerts to pull us into new areas of software such as WF, WS-*, and UX (look for an upcoming post on CodeLess).

Finally I’d like to thank NetPro for the Directory Experts Conference.  It changed names through the years and acquisitions but really started with Gil and the gang when they adopted MMSUG.  That show gave MVPs the chance to participate in a small venue with heavy product group participation, and forced a lot of MVPs to contribute to the community just in time for the show.  It doesn’t look like Dell will continue the show, but OCG has stepped up and I am sure they will bring the success of their annual UK event to the US.

Happy New Year!