General Troubleshooting

Forefront Identity Manager 2010 Installation & Configuration
General Troubleshooting
Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to
you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot
guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief
highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these
products, please consult their respective manufacturers.
© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
Prepared by Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
Forefront Identity Manager 2010 Installation & Configuration
General Troubleshooting
Issue:
When installing the Forefront Identity Manager Synchronization Service against a remote SQL database, you
receive the error "Verify computer/domain name, account name and password entered are correct."
At this point you are unable to continue the installation.
Cause:
The service account name, computer name, or domain name was entered incorrectly (misspelled or in the wrong
format).
Resolution:
Verify that all account information is spelled correctly and, where necessary, entered in the correct format.
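The installer's check can be reproduced before running setup. The following PowerShell is an added example, not part of the guide: it confirms that the domain and account exist with exactly the spelling given, that the domain accepts the password, and that the remote SQL host resolves and listens on its port. The domain, account and server names are placeholders; Get-Credential prompts for the service account password so it never sits in the script.

```powershell
# Added example, not from the FIM guide: pre-flight checks for the values typed into the
# Synchronization Service installer (domain, service account, password, remote SQL host).
# Domain, account and server names below are assumed placeholders; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-FimServiceAccount {
    param([Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential)  # DOMAIN\user
    $net = $Credential.GetNetworkCredential()
    if (-not $net.Domain) { return "Enter the account as DOMAIN\user; no domain part was found." }

    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $net.Domain)
    try {
        # 1. Does an account with exactly this sAMAccountName exist in that domain?
        $idType = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $idType, $net.UserName)
        if (-not $user) {
            return "Account '$($net.Domain)\$($net.UserName)' was not found: check the account and domain spelling."
        }
        if ($user.Enabled -eq $false) { return "Account exists but is disabled." }

        # 2. Is the password correct? (Validated against the domain; nothing is changed.)
        if (-not $ctx.ValidateCredentials($net.UserName, $net.Password)) {
            return "Password rejected for '$($net.Domain)\$($net.UserName)'."
        }
        return 'OK'
    } finally {
        $ctx.Dispose()
    }
}

function Test-RemoteSqlEndpoint {
    param([string]$SqlServer, [int]$Port = 1433)
    # Name resolution first, so a typo in the server name is reported as such.
    try { $null = [System.Net.Dns]::GetHostAddresses($SqlServer) }
    catch { return "Cannot resolve '$SqlServer': check the server name." }
    # Then a plain TCP connect to the SQL listener (a firewall or wrong port shows up here).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($SqlServer, $Port)
        return "TCP connect to ${SqlServer}:$Port succeeded."
    } catch {
        return "Cannot reach ${SqlServer}:$Port - $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Usage (values are assumed placeholders); Get-Credential prompts for the password.
$cred = Get-Credential 'CONTOSO\svc-fimsync'
Test-FimServiceAccount -Credential $cred
Test-RemoteSqlEndpoint -SqlServer 'sql01.contoso.local' -Port 1433
```

Both functions return a message rather than throwing, so the output reads as a checklist: an "OK" from the account check together with a successful TCP connect means the four values the installer validates are correct, and any other message names the value to fix.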
Issue:
This issue would normally be discovered after the initial install, usually after the first FI (Full Import) on
the ADMA (Active Directory Management Agent).
Cause:
Incorrect permissions are set at the root of the domain for the ADMA account that connects to Active Directory.
Resolution:
- Open Active Directory Users and Computers.
- Right-click the root of the domain and select Properties.
- Select the Security tab. (If the Security tab is not shown, click View on the menu bar at the top and select
  Advanced Features, then open Properties on the root of the domain again and select Security.)
- Click Add, and add the service account that the sync engine uses to connect to Active Directory through the
  ADMA.
- Highlight the account, scroll down, and select the following permissions for the service account:
  Read
  Replicate Directory Changes
  Read Domain Password Lockout Policies
- Back in the Synchronization Engine, rerun the FI (Full Import) on the ADMA to verify that connectivity has
  been established and that all objects and containers in scope are now brought into the connector space.
- Click the number next to Adds; the Object Details window pops up and displays the objects brought into the
  connector space. Note that in this instance only the root and the containers in scope show up in the
  connector space and no user objects are brought in yet. This is because the containers are empty; had the
  containers contained users, those users would also have been imported.
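Rerunning the Full Import shows whether the grant worked, but not whether the account holds more than it needs. The following PowerShell is an added example, not part of the guide: it reads the ACL on the domain root with the ActiveDirectory module and reports, for the ADMA account, whether the three rights listed above are present, and separately flags broader rights (Replicating Directory Changes All, Full Control, Modify Permissions) that a least-privilege sync account should not hold. The account name is a placeholder; the rights GUIDs are the well-known Active Directory values for those rights.

```powershell
# Added example, not from the FIM guide: audit the domain-root ACL for the ADMA service account.
# Reports whether the three rights the guide grants are present, and flags broader rights that a
# least-privilege sync account should not hold. Requires the ActiveDirectory module (RSAT) in a
# domain-joined session; the account name is an assumed placeholder.
Import-Module ActiveDirectory

# Rights GUIDs as they appear in ACEs on the domain object.
$ReplicatingDirectoryChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # extended right, granted by the guide
$ReplicatingDirectoryChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # extended right, NOT granted by the guide
$DomainPasswordLockoutPolicies  = [guid]'c7407360-20bf-11d0-a768-00aa006e0529'  # property set "Domain Password & Lockout Policies"

function Get-AceSid {
    # SID string for an ACE's identity; falls back to the raw name if it cannot be resolved.
    param($Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Ace.IdentityReference.Value }
}

function Test-AceGrants {
    # True if any ACE grants every bit in $Mask for $ObjectType (or for all object types, i.e. an
    # empty ObjectType GUID), or grants GenericAll, which implies everything.
    param($Aces, [int]$Mask, [guid]$ObjectType)
    $all = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in $Aces) {
        $r = [int]$ace.ActiveDirectoryRights
        if (($r -band $all) -eq $all) { return $true }
        if ((($r -band $Mask) -eq $Mask) -and
            ($ace.ObjectType -eq $ObjectType -or $ace.ObjectType -eq [guid]::Empty)) { return $true }
    }
    return $false
}

function Get-AdmaRootPermissionReport {
    param([Parameter(Mandatory=$true)][string]$Account)   # DOMAIN\user form

    $domainDn = (Get-ADDomain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDn"
    $sid      = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value

    # Allow ACEs granted directly to this account. Rights the account holds through group
    # membership are not expanded here, so a "missing" right may still be held via a group.
    $aces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and (Get-AceSid $_) -eq $sid })

    $read    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $ext     = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $readPrp = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $all     = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $wdacl   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    New-Object PSObject -Property @{
        Account                       = $Account
        DirectAceCount                = $aces.Count
        # The three rights the guide grants; all three should be $true.
        Read                          = Test-AceGrants $aces $read    ([guid]::Empty)
        ReplicatingDirectoryChanges   = Test-AceGrants $aces $ext     $ReplicatingDirectoryChanges
        DomainPasswordLockoutPolicies = Test-AceGrants $aces $readPrp $DomainPasswordLockoutPolicies
        # More than the guide grants; each should be $false for a least-privilege sync account.
        ExcessReplicatingChangesAll   = Test-AceGrants $aces $ext     $ReplicatingDirectoryChangesAll
        ExcessFullControl             = Test-AceGrants $aces $all     ([guid]::Empty)
        ExcessWriteDacl               = Test-AceGrants $aces $wdacl   ([guid]::Empty)
    } | Select-Object Account, DirectAceCount, Read, ReplicatingDirectoryChanges, DomainPasswordLockoutPolicies, ExcessReplicatingChangesAll, ExcessFullControl, ExcessWriteDacl
}

# Usage (account is an assumed placeholder)
Get-AdmaRootPermissionReport -Account 'CONTOSO\svc-adma' | Format-List
```

The report only inspects ACEs granted directly to the account, which is how the procedure above grants them; if your environment grants through a group, run it against that group instead. A `$true` in any of the Excess columns is worth reviewing before the management agent goes into production.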
Issue:
When trying to open the Synchronization Engine, it fails to open with the following error:
Cause:
The Forefront Identity Manager Synchronization Service is not started. The service sometimes fails to start
after a reboot. If the server was recently rebooted and you would like to ensure that this service starts after
the next reboot, follow the steps for A.
Resolution:
On the server that hosts the Forefront Identity Manager Synchronization Service, open the Services.msc console.
Right-click the Forefront Identity Manager Synchronization Service, click Properties, and then click Start. You
can also just highlight the service and click Start on the left of the screen.
Issue:
The Forefront Identity Manager Synchronization Service does not restart after a reboot of the server that hosts
it.
Cause:
There are two reasons why the Forefront Identity Manager Synchronization Service would fail to restart after a
reboot:
1. The service account used to run the Forefront Identity Manager Synchronization Service has not been granted
the Log on as a service right.
2. If the Forefront Identity Manager Synchronization Engine is installed on the same server as the SQL database,
the Forefront Identity Manager Synchronization Service depends on the SQL database being started first, and it
fails to restart because it is still waiting for the SQL Server service to start.
Resolution:
1. To solve the first issue:
a. On the server that hosts the Forefront Identity Manager Synchronization Service, open Local Security
Policy.
b. Expand Local Policies.
c. Click User Rights Assignment.
d. Scroll down to Log on as a service.
e. Right-click Log on as a service, click Properties, and then click Add User or Group. Add the correct
(user) service account that the Forefront Identity Manager Synchronization Service uses.
Click OK.
2. To solve the second issue:
a. On the server that hosts the Forefront Identity Manager Synchronization Service, after completing the
steps above for adding the service account to Log on as a service, open the services.msc console.
b. Right-click the Forefront Identity Manager Synchronization Service and click Properties.
c. On the General tab, under Startup type, make sure Automatic (Delayed Start) is selected. This allows
the SQL Server service to start before the Forefront Identity Manager Synchronization Service starts.
Click OK.
Issue:
When installing the Forefront Identity Manager Synchronization Service or the Forefront Identity Manager
Portal you may be presented with a popup, Warning 25051, which informs you that the service account is not
secure in its current configuration. You can continue with the installation if you wish, or you can stop the
installation and secure the service account before installing these features.
Cause:
Before the Forefront Identity Manager Synchronization Service or Portal is installed, the service account used
for each feature has not been configured in the secure way on the server that the feature is to be installed on.
Resolution:
1. On the server that the Forefront Identity Manager Synchronization Service will be installed on, or has
already been installed on:
a. On the server that hosts the Forefront Identity Manager Synchronization Service, open Local Security
Policy.
b. Expand Local Policies.
c. Click User Rights Assignment.
d. Scroll down to locate the following policies:
i. Deny log on as a batch job
ii. Deny log on locally
iii. Deny access to this computer from the network
e. For each of the above, add the service account that is used for the feature being installed. For example,
on the server that the Synchronization Service is installed on this may be the FIMSync service account,
and on the server that hosts the FIM Portal it may be the FIMService account that is used during the
initial configuration. Right-click the policy you wish to add the service account to, click Properties, and
then click Add User or Group. Add the correct (user) service account for the feature being installed to
that policy. Repeat these steps for each policy.
f. Click OK.
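The two preceding issues (the service not restarting after a reboot, and Warning 25051) come down to the same two settings: the user rights assigned to the service account, and the startup type of the Synchronization Service. The following PowerShell is an added example, not part of the guide: it exports the local security policy with secedit.exe and reports whether the account holds Log on as a service and the three Deny rights, and reads the service's startup type and delayed-start flag from the registry. It is report-only; the changes themselves are made in the GUI as described above. The account name and the service name FIMSynchronizationService are assumptions for this example. Run it elevated on the FIM server.

```powershell
# Added example, not from the FIM guide: report whether a FIM service account holds the user rights
# discussed above and whether the Synchronization Service is set to Automatic (Delayed Start).
# Run elevated on the FIM server. The account name and the service name 'FIMSynchronizationService'
# are assumptions for this example; adjust them to your environment.

function Get-UserRightAssignments {
    # Export the local security policy with secedit.exe and return a hashtable:
    # privilege name (e.g. SeServiceLogonRight) -> array of holders (SIDs or DOMAIN\name).
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    try {
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $holders = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } |
                           Where-Object { $_ }
                $rights[$matches[1]] = @($holders)
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue   # do not leave the policy export behind
    }
    return $rights
}

function Test-AccountHoldsRight {
    # True if the account is listed directly for the privilege. Rights held through a group the
    # account belongs to are not expanded here.
    param([hashtable]$Rights, [string]$Privilege, [string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $short = $Account.Split('\')[-1]
    foreach ($holder in @($Rights[$Privilege])) {
        if ($holder -eq $sid -or $holder -eq $Account -or $holder -eq $short) { return $true }
    }
    return $false
}

function Get-ServiceAccountRightsReport {
    param([Parameter(Mandatory=$true)][string]$Account)
    $rights = Get-UserRightAssignments
    New-Object PSObject -Property @{
        Account               = $Account
        LogOnAsService        = Test-AccountHoldsRight $rights 'SeServiceLogonRight'         $Account  # $false -> service cannot start
        DenyLogOnAsBatchJob   = Test-AccountHoldsRight $rights 'SeDenyBatchLogonRight'       $Account  # any $false here ->
        DenyLogOnLocally      = Test-AccountHoldsRight $rights 'SeDenyInteractiveLogonRight' $Account  #   Warning 25051
        DenyAccessFromNetwork = Test-AccountHoldsRight $rights 'SeDenyNetworkLogonRight'     $Account
    }
}

function Get-FimSyncStartupReport {
    param([string]$ServiceName = 'FIMSynchronizationService')   # assumed service name
    $svc   = Get-Service -Name $ServiceName -ErrorAction Stop
    $props = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $startType = switch ($props.Start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { "$($props.Start)" } }
    New-Object PSObject -Property @{
        Service      = $svc.DisplayName
        Status       = $svc.Status
        StartupType  = $startType
        DelayedStart = ($props.DelayedAutostart -eq 1)      # $false matches the second cause above
        DependsOnSql = [bool]($svc.ServicesDependedOn | Where-Object { $_.Name -like 'MSSQL*' })
    }
    # The fix is made in the services console as described above; the command-line equivalent is:
    #   sc.exe config FIMSynchronizationService start= delayed-auto
}

# Usage (account is an assumed placeholder)
Get-ServiceAccountRightsReport -Account 'CONTOSO\svc-fimsync' | Format-List
Get-FimSyncStartupReport | Format-List
```

For a correctly secured Synchronization Service account the first report shows LogOnAsService true and all three Deny values true; the second should show StartupType Automatic with DelayedStart true when SQL Server runs on the same host. Because secedit only lists direct assignments, an account that receives a right through a group membership shows false here even though the right is effective.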
Issue:
Error Code 40007 is an error that you may receive when trying to access the FIM Password Reset feature.
You may also see this error:
Cause:
This is due to not having the correct permissions in the FIM Portal.
Resolution:
Permissions in the FIM Portal are granted by MPRs (Management Policy Rules).
1. Log on to the FIM Portal.
2. Navigate to the Management Policy Rules section.
3. Check the associated MPRs to verify that the user in question is a member of the set that is allowed to reset
its own password.
Issue:
"Could not connect to the password reset service": this error may pop up on a remote workstation that has the
FIM Password Reset client installed.
In the Event Log you may see the following:
Cause:
This is due to the Forefront Identity Manager Password Reset Service not being started on the workstation.
Resolution:
Start the Forefront Identity Manager Password Reset Service. If the service does not start, chances are it fails
with error 1053; if so, follow the steps to resolve that issue on the workstation.
Issue:
Error 401.1 – Unauthorized when clicking the Register For Password Reset link from the FIM Home page.
Cause:
This is due to not having the correct permissions in the FIM Portal.
Resolution:
Permissions in the FIM Portal are granted by MPRs (Management Policy Rules).
1. Log on to the FIM Portal.
2. Navigate to the Management Policy Rules section.
3. Check the associated MPRs to verify that the user in question is a member of the set that is allowed to reset
its own password.
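Both this issue and Error Code 40007 above have the same resolution: confirm that the user falls into the set that the password-reset MPRs name as their requestor. Clicking through the portal works for one user; the following PowerShell is an added example, not part of the guide, that does the same check from the FIM Service side. It uses the FIMAutomation snap-in installed with the FIM Service to list every set the service currently computes the user into, and then every MPR whose PrincipalSet is one of those sets, with its Disabled and GrantRight flags. Run it on the FIM Service server or point -Uri at it. The account name is a placeholder, and which of the listed MPRs is your password-reset rule depends on your configuration.

```powershell
# Added example, not from the FIM guide: for one user, list the sets the FIM Service computes the
# user into and the Management Policy Rules whose requestor set (PrincipalSet) is one of those sets.
# Uses the FIMAutomation snap-in that ships with the FIM Service. The account name is an assumed
# placeholder; the default -Uri is the FIM Service endpoint on the local server.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-FimAttributeValue {
    # Read one attribute from an ExportObject returned by Export-FIMConfig.
    param($ExportObject, [string]$AttributeName)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $AttributeName }
    if (-not $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

function Get-FimSetMembershipAndMprs {
    param([Parameter(Mandatory=$true)][string]$AccountName,
          [string]$Uri = 'http://localhost:5725')

    # 1. Sets the user is a computed member of; the FIM Service evaluates the set filters itself.
    $setFilter = "/Set[ComputedMember=/Person[AccountName='$AccountName']]"
    $sets = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $setFilter)
    if ($sets.Count -eq 0) {
        Write-Warning "No sets contain '$AccountName' (or the account does not exist in the FIM Service)."
        return
    }

    foreach ($set in $sets) {
        $setName = Get-FimAttributeValue $set 'DisplayName'
        # 2. MPRs that name this set as the requestor. A set display name containing an apostrophe
        #    would need escaping before being placed in the filter.
        $mprFilter = "/ManagementPolicyRule[PrincipalSet=/Set[DisplayName='$setName']]"
        foreach ($mpr in @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $mprFilter)) {
            New-Object PSObject -Property @{
                Set        = $setName
                MPR        = Get-FimAttributeValue $mpr 'DisplayName'
                Disabled   = Get-FimAttributeValue $mpr 'Disabled'
                GrantRight = Get-FimAttributeValue $mpr 'GrantRight'
                ActionType = (@(Get-FimAttributeValue $mpr 'ActionType') -join ', ')
            }
        }
    }
}

# Usage (account is an assumed placeholder). The enabled MPR that grants the password-reset
# request should appear for the user; if it does not, the user is not in that MPR's requestor set.
Get-FimSetMembershipAndMprs -AccountName 'jdoe' |
    Sort-Object Set, MPR | Format-Table Set, MPR, Disabled, GrantRight, ActionType -AutoSize
```

If the password-reset MPR is absent from the output, the fix is on the set side (the user does not satisfy the set's filter or is not a manually managed member), which is exactly what step 3 above asks you to verify; if it is present but Disabled is true or GrantRight is false, the MPR itself is the problem.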