Forefront Identity Manager 2010 Installation & Configuration
Using the FIM Synchronization Service Management Console
Anthony Marsiglia & Kristopher Tackett
Microsoft Premier Field Engineering
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to
you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot
guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief
highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these
products, please consult their respective manufacturers.
© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
Using the FIM Synchronization Service Management Console
The FIM Synchronization Service Manager console is the primary administrative interface for monitoring the status, history, and errors of synchronization runs. It can also be used to inspect identity objects in the connector spaces and in the metaverse.
To start the FIM Synchronization Service Manager console, log on to the machine where the FIM Synchronization Service is running (WNP2388 in this environment). You also need to be a member of one of the following local groups, each of which grants a different level of access to the FIM Synchronization Service:
- FIMSyncAdmins: grants administrator privileges. Members of this group have full access.
- FIMSyncOperators: grants permission to run management agent run profiles.
- FIMSyncJoiners: grants permission to use the manual joiner.
- FIMSyncBrowse: grants permission to search the metaverse.
Treat FIMSyncAdmins membership as equivalent to administrative access to every connected directory: an administrator can change attribute flows and provisioning rules and then export the result with the credentials configured on each management agent. Keep the group small and review it regularly. The same groups also gate the synchronization service's WMI provider, so scripts are subject to the same checks as the console.
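As an added example (this script is not part of the original guide), the following PowerShell lists the members of each of the four local groups on the synchronization server, which is the check to run before granting access or when reviewing it. It uses the WinNT ADSI provider so that it works on the Windows Server 2008 R2 / PowerShell 2.0 hosts FIM 2010 runs on. The computer name and the group descriptions come from this section; the script assumes the groups exist under their default names, and the reference to FIMSyncPasswordSet in the comments is a fact about the installer, not something this guide covers.

```powershell
# Added example, not from the original guide.
# Lists the members of the local FIMSync* groups on a FIM 2010 synchronization server.
# Run it as a local administrator on the sync server (WNP2388 in this guide) or against it
# remotely; the WinNT ADSI provider is available on Windows Server 2008 R2 / PowerShell 2.0.

param(
    [string]$ComputerName = 'WNP2388'   # sync server used in this guide; change to yours
)

# Local group -> access it grants (from the list above). The installer also creates
# FIMSyncPasswordSet for password-management calls; it is not covered by this guide.
$fimGroups = @{
    'FIMSyncAdmins'    = 'full access to the synchronization service'
    'FIMSyncOperators' = 'run management agent run profiles'
    'FIMSyncJoiners'   = 'use the manual joiner'
    'FIMSyncBrowse'    = 'search the metaverse'
}

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$GroupName)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # 'Members' is a COM method; each member is an IADs object whose properties
    # must be read through reflection on PowerShell 2.0.
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Group  = $GroupName
            Member = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
            Type   = $class     # 'User' or 'Group'
        }
    }
}

$report = @()
foreach ($groupName in ($fimGroups.Keys | Sort-Object)) {
    try {
        $members = @(Get-LocalGroupMembership -Computer $ComputerName -GroupName $groupName)
    } catch {
        Write-Warning ("Cannot read {0} on {1}: {2}" -f $groupName, $ComputerName, $_.Exception.Message)
        continue
    }
    if ($members.Count -eq 0) {
        Write-Host ("{0}: no members ({1})" -f $groupName, $fimGroups[$groupName])
        continue
    }
    foreach ($m in $members) {
        $note = ''
        if ($m.Type -eq 'Group') {
            # A nested group (typically a domain group) hides the real people; enumerate it in AD.
            $note = 'nested group - review its members in the domain'
        } elseif ($groupName -eq 'FIMSyncAdmins') {
            $note = 'direct admin: can change attribute flows and export to every connected system'
        }
        $report += New-Object PSObject -Property @{
            Group = $groupName; Grants = $fimGroups[$groupName]
            Member = $m.Member; Type = $m.Type; Note = $note
        }
    }
}
$report | Format-Table Group, Member, Type, Grants, Note -AutoSize
```

Nested domain groups are reported but not expanded; resolve them in Active Directory, since a single nested group can quietly give an entire team FIMSyncAdmins rights.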
The console has five tools that can be used to monitor and troubleshoot the solution: Operations, Management Agents, Metaverse Designer, Metaverse Search, and Joiner.
- Operations: this tool shows the history of the management agent runs that FIM has executed, together with the changes still pending import or export. Every time you run a management agent, the run is logged in the run history in the FIM synchronization database on the SQL Server: the time of the run, the run profile that was used, whether it succeeded, synchronization statistics, and errors. Run history accumulates in the database, so clear old runs from the Operations tool (Actions > Clear Runs) on a schedule. If a run step failed, click it to see the reason for the failure; the objects for which the synchronization process generated an error are listed in the lower right pane.
Double-clicking an object that failed during synchronization opens a separate window showing the attributes stored on the object and more detail about the cause of the failure. From this window you can run a Preview on the object to find out which specific rule generated the error.
For an explanation of the reported errors (such as "ambiguous-import-flow-from-multiple-connectors", shown in the screenshot above), refer to the section "Management agent run error codes" in the FIM online help, which you can open from Start > All Programs > Microsoft Forefront FIM Synchronization Service Manager > Synchronization Help Contents and Index.
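The Operations tool is a manual view; for a scheduled check, the same run history is exposed by the synchronization service's WMI provider. The following PowerShell is an added example, not from the original guide. It assumes the MIIS_RunHistory class in the root\MicrosoftIdentityIntegrationServer namespace that the FIM 2010 sync service installs, a caller who is in FIMSyncAdmins or FIMSyncOperators, and that RunDetails() returns the run-history XML; the element and attribute names used when walking that XML (step-details, step-result, synchronization-errors, error-type, dn) are taken from the run-history format and should be treated as assumptions to verify against your own output.

```powershell
# Added example, not from the original guide.
# Reads the same run history the Operations tool displays, through the synchronization
# service's WMI provider, and reports the most recent runs that did not end in "success"
# (this includes runs that are still "in-progress").
# Assumptions: MIIS_RunHistory in root\MicrosoftIdentityIntegrationServer, a caller in
# FIMSyncAdmins or FIMSyncOperators, and the run-history XML element names used below.

param(
    [string]$ComputerName = 'WNP2388',   # sync server used in this guide; change to yours
    [int]$Last = 50                      # how many of the most recent runs to inspect
)

$ns = 'root\MicrosoftIdentityIntegrationServer'

# RunNumber increases with every run, so sorting on it avoids parsing the time strings.
$recent = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class MIIS_RunHistory |
    Sort-Object -Property RunNumber -Descending |
    Select-Object -First $Last

$problems = @($recent | Where-Object { $_.RunStatus -ne 'success' })

if ($problems.Count -eq 0) {
    Write-Host ("Last {0} runs on {1} all finished with status 'success'." -f $Last, $ComputerName)
    return
}

foreach ($run in $problems) {
    Write-Host ("Run {0}: {1} / {2} started {3} -> {4}" -f $run.RunNumber, $run.MaName,
        $run.RunProfile, $run.RunStartTime, $run.RunStatus)

    # RunDetails() returns the run-history XML for this run in ReturnValue (assumption, see lead-in).
    try {
        $xml = [xml]$run.RunDetails().ReturnValue
    } catch {
        Write-Warning ("  run details unavailable: {0}" -f $_.Exception.Message)
        continue
    }

    # Step results: which step of the run profile did not succeed.
    foreach ($step in $xml.SelectNodes('//step-details')) {
        $result = $step.SelectSingleNode('step-result')
        if ($result -and $result.InnerText -ne 'success') {
            Write-Host ("  step {0}: {1}" -f $step.GetAttribute('step-number'), $result.InnerText)
        }
    }

    # Per-object errors, e.g. ambiguous-import-flow-from-multiple-connectors, with the object DN
    # so the object can be opened in the connector space and previewed as described above.
    $errors = $xml.SelectNodes('//synchronization-errors/*')
    $counts = @{}
    foreach ($e in $errors) {
        $type = $e.SelectSingleNode('error-type')
        $label = if ($type) { $type.InnerText } else { $e.Name }
        $counts[$label] = 1 + [int]$counts[$label]
        if ($errors.Count -le 10) {
            Write-Host ("    {0}  dn={1}" -f $label, $e.GetAttribute('dn'))
        }
    }
    foreach ($k in $counts.Keys) { Write-Host ("  {0} x {1}" -f $counts[$k], $k) }
}
```

Error types are summarised per run because a single bad join rule typically produces hundreds of identical errors; the per-object DN list is only printed when it is short enough to act on directly.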

- Management Agents: this tool is where management agents are configured, imported, and exported. Run profiles are managed here, and the results of the last run can be viewed. From here the connector space of a particular connected system can also be searched and its objects examined.

- Metaverse Designer: this tool lets you view and modify metaverse schema elements such as object types and attributes. When troubleshooting an attribute flow issue, use it to check the precedence of the attribute and determine which MA is the authoritative source for it. The object deletion rules, which define the conditions under which a metaverse object is deleted, are also configured here.

- Metaverse Search: this tool is where search criteria are supplied to locate objects in the metaverse. It is especially useful when tracing object links and attribute flows. Objects in the metaverse are read-only and cannot be edited here: to change a value in the metaverse, change it in the connected directory that contributes the attribute and run that MA again. Complex search queries can be built by combining multiple clauses.
Double-clicking one of the returned objects opens the "Metaverse Object Properties" dialog box, which shows all of the object's attributes together with the bookkeeping FIM maintains for each of them: for example, the name of the MA that last contributed a value to an attribute and the time the attribute was last modified. The "Connectors" tab of the same dialog box shows the lineage information, that is, which connector space objects this metaverse object is connected to. The Connectors tab also allows you to disconnect a connector space object from the metaverse object. If you disconnect an object in a specific management agent's connector space, FIM will reapply the join rule configured for that MA to the object the next time you run a Full or Delta Synchronization. If the join rule cannot find a match for this disconnector, no further synchronization rule can be applied to the object and therefore no data can flow to or from it. You may need to perform this operation on objects that have been incorrectly joined.
To disconnect an object, first select the object that you want to disconnect on the Connectors tab, then click the Disconnect button. You are then given the choice of making the object a "Disconnector (default)" or an "Explicit Disconnector". Explicit disconnectors do not participate in the join process, so no synchronization rule will ever apply to them until they are changed back to normal disconnectors or joined manually in the Joiner. Selecting "Disconnector (default)" ensures that the join rules are applied to the object again the next time you run a Synchronization operation on the MA it was disconnected from.
Disconnecting an object is also useful in the following cases:
- To remove pending exports on an object. If, for example, you do not want some changes exported to Active Directory, change the connection type of the object to a normal disconnector; this discards all changes pending export to AD for that object. Note that the next synchronization re-evaluates the object, and if it joins again the same changes may be staged for export again.
- To change an object from "Disconnector" to "Explicit Disconnector". This prevents the object from being evaluated by the FIM synchronization rules on every delta or full synchronization. Making such objects explicit disconnectors speeds up the sync process, since the synchronization engine ignores them.
Note that disconnecting an object may fail with an error while synchronization rule provisioning is enabled. In this case, temporarily disable it by selecting Options from the Tools menu and clearing the "Enable Synchronization Rule Provisioning" checkbox, perform the disconnect, and then re-enable the checkbox: while it is cleared, no management agent run will provision objects through synchronization rules, so leaving it off silently stops provisioning for the whole server.

- Joiner: this tool is used to manually link objects that the join rules of a management agent did not link automatically. Disconnectors in the Joiner should be reviewed on a regular basis: a growing number of normal disconnectors usually means the join rules no longer match the data, and each one is an object FIM has imported but is not managing.
In the "Management Agent" drop-down list, select the management agent whose connector space contains the disconnected object that you want to join. Assume the object you want to join is in the Active Directory connector space; in this case select "Active Directory MA".
In the "Disconnector Type" drop-down list, select "Disconnectors". This excludes the "Explicit" and "Filtered" disconnectors from the list. Then click Search.
The list of all disconnectors in the Active Directory MA connector space is displayed. Click the "Column Settings" link to choose the attributes displayed for each disconnector; you can then click an attribute name to sort the list by that attribute.
Select a disconnector and search the metaverse from the lower pane. The metaverse objects that match the search criteria are displayed in the lower window; click each one to examine its attributes. If you determine that a metaverse object is the right match for the AD object, click the Join button to link them permanently. As soon as the Active Directory object is joined to the selected metaverse object, the synchronization rules are applied to it. In this example the correct employeeID flows from the metaverse to the object in the Active Directory connector space. You will then have to run an "Export" operation on the Active Directory MA to push that change to Active Directory.
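The regular disconnector review described above can be driven from a script rather than by opening the Joiner for each MA. The following PowerShell is an added example, not from the original guide. It assumes the MIIS_ManagementAgent WMI class installed with the FIM 2010 sync service and its NumCSObjects, NumConnectors, NumDisconnectors, NumExplicitDisconnectors and NumFilteredDisconnectors methods, each returning an object whose ReturnValue is the count, and a caller in FIMSyncBrowse or a higher group. The baseline CSV file, its path and the growth threshold are this example's own conventions and not anything the guide prescribes.

```powershell
# Added example, not from the original guide.
# Regular disconnector review: counts connectors and each kind of disconnector in every
# management agent's connector space through the MIIS_ManagementAgent WMI class, then
# compares the normal-disconnector count with the previous review so that a join rule
# that quietly stopped matching shows up as growth rather than as an absolute number.
# Assumptions: the Num* methods named below; the baseline file is this example's convention.

param(
    [string]$ComputerName = 'WNP2388',                                      # sync server used in this guide
    [string]$BaselinePath = "$env:ProgramData\FimDisconnectorBaseline.csv",  # hypothetical location
    [int]$GrowthThreshold = 50                                              # warn when normal disconnectors grow by more
)

$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-FimConnectorSpaceCounts {
    param([string]$Computer)
    foreach ($ma in Get-WmiObject -ComputerName $Computer -Namespace $ns -Class MIIS_ManagementAgent) {
        New-Object PSObject -Property @{
            MA            = $ma.Name
            Type          = $ma.Type
            Objects       = [int]$ma.NumCSObjects().ReturnValue
            Connectors    = [int]$ma.NumConnectors().ReturnValue
            Disconnectors = [int]$ma.NumDisconnectors().ReturnValue          # what the Joiner lists by default
            Explicit      = [int]$ma.NumExplicitDisconnectors().ReturnValue  # never joined until changed back
            Filtered      = [int]$ma.NumFilteredDisconnectors().ReturnValue  # excluded by the connector filter
        }
    }
}

$now = @(Get-FimConnectorSpaceCounts -Computer $ComputerName)
$now | Sort-Object MA | Format-Table MA, Type, Objects, Connectors, Disconnectors, Explicit, Filtered -AutoSize

if (Test-Path $BaselinePath) {
    $baseline = @{}
    foreach ($row in Import-Csv $BaselinePath) { $baseline[$row.MA] = [int]$row.Disconnectors }
    foreach ($cur in $now) {
        if ($baseline.ContainsKey($cur.MA)) {
            $delta = $cur.Disconnectors - $baseline[$cur.MA]
            if ($delta -gt $GrowthThreshold) {
                Write-Warning ("{0}: normal disconnectors grew by {1} (from {2} to {3}); review them in the Joiner" -f
                    $cur.MA, $delta, $baseline[$cur.MA], $cur.Disconnectors)
            }
        } else {
            Write-Warning ("{0}: management agent not present at the last review" -f $cur.MA)
        }
    }
}

# Save this run as the baseline for the next review.
$now | Select-Object MA, Type, Objects, Connectors, Disconnectors, Explicit, Filtered |
    Export-Csv -Path $BaselinePath -NoTypeInformation
```

Explicit and filtered disconnectors are reported separately because they are expected to be stable; a rising explicit count usually means someone is excluding objects by hand in the Joiner instead of fixing the join rule or the connector filter.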