Using the Synchronization Service in SharePoint 2010 – Forefront Identity Manager 2010

If you use the User Profile Synchronization Service in SharePoint 2010, you may not realise that you are also getting an identity management product included – Forefront Identity Manager 2010 (or FIM 2010). FIM 2010 is a full-featured identity management system. The version included with SharePoint 2010 is the basic one: it does not have a lot of the “extras” (like Certificate Management, the FIM portal, etc.) but is used to import and export data between identity systems. Typically these systems are SharePoint 2010 User Profiles and Active Directory (other systems are also supported).

To view the FIM 2010 interface you can open the Synchronization Service Manager, which is by default located at:

C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe

Note that this is only installed when you configure the User Profile Synchronization Service on SharePoint 2010, so if you have a multi-server deployment you need to be on the server that has the User Profile Synchronization Service running.

I’ve implemented a full FIM 2010 deployment previously so was quite interested to note that it is indeed the same product, with some reduced functionality. This has been helpful a couple of times when the synchronization has failed from SharePoint 2010 and I have needed to troubleshoot the issue by opening the Sync Service Manager.

[Figure: Synchronization Service Manager for SharePoint 2010]

I was getting the following error in the Application event log after a Full Sync was being performed:

Event ID 6298 (Timer)
The Execute method of job definition Microsoft.Office.Server.UserProfiles.UserProfileImportJob (ID 719df063-5757-4542-8ed1-a2c1622f6603) threw an exception. More information is included below.
Generic failure

I also noted that the FIM Sync Service was stopping on the server, but the SharePoint 2010 Central Admin reported the service still running. 10-20 minutes later, the FIM Sync Service would start again. I opened up the Sync Service Manager and checked the Management Agent Operations under the “Operations” tab. This tells you which Management Agents (responsible for synchronising data between systems) had been run recently and the result. My sync runs had not started at all.

I decided to run a full sync on all Management Agents in the following order:

1. On the Active Directory Domain Services management agent, I ran the profiles: DS_FULLIMPORT and DS_FULLSYNC

2. On the Extensible Connectivity type management agent (which is the customised SharePoint management agent), I ran the profiles: DS_FULLIMPORT, DS_FULLSYNC, DS_EXPORT, DS_DELTAIMPORT

(For FIM people: this is the export and confirming import required to ensure the data is fully synchronised.)

The imports completed successfully and further “normal” syncs via the SharePoint interface worked too.
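The same run order can be driven through the Synchronization Service's WMI provider instead of the UI. This is an added example, not part of the original post: the management agent names are placeholders, and the `root\MicrosoftIdentityIntegrationServer` namespace and `FIMSynchronizationService` service name are assumed to match a standard FIM Synchronization Service install. It only executes the existing run profiles and changes no configuration.

```powershell
# Added example: run the existing run profiles in the order described above.
# Assumption: run on the server hosting the User Profile Synchronization Service,
# under an account that is allowed to open the Synchronization Service Manager.
$ns = 'root\MicrosoftIdentityIntegrationServer'

# Placeholders: list the real agent names first with
#   Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent | Select-Object Name, Type
$adAgent = '<AD-management-agent-name>'
$spAgent = '<SharePoint-management-agent-name>'

# AD agent first, then the SharePoint (Extensible Connectivity) agent,
# ending with the export and its confirming delta import.
$plan = @(
    @{ Agent = $adAgent; Profile = 'DS_FULLIMPORT'  },
    @{ Agent = $adAgent; Profile = 'DS_FULLSYNC'    },
    @{ Agent = $spAgent; Profile = 'DS_FULLIMPORT'  },
    @{ Agent = $spAgent; Profile = 'DS_FULLSYNC'    },
    @{ Agent = $spAgent; Profile = 'DS_EXPORT'      },
    @{ Agent = $spAgent; Profile = 'DS_DELTAIMPORT' }
)

# Central Admin can report the service as running when it is not,
# so check the Windows service itself before starting.
$svc = Get-Service -Name 'FIMSynchronizationService' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "FIM Synchronization Service is $($svc.Status); not starting any run profile."
}

foreach ($step in $plan) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent `
                        -Filter "Name='$($step.Agent)'"
    if (-not $ma) { throw "Management agent '$($step.Agent)' not found." }

    Write-Host ("{0}  {1} / {2}" -f (Get-Date -Format s), $step.Agent, $step.Profile)
    # Execute() blocks until the run finishes and returns its status string.
    $result = $ma.Execute($step.Profile).ReturnValue
    Write-Host "    result: $result"

    if ($result -eq 'success' -or $result -eq 'completed-no-objects') { continue }
    if ($result -like 'completed-*') {
        Write-Warning "Run completed with warnings or errors; check the Operations tab."
        continue
    }
    # Stopped or failed runs: do not continue with later steps on partial data.
    throw "Run profile $($step.Profile) on '$($step.Agent)' ended with '$result'."
}
```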

[Figure: FIM Synchronization Results]

It is possible to adjust the synchronization settings via the Sync Service Manager, but I wouldn’t recommend it – there is no documentation about the connection between SharePoint and the FIM Sync Engine, so it is possible you could break the interface by making changes.


One Response to “Using the Synchronization Service in SharePoint 2010 – Forefront Identity Manager 2010”

  1. Barrie Gray Says:

    Gavin, I don’t know if you can help me, but I have exactly the same error in my AD sync in SP 2010, except the event Id is 6398. I ran all of the FIM service profiles you suggest and even ran the MOSS_DELTASYNC profile and all ran successfully. I see the accounts imported, yet when I run the SP 2010 User Profile import, I still get the same error. It seems to be failing on enumerating the Management Agents. Any ideas? — thanks.
