Posts Tagged ‘FIM’

Using the Synchronization Service in SharePoint 2010 – Forefront Identity Manager 2010

June 25, 2012

If you use the User Profile Synchronization Service in SharePoint 2010, you may not realise that you are also getting an identity management product included – Forefront Identity Manager 2010 (or FIM 2010). FIM 2010 is a full-featured identity management system, and included with SharePoint 2010 is the basic version that does not have a lot of the “extras” (like Certificate Management, the FIM portal, etc) but is used to import and export data between identity systems. Typically this is SharePoint 2010 User Profiles and Active Directory (other systems are also supported).

To view the FIM 2010 interface you can open the Synchronization Service Manager, which is by default located at:

C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe

Note that this is only installed when you configure the User profile Sychronization Service on SharePoint 2010, so if you have a multi-server deployment you need to be on the server that has the User Profile Synchronization Service running.

I’ve implemented a full FIM 2010 deployment previously so was quite interested to note that it is indeed the same product, with some reduced functionality. This has been helpful a couple of times when the synchronization has failed from SharePoint 2010 and I have needed to troubleshoot the issue by opening the Sync Service Manager.

Synchronization Service for SharePoint 2010

Synchronization Service Manager for SharePoint 2010

I was getting the following error in the Application event log after a Full Sync was being performed:

Event ID 6298 (Timer)
The Execute method of job definition Microsoft.Office.Server.UserProfiles.UserProfileImportJob (ID 719df063-5757-4542-8ed1-a2c1622f6603) threw an exception. More information is included below.
Generic failure

I also noted that the FIM Sync Service was stopping on the server, but the SharePoint 2010 Central Admin reported the service still running. 10-20 minutes later, the FIM Sync Service would start again.  I opened up the Sync Service Manager and checked the Management Agent Operations under the “Operations” tab. This tells you which Management Agents (responsible for synchronising data between systems) had been run recently and the result. My sync runs had not started at all.

I decided to run a full sync on all Management Agents in the following order:

1. On the Active Directory Domain Services management agent, I ran the profiles: DS_FULLIMPORT and DS_FULLSYNC

2. On the Extensible Connectivity type management agent (which is the customised SharePoint management agent), I ran the profiles: DS_FULLIMPORT, DS_FULLSYNC, DS_EXPORT, DS_DELTAIMPORT

(for FIM-people, this is the export and confirming import required to ensure data is full synchronised)

The imports completed successfully and further “normal” syncs via the SharePoint interface worked too.

FIM Sync Results

FIM Synchronization Results

It is possible to adjust the synchronization settings via the Sync Service Manager, but I wouldn’t recommend it – there is no documentation about the connection between SharePoint and the FIM Sync Engine, so it is possible you could break the interface by making changes.