My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Thursday, October 30, 2008

Live IDs are now OpenIDs, Geneva supports SAML 2.0

At the PDC Microsoft's Kim Cameron and colleague Bertocci Vittorio announced that Microsoft Live is now an OpenID provider. Additionally, when signing into Live you can use Information Cards (InfoCard, CardSpace, Geneva CardSpace).

They also demonstrated the new Geneva Framework (formerly known as Zermatt) -- essentially a successor to Windows Server 2008 Active Directory Federation Services, and showed it supporting SAML 2.0 the "protocol", not just SAML 2.0 the token.

Other new announcements included the Microsoft Federation Gateway, which allows you to federate with Microsoft Live (including both managed domains and individual consumers -- all 400 million of them), other Geneva (ADFS) organizations, and other third-party Security Token Services (STS). They also showed issuing LINQ queries against the .Net Access Control Service to retrieve roles to make authorization decisions.

Good show, gentlemen! This is a tremendous step forward for interoperability. I just hope that the interoperability between Geneva and other third-party STSs is much easier to implement than the brittle, painful interoperability between ADFS and Shibboleth (which didn't support SAML 2.0). Hopefully, Shibboleth will be one of those third parties!


Wednesday, October 22, 2008

The Semi-Automated Install of ILM 2 Beta 3

ILM 2 Beta 3 won't perform a completely automatic quiet install but we can come close. Colleague Brad Turner and I have developed the following approach to the install and the post install tasks.

Brad worked out most of the issues with the ILM 2 Services install itself and then I worked on most of the issues with the post install tasks. I will cover the install of the Metadirectory services first, then the ILM 2 Beta 3 Identity Management Platform Services including its batch files and then discuss the post install tasks and present its related files.

First up the install of the Metadirectory services. At this point I assume you have covered the prerequisites mentioned in the ILM "2" Beta 3 Installation Guide (of course we posted some of this to the community content there).

Be sure to put in your own preexisting AD groups and path to the installation folder, as well as the service account and password.

InstallSync.cmd

@echo off
rem This section specifies Group names, adding the domain\ in front configures them as a domain based group
set GROUPADMINS="info\ILM Admins"
set GROUPOPERATORS="info\ILM Operators"
set GROUPACCOUNTJOINERS="info\ILM Joiners"
set GROUPBROWSE="info\ILM Browse"
set GROUPPASSWORDSET="info\ILM PasswordSet"

rem ILM or DB directory?
set DBFileLocation=SQLDefault
set DBFILEMMSLOCATION="0"

rem To Use local server and instance (Default):
set SQLServerStore=LocalMachine
set SQLServerInstance=DefaultInstance

rem Installation Folder for x64
set INSTALLDIR64="E:\Program Files\Microsoft Identity Integration Server"

rem SERVICEACCOUNT is the Sync Engine Account
set SERVICEACCOUNT=svc.ilmsync
rem SERVICEDOMAIN is the domain the Sync Engine Account is in
set SERVICEDOMAIN=info
rem SERVICEPASSWORD is the password for the Sync Engine Account
set SERVICEPASSWORD=P@$$w0rd

msiexec /i "Identity Lifecycle Manager Evaluation.msi" /norestart /log setup.txt SERVICEACCOUNT=%SERVICEACCOUNT% SERVICEDOMAIN=%SERVICEDOMAIN% SERVICEPASSWORD=%SERVICEPASSWORD% DBFILEMMSLOCATION=%DBFILEMMSLOCATION% SQLServerStore=%SQLServerStore% SQLServerInstance=%SQLServerInstance% DBFileLocation=%DBFileLocation% GROUPADMINS=%GROUPADMINS% GROUPOPERATORS=%GROUPOPERATORS% GROUPACCOUNTJOINERS=%GROUPACCOUNTJOINERS% GROUPBROWSE=%GROUPBROWSE% GROUPPASSWORDSET=%GROUPPASSWORDSET% INSTALLDIR64=%INSTALLDIR64%

Brad and I like to use environmental variables defined in the batch file to "self-document the batch file." Since the install and the post install tend to reuse many of the same settings, I moved all of the environmental variables into one batch file which is then called from the installServer.cmd file and the PostInstallTasks.cmd file. This file is called SetInstallVariables.bat:

@echo off

set MAIL_SERVER="mail.ensynch.info"
set SERVICE_ACCOUNT_NAME=svc.ilmws
set SERVICE_ACCOUNT_PASSWORD=P@$$w0rd
set SERVICE_ACCOUNT_DOMAIN=info
set SERVICE_ACCOUNT_EMAIL="svc.ilmws@ensynch.info"
set RMS_PORT=526
set SERVICEADDRESS=localhost
set STS_PORT=527
set SHAREPOINT_PWD_RESET_SITE_URL="http://%COMPUTERNAME%/PasswordPortal/"
set SHAREPOINT_SITE_URL="http://localhost/identitymanagement/"
set SQLSERVER_SERVER="."
set SYNCHRONIZATION_SERVER_ACCOUNTNQ=info\svc.ilmma
set SYNCHRONIZATION_SERVER_ACCOUNT="%SYNCHRONIZATION_SERVER_ACCOUNTNQ%"

SET WSSSTSADM="%commonprogramfiles%\microsoft shared\web server extensions\12\bin\stsadm"

SET INTIAL_EMAIL_ALIAS=%USERNAME%@%USERDNSDOMAIN%
SET INITIAL_DESCRIPTION="%USERNAME% Initial Admin for ILM Portal"

rem These settings don't work (the installer ignores them)...
set SQMOPTINSETTING=0
set MAIL_SERVER_IS_EXCHANGE=0
set MAIL_SERVER_USE_SSL=0

rem Shows up in the UI, but doesn't apply...
rem set INSTALLDIR="E:\Program Files\Microsoft Identity Management\"

The installServer.cmd file:

@echo off

CALL SETINSTALLVARIABLES.bat

msiexec /i ilm-server-64bit.msi /log ilmserverx64.txt ACCEPT_EULA=1 MAIL_SERVER=%MAIL_SERVER% SERVICE_ACCOUNT_NAME=%SERVICE_ACCOUNT_NAME% SERVICE_ACCOUNT_PASSWORD=%SERVICE_ACCOUNT_PASSWORD% SERVICE_ACCOUNT_DOMAIN=%SERVICE_ACCOUNT_DOMAIN% SERVICE_ACCOUNT_EMAIL=%SERVICE_ACCOUNT_EMAIL% RUNNING_USER_EMAIL=%USERNAME%@%USERDNSDOMAIN% MAIL_SERVER_IS_EXCHANGE=%MAIL_SERVER_IS_EXCHANGE% MAIL_SERVER_USE_SSL=%MAIL_SERVER_USE_SSL% RMS_PORT=%RMS_PORT% SERVICEADDRESS=%SERVICEADDRESS% STS_PORT=%STS_PORT% SHAREPOINT_PWD_RESET_SITE_URL=%SHAREPOINT_PWD_RESET_SITE_URL% SHAREPOINT_SITE_URL=%SHAREPOINT_SITE_URL% SQLSERVER_SERVER=%SQLSERVER_SERVER% SQMOPTINSETTING=%SQMOPTINSETTING% SYNCHRONIZATION_SERVER_ACCOUNT=%SYNCHRONIZATION_SERVER_ACCOUNT%

After installation of ILM 2 Beta 3 you have several post install tasks per the ILM "2" Beta 3 Installation Guide:

  1. Grant Full Control rights to the ILM "2" SharePoint site to the initial user of the site
  2. Grant user rights for the ILM "2" Windows SharePoint Services site to domain users who require it
  3. Configure the ILM "2" Password Management Portal for anonymous access
  4. Disable SharePoint Indexing
  5. Exchange Server 2007 Web Service (EWS) Configuration
  6. Exchange Server 2007 Certificate installation
  7. ILM MA permissions (SQL permissions)
  8. Verify ILM Service account group membership
  9. ILM "2" Web Portal Access

For items 1 and 2 the guide provides a command line, but for steps 3-9 the guide only provides steps that must be done through the GUI.

With the help of some stsadm custom extensions written by SharePoint MVP Gary LaPointe we can easily automate step 3. We will use gl-setanonymousaccess.

Step 4 could be automated by using the following standard stsadm command to stop the Search service:

stsadm -o osearch -action stop -f

Or this could be handled during your WSS 3.0 install, which is how we did it. I'll have to ping another Ensynch colleague, Jeff Holliday (he calls his blog the SharePoint Redemption), to see how he did that when he created our install for WSS 3.0.

Steps 5 and 6 are manual as is 9 (well 9 is pretty involved), but 7 (ILM MA user account SQL Permissions) is easy to automate with a SQL Script. (For the time being I am going to be lazy about step 8 -- which could be automated but which I leave as an exercise to the reader).

We need to create a login for the account we specified for the ILM 2 MA, create a user for it in the MSILM database, and make that user a member of the db_owner fixed database role.

You'll see that I took advantage of sqlcmd's ability to do some preprocessing replacement using parameters or environmental variables. In this case I used environmental variables. You can see it wherever it says [$(something)] -- like this: [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)], which is set in the SetInstallVariables.bat file.

These environmental variables are set in a batch file that calls sqlcmd to execute this file: ILMMA_Permissions.sql

USE [master]

CREATE LOGIN [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)] FROM WINDOWS WITH DEFAULT_DATABASE=[MSILM]
GO

USE [MSILM]
GO
CREATE USER [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)] FOR LOGIN [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)]
GO

EXEC sp_addrolemember N'db_owner', N'$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)'

GO
DECLARE @myvar int
SELECT @myvar = (SELECT CASE
WHEN 1 = (SELECT COUNT(*) FROM sys.syslogins where name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
AND 1 = (SELECT COUNT(*) FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
AND 1 = (SELECT COUNT(*)
FROM sys.database_role_members
WHERE member_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
AND role_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='db_owner')
) THEN 0
WHEN 0 = (SELECT COUNT(*) FROM sys.syslogins where name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
THEN 1 -- Couldn't create Login
WHEN 0 = (SELECT COUNT(*) FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
THEN 2 -- Couldn't map user to MSILM database
WHEN 0 = (SELECT COUNT(*)
FROM sys.database_role_members
WHERE member_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)' )
AND role_principal_id =
(SELECT top 1 principal_id FROM sys.database_principals WHERE name ='db_owner')
)
THEN 3 -- Couldn't assign user to db_owner role
ELSE 4 -- unknown error
END)
EXIT(SELECT @myvar)

Here is the PostInstallTasks.cmd file:

@echo off

CALL SETINSTALLVARIABLES.bat

sqlcmd -S %SQLSERVER_SERVER%  -E -i ILMMA_Permissions.sql
if {%errorlevel%} == {4} (Echo  Unknown SQL Error
                goto SQLPermissionsError)
if {%errorlevel%} == {3} (Echo  Couldn't assign user %SYNCHRONIZATION_SERVER_ACCOUNTNQ% to db_owner role
                goto SQLPermissionsError)
if {%errorlevel%} == {2} (Echo  Couldn't map user %SYNCHRONIZATION_SERVER_ACCOUNTNQ% to MSILM database
                goto SQLPermissionsError)
if {%errorlevel%} == {1} (Echo  Couldn't create Login %SYNCHRONIZATION_SERVER_ACCOUNTNQ% On SQL Server
                goto SQLPermissionsError)

echo %WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin %USERDOMAIN%\%USERNAME% -useremail %INTIAL_EMAIL_ALIAS% -username %INITIAL_DESCRIPTION%  -role "Full Control"
%WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin %USERDOMAIN%\%USERNAME% -useremail %INTIAL_EMAIL_ALIAS% -username %INITIAL_DESCRIPTION%  -role "Full Control"
echo Done Setting access for initial user
echo %WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin "%SERVICE_ACCOUNT_DOMAIN%\Domain Users" -useremail users@%USERDNSDOMAIN% -username "Domain Users" -role "Contributor"
%WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin "%SERVICE_ACCOUNT_DOMAIN%\Domain Users" -useremail users@%USERDNSDOMAIN% -username "Domain Users" -role "Contributor"

REM comes from here http://stsadm.blogspot.com/2008/03/set-anonymous-access.html
echo Using This tool from http://stsadm.blogspot.com/2008/03/set-anonymous-access.html   to set anonymous access
%WSSSTSADM% -o gl-setanonymousaccess -url %SHAREPOINT_PWD_RESET_SITE_URL% -anonstate entireweb
if {%errorlevel%} NEQ {0} goto oopsNeedCustomstsadm

goto end

:SQLPermissionsError
echo please run and troubleshoot ILMMA_Permissions.sql in SQL Management Studio
echo remember to replace $(SYNCHRONIZATION_SERVER_ACCOUNTNQ) with %SYNCHRONIZATION_SERVER_ACCOUNTNQ%
goto end

:oopsNeedCustomstsadm
echo go download http://www.thelapointes.com/blog/stsadm.zip then run Package\ReleaseWSS\deploy.bat
echo if the deploy.bat doesn't work then change the first line to have the .wss.wsp like so
echo SET SOLUTION_NAME="Lapointe.SharePoint.STSADM.Commands.wss.wsp"

:end


SQL Server Agent should be running or install of ILM 2 Services fails

I posted the following to the Community Content Section of the ILM 2 Beta 3 Installation Guide

The SQL Agent Service account must be a SQL sysadmin and the SQL Agent Service must be running, or during install you may get "error -2147217900 Failed to execute sql string addtemporaleventsjobtoSQLServer" while trying to install ILM 2 Beta 3 Identity Management Platform Services. Apparently, the install routine needs to create a SQL Agent Job, and with SQL 2005 the Agent must be running to create a job.

The job it creates is called ILM_TemporalEventsJob and according to its description it "Periodically identify workflows to be run on objects that have transitioned to or from temporal sets." It is scheduled to be run every day at 1 AM.

It has only one step of type T-SQL: EXEC dbo.TriggerTemporalEvents. So later on if you find that objects are not getting transitioned to and from temporal sets you might need to come and check this job's history, and ensure that the SQL Agent is running.

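A T-SQL check for this job, added here as an example and not taken from the installation guide: it confirms the job exists with its single T-SQL step, shows the daily 1 AM schedule, and lists the most recent outcomes so a missing or failing run (and a stopped Agent) can be spotted. The Agent service account name is a placeholder you must replace.

```sql
-- Added example (not from the ILM 2 Beta 3 guide): verify the ILM_TemporalEventsJob
-- SQL Agent job that the installer creates. Run against the SQL Server hosting ILM.
USE msdb;
GO

-- 0. The Agent service account must be a sysadmin for the install to succeed.
--    DOMAIN\SqlAgentAccount is a placeholder; substitute your real Agent account.
SELECT IS_SRVROLEMEMBER('sysadmin', N'DOMAIN\SqlAgentAccount') AS agent_is_sysadmin;

-- 1. Job exists, is enabled, and its only step runs the temporal events procedure.
SELECT j.name,
       j.enabled,
       s.step_id,
       s.subsystem,        -- expect 'TSQL'
       s.database_name,    -- expect the ILM database
       s.command           -- expect 'EXEC dbo.TriggerTemporalEvents'
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE j.name = N'ILM_TemporalEventsJob';

-- 2. Schedule: freq_type 4 = daily, active_start_time 10000 = 01:00:00.
SELECT sc.name, sc.enabled, sc.freq_type, sc.freq_interval, sc.active_start_time
FROM dbo.sysjobs AS j
JOIN dbo.sysjobschedules AS js ON js.job_id = j.job_id
JOIN dbo.sysschedules   AS sc ON sc.schedule_id = js.schedule_id
WHERE j.name = N'ILM_TemporalEventsJob';

-- 3. Last ten job-level outcomes: run_status 1 = succeeded, 0 = failed, 3 = cancelled.
--    No rows at all means the job has never run, which usually means the
--    SQL Server Agent service is not running on this server.
SELECT TOP 10 h.run_date, h.run_time, h.run_status, h.message
FROM dbo.sysjobs AS j
JOIN dbo.sysjobhistory AS h ON h.job_id = j.job_id
WHERE j.name = N'ILM_TemporalEventsJob'
  AND h.step_id = 0   -- step 0 is the overall job outcome row
ORDER BY h.run_date DESC, h.run_time DESC;
```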


Changing SQL Service Account Passwords for a Cluster

Here is an excellent script for changing service account passwords, which should work fine as long as you restart the SQL services afterwards.

However the following blog post indicates that more is going on than just a password change:

"never use the plain old Windows Service Control Manager (SCM) to manipulate SQL Services. The SQL Server Configuration Manager does a lot more work in the background to keep security consistent across the installation."

This next blog post points out a way to change the SQL Service Account password programmatically in a way that is equivalent to using the Configuration Manager.

So here I have combined several approaches with the help of the WMI Code Creator.

My goal is to create a script that will accept a list of computers (set at the beginning of the script -- design time) and two command line parameters, the user account and the password, and then go change the password for all SQL Services on all computers listed (nodes of the cluster) that use that service account. So here it is:

' Change SQL Service Acct Passwords
' Equivalent to using SQL Configuration Manager
' Change passwords on multiple computers for all
' sql services using the supplied username
' Execute after changing the password in Active Directory
' Ideal for Clusters
' SQL 2005 or later
' Copyright 2008 David Lundell
' dlundell@ensynch.com

'1st parameter is the username domain\user or in the case of a local user
Set objArgs = WScript.Arguments
If objArgs.Count <> 2 Then
    WScript.Echo "Usage is:"
    WScript.Echo "cscript SQLSvcPasswordManagement.vbs /""domain\user"" /""NewPassword"""
    WScript.Quit(1)
End If

SvcAcct = objArgs(0)
SvcPassword = objArgs(1)

' replace the array with the list of computers in the cluster
arrComputers = Array("mbinb2")
For Each strComputer In arrComputers
    WScript.Echo
    WScript.Echo "=========================================="
    WScript.Echo "Computer: " & strComputer
    WScript.Echo "=========================================="

    ' Connect to the SQL Server WMI provider on this node
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\Microsoft\SqlServer\ComputerManagement")
    WScript.Echo "SELECT * FROM SqlService WHERE StartName = '" & SvcAcct & "'"
    Set ServiceCol = objWMIService.ExecQuery( _
        "SELECT * FROM SqlService WHERE StartName = '" & SvcAcct & "'",,48)

    For Each objItem In ServiceCol
        WScript.Echo "-----------------------------------"
        WScript.Echo "SqlService instance"
        WScript.Echo "-----------------------------------"
        WScript.Echo "StartName: " & objItem.StartName
        WScript.Echo "-----------------------------------"
        WScript.Echo "ServiceName: " & objItem.ServiceName
        ServiceName = objItem.ServiceName
        SvcType = objItem.SQLServiceType

        ' Obtain an instance of the class using its key property values.
        Set objShare = objWMIService.Get("SqlService.ServiceName='" & ServiceName & "',SQLServiceType='" & SvcType & "'")

        ' Obtain an InParameters object specific to the method.
        Set objInParam = objShare.Methods_("SetServiceAccountPassword"). _
            inParameters.SpawnInstance_()

        ' Add the input parameters.
        objInParam.Properties_.Item("AccountNewPassword") = SvcPassword
        objInParam.Properties_.Item("AccountOldPassword") = ""

        ' Execute the method and obtain the return status.
        ' The OutParameters object in objOutParams is created by the provider.
        Set objOutParams = objWMIService.ExecMethod("SqlService.ServiceName='" & ServiceName & "',SQLServiceType='" & SvcType & "'", "SetServiceAccountPassword", objInParam)

        ' List OutParams
        If objOutParams.ReturnValue = 0 Then
            WScript.Echo ServiceName & ": Successfully changed the password"
        Else
            WScript.Echo ServiceName & ": failed to change the password with error code " & objOutParams.ReturnValue
        End If
        WScript.Echo "Out Parameters: "
        WScript.Echo "ReturnValue: " & objOutParams.ReturnValue
    Next
Next

Wednesday, October 15, 2008

Installing a Multi-Instance SQL 2005 Cluster

Some of you may run into a problem when installing a multi-instance SQL Server Cluster, in particular when you install the second or third instance in your cluster.

Like this one:


Microsoft SQL Server 2005 Setup
SQL server Setup has determined that the Following account properties are not specified: 
‘SQLBROWSERACCOUNT’. The properties specify the startup account for the services that are installed. To proceed, refer to the template.ini and set the properties to valid account names. If you are specifying a windows user account, you must also specify the password for the account.

This may happen if you install the second instance (virtual server) on a node that is already part of the first instance (virtual server). It occurs because the SQL Browser service is already running on that node, so SQL setup detects the existing Browser service and does not prompt you for the credentials for all three services, only for SQL Server and SQL Agent, leaving out the SQL Browser. You will then see the above error.

Normally during the install you have the ability to customize all three services:

[Screenshot: service account configuration for all three services (SQL Server, SQL Server Agent and SQL Browser)]

But when installing the second instance in the cluster on a node that is part of the first virtual server (instance) all you get is this:

[Screenshot: service account configuration showing only SQL Server and SQL Server Agent]

If you use the same account for all of the services you may not see this error. If you use the same accounts across instances you may not see this error.

That is one other thing that sets this multi-instance SQL cluster apart from others; we tried to follow best practices for security by using separate accounts for each service for each instance. See the two tables below showing the user accounts and global groups created in Active Directory (domain local groups would work too). All of these user and group objects should exist in the same domain as the computer accounts for the Nodes.

SQL Instance 1

Parameter                                               Value (filled in by Client)
------------------------------------------------------  -------------------------------------------
Service account for SQL Server Database Engine          DOMAIN\MOSS_SQL_SER_1
Group for Service Account for SQL Server Database       DOMAIN\GMOSS_SQL_SER_1
Members of Group Above                                  DOMAIN\MOSS_SQL_SER_1
Service account for SQL Server Agent                    DOMAIN\MOSS_SQL_AGE_1
Group for SQL Server Agent                              DOMAIN\GMOSS_SQL_AGE_1
Members of Group Above                                  DOMAIN\MOSS_SQL_AGE_1
Service account for SQL Server Full Text Engine (FTE)   DOMAIN\MOSS_SQL_FTE_1
Group for Service account for SQL Server FTE            DOMAIN\GMOSS_SQL_FTE_1
Members of Group Above                                  DOMAIN\MOSS_SQL_FTE_1, DOMAIN\MOSS_SQL_SER_1


SQL Instance 2

Parameter                                               Value (filled in by Client)
------------------------------------------------------  -------------------------------------------
Service account for SQL Server Database Engine          DOMAIN\MOSS_SQL_SER_2
Group for Service Account for SQL Server Database       DOMAIN\GMOSS_SQL_SER_2
Members of Group Above                                  DOMAIN\MOSS_SQL_SER_2
Service account for SQL Server Agent                    DOMAIN\MOSS_SQL_AGE_2
Group for SQL Server Agent                              DOMAIN\GMOSS_SQL_AGE_2
Members of Group Above                                  DOMAIN\MOSS_SQL_AGE_2
Service account for SQL Server Full Text Engine (FTE)   DOMAIN\MOSS_SQL_FTE_2
Group for Service account for SQL Server FTE            DOMAIN\GMOSS_SQL_FTE_2
Members of Group Above                                  DOMAIN\MOSS_SQL_FTE_2, DOMAIN\MOSS_SQL_SER_2

According to Microsoft CSS (or PSS, or whatever you want to call the boys and girls on the other end of the 800 number), the SQL Server product group is aware of this and has declared that it is an "Expected Program Behavior" (notice the absence of the words bug and feature) that just isn't documented yet, and won't be changed in the future.

However, CSS was kind enough to discuss the workarounds, and help us through them.

There are two workarounds: the first is to install SQL from the command line. You can try to use the command line options or configure an ini file.

Start /wait <CD or DVD Drive>\servers\setup.exe /qn ^
  VS=MOSS-ENT-SQL2 ^
  INSTALLVS=SQL_Engine INSTANCENAME=MOSSENTSQL2 ADDLOCAL=SQL_Engine,Client_Components ADDNODE=node1,node2,node3 ^
  GROUP=MOSS-ENT-SQL2 ^
  IP="15.13.15.16,Public 15.13.15.x Interface" ADMINPASSWORD=<StrongPassword> ^
  SAPWD=<StrongPassword> ^
  INSTALLSQLDIR="d:\Program Files\Microsoft SQL Server\" INSTALLSQLDATADIR="k:\Microsoft SQL Server" SQLACCOUNT=theDomain\moss_sql_ser_2 SQLPASSWORD=<DomainUserPassword> AGTACCOUNT=theDomain\moss_sql_age_2 AGTPASSWORD=<DomainUserPassword> SQLBROWSERACCOUNT=theDomain\moss_sql_ser_2 SQLBROWSERPASSWORD=<DomainUserPassword> SQLCLUSTERGROUP="theDomain\gmoss_sql_ser_2" AGTCLUSTERGROUP="theDomain\gmoss_sql_age_2" FTSCLUSTERGROUP="theDomain\gmoss_sql_ser_2" ERRORREPORTING=1 SQMREPORTING=1 SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS

The pure command line options approach did not work for me and Ramana Akula (Satyam Computer Services), the DBA at the client. If you can find the error in the use of the command line options please let me know.

We did not attempt the ini file method -- perhaps that would have worked.

Since this was a new cluster we took the second workaround: remove one node from the virtual server (SQL instance), which removes the SQL Browser Service, and then run the install on that node. This worked.

To remove a node from an instance or virtual server:

1) Log on to the node that owns the SQL Instance from which you wish to remove a node.

2) Go to Control Panel -> Add/Remove Programs -> Microsoft SQL Server and click change.

3) Select the instance and click Next (OK, we cheated on this screenshot: this one was actually taken after we had done everything successfully):

[Screenshot: instance selection]

4) Then select Database Engine (Clustered) and click Next.

[Screenshot: Database Engine (Clustered) component selection]

5) Then click Next on the Welcome Wizard.

[Screenshot: Welcome wizard]

6) Click Next after the System Consistency Checker -- or is it System Configuration Check? (the SQL documentation vacillates between these two titles) -- is done.

[Screenshot: System Configuration Check results]

7) Then click Next.

8) Then click Maintain the Virtual Server. (Do not click Remove Microsoft SQL Server as this will uninstall the instance -- the virtual server).

[Screenshot: Maintain the Virtual Server option]

9) Then in the list of Selected Nodes select the node you want to remove from the Instance/Virtual Server. Click Remove and then click Next.

[Screenshot: Selected Nodes list with the Remove button]

10) After the uninstall is complete, log off from the node where you ran this and connect to the node you removed from the Instance/Virtual Server.

11) Then run the Install creating a new Failover Cluster.

When that is done, and before applying your SQL service packs, re-add this node to the Instance/Virtual Server.

If this were a car repair manual I would simply say installation is the reverse of removal and no one would bat an eye. Instead I will give you a little more help:

Repeat steps 1-8.

Then in the list of Available Nodes select the node to be added and click Add. Then click Next.

[Screenshot: Available Nodes list with the Add button]

As the installation completes you will then receive a warning about needing to reapply service packs to the node you just added to the Instance/Virtual Server.

A reboot may be required on the node to be re-added. But if you wish to avoid it


Additional Links and Articles

Failover Cluster Troubleshooting (I added some Community Content to this page; to see it, go to the Failover article and scroll to the bottom)

SQL Service Account needs to be in the group for Full Text Searching

Troubleshooting Task Scheduler for your SQL Cluster Install


Wednesday, October 8, 2008

Projections showing up as Joins?

https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=373881&SiteID=433

So I found a slight inconsistency when following some of the ILM 2 walk-throughs. When you set up an inbound sync rule that creates objects in ILM, the lineage says that the connector space object became a connector through join rules instead of projection rules. Minor bug -- but it sure can be confusing.


HR Inbound Sync Rule

General Information
  Created Time: 8/27/2008 8:10:09 PM
  Connected System: {0cd165ec-2745-4afd-95c0-a8f7dbeefe44}
  Connected Object Type: person
  ILM Object Type: managed:Person
  Precedence: 1
  Create ILM Object: True
  Create Connected System Object: False
  Disconnect Connected System Object: False
  Flow Type: Inbound

Relationships (ILM Attribute = Data Source Attribute)
  managed:EmployeeID = EmployeeID

Parameters (Parameter Name, Type)
  (none listed)

Initial Import Flows (Destination <- Source)
  managed:EmployeeID <- EmployeeID

Persistent Import Flows (Destination <- Source)
  managed:AccountName <- UserID
  managed:Company <- Company
  managed:FirstName <- FirstName
  managed:LastName <- LastName
  managed:Manager <- Manager
  managed:EmployeeType <- EmployeeType
  managed:DisplayName <- FirstName + " " + LastName
