My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Wednesday, April 15, 2009

Ensynch The Place to Be

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of IdentityJunkie.com fame is extremely talented with ILM, AD Federated Services (AD FS) and many other tools.

Mark Struck, is a very talented developer, and experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.


Saturday, November 1, 2008

ILM 2 Web Services Part 1 The Service Reference

Together, Mark Struck of Ipseity Inc and I, have figured out (after much beating of our heads against brick walls) how to use the ILM 2 Enumeration Endpoint to perform some basic reporting. (I figured out how to send the enumeration and get a response and then Mark figured out how to correctly form the pull messages so as to be able to retrieve the actual objects -- teamwork at its finest). We would also like to thank Mark Gabarra and Rob Ward for their input.

Here are some lessons we learned:

First lesson: the SDK provided with ILM 2 Beta 3 is incomplete and in some cases misleading. (Just one of those areas that hasn't been well documented yet)

Second lesson: Reading the WS-Enumeration specification is like drinking from a fire hose.

Third lesson: Case matters when specifying the endpoint.

Today's post will show you how to set up the Service Reference.

In the Add Service Reference dialog, type in http://localhost:526/ResourceManagementService/MEX/

The case of the URL is important: ResourceManagementService must be capitalized exactly as shown (R, M and S), and so must MEX.

The name you type in for the namespace is important, as it is the name you will use in your code.

I recommend replacing the ServiceReference1 that you see in the figure with ILM_RMS.


After you click Go it shows you the various services available and operations for each service. The Search Service is the one we will want.


Once you click OK you see the following show up under service reference:


An enumeration.wsdl file is generated and your app.config file will also be populated with lots of settings such as this one.

<binding name="ServiceMultipleTokenBinding_Search" closeTimeout="00:01:00"
    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
    maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
    allowCookies="false" contextProtectionLevel="Sign">
  <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  <reliableSession ordered="true" inactivityTimeout="00:10:00"
      enabled="false" />
  <security mode="Message">
    <transport clientCredentialType="Windows" proxyCredentialType="None"
        realm="" />
    <message clientCredentialType="Windows" negotiateServiceCredential="true"
        algorithmSuite="Default" establishSecurityContext="false" />
  </security>
</binding>

You can also generate this info through a command line approach using the svcutil.exe utility.

Then in your code you make use of it like this (from my VB.NET code):

Dim scReporting As ILM_RMS.SearchClient 
scReporting = New ILM_RMS.SearchClient("ServiceMultipleTokenBinding_Search")

Note how the namespace you set up when you made the service reference is used, and how the binding name must match the one in the app.config file. Instead of using the settings in the config file you can set up the binding programmatically, as in this example from Mark Struck's C# code:

WSHttpContextBinding wsBinding = new WSHttpContextBinding(); 
// Cannot use WSHttpBinding since it does not allow you to Sign the EnumerationContext element
// WsHttpContextBinding provides a property called ContextProtectionLevel which defaults to Sign, which is
// what is needed to communicate with the web service when the action is Pull.
// WsHttpBinding will work if you are just calling the web service with the Enumerate action.
//WSHttpBinding wsBinding = new WSHttpBinding();

// Set binding properties
wsBinding.ReceiveTimeout = new TimeSpan( 0, 5, 0);
wsBinding.SendTimeout = new TimeSpan( 0, 5, 0);
wsBinding.Security.Mode = SecurityMode.Message;
wsBinding.Security.Message.EstablishSecurityContext = false;
wsBinding.Security.Message.NegotiateServiceCredential = true;
wsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
wsBinding.Security.Message.AlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Default;

// Create EndpointAddress object and create the SearchClient object with the binding and endpointaddress objects
EndpointAddress ep = new EndpointAddress(ILMSERVICE_URI_ENUMERATION);
SearchClient searchClient = new SearchClient(wsBinding, ep);


Under the hood of ILM 2 -- Part 2 Read the WCF Trace!

Take a look at Part 1 to enable tracing.

To view the log you need to have installed the Windows SDK and then you use the Service Trace Viewer

C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\SvcTraceViewer.exe

If the file is over 50 MB you will get the partial loading screen like this one. Try to limit the estimated size; if you open too much it will be very slow. Even 20 MB can be really slow.


You can also adjust this after you open the file.


To view what is happening, click on Activity 00000000000000 and then browse through the actions.


Most of it is just noise -- "The Policy Application Manager is executing" or "The Policy Application Manager has finished executing" (the first two are shown below).


Take a look at the next action, ExecuteQuery.ExecuteReader, where it is retrieving a list of Workflow Definition objects (see the detail information, where it shows the XPath query filter inside the parentheses):

Query: QueryProcessor.ExecuteQuery.ExecuteReader(/WorkflowDefinition)


Then you can see how it retrieves the objects that were returned as part of the query.


The process continues to retrieve objects and then sets up a WorkflowServiceHost for the workflows.



Under the hood of ILM 2 -- Part 1 Enable WCF Tracing!

Want to understand what is happening with your custom ILM 2 workflow, or with your calls to the web service?

Try enabling WCF tracing. By enabling WCF tracing for the Identity Lifecycle Manager Resource Management Service you get to track requests to the web service. This can help you figure out whether your requests are even reaching the web service.

To enable tracing open the config file:

C:\Program Files\Microsoft Identity Management\Common Services\Microsoft.ResourceManagement.Service.exe.config

In the <configuration> element, after </configSections> and before <appSettings>, add the following:

<!-- Enable Tracing -->
<system.diagnostics>
  <trace autoflush="true" />
  <sources>
    <source name="Microsoft.ResourceManagement" switchValue="All">
      <listeners>
        <add name="text" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\logs\service.txt" traceOutputOptions="Timestamp,ThreadId,DateTime"/>
        <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="c:\logs\service.svclog" traceOutputOptions="Timestamp,ThreadId,DateTime"/>
      </listeners>
    </source>
  </sources>
</system.diagnostics>
<!-- End Enable Tracing -->

Then you need to create the directory the listeners write to (c:\logs in the config above) and restart the ILM Common Services. If the directory doesn't exist when the service starts, logging won't work, and creating it afterwards won't help until you restart the service again. Since the trace records request details (the XPath queries, for example), keep the permissions on the log directory tight and turn the switchValue back off once you are done troubleshooting.

To view the log you need to have installed the Windows SDK and then you use the Service Trace Viewer

C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\SvcTraceViewer.exe

For more info on how to read and interpret the trace see Part 2.

For more info on writing your own traces from your own code see Craig Martin's post on WCF tracing.


Wednesday, October 22, 2008

The Semi-Automated Install of ILM 2 Beta 3

ILM 2 Beta 3 won't perform a completely automatic quiet install but we can come close. Colleague Brad Turner and I have developed the following approach to the install and the post install tasks.

Brad worked out most of the issues with the ILM 2 Services install itself and then I worked on most of the issues with the post install tasks. I will cover the install of the Metadirectory services first, then the ILM 2 Beta 3 Identity Management Platform Services including its batch files and then discuss the post install tasks and present its related files.

First up the install of the Metadirectory services. At this point I assume you have covered the prerequisites mentioned in the ILM "2" Beta 3 Installation Guide (of course we posted some of this to the community content there).

Be sure and put in your own preexisting AD groups and path to the installation folder, as well as service account and password.

InstallSync.cmd

@echo off
rem This section specifies Group names, adding the domain\ in front configures them as a domain based group
set GROUPADMINS="info\ILM Admins"
set GROUPOPERATORS="info\ILM Operators"
set GROUPACCOUNTJOINERS="info\ILM Joiners"
set GROUPBROWSE="info\ILM Browse"
set GROUPPASSWORDSET="info\ILM PasswordSet"

rem ILM or DB directory?
set DBFileLocation=SQLDefault
set DBFILEMMSLOCATION="0"

rem To Use local server and instance (Default):
set SQLServerStore=LocalMachine
set SQLServerInstance=DefaultInstance

rem Installation Folder for x64
set INSTALLDIR64="E:\Program Files\Microsoft Identity Integration Server"

rem SERVICEACCOUNT is the Sync Engine Account
set SERVICEACCOUNT=svc.ilmsync
rem SERVICEDOMAIN is the domain the Sync Engine Account is in
set SERVICEDOMAIN=info
rem SERVICEPASSWORD is the password for the Sync Engine Account
set SERVICEPASSWORD=P@$$w0rd

msiexec /i "Identity Lifecycle Manager Evaluation.msi" /norestart /log setup.txt SERVICEACCOUNT=%SERVICEACCOUNT% SERVICEDOMAIN=%SERVICEDOMAIN% SERVICEPASSWORD=%SERVICEPASSWORD% DBFILEMMSLOCATION=%DBFILEMMSLOCATION% SQLServerStore=%SQLServerStore% SQLServerInstance=%SQLServerInstance% DBFileLocation=%DBFileLocation% GROUPADMINS=%GROUPADMINS% GROUPOPERATORS=%GROUPOPERATORS% GROUPACCOUNTJOINERS=%GROUPACCOUNTJOINERS% GROUPBROWSE=%GROUPBROWSE% GROUPPASSWORDSET=%GROUPPASSWORDSET% INSTALLDIR64=%INSTALLDIR64%

Brad and I like to use environment variables defined in the batch file to "self-document the batch file." Since the install and the post-install tasks tend to reuse many of the same settings, I moved all of the environment variables into one batch file which is then called from the InstallServer.cmd file and the PostInstallTasks.cmd file. This file is called SetInstallVariables.bat:

@echo off

set MAIL_SERVER="mail.ensynch.info"
set SERVICE_ACCOUNT_NAME=svc.ilmws
set SERVICE_ACCOUNT_PASSWORD=P@$$w0rd
set SERVICE_ACCOUNT_DOMAIN=info
set SERVICE_ACCOUNT_EMAIL="svc.ilmws@ensynch.info"
set RMS_PORT=526
set SERVICEADDRESS=localhost
set STS_PORT=527
set SHAREPOINT_PWD_RESET_SITE_URL="http://%COMPUTERNAME%/PasswordPortal/"
set SHAREPOINT_SITE_URL="http://localhost/identitymanagement/"
set SQLSERVER_SERVER="."
set SYNCHRONIZATION_SERVER_ACCOUNTNQ=info\svc.ilmma
set SYNCHRONIZATION_SERVER_ACCOUNT="%SYNCHRONIZATION_SERVER_ACCOUNTNQ%"

SET WSSSTSADM="%commonprogramfiles%\microsoft shared\web server extensions\12\bin\stsadm"

SET INTIAL_EMAIL_ALIAS=%USERNAME%@%USERDNSDOMAIN%
SET INITIAL_DESCRIPTION="%USERNAME% Initial Admin for ILM Portal"

rem These don't take effect...
set SQMOPTINSETTING=0
set MAIL_SERVER_IS_EXCHANGE=0
set MAIL_SERVER_USE_SSL=0

rem Shows up in the UI, but doesn't apply...
rem set INSTALLDIR="E:\Program Files\Microsoft Identity Management\"

The installServer.cmd file:

@echo off

CALL SETINSTALLVARIABLES.bat

msiexec /i ilm-server-64bit.msi /log ilmserverx64.txt ACCEPT_EULA=1 MAIL_SERVER=%MAIL_SERVER% SERVICE_ACCOUNT_NAME=%SERVICE_ACCOUNT_NAME% SERVICE_ACCOUNT_PASSWORD=%SERVICE_ACCOUNT_PASSWORD% SERVICE_ACCOUNT_DOMAIN=%SERVICE_ACCOUNT_DOMAIN% SERVICE_ACCOUNT_EMAIL=%SERVICE_ACCOUNT_EMAIL% RUNNING_USER_EMAIL=%USERNAME%@%USERDNSDOMAIN% MAIL_SERVER_IS_EXCHANGE=%MAIL_SERVER_IS_EXCHANGE% MAIL_SERVER_USE_SSL=%MAIL_SERVER_USE_SSL% RMS_PORT=%RMS_PORT% SERVICEADDRESS=%SERVICEADDRESS% STS_PORT=%STS_PORT% SHAREPOINT_PWD_RESET_SITE_URL=%SHAREPOINT_PWD_RESET_SITE_URL% SHAREPOINT_SITE_URL=%SHAREPOINT_SITE_URL% SQLSERVER_SERVER=%SQLSERVER_SERVER% SQMOPTINSETTING=%SQMOPTINSETTING% SYNCHRONIZATION_SERVER_ACCOUNT=%SYNCHRONIZATION_SERVER_ACCOUNT%

After installation of ILM 2 Beta 3 you have several post install tasks per the ILM "2" Beta 3 Installation Guide:

  1. Grant Full Control rights to the ILM "2" SharePoint site to the initial user of the site
  2. Grant user rights for the ILM “2” Windows SharePoint Services site to domain users who require it
  3. Configure the ILM “2” Password Management Portal for anonymous access
  4. Disable SharePoint Indexing
  5. Exchange Server 2007 Web Service (EWS) Configuration
  6. Exchange Server 2007 Certificate installation
  7. ILM MA permissions (SQL permissions)
  8. Verify ILM Service account group membership
  9. ILM “2” Web Portal Access

For items 1 and 2 the guide provides a command line but for steps 3-9 the guide only provides steps that must be done through the GUI.

With the help of some stsadm custom extensions written by SharePoint MVP Gary LaPointe we can easily automate step #3. We will use gl-setanonymousaccess.

Step 4 could be automated by using the following standard stsadm command to stop the Search service

stsadm -o osearch -action stop -f

Or this could be handled during your WSS 3.0 install, which is how we did it. I'll have to ping another Ensynch colleague, Jeff Holliday (he calls his blog the SharePoint Redemption), to see how he did that when he created our install for WSS 3.0.

Steps 5 and 6 are manual as is 9 (well 9 is pretty involved), but 7 (ILM MA user account SQL Permissions) is easy to automate with a SQL Script. (For the time being I am going to be lazy about step 8 -- which could be automated but which I leave as an exercise to the reader).

We need to create a login for the account we specified for the ILM 2 MA, create a user for it in the MSILM database and make it a member of the db_owner fixed database role.

You'll see that I took advantage of sqlcmd's ability to do some preprocessing replacement using parameters or environment variables. In this case I used environment variables. You can see this wherever it says [$(something)] -- like this: [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)], which is set in the SetInstallVariables.bat file.

These environmental variables are set in a batch file that calls sqlcmd to execute this file: ILMMA_Permissions.sql

USE [master]
GO

CREATE LOGIN [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)] FROM WINDOWS WITH DEFAULT_DATABASE=[MSILM]
GO

USE [MSILM]
GO

CREATE USER [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)] FOR LOGIN [$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)]
GO

EXEC sp_addrolemember N'db_owner', N'$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)'
GO

-- Verify each step and hand the result back to the calling batch file as sqlcmd's exit code:
-- 0 = everything in place, 1 = login missing, 2 = user missing, 3 = not in db_owner, 4 = unknown
DECLARE @myvar int
SELECT @myvar = (SELECT CASE
    WHEN 1 = (SELECT COUNT(*) FROM sys.syslogins WHERE name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
     AND 1 = (SELECT COUNT(*) FROM sys.database_principals WHERE name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
     AND 1 = (SELECT COUNT(*)
              FROM sys.database_role_members
              WHERE member_principal_id =
                    (SELECT TOP 1 principal_id FROM sys.database_principals WHERE name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
                AND role_principal_id =
                    (SELECT TOP 1 principal_id FROM sys.database_principals WHERE name = 'db_owner')
             ) THEN 0
    WHEN 0 = (SELECT COUNT(*) FROM sys.syslogins WHERE name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
        THEN 1 -- Couldn't create Login
    WHEN 0 = (SELECT COUNT(*) FROM sys.database_principals WHERE name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
        THEN 2 -- Couldn't map user to MSILM database
    WHEN 0 = (SELECT COUNT(*)
              FROM sys.database_role_members
              WHERE member_principal_id =
                    (SELECT TOP 1 principal_id FROM sys.database_principals WHERE name = '$(SYNCHRONIZATION_SERVER_ACCOUNTNQ)')
                AND role_principal_id =
                    (SELECT TOP 1 principal_id FROM sys.database_principals WHERE name = 'db_owner')
             )
        THEN 3 -- Couldn't assign user to db_owner role
    ELSE 4 -- unknown error
END)
EXIT(SELECT @myvar)

Here is the PostInstallTasks.cmd file:

@echo off

CALL SETINSTALLVARIABLES.bat

sqlcmd -S %SQLSERVER_SERVER% -E -i ILMMA_Permissions.sql
if {%errorlevel%} == {4} (
    Echo Unknown SQL Error
    goto SQLPermissionsError)
if {%errorlevel%} == {3} (
    Echo Couldn't assign user %SYNCHRONIZATION_SERVER_ACCOUNTNQ% to db_owner role
    goto SQLPermissionsError)
if {%errorlevel%} == {2} (
    Echo Couldn't map user %SYNCHRONIZATION_SERVER_ACCOUNTNQ% to MSILM database
    goto SQLPermissionsError)
if {%errorlevel%} == {1} (
    Echo Couldn't create Login %SYNCHRONIZATION_SERVER_ACCOUNTNQ% On SQL Server
    goto SQLPermissionsError)

echo %WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin %USERDOMAIN%\%USERNAME% -useremail %INTIAL_EMAIL_ALIAS% -username %INITIAL_DESCRIPTION%  -role "Full Control"
%WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin %USERDOMAIN%\%USERNAME% -useremail %INTIAL_EMAIL_ALIAS% -username %INITIAL_DESCRIPTION%  -role "Full Control"
echo Done Setting access for initial user
echo %WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin "%SERVICE_ACCOUNT_DOMAIN%\Domain Users" -useremail users@%USERDNSDOMAIN% -username "Domain Users" -role "Contributor"
%WSSSTSADM% -o adduser -url %SHAREPOINT_SITE_URL% -userlogin "%SERVICE_ACCOUNT_DOMAIN%\Domain Users" -useremail users@%USERDNSDOMAIN% -username "Domain Users" -role "Contributor"

REM comes from here http://stsadm.blogspot.com/2008/03/set-anonymous-access.html
echo Using This tool from http://stsadm.blogspot.com/2008/03/set-anonymous-access.html   to set anonymous access
%WSSSTSADM% -o gl-setanonymousaccess -url %SHAREPOINT_PWD_RESET_SITE_URL% -anonstate entireweb
if {%errorlevel%} NEQ {0} goto oopsNeedCustomstsadm

goto end

:SQLPermissionsError
echo please  run and troubleshoot ILMMA_Permissions.sql in SQL Management studio
echo remember to replace $(SYNCHRONIZATION_SERVER_ACCOUNTNQ) with %SYNCHRONIZATION_SERVER_ACCOUNTNQ%
goto end

:oopsNeedCustomstsadm
echo go download http://www.thelapointes.com/blog/stsadm.zip then run Package\ReleaseWSS\deploy.bat
echo if the deploy.bat doesn't work then change the first line to have the .wss.wsp like so
echo SET SOLUTION_NAME="Lapointe.SharePoint.STSADM.Commands.wss.wsp"

:end


SQL Server Agent should be running or install of ILM 2 Services fails

I posted the following to the Community Content Section of the ILM 2 Beta 3 Installation Guide

The SQL Agent Service account must be a SQL sysadmin and the SQL Agent Service must be running, or during install you may get "error -2147217900 Failed to execute sql string addtemporaleventsjobtoSQLServer" while trying to install ILM 2 Beta 3 Identity Management Platform Services. Apparently the install routine needs to create a SQL Agent job, and with SQL 2005 the Agent must be running to create a job.

The job it creates is called ILM_TemporalEventsJob and according to its description it "Periodically identify workflows to be run on objects that have transitioned to or from temporal sets." It is scheduled to be run every day at 1 AM.

It has only one step of type T-SQL: EXEC dbo.TriggerTemporalEvents. So later on if you find that objects are not getting transitioned to and from temporal sets you might need to come and check this job's history, and ensure that the SQL Agent is running.



Wednesday, October 8, 2008

Projections showing up as Joins?

https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=373881&SiteID=433

So I found a slight inconsistency when following some of the ILM 2 walk-throughs. When you set up an inbound sync rule that creates objects in ILM, the lineage says that the connector space object became a connector through join rules instead of projection rules. Minor bug -- but it sure can be confusing. Here is the sync rule in question:


HR Inbound Sync Rule

General Information
  Created Time: 8/27/2008 8:10:09 PM
  Connected System: {0cd165ec-2745-4afd-95c0-a8f7dbeefe44}
  Connected Object Type: person
  ILM Object Type: managed:Person
  Precedence: 1
  Create ILM Object: True
  Create Connected System Object: False
  Disconnect Connected System Object: False
  Flow Type: Inbound

Relationships (ILM Attribute <- Data Source Attribute)
  managed:EmployeeID <- EmployeeID

Parameters (Parameter Name / Type)
  (none)

Initial Import Flows (Destination <- Source)
  managed:EmployeeID <- EmployeeID

Persistent Import Flows (Destination <- Source)
  managed:AccountName <- UserID
  managed:Company <- Company
  managed:FirstName <- FirstName
  managed:LastName <- LastName
  managed:Manager <- Manager
  managed:EmployeeType <- EmployeeType
  managed:DisplayName <- FirstName + " " + LastName


Tuesday, September 16, 2008

a sprinkling of understanding Workflow in ILM 2

So by now all of you know that understanding Windows Workflow Foundation is going to be quite helpful in implementing ILM 2.

Having lived 9 of the last 12 months in Redmond, WA, I now understand a lot more about sprinkling

So I thought I would provide a sprinkling of understanding about Windows Workflow Foundation: a categorization of the built-in workflow activities.

Category      Activity                     Composite   Notes
              Invoke Web Service
Conditional   Conditional Activity Group
Conditional   IfElse
Conditional   Policy                                   Akin to a switch statement or Select Case
Conditional   While
Custom        Code
Error         Compensate
Error         Fault Handler
Error         Throw
Flow          Delay
Flow          EventDriven
Flow          Listen                       X           2+ event driven
Flow          Parallel                     X           2+ sequence
Flow          Replicator                               for each
Flow          State
Flow          Sequence                     X
Flow          SetState
Flow          StateInitialization          X
Flow          Suspend
Flow          Terminate
Flow          Transaction Scope


Friday, September 12, 2008

ILM 2 Beta 3 Bug: Action Process Function Evaluator Activity doesn't work when using only one field

ID: 367381

Description

Action Process Function Evaluator Activity doesn't work when using only one field, but when I concatenate with 2 it works.

Repro Steps

1) Create an Action Process
2) Add one activity: Function Evaluator
3) Set the destination to an attribute (like DisplayName) and select only one field in the value: LastName
4) Then build an MPR to apply to All People (don't check Grants Permission):
   Operations: Create and Modify
   Requestors: All People
   All Attributes
   Condition Before: All People
   Condition After: All People
   Policy Workflows: Add your Action Process
5) Then create or modify a user
6) Open the user again and note that it did not work
7) Then look at Search Requests, view the request and note the following error: Data at the root level is invalid. Line 1, position 1.

This fails


and when used gives this error:


But this works (as does concatenating with a "" string)


Please repro and validate as a bug.


Tuesday, September 2, 2008

Expanding a Windows Server 2008 System partition on a HyperV Guest

While building out some virtual machines for our ILM 2 Beta 3 environment...

We set up a few 64-bit Windows Server 2008 SP1 virtual machines (SP1 is built in to the RTM) running on Hyper-V. Everything is very slick! Except we only set aside 16 GB for the virtual disk for the system partition. Despite installing SQL, SharePoint, and ILM 2 to another drive, the system partition quickly filled up and didn't have enough room for Visual Studio (even though I wanted to install it on another partition). All of these programs install a lot of stuff on the system partition no matter what I select. While moving the paging file freed up some space, it wasn't enough.

Then of course someone went and reread the Windows Server 2008 requirements and they said minimum 10 GB recommended 40 GB. So we decided to go for 64 GB. But expanding your system partition is not all that straightforward.

Here is how:


If the virtual disk needs to be expanded you need to ensure that there are no snapshots and that the VM is shut down. If there are snapshots you will need to delete them. This deletion will require a disk merge to take place and will take a while.


Highlight the VM and click settings

Navigate to the Hard drive you wish to expand


Then click Edit. On the Choose Action screen select Expand. (If this is a fixed disk then you will need to do a Convert first.)


Enter the new size and click Finish, then wait a while.


Next configure the VM to boot from CD/DVD.

Configure the DVD to use a Windows Server 2008 WinPE ISO image, which can be downloaded from here:

http://www.microsoft.com/downloads/details.aspx?familyid=94BB6E34-D890-4932-81A5-5B50C657DE08&displaylang=en


Before starting the VM, realize that you only have a short window to tell it to boot from CD/DVD.

So connect to the VM before you turn it on.


Within a few seconds it will prompt you to press any key to boot from CD or DVD.

Then the Windows files will load. If you are prompted to press Ctrl-Alt-Delete then it didn't work; shut down and try again.

If you see this then you are successful. Wait another few seconds for the prompt to appear.


Enter DiskPart by typing diskpart at the command prompt.


Select the disk you want (select disk 0) and confirm by typing detail disk.

If you need help, type list disk.

Next select the right volume (select volume 1).


Then extend the volume by entering how much larger to make it -- not the new size, but the difference between the current size and the new size.


Then reboot by typing exit and hitting Enter, twice (once to leave DiskPart and then once to leave the WPE).

(If you want, you can also change your boot order back, as this will eliminate a small delay in the boot process.)

Then log on and confirm it is done.


While I had fun uncovering the secrets of HyperV (thanks to Ian Henry for teaching me about WPE), the most valuable thing I did today was to play tee-ball and soccer with my eight year old daughter and my three sons.


Wednesday, July 30, 2008

Pending Exports Report in ILM

Hopefully this topic will stir up some excitement among those wondering how to query objects in the connector space. The technique I am about to explicate for you works for both exports and imports.

As many of you are aware, my colleague and fellow ILM MVP Brad Turner created the community reporting pack for MIIS/ILM some time ago. This is a package of reports written in SQL Server Reporting Services (SSRS).

Most of you are also aware that you can tell an import or export run profile step to drop an audit file. The audit file is in DSML format (an XML format), and XML files can be used as the source for SSRS reports.

A later report he created was for Pending Exports, to show clients what records are about to be exported (drop audit file and stop) or what records were just exported (drop audit file).

1) Turn on the drop audit file for the export run profile step.

2) Create a virtual directory in IIS that points to the MAData subfolder location and allows you to see the file

3) Create a data source in SSRS for that file and only that file. This means you have to create a data source for each audit file. Wow -- doable but painful!

A short while ago I took this process and made it even slicker. I present the background of all this to show why Brad and I form the nucleus of a great team. I had not thought of creating a report based on the audit file. I viewed the audit file as a troubleshooting technique, not as a great way to be able to report on exports or imports. My inspiration was how to make this more flexible.

I created a stored procedure (only works on SQL 2005) that uses SQLXML (specifically sp_xml_preparedocument and OPENXML) to shred the XML data into relational data.

Additionally, I created the stored procedure so that it can accept a lot of parameters, allowing us to report the pending exports (or what was just exported) for any of the MAs.

That means that we only need one data source -- pointing to the database that houses the stored procedure.

First allow me to demonstrate the basic technique:

SET NOCOUNT ON

DECLARE @ADXMLData XML

-- Load the whole audit (drop) file into an XML variable
SELECT @ADXMLData = BulkColumn
FROM OPENROWSET(BULK 'C:\Ensynch_projects\Reports\ILMReports\copy of admaexports.xml', SINGLE_NCLOB) AS AD

-- Parse it once; the "a" prefix is needed because mmsml uses a default namespace
DECLARE @docHandle int
EXEC sp_xml_preparedocument @docHandle OUTPUT, @ADXMLData, '<mmsml xmlns:a="http://www.microsoft.com/mms/mmsml/v2"/>'

-- One row per referenced DN; the ../ paths reach back up to the dn-value, dn-attr and delta elements
SELECT *
FROM OPENXML(@docHandle, N'//a:mmsml/a:directory-entries/a:delta/a:dn-attr/a:dn-value/a:dn', 2)
WITH (
     DeltaOp  varchar(100)  '../../../@operation'
    ,DNAOp    varchar(100)  '../../@operation'
    ,DNVOp    varchar(100)  '../@operation'
    --,ObjType varchar(50)   '../../../a:primary-objectclass'
    ,ObjectDN varchar(1000) '../../../@dn'
    ,AttrName varchar(100)  '../../@name'
    ,dn       varchar(1000) '.'
) Export
ORDER BY ObjectDN

EXEC sp_xml_removedocument @docHandle

For this query I was first focused on some group updates. I needed to show the client how we were going to update their distribution lists.

This query takes the XML from the DSML file and shreds it back to relational data like so:


update add   CN=Group1, OU=Distribution Groups, OU=Enterprise Groups, DC=Aclient,DC=org member CN=MontyHALL, OU=Groupwise Directory Sync - SJHS,OU=Exchange, DC=Aclient,DC=org
update add   CN=Group1, OU=Distribution Groups, OU=Enterprise Groups, DC=Aclient,DC=org member CN=Joe Montana, OU=Groupwise Directory Sync - SJHS,OU=Exchange, DC=Aclient,DC=org
update add   CN=Group1, OU=Distribution Groups, OU=Enterprise Groups, DC=Aclient,DC=org member CN=Steve Young, OU=Groupwise Directory Sync - SJHS,OU=Exchange, DC=Aclient,DC=org
update add   CN=Group1, OU=Distribution Groups, OU=Enterprise Groups, DC=Aclient,DC=org member CN=Fred Idaho, OU=Groupwise Directory Sync - SJHS,OU=Exchange, DC=Aclient,DC=org
update add add CN=Group2, OU=Distribution Groups, OU=Enterprise Groups, DC=Aclient,DC=org member CN=Fred Idaho, OU=Groupwise Directory Sync - SJHS,OU=Exchange, DC=Aclient,DC=org
update add add CN=Group2, OU=Distribution Groups, OU=Enterprise Groups, DC=Aclient,DC=org member CN=MontyHALL, OU=Groupwise Directory Sync - SJHS,OU=Exchange, DC=Aclient,DC=org
update add add CN=Group2, OU=Distribution Groups, OU=Enterprise Groups, DC=Aclient,DC=org member CN=Joe Montana, OU=Groupwise Directory Sync - SJHS,OU=Exchange, DC=Aclient,DC=org
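The same shredding done outside SQL Server, as an added example that is not code from the post: a Python walk of the same mmsml path (directory-entries/delta/dn-attr/dn-value/dn) producing the same columns, run over a constructed audit file rather than a real drop file. Like the query, it only sees reference (dn) attributes, so a delta that carries only plain <attr> values (Group3 in the sample) produces no rows.

```python
"""Shred an ILM/MIIS audit drop file (mmsml v2 DSML) into relational rows.

Added example, not code from the original post. SAMPLE_AUDIT below is
constructed for this example and is not a real export.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Namespace used by the sync engine's audit files (taken from the post's query).
NS = {"a": "http://www.microsoft.com/mms/mmsml/v2"}


class ExportRow(NamedTuple):
    """One row per referenced DN, matching the columns of the post's OPENXML query."""
    delta_op: str      # operation on the object as a whole: add / update / delete
    dn_attr_op: str    # operation on the reference attribute as a whole
    dn_value_op: str   # operation on this single value ("" when the file does not set one)
    object_dn: str     # DN of the object being exported
    attr_name: str     # e.g. member, manager
    dn: str            # the referenced DN


def shred_dn_values(audit_xml: str) -> List[ExportRow]:
    """Walk mmsml/directory-entries/delta/dn-attr/dn-value/dn and flatten it.

    Mirrors the post's OPENXML path and its '../..' column lookups, and sorts
    by object DN like the query's ORDER BY (stable, so values keep file order).
    """
    root = ET.fromstring(audit_xml)
    rows: List[ExportRow] = []
    for delta in root.findall("a:directory-entries/a:delta", NS):
        for dn_attr in delta.findall("a:dn-attr", NS):
            for dn_value in dn_attr.findall("a:dn-value", NS):
                dn_el = dn_value.find("a:dn", NS)
                if dn_el is None or dn_el.text is None:
                    continue  # malformed entry: dn-value without a dn child
                rows.append(ExportRow(
                    delta_op=delta.get("operation", ""),
                    dn_attr_op=dn_attr.get("operation", ""),
                    dn_value_op=dn_value.get("operation", ""),
                    object_dn=delta.get("dn", ""),
                    attr_name=dn_attr.get("name", ""),
                    dn=dn_el.text.strip(),
                ))
    rows.sort(key=lambda r: r.object_dn)
    return rows


def membership_changes(rows: List[ExportRow]) -> Dict[Tuple[str, str], int]:
    """Count pending reference changes per (object DN, effective operation).

    The effective operation is the dn-value operation when present (the
    attribute is being updated value by value), otherwise the dn-attr one
    (the whole attribute is being added or removed), which is why the post's
    output shows a blank third column for Group1 and "add" for Group2.
    """
    counts: Counter = Counter()
    for r in rows:
        counts[(r.object_dn, r.dn_value_op or r.dn_attr_op)] += 1
    return dict(counts)


# Constructed sample: Group2 is listed first on purpose to show the sort.
SAMPLE_AUDIT = """<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
  <directory-entries>
    <delta operation="update" dn="CN=Group2,OU=Distribution Groups,DC=Aclient,DC=org">
      <primary-objectclass>group</primary-objectclass>
      <dn-attr name="member" operation="update" multivalued="true">
        <dn-value operation="add"><dn>CN=Fred Idaho,OU=Exchange,DC=Aclient,DC=org</dn></dn-value>
        <dn-value operation="delete"><dn>CN=Steve Young,OU=Exchange,DC=Aclient,DC=org</dn></dn-value>
      </dn-attr>
    </delta>
    <delta operation="update" dn="CN=Group1,OU=Distribution Groups,DC=Aclient,DC=org">
      <primary-objectclass>group</primary-objectclass>
      <dn-attr name="member" operation="add" multivalued="true">
        <dn-value><dn>CN=MontyHALL,OU=Exchange,DC=Aclient,DC=org</dn></dn-value>
        <dn-value><dn>CN=Joe Montana,OU=Exchange,DC=Aclient,DC=org</dn></dn-value>
      </dn-attr>
    </delta>
    <delta operation="add" dn="CN=Group3,OU=Distribution Groups,DC=Aclient,DC=org">
      <primary-objectclass>group</primary-objectclass>
      <attr name="displayName" operation="add" multivalued="false"><value>Group 3</value></attr>
    </delta>
  </directory-entries>
</mmsml>
"""


if __name__ == "__main__":
    for row in shred_dn_values(SAMPLE_AUDIT):
        print(row.delta_op, row.dn_attr_op, row.dn_value_op or "-",
              row.object_dn, row.attr_name, row.dn)
```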


Next week I will show how to add the parameters and then I will show how to make the report. If you are lucky I might even make a video and post it!


Thursday, July 3, 2008

I like my passwords Plain --in plaintext that is

Bug in ILM2 Beta 3 -- go vote on MSConnect to register your taste!

Look for Bug ID 354953

Do you like your passwords plain or with encrypted butter?

As for me and my house we will choose the encrypted butter! I mean passwords.
ILM 2 codeless provisioning looks great! You can add complex rules without code and then you can even see these rules as they get synchronized into the ILM synch engine (what we know and love from the MIIS 2003 and ILM 2007 days). But then oops! you can see my default password in plaintext!

7/3/2008

In the ILM 2 Portal, when I configure an initial outbound attribute flow for unicodePwd (an initial password for AD users) and then look at the resulting Synchronization Rule object in the connector space in Identity Manager, I can see the password in plaintext!

Repro Steps

1) Assume use of the VPC image from the ILM product group
2) Open Identity Manager
3) Search the ILM 2 MA connector space -- look for the synchronization rule for provisioning users (in my system the id begins with 102df8d9)
4) Click on the ellipsis button in the string column of the initial flow attribute, then look for Pass@word1
5) Realize that your password is stored in plaintext!

Bigger screenshot of Identity Manager here:

Monday, June 16, 2008

Tech Ed -- Lotsa Buzz ILM 2 and CLM

On Tuesday Bob Muglia made a big announcement -- ILM 2 Beta 3 has been released. While the beta install is only 64 bit on Microsoft Connect you can download the 32-bit Virtual PC. At the ILM 2 booth at Tech Ed the Microsoft ILM Product Group and I were handing them out like crazy.

Thanks to Nima for inviting me to participate at the booth.

The best session I went to was by Candy Stark from MS IT. She presented on the smart card deployment at MSFT using CLM.
