Cannot find imported users on FIM portal
Hi guys, I'm doing a test lab from TechNet: Importing users from AD to FIM http://social.technet.microsoft.com/wiki/contents/articles/how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx After import I can see a Projection number greater than 0, so some user objects have been imported to FIM. But when I open the FIM portal I cannot find any AD users on the Users tab. Any ideas?
May 20th, 2011 1:32pm

If I search connector space both AD agent and FIM agent I can see users there though...
May 20th, 2011 3:09pm

I think you need to run an export for the FIM MA, that will create the users within the FIM portal.

Need realtime FIM synchronization? Check out the new http://www.traxionsolutions.com/imsequencer that supports FIM 2010 and Omada Identity Manager real time synchronization!
May 20th, 2011 4:11pm

I get this error when I try to run Export for FIM MA:

There is an error executing a web service object creation request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException
Message: Fault Reason: Policy prohibits the request from completing.
Fault Details: <RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"></RequestFailures>
Stack Trace:
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
Inner Exception: Policy prohibits the request from completing.
May 20th, 2011 4:39pm

There is probably an MPR that is not configured to allow what you want. What are you creating? Groups, users?
May 20th, 2011 4:46pm

Users. That's what I have when I check MPR status with the script:

FIM MPR Configuration For Synchronization Check
===============================================
PS C:\Users\fimservice> c:\checkmpr
MPRs that need to be enabled:
-General: Users can read non-administrative configuration resources
-User management: Users can read attributes of their own
Caution: Your current MPR configuration requires your attention!
May 20th, 2011 5:12pm

Can you use the Policy Explorer and check if the sync engine is allowed to create the users? Maybe you missed some MPR.
May 23rd, 2011 9:59am

I enabled both rules that were pointed out by the script, so now it says everything is OK with policies, but I still get the same error. I checked the MPR list on the FIM portal - it looks fine to me (though I don't exactly know how they have to be set).
May 23rd, 2011 12:32pm

You can use the Policy Explorer and set the requestor to the Synchronization account and see if there is a grant permission on the user (People) object. But I think this policy should be there by default: "Synchronization: Synchronization account controls users it synchronizes", which has "Create Resource" checked. Are you sure you are only creating users on export? Is the error thrown for all objects in the connector space during export?
May 23rd, 2011 12:53pm

Yes, Paul, it's for all objects which are to be exported. Just to make it clear, do you mean this page as the Policy Explorer? http://rmststim01/IdentityManagement/aspx/policy/AllPolicies.aspx I've enabled all rules except the ones that are about permissions for users themselves... The "Synchronization: Synchronization account controls users it synchronizes" rule has the following settings: Create, Delete, Add, Modify, Remove
May 23rd, 2011 1:53pm

No, I mean this link: http://localhost/identitymanagement/aspx/policy/PolicyExplorer.aspx?_p=1 The URL you provided is showing all the policies; the "Explore" button is on the button bar above, next to "New, Details and Delete".
May 23rd, 2011 1:57pm

I've tried to check permissions via Policy browser, but cannot define the target resource. I can only choose from 2 accounts: FIM service and built-in synchronization account.
May 23rd, 2011 6:13pm

I've added FIM Service account to Domain Admins group. Now while trying to export users I get following error message:

There is an error executing a web service object request.
Type: System.ServiceModel.EndpointNotFoundException
Message: Could not connect to http://localhost:5725/ResourceManagementService/MEX. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:5725.
Stack Trace:
Server stack trace:
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.Description.IMetadataExchange.Get(Message request)
   at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema()
   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.get_Instance()
   at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.get_SchemaManager()
   at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)
Inner Exception: Unable to connect to the remote server

And after it there're all usual PermissionDeniedException errors... How can I check whether web services are ok?
May 23rd, 2011 6:28pm

Created a user on the FIM portal and checked the Built-in Synchronization Account permissions on it. There's the "Synchronization: Synchronization account controls users it synchronizes" rule with Create, Delete, Add, Modify, Remove permissions. I suppose it's a web service or SQL issue...
May 24th, 2011 5:56pm

I'm still looking for the answer...
June 15th, 2011 9:29am

There is no reason why you should add the FIM Service account to Domain Admins. Portal permissions are managed entirely internally and are not affected by AD permissions. You mention an EndpointNotFoundException - did this happen right after you added the account to Domain Admins? What happens when you remove it from that group? The error "Policy prevents the request from completing" is only ever about one thing - MPRs not set correctly. You mentioned the Sync account MPR - but what is listed in Target Attributes? The simplest thing is to set it to "All attributes" because there may be just one single attribute not explicitly listed, but which you are trying to export to the Portal. That is enough to block the export.

http://www.wapshere.com/missmiis
June 15th, 2011 10:21am
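
The two checks discussed in the posts above (is the web service reachable, and does the synchronization MPR cover every exported attribute), as an added PowerShell example that is not part of the original thread. It assumes the FIMAutomation snap-in is installed and the Windows service is named FIMService; the `$exported` list is a constructed sample of attributes and must be replaced with the attributes your own export flows actually set. Set membership (requestors, target resources) is not evaluated here.

```powershell
# Added example: run on the FIM Service server with an account that can read MPRs.
$uri     = 'http://localhost:5725/ResourceManagementService'  # base of the endpoint shown in the error
$mprName = 'Synchronization: Synchronization account controls users it synchronizes'
# Constructed sample: attributes the FIM MA is assumed to export for a user object.
$exported = 'AccountName', 'DisplayName', 'Domain', 'ObjectSID', 'EmployeeType'

# 1. Is the FIM Service running and listening? (EndpointNotFoundException / TCP 10061)
$svc = Get-Service -Name FIMService
"FIMService status: $($svc.Status)"
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect('localhost', 5725); 'Port 5725: accepting connections' }
catch   { "Port 5725: connection failed - $($_.Exception.Message)"; return }
finally { $tcp.Close() }

# 2. Read the MPR exactly as the FIM Service stores it.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$filter = "/ManagementPolicyRule[DisplayName='$mprName']"
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $filter
if (-not $mprs) { "MPR not found: $mprName"; return }

foreach ($mpr in $mprs) {
    # Flatten the attribute list into name -> array of string values.
    $a = @{}
    foreach ($attr in $mpr.ResourceManagementObject.ResourceManagementAttributes) {
        if ($attr.IsMultiValue) { $a[$attr.AttributeName] = @($attr.Values) }
        else                    { $a[$attr.AttributeName] = @($attr.Value) }
    }

    # 3. A grant MPR only helps if it is enabled, grants the right, includes
    #    Create, and its target attributes cover everything being exported.
    $allAttrs = $a['ActionParameter'] -contains '*'   # '*' = "All attributes"
    $missing  = @($exported | Where-Object {
        -not $allAttrs -and ($a['ActionParameter'] -notcontains $_)
    })

    New-Object PSObject -Property @{
        Enabled            = -not ($a['Disabled'] -contains 'True')
        GrantsPermission   = $a['GrantRight'] -contains 'True'
        AllowsCreate       = $a['ActionType'] -contains 'Create'
        AllAttributes      = $allAttrs
        UncoveredAttribute = $missing -join ', '
    } | Format-List
}
```

An empty `UncoveredAttribute` together with `Enabled`, `GrantsPermission` and `AllowsCreate` all true means this MPR is not the one blocking the attributes listed in `$exported`.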

Hi Carol, EndpointNotFoundException is gone now. I changed the "Synchronization: Synchronization account controls users it synchronizes" rule parameter to All attributes as you said, but it didn't help...
June 15th, 2011 8:18pm

This topic is archived. No further replies will be accepted.
