Documentation Feedback: Introduction to the Configuration Migration Tool
Hi Markus,

some notes about the "Introduction to the Configuration Migration Tool" document.

1) When re-importing the configuration, the document states that you should import the synch service configuration (step 6) and later import the FIM service configuration (step 8). However, this creates problems if there are additional attributes in the FIM schema in the source server. Importing the FIM MA will fail with something like this:

    Rules validation for management agent 'FIM' starting...
    Validation of the attribute inclusion FAILED.
    The Attribute 'x' could not be located in the schema.
    ...
    Validation of the attribute flow rules FAILED.

However, I could not find in the document any statement about equal schemas being a prerequisite for migration (I don't think it is, since there's a -schemaConfig flag in the FIM configuration export cmdlet...). Could you please clarify what's the correct way to proceed in this case? Make a first export/import with the schema only, then another with anything except the schema, or just perform step 8 before 6?

2) Which are the prerequisites for migrating the configuration? For example, should the production and pilot domains have the same name?

3) Where does the ConvertFrom-FimResource cmdlet write data if the file parameter is not a full path? I think it writes in the start folder of PowerShell, but I could not find this... could you specify it? Wouldn't it be better to use absolute paths in scripts (even if I understand perfectly that the provided scripts are just examples)?

Cheers,
Paolo

Paolo Tedesco - http://cern.ch/idm
November 27th, 2009 7:38pm

Thanks, Paolo!

Since your feedback is about a specific doc, I have moved it into a separate post and sent a message to the doc owner.

Cheers,
Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 1st, 2009 11:25pm

Hello,

I am experiencing the same issue as Paolo. I recreated the schema in the portal manually. I restarted the FIM service and IIS but still get the same errors.

Markus, what do you mean by "Moved into a separate post"?

Paolo, were you able to solve your problem and if so could you elaborate?

Thanks in advance!
-Paul
January 17th, 2010 10:20pm

I apologize. I didn't follow my own documentation. After you create a new attribute's resource type you still need to add it to the Synchronization Filter. Lots of gotchas with this product.

Markus, I believe Paolo's comments are very relevant. A new step should be added to pre-create the new schema. Hopefully the step can be scripted but I don't have time to figure that out at the moment. If anyone else has solved this problem please post it.

Thanks!!!!
-Paul
January 17th, 2010 11:09pm

Hi Paul,

I solved this issue by separating the schema, policy and portal configuration in three separate steps, i.e. specifying the -config flags of the Export-FimConfig cmdlet one at a time, something like

    Write-Host "Exporting schema."
    $pilot = Export-FIMConfig -uri $uri -schemaConfig -MessageSize $messageSize
    $pilot | ConvertFrom-FIMResource -file $pilot_schema
    Write-Host "Exported $($pilot.Count) objects to $pilot_schema"

    Write-Host "Exporting policy."
    $pilot = Export-FIMConfig -uri $uri -policyConfig -MessageSize $messageSize
    $pilot | ConvertFrom-FIMResource -file $pilot_policy
    Write-Host "Exported $($pilot.Count) objects to $pilot_policy"

    Write-Host "Exporting portal."
    $pilot = Export-FIMConfig -uri $uri -portalConfig -MessageSize $messageSize
    $pilot | ConvertFrom-FIMResource -file $pilot_portal
    Write-Host "Exported $($pilot.Count) objects to $pilot_portal"

Then, when I import configuration, I import the schema first:

    # Export production schema
    $production = Export-FIMConfig -uri $uri -schemaConfig -MessageSize $messageSize
    $production | ConvertFrom-FIMResource -file $production_schema

    # Read pilot schema
    $pilot = ConvertTo-FIMResource -file $pilot_schema

    $matches = Join-FIMConfig -source $pilot -target $production -join $joinrules -defaultJoin DisplayName
    $changes = $matches | Compare-FIMConfig
    Write-Host "Identified $($changes.Count) changes to apply to production."

    Write-Host "Saving changes to $changes_schema"
    $changes | ConvertFrom-FIMResource -file $changes_schema
    Write-Host "Synchronization complete. Commit the changes using commit-changes.ps1."

After importing the schema, I import the synchronization service configuration (this part cannot be scripted, as the synchronization service pops up several dialogs to handle the domain differences) and then I import the policy and portal configurations.

Hope this helps,
Paolo

P.S.: please note that the above scripts are not complete, they are just snippets to show what I'm doing.

Paolo Tedesco - http://cern.ch/idm
January 18th, 2010 1:37pm

We apologize for the issues you experienced. Our team is working on a revision to the document you referenced above that includes new scripts, which are pasted below for your reference. We are hoping to have those revisions published by the end of the month (January 2010). Thank you very much for the thorough feedback and recommended resolution!

Appendix A: PowerShell Scripts

This appendix includes scripts which demonstrate recommended usage of the PowerShell cmdlets to migrate FIM configuration. Many customers will have specific, custom requirements to migrate configuration and will need to modify these scripts. Consider using the PowerShell model to include additional processing between the cmdlets. For example, some customers need to replace pilot DNS names with production DNS names. These customers would modify the scripts so that the DNS names are replaced prior to calling Compare-FIMConfig.

ExportSchema.ps1

    # ExportSchema.ps1
    # Copyright (c) 2009 Microsoft Corporation
    # The purpose of this script is to export the current schema configuration
    # in the pilot environment.
    # The script stores the configuration into file "schema.xml" in the current directory.
    # Please note you will need to rename the file to pilot_schema.xml or production_schema.xml.
    # See the documentation for more information.

    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

    $schema_filename = "schema.xml"
    Write-Host "Exporting configuration objects from pilot."
    # Please note that SynchronizationFilter Resources inform the FIM MA.
    $schema = Export-FIMConfig -schemaConfig -customConfig "/SynchronizationFilter"
    if ($schema -eq $null)
    {
        Write-Host "Export did not successfully retrieve configuration from FIM. Please review any error messages and ensure that the arguments to Export-FIMConfig are correct."
    }
    else
    {
        Write-Host "Exported " $schema.Count " objects from pilot."
        $schema | ConvertFrom-FIMResource -file $schema_filename
        Write-Host "Pilot file is saved as " $schema_filename "."
        if($schema.Count -gt 0)
        {
            Write-Host "Export complete. The next step is to run ExportPolicy.ps1."
        }
        else
        {
            Write-Host "While export completed, there were no resources. Please ensure that the arguments to Export-FIMConfig are correct."
        }
    }

ExportPolicy.ps1

    # ExportPolicy.ps1
    # Copyright (c) 2009 Microsoft Corporation
    # The purpose of this script is to export the current policy and synchronization configuration
    # in the pilot environment.
    # The script stores the configuration into file "policy.xml" in the current directory.
    # Please note you will need to rename the file to pilot_policy.xml or production_policy.xml.
    # See the documentation for more information.

    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

    $policy_filename = "policy.xml"
    Write-Host "Exporting configuration objects from pilot."
    # In many production environments, some Set resources are larger than the default message size of 10 MB.
    $policy = Export-FIMConfig -policyConfig -portalConfig -MessageSize 9999999
    if ($policy -eq $null)
    {
        Write-Host "Export did not successfully retrieve configuration from FIM. Please review any error messages and ensure that the arguments to Export-FIMConfig are correct."
    }
    else
    {
        Write-Host "Exported " $policy.Count " objects from pilot."
        $policy | ConvertFrom-FIMResource -file $policy_filename
        Write-Host "Pilot file is saved as " $policy_filename "."
        if($policy.Count -gt 0)
        {
            Write-Host "Export complete. The next step is run SyncSchema.ps1."
        }
        else
        {
            Write-Host "While export completed, there were no resources. Please ensure that the arguments to Export-FIMConfig are correct."
        }
    }

SyncSchema.ps1

    # SyncSchema.ps1
    # Copyright (c) 2009 Microsoft Corporation
    # The purpose of this script is to identify what changes should be applied to
    # the production environment.
    # This script assumes that the production environment is the local machine and
    # that the pilot export is available in pilot_schema.xml
    # and the production export is available in production_schema.xml

    $pilot_filename = "pilot_schema.xml"
    $production_filename = "production_schema.xml"
    $changes_filename = "changes.xml"
    $joinrules = @{
        # === Schema configuration ===
        # This is based on the system names of attributes and objects
        # Notice that BindingDescription is joined using its reference attributes.
        ObjectTypeDescription = "Name";
        AttributeTypeDescription = "Name";
        BindingDescription = "BoundObjectType BoundAttributeType";
    }

    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

    Write-Host "Loading production file " $production_filename "."
    $production = ConvertTo-FIMResource -file $production_filename
    if($production -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Production Schema is null. Check that the production file has data.")
    }
    Write-Host "Loaded file " $production_filename "." $production.Count " objects loaded."

    Write-Host "Loading pilot file " $pilot_filename "."
    $pilot = ConvertTo-FIMResource -file $pilot_filename
    if($pilot -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Pilot Schema is null. Check that the pilot file has data.")
    }
    Write-Host "Loaded file " $pilot_filename "." $pilot.Count " objects loaded."

    Write-Host
    Write-Host "Executing join between pilot and production."
    Write-Host
    $matches = Join-FIMConfig -source $pilot -target $production -join $joinrules -defaultJoin DisplayName
    if($matches -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Matches is null. Check that the join succeeded and join criteria is correct for your environment.")
    }

    Write-Host "Executing compare between matched objects in pilot and production."
    $changes = $matches | Compare-FIMConfig
    if($changes -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Changes is null. Check that no errors occurred while generating changes.")
    }
    Write-Host "Identified " $changes.Count " changes to apply to production."

    Write-Host "Saving changes to " $changes_filename "."
    $changes | ConvertFrom-FIMResource -file $changes_filename
    Write-Host
    Write-Host "Sync complete. The next step is to commit the changes using CommitChanges.ps1."

SyncPolicy.ps1

    # SyncPolicy.ps1
    # Copyright (c) 2009 Microsoft Corporation
    # The purpose of this script is to identify what changes should be applied to
    # the production environment.
    # This script assumes that the production environment is the local machine and
    # that the pilot export is available in pilot_policy.xml
    # and the production export is available in production_policy.xml

    $pilot_filename = "pilot_policy.xml"
    $production_filename = "production_policy.xml"
    $changes_filename = "changes.xml"
    $joinrules = @{
        # === Customer-dependent join rules ===
        # Person and Group objects are not configuration and will not be migrated.
        # However, some configuration objects like Sets may refer to these objects.
        # For this reason, we need to know how to join Person objects between
        # systems so that configuration objects have the same semantic meaning.
        Person = "MailNickname DisplayName";
        Group = "DisplayName";

        # === Policy configuration ===
        # Sets, MPRs, Workflow Definitions, etc. are best identified by DisplayName
        # DisplayName is set as the default join criteria and applied to all object
        # types not listed here.

        # === Schema configuration ===
        # This is based on the system names of attributes and objects
        # Notice that BindingDescription is joined using its reference attributes.
        ObjectTypeDescription = "Name";
        AttributeTypeDescription = "Name";
        BindingDescription = "BoundObjectType BoundAttributeType";

        # === Portal configuration ===
        ConstantSpecifier = "BoundObjectType BoundAttributeType ConstantValueKey";
        SearchScopeConfiguration = "DisplayName SearchScopeResultObjectType Order";
        ObjectVisualizationConfiguration = "DisplayName AppliesToCreate AppliesToEdit AppliesToView"
    }

    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

    Write-Host "Loading production file " $production_filename "."
    $production = ConvertTo-FIMResource -file $production_filename
    if($production -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Production Schema is null. Check that the production file has data.")
    }
    Write-Host "Loaded file " $production_filename "." $production.Count " objects loaded."

    Write-Host "Loading pilot file " $pilot_filename "."
    $pilot = ConvertTo-FIMResource -file $pilot_filename
    if($pilot -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Pilot Schema is null. Check that the pilot file has data.")
    }
    Write-Host "Loaded file " $pilot_filename "." $pilot.Count " objects loaded."

    Write-Host
    Write-Host "Executing join between pilot and production."
    Write-Host
    $matches = Join-FIMConfig -source $pilot -target $production -join $joinrules -defaultJoin DisplayName
    if($matches -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Matches is null. Check that the join succeeded and join criteria is correct for your environment.")
    }

    Write-Host "Executing compare between matched objects in pilot and production."
    $changes = $matches | Compare-FIMConfig
    if($changes -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Changes is null. Check that no errors occurred while generating changes.")
    }
    Write-Host "Identified " $changes.Count " changes to apply to production."

    Write-Host "Saving changes to " $changes_filename "."
    $changes | ConvertFrom-FIMResource -file $changes_filename
    Write-Host
    Write-Host "Sync complete. The next step is to commit the changes using CommitChanges.ps1."

CommitChanges.ps1

    # CommitChanges.ps1
    # Copyright (c) 2009 Microsoft Corporation
    # This script applies the changes necessary to migrate configuration.

    $changes_filename = "changes.xml"
    $undone_filename = "undone.xml"

    $imports = ConvertTo-FIMResource -file $changes_filename
    if($imports -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Changes is null. Check that the changes file has data.")
    }

    Write-Host "Importing changes into production."
    $undoneImports = $imports | Import-FIMConfig
    if($undoneImports -eq $null)
    {
        Write-Host "Import complete."
    }
    else
    {
        Write-Host
        Write-Host "There were " $undoneImports.Count " uncompleted imports."
        $undoneImports | ConvertFrom-FIMResource -file $undone_filename
        Write-Host
        Write-Host "Please see the documentation on how to resolve the issues."
    }

ResumeUndoneImports.ps1

    # ResumeUndoneImports.ps1
    # Copyright (c) 2010 Microsoft Corporation
    # This script resumes incomplete imports once the specific error has been identified.
    # It may be necessary to edit the first ImportObject in the undone imports file.
    # Some changes include removing the object altogether or removing a particular attribute value.

    $undone_filename = "undone.xml"

    $undoneImports = ConvertTo-FIMResource -file $undone_filename
    if($undoneImports -eq $null)
    {
        throw (new-object NullReferenceException -ArgumentList "Changes is null. Check that the undone file has data.")
    }

    Write-Host "Resuming import"
    $newUndoneImports = $undoneImports | Import-FIMConfig
    if($newUndoneImports -eq $null)
    {
        Write-Host "Import complete."
    }
    else
    {
        Write-Host
        Write-Host "There were " $newUndoneImports.Count " uncompleted imports."
        $newUndoneImports | ConvertFrom-FIMResource -file $undone_filename
        Write-Host
        Write-Host "Please see the documentation on how to resolve the issues."
    }
January 18th, 2010 9:24pm

Kurt,

Thank you for quickly posting the latest version of the scripts. As a slight addition, please note the new process that will be included in the document:

1. Backup Pilot and Production environments using the Backup and Restore procedures.
2. Export FIM Service Schema Configuration
3. Export FIM Synchronization Service Configuration
4. Export FIM Service Policy and Synchronization Configuration Resources
5. Install in the Production environment FIM Synchronization Service and FIM Service
6. Enable “Maintenance Mode” of Production environment
7. Import FIM Service Schema Configuration
8. Import FIM Synchronization Service Configuration
9. Install custom DLLs necessary for custom workflows
10. Import FIM Service Policy and Synchronization Configuration
11. Disable “Maintenance Mode” of Production environment

Please let us know how we can further improve the documentation.

Joe
January 18th, 2010 10:11pm
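
A pre-flight check that fits between steps 7 and 8 of the process above, as an added example that is not part of the thread or of the Microsoft appendix: it lists object and attribute types present in the pilot schema export but absent from production, the condition behind the "could not be located in the schema" failure reported earlier. Get-SchemaNames, Find-MissingSchema and New-SampleResource are hypothetical helpers, the sample data is constructed, and the object shape (ResourceManagementObject.ObjectType and ResourceManagementAttributes with AttributeName/Value) is assumed to match what ConvertTo-FIMResource returns.

```powershell
# Added example: compare pilot and production schema exports before the
# Synchronization Service configuration is imported.
function Get-SchemaNames {
    param([object[]]$Resources, [string]$ObjectType)
    foreach ($r in $Resources) {
        $rmo = $r.ResourceManagementObject
        if ($rmo.ObjectType -ne $ObjectType) { continue }
        # The system name is the same attribute SyncSchema.ps1 joins on.
        $rmo.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq 'Name' } |
            ForEach-Object { $_.Value }
    }
}

function Find-MissingSchema {
    param([object[]]$Pilot, [object[]]$Production)
    foreach ($type in 'ObjectTypeDescription', 'AttributeTypeDescription') {
        $have = @(Get-SchemaNames -Resources $Production -ObjectType $type)
        Get-SchemaNames -Resources $Pilot -ObjectType $type |
            Where-Object { $have -notcontains $_ } |
            ForEach-Object { New-Object PSObject -Property @{ Type = $type; Name = $_ } }
    }
}

# Constructed sample objects standing in for the cmdlet output (assumed shape).
function New-SampleResource([string]$ObjectType, [string]$Name) {
    $attr = New-Object PSObject -Property @{ AttributeName = 'Name'; Value = $Name }
    $rmo = New-Object PSObject -Property @{
        ObjectType = $ObjectType; ResourceManagementAttributes = @($attr) }
    New-Object PSObject -Property @{ ResourceManagementObject = $rmo }
}
$pilot = @(
    (New-SampleResource 'ObjectTypeDescription' 'Person'),
    (New-SampleResource 'AttributeTypeDescription' 'DisplayName'),
    (New-SampleResource 'AttributeTypeDescription' 'CostCenterCode')  # constructed custom attribute
)
$production = @(
    (New-SampleResource 'ObjectTypeDescription' 'Person'),
    (New-SampleResource 'AttributeTypeDescription' 'DisplayName')
)
# Real use, after re-exporting production once the schema changes are committed:
#   $pilot      = ConvertTo-FIMResource -file pilot_schema.xml
#   $production = ConvertTo-FIMResource -file production_schema.xml

$missing = @(Find-MissingSchema -Pilot $pilot -Production $production)
if ($missing.Count -gt 0) {
    $missing | ForEach-Object { Write-Warning "Missing in production: $($_.Type) '$($_.Name)'" }
    Write-Host "Hold the Synchronization Service import; FIM MA validation may fail."
} else {
    Write-Host "Production schema contains every pilot object and attribute type."
}
```

The check covers schema names only; whether each attribute is also in the Synchronization Filter, as noted earlier in the thread, has to be verified separately.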

Hi Joe and Kurt,

Just another quick note on the migration process.

If you have a MPR that grants permissions (e.g. permission to create Activity Information Configurations) and other objects that depend on those permissions (e.g. an Activity Information), then the first attempt to run CommitChanges may fail, but in that case it's just sufficient to run ResumeUndoneImports.

Maybe it could be worth mentioning in the documentation.

Cheers,
Paolo

P.S.: in the "ExportPolicy" script

    Write-Host "Export complete. The next step is run SyncSchema.ps1."

should be

    Write-Host "Export complete. The next step is run SyncPolicy.ps1."

Paolo Tedesco - http://cern.ch/idm
January 19th, 2010 11:13am

Thanks everyone! This is exactly what I needed and it might actually make up the time I lost trying to figure it out. :>)
January 20th, 2010 12:54am

This topic is archived. No further replies will be accepted.
