FIM and ADAM
Sorry for double posting; let a moderator decide (I duplicated it in the Windows Server forum - Directory Services).
We are trying to install FIM CM in our Windows 2003 domain (it has the R2 schema). I don't want to modify our domain's original schema, so I want to use an ADAM instance (the AD LDS feature of Windows Server 2008 R2).
I want to install a local ADAM instance, modify its schema as FIM CM demands and then install FIM CM "through it". It's my first time with ADAM, so I am unclear about how it works and how it can help me.
FIM CM is planned to be located at fimsrv.msk.company.local. company.local contains our original domain's schema, so I did not modify the schema via the standard script "modyfyschema.vbs".
Instead of that I installed an ADAM instance on fimsrv.msk.company.local under Enterprise Admin privileges.
First, I used the following command:
ldifde -i -s localhost:389 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetadata.ldf
to extend the local ADAM instance's schema to the default Windows 2003 schema.
Second, I extended the schema of the local ADAM instance as FIM CM demands, running ldifde with clm.ldif against the local ADAM instance. All 12 entries were modified successfully, and these entries appeared in the local ADAM instance schema
(CN=Schema,CN=Configuration,CN={3B20917C-3080-4304-A3B4-D2C36E619FB7}).
What I expected is that the CM Config Wizard would somehow "locate" the local ADAM instance with the desired schema objects. I know nothing about how an application is supposed to find out about ADAM instances: whether it tries to find the necessary objects (entries) in the company.local schema and company.local "gives FIM" a hint to look for these objects in the extended ADAM instance, or whether the CM Config Wizard first tries to do something with the local ADAM instance and fails, or whether some other logic takes place. Or... or
is it even possible to install FIM CM using the modified schema of an ADAM instance without modifying the original domain schema? If it is possible, it seems to me that I missed some steps that somehow "bind" the local ADAM instance to the original domain so that the FIM CM installation succeeds without modifying the original domain schema. Does any step-by-step guide exist on how to install enterprise apps using ADAM?
By the way, we made an exception and tried to modify the original schema with a part (only one entry) of clm.ldif.
Clm_mini.ldif:
#
# FIM CM attribute and object classes
#
dn: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=local
changetype: add
adminDescription: Allows storing XML policy definition for the FIM CM Profile Template.
adminDisplayName: ms-Clm-Data
attributeID: 1.2.840.113556.1.6.41.1.2.1
attributeSyntax: 2.5.5.12
cn: ms-Clm-Data
instanceType: 4
isSingleValued: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 1024000
lDAPDisplayName: msClm-Data
distinguishedName: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=local
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=company,DC=local
objectClass: top
objectClass: attributeSchema
oMSyntax: 64
name: ms-Clm-Data
schemaIDGUID:: bq7sYAgLMUaL9K9Kc46+PQ==
showInAdvancedViewOnly: TRUE
The result of ldifde + clm_mini.ldif was:
C:\Windows\system32>ldifde -i -v -f "C:\!!!\clm_mini.ldif" -k -c "DC=company,DC=local" "DC=company,DC=local" -j "C:\Windows\System32"
Connecting to "hq-dc2.msk.company.local"
Logging in as current user using SSPI
Importing directory from file "C:\!!!\clm_mini.ldif"
Loading entries
1: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=local
Add error on entry starting on line 4: Referral
The server side error is: 0x202b A referral was returned from the server.
The extended server error is:
0000202B: RefErr: DSID-030A09EC, data 0, 1 access points
ref 1: '21018a21-72c0-4ce9-981c-d8ca3be9eb96._msdcs.company.local'
0 entries modified successfully.
An error has occurred in the program
And the ldif.log file is as follows:
Connecting to "hq-dc2.msk.company.local"
Logging in as current user using SSPI
Importing directory from file "C:\!!!\clm_mini.ldif"
Loading entries
1: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=local
Entry DN: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=local
changetype: add
Attribute 0) adminDescription:Allows storing XML policy definition for the FIM CM Profile Template.
Attribute 1) adminDisplayName:ms-Clm-Data
Attribute 2) attributeID:1.2.840.113556.1.6.41.1.2.1
Attribute 3) attributeSyntax:2.5.5.12
Attribute 4) cn:ms-Clm-Data
Attribute 5) instanceType:4
Attribute 6) isSingleValued:TRUE
Attribute 7) isMemberOfPartialAttributeSet:FALSE
Attribute 8) rangeUpper:1024000
Attribute 9) lDAPDisplayName:msClm-Data
Attribute 10) distinguishedName:CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=local
Attribute 11) objectCategory:CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=company,DC=local
Attribute 12) objectClass:top attributeSchema
Attribute 13) oMSyntax:64
Attribute 14) name:ms-Clm-Data
Attribute 15) schemaIDGUID: UNPRINTABLE BINARY(16)
Attribute 16) showInAdvancedViewOnly:TRUE
Add error on entry starting on line 4: Referral
The server side error is: 0x202b A referral was returned from the server.
The extended server error is:
0000202B: RefErr: DSID-030A09EC, data 0, 1 access points
ref 1: '21018a21-72c0-4ce9-981c-d8ca3be9eb96._msdcs.company.local'
0 entries modified successfully.
So if it stays unresolved, this project will be closed...
September 23rd, 2010 4:21pm
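An added example, not part of the original thread: a pre-import sanity check for a schema-extension LDIF, written in Python. It parses the file the way ldifde reads it (records separated by blank lines, "::" for base64 values, folded continuation lines, "#" comments) and flags the defects that make a schema add fail: DN-valued attributes (distinguishedName, objectCategory) that sit in a different naming context than the record's dn, attributeSchema records missing mandatory attributes, attributeSyntax/oMSyntax pairs that do not match, and a schemaIDGUID that is not a 16-byte value. The sample record is a constructed variant of the posted ms-Clm-Data entry with distinguishedName and objectCategory deliberately placed under DC=company,DC=com while the dn is under DC=company,DC=local; the syntax table covers only the common AD attributeSyntax/oMSyntax pairs. It does not diagnose the referral itself: 0x202b with a ref to a GUID._msdcs.company.local name means the schema write has to go to the DC that name resolves to (the schema master), so after the file checks out, run ldifde with -s pointed at that host.

```python
"""Pre-import sanity check for an AD schema-extension LDIF (added example)."""
import base64
import re

# Common attributeSyntax -> allowed oMSyntax values from the AD schema syntax table.
SYNTAX_OM = {
    "2.5.5.1": {127},      # DN
    "2.5.5.2": {6},        # OID
    "2.5.5.3": {27},       # case-exact string
    "2.5.5.4": {20},       # case-insensitive string
    "2.5.5.5": {19, 22},   # printable / IA5 string
    "2.5.5.6": {18},       # numeric string
    "2.5.5.8": {1},        # boolean
    "2.5.5.9": {2, 10},    # integer / enumeration
    "2.5.5.10": {4},       # octet string
    "2.5.5.11": {23, 24},  # UTC time / generalized time
    "2.5.5.12": {64},      # Unicode string
    "2.5.5.15": {66},      # NT security descriptor
    "2.5.5.16": {65},      # large integer
    "2.5.5.17": {4},       # SID
}

# Constructed sample: the posted ms-Clm-Data record with the two DN-valued
# attributes deliberately under DC=company,DC=com so the checker has a hit.
SAMPLE_LDIF = """\
#
# FIM CM attribute and object classes
#
dn: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=local
changetype: add
adminDescription: Allows storing XML policy definition for the FIM CM Profile Template.
adminDisplayName: ms-Clm-Data
attributeID: 1.2.840.113556.1.6.41.1.2.1
attributeSyntax: 2.5.5.12
cn: ms-Clm-Data
instanceType: 4
isSingleValued: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 1024000
lDAPDisplayName: msClm-Data
distinguishedName: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=company,DC=com
objectClass: top
objectClass: attributeSchema
oMSyntax: 64
name: ms-Clm-Data
schemaIDGUID:: bq7sYAgLMUaL9K9Kc46+PQ==
showInAdvancedViewOnly: TRUE
"""

_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of records; each maps a lower-cased attribute name to its values.
    Base64 ('::') values are returned as bytes, everything else as str."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value)
        current.setdefault(attr.lower(), []).append(value)
    return records


def naming_context(dn):
    """Lower-cased DC=... tail of a DN. Splits on ',' which is fine for schema DNs
    (no escaped commas there)."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.lower().startswith("dc=")).lower()


def check_record(rec):
    """List of problems that would make this record fail on import."""
    problems = []
    nc = naming_context(rec.get("dn", [""])[0])
    for attr in ("distinguishedname", "objectcategory"):
        for v in rec.get(attr, []):
            if isinstance(v, str) and naming_context(v) != nc:
                problems.append(f"{attr} is under '{naming_context(v)}' but dn is under '{nc}'")
    if "attributeschema" in {v.lower() for v in rec.get("objectclass", []) if isinstance(v, str)}:
        for required in ("attributeid", "attributesyntax", "omsyntax", "ldapdisplayname", "schemaidguid"):
            if required not in rec:
                problems.append(f"attributeSchema record lacks {required}")
        syn = rec.get("attributesyntax", [None])[0]
        om = rec.get("omsyntax", [None])[0]
        if syn in SYNTAX_OM and om is not None and int(om) not in SYNTAX_OM[syn]:
            problems.append(f"oMSyntax {om} does not match attributeSyntax {syn}")
        for g in rec.get("schemaidguid", []):
            if not isinstance(g, bytes) or len(g) != 16:
                problems.append("schemaIDGUID must be a base64 ('::') 16-byte GUID")
    return problems


def check_ldif(text):
    """Map each record's dn to its list of problems (empty list = clean)."""
    return {rec["dn"][0]: check_record(rec) for rec in parse_ldif(text)}


if __name__ == "__main__":
    for dn, probs in check_ldif(SAMPLE_LDIF).items():
        print(dn, "->", probs or "OK")
```

Run it against the real clm.ldif before touching the forest: a clean report plus ldifde aimed at the schema master rules out the file as the cause and leaves only permissions (Schema Admins) and the schema-master binding to look at.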
Ribentrop - unfortunately, using AD LDS to support a FIM CM installation is not supported.
FIM CM requires ADDS and the necessary CLM schema extensions.
Out of interest, what's the reason for not extending your company.local AD forest schema?
Cheers,
MMS_guru
September 23rd, 2010 5:09pm
Thanks for your reply! So sad... Is the situation with CLM 2007 the same? Only AD DS and no ADAM schema extensions?
As for your question about our "untouchable" forest schema: it is the "holy cow" for our admins, so all methods should be tested first, and the
last one is modifying the schema. So the last one remains. ))
September 23rd, 2010 6:15pm
CLM 2007 is the same; it requires AD DS.
David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html
September 23rd, 2010 6:20pm
Your schema admins should not see this as presenting a high level of technical risk.
The CLM extensions are COTS MS extensions, are registered and will have been fully tested for collisions, etc.
If they have deployed Exchange or OCS, this should get similar consideration.
Cheers
MMS_guru
September 24th, 2010 11:59am