Using PowerShell to Export and Import mv-data and ma-data
Has anyone tried this? It would be really nice if I could avoid using Server Import UI in the sync engine. I am able to export the "pilot" and "Production" mv-data, perform the compare but when I try to import the changes I am getting a "Import-FIMConfig : Failure to make a web service call". In the system event log I see this error and when I look the AppID up it is the IISadmin. I am unable to grant the network service permissions to IISadmin because the options in the DCOM config are grayed out.

Also I created a shell FIM_MA on the target because otherwise the export attempt on the target will come up empty.

Here is the join-fimconfig command I am using.

    $matches = join-fimconfig -source $Pilot_imports -target $Production_imports -defaultjoin "DisplayName"

    SourceObjectIdentifier : urn:uuid:8be53a7d-3130-4052-bcf1-ee8708011ead
    TargetObjectIdentifier : urn:uuid:0b6e0e20-54e1-439a-92b2-90224ae71f2f
    ObjectType : mv-data
    State : Put
    Changes : {SyncConfig-password-sync, SyncConfig-provisioning-type, SyncConfig-schema, SyncConfig-version...}
    AnchorPairs : {DisplayName}

This all seems right but I have hit a wall and was hoping someone else may have successfully migrated sync engine data using the fimservice powershell cmdlets.

BTW, I have got to the ma-data import yet because I am fairly certain that the mv-data is required.

Thanks in advance!

    Log Name: System
    Source: Microsoft-Windows-DistributedCOM
    Date: 2/21/2010 1:06:39 PM
    Event ID: 10016
    Task Category: None
    Level: Error
    Keywords: Classic
    User: NETWORK SERVICE
    Computer: FIMDEV05.GMEOCMS.GBL.DEV
    Description:
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} and APPID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
        <EventID Qualifiers="49152">10016</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-02-21T21:06:39.000000000Z" />
        <EventRecordID>11485</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>FIMDEV05.GMEOCMS.GBL.DEV</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <EventData>
        <Data Name="param1">application-specific</Data>
        <Data Name="param2">Local</Data>
        <Data Name="param3">Activation</Data>
        <Data Name="param4">{61738644-F196-11D0-9953-00C04FD919C1}</Data>
        <Data Name="param5">{61738644-F196-11D0-9953-00C04FD919C1}</Data>
        <Data Name="param6">NT AUTHORITY</Data>
        <Data Name="param7">NETWORK SERVICE</Data>
        <Data Name="param8">S-1-5-20</Data>
        <Data Name="param9">LocalHost (Using LRPC)</Data>
      </EventData>
    </Event>

    Import-FIMConfig : Failure when making web service call.
    SourceObjectID = urn:uuid:8be53a7d-3130-4052-bcf1-ee8708011ead
    Error = Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The endpoint could not dispatch the request.
       at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()
       at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()
       at Microsoft.ResourceManagement.Automation.ImportConfig.UnifiedClientPut(List`1 changeList, UniqueIdentifier objectIdentifier, String objectType, CultureInfo locale)
       at Microsoft.ResourceManagement.Automation.ImportConfig.ProcessLocaleBucket(String objectIdentifier, String objectType, Dictionary`2 localeBucket)
       at Microsoft.ResourceManagement.Automation.ImportConfig.Put(String objectIdentifier, String objectType, List`1 changeList)
       at Microsoft.ResourceManagement.Automation.ImportConfig.EndProcessing()
    At D:\FIMSetup\MVCommit.ps1:57 char:45
    + $undoneImports = $imports | Import-FIMConfig <<<<
        + CategoryInfo : InvalidOperation: (:) [Import-FIMConfig], InvalidOperationException
        + FullyQualifiedErrorId : ImportConfig,Microsoft.ResourceManagement.Automation.ImportConfig
February 22nd, 2010 12:26am
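An added example, not part of the original post: a small PowerShell helper that turns a DCOM 10016 event like the one quoted above into named fields, so the denied account, permission and APPID can be read or grouped without opening each event. The function name is hypothetical, and the param1 to param9 mapping assumes the event layout shown in the post.

```powershell
# Constructed sample: the Event XML from the post above, trimmed to the fields used here.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="49152">10016</EventID>
    <TimeCreated SystemTime="2010-02-21T21:06:39.000000000Z" />
    <Computer>FIMDEV05.GMEOCMS.GBL.DEV</Computer>
  </System>
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">Activation</Data>
    <Data Name="param4">{61738644-F196-11D0-9953-00C04FD919C1}</Data>
    <Data Name="param5">{61738644-F196-11D0-9953-00C04FD919C1}</Data>
    <Data Name="param6">NT AUTHORITY</Data>
    <Data Name="param7">NETWORK SERVICE</Data>
    <Data Name="param8">S-1-5-20</Data>
    <Data Name="param9">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>
'@

# Hypothetical helper (not a built-in cmdlet): one 10016 event in, one object out.
function ConvertFrom-Dcom10016Xml {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    # Skip anything that is not a 10016 event.
    if ($doc.SelectSingleNode('//e:System/e:EventID', $ns).InnerText -ne '10016') { return }
    $p = @{}
    foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
        $p[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time     = $doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer = $doc.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
        Denied   = "$($p.param2) $($p.param3)"      # e.g. "Local Activation"
        Scope    = $p.param1                        # application-specific vs. machine-default
        Clsid    = $p.param4
        AppId    = $p.param5
        Account  = "$($p.param6)\$($p.param7)"
        Sid      = $p.param8
        Origin   = $p.param9
    }
}
ConvertFrom-Dcom10016Xml -Xml $sampleXml | Format-List
# On a live server (not run here): count denials per APPID and account.
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } |
#   ForEach-Object { ConvertFrom-Dcom10016Xml -Xml $_.ToXml() } | Group-Object AppId, Account
```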
I don't think what you are trying to do is supported. Also, there is no way to turn off the automatic sync of information from the Sync Engine to the FIM Service. Likely you'd get the two out of synch and get some weird errors.

What is the goal you are trying to accomplish?

Eric
February 22nd, 2010 9:34pm
I have a fairly complex environment and migrating from a pilot to a production environment using the sync engine UI to import the server config is not impossible but it is definitely not practical. My goal is to export the mv-data and the ma-data nodes from pilot and import them into production. The problem is that all the MA connection and ldaps paths are different in the production environment which means a very painful and possibly error prone manual input process. Getting it wrong in production could cause unintended results.

The MV (mv-data) export and import seem fairly straightforward (with the exception of the error on import) because the data is generic to both pilot and production. However, the MA (ma-data) export and import will have a lot of environment specific config information. My goal is to massage the xml with the production config info and then run an import. Sounds like a great tool for the script box. :>)

Hope that helps
February 22nd, 2010 11:18pm
I'm not sure I see the benefit since the number of places that you could mess up hacking XML vs the MA connection strings is much higher. If a connection string or password is wrong, generally you only can't connect.

This would be one where you should talk with Microsoft Premier support but I'd bet that they won't recommend or support it. I don't know what integrity/version checking/delta the sync and fim service use between each other. Likely your changes would be overwritten the first time you make a change on the sync side.

Honestly the only way I see this is worth the effort is that you previously built both test and dev by hand rather than exporting the sync config and importing into Prod initially and now the MA Guids don't match making import/update the nightmare you describe. If you fixed it once by importing from one to the other (either way) and get the MA Guids synched up, it should just update the changes automatically the way FIM wants. That is unless your dev and prod environments are wildly different and you're doing a manual hack of the XML files to address the differences in which case you've got bigger problems.

Eric
February 22nd, 2010 11:42pm
Thanks Eric!

I wouldn't be hacking the xml, imo. I have known connection strings in each environment and I could easily search and replace those strings in the xml file programmatically. Let's set aside the debate on its merits if you don't mind. I appreciate your time. If anyone else has some thoughts on technical feasibility or the error I posted I would really appreciate it.
February 23rd, 2010 2:13am