What causes Import-FIMConfig to give an InvalidOperationException ?
Trying desperately to migrate FIM 2010 R2 from Dev to Test.
Following the migration document and running the powershell scripts. I get my changes.xml file and run CommitChanges.ps1
I get all Sets which have been changed somehow rejected with Error:
At C:\FIM\scripts\migration\CommitChanges.ps1:15 char:45
+ $undoneImports = $imports | Import-FIMConfig <<<<
+ CategoryInfo : InvalidOperation: (:) [Import-FIMConfig], InvalidOperationException
+ FullyQualifiedErrorId : ImportConfig,Microsoft.ResourceManagement.Automation.ImportConfig
No matter how I edit the undone.xml I ALWAYS get this error message.
What gives?
July 20th, 2012 8:26am
Any hints in the request log? (I.e. Search Requests in the portal.)
Free Windows Admin Tool Kit Click here and download it now
July 20th, 2012 10:49am
There are a number of possibilities here, but from experience I have a strong hunch you have a set with an invalid reference ... i.e. a reference to an object which has since been deleted. This should show up as a warning when you are running the earlier
export policy script ... so go back over the output to this and you should have your clue. Look for something like an "object reference doesn't exist" error.Bob Bradley (FIMBob @
TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM
July 21st, 2012 10:12am
Well. On review the export policy script, there were NO errors and NO warnings.
The Portal "Manage My Requests" seemed to give some hints though.
All of the failed Set Creations have the status "Denied" - am I right in thinking that this is due to an MPR mismatch.
When I open up one of the "Denied" requests I see:
Create Set: 'All Global SGs' Request
Under the General Tab I see:
Request Summary Create Set: 'All Global SGs' Request
Request Date 18.7.2012 4:21:20
Requestor administrator
Request Completion Date 18.7.2012 4:21:21
Status Denied
Request Workflow Remarks Blue circle with i and the error message below.
Forefront Identity Management Service is not able to serialize this XOML definition '<ns0:SequentialWorkflow x
:Name="SequentialWorkflow" ActorId="00000000-0000-0000-0000-000000000000" WorkflowDefinitionId="00000000-0000-0000-0000
-000000000000" RequestId="00000000-0000-0000-0000-000000000000" TargetId="00000000-0000-0000-0000-000000000000" xmlns:x
="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:ns0="clr-namespace:Microsoft.ResourceManagement.Workflow.Activiti
es;Assembly=Microsoft.ResourceManagement, Version=4.1.1906.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"> <
;ns0:FilterValidationActivity FilterScopeIdentifier="06185a61-75a1-401e-a698-498351b9f9b5" x:Name="FilterValidationActi
vity1" /> </ns0:SequentialWorkflow>'.</RequestStatusDetail><RequestStatusDetail xmlns:xsi="http://www.w3.org/2
001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" DetailLevel="Information" EntryTime="2012-07-18T11
:00:46.7462389Z">Forefront Identity Management Service is not able to serialize this XOML definition '<ns0:Sequentia
lWorkflow x:Name="SequentialWorkflow" ActorId="00000000-0000-0000-0000-000000000000" WorkflowDefinitionId="00000000-000
0-0000-0000-000000000000" RequestId="00000000-0000-0000-0000-000000000000" TargetId="00000000-0000-0000-0000-0000000000
00" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:ns0="clr-namespace:Microsoft.ResourceManagement.Workfl
ow.Activities;Assembly=Microsoft.ResourceManagement, Version=4.1.1906.0, Culture=neutral, PublicKeyToken=31bf3856ad364e
35"> <ns0:FilterValidationActivity FilterScopeIdentifier="06185a61-75a1-401e-a698-498351b9f9b5" x:Name="FilterVal
idationActivity1" /> </ns0:SequentialWorkflow>
Detailed Content Tab gives
Operation Create
Target Resource Type Set
Request Contents
(details of the data contained in the request)
Attribute Type
Value
Creator Reference:User administrator
DisplayName String
All Global SGs
Filter Text
Resource ID ID
a guid
Resource Type String
Set
Temporal Boolean
False
Applied Policy Tab shows
Matched Management Policy Rules.
Display Name
Grants Right AuthN WF AuthZ WF Action WF
Administration: Administrators control set resources Yes No
Yes No
General WF Filter attribute Validation for Admins Yes No
Yes No
What I am surprised by is the BLANK Filter in the Detailed Contents Tab. My xml being imported HAD a Filter which was presumably built by the Export step which gave no errors.
These 2 MPRs exist in my production setup (the environment I am migrating to) they look OK.
I am really baffled by this!!
*HH
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2012 3:48am
I have found that the filter permissions do not always migrate correctly. Try setting the filter permissions manually (Administration/Filter Permission) and importing again.
July 23rd, 2012 3:58am
The amended Filter Permission was migrated OK. First thing I looked at as we use EmployeeStatus as a criterium.
Anyways I edited it unchecking employeeStatus submiting and reediting it.
Rerun the import and No effect.
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2012 5:35am
The amended Filter Permission was migrated OK. First thing I looked at as we use EmployeeStatus as a criterium.
Anyways I edited it unchecking employeeStatus submiting and reediting it.
Rerun the import and No effect.
July 23rd, 2012 5:36am
Problem traced to a Version mismatch.
We upgraded from R2RC to R2 RTM and then migrated this (upgraded) system to another host.
Seems that the versions are not quite exact. Anyways we fixed it by hacking the pilot_xml to massage the version numbers to suit.
Free Windows Admin Tool Kit Click here and download it now
July 27th, 2012 4:48am