MIM PAM: New-PAMGroup : The pointer for this method was null
Introduction
It's easy to miss a step when deploying MIM PAM, especially if you choose to configure it manually (hint: use the configuration scripts). The result is often a confusing error message that only shows up once you expect things to be working. To save everyone some troubleshooting time, I will be posting several wikis on installing and troubleshooting MIM PAM.
Error
You will see this exception thrown in the PowerShell window when running New-PAMGroup.
New-PAMGroup : The pointer for this method was null.
The PAM event log contains much more useful information about this error (the entries below are listed as they appear in the log):
EventID | Level | Source | General
272 | Information | Microsoft.IdentityManagement.PamPowerShell | Group 'TestGroup' could not be added to the PAM system. Starting rollback
273 | Information | Microsoft.IdentityManagement.PamPowerShell | Group 'TestGroup' was deleted from domain 'priv.local'
274 | Information | Microsoft.IdentityManagement.PamPowerShell | Group 'TestGroup' rollback completed
276 | Information | Microsoft.IdentityManagement.PamPowerShell | Group 'TestGroup' from domain 'contoso.com' could not be added to the PAM system. Exception: The pointer for this method was null
260 | Warning | Microsoft.IdentityManagement.PamPowerShell | Unable to create shadow group 'TestGroup' in domain 'contoso.com'. Exception: 'System.NullReferenceException: The pointer for this method was null.'
278 | Error | Microsoft.IdentityManagement.PamPowerShell | Failed to copy SIDHistory for group 'TestGroup' from domain 'contoso.com', DC 'CorpDC.contoso.com' to domain 'priv.local', DC 'PrivDC.priv.local'. Exception: System.NullReferenceException: The pointer for this method was null.
Cause
Event ID 278 is the telling one. In this environment the bastion forest (priv.local) is at Forest Functional Level 2016 (Windows Server 2016). At that level, with the Privileged Access Management optional feature enabled, MIM PAM represents a corp group as a shadow principal object in the bastion forest's Shadow Principal Configuration container; it does not create a shadow group or copy the SIDHistory of the group object in the corp forest. The fact that MIM PAM was falling back to the older shadow-group-plus-SIDHistory path means the feature was not enabled. It turns out that in this lab I forgot to prepare my bastion forest by enabling the AD optional feature: Privileged Access Management.
Solution
- Log on to a domain controller in the bastion (priv.local) forest as an administrator with rights to enable forest-wide optional features (Enterprise Admins)
- Launch PowerShell
- Get-ADOptionalFeature -Identity "Privileged Access Management Feature" | Enable-ADOptionalFeature -Scope ForestOrConfigurationSet -Target priv.local
- Note that Enable-ADOptionalFeature prompts for -Scope and -Target if they are omitted, and that enabling this feature is irreversible; it also requires the forest to already be at Forest Functional Level 2016
- You should now see the Shadow Principal Configuration container (CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=priv,DC=local) in Active Directory Sites and Services, within the Services node
Note: if you do not see the Services node, highlight the root of Active Directory Sites and Services and select View -> Show Services Node.
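The following script wraps the steps above into one pre-flight check for the bastion forest. It is an added example and not part of the original wiki or the MIM PAM configuration scripts: it confirms the forest functional level, checks whether the Privileged Access Management feature is already enabled before trying to enable it, and then verifies that the Shadow Principal Configuration container exists. It assumes it is run on a domain controller in the bastion forest (priv.local in this wiki) with the ActiveDirectory module and Enterprise Admins rights; the forest name is read from Get-ADForest rather than hard-coded.

```powershell
# Added example (not from the original wiki): pre-flight check for the MIM PAM
# bastion forest. Assumes it runs on a bastion-forest DC with Enterprise Admins
# rights. Enabling the feature is irreversible, so it checks before enabling.

Import-Module ActiveDirectory

$forest      = Get-ADForest
$featureName = 'Privileged Access Management Feature'

# 1. The PAM feature requires Windows Server 2016 forest functional level.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest $($forest.Name) is at $($forest.ForestMode); $required is required for '$featureName'."
}

# 2. Look the feature up by name. EnabledScopes is empty until it has been
#    enabled, which is exactly the state that produces the New-PAMGroup error.
$feature = Get-ADOptionalFeature -Filter "Name -eq '$featureName'"
if (-not $feature) {
    throw "'$featureName' is not defined in the configuration partition; check the forest schema level."
}

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "'$featureName' is already enabled in: $($feature.EnabledScopes -join ', ')"
} else {
    # 3. Enable it forest-wide. -Target is the forest root domain (priv.local here).
    #    -Confirm:$false suppresses the interactive prompt; there is no undo.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    Write-Host "'$featureName' enabled for forest $($forest.RootDomain)."
}

# 4. Verify: the container MIM PAM writes shadow principals into must now exist.
#    This is the same object the wiki says to look for in AD Sites and Services.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$containerDN = "CN=Shadow Principal Configuration,CN=Services,$configNC"
try {
    $container = Get-ADObject -Identity $containerDN -Properties whenCreated
    Write-Host "Found $($container.DistinguishedName) (created $($container.whenCreated))."
} catch {
    throw "Container '$containerDN' not found. Confirm the feature was enabled against the forest root domain and allow time for replication."
}
```

Run it before the first New-PAMGroup; if step 4 reports the container, the SIDHistory path in event ID 278 should no longer be taken. If step 1 throws, raise the forest functional level first, since the optional feature cannot be enabled at a lower level.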
Conclusion
That's it! If you find any other causes for this error, reply in comments and I will update the wiki.