FIM 2010: How to delete Management Agent and Connector Space
Purpose
This document provides guidance for the occasions when you need to delete a connector space. It covers the steps to take, and the points to think about, before deleting the connector space.
Why delete the connector space?
Why are you deleting the connector space? Before you delete it, it is very important to understand why you are doing so and what the ramifications are for your identity management solution. A deletion that is not thought out and done correctly can have serious consequences.
The main reason to delete a connector space is data corruption in the connector space. There are times when the connector space ends up with corrupted data and the only way around it is to delete the connector space. The metaverse object, however, is OK, so in some cases we will want to leave that alone.
Is the connector space that you are deleting part of a complete FIM solution that includes the FIM Service Management Agent? If the answer is yes, then once you have completed these steps, review the wiki on deleting the FIM Service Management Agent Connector Space. It will help you bring your environment back up as quickly as possible, and it covers the steps to re-sync the objects from the FIM Portal with those in the metaverse.
Steps
Steps to guide you through deleting the connector space
Note
If you are using Declarative Provisioning, then all of your DREs will be deleted. They will be re-created when the object is put back. It will, however, cause object synchronization “churn” that could extend the time it takes to recover from the connector space deletion.
- Backup Database
- Backup Management Agent Configuration
- Validate the object deletion rule
- Attribute Recall
- Deleting the Connector Space
- Disable Provisioning
- Recreate Management Agent
- Bring the objects back into the metaverse
- Re-enable provisioning
- Checking Exports before actually exporting
- Return system back to the original configuration
Backup Database
With disaster recovery in mind, we want to be able to get back to the previous setup without too much trouble should the need arise. To do this, we recommend that the FIM Synchronization Service database (MicrosoftIdentityIntegrationServer database for IIFP/MIIS/ILM) is properly backed up prior to deleting the connector space. If you are using the FIM Service and Portal, then we recommend backing up the FIM Service database as well.
Find more information on backing up the backend database here.
Backup Management Agent Configuration
The need may arise where you have to actually delete the Management Agent as well. If you do have to delete the Management Agent, then here are steps to back up the Management Agent. If you do not have to delete the connector space, then skip this section.
- In the Synchronization Service Manager, select Management Agents
- Select the Management Agent in question
- From the Actions menu, select Export Management Agent
- Save it to an easy to remember, secure location
- Click OK
If you have to recreate the management agent from scratch, then:
- Download and Install the Resource Kit 2.0 for Microsoft Identity Integration Server 2003
- Use the Management Agent Configuration Viewer to view the information in the Management Agent in a clean HTML format. It will help you review the existing information.
Validate object deletion rule
In the Synchronization Service Manager, select Metaverse Designer
Note
You will need to set this for each object type that you are working with in the connector space that is being deleted.
Click Configure Object Deletion Rule
Ensure that you have the top radio button selected. (Delete the metaverse object when the last connector is disconnected. Ignore connectors from the following list of management agents.)
Click OK
For more information on understanding the deprovisioning process, click here.
Attribute recall
Attribute Recall determines whether the Synchronization Service leaves in place the attribute information that was provided by the management agent whose connector space is being deleted.
You can get here by:
- Viewing the Properties of the Management Agent
- Selecting the Configure Deprovisioning tab
- Checking the status of the check box for the attribute recall to ensure that it is checked.
Deleting the connector space
At this point, we are ready to delete the connector space.
In the Synchronization Service Manager, select Management Agents
Select the Management Agent in question
From the Actions menu, select Delete
In this case, we are just going to delete the connector space, so we will choose the first radio button, Delete connector space only.
Note
If you are actually deleting the management agent, then you would choose the second radio button. However, it is still very important to go through all the pieces of this document to ensure that we can get back to a previous state should the need arise.
- Click the OK button.
Disable provisioning
Once the deletion process has completed, we want to be able to import and synchronize the objects back into the metaverse without running through provisioning. This allows the objects to join back up to existing objects. If you are using Synchronization Rule Provisioning, you need to ensure that it is disabled as well.
- Inside of the Synchronization Service Manager, from the Tools menu select Options
- Uncheck “Enable Provisioning Rules Extension” and “Enable Synchronization Rule Provisioning”
- Click OK.
Recreate the management agent
Caution
If you have not exported the management agent prior to deleting the management agent, then you will have to re-create the management agent from memory or restore a backup of the backend SQL Server database and go through the steps again.
At this point, you are ready to rebuild the Management Agent. If you have not already downloaded and installed the Resource Kit 2.0 for Microsoft Identity Integration Server 2003, please do so now, as the Management Agent Configuration Viewer is a valuable asset when having to re-create the Management Agent.
- Open the Management Agent Configuration Viewer
- Click the Browse Button and locate the exported management agent
- Click Open
- Click the Show Configuration Button
- Use the information in this HTML file to rebuild the Management Agent.
Bring the objects back into the metaverse (Import and Synchronization)
At this time, we should be ready to bring the objects back into the connector space first, and then send them to the metaverse. We will take the safe path first by previewing a few objects to ensure success. Since provisioning is not enabled, the objects will be joined to the existing metaverse objects.
- In the Synchronization Service Manager, select Management Agents
- Select the Management Agent in question
- From the Actions menu, select Configure Run Profiles
- Ensure that you have a Full Import (Stage Only) run profile.
- A single step that does nothing more than a Full Import (Stage Only).
- Click OK
- From the Actions menu, select Run
- Select the Run Profile for a Full Import (Stage Only)
- Once the objects are imported, we can now Preview a few objects
- Ensure that the Management Agent in question is still selected
- From the Actions menu, select Search Connector Space
- Leave Scope on Sub-Tree and the textbox blank and then click Search.
- If you have a lot of objects, simply click stop, as you will only need to work with a few objects.
- Double click on an object to open its properties
- Click the Preview button
- Ensure that the Full Synchronization is selected (selected by default).
- Click Generate Preview
- The Generate Preview button allows you to see what is going to happen when you execute a full synchronization.
- Review the Join and Projection Rules to confirm that the object is joining to the existing objects.
- If all looks well then you can proceed. If you are having a join problem, you will need to investigate the join problem.
- If you want to walk the object all the way through, then click Start Preview, and then click Commit Preview. At this point, the object that you are working with here should be joined.
- At this point, you can make the decision to continue testing with one object, or to press forward and run a Full Synchronization on the Management Agent to join all objects to existing metaverse objects.
Re-enable provisioning
We are ready to re-enable provisioning. If you are using Synchronization Rule Provisioning, you need to ensure that it is enabled as well.
- Inside of the Synchronization Service Manager, from the Tools menu select Options
- Check “Enable Provisioning Rules Extension” and “Enable Synchronization Rule Provisioning”
- Click OK.
Now, based on your decision above, you can continue working/testing with one object with provisioning enabled. If you do, simply go through the steps above in Bring the objects back into the metaverse, starting at number 10.
Once you are satisfied with how one object looks, you will then be ready to run a Full Synchronization with Provisioning enabled.
Checking exports before actually exporting
A procedure such as deleting the connector space can produce some unwanted results. In light of that, we want to be extra cautious and review our Pending Exports before they are actually written to the connected data source.
There are two ways to do this, and if the desire is to be as cautious as possible, then execute them both.
Pending Exports Connector Space Search
- In the Synchronization Service Manager, select Management Agents
- Select the Target Management Agent in question
- From the Actions menu, select Search Connector Space
- Change the Scope to Pending Exports
- Check all three to see the total number of objects going to be exported
- Check one at a time to see the number of objects for each item
- It is important to check the number of deletes to understand how many you will have, and if it is correct.
- Review the data in some of the objects to ensure the data is returning to its correct format.
If the data has returned to its correct format, and you feel comfortable, then you are ready to export the data to the connected data source, or execute the step below to Export to a Drop File.
Export to a drop file
Exporting to a drop file allows you to view the data that is going to be exported to a connected data source. Remember that exports are always delta and only export changes, so the data that you will see in the drop file is just the objects that were changed and the attributes that are being changed.
- In the Synchronization Service Manager, select Management Agents
- Select the Target Management Agent in question
- From the Actions menu, select Configure Run Profiles
- Click New Profile
- Give a name to this profile (e.g. Export-DropFile)
- Click Next
- Type: Export
- Click Log File Options
- Select the 3rd Option – Create Log File and Stop the Run. Do not export to Data Source.
- Give the Log File a name
- Click OK
- Click next and finish the Run Profile creation.
The data will be dropped to an XML file in the %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\<Target Management Agent Name> folder. Review this file and understand what data will be exported, and the actions that will happen. Once the export to a drop file passes, then you are ready for the export.
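The pending-export counts from the connector space search, and the drop-file run described above, can also be checked from PowerShell through the Synchronization Service WMI provider. This is an added example, not part of the original article: the function name, the delete threshold and the placeholder management agent name are assumptions, and Export-DropFile is the run profile name used as the example in the steps above.

```powershell
# Added example: pending-export gate for one FIM management agent (run on the sync server).
# The parameter defaults and the delete threshold are assumptions; set them for your environment.
function Test-PendingExport {
    param(
        [Parameter(Mandatory = $true)] [string] $MaName,
        [int]    $MaxDeletes      = 0,                  # deletes you expect after the rebuild
        [string] $DropFileProfile = 'Export-DropFile',  # run profile created in the steps above
        [switch] $RunDropFile
    )

    # WQL string literals escape backslash and single quote with a backslash.
    $safeName = $MaName.Replace('\', '\\').Replace("'", "\'")
    $ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
              -Class 'MIIS_ManagementAgent' -Filter "Name='$safeName'"
    if (-not $ma) { throw "Management agent '$MaName' was not found." }

    # Same numbers as the Pending Exports search, read without opening the UI.
    $pending = New-Object psobject -Property @{
        ManagementAgent = $ma.Name
        Adds            = [int]$ma.NumExportAdd().ReturnValue
        Updates         = [int]$ma.NumExportUpdate().ReturnValue
        Deletes         = [int]$ma.NumExportDelete().ReturnValue
    }

    if ($pending.Deletes -gt $MaxDeletes) {
        throw ("{0}: {1} pending export deletes, expected at most {2}. Do not export; " +
               "review the join results first." -f $MaName, $pending.Deletes, $MaxDeletes)
    }

    if ($RunDropFile) {
        # The profile is configured to write the log file and stop, so nothing reaches
        # the connected data source. The status string is reported as returned.
        $status = $ma.Execute($DropFileProfile).ReturnValue
        $pending | Add-Member -MemberType NoteProperty -Name DropFileRunStatus -Value $status
    }
    $pending
}

# Example call (the management agent name is a placeholder):
# Test-PendingExport -MaName '<Target Management Agent Name>' -MaxDeletes 0 -RunDropFile
```

The function throws before any run profile is executed when the pending delete count is above the threshold, so it can be placed in front of a scheduled export as a stop condition.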
Return the system back to the original configuration
- Change the Metaverse Object Deletion Rules back to their original configuration
- Re-Enable Provisioning
- If Attribute Recall had not been enabled before this process, disable it.