Powershell Tip: FIM/MIM Explicit Disconnectors be gone… quickly!!!

Happy New Year!!! Hope everyone had a great 2017 and hopefully an even better 2018

If you know disconnectors then you definitely know how irritating the FIM/MIM GUI can be when converting a disconnector from explicit to normal, or vice versa, when you have potentially tens or hundreds of them. The Joiner tab isn't really friendly for selecting multiple disconnectors and converting them in a batch.

Thanks to the Lithnet MIIS PowerShell module you can convert hundreds of them in one line, in a couple of seconds.

If you have an MA with hundreds of explicit disconnectors, just run the following command (replacing <MA NAME> with the ….. MA name).

Done… Simples… You can of course do the opposite as well if you wish, i.e. normal disconnectors -> explicit disconnectors.

MIM AD Sync Error: Unable to update the password – Another POV

So we sync AD users cross-domain (not within a single forest), say from "DC=contoso,DC=com" to "DC=fabrikam,DC=com". Without getting too far into it, we do some matching and use a rules extension to convert a few values to match the destination domain.

I have recently been seeing the following error when the sync engine tries to enable a disabled user in the fabrikam domain.


Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

This happens although the password policy is the same in both domains.

After a tip: for some reason the password was not set when the user was synced. When the sync engine then tried to enable the user, the account had no password at all, which fails the domain policy.

Fix: I got the list of failing users from MIM and set their passwords manually in the destination domain using the following script.


After this, the sync engine fixed the user up automatically.

Generic LDAP MA Error on Upgrade to AADConnect v1.1.649.0

Hey Guys

Another day – another bug #bugmaster (although a very small one)

If you use Azure AD Connect, manually upgrade to v1.1.649.0 and have a Generic LDAP MA in your configuration, then after the upgrade you will get a "no-start-ma" error on Delta / Full Import, or an "extension-dll-exception" on an export or when syncs start automatically after the upgrade.

Fix: Easy one – open the MA and click through each configuration page to refresh the MA manually.

Microsoft has acknowledged the bug and will fix it in the next release.

I am surprised, as there aren't that many MA extensions in AADConnect, that this was missed in their internal testing.

Powershell Tip: Send quick Email when a service goes down [Update: And bring it back up]

Yes, we have SCOM monitoring and so on, but if some testing or debugging is going on and you don't want to go through the hassle of setting up alerts, and simply want to be notified when a service goes down, here is a simple script.


It's pretty self-explanatory.

You can also send it to multiple recipients.


Voila!! It will check every 10 seconds and, if the service is in any state other than "Running", it will send you an email and stop execution.

Update: It is also easy to bring the service back up when it goes down. Run the following in PowerShell as Administrator. It will send a mail when the service is down and then start it again.
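The behaviour described above, as an added example rather than the post's own script: poll the service every 10 seconds, mail when it is not "Running", and either stop (the original behaviour) or try to start it again (the "Update"). The service name, SMTP relay and addresses are placeholders you need to replace.

```powershell
# Added example (not the post's script): watch a Windows service, mail when it is not Running,
# and optionally start it again. Names and addresses below are placeholders.
$ServiceName   = 'FIMSynchronizationService'          # assumed: the MIM Sync service
$SmtpServer    = 'smtp.example.com'                   # placeholder SMTP relay
$From          = 'mim-alerts@example.com'             # placeholder sender
$To            = @('admin1@example.com', 'admin2@example.com')   # placeholder recipients
$IntervalSec   = 10                                   # poll interval from the post
$RestartIfDown = $true                                # $false = original behaviour: mail once and stop

function Send-ServiceAlert {
    param([string]$Subject, [string]$Body)
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $Subject -Body $Body
}

while ($true) {
    # -ErrorAction Stop so a typo in the service name fails loudly instead of looping forever
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        Send-ServiceAlert -Subject "[$env:COMPUTERNAME] $ServiceName is $($svc.Status)" `
                          -Body "Service '$ServiceName' was found in state '$($svc.Status)' at $stamp."

        if (-not $RestartIfDown) { break }              # original script: notify once and stop

        # Update: bring it back up (run PowerShell as Administrator for this to succeed)
        try {
            Start-Service -Name $ServiceName -ErrorAction Stop
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
            Send-ServiceAlert -Subject "[$env:COMPUTERNAME] $ServiceName restarted" `
                              -Body "Service '$ServiceName' was started again at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')."
        }
        catch {
            # Could not start it (not elevated, dependency failure, timeout): report and stop polling
            Send-ServiceAlert -Subject "[$env:COMPUTERNAME] $ServiceName restart FAILED" `
                              -Body "Start-Service failed: $($_.Exception.Message)"
            break
        }
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Set `$RestartIfDown` to `$false` to get the first version of the script, which only notifies and exits.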



Google API Bug: orgUnitPath not returning after modification via patch / update

Another day.. Another bug!!!

We use the Google API to provision and manage users in Google Apps via the Google MA for FIM/MIM.

I have recently found that when you change a user's orgUnitPath and send it as a patch / update to Google, the API does not confirm the change by returning the new value in the response. The change is actually made, though: if you do a GET for the user you can see the modified orgUnitPath.

The same happens in the Google API Explorer and the OAuth Playground.

Request

Response (no orgUnitPath is returned although change has been made)

Google has confirmed this as a high priority bug (b/65534998), but it's been a week since it was reported. Their current suggested workaround is to do a GET after a PUT or PATCH and not rely on the return values of those calls. That doesn't really solve the issue for us in an extremely large environment, and it also means changing the code, etc.

Keep calm and wait!!!