Microsoft Identity Manager 2016 Handbook

Product type: Book
Published in: Jul 2016
Publisher: Packt
ISBN-13: 9781785283925
Pages: 692 pages
Edition: 1st Edition
Authors (2): David Steadman, Jeff Ingalls

Table of Contents (22 chapters)

  • Microsoft Identity Manager 2016 Handbook

  • Credits

  • About the Authors

  • About the Reviewers

  • www.PacktPub.com

  • Preface

  • Overview of Microsoft Identity Manager 2016

  • Installation

  • MIM Sync Configuration

  • MIM Service Configuration

  • User Management

  • Group Management

  • Role-Based Access Control with BHOLD

  • Reducing Threats with PAM

  • Password Management

  • Overview of Certificate Management

  • Installation and the Client Side of Certificate Management

  • Certificate Management Scenarios

  • Reporting

  • Troubleshooting

  • Operations and Best Practices

  • Index

Chapter 14. Troubleshooting

The last two chapters of the book are intended to help you operate and support Microsoft Identity Manager. We will approach MIM troubleshooting component by component and show you how and where to find the data that will lead you to the root cause. We will also discuss some of the common errors for each component and how to solve them.

In this chapter, we will cover:

  • The basics

  • The sync engine

  • The FIM service

  • The FIM portal

  • The password change notification service

The basics


Sometimes, the hardest part of troubleshooting is figuring out where to start, especially when MIM involves so many technologies. A single problem could be caused by one or more MIM server(s), an MIM component, the MIM configuration, a rules extension logic problem, the network, invalid or incorrect data entered at the source system(s), or other things such as the underlying infrastructure of domain controller(s), DNS, SQL Server, SharePoint, or IIS.

One way to start troubleshooting is to think of how the components are installed in your specific environment—that is, determining the systems or components involved in a particular problem.

Let's take the basic data problem in which an account has missing or wrong data and list a few possible causes. The source system could be down, source data could have been accidentally deleted or entered incorrectly, or the service account being used by MIM could have issues such as incorrect permissions, password reset, or the account being disabled...

Operation statistics


A quick and simple way to determine whether an MIM solution is working as you expect is to look at the MIM synchronization statistics and the FIM service statistics. MIM exposes the synchronization engine's operational statistics in Synchronization Service Manager under Tools | Statistics:

How can looking at numbers help you troubleshoot a problem? Let's say your environment has a source system responsible for projecting to the Metaverse, yet when you look at the statistics, you notice that less than half of the objects are connectors. There could be a data issue or a misconfiguration (or misunderstanding) with the connector filter or rules extension. That is, the synchronization statistics provide a sense of a potential problem. A large number of explicit disconnectors or explicit connectors is another sign that there are (or used to be) data issues or that the Management Agent configuration may need adjustment.

The FIM service provides operational...

A simple data problem


The sync engine server is a great place to start because we can easily see data sync errors, the state of the Metaverse object(s), and that of the connector space object(s). The quickest way to know whether the sync engine is experiencing errors is to look at the Operations tool. If a run profile returns a status of anything other than success, then there is an error, as shown here:

If you click on the row containing the error, the lower pane is split into a statistics window and an error window. With a few exceptions, the error window will contain a hyperlink to the object reporting an error, which you can click on and receive more information:

Another method to identify and work through problems is to search the Metaverse or the connector space directly. We have already discussed how searching with the Metaverse Search tool should be intuitive. Let's look at troubleshooting as it's typically done: from the point of the object having issues or at the connector-space...

Rule extension debugging and logging


Let's take another example in which data is not flowing from the source system to the target system. We will use a simple error for our example; however, the steps we will now show can be applied to any scenario. When debugging rules, the extension code is needed. In this scenario, you have come back from vacation after some changes have been made and are told that several objects are not updating their displayName attribute in AD. One such object is Ed Bush, TFC\EBush, who should have the displayName attribute of Edward Bush. Here, we will look at the connector space object and find a Synchronization Error tab that tells us that HRExtension.dll has a problem, specifically a problem with the import flow on displayName. If we click on the Stack Trace button, we can see more information about the error:

The error informs us that we are attempting to use middleName in HRExtension.dll, but Edward Bush's HR record does not have a middleName value. Sometimes...

Rule extension logging


If you have a rules extension, it may be useful to utilize logging. You can create a log file for a rules extension by adding the \Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\Logging.dll reference to your Management Agent project:

Then, within your rules extension code, add a logging event similar to this:

Logging.Log("Error in account: " + csentry.DN.ToString(), True, 2)

The three parameters are as follows:

Logging.Log(logMessage, addTimeStamp, loggingLevel)

Here is what they mean:

  • logMessage: This is the string message to write to the log. In the preceding example, we concatenate a custom string with the string value of the connector space object's DN.

  • addTimeStamp: This is a Boolean value that determines whether a time stamp should be included.

  • loggingLevel: This is the logging level at which the message is written to the log. The log file entry is only written if loggingLevel is equal to or greater than the value set in the logging...
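Putting the displayName scenario and the logging call together, here is an added C# rules extension (example code written for this page, not the book's own HRExtension.dll). It implements the displayName import flow from the Ed Bush case, keeping the failing form that reads middleName unconditionally beside a guarded form that tests IsPresent first and records the affected object through Logging.Log at level 2. The flow rule name, the HR attribute names (firstName, middleName, lastName), and the using directive for the Logging assembly's namespace are assumptions; check them against your Management Agent's attribute flow configuration and the Logging.dll reference.

```csharp
// Added example, not from the book. Assumes references to
// Microsoft.MetadirectoryServices.dll and to the Logging.dll shipped under
// \Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions.
using System;
using Microsoft.MetadirectoryServices;
using Microsoft.MetadirectoryServices.Logging; // assumed namespace of Logging.dll; verify in the assembly

public class HRExtension : IMASynchronization
{
    // Assumed flow rule name; it must match the advanced import flow configured on the HR MA.
    private const string DisplayNameFlow = "displayName";

    public void Initialize() { }
    public void Terminate() { }

    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case DisplayNameFlow:
                // The guarded builder never touches an attribute that is not present,
                // so an HR record without a middle name no longer stops the import flow.
                mventry["displayName"].Value = BuildDisplayName(csentry);
                break;
            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // The failing form from the chapter's scenario: reading csentry["middleName"].Value
    // on a record that has no middleName raises AttributeNotPresentException, which is
    // the stack trace seen on the Synchronization Error tab for TFC\EBush.
    private static string BuildDisplayNameUnguarded(CSEntry csentry)
    {
        return csentry["firstName"].Value + " " + csentry["middleName"].Value + " " + csentry["lastName"].Value;
    }

    // The guarded form: test IsPresent before reading, and log which object lacked the
    // optional attribute. The entry is written when the configured logging level admits level 2.
    private static string BuildDisplayName(CSEntry csentry)
    {
        string first = GetOrEmpty(csentry, "firstName");
        string middle = GetOrEmpty(csentry, "middleName");
        string last = GetOrEmpty(csentry, "lastName");

        if (middle.Length == 0)
        {
            Logging.Log("middleName absent, building displayName from first/last only: " + csentry.DN.ToString(), true, 2);
            return first + " " + last;
        }
        return first + " " + middle + " " + last;
    }

    // Returns the attribute's string value, or an empty string if the connector space object lacks it.
    private static string GetOrEmpty(CSEntry csentry, string attributeName)
    {
        return csentry[attributeName].IsPresent ? csentry[attributeName].Value : string.Empty;
    }

    // The remaining IMASynchronization entry points are not used by this MA. MIM's own
    // Visual Studio template leaves unused entry points throwing EntryPointNotImplementedException.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }
}
```

When you attach the Visual Studio debugger as the chapter describes, a breakpoint inside BuildDisplayName lets you inspect csentry["middleName"].IsPresent for the failing object directly, and the log line gives you the DN of every object that took the fallback path without having to step through each one.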

MIM service request failures


If you have deployed the MIM portal and are experiencing problems with it as a source or target system, a good place to start is the request history. You can search the request history by clicking on Search Requests:

Let's take a look at a common support call where a MIM request is failing and figure out the problem simply by looking at the request history. In this situation, an update to the Jeff Ingalls Direct Reports group is failing, as shown in the following screenshot:

If we click on the Detailed Content tab, we can see that we are trying to update description on the group:

Click on the Advanced View button and the Extended Attributes tab and look for Parent Request:

Next, click on the Applied Policy tab, and we can see numerous Management Policy Rules that were applied, as seen here:

If we click on the MPR object TFC: AD Group Provisioning and look at the details of its workflows, we will see a Set Description function that sets the value Managed by MIM Portal...

Debugging a custom activity


You can debug the execution of a custom activity the same way as a rules extension. Open the project in Visual Studio, and in the Debug menu, select Attach to Process. In the Attach to: field, select Managed Code, and in Available Processes, select Microsoft.ResourceManagement.Service.exe. Set breakpoints as already described. Debug a custom activity UI by attaching to the w3wp.exe process, creating a workflow, and selecting the custom activity.

Increasing application logging


You can increase the events sent to the Forefront Identity Manager Application log by editing \Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config, changing switchValue from Error to Verbose, and then restarting the MIM service (the Forefront Identity Manager service).

Password change notification service


One of the most common problems with PCNS is that the service is not installed or not running on the domain controller that handled a user's password reset. Recall that PCNS must be installed on all source domain controllers. Another common problem is that password synchronization is not enabled within the synchronization engine. There are three places to verify within the synchronization engine:

  • The source MA's Configure Directory Partitions section should have Enable this partition as a password synchronization source checked, with targets specified.

  • The target MA should have Enable password management enabled in the Configure Extensions tab.

  • The global setting Enable Password Synchronization should be enabled in Tools | Options.

MIM logging is enabled by adding a REG_DWORD entry FeaturePwdSyncLogLevel to the registry subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Logging. A value of 0 indicates minimal logging, 1 is normal (default...

Summary


In this chapter, we discussed using statistics to find potential problems, how to use the Synchronization Service Manager tool to find a data problem, and how to debug a rules extension and custom activity. We showed you how to increase application logging and investigate MIM service requests to find the cause of a failing request.

In the next chapter, we will look at some operational best practices that can be used to help you with your implementation and keep your Microsoft identity solution operationally sound and healthy.
