ILM2 RC0 Part 2 – Migrating configuration from ILM 2007

After successfully installing the ILM2 RC0 server, my next goal was to migrate the data, MAs and extension dlls from a production ILM 2007 server.

Copying the database

One of the great things about ILM is that all configuration is contained in the MicrosoftIdentityIntegrationServer database. So I need only backup the database and then restore it to the new server. Once the Sync Service has been configured to use the new database I should find all my MAs, data and Extension dlls exactly where they should be.

I also needed a copy of the keyset file from the old server. (If you can’t remember where you put it then just export a new one using miiskmu.exe.)

Restoring the database

I found that I had to remove the existing database before I could restore the copied one. I also stopped the Microsoft Identity Integration Server service before beginning.

Reinstalling the Sync Service

I may have been able to attach the new database by using miisactivate.exe, but actually I just went the approach of uninstalling and then reinstalling the Sync Service.

I got a couple of error messages about missing reg keys during the uninstall, but it completed nonetheless. The reinstall went fine and was quite happy to accept the restored database.

It all looked ok…

Everything appeared to be there – until I tried to Sync an MA and got a stopped-extension-dll-invalid-assembly. In the event log is Event 6157 with “The management agent “AD” failed on run profile “Full Sync”. The run step stopped because the extension dll “MVExtension.dll” is not a valid assembly and could not be loaded.”

Recompiling the code

I initially tried just recompiling an extension in VS2008, but that wasn’t enough.

I then created a new extension project and noticed that MicrosoftIdentityIntegrationServer.dll has been replaced by MicrosoftIdentityIntegrationServerEx.dll. I tried updating my references and recompiling, but the dlls would still not load.

In the end I created new extension projects for the Metaverse and all my MAs and then copied the code across from the old files. After compiling these new dlls, and updating the Extension settings in the MAs, the sync jobs ran!

Logging

While fiddling with the extensions I noticed that MicrosoftIdentityIntegrationServer.Logging has gone missing. This is certainly no great loss for me, I much prefer writing to the Event Log, but some of the code I was porting did make use of it. It’s all commented out now and I will have to put something else in place when I eventually do this migration for real.

Service stopping

The other odd thing was that the MIIS service stopped every time I updated the Extensions folder, and I had to manually restart it. I sincerely hope this is not a new “feature”!

Postscript

I may have managed to get this ILM2 installation looking pretty much like the old ILM 2007 one, but when I tried to add an ILM type MA (this is the one that connects it to the ILM Portal database) I’m getting an error: “Unable to create the management agent. The XML format of the join rules is invalid.”

I guess I’m not there yet…

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.


4 thoughts on “ILM2 RC0 Part 2 – Migrating configuration from ILM 2007”

  1. An update on that postscript – I posted this to Microsoft Connect, and what an excellent service! I got a response back within hours. It turns out that RC0 does not support join rules to “Any”, but that this has been corrected in the final release version.

    Apparently this was covered in the release notes … I tried to read ’em, honest…

  2. Carol
    I’m also at a site and getting the same error – but there are no “Any” join rules in this case. However there are 2 instances of the OpenLDAP xMA on this server where the xMA itself has not been installed (and hence the Properties tab for this MA is greyed out). I expect that as soon as I install the xMA it will allow me to create the ILM2 MA …

  3. Carol – I’ve managed to solve my problem, and I expect there will be a lot more folks running into this one …
    The MIIS SP2 metaverse schema turned out to already have an attribute with the name objectSID, and when the ILM2 MA tries to update the metaverse schema with its own “objectSid” (lower case id) it throws the above (slightly misleading) error message. What lead me to discover this was the BAIL error text which pointed to a “Join: Invalid mv object type mv-object-type for element”, which according to the MSDN doco (http://msdn.microsoft.com/en-us/library/ms698391(VS.85).aspx) indicated a schema mismatch. I discovered the problem when I attempted to manually import the MV schema from a clean ILM2 image and got an error pointing to the existing (legacy) objectSID attribute.
    There will be a lot of sites which use ILM/MIIS to populate ADLDS/ADAM instances with userProxyFull objects, as is the case here, which necessitates adding the objectSid to the metaverse. If the ILM implementor happens to spell the attribute name in any way other than “objectSid” (i.e. matching case) it will fail with this error.

Comments are closed.