Upgrading to FIM 2010 from MIIS 2003/ILM2007 – Pre Upgrade Check?

Just thought I’d let you know about a little "gotcha" lurking around the corner for anyone trying to upgrade their existing ILM solution to FIM – the potential for a clash of the new FIM (RC0) metaverse schema.
Like many others, I have used ILM/MIIS in the past to provision userProxyFull objects to a connected ADAM instance, involving the syncing of the AD objectSid attribute.  To do this you typically set up a new objectSid attribute in your metaverse and everything works like a charm … until you upgrade to FIM and happen to have named your "objectSid" attribute with a different case (e.g. ObjectSid, or objectSID) …
I ran into a problem on a client site where there was a metaverse attribute already in use called objectSID.  All was fine until I created the ILM MA for the first time, causing the ILM metaverse schema update to be invoked.  What I found was that it wanted to add a new "objectSid" attribute, but threw an "Unable to create the management agent. The XML format of the join rules is invalid" error because this couldn’t co-exist with "objectSID".  The error wasn’t particularly friendly either, and apart from taking ages to nail down to this problem, in a production upgrade scenario this may have caused dramas because the only resolution I could come up with was to (a) remove the existing attribute flows (thereby losing the data), (b) delete and recreate the metaverse attribute as "objectSid", and (c) recreate the attribute flows.
I would argue that this is actually an oversight of the upgrade process … maybe there needs to be a "FIM Upgrade Compatibility Test" or something???  I would hope that RC1 won’t be so unforgiving :|.
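A pre-upgrade check along these lines can be scripted. The sketch below is an added example, not part of the original post or of any Microsoft tooling: the function name, the sample attribute list and the expected-name list are assumptions, and only "objectSid" is confirmed by the post as a name the schema update adds.

```powershell
# Names the FIM metaverse schema update will try to create.
# Only objectSid comes from the post; extend the list for your environment (assumption).
$FimExpected = @('objectSid')

# Hypothetical helper: report metaverse attributes whose names match an
# expected FIM name when case is ignored but differ in their exact spelling.
function Find-MetaverseCaseClash {
    param(
        [string[]]$ExistingNames,   # attribute names currently in the metaverse
        [string[]]$ExpectedNames    # names the upgrade will try to add
    )
    foreach ($expected in $ExpectedNames) {
        foreach ($name in $ExistingNames) {
            $existing = $name.Trim()
            # -ieq: equal ignoring case; -cne: not equal when case is respected
            if ($existing -ieq $expected -and $existing -cne $expected) {
                [pscustomobject]@{
                    Existing = $existing
                    Expected = $expected
                    Action   = "Remove flows, recreate '$existing' as '$expected', restore flows"
                }
            }
        }
    }
}

# Constructed sample: attribute names as they might be listed from a metaverse schema.
$sample = @('displayName', 'objectSID', 'employeeID', 'mail')

$clashes = @(Find-MetaverseCaseClash -ExistingNames $sample -ExpectedNames $FimExpected)
if ($clashes.Count -gt 0) {
    $clashes | Format-Table -AutoSize
    Write-Warning "$($clashes.Count) case-only clash(es) found; fix them before creating the FIM MA."
} else {
    Write-Output 'No case-only clashes found.'
}
```

With the constructed sample, the only row reported is objectSID against objectSid; an attribute already spelled exactly "objectSid" is not flagged.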

About bobbradley1967

Microsoft Identity and Access Professional with 2 decades of successful IAM implementations in APAC, specialising in MIM and its predecessors (FIM/ILM/MIIS) and now with SoftwareIDM. A Microsoft IAM MVP prior to that with a background in MS.Net applications development/SI. Now with a particular interest in how Identity and HyperSync Panel provide the Identity and Access orchestration presently missing in the Azure Entra Suite to effectively enforce Zero Trust on the M365 platform.