Friday, November 20, 2009

Windows 2008 R2 Administration tools

If you are running Windows 7, you have probably heard about the Remote Server Administration Tools (RSAT) for Windows 7. But what about the server version?

Well, those of you running Windows Server 2008 R2 have a pretty powerful PowerShell module called "ServerManager":

Import-Module ServerManager
$mod = Get-Module ServerManager

When we run the Get-WindowsFeature cmdlet, it lists every Windows feature that can be installed. A checked box means the feature is already installed.

In particular, there is a set of Windows features whose names are prefixed with "RSAT", which stands for Remote Server Administration Tools. These are the same features as the Windows 7 package mentioned above.

I needed to install only the Hyper-V administration tools:

Add-WindowsFeature RSAT-Hyper-V
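As an added example (not code from the original post), the following script lists every RSAT feature with its install state and installs the Hyper-V tools only when they are missing, reporting whether a restart is pending. It assumes the ServerManager module of Windows Server 2008 R2; RSAT-Hyper-V is the feature name used above.

```powershell
# Added example, not from the original post: enumerate RSAT features on a
# Windows Server 2008 R2 box and install one only if it is not yet present.
Import-Module ServerManager

# Every RSAT-* feature with its install state (Installed is a boolean on the
# objects Get-WindowsFeature returns; -Name accepts wildcards).
Get-WindowsFeature -Name 'RSAT-*' |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize

# Install the Hyper-V tools only when they are missing, and report whether a
# restart is pending so it can be scheduled instead of surprising anyone.
$feature = Get-WindowsFeature -Name 'RSAT-Hyper-V'
if (-not $feature.Installed) {
    $result = Add-WindowsFeature -Name 'RSAT-Hyper-V'
    if ($result.Success) {
        Write-Output "RSAT-Hyper-V installed. Restart needed: $($result.RestartNeeded)"
    } else {
        Write-Output "RSAT-Hyper-V installation failed (exit code: $($result.ExitCode))."
    }
} else {
    Write-Output "RSAT-Hyper-V is already installed."
}
```

Run it from an elevated PowerShell session; Add-WindowsFeature needs local administrator rights.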


I am now able to list my virtual machines:

Wednesday, November 18, 2009

FIM - execute management agents run profiles with powershell

Here is a script I created to run a chosen set of FIM management agent (MA) run profiles automatically, in a fixed order and optionally in a loop.

Here is an example of output:

And here is the source code:
# @author: Fabien Duchene
# @mail: fabien.duchene1 **at**

$params_ComputerName = "."            # "." is the current computer
$params_delayBetweenExecs = 30        # delay between each execution, in seconds
$params_numOfExecs = 0                # number of executions, 0 for infinite

# Ordered list of MA types and, for each, the run profiles to execute in order
$params_runProfilesOrder = @(
    @{ type = "Forefront Identity Management (FIM)"; profilesToRun = @("Full Import", "Full Synchronization") },
    @{ type = "Active Directory";                    profilesToRun = @("Full Import", "Full Synchronization", "Export") }
)

$line = "-----------------------------"
function Write-Output-Banner([string]$msg) {
    Write-Output $line, ("- " + $msg), $line
}

# All management agents of the synchronization service, read through WMI
$MAs = @(Get-WmiObject -Class "MIIS_ManagementAgent" -Namespace "root\MicrosoftIdentityIntegrationServer" -ComputerName $params_ComputerName)
$numOfExecDone = 0

do {
    Write-Output-Banner("Execution #: " + (++$numOfExecDone))
    foreach ($MATypeNRun in $params_runProfilesOrder) {
        $found = $false
        foreach ($MA in $MAs) {
            if (!$found -and $MA.Type.Equals($MATypeNRun.type)) {
                $found = $true
                Write-Output-Banner("MA: " + $MA.Type)
                foreach ($profileName in $MATypeNRun.profilesToRun) {
                    Write-Output (" " + $profileName), " -> starting"
                    $datetimeBefore = Get-Date
                    $result = $MA.Execute($profileName)
                    $datetimeAfter = Get-Date
                    $duration = $datetimeAfter - $datetimeBefore
                    # Execute returns a WMI result whose ReturnValue is "success" on a clean run
                    if ($result.ReturnValue -eq "success") {
                        $msg = "done. Duration: " + $duration.ToString()
                    } else {
                        $msg = "Error: " + $result.ReturnValue
                    }
                    Write-Output (" -> " + $msg)
                }
            }
        }
        if (!$found) { Write-Output ("Not found MA type: " + $MATypeNRun.type) }
    }

    $continue = ($params_numOfExecs -eq 0) -or ($numOfExecDone -lt $params_numOfExecs)
    if ($continue) {
        Write-Output-Banner("Sleeping " + $params_delayBetweenExecs + " seconds")
        Start-Sleep -Seconds $params_delayBetweenExecs
    }
} while ($continue)

Sunday, November 15, 2009

Mac OS X: automator: create a new file

On Windows, creating a new text file is really simple: right-click > New > Text file.

On my dear MacBook Pro, this is still not available out of the box.
Fortunately, Automator is here to fill the gap. Please note that this method does not require additional software; only standard Mac OS X components are used.

First let's have a look at the final result:

1/ Right-click the folder in which you want to create a new file, and select "New file".

2/ Type the name of the file, for example: New file.txt or New file.docx

3/ The file is automatically created inside the folder selected in step 1 and then opened in your favorite editor.

Now let's integrate this to your Mac OS X system.

- First method, the easy one:
  - download the Automator workflow. It is stored on my SkyDrive: Mac OS X Create a new file
  - install it on your Mac: put this file into the ~/Library/Services/ folder
  - open it (it will be opened within Automator)
  - press Cmd+S or click File > Save to register it within the contextual menu
  - close Automator

- Second method. Create an Automator workflow according to these instructions:
  - launch Automator, located in the Applications folder
  - create a new Service
  - File > Save or Cmd + S

- Here is an overview of the workflow:

As you can see:
- this Service workflow receives a folder as input and is only available in Finder
- we will also need 2 variables: "Filename" and "Path"

Here is the detail of the workflow:
- Once this is done, just press Cmd + S to save it and register this service within the

Enjoy this new file creation!

Saturday, November 14, 2009

Disable Exchange 2010 arbitration mailboxes

For the purpose of my Forefront Identity Manager 2010 RC1 setup, I had to use Exchange 2007 instead of the Exchange 2010 I was using (because at this stage FIM RC1 does not yet support Exchange 2010, but this is planned).

Here are the steps to achieve this:

- First you have to disable all user mailboxes in the Exchange 2010 Management Console.

- Then you have to remove the Arbitration mailboxes.
Here is the script I created to remove them:

foreach ($mbdb in Get-MailboxDatabase) {
    # Arbitration mailboxes are hidden from the default Get-Mailbox output, hence -Arbitration;
    # the database is passed with -Database (the positional parameter would be an Identity)
    $mailboxes = Get-Mailbox -Database $mbdb.Name -Arbitration
    $mailboxes | Disable-Mailbox -Arbitration
    $mailboxes | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed
}
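Because Remove-Mailbox is destructive, a practitioner would want to see the list of arbitration mailboxes and rehearse the removal first. The script below is an added example, not the post's own code: it inventories the arbitration mailboxes per database and runs the same two cmdlets with -WhatIf unless a -Commit switch (an assumption of this example) is given. It assumes the Exchange Management Shell on a server still hosting the Exchange 2010 databases.

```powershell
# Added example, not part of the original post: inventory arbitration mailboxes
# per database and rehearse their removal with -WhatIf before doing it for real.
# Assumption: run from the Exchange Management Shell; -Commit is this script's own switch.
param([switch]$Commit)   # without -Commit nothing is changed

$arbitration = Get-Mailbox -Arbitration -ResultSize Unlimited

# Show what will be touched, grouped by database, so the list can be reviewed first.
$arbitration |
    Sort-Object Database, Name |
    Format-Table Name, Database, RecipientTypeDetails -AutoSize

foreach ($mbdb in Get-MailboxDatabase) {
    $inDb = @($arbitration | Where-Object { $_.Database.Name -eq $mbdb.Name })
    if ($inDb.Count -eq 0) { continue }

    Write-Output ("Database {0}: {1} arbitration mailbox(es)" -f $mbdb.Name, $inDb.Count)
    if ($Commit) {
        $inDb | Disable-Mailbox -Arbitration -Confirm:$false
        $inDb | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed -Confirm:$false
    } else {
        # -WhatIf prints the action each cmdlet would take without performing it.
        $inDb | Disable-Mailbox -Arbitration -WhatIf
        $inDb | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed -WhatIf
    }
}
```

Run it once without -Commit, compare the printed list with what you expect to lose, then run it again with -Commit.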

For more details about arbitration mailboxes, please check this blog:

Monday, November 2, 2009

Forefront Identity Manager 2010 CM: errors and solutions

Unable to check CA in Edit Profile template

Something is wrong with the SQL connection between the CA Exit Module and the SQL Server.
If you use SQL authentication, check the password; otherwise check the Kerberos SPN.
Check the log: Application and Services Logs > FIM Certificate Management.
Restart AD CS and check about 10 seconds later whether any warning is raised in that log.

Value cannot be null. Parameter name byte

If you installed the agent certificates manually in the agents' stores, you have to fill in the certificate hashes in web.config. Please see Installation > Edit the web.config.
Open the web.config file of CertificateManagement.
Search for "Hash", and check that each hash is the one of the corresponding FIM CM agent certificate.
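The hash check above is easy to get wrong by hand (a thumbprint copied with spaces, or the hash of the wrong certificate). As an added example, not from the original post, the script below compares every "Hash" setting in web.config with the thumbprints of the certificates in a certificate store. It assumes the hashes sit as add key/value entries under appSettings (the key names are not given on this page, so any key containing "Hash" is matched), the web.config path is a placeholder, and the store checked is LocalMachine\My; point it at the agent's own store if the certificates were installed there.

```powershell
# Added example, not from the original post: compare each "Hash" setting in the
# FIM CM web.config with the thumbprints of certificates in a local store, so a
# wrong hash is spotted before the web application is restarted.
# Assumptions: placeholder path below; hash entries are <add key="...Hash..." value="..."/>
# under <appSettings>; the agent certificates live in Cert:\LocalMachine\My.
$webConfigPath = 'C:\PATH\TO\CertificateManagement\web.config'   # placeholder path
$storePath     = 'Cert:\LocalMachine\My'                          # adjust to the agent's store

[xml]$config = Get-Content -Path $webConfigPath

# Thumbprints of every certificate in the store, normalised to upper-case hex.
$storeThumbprints = Get-ChildItem -Path $storePath |
    ForEach-Object { $_.Thumbprint.ToUpper() }

$hashEntries = @($config.configuration.appSettings.add |
    Where-Object { $_.key -like '*Hash*' })

if ($hashEntries.Count -eq 0) {
    Write-Output "No appSettings key containing 'Hash' found in $webConfigPath"
}

foreach ($entry in $hashEntries) {
    # Strip spaces and colons that a copy-paste from the certificate dialog may leave behind.
    $hash = ($entry.value -replace '[\s:]', '').ToUpper()
    if ($storeThumbprints -contains $hash) {
        Write-Output ("OK      {0} -> {1}" -f $entry.key, $hash)
    } else {
        Write-Output ("MISSING {0} -> {1} (no certificate with this thumbprint in {2})" -f $entry.key, $hash, $storePath)
    }
}
```

A MISSING line means either the value in web.config is not a thumbprint from that store or the certificate was installed in a different store; both are worth fixing before chasing the "Value cannot be null" error further.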

Base CSP smart card self-service control is not installed or the current site is not specified in the allowed sites list by your Administrator. Please contact your system Administrator. Additional information: Automation server can't create object

If you are on an x64 system, please install the x64 version of FIM CM and use the 64-bit Internet Explorer.

FIM CM: while reading the smart card

Client encountered an unexpected error while trying to communicate with the server.
Error number: -2146828218
Error description: Permission denied

If you use v3 certificate templates for the agents (Windows 2008) instead of v2 (Windows 2003), the following errors will appear.

Currently, FIM 2010 RC1 CM only supports v2 templates.
I am not sure whether any improvements will be made for RTM.
Please note that this event is related to the following ones:

Windows Logs > Security > Failed login - Key Migration failed

Event ID 5059. Key operation migration failed
clmAgent ; User key ; RSA ; import of persistent cryptographic key 0x80090029 The requested operation is not supported
----------------------------------
Key migration operation.
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA

...Additional Information:
Operation: Import of persistent cryptographic key.
Return Code: 0x80090029
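To tell whether a smart card problem is this template issue rather than something else, it helps to pull the matching Security log entries instead of reading the card errors alone. The following is an added example, not from the original post: it queries Event ID 5059 from the Security log and extracts the provider name and return code from each message, flagging the 0x80090029 code quoted above. It assumes rights to read the Security log and an arbitrary 24-hour window.

```powershell
# Added example, not from the original post: list recent key-migration failures
# (Event ID 5059 in the Security log) and pull the return code out of each one.
# Assumptions: the account can read the Security log; the 24-hour window is arbitrary.
$since  = (Get-Date).AddHours(-24)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5059; StartTime = $since } -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Event ID 5059 entries in the Security log since $since."
}

foreach ($e in $events) {
    # Return Code and Provider Name appear as labelled lines in the event message text.
    $code     = if ($e.Message -match 'Return Code:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'n/a' }
    $provider = if ($e.Message -match 'Provider Name:\s*([^\r\n]+)')    { $Matches[1].Trim() } else { 'n/a' }

    # 0x80090029 is the "requested operation is not supported" code seen with v3 templates.
    $hint = if ($code -ieq '0x80090029') { 'likely v3 template (not supported by FIM 2010 RC1 CM)' } else { '' }

    Write-Output ("{0}  Return code: {1}  Provider: {2}  {3}" -f $e.TimeCreated, $code, $provider, $hint)
}
```

If every entry carries 0x80090029 with the Microsoft Software Key Storage Provider, switching the agent templates back to v2 is the first thing to try.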

- When performing an enroll request on behalf of another user: Data at the root level is invalid. Line 1, position 1
- When executing a software certificate enroll: Invalid provider type specified.