FIM 2010 R2, SCSM Reporting and the Access to the SQL Server Instance was Denied Error

If you plan to install (collocate) the System Center Service Manager (SCSM) Management Server on the same server as the FIM Synchronization Service, FIM Service, FIM Portal, etc., for example in your home lab for testing, you have to think about installing multiple SQL Server instances. One of the reasons why you should install multiple SQL instances is SCSM's own requirements, for example its collation requirement (multi-language support).

But there is something you should be aware of: please do not use a name like MSSQLSERVER_SCSM for the instance, otherwise the SCSM Management Server installation wizard will fail. What you will see in the wizard is the error "access to the sql server instance was denied", with the instance listed as Default_SCSM. If you use a name like SCSM for your instance, everything works smoothly.

Posted in Forefront, Forefront|Forefront Identity Manager

Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ)

Microsoft has responded to the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) for Windows Azure, Office 365 and Dynamics CRM. The responses have been posted on the CSA web site:

In this document we provide our customers with a detailed overview of how Microsoft Online Services fulfill the security, privacy, compliance, and risk management requirements as defined in the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM).

Posted in Office 365, Windows Azure

FIM DB Sizing Calculator

David Lundell, the writer of the FIM Best Practices Volume 1, has published a very useful tool when you have to size the two required FIM databases – FIM Service and FIM Synchronization Service (the database for FIM Certificate Management is not included). The tool is an automated Excel sheet that calculates the database and transaction log sizes, based on the number of users and groups, how many MAs are involved, how long you want (have) to retain requests in the FIM Service database, etc.

You can find the download link for this Excel sheet and some further information on http://blog.ilmbestpractices.com/2012/04/fim-db-sizing-calculator.html.

Posted in Forefront, Forefront|Forefront Identity Manager

FIM 2010 Terminology Document

Jeff Ingalls has posted an article about an updated, comprehensive FIM 2010 terminology document that he and others have created. This updated terminology document 'replaces' the original list available on TechNet (http://technet.microsoft.com/en-us/library/ee534910(v=WS.10).aspx) with some very useful descriptions and explanations, and is provided as a Word and a PDF file.

But please note, this is not an official FIM 2010 terminology documentation from Microsoft (the FIM product group).

Url: http://blogs.technet.com/b/jingalls/archive/2012/04/20/a-comprehensive-fim-2010-terminology-document.aspx

Posted in Forefront, Forefront|Forefront Identity Manager

FIM Object Visualizer now hosted on Codeplex

Markus Vilcinskas is currently working on a new version of the awesome FIM Object Visualizer (FIMOV), which is now hosted on Codeplex.

For those of you who don't know what the FIMOV is, here is a short description:

The FIM Object Visualizer is a tool to create reports of various configurations such as:

  • FIM Active Metaverse Schema configuration
  • Attribute Flow Precedence Configuration
  • Management Policy Rules
  • Synchronization Rules
  • Workflows
  • FIMMA Schema configuration
  • Management Agent Attribute Selection
  • Management Agents
  • Metaverse Schema
  • Replication Configuration

The FIMOV is now built with a .NET Windows Forms application and is available as a ClickOnce app as well.

Url: http://fimov.codeplex.com/

Posted in Forefront|Forefront Identity Manager

Microsoft’s Antimalware Protection in the Cloud – MEP for Windows Azure CTP

If you are a subscriber of the Microsoft Download Center, then you have already seen this interesting announcement. If not, I hope this post helps!

Microsoft Endpoint Protection for Windows Azure provides the ability to include an antimalware protection agent in each Windows Azure virtual machine running your Windows Azure service. It extends the Windows Azure SDK by providing an antimalware import which provides antimalware configuration and deployment capabilities.

When you deploy MEP to Windows Azure, the following core technologies are enabled by default:

  • Real-time protection – monitors activity on the system to detect and block malware from executing.
  • Scheduled scanning – periodically performs targeted scanning to detect malware on the system, including actively running malicious programs.
  • Malware remediation – takes action on detected malware resources, such as deleting or quarantining malicious files and cleaning up malicious registry entries.
  • Signature updates – installs the latest protection signatures (aka “virus definitions”) to ensure protection is up-to-date.
  • Active protection – reports metadata about detected threats and suspicious resources to Microsoft to ensure rapid response to the evolving threat landscape, as well as enabling real-time signature delivery through the Dynamic Signature Service (DSS).

And of course, the monitoring of MEP (btw, I just assume that MEP will be the acronym for Microsoft Endpoint Protection, similar to FEP or SCEP) is addressed as well. So obviously, System Center should be your monitoring tool of choice (System Center Monitoring Pack for Windows Azure, http://www.microsoft.com/download/en/details.aspx?id=11324).

Download URL and documentation: http://www.microsoft.com/download/en/details.aspx?id=29209

Posted in Endpoint Protection, Windows Azure

Windows Server 8 Beta and Remote Access (DirectAccess and RRAS)

With the release of the Windows Server 8 beta, Microsoft introduced several new and/or enhanced capabilities within the Remote Access role. One of these new and enhanced capabilities is DirectAccess, which has been slightly improved since Windows Server 2008 R2.

To keep things simple, Windows Server 8 DirectAccess now includes all features and functions from Forefront UAG DirectAccess, as well as a few new capabilities:

  • DirectAccess and RRAS coexistence
  • Simplified DirectAccess management for small and medium organization administrators
  • Removal of PKI deployment as a DirectAccess prerequisite
  • Built-in NAT64 and DNS64 support for accessing IPv4-only resources
  • Support for DirectAccess server behind a NAT device
  • Simplified network security policy
  • Load balancing support
  • Support for multiple domains
  • NAP integration
  • Support for OTP (token based authentication)
  • Automated support for force tunneling
  • IP-HTTPS interoperability and performance improvements
  • Manage-out support
  • Multisite support
  • Support for Server Core
  • Windows PowerShell support
  • User and server health monitoring
  • Diagnostics
  • Accounting and reporting
  • Site-to-site IKEv2 IPsec tunnel mode VPN

Therefore it is not a surprise that a Forefront UAG DirectAccess migration guide is already available on TechNet (http://technet.microsoft.com/en-us/library/hh831658.aspx).

Posted in Windows DirectAccess

FIM 2010 Update Rollup 2 (Build 4.0.3606.2)

In case you have missed this important announcement:

http://support.microsoft.com/kb/2635086

Update Rollup 2 (build 4.0.3606.2) is available for Microsoft Forefront Identity Manager (FIM) 2010. This hotfix package resolves several issues and adds several features that are described in the “More Information” section. Additionally, this update contains all servicing fixes that were made since the release of FIM 2010.

Posted in Forefront|Forefront Identity Manager

[Update2] FIM 2010 and Exchange 2010 Provisioning and which Account must be Member of the Exchange Recipient Administrators Group?

With this short blog, I would like to point you to another confusing statement that you can find in the article on http://technet.microsoft.com/en-us/magazine/ff472471.aspx:


If you just add the FIM Sync Service service account to the Exchange Recipient Administrators group, you will see the following error event in the event log (and of course, the run profile will stop/fail with the error stopped-extension-dll-exception).

There is an error in Exch2010Extension BeginExportToCd() function.Type: System.Management.Automation.Remoting.PSRemotingTransportException

Message:

“Microsoft.MetadirectoryServices.ExtensionException: Processing data from remote server failed with the following error message: The user “<domain>/<ADMAAccount>” isn’t assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.

So based on the error, it’s clear that you have to add the account used for the Active Directory Management Agent to the Exchange Recipient Administrators group, instead of the FIM Sync Service service account.
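A quick way to verify this on your own side, as an added example that is not part of the original post: the script below checks, from the Exchange Management Shell on an Exchange 2010 server, whether the AD MA account holds any Exchange management role, and then opens the same kind of remote PowerShell session the Exch2010Extension opens on export. The server name and the account name are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Run it in the Exchange Management
# Shell on an Exchange 2010 server. Server name and account are assumptions.
$ExchangeServer = "exch01.contoso.local"      # assumed: a CAS hosting the /PowerShell vdir
$AdmaAccount    = "CONTOSO\svc-fim-adma"      # assumed: the account configured on the AD MA

# 1. Role assignments for the AD MA account. An empty result is exactly the
#    condition behind the "isn't assigned to any management roles" error.
$roles = Get-ManagementRoleAssignment -RoleAssignee $AdmaAccount -ErrorAction SilentlyContinue
if (-not $roles) {
    Write-Warning "$AdmaAccount holds no Exchange management role assignments."
} else {
    $roles | Select-Object Role, RoleAssigneeName, AssignmentMethod | Format-Table -AutoSize
}

# 2. Open a remote Exchange session as the AD MA account, the way the
#    provisioning extension does (you are prompted for the account's password).
$cred    = Get-Credential $AdmaAccount
$session = $null
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$ExchangeServer/PowerShell/" `
        -Credential $cred -ErrorAction Stop
    # Enable-Mailbox is what mailbox provisioning needs; if the session opens
    # but this import yields nothing, the account is not granted that cmdlet.
    Import-PSSession $session -CommandName Enable-Mailbox -AllowClobber | Out-Null
    Write-Host "Remote Exchange session as $AdmaAccount OK; Enable-Mailbox is available."
} catch {
    Write-Warning "Remote Exchange session as $AdmaAccount failed: $($_.Exception.Message)"
} finally {
    if ($session) { Remove-PSSession $session }
}
```

If step 2 fails with a PSRemotingTransportException, you are reproducing the export error outside FIM and can fix the group membership before re-running the export run profile.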

Posted in Forefront, Forefront|Forefront Identity Manager

[Update] BitLocker and How To Change the User PIN

I've just seen that this blog post about BitLocker and how a Windows standard user can change the PIN got many hits in the last couple of days. So I've decided to write a short update on that topic.

My old blog post (http://blog.gocloud-security.ch/2009/12/09/bitlocker-and-how-to-change-the-user-pin/) describes a possible solution/approach with a custom service or process that calls the manage-bde command. For a couple of months now there has been a much smarter way to allow your Windows standard users to change the BitLocker PIN: MBAM (Microsoft BitLocker Administration and Monitoring)!

MBAM was released in August 2011 as part of MDOP and integrates several capabilities that were missing from BitLocker, for example a helpdesk key recovery UI, single-use recovery keys (the MBAM client creates a new key once a BitLocker recovery key has been exposed), and various audit and compliance reports.

You can find a technical slide deck with all required information about MBAM on http://media.ch9.ms/teched/na/2011/ppt/WCL317.pptx.

Posted in Uncategorized, Windows BitLocker