mimpowershellconnectors's Introduction

MIM PowerShell Connectors

The MIM PowerShell Connectors project aims to be a repository of Management Agents / Connectors based on the Forefront Identity Manager Connector for PowerShell, for the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solutions.

Connectors

  • Skype / Lync
    • Supports management of users and policy assignments in Skype 2015, Lync 2013 and Lync 2010.
    • Supports Delta Import and (Delta) Export
  • Exchange
  • Flat File Connector
  • Office365 Licensing Connector (Coming soon...)
  • SharePoint Site, User and Group Management Connector (Coming soon...)
  • Home Drive Provisioning (Coming soon...)
  • Oracle Identity Management Connector (Coming soon...)

Supported Product Versions

The connectors in this repository aim to support the following product versions:

  • Forefront Identity Manager (FIM) 2010 R2 - 4.1.3496 and above.
  • Microsoft Identity Manager (MIM) 2016 - 4.3.1935 and above.

Release Notes

The MIM PowerShell Connector releases can be downloaded from the releases tab under the Code tab.

Documentation

For more details and information on utilizing the MIM PowerShell Connectors please refer to the documentation in the MIMPowerShellConnectors Wiki.

Contributing to MIM PowerShell Connectors

For details on how you can contribute, please check CONTRIBUTING.md

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

mimpowershellconnectors's People

Contributors

andkjell, bdesmond, eugenesergeev, jeftek, jkovach82, linhirs, microsoft-github-policy-service[bot], msftgits, nileshghodekar, simonwahlin


mimpowershellconnectors's Issues

Skype Export sometimes hangs and requires miiserver.exe to be forced killed

Symptoms:
Management Agent hangs on Export and cannot be cancelled through Sync Engine. This causes scheduled jobs to get stuck. Requires killing the miiserver.exe process to resume scheduled sync jobs

Steps to reproduce:
Issue is difficult to reproduce but does consistently happen over a week's worth of time running scheduled jobs on an hourly basis.

I speculate the problem is one of several possible things:

  1. Memory bloat of the miiserver.exe process due to import-pssession calls. import-pssession should be avoided at all costs as it causes memory leaks.
  2. Hang up of remote PS session during processing, for example, re-cycling skype server during an Export run
  3. WSMAN sessions (client\server side) not being cleaned up properly causing process to hang

Flat File Support For Multivalued Attributes?

I see a comment in the Import script around line 76 ##TODO: Support multivalue?

My use case is O365 licensing, I have a flat file that contains 2 columns: UPN and Licenses.AccountSkuId; my Licenses.AccountSkuId column is multivalued and formatted "contoso:ENTERPRISEPACK contoso:EMS".

For my use case I had to update the flat file schema to support multivalued attributes:

foreach ($c in $Columns)
{
    if ($c.Name -like "Licenses.AccountSkuId ")
    {
        $SchemaType | Add-xADSyncPSConnectorSchemaAttribute -Name $c.Name -Multivalued:$true -DataType string -SupportedOperation ImportExport
        "Got Here!" | Out-File c:\TEMP\test.txt -Append
    } else {
        $SchemaType | Add-xADSyncPSConnectorSchemaAttribute -Name $c.Name -Multivalued:$false -DataType string -SupportedOperation ImportExport
    }
}

I am reading here that multivalued columns are not supported in MIM: https://technet.microsoft.com/en-us/library/cc708679%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

What I want to do is to be able to enumerate that AccountSkuId collection so I can manage user license assignment deltas via the MIM portal.

On Exporting:
Also: the xADSyncPSConnectorModule.psm1 has a syntax error in the New-GenericObject function that must be fixed prior to doing multivalued exports.

After fixing this error I tried to export proxyaddresscollection as a flat file multivalued example and am getting an error in the sync MA.
ERROR: ambiguous-export-flow-to-single-valued-attribute
sync step: Export flow
Data source attribute: ProxyAddresses

Preferred DC not set when exporting policies.

When we started to export a Client Policy, some replication latency between DCs caused a problem. After debugging, we found that Grant-CsClientPolicy doesn't use the variable $preferredDomainController to set the preferred DC.

So we changed the code to:

if ($archivingPolicyChanged) { $cmd += " | Grant-CsArchivingPolicy -PolicyName '$archivingPolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($clientPolicyChanged) { $cmd += " | Grant-CsClientPolicy -PolicyName '$clientPolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($clientVersionPolicyChanged) { $cmd += " | Grant-CsClientVersionPolicy -PolicyName '$clientVersionPolicy' -PassThru -DomainController '$preferredDomainController'" }
# Conferencing policy and dial plan each need their own Grant-* cmdlet
if ($conferencingPolicyChanged) { $cmd += " | Grant-CsConferencingPolicy -PolicyName '$conferencingPolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($dialPlanChanged) { $cmd += " | Grant-CsDialPlan -PolicyName '$dialPlan' -PassThru -DomainController '$preferredDomainController'" }
if ($externalAccessPolicyChanged) { $cmd += " | Grant-CsExternalAccessPolicy -PolicyName '$externalAccessPolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($hostedVoicemailPolicyChanged) { $cmd += " | Grant-CsHostedVoicemailPolicy -PolicyName '$hostedVoicemailPolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($locationPolicyChanged) { $cmd += " | Grant-CsLocationPolicy -PolicyName '$locationPolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($pinPolicyChanged) { $cmd += " | Grant-CsPinPolicy -PolicyName '$pinPolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($presencePolicyChanged) { $cmd += " | Grant-CsPresencePolicy -PolicyName '$presencePolicy' -PassThru -DomainController '$preferredDomainController'" }
if ($voicePolicyChanged) { $cmd += " | Grant-CsVoicePolicy -PolicyName '$voicePolicy' -PassThru -DomainController '$preferredDomainController'" }

MIM Powershell MA Error Report

I migrate my Powershell Management Agent from an older Version and get an error in the "End Import" script part.
The script run successfully in Version:
FIM Powershell Management Agent Version 4.3.1082.0
Now I tried these versions:
MIM Powershell Management Agent Version 1.1.830.0 and Version 1.1.8610
The script is quite simple:
[CmdletBinding()]
param(
    [Microsoft.MetadirectoryServices.ConfigParameterKeyedCollection]
    $ConfigParameters,

    #[ValidateNotNull()]
    [Microsoft.MetadirectoryServices.OpenImportConnectionRunStep]
    $OpenImportConnectionRunStep,

    #[ValidateNotNull()]
    [Microsoft.MetadirectoryServices.CloseImportConnectionRunStep]
    $CloseImportConnectionRunStep,

    [PSCredential]
    $PSCredential,

    [string]
    $scriptDir = [Microsoft.MetadirectoryServices.MAUtils]::MAFolder
)

$result = (New-Object Microsoft.MetadirectoryServices.CloseImportConnectionResults)
$result.CustomData = "My custom data"
Write-Output $result

The Error is:
The extensible extension returned an unsupported error.
The stack trace is:
"Microsoft.MetadirectoryServices.ExtensionException: The following exception occurred while executing the PowerShell commands: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.IdentityManagement.Connector.PowerShell.Engine.PowerShellRuntime.InvokePowerShell(PSCommand command)
at Microsoft.IdentityManagement.Connector.PowerShell.Engine.PowerShellRuntime.InvokePowerShell(PSCommand command)
at Microsoft.IdentityManagement.Connector.PowerShell.Engine.PowerShellContext.ExecuteScript(List`1 commandParameters, String scriptFilePath, Boolean enableSetLocation)
at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.ImportBridge.GetCloseImportConnectionResult(String scriptFileConfigKey, CloseImportConnectionRunStep closeImportRunStep)
Forefront Identity Manager 4.5.202.0"

If I do not use a script in "End Import" at all, the sync runs without error. But I need this step to set additional information in the CustomData field.
Any help is appreciated

Best regards,
Thomas

Lync Connector

Hello!

  1. At setup stage I get this error:
    "The validation result returned from the PowerShell compliant server is null"
    Can you say there can be error?
  2. Does your solution need access to Internet?
    Thanks!

All users filtered when importing

I have set up Lync connector with only four attributes, three in and four out.
All users are filtered out when importing, OUs are not.
Lync 2010.

Importing

I have no Inbound System Scoping Filter set.
Relation between accountName and SamAccountName
Only flowing Enabled, RegistrarPool and SipAddress.

Outbound

4 attributes in Outbound.

  • DN
  • RegistrarPool
  • Enabled
  • SipAddress

Error

I have enabled tracelog and get this in the log.
It seems strange to search for 9*, any clues or am I on wrong tracks?

Method Name : PowerShellRuntime : Initialize
The progress record is parent = -1 id = 1 act = Import-Users stat = Invoking Get-CsUser -LdapFilter '(&(objectCategory=person)(objectClass=user)(msRTCSIP-PrimaryUserAddress=sip:9*))' cur =  pct = -1 sec = -1 type = Processing

Error when running Exchange Scripts

Running exchange import script in the powershell MA ends up with the following error :
"You cannot call a method on a null-valued expression."

This is coming from the line that contains : $Global:DirSyncCookieString = [System.Convert]::ToBase64String($Searcher.DirectorySynchronization.GetDirectorySynchronizationCookie())

The cookie variable is returning a null value.

When I ran the script separately, I saw that when $Searcher.FindAll() were not assigned to a variable (and just runs on the script as an output) the cookie is well assigned. But everytime a variable is assigned before that, the script ends up with a "null-valued" error.

So the solution was to assign $Global:AllUsers and then to output its value.

Then, when I did this on the import powershell script, I got another error :
"An error occurred while enumerating through a collection: Access is denied."

--> It seems this time to be an error from the account that's being used : MA Connector has not enough rights to run the findall() command.

Workaround

I did find a workaround for the last error (I'm sure it can be way more better... ) :

This is the old code :
$Searcher = New-Object -TypeName 'System.DirectoryServices.DirectorySearcher' -ArgumentList $DirectoryEntry, "(&(objectCategory=person)(objectClass=user))", $DeltaPropertiesToLoad, $SearchScope
if ($OpenImportConnectionRunStep.ImportType -eq 'Delta') {
    $Searcher.TombStone = $true
}
$Searcher.CacheResults = $false

if ($null -eq $CustomData.watermark.DirSyncCookie) {
    $Searcher.directorysynchronization = new-object -TypeName system.directoryservices.directorysynchronization
} else {
    # grab the watermark from last run and pass that to the searcher
    $DirSyncCookie = ,[System.Convert]::FromBase64String($CustomData.WaterMark.DirSyncCookie)
    $Searcher.directorysynchronization = new-object -TypeName system.directoryservices.directorysynchronization -ArgumentList $DirSyncCookie
}
$Global:AllUsers = $Searcher.FindAll()
$null = $Global:AllUsers.Count
$Global:DirSyncCookieString = [System.Convert]::ToBase64String($Searcher.DirectorySynchronization.GetDirectorySynchronizationCookie())

And this is the new one :
$Global:results = Invoke-Command -Credential $Credential -ComputerName "MYACTIVEDIRECTORYSERVERNAME" -ScriptBlock {
    param([Parameter(Position=0)]$dir, [Parameter(Position=1)]$filter, [Parameter(Position=3)]$DeltaProperties, [Parameter(Position=4)]$Scope)

    $Searcher = New-Object -TypeName 'System.DirectoryServices.DirectorySearcher' -ArgumentList $dir, $filter, $DeltaProperties, $Scope

    if ($Using:OpenImportConnectionRunStep.ImportType -eq 'Delta') {
        $Searcher.TombStone = $true
    }
    $Searcher.CacheResults = $false

    if ($null -eq $Using:CustomData.watermark.DirSyncCookie) {
        $Searcher.directorysynchronization = new-object -TypeName system.directoryservices.directorysynchronization
    } else {
        # grab the watermark from last run and pass that to the searcher
        $DirSyncCookie = ,[System.Convert]::FromBase64String($Using:CustomData.WaterMark.DirSyncCookie)
        $Searcher.directorysynchronization = new-object -TypeName system.directoryservices.directorysynchronization -ArgumentList $DirSyncCookie
    }
    $value = "" | Select-Object -Property Users,Cookie

    $value.Users = $Searcher.FindAll()
    $value.Users
    $value.Cookie = $Searcher.DirectorySynchronization.GetDirectorySynchronizationCookie()

    $objObjects = @()
    foreach ($objResult in $value.Users)
    {
        $objObjects += $objResult.Properties
    }
    $value.Users = $objObjects

    return $value
} -ArgumentList $DirectoryEntry.path, $filter, $DeltaPropertiesToLoad, $SearchScope

$Global:AllUsers = $Global:results.Users
$null = $Global:AllUsers.Count
$Global:DirSyncCookieString = [System.Convert]::ToBase64String($Global:results.Cookie)

And also replace in the section below that this value $User = $Global:AllUsers[$i] by this one:
$User = $Global:results[$i]

And finally :

1 - Be sure to put the name of an active directory DC in the configuration of the MA (server attribute)
2 - Be sure to choose the root partition

Lync Connector questions

Hello!
I have a problem with some points in your Lync script.

  1. You have an expression CustomExpression(IIF(Eq(xSkypeEntitlement,"Active"),"true","false" → Enabled. Correctly I understand, what if in MV attribute xSkypeEntitlement will be something like "Active", parameter "Enabled" will get "true" value and user will get Skype access? If this attribute will be empty, what will happen? It can be empty, for example, for fired users.
  2. In my first configuration I don't use this attribute, but I have many disabled users and this script want to give all this users access to Skype. Now I have added this attribute and sync flow for it, but Lync MA anyway want to give access for this users to Skype. But if I correctly understand conditions for rule from question 1 it must not be happened.
  3. Maybe it would be better to make this rule pool1.contoso.com → RegistrarPool only to initial flow? If I have 2 pools, I can provision them to first one and later administrator will move users to second if needed. And my sync rule will not update this attribute after provisioning.
    Thanks for your work and help!

Cannot perform Multi-step run profile

To reproduce create a 2 step run profile starting with an Export then a Delta Import.
The Delta Import will fail. Looking through the source, I believe the issue is that End-ExportScript-Lync.ps1 line 46 removes the PSSession however the object still exists in a closed state so then Begin-ImportScript-Lync.ps1 on line 137 references that because the scope of the variable is global, and line 134 never replaced the object reference due to error.

Below is a snippet of the reproduced problem
image

So solution would be to also check for Closed session
if ((!$session) -or ($session.State -eq "Closed")) { Write-Host "Open new Session" }
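
The closed-session check suggested above, generalized as an added example (not the connector's own code): a session is reused only while its State is Opened, so Broken and Disconnected sessions are replaced as well as Closed ones. Get-UsableSession, its -Factory parameter and the stand-in session objects are hypothetical names constructed for this illustration.

```powershell
# Added example: return a usable session, replacing one that is missing
# or whose State is anything other than 'Opened'.
function Get-UsableSession {
    param(
        $Session,                                            # may be $null or a stale object
        [Parameter(Mandatory = $true)] [scriptblock] $Factory # creates a fresh session
    )

    # Remove-PSSession closes the session but does not clear variables that
    # still reference it, so a global variable can hold an object in the
    # 'Closed' state. A plain null test (!$session) treats it as usable.
    if ($null -ne $Session -and $Session.State -eq 'Opened') {
        return $Session
    }

    # Release the server-side resources of a real but unusable session
    # before replacing it, so stale WSMan sessions do not accumulate.
    if ($Session -is [System.Management.Automation.Runspaces.PSSession]) {
        Remove-PSSession -Session $Session -ErrorAction SilentlyContinue
    }

    return & $Factory
}

# Constructed stand-ins for PSSession objects so the logic runs offline.
$stale = [pscustomobject]@{ Name = 'ExportSession'; State = 'Closed' }
$newSession = { [pscustomobject]@{ Name = 'ImportSession'; State = 'Opened' } }

# First call replaces the closed session, second call reuses the open one.
$Global:session = Get-UsableSession -Session $stale -Factory $newSession
$Global:session = Get-UsableSession -Session $Global:session -Factory $newSession
$Global:session | Format-List Name, State

# In an import script the factory would open the real remote session, e.g.
#   -Factory { New-PSSession -ConnectionUri $uri -Credential $credential }
# where $uri and $credential are assumed to be set by the calling script.
```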

Illegal LDAP characters not escaped

When an OU contains illegal LDAP characters, they are not escaped and cause the import script to halt. To reproduce, add a slash to an OU name and run a full import. Using an example OU of "OU=This/That,DC=domain,DC=com", the value for $rootDN in Get-OrganizationalUnits should be "OU=This/That,DC=domain,DC=com".
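
One way to escape such values before they reach the directory, as an added example that is not part of the connector scripts. It assumes the DN is used to build an LDAP:// ADsPath, where ADSI treats an unescaped "/" as a path separator, and it goes one step beyond the report by also escaping values placed inside an LDAP search filter (RFC 4515). The function names are hypothetical.

```powershell
# Added example: escape '/' in a distinguished name before it is placed in
# an ADsPath. Characters that are already backslash-escaped are left alone.
function ConvertTo-AdsPath {
    param(
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [string] $Server   # optional domain controller to bind to
    )
    $sb = New-Object System.Text.StringBuilder
    $escapedNext = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escapedNext) {
            # Character follows a backslash: copy it unchanged.
            [void]$sb.Append($ch); $escapedNext = $false
        } elseif ($ch -eq [char]'\') {
            [void]$sb.Append($ch); $escapedNext = $true
        } elseif ($ch -eq [char]'/') {
            [void]$sb.Append('\/')
        } else {
            [void]$sb.Append($ch)
        }
    }
    if ($Server) { return "LDAP://$Server/$($sb.ToString())" }
    return "LDAP://$($sb.ToString())"
}

# Escape a value that will be embedded in an LDAP search filter.
# RFC 4515 requires \ * ( ) and NUL to be written as \5c \2a \28 \29 \00.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)] [AllowEmptyString()] [string] $Value)
    return [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

# Example OU from the report above, plus one constructed filter value.
$dn = 'OU=This/That,DC=domain,DC=com'
$path = ConvertTo-AdsPath -DistinguishedName $dn
$name = ConvertTo-LdapFilterValue -Value 'This/That (EU)*'
$filter = "(&(objectClass=organizationalUnit)(name=$name))"

$path
$filter
```

The escaped path is what would be handed to a DirectoryEntry; the filter value escaping keeps parentheses and wildcards in a name from changing the meaning of the search.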

missing-dn while running Full Import

Hi, I have created MA for reading text file. But when I run Full Import I am getting below error. Have enabled verbose but nothing much of help. Can you please help me fix the issue.
Error is: DN is Unavailable, missing-dn

image

Have used the same sample file as provided by you.

Question about logging

Hello everybody,

does anyone know how we can enable debug and verbose logging on a PowerShell Management Agent?
At the wiki on the Flat file MA is a printscreen about the RunProfile with the option DebugPreferences and VerbosePreferences.
This isn't showing up in the latest version.
When I perform the config over the miiserver.exe.config at the debug section for ConnectorsLog I can perform some verbose logging, but this doesn't print out the Write-Verbose and Write-Debug commands.

Best regards,
Thomas

Skype to AD Attribute Mapping

Hi Nilesh,

Would it be possible to update the Connector Space Design table in the Wiki with the corresponding AD attributes? For example, 'SipAddress' maps to 'msRTCSIP-PrimaryUserAddress'.

Thanks in advance,

Tom

Home Drive Provisioning

In the list of PS-connectors, there is mentioned a "Home Drive Provisioning (Coming soon...)"-MA.
Does anyone know if this is really coming soon, or is it just a polite encouragement for anyone to make it? Our MIM-implementation is using an ECMA2-MA for this task, but it is so extremely slow so I would be the first one to try something else :-)

Import fails when an included OU has been removed from AD

When an included OU has been removed from AD (or moved), Get-OrganizationalUnitHierarchy fails when calling FindAll. Need to either test for existence first, or handle the exception. Should probably just ignore it. As a workaround, the Inclusion OU list is updated and the offending OU removed when re-visiting the "containers" selection screen on the MA.

Password Extension Script is not properly invoked unless certain other scripts are specified

If I configure a Password Extension Script while leaving Common Module Script, Begin Password Script and End Password Script empty, I get the following type of event log error when I change a password:

The password management extension encountered an error.
 The stack trace is:
 
 "Microsoft.MetadirectoryServices.ExtensionException: The script content is blank
   at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.BridgeBase.GeneratePSContentScript(String fileContent, Boolean isCommonModuleScript, Boolean ignoreEmptyScript, Boolean isMADataFolder)
   at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.PasswordBridge.ExecuteConnectionOperation(ScriptType scriptType, String scriptFileConfigKey)
   at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.PasswordBridge.OpenPasswordConnection(String scriptFileConfigKey)
Forefront Identity Manager 4.4.1302.0"

If I specify $true in the text fields for Common Module Script, Begin Password Script and End Password Script, the errors go away and the password change runs fine. Would it be possible to update the connector code to allow empty values for these fields?

MarkDown type in Wiki

Hi,

I'm not sure of the best way to contribute to information in the wiki since I haven't found a way to do a pull request on a wiki. I've cloned the wiki and pushed it to my own repository where I've made a few changes. If there is a better way to contribute, please steer me in the right direction.

There are typos in the MarkDown for the following pages:
https://github.com/Microsoft/MIMPowerShellConnectors/wiki/Flat-File-Connector-Setup-and-Configuration
https://github.com/Microsoft/MIMPowerShellConnectors/wiki/Flat-File-Connector-Troubleshooting

I've changed them in my fork in this commit: Fixed MarkDown syntax

Best regards,
Simon

Timeframe

Sorry, I feel this is the wrong channel for asking this but I haven't found a better way.
However my question is what timeframe you have for releasing the not yet released ones?
I'm in a project and very interested in having a look at the Sharepoint and Homedrive connectors if they will suit my needs.

//Henrik Nilsson

Dev to Prod Migration Issues - Partition and Containers

Hello,

When migrating a sync server configuration from Dev to Prod, updating the Lync MA connection information and setting the new partition doesn't seem to work or stick. If you open up the MA after this, the Dev values remain.

To work around this, we exported the MA in-place from production, did a find and replace of the Dev partition to the Prod partition values in the XML, and then updated the management agent. An example would be to find and replace DC=contosolab,DC=com to DC=contoso,DC=com within the MA XML and then re-import.

The MA seems to run a Full Import profile correctly now, but the UI still does not reflect the selected containers at this point. The partitions are correct.

Please provide any thoughts or recommendations?

Thanks,
Bryan

LyncConnector Export script bug

Hi, I found a script bug in Lync Connector Export script.

Error during export was:
lyncconnectorerror

It turns out there's an extra single quotation mark on line 465 in the export script that gives the error (highlighted):
extrasinglequotationmark

Unable to retrieve schema - Flatfile

I tried setting up the Flat file connector using the latest MIM Powershell MA. When done configuring "Capabilities" I get an error retrieving the schema:

image

The event log outputs the following:

The extensible extension returned an unsupported error.
 The stack trace is:

 "Microsoft.MetadirectoryServices.ExtensionException: The Schema returned from the PowerShell compliant server is null
   at Microsoft.IdentityManagement.Connector.PowerShell.Bridge.ConfigBridge.GetSchema()
Forefront Identity Manager 4.3.1935.0"

No good way of emptying/clearing an attribute value

Hi!
Struggling with the problem that there's no good way of clearing an attribute value against Skype for Business. Currently we need to be able to clear ConferencingPolicy to use the default policy and LineURI for making a phone number available to someone else.

Tried flowing empty string but the import will return null so empty string is flowed again. Also tried flowing Null() (Allow Null values checked) but that doesn't clear the attribute value.

What are your recommendations for clearing attribute values or is this something you have foreseen?
