This morning I read about two new updates for the FIM Synchronization and FIM Service services on Brad Turner's blog: FIM 2010 - Update 1 Released to Windows Update
So I went forward. The update for the Synchronization Service installed fine, but the update for the FIM Service started with the following error:
Error 25070.Error connecting to database FIMSynchronizationService. Invalid class string
It went on, but eventually rolled back the second update… I wanted to verify the Sync Service by opening the Synchronization Service Manager:
In my event log DCOM was becoming unhappy and was complaining for both the sync service account and my account.
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{835BEE60-8731-4159-8BFF-941301D76D05}
and APPID
{835BEE60-8731-4159-8BFF-941301D76D05}
to the user CORP\thomas SID (S-1-5-21-1739285864-795146598-2204218754-1104) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
The DCOM ID seems to be the “Forefront Identity Manager Synchronization Service”. Verifying its permissions, I found out that the FIM groups (which the installer configured) were gone and replaced by SIDs unknown to my domain.
My user's SID looks like:
After manually re-adding the groups it looked like this:
All I needed was a restart of the Forefront Identity Manager Synchronization Service and I could access the FIM Synchronization Manager again. Phew!
However the update wasn’t installed yet… So I tried again. Again the error popped up and my Component Services permissions were screwed up:
The funny thing is the SIDs now start at 1018… I have no clue what is going on. I have no time to go further on this. But I’m curious if there’s anyone out there experiencing the same.
[update] I posted this issue over at the TechNet forums and Andreas Kjellman pointed me to the fact that if SQL is off-box from the Sync Engine, the Microsoft SQL Server 2008 Native Client has to be installed. After installing the client the update went flawlessly.
A link to the client: SQL 2008 Native Client
I think it would be nice if they added this information to the Hardware and Software Requirements for FIM on TechNet.
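The permission check described in the post can also be scripted. The following is an added example, not part of the original post: it reads the application-specific launch/activation ACL of the DCOM application named in the event log entry and flags entries whose SID no longer resolves to an account. It assumes an elevated PowerShell session on the Sync Service host; the variable and property names are chosen for this example.

```powershell
# Added example, not from the original post. Run elevated on the Sync Service host.
# AppID copied from the DCOM event log entry quoted in the post.
$appId = '{835BEE60-8731-4159-8BFF-941301D76D05}'

# COM_RIGHTS_* access-mask bits used in DCOM launch/activation ACLs
$rights = [ordered]@{
    Execute          = 0x01
    LocalLaunch      = 0x02
    RemoteLaunch     = 0x04
    LocalActivation  = 0x08
    RemoteActivation = 0x10
}

$app = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$appId'"
if (-not $app) { throw "No DCOM application is registered with AppID $appId" }

$result = Invoke-CimMethod -InputObject $app -MethodName GetLaunchSecurityDescriptor
if ($result.ReturnValue -ne 0 -or -not $result.Descriptor) {
    throw "No application-specific launch ACL could be read (return value $($result.ReturnValue))"
}

$report = foreach ($ace in $result.Descriptor.DACL) {
    $sid = $ace.Trustee.SIDString
    try {
        # Translate() throws when the SID does not map to any known account
        $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
        $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $null
    }
    [pscustomobject]@{
        Sid      = $sid
        Account  = if ($account) { $account } else { '<unresolved>' }
        Type     = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Rights   = ($rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] }) -join ', '
        Orphaned = -not $account
    }
}

$report | Format-Table -AutoSize
$orphans = @($report | Where-Object Orphaned)
if ($orphans.Count) { Write-Warning "$($orphans.Count) ACE(s) reference SIDs that do not resolve" }
```

Running it before and after an update attempt gives a record of which ACL entries changed, which is easier to compare than screenshots of the Component Services dialog.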
2 Responses to FIM 2010 update (KB978864) install issue
Glad Andreas was able to get this resolved for you. The SQL client requirement is an old one, I think it was in one of the Install guides but it could be missing elsewhere. As for the DCOM error, it's an unrelated IIS issue. You are probably using the same ID for Sync as you are for the WSS app pool which you probably shouldn't - in any event, accounts running your app pools should be in the local WSS_WPG and WSS_ADMIN_WPG. You will want to grant these groups Local Launch and Local Activation (via Group Policy is better). See also this link:
http://support.microsoft.com/kb/920783
I did have a separate account for the app pools, also a member of the required IIS groups. The SharePoint part is fine. The DCOM errors were really referring to the Synchronization Service DCOM component. And the security principals upon that one really are the 5 groups the FIM setup delivers or lets you select.