With Microsoft Identity Manager and SharePoint 2016, Microsoft changed how user profiles are synchronized between Active Directory and SharePoint. SharePoint 2010 and 2013 integrated the Forefront Identity Manager (FIM).
In the past I had many problems with FIM. Sometimes the FIM Service did not start or was stuck starting. At other times the sync did not synchronize…
I really like the idea of having an independent server that manages the sync of user profiles. I installed Microsoft Identity Manager (MIM) on an extra server.
Microsoft offers a toolset on GitHub to configure MIM with SharePoint 2016. Sadly, Microsoft does not process the pull requests…
A few weeks ago, I had the need to configure one MIM with several SharePoint Farms.
Trevor obviously had the same need:
@vesajuvonen is there support for multi SPMAs per MIM instance? Secondary SPMAs appear to just fail (compl-no-objs) with appropriate config.
— Trevor Seward (@NaupliusTrevor) March 11, 2017
Are there any prerequisites?
Microsoft released several MIM versions:
- First Release – Version 4.3.2064
- Service Pack 1 – Version 4.4.1237
- MIM with Service Pack 1 – Version 4.4.1302
Before you go any further, make sure to have the latest MIM 2016 SP1 RTM installed. This will be the prerequisite for any further patching.
Also make sure to download the MIM toolset and patch the PowerShell module with Trevor’s or my PRs, or download my modified module (see further down). Otherwise you won’t be able to run the configuration with the latest version of MIM.
How to configure the toolset for MIM to create (several) SPMAs?
The toolset for MIM comes with a PowerShell Module “SharePointSync.psm1”. We will have to do some modifications to this file to configure (multiple) SharePoint Management Agents.
The toolset has a strong dependency on two xml files:
These two files hold the configuration of the default management agents. Both configurations get imported into MIM when you run the SharePointSync.psm1. During this process both files are changed and are useless afterwards. A backup file is created, but it does not help. To get rid of this behavior we have to modify the toolset:
Rename the following files:
- MA-ADMA.xml to TEMPLATE-MA-ADMA.xml
- MA-SPMA.xml to TEMPLATE-MA-SPMA.xml
- SynchronizationRulesExtensions.cs to TEMPLATE-SynchronizationRulesExtensions.cs
- MV.xml to TEMPLATE-MV.xml
Download the modified PowerShell Module from: SharePointMultiSync.psm1
The new module has two new parameters:
- ADMAName: Name of the Active Directory Management Agent
- SPMANames: Array of names for the SharePoint Management Agents
The new module won’t override the templates. It creates all SPMAs named in SPMANames and changes the “SynchronizationRulesExtensions.cs” file. The other SPMAs will be added as connected objects.
If you plan to run the module several times, remove the created MA-XYZ.xml files prior to the run.
Please update the configuration of your SPMAs to meet your requirements.
Issue
There is a known issue: Not all SharePoint Management Agents get imported into MIM.
Quick fix:
- Export the SPMA
- Foreach SPMAName in SPMANames: import the SPMA and set the name to meet the SPMAName
This will create the Management Agents.
Source of the issue
The MV.xml has to be modified to reference the additional SPMAs. Each SPMA file has to have unique IDs. I’m working on a fix.
[Update: 03/23/2017: Issue should be resolved]
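The file preparation described above (renaming the templates, clearing generated MA-XYZ.xml files before a rerun) together with a check for the unique-ID requirement, as an added PowerShell example that is not part of the Microsoft toolset or the modified module. The toolset path, the function names, and the location of each agent's ID at ma-data/id in the XML are assumptions.

```powershell
# Added example, not part of the toolset. Path and function names are assumptions.
param(
    [string]$ToolsetPath = 'C:\SharePointSync',   # assumed toolset folder
    [switch]$VerifyOnly                           # run only the ID check (after the module ran)
)
$templates = 'MA-ADMA.xml', 'MA-SPMA.xml', 'SynchronizationRulesExtensions.cs', 'MV.xml'

function Initialize-ToolsetTemplates {
    # Rename each original to TEMPLATE-<name> once; skip files already renamed.
    foreach ($name in $templates) {
        $source = Join-Path $ToolsetPath $name
        $target = Join-Path $ToolsetPath "TEMPLATE-$name"
        if (Test-Path $target) { continue }
        if (-not (Test-Path $source)) { throw "Missing toolset file: $source" }
        Rename-Item -Path $source -NewName "TEMPLATE-$name"
    }
}

function Remove-GeneratedAgentFiles {
    # Call after Initialize-ToolsetTemplates: by then every MA-*.xml is a generated file.
    # TEMPLATE-MA-*.xml does not match the filter and is kept.
    Get-ChildItem -Path $ToolsetPath -Filter 'MA-*.xml' -File | Remove-Item -Verbose
}

function Test-AgentIdsUnique {
    # Assumption: each management agent file stores its GUID in <ma-data><id>.
    $ids = Get-ChildItem -Path $ToolsetPath -Filter 'MA-*.xml' -File | ForEach-Object {
        $node = Select-Xml -Path $_.FullName -XPath '//ma-data/id' | Select-Object -First 1
        [pscustomobject]@{ File = $_.Name; Id = $node.Node.InnerText }
    }
    $duplicates = @($ids | Group-Object Id | Where-Object Count -gt 1)
    foreach ($group in $duplicates) {
        Write-Warning ("MA id {0} is shared by: {1}" -f $group.Name, ($group.Group.File -join ', '))
    }
    return $duplicates.Count -eq 0
}

if ($VerifyOnly) {
    if (-not (Test-AgentIdsUnique)) { Write-Warning 'SPMA files do not have unique IDs.' }
} else {
    Initialize-ToolsetTemplates
    Remove-GeneratedAgentFiles
}
```

Run it once without switches before invoking the module, then again with -VerifyOnly after the module has created the MA files.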
More details on the XML structure used for Identity Manager are available in this PDF document: User Profile Synchronization (UPS): Configuration Data Structure