FIM 2010: Language Pack Update 1 Install Issue

Published on Sunday, March 13, 2011

Again I’m posting about a FIM 2010 Update 1 issue. I’m not trying to make a statement regarding the stability of the FIM software, I’m just active in an unstable environment. I received this error when trying to update a FIM 2010 Service and Portal Language Pack installation to Update 1.

The installer for Update 1 is a next next finish, but somewhere in the middle an application error occurs and the rollback is performed.

The error:


In words:

Microsoft.ResourceManagement.Setup.LanguagePack.Resource has stopped working.

I had absolutely no clue what the cause could be. I was logged on using a FIM Installer Account, so permissions should have been fine. On the list of todo’s for this environment I also had a WSS security hotfix. This is the hotfix I mentioned in WSS Killer Security Update. I prefer to install it in a controlled way instead of receiving it through WSUS. However, installing the update didn’t work out. The setup just failed. The log files pointed me to: KB939308: Error message when you try to modify or to delete an alternate access mapping in Windows SharePoint Services 3.0: "An update conflict has occurred, and you must re-try this action"

After following the actions in that KB article, I reran the installer of the hotfix and everything worked out fine.

And guess what: the Language Pack Update 1 installer finished just fine too! I have no proof that they are related, but I ran the update multiple times, every time resulting in a crash. Once I cleared the cache of WSS as described in the article the update ran fine.

Happy updating!


FIM 2010 Update 1 Installation Issue


In the release notes of FIM 2010 Update 1 (KB978864), one of the things mentioned is that you have to make sure the Portal is reachable on http://localhost. Another known cause of problems seems to be the FIM Service certificate. During the installation you get the following options:


From Microsoft PSS I heard that there’s a known issue when upgrading to FIM 2010 Update 1 if you chose a customized certificate. One of the requirements for the FIM Service certificate is that it has CN=ForefrontIdentityManager in its subject. My customer had generated a custom certificate from their internal CA, and of course the subject was different from the required one.

This caused the update to fail and rollback. The following errors were shown in the Application event log:

Entries from the event log, first line logged first:

  • Error : MicrosoftILMPortalCommonDlls.wsp already exists
  • An error occurred while deploying FIM portal solution packs.
  • Error : MicrosoftIdentityManagement.wsp already exists
  • An error occurred while deploying FIM portal solution packs.
  • Error : ILMPasswordPortal.wsp already exists
  • An error occurred while deploying FIM portal solution packs.

To resolve this situation you can run the RTM installer again, but now choose “change”. You’ll be prompted to fill in all setup questions again, but now you can choose “Generate a new self-signed certificate”. After running this successfully you can try to update again.
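The two preconditions named above (portal reachable on http://localhost, and a FIM Service certificate with CN=ForefrontIdentityManager in its subject) can be checked before starting the update. This is an added example, not part of the original post or of the FIM installer; it assumes the certificate sits in the Local Computer "Personal" store, and the function names are hypothetical.

```powershell
# Added example: pre-flight checks before running FIM 2010 Update 1.
# Assumption: the FIM Service certificate is in Cert:\LocalMachine\My.
$requiredCn = 'CN=ForefrontIdentityManager'
$portalUrl  = 'http://localhost'

function Get-FimServiceCertificateCandidate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    # Match on an RDN boundary so CN=ForefrontIdentityManagerTest does not pass.
    $pattern = '(^|,\s*)' + [regex]::Escape($requiredCn) + '(\s*,|$)'
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Expired    = ($_.NotAfter -lt (Get-Date))
            }
        }
}

function Get-PortalHttpStatus {
    param([string]$Url = $portalUrl)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.UseDefaultCredentials = $true   # the portal uses Windows authentication
    $request.Timeout = 10000
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return $status
    } catch {
        # PowerShell may wrap the WebException; walk down to it.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        # A 401/403 still proves that IIS answers on this binding.
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        return $null   # no HTTP answer at all: check the IIS bindings
    }
}

$certs  = @(Get-FimServiceCertificateCandidate)
$status = Get-PortalHttpStatus
if ($certs.Count -eq 0) { Write-Warning "No certificate with $requiredCn in its subject was found." }
else { $certs | Format-List Subject, Thumbprint, SelfSigned, Expired }
if ($status -eq $null) { Write-Warning "$portalUrl did not answer." }
else { "Portal answered on $portalUrl with HTTP $status" }
```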

Some other items I found on my quest for a solution:

Installing update failed because sharepoint not installed on "localhost"?

In my opinion removing .WSP’s yourself in WSS is not a great idea. The FIM Update installers really depend on the fact that they expect the .WSP’s to be in place. If you start messing with them you might break things completely. If you are having issues reaching your portal at http://localhost, verify the bindings for the SharePoint site in IIS. You could add:

  • 80
  • ::1 80

This ensures proper access to http://localhost in case you don’t have “all available addresses 80” set as the binding.

Another possible solution: ILM 2 Beta 3 Premature Failure - ilmpasswordportal.wsp already exists

Again, I would really advise against deleting .WSP’s yourself. Even if they are in error, try running the FIM Service & Portal setup in Change mode. You’ll see it will re-deploy the .WSP solutions.

P.S. If you want detailed information regarding a failure for an update, try running the update.msp file like this: msiexec /p update.msp /L*V c:\update.log


FIM MA Full Import Broken


One of my customers had the following error when they ran a Full Import on the FIM MA: app-store-import-exception


In the application event log I found the following error which was occurring every time they ran a Full Import.


A copy paste of the error:

The description for Event ID 6500 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

There is an error executing ILM MA full import.
Type: System.ArgumentNullException

Message: Value cannot be null.
Parameter name: key

Stack Trace:    at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
   at System.Collections.Generic.Dictionary`2.FindEntry(TKey key)
   at System.Collections.Generic.Dictionary`2.TryGetValue(TKey key, TValue& value)
   at Microsoft.ResourceManagement.Schema.ServerSchemaManager.GetAttributeSchema(String attributeName)
   at Microsoft.ResourceManagement.Query.QueryProcessor.ReadFragment(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
   at Microsoft.ResourceManagement.Query.QueryProcessor.ReadQueryResults(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
   at Microsoft.ResourceManagement.Query.QueryProcessor.ReadQueryResults(SqlDataReader reader)
   at Microsoft.ResourceManagement.Data.Sync.FullImportGetNext(Int64 beginObjectKey, Int64 maxObjectKey, Int32 batchSize)
   at MIIS.ManagementAgent.RavenMA.FullImportGetNextBatch(Int64 maxObjectKey, Int32 batchSize)

the message resource is present but the message is not found in the string/message table

A search on Google led me to the following TechNet forum post: App-Store-Import-Exception

And then I spent quite some time on SQL tracing and trying to find out which key was null. I found none… I don’t know how I got to it, but I figured refreshing the schema couldn’t hurt to perhaps get a more descriptive error. It seemed that someone had been modifying the schema!:


After the schema refresh, imports started running again. It’s obvious to refresh the schema if you changed something in the schema in the Portal. However, if you start from the given error it wasn’t as obvious to refresh the schema… Case Solved!


Active Directory Quick Tips

Published on Tuesday, March 1, 2011

1. Use GPMC GPO Backup Feature To Locate Unresolvable SIDs

Sometimes you might have GPO’s which reference SID’s which cannot be resolved. There might be various reasons for that. Someone might have configured the GPO to reference a certain account in a setting whilst that account was deleted somewhere in time afterwards. Or like I encountered: you use GPO backups to import & export your GPO’s from a lab to an acceptance environment and you simply forget to translate some of the SIDs.

A neat trick which I found out by accident is the “Backup All…” GPO option from the Group Policy Management Console. This will try to resolve all accounts used in your GPO’s and throw a warning if there’s a problem. You could do this every now and then to keep your GPO’s squeaky clean.


2. Generate an HTML Report Of All Your GPO’s

Whenever you’re documenting your GPO’s, or you simply want to have a snapshot in time of the settings, versions, links, security, … you can choose to create a GPO report from the GPMC. Using PowerShell, however, you can issue the following command to get a single-file HTML which will nicely give you all the required information. It would perhaps be a nice idea to run this monthly or even more frequently if you want to have some audit trail as to what is changed. But if you really need this, I think AGPM will be a better fit.

Get-GPOReport -All -Domain contoso.com -Server dc01 -ReportType HTML -Path C:\Users\thomas.vuylsteke\Desktop\GPO_Report\GPO_Report.html

The following screenshot shows an example of the layout. By default everything, except the subsections of each GPO, is hidden. You can easily scroll from GPO to GPO, and I can imagine it’s very simple to edit the HTML file if you only want a subset of the policies in your report.
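To turn the periodic report into a simple change trail, each run can also record the GPO version numbers and compare them with the previous run. This is an added example, not part of the original post; the domain and server are the ones from the command above, and the report folder and file names are hypothetical.

```powershell
# Added example: timestamped GPO report plus a version snapshot, diffed against the last run.
Import-Module GroupPolicy

$domain = 'contoso.com'      # from the command above
$server = 'dc01'             # always query the same DC so runs are comparable
$folder = 'C:\GPO_Reports'   # hypothetical output folder
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# Pick up the previous snapshot before writing the new one.
$previousFile = Get-ChildItem -Path $folder -Filter 'GPO_Versions_*.csv' |
    Sort-Object Name | Select-Object -Last 1

# The user and computer version numbers rise every time settings are edited.
$current = @(Get-GPO -All -Domain $domain -Server $server | ForEach-Object {
    New-Object PSObject -Property @{
        Id               = $_.Id.ToString()
        DisplayName      = $_.DisplayName
        UserVersion      = $_.User.DSVersion
        ComputerVersion  = $_.Computer.DSVersion
        ModificationTime = $_.ModificationTime.ToString('s')
    }
})
$current | Export-Csv -Path (Join-Path $folder "GPO_Versions_$stamp.csv") -NoTypeInformation

# Keep the full HTML report of this run next to the snapshot.
Get-GPOReport -All -Domain $domain -Server $server -ReportType HTML `
    -Path (Join-Path $folder "GPO_Report_$stamp.html")

if ($previousFile) {
    $old = @{}
    Import-Csv -Path $previousFile.FullName | ForEach-Object { $old[$_.Id] = $_ }
    foreach ($gpo in $current) {
        $before = $old[$gpo.Id]
        $now    = "$($gpo.UserVersion)/$($gpo.ComputerVersion)"
        if (-not $before) {
            "ADDED    $($gpo.DisplayName)"
        } elseif ("$($before.UserVersion)/$($before.ComputerVersion)" -ne $now) {
            "CHANGED  $($gpo.DisplayName) (user/computer version now $now, modified $($gpo.ModificationTime))"
        }
        $old.Remove($gpo.Id)
    }
    # Whatever is left existed last time but is gone now.
    foreach ($gone in $old.Values) { "REMOVED  $($gone.DisplayName)" }
} else {
    "First run: baseline of $($current.Count) GPOs written to $folder"
}
```

The comparison covers setting edits only; links live on the OU, site or domain object rather than on the GPO, so the saved HTML reports remain the place to see those.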