MIM 2016 SP2 on S2k12R2 -> in-place upgrade of Windows Server 2012 R2 to 2019

This article could be helpful for anyone who manages an existing installation of MIM 2016 SP2 on Windows Server 2012 R2 and needs to perform upgrades to stay within Microsoft support until 2026 (end of support for MIM 2016 SP2).

Software versions before the upgrade:

  • 2 x MIM 2016 SP2 portals (using SharePoint Foundation 2013) hosted on Windows Server 2012 R2
  • 1 x MIM 2016 SP Sync server hosted on Windows Server 2012 R2
  • MS SQL 2016 SP3 DB server for the portals & sync service, hosted on Windows Server 2012 R2

Expected software versions after the upgrade:

  • MIM 2016 SP2 portals -> hosted on Windows Server 2019 & SharePoint 2016
  • MIM 2016 SP Sync server -> hosted on Windows Server 2019
  • MS SQL 2016 DB server -> hosted on Windows Server 2019

The upgrade will be performed in the following order:

  1. MIM PORTALS servers
  2. MIM Sync Server
  3. MIM DB Server

Upgrade of the MIM PORTAL servers

  1. Perform a backup of your system.
  2. Back up the config file „Microsoft.ResourceManagement.Service.exe.config“ from the installation path (the default is C:\Program Files\Microsoft Forefront Identity Manager\2010\Service), or the whole „Service“ folder; it is up to you.
  3. Uninstall the MIM components cleanly via Add/Remove Programs in Control Panel.
  4. Uninstall SharePoint cleanly via Add/Remove Programs in Control Panel.
  5. Mount the Windows Server 2019 installation media and run setup.exe.
  6. Select the „Desktop Experience“ installation & „keep apps and files“!
  7. The in-place upgrade of the OS can take hours; be patient.
  8. Once the server is up and you can log on via RDP, install all Windows patches.
  9. Verify that the server still has static DNS servers configured! My VMs lost this configuration!
  10. Start the MS SQL Agent on the DB server!
  11. Install SharePoint 2016 (it needs a key; this version is not free like SharePoint Foundation 2013, whose support ends in 2023). Follow the steps described on the Microsoft website; they work fine in this case 🙂 – Configure SharePoint for Microsoft Identity Manager 2016 | Microsoft Docs
  12. Use the existing MS SQL DB server.
  13. In the guide above, replace the service accounts with the accounts already used in the original MIM/SharePoint installation; do the same for the name of your portal, http://identityportal.xxxxxxx.local/
  14. Once the SharePoint installation is done, verify that the website is running.
  15. Run the MIM installation (follow the installation wizard). During the MIM installation, use the existing FIM DB used by the original portal installation!
  16. If your installation media is not already at SP2, install MIM and, once it finishes, continue by installing MIM 2016 SP2 for the portal.
  17. Overwrite the new Microsoft.ResourceManagement.Service.exe.config with the old (backup) file; in my case the original config contains extra lines for SMS etc.
  18. Run the portal.
  19. All settings such as workflows, RCDCs, email templates, etc. should still be there, because the uninstallation did not remove them 🙂 which is good 🙂
  20. Do some tests, but the PORTAL should be OK.
  21. Do the same on the second MIM PORTAL.
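As an added example (not part of the original article), the following PowerShell script covers steps 2 and 17 of the portal procedure: it backs up the Service folder together with a SHA-256 hash of the config file, shows which lines differ between the backup and the freshly installed config (the customisations such as the SMS settings mentioned in step 17), and restores the backup only after the hash still matches. The backup root D:\MIM-Backup and the service name FIMService are assumptions; the installation path is the default named in step 2.

```powershell
# Added example, not code from the original article.
# Paths: installation path is the default from step 2; $BackupRoot is an assumption.
$ServicePath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service'
$ConfigName  = 'Microsoft.ResourceManagement.Service.exe.config'
$BackupRoot  = 'D:\MIM-Backup'          # assumed backup location
$ServiceName = 'FIMService'             # assumed Windows service name of the MIM Service

function Backup-MimServiceConfig {
    param([string]$Source = $ServicePath, [string]$Destination = $BackupRoot)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "Service-$stamp"
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    # Copy the whole Service folder (step 2); the config file is what we mainly need back
    Copy-Item -Path (Join-Path $Source '*') -Destination $target -Recurse -Force
    # Record a hash of the config so a damaged or wrong backup is noticed before restore
    $hash = Get-FileHash -Path (Join-Path $target $ConfigName) -Algorithm SHA256
    $hash.Hash | Set-Content -Path (Join-Path $target "$ConfigName.sha256")
    return $target
}

function Compare-MimServiceConfig {
    param([Parameter(Mandatory)][string]$BackupFolder)
    $old = Get-Content (Join-Path $BackupFolder $ConfigName)
    $new = Get-Content (Join-Path $ServicePath $ConfigName)
    # Lines marked '<=' exist only in the backup: the customisations the new install lacks
    Compare-Object -ReferenceObject $old -DifferenceObject $new
}

function Restore-MimServiceConfig {
    param([Parameter(Mandatory)][string]$BackupFolder)
    $backupFile = Join-Path $BackupFolder $ConfigName
    $expected   = (Get-Content (Join-Path $BackupFolder "$ConfigName.sha256")).Trim()
    $actual     = (Get-FileHash -Path $backupFile -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "Backup of $ConfigName does not match its recorded hash; refusing to restore."
    }
    $live = Join-Path $ServicePath $ConfigName
    # Keep the config written by the new installer next to the restored one for reference
    Copy-Item -Path $live -Destination "$live.new-install" -Force
    Stop-Service -Name $ServiceName
    Copy-Item -Path $backupFile -Destination $live -Force    # step 17
    Start-Service -Name $ServiceName
}

# Before uninstalling:   $backup = Backup-MimServiceConfig
# After reinstalling:    Compare-MimServiceConfig -BackupFolder $backup
#                        Restore-MimServiceConfig -BackupFolder $backup
```

Compare before restoring: if the new installer changed a connection string or a version-specific setting, you want to carry that over into the old file rather than blindly overwrite it.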

Upgrade of the MIM SYNC server

  1. Perform a backup of your system.
  2. Stop the MIM Sync service (for MIM SYNC, I did NOT uninstall the MIM Sync service!).
  3. Disable the scheduled tasks and shut down the MIM PORTALS.
  4. Install Windows Server 2019 (in-place); select the „Desktop Experience“ installation & „keep apps and files“!
  5. The in-place upgrade of the OS can take hours; be patient.
  6. Once the server is up and you can log on via RDP, install all Windows patches.
  7. Verify that the server still has static DNS servers configured! My VMs lost this configuration!
  8. After the upgrade, re-run the MIM Sync installation (this repairs MIM Sync after the OS in-place upgrade) and select Configure.
  9. Re-run the SP2 installer if the MIM 2016 installation is not already at SP2.
  10. Verify that the Sync console is working.
  11. Enable the scheduled tasks.
  12. Run a full and a delta sync and verify that everything is working fine.

Upgrade of the DB server

  1. Perform a backup of your system.
  2. Shut down the MIM Portals and the Sync server.
  3. Stop all MS SQL services.
  4. Install Windows Server 2019 (in-place); select the „Desktop Experience“ installation & „keep apps and files“!
  5. The in-place upgrade of the OS can take hours; be patient.
  6. Once the server is up and you can log on via RDP, install all Windows patches.
  7. Verify that the server still has static DNS servers configured! My VMs lost this configuration!
  8. Open MS SQL Management Studio and verify that everything works fine.
  9. Start the MIM PORTALS and the SYNC server.
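Three checks recur in all three procedures above: static DNS servers after the in-place upgrade, the SQL Agent on the DB server, and the MIM services coming back. As an added example (not from the original article), this PowerShell script runs those checks on each role and puts the DNS servers back when the upgrade dropped them. The DNS addresses are constructed sample values, and the service names assume a default SQL instance and standard MIM/SharePoint service names.

```powershell
# Added example, not code from the original article.
$ExpectedDns = @('10.0.0.10', '10.0.0.11')   # constructed sample values; use your own

# Assumed service names: IIS, SharePoint Timer, MIM Service; MIM Sync; SQL default instance + Agent
$RoleServices = @{
    Portal = @('W3SVC', 'SPTimerV4', 'FIMService')
    Sync   = @('FIMSynchronizationService')
    Db     = @('MSSQLSERVER', 'SQLSERVERAGENT')
}

function Test-StaticDnsServers {
    # Step "verify static DNS servers": every connected adapter must list exactly $Expected
    param([string[]]$Expected = $ExpectedDns)
    $ok = $true
    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
        $ip  = Get-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4
        if (-not $dns) {
            Write-Warning "$($adapter.Name): no DNS servers configured (what the in-place upgrade lost)"
            $ok = $false
        } elseif (Compare-Object -ReferenceObject $Expected -DifferenceObject $dns) {
            Write-Warning "$($adapter.Name): DNS servers are '$($dns -join ', ')', expected '$($Expected -join ', ')'"
            $ok = $false
        }
        if ($ip.Dhcp -eq 'Enabled') {
            Write-Warning "$($adapter.Name): DHCP is enabled, so the DNS servers may not be static"
            $ok = $false
        }
    }
    return $ok
}

function Set-StaticDnsServers {
    # Fix for the DNS step: re-apply the expected servers on every connected adapter
    param([string[]]$Servers = $ExpectedDns)
    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $Servers
    }
}

function Test-RoleServices {
    # Step "run SQL Agent" / "verify Sync console" / "run portal": services present and running
    param([Parameter(Mandatory)][ValidateSet('Portal', 'Sync', 'Db')][string]$Role)
    $ok = $true
    foreach ($name in $RoleServices[$Role]) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service $name is not installed"; $ok = $false
        } elseif ($svc.Status -ne 'Running') {
            Write-Warning "Service $name is $($svc.Status)"; $ok = $false
        }
    }
    return $ok
}

# On a portal server, after the Windows patches are in:
# if (-not (Test-StaticDnsServers)) { Set-StaticDnsServers }
# Test-RoleServices -Role Portal
```

Run Test-StaticDnsServers before anything that needs name resolution (SharePoint setup, the MIM installer talking to SQL), because a server that lost its DNS servers fails those steps with errors that do not mention DNS.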

Can I change custom attributes in EO once a user has lost the EO license? (Hybrid env.)

The answer is yes, you can, but not to any value you want. If your organization syncs the AD extensionAttributes to EO and uses them for some advanced filtering etc., there can be a problem once a user loses the EO license and the extensionAttributes in AD change (usually you do some cleanup of the values, or replace the original value with a neutral one that means the user is not active, etc.). This change is no longer synced to EO, because the user is missing the EO (O365) license.
The result can look like this: in AD extensionAttribute1 = “”, in EO customAttribute1 = “Marketing”.

This can be a problem when you use Dynamic Distribution Groups whose membership is based on customAttributes. The user does not have a license, and the customAttributes in EO still show the original values from AD, from the time when AD sync was still succeeding.

There are some ways to solve it. You could add the EO license back to the user and wait for the sync, which will change the value(s) of the customAttributes in EO; or set/clean up the values in the AD extensionAttributes, wait for Azure AD sync (this requires that the user without the EO license is still synced to Azure!) and set the same value in EO via PowerShell 🙂 Yes, simple, but sometimes your head may spin :)
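The second option ends with "set the same value in EO via PowerShell". As an added example (not from the original post), the script below does that step deliberately: it compares extensionAttribute1..15 of the AD user with CustomAttribute1..15 of the Exchange Online mailbox, reports the differences (the "Marketing" vs "" case above), and then writes the AD values to EO, clearing attributes that are empty in AD. It assumes the ActiveDirectory and ExchangeOnlineManagement modules and an already established Connect-ExchangeOnline session; the sAMAccountName at the bottom is a constructed sample.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement   # Connect-ExchangeOnline must already have been run

function Compare-EoCustomAttributes {
    # Returns one object per attribute index whose AD and EO values differ
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adProps = (1..15 | ForEach-Object { "extensionAttribute$_" }) + 'UserPrincipalName'
    $ad  = Get-ADUser -Identity $SamAccountName -Properties $adProps
    $mbx = Get-Mailbox -Identity $ad.UserPrincipalName -ErrorAction Stop
    foreach ($i in 1..15) {
        $adValue = [string]$ad."extensionAttribute$i"   # $null becomes '' for the comparison
        $eoValue = [string]$mbx."CustomAttribute$i"
        if ($adValue -ne $eoValue) {
            [pscustomobject]@{ Index = $i; AD = $adValue; EO = $eoValue }
        }
    }
}

function Sync-EoCustomAttributes {
    # Makes EO match AD for every differing attribute; -WhatIf only shows what would change
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$WhatIf)
    $upn = (Get-ADUser -Identity $SamAccountName).UserPrincipalName
    foreach ($d in Compare-EoCustomAttributes -SamAccountName $SamAccountName) {
        # An empty AD value must clear the EO attribute; Set-Mailbox takes $null for that
        $value  = if ($d.AD -eq '') { $null } else { $d.AD }
        $params = @{ "CustomAttribute$($d.Index)" = $value }
        Write-Host "CustomAttribute$($d.Index): '$($d.EO)' -> '$($d.AD)'"
        try {
            Set-Mailbox -Identity $upn @params -WhatIf:$WhatIf -ErrorAction Stop
        } catch {
            # Surface the EO error instead of silently skipping the attribute
            Write-Warning "Could not set CustomAttribute$($d.Index) on $upn : $($_.Exception.Message)"
        }
    }
}

# Compare-EoCustomAttributes -SamAccountName 'jdoe'
# Sync-EoCustomAttributes -SamAccountName 'jdoe' -WhatIf
```

Run the compare first and the sync with -WhatIf before the real run; a Dynamic Distribution Group that filters on these attributes picks the change up on its next membership evaluation, so a wrong value reaches mailing lists quickly.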

Delegate permission to manage „User cannot change password“ in User ‚Account Options‘

Hey, have you noticed that when you delegate write permission on nTSecurityDescriptor, you still cannot change the option ‚User cannot change password‘? When you try to tick this option and save, all looks fine, because you can save it, but once you open the user account properties again, you see that the option ‚User cannot change password‘ is blank :\ . This is caused by a missing permission to add the ‚Everyone‘ – DENY entry in the Security tab. Yes, you must also have permission to modify the permissions of the user object. If you do not want to grant Full Control, you must explicitly add and allow ‚Modify permissions‘.

User Object – Account Options
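As an added example (not from the original post), the PowerShell below delegates exactly the right the text asks for, ‚Modify permissions‘ (WriteDacl), on user objects under one OU, and adds a check that tells whether ‚User cannot change password‘ really took effect on a given user. The OU and group names are constructed samples; the two GUIDs are the well-known schema values for the ‚user‘ object class and the ‚Change Password‘ extended right. The checkbox is stored as Deny entries for that right on behalf of Everyone and SELF, which is why the save silently loses them without WriteDacl.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory
$OU            = 'OU=Staff,DC=example,DC=local'        # constructed sample
$DelegateGroup = 'EXAMPLE\HelpDesk-AccountAdmins'      # constructed sample

$UserClassGuid       = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'
$ChangePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # rightsGuid 'Change Password'

function Grant-ModifyPermissionsOnUsers {
    # Allow WriteDacl on descendant user objects of the OU only, not on the OU itself
    param([string]$Path = $OU, [string]$Principal = $DelegateGroup)
    $acl = Get-Acl -Path "AD:\$Path"
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

function Test-UserCannotChangePassword {
    # True only when both Everyone (S-1-1-0) and SELF (S-1-5-10) are denied 'Change Password';
    # anything less means the checkbox did not stick, which is the symptom described above
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $denied = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny' -or $ace.ObjectType -ne $ChangePasswordRight) { continue }
        $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    return (('S-1-1-0' -in $denied) -and ('S-1-5-10' -in $denied))
}

# Grant-ModifyPermissionsOnUsers
# Test-UserCannotChangePassword -SamAccountName 'jdoe'
```

WriteDacl on a user object lets the delegate rewrite the whole DACL of that user, not just the two Deny entries, so scope the grant to the OU that actually needs it and keep it off privileged accounts.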

get-adgroupmember : The size limit for this request was exceeded

Although I have worked in big infrastructures, it was not long ago that I personally ran into the limitation of the ADWS service for the first time. Because there are good reasons why this limit should not be changed on the DC, the cmdlet Get-ADGroupMember can easily be replaced by Get-ADGroup ‚GroupName‘ -Properties Member | Select-Object -ExpandProperty Member 🙂

https://docs.microsoft.com/en-us/archive/blogs/activedirectoryua/active-directory-maximum-limits-and-scalability-topic-updated
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391908(v=ws.10)?redirectedfrom=MSDN
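As an added example (not from the original post), here is the one-liner above turned into a function: it reads membership through the group's multi-valued member attribute instead of Get-ADGroupMember, optionally expands nested groups, and guards against membership loops so a group that is (indirectly) a member of itself does not recurse forever. It needs the ActiveDirectory module; the group name at the bottom is a constructed sample.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Get-GroupMemberDn {
    param([Parameter(Mandatory)][string]$Group, [switch]$Recurse)
    $seenGroups = [System.Collections.Generic.HashSet[string]]::new()   # groups already expanded
    $emitted    = [System.Collections.Generic.HashSet[string]]::new()   # members already returned
    $queue      = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue((Get-ADGroup -Identity $Group).DistinguishedName)

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        if (-not $seenGroups.Add($groupDn)) { continue }   # loop protection
        # One read of the 'member' attribute, the replacement the text recommends,
        # rather than the per-request object enumeration that hits the ADWS limit
        $members = Get-ADGroup -Identity $groupDn -Properties Member |
                   Select-Object -ExpandProperty Member
        foreach ($dn in $members) {
            if ($Recurse) {
                $obj = Get-ADObject -Identity $dn -Properties objectClass
                if ($obj.ObjectClass -eq 'group') { $queue.Enqueue($dn); continue }
            }
            if ($emitted.Add($dn)) { $dn }   # report each member once, even via several paths
        }
    }
}

# Get-GroupMemberDn -Group 'All-Employees' -Recurse | Measure-Object
```

Without -Recurse the function makes one directory call per group and returns DNs only, which is what keeps it fast on very large groups; resolve the DNs with Get-ADObject afterwards if you need names or classes.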

AD LDS and Password Policies

Have you ever thought about how password policies are managed in AD LDS? This short article describes how it works.

When the host server of the AD LDS instance is a domain member, the domain password policies are applied. A host server in a workgroup uses the local password policies. The inherited domain password policies can be ignored by using ADSI Edit:
open ADSI Edit, connect to the Configuration naming context of the LDAP server, and find the path below.

On the object:
CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={guid},
there is a multi-valued attribute called msDS-Other-Settings. The entry ADAMDisablePasswordPolicies has the value 0 by default; setting it to 1 disables inheritance from the domain and starts using the local password policies of the host server.
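As an added example (not from the original article), the following PowerShell reads and changes the ADAMDisablePasswordPolicies entry with the ActiveDirectory module instead of ADSI Edit. Rather than hard-coding the DN, it searches the CN=Directory Service subtree of the Configuration partition for the object that carries msDS-Other-Settings, so it works whether the attribute sits on the Directory Service object itself or on a container beneath it. It replaces only that one entry of the multi-valued attribute. The server name and LDAP port are constructed samples.

```powershell
# Added example, not code from the original article.
Import-Module ActiveDirectory
$AdldsServer = 'adlds01.example.local:50000'   # constructed sample: host:port of the AD LDS instance

function Get-AdldsOtherSettingsObject {
    # Locate the object in the Configuration partition that holds msDS-Other-Settings
    param([string]$Server = $AdldsServer)
    $configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $base = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    Get-ADObject -Server $Server -SearchBase $base -SearchScope Subtree `
        -LDAPFilter '(msDS-Other-Settings=*)' -Properties 'msDS-Other-Settings' |
        Select-Object -First 1
}

function Get-AdldsPasswordPolicyInheritance {
    param([string]$Server = $AdldsServer)
    $obj   = Get-AdldsOtherSettingsObject -Server $Server
    $entry = $obj.'msDS-Other-Settings' | Where-Object { $_ -like 'ADAMDisablePasswordPolicies=*' }
    [pscustomobject]@{
        Object   = $obj.DistinguishedName
        Entry    = $entry
        # 0 (or no entry at all) = domain policies inherited; 1 = host's local policies used
        Disabled = ($entry -eq 'ADAMDisablePasswordPolicies=1')
    }
}

function Set-AdldsPasswordPolicyInheritance {
    param([string]$Server = $AdldsServer, [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Disable)
    $obj = Get-AdldsOtherSettingsObject -Server $Server
    $old = $obj.'msDS-Other-Settings' | Where-Object { $_ -like 'ADAMDisablePasswordPolicies=*' }
    $new = "ADAMDisablePasswordPolicies=$Disable"
    if ($old -eq $new) { return }
    # Swap only this entry; the other values of msDS-Other-Settings stay untouched
    $change = @{ Add = @{ 'msDS-Other-Settings' = $new } }
    if ($old) { $change.Remove = @{ 'msDS-Other-Settings' = $old } }
    Set-ADObject -Server $Server -Identity $obj.DistinguishedName @change
}

# Get-AdldsPasswordPolicyInheritance
# Set-AdldsPasswordPolicyInheritance -Disable 1   # stop inheriting the domain policy
```

Check the value with Get-AdldsPasswordPolicyInheritance before and after, and remember what a 1 means on a domain-joined host: the instance then enforces only the local policy of that server, so the local policy has to be at least as strict as the domain one you just stopped inheriting.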