Configuring MIM 2016 Full and Incremental Imports for SharePoint
Recently I was assigned to help get MIM 2016 working with SharePoint 2016. The initial MIM Install was pretty straightforward. I am going to assume you have installed MIM and have run the PowerShell for Full and Delta imports using SharePointSync.psm1 and that they are working correctly. I am also going to assume you have SP1 and at least KB4021562 for FIM.
For some reason I struggled with getting the Delta and Full imports scheduled in Task Scheduler, so I am writing this blog for my reference in the future.
First, we need to create a couple of PowerShell Scripts (one for the full import and one for the Delta Import).
The scripts should look like below. Save them to a directory (because I was on a test system I only had a C drive, so I saved to c:\ScheduledScripts
Delta.ps1 | Import-Module C:\SharePointSynchronization\SharePointSync.psm1Start-SharePointSync -Delta -Confirm:$false |
Full.ps1 | Import-Module C:\SharePointSynchronization\SharePointSynch.psm1Start-SharePointSync -Confirm:$false |
Now load task Scheduler and create task. Enter Name (MIM Delta Import). Click Change user or Group account for running task to a service account that is not part of MIM or SharePoint (Plan for MIM Security) Click Run whether user is logged in or not. Click to check Run with Highest Privileges. This account will need to be assigned the user right Logon as Batch in secpol.msc. Note: This will as for and save the credentials for the service account that you use for running this task. If your security posture will not allow you to save credentials you will only have two options. You can run only when the service account is logged in or you can configure this to run as NT Authority\System. Both of these have drawbacks and should be thoroughly evaluated.
Select Triggers Tab. Select New. Select appropriate days/times for schedule. Click OK.
Select Actions tab. Select New. For Program/Script: input box type PowerShell. For Add Arguments (optional) input box type -noprofile -executionpolicy bypass -file C:\ScheduledScripts\delta.ps1 . Click OK.
Click OK. Screen should look like below:
Click OK to save. Enter the password of the service account you used if prompted.
Repeat steps above for full import.
Now off to the right click RUN to test the script.
First Error I received was for the PSM1 file:
Security warning Run only scripts that you trust.
While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message.
To fix open PowerShell as admin and run Unblock-file c:\SharePointSync.psm1
Click to Run again.
This time import fails with no information. Looking in Event Viewer I found Event Viewer Error 10016.
Opening up Regedit and searching for the GUID {835BEE60-8731-4159-8BFF-941301D76D05} I see it belongs to ForeFront Identity Management Syncronization.
Opening up component Services and then DCOM Config. I see that the only accounts/groups listed with Launch and Activation Permissions is the local groups created by MIM.
Open up computer Management and add you service account to the local group MIMSyncAdmins. See referenced (Plan for MIM Security)
Comments
- Anonymous
May 15, 2018
In our "Start a program", we have the entire path for powershell.