FIM R2 Hotfix Rollup 4.1.3451.0 rollback damages DCOM settings.

Hi,

While trying to deploy hotfix rollup 4.1.3451.0 (for the Synchronization Service only) and hitting an error about not being able to connect to SQL (permissions), I initiated a rollback. Once this was done, the FIM Synchronization Service eventually stopped and the FIM GUI could no longer be opened by someone with FIMSyncAdmin group permissions.

The 5 FIM management groups are domain based (not local); the person trying to start the FIM GUI is a member of the domain-based SyncAdmins group etc.

The Windows Eventlog shows numerous instances of DistributedCOM event ID 10016, which led me to investigate the DCOM permissions.

On most DCOM objects for FIM in the Component Services management console, the 5 FIM management groups have been removed and (re)added by the hotfix installer, but what is added are SIDs that do not resolve to the proper FIM domain groups. These 5 domain groups for FIM do not use the conventional out-of-the-box group names; the customer has a naming convention which I must obey.

I adjusted all DCOM permissions for FIM objects (by comparing them with a healthy server) and was able to start the FIM Synchronization Service and gain access to the GUI.

  • Source: DistributedCOM
    Event ID: 10016

    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {835BEE60-8731-4159-8BFF-941301D76D05} and APPID {835BEE60-8731-4159-8BFF-941301D76D05} to the user DOMAIN\FIMSVC SID (S-1-5-21-1454471165-343818398-682003330-1554363) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Note: the user 'DOMAIN\FIMSVC' is fictitious; I removed the original values. ClassID and AppID {835BEE60-8731-4159-8BFF-941301D76D05} are the Synchronization Service.

Kind re

July 8th, 2013 8:07am
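As an added diagnostic (not from the original post), this PowerShell snippet reads the DCOM launch/activation ACL stored for the APPID quoted in the 10016 event and flags every entry whose SID no longer resolves to an account, which is the orphaned-SID symptom described above. It assumes it is run elevated on the affected server; the APPID is the one from the post.

```powershell
# Added example: audit the DCOM LaunchPermission ACL of one AppID for unresolvable SIDs.
param(
    # APPID of the FIM Synchronization Service, taken from the 10016 event above
    [string]$AppId = '{835BEE60-8731-4159-8BFF-941301D76D05}'
)

$key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
if (-not (Test-Path $key)) { throw "AppID key not found: $key" }

# LaunchPermission is a REG_BINARY self-relative security descriptor. If it is absent,
# the machine-wide DCOM defaults apply instead and there is nothing per-app to audit.
$bytes = (Get-ItemProperty -Path $key -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
if (-not $bytes) { Write-Warning "No per-AppID LaunchPermission set; machine-wide defaults apply."; return }
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ($bytes, 0)

# DCOM access-mask bits (COM_RIGHTS_* from objbase.h); the event complains about bit 8.
$rights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $sid = $ace.SecurityIdentifier
    try {
        # A healthy ACE translates back to DOMAIN\Group; a stale one throws here.
        $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $resolved = $true
    } catch {
        $account  = '<unresolved SID>'
        $resolved = $false
    }
    $granted = ($rights.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $rights[$_] }) -join ','
    [pscustomobject]@{
        Type     = $ace.AceType      # AccessAllowed / AccessDenied
        Account  = $account
        Sid      = $sid.Value
        Resolved = $resolved
        Rights   = $granted
    }
}
```

Rows with Resolved = False are the entries to compare against a healthy server before correcting them in Component Services; the same approach works for the AccessPermission value, which governs the Access Permission tab.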

