Failed to connect to the specified database or Forefront Identity Management Service #1

I was testing a configuration migration in a customer environment and, when importing the FIM MA, I hit the good old error:

Failed to connect to the specified database or Forefront Identity Management Service. Please check the specified database location, service host address, and account information.

There are several reasons why you can hit this error.  I’m going to blog about them all, but I’m going to dedicate a post to each.  In this post, the reason was communications: specifically, the FIM Synchronization Service couldn’t connect to the FIM Service web service.

Here’s the error (from verbose tracing):

mscorlib: System.ServiceModel.EndpointNotFoundException: Could not connect to http://idweb:5725/ResourceManagementService/MEX.  TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.99.104:5725.  –> System.Net.WebException: Unable to connect to the remote server –> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.99.104:5725 at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) at …

I immediately checked the firewall and, yes, the two rules for the FIM Service, Forefront Identity Manager Service (STS) and Forefront Identity Manager Service (Webservice), were present and enabled.

I verified I could access the FIM Service from the system, i.e. I browsed to the portal.  I also tested name resolution for the hostname of the FIM server and the virtual hostname (the URL).

I then looked into the IE settings for the FIM Synchronization Service, i.e. I reset the IE zone settings to default, added the virtual hostname to the Intranet zone, and ensured that no proxy was configured and that automatic proxy detection was off.  I retried this with the FIM MA account too.

Nothing worked.  I looked at the NIC properties on the FIM Synchronization Service server for the second time and it hit me: the network was Public.  I jumped back onto the FIM Service server and the network connection there was Public too.  I bounced the Network Location Awareness service (NLASVC) and the box was then on a Domain network.  Back on the FIM Synchronization Service box, I bounced NLASVC and it too was now on a Domain network.  I retried the connection and bingo, we were through and the FIM MA went off and created.

The reason?  The two firewall rules created by the FIM Service installation are configured for the Domain profile only.  Disabling the firewall is not an option and neither, in my opinion, is changing the scope of the rules.

Why hadn’t NLA sorted out the networks?  I don’t know yet, but I’ll try to dig into my suspicions and will post back if I ever get to the bottom of it.

Summary

One of the reasons for not being able to create a FIM MA (manually or via configuration import), or to update the schema on an existing FIM MA, is connectivity.  By default, the FIM Synchronization Service process needs to be able to reach the Resource Management Service, which listens on TCP 5725.  Because the firewall rules that open this port are scoped to the Domain profile, both the FIM Service node(s) and the FIM Synchronization Service node need to be connected to a domain network.  If authentication and name resolution are working (GPUPDATE is a quick way to validate this) but Windows isn’t detecting that either server is on a domain network, consider either disabling and re-enabling the NIC or restarting the Network Location Awareness (NLA) service.
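The checks in the summary above (and the Domain-profile scope of the two firewall rules) can be run as one script from either node.  This is an added example, not a script from the original post; it assumes Windows Server 2012 or later (for the NetConnection, NetSecurity and DnsClient cmdlets) and reuses the hostname idweb and port 5725 from the trace above as defaults.  The -RestartNla switch is the remediation the post describes and only runs if a non-domain profile is found.

```powershell
# Added diagnostic script (not from the original post).
# Assumes Windows Server 2012+ and the idweb:5725 endpoint seen in the trace.
param(
    [string]$FimServiceHost = 'idweb',   # virtual hostname of the FIM Service (from the post)
    [int]$FimServicePort    = 5725,      # Resource Management Service port (from the post)
    [switch]$RestartNla                  # bounce NLA if an adapter is not on a Domain network
)

$ok = $true

# 1. Network location: the FIM Service rules only apply in the Domain profile,
#    so the adapter used to reach the FIM Service must be DomainAuthenticated.
Write-Host "== Network profiles on $env:COMPUTERNAME =="
$badProfiles = @()
foreach ($p in Get-NetConnectionProfile) {
    "{0,-30} {1}" -f $p.InterfaceAlias, $p.NetworkCategory
    if ($p.NetworkCategory -ne 'DomainAuthenticated') {
        Write-Warning "Adapter '$($p.InterfaceAlias)' is on a $($p.NetworkCategory) network; Domain-profile rules do not apply."
        $badProfiles += $p
        $ok = $false
    }
}

# Optional remediation from the post: restart NLA so Windows re-evaluates the location.
# -Force is needed because the Network List Service depends on NlaSvc.
if ($RestartNla -and $badProfiles.Count -gt 0) {
    Write-Host "Restarting Network Location Awareness (NlaSvc)..."
    Restart-Service -Name NlaSvc -Force
    Start-Sleep -Seconds 5
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
}

# 2. Firewall rules created by FIM Service setup (present only on a FIM Service node).
Write-Host "== FIM Service inbound firewall rules =="
$rules = Get-NetFirewallRule -DisplayName 'Forefront Identity Manager Service*' -ErrorAction SilentlyContinue
if (-not $rules) {
    Write-Host "No FIM Service rules found (expected on a Synchronization-only node)."
} else {
    foreach ($r in $rules) {
        $ports = ($r | Get-NetFirewallPortFilter).LocalPort -join ','
        "{0,-55} Enabled={1,-5} Profile={2,-8} Ports={3}" -f $r.DisplayName, $r.Enabled, $r.Profile, $ports
        if ("$($r.Enabled)" -ne 'True') {
            Write-Warning "Rule '$($r.DisplayName)' is disabled."
            $ok = $false
        }
    }
}

# 3. Name resolution for the virtual hostname, then a TCP probe of port 5725.
Write-Host "== Name resolution and TCP $FimServicePort to $FimServiceHost =="
try {
    $addrs = (Resolve-DnsName -Name $FimServiceHost -Type A -ErrorAction Stop).IPAddress
    "$FimServiceHost resolves to $($addrs -join ', ')"
} catch {
    Write-Warning "Cannot resolve ${FimServiceHost}: $($_.Exception.Message)"
    $ok = $false
}
$tnc = Test-NetConnection -ComputerName $FimServiceHost -Port $FimServicePort -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) {
    "TCP $FimServicePort reachable from $($tnc.SourceAddress.IPAddress)"
} else {
    Write-Warning "TCP $FimServicePort to $FimServiceHost failed (the 10060 symptom in the trace)."
    $ok = $false
}

if ($ok) { "All checks passed." } else { "One or more checks failed; see warnings above." }
```

Run it on the FIM Synchronization Service node to confirm the profile and the outbound TCP test, and on the FIM Service node to confirm the profile and that both rules are enabled with Profile=Domain; a Public or Private category on either side reproduces the symptom even though the rules are enabled.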


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in FIM, FIM 2010, Troubleshooting.

8 Responses to Failed to connect to the specified database or Forefront Identity Management Service #1

  1. Ionut says:

    Hi,
    In my case I found this message on a second application server which runs on VMware ESX and which probably was moved to a different IP. Because the second APP (or the one with an IP from a different subnet) failed to connect to the APP1 server where User Profile synchronization service runs and also CA, the sync with Active Directory failed. This happens because SharePoint creates firewall rules in Windows firewall only for the local subnet, other IPs are not allowed to connect. I hope it helps other people as the error message is not related to the task performed and usually you don’t take it very seriously.
    Thanks!

  2. Dipan says:

    Hi Paul
    Thanks for the blog. A quick question. I previously created a FIMMA and that works fine. I can refresh and re-run this. But when I want to create a new FIMMA, it gives me the error. I am using exactly the same credentials and other input values. Any ideas as to why this is happening?
    Regards,

    • I assume this is from a different FIM SYNC server? Look at the local user rights. The FIMMA account needs logon locally rights. If that doesn’t help you’ll need to enable tracing and see exactly what error is thrown and where.

      Re. FIMMA tracing:
      https://blog.msresource.net/2011/10/24/fim-service-management-agent-tracing/

      • Dipan says:

        Hi Paul
        thanks for your response. It is on the same management server. The fim management agent account has got local admin rights on the Sync server. I am trying to create another FIM service MA. The error that I get on the Connect to database page when I enter the details and click next is “Failed to retrieve the schema. Failed to connect to the specified database of FIM Management Service. Please check the specified database location, service host address, and account information.” When I click on the properties of the MA that is working at present, I see the same details on the connect to DB page, but the password field is empty.
        Does this mean that I can’t create two MA of the same type?
        I am a complete newbie in this technology and would appreciate any help in this regard.

        Thanks again. Much appreciated.
        Regards,

      • Why are you trying to create a 2nd FIMMA? To my knowledge that is not a supported configuration and could be your problem…

  3. Dipan says:

    Hi Paul
    Thanks for your response. The reason I want to create two FIMMA is because, I want to use one for Synchronizing AD accounts with the web service and another because that is needed for SSPR. Is it not a correct option? Because I am completely new to this and I apologize if these questions are quite basic.
    Thanks again for your help.
    Regards,
    Dipan

  4. Dipan says:

    Hi Paul
    Thanks for your response. Yes that makes sense. So just to confirm, any server with FIM Synchronization installed can have only one FIM MA? So if multiple FIM components are involved, would one FIM MA cater for all of them?
    Thanks again for the clarification. You have been a massive help!!

    Regards,
    Dipan
