FIM 2010 Build Overview

The goal of this article is to provide an overview of the available builds for FIM as well as a short overview of the new features they introduce.

This article will not provide an overview of all solved issues.



Build 4.0.2592.0 (RTM)

  • RTM feature set

Build 4.0.3531.2 (Update 1): KB978864

  • Support for the Active Directory Recycle Bin. There is a known issue which is fixed in Build 4.0.3573.2
  • Resume Full Sync
  • Post-Installation step: Delete the old “Users can create registration objects for themselves” (Action Type: Create, Modify) MPR

Build 4.0.3547.2: KB2028634

  • A limited set of PowerShell cmdlets are added to allow you to perform some limited editing of the Sync Service configuration.
  • The hotfix improves the performance when an object is joined to several management agents.
  • ADMAUseACLSecurity as an alternative to the DirSync permission in Active Directory.
  • ECMAAlwaysExportUnconfirmed registry key for Extensible Connectivity Management Agent (ECMA).
  • eDIR MA change to allow connection to any 8.x version without the requirement for a registry key.

Build 4.0.3558.2: KB2272389

  • PrivacyLink: Password Reset registration wizard can provide a link to the company data policy.
  • MinimalObjectLogging: This lets less information be logged if an error has occurred during a run.
  • Enables an outgoing synchronization rule to use a flow scope that accommodates more than two resource types.
  • An error message is written to the event log when a management agent run encounters staging errors.
  • Behavior for MA's with multiple partitions when unselecting partitions.

Build 4.0.3561.2: KB2417774

  • Replaced by build 4.0.3573.2

Build 4.0.3573.2: KB2417774

  • FIM CM updated to support data encryption that uses key pairs that are stored by using a Key Storage Provider.
  • Support for running the FIM 2010 CM bulk client on Windows 7.
  • Password history policy from Active Directory Domain Services (AD DS) is applied for password reset operations in Forefront Identity Manager.
  • The eDirectory MA exposes a new check box which can be checked to unlock the account during password set.
  • Approval operations can now be processed by any instance of the FIM service.
  • The filter in a comment is included within the SQL statement that executes the query. This feature improves query troubleshooting.
  • Asynchronous export mode for FIM MA
Note: There is an issue with Build 3573.2: if you install it without first installing Update 1, it corrupts the FIMService database. This must be resolved either by restoring from a backup and then applying Update 1 followed by Build 3573.2, or by calling Microsoft Support.

Build 4.0.3576.2: KB2502631

  • Use key pairs for data encryption in FIM CM. The key pairs are stored by using a key storage provider.
  • Run the FIM 2010 CM Bulk Client in Windows 7.
  • Use FIM Sync service account in the AD MA configuration.
  • Export subattributes in Sun Directory Services LDAP.

Build 4.0.3576.2: KB2520954

  • Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate field during the password set operation. The FIM 2010 Active Directory Management Agent (AD MA) now honors the preferred domain controller list when passwords are exported.
  • This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.
  • Adds the ability to filter objects before they are imported into the AD MA connector space.
  • Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA.

Note: This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade. 

Build 4.0.3606.2 (Update Rollup 2): KB2635086

  • A new Connector (formerly Management Agent) development framework that is named Extensible Connectivity Management Agent 2.0 (ECMA2.0) is included. This is listed as a new entry in the Management Agent drop-down list.

  • The FIM Synchronization Service now supports running the Microsoft .NET Framework 4 extension code. This can be used both in rules extension and for Management Agents such as the ECMA 262 language specification version 2.0. The FIM Synchronization Service will auto detect the latest version of the .NET Framework on the server. If it is needed, you can disable the .NET Framework 4 by removing it from the Runtime section in the Miiserver.exe.config file.

  • Hotfix rollup 2520954 removed support for using the following characters as SQL wildcard characters in queries, in dynamic group filters, and in set filters. The functionality of some existing customer deployments may use these characters as wildcard characters. This update reverts the earlier change.

IMPORTANT: FIM 2010 Update Rollup 2 (build 4.0.3606.2) contains a feature that is intended to improve Query performance in the case of certain complex queries. This “tabular functions” feature is turned off by default. The product team has discovered an issue in this feature that could return incorrect query results when the query includes at least two statements and the same attribute is referenced in the statements. We strongly advise customers NOT to turn on the Set Partition feature.

Build 4.0.3617.2: KB2688078

  • Fixed issues in the Sync Engine (ECMA 2.0, ECMA 1.0 and organizational unit provisioning related)

  • Fixed issues in setup (database upgrade & change/remove installation related)

Build 4.0.3627.2: KB2737503

  • Fixed issues in the Sync Engine

  • Fixed issues in the FIM Service MA (.net 4.0 bug, additional logging for FIM MA exceptions)

  • Adds support to configure the Query and Sets feature to treat underscores as literals instead of as SQL wildcard characters

Build 4.0.3644.2: KB2750673

  • Fixed DB2 MA issue when connecting to a server that is running on an IBM iSeries V6 server or later.

  • When the FIM password reset activity does not connect to the Active Directory, the WMI components now return an error code.

  • Fixed .NET version numbers in Microsoft.MetadirectoryServicesEx.dll as changes occurred in build 4.0.3617.2, but the version number was not incremented.

Build 4.0.3684.2: KB2819338

  • Fixed Exchange configuration options on the Active Directory Management Agent

Build 4.1.2773.0: FIM 2010 R2

 

Build 4.1.2515.0: KB2734159 (for R2)

  •  (to be completed)

Build 4.1.2548.0: KB2750671 (for R2)

  •  (to be completed)

Build 4.1.3114.0: KB2772429 (Service Pack 1 for FIM 2010 R2)

  • An upgrade to FIM 2010 R2 from an earlier version may be unsuccessful in certain scenarios if the imported changes from a management agent are not synchronized before the upgrade.
  • A connection to Active Directory Lightweight Directory Services (AD LDS) when SSL is enabled is unsuccessful.
  • When a connector is synced to a metaverse object that already has an un-synced connector in the same connector space, the sync on the object fails with stopped-server. In this case, the synchronization engine incorrectly considers this as an invalid state.
  • Multiple issues with ECMA 2.0 are fixed.
  • A reinstallation of the reporting components does not update the System Center registry value in the FIMService registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMService).   

Build 4.1.3419.0: KB2814853

  •  (to be completed) 

Build 4.1.3441.0: KB2832389

FIM Sync

  • Issues Fixed
    • AD MA would stop if there was an issue during Exchange provisioning
    • PCNS, the setting for the password source
    • "stopped-ma" error on FIMMA on delta import
    • ECMA2 Connectors empty reference attribute data could crash the Synchronization Service
    • error returned on object during add in ECMA2
    • Schema Refresh on an ECMA2 Connector
    • export-only ECMA2 did not correctly handle errors "The image or delta doesn't have an anchor."
    • When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a "stopped-server" error.
    • Adding a value to a reference value by using scripted code throws an error "Object reference not set to an instance of an object" because of a regression in FIM 2010 R2 SP1
    • When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes
  • New features
    • The Synchronization Service's contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.
    • This release includes ECMA2.2 which has several new features added.

FIMCM

  • Fixed
    • Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
    • The ability to print photos is added by using ID Works.
    • Advanced search in Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.

SSPR

  • Fixed
    • If a new password has a string that might violate the ASP.NET request validator such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client"

BHOLD

  • Fixed
    • In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold.
Note: All hotfix rollups are cumulative. This means you can start from RTM and install the desired build level without having to install all previously released builds.

Best practices

  • Apply patches in a test or a lab environment before patching your production servers.
  • Keep all FIM solution components on the same patch level.

Note: To provide feedback about this article, create a post on the FIM TechNet Forum.
Comments
  • Ed Price - MSFT edited Revision 32. Comment: Tags

  • Thomas Vuylsteke edited Revision 31. Comment: fixed link to KB

  • Thomas Vuylsteke edited Revision 30. Comment: Added build 4.0.3684.2

  • Peter Geelen - MSFT edited Revision 29. Comment: fixed color issue

  • Peter Geelen - MSFT edited Revision 24. Comment: Added FIM2010 R2 build info

  • Richard Mueller edited Revision 20. Comment: Fix <a name> tags

  • Thomas Vuylsteke edited Revision 19. Comment: Added build 4.0.3617.2 and build 4.0.3627.2

  • Peter Geelen - MSFT edited Revision 14. Comment: fixed layout & TOC

  • Richard Mueller edited Revision 13. Comment: Fixed HTML <h> tags so TOC works

  • Frank van Rijt edited Revision 9. Comment: included Build 4.0.3594.2 update

Comments
  • Peter Geelen edited Revision 2. Comment: Added See also links

  • David Lundell -- ILM MVP edited Revision 5. Comment: documenting issue with build 3573

  • After installing 4.0.3576.2 you may find your FIM MA exports start failing with a "The request does not conform to the expected request message format of the protocol" exception ... and if you do, chances are you have been using a different service account identity for your FIM MA to that which you specified when you installed the FIM Service.  If you get to this point you will need to (a) find out the service account you should be using (HKLM->System->CurrentControlSet->services->FIMService->SynchronizationAccount) and (b) change the FIM MA identity back to this value.

    If you then find that you are getting a "Failed to connect to the specified database or Forefront Identity Manager Service. Please check the specified database location, service host address, and account information" error thrown, the problem is database connectivity.  Your case might be different, but mine is a lab environment where the FIM Sync Service is also a DC ... I followed the advice of this article - crosbysite.blogspot.com/.../fim-service-management-agent-creation.html - and added the service account to the domain builtin administrators group and I was good again (not that this is a sensible production configuration!).

  • Correction to my post a few minutes ago ... the problem is indirectly database access, but what I meant to say is that the error is because of missing local logon rights for the FIM MA account.

  • I would like to get info in the hotfix release notes for Windows 2008 R2 SP1 support, and regarding OS patch support after SP1

  • Build 4.0.3594.2 is out: support.microsoft.com/.../en-us

    -export the current time on the server to the HTTPPasswordChangeDate field during the password set operation.

    -Honor the Active Directory Management Agent (AD MA) the preferred domain controller list when passwords are exported.Feature 3

    -Adds the ability to filter objects before they are imported into the AD MA connector space.

    -Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA.

  • Update Rollup 2 (build 4.0.3606.2) (support.microsoft.com/.../2635086)  is out.

    RSS feed is not updated yet :(

    Please, be aware of the following issue: social.technet.microsoft.com/.../fc8c75bf-65af-453c-9dd7-4bd7557be968
