Applies ToForefront Identity Manager 2010

Introduction

Update Rollup 2 (build 4.0.3606.2) is available for Microsoft Forefront Identity Manager (FIM) 2010. This hotfix package resolves several issues and adds several features that are described in the "More Information" section. Additionally, this update contains all servicing fixes that were made since the release of FIM 2010.

Update information

A supported update is available from Microsoft. We recommend that all customers apply this update to their production systems.This update is available from the following Microsoft websites.

Microsoft Update

http://update.microsoft.com

Microsoft Update Catalog

http://catalog.update.microsoft.com/v7/site/Home.aspx

Microsoft Support

If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Additionally, you can obtain the update from Microsoft Update or from Microsoft Update Catalog. Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Component update packages

The following table contains the component update packages that are available for download from Microsoft Support.

Component

File name

FIM 2010 Add-ins and Extensions

FIMAddinsExtensions_xnn_KB2635086.mspNote Versions are available for x86 and for x64.

FIM 2010 Add-ins and Extensions Language Pack

FIMAddinsExtensionsLP_xnn_KB2635086.mspNote Versions are available for x86 and for x64.

FIM 2010 Certificate Management

FIMCM_xnn_KB2635086.mspNote Versions are available for x86 and for x64.

FIM 2010 Certificate Management Client

FIMCMClient_xnn_KB2635086.mspNote Versions are available for x86 and for x64.

FIM 2010 Service and Portal

FIMService_x64_KB2635086.msp

FIM 2010 Service Portal Language Pack

FIMServiceLP_x64_KB2635086.msp

FIM 2010 Synchronization Service

FIMSyncService_x64_KB2635086.msp

Prerequisites

To apply this update, you must have Forefront Identity Manager 2010 (build 4.0.2592.0 or a later build) installed.

Restart requirement

You must restart the computer after you apply the FIM 2010 Add-ins and Extensions component. Additionally, you may have to restart the server components.

Registry information

To use one or more of the hotfixes in this update, you may have to change the registry. The following issues and features may require a registry change.

Replacement information

This update replaces the following updates:

2520954 A hotfix rollup package (build 4.0.3594.2) is available for Forefront Identity Manager 20102502631 A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 20102417774 A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 20102272389 A hotfix rollup package (build 4.0.3558.2) is available for Microsoft Forefront Identity Manager (FIM) 20102028634 A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010978864 Update Package 1 for Microsoft Forefront Identity Manager (FIM) 2010

File information

The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name

File version

File size

Date

Time

FIMAddinsExtensionsLP_x64_KB2635086.msp

4.0.3606.2

4,620,800

30-Jan-2012

01:13

FIMAddinsExtensionsLP_x86_KB2635086.msp

4.0.3606.2

3,710,464

30-Jan-2012

01:00

FIMAddinsExtensions_x64_KB2635086.msp

4.0.3606.2

3,261,952

30-Jan-2012

01:13

FIMAddinsExtensions_x86_KB2635086.msp

4.0.3606.2

2,759,168

30-Jan-2012

01:00

FIMCMClient_x64_KB2635086.msp

4.0.3606.2

5,805,568

30-Jan-2012

01:13

FIMCMClient_x86_KB2635086.msp

4.0.3606.2

5,143,040

30-Jan-2012

01:00

FIMCM_x64_KB2635086.msp

4.0.3606.2

13,950,976

30-Jan-2012

01:13

FIMCM_x86_KB2635086.msp

4.0.3606.2

13,545,984

30-Jan-2012

01:00

FIMServiceLP_x64_KB2635086.msp

4.0.3606.2

4,685,312

30-Jan-2012

01:13

FIMService_x64_KB2635086.msp

4.0.3606.2

17,946,624

30-Jan-2012

01:13

FIMSyncService_x64_KB2635086.msp

4.0.3606.2

121,602,048

30-Jan-2012

01:13

More Information

Known issues in this update

Issue 1

After you install Update Rollup 2, rules extensions and custom management agents that are based on the Extensible MA (ECMA) may not run, with a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs and you had previously changed the configuration file for MIISServer.exe. For example, you might have edited the file to change the default batch size for processing sync entries for the FIM Service MA.In this case, the Synchronization Engine installer for this update intentionally does not replace the configuration file in order to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by Update Rollup 2 will not be present in the file, and the Sync Engine will not load any rules extension .dlls when it runs a Full Import or Delta Sync run profile.To correct this issue, follow these steps:

  1. Make a backup copy of the MIIServer.exe.config file.

  2. Open the MIIServer.exe.config file in a text editor or in Visual Studio.

    • Make sure that you open the text editor by using the Run as Administrator option so Windows will let you save the changes.

    • If you do not open the text editor by using the Run as Administrator option and the UserAccountControl option is enabled, Windows will not let the file be saved to the \bin folder.

  3. Make the following change in the file.Current text:

    <bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.0.0" />

    Updated text:

    <bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.1.0" />
  4. Insert the following line directly under the line that you changed in step 3:

    <bindingRedirect oldVersion="4.0.0.0" newVersion="4.0.1.0" />
  5. Locate the following line:

    <startup useLegacyV2RuntimeActivationPolicy="true">
  6. Insert the following line directly under the line that you located in step 5:

    <supportedRuntime version="v4.0.30319"></supportedRuntime>
  7. Make sure that the startup section resembles the following (ordering is important):

    <startup useLegacyV2RuntimeActivationPolicy="true">  <supportedRuntime version="v4.0.30319"></supportedRuntime>  <supportedRuntime version="v2.0.50727"></supportedRuntime></startup>
  8. Save the changes to the file.

  9. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).

  10. Verify that the rules extensions and custom management agents now work as expected.

More information

Together with Update Rollup 2, we included a new version of Microsoft.MetadirectoryServicesEx.dll (a.k.a. interface DLL). This is version 4.0.1.0. If you have MA extensions for ECMA1/XMA or rules extensions, you might have to take additional actions for these extensions to continue working. This is because your DLL will have references to version 4.0.0.0 (the older version). If your Management Agent is 64-bit and is running in-proc, the binding redirects in Miiserver.exe.config will be sufficient, and you do not have to take any further action. If your Management Agent is running out-of-proc, either as 32-bit or as 64-bit, you have to take one of the following actions:

  • Recompile your Management Agent Extension, and reference the new 4.0.1.0 version of the interface DLL.

  • Copy Miiserver.exe.config to the folder %Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service, and then rename it as "Dllhost.exe.configwo."

The important section in this config file is the binding redirect. This allows processes that are running out-of-proc to find the new version of the interface DLL. If rules extensions are not working together with Update Rollup 2, verify that the Mmsscrpt.exe.config file in the bin folder has the same binding redirect statements that are described for Miiserver.exe.config in this Microsoft Knowledge Base article. These statements would be missing only if the config file was changed outside the setup process.

Issues that are fixed or features that are added in this update

This update includes the previously released hotfixes that are described in the following Microsoft Knowledge Base articles:

2520954 A hotfix rollup package (build 4.0.3594.2) is available for Forefront Identity Manager 20102502631 A hotfix rollup package (build 4.0.3576.2) is available for Forefront Identity Manager 20102417774 A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 20102272389 A hotfix rollup package (build 4.0.3558.2) is available for Microsoft Forefront Identity Manager (FIM) 20102028634 A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010978864 Update Package 1 for Microsoft Forefront Identity Manager (FIM) 2010This update also fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Schema

Issue 1

You cannot delete objects and object classes that contain bindings. For example, you may have assigned a custom attribute to an object class. This creates a binding. With this update, if you try to delete an object or object class before you delete all bindings to that object or class, you receive the following generic error message:

Unable to process your request.

In earlier updates, this error message gave more specific instructions for resolving this issue. You must delete all bindings to the object or class and then delete the object or class.

FIM Synchronization Service

Issue 1

Build 4.0.3587.2 introduced a special ECMA mode to keep unconfirmed exports in escrow instead of awaiting confirmation. An issue with that hotfix caused delta sync to add new items into pending export that are not merged with escrowed exports. With this update, if the ECMAAlwaysExportUnconfirmed registry key is set to 1, the escrowed and pending changes are merged.

Issue 2

Fixes a rare case in which the sync engine may crash during full imports.

Issue 3

The Sync engine now honors the UserCannotChangePassword flag in the Active Directory Users and Computers (ADUC) snap-in.

Issue 4

Fixes an issue in which the Sync Engine may crash on FIM MA delta sync of a multivalue, equal-precedence, non-reference attribute whose last value was deleted.

Issue 5

Fixes an issue in FIM MA in which objects were not deprovisioned on delta import after they were deleted in FIM.

Issue 6

Fixes an issue in which objects may continue to be displayed as connectors even when they were deleted. This issue occurs when the recycle bin is enabled.

Feature 1

A new Connector (formerly Management Agent) development framework that is named Extensible Connectivity Management Agent 2.0 (ECMA2.0) is included. This is listed as a new entry in the Management Agent drop-down list. For more information, visit the following Microsoft TechNet website:

Forefront Identity Manager ECMA 2.0 Documentation

Feature 2

The FIM Synchronization Service now supports running the Microsoft .NET Framework 4 extension code. This can be used both in rules extension and for Management Agents such as the ECMA 262 language specification version 2.0. The FIM Synchronization Service will auto detect the latest version of the .NET Framework on the server. If it is needed, you can disable the .NET Framework 4 by removing it from the Runtime section in the Miiserver.exe.config file.

Sets and query

Issue 1

Hotfix rollup 2520954 removed support for using the following characters as SQL wildcard characters in queries, in dynamic group filters, and in set filters:

  • Underscore (_)

  • Percent (%)

  • Opening bracket ([)

The functionality of some existing customer deployments may use these characters as wildcard characters. This hotfix reverts the earlier change.

FIM Service MA

Issue 1

When the FIM Service request log contains consecutive deletions whose count exceeds the out-of-box setting of the DeltaImportPageSize registry key, the FIM MA delta import may stop processing deletions after it reaches the DeltaImportPageSize value.

FIM Service

Issue 1

Fixes an issue that could prevent upgrading FIM 2010 builds 4.0.3594.2 and earlier to FIM 2010 R2.Assume that you have a FIM 2010 build earlier than 4.0.3594.2 installed with SharePoint 2007. If you upgraded to SharePoint 2010 before you upgraded FIM 2010 to R2, the FIM installer would fail, and you would receive the following error message:

The SharePoint Timer Service is not running.

This update lets you perform the FIM 2010 R2 and the SharePoint upgrades in any order.

Outlook add-in

Issue 1

Fixes an issue with the Outlook add-in that prevents Outlook from closing. This issue occurs when an email message is created by using the Windows Explorer shortcut command (right-click any file, click Send To, and then click Mail recipient).

Declarative provisioning

Issue 1

Fixes an issue in which the MVObjectDeletetionRule sync rule is triggered incorrectly even if the sync rule is configured to trigger deprovisioning of an object when the rule is removed.

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.