Introduction
A hotfix rollup package (build 4.0.3573.2) is available for Microsoft Forefront Identity Manager (FIM) 2010.
This hotfix rollup package includes all the previous hotfixes that are described in the following Microsoft Knowledge Base (KB) articles:
978864 Update package 1 for Microsoft Forefront Identity Manager (FIM) 2010
Hotfix rollup information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Important You must install FIM 2010 Update 1 (build 4.0.3531.2) before you apply this hotfix (build 4.0.3573.2). Failure to do so will cause FIM MA export operations to fail.
If you are running FIM 2010 RTM (build 4.0.2592.0), first install Update 1, and then install this hotfix.
If you have previously installed this hotfix on FIM 2010 RTM (that is, you have not installed Update 1), follow these steps:
- Contact CSS for a SQL script you’ll need to work around this issue.
- Install this hotfix.
- Run the SQL script you got from CSS.
Prerequisites
To apply this hotfix rollup package, you must have Forefront Identity Manager (FIM) 2010 installed.
Restart requirement
You must restart the computer after you apply the Add-ins and Extensions hotfix rollup package. You may have to restart the server components.
Hotfix replacement information
This hotfix rollup package replaces the following hotfix rollup packages:
978864 Update package 1 for Microsoft Forefront Identity Manager (FIM) 2010
File information
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
For all supported versions of FIM 2010
| File name | File version | File size | Date | Time |
Consider the following scenario:
- You install a European localized version of FIM on a computer that is running Windows XP Service Pack 3 (SP3).
- You try to use the Self-Service Password Reset Client feature in Forefront Identity Manager.
Resolved issues and features that are related to FIM Synchronization Service
When you export a group that has more than one member to a SQL server, a DN-attribute error occurs.
You receive staging errors during a delta import from an Active Directory domain that has the Recycle Bin enabled on a computer that is running Windows Server 2008 R2.
Assume that the Recycle Bin is enabled in AD and that FIM is authoritative for groups and users. In this situation, deleting a user results in an “exported-change-not-reimported” error for every group of which the user is a member.
A change to an incoming Synchronization Rule that includes a constant flow or an expression is not recalculated correctly during a full synchronization.
Assume that you are performing a delta import from the AD MA. Two objects that have the same distinguished name (DN) but different GUIDs are deleted. In this situation, you may infrequently receive the following error message:
The dimage has an anchor that differs from the image.
A delta import on the Sun One Management Agent (MA) causes the following error message if the same object is changed two times during the same delta import:
changelog out of order
If an invalid synchronization rule is present in the Sync Engine, a warning message appears in the event log and the processing continues.
An extension DLL does not load additional assemblies from the extensions folder, but does load additional assemblies from the bin folder.
There is a memory leak in the Sync Engine when you use classic scripted flow rules. The leak slows the service over time, and you have to restart the server to recover.
If you develop a custom MA by using XMA, members may be represented as GUIDs rather than DNs during export. When you confirm the import, you may receive one of the following error messages:
The Password Change Notification Service (PCNS) does not synchronize passwords to AD when the target AD forest is not trusted by the forest in which FIM is located.
This issue occurs because of a regression introduced in build 4.0.3561.2.
This hotfix rollup package applies the password history policy from Active Directory Domain Services (AD DS) for password reset operations in Forefront Identity Manager.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
The eDirectory MA exposes a new check box that, when selected, unlocks the account during a password set operation.
When the account is unlocked, the lockedByIntruder attribute is set to FALSE, the loginIntruderAttempts attribute is set to 0, and the loginIntruderResetTime attribute is set to the current time.
Resolved issues that are related to the FIM Portal
The functionality of browser language detection is not always correct in the FIM portal.
Case-only changes that are made to existing attributes are not applied to the FIM service database even though the Requests are marked as Completed.
The About box is not displayed in the FIM 2010 portal if the currently installed build version is 4.0.3558.2.
Resolved issue that is related to Setup
You cannot apply Synchronization Engine hotfixes if the currently installed build version is 4.0.3547.2.
Note This hotfix includes a change to the Synchronization Engine setup to resolve this issue. After you apply Synchronization Engine hotfix build 4.0.3561.2 or a later build, you will be able to install any newer hotfixes.
Resolved issues and features that are related to FIM Service
The FIM service ignores requests that only contain changes in the values of attributes.
A performance bottleneck exists in request evaluation.
Object types other than User and Group cannot be added to cross-forest domain-local groups.
To address the issue, the DomainConfiguration attribute is now added and updated automatically when a Domain attribute is created or updated on any object that binds it. This functionality was previously limited to User and Group object types only.
For cyclical groups that reference themselves, the GroupValidation workflow activity may cause the FIM service to crash.
Some set memberships do not match their intended filter and must be corrected by the Maintain Sets SQL job.
This hotfix rollup package enables approval operations to be processed by any instance of the FIM service. This hotfix improves the installation process in an environment that has multiple instances of the FIM Service deployed.
This hotfix includes the filter in a comment within the SQL statement that executes the query. This feature improves query troubleshooting.
Resolved issues that are related to FIM MA
A “login denied” error occurs during the final stages of export in FIM MA.
This issue occurs because FIM MA connects to the FIMService database by using the FIM Synchronization Service logon account instead of the FIM MA account.
Throughput of FIM MA is slow when the FIM database is first loaded.
To resolve the issue, the hotfix provides a new asynchronous export mode for FIM MA that exports objects in parallel. This parallel execution increases the export rate at the cost of increased load on the FIM Service SQL database. The mode is designed primarily for the initial data load, when trading portal usability for throughput is acceptable.
Configuration settings are provided for this new export mode. The configuration settings enable performance and FIM portal usability to be balanced during FIM MA export in your environment. We recommend that you experiment with these settings in a test and staging environment before you consider making any modifications to a production server.
The hotfix adds support for an asynchronous request evaluation mode for requests that are created by the synchronization engine account. When the new mode is enabled, the FIM MA provides a preliminary response to the synchronization engine for the export operation. This happens as soon as the request is created but before it is evaluated by the FIM Service. The request is queued in the FIM service for full evaluation through a set of worker threads in an asynchronous manner. At the same time, the synchronization engine feeds additional requests for export into the FIM MA. When the requests are being processed by the FIM Service, they are left in Escrow state until the FIM service can confirm their processing status. Asynchronous request processing is available only for requests that are generated by the FIM MA. All other requests continue to be executed through the regular process.
Errors that are related to synchronization request processing in the FIM Service are now available in the request interface of the FIM portal. They can be accessed from the Search Requests navigation item. A search for requests that are created by the synchronization service returns the status of these requests. Error information for failed requests is now available in the Request Status Details attribute of each request.
Note We always recommend that you verify hotfixes in a nonproduction environment before you deploy to production. Because of the level of functional change that is contained in this fix, we strongly repeat this recommendation. We also recommend that customers only install this hotfix if they are experiencing an issue that the hotfix addresses.
We recommend that you continue to use the synchronous mode during the usual operation of FIM MA. You should use the asynchronous mode of operation when a higher FIM export processing rate is necessary. Increasing the export rate for the FIM MA can affect the processing rate and latency of requests that are submitted by users. Configuration settings are provided to enable you to tune the load that the FIM MA will put on the FIM service. We recommend that you configure these settings to suit the individual needs of your deployment and the available system resources.
Configuration settings: FIM service configuration file
The new asynchronous mode of operation for the FIM MA export is controlled by the synchronizationExportThrottle switch in the FIM service configuration file. This switch has three modes of operation:

Default mode (switch not specified)
This is the default mode when the new switch is not specified. It is identical to the mode that is included in FIM 2010.

Single mode
<resourceManagementService synchronizationExportThrottle="Single" />
In this mode, request evaluation happens immediately on the worker thread, and the FIM service uses the maximum throughput of the system. This setting is recommended only when you perform the initial load of data into the system and no other load on the system is expected.

Limited mode
<resourceManagementService synchronizationExportThrottle="Limited" requestRecoveryMaxPerMinute="60" />
In this mode, requests are put in a SQL queue, re-dispatched back into the FIM service, and controlled by the requestRecoveryMaxPerMinute throttle setting. Use this setting to increase performance when other load on the system is expected (for example, portal operations). We expect that customers will have to optimize this setting for their environment, their hardware capabilities, and their portal load. To tune the setting, monitor SQL CPU usage on the FIM database and the Windows Workflow Foundation "Workflows In Memory" performance counter, and adjust the throttle up or down until you reach maximum throughput. Example target metrics are SQL CPU usage of about 70 percent and no large backlog building up in the Workflows In Memory counter.

This setting can be changed dynamically. You do not have to restart the FIM service.
Configuration settings: synchronization engine configuration file
Additional configuration settings for FIM MA are controlled from the synchronization engine configuration file (Miiserver.exe.config). You can configure the new settings by adding a new “resourceSynchronizationClient” section that specifies a property and a value to be configured. The following example demonstrates the general format of the “resourceSynchronizationClient” section:
<resourceSynchronizationClient propertyName="value" />
The following specific example configures the exportFetchResultsPollingTimerInSeconds property:
<resourceSynchronizationClient exportFetchResultsPollingTimerInSeconds ="5" />
The following example shows the new section in the context of the synchronization engine configuration file. The two section declarations belong inside the configSections element (alongside the existing resourceManagementClient declaration), and the resourceSynchronizationClient element itself is a direct child of the configuration root:
<section name="resourceManagementClient" type="Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClientSection, Microsoft.ResourceManagement"/>
<section name="resourceSynchronizationClient" type="MIIS.ManagementAgent.ResourceSynchronizationClientSection, mmsmafim"/>
<resourceSynchronizationClient propertyName="value" />
The new configuration properties are described in the following table:
| Property name | Default value | Description |
|---|---|---|
| exportFetchResultsPollingTimerInSeconds | 5 | When the Synchronization service is exporting objects in asynchronous mode, this property controls how often FIM MA polls the FIM service for results. Changing this value may give a higher processing rate, depending on your system configuration. |
| exportRequestsInProcessMaximum | 50 | When the Synchronization service is exporting objects in asynchronous mode, this property controls how many requests can be queued in the FIM service for processing. When this limit is reached, FIM MA waits until asynchronous results are returned before it resumes additional exports. Setting this value higher may provide additional export throughput. However, after a system failure, these objects may have to be re-exported from the synchronization engine when the FIM MA export restarts. |
| exportWaitingForRequestsToProcessTimeoutInSeconds | 600 | The time-out that FIM MA uses when it waits for the FIM service to process a request. If no response is received from the FIM service within this time, FIM MA ends the export with a “cd-error” error. |
- When operating in the asynchronous mode, a few operations may fail with an “Access Denied” error. This issue is most common on small data sets that have interdependent references. In these cases, the next FIM MA export resolves the problem.
- During FIM MA export in the asynchronous mode, the FIM service may need lots of time to process all the requests that are submitted by the synchronization engine. During this time, any additional operations for new exports or imports (delta or full) will be ended with a “Stopped-server” error. Under ordinary conditions, the synchronization engine will wait for all requests to be fully processed by the FIM service and not allow the operator to perform additional operations.
- The synchronization engine service may take 10 minutes to shut down. This is the default length of time that the synchronization engine waits for FIM MA to return status results for a FIM export operation. If the synchronization engine is shut down during this time, you may have to wait for the time-out to expire.
- The synchronization engine may not receive a response for an object that is processed by the FIM service under some error conditions. In this case, the synchronization engine will re-send the object for export. The FIM service will detect this replay and signal it with a “Resource Identifier Already Exists” error. To clear objects that are reported with this error, you must perform a Delta Import and Delta Sync, followed by a FIM MA export sequence.
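The following PowerShell script is an added example; it is not part of this KB article and is not code shipped by Microsoft. It applies both sets of settings described above in one pass: the synchronizationExportThrottle switch in the FIM Service configuration file, and the resourceSynchronizationClient section in Miiserver.exe.config (creating the configSections declaration with the type string shown in the article when it is missing). It backs up each file first, validates the values against the ranges an operator would reasonably accept, and refuses to guess where resourceManagementService belongs if that element is absent. The default install paths, the assumption that a resourceManagementService element already exists in the FIM Service config, the service name FIMSynchronizationService, and the assumption that the synchronization engine reads its configuration only at service start are not stated by the article and may need adjusting for your deployment.

```powershell
# Added example, not part of the KB article. Applies the FIM MA asynchronous export
# settings to both configuration files described above.
# ASSUMPTIONS (not stated by the KB): the default install paths below; that the FIM
# Service config already contains <resourceManagementService> under <configuration>;
# the Windows service name FIMSynchronizationService; and that Miiserver.exe.config is
# read only when the synchronization service starts.
param(
    [string]$FimServiceConfig = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config',
    [string]$SyncConfig       = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.config',
    [ValidateSet('Single', 'Limited')]
    [string]$Throttle = 'Limited',              # "Single" only for an initial load with no portal users
    [ValidateRange(1, 100000)]
    [int]$RecoveryMaxPerMinute = 60,            # requestRecoveryMaxPerMinute; only meaningful in Limited mode
    [ValidateRange(1, 3600)]
    [int]$PollingSeconds = 5,                   # exportFetchResultsPollingTimerInSeconds
    [ValidateRange(1, 10000)]
    [int]$InProcessMax = 50,                    # exportRequestsInProcessMaximum
    [ValidateRange(1, 86400)]
    [int]$WaitTimeoutSeconds = 600,             # exportWaitingForRequestsToProcessTimeoutInSeconds
    [switch]$RestartSyncService                 # restart FIMSynchronizationService when done
)

function Backup-ConfigFile {
    param([string]$Path)
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup -ErrorAction Stop
    return $backup
}

function Set-FimServiceExportThrottle {
    param([string]$Path, [string]$Mode, [int]$MaxPerMinute)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true             # keep the saved file diff-friendly for change review
    $xml.Load($Path)
    $node = $xml.SelectSingleNode('/configuration/resourceManagementService')
    if ($null -eq $node) {
        throw "No <resourceManagementService> element in $Path; refusing to guess where it belongs."
    }
    $node.SetAttribute('synchronizationExportThrottle', $Mode)
    if ($Mode -eq 'Limited') {
        $node.SetAttribute('requestRecoveryMaxPerMinute', [string]$MaxPerMinute)
    } else {
        # The recovery rate has no meaning outside Limited mode; drop it so the file matches the KB snippets.
        $node.RemoveAttribute('requestRecoveryMaxPerMinute')
    }
    $xml.Save($Path)
}

function Set-FimMaAsyncExportSettings {
    param([string]$Path, [hashtable]$Settings)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)
    $root = $xml.DocumentElement
    if ($root.Name -ne 'configuration') { throw "$Path does not look like a .NET application config file." }

    # The custom section must be declared under <configSections> (which .NET requires to be the
    # first child of <configuration>) with the exact type string the KB shows; otherwise the
    # synchronization engine fails to parse its own configuration at start-up.
    $sections = $root.SelectSingleNode('configSections')
    if ($null -eq $sections) { $sections = $root.PrependChild($xml.CreateElement('configSections')) }
    $decl = $sections.SelectSingleNode("section[@name='resourceSynchronizationClient']")
    if ($null -eq $decl) {
        $decl = $xml.CreateElement('section')
        $decl.SetAttribute('name', 'resourceSynchronizationClient')
        $decl.SetAttribute('type', 'MIIS.ManagementAgent.ResourceSynchronizationClientSection, mmsmafim')
        [void]$sections.AppendChild($decl)
    }

    # The settings element is a direct child of <configuration>; reuse it if an operator already added one.
    $node = $root.SelectSingleNode('resourceSynchronizationClient')
    if ($null -eq $node) { $node = $root.AppendChild($xml.CreateElement('resourceSynchronizationClient')) }
    foreach ($name in $Settings.Keys) { $node.SetAttribute($name, [string]$Settings[$name]) }
    $xml.Save($Path)
}

# Sanity checks before touching anything.
if ($WaitTimeoutSeconds -le $PollingSeconds) {
    throw 'The export time-out must exceed the polling interval so that at least one result poll can happen before FIM MA gives up with cd-error.'
}
if ($Throttle -eq 'Single') {
    Write-Warning 'Single mode lets the FIM MA drive the FIM Service at full speed; portal requests will suffer. Use it only for an initial load.'
}
foreach ($file in @($FimServiceConfig, $SyncConfig)) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { throw "Configuration file not found: $file" }
    Write-Host ('Backup written: {0}' -f (Backup-ConfigFile -Path $file))
}

Set-FimServiceExportThrottle -Path $FimServiceConfig -Mode $Throttle -MaxPerMinute $RecoveryMaxPerMinute
Set-FimMaAsyncExportSettings -Path $SyncConfig -Settings @{
    exportFetchResultsPollingTimerInSeconds           = $PollingSeconds
    exportRequestsInProcessMaximum                    = $InProcessMax
    exportWaitingForRequestsToProcessTimeoutInSeconds = $WaitTimeoutSeconds
}

# Per the KB, the FIM Service picks up the throttle change without a restart. The sync engine is
# assumed to read Miiserver.exe.config only at start, so restart it, but only when no run profile
# is executing: per the KB, shutdown can block for up to 10 minutes while it waits for FIM MA export results.
if ($RestartSyncService) {
    Restart-Service -Name FIMSynchronizationService
} else {
    Write-Host 'Restart the FIMSynchronizationService service (when no run profile is executing) to load the Miiserver.exe.config change.'
}
```

Run it from an elevated prompt on the server that hosts both roles (or split the two function calls across servers in a multi-box deployment). Defaults reproduce the values in the KB table and the "Limited" snippet; passing -Throttle Single or a higher -InProcessMax is the knob the article tells you to tune against SQL CPU and the Workflows In Memory counter, and the backup files make it straightforward to revert when the portal latency becomes unacceptable.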