Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-10-24) A Hotfix Rollup Package (Build 4.0.3594.2) Is Available For Forefront Identity Manager 2010

Posted by Jorge on 2011-10-24


This hotfix rollup package both resolves issues and also introduces new features. I have not tried myself yet, but I’m particularly interested in “issue 2” mentioned in the “Fixed Issues In Sets And Query”

SOURCE: http://support.microsoft.com/kb/2520954

Fixed issues in Workflow Engine

* Issue 1

Assume that you perform an operation that accesses the SQL database when the Microsoft SQL Server connection pooling feature is enabled in the FIM server. For example, you run a query or a request. If the operation times out for any reason, a future operation on the same thread may fail until that thread is removed from the SQL connection pool. An error message that resembles the following is displayed in the FIM Service Application event log, in the RequestStatusDetails property for a request, or in the WorkflowStatusDetails property of a workflow instance:

Cannot enlist in the transaction because a local transaction is in progress on the connection.

Additionally, the time stamp is the same as the time when the operation fails.

Fixed issues in Sync Engine

* Issue 1

An ExpectedRulesEntry (ERE) object is associated to a child synchronization rule of a Metaverse object. If the ERE object has a Remove action, deprovisioning of the object is also being triggered. Then, the behavior causes the deletion of the Metaverse object.

* Issue 2

Fixes an access violation when a custom extension calls a COM+ object.

* Issue 3

An earlier hotfix introduced a special Extensible Connectivity Management Agent (ECMA) mode to keep unconfirmed exports in escrow instead of awaiting confirmation. An issue with that hotfix causes delta sync to add new items that are not merged with an escrowed export into a pending export. After you install the hotfix that is mentioned in this article, if the ECMAAlwaysExportUnconfirmed registry entry is set to 1, the escrowed and pending changes are merged.

* Issue 4

Fixes an SQL query construction issue that occurs during an import. This issue affects a DB2 database that uses a non-Unicode character set.

* Issue 5

Fixes many "Export not reimported" errors that might occur because of errors in SQL.

* Issue 6

Improves the performance of all Sync Engine operations.

Note This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.

* Issue 7

A password reset that uses the ADMAEnforcePasswordPolicy registry setting fails when the user is in the Administrator group but is not an administrator.

* Feature 1

Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate field during the password set operation. The time stamp is stored as a TimeDate data type.

To enable this behavior, set the following registry subkey to a nonzero DWORD Value: HKLM\

SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\NotesMAExportPwdTimestamp

* Feature 2

The FIM 2010 Active Directory Management Agent (AD MA) does not honor the preferred domain controller list when passwords are exported. This is an issue for customers who require password changes to flow to a specific set of domain controllers. This hotfix rollup package changes the AD MA to use the preferred domain controller list first. If the preferred domain controller list does not exist, the domain controller locator service will identify a domain controller for password export operations. Additionally, you can still force password operations to use the primary domain controller by setting the following registry subkey:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters\PerMAInstance\<MA_name>

Value: UsePDCForPasswordOperations (REG_DWORD, 1 = True, 0 = False)

This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.

* Feature 3

Adds the ability to filter objects before they are imported into the AD MA connector space.

* Feature 4

Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA. To do this, you can run the tool by using the following command-line options:

Storechk.exe -sync –repair

Fixed issues in Sets and Query

* Issue 1

Fixes an issue that would sometimes cause incorrect Set calculations. This resulted in lots of set corrections. Also revised the Sets Correction job so that it does not change special sets that are maintained by another system maintenance job.

* Issue 2

Revised the FIM "Query and Sets" features to treat underscores and percent signs as literals instead of as SQL wildcard characters.

Fixed issues in Certificate Management

* Issue 1

Enables the random number generator in the server key generation function.

* Issue 2

Improves the performance when enrolling a smartcard that has not previously been used with FIM Certificate Management (CM).

Fixed issues in FIM Management Agent (MA)

* Issue 1

Fixes an issue in which the FIM synchronization service configuration for synchronization rules and codeless provisioning was not correctly written to the FIM Service database.

Fixed issues in FIM Service

* Issue 1

Fixes an issue with SQL Server deadlocks that might occur during periods of high concurrency of requests or approvals.

* Issue 2

Fixes an issue in which unexpected data in the FIM Service database could result in the FIM MA causing the Synchronization service to fail during import, and a stopped-server error occurred.

* Issue 3

Fixes an issue when you add or remove a value for a multivalued string attribute. If the request was subject to authorization such as request reevaluation, the request would fail after approval.

* Issue 4

Some ExpectedRuleEntry objects and DetectedRuleEntry objects in FIM 2010 can become "orphaned" over time. When a DetectedRuleEntry object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.

These orphaned objects have no functional impact on FIM. However, over time, these orphaned objects can cause a decrease in performance for both FIM operations and Sync operations that are related to FIM, such as import or export by using the FIM MA.

A pruning stored procedure, [debug].[DeleteOrphanedRulesByType], was added to the [debug] namespace of the FimService database. This stored procedure must be run separately for the DetectedRuleEntry object and the ExpectedRuleEntry object. The stored procedure also has a "reportOnly" mode, and this mode can be used to determine the presence and number of orphaned DetectedRuleEntry and ExpectedRuleEntry objects in the system.

The @ruleType parameter expects one of the following well-known values:

  • N’Detected’ for DetectedRuleEntry objects
  • N’Expected’ for ExpectedRuleEntry objects
  • To determine the number of orphaned objects in the system, run the stored procedure in "reportOnly" mode as follows.

    DECLARE @deletedRulesFound BIT; EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @reportOnly=1, @deletedRulesFound=@deletedRulesFound OUTPUT;

    To loop through and actually delete orphaned objects in the system, run the stored procedure as follows. @deletionLimit=1000 instructs the procedure to stop when it has deleted 1,000 objects. If there are more than 1,000 orphaned objects in the system, either run the procedure multiple times (recommended) or increase the deletionLimit value.

    DECLARE @deletedRulesFound BIT, @startDateTime DATETIME, @endDateTime DATETIME; SELECT @deletedRulesFound = -1; WHILE @deletedRulesFound <> 0 BEGIN SELECT @startDateTime = CURRENT_TIMESTAMP; EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @deletionLimit=1000, @reportOnly=0, @deletedRulesFound=@deletedRulesFound OUTPUT; SELECT @endDateTime = CURRENT_TIMESTAMP; SELECT @startDateTime AS [StartTime], @endDateTime AS [EndTime], @deletedRulesFound AS [WereDeletedRulesFound]; END

    Cheers,

    Jorge

    ———————————————————————————————

    * This posting is provided "AS IS" with no warranties and confers no rights!

    * Always evaluate/test yourself before using/implementing this!

    * DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

    ———————————————————————————————

    ############### Jorge’s Quest For Knowledge #############

    ######### http://JorgeQuestForKnowledge.wordpress.com/ ########

    ———————————————————————————————

     

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s

     
    %d bloggers like this: