Rollup fix for ILM 2007 available - Win2008 support for CLM and more...
Rollup Fix for Identity Lifecycle Manager 2007 FP1 released
With the release of Identity Lifecycle Manager 2007 FP1 version 3.3.1087 we now support all components running on Windows Server 2008 32 bit as well as using Windows Server 2008 32 bit certificate authorities including clustered CA support. You can also set up multiple CLM servers using Network Load Balancing for redundancy on this layer as well. Running the ILM 2007 metadirectory services features on Windows Server 2008 has been supported for some time but we wanted to wait for CLM to support this as well before updating the system requirements pages on our ILM 2007 product pages. If you want all updates below you should download and apply the updates in KB946797.
We have just released two rollup packages.
· KB957181 - ILM 2007 FP1 version 3.3.1080.2
Examples of updates in this version: Updates to how Lotus Notes Management agent as well as password synchronization honors the use of "Run this management agent in separate process".
· KB946797 - ILM 2007 FP1 version 3.3.1087.2
Examples of updates in this version: fix for issue with export only MA's and deprovisioning, fix for issue with creating strong-named extensible MA's and rules extensions, fixes to four issues with CLM including support for Windows Server 2008 32 Bit
Since the release of Featurepack 1 for Identity Lifecycle Manager 2007 there have been a few updates.
· KB952308 - ILM 2007 FP1 version 3.3.1051.2
Examples of updates in this version: Updates with attribute flows as well as some specific issues around connecting to SunOne Directory
· KB952327 - ILM 2007 FP1 version 3.3.1067.2
Examples of updates in this version: Update for how access checks in AD are performed by Certificate Lifecycle Manager
- Changed Type: Markus Vilcinskas MSFT, Moderator, Tuesday, April 14, 2009 12:43 AM
All Replies
- I am attempting to apply the patch from KB article KB946797 to a fresh install of ILM 2007 (v3.3.118.0); however, I am getting the following error message:
"The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch."
Any idea what version this patch is for?
Erich Karch - Senior Solution Architect, EMC Microsoft Practice (Federal)
- Eric,
I just attempted this myself on the retail version of 3.3.118 (ILM FP1). Can you go to Help->About and verify version and let me know what your product ID is? From product ID, I should be able to determine if the fix is meant to patch the version that you have. Thx.
- I am running version 3.3.118.0. My product ID is: 91375-640-0000007-60095
Thanks!
Erich Karch - Senior Solution Architect, EMC Microsoft Practice (Federal)
- Eric
You have the MSDN version, I will verify if that patch is supposed to work with this or not.
Glenn Zuckerman
Microsoft Developer Support
- We are building out a proof-of-concept using the MSDN license. The reason for my desire to apply this patch is that I am hoping it will resolve the issue I described here: http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/44e556ad-f850-4aea-805f-2dcbd56b0b6e
Erich Karch - Senior Solution Architect, EMC Microsoft Practice (Federal)
- Glenn Zuckerman [MSFT] said:
Eric
You have the MSDN version, I will verify if that patch is supposed to work with this or not.
Glenn Zuckerman
Microsoft Developer Support
Any news about this?
- I am running into the same problem?
Any solution?
Regards
JP
Alphamosaik
- Hello Glenn,
Any news on this?
Is the 3.3.1087.2 rollup hotfix supported on an MSDN version?
Kind regards,
Peter
Peter Geelen - Sr. Consultant IDA (http://www.traxion.com)
- I am having a different issue trying to install the 1087 update to a base install (3.3.118.0) and I'm using the VL edition (not MSDN). I'm using an install account that has the following permissions:
- Domain account with local Administrator privileges (through nested domain based ILM Admins group)
- Privileges in SQL (Roles):
  - dbcreator
  - public
  - securityadmin
  - sysadmin
- SQL User Mapping (install account) for MIIS DB:
  - db_owner
  - public
The error is:
Error 25009. The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.
I've completely reinstalled the product and I'm using the same account to install the patch as I used to install the product. A select from the MA table works (it's empty, but no errors). The only deviation we have from a "Typical" installation is that we're using domain based security groups instead of local. I don't see anything telling in the install log...
This is Server 2008 Enterprise x86 w/SP1, and SQL Server 2008 Enterprise w/CU3.
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
- After running SQL Profiler I still can't find any smoking guns - these are the last statements I see just before the install fails:
EXEC sp_grantlogin N'DEV\svc.ilmsync'
select name from dbo.sysusers where sid =0x0105000000000005150000001E5D2CE933BA7F72A48386A845060000
EXEC sp_addrolemember N'db_owner',N'DEV\svc.ilmsync'
update [mms_server_configuration] set [administrators_sid] = 0x0105000000000005150000001E5D2CE933BA7F72A48386A846060000,[operators_sid] = 0x0105000000000005150000001E5D2CE933BA7F72A48386A847060000,[account_joiners_sid] = 0x0105000000000005150000001E5D2CE933BA7F72A48386A848060000,[browse_sid] = 0x0105000000000005150000001E5D2CE933BA7F72A48386A849060000,[passwordset_sid] = 0x0105000000000005150000001E5D2CE933BA7F72A48386A84A060000
update [mms_server_configuration] set [computer_id] = N'ILMDEV6'
update [mms_server_configuration] set [operation_bitmask] = 9223372036854743037
I see the SQL:BatchStarting and BatchCompleted entries for all of the above, but then I get the Error 25009 right after the last statement. No errors are logged in the Profiler trace.
FYI - svc.ilmsync is the ILM Service account, the account I'm logged in with is a different account - the one that I installed ILM with originally. The GPO "deny" policies have been set per best practices to prevent the service account from logging on locally, batch, terminal services, etc.
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
- Hello Erich,
we had the same problem a few months ago, when the hotfix was not yet officially released. After some support calls, it turned out that the hotfix could not be used with the MSDN-Version. We had to re-install using a non-MSDN Edition.
- I have a client that is looking to install ILM 2007 FP1 on a Windows Server 2008 32-bit server. In reading through the responses to this posting, I'm a little confused as to whether the retail version of ILM 2007 FP1 can be installed on 2008.
So, can you install the retail version (3.3.118.0) on a Windows Server 2008 32-bit server, and then apply the 3.3.1087.2 hotfix?
Or do I need to obtain, through some other channel, a full installation package for version 3.3.1087.2?
Thanks,
Marc
Marc Mac Donell, Senior Consultant (Identity Assurance), Avaleris Inc.
- Hi Marc,
Despite my difficulties I am reassured that the 3.3.118.0 build of FP1 is fully supported on Windows Server 2008 and now SQL Server 2008. I have loaded the slipstreamed 3.3.1087.2 package and am still unable to apply any subsequent patches but I have spoken with others that have not had any difficulty with this configuration so I just must be special. :)
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
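Added example, not part of any post in this thread: the SIDs in the Profiler trace quoted earlier are raw binary, so confirming which domain principals setup wrote into mms_server_configuration means decoding them to the S-1-5-21-... form that AD tools display. The hex values are copied from that trace; the function names and the "sysusers_lookup" label are assumptions made here.

```python
import struct

# SQL hex literals copied from the Profiler trace quoted in this thread.
# Keys are the column names from the UPDATE statement, except
# "sysusers_lookup", a label made up here for the SID in the SELECT.
_PREFIX = "0x0105000000000005150000001E5D2CE933BA7F72A48386A8"
TRACE_SIDS = {
    "sysusers_lookup":     _PREFIX + "45060000",
    "administrators_sid":  _PREFIX + "46060000",
    "operators_sid":       _PREFIX + "47060000",
    "account_joiners_sid": _PREFIX + "48060000",
    "browse_sid":          _PREFIX + "49060000",
    "passwordset_sid":     _PREFIX + "4A060000",
}


def decode_sid(hex_literal):
    """Decode a binary SID (SQL 0x... literal) into its S-1-... string form."""
    text = hex_literal[2:] if hex_literal.lower().startswith("0x") else hex_literal
    raw = bytes.fromhex(text)
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_rid(sid):
    """Return (domain part, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def decode_trace(sids):
    """Decode every SID and collect the distinct domain parts they share."""
    decoded = {name: decode_sid(value) for name, value in sids.items()}
    domains = {split_rid(sid)[0] for sid in decoded.values()}
    return decoded, domains


if __name__ == "__main__":
    decoded, domains = decode_trace(TRACE_SIDS)
    for name, sid in decoded.items():
        print("%-20s %s" % (name, sid))
    print("distinct domains:", len(domains))
```

The decoded strings can be compared directly with the objectSid of the domain groups chosen during setup; a differing domain part or an unexpected RID shows that a column points at a principal other than the intended one.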

