FIM 2010 Build Overview


The goal of this article is to provide an overview of the available builds for FIM as well as a short overview of the new features they introduce.

This article will not provide an overview of all solved issues.



See also

Microsoft's Identity Software: Public Release Build Versions



FIM 2010 RTM

Build 4.0.2592.0 (FIM 2010 RTM)

Publication date: 2 Mar 2010

  • RTM feature set


Build 4.0.3531.2 (Update 1): KB978864

Article ID: 978864 - Last Review: October 13, 2010 - Revision: 3.0

  • Support for the Active Directory Recycle Bin. There is a known issue which is fixed in Build 4.0.3573.2
  • Resume Full Sync
  • Post-Installation step: Delete the old “Users can create registration objects for themselves” (Action Type: Create, Modify) MPR


Build 4.0.3547.2: KB2028634

Article ID: 2028634 - Last Review: March 15, 2011 - Revision: 4.0

A limited set of PowerShell cmdlets is added to allow you to perform some limited editing of the Sync Service configuration.

  • The hotfix improves the performance when an object is joined to several management agents.
  • ADMAUseACLSecurity as an alternative to the DirSync permission in Active Directory.
  • ECMAAlwaysExportUnconfirmed registry key for Extensible Connectivity Management Agent (ECMA).
  • eDIR MA change to allow connection to any 8.x version without the requirement for a registry key.


Build 4.0.3558.2: KB2272389

Article ID: 2272389 (09-Sep-2010) - Last Review: November 11, 2010 - Revision: 3.0

  • PrivacyLink: Password Reset registration wizard can provide a link to the company data policy.
  • MinimalObjectLogging: This lets less information be logged if an error has occurred during a run.
  • Enables an outgoing synchronization rule to use a flow scope that accommodates more than two resource types.
  • An error message is written to the event log when a management agent run encounters staging errors.
  • Behavior for MAs with multiple partitions when unselecting partitions.


Build 4.0.3561.2 (superseded)

  • Replaced by build 4.0.3573.2


Build 4.0.3573.2: KB2417774

Article ID: 2417774 (21-Jan-2011) - Last Review: April 27, 2011 - Revision: 7.0

  • FIM CM updated to support data encryption that uses key pairs that are stored by using a Key Storage Provider.
  • Support for running the FIM 2010 CM bulk client on Windows 7.
  • Password history policy from Active Directory Domain Services (AD DS) is applied for password reset operations in Forefront Identity Manager
  • The eDirectory MA exposes a new check box which can be checked to unlock the account during password set.
  • Approval operations can now be processed by any instance of the FIM service.
  • The filter in a comment is included within the SQL statement that executes the query. This feature improves query troubleshooting.
  • Asynchronous export mode for FIM MA
However, there is an issue with Build 3573.2: if you install it without first installing Update 1, it corrupts the FIMService database. This must be resolved either by resorting to a backup and then applying Update 1 followed by Build 3573.2, or by calling Microsoft Support.


Build 4.0.3576.2: KB2502631

Article ID: 2502631, 02-Mar-2011 - Last Review: March 23, 2011 - Revision: 1.0

  • Use key pairs for data encryption in FIM CM. The key pairs are stored by using a key storage provider.
  • Run the FIM 2010 CM Bulk Client in Windows 7.
  • Use FIM Sync service account in the AD MA configuration.
  • Export subattributes in Sun Directory Services LDAP.


Build 4.0.3594.2: KB2520954

Article ID: 2520954, 11-Oct-2011 - Last Review: July 3, 2012 - Revision: 3.0

  • Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate field during the password set operation.
  • The FIM 2010 Active Directory Management Agent (AD MA) now honors the preferred domain controller list when passwords are exported.
  • This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.
  • Adds the ability to filter objects before they are imported into the AD MA connector space.
  • Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA.


This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.
  • A new Connector (formerly Management Agent) development framework that is named Extensible Connectivity Management Agent 2.0 (ECMA2.0) is included. This is listed as a new entry in the Management Agent drop-down list.
  • The FIM Synchronization Service now supports running Microsoft .NET Framework 4 extension code. This can be used both in rules extensions and for Management Agents such as ECMA 2.0. The FIM Synchronization Service will automatically detect the latest version of the .NET Framework on the server. If needed, you can disable the .NET Framework 4 by removing it from the Runtime section in the Miiserver.exe.config file.
  • Hotfix rollup 2520954 removed support for using the following characters as SQL wildcard characters in queries, in dynamic group filters, and in set filters. The functionality of some existing customer deployments may use these characters as wildcard characters. This update reverts the earlier change.


FIM 2010 Update Rollup 2 (build 4.0.3606.2) contains a feature that is intended to improve Query performance in the case of certain complex queries. This “tabular functions” feature is turned off by default. The product team has discovered an issue in this feature that could return incorrect query results when the query includes at least two statements and the same attribute is referenced in the statements. We strongly advise customers NOT to turn on the Set Partition feature.


Build 4.0.3606.2: KB2635086

Article ID: 2635086 - Last Review: March 30, 2012 - Revision: 5.0


Build 4.0.3617.2: KB2688078

Article ID: 2688078 - Last Review: May 30, 2012 - Revision: 1.0
  • Fixed issues in the Sync Engine (ECMA 2.0, ECMA 1.0 and organizational unit provisioning related)
  • Fixed issues in setup (database upgrade & change/remove installation related)


Build 4.0.3627.2: KB2737503

  • Fixed issues in the Sync Engine
  • Fixed issues in the FIM Service MA (.NET 4.0 bug, additional logging for FIM MA exceptions)
  • Adds support to configure the Query and Sets feature to treat underscores as literals instead of as SQL wildcard characters


Build 4.0.3644.2: KB2750673

  • Fixed DB2 MA issue when connecting to a server that is running on an IBM iSeries V6 server or later.
  • When the FIM password reset activity does not connect to the Active Directory, the WMI components now return an error code.
  • Fixed .NET version numbers in Microsoft.MetadirectoryServicesEx.dll as changes occurred in build 4.0.3617.2, but the version number was not incremented.


Build 4.0.3684.2: KB2819338

  • Fixed Exchange configuration options on the Active Directory Management Agent


Build 4.0.3714.2: KB2887498

Article ID: 2887498 - Last Review: November 27, 2013 - Revision: 2.0

  • Issue 1: FIM synchronization cannot deprovision computer objects in Active Directory when there are other child objects, such as printers and file share objects, present on the computer object.
  • Issue 2: An export-only ECMA1 Management Agent might give the error "There is no primary object class on this image" during export of an object delete operation.


Build 4.0.3733.2: KB2926490

Article ID: 2926490 - Last Review: February 7, 2014 - Revision: 3.0

  • Fixed Exchange configuration options on the Active Directory Management Agent



FIM 2010 R2

Build 4.1.2773.0: FIM 2010 R2


Build 4.1.2515.0 (for R2): KB2734159

  • (to be completed)


Build 4.1.2548.0 (for R2): KB2750671

  • (to be completed)


Build 4.1.3114.0: KB2772429 (Service Pack 1 for FIM 2010 R2)

  • An upgrade to FIM 2010 R2 from an earlier version may be unsuccessful in certain scenarios if the imported changes from a management agent are not synchronized before the upgrade.
  • A connection to Active Directory Lightweight Directory Services (AD LDS) when SSL is enabled is unsuccessful.
  • When a connector is synced to a metaverse object that already has an un-synced connector in the same connector space, the sync on the object fails with stopped-server. In this case, the synchronization engine incorrectly considers this as an invalid state.
  • Multiple issues with ECMA 2.0 are fixed.
  • A reinstallation of the reporting components does not update the System Center registry value in the FIMService registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMService).


Build 4.1.3419.0 (for R2): KB2814853

  • (to be completed)


Build 4.1.3441.0 (for R2): KB2832389

Article ID: 2832389 - Last Review: April 25, 2013 - Revision: 3.0

FIM Sync

  • Issues Fixed
    • AD MA would stop if there was an issue during Exchange provisioning
    • PCNS, the setting for the password source
    • "stopped-ma" error on FIMMA on delta import
    • ECMA2 Connectors empty reference attribute data could crash the Synchronization Service
    • error returned on object during add in ECMA2
    • Schema Refresh on an ECMA2 Connector
    • export-only ECMA2 did not correctly handle errors "The image or delta doesn't have an anchor."
    • When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a "stopped-server" error.
    • Adding a value to a reference value by using scripted code throws an error "Object reference not set to an instance of an object" because of a regression in FIM 2010 R2 SP1
    • When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes
  • New features
    • The Synchronization Service's contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.
    • This release includes ECMA2.2 which has several new features added.


  • Fixed
    • Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
    • The ability to print photos is added by using ID Works.
    • Advanced search in Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.


  • Fixed
    • If a new password has a string that might violate the ASP.NET request validator such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client"


  • Fixed
    • In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold.


Build 4.1.3451.0 (for R2): KB2849119


Build 4.1.3461.0 (for R2): KB2870703


Build 4.1.3469.0 (for R2): KB2877254

Article ID: 2877254 - Last Review: November 27, 2013 - Revision: 2.0


Build 4.1.3479.0 (for R2): KB2889529


Build 4.1.3496.0 (for R2): KB2906832

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Service and FIM Portal

Issue 1: When you create a custom solution in FIM 2010 R2, you may experience any of the following scenarios:

  • Scenario 1: An authorization workflow could get stuck.
  • Scenario 2: An authorization workflow could be executed again after a FIMService restart
  • Scenario 3: An authorization workflow parent request may not be set to expire.
Changes to stored procedures in the FIMService database resolve scenarios 2 and 3.

To resolve scenario 1, an additional AuthorizationWaitTimeInSeconds property was added to built-in building-block activities that enables the activity to set how long the request processor should wait for authorization before it throws an AuthorizationRequiredFault error. We recommend that you set this value to 0 (zero) or a larger value.

New feature 1: By using a new configuration option, you can now hide the Advanced Search link in the FIM Portal.

FIM Synchronization Service

  1. Issue 1: During an export on the FIM Service management agent (MA), the FIM Synchronization Service or the FIM Service may be stopped. In this case, the Synchronization Service may be unable to complete the export on a retry, and you receive the following error message: The operation failed because the attribute cannot be found.
  2. Issue 2: In certain scenarios, the FIM Service MA may return the following error message: Type: System.ArgumentOutOfRangeException
    This problem might occur if an unexported reference attribute was removed by another synchronization process and the result is null.
  3. Issue 3: In rare cases, an import could receive a staging error because of duplicate references in the connector space.
  4. Issue 4: In rare cases, an import could receive a staging error because an object was moved in the connected directory.
  5. Issue 5: An Extensible Connectivity 2.0 Management Agent (ECMA 2.0) connector could end up in an infinite loop. This problem may occur when the capability flag is set not to export references in the first pass. In this case, an object that has no reference attributes cannot export an attribute. This problem affects the Windows Azure Active Directory connector that is provided by Microsoft.
  6. Issue 6: In ECMA 2.0, an export-only attribute could end up in a bad state. This problem might occur if ECMA 2.0 could not export and therefore caused a staging error on the next import and synchronization.

Build 4.1.3508.0 (for R2): KB2913228


FIM Service and Portal

Issue 1

If a FIMService instance loses connection to the FIMService database, the FIMService instance may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports that have a run status of stopped-server. Additionally, the following exception is logged in the Forefront Identity Manager event log:
System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.

Issue 2

Consider the following scenario:

  • A Transition Out management policy rule is using a dynamic set together with a multivalued attribute.
  • Two or more elements are removed from the attribute in a single request.
  • One of the removed elements triggers the Transition-Out ManagementPolicyRule (MPR) resource. 

In this scenario, the request fails. Additionally, you receive the following exception:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint 'PK__#1B54B73__5330D0771D3CFFB1'. Cannot insert duplicate key in object 'dbo.@transitionOutapplicableRuleBuffer'.

Issue 3

When an export that is run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a failed-modification-via-web-services exception may be returned. When you review the details of the exception, you find that an SQL deadlock occurred.

FIM Synchronization Service

Issue 1

If a multivalued attribute is exported and then changed directly in the target system, the change is not evaluated during delta synchronization. For example, this issue occurs in the following scenario when the Active Directory Management Agent is used:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses directly in Active Directory outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.
In this scenario, the next delta sync will not process the change.

Issue 2

If an exception is thrown by the Connector’s password extension during password synchronization, the Connector will be unloaded from memory. This behavior may cause high processor usage on the computer that is hosting the FIM Synchronization Service when that computer processes password synchronization if it is under load or is synchronizing passwords to multiple Connectors.

After this update is installed, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface and unload the Connector. This lets the interface be reused for another password operation to the connected data source. The password operation will not be retried and is removed from the queue. Any other exception will still unload the Connector and reload it at the next password operation.



FIM 2010 LDAP connector

Build 4.3.1082 (for R2): KB2936070

  • Issue 1: When you try to connect to a Lightweight Directory Access Protocol (LDAP) server that has Secure Sockets Layer (SSL) protocol/Transport Layer Security (TLS) protocol enabled, the connection fails unless mutual authentication is enabled. After this update is applied, the certificate information on the connectivity page is used only when mutual authentication is enabled. If the server uses SSL/TLS, the certificate that is presented is visible on the global page.
  • Issue 2: A DN-rename operation fails for some LDAP directories during a delta import if the connected system returns more results than the configured page size on the connector can hold.
  • Issue 3: When a change in an attribute value involves only a change in letter case (uppercase to lowercase or vice-versa), the change fails for some LDAP directories. For example, if the attribute value is changed from “contoso” to “Contoso,” the change fails for some LDAP directories.
  • Feature 1: Added support for the following additional LDAP directories, including delta import support:
    • Open DS
    • Open DJ
    • Active Directory Lightweight Directory Services (AD LDS)
    • Active Directory Global Catalog (AD GC)



FIM 2010 Lotus Domino MA

Build 5.0.601.0: KB2784728

Article ID: 2784728 - Last Review: December 20, 2012 - Revision: 1.0


Build KB2823899

Article ID: 2823899 - Last Review: April 2, 2013 - Revision: 1.0


Build 5.3.407.0: KB2854415

Article ID: 2854417 - Last Review: June 27, 2013 - Revision: 1.0


Build 5.3.520.0: KB2741896


Build 5.3.534.0: KB2875551

Article ID: 2875551 - Last Review: August 9, 2013 - Revision: 1.0


Build 5.3.721.0: KB2899874

Article ID: 2899874 - Last Review: October 28, 2013 - Revision: 1.0

All hotfix rollups are cumulative. This means you can start from RTM and install the desired build level without having to install all previously released build versions.


Build 5.3.1003.0: KB2932635

Article ID: 2932635 - Last Review: February 19, 2014 - Revision: 1.0
  • Issue 1: You export group members that are other groups (also known as nested groups) to Domino. If the groups are located in the root of the directory, the membership will be incorrect. To correctly export group members in this scenario, set the Enable Creation of _Contacts object option on the global page to None.
  • Issue 2: In a Domino system where records are updated by a back-end process, some records might not appear in a full import. This behavior occurs if search indexes are out-of-date in Domino. This causes some of the records in the FIM Synchronization Service to be deleted. If you experience this problem, change the new Perform Full Import By option from the default setting of Search to Views.
  • Issue 3: Password synchronization operations are always reported as successful even if the user is not present in Domino. An operation that fails because of a deleted user is now reported as Failed in the event log.



Best practices

  • Apply patches in a test or a lab environment before patching your production servers.
  • Keep all FIM solution components on the same patch level.



Additional Resources

To provide feedback about this article, create a post on the FIM TechNet Forum.


  • After installing 4.0.3576.2 you may find your FIM MA exports start failing with a "The request does not conform to the expected request message format of the protocol" exception ... and if you do, chances are you have been using a different service account identity for your FIM MA to that which you specified when you installed the FIM Service.  If you get to this point you will need to (a) find out the service account you should be using (HKLM->System->CurrentControlSet->services->FIMService->SynchronizationAccount) and (b) change the FIM MA identity back to this value.

    If you then find that you are getting a "Failed to connect to the specified database or Forefront Identity Manager Service. Please check the specified database location, service host address, and account information" error thrown, the problem is database connectivity.  Your case might be different, but mine is a lab environment where the FIM Sync Service is also a DC ... I followed the advice of this article and added the service account to the domain builtin administrators group and I was good again (not that this is a sensible production configuration!).

  • Correction to my post a few minutes ago ... the problem is indirectly database access, but what I meant to say is that the error is because of missing local logon rights for the FIM MA account.

  • I would like to get info in the hotfix release notes for Windows 2008 R2 SP1 support, and regarding OS patch support after SP1

  • Build 4.0.3594.2 is out:

    -export the current time on the server to the HTTPPasswordChangeDate field during the password set operation.

    -Honor the Active Directory Management Agent (AD MA) the preferred domain controller list when passwords are exported.

    -Adds the ability to filter objects before they are imported into the AD MA connector space.

    -Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA.

  • Update Rollup 2 (build 4.0.3606.2) is out.

    RSS feed is not updated yet :(

    Please, be aware of the following issue:
