The goal of this article is to provide an overview of the available builds for FIM as well as a short overview of the new features they introduce.

This article will not provide an overview of all solved issues.


 


Short URL

Bookmark this page as: http://aka.ms/fimbuilds

 



FIM 2010 RTM

Build 4.0.2592.0 (FIM 2010 RTM)

Publication date: 2/mar/2010

  • RTM feature set

 

Build 4.0.3531.2 (Update 1): KB978864

Article ID: 978864 - Last Review: October 13, 2010 - Revision: 3.0

  • Support for the Active Directory Recycle Bin. There is a known issue, which is fixed in build 4.0.3573.2.
  • Resume Full Sync
  • Post-Installation step: Delete the old “Users can create registration objects for themselves” (Action Type: Create, Modify) MPR

 

Build 4.0.3547.2: KB2028634

Article ID: 2028634 - Last Review: March 15, 2011 - Revision: 4.0

A limited set of PowerShell cmdlets are added to allow you to perform some limited editing of the Sync Service configuration.

  • The hotfix improves the performance when an object is joined to several management agents.
  • ADMAUseACLSecurity as an alternative to the DirSync permission in Active Directory.
  • ECMAAlwaysExportUnconfirmed registry key for Extensible Connectivity Management Agent (ECMA).
  • eDIR MA change to allow connection to any 8.x version without the requirement for a registry key.

 

Build 4.0.3558.2: KB2272389

Article ID: 2272389 (09-Sep-2010) - Last Review: November 11, 2010 - Revision: 3.0

  • PrivacyLink: Password Reset registration wizard can provide a link to the company data policy.
  • MinimalObjectLogging: This lets less information be logged if an error has occurred during a run.
  • Enables an outgoing synchronization rule to use a flow scope that accommodates more than two resource types.
  • An error message is written to the event log when a management agent run encounters staging errors.
  • Behavior for MA's with multiple partitions when unselecting partitions.

 

Build 4.0.3561.2 (superseded)

  • Replaced by build 4.0.3573.2

 

Build 4.0.3573.2: KB2417774

Article ID: 2417774 (21-Jan-2011) - Last Review: April 27, 2011 - Revision: 7.0

  • FIM CM updated to support data encryption that uses key pairs that are stored by using a Key Storage Provider.
  • Support for running the FIM 2010 CM bulk client on Windows 7.
  • Password history policy from Active Directory Domain Services (AD DS) is applied for password reset operations in Forefront Identity Manager
  • The eDirectory MA exposes a new check box which can be checked to unlock the account during password set.
  • Approval operations can now be processed by any instance of the FIM service.
  • The filter in a comment is included within the SQL statement that executes the query. This feature improves query troubleshooting.
  • Asynchronous export mode for FIM MA
 Note
Build 3573.2 has an issue: if you install it without first installing Update 1, it corrupts the FIMService database. To recover, restore a backup and then apply Update 1 followed by build 3573.2, or call Microsoft Support.

 

Build 4.0.3576.2: KB2502631

Article ID: 2502631, 02-Mar-2011 - Last Review: March 23, 2011 - Revision: 1.0

  • Use key pairs for data encryption in FIM CM. The key pairs are stored by using a key storage provider.
  • Run the FIM 2010 CM Bulk Client in Windows 7.
  • Use FIM Sync service account in the AD MA configuration.
  • Export subattributes in Sun Directory Services LDAP.

 

Build 4.0.3594.2: KB2520954

Article ID: 2520954, 11-Oct-2011 - Last Review: July 3, 2012 - Revision: 3.0

  • Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate field during the password set operation.
  • The FIM 2010 Active Directory Management Agent (AD MA) now honors the preferred domain controller list when passwords are exported.
  • This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.
  • Adds the ability to filter objects before they are imported into the AD MA connector space.
  • Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA.
 Caution
This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.
  • A new Connector (formerly Management Agent) development framework that is named Extensible Connectivity Management Agent 2.0 (ECMA2.0) is included. This is listed as a new entry in the Management Agent drop-down list.
  • The FIM Synchronization Service now supports running Microsoft .NET Framework 4 extension code. This can be used both in rules extensions and for Management Agents such as ECMA 2.0. The FIM Synchronization Service automatically detects the latest version of the .NET Framework on the server. If needed, you can disable the .NET Framework 4 by removing it from the Runtime section in the Miiserver.exe.config file.
  • Hotfix rollup 2520954 removed support for using the following characters as SQL wildcard characters in queries, in dynamic group filters, and in set filters. The functionality of some existing customer deployments may use these characters as wildcard characters. This update reverts the earlier change.

 

 Important
FIM 2010 Update Rollup 2 (build 4.0.3606.2) contains a feature that is intended to improve Query performance in the case of certain complex queries. This “tabular functions” feature is turned off by default. The product team has discovered an issue in this feature that could return incorrect query results when the query includes at least two statements and the same attribute is referenced in the statements. We strongly advise customers NOT to turn on the Set Partition feature.

 

Build 4.0.3606.2: KB2635086

Article ID: 2635086 - Last Review: March 30, 2012 - Revision: 5.0

 

Build 4.0.3617.2: KB2688078

Article ID: 2688078 - Last Review: May 30, 2012 - Revision: 1.0
  • Fixed issues in the Sync Engine (ECMA 2.0, ECMA 1.0 and organizational unit provisioning related)
  • Fixed issues in setup (database upgrade & change/remove installation related)

 

Build 4.0.3627.2: KB2737503

  • Fixed issues in the Sync Engine
  • Fixed issues in the FIM Service MA (.net 4.0 bug, additional logging for FIM MA exceptions)
  • Adds support to configure the Query and Sets feature to treat underscores as literals instead of as SQL wildcard characters

 

Build 4.0.3644.2: KB2750673

  • Fixed DB2 MA issue when connecting to a server that is running on an IBM iSeries V6 server or later.
  • When the FIM password reset activity does not connect to the Active Directory, the WMI components now return an error code.
  • Fixed .NET version numbers in Microsoft.MetadirectoryServicesEx.dll as changes occurred in build 4.0.3617.2, but the version number was not incremented.

 

Build 4.0.3684.2: KB2819338

  • Fixed Exchange configuration options on the Active Directory Management Agent

 

Build 4.0.3714.2: KB2887498

Article ID: 2887498 - Last Review: November 27, 2013 - Revision: 2.0

  • Issue 1: FIM synchronization cannot deprovision computer objects in Active Directory when there are other child objects, such as printers and file share objects, present on the computer object.
  • Issue 2: An export-only ECMA1 Management Agent might give the error "There is no primary object class on this image" during export of an object delete operation.

 

Build 4.0.3733.2: KB2926490

Article ID: 2926490 - Last Review: February 7, 2014 - Revision: 3.0

  • Fixed Exchange configuration options on the Active Directory Management Agent

 



FIM 2010 R2

Build 4.1.2773.0: FIM 2010 R2

 

Build 4.1.2515.0 (for R2): KB2734159

  • (to be completed)

 

Build 4.1.2548.0 (for R2): KB2750671

  • (to be completed)

 

Build 4.1.3114.0: KB2772429 (Service Pack 1 for FIM 2010 R2)

  • An upgrade to FIM 2010 R2 from an earlier version may be unsuccessful in certain scenarios if the imported changes from a management agent are not synchronized before the upgrade.
  • A connection to Active Directory Lightweight Directory Services (AD LDS) when SSL is enabled is unsuccessful.
  • When a connector is synced to a metaverse object that already has an un-synced connector in the same connector space, the sync on the object fails with stopped-server. In this case, the synchronization engine incorrectly considers this as an invalid state.
  • Multiple issues with ECMA 2.0 are fixed.
  • A reinstallation of the reporting components does not update the System Center registry value in the FIMService registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMService).

 

Build 4.1.3419.0 (for R2): KB2814853

  • (to be completed)

 

Build 4.1.3441.0 (for R2): KB2832389

Article ID: 2832389 - Last Review: April 25, 2013 - Revision: 3.0

FIM Sync

  • Issues Fixed
    • AD MA) would stop if there was an issue during Exchange provisioning
    • PCNS, the setting for the password source
    • "stopped-ma" error on FIMMA on delta import
    • ECMA2 Connectors empty reference attribute data could crash the Synchronization Service
    • error returned on object during add in ECMA2
    • Schema Refresh on an ECMA2 Connector
    • export-only ECMA2 did not correctly handle errors "The image or delta doesn't have an anchor."
    • When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a "stopped-server" error.
    • Adding a value to a reference value by using scripted code throws an error "Object reference not set to an instance of an object" because of a regression in FIM 2010 R2 SP1
    • When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes
  • New features
    • The Synchronization Service's contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.
    • This release includes ECMA2.2 which has several new features added.

FIMCM

  • Fixed
    • Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
    • The ability to print photos is added by using ID Works.
    • Advanced search in Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.

SSPR

  • Fixed
    • If a new password has a string that might violate the ASP.NET request validator such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client"

BHOLD

  • Fixed
    • In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold.

 

Build 4.1.3451.0 (for R2): KB2849119

 

Build 4.1.3461.0 (for R2): KB2870703

 

Build 4.1.3469.0 (for R2): KB2877254

Article ID: 2877254 - Last Review: November 27, 2013 - Revision: 2.0

 

Build 4.1.3479.0 (for R2): KB2889529

 

Build 4.1.3496.0 (for R2): KB2906832

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Service and FIM Portal

Issue 1: When you create a custom solution in FIM 2010 R2, you may experience any of the following scenarios:

  • Scenario 1: An authorization workflow could get stuck.
  • Scenario 2: An authorization workflow could be executed again after a FIMService restart.
  • Scenario 3: An authorization workflow parent request may not be set to expire.

Changes to stored procedures in the FIMService database resolve scenarios 2 and 3.

To resolve scenario 1, an additional AuthorizationWaitTimeInSeconds property was added to built-in building-block activities that enables the activity to set how long the request processor should wait for authorization before it throws an AuthorizationRequiredFault error. We recommend that you set this value to 0 (zero) or a larger value.

New feature 1: By using a new configuration option, you can now hide the Advanced Search link in the FIM Portal.

FIM Synchronization Service

  1. Issue 1: During an export on the FIM Service management agent (MA), the FIM Synchronization Service or the FIM Service may be stopped. In this case, the Synchronization Service may be unable to complete the export on a retry, and you receive the following error message: The operation failed because the attribute cannot be found.
  2. Issue 2: In certain scenarios, the FIM Service MA may return the following error message: Type: System.ArgumentOutOfRangeException
    This problem might occur if an unexported reference attribute was removed by another synchronization process and the result is null.
  3. Issue 3: In rare cases, an import could receive a staging error because of duplicate references in the connector space.
  4. Issue 4: In rare cases, an import could receive a staging error because an object was moved in the connected directory.
  5. Issue 5: An Extensible Connectivity 2.0 Management Agent (ECMA 2.0) connector could end up in an infinite loop. This problem may occur when the capability flag is set not to export references in the first pass. In this case, an object that has no reference attributes cannot export an attribute. This problem affects the Windows Azure Active Directory connector that is provided by Microsoft.
  6. Issue 6: In ECMA 2.0, an export-only attribute could end up in a bad state. This problem might occur if ECMA 2.0 could not export and therefore caused a staging error on the next import and synchronization.

 

Build 4.1.3508.0 (for R2): KB2913228

FIM Service and Portal

Issue 1

If a FIMService instance loses connection to the FIMService database, the FIMService instance may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports that have a run status of stopped-server. Additionally, the following exception is logged in the Forefront Identity Manager event log:
System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.

Issue 2

Consider the following scenario:

  • A Transition Out management policy rule is using a dynamic set together with a multivalued attribute.
  • Two or more elements are removed from the attribute in a single request.
  • One of the removed elements triggers the Transition-Out ManagementPolicyRule (MPR) resource.

In this scenario, the request fails. Additionally, you receive the following exception:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint 'PK__#1B54B73__5330D0771D3CFFB1'. Cannot insert duplicate key in object 'dbo.@transitionOutapplicableRuleBuffer'.

Issue 3

When an export that is run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a failed-modification-via-web-services exception may be returned. When you review the details of the exception, you find that an SQL deadlock occurred.

FIM Synchronization Service

Issue 1

If a multivalued attribute is exported and then changed directly in the target system, the change is not evaluated during delta synchronization. For example, this issue occurs in the following scenario when the Active Directory Management Agent is used:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses directly in Active Directory outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.
In this scenario, the next delta sync will not process the change.

Issue 2

If an exception is thrown by the Connector’s password extension during password synchronization, the Connector will be unloaded from memory. This behavior may cause high processor usage on the computer that is hosting the FIM Synchronization Service when that computer processes password synchronization if it is under load or is synchronizing passwords to multiple Connectors.

After this update is installed, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface and unload the Connector. This lets the interface be reused for another password operation to the connected data source. The password operation will not be retried and is removed from the queue. Any other exception will still unload the Connector and reload it at the next password operation.

 

Build 4.1.3510.0 (for R2): KB2934816

FIM Service and Portal

Issue 1

If a FIMService instance loses connection to the FIMService database, it may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports with a run status of "stopped-server." Additionally, the following exception is logged in the Forefront Identity Manager event log:

System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.

Issue 2

You use a multivalue attribute in a dynamic set. This dynamic set is used in a Transition Out management policy rule. If two or more elements are removed from the attribute in a single request, and if one of the elements triggers the Transition-Out MPR, the request fails, and you receive the following exception:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint 'PK__#1B54B73__5330D0771D3CFFB1'. Cannot insert duplicate key in object 'dbo.@transitionOutApplicableRuleBuffer'.

Issue 3

When an export run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a "failed-modification-via-web-services" exception can be returned. When you review the details of the exception that is returned, you see that an SQL Deadlock occurred.

FIM Synchronization Service

Issue 1

In the Active Directory management agent, changes to a multivalue attribute such as proxyAddresses are not synchronized to the metaverse in the following scenario:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.

Issue 2

After you apply this update, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface. This enables the interface to be reused for another password operation to the connected data source.

BHOLD

Issue 1: If a regular expression policy rule is applied for an ABA role, all applied ABA roles are stuck in the pending state for the users and are never assigned.

Issue 2: If a user has an ABA role, and if you try to change a user attribute that is not related to the ABA role, all ABA roles are again marked for policy validation. Additionally, assigned permissions are removed and assigned back.

Issue 3: When you have more than 500 permissions in BHOLD and search permissions on the Supervised Permissions tab of Default Supervisor Role, no results are returned, and you are returned to the previous page.

Issue 4: When you configure an attribute-based role assignment for a role and then you try to click the Show Impact link in the policies section of a role, you receive the following error message: Object reference not set to an instance of an object

Issue 5: The SP1 build does not let you re-create a permission that was removed from BHOLD earlier.

Issue 6: When you try to change and save a user without changing the end date, you receive the following error message: Invalid date format.

Issue 7: When you try to move an organization unit in the BHOLD Core Portal, you receive the following warning message: Session ID missing: The Session ID is not found in URL. You can continue working using the menu at the left

Issue 8: The "User by Role" report cannot be generated after the limit of 50,000 users is reached. Additionally, you receive an "Out of memory" exception.

Issue 9: In the BHOLD Self-Service Portal, the role information screen under the Role Requests-Current Roles tab displays no role descriptions or permission details.

Issue 10: When you log on as a typical end-user in the BHOLD Service Portal, the "My Roles" screen is displayed as an empty page even though the user is assigned with both "active" and "proposed" roles.

Issue 11: The BHOLD - Access Management agent cannot perform full imports because of an SQL time-out issue that occurs when there is a load of more than 50,000 to 100,000 users.

Issue 12: BHOLD cannot add permissions to a user by using the BHOLD Connector after these permissions are denied.

Issue 13: When a steward in the BHOLD Attestation portal has multiple resources to attest and is working on approving or denying permissions for one user, other permissions for a different user are changed in the user interface.

 

Build 4.1.3559.0 (for R2): KB2969673

<to be completed>

 

Build 4.1.3599.0 (for R2): KB2980295

<to be completed>

 



FIM 2010 LDAP connector

Build 4.3.1082 (for R2): KB2936070

  • Issue 1: When you try to connect to a Lightweight Directory Access Protocol (LDAP) server that has Secure Sockets Layer (SSL) protocol/Transport Layer Security (TLS) protocol enabled, the connection fails unless mutual authentication is enabled. After this update is applied, the certificate information on the connectivity page is used only when mutual authentication is enabled. If the server uses SSL/TLS, the certificate that is presented is visible on the global page.
  • Issue 2: A DN-rename operation fails for some LDAP directories during a delta import if the connected system returns more results than the configured page size on the connector can hold.
  • Issue 3: When a change in an attribute value involves only a change in letter case (uppercase to lowercase or vice-versa), the change fails for some LDAP directories. For example, if the attribute value is changed from “contoso” to “Contoso,” the change fails for some LDAP directories.
  • Feature 1: Added support for the following additional LDAP directories, including delta import support:
    • Open DS
    • Open DJ
    • Active Directory Lightweight Directory Services (AD LDS)
    • Active Directory Global Catalog (AD GC)

 



FIM 2010 Lotus Domino MA

Build 5.0.601.0: KB2784728

Article ID: 2784728 - Last Review: December 20, 2012 - Revision: 1.0

 

Build 5.3.259.0: KB2823899

Article ID: 2823899 - Last Review: April 2, 2013 - Revision: 1.0

 

Build 5.3.407.0: KB2854415

Article ID: 2854417 - Last Review: June 27, 2013 - Revision: 1.0

 

Build 5.3.520.0: KB2741896

 

Build 5.3.534.0: KB2875551

Article ID: 2875551 - Last Review: August 9, 2013 - Revision: 1.0

 

Build 5.3.721.0: KB2899874

Article ID: 2899874 - Last Review: October 28, 2013 - Revision: 1.0

 

 Note
All hotfix rollups are cumulative. This means you can start from RTM and install the desired build level without having to install all previously released build versions.

 

Build 5.3.1003.0: KB2932635

Article ID: 2932635 - Last Review: February 19, 2014 - Revision: 1.0
  • Issue 1: You export group members that are other groups (also known as nested groups) to Domino. If the groups are located in the root of the directory, the membership will be incorrect. To correctly export group members in this scenario, set the Enable Creation of _Contacts object option on the global page to None.
  • Issue 2: In a Domino system where records are updated by a back-end process, some records might not appear in a full import. This behavior occurs if search indexes are out-of-date in Domino. This causes some of the records in the FIM Synchronization Service to be deleted. If you experience this problem, change the new Perform Full Import By option from the default setting of Search to Views.
  • Issue 3: Password synchronization operations are always reported as successful even if the user is not present in Domino. An operation that fails because of a deleted user is now reported as Failed in the event log.

 



FIM 2010 PowerShell MA

Build 4.3.1082.0

Download from http://www.microsoft.com/en-us/download/details.aspx?id=42260

 

Build 1.0.419.911: KB3008179

Issues that are fixed

This update fixes the following issues that were not previously documented in the Microsoft Knowledge Base: Creating a PowerShell connector without using an LDAP DN style fails because of an issue in the default template.

Features that are added

This update adds support for Windows PowerShell 4.0.

 



Best practices

  • Apply patches in a test or a lab environment before patching your production servers.
  • Keep all FIM solution components on the same patch level.

 
