FIM 2010 R2 Sp1, Windows 2008 R2 SP1 and Recycle Bin issues

    Question

  • Hi,

    We are running FIM 2010 R2 Sp1 (build 4.1.3613.0)

    Also running Windows 2008 R2 Forest and Domain functional level environment. (Windows Server 2008 R2 SP1 on all DCs). The previous Recycle Bin hotfix https://support.microsoft.com/en-us/kb/979214/ fails to install since we are already running WS08 R2 SP1 on all the DCs.

    During deprovisioning, when a user is deleted from the source HR system, FIM deletes the object from AD, FIM Sync & Portal.

    FIM also manages a FIM Portal group, where membership is assigned manually. This membership is then updated in AD.

    When a user (who is part of this group) is deleted in HR, FIM deletes it from AD, FIM Sync and FIM Portal; FIM also removes the user from the FIM Portal group. The user is also removed from the AD group (by FIM group object membership attribute flow to AD).

    ...however, on the next AD Export, FIM fails to update the same group and complains about this very same user (CD Error) and lists the user as: CN=username\0ADEL:GUID, CN=Deleted Objects,DC=domain,DC=com

    It appears that there is a problem with FIM and the Recycle Bin again?

    Are there any new Recycle Bin/FIM hotfixes?

    Thanks,

    SK

    Sunday, March 22, 2015 10:49 PM

All replies

  • May I suggest you review the following:

    1. Is the AD MA user account part of the Domain Admins group? If yes, please remove it from this Group
    2. Verify that the "CN=Deleted Objects" container has not somehow been included in the AD MA OU scope

    • Edited by T Zukowski Monday, March 23, 2015 3:25 AM
    Monday, March 23, 2015 3:25 AM
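    The export error in the question is easiest to confirm outside FIM: a plain LDAP read hides `member` values that point at recycled objects, so the group looks clean while the AD MA still sees the `\0ADEL` DN. The script below is an added diagnostic, not from this thread or from the FIM product; it assumes PowerShell with .NET's System.DirectoryServices.Protocols, read access to the domain, and constructed values for the DC name and search base (use the DC and OU scope the AD MA is actually configured with, which also covers the scope check in the reply above).

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-RecycledGroupMembers {
    param(
        [Parameter(Mandatory)][string]$Server,      # DC the AD MA is configured against (assumed)
        [Parameter(Mandatory)][string]$SearchBase   # OU scope of the AD MA (assumed)
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # binds as the current user; pass a NetworkCredential to Bind() otherwise

    # 1.2.840.113556.1.4.2065 = LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID. Without this control the
    # DC omits member values that reference deleted (recycled) objects from the search result.
    $showLinks = New-Object System.DirectoryServices.Protocols.DirectoryControl(
        '1.2.840.113556.1.4.2065', $null, $true, $true)
    # Page through results so domains with more than 1000 groups are handled.
    $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)

    do {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $SearchBase, '(objectClass=group)', 'Subtree', @('member'))
        $req.Controls.Add($showLinks) | Out-Null
        $req.Controls.Add($page) | Out-Null
        $resp = $conn.SendRequest($req)

        foreach ($entry in $resp.Entries) {
            # Groups with more than 1500 members come back as a ranged attribute
            # ('member;range=0-1499'); that case is not handled here.
            if (-not $entry.Attributes.Contains('member')) { continue }
            foreach ($dn in $entry.Attributes['member'].GetValues([string])) {
                # A recycled member is returned with the DN form seen in the export error:
                # CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects,<domain DN>
                if ($dn -match '\\0ADEL:.*,CN=Deleted Objects,') {
                    [pscustomobject]@{ Group = $entry.DistinguishedName; RecycledMember = $dn }
                }
            }
        }
        $pageResp = $resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $page.Cookie = $pageResp.Cookie
    } while ($pageResp.Cookie.Length -gt 0)
}

# Constructed sample call: lists every group in scope that still links to a recycled object.
Get-RecycledGroupMembers -Server 'dc01.domain.com' -SearchBase 'DC=domain,DC=com' |
    Format-Table -AutoSize
```

If the report is empty against the DC the MA uses while the export still fails, the stale reference lives in the MA's connector space rather than in AD, which is the situation the later replies describe.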
  • It is a bug in FIM. I have the same problem with all my clients. The two pieces of advice above have been applied and do not resolve the issue.

    The problem is that FIM does not delete the connector in the AD Connector Space when the account is deleted in AD (put in the Recycle Bin).

    Regards,

    Sylvain G.

    Monday, October 26, 2015 10:27 AM
  • We experienced the same issue and raised it as a support request with Microsoft. It sounds like this is actually a bug with Windows Server 2008 R2 Domain Controllers. There is no fix as far as we are aware, but they did offer a workaround, which is to introduce a Windows Server 2012 R2 domain controller into your domain and configure your AD MA to communicate with the 2012 R2 DC. We haven't tried this as yet, so can't comment on whether this works or not.
    Tuesday, October 27, 2015 9:17 AM