Consider the following scenario:
- You install a European localized version of FIM on a computer that is running Windows XP Service Pack 3 (SP3).
- You try to use the Self-Service Password Reset Client feature in Forefront Identity Manager.
In this scenario, the label on the Reset Password button is truncated.
Resolved issues and features that are related to FIM Synchronization Service
Issue 1: When you export a group that has more than one member to a SQL server, a DN-attribute error occurs.
Issue 2: You receive some staging errors in a delta import from the recycle bin on a computer that is running Windows Server 2008 R2.
Issue 3: Assume that the recycle bin is enabled in AD and that FIM is authoritative for groups and users. In this situation, deleting a user results in an “exported-change-not-reimported” error message for the groups in which the user is a member.
Issue 4: A change to an incoming Synchronization Rule that includes a constant flow or an expression is not recalculated correctly during a full synchronization.
Issue 5: Assume that you are performing a delta import from the AD MA. Two objects that have the same distinguished name (DN) but different GUIDs are deleted. In this situation, you may occasionally receive the following error message:
The dimage has an anchor that differs from the image.
Issue 6: A delta import on the Sun One Management Agent (MA) causes the following error message if the same object is changed two times during the same delta import:
changelog out of order
Issue 7: If an invalid synchronization rule is present in the Sync Engine, a warning message appears in the event log and processing continues.
Issue 8: An extension DLL does not load additional assemblies from the extensions folder, but does load additional assemblies from the bin folder.
Issue 9: There is a memory leak in the Sync Engine when you use classic scripted flow rules. When the service becomes slow, you have to restart the server.
Issue 10: If you develop a custom MA by using XMA, members may be represented as GUIDs instead of DNs during export. When you confirm the import, you may receive one of the following error messages:
export-change-not-reimported
reference-value-not-ldap-conformant
Issue 11: PCNS does not synchronize passwords to AD when the target AD is untrusted by the forest that FIM is located in.
This issue occurs because of a regression introduced in build 4.0.3561.2.
Feature 1: This hotfix rollup package applies the password history policy from Active Directory Domain Services (AD DS) for password reset operations in Forefront Identity Manager.
For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2443871 FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies
Feature 2: The eDirectory MA exposes a new check box that, when selected, unlocks the account during a password set operation.
To unlock the account, the eDirectory attributes are set as follows: the lockedByIntruder attribute is set to FALSE, the loginIntruderAttempts attribute is set to 0, and the loginIntruderResetTime attribute is set to the current time.
Resolved issues that are related to the FIM Portal
Issue 1: The functionality of browser language detection is not always correct in the FIM portal.
Issue 2: Case-only changes that are made to existing attributes are not applied to the FIM service database even though the Requests are marked as Completed.
Issue 3: The About box is not displayed in the FIM 2010 portal if the currently installed build version is 4.0.3558.2.
Resolved issue that is related to Setup
Issue 1: You cannot apply Synchronization Engine hotfixes if the currently installed build version is 4.0.3547.2.
Note: This hotfix includes a change to the Synchronization Engine setup to resolve this issue. After you apply Synchronization Engine hotfix build 4.0.3561.2 or a later build, you will be able to install any newer hotfixes.
Resolved issues and features that are related to FIM Service
Issue 1: The FIM service ignores requests that only contain changes in the values of attributes.
Issue 2: A performance bottleneck exists in request evaluation.
Issue 3: Object types other than User and Group cannot be added to cross-forest domain-local groups.
To address the issue, the DomainConfiguration attribute is now added and updated automatically when a Domain attribute is created or updated on any object that binds it. This functionality was previously limited to User and Group object types only.
Issue 4: For cyclical groups that reference themselves, the GroupValidation workflow activity may cause the FIM service to crash.
Issue 5: Some set memberships do not match their intended filter and must be corrected by the Maintain Sets SQL job.
Feature 1: This hotfix rollup package enables approval operations to be processed by any instance of the FIM service. This hotfix improves the installation process in an environment that has multiple instances of the FIM Service deployed.
Feature 2: This hotfix includes the filter in a comment within the SQL statement that executes the query. This feature improves query troubleshooting.
Resolved issues that are related to FIM MA
Issue 1: A “login denied” error occurs during the final stages of export in FIM MA.
This issue occurs because FIM MA uses the FIMSynchronization service logon instead of the FIM MA logon to connect to the FIMService Database.
Issue 2: Throughput of FIM MA is slow when the FIM database is first loaded.
To resolve the issue, the hotfix provides a new asynchronous export mode for FIM MA. This enables the parallel export of objects. This parallel execution provides an increase in the export rate at the cost of increasing the load on the FIM service SQL database. This mode was primarily designed for use when data is first loaded, when sacrificing portal usability for increased performance is not a concern.
Configuration settings are provided for this new export mode. The configuration settings enable performance and FIM portal usability to be balanced during FIM MA export in your environment. We recommend that you experiment with these settings in a test and staging environment before you consider making any modifications to a production server.
The hotfix adds support for an asynchronous request evaluation mode for requests that are created by the synchronization engine account. When the new mode is enabled, the FIM MA provides a preliminary response to the synchronization engine for the export operation. This happens as soon as the request is created but before it is evaluated by the FIM Service. The request is queued in the FIM service for full evaluation through a set of worker threads in an asynchronous manner. At the same time, the synchronization engine feeds additional requests for export into the FIM MA. When the requests are being processed by the FIM Service, they are left in Escrow state until the FIM service can confirm their processing status. Asynchronous request processing is available only for requests that are generated by the FIM MA. All other requests continue to be executed through the regular process.
Errors that are related to synchronization request processing in the FIM service are now available in the request interface of the FIM portal. These can be accessed from the Search Requests navigation item. A search for requests that are created by the synchronization service returns the status of these requests. Error information for failed requests is now available in the Request Status Details attribute for each request.
Note: We always recommend that you verify hotfixes in a nonproduction environment before you deploy to production. Because of the level of functional change that is contained in this fix, we strongly repeat this recommendation. We also recommend that customers install this hotfix only if they are experiencing an issue that the hotfix addresses.
Operational Notes
We recommend that you continue to use the synchronous mode during the usual operation of FIM MA. You should use the asynchronous mode of operation when a higher FIM export processing rate is necessary. Increasing the export rate for the FIM MA can affect the processing rate and latency of requests that are submitted by users. Configuration settings are provided to enable you to tune the load that the FIM MA will put on the FIM service. We recommend that you configure these settings to suit the individual needs of your deployment and the available system resources.
Configuration settings: FIM service configuration file
The new asynchronous mode of operation for the FIM MA export is controlled by a switch in the FIM service configuration file. This switch has three modes of operation:
<resourceManagementService synchronizationExportThrottle="Single" />
<resourceManagementService synchronizationExportThrottle="Unlimited"/>
<resourceManagementService synchronizationExportThrottle="Limited" requestRecoveryMaxPerMinute="60" />
Single: This is the default mode when the new switch is not specified. It is identical to the mode that is included in FIM 2010.
Unlimited: In this mode, request evaluation happens immediately on the worker thread, and the FIM service uses the maximum throughput of the system. This setting is recommended only when you perform the initial load of data into the system and no other load on the system is expected.
Limited: In this mode, requests are put in a SQL queue, re-dispatched back into the FIM service, and controlled by the requestRecoveryMaxPerMinute throttle setting. Use this setting to increase performance when other loads on the system are expected (for example, portal operations). We expect that customers will have to optimize this setting for their environment, hardware capabilities, and portal load. To tune this setting, monitor the FIM database SQL CPU usage and the Windows Workflow Foundation Workflows In Memory performance counter. Adjust the throttle up or down until you obtain maximum throughput. Example target metrics include SQL CPU usage of about 70% and no large queue building up in the Windows Workflow Foundation Workflows In Memory performance counter.
This setting can be changed dynamically; you do not have to restart the FIM service.
Configuration settings: synchronization engine configuration file
Additional configuration settings for FIM MA are controlled from the synchronization engine configuration file (Miiserver.exe.config). You can configure the new settings by adding a new “resourceSynchronizationClient” section that specifies a property and a value to be configured. The following example demonstrates the general format of the “resourceSynchronizationClient” section:
<resourceSynchronizationClient propertyName="value" />
The following specific example configures the exportFetchResultsPollingTimerInSeconds property:
<resourceSynchronizationClient exportFetchResultsPollingTimerInSeconds="5" />
The following example shows the new section in the context of the synchronization engine configuration file:
<configSections>
  <section name="resourceManagementClient" type="Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClientSection, Microsoft.ResourceManagement"/>
  <section name="resourceSynchronizationClient" type="MIIS.ManagementAgent.ResourceSynchronizationClientSection, mmsmafim"/>
</configSections>
<startup>
  <requiredRuntime version="v2.0.50727"></requiredRuntime>
  <supportedRuntime version="v2.0.50727"></supportedRuntime>
</startup>
<resourceSynchronizationClient propertyName="value" />
The new configuration properties are described in the following table:
Property Name | Default Value | Description |
--- | --- | --- |
exportFetchResultsPollingTimerInSeconds | 5 | When the Synchronization service is exporting objects in asynchronous mode, this property controls how often the FIM MA polls for results returned from the FIM service. Changing this value may give a higher processing rate, depending on your system configuration. |
exportRequestsInProcessMaximum | 50 | When the Synchronization service is exporting objects in asynchronous mode, this property controls how many requests can be queued up in the FIM service for processing. If this limit is met, FIM MA waits until asynchronous results are sent back before resuming additional exports. Setting this value higher may provide additional processing throughput during export. However, during system failures, these objects may have to be re-exported from the synchronization engine when the FIM-Export process restarts. |
exportWaitingForRequestsToProcessTimeoutInSeconds | 600 | This is the time-out value that FIM MA uses to wait for the FIM service to process a request. If no response is received from the FIM service within this time, FIM MA ends the export with a “cd-error” error. |
As part of your system tuning, you can adjust both the exportFetchResultsPollingTimerInSeconds property and the exportRequestsInProcessMaximum property to achieve the best results for your environment and configuration. You have to restart the FIM synchronization service after you change these settings.
Known Issues
- When operating in the asynchronous mode, a few operations may fail with an “Access Denied” error. This issue is most common on small data sets that have interdependent references. In these cases, the next FIM MA export will resolve the problem.
- During FIM MA export in the asynchronous mode, the FIM service may need a long time to process all the requests that are submitted by the synchronization engine. During this time, any additional operations for new exports or imports (delta or full) will end with a “Stopped-server” error. Under ordinary conditions, the synchronization engine waits for all requests to be fully processed by the FIM service and does not allow the operator to perform additional operations.
- The synchronization engine service may take 10 minutes to shut down. This is the default length of time that the synchronization engine waits for FIM MA to return status results for a FIM export operation. If the synchronization engine is shut down during this time, you may have to wait for the time-out to expire.
- The synchronization engine may not receive a response for an object that is processed by the FIM service under some error conditions. In this case, the synchronization engine will re-send the object for export. The FIM service will detect this replay and signal it with a “Resource Identifier Already Exists” error. To clear objects that are reported with this error, you must perform a Delta Import and Delta Sync, followed by a FIM MA export sequence.