A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
To apply this hotfix, you must have Forefront Identity Manager (FIM) 2010 installed.
To use the hotfix, you do not have to change the registry.
You must restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
The FIM 2010 Certificate Manager (CM) auto enroll policy module cannot be used with Cluster CA when database replication is enabled. This issue occurs because the database connection is encrypted by using data protection API (DPAPI). When the database is replicated to another node, the connection cannot be decrypted.
The certificate template object identifier (also known as OID) that is specified in an external online update request is ignored in the FIM 2010 CM. Then, when online update requests are submitted externally, all certificates are updated. This issue occurs even if the policy settings dictate that the initiator selects which certificate to update and a certificate OID is specified in the construction of the external request.
This hotfix changes the behavior so that warnings do not count against the error limit.
A Sun ONE Directory may write a delta change log inconsistently. The Sync Engine detects this state and throws the “stopped-change-log-out-of-order” error. Additionally, a full import is then required before a delta import can be run again on the Sun ONE Management Agent (MA).
The Active Directory Management Agent (AD MA) incorrectly reports "success" for a newly provisioned user whose password does not meet the password policy. This issue results in an "exported-change-not-reimported" warning during the next import, because Active Directory correctly disables the user.
If you have a CaseSensitiveString attribute in Active Directory, the attribute type is not correctly detected and cannot be configured in Declarative Provisioning.
When you try to create a new eDirectory MA that connects to eDirectory 8.8, you receive the following error message:
The management agent run was ended as there were unspecified agent errors.
The issue occurs because eDirectory 8.8 is not detected correctly after the eDirectory schema is extended. For example, eDirectory 8.8 is not detected correctly after you add the SecureLogin type to the schema.
When a calculated group is imported from the FIM Service MA and has static members added because of misconfiguration, Sync Engine crashes. Therefore, a placeholder takeover occurs without any object type set.
The AD MA does not have a check box to enable an account to be unblocked when a password is synchronized.
GALSync cannot recognize the new Exchange Dynamic Distribution List type.
When you perform a search for an object in a connector space for an Export-only ECMA, you receive the following error message:
Image or delta does not have an anchor.
If you configure synchronization rules and set dependencies between them after the initial configuration, you can end up in a situation where the configuration from before the dependency was set is still being applied and objects are disconnected.
With this hotfix, the Synchronization Service no longer applies the configuration from before the dependency was set.
The FIM MA cannot be created when metaverse attributes have a hyphen character ( - ) in their name and the database is upgraded from Identity Lifecycle Manager (ILM) 2007 or Identity Integration Server (MIIS) 2003 Service Pack 2 (SP2).
The Exchange Server 2010 PowerShell cmdlets cause the FIM Sync Service to crash when the cmdlets time out.
To prevent external applications from causing problems for the FIM Sync Service, the cmdlets run in an external process after you apply the hotfix.
When you define scoping filters by using declarative provisioning, the filter always evaluates to "false" if an attribute value is missing. This issue makes it difficult to construct filters that use "not" clauses to catch bad data, because an object with a missing attribute never matches such a clause.
After you apply the hotfix, an attribute that contains no value (null) is evaluated as if the attribute were an empty string.
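The following is an added example, not code from the article or from FIM: a simplified model of scoping-filter evaluation that contrasts the two behaviors the article describes. The clause operators, the object dictionaries and the "before" and "after" evaluators are constructed for illustration; FIM's own evaluator is not reproduced here.

```python
"""Simplified model (not FIM code) of how a scoping filter treats a missing attribute.

Pre-hotfix: a missing attribute value makes the clause false, whatever the operator.
Post-hotfix: a missing (null) value is evaluated as the empty string "".
"""
from typing import Callable, Dict, Optional, Sequence, Tuple

# A clause is (attribute name, operator, comparison value). Operators are constructed
# for this example; FIM's real operator set is not reproduced here.
Clause = Tuple[str, str, str]
Obj = Dict[str, Optional[str]]


def _compare(actual: str, op: str, value: str) -> bool:
    """Evaluate one operator against a present (non-null) attribute value."""
    if op == "equals":
        return actual == value
    if op == "not-equals":
        return actual != value
    if op == "starts-with":
        return actual.startswith(value)
    raise ValueError(f"unknown operator {op!r}")


def eval_clause_before(obj: Obj, clause: Clause) -> bool:
    """Pre-hotfix behavior: a missing attribute makes the whole clause false."""
    attr, op, value = clause
    actual = obj.get(attr)
    if actual is None:
        return False
    return _compare(actual, op, value)


def eval_clause_after(obj: Obj, clause: Clause) -> bool:
    """Post-hotfix behavior: a missing attribute is treated as the empty string."""
    attr, op, value = clause
    actual = obj.get(attr)
    if actual is None:
        actual = ""
    return _compare(actual, op, value)


def in_scope(obj: Obj, clauses: Sequence[Clause],
             evaluator: Callable[[Obj, Clause], bool]) -> bool:
    """An object is in scope when every clause holds (AND across clauses)."""
    return all(evaluator(obj, c) for c in clauses)


# Constructed sample objects: one with a proper value, one contractor, one with the
# attribute missing entirely (the "bad data" case the article talks about).
EMPLOYEE: Obj = {"employeeType": "Employee"}
CONTRACTOR: Obj = {"employeeType": "Contractor"}
MISSING: Obj = {}

# A "not" clause meant to catch everything that is not a known contractor.
NOT_CONTRACTOR: Sequence[Clause] = [("employeeType", "not-equals", "Contractor")]


def compare_behaviors(obj: Obj, clauses: Sequence[Clause]) -> Tuple[bool, bool]:
    """Return (pre-hotfix result, post-hotfix result) for one object."""
    return (in_scope(obj, clauses, eval_clause_before),
            in_scope(obj, clauses, eval_clause_after))


if __name__ == "__main__":
    for name, obj in (("employee", EMPLOYEE), ("contractor", CONTRACTOR), ("missing", MISSING)):
        before, after = compare_behaviors(obj, NOT_CONTRACTOR)
        print(f"{name:10s} before={before!s:5s} after={after}")
```

The object with the missing attribute is the one that changes: before the hotfix the "not equals Contractor" clause never matches it, so a filter written to catch bad data silently leaves such objects out of scope; after the hotfix it is compared as "" and matches.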
During FIM startup, a single failure to create an instance of the WorkflowServiceHost class can cause other workflows not to be re-hydrated. This behavior may cause workflows to become stuck in the PostProcessing stage.
When you create an object that depends on one or more other objects, the Configuration Migration tool may not map references to objects in the target system.
A limited set of PowerShell cmdlets is added to allow you to perform some limited editing of the Sync Service configuration. For more information about these PowerShell cmdlets, visit the following Microsoft Website:
The hotfix improves performance when an object is joined to several management agents; on average, performance is about 10% better for 5 management agents.
When you import from Active Directory, you must have been granted the DirSync permission. If you can target a domain controller that runs at least Windows Server 2003, you can take advantage of a new feature that uses the normal access control lists (ACLs) in Active Directory and does not require the DirSync permission. When you set the ADMAUseACLSecurity registry key, the AD MA uses AD ACLs instead.
For more information about the registry settings for FIM 2010, visit the following Microsoft TechNet website:
If you enable the ADMAUseACLSecurity registry key, make sure that the account that is used by the AD MA has read permissions to all locations. By default, a regular user has read permissions to all objects except deleted objects. If the account can no longer read an object, that object is treated as a deleted object.
Assume that you are developing a call-based extensible connectivity management agent (ECMA). You may expect the MA to continue exporting the same change until the change is confirmed by an import. However, when the target for the data is unreliable, the data might not be committed successfully even though the call returns success. You notice this during a delta import when the information that you read back is not what you sent.
To enable this behavior on the ECMA, set the ECMAAlwaysExportUnconfirmed registry key. For more information about the registry key, visit the following Microsoft TechNet website:
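The following is an added example, not code from the article or from FIM: a small simulation of the export/import cycle described above, run once with the default "trust the success return" behavior and once with the "keep exporting until an import confirms the change" behavior that the article attributes to the ECMAAlwaysExportUnconfirmed registry key. The unreliable target, the cycle loop and the "read-back mismatch" label are constructed for this illustration and do not model FIM's actual engine or its warning names.

```python
"""Simulation (not FIM code) of exporting a change to an unreliable target.

The target claims success on every write but silently drops the first N writes,
which is the failure mode the article describes: the call returns success, yet
the next delta import reads back a value that is not what was sent.
"""
from typing import Dict, List, Tuple


class UnreliableTarget:
    """Constructed target system: acknowledges every write, commits only some of them."""

    def __init__(self, drop_first_n: int) -> None:
        self._data: Dict[str, str] = {}
        self._drops_left = drop_first_n

    def write(self, key: str, value: str) -> bool:
        """Return True (success) always; the first N writes are lost anyway."""
        if self._drops_left > 0:
            self._drops_left -= 1
            return True
        self._data[key] = value
        return True

    def read(self, key: str) -> str:
        """What a delta import would read back (empty string if nothing was committed)."""
        return self._data.get(key, "")


def run_sync(target: UnreliableTarget, key: str, desired: str,
             always_export_unconfirmed: bool, max_cycles: int = 5) -> Tuple[bool, int, List[str]]:
    """Run export/import cycles until the change is confirmed or max_cycles is reached.

    Returns (target actually holds the desired value, cycles run, mismatch notices).
    """
    pending: Dict[str, str] = {key: desired}   # changes the engine still wants to export
    awaiting: Dict[str, str] = {}              # exported, not yet seen on import
    notices: List[str] = []

    for cycle in range(1, max_cycles + 1):
        # Export step: call the target for every pending change.
        for k, v in list(pending.items()):
            if target.write(k, v):
                awaiting[k] = v
                if not always_export_unconfirmed:
                    # Default modeled behavior: the success return is trusted, so the
                    # change is considered done and will not be exported again.
                    pending.pop(k)

        # Delta import step: read back and compare with what was exported.
        for k, v in list(awaiting.items()):
            awaiting.pop(k)
            if target.read(k) == v:
                pending.pop(k, None)           # confirmed: stop re-exporting
            else:
                notices.append(f"cycle {cycle}: read-back mismatch for {k}")

        if not pending and not awaiting:
            break
    else:
        cycle = max_cycles

    return target.read(key) == desired, cycle, notices


if __name__ == "__main__":
    for flag in (False, True):
        committed, cycles, notes = run_sync(UnreliableTarget(drop_first_n=1),
                                            "cn=alice", "alice@example.test", flag)
        print(f"always_export_unconfirmed={flag}: committed={committed} "
              f"after {cycles} cycle(s); {len(notes)} mismatch notice(s)")
```

With the default behavior the first cycle reports success, the import notices the mismatch, and the change is never exported again, so the target ends up without the value. With the re-export behavior the same mismatch is noticed, but the change stays pending and the second cycle commits it.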