
Microsoft has released Update 3 for FIM 2010 RC1. It is available on Connect here. This is the final pre-release of the product before RTM. I think this is a major release because it can be installed as an update or as a new install from scratch. It contains a (new) installation guide. Make sure to read the release notes FIRST before installing it!!!

 

Summary of changes in Update 3

This package contains multiple updates to the following Microsoft® Forefront™ Identity Manager 2010 feature areas. It also contains a number of general improvements to FIM functionality and reliability.

  • New prerequisites:
    1. Windows® Installer 4.5 for all server components
    2. For the FIM Service: Microsoft SQL Server® 2008 Service Pack 1 (SP1)
    3. For the FIM Add-In for Outlook: Microsoft Office Outlook® 2007 Service Pack 2 (SP2)
  • New supported platforms for FIM Certificate Management:
    1. Windows Server® 2008 R2
    2. Windows Server Datacenter Edition
  • FIM Synchronization Service improvements:
    1. Fixed customer-reported failures in FIM Synchronization Service.
    2. Fixed issues with multimastered attributes.
    3. The FIM management agent (MA) will now store error messages with the operation during export. You do not have to look in the FIM Service event log anymore to view the errors.
    4. You can now have several MAs that are responsible for deleting a resource. This solves a common problem in which custom code was necessary for Declarative provisioning.
    5. Added two new Declarative provisioning functions:
       • Null – This SR should not contribute a value.
       • ReplaceString – Find and replace a substring in another string.
  • Introduces new Management Policy Rule (MPR) types:
    1. The new Set Transition MPR type allows for easy creation of Policies that apply to Set membership changes (that is, when resources enter or leave a specific Set).
    2. During Update 3 installation, all existing MPRs in the system are marked as Request-based MPRs.
    3. The Run On Policy Update flag is now applicable only to the new Set Transition MPRs.
    4. Temporal policy definitions require the use of the new Set Transition MPRs.
  • Fixes an issue in which queries did not evaluate correctly if they contained three or more conditions and at least two of them used the not() operator.
  • Adds support for Exchange 2010, which includes the following:
    1. FIM Synchronization Service support for Active Directory MA and global address list (GAL) MA
    2. The FIM Service sending and receiving mail
    3. Outlook 2007 on Exchange 2010 sending approvals and group membership requests
  • Adds support for SQL Server Failover Clusters for High Availability.
  • Adds support for taking database backups without stopping the FIM Service.
  • Removes DomainSynchronizationActivity and replaces it with built-in logic to support cross-forest group management.

Important

This update deletes the WorkflowDefinition Group management workflow: Domain information synchronization for cross-forest resources, which has the Resource ID 955e3366-fbcc-43ee-b6e4-2001b81971da. You should back up any changes you may have made to this resource before installing the update and then re-create the functionality in a new activity.

 

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------

In previous client versions of Windows, ADLDS (a.k.a. ADAM) was available for WXP. In addition to that, it was available in every server version of Windows (W2K3, W2K3R2, W2K8 and W2K8R2). There was no official version for Vista, but if I remember correctly (not sure though) it was possible to get the separate download working with some hacks.

However, since yesterday, Microsoft has provided a version of ADLDS for Windows 7. Now everybody interested in having a lean and mean directory service to test or develop software can run it on his desktop without the need for a server OS.

 

Get it here!

...and for its logo, see here. :-)

 

Cheers,

Jorge


Today I received an e-mail saying that I was re-awarded the MVP Award for Directory Services. This year is the fifth time I have received this award! :-)

 

----------

Dear Jorge de Almeida Pinto,

 

Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year

----------

 

 

!!! THANKS !!!

 

Cheers,

Jorge


Reporting/Auditing

With RC0, a web services client could reconstruct resources via Requests, or betweenTime, atTime and allTime functions

With RC1, a web service client will be able to reconstruct resources via Requests

  • More attributes on Request, and new creator and target fields in RequestParameters values available
  • Configurable request trimming interval to auto-delete requests which have been archived

Also see: http://theexpertscommunity.com/item/show/blog/1381

 

Password Reset Feature

Configuring the MPRs for Password reset was quite complicated. In RC1 these MPRs are pre-configured by default, but are disabled. If you want to use the Password Reset feature you need to enable the MPRs!

Windows XP SP2 is now also supported.

Expect a huge change in how you will be able to use this feature. Very promising! :-) In time I will tell more about this.

Also interesting to know: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/7d538ef4-a286-481f-8ff1-6e4f886e2f1d

 

FIM MA Run Profiles

The FIM MA only supports Full Imports at the moment (see release notes)

 

FIM Portal Schema

Attributes of type "Unindexed String" are not yet supported by the FIM Portal and will not show up in the UI for queries/filters.

 

It is possible to use a dash '-' in the systemName of an attribute, but you should not use it. Why? Well, other parts that may want to use that attribute may not accept that dash in the name. Look at the pictures below.

One of those places where this was found is in a workflow activity. For example… let's say you have created a string type attribute with the systemName 'My-Test-ID' and displayName 'My Test ID'. When using the function evaluator activity you can select as the destination [//Target/My-Test-ID]. You can type this in manually or first select //Target as your workflow parameter and then select 'My Test ID' as your parameter attribute. Click Save and you will see the error in the picture.

 

Cheers,

Jorge


XPATH Filter changes

Double negations are not supported/possible anymore. An example of a double negation is "/Person[not(MyAttribute != '_$$$_')]"

Read more about it here: http://blogs.dirteam.com/blogs/jorge/archive/2009/11/12/fim-2010-not-not-is-empty-and-not-equal-i-think.aspx

In addition:

  • "contains()" function now works like SQL Full Text Search
  • descendants(), betweenTime(), atTime(), allTime() removed
  • membersof() changed syntax

 

Patches

After RC1, patches will be made available through Windows Update. You can also download these manually through the Windows Update Catalog.

At the time of writing, Update1 and Update2 have been released.

For the release notes see: FIM 2010 RC1, Update1 and Update2.

 

Management Agents (MA)

Support for:

  • Active Directory in Windows Server 2008
  • SQL Server 2008
  • Novell eDirectory 8.8
  • Sun Java System DS 6.2
  • IBM DB2 9.1, 9.5

To connect to RACF, ACF2, OS400 or TopSecret, you will still need ILM 2007 FP1.

 

FIM Service Partition

Read more here: http://blogs.msdn.com/darrylru/archive/2009/11/23/service-partitions-multiple-middle-tiers-request-workflow-processing.aspx

 

Checking Uniqueness during object creation

Read more here: http://blogs.dirteam.com/blogs/jorge/archive/2009/12/10/checking-uniqueness-of-an-attribute-in-fim-2010-during-the-create-process.aspx

 

Sync Rules

Sync rules are now bidirectional, meaning that both inbound and outbound flows are possible within one sync rule.

New functions that are available for "External System Scoping":

  • NotContains, NotStartsWith, NotEndsWith

New functions that are available for attribute flows:

  • IsPresent

 

The GUI to create the Attribute Flows also changed. Previously you could create the attribute flows on one screen. Now you have one screen with two tabs for each attribute flow you need. One tab is for the source attribute and the other tab is for the destination attribute. I really do not like this change.

This is the main screen with all the attribute flows. When you want to create a new flow you click "New Attribute Flow"

 

This is what you will see when creating a new attribute flow.

 

Cheers,

Jorge


Export/Import Portal Configuration

In ILM 2007 you were able to export the complete Sync Engine configuration and move it to another instance instead of reconfiguring everything manually. That saved you a lot of work AND mistakes! Although it is possible to export/import individual MAs, you need to be careful, because the precedence configuration may not be the same as on the instance where you did the export. Sometimes it may be better to export the complete server configuration!

In ILM "2" RC0 it was not possible to export ANYTHING from the portal. So, you basically had to reconfigure stuff over and over and over again, until you get annoyed and start dying to be able to use FIM 2010 RC1! Why? FIM 2010 RC1 does allow you to export and import the portal configuration through PowerShell CMDlets. YES ! YES ! YES!!!!!!!!!!!

 

So, how do you do this? Follow the next steps:

  • Start PowerShell
  • Execute: Add-PSSnapin FIMautomation

 

The following FIM CMDlets become available:

  • Export-FIMConfig
    • The Export-FIMConfig cmdlet extracts configuration objects from the FIM Service using the web service interface. The cmdlet recursively follows references contained in objects in order to extract a full representation of the service's configuration. If a reference points to an object which is not marked as a configuration object, the cmdlet downloads the entire representation but does not follow any references.
  • Import-FIMConfig
    • The Import-FIMConfig cmdlet takes in a list of ImportObject objects and executes the web service calls. Please be warned that all ImportObjects sent to Import will be executed. As objects are created, the references are automatically resolved in subsequent update and create operations.
  • Join-FIMConfig
    • The Join-FIMConfig cmdlet takes two lists of Export Objects and joins them into Match Objects. The cmdlet performs the join using criteria specified as arguments to the cmdlet. The join criteria is specific attributes to compare using case-sensitive matching. You may specify individual join criteria for each object type. For example, you may join on EmployeeID for Person and MailNickname for Groups. You may also use multiple attributes as join criteria. For example, you may join ConstantSpecifier objects on both the DisplayName and Value. No default join criteria is provided. The reason you must specify the join criteria is to ensure that this tool joins on attributes or collections of attributes that are unique in your organization.
  • Compare-FIMConfig
    • The Compare-FIMConfig cmdlet takes in a list of MatchObject and performs an attribute-level comparison on the source and target objects. The cmdlet returns a list of changes to make to the target system such that it looks like the source system. The list of changes is guaranteed to be in precedence order. For example, if a Workflow Definition references an Email Template, then the cmdlet guarantees that the EmailTemplate exists prior to creating the WorkflowDefinition. All objects are processed generically without regard to object type except for ManagementPolicyRule objects. These objects are processed in a special way: the cmdlet guarantees that all dependent sets are updated prior to workflow definitions.
  • ConvertFrom-FIMResource
    • The ConvertFrom-FIMResource cmdlet serializes objects used elsewhere in the FIM Automation Snapin into XML. The motivation for this cmdlet is that you can save intermediate work and transfer it among computers. The cmdlet serializes the objects using XmlObjectSerializer in .NET. It is necessary to use this cmdlet over Export-Clixml because Export-Clixml does not preserve nested and complex types.
  • ConvertTo-FIMResource
    • The ConvertTo-FIMResource deserializes objects used elsewhere in the FIM Automation Snapin from xml. This is the complement cmdlet to ConvertFrom-FIMResource. The cmdlet deserializes the objects using XmlObjectSerializer in .NET.

 

Using the Get-Help CMDlet you can get additional information on how to use each FIM CMDlet, including examples (e.g. Get-Help Export-FIMConfig).

Remark: Make sure to read this too!
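The production-side half of the migration, as an added example that is not from the original post or from Microsoft's scripts: it joins and compares, writes the change list for review, and imports only when re-run with -Commit. The file names, the join rules other than Person, Group and ConstantSpecifier, the ImportObject properties ObjectType, State and TargetObjectIdentifier, and the parameter names -source, -target, -join, -file and -uri are assumptions to confirm with Get-Help on your build.

```powershell
# Added example: compute, review, then apply portal configuration changes.
# Run once without -Commit to produce changes.xml, review it, then run with -Commit.
param(
    [string]$PilotFile   = "pilot.xml",     # produced on the source server
    [string]$ChangesFile = "changes.xml",   # assumed name for the change list
    [string]$UndoneFile  = "undone.xml",    # assumed name for failed imports
    [string]$Uri         = "http://localhost:5725/ResourceManagementService",
    [switch]$Commit
)

if (-not (Get-PSSnapin FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

if ($Commit) {
    # Import executes every ImportObject it receives, so only the file that
    # was written (and reviewed) earlier is used here; nothing is recomputed.
    if (-not (Test-Path $ChangesFile)) {
        throw "No $ChangesFile found. Run without -Commit first and review the result."
    }
    $undone = ConvertTo-FIMResource -file $ChangesFile | Import-FIMConfig -uri $Uri
    if ($undone) {
        $undone | ConvertFrom-FIMResource -file $UndoneFile
        Write-Warning "Some imports did not complete; see $UndoneFile."
    } else {
        Write-Host "Import complete."
    }
    return
}

# Join criteria per resource type; attribute names are separated by spaces.
# Person, Group and ConstantSpecifier follow the cmdlet help quoted above;
# the other entries are assumptions. Each attribute set must be unique in
# your organization, or objects will be matched to the wrong target.
$joinRules = @{
    Person                   = "EmployeeID"
    Group                    = "MailNickname"
    ConstantSpecifier        = "DisplayName Value"
    Set                      = "DisplayName"
    ManagementPolicyRule     = "DisplayName"
    WorkflowDefinition       = "DisplayName"
    EmailTemplate            = "DisplayName"
    ObjectTypeDescription    = "Name"
    AttributeTypeDescription = "Name"
    BindingDescription       = "BoundObjectType BoundAttributeType"
}

Write-Host "Loading source configuration from $PilotFile"
$pilot = ConvertTo-FIMResource -file $PilotFile

Write-Host "Exporting current target configuration"
$production = Export-FIMConfig -uri $Uri -policyConfig -schemaConfig -portalConfig

# Pair source and target objects, then compute attribute-level differences.
$matched = Join-FIMConfig -source $pilot -target $production -join $joinRules
$changes = @($matched | Compare-FIMConfig | Where-Object { $_ })
if ($changes.Count -eq 0) {
    Write-Host "Target already matches source; nothing to import."
    return
}

# Persist the change list so it can be reviewed and archived before import.
$changes | ConvertFrom-FIMResource -file $ChangesFile

# Review aid: number of objects per type and pending operation.
$changes | Group-Object ObjectType, State | Sort-Object Name |
    Format-Table Count, Name -AutoSize

# Policy objects decide who may do what, so list those changes one by one.
$policyTypes = "ManagementPolicyRule", "Set", "WorkflowDefinition"
$changes | Where-Object { $policyTypes -contains $_.ObjectType } |
    Select-Object State, ObjectType, TargetObjectIdentifier |
    Format-Table -AutoSize

Write-Host "Review $ChangesFile, then re-run with -Commit to apply it."
```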

 

 

WorkFlow Activities designed for ILM "2" RC0 to be used in FIM 2010 RC1

Short one. Check the following URL: http://blogs.dirteam.com/blogs/jorge/archive/2009/10/04/workflow-activities-designed-for-ilm2-rc0-may-not-work-for-fim-2010-rc1.aspx

 

Enable/Disable codeless provisioning

In RC0 you could only disable/enable scripted (through Rules Extensions) provisioning. As soon as an object mapping was defined in the ILM2 MA provisioning would occur, assuming other prerequisites were also met (initial flow only for anchor attributes and criteria). It was not possible to disable codeless provisioning. In RC1 you now can disable codeless provisioning through the Identity Manager GUI. If the setting is not checked, provisioning through Codeless Provisioning will not work. AND it is disabled by default!

 

Cheers,

Jorge


MPRs

New MPRs have been defined or existing MPRs have been redefined. In ILM "2" RC0 an MPR called "Administrators have Full Control" existed which gave administrators Full Control permissions over existing stuff and newly created stuff. In FIM 2010 RC1 I created a new object type called COMPUTER including the attributes I wanted on that. I then wanted to create a computer object and at the end when I clicked SUBMIT I got an access denied. Researching a bit more I found out that administrators only have Full Control over configuration stuff in the FIM Portal. They are not allowed to create users and in my case also computers. So, for those object types I had to create an MPR that gave the administrators Full Control over those objects. Now you can take two different approaches: (1) create a permissions-based MPR for each object type, or (2) create a permissions-based MPR that gives the administrators Full Control over ALL objects.

In addition, it is possible to disable and re-enable MPRs. Now you do not have to delete them or change them in such a way that they are not used by the system. Remember that when you get an access denied, two cases might apply: (1) no MPR is available, or (2) an MPR is available but it is disabled!

 

 

After you have configured your FIM system with all kinds of MPRs, SETs, Workflows, etc., how are you going to find out or troubleshoot, after 6 months for example, how a particular system works? In ILM "2" RC0 that was a pain in the well-known behind! In FIM 2010 RC1 you will find a button called MPR Explorer (see below). It is "just" a button and because of that you might miss it.

 

Clicking that button shows you the following screen which allows you to select what you want to check/do.

After that, for what you want to do, you define criteria as shown below. In my case I wanted to know which "enabled" "permissions-based MPRs" apply when "ADM.ROOT" makes a request to "Create a resource", "Delete a resource", "Read resource", "Add a value to a multi-valued attribute", "Remove a value from a multi-valued attribute" OR "Modify the value of a single-valued attribute" against "All Objects".

 

The results of the query I'm making are shown below

 

SCOM Management Pack

A SCOM Management Pack will be made available for FIM 2010.

| Component   | # Monitors | # Events |
|-------------|------------|----------|
| FIM Service | 9          | 8        |
| FIM Portal  | 11         | 10       |
| FIM Sync    | 7          | 6        |
| FIM CM      | 6          | 6        |

 

 

 

 

Cheers,

Jorge


So FIM 2010 RC1 came out in the beginning of October, and here are my first impressions, or changes I found (either through my own testing/reading or through some other posts):

OS Support

FIM 2010 now supports both Windows Server 2008 (x64) and Windows Server 2008 R2 (x64). Be aware though: if you want to combine all kinds of technologies on one server (e.g. test/demo environment), check the requirements and prerequisites of all components. For example, Exchange Server 2007 is not supported on Windows Server 2008 R2 and FIM 2010 does not support Exchange Server 2010 yet. However, Microsoft changed their plans and has decided to support Exchange Server 2007 on Windows Server 2008 R2 in the (near) future!

 

Additional Options During install + FIM Portal Access

Read more about this here: http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/enabling-fim-portal-access-for-a-regular-ad-user-account.aspx

 

FIM 2010 Portal itself

The graphics department at Microsoft has been busy changing its looks and rebranding everything within the system from "Identity Lifecycle Manager "2"" to "Forefront Identity Manager 2010"

BEFORE

 

AFTER

 

Other stuff within the product that was rebranded is:

| ILM "2" RC0 Naming | FIM 2010 RC1 Naming |
|--------------------|---------------------|
| Identity Lifecycle Manager "2" | Microsoft Forefront Identity Management |
| ILM Service | FIM Service |
| MIIS / Sync Engine | FIM Synchronization Service |
| CLM | FIM Certificate Management |
| Object Type | Resource Type |
| Object Visualization Configuration (OVC) | Resource Control Display Configuration (RCDC) |
| Service: Microsoft Identity Integration Server | Service: Forefront Identity Manager Synchronization Service |
| Service: Microsoft Identity Lifecycle Manager Service | Service: Forefront Identity Manager Service |
| Service: Microsoft ILM Password Service | Service: Forefront Identity Manager Password Reset Client Service |
| Service: Certificate Lifecycle Manager | Service: Forefront Identity Manager CM Update Service |
| Identity Manager | Synchronization Service Manager |

 

FIM MA in Identity Manager

Connection information for the FIM MA is different. You now need to specify the SQL Server, the SQL DB for the portal (to read from) and the address of the FIM Service you want to use for writes (You can have more than one FIM Service and you can dedicate a FIM Service instance for the FIM Sync Engine if you need/want to)

 

Cheers,

Jorge


To be able to access the FIM portal as a regular user, the following MUST be true:

  • The user has an AD user account
  • The attributes "Domain", "AccountName" and "ObjectSID" must be populated with the values of that AD user account, synched by the FIM Sync Engine
  • The correct permissions have been configured for the AD user account in the FIM Portal (see more below)

 

To configure the correct permissions in the FIM Portal to allow portal access for regular users, additional configuration checkboxes appear during the installation of the FIM Portal:

  • Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)
  • Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)

 

In addition to all this, you as an administrator need to enable a few MPRs which are disabled by default. I'm talking about the following MPRs:

  • "General: Users can read non-administrative configuration resources"
  • "User management: Users can read attributes of their own"

 

You can check the MPRs in the FIM Portal or you can use this PowerShell script to do that for you. The result may look like:

 

This is for simple plain FIM Portal access. If you want to allow a user to do more, you need to create and/or enable additional MPRs.
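One way to check the state of the two MPRs named above from PowerShell, as an added example that is not the script the post links to. It separates the two access-denied causes, an MPR that is missing and an MPR that exists but is disabled. The attribute name Disabled, the -onlyBaseResources switch and the ResourceManagementObject property path are assumptions to verify on your build.

```powershell
# Added example: report whether the MPRs needed for basic FIM Portal access
# exist and are enabled.
param([string]$Uri = "http://localhost:5725/ResourceManagementService")

if (-not (Get-PSSnapin FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# The two MPRs the post names as required for plain portal access.
$requiredMprs = @(
    "General: Users can read non-administrative configuration resources",
    "User management: Users can read attributes of their own"
)

# Return the value of one attribute of an exported resource, or nothing.
function Get-FimAttributeValue($ExportObject, [string]$AttributeName) {
    $attribute = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }
    if ($attribute) { $attribute.Value }
}

# Look up one MPR by display name and classify it.
function Get-MprStatus([string]$DisplayName) {
    # -customConfig expects an XPath filter; the names above contain no quotes.
    $filter = "/ManagementPolicyRule[DisplayName='$DisplayName']"
    $found = @(Export-FIMConfig -uri $Uri -onlyBaseResources -customConfig $filter |
        Where-Object { $_ })

    if ($found.Count -eq 0) {
        $status = "Missing"
    } else {
        # Assumption: the enabled/disabled state is stored in "Disabled".
        $enabled = @($found | Where-Object {
            (Get-FimAttributeValue $_ "Disabled") -ne "True"
        })
        if ($enabled.Count -gt 0) { $status = "Enabled" } else { $status = "Disabled" }
    }
    New-Object PSObject -Property @{ MPR = $DisplayName; Status = $status }
}

$report = @($requiredMprs | ForEach-Object { Get-MprStatus $_ })
$report | Format-Table MPR, Status -AutoSize

$notReady = @($report | Where-Object { $_.Status -ne "Enabled" })
if ($notReady.Count -gt 0) {
    Write-Warning "$($notReady.Count) required MPR(s) are missing or disabled; regular users will get access denied."
}
```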

 

Cheers,

Jorge


FIM 2010 provides CMDlets to migrate the configuration of the FIM Portal from one server to another. The first step is exporting the configuration of the SOURCE server. The PowerShell script you can use for that is:

---------
# ExportPilot.ps1
# Copyright (c) 2009 Microsoft Corporation
# The purpose of this script is to export the current configuration in the pilot environment.
# The script stores the configuration into file "pilot.xml" in the current directory.

Add-PSSnapin FIMAutomation

$pilot_filename = "pilot.xml"

Write-Host "Exporting configuration objects from pilot."
$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig
Write-Host "Exported " $pilot.Count " objects from pilot."

$pilot | ConvertFrom-FIMResource -file $pilot_filename
Write-Host "Pilot file is saved as " $pilot_filename "."
Write-Host "Export complete. The next step is to copy " $pilot_filename " to production and run SyncProduction.ps1."
---------

 

This script will export policy configuration, schema configuration and portal configuration. If you want to export custom configuration, such as certain object types, you need to replace a line as specified in the documentation.

REPLACE

$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig

WITH

$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig -customConfig ("Group","Person")

 

However, as soon as you execute your adjusted PowerShell script, you will get the following error:

-------------
Export-FIMConfig : Failure on making enumeration web service call.
Filter = Group
Error= Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: cannot filter as requested
at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.EnumerateResources(SearchParameters parameters)
at Microsoft.ResourceManagement.WebServices.ResourceManager.MoveNext()
at Microsoft.ResourceManagement.Automation.ExportConfig.EndProcessing()
At C:\_FIM-CONFIG\ExportFIMConfigFromSource.ps1:10 char:27
+ $Source = Export-FIMConfig <<<< -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig -customConfig ("Group","Person")
+ CategoryInfo : InvalidOperation: (:) [Export-FIMConfig], InvalidOperationException
+ FullyQualifiedErrorId : ExportConfig,Microsoft.ResourceManagement.Automation.ExportConfig
-------------

 

This is telling you the filter of the customConfig option is wrong. That is weird, as the way I'm using it is also mentioned in the help of the CMDlet. However, it appears that you need to use the XPATH filter notation. So the correct line would be:

$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig -customConfig ("/Group","/Person")

 

Oh, by the way… This is for FIM 2010 RC 1 Update2

 

SOURCE: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/6e543d7a-2543-4975-9b5d-0615ae341e47

 

Cheers,

Jorge


At the time of writing Update 2 has been released for FIM 2010 RC1. This update introduces a new feature for RCDCs which leverages XPATH.

 

In short, when you CREATE a new object in the FIM Portal you can configure an attribute in the RCDC (a.k.a. OVC) to check if the value that was entered manually already exists in the database. If it does not, you can continue. If it does already exist, it will tell you right away! Unfortunately this does NOT work when EDITING an object as the check is not made.

From my personal experience I can say that administering RCDC XML files in XML Notepad is friendlier than editing the text under the hood. Others like to do it in Visual Studio as that also performs additional checks.

 

Now let's say you do not use an activity to generate a unique AccountName for a person object in the FIM Portal. Instead you need to do it manually and you would like to know right away if it's possible to use that value or not.

In the RCDC for user creation you may have a similar section for the AccountName attribute.

In some editor, it would look like:

 

In XML Notepad, it would look like:

 

After you have edited the RCDC, you need to load it into the FIM Portal and finish with an IISRESET. Make sure to run the IISRESET with elevated permissions (otherwise it will fail).

When creating a user manually and entering the AccountName, you will see the following if the attribute value already exists as soon as you click NEXT:

 

 

Source: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/cc51ca7a-908c-40bf-ae10-f47711dd321b

 

Cheers,

Jorge


You might have noticed that resource counts do not work in FIM 2010 RC1 (even with Update 1). After installing Update 2, this is fixed again. However, take into account the following comment that I found on the FIM TechNet Forum.

 

"This feature is currently broken in RC1 and from RC1 forward will be not supported out of the box. However, if you plug the xpath query back in Approve Requests search scope again after Update 2 (not yet released), it should start to work again. You will get a penalty of 2 seconds on home page load when you add in this query. In fact for each nav bar count query you add in, it would be 2 second delay. For performance reason, we decided to not enable it out of box in Update 2."

 

Source: http://social.technet.microsoft.com/Forums/en/ilm2/thread/184bb2b7-b20a-4c8a-ab7d-d7098bd997ba

 

 

 

Cheers,

Jorge


Microsoft has released another update for FIM 2010 RC1. After a few days it will be available through Windows Update.

 

This package contains multiple updates to the following FIM feature areas:

  • Sets
  • Setup
  • Codeless Provisioning
  • Management Policy Rules
  • Portal user interface
  • Schema
  • Self-service Password Reset
  • Synchronization engine
  • Workflow

 

Detailed information about these updates can be found in the release notes for Update 2.

 

Summary of changes in Update 2

This package contains multiple updates to the following Microsoft® Forefront Identity Manager 2010 feature areas as well as a number of general improvements to functionality and reliability:

  • Codeless Provisioning
    • Adds a Null function to support not flowing values to a disabled AD account.
    • You can now set attribute precedence between classic provisioning and codeless provisioning attribute flows.
  • Configuration Migration Tool
    • During the import phase the Migration tool now resumes after logging failures. This allows the Migration tool to complete as many imports as possible on a single run while noting the failures still requiring administrator resolution.
    • Migrating custom resource types is now supported.
  • Management Policy Rules (MPR)
    • When defining permissions for enumeration you no longer need to grant all the permissions for required attributes as part of a single MPR. The system will now properly aggregate permissions from multiple MPRs when evaluating query permissions.
  • Password Reset
    • Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials.
  • Portal User Interface
    • You can now copy and paste a vertical list from Excel to the Resource Picker input box. This is especially useful for doing bulk Adds.
    • The UOC text box now lets you check uniqueness on Create operations using a custom XPATH statement that you provide.
    • Note: Uniqueness checking only works in Create mode, not in Edit mode. Attempting this in Edit mode may cause the check to be done when it's not intended.
    • Fixes an issue introduced in Update 1 where the portal may show valid Active Directory security group memberships as invalid.
  • Schema
    • The product now enforces schema validation at the web services layer to disallow Required reference types.
  • Sets
    • All Sets restrictions noted in the RC1 Release Notes have been removed. In particular:
      • You no longer need to avoid the use of the following operators in set creation: <, <=, >, >=, endswith, startswith, nesting.
      • You are no longer limited to using only the literal = operator with multi-valued operators when creating sets.
      • You no longer need to avoid having explicit members in a set which has a defined filter.
  • Setup
    • Resolves a number of issues that occurred on a first-time installation of the RTM product. These changes are not visible in the installations of the Updates, but you will receive the benefits of these improvements on new installations of the RTM product.
  • Synchronization engine
    • Synchronization rule error messages are now visible during synchronization previews.
    • Resolved an issue where having multiple join and projection rules causes rule corruption on a full synchronization.
    • Removes management agent (MA) support for Exchange version 5.5 and Windows NT.
    • Various other improvements in synchronization preview.
  • Workflows
    • Owner-originated requests are now auto-approved.

 

Available Updates:

| Component | MSP Name |
|---|---|
| FIM 2010 RC1 Synchronization Service (Evaluation edition--this is the version in the public download) | FIMSyncService_EVAL_KB977312.msp |
| FIM 2010 RC1 Synchronization Service (VL edition--this is the version for production deployments) | FIMSyncService_VL_KB977312.msp |
| FIM 2010 RC1 Service and Portal | FIMService_KB977312.msp |
| FIM 2010 RC1 Service and Portal Language Packs | FIMServiceLP_KB977312.msp |
| FIM 2010 RC1 Add-ins and Extensions (Note: versions included for x86 and x64) | FIMAddinsExtensions_KB977312.msp |
| FIM 2010 RC1 Add-ins and Extensions Language Pack (Note: versions included for x86 and x64) | FIMAddinsExtensionsLP_KB977312.msp |

 

The EXEs cannot be used to install the update directly. If you try, you will get the following error: "This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package"

So, if it is an EXE, you can use either of the following methods:

  1. <File>.exe /C:"MSIEXEC /p <MSP File Name>"
    OR if that does not work
  2. <File>.exe /T:"<Folder to extract to>" --> if you get the error "", then do not click OK right away, but look in the folder. Copy the MSP to another location and then click OK.

 

If it is a CAB, just extract it.

 

Then double-click the MSP file to install it.
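As an alternative to double-clicking, the sketch below (an added example, not part of the original post or the release notes) unpacks a CAB if needed, checks the Authenticode signature of the MSP, and applies it with `MSIEXEC /p` plus a verbose log. The function name, the working folder and the expected signer string are assumptions, and it assumes the MSP carries a publisher signature.

```powershell
# Added example: verify an extracted FIM update MSP before applying it.
# Install-VerifiedMsp, $WorkDir and $ExpectedSigner are hypothetical names/values.
function Install-VerifiedMsp {
    param(
        [Parameter(Mandatory)] [string] $Package,           # a .cab or an already extracted .msp
        [string] $WorkDir = (Join-Path $env:TEMP 'FIM_KB977312'),
        [string] $ExpectedSigner = 'Microsoft Corporation'  # assumption: publisher name in the signing certificate
    )

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

    # A CAB is unpacked with expand.exe; an MSP is used as-is.
    if ([IO.Path]::GetExtension($Package) -ieq '.cab') {
        & expand.exe $Package '-F:*.msp' $WorkDir | Out-Null
        $msp = Get-ChildItem -Path $WorkDir -Filter *.msp | Select-Object -First 1
        if (-not $msp) { throw "No MSP found in $Package" }
        $mspPath = $msp.FullName
    } else {
        $mspPath = (Resolve-Path $Package).Path
    }

    # Refuse a patch whose signature is missing, broken, or from another publisher.
    $sig = Get-AuthenticodeSignature -FilePath $mspPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for $mspPath is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Keep the hash and a verbose installer log for the change record.
    $hash = (Get-FileHash -Path $mspPath -Algorithm SHA256).Hash
    $log  = Join-Path $WorkDir ((Split-Path $mspPath -Leaf) + '.log')

    $p = Start-Process msiexec.exe -ArgumentList "/p `"$mspPath`" /l*v `"$log`"" -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is required.
    if ($p.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($p.ExitCode); see $log"
    }

    [pscustomobject]@{ Msp = $mspPath; SHA256 = $hash; ExitCode = $p.ExitCode; Log = $log }
}

# Usage (constructed path):
# Install-VerifiedMsp -Package 'C:\Temp\FIMService_KB977312.msp'
```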

 

Get this update here. (Windows Update Catalog)

 

More info here. (may not be available right away, but rather later on!)

 

Make sure to read the release notes about how to install!!!

 

Cheers,

Jorge

--------------------------------------------------------------------------------------------------

Queen has created tons of kick a$$ songs. For me, one of the best rock bands ever! As a tribute to Freddie Mercury, who died 18 years ago on November 24th, the Muppets have created their own version of "Bohemian Rhapsody". Besides being one heck of a song, I really had a good laugh when I saw it. It was so much fun. Even my little daughter was "dancing" when she saw/heard it (now I know she has good taste in music!)

 

Watch it for yourself.

 

 

Cheers,

Jorge

--------------------------------------------------------------------------------------------------

Office 2010 Beta is NOW available on TechNet and MSDN!

Although I'm using Windows 7 RTM x64, unfortunately for me, I still have to use the x86 version because a lot of add-ins are not x64 (yet). Although available, you need to have the correct subscription, otherwise you will see it but cannot access it.

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
