Wednesday, April 07, 2010 9:34 AM
FIM 2010 and Windows 2008 R2 AD support
Some time ago I wrote about issues with the ILM 2007 FP1 Active Directory MA connecting to Windows 2008 R2 forests. In short: it is supported as long as the Recycle Bin is not enabled.
Someone asked a question on ActiveDir.org about whether this is also supported with FIM 2010. I've asked a few people (thanks Andreas) and it looks the same: the FIM 2010 AD MA is supported with Windows 2008 R2 Active Directory as long as the Recycle Bin is not enabled. However, there is light at the end of the tunnel ...
... the problem with the ILM \ FIM AD MA is related to its use of the DirSync control, which can be used in conjunction with LDAP queries to retrieve the changes made in AD since the last query. With the Recycle Bin enabled, links to deleted objects are treated differently (links are disabled \ enabled instead of being deleted). The effect is that when a user is restored, group membership is not correctly imported in the delta cycles. However, the AD team has released a hotfix, described in KB 979214, which corrects the behavior of the DirSync control in this scenario.
This of course won't fix the problem with the FIM AD MA itself. That will be fixed when an update to FIM is released (sorry, no date known to me at this moment).
However, this fix is also important to know about for application developers who use DirSync to pull changes from AD. Good to know: if such applications are (not) working in your environment, it may be worth deploying this fix.
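For developers and administrators who want to see what a DirSync client actually receives, here is a minimal delta poll of group `member` links. It is an added example, not code from this post or from the FIM product. The function name, `$Server` and `$DomainDN` are placeholders, and the caller is assumed to hold the "Replicating Directory Changes" right on the domain naming context.

```powershell
# Added example: incremental DirSync poll of group 'member' link changes.
# Assumptions: $Server / $DomainDN are placeholders supplied by the caller.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-GroupMemberDelta {
    param(
        [Parameter(Mandatory = $true)][string]$Server,    # domain controller to query
        [Parameter(Mandatory = $true)][string]$DomainDN,  # root of the domain naming context
        [byte[]]$Cookie                                   # omit on the first call (full enumeration)
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $conn = New-Object "$ns.LdapConnection" $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $changes = @()
    try {
        do {
            $req = New-Object "$ns.SearchRequest"
            $req.DistinguishedName = $DomainDN
            $req.Filter = '(objectClass=group)'
            $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
            [void]$req.Attributes.Add('member')
            $ctl = New-Object "$ns.DirSyncRequestControl"
            $ctl.Cookie = $Cookie
            $ctl.Option = [System.DirectoryServices.Protocols.DirectorySyncOptions]::IncrementalValues
            $ctl.AttributeCount = 1048576
            [void]$req.Controls.Add($ctl)
            $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
            foreach ($entry in $resp.Entries) {
                foreach ($name in $entry.Attributes.AttributeNames) {
                    if ($name -notlike 'member*') { continue }  # skip objectGUID, instanceType
                    # With IncrementalValues: ;range=1-1 = values added, ;range=0-0 = values removed
                    $action = switch -Wildcard ($name) { '*;range=1-1' { 'added' } '*;range=0-0' { 'removed' } default { 'set' } }
                    foreach ($dn in $entry.Attributes[$name].GetValues([string])) {
                        $changes += New-Object psobject -Property @{ Group = $entry.DistinguishedName; Action = $action; Member = $dn }
                    }
                }
            }
            $sync   = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
            $Cookie = $sync.Cookie
        } while ($sync.MoreData)
    } finally { $conn.Dispose() }
    # Persist Cookie between runs; passing it back returns only changes made since this call.
    New-Object psobject -Property @{ Cookie = $Cookie; Changes = $changes }
}
```

Call it once to obtain a cookie, restore a test user in a lab forest, then call it again with the saved cookie to see which of that user's group links the delta reports.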