Experts Corner Article Microsoft has released update 1 for Microsoft Forefront Identity Manager (FIM) 2010. This update applies only to FIM 2010 RTM which is also known as build 4.0.2592.0. This update is recommended for all installations of FIM 2010. Important notes about the cumulative update package: Update packages for each FIM component are distributed in separate update files. A new prerequisite for Update 1: The FIM Synchronization Service is now using SQL Native Agent. More Information How to Obtain Update 1 for FIM 2010 This update is available on the following services: Download Method Components Microsoft Update Catalog All Component Automatic Updates All Components Windows Update site For update on Windows XP only FIM Add-ins and Extensions FIM Add-ins and Extensions LP FIM CM Bulk Issuance Client FIM CM Client Note: We recommend that you test these updates before installing them on any production machines. Please test the update method in test that will be used in production. Important: For the FIM server components, there is a limitation when using Automatic Updates through the Microsoft Update service. Allowing the Windows Update service on Windows Server 2008 to both download and automatically install the update may cause problems with the install. If you choose to use the Windows Update service to download the update package we recommend that you configure the service to download and prompt for installation. This will work around the issue. Component Update File Information Component Update Packages The following table contains the component update packages that are available for download. Component Filename FIM 2010 Add-ins and Extensions FIMAddinsExtensions_KB978864.msp (Note: versions available for x86 and x64) FIM 2010 Add-ins and Extensions Language Pack FIMServiceLP_KB978864.msp (Note: versions available for x86 and x64) FIM 2010 Certificate Management FIMCM_KB978864.msp FIM 2010 Certificate Management Bulk Issuance Client FIMCMBulkClient_KB978864.msp FIM 2010 Certificate Management Client FIMCMClient_KB978864.msp (Note: versions available for x86 and x64) FIM 2010 Service and Portal FIMService_KB978864.msp FIM 2010 Service Portal Language Pack FIMServiceLP_KB978864.msp FIM 2010 Synchronization Service FIMSyncService_KB978864.msp FIM 2010 Password Change Notification Service FIMPCNS_KB978864.msp (Note: versions available for x86 and x64) Build Information Update package 1 for FIM 2010 RTM is also known as build 4.0.3531.2. Summary of changes in FIM 2010Update 1 This package contains a number of general improvements to functionality and reliability in Update 1 for Microsoft® Forefront® Identity Manager (FIM) 2010. A new prerequisite for Update 1: The FIM Synchronization Service is now using SQL Native Agent. Before Installing This Update FIM Service and Portal and FIM Synchronization Service Back up all databases, configuration files, encryption keys, certificates, and custom components. FIM Product Databases FIMSynchronizationService database FIMService database Configuration Files FIM Synchronization Service All custom rules extensions for the Synchronization Service All custom management agents for the Synchronization Service All needed data from the MAData folder MIIServer.exe.config file Encryption keys (using the Synchronization Service Key Management tool) FIM Service Microsoft.ResourceManagement.Service.exe.config Certificate specified during the FIM Service setup Custom workflows Custom clients FIM Portals Make sure the FIM Portals are available on http://localhost. If you have enabled SSL or for some other reason have made a change so http://localhost isn’t accessible on the FIM Portal server, make the necessary configuration changes so this address is accessible before applying the update. After the update has been installed you can revert the temporary change. Close the FIM Synchronization Service Manager before installing the update on the Synchronization server. This will avoid the need to reboot the machine after the update is installed. It is highly recommended that you install the FIM Service and Portal and the FIM Synchronization Service using the UI. Configure Microsoft Update on those servers to either “Download updates but let me choose whether to install them” or “Check for updates but let me choose whether to download and install them.” FIM Certificate Management Follow the instructions documented in TechNet for backing up the FIM Certificate Management configuration (FIM CM Backup and Restore Guide). Post-Installation Steps If the FIM Language Pack was installed when you applied this update you must also install the Update 1 Language Pack. If you don’t, a product version mismatch will cause the product to fall back to English. If using the Certificate Management management agent in the FIM Synchronization Service, please update both the FIM Synchronization Service and the FIM Certificate Management Service to Update 1. To avoid this requirement, please implement binding redirection settings as documented in (http://support.microsoft.com/kb/2005585). Before Uninstalling the FIM Service and Portal Update If you must uninstall the Service and Portal update package, do the following: Copy the file [FIM Installation Folder]\Service\Microsoft.ResourceManagement.Service.exe.config to a different location so you can copy it back after completing the uninstall. Stop the service FIMService. If the FIM Portal is not located on the same server as the FIM Service, uninstall the update from the FIM Portal server. If you have installed on a SharePoint farm, this step will most likely time out. To work around this issue, uninstall the FIM Portal and reinstall it as described in the FIM Installation Guide. Restore the FIM Service Database to the FIM RTM version. The RTM version of the FIM Service will not start if the database has been updated to FIM 2010 RTM Update 1. Uninstall Update 1 from the Control Panel. On the FIM Service server, in the FIM Service installation folder, open the Microsoft.ResourceManagement.Service.exe.Config file. Replace all occurrences of “4.0.3531.2” with “4.0.2592.0” to reconfigure for the RTM build. On the FIM Portal server, open the web.config file in the root folder of the web site. Replace all occurrences of “4.0.3531.2” with “4.0.2592.0” to reconfigure for the RTM build. Copy the file Microsoft.ResourceManagement.Service.exe.config back to its original location. Start the FIM Service. Known Issues Installation of Update 1 fails when cached MSI is not available Update 1 for the server components fail to install if you have deleted the FIM RTM installation folder. Setup log will contain the following message: “MSI (s) (60:2C) [17:34:40:010]: Product: Forefront Identity Manager Synchronization Service -- Error 1706. No valid source could be found for product Forefront Identity Manager Synchronization Service. The Windows Installer cannot continue.” Do not delete the FIM RTM installation folder. If you deleted the folder, restore it to the directory where you originally installed RTM. Change Details FIM Portal In the object picker UOC control, clicking the selected items displays the item clicked in a popup window. X-path lookups in email templates now properly resolve references to object ID that previously returned Display Name. [//Target/ObjectID] -or- [//Request/ObjectID] In the dialog to create a binding object, the DisplayName value is properly retained when navigating forward and backwards in the dialog using the Next and Previous buttons. Approval workflows where the approver is blank, as when a user does not have a manager value, will no longer gets stuck in an unresolved state. Now the workflow instance will fail with the remarks: WorkflowInstance 'XXXX' could not resolve any of the defined approvers '[//Target/Manager]' FIM Service A problem in the FIM_DeleteExpiredSysetmObjectsJob SQL Agent that was returning a Primary Key Violation error was fixed. FIM Synchronization Service Added support for Recycle Bin in Active Directory. To get the correct result, install the Active Directory Recycle Bin fix 979214 on the DC used by FIM Synchronization Service. Added a new feature called “Resume Full Sync”. If a full sync is not completed the next time the same run profile is attempted a new option in Run Management Agent will allow the administrator to continue the Full Sync from the point that it stopped. Addressed an issue to detect Exchange Server 2010 in the AD MA. FIM Certificate Management Bulk Issuance Client The FIM CM Bulk Client has been updated to install and run on Windows 7 32-bit. Article Applies To: Microsoft Forefront Identity Manager 2010 (4.0.2592.0) Go to the Experts Corner

Resumable Full Sync Rocks!Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com

Nice writeup Markus, more compete than the offical KB.http://setspn.blogspot.com

Hi Thomas, This is actually the text that was supposed to be in the KB article. Due to a process problem the revisions have been delayed on the KB, so we published the content in the forum. Expect to see this information in the KB article soon. Steve Klem

Hi, Is there any additional info available for the updates to: FIM 2010 Add-ins and Extensions FIM 2010 Password Change Notification Service I'm especially interested in the second one, what was updated, is it required to update PCNS on all Domain Controllers along with applying Update1 to FIM 2010 Synchronization Service? Regards Piotr

Nothing has changed in PCNS and it is not required to update it. You can even use PCNS shipped with MIIS and ILM if you want to. /AndreasThis posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/copyright.htm

Do you have a specific link to which I can point? I cannot find it in the catalog. I have tried several searches and come up with nothing. Maybe if you could just supply the appropriate search terms that would be helpful. Thanks!

I'm experiencing the same problem as Kurt Hudson, can't find Update 1 for FIM 2010 RTM on the catalog site. Was anyone else able to find it?

This link should hold the bits for FIM 2010 update 1: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB978864 http://setspn.blogspot.com

I don't understand this note, or the ramifications of it. How will this affect the environment, and is there anything that I need to do manually to make this work after Update 1 is installed? What effect does this cause? "A new prerequisite for Update 1: The FIM Synchronization Service is now using SQL Native Agent." Sorry if this is clearly evident to everyone else... and thank you for the help! Robert

The services make use of the SQL Server Native Client which is distributed as part of SQL Server or the SQL Server Feature Pack. You can download the 2008 version here: http://www.microsoft.com/downloads/details.aspx?FamilyId=C6C3E9EF-BA29-4A43-8D69-A2BED18FE73C&displaylang=en This allows you to download and install only the x64 client for the 2008 Native client: http://go.microsoft.com/fwlink/?LinkId=123718&clcid=0x409 You will not be able to proceed with the upgrade until you install this prerequisite. If your Sync Server is colocated on a box that already has SQL Server installed then the client is already installed.Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com [If a post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]

stupid question: what is the name of "Update 1"? The catalog doesnt have anything by that name.

stupid question: what is the name of "Update 1"? The catalog doesnt have anything by that name.

FIM Update 1 is in fact known as "kb978864" From the microsoft update catalog: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=forefront%20identity%20manager If you want an overview of all builds till now (that I know off): http://setspn.blogspot.com/2010/11/fim-build-overview.html There have been some hotfix packages since Update 1.http://setspn.blogspot.com