Tuesday, January 29, 2013

Voted: Top 5 Deprecated Features of FIM 2010 R2 SP1

I conducted a LinkedIn poll to find out what others thought of the features that are deprecated starting in FIM 2010 R2 SP1. For the poll I only listed the ones I put in my top 5 list. With 15 votes and 1 abstention I thought it would be worthwhile to publish the results:

Here we can see the winner:


  1. Multi-mastery/equal precedence (I had this 2nd)
  2. ECMA1 (XMA) (I had this third)
  3. Tie: Combined Run Profile Steps (e.g. DI/DS) (this was my vote)
  3. Tie: Transaction properties (I had this 4th)
  4. FIM CM MA and CLM utils (I had this last)

If the results change significantly over the next two weeks I will post again.

Thursday, January 17, 2013

The rest of the FIM 2010 R2 SP1 Deprecations

Remember that these features are still here but will be removed in a future version (probably the next major release or the one after).

| Feature | Impact |
|---|---|
| Unselect “allow nulls” for exported values | You need to be more careful to ensure that you aren't deleting values. |
| Web Service configuration interface | You will no longer be able to send a request to the web service to update the mv-data or ma-data objects in order to configure the sync engine. The article says that we will be able to use PowerShell to configure the sync engine. |
| Running Connectors (MA) out of process | Can no longer run the MA out of process. |
| Run Rules Extensions out of process | Can no longer run rules extensions out of process. |
| Join on “Any” object type | You shouldn't be doing that anyway; it makes your join search far less efficient. |
| “Do not recall attributes” | Yeah! I always hated this feature, as I have seen many Metaverse attributes left in states where you can't update that attribute in the Metaverse -- especially if the contributing MA has been decommissioned. |
| Exchange 5.5 Utils | Are you still provisioning to Exchange 5.5? Way past time to upgrade! |
| Configure partition display name | This really only applied to the old MIIS password change site that hasn't been part of the product since ILM 2007 shipped. |

Wednesday, January 16, 2013

Top 5 Deprecated features as of FIM 2010 R2 SP1

Yesterday Microsoft published a list of features that have been deprecated in FIM and will be removed from the product at some point in the future. In other words, these don't require immediate action, but when the next major release of * Identity Manager (* because we don't know what the new name will be -- see my tweet from last week at the Redmond Identity Summit) emerges, those features will likely be gone. So over the next 18-36 months you need to begin moving away from these features.

1. Combined Run Profiles steps such as Delta Import/Delta Sync, Full Import/Delta Sync, and Full Import/Full Sync

Removing the Delta Import/Delta Sync combined run profile step will have a huge impact on shops that have lots of disconnectors in their connector space. Remember that disconnectors are considered pending and so a delta sync always processes them. The Delta Import/Delta Sync single step only processes pending objects that were imported during the delta import.

Hopefully, MSFT will add a feature: a checkbox to determine whether you want to process all disconnectors or just those with import changes since your last sync.
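
Once the combined step is gone, the alternative is to run the import and the sync as separate steps, so the number of disconnectors per management agent indicates how much extra work each delta sync will do. The PowerShell below is an added example, not code from the original post: it uses the sync engine's WMI provider (MIIS_ManagementAgent) to report disconnector counts and to run and time the two steps separately. The run profile names and the MA name are assumptions.

```powershell
# Added example (not from the original post). Run on the FIM Synchronization
# Service host with an account allowed to run management agents.
$Namespace     = 'root\MicrosoftIdentityIntegrationServer'
$ImportProfile = 'Delta Import'   # assumed run profile name; profiles are user-defined
$SyncProfile   = 'Delta Sync'     # assumed run profile name

function Get-DisconnectorReport {
    # Every disconnector counts as pending, so a stand-alone delta sync
    # re-evaluates all of them, not just objects changed by the last import.
    Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent |
        ForEach-Object {
            $total = [int]$_.NumCSObjects().ReturnValue
            $disc  = [int]$_.NumTotalDisconnectors().ReturnValue
            [pscustomobject]@{
                MA             = $_.Name
                CSObjects      = $total
                Disconnectors  = $disc
                PercentPending = if ($total) { [math]::Round(100 * $disc / $total, 1) } else { 0 }
            }
        } | Sort-Object Disconnectors -Descending
}

function Invoke-SplitDeltaRun {
    param([Parameter(Mandatory)][string]$MaName)

    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent |
        Where-Object { $_.Name -eq $MaName }
    if (-not $ma) { throw "Management agent '$MaName' not found" }

    # Import first, then sync, as two separate run profiles.
    foreach ($step in $ImportProfile, $SyncProfile) {
        $timer  = [System.Diagnostics.Stopwatch]::StartNew()
        $status = $ma.Execute($step).ReturnValue
        [pscustomobject]@{
            MA      = $MaName
            Step    = $step
            Status  = $status
            Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        }
        # Choice made for this example: only 'success' and 'completed-*'
        # statuses let the next step run; anything else stops the sequence.
        if ($status -ne 'success' -and $status -notlike 'completed-*') {
            throw "'$step' on '$MaName' ended with status '$status'; stopping"
        }
    }
}

Get-DisconnectorReport | Format-Table -AutoSize
# Invoke-SplitDeltaRun -MaName 'HR MA'   # 'HR MA' is a hypothetical MA name
```

Comparing the `Seconds` value of the sync step against the duration of the existing combined step in the run history gives a rough measure of the cost on agents with many disconnectors.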

2. Multi-mastery/equal precedence

As Paul Loonen describes it:

As a net effect, when the MV attribute is multi-valued, all values contributed by the different MAs are accumulated in the MV attribute.
When the MV attribute is single valued, the value that is last contributed is stored in the MV attribute, or, “the last writer wins”.

The deprecation article leaves a bit of confusion: it says the feature will be removed, but also that you can still keep using it if you have the FIM MA deployed:

You can continue to use this feature if your environment has a FIM Service management agent deployed (this management agent does not provide manual precedence) and to avoid export-not-precedent for declarative provisioning.

So will it be removed or not?



3. ECMA1 (XMA)

Lots of XMA (ECMA 1) code is running out there, and all of it will need to be switched to ECMA 2.0 at some point in the future. While I have this one third, this could actually have the biggest impact. If someone could create a tool that would auto-magically transform them, that would be cool. I don't expect that they would take advantage of all of the new features, but at least people will be able to upgrade without tons of recoding.

4. Transaction properties

This handy feature is used in many advanced coding scenarios to signal to your provisioning code that this object just projected or joined, and then to take some one-time action or skip taking some action.

5. FIM CM MA and CLMUtils

So unlike the Lotus Notes MA and SAP R/3 MA, which have been replaced with newer versions, the FIM CM MA doesn't look like it will be getting replaced. Honestly, there aren't many implementations using this MA. But this has some portents about the future of FIM Certificate Management. I would say that it suggests no future development of FIM CM, but they did just add support for the DataCard CD800 printer as part of SP1, so I don't think it is going away entirely. At a minimum it does suggest a decoupling of the FIM CM from the rest of FIM.

I do think that the acquisition of PhoneFactor suggests that Smart Cards and certificates will have less importance in the authentication game.

Tuesday, January 15, 2013

Top 11 new features of FIM 2010 R2 SP1

My comments on What's new and the release notes for FIM 2010 R2 SP1:


| Rank | Feature | Impact |
|---|---|---|
| 1 | Deferred evaluation of criteria based groups. This setting can be enabled one group at a time. You can also change the default so that as new criteria based groups are created they will be set for Deferred. The default is to calculate group membership twice a day at 2:30 AM and 2:30 PM. | HUGE! Thank you product group for answering my wishes. You see, whenever a request is received by the FIM Service it evaluates permissions, it evaluates whether the request will cause any criteria based set memberships to change, and it also evaluates whether criteria based group memberships will change. For large systems with lots of users and lots of criteria based groups this can take a long time. Now we have the option to defer those calculations, and then the system can perform those calculations using SQL based set logic. I suspect that this is done using SQL Agent jobs and if a more frequent schedule is needed you could tweak the schedule of the job. |
| 2 | Upgrading the FIM database from FIM 2010 to R2 used to be quite time consuming -- this has been improved by at least an order of magnitude from "days [down] to hours." | Phew! It is now safe to get up and upgrade! |
| 3 | "imports of groups with 30,000 members are 2.5 times faster" for AD MA, FIM MA and ECMA 2.0 | This is on the import side rather than the sync side, but every bit of additional speed we get on dealing with references without sacrificing integrity is appreciated. |
| 4 | ECMA has been updated to 2.1. You can now do updates on multi-valued attributes instead of having to do a replace. You can also skip doing confirmations on add. | Good impact on performance |
| 5 | FIM Server components are now supported for: Windows Server 2012; SQL 2012; SharePoint Foundation 2013 (read Installing FIM 2010 R2 on SharePoint Foundation 2013); SCSM 2012 | Note support for earlier versions hasn't been dropped yet. |
| 6 | FIM Client components are now supported for: Windows 8; Outlook 2013 | Note support for earlier versions hasn't been dropped yet. |
| 7 | Support for Windows Server 2012 based AD and Exchange 2013 has been added to the AD MA | Note support for earlier versions hasn't been dropped yet. |
| 8 | Support for SQL Server 2012 has been added to the SQL MA | Note support for earlier versions hasn't been dropped yet. |
| 9 | Support for the FIM Portal in IE 10 (be sure to install the hotfixes mentioned) | |
| 10 | The Sun and Netscape MA is now called Oracle Directory Servers and includes support for Sun 7.x and Oracle 11 | Support for Oracle Internet Directory 11g!!! |
| 11 | "Import-MIISServerConfig PowerShell cmdlet supports now overwriting an existing configuration" | This will help with automated testing scenarios! |

Source Articles:

What's New in Forefront Identity Manager 2010 R2 SP1

Release Notes for Forefront Identity Manager 2010 R2 SP1