My quest to discover and teach Best Practices in Identity Management especially with Microsoft FIM / ILM -- David Lundell of Identity Managed
So in 1 hr and 20 min I will present on
November 13, 2013 21:00 UTC
See when this is in your timezone
David Lundell
Impact of deprecated features.This session will go over various deprecated features that the FIM product group have announced are to be eliminated in future releases, such as XMA v1 (ECMA v1), transaction properties, multi-mastery and equal precedence, with advice on planning for and working around their future absence.
If one of your AD domains has a NetBios domain name that doesn't match the leftmost part of your FQDN you need to have the Replicating Directory Changes permission given to your AD MA account. This is documented in a few places including my book. However, DirSync misses this step. Normally, Dirsync does a very good job of installing and configuring everything which you need without needing you to be an expert in FIM, but this is one thing it misses.
For Example if the FQDN is Exchange.loc but the netbios name of the domain was Snappy then you would use this command to solve the issue
DSACLS "CN=Configuration,dc=exchange,dc=loc" /G "exchange\Grp_DirChanges:CA;Replicating Directory Changes;"
Michael Pearn from down under wrote about his experience trying to use just Declarative Sync Rules
His experience -- especially the religious debates are similar to my own. It made me recall my presentation at TEC 2012 the FIM 2010 R2 Showdown: Classic vs. Declarative
The vast majority of old hands at the presentation declared for Classic both before and after the presentation. During the presentation I attempted to view anything you could do without code as declarative whether it came from a sync rule or not, especially if it was a new feature. But the crowd wouldn't let me claim anything configured in the sync engine as declarative. But in this post only classic code counts as not declarative.
Michael found that he needed classic code for Advance Join rules, doing anything with multi-valued attributes other than just flowing them and "Converting Binary values to ISO8601 Datetime." In his example he could have modified his SQL query that gets the data from HR and avoided the need for the Advanced Join rule.
In addition to Michael's list here are some other things that you may need classic code to do:
But what does the FIM Sync engine bring us beyond what we had in ILM 2007 FP1?
In my presentation I contrasted the new sync rules with the classic config and code:
Finally here were my recommendations that many disagreed with but it sounds like Michael would agree:
There are some high volume scenarios where sync rules are too slow and there are still some customers that get all they want out the classic sync engine and don't want to pay for CALs.
One of my fellow MVPs and Insight teammates Alessandro Cardoso (he runs one of our practices down under) announced on his blog that Windows 2012 R2 and Windows 8.1 RTM now on MSDN and Technet.
He goes on to mention the salient points around 2012 R2 for virtualization so I thought I would discuss some of the benefits for Active Directory and ADFS
One key thing is that ADFS on Windows Server 2012 R2 doesn't require IIS so now it can and should be installed on domain controllers.
But the most exciting aspect is the enhancement to security specifically mobile security. With the advent of Workplace Join (or Join to Workplace) mobile devices (iOS and Windows) can be part of the domain and participate in SSO.
One of the best enhancements to ADFS is the ability to "Set [multi-factor authentication] requirement for all extranet access or conditionally based on the user’s identity, network location or a device that is used to access protected resources." http://technet.microsoft.com/en-us/library/dn280949.aspx
Microsoft put out a release day before yesterday (8/13/13) to fix a security vulnerability in ADFS 2.0
It caused an outage for SSO with Office365 for a customer of ours (they had the servers set to auto update).
http://technet.microsoft.com/en-us/security/bulletin/ms13-066
http://support.microsoft.com/kb/2843639
http://support.microsoft.com/kb/2843638
At the moment we recommend NOT installing these updates.
We saw the following error repeated for every authentication attempt:
Event ID 111 Federation service encountered an error while processing the ws-trust request.
Exception Details:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation ---> System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Protocols.XmlSignature.AsymmetricSignatureOperatorsDelegate' from assembly 'Microsoft.IdentityModel, Version=3.5.0.0
It goes on with the stack trace.
Uninstalling these updates has partially restored service: Outlook and Lync now work, but the Outlook Web Access and SharePoint online still aren't working.
In fact they pulled the patch later in the day yesterday.
At last year's Cloud Identity Summit in Vail I heard a lot about how the password is dead. I expect to hear a lot more this year.
Most of it fit into one of several categories:
Last year when talking about DMZ's Gunnar Peterson said "You have to eat what you kill." Meaning you have to provide replacement functionality.
As I was recently reminded by a business analyst co-worker you always have to start with the requirements. So let's list what are the requirements for a password replacement? Well we need to consider the requirements from several view points
The password killer that best meets the expectations of all of these groups should become the most widely adopted.
So in the next several posts I will explore what each of these view points want in a password killer
Then I plan on evaluating all of the password killers I find against these criteria.
This morning I received an email letting me know that for the 7th time (every year since 2007) I have been honored by Microsoft with the Microsoft Most Valuable Professional (MVP) Award. All 7 times I have received the award for my "outstanding contributions in Forefront Identity Manager technical communities" and its predecessors.
In 2007 despite the product rename Identity Lifecycle Manager (ILM) 2007 the MVP award was for Microsoft Identity Integration Server (MIIS) 2003. By 2008 it was changed to ILM, in 2010 it was changed to FIM.
So I have been an MIIS MVP an ILM MVP and a FIM MVP. Entering into my 7th year I am experiencing an itch. I wonder what product name will come next:
What do you think it will be?
The article on Password Sync for Office 365 is interesting news and clearly states that Federated users can't have their password's synced. In the Community Additions many curious users asked their questions treating it as a forum. Well here are my responses:
If you do Password Sync do you still need ADFS or any other SSO tool that works with Office365?
Password Sync gives you the ability to login to Office365 using the same username and password that you use with your Active Directory. This is usually referred to as Simplified SignOn or Reduced SignOn.
ADFS gives you Single Sign On, meaning that when you are on a computer and have already authenticated an SSO token (a SAML token) is stored on your computer and when you access Office 365 services your computer will transmit the token to the Office365 service, which means that you usually won't need to type in your username and password. That is Single Sign On (you signed on a single time and can now access many services).
Does this mean that you don't need ADFS? That depends (the consulting guild requires that I initially answer all questions in that fashion ;). As you can see Password Sync gets you some benefits that previously required ADFS (use the same password as AD) but not all of the benefits (sign in a single time, and not have to re-authenticate to every service).
If your only online service is Office365 and you are willing to live with your users having to type in their passwords repeatedly then you probably don't need ADFS.
If your only online service is Office365 and you do not want your users to have to type in their passwords repeatedly then you do need ADFS.
If you have multiple online services then you want ADFS or another SSO tool so that you can do SSO to all of them (Dir Sync won't sync your password to anything but Office365 and its Azure AD).
Another question asked is about Password Reset -- in effect why does the Office365 Password Reset feature get disabled if you do Password Sync? The answer is that if you are syncing passwords your local AD is now in charge of passwords (good because it simplifies things for the users -- fewer passwords to remember) rather than Office 365. I suppose Microsoft could have set it up whereby the password reset tool would reset the on premise AD password but probably felt that was too invasive and risky. So if you do go with Password Sync users need to reset their passwords in the local AD using whatever means you already have to do that -- Forefront Identity Manager, some third party Password Reset tool, or the helpdesk.
If you are looking at the XML export of the FIM synchronization config and you are trying to track down which sync rule is supplying a particular flow you just need to know which numbers lead you where.
For example:
<import-flows mv-attribute="accountName" type="ranked">
<import-flow src-ma="{9686B319-E4BF-49C5-90C9-59054CCE3F92}"
cd-object-type="user" id="{210D4BB7-B886-4898-8361-7A232BBD65E8}">
<sync-rule-mapping mapping-type="direct"
sync-rule-id="{B3E7157E-2EDA-E111-BCF5-005056000006}"
sync-rule-mapping-id="{52CF9D5C-33C8-4E1F-B56C-C77F7A9A1577}"
initial-flow-only="false" is-existence-test="false">
<src-attribute>sAMAccountName</src-attribute>
</sync-rule-mapping>
</import-flow>
</import-flows>
The key to finding the Sync rule is of course the Sync rule ID. However, this is not the resource ID that I can search for in the FIM Portal. Rather this is the metaverse ID.
From there I can open the list of connectors and for sync rules there should be one -- the FIM MA.
Then I can see the Distinguished Name of the Sync rule which is the Resource ID (aka ObjectID)
Then I can search in the FIM Portal by ResourceId and find the corresponding Synchronization rule:
Even better is to use the Join-ImportToExportAttributeFlow PowerShell commandlet originally created by Craig Martin http://fimpowershellmodule.codeplex.com/
Joe Zamora found and tweaked a minor bug in it: http://c--shark.blogspot.com/2013/03/one-small-addition-to-powershell-module.html be sure to use this fix.
Using the commandlet you can have a spreadsheet showing you the end to end attribute flow.
In addition to the official reference for functions I thought I would update my examples from back in the ILM 2 Beta days
| Function Name | BitAnd |
| Parameters | 1) mask Type: Integer 2) flag Type: Integer |
| Description | BitAnd is a bitwise operation anding mask and flag. So if Flag is the UserAccountControl Attribute in AD and mask is -3 (the 64-bit two's complement of 2) Then the result is that the disable bit (bit 2) is turned off leaving all of the other bits unchanged. To figure out what mask to use to turn off a bit multiply that number by negative 1 and then subtract one. To turn off bit 2 and the userAccountControl with -3. To turn off bit 16 -- account is locked out and it with a -17. |
| Examples | BitAnd(-3, userAccountControl) Turn off the disable bit Flow the result into userAccountControl in AD to enable a user. |
| BitAnd(-3, 514) =512 if userAccountControl is 514 then the example gives us 512, which reactivates an account | |
| BitAnd(-3, 512) =512 if it is 512 then it remains unchanged. The account was already active | |
| BitAnd(-17, 528) =512 A locked out account (the bit in the 16's place was on) was unlocked | |
| BitAnd(-17, 512) =512 An account that was already unlocked was guaranteed to be unlocked | |
| Eq( BitAnd(2,userAccountControl),2) This is a test to see if an account in AD is currently disabled. If so it will return a true otherwise it will return a false. |
| Function Name | BitOr |
| Parameters | 1) mask Type: Integer 2) flag Type: Integer |
| Description | BitOr is a bitwise operation ORing mask and flag. So if Flag is the UserAccountControl Attribute in AD and mask is 2 Then the result is that the disable bit is turned on |
| Examples | BitOr(2, userAccountControl) Turn on the disable bit. Flow the result into userAccountControl in AD to disable a user. |
| BitOr(2, 512) = 514 if userAccountControl is 512 then the example gives us 514. | |
| BitOr(2, 514) = 514 if it is 514 then it remains unchanged. |
Hopefully this helps you in your codeless provisioning quest.
Remember there are limitations like the output of IIF can't feed into a function parameter expecting an Integer like the mask or the flag in BitAND or BitOR -- and no, I am not BitOr about it. Without casting and conversion functions that is an obstacle that can't be overcome using the FIM functions for that you may need to turn to custom workflows.
I wrote an article for the Insight Newsletter about two of our new offerings.
Solving identity and access management for mid-sized business
By David Lundell, Sr. Manager, Identity and Security Practice
User productivity, IT budgets, and security and compliance all suffer from ineffective identity and access management. Insight has two new packages aimed at helping mid-sized businesses confront these challenges in the age of the cloud. Read more.
Parts 1-5:
First of all the FIM Product group does not support direct modification of the data in any of the FIM databases. Do so can leave your database in a state that is entirely unsupportable.
Second, the FIM Product group doesn't support direct queries against any of the FIM databases. However, it is possible to query the FIM Synchronization Service database without causing problems and without enormous gyrations. The FIM Service database has a very *interesting* data structure and is much more difficult to query.
So how do you safely query the FIM Synchronization Service database?
1) Use no lock hint
or
2) Set the transaction isolation level to read uncommitted.
Both of these tell SQL to not obtain locks on the records you are querying. This means that other threads such as the one that is synchronizing records don't get stuck waiting on your query. However this does also mean that some of the data you read could be in the middle of transaction, a transaction that could be rolled back. For example you query could catch it at the moment when a new MV object has just been projected from the HR MA but has not yet provisioned to AD. That transaction could succeed and commit or it could get rolled back and the MV project undone.
On to the how:
To use the no lock hint you must place it after every table and view name referenced in your query like this:
SELECT MetaverseObjectCount, ConnectorSpaceObjectCount, MetaDirectoryObjectCount = MetaverseObjectCount + ConnectorSpaceObjectCount
FROM (select count(*) AS MetaverseObjectCount
FROM MicrosoftIdentityIntegrationServer.dbo.[mms_metaverse] with (nolock)) as MVC
CROSS JOIN
(select count(*) AS ConnectorSpaceObjectCount
FROM MicrosoftIdentityIntegrationServer.dbo.[mms_connectorspace] WITH (nolock) ) AS CSOC
To Set the transaction isolation level to read uncommitted you simply run that command and the keyword GO before your queries -- sometimes your reporting tools permit you to set that with a checkbox
set transaction isolation level read uncommitted
go
SELECT MetaverseObjectCount, ConnectorSpaceObjectCount, MetaDirectoryObjectCount = MetaverseObjectCount + ConnectorSpaceObjectCount
FROM (select count(*) AS MetaverseObjectCount
FROM MicrosoftIdentityIntegrationServer.dbo.[mms_metaverse] ) as MVC
CROSS JOIN
(select count(*) AS ConnectorSpaceObjectCount
FROM MicrosoftIdentityIntegrationServer.dbo.[mms_connectorspace] ) AS CSOC
One might ask: Can you do both? Yes you can and it will cause no harm. The one place you can use the set transaction isolation level command is in a view or stored procedure -- so inside of those objects you must use the WITH (nolock) hint
Parts 1-5:
Has access to the metaverse gotten faster with recent releases? Well I won't cover everything they have done but two really significant things:
1) Skinnier clustered index key for the mms_metaverse table:
2) Sequential numbering of the clustered index key
1) Skinnier clustered index key for the mms_metaverse table:
| Old | New | |
| column used as the clustered Index key: | object_id | row_key |
| DataType: | uniqueIdentifier | big_int |
| Size: | 16 bytes | 8 bytes |
The mms_metaverse table previously used the object_id column of type uniqueIdentifier (16 bytes) as the clustered index key. The product group added a new column called row_key of type big_int (8 bytes).
So how does this help?
Think of a database table like a book. The clustered index is the Table of Contents and the main text of the book, excluding the indexes in the back. There is only one order for the book to go in and that is the same with a table. In the book the key used in the table of contents is the page #. In a table we pick one or more columns to serve as the clustered index key.
The non-clustered indexes are like the indexes in the back of the book (a topical index, a place index, a person index) and they make include the clustered index key. So the topical index lists a subject and then the page(s) where it is found.
Clustered Index ~ Table of Contents
Clustered Index Key ~ page number
Non-Clustered Index ~ Topical Index at the back of the book
Non-Clustered Index Key ~ topic
Pretend we had to pad the page # so it looked like 00000000045?
Chapter 1 page 0000 0000 0000 0000 0000 0000 0001
Chapter 2 page 0000 0000 0000 0000 0000 0000 0093
Then the topical index would look like (the topical index includes the key from the table of contents -- the page number):
Beach 0000 0000 0000 0000 0000 0000 0006
Desert 0000 0000 0000 0000 0000 0000 0020
Suddenly this limits how many columns of the index I can print on a single page.
Both the table of contents and the index are much larger consuming more pages. It also takes more time to search through those pages for my topic.
By going to a skinnier clustered index key it is as though the product group changed the book to be like this:
Chapter 1 page 0001
Chapter 2 page 0093
and the index to this:
Beach 0006
Desert 0020
Suddenly the table of contents and the index take fewer pages and it is faster to leaf through them when searching. So it is with a database table reading the table and its indexes is now much faster.
2) Sequential numbering of the clustered index key
This new column has data populated automatically using the SQL Server identity feature (this feature allows new rows to be added with an incrementing counter). Previously new pages would be inserted in random order and sometimes that mean splitting pages.
So how does this help?
The use of an identity column to increment 1 by 1 as opposed to a randomly generated unique identifier is enormously helpful in writes and will lead to less fragmentation. Whereas prior to the change a new row could be inserted anywhere in the entire table, now it will be inserted at "the end."
Parts 1-5:
Many times people wonder how many attributes they can create in the Metaverse Designer tool.
The answer is confusing because ... it depends.
Per my calculations there is a hard limit for single-valued, non-reference attributes of 502. Now to show you my work (in school my math teachers always insisted that I show my work).
Remember from Part 2 that the Metaverse consists of 5 tables:
When you create a new single-valued, non-reference attribute using the Metaverse Designer tool FIM modifies not just data but the table structure of three of these tables: mms_metaverse, mms_metaverse_lineagedate, and mms_metaverse_lineageguid. FIM will add a column to each of these tables. The mms_metaverse table will get a column of a datatype based on what has been selected as the attribute data type:
| Metaverse DataType | SQL Data Type | Min Size | Max Size | Comments |
| String (Indexable) | nvarchar(448) | 2 | 898 | |
| String (non-Indexable) | nvarchar(max) | 2 GB | If the data is small (less than 4000 bytes or whatever limit is set) and doesn't cause the row to exceed the 8060 byte limit it will stored in the row, otherwise only pointers will be stored in the row and the data will be stored in its own set of pages (off-row). | |
| Binary(indexable) | varbinary(900) | 2 | 902 | |
| Binary(non-indexable) | varbinary(max) | 2 GB | see the note on string non-indexable | |
| Boolean | bit | 1/8 | 1 | If there are between 1-8 bit columns in the table 1 byte of storage is consumed, if 9-16 bits then 2 bytes, if 17-24 then 3 bytes and so on |
| Number | BigInt | 8 | 8 |
In the mms_metaverse_lineagedate table FIM adds a new column of type DateTime which takes 8 bytes. In the mms_metaverse_lineageguid table FIM adds a column of type UniqueIdentifier which takes 16 bytes.
A row in SQL Server 2000 and beyond can only hold 8060 bytes. With SQL 2005 and beyond there is a feature called row overflow that allows for the variable length columns (like varchar) to overflow to other pages. However that doesn't apply to fixed length data types like BigInt, DateTime and UniqueIdentifier.
So the mms_metaverse_lineageguid has two columns (row_key a bigInt and object_id a unique identifier so 24 bytes) and then one column of type UniqueIdentifier for every single-valued non-reference attribute. 8060-24 = 8036 and 8036/16 = 502.25, which rounds down to 502.
So while there may be other limits that may depend on the datatype selected, this is one limit that cannot be escaped.
Parts 1-5:
Where and how is the Metaverse data stored?
Before I get into that I must caution you that modifying data directly will put you in a position that is unsupported by Microsoft. Even querying the data is something of a touchy issue (see Part 5).
The Metaverse consists of 5 tables in the FIM Synchronization Service Database:
| Table | Comment |
| mms_metaverse | Every object in the metaverse has a row in this table. Single-Valued non-reference attributes are stored in this table |
| mms_metaverse_lineagedate | This table has a DateTime column of the same name of every attribute column in the mms_metaverse table (in other words -- single-valued non-reference attributes). |
| mms_metaverse_lineageguid | This table has a UniqueIdentifier column of the same name of every attribute column in the mms_metaverse table (in other words -- single-valued non-reference attributes). |
| mms_mv_link | Reference attributes (both single valued and multi-valued) are stored in this table in an Entity Attribute Value format. The references are kept as uniqueIdentifiers |
| mms_metaverse_multivalue | Non-Reference multi-valued attributes are stored in this table in an Entity Attribute Value format (with a column for each of the possible data types) |
Here is an update on the impact of the newly deprecated features: The big change is that XMA has caught up to Multi-Mastery and is tied for first.
Watch the presentation that James Booth (who worked with us on the project) and Joe Gasowski (DPDHL) gave at the Redmond Identity Summit 2013 about our project at DHL to replace the DPDHL Sun One Directory and deploy FIM to replace both CriticalPath and a home-grown admin portal.
I conducted a linkedIn poll to find out what others thought of the features that are deprecated starting in FIM 2010 R2 SP1. For the poll I only listed the ones I put in my top 5 list. With 15 votes and 1 abstention I thought it would be worthwhile to publish the results:
Here we can see the winner:
If the results change significantly over the next two weeks I will post again.
Remember that these features are still here but will be removed in a future version (probably the next major release or the one after)
| Feature | Impact |
| Unselect “allow nulls” for exported values | You need to be more careful to ensure that you aren't deleting values |
| Web Service configuration interface | You will no longer be able to send a request to the web service to update the mv-data or ma-data objects in order to configure the sync engine. The article says that we will be able to use PowerShell to configure the sync engine. |
| Running Connectors(MA) out of process | Can no longer run the MA out of process |
| Run Rules Extensions out of process | Can no longer run rules extensions out of process |
| Join on “Any” object type | Shouldn't be doing that anyway it makes your join search far less efficient. |
| “Do not recall attributes” | Yeah! I always hated this feature as I have seen many Metaverse attributes left in states where you can't update that attribute in the Metaverse -- especially if the contributing MA has been decommissioned |
| Exchange 5.5 Utils | Are you still provisioning to Exchange 5.5? Way past time to upgrade! |
| Configure partition display name | This really only applied to the old MIIS password change site that hasn't been part of the product since ILM 2007 shipped. |
Yesterday Microsoft published a list of features that have been deprecated in FIM and will be removed from the product at some point in the future. In other words these don't require immediate action but when the next major release of * Identity Manager (* because we don't know what the new name will be -- see my tweet from last week at the Redmond Identity Summit) emerges those features will likely be gone. So over the next 18-36 months you need to begin working away from these issues.
| Rank | Feature | Impact |
| 1 | Combined Run Profiles steps such as Delta Import/Delta Sync, Full Import/Delta Sync, and Full Import/Full Sync | Removing the Delta Import/Delta Sync combined run profile step will have a huge impact on shops that have lots of disconnectors in their connector space. Remember that disconnectors are considered pending and so a delta sync always processes them. The Delta Import/Delta Sync single step only processes pending objects that were imported during the delta import. Hopefully, MSFT will add a feature: a checkbox to determine whether you want to process all disconnectors or just those with import changes since your last sync. |
| 2 | Multi-mastery/equal precedence As Paul Loonen describes it:As a net effect, when the MV attribute is multi-valued, all values contributed by the different MAs are accumulated in the MV attribute. | The deprecation article leaves in a bit of confusion it says it will be removed but you can still keep using it if you have the FIM MA deployed: You can continue to use this feature if your environment has a FIM Service management agent deployed (this management agent does not provide manual precedence) and to avoid export-not-precedent for declarative provisioning. So will it be removed or not? |
| 3 | ECMA1 (XMA) | Lots of XMA (ECMA 1) code running out there and all of it will need to be switched to ECMA 2.0 at some point in the future. While I have this one third this could actually have the biggest impact. If someone could create a tool that would auto-magically transform them that would be cool. I don't expect that they would take advantage of all of the new features but at least people will be able to upgrade without tons of recoding. |
| 4 | Transaction properties | This handy feature is used in many advanced coding scenarios to be able to signal to your provisioning code that this object just projected or joined and then to take some one time action or skip taking some action. |
| 5 | FIM CM MA and CLMUtils | So unlike the Lotus Notes MA and SAP R/3 MA which have been replaced with newer versions the FIM CM MA doesn't look like it will be getting replaced. Honestly there aren't many implementations using this MA. But this has some portents about the future of FIM Certificate Management. I would say that it suggests no future development of FIM CM but they did just add support for the DataCard CD800 printer as part of SP1 so I don't think it is going away entirely. At a minimum it does suggest a decoupling of the FIM CM from the rest of FIM. I do think that the acquisition of PhoneFactor suggests that Smart Cards and certificates will have less importance in the authentication game. |
My comments on What's new and the release notes for FIM 2010 R2 SP1:
| Rank | Feature | Impact |
| 1 | Deferred evaluation of criteria based groups This setting can be enabled one group at a time. You can also change the default so that as new criteria based groups are created they will be set for Deferred. The default is to calculate group membership twice a day at 2:30 AM and 2:30 PM. | HUGE! Thank you product group for answering my wishes. You see whenever a request is received by the FIM Service it evaluates permissions, it evaluates whether the request will cause any criteria based set memberships to change, and it also evaluates whether criteria based group memberships to change. For large systems with lots of users and lots of criteria based groups this can take a long time.Now we have the option to defer those calculations, and then the system can perform those calculations using SQL based set logic. I suspect that this is done using SQL Agent jobs and if a more frequent schedule is needed you could tweak the schedule of the job. |
| 2 | Upgrading the FIM database from FIM 2010 to R2 used to be quite time consuming -- this has been improved by at least an order of magnitude from "days [down] to hours." | Phew! It is now safe to get up and upgrade! |
| 3 | "imports of groups with 30,000 members are 2.5 times faster" for AD MA, FIM MA and ECMA 2.0 | This is on the import side rather than the sync side but every bit of additional speed we get on dealing with references without sacrificing integrity is appreciated. |
| 4 | ECMA has been updated to 2.1 | You can now do updates on multi-valued attributes instead of having to do a replace. You can also skip doing confirmations on add. Good impact on performance |
| 5 | FIM Server components are now supported for: Windows Server 2012 SQL 2012 SharePoint Foundation 2013 (read Installing FIM 2010 R2 on SharePoint Foundation 2013.) SCSM 2012 | Note support for earlier versions hasn't been dropped yet. |
| 6 | FIM Client components are now supported for: Windows 8 Outlook 2013 | Note support for earlier versions hasn't been dropped yet. |
| 7 | Support for Windows Server 2012 based AD and Exchange 2013 has been added to the AD MA | Note support for earlier versions hasn't been dropped yet. |
| 8 | Support for SQL Server 2012 has been added to the SQL MA | Note support for earlier versions hasn't been dropped yet. |
| 9 | Support for the FIM Portal in IE 10 (be sure to install the hotfixes mentioned) |
|
| 10 | The Sun and Netscape MA is now called Oracle Directory Servers and includes support for Sun 7.x and Oracle 11 | Support for Oracle Internet Directory 11g!!! |
| 11 | "Import-MIISServerConfig PowerShell cmdlet supports now overwriting an existing configuration" | This will help with automated testing scenarios! |
Source Articles:
