Final Update for FIM RC1 released

On Friday the product group released Update 3 for Forefront Identity Manager 2010 RC1 available through connect

https://connect.microsoft.com/site433/Downloads

Major changes as part of Update 3 (my regurgitation and comments from the release notes):

• Fewer trips to the FIM Service event log – since the FIM MA export errors will now show up in the Synchronization Service Manager! Hallelujah!
• Less need for custom old style code
  • Now more than 1 MA can be authoritative for deleting an object (resource)
  • New functions for Sync Rules (Declarative Provisioning) – I guess I will have to update my function cheatsheet
    • Null – not certain what they mean by this – null out the value or let another sync rule provide the value.
    • ReplaceString
• New type of MPR – Set Transition MPRs vs. request based MPRs
  • Run on Policy Update only applies to this type
  • All other MPRs are – request based MPRs
  • This should easy some of the difficulty in wrapping heads around MPRs.
• DBA’s will love these:
  • Backups without stopping the FIM Service and now supported!
  • SQL Failover Clusters are now supported! (I don’t know if this means that clustering the Synchronization Service is supported)
• Prereqs have changed
  • Server Components
    • Windows Installer 4.5 is required,
  • FIM Service requires SQL 2008 SP 1
  • The addin for Outlook now needs Outlook 2007 SP 2

 

 

Even the certificate management side got some improvements: Windows Server 2008 R2

 

Also check out Brad’s post on the SP3 for MIIS or an update to ILM 2007 FP 1

FIM Hand on Labs

More Hands on Labs for Forefront Identity Manager will be coming up (similar to the one I did in Irvine, CA) – Phoenix April 7th and 8th and then Dallas sometime in May.

FIM RCDC explained in brief

In this post I attempt to give you the reader a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration formerly known as the Object Visualization Configuration (OVC). RCDC is the way you custom how FIM displays objects (now called resources) in the portal. Now for English: If you need to change the options and information users see in the FIM portal when they create new users, groups (security or distribution), or edit or view these resources you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc) has three: Create, Edit and View. To get a handle on the terms take a look at the figure below:

 

Every RCDC has a Panel that contains all other visible elements. You don’t have to worry about the Panel, other than to know that you need a have it and it must have a name.

The next item to which I must call your attention is the Groupings. The little area which I have outlined in Red is the Header Grouping and provides the caption for the RCDC in this case: Create Security Group. The Header Grouping contains just one control the UocCaptionControl and it is this control that determines what will be displayed based on the Caption and Description Attributes.

The rest of the groupings show up as tabs. The first three are content groupings (there can be up. to 16 groupings counting the Header Grouping and the Summary Grouping, leave up to 14 slots for content groupings). Each content tab or grouping can contain between 1 and 256 controls.

Not visible in the screenshot above are data sources. Data sources provide access to the data of the resource (PrimaryResourceObjectDataSource), the changes that are being made during the edit or create process (PrimaryResourceDeltaDataSource), what rights the current user has to each attribute (PrimaryResourceRightsDataSource), information about the resource type and its attribute types, such as displayname and description (SchemaDataSource), and a listing of Active Directory Domains that are managed by this instance of FIM (DomainDataSource). Additionally, you can have XML data sources. There are two purposes for these: 1) to provide the xsl transformation to provide a different summary of changes on the Grouping Summary, and 2) to provide a list for use in UocDropDownList and UocRadioButtonList controls (there is at least one other method for providing the options list).

Controls have elements, and attributes. The element type you will be concerned with are the Properties. (Help only applies to groupings, CustomProperties is not supported, Options only applies to the UocDropDownList and UocRadioButtonList controls, Buttons only applies to the UoCListView Control, and you can’t make use of events.)

The attributes and properties are used to govern the behavior of the control. They can be bound to the different data sources, to cause the control to interact with an attribute on a resource, to control the visibility and editing on a control, and to provide the list of options to choose from.

Well that covers the conceptual overview. Next time I blog about RCDC, I plan on discussing the attributes of controls, and their common properties.

Answering my FIM RC 1 question

Thanks to Darryl Russi for answering my questions in my earlier post An Update to FIM RC1 where I was asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

So the short answer to my last question is yes and then Darryl answers the first question in great deal.

Here is his answer: Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Great job Darryl! I see this as a great way to ensure good response time for users and to scale out.

Identity Synchronization FIM 2010 HOL Irvine California

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training

 

Date: December 1-2, 2009

Location:   3 Park Plaza, Suite 1800   Irvine, CA  92614     949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on-lab on Microsoft’s Forefront Lifecycle Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

The curriculum for this training is modular, which will allow users with different technical levels to attend. 

Day 1 Agenda:

· FIM 2010 Overview Presentation and Demo

· FIM 2010 Managing Users and Groups Hands-on Lab

· Introduction to identity management

· ROI - a Tool to Help you Sell Your Project

· OTP Provisioning using FIM 2010

· Certificate Basics Presentation

· Certificate Demo and Basic Use Cases

Day 2 Agenda:

· FIM 2010 Synchronization Presentation and Demo

· FIM 2010 Hands-on Lab

· FIM 2010 Policy Management Presentation and Demo

· FIM 2010 Hands-on Lab

· Making It All Work Together

Who Should Attend?
IT security staff as well as system administrators and engineers who work with the installation, configuration, and maintenance of a variety of server types and have two to three years of experience managing an enterprise-level Microsoft Windows Server environment.

Space is limited. Register to reserve your seat.   Invitation only registration link – click here!

Questions? Contact Gemalto |  amy.gant@gemalto.com  |  (888) 343 5773  | www.gemalto.com/enterprise

An Update to FIM RC1

Microsoft has posted an update to FIM RC 1, dated Nov 6.

It looks like this update covers pretty much everywhere except Certificate Services (sorry Brian and Paul).

The Release notes included in the download lists the follow improvements:

• Query and Sets
• Resolved a number of issues that resulted in incorrect dynamic set membership.
• Removed support for the use of the != operator with multivalued attributes. Xpath equality expressions on multivalued attributes must use the not() function.  For example, the following xpath is not supported: /Group[Owner != /Person].  Instead, use the following xpath: /Group[not(Owner = /Person)]
• Synchronization engine
• Resolved a data corruption issue in Multi-Mastery scenarios where deleted Member attributes were being added back during full sync of AD and FIM.
• Workflows
• Workflows are now run on a FIM Service that uses the same ExternalHostName as the FIM Service that originally created the workflow. This enables the partitioning of workflow execution among servers dedicated to specific functionality. 
  For example, if a FIM Service is dedicated to servicing Requests submitted by the Synchronization Service, all workflows resulting from Synchronization Service Requests will only run on that FIM Service.
• Resolved an issue that caused a Request’s RequestStatus attribute to retain the value “Validating” even though the Request’s operation timed out.
• Resolved an issue in the EnumerateResourcesActivity that prevented selecting which attributes to return. Previously, regardless of the attribute selection specified, all attributes bound to the enumerated resources were returned.
• Resolved various issues and made general improvements for:
• Management Policy Rules
• Portal user interface Request Management
• Self-service Password Reset
• Schema

 

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

 

Go to Connect.microsoft.com and 11/6/2009
Here’s the link: FIM 2010 RC1 Update 1
4.0.2570.0 (compare to 4.0.2560.0 the version released on 9/29/09 -- RC1)
Build

It references a KB article that I can’t find: KB976465

The total download is under 36 MB so this is definitely a patch and not the full enchilada.

Looks like Jorge got the news out first.

Identity Management Luncheon NYC

I will be speaking at an Identity Management Luncheon in New York City on Nov 12th. I will be speaking on FIM.

Come on down and join me if you can. (Please Register)

When: Thursday, November 12, 2009 10:45 AM to 2:00 PM (EST) Where: Del Frisco's Double Eagle Steak House 1221 Avenue of the Americas New York, New York 10020 Come join us at this exclusive luncheon at one of the best steak houses in NYC!

Realizing the Value of Identity Management

Using Microsoft Forefront Identity Manager 2010 to Empower People, Deliver Agility and Efficiency, and Increase Security and Compliance of your Business
Ensynch and Microsoft invite you to join other senior technology and business executives at a complementary exclusive luncheon where we will discuss and demonstrate how Microsoft’s new identity management platform and solutions can help you consolidate technologies and reduce cost.

Today’s IT enterprise must deliver identity and access management that is efficient, cost effective, and secure. The complexity of managing and securing users, devices, and services is increasing. Whether due to regulatory mandate or business growth, identity management becomes more complex, and does often not deliver as much business benefit as it could.

Come and learn how Forefront Identity Manager 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.
Event Agenda:

Interactive demonstration and discussion of how Forefront Identity Manager 2010 helps to...
• Ease Administrative Functions of Managing Identities
• Enable Self Service Group Management
• Increase Security and Compliance
• Save Money – Realizing ROI
• Empower collaboration by integrating with other cutting edge Microsoft technologies such as Office Communications Server and SharePoint.

[Register Now]

-------
Contact Anthony.Morgante@microsoft.com if you have any questions or concerns.

Visit http://www.microsoft.com/forefront/identitymanager
for more information on ForeFront Identity Manager 2010