Release Notes for Identity Integration Feature Pack 1a (IIFP 1a) for Microsoft Windows Server Active Directory
- Password synchronization—Synchronizes user password changes and password resets from Active Directory domain controllers to other connected data sources. Deployment of password synchronization includes installing the password change notification service (PCNS) and a password filter on each Active Directory domain controller. Password changes are encrypted and sent by using remote procedure call (RPC) to the server running IIFP 1a, which pushes them out to the appropriate management agents.
- Support for Microsoft SQL Server™ 2000 Standard Edition—In addition to SQL Server 2000 Enterprise Edition, IIFP 1a now supports SQL Server 2000 Standard Edition or Developer Edition for its data store.
- Deletion threshold setting—During import, this setting prevents accidental deletions by stopping a management agent if the specified threshold limit is reached. During export, the management agent does not start if the number of pending exports exceeds the threshold limit. The deletion threshold is set in the run profile configuration.
- Remote Procedure Call (RPC) dependency removed from management agent for Active Directory—The management agent for Active Directory no longer requires a range of RPC ports to be opened for synchronization. However, RPC ports are required if password synchronization is enabled.
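The following PowerShell check is an added example; it is not part of these release notes or of the IIFP product. Run on a domain controller, it lists the LSA notification packages (the registry value through which Windows loads password filter DLLs, including the one PCNS installs) and reports whether the PCNS filter is registered. The filter name pcnsflt and the baseline entries scecli and rassfm are assumptions to confirm against your own installation. Every DLL in this list is handed each password change in the clear before PCNS encrypts it for transport, so any entry you cannot account for deserves review.

```powershell
# Added example, not from the IIFP 1a release notes. Run on each domain controller.
# Assumption: the PCNS password filter registers as "pcnsflt" (pcnsflt.dll).
# Assumption: "scecli" and "rassfm" are the Windows-supplied baseline entries.

$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PcnsFilter    = 'pcnsflt'
$KnownBaseline = @('scecli', 'rassfm')

function Get-PasswordNotificationPackages {
    # "Notification Packages" is REG_MULTI_SZ; each entry names a DLL in System32
    # (without extension) that LSA loads and notifies of every password change.
    $names = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in @($names)) {
        $dll = Join-Path $env:SystemRoot ('System32\{0}.dll' -f $name)
        $signature = if (Test-Path -LiteralPath $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status   # Valid / NotSigned / ...
        } else {
            'FileMissing'
        }
        New-Object PSObject -Property @{
            Package   = $name
            Dll       = $dll
            Signature = $signature
            Expected  = (($KnownBaseline + $PcnsFilter) -contains $name)
        }
    }
}

function Test-PcnsFilter {
    $packages = @(Get-PasswordNotificationPackages)
    $pcns = $packages | Where-Object { $_.Package -eq $PcnsFilter }
    if (-not $pcns) {
        Write-Warning "PCNS filter '$PcnsFilter' is not registered; password changes on this DC will not reach IIFP."
    } elseif ("$($pcns.Signature)" -ne 'Valid') {
        Write-Warning "PCNS filter DLL $($pcns.Dll) has signature status '$($pcns.Signature)'."
    }
    # Anything outside the baseline also receives cleartext passwords: review it.
    $packages | Where-Object { -not $_.Expected } | ForEach-Object {
        Write-Warning "Unexpected notification package: $($_.Package) ($($_.Dll))"
    }
    $packages | Format-Table Package, Signature, Expected, Dll -AutoSize
}

Test-PcnsFilter
```

Run the check on every domain controller, not only the one where PCNS was first installed: a DC without the filter silently drops password changes from the synchronization path, and a DC with an extra, unknown filter is handing those passwords to code you did not deploy.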
For product overviews, case studies, and other news about IIFP 1a, including newsgroup information, see the Microsoft Identity Integration Server 2003 Web site at http://go.microsoft.com/fwlink/?LinkId=6999. For the latest technical documentation, see the Microsoft Web site (http://www.microsoft.com/).
At the time of this release, the following are known issues.
Installation
- If you are installing a new build of IIFP 1a and are using an existing IIFP database that has password synchronization enabled, the installation process will disable password synchronization. You must enable password synchronization again after installation is complete.
- If SQL Server 2000 is unavailable on the network during the installation of IIFP, you may receive an error stating that you do not have the correct version of SQL Server 2000 installed. When troubleshooting this error, be sure to check for both the correct version of SQL Server 2000 and the network availability of the server hosting SQL Server 2000.
- During Setup, a security audit may be written to the Security log if the Integration Server service account is created with the default, or minimal, permissions. While this will not affect the functionality of IIFP 1a, you should review this security audit to ensure that it meets your network security requirements.
- If you make any changes to the MIIS 2003 service account, for example changing the account to a domain account, you will need to stop and start the MIIS 2003 service for the new credentials to take effect.
- IIFP 1a does not support Domain local groups for the four default security groups. The groups must be local machine groups or global groups. If password synchronization is enabled, they must be global groups. The following correction should be noted in the Help topic "Using security groups":
- All instances of "Domain local groups" should read "global groups".
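The following PowerShell check is an added example and is not part of these release notes or of the product. It resolves each of the four default security groups, decides whether it is a local machine group or a domain group of global, domain local, or universal scope, and applies the rule stated above: local machine or global groups are supported, and only global groups when password synchronization is enabled. The group names used (the MIIS 2003 defaults) and the password synchronization flag are assumptions to adjust for your deployment.

```powershell
# Added example, not from the IIFP 1a release notes. Run on the IIFP server.
# Assumption: the four default groups carry the MIIS 2003 names below.
# Set $PasswordSyncEnabled to match your deployment.

$GroupNames          = @('MIISAdmins', 'MIISOperators', 'MIISJoiners', 'MIISBrowse')
$PasswordSyncEnabled = $true

# groupType bit flags from the Active Directory schema; the security-enabled
# bit (0x80000000) is ignored here because only the scope matters.
$GROUP_TYPE_GLOBAL       = 2
$GROUP_TYPE_DOMAIN_LOCAL = 4
$GROUP_TYPE_UNIVERSAL    = 8

function Get-GroupScope {
    param([string]$Name)
    # Local machine group: bind through the WinNT provider against this computer.
    if ([System.DirectoryServices.DirectoryEntry]::Exists("WinNT://$env:COMPUTERNAME/$Name,group")) {
        return 'LocalMachine'
    }
    # Otherwise look the sAMAccountName up in the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$Name))"
    $null = $searcher.PropertiesToLoad.Add('groupType')
    $result = $searcher.FindOne()
    if (-not $result) { return 'NotFound' }
    $groupType = [int]$result.Properties['grouptype'][0]
    if ($groupType -band $GROUP_TYPE_DOMAIN_LOCAL) { return 'DomainLocal' }
    if ($groupType -band $GROUP_TYPE_UNIVERSAL)    { return 'Universal' }
    if ($groupType -band $GROUP_TYPE_GLOBAL)       { return 'Global' }
    return 'Unknown'
}

function Test-IifpSecurityGroups {
    param([string[]]$Names, [bool]$PasswordSync)
    foreach ($name in $Names) {
        $scope = Get-GroupScope -Name $name
        # Release-note rule: local machine or global; global only when password sync is on.
        $supported = switch ($scope) {
            'Global'       { $true }
            'LocalMachine' { -not $PasswordSync }
            default        { $false }   # DomainLocal, Universal, NotFound, Unknown
        }
        New-Object PSObject -Property @{ Group = $name; Scope = $scope; Supported = $supported }
    }
}

Test-IifpSecurityGroups -Names $GroupNames -PasswordSync $PasswordSyncEnabled |
    Format-Table Group, Scope, Supported -AutoSize
```

A group reported as DomainLocal is the case the corrected Help text warns about; convert it to a global group (or recreate it as one) before enabling password synchronization, and re-run the check afterwards.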
Global Address List Synchronization (GALSync) scenario
- Changes have been made for MIIS 2003 SP1 to the GALSync code installed with the product. To update your code:
- If you have not modified the original GALSync code and recompiled it, copy the new source files from the SourceCode\GALSyncSP1 folder in the MIIS 2003 installation directory to the Extensions folder.
- If you have modified the original GALSync code, you will need to compare your current code with the new files in the SourceCode\GALSyncSP1 folder, identify and incorporate the changes, and recompile.
Password Synchronization
- The password change notification service (PCNS) is only supported on Active Directory domain controllers that are running on x86-based or x64-based computers. PCNS is not supported on Itanium-based computers.
- If PCNS is installed on domain controllers in a different forest than the forest where IIFP 1a is installed, there must be a 2-way trust set up between the forests in order for synchronization to complete successfully.
- SetSPN.exe, the tool used to set the service principal name (SPN) during password synchronization setup, cannot be used with the -D option to remove an SPN. To remove an SPN from the service account, use ldp.exe or ADSIEdit.exe, which are available in the Support Tools folder on the Windows Server 2003 Enterprise product CD.
- The following corrections should be noted in the help topic "Pcnscfg: Password change notification service (PCNS) configuration utility":
- The description of the /WL: parameter for pcnscfg addtarget and pcnscfg modifytarget should read as follows:
"Logs a warning level when the number of objects in the queue reaches or exceeds nn. Must be an integer in the range from 0 to 4294967295. The default setting is 0, which disables the warning level."
- The description of the /WI: parameter for pcnscfg addtarget and pcnscfg modifytarget should read as follows:
"The interval, in minutes, that the warning level is logged. This parameter has no effect if the /WL: parameter is not specified, or is set to 0. Must be an integer in the range from 0 to 4294967295. The default value for /WI: is 30. To disable periodic notifications, set the value to 0. When the value is set to 0, notifications will still be logged whenever the level threshold defined in /WL: is crossed, either up or down."
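Because SetSPN.exe -D cannot be used here, the following PowerShell is an added example (not part of these release notes or the product) of the same attribute edit that ldp.exe or ADSIEdit.exe performs: it removes one value from the service account's servicePrincipalName attribute through ADSI and leaves the other SPNs intact. The account DN and the SPN value are placeholders, and PCNSCLNT as the service class of the password synchronization SPN is an assumption; confirm the exact SPN with setspn -L before removing anything.

```powershell
# Added example, not from the IIFP 1a release notes. Performs the same edit to the
# servicePrincipalName attribute that ldp.exe or ADSIEdit.exe would, without setspn -D.
# Assumptions: the account DN and the SPN value are placeholders for this example;
# PCNSCLNT as the SPN service class is assumed, check yours with "setspn -L".

$ServiceAccountDn    = 'CN=svc-iifp,OU=Service Accounts,DC=Fabrikam,DC=com'
$SpnToRemove         = 'PCNSCLNT/iifp01.fabrikam.com'
$ADS_PROPERTY_DELETE = 4    # IADs::PutEx control code: remove only the listed value(s)

function Get-AccountSpns {
    param([string]$Dn)
    $account = [ADSI]"LDAP://$Dn"
    @($account.Properties['servicePrincipalName']) | ForEach-Object { [string]$_ }
}

function Remove-AccountSpn {
    param([string]$Dn, [string]$Spn)
    $account = [ADSI]"LDAP://$Dn"
    $current = @(Get-AccountSpns -Dn $Dn)
    if ($current -notcontains $Spn) {
        Write-Warning "'$Spn' is not registered on $Dn; nothing to remove."
        return $current
    }
    # PutEx with ADS_PROPERTY_DELETE removes the given value(s) from the multi-valued
    # attribute and leaves the remaining SPNs untouched; SetInfo commits the change.
    $account.PutEx($ADS_PROPERTY_DELETE, 'servicePrincipalName', @($Spn))
    $account.SetInfo()
    Get-AccountSpns -Dn $Dn
}

Write-Host 'SPNs before:'; Get-AccountSpns -Dn $ServiceAccountDn
Write-Host 'SPNs after:';  Remove-AccountSpn -Dn $ServiceAccountDn -Spn $SpnToRemove
```

Run it as an account with write access to the service account object. If you remove an SPN that the PCNS targets on the domain controllers were configured to use, Kerberos authentication from PCNS to the IIFP server will fail until the SPN is re-registered or the targets are updated with pcnscfg modifytarget.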
This feature pack contains fixes for the following issues:
- When IIFP tries to disconnect and to reprovision the same object during the same synchronization run, you may receive an "extension DLL exception" error message in the Flow Errors section of the management agent run profile type statistics. You may also receive an "object already exists" error message in the synchronization error information for the object.
After you apply this feature pack, these objects are no longer reported as pre-existing objects.
- When you run a delta synchronization or a full synchronization, the provisioning rules may delete an object and then add the object back. You may receive an "unexpected error" error message in the Flow Errors section of the Operational Statistics pane. The following event message may also be logged in the Application log:
Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6301
Date: Date
Time: Time
User: N/A
Computer: Server Name
Description: The server encountered an unexpected error in the synchronization engine:
"MMS(3932): Pre: HRESULT: 0x0<entry dn="CN=dlobject,OU=groups,OU=test,DC=Fabrikam,DC=com">
If a preview is generated on the object, you may receive the following error message:
"The dimage has an anchor that is different than the image".
After you apply this feature pack, you no longer receive this error message. However, it is a good idea to verify that the delete-add operation that occurs during the provision is expected behavior for the scenario. If it is not expected behavior, evaluate the provisioning logic.
- IIFP stops responding while running a delta import. The management agent appears to stop responding, and then the following error message is logged in the Application log:
Application popup: miiserver.exe - Application Error : The instruction at 0x01076f77 referenced memory at 0x00000000. The memory could not be read.
This event is logged because an exception occurs while the management agent is running in delta mode.
This feature pack prevents this exception.
- Objects become corrupted in the connector space, and errors are returned when IIFP runs the management agent. The following event is logged when the following conditions are true:
- You run IIFP to synchronize any management agent that modifies a metaverse object.
- That metaverse object is joined to a connector space object that has become corrupted.
Note This corruption occurs because the tower has a distinguished name (DN) that is different from the DN recorded for the object in the Microsoft SQL Server store. (A tower is also known as a hologram.)
Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6312
Date: Date
Time: Time
User: N/A
Computer: Server Name
Description: The server encountered an unexpected error while performing an operation for a rules extension.
ERR: MMS(3576): tower.cpp(521): DN mismatch for phantom export: row (DN=CN=Mike Smith (Central Financial Services),OU=Disabled Users,OU=MIIS,DC=Fabrikam,DC=com), tower(old DN=CN=Mike Smith,OU=Disabled Users,OU=MIIS,DC=Fabrikam,DC=com)
BAIL: MMS(3576): tower.cpp(522): 0x8023031c (The tower has a distinguished name that is different from that of the store.)
When you process an Export run profile to export objects to the connected directory, the following event message may be logged if the objects have become corrupted:
Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6301
Date: Date
Time: Time
User: N/A
Computer: Server Name
Description: The server encountered an unexpected error in the synchronization engine:
BAIL: MMS(3576): scripthost.cpp(10075): 0x80230703 (The extension threw an exception.) Microsoft.MetadirectoryServices.Impl.InternalError: 0x8023031c at Microsoft.MetadirectoryServices.Impl.ScriptHost.ThrowExceptionFromHRESULT(Int32 hr)
This feature pack prevents the DNs of the tower and of the store from diverging, which in turn prevents this type of corruption of connector space objects. However, objects that are already corrupted are not repaired; the feature pack only prevents further corruption. Therefore, you must delete the connector space under that management agent. In many cases, it is faster to rebuild by renaming the existing management agent and then creating a new management agent. If the management agent has many connectors under it, you may want to rename it now and delete it during a scheduled downtime window. For additional information about how to build a new management agent to replace the existing management agent, see the following article in the Microsoft Knowledge Base:
827117 How to build a new management agent to replace an existing management agent
- When you attempt to create a management agent for Active Directory Global Address List (GAL), and you try to use a DN that contains an ampersand character (&) to set the destination container for the contacts, you may be unable to save the management agent. For example, you try to use the following:
OU=Contacts & Things,DC=Fabrikam,DC=com
When you do this, you can complete the management agent configuration. However, when you click Finish, nothing occurs, and you cannot create the management agent.
After applying the feature pack, the & character will be processed without errors.
- When you try to modify a management agent for Active Directory Global Address List (GAL) by changing the DN of the destination container to a DN that contains an ampersand character (&), such as "OU=Contacts & Things,DC=Fabrikam,DC=com", you may receive the following error message after you click OK in the Management Agent Designer properties dialog box:
An unhandled exception has occurred in your application.
If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will be shut down immediately.
An error occurred while parsing EntityName. Line x, position y.
Note In this error message, x and y are numeric values.
After applying the feature pack, the & character will be processed without errors.
- Unexpected errors occur during an export of provisioned user objects in Active Directory when you set the initial passwords. When this problem occurs, a 6401 error message is logged in the event log. This message includes the following text:
Failed to get SamAccountName.
This problem occurs because the CN lookup that precedes setting the user's password can be answered by a domain controller other than the one on which the account was created, and the new object may not yet have replicated to that domain controller.
After applying the feature pack, provisioned user objects will be processed without errors.
- You may receive unexpected error messages when you export a rename add operation on an object. When this problem occurs, you receive an event message that contains the following text:
The server encountered an unexpected error in the synchronization engine:
DN mismatch for phantom export: row (DN=CN=User1,OU=TargetUsers,OU=Enterprise,DC=Fabrikam,DC=com), tower(old DN=CN=User2,OU=TargetUsers,OU=Enterprise,DC=Fabrikam,DC=com)
The following error code appears in the event text:
0x8023031c (The tower has a distinguished name that is different from that of the store.)
After applying the feature pack, rename add operations will be processed without errors.
- When you import a rename operation on a connector space object, and the connector space object has a delete-add operation in escrow in an unapplied state, a staging error occurs. Additionally, an event message is logged in the Application log. The event message contains the following text and error code 0x80230306:
E_MMS_ENTRY_ANCHOR_MISMATCH
After applying the feature pack, rename operations will be processed without errors.
- You may receive a "server stopped" error message when you are provisioning group objects that use Auxiliary Object Class definitions. When this problem occurs, you receive the following event message:
The server encountered an unexpected error in the synchronization engine:
(The parameter is incorrect.) ERR: MMS(3260): expbase.cpp(1861): PutAnchorWithDnInternal failed on CS object {3A1BEB07-4023-442E-B14C-3CA66800534F} with 0x80070057.
After applying the feature pack, provisioning group objects will be processed without errors.
© 2004 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.