FIM2010

#FIM2010 upgrade/update failure and roll back

Recently I have been working with several customer that experienced a similar situation:

  • update FIM with a hotfix fails
  • upgrade FIM 2010 to FIM 2010 R2 fails
  • during installation of FIM he FIM services won’t start

All of them result in a roll-back of the installation.

Let me spoil the root cause right away (and then explain): using an SQL port number in the installation wizard.

The installation wizard is not able to connect to the database with a port number.

Solution:

use an SQL alias

Background

The FIM Sync Service and/or the FIM servers check the registry for the database server and instance and then connect to SQL and start the service.

The use of a port number seems to break the wizard.
Normally the FIM Services and FIM Sync Services CAN use an SQL port…

Easy fix: set an alias in the SQL Server client network utility

c:\windows\system32\cliconfig.exe

cliconfig
port1433_1
port1433_2
setalias

Then change the registry to use the FIM SQL ALIAS (as server), you don’t need the instance and port anymore (as the alias will take care of it).

For the FIM Sync:

regedit

Check the server and instance configured for the FIM Sync database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Server (use SQL Alias)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Instance (empty)

for FIM Service

Check the server and instance configured for the FIM Service database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMService\DatabaseServer

Reference

I’ve updated the Wiki article with more detailed info at http://social.technet.microsoft.com/wiki/contents/articles/14551.fim-2010-r2-troubleshooting-syncservice-installation-or-upgrade-failure-and-roll-back.aspx

See also:

Last updated: 2020-12-30

FIM2010# MIISActivate – FIM Sync service terminated with service-specific error %%-2146234334

This article has been posted on TNWiki at: FIM2010 Troubleshooting: MIISActivate – FIM Sync service terminated with service-specific error %%-2146234334.


Situation

Failing over a FIM Sync Server to the standby FIM sync server using MIISActivate.

After using successfully MIISActivate, the FIMSync Service fails to start and logs an error in the eventviewer.


Symptoms

You’ll see 2 error messages in the event viewer, erro 7024 and error 6324.

Error 7024

Reference

This error is pretty similar or exactly like the error described in the following Wiki article:

FIM2010 Troubleshooting: FIM Sync service terminated with service-specific error %%-2146234334.

Screen

Error message Text

Log Name: System
Source: Service Control Manager
Date: 3/02/2016 15:08:59
Event ID: 7024
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: servername.domain.customer
Description:
The Forefront Identity Manager Synchronization Service service terminated with service-specific error %%-2146234334.
Event Xml:
<System>
<Provider Name=”Service Control Manager” Guid=”{555908d1-a6d7-4695-8e1e-26931d2012f4}” EventSourceName=”Service Control Manager” />
<EventID Qualifiers=”49152″>7024</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime=”2016-02-03T14:08:59.670239000Z” />
<EventRecordID>679744</EventRecordID>
<Correlation />
<Execution ProcessID=”516″ ThreadID=”1212″ />
<Channel>System</Channel>
<Computer>servername.domain.customer</Computer>
<Security />
</System>
<EventData>
<Data Name=”param1″>Forefront Identity Manager Synchronization Service</Data>
<Data Name=”param2″>%%-2146234334</Data>
</EventData>
</Event>

Error 6324

Error message Text

Log Name: Application
Source: FIMSynchronizationService
Date: 3/02/2016 15:08:59
Event ID: 6324
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: servername.domain.customer
Description:
The server encountered an unexpected error and stopped.
 
“BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\sqlstore\storeimp.cpp(5096): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\sqlstore\storeimp.cpp(493): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(429): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x8023060d (The computer_id in the database does not match this computer.)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2145188339. This is retry number 0.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 1.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 2.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 3.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1041): 0x80131022 (unable to get error text)
Forefront Identity Manager 4.1.3634.0″
Event Xml:
<System>
< Provider Name=”FIMSynchronizationService” />
<EventID Qualifiers=”49152″>6324</EventID>
<Level>2</Level>
<Task>3</Task>
< Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime=”2016-02-03T14:08:59.000000000Z” />
< EventRecordID>266336</EventRecordID>
<Channel>Application</Channel>
< Computer>servername.domain.customer</Computer>
<Security />
</System>
< EventData>
<Data>BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\sqlstore\storeimp.cpp(5096): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\sqlstore\storeimp.cpp(493): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(429): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x8023060d (The computer_id in the database does not match this computer.)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x8023060d (The computer_id in the database does not match this computer.)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2145188339. This is retry number 0.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 1.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 2.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\shared\utils\clrhost.cpp(224): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\rules\scriptmanagerimpl.cpp(7886): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(272): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\server.cpp(3960): 0x80131022 (unable to get error text)
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1588): 0x80131022 (unable to get error text)
ERR_: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1027): Error creating com objects. Error code: -2146234334. This is retry number 3.
BAIL: MMS(7916): d:\bt\39459\private\source\miis\server\server\service.cpp(1041): 0x80131022 (unable to get error text)
Forefront Identity Manager 4.1.3634.0</Data>
</EventData>

</Event>


Solution

Restart Service twice

At the first attempt, the service will take a very long time to try starting.

When the initial attempt fails, try restarting the FIM Synchronization again.

Check DB connection

Use a UDL file with the Data Link Properties tool to check if you can connect to the FIM Sync Database.

More info:
FIM2010 Troubleshooting: FIM Sync service terminated with service-specific error %%-2146234334.


Also on this blog


Last update: 2020-12-30

Note-to-self: #FIM2010 Visio Stencils & icons

Source: https://social.technet.microsoft.com/Forums/en-US/7a7b3df0-35d1-48a5-9577-e2c435b39128/how-to-become-a-fimster?forum=ilm2

As mentioned by Ross Currie, you need a shortcut to this, as you keep losing this little gem…

https://skydrive.live.com/?cid=b905f742cf6d28e2&id=B905F742CF6D28E2%21164

The Visio Stencils are also published on Github at:

Announcing the public availability of the #MIMWAL for #MIM2016 project, now available as an Open Source Project on GitHub

Source: https://social.technet.microsoft.com/Forums/en-US/e613bbd9-5a2a-46c2-8d91-5f1e0116521b/announcing-the-public-availability-of-the-mimwal-project-now-available-as-an-open-source-project-on?forum=ilm2

Announcing the public availability of the MIMWAL project, now available as an Open Source Project on GitHub.

The MIMWAL is a Workflow Activity Library (WAL) for building complex workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution.

The WAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding for days and months.

MIMWAL Features

  • Building-block Workflow Activities
  • Conditional Execution Capability for Building-block Activities
  • Support for Iteration Over a Collection of Values in Building-block Activities
  • Deep Resolution Capability for FIM Lookup Grammar
  • Rich Library of Workflow Functions
  • UI Framework for Building Additional Custom Workflow Activities
  • Support for ETW Event Tracing
  • Optimization of Update Requests
    • Combining multiple updates into a single request per resource per activity
    • Issuing update request only when resource is actually modified.

More information

Please visit the MIMWAL site at http://aka.ms/MIMWAL for information on project source code, releases and documentation, and discussion forums.

Please post any questions or discussions about the MIMWAL project on this forum, which can also be found at http://aka.ms/MIMWAL/Forum

MIMWAL Links

Note-to-self: #FIM2010 Microsoft.MetadirectoryServices.dll vs. Microsoft.MetadirectoryServicesEx.dll

Question: What’s the difference between Microsoft.MetadirectoryServices.dll and Microsoft.MetadirectoryServicesEx.dll?

MIIS/ILM code is using the Microsoft.MetadirectoryServices.dll, while FIM is using Microsoft.MetadirectoryServicesEx.dll.

Can the old DLL be removed from the FIM code extensions, when the new DLL is referenced in code?

Answer:

You should use the Ex.dll when possible. The other DLL is only there in case you have a DLL from MIIS, has lost the sources, and cannot recompile it. The only difference between the two is that Ex is digitally signed and the other is not. When you have changed the references to Ex.dll you will not need the other.

Hotfix rollup package (build 4.1.3671.0) for Forefront Identity Manager 2010 R2

Source: https://support.microsoft.com/en-us/kb/3092178

From the KB Article:

Issues that are fixed or features that are added in this update

This update also fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM add-ins and extensions

Issue 1

This hotfix addresses an issue in the password reset window that occurs on displays that have high DPI settings when the Windows display sizing of items is set to a custom size, such as 200% or more.

FIM Certificate Management

Issue 1

If you try to enroll a smart card that has the correct profile selected (and the correct adminKey), but the user PIN does not correspond to the smart card PIN policy, you receive the following error message:

The card cannot be accessed because the wrong PIN was presented.

 

FIM Synchronization Service

Issue 1

When you configure an ECMA2 run profile, you receive the following exception:

Value of ‘10’ is not a valid value

 

Issue 2

The Sync Engine reports a staging error during delta import when the Generic LDAP connector detects the renaming of the distinguished name for an object.

Issue 3

During the export run DN modification of a user, an object is deleted from a group membership in Oracle Directory Enterprise Edition (ODSEE) instead of changing the DN LDAP.

Issue 4

When you try to select an OU that contains more than 4,000 sub-OUs on the Directory Partitions tab, you receive the following error message:

The administrative size limit on the server was exceeded.

 

Issue 5

When you perform an Export, CS Search, or CS Deletion during ECMA2 Export Only, the MA displays the following error message:

The image or delta doesn’t have an anchor.

 

Issue 6

The Sync Service stops responding because of high CPU usage when you stop a run profile for the ECMA connector.

Issue 7

When you have characters in the SMTP address that are unsupported by Exchange Server, a GALSync Export operation stops, and you receive an ma-extension error. This triggers a provisioning loop that causes object duplication.

FIM Portal

Issue 1

This hotfix addresses an issue in the FIM Portal that affects sorting a customized list view that’s based on the columns specified in the ColumnsToDisplay field.

Issue 2

This hotfix updates HTML elements and attributes in the password registration portal and the FIM Portal.

Issue 3

The object picker does not search objects that contain special characters in their file names.

Issue 4

This hotfix updates the translation into Russian of the user interface strings that relate to “Password Reset AuthN Workflow” activity.

Issue 5

This hotfix addresses an issue that affects the Leave and Remove Member buttons when the group resource type is customized.

Issue 6

This hotfix adds a new search scope (All Groups) to enable searching for and joining groups if the user does not know whether the group is a security group or a distribution list.

FIM Service

Issue 1

This hotfix addresses an issue in which broker service conversations are not closed after an export from FIM Sync to the FIM Service database.

Issue 2

When there are too many negative conditions in the Group Criteria, the SQL & FIM service stop running.

Issue 3

SET filter definitions are unsuccessful during save after you upgrade to version 4.1.3634.0.

Issue 4

When you use the CustomExpression option, the Concatenate operator is replaced with the “+” character. This triggers an error when it saves.

Issue 5

This hotfix addresses an issue that affects FIM Service database stored procedures. Specifically, deadlocks might occur in approval workflows. This issue occurs particularly in deployments with complex or general Set definitions such as sets matching “/*” instead of with specific resource types.

BHOLD

Issue 1

There’s an inconsistency between the Permission name and the value if an attribute changes. After Export\Import\Export flow in FIM Sync, BHOLD receives duplicates of a renamed group and retains the original group in the database.”

Note-to-self: quickly checking which #FIM2010 Sync Security groups used

Although, it’s best practices to use AD based security groups to setup your FIM/MIM, this is not always the case in practice.
So, how do you quickly verify which groups have been used to secure your FIM Sync configuration?

On the FIM Synchronization server, open the component services

(samples are taken from a Windows Server 2012, but this also applies to Windows 2008 …)

First, look up and open Component services

1. find component services

Within the Component Services navigate to “Computers > My Computer”, open DCOM Config

2. open DCOM config

It’s very likely that you get the icon view, switch it to detailed view.

3. change view to details

Then look up the Forefront Identity Synchronization Manager configuration item.

4. open FIMSync Service Props

Right click on it, click properties

5. open Security tab - launc and activation

Click the security tab.

And on the “Launch and Activation Permissions” section, click the edit button.

In case you the sections are greyed out, you need to set registry permissions to allow access

Side note

In the Component services console, you might encounter that the security options are greyed out…

Here’s the solution to fix this quickly: http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

6. Launch and activation permissions

Now you should see the FIM Sync Security groups configured.

The info will show you (based on the group names) if local or AD groups have been used.

End note on this topic: you can’t change these groups manually.
You need to run the FIM Sync installation wizard in repair mode to fix or change these groups.

The wizard will change the component services, DCOM config, regisgtry and local NTFS permissions to match the groups.

If you would like to do it in a more scripted way, you can use the DCOMPerm code sample, which is included with the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

Sample command:

dcomperm -aa {835BEE60-8731-4159-8BFF-941301D76D05} list

Output

Access permission list for AppID {835BEE60-8731-4159-8BFF-941301D76D05}:

Remote and Local access permitted to CONTOSO\FIMSyncAdmins.
Remote and Local access permitted to CONTOSO\FIMSyncOperators.
Remote and Local access permitted to CONTOSO\FIMSyncJoiners.
Remote and Local access permitted to NT AUTHORITY\SYSTEM.
Remote and Local access permitted to CONTOSO\svcfimsync.
Remote and Local access permitted to CONTOSO\FIMSyncBrowse.
Remote and Local access permitted to CONTOSO\FIMSyncPasswordSet.

Note-to-self: #FIM2010 Virtualisation support

Nowadays, it’s not a hot topic anymore, rather a common practices to run your FIM / MIM environment in a virtualized setup.
Still once in a while we do get questions about virtualization support for FIM/MIM.

Bookmark the sources below, as it might be useful to retrieve the answer quickly.

First, more general to check is: the Windows Server Catalog (http://www.windowsservercatalog.com/).
On that catalog page you find the link to the Server Virtualization Validation Program site (http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm).

“Please visit the Server Virtualization Validation Program site for more information on validated solutions and available support.” 

That page mentions:

“Information on Microsoft’s support policy for Hyper-V and Azure can be found at:

and

“The information provided by the Microsoft Application Support Policy is for guidance purposes only. Please visit the Products listing to review the latest information available ”

Microsoft Server Software and Supported Virtualization Environments points to this KB article : https://support.microsoft.com/nl-be/kb/957006

It explicitly refers to Forefront Identity Manager as:

“Microsoft Forefront Identity Manager 2010
Microsoft Forefront Identity Manager 2010 and later versions are supported.”

Just as a side step, the Products Listing page (on http://www.windowsservercatalog.com/results.aspx?&bCatID=1521&cpID=0&avc=0&ava=0&avq=0&OR=1&PGS=25), has the latest updates on Windows Server 2012 and later…

In the left side menu bar you’ll find OS Compatibility and Processor architecture:

OS compatibility

Supports Windows Server 2012 R2
Supports Windows Server 2012
Supports Windows Server 2008 R2
Supports Windows Server 2008

Processor architecture

Windows Server 2012 R2 (x64)
Windows Server 2012 (x64)
Windows Server 2008 R2 (x64)
Windows Server 2008 (x64)
Windows Server 2008 (x86)

Another side note, for support lifecycle the KB article refers to http://support.microsoft.com/?pr=lifecycle.
But, for FIM 2010 / MIM 2016 there is an easier short cut you should use :

FIM 2010: https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Forefront%20Identity%20Manager&Filter=FilterNO

MIM 2016 (also include FIM2010 info): https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Identity%20Manager&Filter=FilterNO

For future use, this info has also been published on TNWIki, you can use this short URL http://aka.ms/FIM2010Virtualisation and http://aka.ms/MIM2016Virtualisation.

 

#MIM2016 now officially published and generally available

Source: http://blogs.technet.com/b/ad/archive/2015/08/06/microsoft-identity-manager-2016-is-now-ga.aspx

As many of the FIMsters already knew by the updates on MSDN/VL downloads and the update on the TechNet Center,.. is now also officially announced by the FIM/MIM product group.

You can read the full details at: http://aka.ms/MIM2016.

Shai Kariv points to a few interesting links in the announcement.

“Please refer to the official Microsoft communication here and here for the available channels for getting the final product version. ”

This is :

And also

This major new version of Identity Manager is an overall modernization of capabilities and experiences relative to the previous version, FIM 2010 R2.

We added programmatic interfaces such as a RESTful API and PowerShell commands, and expanded the supported operating systems, server products and browser versions based on customer input.

Additionally, we’re very proud about some of the innovations introduced in this product version, in the areas of Security (privileged identity management), Hybrid identity management, new self-service capabilities, and new certificate management experiences.

For more extensive information about Microsoft Identity Management features and themes, check out previous posts in this blog: here, here, here, and here.

Great news for Windows 10 users! Microsoft Identity Manager not only adds experiences for Windows 10, but actually it has greater value for you, because it leverages the intrinsic Windows Server 2016 new Active Directory capabilities: time-limited group memberships and foreign principal groups.”

And as a reminder:

Also take a look at the updated licensing scheme for FIM and MIM 2016.

Note-to-self: Identity manager resources at the TechNet Evaluation Center

Source: http://aka.ms/IdentityManagerEval aka http://www.microsoft.com/en-us/evalcenter/search?k=identity%20manager&p=&a=&s=&r=&so=

Head over to the TechNet Evaluation center to find some interesting resources on Identity Manager….