Symptoms

You might experience issues, in scenarios included below (but other situations might apply)

• The sync engine, on an AD Import, sees the previously deleted AD account as a member of the group as CN=...\0ADEL:<someGUID>,CN=Deleted Objects,DC...
• Sync run profiles fail with missing attributes
• The sync engine imports data from the CN=Deleted Objects container
•  exported-change-not-reimported errors on two security groups managed by FIM
  • See: Forum: Forum: FIM to AD Group Synchronization: exported-change-not-reimported by   Thomas Vuylsteke [MSFT]

Known Issue

This is a known issue with Windows 2008 R2 domain controllers.

Caution
Since September 2013, the Windows Server 2008 R2 service pack is out of support (Windows 2008 R2 mainstream support ended in 2015). More info here: https://support.microsoft.com/en-us/lifecycle/search?alpha=Windows%20Server%202008%20R2

Fix

Windows DC

Make sure to apply the KB 979214 patch to your ADDS DC.

As mentioned before Windows Server 2008 (+R2) is out of support, you will not be able to download the hotfix anymore.

Essentially the only solution is to upgrade to Windows Server 2012 or better Windows Server 2016.

FIM2010

Prerequisite

Minimum AD DC patch level for the AD.

Hotfix

As of hotfix rollup package (build 4.0.3573.2) for Forefront Identity Manager 2010, this should be handled

https://support.microsoft.com/en-us/help/2417774/a-hotfix-rollup-package-build-4.0.3573.2-is-available-for-forefront-identity-manager-2010

"Issue 2

You receive some staging errors in a delta import in the recycle bin on a computer that is running Windows Server 2008 R2.

Issue 3

Assume that the recycle bin is enabled in the AD and that FIM is authoritative for groups and users. In this situation, deleted users result in an “exported-change-not-reimported” error message for the groups in which the user is a member."

Possible Workarounds

In the forum posts (see References section below), you'll find some suggestions to work around the problem.

FIM2010/MIM 2016

AD MA Account

Remove the Domain Admin permissions from the AD MA account.

FIM/MIM Sync Ou selection

Exclude the CN=Deleted Objects,DC=<domain>, DC=<suffix> from the AD container Selection

(Next, disable provisioning, run the full imports, full sync again. Then re-activate Provisioning, and run the full import, next full sync)

Filtering

You could try to filter the objects from the CN=Deleted Objects container. But when you use a simple import filter to check if the dn contains the "CN=Deleted Objects" container, the filter is only applied after import, which does not solve the import errors.

You could also try to use an declared import filter, to block the MA from importing the AD data, but this is a quick and dirty fix for a problem that should be fixed on the AD side.

References

• Forum: AD MA cd-error on deleted users as previous Group members:
• Forum: FIM 2010 Update 1 support for 2008 R2 recycle bin feature
• Forum: References
  • Forum: AD MA cd-error on deleted users as previous Group members:
  • Forum: FIM 2010 R2 Sp1, Windows 2008 R2 SP1 and Recycle Bin issues by Shim Kwan
  • Forum: Forum: FIM to AD Group Synchronization: exported-change-not-reimported

  ---