provisioning in cross forest

    Question

  • Hi,

    There is one forest, say abc. In that forest there may be some domains like abc.uk.com, abc.am.com etc. Each domain has a separate AD to create the users.
    FIM needs to monitor the users OU in each domain; when a new user is created by any domain team, FIM will then create a corresponding linked account in the new resource forest. The new resource forest will have Exchange, AD and Lync. Can anyone please suggest about this scenario, as I have not implemented FIM in any forest.

    Can we synchronize users from one forest to another forest? If yes, how to do it?
    Can we do the provisioning of mailbox, AD and Lync (Forest B) for a user which is in Forest A? If yes, how to do it? Is there any document for it?

    Any other important thing which we should know from the client?

    Thanks in Advance.

    Harry

    Wednesday, January 09, 2013 7:01 AM

Answers

All replies

  • Hi Harry

    This is very much possible.

    please have a look at the following link

    http://technet.microsoft.com/en-us/library/ff721965(v=ws.10).aspx

    Hope this helps.

    Wednesday, January 09, 2013 7:45 AM
  • Thanks

    One more question: can we provision a user from AD 1 to AD 2 with the same SID? Means if in AD 1 a user has SID "S-1234-abc", then can we provision the same user from AD 1 to AD 2 with the same SID?

    Thanks  

    Wednesday, January 09, 2013 10:52 AM
  • I would never suggest that. I don't know if it is doable or not, but it's in no way recommended.

    It may introduce serious problems to your AD if you end up with duplicate SIDs in the same AD.

    Wednesday, January 09, 2013 11:15 AM
  • Hi

    I asked the same question last week. http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/4d323846-35f7-445b-8070-b21ea50fbf41

    I assume this is for an exchange resource forest or something similar.

    I think FIM provisions new users using PowerShell to your CAS servers (Exchange 2010), thus creating the disabled linked AD accounts as you would manually.

    However, finding documentation on this is proving to be hard.

    If you read the link above, expert advice is probably wise.

    If FIM, users and Exchange are in the same forest then this seems to be an almost out-of-the-box feature and is documented; if it's cross-forest then documentation is limited.

    I did find this for Lync and FIM for cross forest. http://technet.microsoft.com/en-us/library/gg670889(v=ocs.14).aspx

    Unfortunately there isn't a corresponding document for Exchange.


    • Edited by snips1973 Wednesday, January 09, 2013 1:46 PM
    Wednesday, January 09, 2013 1:45 PM
  • Thanks

    One more question: can we provision a user from AD 1 to AD 2 with the same SID? Means if in AD 1 a user has SID "S-1234-abc", then can we provision the same user from AD 1 to AD 2 with the same SID?

    Thanks  

    No, you cannot. SID generation is a protected function of the domain, plus the SID itself is a function of the domain's SID.

    If you want the user in AD-2 to inherit the identity of the user in AD-1, you'd want to look at using SID history. This would require a custom workflow or XMA to call the APIs, though.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Saturday, January 12, 2013 5:35 AM
    Moderator
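The moderator's point that "the SID itself is a function of the domain's SID" is easy to see once a SID is split into its parts. The following Python is an added example, not code from the thread or from FIM: it parses a SID into its domain identifier and RID, shows why an objectSid minted in AD 1 can never be the objectSid of an object in AD 2, and runs a small consistency check of the kind an identity engineer would use when reviewing a provisioned linked account (objectSid issued by the target domain, source identity carried only in sidHistory). All SIDs, the domain names and the function names here are constructed for the example; the value "S-1234-abc" from the question is included to show it is not a well-formed SID at all.

```python
"""Added example (not from the forum thread): SID structure and a review check
for cross-forest provisioned accounts.  Every SID below is constructed."""
import re

# A SID is S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
_MAX_SUB_AUTHORITY = 0xFFFFFFFF  # sub-authorities are 32-bit values


def parse_sid(text):
    """Return (identifier authority, tuple of sub-authorities); ValueError if malformed."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("not a well-formed SID: %r" % (text,))
    subs = tuple(int(p) for p in m.group(2).split("-")[1:])
    if any(s > _MAX_SUB_AUTHORITY for s in subs):
        raise ValueError("sub-authority out of 32-bit range in %r" % (text,))
    return int(m.group(1)), subs


def is_domain_account_sid(text):
    """True for S-1-5-21-<d1>-<d2>-<d3>-<RID>, i.e. a SID issued by a domain."""
    auth, subs = parse_sid(text)
    return auth == 5 and len(subs) == 5 and subs[0] == 21


def split_domain_sid(text):
    """Split a domain account SID into (domain SID, RID).

    The domain SID is the part the domain controller fixes for every object it
    creates; only the trailing RID is allocated per object.  That is why an
    object created in another domain cannot carry this SID as its objectSid."""
    if not is_domain_account_sid(text):
        raise ValueError("not a domain account SID: %r" % (text,))
    auth, subs = parse_sid(text)
    domain_sid = "S-1-%d-%s" % (auth, "-".join(str(s) for s in subs[:4]))
    return domain_sid, subs[4]


def review_linked_account(source_sid, target_sid, target_domain_sid, target_sid_history=()):
    """Consistency check for an account provisioned into a resource forest.

    Returns a list of findings (empty means consistent): the target objectSid
    must be issued by the target domain, must not simply reuse the source SID,
    and the source identity, if it is to be inherited, belongs in sidHistory."""
    findings = []
    src_domain, _ = split_domain_sid(source_sid)
    tgt_domain, _ = split_domain_sid(target_sid)
    if tgt_domain != target_domain_sid:
        findings.append("objectSid %s was not issued by target domain %s"
                        % (target_sid, target_domain_sid))
    if source_sid == target_sid:
        findings.append("duplicate SID: source objectSid reused as target objectSid")
    if src_domain == target_domain_sid:
        findings.append("source SID belongs to the target domain; expected a different forest")
    if source_sid not in target_sid_history:
        findings.append("source SID %s not in sidHistory; identity is not inherited" % source_sid)
    return findings


# Constructed sample data: account forest (AD 1) and resource forest (AD 2).
SOURCE_DOMAIN_SID = "S-1-5-21-1001-2002-3003"   # constructed, not a real domain
TARGET_DOMAIN_SID = "S-1-5-21-4004-5005-6006"   # constructed, not a real domain
SOURCE_USER_SID = SOURCE_DOMAIN_SID + "-1105"    # user in AD 1
TARGET_USER_SID = TARGET_DOMAIN_SID + "-1210"    # linked account FIM creates in AD 2


if __name__ == "__main__":
    print("source splits into", split_domain_sid(SOURCE_USER_SID))
    print("target splits into", split_domain_sid(TARGET_USER_SID))
    # Identity carried via sidHistory: consistent.
    print("with sidHistory:", review_linked_account(
        SOURCE_USER_SID, TARGET_USER_SID, TARGET_DOMAIN_SID, (SOURCE_USER_SID,)))
    # Attempt to reuse the AD 1 SID as the AD 2 objectSid: flagged.
    print("same SID reused:", review_linked_account(
        SOURCE_USER_SID, SOURCE_USER_SID, TARGET_DOMAIN_SID))
    try:
        parse_sid("S-1234-abc")  # the value quoted in the question
    except ValueError as exc:
        print("question's example SID:", exc)
```

Reading a real object's objectSid and sidHistory attributes from the directory is left out on purpose; the check operates on the string form these attributes are usually displayed in, so the output of any directory query tool can be fed into `review_linked_account` as-is.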