FIM Sync without installing an agent on source forest

  • Monday, February 18, 2013 1:22 PM

     I have 2 separate forests (A, account domain & B, resource) with no trusts. I've used a CSVDE export from A and imported basic user account information (name, email and logon) in B.

    I have full control over domain B, but none over domain A (I have a mandate to reduce/avoid any major changes to domain A).

    Is it possible to use FIM 2010 to do an account sync from domain A to B? If so, what's the best way to achieve this whilst making the smallest possible changes to domain A?

    Thanks 

All Replies

  • Monday, February 18, 2013 1:52 PM
     Answered

    This requires an account to be created in domain A and granting it the read permissions that are required for the MA to work:

    http://technet.microsoft.com/en-us/library/cc720599(v=ws.10).aspx

    This is the only change required to make it work. 


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

  • Monday, February 18, 2013 8:32 PM

    Cheers Tomasz,

    The account and permissions are not a problem. However, do I need to open firewall ports or require, say, VPN connectivity between domains?

    What does FIM use to match user accounts - I'm guessing a unique field such as upn?

    Thanks

  • Tuesday, February 19, 2013 3:48 PM
     Answered

    Hi,

    Some things you need to go into in detail:

    Do not underestimate FIM 2010 R2; it can probably do the work you want it to do, but as you do not have a mandate on the "A" forest, your problem will be in having to ask the guys managing forest A for a user with access, the right to query for changes and so on. Be sure that's OK before you even start thinking of using FIM.

    Make sure you discuss the design with the stakeholders (e.g. will you delete groups and users in forest B if these are deleted in A? Will you move the objects in the OU structure if these are moved in forest A? And so on).

    Make a design first, and try to have an answer to all the questions before starting technically, or you'll risk being stuck at 70% of the implementation.

    Regards,
    David

  • Tuesday, February 26, 2013 10:35 PM
    If anyone needs to do this, it is possible - you can use a CSVDE export as a connected data source, then use a FIM MA to import the data and sync - using a unique attribute such as the SID for the anchor attribute is the way forward.
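As an added example (not code from this thread or from FIM), the join the last post describes can be sanity-checked offline in Python before the MA is built: parse csvde exports from both forests, decode forest A's binary objectSid into S-1-5-... form, join on it, and classify adds, updates and delete candidates (the deletion decision David raises is listed, not applied). It assumes forest B stores the source SID string in a hypothetical extensionAttribute1, and all sample rows are constructed.

```python
import csv, io, struct

def parse_csvde(text):
    """Parse a csvde export; binary attributes arrive as X'<hex>'."""
    def value(v):
        return bytes.fromhex(v[2:-1]) if v.startswith("X'") else v
    return [{k: value(v) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def sid_to_string(blob):
    """Binary SID -> S-R-A-sub... (revision, count, 48-bit big-endian
    authority, then little-endian 32-bit sub-authorities)."""
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs)))

def plan_sync(source_rows, target_rows, attrs=("sAMAccountName", "mail")):
    """Join forest A rows to forest B rows on the source SID. Adds and
    attribute updates are planned; objects missing from A are only listed
    as delete candidates, so that decision stays with the stakeholders."""
    src = {sid_to_string(r["objectSid"]): r for r in source_rows}
    tgt = {r["extensionAttribute1"]: r for r in target_rows}  # assumed attr
    plan = {"add": [], "update": [], "delete_candidates": []}
    for sid, row in src.items():
        if sid not in tgt:
            plan["add"].append(row["sAMAccountName"])
            continue
        changed = {a: row[a] for a in attrs if row[a] != tgt[sid].get(a)}
        if changed:
            plan["update"].append((row["sAMAccountName"], changed))
    plan["delete_candidates"] = [r["sAMAccountName"]
                                 for sid, r in tgt.items() if sid not in src]
    return plan

# Constructed sample exports (not real directory data). Forest B is assumed
# to hold the source SID string in extensionAttribute1 (hypothetical name).
FOREST_A_CSVDE = """\
DN,objectClass,sAMAccountName,mail,objectSid
"CN=Alice,OU=Users,DC=a,DC=example",user,alice,alice@a.example,X'010500000000000515000000010000000200000003000000E9030000'
"CN=Bob,OU=Users,DC=a,DC=example",user,bob,bob@a.example,X'010500000000000515000000010000000200000003000000EA030000'
"CN=Dana,OU=Users,DC=a,DC=example",user,dana,dana@a.example,X'010500000000000515000000010000000200000003000000EC030000'
"""
FOREST_B_CSVDE = """\
DN,objectClass,sAMAccountName,mail,extensionAttribute1
"CN=Alice,OU=Users,DC=b,DC=example",user,alice,alice@old.example,S-1-5-21-1-2-3-1001
"CN=Bob,OU=Users,DC=b,DC=example",user,bob,bob@a.example,S-1-5-21-1-2-3-1002
"CN=Carl,OU=Users,DC=b,DC=example",user,carl,carl@b.example,S-1-5-21-1-2-3-1003
"""
if __name__ == "__main__": print(plan_sync(parse_csvde(FOREST_A_CSVDE), parse_csvde(FOREST_B_CSVDE)))
```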