19 January 2011 06:00
I have a scenario where we have a single forest with two domains in it: a parent domain (e.g. test.com) and a child domain (testcdc.com). The requirement is that whenever data (i.e. a particular attribute, or a couple of attributes) from the authoritative source (SAP) changes, the user needs to be moved by FIM 2010 from the parent to the child domain (i.e. movement across domains).
I have tried the following options:
1. Used a single Management Agent (MA) for both DCs (parent and child) and established a simple sync rule wherein, using IIF, if the particular attribute value changes then the DN value changes, i.e. IIF Dept = Finance then DN = OU=testfinance,DC=test,DC=com (the DN for the parent domain), else DN = OU=testfinancecdc,DC=testcdc,DC=test,DC=com (the DN for the child domain). Things are fine until I do a Full Sync from the FIM MA, which indicates I have the Provisioning Rename to be done for the user (i.e. if the user is in the parent domain and the user attribute has changed, then in the next cycle ideally the user should move to the child domain), but when I do an export it gives me the errors "invalid-dn" and "Cross Domain Move Requested" and the user movement doesn't occur.
Thus my primary query is: can FIM do the user movement from one domain to another if they are in a single forest?
Are my settings/configurations right, or maybe I am missing something? I chose to use a single MA for both domains in the single forest because it has been mentioned in forums here that it is always desired to have a single MA for a single forest irrespective of the number of domains in it.
2. The second option that I've tried is that I created two MAs (one for the parent and the other for the child domain). For the case of user movement, what happens here is: if the user who is residing in the parent domain has an attribute change such that the user has to be moved to the child domain, then in this scenario I disconnect the user from FIM, i.e. I chose the Disconnect option in my sync rule for the parent domain, and also make the parent domain MA an explicit disconnector. Thus in this case the user from the parent domain gets totally disconnected from FIM, and instead of user movement the user is created as a new user in the child domain. Thus for the case of user movement, what I have in the end is two entries for the same user, in the parent and child domains; FIM gets totally disconnected from the parent domain user, and all future requests from FIM go to the child domain user entry.
My organisation doesn't wish to delete users from the ADs, thus I get two entries for the same user.
I would like to ask: is this the only option in FIM (disconnect the user from one domain and create the same user entry in the child domain) if user movement across domains needs to be handled? By this option I assume the user's password, his connection to the mailbox, and his group membership would also be affected. Correct me in my above assumption if I'm wrong.
Request your replies,
Thanks in Advance
19 January 2011 10:32
This is not something that FIM is really designed to do. I think you're better off looking at ADMT so you can retain passwords and profiles during the migration. What you could do with FIM is set a flag of some sort on the user account indicating that it should be migrated, then perhaps you could have an overnight scheduled task which runs ADMT against flagged accounts. This will have the extra benefit of only moving accounts at an expected time.
- Marked as answer by Markus Vilcinskas (Microsoft Employee, Owner) 14 February 2011 18:06
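One way to build the "flag in FIM, migrate overnight" design the answer describes, as an added example that is not part of the thread or of any Microsoft sample. It assumes FIM flows the string "migrate" into extensionAttribute1 on the source-domain account, that ADMT is installed on the host running the scheduled task, and that the ADMT USER include-file (/F) and target-OU (/TO) switches behave as the ADMT command-line documentation describes; domain names and OU are the ones from the question.

```powershell
# Added example (not from the thread): nightly task that picks up accounts
# FIM flagged for migration and hands them to ADMT in one batch.
# Assumptions: FIM writes "migrate" into extensionAttribute1; ADMT is installed
# here; ADMT USER /F (include file) and /TO (target OU) are as documented.
Import-Module ActiveDirectory

$SourceDomain = 'test.com'           # parent domain (from the question)
$TargetDomain = 'testcdc.test.com'   # child domain (from the question)
$TargetOU     = 'OU=testfinancecdc,DC=testcdc,DC=test,DC=com'
$FlagAttr     = 'extensionAttribute1'   # assumed flag attribute
$IncludeFile  = 'C:\admt\flagged-users.txt'
$LogFile      = 'C:\admt\migration-{0:yyyyMMdd}.log' -f (Get-Date)

# 1. Collect the accounts FIM flagged in the source domain.
$flagged = Get-ADUser -Server $SourceDomain -Filter "$FlagAttr -eq 'migrate'" -Properties $FlagAttr

# 2. Skip anyone who already exists in the target domain (this is the duplicate
#    account the question ends up with) and write the rest to the include file.
$toMove = foreach ($u in $flagged) {
    $sam = $u.SamAccountName
    $exists = Get-ADUser -Server $TargetDomain -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($exists) { "$sam already exists in $TargetDomain, skipping" | Add-Content $LogFile }
    else { $u }
}
if (-not $toMove) { 'Nothing to migrate tonight' | Add-Content $LogFile; return }
$toMove | ForEach-Object { $_.SamAccountName } | Set-Content $IncludeFile

# 3. Run ADMT once for the whole batch so passwords, SIDs and profiles are
#    handled by ADMT rather than by a FIM provisioning rename.
& admt.exe USER /F:"$IncludeFile" /SD:"$SourceDomain" /TD:"$TargetDomain" /TO:"$TargetOU" 2>&1 |
    Add-Content $LogFile

# 4. Clear the flag only for accounts that now exist in the target domain, so a
#    failed move is retried next night and a successful one is not repeated.
foreach ($u in $toMove) {
    $sam = $u.SamAccountName
    if (Get-ADUser -Server $TargetDomain -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        Set-ADUser -Server $SourceDomain -Identity $u.DistinguishedName -Clear $FlagAttr
        "$sam moved to $TargetDomain, flag cleared" | Add-Content $LogFile
    } else {
        "$sam NOT found in $TargetDomain after ADMT run, flag kept for retry" | Add-Content $LogFile
    }
}
```

Run it under an account that has ADMT migration rights in both domains, and review the log after the first night before trusting the flag-clearing step.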
12 June 2012 08:17
I am also looking for such a solution, but for password synchronization.
We have two domains, abc.com and xyz.com, where we have created a trust relationship between these two forests. Now I want to copy the same user object with the same password from abc.com to xyz.com, and whenever a user or administrator changes the password in abc.com it should be synced automatically with xyz.com as well.
Could you please tell me how I can achieve this through FIM 2010? I can create MAs for both domains in FIM Manager.
12 June 2012 17:27 Moderator
16 July 2012 18:13
Hi, if anyone can help me out with this...
I am trying to provision users from one forest A to forest B with password synchronization. FIM 2010 installed in Forest A needs to provision users to Forest B.
First I created the MA, sets and MPRs by following this Microsoft procedure http://technet.microsoft.com/en-us/library/ff686263%28WS.10%29.aspx. I am able to provision users to forest B when I create users manually in the FIM portal.
After that I configured the inbound policy and MAs to provision users from AD DS (Forest A) to FIM 2010, and succeeded.
As per this configuration, I thought if I create a new user in Forest A AD DS then FIM 2010 will move the resource identity to Forest B, but it doesn't work.
Both inbound and outbound synchronization rules work individually for both forests, but they don't work together.
I hope this explanation is enough for you to understand my scenario and requirement. My ultimate target is to provision users from Forest A to Forest B using FIM 2010, and whenever a user's password changes in Forest A it should sync the same password to Forest B so they don't need to remember different passwords.
Your response will be highly appreciated.