FIM Technet Scenario not working

  • Question

  • I've been working with FIM to determine if it will meet the operational requirements of an environment we're planning to bring online soon. I've been going through the Technet Scenarios for FIM in order to learn more about it, but I'm coming up empty on the Introduction to User and Group Management scenario (Here: http://technet.microsoft.com/en-us/library/ee534902%28WS.10%29.aspx )

    I've gone through the setup for the scenario twice and both times the users and groups are imported successfully to FIM but they don't get exported to AD. Could anyone help me figure out what I'm doing wrong or what I'm missing? Let me know what information you need and I'll do my best to supply it.

    Friday, February 4, 2011 11:40 PM

Answers

  • Steve, while that might be a solution, that's a bit blunt. I tend to avoid equal precedence as it increases complexity a lot. "If #Import Flow >1 => equal precedence" is definitely not a rule of thumb.

    You just have to decide carefully which identity source is authoritative, or "more" authoritative for a given attribute.

    A simple setup could be an environment with:

    • SQL managed by HR
    • FIM Portal
    • AD

    Whilst the SQL contains all regular users, the FIM portal is additionally used to manage external users which are not in the HR database.

    In this simple FIM -> AD Scenario it's pretty common to have both the SQL MA and the FIM MA contribute to the accountName attribute. There's absolutely no need to use equal precedence however.

    acbrown. Can you explain more precisely what you are trying to achieve? Good points to start are:

    And if things go wrong:

    http://setspn.blogspot.com
    Sunday, February 6, 2011 3:04 PM

All replies

  • I should mention that the connection status on the AD MA is showing success, but no items are being added when I perform an export.
    Friday, February 4, 2011 11:41 PM
  • Equal precedence must be set when there is more than one contributing MA to required attributes on an MV object, such as the FIM MA and AD MA.

    This can be set through the ILM Metaverse Designer for the person and group object types. For the required attributes that have an Import Flow > 1, right click each attribute and select Set Attribute Precedence, Equal Precedence.

    You can see which attributes are skipped during synchronization by selecting the objects that are updated in the Operations screen sync output report and select Preview on the Connector Space Properties screen. Any Criteria Based Groups should be excluded with an inbound sync from AD.

    Saturday, February 5, 2011 12:05 AM
  • I was attempting to explain if both scenarios are being configured in FIM at the same time..."users and groups are imported successfully to FIM but they don't get exported to AD"..., you run into a scenario where the system is provisioning users and groups through the portal as well as loading existing users and groups from AD. In this configuration, you have more than one MA contributing to the attributes for an MV object.

    A similar configuration I'm currently working with is where we have a SQL HR feed for users. In this case no equal precedence is required because HR is authoritative for user attributes to the MV and all the sync rules to AD are outbound.

    For groups however, I wanted to be able to load from AD while still being able to create new groups through the portal. For this scenario, both the FIM MA and the AD MA become authoritative for required group attributes where I needed to set equal precedence. The issue I ran into with this wasn't so much with attribute precedence, but where FIM doesn't set accountName for DLs. Therefore, I had to setup separate outbound and inbound sync rules for DLs which join on mailNickname, and SGs which join on accountName and sAMAccountName.

    Steve

    Monday, February 7, 2011 1:01 AM
  • Equal precedence has been set already as was recommended by the scenario I was working with. Still, the users and groups are not being synced to the AD environment. I can create a user in the FIMObjects folder which is being managed by the AD MA, and it is successfully Imported to the AD MA connector space. But nothing is going from the FIM Connector Space to the AD Connector space. I'll look through the articles you've linked to, Thomas.
    Monday, February 7, 2011 3:43 PM
  • Here are a few things to look for since you noted that your outbound run profiles are completing successfully. First take a look at the Provisioning tab in FIM for the user to see which rules have been applied. If your outbound AD sync rule isn't listed, then your MPR configuration, user set, or workflow may not be configured correctly to bring the AD outbound sync rule into scope to apply it.

    Secondly, if your outbound sync rule was applied, take a look at the ILM Operations screen, select the FIM MA sync profile that would have been run after your FIM MA import, and you should see an Outbound Synchronization section for the AD MA. If you created a new user through the FIM Portal prior to your run, you should see a Provisioning Adds entry for the AD MA. Select it, then in the popup screen select the AD DN of the connector space entry, make sure the DN is correct for AD, then select the entry, verify the attribute settings, select Preview. In the next screen, select Generate Preview. On the Preview screen, drill down to:

    Connector Updates -> AD <user DN> -> Export Attribute Flow -> Outbound Synchronization Rules -> AD MA <Provisioning Rule Name> Then look to see which attributes are "Skipped: Not Precedent" or "Not Applied" and that should give you a better idea of what the rule is updating.

    Steve

    Monday, February 7, 2011 10:06 PM
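As an added example (not from any poster in this thread), the following PowerShell script uses the FIM Synchronization Service WMI provider to answer the first question Steve's checklist raises: is anything actually staged for export in the AD MA connector space, or did the run "succeed" with nothing to do? The MA name `AD MA` is an assumption; run it on the sync server as a member of the FIM sync admins group.

```powershell
# Added example, not part of the original thread.
# Assumes the AD management agent is named 'AD MA'; adjust to match your setup.
$maName = 'AD MA'
$ns = 'root\MicrosoftIdentityIntegrationServer'

$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$maName'"
if (-not $ma) { throw "Management agent '$maName' not found in $ns" }

# Pending export operations in the AD connector space. If all three are zero,
# the export step is not the problem: nothing reached the AD CS, so look at the
# FIM MA sync run (sync rule scope / MPR / precedence) instead of the AD export.
$adds    = $ma.NumExportAdd().ReturnValue
$updates = $ma.NumExportUpdate().ReturnValue
$deletes = $ma.NumExportDelete().ReturnValue
"{0}: pending export adds={1} updates={2} deletes={3}" -f $maName, $adds, $updates, $deletes

# Connector vs. disconnector split for the same CS. Many disconnectors means
# objects were imported from AD but never joined or projected to the metaverse,
# which is also why nothing flows back out.
$connectors    = $ma.NumConnectors().ReturnValue
$disconnectors = $ma.NumDisconnectors().ReturnValue
"{0}: connectors={1} disconnectors={2}" -f $maName, $connectors, $disconnectors

# Outcome of the most recent run of this MA, e.g. 'success' or
# 'completed-export-errors'. 'success' with zero pending exports is exactly the
# "connection status shows success, but no items added" symptom from the thread.
$lastRun = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory -Filter "MaName='$maName'" |
           Sort-Object RunStartTime -Descending | Select-Object -First 1
if ($lastRun) {
    "last run: profile='{0}' status='{1}' started={2}" -f `
        $lastRun.RunProfile, $lastRun.RunStatus, $lastRun.RunStartTime
}
```

If the counts are zero, repeat the same check against the FIM MA after its sync profile; a non-zero provisioning count there with nothing in the AD CS points at the outbound sync rule or its MPR scope rather than at the AD MA export.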