Syncing AD Users to FIM 2010

  • Question

I'm setting up FIM in a test lab. I've never known such a tasking solution to get working. I've followed every technet article under the sun trying to get FIM to sync users from AD into the Identity Management portal. I'm totally frustrated by the product. I just can't get it to work.

    Can anyone point me to an idiot's guide to getting the synch working? I'm sure it can't be as hard as MS seem to make it out to be.

    Cheers

    Wednesday, May 23, 2012 10:12 AM

Answers

I set attribute flows on the ADMA as well as the FIMMA and the issue has been resolved. Should I be setting attribute flows here, as the documentation doesn't seem to suggest so?
    Thursday, May 24, 2012 12:22 PM
  • Have you been following any particular documentation? I've found some of Microsoft's doco to be horrendously confusing, especially as their common walk throughs mix classic provisioning (the attribute flows you've been setting up) with the newer synchronization rule provisioning (e.g. http://social.technet.microsoft.com/wiki/contents/articles/648.how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx walks you through using a Synchronization Rule to import data from AD rather than attribute flows). I personally prefer the classic provisioning for inbound data, we only use Synchronization Rules for outbound data flows, but it's really up to you.

    So the short answer is yes, you can set attribute flows for the AD MA if you want to, OR you can set up those attribute flows in a Synchronization Rule that you create through the FIM Portal (as in the Microsoft doco). In that instance, you'll need to make sure you do an import and sync for the FIM MA first (i.e. before you do anything with the AD MA), to get that Synchronization Rule into the metaverse. Either way, there needs to be something in place to pull attributes in from Active Directory for your user accounts, otherwise there will be no data to export to FIM.

    Thursday, May 24, 2012 10:57 PM

All replies

  • I'm going to check this out and see if it helps.

    http://technet.microsoft.com/en-us/forefront/ff182885.aspx

    Wednesday, May 23, 2012 10:38 AM
  • No help at all. Anyone?
    Wednesday, May 23, 2012 12:23 PM
  • Hi,

    Do you have any errors? I'm willing to help you, but I don't know where you're standing right now. What part is configured? Etc...

As far as I can see, the video you linked provides some good instructions on how to sync the users. FIM can be fairly complicated if you see it for the first time, but once you get the hang of it, it'll be worth the effort :)!

    Best regards,
    Pieter.


    Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

    Wednesday, May 23, 2012 12:39 PM
I've gone through the creation of the MAs in the Sync Service and followed the steps laid out in the video. I'm not sure which step of the video would sync users from AD into FIM. Is it by running these agents? I have configured all the Attribute Flows, which I assume state what should be imported/exported, and I assume that the ADFMA is run to import from AD to FIM and the FIMMA from FIM to AD?

    I get an error when exporting from the FIMMA - 

    There is an error executing a web service object modification request. 
    Type: Microsoft.ResourceManagement.WebServices.Client.UnwillingToPerformException 

    Message: Fault Reason: The endpoint could not dispatch the request.

    I don't get any errors when running the ADMA.

Are there any other FIM-specific logs I can check to investigate?

    Thanks for any help

    Wednesday, May 23, 2012 12:50 PM
  • You are correct to assume that running the agents exports data:

    ADMA -> Full Import and Full Sync -> Imports data from AD and prepares to export the data to the FIM Portal

    FIMMA -> Export -> Exports the data to the FIM Portal

FIMMA -> Full Import and Full Sync -> Imports data from the FIM Portal and prepares to export the data to Active Directory (if the FIM Portal calculates that the user should be created in AD).

    ADMA -> Export -> Exports the user to Active Directory.

    Some questions:

    • What attribute flows have you set on the FIMMA? (03:17 of the video).
    • What connection information have you set on the FIMMA? (connect to database page of the same dialog).

    Best regards,
    Pieter.


    Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

    Wednesday, May 23, 2012 1:20 PM
  • What attribute flows have you set on the FIMMA? (see below)

    What connection information have you set on the FIMMA? Server: . Database: FIMSERVICE FIM Service base address: http://localhost:5725 then using Windows Authentication using the FIMMA account.  

I did try a moment ago and got some success. Some users were imported, but every user field was blank, e.g. displayName etc.

    Wednesday, May 23, 2012 1:38 PM
  • If you look at your user accounts in the metaverse, are those attributes populated? (accountName, displayName etc). When we were setting up FIM for the first time we ran into similar issues, and it turned out to be that the attributes weren't actually being imported from AD to the metaverse (some due to attribute precedence being set up incorrectly, some due to populating a different attribute than we were actually exporting). 

    Also, when you're doing the 'synchronization' step of the AD MA, you should be seeing 'Pending Exports' for the FIM MA. If you open up the Properties window for those, it will show you what details are going to be exported to FIM. From that, it should give you an idea of what attributes are there and what's missing.

    The 'UnwillingToPerformException' is thrown for a lot of reasons, things like missing necessary attributes, exporting two objects with the same accountName (AccountName must be unique in FIM) etc. The actual stack trace shown in the details window might help track down what's actually happening.

    I've found FIM to have a crazily steep learning curve, but like Pieter said, it's worth the effort :).

    Thursday, May 24, 2012 1:04 AM
Excellent. Cheers. I had followed that doc as well and I agree the Microsoft docs are extremely confusing. My only error at the mo is that I cannot get lastname to sync from the sn value. I will investigate myself. One further question however - can you schedule the sync from AD to FIM so that FIM is up-to-date with newly created users rather than manually running the MAs?

    Thanks

    Friday, May 25, 2012 9:17 AM
You can definitely schedule them to run, but it's not something you can set up through FIM itself (strangely enough... I would have thought that would be a built-in feature myself). We use a PowerShell script (a customised version of the one posted here: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/c7e204be-05b4-40e1-bf95-e0191a76ece3). Instead of having it run a certain number of times like the example script, we have it run only once and set it up as a task in Windows Task Scheduler to run on a schedule.
    Saturday, May 26, 2012 1:00 AM
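The run order Pieter lists earlier in the thread (ADMA import and sync, FIMMA export, FIMMA import and sync, ADMA export) and the run-once-then-schedule approach described in the reply above can be combined in a single script. The following is an added example written for this page; it is not the script linked above, nor anything shipped with FIM. It assumes the MA names ADMA and FIMMA used in this thread and run profiles named 'Full Import', 'Full Synchronization' and 'Export' (edit $Steps to match what you created), and it drives the Synchronization Service through the MIIS_ManagementAgent WMI class in the root\MicrosoftIdentityIntegrationServer namespace.

```powershell
# Added example (not the thread's script): run the FIM run profiles in the order
# described in this thread once, then exit, so Task Scheduler can repeat it.
# Assumptions: MA names 'ADMA' and 'FIMMA' (as used in the thread) and run
# profiles named 'Full Import', 'Full Synchronization' and 'Export' exist;
# edit $Steps to match the names you created in the Synchronization Service.

param(
    [string]$SyncServer = '.',                                   # Sync Service host
    [string]$LogPath    = "$env:ProgramData\FIMRunProfiles.log"  # audit trail of runs
)

$Namespace = 'root\MicrosoftIdentityIntegrationServer'   # Sync Service WMI namespace

# Order matters: data must be imported and synchronized into the metaverse before
# the matching export has anything to send. After the initial load, swap the Full
# profiles for Delta ones to keep scheduled runs short.
$Steps = @(
    @{ MA = 'ADMA';  Profile = 'Full Import' },
    @{ MA = 'ADMA';  Profile = 'Full Synchronization' },
    @{ MA = 'FIMMA'; Profile = 'Export' },
    @{ MA = 'FIMMA'; Profile = 'Full Import' },
    @{ MA = 'FIMMA'; Profile = 'Full Synchronization' },
    @{ MA = 'ADMA';  Profile = 'Export' }
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)
    $ma = Get-WmiObject -ComputerName $SyncServer -Namespace $Namespace `
                        -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found on $SyncServer" }
    Write-Log "Starting $MaName / $ProfileName"
    $result = $ma.Execute($ProfileName)          # blocks until the run completes
    Write-Log "Finished $MaName / $ProfileName -> $($result.ReturnValue)"
    return $result.ReturnValue
}

# A named mutex keeps two scheduled instances from overlapping; the Sync Service
# refuses to start a profile on an MA that is already running anyway.
$mutex    = New-Object System.Threading.Mutex($false, 'Global\FIMRunProfiles')
$exitCode = 0
if (-not $mutex.WaitOne(0)) {
    Write-Log 'Previous run still in progress; skipping this cycle'
    exit 0
}
try {
    foreach ($step in $Steps) {
        $rc = Invoke-RunProfile -MaName $step.MA -ProfileName $step.Profile
        # Stop at the first step that is not a clean 'success' (for example
        # 'completed-export-errors'), so a failed import is never followed by an
        # export of incomplete data; the log names the step to inspect in the
        # Synchronization Service Manager's Operations view.
        if ($rc -ne 'success') {
            Write-Log "Stopping: $($step.MA) / $($step.Profile) returned '$rc'"
            $exitCode = 1
            break
        }
    }
}
catch {
    Write-Log "Error: $($_.Exception.Message)"
    $exitCode = 2
}
finally {
    $mutex.ReleaseMutex() | Out-Null
}
exit $exitCode
```

Save it as, say, C:\Scripts\Run-FimProfiles.ps1 and register it with a plain schtasks command, for example `schtasks /Create /TN "FIM Run Profiles" /SC MINUTE /MO 30 /RU "DOMAIN\svc-fimsync" /RP * /TR "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Run-FimProfiles.ps1"` (the account and path are placeholders). The account only needs membership of the local FIMSyncOperators group on the Sync Service host, which is enough to run management agents without granting the FIMSyncAdmins rights needed to change MA configuration, and the non-zero exit code lets Task Scheduler's history, or whatever monitors it, flag a cycle that stopped early.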
  • Nikki,

    Thanks for your help.


    Saturday, May 26, 2012 9:34 PM