How to Automatically Synchronize FIM 2010 from AD DS

  • Question

  • Hello there,

    I have enabled AD DS Users inbound synchronization to FIM 2010. I am currently using the Self-Service Password Reset functionality, which is working great.

    My question is: is it possible to sync FIM from AD DS automatically? At the moment I have to run the "Run Profiles" manually in order to import the new users from AD DS into FIM.

    Is there any way to make it auto-sync?

    Please help me in this regard.

    Thanks 


    Network Engineer
    • Edited by Fahad Afzal Monday, August 9, 2010 7:16 AM mistake
    Monday, August 9, 2010 7:04 AM

Answers

  • hi Fahad,

    this post describes how to automate / schedule run profiles. If you have any further questions let me know

    /Matthias 

     

    • Marked as answer by Fahad Afzal Wednesday, August 11, 2010 10:54 AM
    Monday, August 9, 2010 10:40 AM
  •  

    I successfully exported the run profiles and am calling them from a batch file in the specific order required for synchronization. I pasted the code below:

    rem AD MA: pick up changes from AD DS and synchronize them into the metaverse
    cscript C:\scripts\ADMA_Delta_Import.vbs
    cscript C:\scripts\ADMA_Delta_Sync.vbs
    rem FIM MA: export the results to the FIM Service, then confirm them with a delta import
    cscript C:\scripts\FIMMA_Export.vbs
    cscript C:\scripts\FIMMA_Delta_Import.vbs

    Can I associate the batch file with the log entry for creating a new user object in Active Directory, i.e. Event ID 5137?

    Please tell me the way to do it.

    Thanks


    Network Engineer
    • Marked as answer by Fahad Afzal Thursday, August 12, 2010 9:40 AM
    Wednesday, August 11, 2010 11:01 AM

All replies

  • hi Fahad,

    what exactly do you want to achieve?

    Each time the ADMA creates a new Active Directory user, create an Event Log entry similar to EventID 5137?

    Have a separate log file in place which logs Active Directory user account creation via the ADMA?

    Isn't it sufficient to have the FIM SE run history in place? Within the history you can track how many users have been created during a single management agent run, and so on.

    /Matthias

     

    Wednesday, August 11, 2010 11:48 AM
  •  

    Hi Matthias

    Actually my primary goal is to automate the inbound synchronization process on FIM for AD DS. So far, I have created a batch file which calls all the "Run Profiles" as mentioned in my last post.

    Now the question is how to run this batch file automatically. There are two ways to automate synchronization:

    1. Schedule the batch file to run every 30 minutes or an hour.
    2. Run the batch file only if a new user object is created/deleted in Active Directory.

    Option 2 looks more accurate, if it is possible.

    In conclusion, I want to know how to run the batch file automatically for synchronization only if a user object is created or deleted in Active Directory.


    Network Engineer
    Thursday, August 12, 2010 9:38 AM
  • Hi Fahad,

     

    the nature of FIM 2010 Management Agents is that they are "agentless", which means there is no Management Agent component running on the connected source system – in your case Active Directory – that could catch an event like "New User Creation" and trigger an MA run.

     

    For that reason you should schedule management agent runs with the Windows Task Scheduler or similar tools, or look for options within the source system to trigger the MA run.

     

    In the case of Active Directory there might be a smart option, if you're running Active Directory on Windows 2008 DCs:

    • On Windows 2008 DCs you can attach a task to a given log entry and execute a program.

    However, there are some challenges with this approach:

    • This configuration must be implemented on each DC in your environment.
    • You have to start the MAs from a remote system (your DC(s)), which means you have to adapt the .vbs files and point the WMI connection not at the local computer but at the remote FIM server.
    • You have to implement additional logic to check whether an MA run is in progress and needs to be rescheduled (a sample script can be found in this or the Identity Lifecycle Manager forum).

    BTW: You should ask whether you really have to deliver a service level that publishes AD accounts in the FIM portal immediately, or whether it's sufficient to have e.g. a 30 minute delay.

     

    /Matthias

     

     

    Thursday, August 12, 2010 10:28 AM
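    The three points above (run the MAs remotely over WMI from the DC, check whether an MA is still in progress, and attach a task to the 5137 log entry) can be covered by one script. The following is an added example, not code from the thread or from Microsoft; it replaces the four exported .vbs files with a single PowerShell script that runs the same four run profiles in the same order against a remote FIM Synchronization Service host. All names in it are assumptions: the sync host FIMSYNC01, the MA names ADMA and FIMMA (as in the batch file above), the default run profile names, and the service account. The account the task runs under must be a member of the sync server's FIMSyncOperators (or FIMSyncAdmins) group and be allowed to reach it over DCOM.

```powershell
# Run-FimSync.ps1 -- added example, not from the original thread.
# Runs the AD -> FIM sync sequence from a DC against a remote FIM Sync host over WMI,
# serialising the runs and refusing to start an MA that is still busy.
param(
    [string]$SyncServer    = "FIMSYNC01",   # assumed FIM Synchronization Service host
    [int]   $SettleSeconds = 60,            # let the new object replicate to the DC the ADMA reads from
    [int]   $BusyTimeout   = 900            # max seconds to wait for an in-progress run
)

$Namespace = "root\MicrosoftIdentityIntegrationServer"

# Same order as the batch file in the thread: AD delta import -> AD delta sync ->
# FIM export -> FIM delta import (confirming import). Profile names are assumed.
$Sequence = @(
    @{ MA = "ADMA";  Profile = "Delta Import" },
    @{ MA = "ADMA";  Profile = "Delta Synchronization" },
    @{ MA = "FIMMA"; Profile = "Export" },
    @{ MA = "FIMMA"; Profile = "Delta Import" }
)

function Get-MA([string]$Name) {
    # PacketPrivacy matches the authenticationLevel the exported .vbs scripts use.
    $ma = Get-WmiObject -ComputerName $SyncServer -Namespace $Namespace `
                        -Authentication PacketPrivacy `
                        -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found on $SyncServer" }
    return $ma
}

# MIIS_ManagementAgent.RunStatus() returns "in-progress" while a run profile is
# executing; anything else means the MA is idle and may be started.
function Wait-MAIdle([string]$Name) {
    $deadline = (Get-Date).AddSeconds($BusyTimeout)
    while ((Get-MA $Name).RunStatus().ReturnValue -eq "in-progress") {
        if ((Get-Date) -gt $deadline) { throw "$Name still in progress after $BusyTimeout s" }
        Start-Sleep -Seconds 15
    }
}

# Execute() blocks until the run profile finishes and returns the run result string.
function Invoke-RunProfile([string]$Name, [string]$Profile) {
    Wait-MAIdle $Name
    $result = (Get-MA $Name).Execute($Profile).ReturnValue
    Write-Output ("{0:s} {1} / {2} : {3}" -f (Get-Date), $Name, $Profile, $result)
    return $result
}

# Only a clean result lets the sequence continue: a failed or partial sync must not
# be followed by an export, which would push incomplete data into the FIM Service.
$Clean = @("success", "completed-no-objects")

Start-Sleep -Seconds $SettleSeconds
foreach ($step in $Sequence) {
    $r = Invoke-RunProfile $step.MA $step.Profile
    if ($Clean -notcontains $r) {
        Write-Error "Stopping sequence: $($step.MA) '$($step.Profile)' ended with '$r'"
        exit 1
    }
}
```

    To attach it to the log entry, register a task on each DC from an elevated prompt, for example: schtasks /Create /TN "FIM-Sync-On-UserCreate" /SC ONEVENT /EC Security /MO "*[System[EventID=5137]] and *[EventData[Data[@Name='ObjectClass']='user']]" /TR "powershell.exe -NonInteractive -File C:\scripts\Run-FimSync.ps1" /RU CORP\svc-fimrun /RP * /RL HIGHEST (task name, path and account are assumptions). The EventData clause matters: 5137 is logged for every directory object class, so without it a new group, OU or computer would also start a sync. Two caveats: 5137 is only generated when the "Directory Service Changes" audit subcategory is enabled and the OU's SACL has a success audit entry for creating child objects; and the SettleSeconds delay is there because the creation is audited on the DC that handled it, which is not necessarily the DC the ADMA imports from, so an immediate delta import can miss the object and only pick it up on the next trigger.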
  •  

    Thank you Matthias!

    What you said is very true; I also want to trigger my batch file with EventID 5137, which is defined for creating a new user object in AD DS.

    I am trying to approach the same thing. Currently I am having some issues generating event ID 5137, but event ID 5136 is showing up, which is for modifying a user object.

    Once EventID 5137 starts logging, I will work on it and get back to the post.

    Thanks again.


    Network Engineer
    Monday, August 16, 2010 9:29 AM