Configure FIM 2010 R2 between domains

  • Question

  • Hi folks,

    In my other post:

    I had asked whether it was possible to perform the following actions with Microsoft Forefront Identity Manager 2010 R2.

    - If you change the password on domain A, it should synchronize to domain B;
    - If you change the password on domain B, it should not synchronize to domain A;
    - Create a user in domain A, it should be replicated to domain B;
    - Create a user in domain B, it should not be replicated to domain A;

    Dominik Trojnar informed me that it was possible by performing the following actions:

    With FIM Synchronization Service and PCNS only (no need for FIMService). In FIM Synchronization you prepare two management agents (one for each domain) and enable password synchronization on them.

    Moreover, in the agent that is connected to domain A, you create a "Projection Rule" inside the MA properties. In both agents you should create join rules that would match pre-existing accounts of the two users.

    In the domain you have to install PCNS on every DC and configure it to point to the FIM Server.

    I did some testing without much success.

    I need your help on which way, or which steps, to complete the following configuration:

    - Create a user in domain A, it should be replicated to domain B;

    Recalling that the structure of the environment is as follows:

    Domain A (;
    Domain B (;

    The customer environment has no trust relationship between the domains.

    Thanks a lot!

    Wilsterman Fernandes

    Monday, September 15, 2014 8:27 PM

All replies

  • You'll need to elaborate more on what you've actually been able to complete.

    Have you installed the Synchronization Service and created your AD management agents?

    Basically you need to do the following:

    - Create service accounts in both domain a and b

    - Create a connector for domain A, add inbound attribute flows and a projection rule for user

    - Create a connector for domain B, add outbound attribute flows

    - Create a provisioning code (MvExtension) to provision the user (

    Also, you will only need a trust if your FIM server is in a different domain to the PCNS source. For example if you put your synchronization service in domain A, you will not need a trust, however you will need to open additional firewalls between your FIM server and domain B.

    Tuesday, September 16, 2014 12:23 AM
  • Hi Cameron Zivkovic,

    Sorry for the incomplete question.

    let's go...

    The Scenario.

    - 1 Active Directory called

    - 1 Active Directory called

    - 1 SQL Server 2008 R2 SP1

    - 1 FIM Synchronization Service

    Accounts FIMMA and FIMSync created in domain

    Accounts FIMMA and FIMSync Created in domain

    I started by installing FIM Synchronization Service successfully.

    I created a new OU dedicated to being managed by FIM, FIMusers. After right-clicking the OU and running the Delegate Control wizard, I gave FIMMA:

    Create, delete, and manage user accounts; and Create, delete, and manage groups.

    After that, in Security, I assigned FIMMA the Replicating Directory Changes permission.

    I did the same process for the domain

    I initiated the creation of the AD MA. When configuring Create Management Agent for Active Directory, I got lost.

    Can you help me?

    Thanks a lot!

    Wilsterman Fernandes

    Tuesday, September 16, 2014 2:25 AM
  • So for your connector (assuming FIM is in the same domain) 

    - In the credentials page enter and the username and password for the FIMMA user account

    - In the configure directory partitions page, click on containers, select your FIM Managed OU

    - In join and projection rules, create a person -> person join rule based on sAMAccountName = accountName. Afterwards click on project, select person from the dropdown list (this is what pulls the users into FIM)

    - Skip through to attribute flows, add new import flows for person along the lines of:

      sAMAccountName -> accountName

      givenName -> givenName

      sn -> sn

      displayName -> displayName

    - Click next and finish the creation of the AD MA

    - After this you need to create run profiles to execute the import/synchronisation of users into the Metaverse

    You will follow a similar process for your domain, however instead of import flows you'd use export flows. Additionally, you would need to ensure that you do not create a projection rule within that AD MA. 

    Tuesday, September 16, 2014 2:39 AM
  • Hi Cameron Zivkovic

    Yes! Same domain.

    - 1 AD DS

    - 1 SQL Server 2008 R2 member server []

    - 1 FIM Synchronization service member server []

    - 1 AD DS

    I'll run a test following your instructions. Once finished, I'll post the result.

    Thanks again!


    Wilsterman Fernandes

    Tuesday, September 16, 2014 4:36 AM
  • Hi Cameron Zivkovic,

    Here is a screenshot of the configuration of the agent, as you described. Is this way correct?

    Wilsterman Fernandes

    Tuesday, September 16, 2014 1:16 PM
  • That looks good, now when you execute the Full Import and Synchronization all users from that OU should be projected into the Metaverse. You will still need to create the connector for your second domain to do the export and ensure the correct firewalls are opened between the domains. Lastly, you will need to create provisioning code to provision the metaverse objects into the management agents connector space. (resources linked in a previous post). 

    If you aren't familiar with data synchronization it probably wouldn't hurt to run through a lab guide end to end to make sure you have the concepts down. 

    Wednesday, September 17, 2014 12:25 AM
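    The "provisioning code (MvExtension)" step from Cameron's two replies above, written out as an added example (it is not code from this thread or from Microsoft): a metaverse extension that creates a domain B connector for every person projected from domain A, and leaves existing domain B accounts alone so that the join rule, not provisioning, owns them. The management agent name and target OU are placeholders, and the example assumes the domain A import flow already populates accountName.

```csharp
// Added example, not from the thread. One-way provisioning: metaverse person -> domain B user.
// Placeholders (assumptions): the domain B MA name and the target container below.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Replace with the real MA name shown in Synchronization Service Manager and the managed OU in domain B.
    private const string DomainBMaName = "AD MA Domain B";
    private const string DomainBTargetOu = "OU=FIMusers,DC=domainb,DC=example";

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Only person objects with an accountName (flowed from domain A's sAMAccountName) are provisioned.
        if (mventry.ObjectType != "person" || !mventry["accountName"].IsPresent)
            return;

        ConnectedMA domainB = mventry.ConnectedMAs[DomainBMaName];

        // A connector already exists when the join rule matched a pre-existing domain B account:
        // do not create a second one, and do not touch accounts created directly in domain B.
        if (domainB.Connectors.Count > 0)
            return;

        string accountName = mventry["accountName"].Value;

        // Start a pending connector of AD object type "user"; EscapeDNComponent protects
        // against characters in the name that are special in a DN (commas, plus signs, etc.).
        CSEntry csentry = domainB.Connectors.StartNewConnector("user");
        csentry.DN = domainB.EscapeDNComponent("CN=" + accountName).Concat(DomainBTargetOu);
        csentry["sAMAccountName"].Value = accountName;

        // Commit; the remaining attributes (givenName, sn, displayName) come from the export attribute flows.
        csentry.CommitNewConnector();
    }

    // The thread only asks for creation to flow, so a deleted metaverse object disconnects the
    // domain B account rather than deleting it; change to Delete only if that is the intended policy.
    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        return DeprovisionAction.Disconnect;
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

    Note that without an initial password and userAccountControl on export, AD creates the new account disabled; PCNS only carries subsequent password changes, so plan how the first password is set.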
  • Hi Cameron Zivkovic,

    Thank you for your help!

    I'll configure the connector for After post the result.

    Thanks again.

    Take Care.

    Wilsterman Fernandes

    Wednesday, September 17, 2014 3:50 AM