Export to AD success but no changes in Active Directory

  • Question

  • Hi,

    Weird one...

    I've got attributes coming from 2 MAs (HR and AD), joining and exporting to FIM to get their export sync rule... which they all do fine...

    Doing a delta sync, I have an AD export attribute flow for every account ready to go... When I go to do the final export of accounts to AD, the results show "success" and 3000+ users exported... but when I look at AD, no changes have been made?

    What could be going on? My relationship criteria is: accountName > sAMAccountName... its precedence is currently the HR system... should this be equal precedence??

    Is it a precedence thing?... I need to join AD to the HR system to get a full list of attributes populated, to get the current user account status etc... I wanted to join this data together and export it all back into AD...

    Anyone have any ideas... all CS and MV statuses are either "add" or "update" and I can't see any errors...?

    Is there maybe something wrong with my attribute flow values for the FIM MA?

    Stu


    Cheers Stu
    Thursday, March 31, 2011 6:09 AM

Answers

  • You might be doing a 'test export run', which does show what will be exported but doesn't do any real job: wrong AD MA run profile.


    Wednesday, April 6, 2011 4:42 AM

All replies

  • How are you "looking" at AD?  If the MA is exporting them, they're going somewhere.  If you're using ADUC, make sure you refresh the container (F5 or right-click, Refresh), as it caches results.
    Thursday, March 31, 2011 8:06 AM
  • I refresh constantly but nothing changes...

    I've got the objects going into two different OUs in AD, set properly from the AD Management Agent.

    It doesn't even error out?


    Cheers Stu
    Friday, April 1, 2011 12:52 AM
  • A long shot, but it could be a (pretty severe) replication problem.  You could check that the DC you are exporting to is the same one you're looking at via ADUC.  You can lock this down in the MA configuration.

    Other than that it has to be something pretty simple... is ADUC looking at a different environment entirely? :)


    Bob Bradley, www.unifysolutions.net (FIMBob?)
    Friday, April 1, 2011 2:17 AM
  • Yeah, they're the same, Bob...

    And I looked at my other ADUC environments, but the MA is set to speak to a specific AD and it's not there either...

    If there was a problem with precedence or something else, wouldn't it throw an export error?


    Cheers Stu
    Friday, April 1, 2011 3:55 AM
  • OK.  Precedence is something which applies at the sync stage and not the export stage, so this is not the issue.  This tends to suggest the FIM Sync Server thinks there's some changes to export that are not really there ... which could mean that you have not preceded your export with a full import/full sync of your AD MA, or that perhaps you haven't refreshed your AD MA schema lately.  Try both and then look at any pending exports you've got left still to go out.  Also, what happens with your (confirming) delta import/delta sync after you run the export?
    Bob Bradley, www.unifysolutions.net (FIMBob?)
    Friday, April 1, 2011 3:59 AM
  • The account used for AD MA has enough rights?

    Yannick

    Friday, April 1, 2011 1:13 PM
  • > OK.  Precedence is something which applies at the sync stage and not the export stage, so this is not the issue.  This tends to suggest the FIM Sync Server thinks there's some changes to export that are not really there ... which could mean that you have not preceded your export with a full import/full sync of your AD MA, or that perhaps you haven't refreshed your AD MA schema lately.  Try both and then look at any pending exports you've got left still to go out.  Also, what happens with your (confirming) delta import/delta sync after you run the export?
    > Bob Bradley, www.unifysolutions.net (FIMBob?)

    I've seen some phantom exports before, but I haven't been able to figure out a repro scenario.

    For the OP, what are the changes being exported?


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    Friday, April 1, 2011 8:20 PM
  • The changes that I'm syncing are additional fields being applied to the currently existing AD accounts... the addition of fields such as mobile_nbr, roles, addresses etc...

    I've tried full import + sync on the AD MA before the sync, but still no joy, and I refreshed the schema but there have been no changes...

    The pending exports for an object seem to have the "accountname" attribute applied... it seems like they export fine to FIM but not to AD... even though it says it's successful?

    My confirming delta import + sync brings back only 158 "connectors without flow updates"?

    The run cycle process I'm running is as follows... please correct me if I'm running the sequence wrong...

    * = authoritative system

    *HR MA = full import/delta sync (brings user objects and attributes in from the DB)

    AD MA = delta import/delta sync (joins current AD user to HR user by "accountName")

    FIM MA = export (exports joined user account to FIM portal)

    FIM MA = delta import/delta sync (users get their ERE rule)

    FIM MA = export (sets rule to applied and updates to portal)

    AD MA = full import/full sync (think this gets users ready to export to AD)

    AD MA = export (exports user back into AD with all their details etc.)

    Also, just wondering if the "DOMAIN" attribute is required for the objects to flow correctly to AD?

    Thanks


    Cheers Stu

    Monday, April 4, 2011 2:58 AM
  • Pick an MV object (search MV), click properties, connectors, and choose the HR connector.  Run a preview (full sync).  Look at the flow, specifically the updates to connected systems to ensure precedence, etc. is correct.

    In your above list the full import and sync on the AD MA in the penultimate list item is unnecessary. 

    A couple of things to note: if you change the SYNC RULES in the FIM Service you need to commit those changes with a FULL SYNC (FIM MA).  You need to then run a FULL SYNC on all other MAs *after* ensuring precedence is correct.

    Also to export values to AD you need an OSR with the flows defined and an ERE.

     

    Monday, April 4, 2011 7:11 AM
  • Paul,

    I'm looking at my HR MA user... all the attributes are applied except for a few unimportant ones (mobile, fax nbr etc.) which don't, as there's no value for them in this case...

    The important "accountName > sAMAccountName" flow is applied and listed under the 'Initial value' column.

    All looks like it should? Although I'm not sure if I should be flowing a "domain" attribute? (I'm not at the moment.) The AD MA is connected to the required domain, so I don't think this should matter?

    The outbound sync rule I'm using is called "AD User Inbound & Outbound SR", and it is applied with the FIM export attribute flow and applied on the AD MA object for outbound synchronization.

    I've been looking at ESD and using detected rule entries... will this have any impact?


    Cheers Stu
    Tuesday, April 5, 2011 6:49 AM
  • Hi Stu,

    Domain is required if you want the users to be able to load the portal.  That and objectSid.  It isn't required for AD.  AD just needs a DN and an objectClass.  Most people will want to also set a password (unicodePwd), enable the account (userAccountControl) and set a human-friendly username (sAMAccountName).  displayName is usually helpful if you have a GAL too.

    DRE doesn't affect any of this.  The ERE is, however, very important.  Without the ERE, outbound attribute flow won't happen, i.e. synchronisation won't flow MV attribute values into adjacent CSs.

    > ive been looking at ESD and using detected rule entries...will this have any impact?

    You are creating the EREs, right?  Look at the MV object.  You should be able to click the ERE objects (they're references).  Can you do this?

    Tuesday, April 5, 2011 9:47 AM
  • Ah okay... so it's not domain then...

    I'm getting accounts from AD with passwords applied already, so no need to bring the pw into FIM (no password synchronization)... I am bringing userAccountControl from AD to FIM so the account status is correct at export... sAMAccountName and username are set as well (that precedence is from the HR MA though).

    EREs are all applied successfully for every single account... my sync rule triple works perfectly... I can see the ERE "AD User Inbound & Outbound SR" applied for every user, and I can click the ERE object and look at its properties...

    Really strange... that no changes are applied but FIM says there have been?

     



    Cheers Stu
    Wednesday, April 6, 2011 1:09 AM
  • > ...no changes are applied but FIM says there have been?

    It looks like your last operation was an export to AD.

    The next thing I would do is run a delta import/sync on the AD MA.

    If the users have been exported successfully, you should see the confirming imports coming back from AD.

    Alternatively you may get some "exported-change-not-reimported" warnings during the import and (depending on how your rules are configured), the sync may re-generate the exports.

    Let us know how that goes for you.

    Wednesday, April 6, 2011 1:16 AM
  • Okay, I've done the full run cycle and done a confirming delta import/delta sync...

    Once it runs I have "0" for everything, so users aren't getting exported to AD. No "exported-change-not-reimported" warnings either...

    So even though the export says 'successful'... upon confirming... nothing has exported? Any idea where to from here?


    Cheers Stu
    Wednesday, April 6, 2011 4:17 AM
  • Eugene, well done...! You're spot on... I completely forgot, but in the run profile I set the log file option to "Create a log file and stop the run. Do not export to data source", which is absolutely why it's not working...

    I did this so long ago I forgot I'd done it... I've changed the option to "Create a log file" and now it's all good...

    Thanks to everyone for the assistance!

    Stu


    Cheers Stu
    Wednesday, April 6, 2011 4:57 AM
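The root cause above is instructive: an export step configured as "create a log file and stop the run" reports "success" and non-zero export counts while writing nothing to the directory, and the thread only caught it by running the confirming import and then re-checking the run profile. The script below is an added example, not code from the thread or from FIM itself. It runs the cycle Stu listed through the sync engine's WMI interface (root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent), then reads the exported attributes back from the DC the AD MA is bound to instead of trusting the counters. The MA names, run profile names, DC name and sample users/attributes are all placeholders you would replace with your own; it assumes the ActiveDirectory module is installed and the caller is in FIMSyncAdmins or FIMSyncOperators.

```powershell
# Added example (not from the thread). All names below are placeholders: MA names
# ("HR MA", "AD MA", "FIM MA"), run profile names, the DC, and the sample users.
# Run on the FIM Synchronization Service host as a FIMSyncAdmins/FIMSyncOperators
# member; the AD read-back needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ns = 'root\MicrosoftIdentityIntegrationServer'   # sync engine WMI namespace

function Invoke-MARun {
    # Run one profile on one MA; return the outcome and the export counters the
    # engine reports for that run. Note the counters say what the engine *thinks*
    # it exported, which is exactly what a log-file-only export step inflates.
    param([string]$MaName, [string]$Profile)
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "MA '$MaName' not found" }
    $result = $ma.Execute($Profile).ReturnValue
    if ($result -ne 'success') { throw "$MaName / $Profile returned '$result'" }
    [pscustomobject]@{
        MA           = $MaName
        Profile      = $Profile
        Result       = $result
        ExportAdd    = [int]$ma.NumExportAdd().ReturnValue
        ExportUpdate = [int]$ma.NumExportUpdate().ReturnValue
    }
}

# The run cycle in the order Stu listed it (minus the redundant AD full import/
# full sync Paul pointed out), ending with the confirming delta import/delta sync.
$cycle = @(
    @{ MaName = 'HR MA';  Profile = 'Full Import Delta Sync'  },
    @{ MaName = 'AD MA';  Profile = 'Delta Import Delta Sync' },
    @{ MaName = 'FIM MA'; Profile = 'Export'                  },
    @{ MaName = 'FIM MA'; Profile = 'Delta Import Delta Sync' },
    @{ MaName = 'FIM MA'; Profile = 'Export'                  },
    @{ MaName = 'AD MA';  Profile = 'Export'                  },
    @{ MaName = 'AD MA';  Profile = 'Delta Import Delta Sync' }   # confirming import
)
$cycleStart = Get-Date
$runs = foreach ($step in $cycle) { Invoke-MARun @step }
$runs | Format-Table -AutoSize

# Read the result back from the directory itself, against the DC pinned in the AD
# MA. whenChanged is not replicated, so querying the same DC the MA wrote to is
# what makes the timestamp comparison meaningful (this also rules out Bob's
# replication-lag scenario when you compare against a second DC).
$dc       = 'dc01.corp.example'    # placeholder: the DC configured on the AD MA
$expected = @{                     # placeholder sample: what the flow should have written
    'jsmith' = @{ mobile = '+61 400 000 000'; title = 'Analyst'  }
    'akhan'  = @{ mobile = '+61 400 000 001'; title = 'Engineer' }
}
$adExport = $runs | Where-Object { $_.MA -eq 'AD MA' -and $_.Profile -eq 'Export' }
Write-Host ("AD MA export reported {0} adds / {1} updates" -f $adExport.ExportAdd, $adExport.ExportUpdate)

$mismatches = 0
foreach ($sam in $expected.Keys) {
    $attrs = @($expected[$sam].Keys) + 'whenChanged'
    $u = Get-ADUser -Identity $sam -Server $dc -Properties $attrs
    $untouched = $u.whenChanged -lt $cycleStart     # object not modified since the cycle began
    foreach ($attr in $expected[$sam].Keys) {
        $want = $expected[$sam][$attr]
        $have = $u.$attr
        if ($have -ne $want) { $mismatches++ }
        '{0,-10} {1,-8} want=[{2}] have=[{3}] untouchedSinceRun={4}' -f $sam, $attr, $want, $have, $untouched
    }
}
if ($mismatches -gt 0 -and ($adExport.ExportAdd + $adExport.ExportUpdate) -gt 0) {
    $msg = ('{0} attribute(s) differ from what the engine reports it exported. Check the AD MA ' +
            'export run profile step (log file only?), which DC the MA is bound to, and the MA ' +
            'account''s write rights on the target OUs.') -f $mismatches
    Write-Warning $msg
}
```

The useful signal is the combination: export counters above zero, a clean confirming import with nothing coming back, and read-back values that still do not match. Any one of those alone is ambiguous; together they point at the export step not reaching the data source (the log-file-only option), the MA talking to a different DC or forest than the one you are inspecting, or the MA account lacking write permission on the target OUs, in roughly that order of likelihood.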
  • Hah... beat me to it... that was my next suggestion.
    Wednesday, April 6, 2011 5:04 AM
  • For anyone looking at this post because they've got a similar problem they can't make sense of, maybe you are having the same experience I had today?  Check out today's blog post.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Tuesday, July 10, 2012 2:30 PM