FIM 2010 - Synchronize between SQL and Active Directory

  • Question

  • Hi,

    I have MIIS 2003 running on my production environment.

    Now in my development environment I have FIM 2010 installed with two agents and the same extensions (code) used in the production environment. The two agents are an agent for an RH database and an agent for Active Directory.

    But now in my development environment I have a difference from production: all my AD accounts already exist. I run the first import of the AD agent and it creates all the CSEntries in the connector space of the agent. But when I run the full import and synchronize of the RH database agent (this agent is configured for provisioning), it creates the MV entry but says the object already exists in the connector space (AD agent), with the following error:

    "Microsoft.MetadirectoryServices.ObjectAlreadyExistsException: An object with DN "CN=xxx,OU=yyy..." already exists in the managemet agent "Contoso.PT AD Agent"

    I use the following piece of code for provisioning:

        // Locals are declared here so the fragment is complete; the types come from
        // the Microsoft.MetadirectoryServices namespace.
        ConnectedMA Connected_AD_MA = mventry.ConnectedMAs["Contoso.PT AD Agent"];

        // Build the DN of the AD account from the metaverse attributes
        string ParentContainer = mventry["userOU"].Value;
        string rdn = "CN=" + mventry["login"].Value;
        ReferenceValue DN = Connected_AD_MA.EscapeDNComponent(rdn).Concat(ParentContainer);

        //The first connector to be built
        if (Connected_AD_MA.Connectors.Count == 0)
        {
            //Account provisioning in AD
            CSEntry ConSpaceEntry = Connected_AD_MA.Connectors.StartNewConnector("user");
            ConSpaceEntry.DN = DN;
            SetUserAccountSettings(ConSpaceEntry, mventry, Connected_AD_MA);
            ConSpaceEntry.CommitNewConnector();
        }

    I thought .StartNewConnector just links the MV entry with the CS entry but does not create the CS entry itself.

    Do you have any ideas how I can solve this problem in this first import, where the objects already exist in AD and what comes from the RH database is mandatory, so the provisioning code has to be run?

    TIA.

    Filipe Clemente

    Wednesday, June 12, 2013 2:18 PM

All replies

  • Hello,

    You need to add a join rule to achieve that (you can't do it by provisioning code).

    A basic "How To":

    1. From your AD MA, you have to specify a join rule (based on login, for example)
    2. Disable the provision rules from Option
    3. Run Full import and then Full synchronization from RH
    4. Run Full import and then Full synchronization from AD (depending on your join rule, many csentry from AD will be joined to the corresponding mventry)
    5. Re-enable the provision rules from Option
    6. Full synchronization from RH (to create the account for unjoined users)

    Regards,


    Sylvain

    Wednesday, June 12, 2013 4:11 PM
  • Also it's often common to swallow the ObjectAlreadyExistsException in a try/catch block.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Wednesday, June 12, 2013 5:29 PM
    Moderator
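
The try/catch approach mentioned in the last reply, written out as an added example (not code from any of the posters). It assumes the MA name and the `userOU` and `login` attributes from the question; `AdMaName` and the body of `SetUserAccountSettings` are hypothetical stand-ins. Catching the exception only keeps the synchronization run from failing: it does not join the existing AD account, so each collision is logged for review and the join rule from the first reply is still what links the account.

```csharp
using System.Diagnostics;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // MA name taken from the question; the constant itself is an assumption.
    private const string AdMaName = "Contoso.PT AD Agent";

    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

    public void Provision(MVEntry mventry)
    {
        ConnectedMA adMA = mventry.ConnectedMAs[AdMaName];

        // Already joined or provisioned: nothing to create.
        if (adMA.Connectors.Count != 0) return;

        // The DN cannot be built until the RH import has flowed both attributes.
        if (!mventry["userOU"].IsPresent || !mventry["login"].IsPresent) return;

        string rdn = "CN=" + mventry["login"].Value;
        ReferenceValue dn = adMA.EscapeDNComponent(rdn).Concat(mventry["userOU"].Value);

        try
        {
            CSEntry csentry = adMA.Connectors.StartNewConnector("user");
            csentry.DN = dn;
            SetUserAccountSettings(csentry, mventry, adMA);
            csentry.CommitNewConnector();
        }
        catch (ObjectAlreadyExistsException)
        {
            // An unjoined object with this DN is already in the AD connector space.
            // Let the sync continue, but record the DN: an account that matches by
            // name and was never joined should be reviewed before it is linked.
            Trace.TraceWarning("Provisioning skipped, DN already exists in '{0}': {1}",
                AdMaName, dn.ToString());
        }
    }

    // Hypothetical stand-in for the poster's helper of the same name.
    private void SetUserAccountSettings(CSEntry csentry, MVEntry mventry, ConnectedMA ma)
    {
        csentry["sAMAccountName"].Value = mventry["login"].Value;
    }
}
```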