MIM 2016 SP1 - Importing UAC from AD to MV needs full sync

  • Question

  • I have asked this earlier too, but now I ask again. It seems that if you want to flow UAC from AD to MV, it needs a full sync? Why? With Delta Sync the value just doesn't flow.

    This is a little bit frustrating and the same happened with FIM 2010 R2.

    Am I again the only one who is facing this issue?

    Monday, July 24, 2017 11:35 AM

All replies

  • How are you flowing it, as a direct or advanced?

    Nosh Mernacaj, Identity Management Specialist

    Monday, July 24, 2017 12:52 PM
  • Yep, I am using direct flow.
    Tuesday, July 25, 2017 6:22 AM
  • Hi 2xTsei,

    I know that FS is needed when you have a flow to connected system and back from (to another attribute). Is that the case in your environment that you are flowing UAC from Metaverse (doesn't matter if it is direct or advanced export flow) and have another flow configured as import direct flow?


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Tuesday, July 25, 2017 6:41 AM
  • Actually yes. We are importing it directly to the MV and then exporting it back to the AD using sync rule. But I just tried to test this in my own test environment using this kind of scenario:

    AD -> MV -> AD

    direct flow on every step

    The result was that Delta Sync was enough. I think I need to do some more tests!

    Tuesday, July 25, 2017 7:26 AM
  • Hi Tsei,

    I asked another way, for example:

    MV (person: DisplayName) -(any flow)-> AD (DisplayName) -(direct flow to another attribute)-> MV (person: DisplayNameFromAD)

    In such a case I remember I faced the problem that delta sync was not enough to take this second flow, so in that case DisplayNameFromAD was not updated doing only delta. Whereas FS was ok and DisplayNameFromAD was updated properly.


    Tuesday, July 25, 2017 9:27 AM
  • So, you have UserAccountControl --> UserAccountControl (No other calculations here)

    We need to know what is changing UAC from your MIM perspective, but I suspect that the reason for this is because what is changing UAC is an export to AD, which is being calculated at almost the same time.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, July 25, 2017 1:28 PM
  • Importing and exporting to the same attribute can cause some issues with a delta sync.

    If you export a value to an attribute, then as long as that value is returned on the import, it will not trigger any inbound flow rules associated with that attribute.

    For example:

    You export 512 (normal enabled user) to UAC, changing the previous value of 514 (normal disabled user). When you import the change (514->512), no sync rules will be triggered on a delta, because the imported value matches the exported value.

    This mostly comes up when you have multiple inbound flow rules e.g.

    AD.useraccountcontrol <-> MV.foo

    AD.useraccountcontrol  -> MV.bar

    When you export a change out the top flow rule, the bottom flow rule will not trigger on a delta sync.

    This is all related to the change detection algorithm that the sync engine uses to optimize which rules are triggered in a delta. If an import comes in that matches what was exported then the attribute is considered to have not changed.


    Tuesday, July 25, 2017 7:46 PM
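
The behaviour described in the last reply, as an added example that is not part of the original thread and not MIM code: a simplified Python model of "an import that matches the export counts as unchanged", using the thread's 514 -> 512 case and its two inbound rules. The class and function names are hypothetical, and the model only assumes what the reply states. It also shows the check an operator would care about: MV.bar still reports the account as disabled after the delta sync.

```python
# Added illustration: a simplified model of the behaviour described in this
# thread, NOT the MIM sync engine's actual algorithm. All names are hypothetical.
ACCOUNTDISABLE = 0x2  # userAccountControl bit: 514 == 512 | 0x2
INBOUND_TARGETS = ("foo", "bar")  # AD.useraccountcontrol -> MV.foo, MV.bar


class SyncedUser:
    def __init__(self, uac):
        self.ad_uac = uac                      # value held in AD
        self.pending_export = None             # export awaiting confirmation
        self.mv = {"foo": uac, "bar": uac}     # metaverse attributes

    def export_uac(self, value):
        """Outbound half of AD.useraccountcontrol <-> MV.foo."""
        self.mv["foo"] = value
        self.ad_uac = value
        self.pending_export = value

    def delta_sync(self):
        """Import from AD; an import equal to the export counts as unchanged."""
        if self.ad_uac == self.pending_export:
            self.pending_export = None
            return []                          # no inbound rule is triggered
        return self._apply_inbound()

    def full_sync(self):
        """Re-evaluate every inbound rule regardless of change detection."""
        return self._apply_inbound()

    def _apply_inbound(self):
        self.pending_export = None
        for attr in INBOUND_TARGETS:
            self.mv[attr] = self.ad_uac
        return list(INBOUND_TARGETS)

    def stale_attributes(self):
        """MV attributes that disagree with AD: candidates for a full sync."""
        return [a for a in INBOUND_TARGETS if self.mv[a] != self.ad_uac]


def is_disabled(uac):
    return bool(uac & ACCOUNTDISABLE)


if __name__ == "__main__":
    user = SyncedUser(514)        # constructed sample: disabled account
    user.export_uac(512)          # enabled through the top (export) rule
    print("delta fired:", user.delta_sync(), "stale:", user.stale_attributes())
    print("full fired:", user.full_sync(), "stale:", user.stale_attributes())
```
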