What is wrong with this design? I get syncrule provision error

  • Question

  • We are trying to get FIM to manage users and groups.

    The AD has 3 containers

    OU=Test Accounts

    Members of groups in ou=Groups can be from either ou=Users or ou=Test Accounts or both.

    I have an INbound sync rule which projects or joins MV user objects from the two AD user containers, so we can get all the users we need into FIM.

    I have a set 'NormalUsers' which contains only those from the ou=Users branch.

    I have an OUTbound sync rule to create and update users in ou=Users... when a FIM account transitions into the NormalUsers set. The sync rule is added by a workflow called by the MPR, and the workflow also runs on Policy Update to update existing accounts.

    However, if for some reason an AD admin creates a user in the ou=Users branch, when I import the ADMA it gets projected into the MV correctly. At this time the MV object also gets a FIMMA object connected somehow.

    When I run the full sync on the ADMA I get a sync rule provision error! This is BEFORE I even export that projected MV object to the FIMMA to trigger the transition into the MPR or any policy!

    The outbound rule is trying to create an account which already exists in AD, and so I get the error. It seems that FIM looks far ahead, and that projection automatically seems to make FIM apply the outbound rule before I export to the FIMMA.

    How do I prevent this kind of thing happening? AD administrators tend to be a law unto themselves so I can only manipulate FIM.

    Thursday, March 7, 2013 11:16 AM

All replies

  • Oops, I forgot to say the error I receive is

    Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: 0x80230405

    Thursday, March 7, 2013 3:25 PM
  • If you disable sync rule provisioning and run a delta sync, you'll get the intended behavior. This is one of the reasons I tend to stick with a traditional metaverse extension.

    My Book - Active Directory, 4th Edition

    Thursday, March 7, 2013 9:07 PM
  • I hoped that we could set up an automated MA operational run script.

    I think my problem is the workflow which adds the outbound sync rule being set to "Run on Policy Update". If I disable my MPR in the Portal and then import/sync the ADMA, I don't get this error. I guess this has the same effect as your disabling sync rule provisioning from the Sync Service console.

    Maybe I'll try two outbound sync rules, OBSync1 and OBSync2. One is added by the workflow, which is ONLY called when a user transitions into the set, with no Run on Policy Update. The relationship is that this rule first joins and, if the account is not there already, creates it in AD (as it currently does). OBSync2 only JOINS, with no "create resource" box ticked, and is scoped to the set criteria. So for new guys created in the Portal I get OBSync1 to do the creation as before. If they edit the Portal data then OBSync2 should get added, if not already added, and flow data. If new accounts get created in AD and imported into the Portal then hopefully OBSync1 will JOIN up and none of the initial-flow-only stuff happens... this is the risk here.

    I guess this means that an MV object gets 2 sync rules attached... is this a problem? I think only one of them should be applied in each synchronization run, but I'm not totally sure.

    Friday, March 8, 2013 7:37 AM