IntraForest Group Memberships not flowing

  • Question

  • Hi All,

    I have configured my FIM to import groups from a database and to automatically generate criteria-based groups in the Portal (this works perfectly well). I have criteria-based groups in the portal. However, my AD architecture presents some challenges. My groups exist in the parent domain of a forest, and my users exist in a child domain. I can provision the users and the groups into the correct domains. BUT, membership for groups does not flow at all (i.e. I cannot provision membership for a user in the child domain into groups in its parent domain).

    Anybody got any ideas? I was pondering that I may need to follow the cross-forest provisioning scenario, but I'm not convinced.

    Thanks..

    Oh and I have already configured the forest configuration, all the domain configurations and associated the domains with the forest configuration. I also have created a criteria based set for all domains in the forest.

    Friday, November 2, 2012 11:42 AM

Answers

  • i have separate MAs per domain and separate in and outbound sync rules per domain.

    That doesn't work.

    The best practice recommendation is to have one MA per forest.
    Your scenario is one example of where the recommendation comes from.

    To preserve and manage reference attributes (member of a group), the referencing and the referenced objects (group and the members) must be in the same connector space.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Thursday, December 6, 2012 4:04 PM
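    The point about reference attributes, illustrated as an added Python simulation written for this page (it is not FIM's code and not from the thread): a sync engine links a reference value such as `member` only to an object that exists in the same connector space, so with one MA per domain the child-domain user's DN cannot be resolved from the parent-domain group, while with one MA per forest it can. The DNs, domain names and MA names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class CsObject:
    dn: str
    attrs: dict = field(default_factory=dict)


@dataclass
class ConnectorSpace:
    """One MA's connector space: DN -> object staged from that MA's scope."""
    name: str
    objects: dict = field(default_factory=dict)

    def add(self, dn, **attrs):
        self.objects[dn] = CsObject(dn, attrs)


def resolve_member_refs(cs, group_dn):
    """Resolve a group's member DNs the way a sync engine does: a reference
    can only be linked to an object present in the SAME connector space.
    Returns (resolved, unresolved); unresolved members never reach the MV."""
    group = cs.objects[group_dn]
    resolved, unresolved = [], []
    for dn in group.attrs.get("member", []):
        (resolved if dn in cs.objects else unresolved).append(dn)
    return resolved, unresolved


# Constructed sample data: group in the parent domain, one user in each domain.
GROUP = "CN=App-Admins,OU=Groups,DC=corp,DC=example"
PARENT_USER = "CN=pat,OU=Users,DC=corp,DC=example"
CHILD_USER = "CN=chris,OU=Users,DC=child,DC=corp,DC=example"


def one_ma_per_domain():
    """Layout from the question: separate MAs, so separate connector spaces."""
    parent, child = ConnectorSpace("corp-MA"), ConnectorSpace("child-MA")
    parent.add(GROUP, member=[PARENT_USER, CHILD_USER])
    parent.add(PARENT_USER)
    child.add(CHILD_USER)  # lives in another CS: invisible to the group's MA
    return resolve_member_refs(parent, GROUP)


def one_ma_per_forest():
    """Recommended layout: one MA covering both domains, one connector space."""
    forest = ConnectorSpace("forest-MA")
    forest.add(GROUP, member=[PARENT_USER, CHILD_USER])
    forest.add(PARENT_USER)
    forest.add(CHILD_USER)
    return resolve_member_refs(forest, GROUP)
```

Run `one_ma_per_domain()` and `one_ma_per_forest()` side by side: the first reports the child user as unresolved (the "stripped" membership in the thread), the second resolves both members.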

All replies

  • BUT, membership for groups does not flow at all (i.e. I cannot provision membership for a user in the child domain into groups in its parent domain)

    What does "does not flow at all" mean?
    Do you have updates staged in the connector space that don't flow?

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Wednesday, November 7, 2012 7:25 PM
  • I'll second Markus's questions... and also:  Are you using a single MA for all domains in the forest?

    Cross-forest group membership approaches wouldn't apply here, as foreignSecurityPrincipals are an inter-forest thing only.

    Thursday, November 8, 2012 3:40 AM
  • Hi sorry for late response..

    @Steve: no, I have separate MAs per domain and separate inbound and outbound sync rules per domain.

    What I mean to say is that if I have a group in domain x (in forest Z) and users from domain y (in forest Z) are members, and I do a full import and full sync into the MV and portal (equal precedence on the member attribute is set), the users in domain y are not included in the group in the portal. So when I do a delta import from FIM into the MV and an export to domain x, the membership is stripped.


    • Edited by aelric Thursday, December 6, 2012 2:09 PM
    Thursday, December 6, 2012 1:41 PM
  • Hi Markus,

    Could you please point me to the article which states this as best practice?

    The problem with having a single MA for a forest is that it limits functionality in handling internal company politics when separate domains are managed by different outsourcing companies and delegation of rights is an issue. Well, that's just one of the hurdles anyway.

    Thursday, December 20, 2012 10:27 AM