Groups with multiple domains members

  • Question

  • Hi,

    We have a particular configuration that we want to work.

    Our FIM engine hosts a user population split in two parts; each part is represented by a fixed value in an attribute. There is a sync rule for each population, which makes FIM populate 2 AD domains (in the same forest), one for each population.

    This configuration works fine. The problem is in group management. Groups are managed in FIM and injected into the first domain, with member sync of the first domain. They are defined as universal groups, because we need to have domain 2 users in domain 1 groups. Users from the 2 populations are correctly seen as members in FIM, but during export, membership is only propagated for domain 1 users. It looks like FIM cannot sync groups in an AD domain with members of another AD domain (same forest), whereas the users' membership is correct in FIM.

    Has anyone already configured something like this?

    BR,


    Emmanuel IT

    Sunday, October 9, 2016 4:02 PM

Answers

  • What you're describing is the expected behavior in your case. Since you have a single forest with two domains, you should be using a single AD MA that provisions to both domains. This will solve your issue with the group membership.

    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Proposed as answer by Todd Heron Sunday, October 9, 2016 11:22 PM
    • Marked as answer by Emmanuel BILLOT Monday, October 10, 2016 7:41 PM
    Sunday, October 9, 2016 9:26 PM
    Moderator
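Once a single AD MA with both domain partitions selected has exported the group, a quick way to confirm the result is to read the group's `member` attribute from a domain 1 DC and resolve each member DN through the global catalog. The following PowerShell is an added example, not code from the thread or from FIM; the host name `dc01.domain1.example`, the group DN `CN=App-Users,OU=Groups,DC=domain1,DC=example` and the function name are assumptions to adjust to your forest.

```powershell
# Added example (not from the thread): check that a universal group exported into
# domain 1 really carries members whose DNs live in domain 2 of the same forest.
# Assumed names: dc01.domain1.example (a domain 1 DC that is also a GC) and the group DN below.
Import-Module ActiveDirectory

function Get-CrossDomainMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupDn,
        [Parameter(Mandatory)] [string] $DomainController,   # DC of the group's own domain: holds the full 'member' attribute
        [Parameter(Mandatory)] [string] $GlobalCatalog        # host:3268 so DNs from any domain of the forest resolve
    )

    # Read the group from its own domain and fail loudly if the scope is wrong:
    # only a Universal group can hold user accounts from another domain of the forest.
    $group = Get-ADGroup -Identity $GroupDn -Server $DomainController -Properties member, groupScope
    if ($group.GroupScope -ne 'Universal') {
        throw "$($group.Name) has scope $($group.GroupScope); only a Universal group can hold users from another domain."
    }

    # Domain part of a DN: everything from the first 'DC=' RDN onwards.
    $groupDomain = ($GroupDn -split ',(?=DC=)', 2)[1]

    foreach ($memberDn in $group.member) {
        $memberDomain = ($memberDn -split ',(?=DC=)', 2)[1]
        # Resolve through the GC, so a domain 2 DN is found without binding to a domain 2 DC.
        $obj = Get-ADObject -Identity $memberDn -Server $GlobalCatalog -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Member      = $memberDn
            Domain      = $memberDomain
            CrossDomain = ($memberDomain -ne $groupDomain)
            Resolves    = [bool]$obj
            ObjectClass = $obj.ObjectClass
        }
    }
}

$report = Get-CrossDomainMembers `
    -GroupDn          'CN=App-Users,OU=Groups,DC=domain1,DC=example' `
    -DomainController 'dc01.domain1.example' `
    -GlobalCatalog    'dc01.domain1.example:3268'

$report | Format-Table -AutoSize

# What the export should have produced: at least one member whose DN lives in the other domain.
$fromOtherDomain = @($report | Where-Object CrossDomain)
if ($fromOtherDomain.Count -eq 0) {
    Write-Warning 'No members from another domain: check that the AD MA has both domain partitions selected and exports this group.'
}
$fromOtherDomain | Where-Object { -not $_.Resolves } | ForEach-Object {
    Write-Warning "Member DN does not resolve in the forest (stale or mistyped reference): $($_.Member)"
}
```

The group is read from a DC of its own domain rather than from the GC because the GC only replicates `member` for universal groups, and a scope mistake (a global group, which cannot contain users from another domain) would otherwise show up as an empty list rather than as an error. The check is read-only and works under any account that can read the group, so it needs none of the domain administrator rights used for the MA accounts.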

All replies

  • Can you confirm if you're using one or two AD MAs total to connect to the two domains?

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Sunday, October 9, 2016 4:03 PM
    Moderator
  • Hi,

    I use 2 AD MAs.

    When doing an import from FIM, before sync, I analyzed the data with preview:

    - the group in the MV is updated with both populations

    - the outbound flow of the population 1 group is not updated

    You can see in the attachments 2 screen captures from the same preview wizard:

    - mv.jpg shows the MV changes = the group from domain 1 is updated with users from domain 2

    - ad.jpg shows the population 1 AD outbound = the group from domain 1 which is NOT updated with members from domain 2

    I thought about a permission issue, as the AD MAs were defined with the domain administrator for each domain. However I don't know how to specify a "more powerful" account like an enterprise admin in the MA definition.


    Emmanuel IT

    Sunday, October 9, 2016 6:29 PM
  • Hi,

    Many thanks.

    I followed your advice, using one MA for all of the forest with several partitions. Group memberships are now synced correctly with users from different domains.

    BR,


    Emmanuel IT

    Monday, October 10, 2016 7:43 PM