Sync between 2 different forests

  • Question

  • Hey All,

    I have a question regarding FIM. I have 2 disconnected forests with no trust in between. I have set up FIM and was able to sync users from Domain A to FIM and from FIM to Domain A. My question is, how do I go about syncing from Domain A to Domain B?

    I have created a Management Agent for Domain B and scoped the connector (yes, I can reach it and view the containers), but I need more information on how to go about syncing users from Domain A to Domain B. My understanding is that it has to go from Domain A --> FIM --> Domain B. Am I correct?


    Hany George | Consultant | IDC S.p.A | MCITP: Lync Server | MCITP: Exchange 2010 | MCTS: OCS | Blog: http://dusk1911.wordpress.com/ | If this post has been useful please click the green arrow to the left or click Propose as answer

    Monday, November 18, 2013 12:26 PM

Answers

All replies

  • Hello,

    When you speak about FIM, is it only the sync engine, or does it include the FIMService/Portal?

    Basically, you need to use provisioning code to sync your users into your Domain B if you only use the sync engine.

    If you also use the FIMService/Portal, you can use a Synchronization Rule to avoid code.

    Regards,


    Sylvain

    Monday, November 18, 2013 4:09 PM
  • Hi Sylvain,

    I am sorry, I should have been a bit clearer: when I said FIM I meant the FIMService. I know that I need to use declarative provisioning and that I need to bring the attributes from Domain A into the FIMService first, then on to Domain B. What I have done is create an inbound connector from Domain A to FIM, and verified that I can see the users in the FIM portal; all is fine.

    Now my issue is the outbound connector to Domain B: the Sync Rule triple doesn't seem to be applying, and whenever I export to Domain B it just zeros out on export.

    My understanding is that I should have 1 ADMA for Domain A, 1 FIMMA and 1 ADMA for Domain B, and then I need one inbound sync from Domain A and 1 outbound sync to Domain B. Is that understanding correct?


    Hany George


    • Edited by Hany George Monday, November 18, 2013 7:24 PM
    Monday, November 18, 2013 7:22 PM
  • For classical provisioning

    1. Implement the provisioning method on the Metaverse extension

    http://msdn.microsoft.com/en-us/library/ms696059(VS.85).aspx

    2. Configure import, sync, Run profiles for Forest A (after you do the appropriate attribute mappings)

    3. Configure import, sync, export Run profiles for Forest B (after you do the appropriate mappings)

    4. Run Import Forest A -> Sync Forest A -> Export Forest B -> Import Forest B -> Sync Forest B

    There are many threads on this.

    If you want to do codeless provisioning (no need for the metaverse extension code), take a look at

    https://www.winsec.nl/2012/10/15/provisioning-ad-directory-services-forefront-identity-manager-2010/

    ---



    • Edited by UNDPMSDN Monday, November 18, 2013 10:12 PM
    Monday, November 18, 2013 10:11 PM
  • I am trying to do codeless provisioning; the thing I want to understand is as follows. I have imported the users from Domain A AD into the FIM Service, and I can in fact see all the users correctly in the FIM portal.

    What I have done so far is as below:

    1. Created the Domain A ADMA
    2. Created the FIMMA
    3. Configured attribute flow mappings
    4. Configured an inbound synchronization rule from Domain A

    As far as I understand, the next steps are as follows:

    1. Create the Domain B ADMA
    2. Modify the FIMMA attribute flow mapping as below
    3. Create an outbound sync rule using step 6 here: http://technet.microsoft.com/en-us/library/ff686263%28WS.10%29.aspx
    4. Create a workflow
    5. I can use the set All Active Users
    6. Create an MPR
    7. Initialize

    Is my understanding correct?


    Hany George

    Tuesday, November 19, 2013 11:14 AM
  • Yes, that's the right way!

    Depending on whether you are using FIM 2010 R1 or R2:

    With R1: you have to create one WF and one MPR to create the ERE (ExpectedRuleEntry) that applies your sync rule.

    With R2: you can use a declarative outbound filter, or the old way.

    Regards


    Sylvain

    Tuesday, November 19, 2013 12:09 PM
  • Sylvain, thanks for the help so far, but I just did the above and it still doesn't sync to Domain B. If I go to any of the users in the FIM Portal and look at the Provisioning tab, I don't see any rules.

    I see you have mentioned that I need to create the ERE; I have that attribute passed. Is there any other config that I need to do in order to see this on the user? I know this is why it's not syncing: the users are just not falling into the scope of the outbound sync.

    One more thing: in the article I am following, when I create the ADMA I am supposed to "Ensure that you have an import attribute flow rule configured for the ExpectedRulesList attribute."

    http://technet.microsoft.com/en-us/library/ff686263%28WS.10%29.aspx 

    The thing is, I can't find where to handle the ERL in the ADMA.

    Also, the MPR I created is a Transition In; should it be like that, or Request type?


    Hany George



    • Edited by Hany George Tuesday, November 19, 2013 1:58 PM
    Tuesday, November 19, 2013 1:47 PM
  • ExpectedRulesList should flow from the Portal to the MV (just in the FIMMA). After it flows, the user object will be connected to the sync rule.

    Borys Majewski, Identity Management Solutions Architect (http://IDArchitect.NET)

    Tuesday, November 19, 2013 2:18 PM
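    The check that Sylvain's and Borys's replies above imply (every in-scope user should carry an ExpectedRuleEntry for the outbound rule before anything can flow to Domain B), as an added PowerShell example that is not part of the thread and not Microsoft's code. It uses the FIMAutomation snap-in's Export-FIMConfig cmdlet to list users that have no ERE for a given outbound sync rule, or whose ERE carries a StatusError. The service URI, the rule name 'Outbound to Domain B' and the scope filter are assumptions to replace with your own; the ERE attribute names ResourceParent, SynchronizationRuleID, ExpectedRuleEntryAction and StatusError are assumed from the stock FIM 2010 Service schema, so verify them against yours.

```powershell
# Added example, not from the thread. Run on the FIM Service host as a FIM
# administrator. Assumptions (hypothetical): local service on port 5725, an
# outbound sync rule named 'Outbound to Domain B', and a scope filter that
# mirrors the set bound to the MPR ('All Active Users' in the thread).
Add-PSSnapin FIMAutomation -ErrorAction Stop

$Uri         = 'http://localhost:5725/ResourceManagementService'  # assumption
$RuleName    = 'Outbound to Domain B'                             # hypothetical
$ScopeFilter = '/Person'        # replace with the XPath filter of your set

# Read one attribute off an ExportObject returned by Export-FIMConfig.
function Get-FimAttribute {
    param($ExportObject, [string]$Name)
    $a = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $Name }
    if (-not $a) { return $null }
    if ($a.IsMultiValue) { return $a.Values } else { return $a.Value }
}

# 1. Pull every ERE that points at the outbound rule. The nested XPath
#    dereferences SynchronizationRuleID so no GUID formatting is needed.
$ereFilter = "/ExpectedRuleEntry[SynchronizationRuleID=/SynchronizationRule[DisplayName='$RuleName']]"
$eres = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $ereFilter

# 2. Index the EREs by the resource that owns them (ResourceParent).
$byParent = @{}
foreach ($e in @($eres)) {
    if (-not $e) { continue }
    $parent = Get-FimAttribute $e 'ResourceParent'
    if (-not $parent) { continue }
    $byParent[$parent] = @{
        Action = Get-FimAttribute $e 'ExpectedRuleEntryAction'   # Add / Remove
        Error  = Get-FimAttribute $e 'StatusError'
    }
}

# 3. Walk the users that should be in scope and report the ones the outbound
#    rule will never pick up: no ERE at all (the WF/MPR never fired, or the
#    EREs need regenerating) or an ERE whose application failed.
$users = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $ScopeFilter
foreach ($u in @($users)) {
    if (-not $u) { continue }
    $id   = Get-FimAttribute $u 'ObjectID'      # urn:uuid:... matches ResourceParent
    $acct = Get-FimAttribute $u 'AccountName'
    if (-not $byParent.ContainsKey($id)) {
        "$acct : no ERE for '$RuleName'"
    } elseif ($byParent[$id].Error) {
        "$acct : ERE present but StatusError = $($byParent[$id].Error)"
    } else {
        "$acct : ERE Action=$($byParent[$id].Action), OK"
    }
}
```

    Users listed with "no ERE" will show an empty Provisioning tab in the portal, exactly the symptom described in the thread; whether the fix is the missing workflow/MPR or regenerating stale EREs is something the output alone cannot tell you, but it does tell you which users to look at and whether the ERE flow through the FIMMA is the remaining problem.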
  • This is what I have done:



    Hany George

    Tuesday, November 19, 2013 4:31 PM
  • Just fixed it now; the issue turned out to be what seems to be a bug. This article has the solution:

    http://blog.msresource.net/2011/05/03/regenerating-expected-rule-entry-ere-resources/

    I just had to refresh the EREs. Thanks guys for all your help.


    Hany George

    • Marked as answer by Hany George Tuesday, November 19, 2013 5:10 PM
    Tuesday, November 19, 2013 5:10 PM