why are 2 AD mgmt agents needed to sync FIM and AD?


  • Hi everyone...

    Following the instructions to provision into AD (http://technet.microsoft.com/en-us/library/ff686263(v=WS.10).aspx)

    It states to create a management agent for AD entering these attributes for provisioned users:

    ADMA (provision to AD from FIM)
    • displayName
    • givenName
    • sn
    • sAMAccountName
    • unicodePwd
    • userAccountControl

    I was able to provision into AD following the guide. Then I'm trying to show that changes can be made to AD, and those users would be reflected in FIM, following (http://technet.microsoft.com/en-us/library/ff686264(v=ws.10).aspx).

    Instructions state to create a new agent with users defined with the following attributes:

    ADMA (sync AD changes to FIM)
    • displayName
    • givenName
    • objectSid
    • sAMAccountName
    • sn

    So, while I have not yet tested this, and suspect the instructions will work, I have a few questions for this kind community:

    1.) Why do I need two different sets of attributes to describe the same user?

    2.) Am I missing something, or does it seem like a tremendous amount of work in terms of creating potentially FOUR management agents just to be able to sync between FIM and AD?

    3.) Is there a way to automate running the rules instead of needing to select each sync rule individually and running it, then waiting for completion to run the next?

    Thanks!

    Tuesday, October 16, 2012 7:02 PM

All replies

  • Just to be clear - my main question here is: shouldn't I be able to keep FIM and AD in sync with just one set of management agents? Perhaps just by creating an outbound and inbound sync rule for them to process? Perhaps the two instruction pages (Provision to AD & Sync AD with FIM) are meant to be read individually, not in supplement to each other as I may be treating them?

    • Edited by Osho27 Tuesday, October 16, 2012 7:31 PM
    Tuesday, October 16, 2012 7:30 PM
  • They are indeed meant to be individual to each other and not read like that.

    They complement each other, but do not supplement each other, if that makes sense.

    You indeed only need one management agent unless you are syncing some other strange object into FIM like Bitlocker keys.

    Tuesday, October 16, 2012 9:57 PM
  • Sorry, not following your point here. If I set up 2 management agents, one for FIM and one for AD, shouldn't I be able to sync both ways: from AD to FIM and FIM to AD? According to the documentation I've highlighted, they are calling for four agents to sync both ways. That seems like overkill.
    Wednesday, October 17, 2012 2:35 AM
  • Management Agents typically operate in 2 different modes. One is Import and the other is Export. When you import data, you're pulling it in from the target (AD in this instance) and then into the Metaverse (depending on your join rules). That data can then be carried over to other management agents, FIM for example, to flow / provision / deprovision based off your logic.

    Think of your Management agents as a data source. You will sometimes want to import data to flow elsewhere (FIM portal for instance) and push data out that may have been brought in from elsewhere. For every user store you want to integrate into FIM, you typically have 1 management agent to pull and push data.

    Wednesday, October 17, 2012 5:06 AM
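The one-MA-per-data-source model described in the last reply, as an added example that is not from the thread: a PowerShell script that drives a single AD MA and the FIM MA through import, synchronization and export run profiles in order, using the Synchronization Service's WMI class MIIS_ManagementAgent. The MA names 'ADMA' and 'FIMMA' and the run profile names are assumptions that must match what you created; the script stops on any non-success result, so a failed import never feeds a later export, and it also covers the automation asked about in question 3.

```powershell
# Added example (not from the thread): run one AD MA and one FIM MA through
# import -> sync -> export in sequence via the FIM Sync Service WMI API.
# Assumptions: run on the sync server by a member of FIMSyncAdmins, and the
# MA names / run profile names below match the ones configured in Sync Manager.

$namespace = 'root\MicrosoftIdentityIntegrationServer'

function Get-MA {
    param([string]$Name)
    $ma = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    return $ma
}

function Invoke-RunProfile {
    param($MA, [string]$Profile)
    Write-Host ("{0}: {1}" -f $MA.Name, $Profile)
    # Execute blocks until the run completes and reports the run status as text.
    $result = $MA.Execute($Profile).ReturnValue
    # Anything other than 'success' (e.g. 'completed-export-errors') aborts the
    # sequence so a bad import cannot be pushed out by the export that follows.
    if ($result -ne 'success') { throw "$($MA.Name) / $Profile returned '$result'" }
}

$adma  = Get-MA -Name 'ADMA'    # assumed name of the single AD management agent
$fimma = Get-MA -Name 'FIMMA'   # assumed name of the FIM Service management agent

# Inbound: pull AD and FIM Service objects into the connector spaces and metaverse.
Invoke-RunProfile $adma  'Full Import'
Invoke-RunProfile $fimma 'Full Import'
Invoke-RunProfile $adma  'Full Synchronization'
Invoke-RunProfile $fimma 'Full Synchronization'

# Outbound: push pending changes from each connector space to its target.
Invoke-RunProfile $adma  'Export'
Invoke-RunProfile $fimma 'Export'

# Confirming import: re-read each target so the connector spaces reflect what
# was actually written (and so export errors surface in the next run).
Invoke-RunProfile $adma  'Delta Import'
Invoke-RunProfile $fimma 'Delta Import'
```

Running this as a scheduled task under a dedicated service account that is only in FIMSyncAdmins keeps the sync cycle automated without giving the account rights it does not need.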