FIM 2010 R2 SSPR QuickStart

  • Question

  • Hi

    I have used the quickstart commandlet to populate FIM with users from AD targeting a particular OU. This has worked fine - quickstart created ADMA and FIMMAs and then ran MA operations in the following order which has populated the FIM console with users:

    1. FIMMA - Full Import
    2. FIMMA - Full Sync
    3. ADMA - Full Import
    4. ADMA - Full Sync
    5. ADMA - Delta Import
    6. ADMA - Delta Sync
    7. FIMMA - Export
    8. FIMMA - Delta Import

    Making an assumption that this is the order in which the run profiles should be run to keep FIM in sync with AD, I have exported the vb scripts and scheduled them to run in this order daily.

    So far so good, and FIM SSPR working fine with client gina mods on Windows 7 and via SSPR web consoles.

    Before moving this configuration into production I need to be sure that FIM is staying in sync with AD. I have found through testing that if I add a new user to AD, or change a user in AD, the user appears / changes in FIM after next scheduled run. However, if I delete a user in AD this change is not reflected in FIM, and the user remains.

    Please could someone explain what needs to be changed with the configuration to replicate the delete into FIM as well. Also if someone could explain in a bit more detail exactly what the run profiles created by quickstart are doing, and why they are run in the order shown it would be very much appreciated.

    Thank you


    Douks

    Monday, October 7, 2013 9:13 AM

All replies

  • Hello,

    Just a reminder first: as you use the OOB Quickstart cmdlet, I assume you are not very familiar with FIM. Are you sure you want to bring an automation system into production whose main concepts you don't completely understand?

    But anyway, it's your responsibility.

    So, I never used this OOB cmdlet, but deleting in FIM is a 2-step operation.

    1. You have to configure the object delete for a specific disconnector, then the object will be deleted from MV.

    2. After that you have to configure what MAs should do with this information, so either disconnect or delete the object from the data source, or do something special with code maybe.

    So for example:

    If you want to delete the object in MV only when the object is deleted in AD, go to MV Designer (Schema) and set the object deletion rule when the object is disconnected from AD.

    Then go to FIMMA and under deprovisioning activate "Stage a delete on the next Export run".

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Monday, October 7, 2013 10:12 AM
  • Thanks Peter - I'll try this in the lab.

    The Technet resources for SSPR don't go into much detail about FIM, but do suggest that QuickStart is suitable for deploying it.

    http://technet.microsoft.com/en-us/library/jj134297(v=ws.10).aspx

    It would be useful if this documentation explained what is necessary to keep FIM in sync with AD following the initial execution of QuickStart (for those that just want SSPR, and not full blown IDM which can come later if required).

    Thanks again


    Douks

    Monday, October 7, 2013 1:32 PM
  • Hello Douks,

    I think that is because there are some documents which easily explain how to sync or provision users from AD to FIM and vv.

    So to get an overview, I recommend reading, and maybe trying in your test environment, the scenarios from the following two articles:

    http://technet.microsoft.com/en-us/library/ff686263(v=ws.10).aspx

    http://technet.microsoft.com/en-us/library/ff686264(v=ws.10).aspx

    and in addition the references in these documents. It's not that much, but you get a good overview.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Monday, October 7, 2013 2:19 PM