Declarative approach - changing a sync target Transition Set in existing MPR's?

  • Question

  • MIM novice: I have a single sync target - Transition Set that I use for 50+ identical outbound only ADMAs, workflows and Management Policy Rules. My sync target Transition Set is dynamic and uses a value stored in MSexchangeExtensionAttribute15 as the trigger. This lets me mark all users to be synced to ALL the remote forests easily.

    Recently the requirements have changed and a few customer forests are requiring some different accounts to be synchronized.

    I would like to create some new Transition Sets, about 3 that use the same dynamic queries - but also allow me to use the manually controlled memberships for those specific forests.  Can I go modify the Management Policy Rules \ Transition in, Transition Out MPRs and change the Transition Set they use for the 3 specific forests and replace the Transition Set without any major issues?

    Thanks, Stu

    Monday, July 25, 2016 4:06 PM

All replies

  • Hi Stu,

    You can certainly do that.   All you have to do is update the SET. No changes needed elsewhere.

    Thanks,

    Nosh


    Nosh Mernacaj, Identity Management Specialist


    Thursday, July 28, 2016 7:50 PM
  • After changing out Transition Sets for two forests, I see lots of errors on "Provisioning" the MIMMA with existing accounts. The sets were equivalent with the dynamic rules. New users were created with the manual settings.

    But, I see hundreds of provisioning errors on the MIMMA for the existing accounts.

    Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: An object with DN "CN=ang-ETG,OU=Edge Users,DC=Darsana,DC=com" already exists in management agent "DARSANA-ADMA".

    What should I do to fix this?

    Monday, August 1, 2016 12:41 PM
  • 1- What did you mean by "Worked as a champ"?

    2- If you simply changed the Set criteria without touching anything else, this would not have happened. I am sure there was something else that caused it. 

    Transition-in happens only once, but if you changed something in the SET that would have caused current users to be temporarily removed, then you get this.

    So, now you have duplicate connectors and you need to rebuild the connector space.


    Nosh Mernacaj, Identity Management Specialist

    Monday, August 1, 2016 2:36 PM
  • How do I rebuild the connector space?

    Do I just delete all synced accounts from the target AD and let them get recreated?

    Thanks, Stu

    Monday, August 1, 2016 3:12 PM
  • If that is possible you sure can. But you also need to delete the AD MA and FIM MA connector spaces and rerun the jobs as you did when you first loaded the users. Now if this is PROD, you have to be careful. This is not something you would do in PROD. If you need further assistance, send me an email saying where to contact you offline and I can help you out.

    Nosh Mernacaj, Identity Management Specialist

    Monday, August 1, 2016 3:35 PM
  • This is PROD.   In my scenario our source forest engineers under one OU are synced to 50+ target forests to allow for SSO with their source password.

    Do I really have to delete the ADMA itself or the connector space within?

    I have in the LAB, deleted the synchronized accounts from targets and they just get recreated.  Then I would just reset the password in the source forest.

    -Stu

     
    Monday, August 1, 2016 3:47 PM
  • If you do the same thing as in your lab it will work. I am just cautioning you on deleting actual objects in a prod env. If you are allowed to do that, then it would work. Just follow the same steps as in the lab.

    Nosh Mernacaj, Identity Management Specialist

    Monday, August 1, 2016 3:53 PM
  • Thanks.  Will schedule this.
    Monday, August 1, 2016 3:57 PM