Can FIM provision accounts in domains or forests of which it is not a member?

  • Consider a case where Forest A and Forest B maintain separate environments. The FIM server is a member of Forest A and I set up FIM to provision accounts in Forest A. That being said, am I also able to use FIM to provision accounts into Forest B even if it is a member of A? If not, how should the FIM server be configured to ensure that it could?

    Thanks!

    Monday, October 15, 2012 12:59 PM

All replies

  • Yes, this is very easy to do. When you configure the Active Directory MA for Forest B, you'll need to provide a service account in Forest B which has access to make the modifications you want to make there.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by Osho27 Tuesday, October 16, 2012 6:48 PM
    Monday, October 15, 2012 4:15 PM
    Moderator
  • We are doing this now but having an issue where the account is created in Forest B but FIM cannot set the password and therefore the account is disabled. Any ideas on this issue?
    Monday, October 15, 2012 7:53 PM
  • > We are doing this now but having an issue where the account is created in Forest B but FIM cannot set the password and therefore the account is disabled. Any ideas on this issue?

    Kirk-

    Sounds like the Forest B service account doesn't have enough permissions.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Monday, October 15, 2012 7:58 PM
    Moderator
  • We resolved our issue yesterday with MS. Turns out it was a DNS issue. We had a static entry for Domain B in Domain A's DNS. We removed that static entry for Domain B and then made it a Conditional Forwarder to point to Domain B's DNS servers. This helped it find all the Kerberos and kpasswd services and worked like a charm.

    Thanks for the suggestions and maybe this will help the OP with his implementation in multiple domains.  We have our FIM managing accounts in 3 different Forest domains now without issue.

    Kirk

    Tuesday, October 16, 2012 5:20 PM
  • To further that point, I've seen the trick of adding the IP of a remote domain's DC in the connection properties, and letting the MA sort it out - works great except for setting passwords.

    The SRV records you need can't even be 'faked' in a hosts file, so you're going to need to get to a DNS server reference for that.


    Frank C. Drewes III - Architect - Oxford Computer Group

    Tuesday, October 16, 2012 9:35 PM
  • Frank, we even tried to add the SRV records in DNS on Domain A for Domain B for Kerberos and kpasswd and that would not. The only thing that worked for us was removing the static DNS entry in Domain A for Domain B, then adding it in Domain A as a Conditional Forwarder. Interestingly, we did have to restart the FIM services to get everything to work after the DNS change. And we did flush DNS.
    And to your point, we had this ADMA working to manage accounts in Domain B the way we had it; it just could not set the password, which had to use Kerberos from Domain B.

    Thanks all.

    Wednesday, October 17, 2012 5:28 PM
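The fix Kirk describes in the two posts above (replace the static DNS entry for the remote forest with a conditional forwarder, then confirm the Kerberos and kpasswd SRV records resolve from the FIM server), as an added PowerShell example that is not from the thread. The forest name forestb.example, the DNS server addresses and the FIM service name are assumptions; the first part runs on the FIM server, the second on a Forest A DNS server with the DnsServer module.

```powershell
# Added example, not from the thread. Placeholder forest name and DNS servers.
$forestB    = 'forestb.example'
$forestBDns = @('192.0.2.10', '192.0.2.11')

# 1. On the FIM server: the SRV records a cross-forest password set depends on.
#    These are what a hosts-file or static A record cannot supply.
$srvNames = @(
    "_kerberos._tcp.$forestB",
    "_kpasswd._tcp.$forestB",
    "_ldap._tcp.dc._msdcs.$forestB"
)
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $records) {
            "{0} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port
        }
    } catch {
        "MISSING: $name ($($_.Exception.Message))"
    }
}

# 2. On a Forest A DNS server: a locally hosted primary zone named after
#    Forest B shadows the real forest and hides its SRV records. Flag it,
#    and create the conditional forwarder only when no zone of that name exists.
$zone = Get-DnsServerZone -Name $forestB -ErrorAction SilentlyContinue
if ($zone -and $zone.ZoneType -eq 'Primary') {
    Write-Warning "Static primary zone '$forestB' exists; remove it with Remove-DnsServerZone first."
} elseif (-not $zone) {
    Add-DnsServerConditionalForwarderZone -Name $forestB `
        -MasterServers $forestBDns -ReplicationScope 'Forest'
}

# 3. As the thread notes, flush the resolver cache and restart the FIM
#    synchronization service (assumed service name) after the DNS change.
Clear-DnsClientCache
Restart-Service -Name 'FIMSynchronizationService'
```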