How to Sync AD with CSV and match on Object Sid

  • Question

  • Hi,

    I have a requirement to do the following with domain A and domain B (totally separate forests):

    Export accounts from domain A (CSVDE export). Use FIM 2010 R2 in domain B to sync these accounts in domain B.

    In domain B, I've successfully imported the CSV information into the metaverse, but have not been able to do the AD sync yet (work in progress).

    I'd like to do the following:

    Directly import my CSVDE CSV file from domain A into domain B. I'd then like to be able to get FIM working, so future updates from domain A can be exported to CSV and imported\sync'd with domain B.

    I can export ObjectSid from domain A, then map this onto EmployeeID in FIM, so I have an anchor attribute. My question is, can I do a direct CSV import to begin with and later use FIM 2010 R2 for future sync? As opposed to doing the initial and continued sync via FIM 2010 (which will take me longer).

    Thanks


    IT Support/Everything

    Thursday, March 14, 2013 12:40 PM

Answers

  • You're probably a lot better off doing everything in FIM, with two separate Active Directory MAs (this requires good connectivity to both environments, but not necessarily a trust).

    Importing anything from CSVDE or LDIFDE directly into AD is a very difficult task, due to the amount of system / nonwriteable attributes that must be stripped out, DNs transformed, etc.

    Repeatedly loading the CSVDE output into FIM would be feasible, however.  Personally I'd go with LDIF over CSV every time in this situation as it's a much closer representation of the directory's schema.


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    • Marked as answer by Aetius2012 Thursday, March 14, 2013 8:17 PM
    Thursday, March 14, 2013 3:43 PM
  • Yes - there shouldn't be any reason you couldn't add FIM in to the mix later. You might actually want to use objectGUID rather than objectSID. It's easier to work with and guaranteed not to change.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by Aetius2012 Thursday, March 14, 2013 8:17 PM
    Thursday, March 14, 2013 3:58 PM
    Moderator
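
Both anchors discussed in this thread, objectSid and objectGUID, come out of a CSVDE export as `X'<hex>'` binary literals. The following is an added example, not code from the thread's participants: it decodes both attributes to their string forms and indexes rows by objectGUID. The sample export, its DN and account name, and the function names are constructed for illustration.

```python
import csv, io, struct, uuid

# Constructed sample in the layout CSVDE writes: a header row of attribute
# names, binary values as X'<hex>'. All names and values are made up.
SAMPLE_EXPORT = '''DN,sAMAccountName,objectGUID,objectSid
"CN=Alice Example,OU=Staff,DC=a,DC=example",alice,X'0123456789abcdef0123456789abcdef',X'01050000000000051500000001000000020000000300000051040000'
'''

def unwrap_binary(value):
    """Turn a CSVDE X'<hex>' literal into raw bytes."""
    if not (value.startswith("X'") and value.endswith("'")):
        raise ValueError("not a CSVDE binary literal: %r" % value)
    return bytes.fromhex(value[2:-1])

def decode_guid(raw):
    """objectGUID stores its first three fields little-endian."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def decode_sid(raw):
    """Layout: revision, sub-authority count, 6-byte big-endian authority,
    then <count> little-endian uint32 sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def load_anchors(export_text):
    """Index rows by decoded objectGUID; a repeated anchor is an error,
    never a silent overwrite."""
    anchors = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        guid = decode_guid(unwrap_binary(row["objectGUID"]))
        if guid in anchors:
            raise ValueError("duplicate anchor " + guid)
        anchors[guid] = {"dn": row["DN"], "account": row["sAMAccountName"],
                         "sid": decode_sid(unwrap_binary(row["objectSid"]))}
    return anchors

if __name__ == "__main__":
    for guid, rec in load_anchors(SAMPLE_EXPORT).items():
        print(guid, rec["sid"], rec["account"])
```

Rejecting malformed or duplicate anchor values at load time keeps a bad export row from joining to the wrong account in the target directory.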

All replies

  • Cheers guys,

    Steve, I agree FIM direct would be better, but I don't have direct connectivity between domains and the client does not want any trusts.

    Thanks Brian, at least I can move ahead with an initial sync (will be useful for an Exchange system).


    IT Support/Everything

    Thursday, March 14, 2013 8:17 PM