FIM 2010 - the anchor change

  • Question

  • Hi guys,

    I've a FIM 2010 server in place (no portal, using Extension rules = own .dll). FIM is doing sync from AD -> Microsoft SQL database. That means I have Active Directory management agents (AD MA) and I have a SQL database management agent (SQL MA).

    The actual anchor is the user principal name (UPN). I must change the anchor as it's a technical requirement now.

    If I simply change the anchor to another attribute, this will make duplicates for me in the SQL DB, the same as in the Connector space and the Metaverse, right? If I'm right, the new anchor equals a new object for FIM.

    What do I have to do to avoid any issues? Here are details about my AD and SQL MA configuration:

    The AD MA has, in the tab Configure Deprovisioning, MAKE THEM DISCONNECTORS configured, and DO NOT RECALL ATTRIBUTES CONTRIBUTED BY OBJECTS FROM THIS MANAGEMENT AGENT WHEN DISCONNECTED is checked.

    The SQL MA has the following configuration in the tab Configure Deprovisioning: MAKE THEM DISCONNECTORS

    Thank you very much for ideas!

    PW


    Petr Weiner

    Friday, October 3, 2014 1:55 PM

All replies

  • Are you in control of the schema for the SQL tables? If so, you could flow another attribute from AD, i.e. objectGUID, to the SQL tables - and once all records are populated, you could change your join rules on the SQL MA to use objectGUID, clear the SQL MA CS and reimport and join up with the existing MV records. Be sure to check your projection rules though.

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    Saturday, October 4, 2014 4:53 PM
  • Hello,

    I've SQL fully under control. So if I got you right:

    1/ sync new attributes (will be anchor further) to SQL

    2/ change join rules of the SQL MA to use new anchor

    3/ clear SQL MA Connector space

    4/ run AD MA to reimport


    Petr Weiner

    Sunday, October 5, 2014 8:41 AM
  • Almost -

    Step 4 and on should be -

    4) Disable any provisioning rules

    5) Do full import on SQL MA

    6) Do Full Sync on SQL MA

    7) Double check that you get joins for all your records from the MA

    8) Once all records are joined, you can reenable any provisioning rules and run regular schedules 

    That should do the trick. Could take some time depending on the number of records of course.


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt



    Sunday, October 5, 2014 9:33 AM
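
As an added example (not part of any post in this thread): a T-SQL pre-check to run after the new attribute has been flowed to the SQL table and before the anchor and join rules are changed, confirming that every row carries the new value and that no value repeats. The table and column names (`#Users`, `upn`, `objectGUID` as a column) and the sample rows are assumptions constructed for illustration.

```sql
-- Constructed sample standing in for the table behind the SQL MA.
-- Table and column names are assumptions, not taken from the thread.
CREATE TABLE #Users (
    upn        nvarchar(256)    NOT NULL,  -- current anchor
    objectGUID uniqueidentifier NULL       -- candidate new anchor flowed from AD
);

INSERT INTO #Users (upn, objectGUID) VALUES
    (N'alice@example.test', '11111111-1111-1111-1111-111111111111'),
    (N'bob@example.test',   '22222222-2222-2222-2222-222222222222'),
    (N'carol@example.test', NULL),                                    -- not yet populated
    (N'dave@example.test',  '22222222-2222-2222-2222-222222222222');  -- same value as bob

-- 1) Rows that would have no anchor value after the switch.
SELECT upn
FROM #Users
WHERE objectGUID IS NULL;

-- 2) Values shared by more than one row: these cannot act as a unique anchor
--    and would produce ambiguous joins against the metaverse.
SELECT objectGUID, COUNT(*) AS row_count
FROM #Users
WHERE objectGUID IS NOT NULL
GROUP BY objectGUID
HAVING COUNT(*) > 1;

-- 3) Go/no-go summary: both missing_anchor and surplus_duplicates must be 0
--    before the join rules are pointed at the new attribute.
--    COUNT(DISTINCT ...) ignores NULLs, so populated rows minus distinct values
--    gives the number of rows that repeat an already-used value.
SELECT
    COUNT(*)                                              AS total_rows,
    SUM(CASE WHEN objectGUID IS NULL THEN 1 ELSE 0 END)   AS missing_anchor,
    COUNT(*)
      - SUM(CASE WHEN objectGUID IS NULL THEN 1 ELSE 0 END)
      - COUNT(DISTINCT objectGUID)                        AS surplus_duplicates
FROM #Users;

DROP TABLE #Users;
```

Against a real table, replace `#Users` with the table the SQL MA reads and drop the `CREATE`/`INSERT`/`DROP` statements; the three `SELECT`s are read-only.
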
  • Thanks for ideas.

    Yes, I'm the SQL table owner. I'll play in my lab first before I run in production. Thank you.


    Petr Weiner

    Thursday, October 23, 2014 1:52 PM