MIM 2016 - AD MA - Newly created OU not retreived RRS feed

  • Question

  • I've been using MIM 2016 for a year now, to enable password synchronization between two ADs. It was all working fine, but not for users under a new OU that I created recently. I'm suspecting that this is caused by MIM that is not "seeing" the newly created OU.

    When I go to the "Joiner" tab, and show all disconnectors for AD MA, I can see all OUs listed there but not the newly created OU. I have run full import, full sync, delta import, and also delta sync on AD MA, but still the new OU is not retreived.

    I really need advise what should I do, as i'm not really understand what goes behind the scene on MIM so please be slow down a little bit :)

    PS: new OU is created directly under the domain root, and selected container in MIM is the domain root itself. 
    Thursday, November 30, 2017 9:03 AM

All replies

  • Hi,

    What happens with newly created OU's depends on where it is created.  

    If the new OU is created under a container that is already selected, MIM will automatically include it, and start importing objects in that new OU.

    If the new OU is created under a container that is not selected already, MIM will not detect it, and will not start importing objects.

    To check the current containers selected, open the AD Connector (Management Agent).

    Select the Configure Directory Partitions Tab.

    Select Containers, you will be prompted for the AD Connector Service Account Password now, when you enter it, it will display the currently select containers.  If the new OU is not selected, you should now be able to select it, and during the new full import, it will add the new objects to the Connector Space.

    Hope this helps,


    Thursday, November 30, 2017 10:21 AM
  • hello Ian, thanks for coming here!

    The new OU is created under the domain root and the domain root is already the selected container in AD MA, sorry for not bringing this up before... I believe selecting the domain root will include all its child OUs right? because that's what happen before, until this new OU created.

    please advise

    Friday, December 1, 2017 4:11 AM
  • I would of expected it to have been picked up when the next Full Import was run.

    The only other thing I can think of is that it might be a permission issue, where the account running the AD Connector does not have read permission to this new OU. 

    If that does not resolve it, I am out of things to try, maybe someone else will be able to think of something else to try?


    Friday, December 1, 2017 9:22 AM
  • Can you take a screen shot of the OU selected? There are 2 ways to select them.

    Permission is not in question, because the AD MA Account needs those rights for the Password Set, so I rule that out

    Nosh Mernacaj, Identity Management Specialist

    Friday, December 1, 2017 4:16 PM
  • dear all, thankyou for the insight.

    i dont know what's wrong but maybe i missed something previously, but i'm pretty sure had selected the domain root on the container option

    however due to pressing timeline, i ended up re-creating the MA and re-run full import and sync. this time all the OUs are fetched completely. 

    Tuesday, December 5, 2017 3:18 PM
  • That's fine, but it does not guarantee the newly created OUs (the ones that will be created after Today) will make it, unless the root cause was the miss-selection of OUs and you fixed that here.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, December 5, 2017 3:33 PM