Cross domain group membership management

  • Question

  • Hi guys,

    I have an environment with multiple domains in a single forest. Users from all domains are in a single FIM portal. For each domain there is a separate AD management agent. Group membership works great when you manage members from the same management agent. In my scenario, I want to add a member to a group that is from a different domain than the group is. The FIM portal allows me to do that, but when I check the Sync console, there is no pending export (the member attribute modification is not present).

    I have tried to do the same in AD, and the AD Users and Computers console allows me to add members from a different domain.

    Is this scenario even supported by FIM? I can imagine that in order for this to work (the FIM way), the DOMAIN1 Management agent should have some kind of connector space object representing the user from DOMAIN2, but I would really like to avoid that.

    The group type is Universal.


    • Edited by Simon Hocevar, Thursday, May 4, 2017 10:46 AM: Missing data
    Thursday, May 4, 2017 10:41 AM

Answers

  • Hi,

    Basic question, why are you using a separate Management Agent for each Domain?

    A single AD MA can handle the whole forest with multiple Domains.
    With that, you will have all the needed objects present in the MA, and multi-domain (one forest) referencing will be no problem.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, May 4, 2017 11:07 AM
  • Hi Peter,

    The environment changed since the design phase, and I think that was the reason for multiple AD agents.

    I am not sure if transferring four AD-MAs into one is an option at this point.

    Can you think of any other solution for this problem?

    Thanks,
    Simon

    Simon-

    For the references to work, the group and all the members need to be in one connector space (aka one MA). If you can't change the MA design, you could add an additional MA that has all users and groups and is just used for group management.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Thursday, May 4, 2017 2:31 PM
    Moderator
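An added example, not from the thread or from FIM itself, that models Brian's point: a reference attribute can only be exported when the referenced object is in the same connector space as the group. It takes a constructed map of MA names to the domains each one imports (the MA names are assumed) and lists the memberships that a given MA layout cannot export.

```python
"""Find group memberships that a management-agent layout cannot export
because the member object is not in the group's connector space.
Sample DNs and MA names below are constructed for illustration."""


def split_dn(dn: str) -> list:
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            cur += ch
            esc = True
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return rdns


def dn_domain(dn: str) -> str:
    """DNS-style domain name built from the DC= components of a DN."""
    dcs = [r[3:] for r in split_dn(dn) if r.lower().startswith("dc=")]
    return ".".join(dcs).lower()


def ma_for(domain: str, ma_scope: dict):
    """Name of the MA whose partitions cover the domain, or None."""
    for ma, domains in ma_scope.items():
        if domain in domains:
            return ma
    return None


def unexportable_members(groups: dict, ma_scope: dict) -> dict:
    """groups: group DN -> list of member DNs.  ma_scope: MA name -> set of
    domains it imports.  Returns group DN -> members whose domain is not in
    the connector space of the MA that owns the group."""
    bad = {}
    for group_dn, members in groups.items():
        covered = ma_scope.get(ma_for(dn_domain(group_dn), ma_scope), set())
        outside = [m for m in members if dn_domain(m) not in covered]
        if outside:
            bad[group_dn] = outside
    return bad


# Constructed sample: a universal group in DOMAIN1 with a DOMAIN2 member.
GROUPS = {
    "CN=App-Admins,OU=Groups,DC=domain1,DC=example,DC=com": [
        "CN=Alice,OU=Users,DC=domain1,DC=example,DC=com",
        "CN=Smith\\, Bob,OU=Users,DC=domain2,DC=example,DC=com",
    ],
}
PER_DOMAIN_MAS = {"AD-DOMAIN1": {"domain1.example.com"},
                  "AD-DOMAIN2": {"domain2.example.com"}}
FOREST_MA = {"AD-FOREST": {"domain1.example.com", "domain2.example.com"}}

if __name__ == "__main__":
    print(unexportable_members(GROUPS, PER_DOMAIN_MAS))  # Bob is flagged
    print(unexportable_members(GROUPS, FOREST_MA))       # {}
```

With one MA per domain the DOMAIN2 member is reported; with a single forest-wide MA (or an extra MA holding all users and groups, as Brian suggests) nothing is reported.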

All replies

  • Hi Peter,

    The environment changed since the design phase, and I think that was the reason for multiple AD agents.

    I am not sure if transferring four AD-MAs into one is an option at this point.

    Can you think of any other solution for this problem?

    Thanks,
    Simon

    Thursday, May 4, 2017 11:50 AM
  • Hi Brian,

    After thinking it through, I have decided to add another MA, which will have all the users and groups in its connector space and will only manage group membership - Peter's solution with Brian's approach :)

    Thanks to both of you.

    Friday, May 5, 2017 5:50 AM