Import AD LDS Account - Export AD DS Account

  • Question

  • I am just starting to play around with FIM Synchronization Service Manager. I have created an MA to connect to AD LDS and import user account information that I would like to use to populate AD DS. I have created MAs for AD LDS and AD DS, which appear to work for populating the MV. However, the CSs appear to be operating independently - the AD LDS accounts do not get synced to AD DS.

    AD LDS MA

    • Run Profiles - Full Import (Stage Only), Full Sync, Delta Import (Stage Only), Delta Sync
    • Join/Projection Rules - container (No/Yes:person), domainDNS (No/No), organizationalUnit (No/No), user (Yes:person[upn-direct-uid], Yes:person)
    • Attribute Flow - DS-user (gn/mn/sn/upn) import to MV-person (gn/mn/sn/uid)
    • Importing from OU=Users,DC=S2,DC=Mydomain,DC=com

    AD DS MA

    • Run Profiles - Full Import (Stage Only), Export
    • Join/Projection Rules - container (No/Yes:person), domainDNS (No/No), organizationalUnit (No/No), user (No/No)
    • Attribute Flow - MV-person (gn/mn/sn/uid) export to DS-user (gn/mn/sn/upn)
    • Exporting to OU=ADUsers,DC=S2,DC=Mydomain,DC=com

    I tested as follows:

    1. Create new user in AD LDS (FIM Test User)
    2. Ran AD LDS MA Full Import (Stage Only) (Staging shows an account in the Add)
    3. Ran AD LDS MA Full Sync (Inbound Synchronization shows account in both Projections and Connectors with Flow Updates)
    4. Ran AD DS MA Full Import (Stage Only) (Staging shows accounts in Add from existing ADUsers OU, which does not currently contain my FIM Test User)
    5. Ran AD DS MA Export (Step 1 and Step 2 show no changes in counter increments)

    I was following/modifying one of the Sample Recipes from the book "Active Directory Cookbook". Since the two OUs do not match, I am assuming there is a step I am missing where I should be changing the OU on the import from AD LDS. Any help in how to accomplish that step, or correcting missteps made above, would be greatly appreciated.

    Thursday, June 30, 2016 4:47 PM

All replies

  • I am assuming that I will need to do some scripting using MVExtension. However, when I go into Options, Enable metaverse rules extension, and click Create Rules Extension Project, it opens Visual Studio 2010, which lists MVExtension as "(unavailable) The project file was unloaded".
    Thursday, June 30, 2016 5:04 PM
  • MJD, you're missing a provisioning synchronization rule. The objective of this rule is to create objects in the AD DS connector space that are ready to be exported to the AD DS connected directory. It looks like you're unable to create a metaverse extension project in Visual Studio. Do you have Visual Studio installed locally on the Sync Service server?

    Tom Houston, UK Identity Management Practice

    Thursday, June 30, 2016 6:16 PM
  • Tom,

    Yes, Visual Studio 2010 is installed locally on the Sync Server. I am not using the Portal, as I don't envision the user community managing their own accounts (we are merely leveraging the users already loaded in AD LDS to provision other services requiring account provisioning within the local AD DS).

    Thanks,

    Mike

    Thursday, June 30, 2016 6:34 PM
  • Mike, you could set up the metaverse extension project manually in Visual Studio. Instructions here.

    Hope this helps,

    Tom Houston, UK Identity Management Practice

    Thursday, June 30, 2016 6:48 PM
  • Thank you. I will take a look at the referenced link.

    Regards,

    Mike

    Thursday, June 30, 2016 7:03 PM
  • I will take a look at the referenced link.

    Mike, this is a more complete reference.


    Tom Houston, UK Identity Management Practice

    Thursday, June 30, 2016 7:07 PM
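
The provisioning rule described in the replies, sketched as a metaverse rules extension. This is an added example, not code from the thread or from the linked references. The MA name "AD DS MA" and the choice to build the CN from the part of `uid` before the `@` are assumptions; the target OU is the one given in the question.

```csharp
using System;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    public class MVExtensionObject : IMVSynchronization
    {
        // Assumption: the AD DS management agent's name as configured in the Sync Service.
        private const string AdDsMaName = "AD DS MA";
        // Export container taken from the question.
        private const string TargetOu = "OU=ADUsers,DC=S2,DC=Mydomain,DC=com";

        public void Initialize() { }
        public void Terminate() { }

        // Called for every metaverse object touched during a synchronization run.
        public void Provision(MVEntry mventry)
        {
            // Only person objects are provisioned to AD DS.
            if (!mventry.ObjectType.Equals("person", StringComparison.OrdinalIgnoreCase))
                return;

            // No naming value yet: wait for a later sync rather than create a bad DN.
            if (!mventry["uid"].IsPresent)
                return;

            ConnectedMA adds = mventry.ConnectedMAs[AdDsMaName];

            // Already joined or provisioned in the AD DS connector space: nothing to create.
            if (adds.Connectors.Count > 0)
                return;

            // Assumption: uid holds the UPN imported from AD LDS; use the prefix as the CN.
            string cn = mventry["uid"].Value.Split('@')[0];

            // EscapeDNComponent escapes DN metacharacters, so a crafted source value
            // cannot place the new object outside the target OU.
            ReferenceValue dn = adds.EscapeDNComponent("CN=" + cn).Concat(TargetOu);

            // Stage a new user connector; the next Export run writes it to AD DS.
            CSEntry csentry = adds.Connectors.StartNewConnector("user");
            csentry.DN = dn;
            csentry.CommitNewConnector();
        }

        // Keep the metaverse object when a connector is disconnected.
        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            return false;
        }
    }
}
```

With the extension enabled, a Full Sync on the AD LDS MA should show provisioning adds pending export on the AD DS MA. The export attribute flow listed in the question then populates gn/mn/sn/upn on the new connector.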