Synchronizing groups between AD forests

  • Question

  • We have a need to synch groups between two AD forests, using only the Synchronization Service.

    I can import the groups in one forest into the MV, with the members, and I can provision a group with the same name in the second forest, but I need to look up the equivalent user ID in the second forest and add them as members to the provisioned group. But since the member attribute is a ReferenceValue, nothing I try works.

    I know that Group Management in the Synch Service has never been a robust feature, but is there any way to make this work?

    Ed Bell - Specialist, Network Services, Convergys

    Saturday, December 22, 2018 2:30 AM

All replies

  • Dear Ed,

    First, there is an unanswered question: are you dealing with two forests with a trust between them, or do you have a second forest with a copy of the user accounts (shadow accounts) from the first one?

    Generally, group management is as robust as any other identity object management.

    The thing you should understand is that the Sync engine, the same as AD or any other system, must know about the user to be able to keep its reference in the member attribute. In your case, the members of the group you synchronize exist only in the source forest and the MIM MV has no knowledge of them, so it cannot accept any reference to them. The placeholder objects you mentioned exist only in the source forest's CS (to be able to populate the CS with data).

    To synchronize groups with their membership from the other forest, you need to include the affected users in the import from the source and join them with the appropriate users from the destination forest (in case you deal with shadow accounts). That way the member attribute will be preserved.

    Have a nice day


    Tuesday, December 25, 2018 2:20 PM
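The procedure the reply describes, written out as a MIM Synchronization Service rules extension. This is an added example, not code from either poster: it assumes two management agents named "Source AD MA" (the forest that holds the group and its members and projects users and groups into the MV) and "Target AD MA" (the forest where the group is provisioned), a target OU DN, an MV user object type of "person", and a hypothetical join rule named "JoinOnMail" that is configured in Sync Service Manager to use the rules extension. The direct export flow of MV `member` to the target CS `member` is set up in the MA's export attribute flow, not in code; once both forests' user objects are connectors on the same MV person, the engine resolves each reference to the Target AD MA connector. Members with no connector in the target forest are dropped from the exported group, which is exactly the failure the original question ran into.

```csharp
// Added example (not from the forum post). Assumed names: "Source AD MA",
// "Target AD MA", the target OU DN, and the join rule "JoinOnMail".
using System;
using Microsoft.MetadirectoryServices;

// MA extension attached to "Target AD MA": joins that forest's users onto
// the MV persons projected from the source forest, so both connectors
// hang off one MV object and the group's member references can resolve.
public class TargetForestMAExtension : IMASynchronization
{
    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }

    // Users are never projected from the target forest; they must join.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        MVObjectType = null;
        return false;
    }

    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
    {
        return DeprovisionAction.Disconnect;
    }

    bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
    {
        return false;
    }

    // Runs for the join rule "JoinOnMail" (assumed name). Normalises the
    // join key so case or stray whitespace in one forest does not break it.
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        if (FlowRuleName != "JoinOnMail")
            throw new EntryPointNotImplementedException();

        if (csentry["mail"].IsPresent)
            values.Add(csentry["mail"].Value.Trim().ToLowerInvariant());
    }

    // Accept the join only when exactly one MV person matches; an ambiguous
    // match must not silently attach the wrong identity to a group.
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    {
        imventry = -1;
        if (rgmventry.Length == 1 && rgmventry[0].ObjectType == "person")
        {
            imventry = 0;
            return true;
        }
        return false;
    }

    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }

    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }
}

// MV extension: provisions a same-named group into the target forest when
// the MV group has no connector there yet. Membership is not set here; the
// configured direct flow of MV member -> CS member fills it on export.
public class MVExtension : IMVSynchronization
{
    private const string TargetMAName = "Target AD MA";                    // assumed
    private const string TargetGroupOU = "OU=Groups,DC=target,DC=example"; // assumed
    private const int GlobalSecurityGroup = unchecked((int)0x80000002);    // AD groupType flags

    void IMVSynchronization.Initialize() { }
    void IMVSynchronization.Terminate() { }

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "group" || !mventry["cn"].IsPresent)
            return;

        ConnectedMA target = mventry.ConnectedMAs[TargetMAName];
        if (target.Connectors.Count > 0)
            return; // already joined or provisioned in the target forest

        CSEntry csentry = target.Connectors.StartNewConnector("group");
        csentry.DN = target.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(TargetGroupOU);
        csentry["sAMAccountName"].Value = mventry["cn"].Value;
        csentry["groupType"].IntegerValue = GlobalSecurityGroup;
        csentry.CommitNewConnector();
    }

    bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

Two design choices worth noting. `ResolveJoinSearch` refuses ambiguous matches rather than picking the first candidate, because a wrong join here silently grants the wrong target-forest account every membership the source group carries. And the join key in this example is `mail`, which is often writable by helpdesk staff or by users themselves; if that is the case in your environment, join on an attribute that only the provisioning process can set (for instance an employee ID or a dedicated correlation attribute) so that nobody can obtain a group's membership in the second forest by changing their own mail address.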