Synchronization Rule in MIM 2016 Instructions

  • Question

  • I am at the "AD User Inbound Synchronization Rule" section in the setup of MIM 2016.

    I am working on the Inbound Attribute Flow

    The instructions call for you to create 8 rules as follows:

    Rule      Source            Destination
    Rule 1    samAccountName    f
    Rule 2    displayName       displayName
    Rule 3    EmployeeType      EmployeeType
    Rule 4    givenName         givenName
    Rule 5    sn                lastName
    Rule 6    Manager           manager
    Rule 7    objectSID         ObjectSID
    Rule 8    "Contoso"         domain

    My issue is, for rule 1, the f attribute does not exist.  EmployeeType does not show as a source and neither does givenName.

    Has anyone gotten MIM 2016 working?  There are several errors in the TechNet article and I have managed to figure most of them out, but I am stuck at this point.  Looking in AD, the f attribute does not exist.  The other sources do exist, but I cannot get them to show up in the Inbound Attribute flow choices.

    Friday, October 23, 2015 6:18 PM

All replies

  • I am not seeing the issue here. If the value is not present, nothing is imported.

    I am not seeing the issue. Can you elaborate please?  Do you have a filter that EmployeeType has to be present?


    Nosh Mernacaj, Identity Management Specialist

    Friday, October 23, 2015 6:52 PM
  • For employeeType and givenName, ensure that you have checked them in "Select attributes" on the AD Management Agent.


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    Monday, October 26, 2015 7:34 AM
  • I am following the instructions as they are written on TechNet.  I had assumed that if they are in the documentation that they would exist in AD.  It's not that there is no value, it's that as part of the instructions they should show up when you write the rule.  How can I create an Attribute flow with a destination of "f" if "f" does not exist?  How can I create an attribute flow of employeeType when employeeType is not listed as a source?

    All of this is in the TechNet instructions.  I have not tried an import because I cannot get to that point yet.

    Monday, October 26, 2015 12:00 PM
  • That's just it.  They are selected.

    Yet when I go to select this is what I see.

    Also it says to use samaccountname as a source and "f" as the destination.  While I can select samaccountname as a source, "f" does not exist as a destination.

    I cannot find a resource other than the technet article on this which is why I am stuck.

    Thank you in advance for any help you can provide.

    Monday, October 26, 2015 12:13 PM
  • If you made changes to the AD MA, please try to restart the Windows Services, "FIMSynchronizationService" and "FIMService".

    Do an IISReset after that, on FIM Portal Server.

    It is a matter of refreshing the data.


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 1:27 PM
  • That "f" attribute is probably just a mistake in the documentation. Have you tried to do IISRESET? What if you select CustomExpression and type employeeType? 

    Monday, October 26, 2015 1:40 PM
  • I tried that.  It all appears the same as before.
    Monday, October 26, 2015 1:57 PM
  • Will that work?  I am not trying to be dense here, but this is my first foray into Identity Management.  If the Sources are not listed can they be entered as Custom Expressions?

    I will try it and let you know.


    Huh.  Tried it and it says employeeType is not a valid attribute.  Same with givenName, yet both exist in AD.

    • Edited by NPSD Tom Monday, October 26, 2015 2:03 PM
    Monday, October 26, 2015 1:58 PM
  • sAMAccountName attribute should be mapped to accountName in FIM. 


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 2:17 PM
  • Thank you.  I was hoping it was just a misprint.  Now if I can only figure out why it thinks that givenName and employeeType are not valid attributes I'll be in business. 

    I thank you all for your patience and assistance.  I am new to identity management and am hoping it will be a long term asset to us, but getting it up and running is proving to be harder than I thought.

    Monday, October 26, 2015 2:24 PM
  • Are you still not seeing them after Restart I suggested above?


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 2:26 PM
  • No.  I do not see them in the Synchronization rules.  The screen shots I posted above are what I see, even after the restarts.  There was a recommendation to try setting it as a custom expression.  When I did that it said that "givenName" was not a valid attribute (same with employeeType), yet both are valid AD attributes.
    Monday, October 26, 2015 2:50 PM
  • CustomExpression would not make a difference, so forget it.  The issue you have is that the FIM Portal does not see the attributes as being selected.

    Do you have more than one AD MA by any chance, or did you delete and recreate the MA?


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 2:54 PM
  • Just the one ADMA.  The other is the FIMMA.  These are the two covered in the technet article.

    https://technet.microsoft.com/en-us/library/mt219040.aspx

    I did not delete and recreate. 

    Monday, October 26, 2015 2:58 PM
  • I know it is frustrating, but did you select all those attributes when you first created ADMA, or did you modify them later?
    Are you able to reboot the server (or servers if you have more than one)?


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 3:00 PM
  • Do a FI (Full Import) on the ADMA. Also do a "Refresh Schema" on the ADMA agent.

    Then do a FS (Full Sync) on the FIMMA, and then view the Inbound Attributes list again in the Portal.



    Monday, October 26, 2015 3:00 PM
  • I selected them all. 

    I have rebooted the server a few times now since the start of this thread. I can reboot it again at any time.

    Monday, October 26, 2015 3:05 PM
  • When you say Full Import, do you mean Full Import (Stage Only) or Full Import and Synchronization?

    I followed the steps you described using Full Import (Stage Only) and nothing changed.

    Monday, October 26, 2015 3:13 PM
  • I don't think this matters.  Full Import and Sync are concerned with values; you are missing attributes. Can you open the ADMA and see if the attributes in question are visible under the "Attribute Mapping" tab?


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 3:18 PM
  • Forgive me, but I do not see an "Attribute Mapping" Tab when I open the ADMA.

    They are visible and selected in the "Select Attributes" section

    Monday, October 26, 2015 3:22 PM
  • Sorry, I am not in front of MIM, so I did not remember the exact syntax.

    It is called Configure Attribute Flow. See Pic.  When you click on it, you can see on the left bottom, attributes available.   Just make sure that person is selected on the dropdown list.  Please send me a screen shot of it.


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 3:28 PM
  • It would appear that the two in question are not.

    Monday, October 26, 2015 3:33 PM
  • As you can see, your attributes are not there and they are considered as "non-selected" so you need to do something about it. 
    Since I am not on your computer, I would suggest you do the following.

    Create a new AD MA with the same settings, name it ADMA2, and refresh the current ADMA with the ADMA2.

    1. Create a new ADMA2, make sure the picture above has the attributes you need.

    2. Export ADMA2 --> Right Click ADMA2 and Click Export.

    3. Go to ADMA, right click and select update. Point it to the xml from step 2. Click Next - Next to all the steps.


    Nosh Mernacaj, Identity Management Specialist


    Monday, October 26, 2015 3:39 PM
  • I tried this suggestion with no success.

    I looked around a bit at the ADMA and found that the attributes do not exist under person, but they do exist under user.

    Does this make any sense?

    Monday, October 26, 2015 4:59 PM
  • It does make sense, but I don't like it.  What object types are available, on the dropdown?

    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 5:02 PM
  • Too numerous to show here when you pick show all.  However, this is what the basic view looks like.

    If you choose show all, the number of objects is over 100.

    Monday, October 26, 2015 5:24 PM
  • This is fine, but I am not sure user and person should both show. I need to check on my LAB and get back to you. I am not sure if this is an AD issue, or ADMA.


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 5:29 PM
  • Thanks.  If person is not selected there, then you cannot create the scope as in the directions.

    Steps 5 and 6 are as follows:

    1. On the Scope tab, provide the following information, and then click Next:

        • Metaverse Resource Type: person

        • External System: ADMA

        • External System Resource Type: person

    2. On the Relationship tab, provide the following information, and then click Next:

        • To configure the Relationship Criteria, select objectSID from the MetaverseObject:person(Attribute) list and ObjectSID from the ConnectedSystemObject:person(Attribute) list.

        • Select Create Resource In FIM.

    If person is not added as object type, then you cannot select it as an External System Resource Type.  Also you cannot configure the relationship.  The instructions do not call for including person, just users and groups.  This is where I get confused.

    If you swap user for person in the External System resource type then everything looks correct and the instructions work.  Is it a misprint?  Or are the objects not so interchangeable?

    • Edited by NPSD Tom Monday, October 26, 2015 5:56 PM
    Monday, October 26, 2015 5:52 PM
  • I understand that, but I don't think user should be on the list of objects in MA.  person and user are used interchangeably at times, but mean completely different things.  I will look into my MIM environment and make sense of this.

    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 5:59 PM
  • I tried it both ways.

    I removed person in one scenario and group in the second scenario.

    Removing user left me in the same situation as having both did.

    Removing person left me having to choose user as the External System resource type (as opposed to person which was listed in the instructions).  However, in choosing user, the correct attributes show up.

    Monday, October 26, 2015 6:09 PM
  • On my LAB, I have user, not person, for both AD and FIM. See Attached.

    So I would pick user in both source and target.

    Nosh Mernacaj, Identity Management Specialist

    • Proposed as answer by Nosh Mernacaj Tuesday, October 27, 2015 1:17 PM
    Monday, October 26, 2015 10:48 PM