Expected rules list for custom resource being deleted between import and sync

  • Question

  • I'm really hoping someone can point me in the right direction with what's going wrong here, it's driving me up the wall!

    We have computers defined as a custom resource in the FIM portal, and they sync from Active Directory -> Metaverse -> Portal fine. When the computer is provisioned into the portal (via the FIM management agent), there is an MPR that puts it into the scope of a synchronization rule that is designed to create an Active Directory global security group. This all works fine in the portal, and when I view the computer object in the portal the Expected Rules List field shows the name of the sync rule as it should.

    The problem happens during import/sync. When imported into the connector space, the computer object is fully populated, including the expected rules list field (the reference matches the reference of an ExpectedRuleEntry object that is also in the connector space). All looks good, until I run the sync (either full or delta does the same thing). The Expected Rules List field is deleted (status is 'Applied Delete'), and the associated expectedRuleEntry object is not in the metaverse as it should be.

    I am flowing the ExpectedRulesList -> expectedRulesList in the attribute flow exactly the same way as I do for other objects (e.g. groups) and that works fine for those. For some reason, it only seems to be the custom resource Computer object.

    If I do a two-step manual sync by previewing and committing the sync of the ExpectedRuleEntry object, that object appears in the metaverse. Sweet. Unfortunately, if I then do a preview sync on the computer object, committing it makes the ExpectedRuleEntry object disappear from the metaverse, the expectedRulesList field in the computer metaverse object is blank, and I have absolutely no idea why this is happening. The synchronization statistics has a link for the Projections which shows the ExpectedRuleEntry object, but its status is Delete (how can it be a projection, and deleted at the same time?).

    I'm using an almost identical process (MPR, workflow, sync rule) to provision groups into Active Directory when they are created in the portal, and that process works beautifully. It is frustrating me no end that it's just not working when I apply the same theory to computer objects. Being a custom resource, have I missed a critical permission somewhere? Or does FIM just hate me?

    I really hope someone has some suggestions of why this simple thing is going so horribly wrong! 

    Cheers, Nikki

    Thursday, December 8, 2011 6:05 AM

Answers

  • Thanks for the reply Carol, sorry I didn't actually notice it until now!

    I ended up blowing away all the configuration and starting from scratch, and now it's working as expected. I can only assume that some obscure step was missed somewhere in the initial setup.

    Thanks again.

    • Marked as answer by Talicca Wednesday, December 21, 2011 12:34 AM
    Wednesday, December 21, 2011 12:34 AM

All replies

  • Does sound odd. Have you got a particular object deletion rule set for the ERE object type in the metaverse?


    http://www.wapshere.com/missmiis
    Thursday, December 8, 2011 11:14 AM
  • The ERE object in the metaverse has no specific object deletion rule, no. In fact, I haven't configured object deletion rules for anything as yet, which is why I find it really strange that the object itself is being deleted. I did also just notice that when doing the sync, the statistics box shows 'Metaverse Object Deletes' that do not correspond to the ERE objects - instead, they link to the Computer objects.. But, err.. They didn't actually get deleted, or even changed. They still exist in the metaverse, with the same GUID as before the sync. When I look at the properties for the delete, it even says 'Modification type: none', so it makes no sense to report it as an object delete. 

    It's completely nonsensical, and other than blowing the whole environment away and starting again I just don't know what else I can do! If the sync server wasn't virtual I'd be pitching it out a window right about now.

    Thanks for the reply, it's nice to know someone is listening at least.

    Thursday, December 8, 2011 11:38 PM
  • Can we go back to the beginning on this, as I'm not sure I understand what you're trying to do. You sync a computer object from AD --> Portal and then try to provision a security group off it? Does this mean there will be one group per computer object?
    http://www.wapshere.com/missmiis
    Monday, December 12, 2011 11:54 PM