none
Configuring FIM GALSYNC where contacts already exists RRS feed

  • Question

  • I am run in the process of configuring FIM 2010R2 GALSYNC between multiple AD Forests but there are few challenges which I need to understand how FIM will react to it.

    1. The environment I am trying to configure GALSYNC on used to have MIIS AD MA connectors many years back. They decided to migrate from MIIS to FIM2010. After the migration there were some issues so they stopped using FIM2010 (it was still using AD DS management agent inherited from MIIS) for GALSYNC.

    2. We then moved to powershell scripts through which we manually imported and exported contacts in each domain.

    3. Finally it has been decided to deploy a new FIM2010R2 machine dedicated only for the purpose of GALSYNC (which will have AD GAL management agent connector). The server is ready with the management agents ready but here is what I need to understand. If we delete the existing contacts on the target contacts OU from each forest and FIM do a new sync it will create new contacts. I know the emails will be working but there will be NDR issues if users send emails to older mails because the the routing of mail in Exchange recipients is done with the legacyExchangeDN attribute, and the legacyExchangeDN attribute is changed when you recreate the mailbox. And if leave the existing contacts as it is it will try to create duplicate mail enabled contacts or perhaps give existing contact error or something.

    I know about the joiner rule mechanism which I have done manually. Is it possible that within the FIM code we can enter the joiner rule instead of the provisioning rule on the GALSYNC MA? Will FIM detect the contacts created by MIIS couple of years ago and will FIM also detect and join manually created contacts? Please advise.


    Jimmy George

    Saturday, January 25, 2014 6:09 PM

Answers

  • Jimmy,

    If you are using the out of the box version of GALSync (the .dll that comes with FIM and out of box MAs), there's an easy way to handle existing contacts. You will want to turn Provisioning Rules extension OFF then run the following:

    1. Full Import (Stage Only) all MAs
    2. Full Sync all MAs
    3. Delta Sync all MAs

    This should make sure everything has properly joined, and minimize the possibility of getting duplicates when provisioning is turned back on.  There's a section of one of the walk-through documents that goes over this but I can't seem to locate it.

    -Andrew

    • Marked as answer by Jimmy George Monday, January 27, 2014 12:58 PM
    Sunday, January 26, 2014 8:21 PM

All replies

  • Hi

    Yes, you can configure FIM to join existing objects between them - you need to configure join rules on management agents to join existing contact object to metaverse objects using some value - most probably e-mail. THis is not replacing provisioning code but this is management agent configuration. 

    When you will be running this for first time you need to run synchronization first with provisioning rules disabled to allow objects to be created and then joined between MAs and metaverse. 

    So - order of things:

    1. Configure join rules on your MA to join existing contacts to metaverse objects. In MA properties go to join and projection rules and configure join between CS contact object and MV object type which you are using. 

    2. Run full synch of all MAs with provisioning disabled. You should run it twice as each MA can contribute object to MV and each of them can also contain contacts most probably. This should allow your existing contacts to be joined to metaverse objects

    3. Enable provisioning and run full synch on all MAs again. This will correct all missing contacts and will provision them if needed. 

    This is how it should goes in general. If you will have some specific questions or problem - drop question in this thread or a new one :)


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Saturday, January 25, 2014 9:42 PM
  • Jimmy,

    If you are using the out of the box version of GALSync (the .dll that comes with FIM and out of box MAs), there's an easy way to handle existing contacts. You will want to turn Provisioning Rules extension OFF then run the following:

    1. Full Import (Stage Only) all MAs
    2. Full Sync all MAs
    3. Delta Sync all MAs

    This should make sure everything has properly joined, and minimize the possibility of getting duplicates when provisioning is turned back on.  There's a section of one of the walk-through documents that goes over this but I can't seem to locate it.

    -Andrew

    • Marked as answer by Jimmy George Monday, January 27, 2014 12:58 PM
    Sunday, January 26, 2014 8:21 PM
  • Thanks Andrew. That is exactly what I am testing right now. In addition to what you've suggested I've also included an additional breadcrumb attribute (write back the value of msExchOriginatingForest into ExtensionAttribute2) and then an additional join rule of ExtensionAttribute2 mapped to msExchOriginatingForest.

    -Jimmy George


    Jimmy George

    Monday, January 27, 2014 12:58 PM