MIM can't synchronize the group member changes from source AD to target AD.

  • Question

  • My current situation is below:

    If I create a new AD user or group, both are synchronized to the target AD fine.

    If I change the existing membership of a group in the source AD, such as adding existing users to an existing group or removing users, I see that the change is synchronized to the MV, but the change is not synchronized to the target AD.

    Has anyone met this issue before, or can someone give me some guidance on how to fix it?
    Tuesday, April 9, 2019 2:33 PM

Answers

  • A drawing of how your sync/import/export rules are set up would be helpful. I suspect you have created a loop and/or have a precedence problem but it's hard to tell.

    Thanks,
    Brian

    • Marked as answer by Hailin Hu Monday, April 22, 2019 6:31 AM
    Thursday, April 11, 2019 9:10 PM
    Moderator

All replies

  • Do you have sync rules set up that are bidirectional (e.g. the member attribute is imported from both sides)?

    Thanks,
    Brian

    Tuesday, April 9, 2019 3:55 PM
    Moderator
  • Thanks, Brian, for checking into this.

    No, the current synchronization is one-way, only from the source domain to the target domain.

    But because we are trying to migrate from FIM to MIM, I'm not sure if there is any configuration I missed for this.

    Newly created users and groups are synchronized successfully under MIM, including the group members.

    But if I create a new user and add it to an old group that was previously created under FIM, then disable FIM and enable MIM for synchronization, the new user account is synced to the target domain, but the group membership is not updated on the target domain.



    • Edited by Hailin Hu Wednesday, April 10, 2019 6:50 AM
    Wednesday, April 10, 2019 6:47 AM
  • I checked the group in the metaverse; the group has the members, as you can see in the picture below.

    

    I tried to change the members within the testgroup, but those members aren't updated on the target domain.

    Wednesday, April 10, 2019 9:22 AM
  • I did some investigation and found that if both the user and group accounts have 3 connectors, then the group member is updated; if the user or group is missing one target connector, then the group member can't be updated.

    So how can I fix this issue so that all users and groups have 3 connectors, instead of only the newly created users and groups having them while the existing users and groups don't?

    Thursday, April 11, 2019 5:25 AM
  • Thanks. The issue is resolved now.
    Monday, April 22, 2019 6:30 AM