AD Objects not joining
I've got some Team entities (security groups) in AD which aren't joining up with their matching objects in FIM-MA and an XMA. Due to complexities with some connected systems, we have to do a data-migration run before initialising FIM, where we create the migrated data in FIM via WS calls. So the teams exist in FIM, AD and another system. When initialising FIM, all Team entities are expected to join, and have done before.

I've had a similar problem to this before, but resolved it where the relationship criteria was wrong in the AD sync rule. This feels like a regression as the join was working before, but after a configuration migration to a new environment, it's stopped working.

So, here's the landscape...

Outbound sync-rule to AD has a relationship criteria of accountName (mv) => sAMAccountName (ad). This attribute is not flowed ordinarily but I have tried adding it in and marked it as an existence check, but this didn't make a difference.

AD-MA has a join rule for group to MV type Team with sAMAccountName (ad) => accountName (mv).

To initialise the system I perform this run:

Sync Rule Provisioning disabled.
Full import on FIM-MA
Full import on AD-MA
Full import on other MAs
Full sync on FIM-MA
Full sync on AD-MA
Full sync on other MAs

At this point I can see the connector space object is only joined to FIM-MA and has the accountName attribute value I would expect. If I look in the MV I can see another instance of the team object which is joined to FIM-MA and another MA. This second object is not joined with the AD-MA CS one, even though they both have the same value for the accountName attribute.

If I put FIM into Sync Rule Provisioning enabled mode and run the normal sync, export runs, then there is no change, the objects are still un-joined and the AD-MA complains when it tries to provision a duplicate to AD.

I'm lost as to why the AD team objects aren't joining with the others. Could it be a permissions issue? I see no errors or anything to give me a clue.

Hopefully the above is enough information to describe the situation, but if not, can provide more! Any ideas?
February 26th, 2011 7:39am
Hi Carol, it all looks fine, except for a distinct lack of joins:
February 26th, 2011 7:46am
Hrm, thanks Eric. This is an initialisation scenario, so the first thing that's done is disable sync rule provisioning, then full import stage only on all MAs, then full sync on all MAs. At this point I can see the joins have not been made against the AD objects. I've tried resetting multiple times. As we couldn't progress with this issue we've continued with our plans, which is to move config to a new environment, so if we're lucky, the gremlins won't be in that environment. I'll report back. If we can't progress on this, we'll have to contact support I guess, as there's not much to go on.
February 26th, 2011 7:46am
Go into the connector space, locate one of the objects and do a preview sync. What do you see?
http://www.wapshere.com/missmiis
February 26th, 2011 9:02am
I have seen some strangeness with Sync Rule relationships that we've had to either do a FIM MA full sync or a Preview Commits on the Sync Rule objects in the FIM MA at customers. The issue appears to begin occasionally after a sync rule is changed in the Portal and a Delta Sync done of the FIM MA.
Eric
February 26th, 2011 9:28am