About FIM deployment
The environment is as follows:
1. A large enterprise with a number of different Active Directory forests; the group AD domain is a.com and the branch AD domain is b.com.
2. Active Directory runs on Windows Server 2003 or 2008.

The requirements are as follows:
1. The users of a branch domain need to be synchronized to the group's domain.
2. When a user in the company domain changes the password, the corresponding account in the group will change accordingly.

Questions: Because my only prior contact is with IIFP, with no ILM or FIM experience, according to my current understanding the process should be as follows. I wonder if it is right:
1. Synchronize the branch office domain users to the FIM.
2. Synchronize the users to the group domain from the FIM.
3. Call PCNS (Password Change Notification Service) to synchronize the password.

Now the questions are:
1. Should the FIM Server be installed in the group domain or in the branch company's domain?
2. Is an SPN setting not required?
3. How many Active Directory Domain Service Agents should I create?
4. How many FIM Service Management Agents should I create?
5. Do the Active Directory User Outbound Synchronization Rule, Active Directory User Provisioning Workflow, and AD User Provisioning Management Policy Rule not need to be created in the Portal?
6. Which Object Types should I choose at least, and which Attributes should they include?

There is no fate but what we make
July 11th, 2010 7:53am

A lot of questions at the same time...

Do you have trust between the domains/forests?

FIM can perfectly support the IIFP scenarios. If you do not wish to use the FIM portal functionality (workflows, policies, self-services, ...) you can just use the FIM Sync engine.

Do you wish to support:
- workflows?
- group management via the portal?
- request management? (e.g. request access to groups)
- password management (self service?)
- other out-of-the-box FIM Service functionality?

FIM Service has group management on board, by default.

1. FIM Server can be installed in either domain, but by preference in the domain which initiates the password sync (source domain for password sync). Keep in mind: password sync is one-way (source AD > targets), 2-way pw sync is not supported.
2. SPN settings are at least required if using PCNS; in addition, the FIM 2010 technical guides explain exactly when and how to configure SPNs.
3. Each Active Directory forest that participates in synchronization requires its own management agent. For example, if you are using FIM to synchronize data between two Active Directory forests, you must create two separate management agents to represent each forest.
4. If you do not plan to use the FIM Service and FIM portal functionality (workflows, management via portal, ...) you do not need the FIM MA. You can start with FIM Sync and add the FIM Service later, if you wish.
5. If you do not use the portal, you can set up the config without the sync rules, MPR and workflows.
6. The object and attribute selections depend on your requirements. Which objects do you wish to manage? Security groups, distribution lists, users, contacts, ...

HTH,
Peter

Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be)
July 14th, 2010 2:35pm
