Dear all, I already synchronize users and group from ADDS to FIM. And then I try to provision Groups to ADDS, it work fine too. I try add user to be a member of Distribution Groups on FIM, user successfully add to the distribution group with approving flow by Group manager, user can view the new member of Disribution Groups on the FIM Portal. But, on the AD user and computer, the user not listed in distribution group, why? Is any with my wrong configuration? Regards, Endrik

How do I Provision Groups to Active Directory Domain Services. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Dear Markus, I already follow your guide to provision group and its works. And then I try to add user to be member on the FIM, it work fine with the approval from the Owner of Distribution Group. But, If I check on the ADDS, the user not listed as a member in Distribution Group. For example, There 2 user, Jenny and Donny, and there 1 DG, Sales, DG Sales managed by Jenny. Donny request to be member of Sales in FIM, Jenny approve the request. On the FIM, Donny listed as a member of Sales, but on the ADDS, Donny not listed in Sales. is any wrong with my configuration? Regards, Endrik

Changes arent 'live'. Have you synchronized the changes in the groups back from FIM to AD ?

Dear Robin, Yeah, changes arent live, so I synchronize the changes from FIM Sync service. And the result, on the FIM, the user is listed on the DG, but on the ADDS, the user arent listed. Any idea? Thank Regards, Endrik

well, if its listed in FIM and not in AD, and asuming you arent getting any errors I would start checking the sync rules. Member attribute is in the outbound rule ? You can also try to follow the flow. They are listed in FIM, are they listen in the Metaverse ? Or in the AD connectorspace ? Are other changes being synced correct when you change it in FIM to AD ?

Dear Robin, They are listed in the FIM and also in the Metaverse. but, on the Connector space of AD, they are not listed. so, what the configuration that I must check? Thank you. Regards, Endrik

It looks like no export is taking place. Do you have a sync rule with an outbound flow from member to member? If its in the MV, then after a full sync it should be staged for export on the adma and after running the export on that MA it should be in AD

Dear Robin, Ont the Synch Rule, I have outbound rule with flow from member to member. On the FIMMA, when I run Full Import, and then FULL Sync, the changes are appear in Synchronization Statistic on the Update field. And then I run the Export, but no changes appear on the Synch Statistic. I tired with this kind, the changes of member attribute are not detected by ADMA. I successful created Group in FIM, and also sync to the ADDS, but if I add member, the member are not listed in the ADDS How to troubleshoot this matter? Regards, Endrik

after you run the full sync it should get through to the adma connector space, and then be able to export. I'm not sure why this isnt working, bc if I look at my config then the only thing I've done for this seems to be the member outbound rule. It seems like its not applying the rule correct ?? Are other changes getting through, like changing a groups name or something like that ?

You might want to make sure that the Attribute Flow Precedence is set correctly on the 'member' attribute of the 'group' object type. In this case, you probably want to make sure that FIM is precedent, or that it is set to "Equal Precedence". To set the Attribute Flow Precedence, go to the Metaverse Designer in the Sync Engine and select the 'group' object type, and then the 'member' attribute, then click on 'Configure Attribute Flow Precedence'.

Dear Robin, if Iam changing the group name on the FIM and then synchronize, the display name of group not change on the ADDS. So, I think the problem is about applying the rule. I just following the How do I Provision Groups to Active Directory Domain Services . Are you have some problem too? regards, Endrik

The groups are working for me. Have you checked the flow precedence like mark suggested ? MPR is what triggers the apply of the rule. Mabe you can post your config, like its also posted in the how do I guides, mabe we can see if you made a mistake somewhere

Dear Endrik, Have you check your outbound sync rule in the portal and make sure that you have not check the option "Initial Flow Only" for the attribute flow ? This can explain the fact that it synchronizes correctly in the MV and not export it to the ADDS.

Dear Michael, I have not check the option Initial flow only, and the result its same. For Robin, how to export the configuration synch and the inbound-outbound rule? regards, Endrik

http://social.technet.microsoft.com/wiki/contents/articles/fim-troubleshooting.aspx Think you can find it there

Dear Robin, For example, There Sales DG in FIM. Sales DG managed by User1, User2 want join the Sales DG, request status is PENDING, and then User1 approve the request of User2, on the status change AUTHORIZED, how to make status Complete? is any workflow i must set? Thanks for your patient Endrik

http://technet.microsoft.com/en-us/library/ee534915(WS.10).aspx Check this link. I never realized you where talkin about an approval proces.

Dear Robin, Approval process is working before I delete the Sync Rule. And still not work. Because it's development phase, I'll uninstall the FIM Sync and FIM Portal. I try to re-configure all. Hope the Distribution groups work fine. The link troubleshooting that you give me is very helpful But, the FIM Object Visualizer not work for 64-bit machine. how to associate HTA with 64-bit? Regards, Endrik

Dear All, I have solved the problem. this is because expected rule list not listed so the changes are not applied into AD CS. and I create custom Workflow for the approval. Thank you. Regards, Endrik