Can FIM 2010 perform User Movement Across Domains?
Hi, I have a scenario where we have a single forest with 2 domains in it: a parent domain (for eg test.com) and a child domain (testcdc.com). The requirement is that whenever data (i.e. a particular attribute / couple of attributes) from the authoritative source (SAP) changes, the user needs to be moved by FIM 2010 from the parent to the child domain (i.e. movement across domains). I have tried the following options:

1. Used a single Management Agent (MA) for both DCs (parent and child) and established a simple sync rule wherein, using IIF, if the particular attribute value changes, the DN value is changed, i.e. IIF Dept = Finance then DN = OU=testfinance,DC=test,DC=com (the DN for the parent domain), else DN = OU=testfinancecdc,DC=testcdc,DC=test,DC=com (the DN for the child domain). Things are fine till I do a Full Sync from the FIM MA, which indicates I have the provisioning rename to be done for the user (i.e. if the user is in the parent domain and the user attribute has changed, then in the next cycle ideally the user should move to the child domain), but when I do an export it gives me the errors "invalid-dn" and "Cross Domain Move Requested" and the user movement doesn't occur. Thus my primary query is: can FIM do the user movement from one domain to another if they are in a single forest? Are my settings/configurations right, or may be I am missing something? I chose to use a single MA for both domains in the single forest because it has been mentioned in forums here that it is always desired to have a single MA for a single forest irrespective of the number of domains in it.

2. The second option that I've tried is that I created two MAs (one for the parent and the other for the child domain). For the case of user movement, what happens here is: if the user who is residing in the parent domain has an attribute change such that the user has to be moved to the child domain, in this scenario I disconnect the user from FIM, i.e. I chose the Disconnect option in my sync rule for the parent domain and also make the parent domain MA an explicit disconnector. Thus in this case the user from the parent domain gets totally disconnected from FIM, and instead of user movement, the user is created as a new user in the child domain. Thus for the case of user movement, what I have in the end is two entries for the same user in the parent and child domains, FIM gets totally disconnected from the parent domain user, and all future requests from FIM go to the child domain user entry. My organisation doesn't wish to delete users from the ADs, thus I get two entries for the same user.

I would like to ask: is this the only option (disconnect the user from one domain and create the same user entry in the child domain) in FIM if user movement across domains needs to be handled? By this option I assume the user's password, his connection to the mailbox and his group membership would also be affected. Correct me in my above assumption if I'm wrong. Request your replies. Thanks in advance, Kaushik B
January 19th, 2011 1:00am

This is not something that FIM is really designed to do. I think you're better off looking at ADMT so you can retain passwords and profiles during the migration. What you could do with FIM is set a flag of some sort on the user account indicating that it should be migrated, then perhaps you could have an overnight scheduled task which runs ADMT against flagged accounts. This will have the extra benefit of only moving accounts at an expected time.

http://www.wapshere.com/missmiis
January 19th, 2011 5:32am
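A sketch of the flag-and-scheduled-task approach Carol describes, written as an added example for this thread (it is not Carol's code and not part of FIM or ADMT). It assumes the FIM outbound sync rule writes the intended target domain's DNS name into extensionAttribute1 of the source-domain user, that ADMT is installed on the host that runs the task, and that the ADMT switches shown (/N, /SD, /TD, /TO, /IF:YES) match the installed version's command-line reference; the domain names and OU are the ones from the original question.

```powershell
# Added example, not from the thread. Nightly task: move users that FIM has
# flagged for a cross-domain move, using ADMT instead of a FIM DN rename.
# Assumptions (not stated in the thread):
#   - the FIM outbound sync rule sets extensionAttribute1 to the target domain
#   - ADMT is installed on this host and admt.exe is on the PATH
#   - the ADMT switches below match the ADMT command-line reference you run

Import-Module ActiveDirectory

$SourceDomain = 'test.com'                                  # parent domain
$TargetDomain = 'testcdc.test.com'                          # child domain
$TargetOU     = 'OU=testfinancecdc,DC=testcdc,DC=test,DC=com'
$FlagAttr     = 'extensionAttribute1'                       # assumption: set by FIM
$LogFile      = "C:\Logs\admt-move-$(Get-Date -Format yyyyMMdd).log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# 1. Collect only accounts that still live in the source domain AND carry the
#    flag for this target. Querying the source DC means an account that has
#    already been moved is never returned again, so no flag clean-up is needed.
$flagged = Get-ADUser -Server $SourceDomain `
    -Filter "$FlagAttr -eq '$TargetDomain'" `
    -Properties $FlagAttr

if (-not $flagged) { Write-Log 'nothing flagged; exiting'; return }

foreach ($user in $flagged) {
    # 2. One ADMT run per account so that a failure is attributable to a user.
    #    /IF:YES requests an intra-forest move (the single-forest case in the
    #    question): the account keeps its SID, password and group memberships,
    #    which is what ADMT gives you and a FIM provisioning rename does not.
    $admtArgs = @(
        'USER',
        '/N', $user.SamAccountName,
        "/SD:$SourceDomain",
        "/TD:$TargetDomain",
        "/TO:$TargetOU",
        '/IF:YES'
    )
    Write-Log "moving $($user.SamAccountName) -> $TargetDomain"
    & admt.exe @admtArgs 2>&1 | Add-Content -Path $LogFile

    # 3. Treat a non-zero exit code as failure (assumption about ADMT's exit
    #    codes; confirm against the ADMT log). Leave the flag in place so the
    #    account is retried on the next scheduled run rather than silently skipped.
    if ($LASTEXITCODE -ne 0) {
        Write-Log "FAILED $($user.SamAccountName) (exit $LASTEXITCODE); will retry next run"
        continue
    }

    # 4. Confirm the object now exists in the child domain before reporting success.
    $moved = Get-ADUser -Server $TargetDomain -Identity $user.SamAccountName -ErrorAction SilentlyContinue
    if ($moved) { Write-Log "OK $($user.SamAccountName) now at $($moved.DistinguishedName)" }
    else        { Write-Log "WARN $($user.SamAccountName): ADMT returned 0 but object not found in $TargetDomain" }
}
```

Run it from a scheduled task under an account that holds the ADMT migration rights in both domains; the log file gives the audit trail of which accounts moved and when, which is the "expected time" benefit Carol mentions. After the move, the single-forest MA (or the child-domain MA) will see the object in its new container on the next import, so the sync rule no longer needs to attempt the cross-domain DN rename that failed with "Cross Domain Move Requested".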

Hi Carol, I am also looking for such a solution, but for password synchronization. We have two domains, abc.com and xyz.com, where we have created a trust relationship between these two forests. Now I want to copy the same user object with the same password from abc.com to xyz.com, and whenever a user or administrator changes a password in abc.com it should be synced automatically with xyz.com also. Could you please tell me how I can achieve this through FIM 2010? I can create an MA for both domains in FIM manager.
June 12th, 2012 4:41am

You can use the Password Change Notification Service (PCNS) to sync passwords from ABC to XYZ. Provisioning users and so forth in XYZ would be standard FIM sync config work.

My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
June 12th, 2012 1:27pm

Brian, I am not sure whether I am following the right link or not, http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/02/08/synchronize-active-directory-password-to-an-sql-database-with-fim-and-pcns.aspx but this is what I found so far, and I am trying to implement it in FIM 2010. Do you have any specific document or guide where I can find detailed information on user provisioning from one domain to another?
June 12th, 2012 2:05pm
