FIM 2010 without Portal
Hi, I am a complete FIM newbie and I have just installed the FIM sync engine into our lab. I am trying to configure FIM as a basic DirSynch between two AD domains, so when a user gets created in AD1 I would like FIM to pick the user up and create a duplicate in AD2. I have created an AD MA to AD1 and I have managed to pull a few test users into FIM (I can see them in the connector space), now how do I export them to AD2? I thought it would be just a case of creating a MA to AD2 and setting the flow to export, but reading on some web pages I think I will need to install the FIM service and create a FIM Service MA. Any help gratefully received! David
April 15th, 2011 6:28am

If you don't have the FIM Portal in place you have to configure the classical provisioning methods. This document may help you to understand how classical provisioning works. /Matthias
April 15th, 2011 7:39am

I find that guide a little difficult to understand; no wonder I had such trouble provisioning users when I first started out.

Anyway, David, what you want to do is slightly more complicated than using the FIM Portal but probably less complicated than that guide makes it out to be. Essentially the understanding you're missing here is that your standard attribute flows will only bring users into FIM, into the metaverse, and push those attributes back out to users it joins to. To actually provision users in another system, you need to write some code using classic provisioning methods. But even that is not that tricky.

Assuming you have:
- A projection rule in AD1 MA for user->Person
- A join rule on both MAs for user->person on sAMAccountName->accountName
- An import rule on AD1.sAMAccountName->MV.accountName

Then basically do this:
- Tools->Options-> "Enable Metaverse Rules Extensions", check this box
- In the same window, check "Enable Provisioning Rules Extension", then click "Create Rules Extension Project"
- This will create a Visual Studio project for you. I generally use C#... but use VB.NET if you prefer
- In the code it generates, open the MVExtension project and locate the Provision() method
- Replace this method with something like:

```csharp
void IMVSynchronization.Provision(MVEntry mventry)
{
    switch (mventry.ObjectType)
    {
        case "Person":
            ConnectedMA ad2 = mventry.ConnectedMAs["Name of AD2 MA"]; // replace with the name of the AD2 MA

            // if this user has not been provisioned
            if (ad2.Connectors.Count == 0)
            {
                CSEntry csentry = ad2.Connectors.StartNewConnector("user");

                // set the user's account Name
                csentry["sAMAccountName"].StringValue = mventry["accountName"].StringValue;
                csentry["userPrincipalName"].StringValue = mventry["accountName"].StringValue;

                // set a default password in AD2
                // if you want to set up password sync, that's a whole other question.
                csentry["unicodePwd"].Value = "12345";

                // set the account to enabled by default.
                // set to 514 for disabled
                csentry["userAccountControl"].IntegerValue = 512;

                // Set the DN
                // replace "accountName" with "displayName", or whatever other attribute you're flowing in from AD1
                // replace the OU=Users bit with the DN for the container you wish to put users into.
                ReferenceValue DN = ad2.EscapeDNComponent("CN=" + mventry["accountName"].StringValue).Concat("OU=Users,DC=company,DC=com");

                // assign the DN to the new connector before committing it
                csentry.DN = DN;

                csentry.CommitNewConnector();
            }
            break;

        default:
            throw new EntryPointNotImplementedException();
    }
}
```

(you'll have to debug that one yourself)

Then compile the code and copy the DLLs to your FIM extensions directory (C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions)

Then run a full sync on AD1. Once that's done, you should see new users get generated for AD2. Perform an export on AD2 to send them out.

That's the rough guide anyway. If you get stuck anywhere, let me know. If writing/compiling the code is beyond you, your options are to get someone who can do it, or consider using the FIM Portal.

- Ross Currie
April 19th, 2011 11:27pm
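Added example, not part of Ross Currie's reply or of the generated FIM project: the Provision() snippet above gives every new AD2 account the same initial password ("12345") and enables it, so one way to avoid a shared, known credential is to generate a random password per user. The `InitialPassword` class, its member names and the character sets are assumptions made for this sketch, and it assumes the real password is later set by a reset or delivered out of band.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper (not generated by FIM): random initial password per user.
public static class InitialPassword
{
    // Assumed character classes; look-alike characters are left out.
    static readonly string[] Classes = {
        "ABCDEFGHJKLMNPQRSTUVWXYZ",
        "abcdefghijkmnopqrstuvwxyz",
        "23456789",
        "!#$%*+-=?@"
    };
    static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    // Uniform integer in [0, max), max <= 256, using rejection sampling
    // so that the modulo step introduces no bias.
    static int Next(int max)
    {
        byte[] b = new byte[1];
        int limit = 256 - (256 % max);
        do { Rng.GetBytes(b); } while (b[0] >= limit);
        return b[0] % max;
    }

    public static string Generate(int length)
    {
        if (length < Classes.Length || length > 256)
            throw new ArgumentOutOfRangeException("length");
        string all = string.Concat(Classes);
        char[] pw = new char[length];
        // First one character from every class (so AD complexity rules are met),
        // then the rest from the combined pool.
        for (int i = 0; i < length; i++)
        {
            string pool = i < Classes.Length ? Classes[i] : all;
            pw[i] = pool[Next(pool.Length)];
        }
        // Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
        for (int i = length - 1; i > 0; i--)
        {
            int j = Next(i + 1);
            char t = pw[i]; pw[i] = pw[j]; pw[j] = t;
        }
        return new string(pw);
    }
}
// In Provision(), in place of the literal "12345":
//   csentry["unicodePwd"].Value = InitialPassword.Generate(16);
```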

This topic is archived. No further replies will be accepted.
