FIM in one-way trust environment
Hi, I need to implement FIM in a one-way trust environment. I have two domains dom1 & dom2 and dom1 trusts dom2. All my user accounts are in dom2. I need to use FIM to add user accounts to Domain Local groups in dom1. I have setup FIM in dom1 and I'm able to sync users from dom2 to FIM portal. I know I'll need to provision FSPs before I can add the users to domain groups but I have no idea how to do that. Can anyone help on this please? Any relevant documentation on this will be helpful.
February 10th, 2011 10:34pm
I recommend the Getting Started series. BTW: could you explain FSP? /Matthias
February 11th, 2011 6:23am
You just need to set the credentials on each MA to manage the other forest. For FSPs in group management, check out the Cross-Forest Group Management Whitepaper at http://technet.microsoft.com/en-us/library/ff721965(WS.10).aspx. Eric
February 11th, 2011 10:18am
I was referring to Foreign Security Principals.
February 11th, 2011 2:35pm
I did not understand this: "You just need to set the credentials on each MA to manage the other forest." I have MAs for each forest. For DOM1 ADMA I use a user account created in DOM1 and for DOM2 ADMA a user account from DOM2. Is this the right config?
February 11th, 2011 2:40pm
Quoting: "I did not understand this: 'You just need to set the credentials on each MA to manage the other forest.' I have MAs for each forest. For DOM1 ADMA I use a user account created in DOM1 and for DOM2 ADMA a user account from DOM2. Is this the right config?" That's correct. My Book - Active Directory, 4th Edition; My Blog - www.briandesmond.com
February 11th, 2011 3:19pm
I followed the white paper to configure FIM for cross-forest management. However, I still can't add users from the other forest. My configuration looks like this:
1. Dom1
   a. AD Agent – Dom1ADMA
   b. Agent Account – Dom1\Adma – has necessary rights to create objects in AD
   c. Created Join rule cn -> objectSidstring
2. Dom2
   a. AD Agent – Dom1ADMA
   b. Agent Account – Dom2\Adma
   c. Created Join rule cn -> objectSidstring
3. Created Sets and Sync Rules as in the document
4. Added the objectSidstring attribute in Synchronization service and in FIM portal.
5. Created group calculation workflow and MPR
As I posted earlier, it is a one-way trust environment and I need to provision FSPs in DOM1. Dom2 will have only user accounts. I also don't use Exchange provisioning. This is one of the main things I need to achieve with FIM in my environment. I would appreciate any help with this. Thanks…
February 15th, 2011 3:18am
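An added example, not from any poster in this thread and not FIM's own provisioning code: it reproduces by hand, with the ActiveDirectory module, the end state the cross-forest group setup above is meant to produce (a dom2 user added to a dom1 domain local group through an FSP), so the FSP mechanism and the join key the thread relies on (cn = the SID string, hence the cn -> objectSidstring join rule) can be checked independently of the sync rules. Domain names, DC names, group DN, user name and service account are placeholders.

```powershell
# Added example (not from the thread or from FIM). Placeholders: dom1.example trusts
# dom2.example (one-way), App-Readers is a domain local group in dom1, jdoe lives in dom2.
# Runs as a dom1 account that may write the group's member attribute; because the trust is
# one-way, a dom2 credential is needed to query the dom2 DC.
Import-Module ActiveDirectory

$Dom1Dc   = 'dc01.dom1.example'                                  # assumed DC, trusting forest
$Dom2Dc   = 'dc01.dom2.example'                                  # assumed DC, trusted forest
$GroupDn  = 'CN=App-Readers,OU=Groups,DC=dom1,DC=example'       # assumed domain local group
$UserName = 'jdoe'                                               # assumed user in dom2
$Dom2Cred = Get-Credential -Message 'dom2 account with read access (e.g. dom2\adma)'

# 1. Look up the dom2 user; only its SID is needed on the dom1 side.
$user = Get-ADUser -Identity $UserName -Server $Dom2Dc -Credential $Dom2Cred
$sid  = $user.SID.Value

# 2. Add the foreign principal by SID. Writing "<SID=...>" into the DN-syntax member
#    attribute makes the dom1 DC resolve the SID through the trust and create the FSP
#    object automatically if it does not exist yet; no manual FSP creation is needed.
Set-ADGroup -Identity $GroupDn -Server $Dom1Dc -Add @{ member = "<SID=$sid>" }

# 3. Verify: the FSP is stored under CN=ForeignSecurityPrincipals and its CN is the
#    SID string itself, which is the value the thread's join rule matches against.
$fspDn = "CN=$sid,CN=ForeignSecurityPrincipals,DC=dom1,DC=example"
try {
    $fsp = Get-ADObject -Identity $fspDn -Server $Dom1Dc -Properties memberOf
} catch {
    throw "No FSP for $sid in dom1; check the trust direction and the writing account's rights."
}
"FSP {0} is a member of: {1}" -f $fsp.DistinguishedName, ($fsp.memberOf -join '; ')
```

If this manual step succeeds but the FIM flow still does not, the problem is in the sync rules or the agent account's rights rather than in the trust itself.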