Join Group Membership
How do I join group members from two AD domains into FIM? I have a group in domain A and an identical group in domain B. When I do a synchronization and export, FIM MA deletes the domain A members and adds the domain B members. How do I make sure the members do not get overwritten? Membershiplocked = True, currently set to false? Thanks, Nathan
June 23rd, 2010 4:57pm

By design, you can't, because you always need either one authoritative owner per system or per connector space (equal precedence) to enable sync to make a processing decision. This is a bit of a weird setup from the AD perspective. If the groups are "identical", you should use group nesting to keep the members in sync on the AD side. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 5:21pm

Ok, makes sense. Another question: Does outbound work the same way? If I have identical groups and members between the domains, then I add a user to a group from domain A and do an outbound to domain B, will it delete all the domain B accounts and then add the user from domain A? Or just add the domain A account if it exists in domain B without deleting the domain B accounts? What I am trying to do is have domain A be authoritative, manage groups there, and then synchronize the group membership to domain B if the group or user account exists in domain B. I know this may seem weird. Thanks, Nathan
June 23rd, 2010 5:51pm

What I don't get right now is where these groups are located. Are they in separate forests? In this case, you can configure the single-authoritative master model, which is the preferred method. So, what you have in group A will eventually be in group B, as long as the group members exist in B. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 7:06pm

Yes, they are in separate forests. Thanks, Nathan
June 23rd, 2010 7:13pm

In this case, you can implement your single authoritative master scenario within the constraints you have mentioned. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 24th, 2010 12:13am

I want to make sure that if a member gets added to a group by ADUC.msc in the non-authoritative domain, FIM does not overwrite the members during an export. It currently is doing this, so I must be doing something incorrectly, or since it is authoritative there is no way to change this. What would be the proper configuration in FIM to not overwrite the group members in a non-authoritative domain? Would this work if I synced the non-authoritative domain while the "member" mapping was removed or deleted from the inbound synchronization rule? So when I do a sync from the authoritative domain to FIM, then export the changes to the non-authoritative domain, it will only add the members but not delete any members? Is this possible? I still want to manage groups through other tools besides FIM. Thanks, Nathan
June 24th, 2010 10:17pm

As mentioned before, you can't prevent non-authoritative values from being overwritten. For the member attribute, there is no merge, just a replace. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 24th, 2010 11:27pm
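The replace-not-merge behaviour Markus describes, and the question Nathan asks about members added locally with ADUC, can be made concrete with a small model. The following Python is an added example written for this thread; it is not FIM code and not from anyone posting here. It models only ranked precedence (equal precedence is not modelled), and the domain names, account names and the `contributes` flag are constructed for illustration. The `preview_export` / `members_at_risk` functions are the check to run against real group data before an export is enabled: they report which members of the target group the export would delete.

```python
"""Simplified model of FIM's replace (not merge) semantics for the multi-valued
`member` attribute. Added illustration, not FIM code: the metaverse takes the whole
member value from the single highest-precedence connector space that contributes it,
and an export writes that whole value to the target, so any member that exists only
in the target group is removed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectorSpace:
    """One AD forest as seen by its management agent (constructed sample data)."""
    name: str
    members: frozenset          # current members of the group, by sAMAccountName
    accounts: frozenset         # user accounts that exist in this forest
    contributes: bool = True    # whether this MA flows `member` into the metaverse (assumed flag)


@dataclass(frozen=True)
class ExportPlan:
    adds: frozenset             # members the export will add to the target group
    removes: frozenset          # members the export will delete from the target group
    final_members: frozenset    # target group membership after the export


def resolve_metaverse_members(spaces, precedence):
    """Replace semantics: the first connector space in precedence order that
    contributes `member` supplies the entire value; lower-precedence spaces are
    ignored rather than merged in.
    """
    by_name = {cs.name: cs for cs in spaces}
    for name in precedence:
        cs = by_name[name]
        if cs.contributes:
            return frozenset(cs.members)
    return frozenset()


def preview_export(mv_members, target):
    """Compute what exporting the metaverse value to `target` would do.
    Only members whose account exists in the target forest can be written there;
    a member with no account in the target forest simply does not flow.
    """
    desired = frozenset(m for m in mv_members if m in target.accounts)
    return ExportPlan(
        adds=desired - target.members,
        # Members added locally (e.g. via ADUC) that the replace will drop.
        removes=target.members - desired,
        final_members=desired,
    )


def members_at_risk(spaces, precedence, target_name):
    """Defender's pre-export check: which members of the target group would be deleted?"""
    by_name = {cs.name: cs for cs in spaces}
    mv = resolve_metaverse_members(spaces, precedence)
    return preview_export(mv, by_name[target_name]).removes


# Constructed sample: domain A is authoritative; domain B was edited locally with ADUC.
DOMAIN_A = ConnectorSpace("A", frozenset({"alice", "bob", "carol"}),
                          frozenset({"alice", "bob", "carol"}))
DOMAIN_B = ConnectorSpace("B", frozenset({"alice", "dave"}),
                          frozenset({"alice", "bob", "dave", "erin"}))

if __name__ == "__main__":
    mv = resolve_metaverse_members([DOMAIN_A, DOMAIN_B], ["A", "B"])
    plan = preview_export(mv, DOMAIN_B)
    print("adds:", sorted(plan.adds))          # bob is added in B
    print("removes:", sorted(plan.removes))    # dave, added locally in B, is deleted
    print("carol flows?", "carol" in plan.final_members)  # no account in B, so no
```

Reversing the precedence list to `["B", "A"]` reproduces what Nathan saw in the first post: B's value replaces A's in the metaverse, and an export to A would then delete A's own members. Removing the inbound `member` flow from B (`contributes=False`) stops B from winning precedence but does not turn the export into an add-only merge; the removals reported by `members_at_risk` still happen.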
