Newbie question: Exporting from ILM2 to AD.
Hi Guys,

I'm struggling to wrap my head around ILM2 at the moment, though I've only been at it for a day.

The situation I'm in is that we are looking at using ILM2 to see if we can perform on-demand (as we hope not to do this very often) synchronisation between an iPlanet 5.1 LDAP source to AD, and in the process create the AD objects as contacts (we're tackling an Exchange issue, not authentication).

So far, I've managed to get the import MA working, and I can search the metabase for imported objects just fine. But what I can't seem to do is export them from ILM to AD. Nothing fails, I just don't get any objects being provisioned by the second MA.

In terms of the settings I've used in the MA, it's simply to assign a few attributes using the Export directive from the built-in "person" class to the AD "contact" class. The Run Profile I have set up uses the Export option.

It's worth noting that I am not using the IIS components, as we do not wish to utilise any self-service functionality at this point in time. We also wish to avoid having to install optional components from a security footprint standpoint.

From an administrative perspective, is it mandatory to install the portal components, or can I achieve what we desire without installing them? If it is possible, then what might I need to look at to resolve the issue with the lack of propagation?

Cheers,
Lain
September 1st, 2009 7:35am

Please take a look at the "Introduction to Outbound Synchronization". This document has all the steps you need.

Cheers,
Markus

Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
September 1st, 2009 10:48am

Hi Markus,

I've already read that document, but it relies on making use of the web-based front end, from what I can see. As I mentioned, we're trying to avoid having to run and therefore lock down another web interface if we can.

What I'm after is any documentation that covers how to do this in similar detail to the link you provided, but exclusively through the Identity Manager console, not partially through the portal interface. Or alternatively, confirmation that it can't in fact be done without the web interface, and I'll just have to go away and install it.

Cheers,
Lain
September 1st, 2009 11:31am

Hi Lain,

If I understand your requirements correctly, you want to use the FIM Synchronization Engine exclusively without the FIM portal services, which is in general possible and what MIIS2003 and ILM2007 basically provided. I recommend reading the Classical MetaDirectory and Simple Account Provisioning scenarios in http://www.microsoft.com/downloads/details.aspx?familyid=15032653-D78E-4D9D-9E48-6CF0AE0C369C&displaylang=en, which describe similar implementations with MIIS2003. These scenarios should then be easily transformed to FIM 2010.

Hope this helps
/Matthias
September 1st, 2009 1:30pm

Lain, just making sure that this is understood: without the portal component, you are losing some elementary functionality. You can certainly use FIM in a sync only mode without the portal; however, think hard about it :o) Without the portal, you can use the synchronization engine the "good old way".

To get a proof of concept installed, you can definitely use the document Matthias has suggested. However, for starters, I would rather recommend something like "Synchronizing Active Directory Objects to SQL Server" and "Synchronizing SQL Server Objects to Active Directory". These documents are in my opinion better suited for beginners.

Cheers,
Markus

Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
September 1st, 2009 1:44pm

Thanks Markus and Matthias.

I've had a read of both Matthias' link, in addition to Markus' "Synchronizing SQL Server Objects to Active Directory", and unless I'm mistaken, I have to write an extension in Visual Studio just to provision a contact in AD? Is my understanding here correct? I guess I just assumed that since ILM is a Microsoft product, it would at least be able to provision to AD natively?

Though that said, it also appears that I would need to create a Contact class using the Metaverse Designer, as only a handful of objects already exist. Is there no way for ILM to simply import the class definition from the AD schema?

I really like the manner in which multiple sources can be used to create a rich, centralised representation of what an AD object should look like, I'm just surprised that it can't then turn around and actually talk to AD to do the provisioning.

Cheers,
Lain
September 2nd, 2009 3:51am

Hi Lain,

1. "...write an extension in Visual Studio just to provision a contact in AD..." That's exactly what Markus was talking about: if you're using FIM "the good old way" you lose some functionality, in this case the function "Codeless Provisioning", which enables you to provision AD users without writing code.

2. "...import the class definition from the AD schema..." FIM discovers the AD schema and imports it into the connector space of your AD Management Agent. Once you have this definition in your connector space, you have to design how these object classes will be represented in the Metaverse of the synchronization engine. And this depends very much on detailed requirements. For example, if you only have to take care about iPlanet users and Active Directory contacts, it might be sufficient to use the default Metaverse object class "Person" to bring both Connector Space objects together. If you want to implement more complex scenarios, it might be meaningful to define a separate Metaverse class "Contacts".

/Matthias
September 2nd, 2009 9:45am
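As an added example (not code from any of the replies above), this is the shape of the metaverse rules extension Matthias refers to: a C# class library referencing Microsoft.MetadirectoryServices.dll that implements IMVSynchronization, whose Provision method creates a contact in the AD connector space for each metaverse person that has no AD connector yet. The MA name "AD MA", the target OU and the attribute names used are assumptions for illustration.

```csharp
using Microsoft.MetadirectoryServices;

// Hypothetical metaverse rules extension. Assumed names: the AD management
// agent is called "AD MA" and contacts live in OU=Contacts,DC=example,DC=com.
// Registered via Metaverse Designer > Configure Rules Extension.
public class MVExtensionObject : IMVSynchronization
{
    private const string AdMaName = "AD MA";
    private const string ContactContainer = "OU=Contacts,DC=example,DC=com";

    public void Initialize() { }
    public void Terminate() { }

    // Called by the sync engine for each metaverse object after inbound sync.
    public void Provision(MVEntry mventry)
    {
        // Only the default "person" class is provisioned in this example.
        if (mventry.ObjectType != "person")
            return;

        ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];

        // Already joined or provisioned: do nothing, so re-runs are idempotent.
        if (adMa.Connectors.Count > 0)
            return;

        // Provision only when the attributes the contact needs are present.
        if (!mventry["displayName"].IsPresent || !mventry["mail"].IsPresent)
            return;

        // EscapeDNComponent escapes commas and other DN specials in the CN,
        // so a display name cannot redirect the object to another container.
        ReferenceValue dn = adMa.EscapeDNComponent("CN=" + mventry["displayName"].Value)
                                .Concat(ContactContainer);

        CSEntry csentry = adMa.Connectors.StartNewConnector("contact");
        csentry.DN = dn;
        csentry["cn"].Value = mventry["displayName"].Value;
        // Remaining attributes (mail, targetAddress, ...) are left to the
        // export attribute flow rules defined on the AD MA.
        csentry.CommitNewConnector();
    }

    // Keep the metaverse object when its last connector disappears; adjust to policy.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

Provisioning must also be switched on under Tools > Options > Enable Provisioning Rules Extension, and the "contact" object type must be selected in the AD MA before the Export run profile will create anything.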

No worries. That's exactly the kind of clarification I was after. Now I have to weigh up the labour effort versus the security maintenance effort, which is something I can more readily quantify.

Thanks a lot for taking the time to shoot me a couple of quick replies, it's really helped.

Cheers,
Lain
September 2nd, 2009 9:55am
