hello, I have two domain out of which one is child domain. i.e. abc.local and right.abc.local i had imported uses from both domain by configuring containers in Management agent for AD. now i want to flow users to their respective OU crated in both domain on the basis of the domain name is selected in portal while creating user. I decided to modify DN flow in outbound sync rule, but i am not sure how can i modify it. please let me know if my approach is correct , what operation should i select to server my purpose. Thanks in advance.Cheers, Mohit Goyal

Hi... In your Outbound Synchronization Rule, set the attribute DN pointing to path which you want. Take a look in the post http://social.technet.microsoft.com/Forums/en/ilm2/thread/d68795e7-8c75-4430-a672-123b383c9331. This post explains some thing about flow definition. Remember to specify the right values of your domain in ",DC=abc,DC=local" and ",DC=right,DC=abc,DC=local" in the concatenate function. Cheers,***** Paulo H. Campos - So Paulo/Brasil ***** http://identitypedia.blogspot.com (in PT-BR)

hello Paulo, I understood the flow defination mentioned above but my question was, will defining DN flow to ",DC=abc,DC=local" and ",dc=right,dc=ac,dc=local" simultaniously in same flow defination, work as preditive flow. if request comes to add user to ",dc=right,dc=ac,dc=local" flow, will it work by only defining concatenate function. i doubt that. Please guide me what should i do , that will surve my requirement. thanks,Cheers, Mohit Goyal

Ok... you can use the Function IIF to flow your DN... in this example, I used department to flow DN to correct OU... String: "CN=" + DisplayName + CustomExpression: IIF(Eq(department,"Marketing"), ",ou=Marketing,dc=Fabrikam,dc=com", IIF(Eq(department, "hr"), ",ou=HR,dc=Fabrikam,dc=com", "")) The IIF function returns one of a set of possible values based on a specified condition. IIF(Condition:Boolean, ValueTrue:object, ValueFalse:object) You can change the department and the value in case of true. Cheers, ***** Paulo H. Campos - So Paulo/Brasil ***** http://identitypedia.blogspot.com (in PT-BR)

hello Paulo, according to your description i followed and created an customExpression as below String: "CN=" + DisplayName + CustomExpression: IIF(Eq(domain,"ABC"),",ou=FIMObjects,dc=abc,dc=local",IIF(Eq(domain,"RIGHT"),",ou=FIMObjects,dc=right,DC=ABC,dc=local","")) I got the error while sync Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector. DN is set for initial flow only. Cheers, Mohit Goyal

Regarding that error, you might want to make sure that the 'domain' attribute is present in the MV prior to the AD synchronization.

hello Mark, domain attribute is very much is present MV, prior to this change i was able to provision to DN . please let me know if you need more information. Please helpCheers, Mohit Goyal

For custom expressions, you are better off testing them in a lab environment, first, based on a simple scenario. In your case, I would first create a simple inbound synchronization rule with a custom expression that has the same structure as the one you are using in case of your DN flow. That way, you can "debug" and verify whether your logic is accurate. So, basically, all you need is a file MA with an anchor and a text field - something like ID, Name. ID could flow to something like uid and name to givenName. The custom expression could populate description. The goal is to test the logic of the custom expression. That way, you can see whether description has the intended value in the metaverse. If you have verified, that the general logic of your custom expression works, you can then take it for your actual scenario. So, this is just a general suggestion for testing custom expressions. In my experience, it helps to test them first in an inbound synchronization rule based on a very simple scenario. Also, it is not a good idea to configure the "ELSE" part of an IIF with an empty string. In your case, I would use something that has a valid structure but still incorrect information - something like "ou=banana,dc=test,dc=com". That way, you get a more helpful error - something along the lines of "no compatible partition found". At least, you can make sure that there is nothing wrong with your IFF evaluation. Last but not least, in case of string comparisons that include a literal such as "ABC", I would always apply an "upper case" function to the attribute that is part of the comparison as a safety feature. These are all little things you can do to make sure that your custom expression is accurate. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation