Provision AD Accounts from an Oracle HR Database.
I'm trying to provision AD accounts from an Oracle data source. I've followed the "Publishing Active Directory Users From Two Authoritative Data Sources" document as mentioned by others, but I can't get the accounts provisioned in AD. I've imported the accounts into the HRMA CS successfully and provisioned them in the FIMMA; however, the ExpectedRulesList never gets set. I tried creating an account via the Portal interface and this works fine: the ERL gets set, the connectors get configured and the account gets created as expected.
April 5th, 2010 1:21am

Please see "Verifying the Declarative Provisioning Preconditions" in the "Introduction to Outbound Synchronization".
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 2:07am

I have read the document. I've actually spent hours reviewing the documents, checking here for any information, but have resolved the problem, so I finally decided to post a question. So this is where I'm confused. I have verified that the accounts are members of the set, but the ERL is not getting set. As mentioned, I created an account via the Portal and it worked, so I'm assuming the AD Sync rule works. I'm not seeing any errors, so I'm not sure where to go now. Does the attribute precedence have any effect? I've just set the attributes to "equal precedence" when an attribute is associated with more than one MA. Not sure how to post the HTML generated by your scripts, otherwise I would have posted my sync rules, etc.
April 5th, 2010 5:15am

Posting the HTML code is pretty simple. You can find a detailed description here.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 5:41am

Here are my two Sync Rule Configuration settings. What else would you like to see?

HR MA Inbound Sync Rule:

Synchronization Rule Configuration
  Name: VCC Student Banner Inbound Sync Rule
  Connector: {B81EC09A-3C2C-4371-A312-AFAEA0C9B902}
  Pending: No
  Description:
  Created Time: 02/04/2010
  Precedence: 1
  Flow Type: Inbound
  Scope
    Metaverse Object Type: person
    Data Source: {37FB7FAA-5591-48E7-8386-8158137311EB}
    Data Source Object Type: person
  Relationship
    Create object in FIM: true
    Create object in Connected System: false
    Relationship termination: false
  Connected Object Scope
    Source Attribute | Operation | Value
    DXMDXST_EXPIRY_FLAG | EQUAL | N
  Relationship Criteria
    ILM Attribute | Data Source Attribute
    employeeID | DXMDXST_BANNER_ID
  Inbound Attribute Flows
    Destination | Source
    accountName | DXMDXST_BANNER_ID
    employeeID | DXMDXST_BANNER_ID
    email | DXMDXST_EMAIL_ALIAS
    firstName | DXMDXST_FIRST_NAME
    displayName | +(DXMDXST_FIRST_NAME," ",DXMDXST_LAST_NAME)
    lastName | DXMDXST_LAST_NAME
    employeeType | Constant: Student

AD Outbound/Inbound Sync Rule:

Synchronization Rule Configuration
  Name: VCC AD Sync Rule
  Connector: {65D5E0CC-807A-4D59-8F58-19CF28581549}
  Pending: No
  Description:
  Created Time: 02/04/2010
  Precedence: 1
  Flow Type: Inbound and Outbound
  Scope
    Metaverse Object Type: person
    Data Source: {7A8F2570-7B50-43CB-B363-51E2D6841F02}
    Data Source Object Type: user
  Relationship
    Create object in FIM: false
    Create object in Connected System: true
    Relationship termination: false
  Relationship Criteria
    ILM Attribute | Data Source Attribute
    employeeID | employeeID
  Inbound Attribute Flows
    Destination | Source
    displayName | displayName
    firstName | givenName
    domain | CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-897455486-4218859501-3692190882"),"VCCTEST","Unknown"))
    objectSid | objectSid
    accountName | sAMAccountName
    lastName | sn
  Initial Outbound Attribute Flows
    Allow Nulls | Destination | Source
    false | pwdLastSet | Constant: 0
    false | userAccountControl | Constant: 512
    false | dn | +("CN=",displayName,",OU=",employeeType,"s,OU=User Accounts,DC=vcctest,DC=ca")
    false | unicodePwd | Constant: Pa$$W0rd123
  Persistent Outbound Attribute Flows
    Allow Nulls | Destination | Source
    false | sAMAccountName | accountName
    false | displayName | displayName
    false | mail | email
    false | employeeID | employeeID
    false | employeeType | employeeType
    false | givenName | firstName
    false | sn | lastName
April 5th, 2010 9:57am

Your synchronization rules look good. If I understand your problem correctly, your problem is the ERL population ("however, the ExpectedRulesList never gets set") - correct?
"I have verified that the accounts are members of the set but the ERL is not getting set."
In this case, you should post your MPR and the related workflow. It is kind of strange that you can get the ERL of a manually created user populated - but the ERL of an imported user is empty. There is nothing that prevents a TMPR from bringing a set member into the scope of a synchronization rule.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 2:33pm

Yes, you are correct, the ERL is not getting populated. The accounts are members of the set. And it all works for a manually created account. Here's some more information:

Management Policy Rule Configuration
  Name: VCC AD Management Policy Rule
  Description:
  Created Time: 4/2/2010
  Type: Request
  Grants Permissions: True
  Disabled: False
  Requestors and Operators
    Requestor: All People
    Operation: Create
  Target Resources
    Before Request: All VCC Accounts
    After Request: All VCC Accounts
    Resources Attributes: All Attributes
  Policy Workflows
    Type | Display Name
    Action | VCC AD Workflow

Workflow Configuration
  Name: VCC AD Workflow
  Description:
  Created Time: 4/2/2010
  Workflow Type: Action
  Run On Policy Update: False
  Synchronization Rule Name: VCC AD Sync Rule
  Action: Add

Metaverse Attribute Flow Configuration for person
  (columns: Management Agent | Object Type | Type | Source Attributes)
  accountName, equal
    FIMMA | Person | d | AccountName
    ADMA | user | sr | sAMAccountName
    BannerStudentMA | person | sr | DXMDXST_BANNER_ID
  csObjectID, ranked
    FIMMA | Person | d | dn
  displayName, equal
    FIMMA | Person | d | DisplayName
    ADMA | user | sr | displayName
    BannerStudentMA | person | sr | +(DXMDXST_FIRST_NAME," ",DXMDXST_LAST_NAME)
  domain, equal
    FIMMA | Person | d | Domain
    ADMA | user | sr | CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-897455486-4218859501-3692190882"),"VCCTEST","Unknown"))
  email, equal
    FIMMA | Person | d | Email
    BannerStudentMA | person | sr | DXMDXST_EMAIL_ALIAS
  employeeID, equal
    FIMMA | Person | d | EmployeeID
    BannerStudentMA | person | sr | DXMDXST_BANNER_ID
  employeeType, equal
    FIMMA | Person | d | EmployeeType
    BannerStudentMA | person | sr | Constant: Student
  expectedRulesList, ranked
    FIMMA | Person | d | ExpectedRulesList
  firstName, equal
    FIMMA | Person | d | FirstName
    ADMA | user | sr | givenName
    BannerStudentMA | person | sr | DXMDXST_FIRST_NAME
  lastName, equal
    FIMMA | Person | d | LastName
    ADMA | user | sr | sn
    BannerStudentMA | person | sr | DXMDXST_LAST_NAME
  objectSid, ranked
    ADMA | user | sr | objectSid

Metaverse Active Schema Configuration
  (columns: Metaverse Attribute | Type | Multi-valued | Indexed | Import-Flows)

  Metaverse object type: person
    objectSid | Binary (non-indexable) | no | no | 1
    email | String (non-indexable) | no | no | 2
    lastName | String (non-indexable) | no | no | 3
    firstName | String (non-indexable) | no | no | 3
    expectedRulesList | Reference (DN) | yes | no | 1
    employeeType | String (non-indexable) | no | no | 2
    employeeID | String (non-indexable) | no | no | 2
    domain | String (non-indexable) | no | no | 2
    displayName | String (non-indexable) | no | no | 3
    accountName | String (non-indexable) | no | no | 3
    csObjectID | String (non-indexable) | no | no | 1

  Metaverse object type: detectedRuleEntry
    csObjectID | String (non-indexable) | no | no | 1

  Metaverse object type: expectedRuleEntry
    displayName | String (non-indexable) | no | no | 1
    synchronizationRuleID | Reference (DN) | no | no | 1
    synchronizationRuleData | String (non-indexable) | yes | no | 1
    expectedRuleEntryAction | String (non-indexable) | no | no | 1
    createdTime | String (non-indexable) | no | no | 1

  Metaverse object type: synchronizationRule
    synchronizationRuleParameters | String (non-indexable) | yes | no | 1
    relationshipCriteria | String (non-indexable) | no | no | 1
    precedence | Number | no | no | 1
    persistentFlow | String (non-indexable) | yes | no | 1
    initialFlow | String (non-indexable) | yes | no | 1
    ilmObjectType | String (non-indexable) | no | no | 1
    flowType | Number | no | no | 1
    existenceTest | String (non-indexable) | yes | no | 1
    displayName | String (non-indexable) | no | no | 1
    disconnectConnectedSystemObject | Boolean | no | no | 1
    dependency | Reference (DN) | no | no | 1
    createILMObject | Boolean | no | no | 1
    createConnectedSystemObject | Boolean | no | no | 1
    connectedSystemScope | String (non-indexable) | no | no | 1
    connectedSystem | String (non-indexable) | no | no | 1
    connectedObjectType | String (non-indexable) | no | no | 1
April 5th, 2010 9:07pm

Cool - having the reports helped:

Management Policy Rule Configuration
  Name: VCC AD Management Policy Rule
  Description:
  Created Time: 4/2/2010
  Type: Request
  Grants Permissions: True
  Disabled: False
  Requestors and Operators
    Requestor: All People
    Operation: Create
  Target Resources
    Before Request: All VCC Accounts
    After Request: All VCC Accounts
    Resources Attributes: All Attributes
  Policy Workflows
    Type | Display Name
    Action | VCC AD Workflow

Your MPR is incorrect. You have a request based MPR, which should be a set transition based MPR. Theoretically, you could have also done this with a RMPR; however, in this case, the Target Resources Before Request must be All People. With your configuration, the MPR is not tied to a set transition. I wonder why it worked with the manually created user - it shouldn't... Anyway, now you know how to fix this.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 10:36pm

Thanks Markus. Yes, the reports are indispensable. Now that you point it out I can see it is wrong. Just looking back at it, the "Publishing Active Directory Users From Two Authoritative Data Sources" document is out of date. Just prior to you responding I was finally able to provision an account in AD (see steps below). Anyway, I recreated the MPR as a "type=Set Transition".

Management Policy Rule Configuration
  Name: VCC AD MPR
  Description:
  Created Time: 4/6/2010
  Type: Set Transition
  Grants Permissions: False
  Disabled: False
  Transition Definition
    Transition Type: Transition In
    Transition Set: All VCC Accounts
  Policy Workflows
    Type | Display Name
    Action | VCC AD Workflow

I re-ran the Import HR script and nothing happened, so I followed the procedure below again and it worked. For some reason I need to delete the account in the FIM Portal first. Any ideas why? What am I doing wrong?

1. Delete the account in FIM Portal
   a. Can still see the account via the FIM Synchronization Service interface. What's the difference?
2. Run my Import HR script which does the following:
   a. Sync from HR
      i. Full Import
      ii. Full Synchronization
   b. Sync with FIM
      i. Delta Import
      ii. Delta Synchronization
      iii. Export
      iv. Delta Import
   c. Sync with AD
      i. Export
      ii. Delta Import
   This populates the ERL but in a "pending state".
3. Run my FIM Sync script which does the following:
   a. Sync with FIM
      i. Delta Import
      ii. Delta Synchronization
      iii. Export
      iv. Delta Import
   b. Sync with AD
      i. Export
      ii. Delta Import
   This creates the account in AD.
April 6th, 2010 11:43pm
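The run profile sequence from the Import HR and FIM Sync scripts in the post above, written out as an added PowerShell example (not code from the thread) that drives the run profiles through the Synchronization Service WMI provider and stops on the first step that does not return success. The management agent names are taken from the reports above; the run profile names are assumptions and must match the profiles actually configured in Synchronization Service Manager.

```powershell
# Added example, not from the thread: runs the management agent run profiles in the
# order described in the post, through the Synchronization Service WMI provider.
# Assumptions: the MA names match the reports above; the run profile names are
# placeholders and must match the profiles configured in Synchronization Service Manager.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-RunProfile {
    param(
        [Parameter(Mandatory = $true)] [string] $MaName,
        [Parameter(Mandatory = $true)] [string] $ProfileName
    )
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name = '$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }

    Write-Host ("{0,-16} {1,-22}" -f $MaName, $ProfileName) -NoNewline
    $result = $ma.Execute($ProfileName)
    Write-Host $result.ReturnValue

    # Anything other than 'success' (for example 'completed-export-errors') stops the
    # sequence, so a failed step is not masked by the steps that follow it.
    if ($result.ReturnValue -ne 'success') {
        throw "Run profile '$ProfileName' on '$MaName' returned '$($result.ReturnValue)'"
    }
}

# Step 2 (Import HR script): HR -> FIM -> AD
$ImportHr = @(
    @{ Ma = 'BannerStudentMA'; Profile = 'Full Import' },
    @{ Ma = 'BannerStudentMA'; Profile = 'Full Synchronization' },
    @{ Ma = 'FIMMA';           Profile = 'Delta Import' },
    @{ Ma = 'FIMMA';           Profile = 'Delta Synchronization' },
    @{ Ma = 'FIMMA';           Profile = 'Export' },
    @{ Ma = 'FIMMA';           Profile = 'Delta Import' },
    @{ Ma = 'ADMA';            Profile = 'Export' },
    @{ Ma = 'ADMA';            Profile = 'Delta Import' }
)

# Step 3 (FIM Sync script): the same sequence without the HR steps
$FimSync = $ImportHr | Where-Object { $_.Ma -ne 'BannerStudentMA' }

foreach ($step in $ImportHr) { Invoke-RunProfile -MaName $step.Ma -ProfileName $step.Profile }
foreach ($step in $FimSync)  { Invoke-RunProfile -MaName $step.Ma -ProfileName $step.Profile }
```

Run it on the Synchronization Service server under an account in the FIMSyncOperators (or FIMSyncAdmins) group; the ReturnValue printed after each step is the same status the Operations view shows.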

This looks better now :o)

Management Policy Rule Configuration
  Name: VCC AD MPR
  Description:
  Created Time: 4/6/2010
  Type: Set Transition
  Grants Permissions: False
  Disabled: False
  Transition Definition
    Transition Type: Transition In
    Transition Set: All VCC Accounts
  Policy Workflows
    Type | Display Name
    Action | VCC AD Workflow

There is no need to delete your objects. Your MPR triggers when an object transitions into All VCC Accounts. Your existing accounts were probably already members of All VCC Accounts. So, what you need to do is to take the accounts out of All VCC Accounts and bring them back into the Set. This would have done the trick.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 7th, 2010 1:15am

I removed the members from All VCC Accounts and brought them back into the set. That did do the trick. I had to run the FIM_Sync twice though. The first time the ERL was pending and then the second time the accounts were provisioned into AD. Is this normal?
Cheers, Bruce
April 7th, 2010 5:25am

Not really, they should have been provisioned during the first synchronization run.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 15th, 2010 8:41pm
