Provision AD Accounts from an Oracle HR Database.
I'm trying to provision AD accounts from an Oracle data source. I've followed the "Publishing Active Directory Users From Two Authoritative Data Sources" document as mentioned by others, but I can't get the accounts provisioned in AD. I've imported the accounts into the HRMA CS successfully and provisioned them in the FIMMA; however, the ExpectedRulesList never gets set. I tried creating an account via the Portal interface and this works fine: the ERL gets set, the connectors get configured and the account gets created as expected.
April 5th, 2010 1:21am
Please see "Verifying the Declarative Provisioning Preconditions" in the "Introduction to Outbound Synchronization".
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 2:07am
I have read the document. I've actually spent hours reviewing the documents and checking here for any information, but have resolved the problem, so I finally decided to post a question.
So this is where I'm confused. I have verified that the accounts are members of the set, but the ERL is not getting set. As mentioned, I created an account via the Portal and it worked, so I'm assuming the AD Sync Rule works. I'm not seeing any errors, so I'm not sure where to go now. Does the attribute precedence have any effect? I've just set the attributes to "equal precedence" when an attribute is associated with more than one MA.
Not sure how to post the HTML generated by your scripts otherwise I would have posted my sync rules, etc.
April 5th, 2010 5:15am
Posting the HTML code is pretty simple.
You can find a detailed description here.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 5:41am
Here are my two Sync Rule Configuration settings. What else would you like to see?
HR MA Inbound Sync Rule:
Synchronization Rule Configuration
  Name: VCC Student Banner Inbound Sync Rule
  Connector: {B81EC09A-3C2C-4371-A312-AFAEA0C9B902}
  Pending: No
  Description:
  Created Time: 02/04/2010
  Precedence: 1
  Flow Type: Inbound
Scope
  Metaverse Object Type: person
  Data Source: {37FB7FAA-5591-48E7-8386-8158137311EB}
  Data Source Object Type: person
Relationship
  Create object in FIM: true
  Create object in Connected System: false
  Relationship termination: false
Connected Object Scope
  Source Attribute | Operation | Value
  DXMDXST_EXPIRY_FLAG | EQUAL | N
Relationship Criteria
  ILM Attribute | Data Source Attribute
  employeeID | DXMDXST_BANNER_ID
Inbound Attribute Flows
  Destination | Source
  accountName | DXMDXST_BANNER_ID
  employeeID | DXMDXST_BANNER_ID
  email | DXMDXST_EMAIL_ALIAS
  firstName | DXMDXST_FIRST_NAME
  displayName | +(DXMDXST_FIRST_NAME," ",DXMDXST_LAST_NAME)
  lastName | DXMDXST_LAST_NAME
  employeeType | Constant: Student
AD Outbound/Inbound Sync Rule:
Synchronization Rule Configuration
  Name: VCC AD Sync Rule
  Connector: {65D5E0CC-807A-4D59-8F58-19CF28581549}
  Pending: No
  Description:
  Created Time: 02/04/2010
  Precedence: 1
  Flow Type: Inbound and Outbound
Scope
  Metaverse Object Type: person
  Data Source: {7A8F2570-7B50-43CB-B363-51E2D6841F02}
  Data Source Object Type: user
Relationship
  Create object in FIM: false
  Create object in Connected System: true
  Relationship termination: false
Relationship Criteria
  ILM Attribute | Data Source Attribute
  employeeID | employeeID
Inbound Attribute Flows
  Destination | Source
  displayName | displayName
  firstName | givenName
  domain | CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-897455486-4218859501-3692190882"),"VCCTEST","Unknown"))
  objectSid | objectSid
  accountName | sAMAccountName
  lastName | sn
Initial Outbound Attribute Flows
  Allow Nulls | Destination | Source
  false | pwdLastSet | Constant: 0
  false | userAccountControl | Constant: 512
  false | dn | +("CN=",displayName,",OU=",employeeType,"s,OU=User Accounts,DC=vcctest,DC=ca")
  false | unicodePwd | Constant: Pa$$W0rd123
Persistent Outbound Attribute Flows
  Allow Nulls | Destination | Source
  false | sAMAccountName | accountName
  false | displayName | displayName
  false | mail | email
  false | employeeID | employeeID
  false | employeeType | employeeType
  false | givenName | firstName
  false | sn | lastName
April 5th, 2010 9:57am
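The "domain" inbound flow in the AD sync rule above derives the domain label by comparing the first 40 characters of the string form of objectSid with a hard-coded domain SID. The following is an added example, not code from this thread, showing the same classification done in PowerShell from the raw objectSid bytes with the .NET SecurityIdentifier type, which compares the account-domain part of the SID directly rather than a fixed-length string prefix. The domain SID and the "VCCTEST"/"Unknown" labels are the ones in the sync rule; the sample RID 1105 is constructed for the demonstration.

```powershell
# Added example (not from the thread): classify an AD objectSid by its account domain.
# Equivalent in intent to the sync rule's
#   IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-...-3692190882"),"VCCTEST","Unknown")
# but it compares the domain SID object instead of a 40-character prefix, so it does not
# break if the domain SID string were a different length.
$vccTestDomainSid = New-Object System.Security.Principal.SecurityIdentifier `
    'S-1-5-21-897455486-4218859501-3692190882'   # domain SID from the sync rule

function Get-DomainLabel {
    param([byte[]]$ObjectSid)   # binary objectSid as read from AD
    $sid = New-Object System.Security.Principal.SecurityIdentifier($ObjectSid, 0)
    # AccountDomainSid is $null for well-known SIDs (e.g. S-1-5-18), which then map to "Unknown"
    if ($sid.AccountDomainSid -and ($sid.AccountDomainSid -eq $vccTestDomainSid)) {
        'VCCTEST'
    } else {
        'Unknown'
    }
}

# Constructed sample input: a user with RID 1105 in the VCCTEST domain, converted to
# the binary form that the ADMA would import.
$sample = New-Object System.Security.Principal.SecurityIdentifier `
    'S-1-5-21-897455486-4218859501-3692190882-1105'
$bytes = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)

Get-DomainLabel -ObjectSid $bytes        # VCCTEST

# A SID from some other domain (constructed) falls through to "Unknown".
$other = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1-2-3-500'
$otherBytes = New-Object byte[] $other.BinaryLength
$other.GetBinaryForm($otherBytes, 0)
Get-DomainLabel -ObjectSid $otherBytes   # Unknown
```

In the metaverse this is the value that ends up in the "domain" attribute, so if you ever add a second forest or rename the domain, only the SID constant needs updating; the prefix length does not.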
Your synchronization rules look good.
If I understand your problem correctly, your problem is the ERL population ("however, the ExpectedRulesList never gets set") - correct? "I have verified that the accounts are members of the set but the ERL is not getting set." In this case, you should post your MPR and the related workflow.
It is kind of strange that you can get the ERL of a manually created user populated - but the ERL of an imported user is empty. There is nothing that prevents a TMPR from bringing a set member into the scope of a synchronization rule.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 2:33pm
Yes, you are correct, the ERL is not getting populated. The accounts are members of the set. And it all works for a manually created account.
Here's some more information:
Management Policy Rule Configuration
  Name: VCC AD Management Policy Rule
  Description:
  Created Time: 4/2/2010
  Type: Request
  Grants Permissions: True
  Disabled: False
Requestors and Operators
  Requestor: All People
  Operation: Create
Target Resources
  Before Request: All VCC Accounts
  After Request: All VCC Accounts
  Resources Attributes: All Attributes
Policy Workflows
  Type | Display Name
  Action | VCC AD Workflow
Workflow Configuration
  Name: VCC AD Workflow
  Description:
  Created Time: 4/2/2010
  Workflow Type: Action
  Run On Policy Update: False
Synchronization Rule
  Name: VCC AD Sync Rule
  Action: Add
Metaverse Attribute Flow Configuration for person
accountName, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | AccountName
  ADMA | user | sr | sAMAccountName
  BannerStudentMA | person | sr | DXMDXST_BANNER_ID
csObjectID, ranked
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | dn
displayName, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | DisplayName
  ADMA | user | sr | displayName
  BannerStudentMA | person | sr | +(DXMDXST_FIRST_NAME," ",DXMDXST_LAST_NAME)
domain, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | Domain
  ADMA | user | sr | CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-897455486-4218859501-3692190882"),"VCCTEST","Unknown"))
email, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | Email
  BannerStudentMA | person | sr | DXMDXST_EMAIL_ALIAS
employeeID, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | EmployeeID
  BannerStudentMA | person | sr | DXMDXST_BANNER_ID
employeeType, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | EmployeeType
  BannerStudentMA | person | sr | Constant: Student
expectedRulesList, ranked
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | ExpectedRulesList
firstName, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | FirstName
  ADMA | user | sr | givenName
  BannerStudentMA | person | sr | DXMDXST_FIRST_NAME
lastName, equal
  Management Agent | Object Type | Type | Source Attributes
  FIMMA | Person | d | LastName
  ADMA | user | sr | sn
  BannerStudentMA | person | sr | DXMDXST_LAST_NAME
objectSid, ranked
  Management Agent | Object Type | Type | Source Attributes
  ADMA | user | sr | objectSid
Metaverse Active Schema Configuration
Metaverse object type: person
  Metaverse Attribute | Type | Multi-valued | Indexed | Import-Flows
  objectSid | Binary (non-indexable) | no | no | 1
  email | String (non-indexable) | no | no | 2
  lastName | String (non-indexable) | no | no | 3
  firstName | String (non-indexable) | no | no | 3
  expectedRulesList | Reference (DN) | yes | no | 1
  employeeType | String (non-indexable) | no | no | 2
  employeeID | String (non-indexable) | no | no | 2
  domain | String (non-indexable) | no | no | 2
  displayName | String (non-indexable) | no | no | 3
  accountName | String (non-indexable) | no | no | 3
  csObjectID | String (non-indexable) | no | no | 1
Metaverse Active Schema Configuration
Metaverse object type: detectedRuleEntry
  Metaverse Attribute | Type | Multi-valued | Indexed | Import-Flows
  csObjectID | String (non-indexable) | no | no | 1
Metaverse object type: expectedRuleEntry
  Metaverse Attribute | Type | Multi-valued | Indexed | Import-Flows
  displayName | String (non-indexable) | no | no | 1
  synchronizationRuleID | Reference (DN) | no | no | 1
  synchronizationRuleData | String (non-indexable) | yes | no | 1
  expectedRuleEntryAction | String (non-indexable) | no | no | 1
  createdTime | String (non-indexable) | no | no | 1
Metaverse object type: person
  Metaverse Attribute | Type | Multi-valued | Indexed | Import-Flows
  objectSid | Binary (non-indexable) | no | no | 1
  email | String (non-indexable) | no | no | 2
  lastName | String (non-indexable) | no | no | 3
  firstName | String (non-indexable) | no | no | 3
  expectedRulesList | Reference (DN) | yes | no | 1
  employeeType | String (non-indexable) | no | no | 2
  employeeID | String (non-indexable) | no | no | 2
  domain | String (non-indexable) | no | no | 2
  displayName | String (non-indexable) | no | no | 3
  accountName | String (non-indexable) | no | no | 3
  csObjectID | String (non-indexable) | no | no | 1
Metaverse object type: synchronizationRule
  Metaverse Attribute | Type | Multi-valued | Indexed | Import-Flows
  synchronizationRuleParameters | String (non-indexable) | yes | no | 1
  relationshipCriteria | String (non-indexable) | no | no | 1
  precedence | Number | no | no | 1
  persistentFlow | String (non-indexable) | yes | no | 1
  initialFlow | String (non-indexable) | yes | no | 1
  ilmObjectType | String (non-indexable) | no | no | 1
  flowType | Number | no | no | 1
  existenceTest | String (non-indexable) | yes | no | 1
  displayName | String (non-indexable) | no | no | 1
  disconnectConnectedSystemObject | Boolean | no | no | 1
  dependency | Reference (DN) | no | no | 1
  createILMObject | Boolean | no | no | 1
  createConnectedSystemObject | Boolean | no | no | 1
  connectedSystemScope | String (non-indexable) | no | no | 1
  connectedSystem | String (non-indexable) | no | no | 1
  connectedObjectType | String (non-indexable) | no | no | 1
April 5th, 2010 9:07pm
Cool - having the reports helped:
Management Policy Rule Configuration
  Name: VCC AD Management Policy Rule
  Description:
  Created Time: 4/2/2010
  Type: Request
  Grants Permissions: True
  Disabled: False
Requestors and Operators
  Requestor: All People
  Operation: Create
Target Resources
  Before Request: All VCC Accounts
  After Request: All VCC Accounts
  Resources Attributes: All Attributes
Policy Workflows
  Type | Display Name
  Action | VCC AD Workflow
Your MPR is incorrect. You have a request based MPR, which should be a set transition based MPR.
Theoretically, you could have also done this with a RMPR; however, in this case, the Target Resources Before Request must be All People. With your configuration, the MPR is not tied to a set transition.
I wonder why it worked with the manually created user - it shouldn't...
Anyway, now you know, how to fix this.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 5th, 2010 10:36pm
Thanks Markus. Yes, the reports are indispensable. Now that you point it out I can see it is wrong. Looking back at "Publishing Active Directory Users From Two Authoritative Data Sources", it is out of date. Just prior to you responding I was finally able to provision an account in AD (see steps below).
Anyway, I recreated the MPR as a "type=Set Transition".
Management Policy Rule Configuration
  Name: VCC AD MPR
  Description:
  Created Time: 4/6/2010
  Type: Set Transition
  Grants Permissions: False
  Disabled: False
Transition Definition
  Transition Type: Transition In
  Transition Set: All VCC Accounts
Policy Workflows
  Type | Display Name
  Action | VCC AD Workflow
I re-ran the Import HR script and nothing happened, so I followed the procedure below again and it worked. For some reason I need to delete the account in the FIM Portal first. Any ideas why? What am I doing wrong?
1. Delete the account in FIM Portal
a. Can still see the account via the FIM Synchronization Service interface. What’s the difference?
2. Run my Import HR script which does the following:
a. Sync from HR
i. Full Import
ii. Full Synchronization
b. Sync with FIM
i. Delta Import
ii. Delta Synchronization
iii. Export
iv. Delta Import
c. Sync with AD
i. Export
ii. Delta Import
This populates the ERL but in a “pending state”.
3. Run my FIM Sync script which does the following:
a. Sync with FIM
i. Delta Import
ii. Delta Synchronization
iii. Export
iv. Delta Import
b. Sync with AD
i. Export
ii. Delta Import
This creates the account in AD.
April 6th, 2010 11:43pm
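The "Import HR" and "FIM Sync" scripts referred to in the steps above are not posted in the thread. The following is an added example, not the poster's script, of how such a run-profile sequence is driven from PowerShell through the FIM Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute). The management agent names BannerStudentMA, FIMMA and ADMA are taken from the metaverse report earlier in the thread; the run profile names are assumed to match the step names in the list ("Full Import", "Delta Synchronization", "Export", ...), so adjust them to whatever the run profiles are actually called on the server. The sequence stops at the first run profile that does not return "success", which is where a practitioner would look when the ERL stays "pending" after a run.

```powershell
# Added example (not from the thread): run FIM Sync Service run profiles in order via WMI.
# Assumes the MA names from the thread's metaverse report and default run profile names.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    # Execute() blocks until the run profile finishes and returns the run status string.
    $status = $ma.Execute($ProfileName).ReturnValue
    Write-Host ("{0,-16} {1,-22} {2}" -f $MaName, $ProfileName, $status)
    # Any status other than "success" (for example "completed-export-errors" or
    # "no-start-ma") aborts the sequence so later steps do not run on a half-synced state.
    if ($status -ne 'success') { throw "$MaName / $ProfileName returned '$status'" }
}

# Step 2 of the procedure ("Import HR"): HR -> metaverse -> FIM Service -> AD.
$importHrSequence = @(
    @{ MA = 'BannerStudentMA'; Profile = 'Full Import' },
    @{ MA = 'BannerStudentMA'; Profile = 'Full Synchronization' },
    @{ MA = 'FIMMA';           Profile = 'Delta Import' },
    @{ MA = 'FIMMA';           Profile = 'Delta Synchronization' },
    @{ MA = 'FIMMA';           Profile = 'Export' },
    @{ MA = 'FIMMA';           Profile = 'Delta Import' },   # brings the ERL written by the FIM Service back in
    @{ MA = 'ADMA';            Profile = 'Export' },
    @{ MA = 'ADMA';            Profile = 'Delta Import' }
)

# Step 3 of the procedure ("FIM Sync"): the same sequence without the HR import.
$fimSyncSequence = $importHrSequence | Where-Object { $_.MA -ne 'BannerStudentMA' }

foreach ($step in $importHrSequence) { Invoke-RunProfile -MaName $step.MA -ProfileName $step.Profile }
foreach ($step in $fimSyncSequence)  { Invoke-RunProfile -MaName $step.MA -ProfileName $step.Profile }
```

To confirm the MA names before running it, list them with Get-WmiObject -Namespace root\MicrosoftIdentityIntegrationServer -Class MIIS_ManagementAgent | Select-Object Name; the script must run as an account in the FIMSyncOperators (or FIMSyncAdmins) group, since the WMI provider enforces those groups for Execute.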
This looks better now :o)
Management Policy Rule Configuration
  Name: VCC AD MPR
  Description:
  Created Time: 4/6/2010
  Type: Set Transition
  Grants Permissions: False
  Disabled: False
Transition Definition
  Transition Type: Transition In
  Transition Set: All VCC Accounts
Policy Workflows
  Type | Display Name
  Action | VCC AD Workflow
There is no need to delete your objects. Your MPR triggers when an object transitions into All VCC Accounts. Your existing accounts were probably already members of All VCC Accounts. So, what you need to do is to take the accounts out of All VCC Accounts and bring them back into the Set. This would have done the trick.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 7th, 2010 1:15am
I removed the members from All VCC Accounts and brought them back into the set. That did do the trick. I had to run the FIM_Sync twice though. The first time the ERL was pending and then the second time the accounts were provisioned into AD. Is this normal?
Cheers,
Bruce
April 7th, 2010 5:25am
Not really, they should have been provisioned during the first synchronization run.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 15th, 2010 8:41pm