Provision to AD LDS
I have seen various people posting about issues with provisioning accounts in AD LDS with an AD LDS MA with FIM 2010. The posts I have read have been slightly different from my problem, so I am trying to see if you guys can give me some things to check out. I am trying to use an extension rule to provision the account to AD LDS. I have enabled the setting, and the MA is running as my elevated account (testing purposes), so I know it has rights to the OU. I modified a C# MVExtension project to fit our environment as well (to the best of my ability). We have objects in the Metaverse and cannot get them to export. We have also tried using sync rules too (I realize these are two different things). We don't receive any errors in the Event Viewer of the Sync Manager console. I am desperate and welcome any suggestions. Below is the provisioning code in the extension file I created, just in case someone can make sense of it. Thanks for your help!!!

```csharp
// Inside the MVExtension class; requires: using Microsoft.MetadirectoryServices;
void IMVSynchronization.Provision(MVEntry mventry)
{
    ConnectedMA ManagementAgent;
    int Connectors = 0;
    CSEntry csentry;
    ReferenceValue DN;

    ManagementAgent = mventry.ConnectedMAs["Staff Import"];
    Connectors = ManagementAgent.Connectors.Count;

    // Provision to SQL
    if (0 == Connectors)
    {
        csentry = ManagementAgent.Connectors.StartNewConnector("Person");
        csentry["SASID"].Value = mventry["employeeID"].Value;
        csentry["CN"].Value = mventry["accountName"].Value;
        csentry["Department"].Value = mventry["department"].Value;
        csentry["CN"].Value = mventry["displayname"].Value;
        csentry["FT/PT"].Value = mventry["employeeType"].Value;
        csentry["Address"].Value = mventry["address"].Value;
        csentry["City"].Value = mventry["city"].Value;
        csentry["Classess"].Value = mventry["Classess"].Value;
        csentry["Description"].Value = mventry["description"].Value;
        csentry["Email"].Value = mventry["email"].Value;
        csentry["Fax"].Value = mventry["Fax"].Value;
        csentry["FirstName"].Value = mventry["firstName"].Value;
        csentry["Instructors"].Value = mventry["Instructors"].Value;
        csentry["LastName"].Value = mventry["lastName"].Value;
        csentry["PersonLocation"].Value = mventry["location"].Value;
        csentry["PositionLocation"].Value = mventry["title"].Value;
        csentry["PositionTitle"].Value = mventry["title"].Value;
        csentry["State"].Value = mventry["State"].Value;
        csentry["Supervisor"].Value = mventry["Supervisor"].Value;
        csentry["Zip"].Value = mventry["Zip"].Value;
        // CN is assigned several times in this block; this last assignment is the one that sticks.
        csentry["CN"].Value = mventry["loginName"].Value;
        csentry.CommitNewConnector();
    }
    if (1 == Connectors)
    {
    }

    ManagementAgent = mventry.ConnectedMAs["ADLDS"];
    Connectors = ManagementAgent.Connectors.Count;

    // Provision to AD
    if (0 == Connectors)
    {
        DN = ManagementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat("OU=Staff,DC=Test,DC=org");
        csentry = ManagementAgent.Connectors.StartNewConnector("user");
        csentry.DN = DN;
        csentry["CN"].Value = mventry["accountName"].Value;
        csentry["employeeID"].Value = mventry["employeeID"].Value;
        csentry["unicodePwd"].Value = "Windows20";
        csentry["msDS-UserAccountDisabled"].Value = "false";
        // No CommitNewConnector() call in this branch, so the new AD LDS connector is never committed.
    }
}
```
April 5th, 2012 6:57pm

I did some playing around and found this in the event viewer: "This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded". I believe it has to do with the rules extension I added, but I am not sure what to change.
April 5th, 2012 9:54pm

I reverted the Visual Studio Target Framework to .NET Framework 2.0, and now I am getting "An error was encountered when processing your request Error: The expression mapping is executed but it fails because of a missing source attribute"... surely I am getting closer, right?
April 5th, 2012 10:17pm

Mario,

I think there is a comma missing in your DN specification, just before 'OU=Staff':

```csharp
DN = ManagementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat(",OU=Staff,DC=Test,DC=org");
```

And, for safety reasons, I would advise using the 'IsPresent' method when getting the metaverse attributes, like so:

```csharp
string superVisor = null;
if (mventry["Supervisor"].IsPresent)
{
    superVisor = mventry["Supervisor"].Value;
}
```

(you might want to wrap that in a method, for reusability). I can also see that you set every attribute during provisioning. I would advise you to set the minimum amount of attributes during provisioning and set the remaining attributes during synchronization.

Regards,
Pieter

Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
April 6th, 2012 3:58am

THANK YOU! THANK YOU! What you suggested really helped me out. It complained when I put a comma before the OU=Staff though. One question: can you help me with the code to get the MVObject to AD LDS? I mean, what is the method? That is the other half of my initial problem. Is this code below sufficient? I have objects in the MV, but when I try to do an export it says I have 0 objects to export. I just want to verify my code will work once I have that issue resolved. The code I copied and pasted into Visual Studio appears to only be to get the object from CS to MV?? I think... here is the other sub in the code:

```csharp
ManagementAgent = mventry.ConnectedMAs["ADLDS"];
Connectors = ManagementAgent.Connectors.Count;
string displayname = null;
string unicodePwd = null;
string UserAccountDisabled = "msDS-UserAccountDisabled";
if (0 == Connectors)
{
    string employeeID = null;
    if (mventry["employeeID"].IsPresent)
    {
        employeeID = mventry["EmployeeID"].Value;
    }
    DN = ManagementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat("OU=Staff,DC=Test,DC=org");
    csentry = ManagementAgent.Connectors.StartNewConnector("user");
    csentry.DN = DN;
    // The values below are stored in local variables only; nothing here is written to csentry.
    displayname = mventry["displayname"].Value;
    employeeID = mventry["employeeID"].Value;
    unicodePwd = "Windows1";
    UserAccountDisabled = "false";
}
```

Thanks again
April 6th, 2012 11:26am

Mario,

An 'Export' run just exports the content of the connector space to the target system. In your case, you should first run a 'Full Synchronization' step from your source system, which executes the code above and will create your new object.

As for your code: you are currently creating variables, but you are not using them. You should set values in the connector space by adding something like:

```csharp
csentry["displayname"].Value = displayname;
```

...or, as I mentioned above, define the attribute flow from the client interface. You should also commit the new connector. Try this one:

```csharp
void IMVSynchronization.Provision(MVEntry mventry)
{
    ConnectedMA managementAgent;
    int connectors = 0;
    CSEntry csentry;
    ReferenceValue DN;

    managementAgent = mventry.ConnectedMAs["ADLDS"];
    connectors = managementAgent.Connectors.Count;

    // Provision to AD
    if (connectors == 0)
    {
        DN = managementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat(",OU=Staff,DC=Test,DC=org");
        csentry = managementAgent.Connectors.StartNewConnector("user");
        csentry.DN = DN;
        csentry["CN"].Value = mventry["accountName"].Value;
        csentry["employeeID"].Value = mventry["employeeID"].Value;
        csentry["unicodePwd"].Value = "Windows20";
        csentry["msDS-UserAccountDisabled"].Value = "false";
        csentry.CommitNewConnector();
    }
}
```

As for the error you got by adding the comma before the OU=Staff, can you give me the error? Maybe I can help you with that one.

Regards,
Pieter.

Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
April 6th, 2012 11:51am
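Pieter's two replies above (wrap the IsPresent check in a reusable method, set only the minimum attributes at provisioning time, commit the new connector) pulled together into one Provision method. This is an added example, not code from the thread or from FIM itself. The MA name "ADLDS", the container OU=Staff,DC=Test,DC=org and the attribute names are the thread's; the random initial password, its 16-character length and creating the account disabled are my additions. Two points a practitioner would want here: Concat() inserts the DN separator itself, so the parent container is passed without a leading comma (the InvalidDNException for ",OU=Staff,DC=Test,DC=org" reported further down the thread is what the leading comma produces); and a shared literal such as "Windows20" gives every provisioned account the same known password, so the example generates one per account and leaves enabling the account to a later, deliberate attribute flow. AD LDS accepts a unicodePwd write only over an SSL-protected connection, so the MA must be configured accordingly.

```csharp
// Added example (not the thread's code). Assumes an AD LDS MA named "ADLDS", a metaverse
// object carrying displayName and employeeID, and the container OU=Staff,DC=Test,DC=org.
using System;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    private const string AdLdsMaName = "ADLDS";
    private const string StaffContainer = "OU=Staff,DC=Test,DC=org";

    void IMVSynchronization.Initialize() { }
    void IMVSynchronization.Terminate() { }

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        // Read through IsPresent so a missing source attribute cannot throw here.
        string displayName = GetStringIfPresent(mventry, "displayName");
        string employeeID = GetStringIfPresent(mventry, "employeeID");
        if (displayName == null)
        {
            return; // nothing to name the object after yet; try again on the next sync
        }

        ConnectedMA adlds = mventry.ConnectedMAs[AdLdsMaName];
        if (adlds.Connectors.Count != 0)
        {
            // Already connected: provisioning owns the DN only; everything else is attribute flow.
            return;
        }

        // EscapeDNComponent escapes characters such as commas inside the RDN value.
        // Concat inserts the separator itself, so the parent container carries no leading comma.
        ReferenceValue dn = adlds.EscapeDNComponent("CN=" + displayName).Concat(StaffContainer);

        CSEntry csentry = adlds.Connectors.StartNewConnector("user");
        csentry.DN = dn; // cn follows the RDN; do not set it separately to a different value

        // Minimum attribute set for a usable object; the rest flows during synchronization.
        if (employeeID != null)
        {
            csentry["employeeID"].Value = employeeID;
        }

        // One random initial password per account instead of a literal shared by all accounts.
        // AD LDS only accepts unicodePwd over an SSL-protected connection.
        csentry["unicodePwd"].Value = NewRandomInitialPassword(16);

        // Create the account disabled; enabling it is a separate step handled by attribute flow.
        csentry["msDS-UserAccountDisabled"].BooleanValue = true;

        csentry.CommitNewConnector();
    }

    bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }

    // Reusable IsPresent wrapper: returns null instead of throwing on an absent attribute.
    private static string GetStringIfPresent(MVEntry mventry, string attributeName)
    {
        Attrib attribute = mventry[attributeName];
        return attribute.IsPresent ? attribute.Value : null;
    }

    // Cryptographically random password drawn from a fixed alphabet; rejection sampling keeps
    // every character equally likely. The length is an assumption: match the AD LDS password policy.
    private static string NewRandomInitialPassword(int length)
    {
        const string alphabet =
            "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@";
        int limit = 256 - (256 % alphabet.Length); // largest multiple of alphabet.Length <= 256
        char[] result = new char[length];
        byte[] one = new byte[1];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            for (int i = 0; i < length; )
            {
                rng.GetBytes(one);
                if (one[0] < limit)
                {
                    result[i++] = alphabet[one[0] % alphabet.Length];
                }
            }
        }
        return new string(result);
    }
}
```

The class compiles against the FIM 2010 Microsoft.MetadirectoryServices assembly with the project targeting the same CLR as the sync service (the thread's "built by a runtime newer than the currently loaded runtime" error is what a mismatch looks like). A Full Synchronization on the source MA runs Provision; the Export run on the ADLDS MA then pushes the committed connector out.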

Thanks again Pieter! I don't recall the exact error I received regarding the OU. I just removed the comma and the error went away. Another guy and I just got back from FIM training last week, and we are finding there are a lot of little things we weren't told (of course). The extension rule was already built and we didn't touch C#. This is the longest I have played with it, but I have gotten a lot better understanding of how at least this rules extension works. I also just discovered the FIM Event log, and I see there is a certificate issue of some kind; not sure if it would affect exports to AD LDS or not. So I am going to have to focus my attention on that now to rule it out, but I do currently have the code you helped with in our testing environment and it is no longer causing the miscellaneous "exception-dll-errors". Many many thanks!!!!!
April 6th, 2012 4:54pm

By the way Pieter, that error was: Microsoft.MetadirectoryServices.InvalidDNException: DN ",OU=Staff,DC=Test,DC=org" is not valid.
April 6th, 2012 6:15pm

Hi guys,

Not meaning to reopen this thread, but my searching led me here. All the above code and process works exactly for my scenarios also; however, I also need to propagate when the password changes from the SQL DB to the AD LDS. So I added the additional code:

```csharp
if (connectedMA.Connectors.Count < 1)
{
    // similar code as above...
}
else
{
    // try update the pwd
    if (mventry.ObjectType.Equals("LDSUser"))
    {
        CSEntry csEntry = connectedMA.Connectors.ByDN[myDN];
        if (csEntry["unicodePwd"].StringValue != mventry["pwdHex"].Value)
        {
            csEntry["unicodePwd"].StringValue = mventry["pwdHex"].Value;
            this.Log(string.Format("Updated: {0}", mventry["description"].Value));
        }
    }
}
```

but it gives me the error that unicodePwd is read-only! How can I propagate updating the pwd?? Thanks
April 17th, 2012 7:56am

In general, on an attribute level, the purpose of provisioning is to initialize an object. In other words, with the exception of a DN update, you can't use provisioning code to propagate attribute updates. Attribute updates need to be handled by attribute flow rules.

Cheers,
Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 17th, 2012 8:53am
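Markus's point in code, as an added example that is not from the thread or from FIM: the password update leaves Provision() and becomes an export attribute flow rule extension (IMASynchronization.MapAttributesForExport), which is where the sync engine lets you write attributes of an existing connector. Assumptions: the advanced export flow on the ADLDS MA is given the name "cd.user:pwdHex->unicodePwd" (my label), and the metaverse attribute pwdHex holds the password as a plain string, as the post above compares it. Two caveats for this design: unicodePwd is write-only on the target, so there is no stored value to compare against and the guard has to be on the source attribute; and a clear-text password kept in the metaverse lives in the sync service database, so that attribute should appear in no other flow or export.

```csharp
// Added example (not the thread's code). Export attribute flow rule extension for the
// ADLDS MA; the flow rule name and the pwdHex string format are assumptions.
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    // Name given to the advanced export flow rule in the MA's attribute flow configuration.
    private const string PasswordFlowRule = "cd.user:pwdHex->unicodePwd";

    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }

    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case PasswordFlowRule:
                // unicodePwd cannot be read back from the connector space, so there is no
                // previous value to compare; assigning it to an existing connector from
                // Provision() is what produced the "read-only" error above. Guard on the
                // source attribute and write the value whenever it is present.
                if (mventry["pwdHex"].IsPresent)
                {
                    csentry["unicodePwd"].Value = mventry["pwdHex"].Value;
                }
                break;

            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // Remaining IMASynchronization members, left at the FIM template defaults.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }

    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        throw new EntryPointNotImplementedException();
    }

    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }

    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

The rule is selected in Synchronization Service Manager as an advanced export flow to unicodePwd with this rules extension and flow rule name; the same SSL requirement applies as for the initial password, since AD LDS rejects password writes over an unprotected connection.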

Thanks - I've moved this to a flow rule and it works nicely.
April 18th, 2012 4:53am

